<div dir="ltr">Thanks, James! I believe there should be a space between the User-Agent|3A| and globalupdate (at least it appears that way in the report). Can I suggest the following as a fix?<div><br></div><div><span style="font-family:arial,sans-serif;font-size:13px">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Wirelurker.AB"; flow:to_server,established; content:"User-Agent|3A| globalupdate"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference: url,</span><a href="http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware" target="_blank" style="font-family:arial,sans-serif;font-size:13px">researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware</a><span style="font-family:arial,sans-serif;font-size:13px">; classtype:trojan-activity; sid:10000138; rev:1;)</span><br></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">Thanks,<br></font><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div style="font-family:arial;font-size:small"><b style="font-family:verdana,sans-serif">james espinosa</b></div><div style="font-family:arial;font-size:small"><span style="font-family:verdana,sans-serif">security researcher</span></div><div style="font-family:arial;font-size:small"><span style="font-family:verdana,sans-serif">847.497.5237 @ </span><span style="font-family:verdana,sans-serif"><a href="http://jamesejr.com" target="_blank">jamesejr.com</a></span></div></div></div></div>
<br><div class="gmail_quote">On Thu, Nov 6, 2014 at 10:47 AM, James Lay <span dir="ltr"><<a href="mailto:jlay@...3266..." target="_blank">jlay@...3266...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">May help someone somewhere...a quick search of <a href="http://www.ua-tracker.com/" target="_blank">http://www.ua-tracker.com/</a> showed no known UA with globalupdate, so I figured I'd just look for that and be done with it.<br>
<br>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Wirelurker.AB"; flow:to_server,established; content:"User-Agent|3A|globalupdate"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference: url,<a href="http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware" target="_blank">researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware</a>; classtype:trojan-activity; sid:10000138; rev:1;)<br>
<br>
Rev C uses encrypted channels, so uh...hope you don't get C.  As always fixes are welcome.<br>
<br>
James<br>
_______________________________________________<br>
Emerging-sigs mailing list<br>
<a href="mailto:Emerging-sigs@...3694..." target="_blank">Emerging-sigs@...2570...emergingthreats.net</a><br>
<a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>
<br>
Support Emerging Threats! Subscribe to Emerging Threats Pro <a href="http://www.emergingthreats.net" target="_blank">http://www.emergingthreats.net</a><br>
<br>
</blockquote></div><br></div></div></div>
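<div>Added example, not code from either poster: it decodes the Snort <code>content:</code> pipe-hex syntax used in both versions of the rule into raw bytes and checks them against a constructed HTTP request, so the effect of the space after <code>|3A|</code> can be seen directly. The sample request is constructed for illustration, not taken from the Palo Alto report.</div>

```python
import re

# Added example (not part of the mailing-list thread): decode a Snort/Suricata
# content: string and test the original and proposed versions of the
# Wirelurker rule against a constructed HTTP request.

# |...| blocks hold hex byte pairs, optionally separated by whitespace.
_PIPE_BLOCK = re.compile(r"\|([0-9A-Fa-f\s]*)\|")


def snort_content_to_bytes(content: str) -> bytes:
    """Text outside |...| is literal; hex pairs inside |...| become raw bytes
    (so |3A| is a colon and |0d 0a| is CRLF)."""
    out = bytearray()
    pos = 0
    for m in _PIPE_BLOCK.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        hex_digits = re.sub(r"\s", "", m.group(1))
        if len(hex_digits) % 2:
            raise ValueError(f"odd number of hex digits in {m.group(0)!r}")
        out += bytes.fromhex(hex_digits)
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def content_matches(content: str, payload: bytes) -> bool:
    """Plain case-sensitive substring match, as content: behaves without nocase."""
    return snort_content_to_bytes(content) in payload


# Constructed request with the usual single space after the header colon.
SAMPLE_REQUEST = (
    b"GET /update HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: globalupdate\r\n"
    b"\r\n"
)

ORIGINAL_CONTENT = "User-Agent|3A|globalupdate"   # as first posted
PROPOSED_CONTENT = "User-Agent|3A| globalupdate"  # with the space added

if __name__ == "__main__":
    for label, c in (("original", ORIGINAL_CONTENT), ("proposed", PROPOSED_CONTENT)):
        print(f"{label}: {snort_content_to_bytes(c)!r} -> "
              f"matches={content_matches(c, SAMPLE_REQUEST)}")
```

A client that sends no space after the colon would match the original content and not the proposed one; if both forms are expected, a second content match or a pcre covering optional whitespace keeps the rule from missing either.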