Home page logo
/

snort logo Snort mailing list archives

Re: Openadvertising.com Malware Campaign malicious jar sigs
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 19 Jun 2013 09:57:36 -0400

BTW -- sig 26653 also catches this.


On Jun 19, 2013, at 9:46 AM, Joel Esler <jesler () sourcefire com> wrote:

All,

I have rules that will ship in the next rule pack for these already written.  I'll add the community tag to them so 
they go out for free.


On Jun 18, 2013, at 7:31 PM, lists () packetmail net wrote:

On 06/18/2013 06:06 PM, Joel Esler wrote:
Thanks James!

I've got hits and these aren't what I'm seeing, I was seeing 16-byte by 16-byte
to these; James good sig but I see your &k=&h= concatenated together without the
16-byte values.  As always James, you rock, despite what Joel says about you :)

hxxp://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57

hxxp://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57

hxxp://www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=9465364283059318&h=0504dc8510fdce57

hxxp://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96

hxxp://www.arielentertainment.com/images/new_buttons/enter_button/.cache/?f=site.jar&k=6046817725057817&h=a8946c52477b6b89

hxxp://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650

Recommending:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"INDICATOR-COMPROMSED openxadvertising.com Malvertising Campaign
URI request"; flow:to_server,established;
content:"/.cache/?f="; http_uri; fast_pattern;
pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U";
metadata:policy balanced-ips drop, policy security-ips drop, service http;
reference:url,http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html;
classtype:trojan-activity; sid:10000079; rev:1;

These will catch all variants with no FPs, I ran 05/01/2013+ with the below Hive
query:

SELECT distinct
date_time,user_name,client_ip,http_status,block_reason,url_body_size,media_type,dest_ip,url,url_referrer,user_agent
FROM webwasher_full where day>='2013-05-01' and http_status <> '407'
and url rlike 'http:\\/\\/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$'

Cheers,
Nathan

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault