This is familer

[James Lay <jlay () slave-tothe-box net>]

Yay..just like that one --c32 malware that kept popping up everywhere 
months ago, comes ded509 (google that..it's a hoot):

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"MALWARE-OTHER Compromised Website response - leads to Exploit 
Kit"; flow:established,to_client; file_data; content:"<!--ded509-->"; 
distance:0; content:"<!--/ded509-->"; distance:0; metadata:policy 
balanced-ips drop, policy security-ips drop, ruleset community, service 
http; 
reference:url,http://www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; 
classtype:trojan-activity; sid:10000063; rev:1;)

Currently being served at:

hxxp://tascq.dreamhosters.com/owner.html

Cleverly disguised as a "spam" email (something about satisfying 
lades).  The jsunpack reference is a different one, so eh...it's spotty 
out in the wild I guess.  Enjoy on a Friday!

James

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!