Snort mailing list archives

Proposed Signatures for Fake Adobe Flash installer


From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 9 Jul 2013 11:25:11 -0500

Typosquatting of http://youtbube.com/ HTTP 302s to
hxxp://super-saving.veryfunnycomercials.com/?sid=12015&hid=dlhtflthdldhlvhf and
attempts to install some badness in the form of
http://downloads.getsoftfree.com/get/click/aafc1d2b/?uid=KD10I468UB&filename=Flash%20Player%2012

https://www.virustotal.com/en/file/22eb8974f9f5c50902cd2c773cdd95c2de9ace8911ab637cb6de6a1422b08ce6/analysis/1373386716/

Looking at the page body, it seems we have a very easy kill on this payload:

<!-- STARTALERT -->
<script type="text/javascript">
alert("WARNING! You should update your Flash Player Immediately");
</script>
<!-- ENDALERT -->

Proposed Signatures:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY Fake Adobe Flash Player update warning enticing clicks to malware payload"; flow:established,from_server; content:"WARNING|21| You should update your Flash Player Immediately"; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY Fake Adobe Flash Player malware binary requested"; flow:established,to_server; content:"&filename=Flash Player "; http_uri; fast_pattern; content:".exe"; http_uri; within:8; classtype:trojan-activity; sid:x; rev:1;)

Cheers,
Nathan

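Editor's added example (not part of Nathan's post, and not Snort code): a small Python model of the matching logic of the two proposed rules, run offline over constructed sample traffic so the reader can see what each rule does and does not fire on. It assumes a simplified `http_uri` normalization (percent-decoding and backslash conversion only; real http_inspect does more), models `within:8` as "the second content must end no more than 8 bytes after the end of the first match", and ignores `fast_pattern` because that option only chooses which content feeds Snort's fast matcher and does not change whether a rule matches. The HTTP response and the request URIs are constructed here, modelled on the page body and download link quoted in the post; they are not captured traffic. One thing it makes visible: the download URI exactly as quoted ends in `Flash%20Player%2012` with no `.exe`, so the second rule as written would not fire on that specific request.

```python
# Added example: re-implementation of the two proposed Snort rules' match logic,
# evaluated over constructed samples. This is illustrative code, not Snort.

from urllib.parse import unquote

# Rule 1 content. Snort's |21| is the hex escape for "!", so the matched bytes
# are the literal alert() text from the page body.
RESPONSE_CONTENT = b"WARNING! You should update your Flash Player Immediately"

# Rule 2: two http_uri contents, the second relative to the first via within:8.
URI_CONTENT_1 = b"&filename=Flash Player "
URI_CONTENT_2 = b".exe"
URI_WITHIN = 8


def normalize_uri(raw_uri: bytes) -> bytes:
    """Approximation (assumption) of Snort's normalized http_uri buffer:
    percent-decode and turn backslashes into slashes. Enough for these rules."""
    return unquote(raw_uri.decode("latin-1")).replace("\\", "/").encode("latin-1")


def rule_fake_flash_warning(response_body: bytes) -> bool:
    """Rule 1: plain content match anywhere in the server-to-client payload."""
    return RESPONSE_CONTENT in response_body


def rule_fake_flash_binary_request(raw_uri: bytes) -> bool:
    """Rule 2: '&filename=Flash Player ' followed by '.exe' ending within 8 bytes.

    within:8 bounds the *end* of the second match, so at most 8 - len('.exe')
    = 4 bytes of filename can sit between the two contents. Every occurrence of
    the first content is tried, as Snort retries when a relative match fails."""
    uri = normalize_uri(raw_uri)
    start = 0
    while True:
        idx = uri.find(URI_CONTENT_1, start)
        if idx == -1:
            return False
        after = idx + len(URI_CONTENT_1)
        window = uri[after:after + URI_WITHIN]
        if URI_CONTENT_2 in window:
            return True
        start = idx + 1


# Constructed sample traffic (not a capture), modelled on the post.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>\n<!-- STARTALERT -->\n<script type=\"text/javascript\">\n"
    b"alert(\"WARNING! You should update your Flash Player Immediately\");\n"
    b"</script>\n<!-- ENDALERT -->\n</body></html>"
)

SAMPLE_URIS = {
    # The download URI as quoted in the post: no '.exe', so rule 2 does not fire.
    "as_posted": b"/get/click/aafc1d2b/?uid=KD10I468UB&filename=Flash%20Player%2012",
    # Same link with an .exe suffix: '.exe' ends 6 bytes after the match, fires.
    "with_exe": b"/get/click/aafc1d2b/?uid=KD10I468UB&filename=Flash%20Player%2012.exe",
    # A longer version string pushes '.exe' past within:8, so the rule misses it.
    "long_version": b"/get/click/aafc1d2b/?uid=KD10I468UB&filename=Flash%20Player%2012.0.0.exe",
    # Download that never mentions Flash: no match at all.
    "unrelated": b"/get/click/aafc1d2b/?uid=KD10I468UB&filename=notepad.exe",
}


def evaluate_samples() -> dict:
    """Run both rules over the constructed samples; returns name -> fired."""
    results = {"response": rule_fake_flash_warning(SAMPLE_RESPONSE)}
    for name, uri in SAMPLE_URIS.items():
        results[name] = rule_fake_flash_binary_request(uri)
    return results


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:13s} -> {'ALERT' if fired else 'no alert'}")
```

The `long_version` sample is the practical caveat: `within:8` leaves room for only four bytes of filename between `Flash Player ` and `.exe`, so a filename such as `Flash Player 12.0.0.exe` slips past the second rule while `Flash Player 12.exe` is caught. Widening `within`, or dropping the `.exe` content and keying on the `&filename=Flash Player ` string alone, trades that gap for a higher false-positive risk; which way to go depends on how much other traffic carries that parameter.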
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
