Snort mailing list archives
Proposed Signatures for Fake Adobe Flash installer
From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 9 Jul 2013 11:25:11 -0500
Typo squatting of http://youtbube.com/ HTTP 302s to hxxp://super-saving.veryfunnycomercials.com/?sid=12015&hid=dlhtflthdldhlvhf and attempts to install some badness in the form of http://downloads.getsoftfree.com/get/click/aafc1d2b/?uid=KD10I468UB&filename=Flash%20Player%2012

https://www.virustotal.com/en/file/22eb8974f9f5c50902cd2c773cdd95c2de9ace8911ab637cb6de6a1422b08ce6/analysis/1373386716/

Looking at the page body, it seems we have a very easy kill on this payload:

<!-- STARTALERT -->
<script type="text/javascript">
alert("WARNING! You should update your Flash Player Immediately");
</script>
<!-- ENDALERT -->

Proposed Signatures:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY Fake Adobe Flash Player update warning enticing clicks to malware payload"; flow:established,from_server; content:"WARNING|21| You should update your Flash Player Immediately"; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY Fake Adobe Flash Player malware binary requested"; flow:established,to_server; content:"&filename=Flash Player "; http_uri; fast_pattern; content:".exe"; http_uri; within:8; classtype:trojan-activity; sid:x; rev:1;)

Cheers,
Nathan
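As an added illustration (not code from Nathan's post or from Snort), the following Python approximates what the two proposed rules match: the `|21|` byte escape in the first rule, and the normalized `http_uri` buffer plus the `within:8` window in the second. URI normalization is reduced to percent-decoding (an assumption), and the sample response body and request URIs are constructed, not captured from the campaign.

```python
import re
from urllib.parse import unquote

# Rule 1 (server -> client): the alert() text, with Snort's |21| byte escape resolved to '!'.
FLASH_ALERT_CONTENT = b"WARNING! You should update your Flash Player Immediately"

# Rule 2 (client -> server): both contents are checked against the normalized URI buffer
# (http_uri), where %20 is already decoded, which is why the pattern holds a literal space.
FILENAME_CONTENT = b"&filename=Flash Player "
EXE_CONTENT = b".exe"
EXE_WITHIN = 8  # within:8 -> ".exe" must end no more than 8 bytes past the previous match


def normalize_uri(raw_uri: str) -> bytes:
    """Approximation of Snort's URI normalization (assumption): percent-decoding only."""
    return unquote(raw_uri).encode("utf-8")


def matches_fake_flash_warning(response_body: bytes) -> bool:
    """Rule 1: does the HTTP response body carry the fake update warning?"""
    return FLASH_ALERT_CONTENT in response_body


def matches_fake_flash_download(raw_uri: str) -> bool:
    """Rule 2: '&filename=Flash Player ' in the URI followed by '.exe' within 8 bytes."""
    uri = normalize_uri(raw_uri)
    # Like Snort, retry every occurrence of the first content before giving up.
    for m in re.finditer(re.escape(FILENAME_CONTENT), uri):
        cursor = m.end()  # detection cursor sits just after the first match
        if EXE_CONTENT in uri[cursor:cursor + EXE_WITHIN]:
            return True
    return False


# Constructed sample traffic (not captured from the campaign in the post).
SAMPLE_RESPONSE_BODY = (
    b"<!-- STARTALERT -->\n<script type=\"text/javascript\">\n"
    b"alert(\"WARNING! You should update your Flash Player Immediately\");\n"
    b"</script>\n<!-- ENDALERT -->"
)
SAMPLE_REQUEST_URI = "/get/click/EXAMPLE/?uid=EXAMPLE&filename=Flash%20Player%2012.exe"
SAMPLE_LONG_SUFFIX_URI = "/get/?filename=Flash%20Player%20123456.exe"  # ".exe" ends 10 bytes out

if __name__ == "__main__":
    print("rule 1 hit:", matches_fake_flash_warning(SAMPLE_RESPONSE_BODY))
    print("rule 2 hit:", matches_fake_flash_download(SAMPLE_REQUEST_URI))
    print("rule 2 miss (within:8 exceeded):", matches_fake_flash_download(SAMPLE_LONG_SUFFIX_URI))
```

The last case shows the side effect of `within:8`: a filename with a longer version suffix after "Flash Player " is not matched by the rule as written.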
Current thread:
- Proposed Signatures for Fake Adobe Flash installer lists () packetmail net (Jul 09)
- Re: Proposed Signatures for Fake Adobe Flash installer lists () packetmail net (Jul 09)