
List:       bleeding-sigs
Subject:    [Bleeding-sigs] Spyware
From:       Matt Jonkman <matt () infotex ! com>
Date:       2005-08-17 1:09:04
Message-ID: 43028E30.4040005 () infotex ! com

And last post for the night: Some spyware. New stuff learned from the
Spyware Listening Post data that's starting to flow. One sig we don't
know anything about. If you know something please let us know. If you
get hits please report them to the email in the sig:

# Casalemedia reporting beacon, form 1: /s?s=<digits>&u=http...  ("\d+" for the digit run, matched case-insensitively against the normalized URI)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited1"; flow:to_server,established; pcre:"/\/s\?s=\d+&u=http/Ui"; classtype:trojan-activity; sid:2002195; rev:1;)

# Unknown spyware check-in: literal URI fragment, case-insensitive; please report hits to the address in the msg
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Unknown Spyware. Please report hits to lp-analysts@bleedingsnort.com"; flow:to_server,established; uricontent:"/xml/check.php?u="; nocase; classtype:policy-violation; sid:2002194; rev:1;)

# Tickle.com spyware: literal, case-sensitive URI fragment
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Tickle.com Spyware"; flow:to_server,established; uricontent:"/forward?sid="; classtype:trojan-activity; reference:url,www.spywareremove.com/removeTickle.html; sid:2002197; rev:1;)

# Casalemedia reporting beacon, form 2: /sd?s=<digits>&f=<digit>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited2"; flow:to_server,established; pcre:"/\/sd\?s=\d+&f=\d/Ui"; classtype:trojan-activity; sid:2002196; rev:1;)

# Bidclix.com spyware: /code/<digits>/?cb=<digits>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bidclix.com Spyware"; flow:to_server,established; pcre:"/\/code\/\d+\/\?cb=\d+/Ui"; classtype:trojan-activity; sid:2002198; rev:1;)
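To see exactly what each of these signatures keys on before deploying them, here is an added example (not part of this post or of the Bleeding Snort ruleset) that reduces each rule to its URI test in Python and runs it over constructed request lines; the flow and port constraints of the real rules are left out, and the easy slip of writing `[d+]` where `\d+` is meant is included to show that it matches only a literal 'd' or '+'.

```python
import re

# Added example (not from the original post): the five Bleeding-Edge
# signatures reduced to their URI tests so they can be checked offline.
# Snort's "U" PCRE modifier scopes the match to the normalized URI and
# "i" makes it case-insensitive, which maps to re.I over the URI string;
# uricontent is a literal (re.escape) and "nocase" again means re.I.
SIGNATURES = [
    (2002195, "Casalemedia Reporting URL Visited1", re.compile(r"/s\?s=\d+&u=http", re.I)),
    (2002194, "Unknown Spyware", re.compile(re.escape("/xml/check.php?u="), re.I)),
    (2002197, "Tickle.com Spyware", re.compile(re.escape("/forward?sid="))),
    (2002196, "Casalemedia Reporting URL Visited2", re.compile(r"/sd\?s=\d+&f=\d", re.I)),
    (2002198, "Bidclix.com Spyware", re.compile(r"/code/\d+/\?cb=\d+", re.I)),
]

# A character class "[d+]" matches one literal 'd' or '+', not a run of
# digits, so a rule written that way silently misses the real beacon.
TYPO_PATTERN = re.compile(r"/s\?s=[d+]&u=http", re.I)

def matching_sids(uri):
    """Return the sids of every signature whose URI test hits this request URI."""
    return [sid for sid, _msg, rx in SIGNATURES if rx.search(uri)]

def scan_requests(request_lines):
    """Map each 'METHOD URI HTTP/x' request line to the sids it triggers."""
    results = {}
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:  # not a request line, skip it
            continue
        results[line] = matching_sids(parts[1])
    return results

# Constructed sample request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /s?s=12345&u=http://example.invalid/page HTTP/1.1",
    "GET /xml/CHECK.php?u=abc HTTP/1.1",
    "GET /forward?sid=77 HTTP/1.0",
    "GET /sd?s=9&f=3 HTTP/1.1",
    "GET /code/42/?cb=1692 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for req, sids in scan_requests(SAMPLE_REQUESTS).items():
        print(f"{req:55} -> {sids}")
    print("typo pattern hits the real beacon:",
          bool(TYPO_PATTERN.search("/s?s=12345&u=http")))
```

Only the URI part of each rule is exercised here, so a hit in this script means the pattern fires, not that the full Snort rule (direction, established flow, $HTTP_PORTS) would.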


-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs