
List:       emerging-sigs
Subject:    [Emerging-Sigs] FP sid:2012299
From:       jonkman () emergingthreatspro ! com (Matthew Jonkman)
Date:       2011-04-28 15:51:08
Message-ID: FF5B76E2-39A8-42C3-8609-BD6F722ACA39 () emergingthreatspro ! com

Here are a few, defanged, within the last few days in the sandnet: (spam filters are going to love this one)

hxxp://78.26.187.35/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=21&4=2600&5=5&6=1&7=6290
hxxp://soft-store-inc.com/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=190&4=2600&5=5&6=1
hxxp://soft-store-inc.com/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=62&4=2600&5=5&6=1&

There are variations, but we could tighten this up some with favicon.ico. I'll do so and we'll mark it to keep an eye out for variation.

Matt


On Apr 27, 2011, at 11:11 AM, harry.tuttle wrote:

> Have had a couple of false positives to americanexpress.com (looks like a rewards-related part of the site with no ssl).
> Anyone have a pcap of the actual malicious traffic to look for something more to go on in the headers maybe?
> Rule posted for easy reference. I haven't modified it.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC? Communication"; flow:established,to_server; content:"?0="; http_uri; content:"&1="; http_uri; content:"&2="; http_uri; content:"&3="; http_uri; content:"&4="; http_uri; content:"&5="; http_uri; content:"&6="; http_uri; content:"&7="; http_uri; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=fbcdfecc73c4389e8d3ed7e2e573b6f1; sid:2012299; rev:1;)


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
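
Replaying the rule's URI checks over the thread's samples, as an added example that is not part of the original mail or the ET ruleset: the eight `content; http_uri` matches of sid:2012299 are modelled as plain substring tests on the request URI, and the tightened variant adds the `favicon.ico` content Matt proposes. The sandnet URIs are the paths from the defanged URLs above; the "benign" URI is constructed to have the same numbered-parameter shape and is not the actual americanexpress.com request.

```python
"""Model of the sid:2012299 http_uri content checks and the favicon.ico tightening."""

# The original rule's content matches, each applied to the normalized URI.
ORIGINAL_CONTENTS = ["?0="] + [f"&{i}=" for i in range(1, 8)]
# Tightened variant: same matches plus the favicon.ico path component.
TIGHTENED_CONTENTS = ["/favicon.ico"] + ORIGINAL_CONTENTS

# Sample request URIs (paths only). The first three are taken from the defanged
# sandnet URLs in the thread; the last one is constructed for illustration.
SAMPLE_URIS = {
    "sandnet_1": "/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=21&4=2600&5=5&6=1&7=6290",
    "sandnet_2": "/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=190&4=2600&5=5&6=1",
    "sandnet_3": "/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=62&4=2600&5=5&6=1&",
    "benign_rewards": "/rewards/catalog.aspx?0=12&1=34&2=56&3=78&4=9&5=0&6=1&7=2",  # constructed
}


def uri_matches(uri: str, contents: list[str]) -> bool:
    """True when every content string occurs somewhere in the URI.

    The rule uses no distance/within modifiers, so each content match is an
    independent substring test and order does not matter.
    """
    return all(c in uri for c in contents)


def evaluate(uris: dict[str, str] = SAMPLE_URIS) -> dict[str, tuple[bool, bool]]:
    """Return {name: (fires_original, fires_tightened)} for each sample URI."""
    return {
        name: (uri_matches(uri, ORIGINAL_CONTENTS), uri_matches(uri, TIGHTENED_CONTENTS))
        for name, uri in uris.items()
    }


if __name__ == "__main__":
    for name, (orig, tight) in evaluate().items():
        print(f"{name:15s} original={orig!s:5s} tightened={tight!s:5s}")
    # sandnet_2 and sandnet_3 carry no "&7=" parameter, so neither variant fires
    # on them: this is the "variation" Matt says the rule needs to be watched for.
```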

