
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] "ET TROJAN FakeAV Landing Page"
From:       Marcos Orallo <morallo () tb-security ! com>
Date:       2012-12-18 15:10:48
Message-ID: 50D08778.1020804 () tb-security ! com

I forgot to add the payload:

----------------------------------------------
GET /cgi-bin/r.cgi?p=10003&i=4eceb876&j=333&m=426c2c0e3a47ef54414bdd7afa5de26a&h=topbodyresults.com&u=/wp-content/uploads/2010/06/p90x-testimonials.jpg&q=&t=20121217131317 HTTP/1.1
Connection: keep-alive
Accept: */*
Referer: http://www.google.es/imgres?q=p90x+opiniones&start=78&um=1&hl=es&sa=N&tbo=d&biw=1317&bih=639&tbm=isch&tbnid=LIhwwnaUutGRDM:&imgrefurl=http://www.sodahead.com/living/would-you-trade-a-year-of-your-life-for-the-perfect-body/question-1654325/%3Fpage%3D6&docid=PL8JyID3ivk-eM&imgurl=http://topbodyresults.com/wp-content/uploads/2010/06/p90x-testimonials.jpg&w=590&h=456&ei=wG7PUI3lL8aR0AWF-YDYCA&zoom=1&iact=hc&vpx=318&vpy=327&dur=3094&hovh=197&hovw=255&tx=125&ty=147&sig=101713389886022537501&page=4&tbnh=138&tbnw=158&ndsp=28&ved=1t:429,r:1,s:100,i:7
Accept-Language: es
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: dutytraditional.net
X-IMForwards: 20
------------------------------------------------

Regards,
Marcos.

On 18/12/2012 15:58, Marcos Orallo wrote:
> Hi all,
> 
> I have regular detections from this rule, together with this other one:
> "ET CURRENT_EVENTS Ponmocup Redirection from infected Website to
> Trojan-Downloader".
> 
> From what I understand, I suppose this is just a landing page to show a
> false antivirus scan and persuade the user to download and install a
> fake AV.
> However, the rule is labeled as "TROJAN" in trojan.rules file, and
> classified as "trojan-activity". I had the impression this type of rule
> triggered only when there has already been an infection.
> 
> Maybe it should be moved to CURRENT_EVENTS?
> 
> Regards,
> Marcos.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

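The request quoted in the post carries the whole redirect chain in one line: the search-engine Referer, the compromised site and image path in the h= and u= parameters, and the redirector in Host. The Python below is an added example, not code from the list or from Emerging Threats; it parses such a request and pulls out that chain for triage. The h=/u= reading and the `looks_like_redirector_hit` heuristic are assumptions drawn from the visible request, not the content of the ET rule.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed from the request quoted in the post (wrapped lines rejoined,
# Referer shortened to the parameters that matter here).
SAMPLE_REQUEST = (
    "GET /cgi-bin/r.cgi?p=10003&i=4eceb876&j=333&m=426c2c0e3a47ef54414bdd7afa5de26a"
    "&h=topbodyresults.com&u=/wp-content/uploads/2010/06/p90x-testimonials.jpg"
    "&q=&t=20121217131317 HTTP/1.1\r\n"
    "Connection: keep-alive\r\n"
    "Accept: */*\r\n"
    "Referer: http://www.google.es/imgres?q=p90x+opiniones&tbm=isch"
    "&imgurl=http://topbodyresults.com/wp-content/uploads/2010/06/p90x-testimonials.jpg\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n"
    "Host: dutytraditional.net\r\n"
    "X-IMForwards: 20\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, query dict and headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # keep_blank_values so that the empty "q=" parameter is preserved
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"method": method, "path": parts.path, "query": query, "headers": headers}


def redirect_chain(req):
    """Return (referer_host, compromised_host, original_path, redirector_host).

    Assumption: h= names the site the victim actually visited and u= the path
    requested there, while Host is the redirector that served r.cgi."""
    q = req["query"]
    ref_host = urlsplit(req["headers"].get("referer", "")).hostname
    return (ref_host, q.get("h"), q.get("u"), req["headers"].get("host"))


def looks_like_redirector_hit(req):
    """Triage heuristic (added here, not the ET rule): a request for r.cgi whose
    h= parameter names a host other than the one the request was sent to."""
    q = req["query"]
    return (req["path"].endswith("/r.cgi") and "h" in q and "u" in q
            and q["h"].lower() != req["headers"].get("host", "").lower())
```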

