[Emerging-Sigs] Spyware DNS

Matt Jonkman jonkman at jonkmans.com
Thu Feb 21 10:05:39 EST 2008


BTW: I was asked for this off list, so I thought I'd share. This is the Apache
CustomLog format I use in the spyware listening post, in case anyone is
setting up a local one:

LogFormat "%V::%m::%r::%b::%{Referer}i::%{User-Agent}i::%{%Y-%m-%d %H:%M:%S}t" spywarelp

Add %h if you want to log the source IP (we do not on the spywarelp, for
privacy).

That'll get you a log like so:

btg.btgrab.com::GET::GET /a/Drk.syn?bho=aurora.exe&InstID={0E9F8F85-274E-4F78-BF9C-62BB733F4C44}&countrycodein=PL&lastAdTime=|||||1153469605||1140696514||&lastAdCode=6&NumWindows=1&VSN=E8C94CF2&MA=000255D4F1AA&HN=serwer&PI=52817-OEM-0006413-38373&budver=2000104&status=1&adcontext=http://www.amg.gda.pl/&WindowTitle=Akademia+Medyczna+w+Gda+sku+Strona+g+wna&TM=00&ads5m=0&ads1h=0&ads24h=0&adsClkh=e0&ads7d=40&tmsys=48yrph4b&tmac=48yrpj49&act1h=1&act24h=02&actClkh=eZ1c0f&act7d=403&smode=9&cookie1=capcnt%3D1%26capdate%3D214%26capcntdy%3D1%26capdatedy%3D0721%26lstlogdt%3D20070925%26cntp%3Dnull%26&cookie2=fstcidt%3D1140678304846%26&cookie3=1-1144824607-9195:43200-50445:86400&cookie4=1-8990:7:175.106-26512:6:48.380-15301:3:159.225-4760:3:273.294-23499:11:159.226-6813:17:94.364-159623:4:78.157-8084:13:59.350-10599:1:313.313-6467:2:90.211-6019:3:250.379-6468:3:266.161-8083:49:102.368-25168:1:192.329-140865:9:48.382-6542:37:78.168-18062:348:68.358-7985:20:54.313&event=0&inststat=axed HTTP/1.1::2::-::{0E9F8F85-274E-4F78-BF9C-62BB733F4C44}|0.21.5.114::2008-02-21 09:42:45

Very interesting info...

Matt


Which is interesting in itself: someone's apparently browsing Facebook
and getting ads/redirects to www.abmr.net
Jim McQuaid wrote:
> "What the hit on the lookup indicates is that the dumass user clicked
> on something shiny, or has spyware installed, or visited a site that
> tried to do a driveby install."
> 
> I have 113,000 objects blackholed, and cannot run the corresponding
> snort sigs without dedicating an entire box to it.  What I want is a
> DNS-generated entry in my IDS or firewall logs indicating the local
> machine that made the connection attempt, and the blacklisted object
> by name, and I want to do this without using Squid.  A succinct, plain
> text log would suffice.  So, I've retrieved my handful of DNS
> programming books.
> 
> James McQuaid
> 
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
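As an added example (not part of Matt's post, and not the Emerging Threats listening post's own code), here is a Python parser for the spywarelp LogFormat above that splits a line into its seven fields, decodes the query string of the request, and pulls out the host-identifying parameters seen in the btg.btgrab.com hit. The sample lines are constructed: the first is that hit with most of its query string trimmed, the second is made up to show a request target that itself contains the "::" separator. Reading MA/HN/PI as a MAC address, hostname and Windows product ID is my interpretation of the values; the post does not decode them.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in the "spywarelp" LogFormat from the post:
#   %V::%m::%r::%b::%{Referer}i::%{User-Agent}i::%{%Y-%m-%d %H:%M:%S}t
# The first is the btg.btgrab.com hit from the post with most of its query
# string trimmed; the second is made up to show a request target that itself
# contains the "::" separator (an IPv6 literal in the query string).
SAMPLE_LINES = [
    "btg.btgrab.com::GET::GET /a/Drk.syn?bho=aurora.exe"
    "&InstID={0E9F8F85-274E-4F78-BF9C-62BB733F4C44}&countrycodein=PL"
    "&MA=000255D4F1AA&HN=serwer&PI=52817-OEM-0006413-38373"
    "&adcontext=http://www.amg.gda.pl/&event=0&inststat=axed HTTP/1.1"
    "::2::-::{0E9F8F85-274E-4F78-BF9C-62BB733F4C44}|0.21.5.114"
    "::2008-02-21 09:42:45",
    "example.invalid::POST::POST /cb?ip=fe80::1&x=y HTTP/1.0::-::-"
    "::Mozilla/4.0 (compatible)::2008-02-21 09:43:00",
]

# "::" is a weak delimiter: it can occur inside %r, the Referer or the
# User-Agent.  So every field is pinned to something stronger than the
# separator: %r ends in the HTTP/x.y token, %b is a number or "-", and the
# line ends in the fixed-width timestamp.  A "::" inside the Referer or
# User-Agent is still ambiguous with this LogFormat; a separator the client
# cannot supply (a tab, for instance) avoids that.
LINE_RE = re.compile(
    r"^(?P<vhost>[^:\s]+)::"
    r"(?P<method>[A-Z]+)::"
    r"(?P<request>\S+ \S+ HTTP/\d\.\d)::"
    r"(?P<bytes>\d+|-)::"
    r"(?P<referer>.*?)::"
    r"(?P<user_agent>.*?)::"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)

# Query keys present in the post's sample hit.  MA looks like a MAC address,
# HN like a hostname and PI like a Windows product ID (my reading, not the
# post's).
BEACON_KEYS = ("bho", "InstID", "countrycodein", "MA", "HN", "PI", "adcontext")


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one spywarelp line with %r split into target and
    protocol and the query string decoded, or None if the line does not have
    the expected shape (e.g. a malformed request where %r is just "-")."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # %r is "<method> <target> HTTP/x.y"; the pattern guarantees two spaces
    _, target, protocol = rec.pop("request").split(" ")
    url = urlsplit(target)
    rec.update(
        path=url.path,
        protocol=protocol,
        params=dict(parse_qsl(url.query, keep_blank_values=True)),
        bytes=None if rec["bytes"] == "-" else int(rec["bytes"]),
    )
    return rec


def beacon_summary(rec: dict) -> dict:
    """Pull the host-identifying parameters out of a parsed hit."""
    return {k: rec["params"][k] for k in BEACON_KEYS if k in rec["params"]}


def naive_field_count(line: str) -> int:
    """Number of fields a plain split("::") would produce; 7 is correct."""
    return len(line.split("::"))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(rec["ts"], rec["vhost"], rec["path"], beacon_summary(rec),
              "naive split fields:", naive_field_count(line))
```

A `split("::")` gives eight fields for the second line and seven for the first, which is why the parser anchors on the HTTP token, the byte count and the trailing timestamp instead of counting separators.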
