[Emerging-Sigs] Potential rule for 574d02cec61009dff20f65376cd38647

Bojan Zdrnja (SANS ISC) bojan.isc at gmail.com
Sun Jul 6 16:02:59 EDT 2008


Hey All,

I've been here for a long time but inactive; I'm finally able to spend
some time analyzing stuff again.

Anyway, the sample in question is ad-aware. It uses NSIS's installer
to phone home when successfully installed. I wrote a short sig to
catch this -- I think this shouldn't get too many false positives
since normally one should not have NSIS installers send GET requests
back to web sites.

Since I've been rusty with Snort, Matt, can you also check the rule and
see if it could be improved please? You'll need to add a SID as well
if it gets added to the repository.

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Ad-ware installation phoning home"; flow:established; content:"GET"; depth:4; content:"success"; offset:5; depth:80; content:"User-Agent\: NSISDL/1.2"; nocase; classtype:trojan-activity; sid:ADD; rev:1;)

Cheers,

Bojan
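Added example, not part of Bojan's post or of the ET ruleset: a small Python re-implementation of the three content checks in the rule above, run over constructed HTTP requests so you can see which request shapes alert and which check knocks out the rest. It assumes Snort 2 semantics where `depth` is counted from `offset` (so `offset:5; depth:80` searches payload bytes 5 through 84) and that `nocase` only modifies the content it follows; the request bodies, the host name example.invalid and the function names are all constructed for the example.

```python
# Added example (not from the original post): re-implementation of the
# content/offset/depth/nocase checks used by the NSISDL phone-home rule,
# applied to constructed HTTP requests.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ContentCheck:
    """One Snort `content` keyword plus its offset/depth/nocase modifiers."""
    pattern: bytes
    offset: int = 0               # byte index where the search starts
    depth: Optional[int] = None   # bytes to search from offset; None = to end
    nocase: bool = False          # case-insensitive match

    def window(self, payload: bytes) -> bytes:
        # Assumption: Snort 2 semantics, depth is counted from offset,
        # so offset:5; depth:80 looks at payload bytes 5..84 only.
        end = len(payload) if self.depth is None else self.offset + self.depth
        return payload[self.offset:end]

    def matches(self, payload: bytes) -> bool:
        window, pat = self.window(payload), self.pattern
        if self.nocase:
            window, pat = window.lower(), pat.lower()
        return pat in window


# The three checks from the rule, in order. nocase only modifies the content
# it follows, so "GET" and "success" remain case-sensitive.
NSISDL_PHONE_HOME = [
    ContentCheck(b"GET", depth=4),
    ContentCheck(b"success", offset=5, depth=80),
    ContentCheck(b"User-Agent: NSISDL/1.2", nocase=True),
]


def failing_checks(payload: bytes, checks=NSISDL_PHONE_HOME) -> List[bytes]:
    """Patterns of the checks that did NOT match; an empty list means alert."""
    return [c.pattern for c in checks if not c.matches(payload)]


def rule_matches(payload: bytes, checks=NSISDL_PHONE_HOME) -> bool:
    return not failing_checks(payload, checks)


# Constructed requests (not real captures) that exercise each check.
SAMPLES = {
    # what the installer's phone-home is expected to look like: alerts
    "phone_home": (
        b"GET /install.php?status=success HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: NSISDL/1.2 (Mozilla)\r\n\r\n"
    ),
    # same UA, but a plain download by an NSIS installer: no "success"
    "nsisdl_download": (
        b"GET /files/plugin.dll HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: NSISDL/1.2 (Mozilla)\r\n\r\n"
    ),
    # a browser hitting a URL containing "success": UA check fails
    "browser": (
        b"GET /login?result=success HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    # POST instead of GET: the depth:4 check fails
    "post": (
        b"POST /install.php?status=success HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: NSISDL/1.2\r\n\r\n"
    ),
    # "success" first appears after byte 84, outside offset:5; depth:80
    "late_success": (
        b"GET /" + b"a" * 90 + b"?r=success HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: NSISDL/1.2\r\n\r\n"
    ),
    # lowercase header still matches because of nocase
    "lowercase_ua": (
        b"GET /cb?s=success HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"user-agent: nsisdl/1.2\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:16} alert={rule_matches(req)!s:5} "
              f"failing={failing_checks(req)}")
```

The "late_success" case is the one worth keeping in mind: a long query string pushes the "success" token past the 80-byte window, so the rule stays quiet even though the User-Agent is NSISDL. Whether that is acceptable depends on how long the real phone-home URL is.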

