[Emerging-Sigs] updates.advert-network.com
Philipp Bescht
philipp at bescht.de
Tue Jul 15 07:49:32 EDT 2008
Hi,

This host is related to the security-updater.com spyware (sid: 2003576).

Checking for updates:
POST /check.php?tcpc=579796 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: updates.advert-network.com
Content-Length: 167
data=[hex string here]
Downloading updates (application/x-gzip):
GET /pdata/cnconfig.gz?ct=1.4&bp=h&vs=&country=&grp=62&tcpc=582312 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: updates.advert-network.com
The following signature catches only the check for updates, because that request seems to be a prerequisite for the second one:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE advert-network.com Spyware checking for updates"; flow:established,to_server; uricontent:"/check.php?tcpc="; content:"|0d 0a|Host\: updates.advert-network.com|0d 0a|"; nocase; classtype:trojan-activity; sid:2008414; rev:1;)
regards,
philipp
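Added example (not part of Philipp's post and not Emerging Threats code): a small pure-Python approximation of sid 2008414 run over constructed HTTP requests modelled on the two quoted above. It shows which request the rule fires on and which it does not, and that `nocase` binds only to the `content` keyword it follows, so the Host header is matched case-insensitively while the `uricontent` path stays case-sensitive. The `HTTP_PORTS` set, the filler POST body, the updates.example.net host and the case-variant requests are assumptions made for the example.

```python
"""Pure-Python approximation of Emerging Threats sid 2008414 (added example)."""
import re
from typing import Optional, Tuple

# Assumption, not from the post: a small stand-in for Snort's $HTTP_PORTS variable.
HTTP_PORTS = {80, 8080, 8000}

# uricontent:"/check.php?tcpc="  (no nocase follows it, so it is case-sensitive)
URI_PATTERN = b"/check.php?tcpc="
# content:"|0d 0a|Host\: updates.advert-network.com|0d 0a|"; nocase;
HOST_PATTERN = b"\r\nhost: updates.advert-network.com\r\n"

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def parse_request(raw: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (method, uri) for a client request with a complete header block, else None."""
    m = REQUEST_LINE.match(raw)
    if m is None or b"\r\n\r\n" not in raw:
        return None
    return m.group(1), m.group(2)


def rule_2008414_matches(raw: bytes, dst_port: int = 80) -> bool:
    """True if a client->server payload would fire the rule from the post.

    flow:established,to_server is approximated by only accepting client requests;
    $EXTERNAL_NET is not modelled (the caller is expected to pass external traffic).
    """
    if dst_port not in HTTP_PORTS:          # ... -> $EXTERNAL_NET $HTTP_PORTS
        return False
    parsed = parse_request(raw)
    if parsed is None:
        return False
    _method, uri = parsed
    if URI_PATTERN not in uri:               # uricontent, case-sensitive
        return False
    return HOST_PATTERN in raw.lower()       # content ... nocase


# Constructed samples modelled on the two requests quoted in the post; the body is
# filler chosen so that Content-Length: 167 is accurate (5 bytes "data=" + 162 hex digits).
CHECK_REQUEST = (
    b"POST /check.php?tcpc=579796 HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: updates.advert-network.com\r\n"
    b"Content-Length: 167\r\n"
    b"\r\n"
    b"data=" + b"0a" * 81
)

UPDATE_REQUEST = (
    b"GET /pdata/cnconfig.gz?ct=1.4&bp=h&vs=&country=&grp=62&tcpc=582312 HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: updates.advert-network.com\r\n"
    b"\r\n"
)

# Same URI, Host header in different case: nocase on the content match still fires.
MIXED_CASE_HOST = CHECK_REQUEST.replace(
    b"Host: updates.advert-network.com", b"HOST: Updates.Advert-Network.COM")

# Same URI, unrelated host (assumed name): the Host content check fails.
OTHER_HOST = CHECK_REQUEST.replace(b"updates.advert-network.com", b"updates.example.net")

# Upper-case path: uricontent has no nocase, so this does NOT fire.
UPPER_URI = CHECK_REQUEST.replace(b"/check.php?tcpc=", b"/CHECK.PHP?tcpc=")

if __name__ == "__main__":
    for name, pkt in [("check", CHECK_REQUEST), ("update", UPDATE_REQUEST),
                      ("mixed-case host", MIXED_CASE_HOST), ("other host", OTHER_HOST),
                      ("upper-case uri", UPPER_URI)]:
        print(f"{name:16s} -> {rule_2008414_matches(pkt)}")
```

Only the check.php request fires; the cnconfig.gz download does not, which is what the rule is meant to do. If the Host match should also tolerate an upper-case path, a `nocase` would have to follow the `uricontent` keyword as well.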