[Emerging-Sigs] Sigs for 2117966.net/iframe infection.
Reg Quinton
reggers at ist.uwaterloo.ca
Fri Mar 14 15:06:45 EST 2008
From SANS/ISC diary reporting massive infection, this might help to detect things:
http://ist.uwaterloo.ca/~reggers/drafts/local-iframe-infection.rules
that's the following (excuse the line wraps):
[4:02pm dominic] more local-iframe-infection.rules
# $Id: local-iframe-infection.rules,v 1.2 2008/03/14 20:01:12 reggers Exp $
# From SANS/Diary isc.sans.org/diary.html?storyid=4139
#
# Inspect your web proxy logs for visitors to 2117966.net. This will
# indicate who is potentially exposed. Check these systems to verify
# that their patches are up-to-date. Systems that are successfully
# compromised will begin sending traffic to 61.188.39.175
alert ip $HOME_NET any -> 61.188.39.175 any (msg:"UW -- 2117966.net/iframe exploit (infection)"; threshold: type limit, track by_src, seconds 60, count 1; classtype: trojan-activity; reference:url,isc.sans.org/diary.html?storyid=4139; sid:9999051; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"UW -- 2117966.net/iframe exploit (attempt)"; flow: to_server,established; content:"|0d0a|Host|3a|"; nocase; depth: 512; content:"2117966.net"; nocase; within: 30; classtype: trojan-activity; reference:url,isc.sans.org/diary.html?storyid=4139; sid:9999052; rev:1;)
Hope this helps
I am, Reg Quinton <reggers at ist.uwaterloo.ca>
Senior Technologist, Security
Information Systems and Technology
University of Waterloo, 200 University Ave W
Waterloo, Ontario N2L 3G1 Canada
+1 519 888-4567x36070
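The post asks readers to do two things by hand: look through proxy logs for visitors to 2117966.net, and watch for hosts that then talk to 61.188.39.175. The following is an added example, not code from Reg Quinton's post or from the ISC diary, that performs both checks offline and also mirrors the matching logic of the second Snort rule (Host header within the first 512 bytes, domain within 30 bytes of it) so the rule's behaviour can be sanity-checked against a raw request. It assumes a Squid-style native access.log layout for the proxy log and a plain "timestamp action src dst proto port" layout for the firewall log; all sample lines are constructed for this example. Only the domain and the IP address come from the post.

```python
"""Added example: proxy-log and firewall-log checks for the 2117966.net
iframe infection described in the post, plus a Python mirror of sid:9999052.
Log layouts and sample lines are assumptions constructed for this example."""
from urllib.parse import urlsplit

IFRAME_HOST = "2117966.net"      # domain named in the post / ISC diary
C2_ADDR = "61.188.39.175"        # post-compromise destination named in the post

# Constructed sample in Squid native access.log layout (assumed format):
# time elapsed client code/status bytes method URL ident hier/peer type
PROXY_LOG = """\
1205520000.123 245 10.1.2.3 TCP_MISS/200 1834 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1205520001.456 312 10.1.2.4 TCP_MISS/200 4120 GET http://2117966.net/index.htm - DIRECT/203.0.113.9 text/html
1205520002.789 118 10.1.2.5 TCP_MISS/200 2210 GET http://www.2117966.net/ - DIRECT/203.0.113.9 text/html
1205520003.000 410 10.1.2.3 TCP_MISS/200 960 GET http://example.net/2117966.net.html - DIRECT/198.51.100.7 text/html
"""

# Constructed sample firewall log (assumed format): time action src dst proto dport
FW_LOG = """\
2008-03-14T15:01:02 ACCEPT 10.1.2.4 61.188.39.175 tcp 80
2008-03-14T15:01:05 ACCEPT 10.1.2.3 93.184.216.34 tcp 443
2008-03-14T15:02:11 ACCEPT 10.1.2.4 61.188.39.175 tcp 80
"""


def exposed_hosts(proxy_log: str) -> dict:
    """Map client IP -> URLs whose host is 2117966.net or a subdomain of it.
    Matching on the parsed hostname (not a substring grep of the whole line)
    avoids flagging a URL that merely mentions the domain in its path."""
    hits: dict = {}
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        host = urlsplit(url).hostname or ""
        if host == IFRAME_HOST or host.endswith("." + IFRAME_HOST):
            hits.setdefault(client, []).append(url)
    return hits


def compromised_hosts(fw_log: str) -> set:
    """Internal sources that connected to the post-compromise address."""
    found = set()
    for line in fw_log.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3] == C2_ADDR:
            found.add(fields[2])
    return found


def iframe_request_match(payload: bytes, depth: int = 512, within: int = 30) -> bool:
    """Mirror of sid:9999052: "\\r\\nHost:" (case-insensitive) must lie inside
    the first `depth` bytes, and "2117966.net" (case-insensitive) must lie
    entirely within `within` bytes after the end of that match."""
    anchor = b"\r\nhost:"
    head = payload[:depth].lower()
    i = head.find(anchor)
    if i < 0:
        return False
    end = i + len(anchor)
    return IFRAME_HOST.encode() in payload[end:end + within].lower()


if __name__ == "__main__":
    print("potentially exposed (visited the domain):")
    for client, urls in exposed_hosts(PROXY_LOG).items():
        print(f"  {client}: {', '.join(urls)}")
    print("possibly compromised (talked to C2):", sorted(compromised_hosts(FW_LOG)))
    req = b"GET / HTTP/1.1\r\nHost: 2117966.net\r\n\r\n"
    print("rule 9999052 would fire on sample request:", iframe_request_match(req))
```

Note that a host can appear in the second list without the first if it reached the site outside the proxy, and that the Snort rule only inspects the Host header: a request to another site whose Referer mentions the domain does not fire, which the last check in the test below illustrates.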