[Emerging-Sigs] Sigs for 2117966.net/iframe infection.
Matt Jonkman
jonkman at jonkmans.com
Fri Mar 14 18:25:41 EST 2008
Nice, Reg. I'll put them up under current events for a few days.
Matt
Reg Quinton wrote:
> From SANS/ISC diary reporting massive infection, this might help to detect things:
>
> http://ist.uwaterloo.ca/~reggers/drafts/local-iframe-infection.rules
>
> that's the following (excuse the line wraps):
>
> [4:02pm dominic] more local-iframe-infection.rules
> # $Id: local-iframe-infection.rules,v 1.2 2008/03/14 20:01:12 reggers Exp $
> # From SANS/Diary isc.sans.org/diary.html?storyid=4139
> #
> # Inspect your web proxy logs for visitors to 2117966.net. This will
> # indicate who is potentially exposed. Check these systems to verify
> # that their patches are up-to-date. Systems that are successfully
> # compromised will begin sending traffic to 61.188.39.175
>
> alert ip $HOME_NET any -> 61.188.39.175 any (msg:"UW -- 2117966.net/iframe exploit (infection)"; threshold: type limit, track by_src, seconds 60, count 1; classtype: trojan-activity; reference:url,isc.sans.org/diary.html?storyid=4139; sid:9999051; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"UW -- 2117966.net/iframe exploit (attempt)"; flow: to_server,established; content:"|0d0a|Host|3a|"; nocase; depth: 512; content:"2117966.net"; nocase; within: 30; classtype: trojan-activity; reference:url,isc.sans.org/diary.html?storyid=4139; sid:9999052; rev:1;)
>
>
> Hope this helps
>
>
> I am, Reg Quinton <reggers at ist.uwaterloo.ca>
> Senior Technologist, Security
> Information Systems and Technology
> University of Waterloo, 200 University Ave W
> Waterloo, Ontario N2L 3G1 Canada
> +1 519 888-4567x36070
>
>
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
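The triage that Reg's rule comments describe (proxy logs to find who fetched from 2117966.net, outbound connections to 61.188.39.175 to find who was actually compromised) can also be run after the fact over logs. The script below is an added example and is not part of the thread or of the posted rules. It works over constructed Squid-style access.log lines and a constructed flow export; the field positions, the sample client addresses and the report wording are assumptions for illustration. It goes slightly beyond the signature in one respect: it matches on the URL host the way the `Host:` content match with `nocase` does (so `WWW.2117966.NET` and subdomains count) while ignoring URLs that merely contain the string in their path.

```python
"""Offline triage for the 2117966.net iframe campaign.

Added example, not from the original post or the ISC diary.
Exposure  = a client fetched something from 2117966.net through the proxy.
Callback  = a client connected to 61.188.39.175 (the post-infection traffic).
Log formats below are constructed; adjust field positions for real logs.
"""
import re
from collections import defaultdict

IFRAME_HOST = "2117966.net"      # host named in the SANS/ISC diary
CALLBACK_IP = "61.188.39.175"    # destination compromised hosts talk to

# Constructed Squid native access.log lines:
# ts elapsed client result bytes method URL ident hierarchy type
PROXY_LOG = """\
1205522401.123 245 10.1.2.3 TCP_MISS/200 1432 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1205522405.456 312 10.1.2.3 TCP_MISS/200 2310 GET http://2117966.net/ - DIRECT/198.51.100.7 text/html
1205522409.789 198 10.1.2.3 TCP_MISS/200 20480 GET http://2117966.net/a.exe - DIRECT/198.51.100.7 application/octet-stream
1205522420.111 150 10.1.2.44 TCP_MISS/200 2280 GET http://WWW.2117966.NET/ - DIRECT/198.51.100.7 text/html
1205522430.222 170 10.1.2.99 TCP_MISS/200 1500 GET http://news.example.org/2117966.net-story - DIRECT/192.0.2.20 text/html
"""

# Constructed firewall/flow export: ts src_ip dst_ip dst_port proto
FLOW_LOG = """\
1205522500 10.1.2.3 61.188.39.175 80 tcp
1205522560 10.1.2.3 61.188.39.175 80 tcp
1205522600 10.1.2.99 192.0.2.20 443 tcp
1205522700 10.1.2.200 61.188.39.175 8080 tcp
"""

_HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", re.IGNORECASE)


def url_host(url):
    """Lower-cased host of a URL; also handles CONNECT-style 'host:port'."""
    m = _HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def is_iframe_host(host):
    """Match the host itself or any subdomain, case-insensitively,
    like the nocase Host: match in the signature; never match on path."""
    return host == IFRAME_HOST or host.endswith("." + IFRAME_HOST)


def exposed_hosts(proxy_log):
    """client IP -> list of URLs fetched from 2117966.net."""
    hits = defaultdict(list)
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or foreign line, skip
        client, url = fields[2], fields[6]
        if is_iframe_host(url_host(url)):
            hits[client].append(url)
    return dict(hits)


def callback_hosts(flow_log):
    """source IP -> number of flows to the callback address."""
    hits = defaultdict(int)
    for line in flow_log.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        src, dst = fields[1], fields[2]
        if dst == CALLBACK_IP:
            hits[src] += 1
    return dict(hits)


def triage(proxy_log, flow_log):
    """Correlate exposure with callbacks into a per-host verdict."""
    exposed = exposed_hosts(proxy_log)
    callbacks = callback_hosts(flow_log)
    report = {}
    for ip in sorted(set(exposed) | set(callbacks)):
        if ip in exposed and ip in callbacks:
            report[ip] = "likely compromised"
        elif ip in callbacks:
            # reached the callback IP without a proxy hit: proxy bypass,
            # or exposed from somewhere we do not log
            report[ip] = "callback without observed exposure"
        else:
            report[ip] = "exposed, verify patch level"
    return report


if __name__ == "__main__":
    for ip, verdict in triage(PROXY_LOG, FLOW_LOG).items():
        print(f"{ip:<12} {verdict}")
```

The host-based match is the part worth keeping when adapting this: a substring search on the whole URL would flag 10.1.2.99 above, which only read a news story with the domain in its path, while a case-sensitive match would miss the `WWW.2117966.NET` visit. Anything in the "callback without observed exposure" bucket is a hint that the proxy is not seeing all outbound web traffic.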