[Emerging-Sigs] MyWebSearch alerts on Dell Support
Jack Pepper
pepperjack at afferentsecurity.com
Mon Mar 24 13:40:45 EST 2008
The Malware rule "2001663" was getting some bogus hits on a piece of
Dell Spyware. I have split it into two separate rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dell MyWay Remote control agent"; flow:to_server,established; content:"Referer\: http\://dell.myway.com/"; depth:100; content:"Host\:"; depth:250; content:"myway.com"; nocase; within:20; distance:0; classtype:not-suspicious; threshold:type limit, track by_src, count 2, seconds 360; sid:1001663; rev:9;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malware MyWebSearch Toolbar Traffic (r10)"; flow:to_server,established; content:!"Referer\: http\://dell.myway.com/"; depth:100; content:"Host\:"; depth:250; content:"myway.com"; nocase; within:20; distance:0; classtype:trojan-activity; threshold:type limit, track by_src, count 2, seconds 360; sid:2001663; rev:10;)
I will post some packet data in the wiki to describe this finding.
jp
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
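The following Python script is an added example, not part of the post above and not an Emerging Threats tool. It emulates the content-matching logic of the two rules (the depth:100 Referer check, the Host: header within the first 250 bytes, and the nocase "myway.com" that must end within 20 bytes of "Host:") on constructed HTTP requests, to show why splitting the rule removes the Dell false positives and where the depth limits still leave gaps. The flow and threshold options are not emulated; all hostnames, paths and request bytes are made up for the example.

```python
from typing import Optional

# Patterns taken from the two rules (Snort escapes removed).
DELL_REFERER = b"Referer: http://dell.myway.com/"
HOST_HDR = b"Host:"
HOST_VALUE = b"myway.com"


def dell_referer_present(payload: bytes) -> bool:
    """content:"Referer\\: http\\://dell.myway.com/"; depth:100;
    The whole pattern must lie inside the first 100 payload bytes."""
    return DELL_REFERER in payload[:100]


def host_is_myway(payload: bytes) -> bool:
    """content:"Host\\:"; depth:250; content:"myway.com"; nocase; within:20; distance:0;
    "Host:" must start within the first 250 bytes, and "myway.com" (case-insensitive)
    must be fully contained in the 20 bytes that follow it."""
    idx = payload[:250].find(HOST_HDR)
    if idx < 0:
        return False
    start = idx + len(HOST_HDR)
    window = payload[start:start + 20]
    return HOST_VALUE in window.lower()


def classify(payload: bytes) -> Optional[str]:
    """Return the sid of the rule that would fire on this request, or None.
    Both rules share the Host: checks; the Dell rule requires the referer,
    the MyWebSearch rule (content:!"...") requires its absence."""
    if not host_is_myway(payload):
        return None
    if dell_referer_present(payload):
        return "1001663"  # Dell MyWay remote control agent, not-suspicious
    return "2001663"      # MyWebSearch toolbar traffic, trojan-activity


# Constructed sample requests (hostnames and paths are invented for the example).
DELL_REQUEST = (
    b"GET /remote/ping HTTP/1.1\r\n"
    b"Referer: http://dell.myway.com/\r\n"
    b"Host: rc.myway.com\r\n\r\n"
)
TOOLBAR_REQUEST = (
    b"GET /toolbar/update HTTP/1.1\r\n"
    b"Referer: http://www.mywebsearch.example/\r\n"
    b"Host: MyWay.com\r\n\r\n"
)
OTHER_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n\r\n"
)
# Edge case: "myway.com" sits more than 20 bytes after "Host:", so within:20 fails.
LONG_HOST_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: something.really.long.myway.com\r\n\r\n"
)
# Edge case: a long request line pushes the Dell referer past byte 100,
# so depth:100 misses it and the Dell traffic falls through to sid 2001663.
LATE_REFERER_REQUEST = (
    b"GET /" + b"a" * 90 + b" HTTP/1.1\r\n"
    b"Referer: http://dell.myway.com/\r\n"
    b"Host: rc.myway.com\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in [("dell", DELL_REQUEST), ("toolbar", TOOLBAR_REQUEST),
                      ("other", OTHER_REQUEST), ("long_host", LONG_HOST_REQUEST),
                      ("late_referer", LATE_REFERER_REQUEST)]:
        print(f"{name:13s} -> {classify(req)}")
```

The last sample shows the caveat a rule writer would check: depth:100 is measured from the start of the payload, so an unusually long request line can keep the Dell referer out of range and let the negated-content rule fire on legitimate traffic.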