[Emerging-Sigs] ET CURRENT_EVENTS - USPS Spam/Trojan Executable Download

Bad Horse b4dh0rs3 at gmail.com
Tue Oct 11 13:20:21 EDT 2011


I had to modify the below to get thru spam filters (thanks gmail):

On Wed, Oct 12, 2011 at 04:45 PM, Bad Horse <b4dh0rs3 at gmail.com> wrote:

> I suggest we add this:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
> CURRENT_EVENTS - USPS Spam/Trojan Executable Download";
> flow:from_server,established; content:"filename=USPS_Invoice"; http_header;
> content:".exe"; distance:0; within:32; http_header;
> classtype:trojan-activity; reference:url,
> www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235;
> sid:b4dh0rs3_11; rev:1;)
>
> I have tested this and found it to be working as expected.
>
> On the network activity that prompted this, I see no Referer header on the
> GET, indicating the link was clicked on from email. Full GET URI:
>
> <removed_thanks_to_gmail_spam_filters;_see_VT_link_for_details>
>
> Some HTTP response headers:
>
> Content-Disposition: attachment; filename=USPS_Invoice_10112011.PDF.exe
> Content-Type: application/octet-stream
>
> Clearly malicious:
>
> http://www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235
>
> Other rules I saw alert on this were PE download rules and ET POLICY
> SUSPICIOUS *.pdf.exe in HTTP HEADER.
>
> -B4d H0rs3
>  The Thoroughbred of SYN
>
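As an added illustration (not part of the original post or the ET rule itself), the following Python emulates what the proposed signature's two `content` matches do over an HTTP response header block: anchor on `filename=USPS_Invoice`, then require `.exe` to land entirely within the next 32 bytes (`distance:0; within:32`). It also reproduces the broader "double extension" idea behind the ET POLICY `*.pdf.exe` rule mentioned above. All header samples are constructed, not captured traffic; the function and variable names are this example's own.

```python
import re

# Constructed sample HTTP response header blocks (not real captures).
SAMPLE_HEADERS = {
    # Mirrors the headers quoted in the post.
    "malicious": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Disposition: attachment; filename=USPS_Invoice_10112011.PDF.exe\r\n"
        "Content-Type: application/octet-stream\r\n\r\n"
    ),
    # Same naming convention, but a genuine PDF: must not match.
    "benign_pdf": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Disposition: attachment; filename=USPS_Invoice_10112011.pdf\r\n"
        "Content-Type: application/pdf\r\n\r\n"
    ),
    # ".exe" present but more than 32 bytes after the anchor: outside within:32.
    "exe_too_far": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Disposition: attachment; filename=USPS_Invoice_" + "x" * 40 + ".exe\r\n"
        "Content-Type: application/octet-stream\r\n\r\n"
    ),
    # Upper-case extension: the rule has no nocase, so it will not match this.
    "uppercase_ext": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Disposition: attachment; filename=USPS_Invoice_10112011.PDF.EXE\r\n"
        "Content-Type: application/octet-stream\r\n\r\n"
    ),
}


def matches_usps_exe_rule(headers: str) -> bool:
    """Emulate the rule's header matching:
       content:"filename=USPS_Invoice"; http_header;
       content:".exe"; distance:0; within:32; http_header;
    Both matches are case-sensitive, as the rule is written (no nocase)."""
    anchor = "filename=USPS_Invoice"
    idx = headers.find(anchor)
    if idx < 0:
        return False
    cursor = idx + len(anchor)          # detection cursor after the first match
    window = headers[cursor:cursor + 32]  # distance:0 -> start here; within:32 -> end by here
    return ".exe" in window              # slicing guarantees ".exe" fits fully inside the window


def content_disposition_filename(headers: str):
    """Pull the filename out of a Content-Disposition header, if one is present."""
    m = re.search(r"^Content-Disposition:.*?filename=\"?([^\";\r\n]+)",
                  headers, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def deceptive_double_extension(filename: str) -> bool:
    """Generalization of the ET POLICY '*.pdf.exe' idea: a document-looking
    extension immediately followed by .exe, matched case-insensitively."""
    return re.search(r"\.(pdf|doc|xls|txt)\.exe$", filename, re.IGNORECASE) is not None


def classify(headers: str) -> dict:
    """Run both checks over one header block and return the verdicts."""
    name = content_disposition_filename(headers)
    return {
        "filename": name,
        "usps_rule": matches_usps_exe_rule(headers),
        "double_ext": bool(name) and deceptive_double_extension(name),
    }


if __name__ == "__main__":
    for label, hdrs in SAMPLE_HEADERS.items():
        print(label, classify(hdrs))
```

The `uppercase_ext` sample is the caveat worth noting: because neither `content` in the proposed rule carries `nocase`, a server handing back `.EXE` slips past it, while the case-insensitive double-extension check still fires. Adding `nocase` to the `.exe` match would close that gap at no real false-positive cost.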