[Emerging-Sigs] ET CURRENT_EVENTS - USPS Spam/Trojan Executable Download

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 12 07:36:33 EDT 2011


Excellent, thanks. We'll get it posted!

Matt


On Oct 11, 2011, at 1:20 PM, Bad Horse wrote:

> I had to modify the below to get through spam filters (thanks gmail):
> 
> On Wed, Oct 12, 2011 at 04:45 PM, Bad Horse <b4dh0rs3 at gmail.com> wrote:
> I suggest we add this:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS - USPS Spam/Trojan Executable Download"; flow:from_server,established; content:"filename=USPS_Invoice"; http_header; content:".exe"; distance:0; within:32; http_header; classtype:trojan-activity; reference:url,www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235; sid:b4dh0rs3_11; rev:1;)
> 
> I have tested this and found it to be working as expected. 
> 
> On the network activity that prompted this, I see no Referer header on the GET, indicating the link was clicked on from email. Full GET URI:
> 
> <removed_thanks_to_gmail_spam_filters;_see_VT_link_for_details>
> 
> Some HTTP response headers:
> 
> Content-Disposition: attachment; filename=USPS_Invoice_10112011.PDF.exe
> Content-Type: application/octet-stream
> 
> Clearly malicious:
> http://www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235
> 
> Other rules I saw alert on this were PE download rules and ET POLICY SUSPICIOUS *.pdf.exe in HTTP HEADER.
> 
> -B4d H0rs3
>  The Thoroughbred of SYN
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
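The quoted rule chains two http_header content matches, and the part worth seeing in motion is the relative window: `.exe` only counts if it is found entirely inside the 32 bytes that start right after `filename=USPS_Invoice` ends (distance:0, within:32). The following is an added example, not code from the post or from Emerging Threats; it emulates that matching logic in Python over a few constructed HTTP responses (none are real captures) so the hit, the body-only miss, the too-far miss and the case miss are each visible. The `http_header_buffer` and `rule_matches` helpers are mine and only approximate Snort's behaviour.

```python
"""Emulate the content/distance/within logic of the quoted Snort rule.

Added example, not from the original post: replays the rule's two
http_header content matches over constructed responses.
"""

# The two content patterns from the rule, in rule order. No nocase modifier
# is set on either, so the comparison is byte-exact and case-sensitive.
PATTERN_A = b"filename=USPS_Invoice"
PATTERN_B = b".exe"
DISTANCE = 0   # start the second search right where the first match ended
WITHIN = 32    # the second pattern must sit entirely in the next 32 bytes


def http_header_buffer(raw_response: bytes) -> bytes:
    """Approximate Snort's http_header buffer: everything up to and including
    the blank line that ends the headers. The body is not inspected."""
    head, sep, _body = raw_response.partition(b"\r\n\r\n")
    return head + sep if sep else raw_response


def rule_matches(raw_response: bytes) -> bool:
    """True when the header buffer satisfies both content matches with the
    rule's relative distance/within constraints (flow direction assumed)."""
    headers = http_header_buffer(raw_response)
    pos_a = headers.find(PATTERN_A)
    if pos_a == -1:
        return False
    end_a = pos_a + len(PATTERN_A)
    # Snort limits the relative search to a window of `within` bytes that
    # begins `distance` bytes after the previous match ended.
    window_start = end_a + DISTANCE
    window = headers[window_start:window_start + WITHIN]
    return window.find(PATTERN_B) != -1


# Constructed sample responses (hypothetical, not captured traffic).
# Mirrors the headers shown in the post: ".exe" ends 17 bytes after PATTERN_A.
HIT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Disposition: attachment; filename=USPS_Invoice_10112011.PDF.exe\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"MZ\x90\x00"
)
# ".exe" appears only in the body; http_header keeps the match out of it.
MISS_BODY_ONLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Disposition: attachment; filename=USPS_Invoice_10112011.pdf\r\n"
    b"Content-Type: application/pdf\r\n"
    b"\r\n"
    b"text mentioning USPS_Invoice.exe"
)
# ".exe" is in the header but starts 35 bytes after PATTERN_A ends: outside within:32.
MISS_TOO_FAR = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Disposition: attachment; "
    b"filename=USPS_Invoice_shipping_label_printable_copy_2011.exe\r\n"
    b"\r\n"
)
# Lower-case filename: without nocase the first content never matches.
MISS_CASE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Disposition: attachment; filename=usps_invoice_10112011.PDF.exe\r\n"
    b"\r\n"
)


def evaluate_samples() -> dict:
    """Run the emulated rule over every sample and report which would alert."""
    samples = {
        "hit": HIT,
        "miss_body_only": MISS_BODY_ONLY,
        "miss_too_far": MISS_TOO_FAR,
        "miss_case": MISS_CASE,
    }
    return {name: rule_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, alerted in evaluate_samples().items():
        print(f"{name:15s} -> {'ALERT' if alerted else 'no alert'}")
```

The two misses are the practitioner caveats: a longer invoice name pushes `.exe` past the 32-byte window, and a lower-cased `filename=` value never satisfies the first content because the rule carries no `nocase`. Whether to widen `within` or add `nocase` is a trade-off against false positives on the other `*.pdf.exe` policy rules mentioned in the post.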
