[Emerging-Sigs] Proposed Signature for hostile 302 'gift.exe'
nathan at packetmail.net
Mon Oct 17 10:28:02 EDT 2011
Originating vector was an e-mail link; oddly enough, http://animalscountry.org is
actually pretty well done. Landing serves 'gift.exe', which is malicious; see
# A little weak on the executable matching but that's really all I got.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious gift.exe 302 Redirect"; flow:established,from_server; content:"/gift.exe|0d 0a|"; http_header; nocase; fast_pattern:only; content:"302"; http_stat_code; classtype:trojan-activity; sid:x; rev:1;)
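The two content matches in the proposed rule, emulated over constructed HTTP responses to show what the rule fires on and what it misses. This is an added example, not part of the original post; `location_is_exe`, the sample hosts and the `X-Ref` header are assumptions for illustration, and the header buffer is approximated rather than normalized the way Snort does it.

```python
# Added example: emulates the posted rule's matches on raw HTTP responses.
# Every sample response below is constructed for illustration.

def split_response(raw: bytes):
    """Return (status_code, header_block) from a raw HTTP response."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, headers = head.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    code = parts[1] if len(parts) > 1 else b""
    # Every header line is CRLF-terminated in the inspected buffer.
    return code, (headers + b"\r\n" if headers else b"")

def rule_matches(raw: bytes) -> bool:
    """content:"/gift.exe|0d 0a|"; http_header; nocase; content:"302"; http_stat_code;"""
    code, headers = split_response(raw)
    return b"302" in code and b"/gift.exe\r\n" in headers.lower()

def location_is_exe(raw: bytes, name: bytes = b"gift.exe") -> bool:
    """Stricter check (assumption, not the posted rule): the 302's Location
    path, with query string and fragment removed, ends in /<name>."""
    code, headers = split_response(raw)
    if code != b"302":
        return False
    for line in headers.split(b"\r\n"):
        field, _, value = line.partition(b":")
        if field.strip().lower() == b"location":
            path = value.strip().split(b"?", 1)[0].split(b"#", 1)[0]
            return path.lower().endswith(b"/" + name.lower())
    return False

SAMPLES = {  # constructed responses
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: http://landing.example/gift.exe\r\nContent-Length: 0\r\n\r\n",
    "mixed_case": b"HTTP/1.1 302 Found\r\nlocation: http://landing.example/GIFT.EXE\r\n\r\n",
    "query_string": b"HTTP/1.1 302 Found\r\nLocation: http://landing.example/gift.exe?id=1\r\n\r\n",
    "other_header": b"HTTP/1.1 302 Found\r\nLocation: /home\r\nX-Ref: /files/gift.exe\r\n\r\n",
    "direct_200": b"HTTP/1.1 200 OK\r\nContent-Disposition: attachment; filename=/gift.exe\r\n\r\nMZ",
}

def evaluate():
    """Map sample name -> (posted rule fires, stricter Location check fires)."""
    return {k: (rule_matches(v), location_is_exe(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for sample, (posted, strict) in evaluate().items():
        print(f"{sample:13} posted_rule={posted!s:5} location_check={strict}")
```

The `query_string` and `other_header` rows are the cases to weigh when tuning: the CRLF anchor ties the match to the end of a header line, and `http_header` does not restrict it to `Location`.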