[Emerging-Sigs] Proposed Signature for hostile 302 'gift.exe'

Nathan nathan at packetmail.net
Mon Oct 17 10:28:02 EDT 2011


Originating vector was an E-Mail link; oddly enough, http://animalscountry.org is
actually pretty well done.  Landing serves 'gift.exe', which is malicious; see
http://www.virustotal.com/file-scan/report.html?id=b90da363c9b52fce0457ba5dcd5fd18b5a594887fd5fee35307d5e4bf3fb3589-1318860872

#A little weak on the executable matching but that's really all I got.
alert $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS
Malicious gift.exe 302 Redirect"; flow:established,from_server;
content:"/gift.exe|0d 0a|"; http_header; nocase; fast_pattern:only;
content:"302"; http_stat_code; classtype:trojan-activity; sid:x; rev:1;)

Thanks,
Nathan
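The following is an added example, not part of Nathan's post and not Suricata/Snort code. It approximates the matching logic of the proposed rule in Python so the two conditions can be exercised against constructed sample responses: the status code must contain "302" (the http_stat_code buffer), and the normalized header block must contain "/gift.exe" immediately followed by CRLF, case-insensitively (the http_header content with nocase). The hostnames and responses below are constructed for illustration; the helper names are my own.

```python
import re

# Constructed sample HTTP responses (not real captures), used only to exercise the matcher.
SAMPLE_RESPONSES = {
    "redirect_to_gift": (
        "HTTP/1.1 302 Found\r\n"
        "Server: Apache\r\n"
        "Location: http://example.invalid/downloads/gift.exe\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ),
    # Different case in the path: the rule's 'nocase' still matches this.
    "case_variant": (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://example.invalid/GIFT.EXE\r\n"
        "\r\n"
    ),
    # '/gift.exe' is not directly followed by CRLF, so the rule as written misses it.
    "query_string": (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://example.invalid/gift.exe?id=1\r\n"
        "\r\n"
    ),
    # Direct 200 delivery of the file: the rule only fires on a 302, so no match.
    "direct_200": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Disposition: attachment; filename=gift.exe\r\n"
        "\r\n"
    ),
}

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3}) ", re.ASCII)


def split_response(raw):
    """Return (status_code, header_block) for a raw HTTP response.

    header_block excludes the status line and keeps a CRLF after every header,
    mirroring the IDS header buffer the rule's http_header keyword inspects.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, headers = head.partition("\r\n")
    m = STATUS_RE.match(status_line)
    if not m:
        return None, headers
    return m.group(1), headers + "\r\n"


def matches_gift_exe_302(raw):
    """Approximate the posted rule: '302' in the status code AND
    '/gift.exe' + CRLF (case-insensitive) somewhere in the header block."""
    status, headers = split_response(raw)
    if status is None or "302" not in status:
        return False
    return "/gift.exe\r\n" in headers.lower()


def evaluate_samples():
    """Run the matcher over every constructed sample; returns {name: matched}."""
    return {name: matches_gift_exe_302(raw) for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} -> {'ALERT' if hit else 'no match'}")
```

The "query_string" sample shows the practical consequence of anchoring the content with |0d 0a|: it keeps false positives on longer filenames down, but a redirect that appends a query string to the path slips past, and so does direct delivery of the file without a redirect. A deployment that cares about those variants needs a companion rule rather than a change to this one.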
