[Emerging-Sigs] Proposed Signature for hostile 302 'gift.exe'

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 18 12:07:44 EDT 2011


How about we just go with a suspicious download request for gift.exe? Not all that many places where that'd happen naturally?

Then we know if the browser followed and requested the exe, vs just an attempt. I'd hope safebrowsing or some other protection might prevent it, and thus we'd not have an event if so.

Matt


On Oct 17, 2011, at 10:28 AM, Nathan wrote:

> Originating vector was E-Mail link, oddly enough http://animalscountry.org is
> actually pretty well done. Landing serves 'gift.exe', which is malicious; see
> http://www.virustotal.com/file-scan/report.html?id=b90da363c9b52fce0457ba5dcd5fd18b5a594887fd5fee35307d5e4bf3fb3589-1318860872
> 
> #A little weak on the executable matching but that's really all I got.
> alert $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> Malicious gift.exe 302 Redirect"; flow:established,from_server;
> content:"/gift.exe|0d 0a|"; http_header; nocase; fast_pattern:only;
> content:"302"; http_stat_code; classtype:trojan-activity; sid:x; rev:1;)
> 
> Thanks,
> Nathan
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
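As an added illustration (not code from the thread or from either author) of the two detection points being compared: the quoted rule fires on the server's 302 response carrying `/gift.exe` in a header, while Matt's suggestion fires on the client's own request for the file, which is the evidence that the browser actually followed the redirect. The host name, path and HTTP messages below are constructed samples.

```python
import re

# Constructed sample traffic (not captured from the incident): a 302 whose
# Location header points at /gift.exe, then the browser's GET for that file.
SERVER_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://example.invalid/download/gift.exe\r\n"
    b"Content-Length: 0\r\n\r\n"
)
CLIENT_GET = (
    b"GET /download/gift.exe HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)


def redirect_to_gift_exe(response: bytes) -> bool:
    """Mirror of the quoted rule: status code 302 and a header line that
    ends in '/gift.exe' (case-insensitive, followed by CRLF)."""
    head = response.split(b"\r\n\r\n", 1)[0]
    status_line, _, headers = head.partition(b"\r\n")
    parts = status_line.split(b" ")
    if len(parts) < 2 or parts[1] != b"302":
        return False
    return re.search(rb"/gift\.exe\r\n", headers + b"\r\n", re.IGNORECASE) is not None


def request_for_gift_exe(request: bytes) -> bool:
    """Matt's alternative: did the client itself ask for gift.exe?"""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"GET":
        return False
    path = parts[1].split(b"?", 1)[0]          # ignore any query string
    return path.lower().endswith(b"/gift.exe")


def classify(messages):
    """messages: list of (direction, raw_bytes) with direction 'server' or
    'client'. Returns 'followed' if the browser requested the exe, 'attempt'
    if only the redirect was seen (e.g. blocked by safe browsing), else 'clean'."""
    saw_redirect = any(redirect_to_gift_exe(m) for d, m in messages if d == "server")
    saw_request = any(request_for_gift_exe(m) for d, m in messages if d == "client")
    if saw_request:
        return "followed"
    return "attempt" if saw_redirect else "clean"
```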


