[Emerging-Sigs] "ET TROJAN FakeAV Landing Page"

Marcos Orallo morallo at tb-security.com
Tue Dec 18 05:10:48 HAST 2012


I forgot to add the payload:

----------------------------------------------
GET /cgi-bin/r.cgi?p=10003&i=4eceb876&j=333&m=426c2c0e3a47ef54414bdd7afa5de26a&h=topbodyresults.com&u=/wp-content/uploads/2010/06/p90x-testimonials.jpg&q=&t=20121217131317 HTTP/1.1
Connection: keep-alive
Accept: */*
Referer: http://www.google.es/imgres?q=p90x+opiniones&start=78&um=1&hl=es&sa=N&tbo=d&biw=1317&bih=639&tbm=isch&tbnid=LIhwwnaUutGRDM:&imgrefurl=http://www.sodahead.com/living/would-you-trade-a-year-of-your-life-for-the-perfect-body/question-1654325/%3Fpage%3D6&docid=PL8JyID3ivk-eM&imgurl=http://topbodyresults.com/wp-content/uploads/2010/06/p90x-testimonials.jpg&w=590&h=456&ei=wG7PUI3lL8aR0AWF-YDYCA&zoom=1&iact=hc&vpx=318&vpy=327&dur=3094&hovh=197&hovw=255&tx=125&ty=147&sig=101713389886022537501&page=4&tbnh=138&tbnw=158&ndsp=28&ved=1t:429,r:1,s:100,i:7
Accept-Language: es
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: dutytraditional.net
X-IMForwards: 20
------------------------------------------------

Regards,
Marcos.

On 18/12/2012 15:58, Marcos Orallo wrote:
> Hi all,
>
> I have regular detections from this rule, together with this other one:
> "ET CURRENT_EVENTS Ponmocup Redirection from infected Website to
> Trojan-Downloader".
>
> From what I understand, I suppose this is just a landing page to show a
> false antivirus scan and persuade the user to download and install a
> fake AV.
> However, the rule is labeled as "TROJAN" in trojan.rules file, and
> classified as "trojan-activity". I had the impression this type of rule
> triggered only when there has already been an infection.
>
> Maybe it should be moved to CURRENT_EVENTS?
>
> Regards,
> Marcos.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
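As an added example (not from the post or the ET ruleset), a small Python triage helper that parses the captured request above and pulls out the redirect chain an analyst wants to see: the landing host, the site named in h=, the hotlinked image path, and whether the visitor arrived from a search-engine image result. The r.cgi parameter set and the 32-hex check on m= are taken from this single capture, so they are assumptions about the pattern, not the rule's own logic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request from the post above (mail-wrapped lines rejoined; the long Google
# Referer is shortened to the parameters the triage looks at).
CAPTURED_REQUEST = (
    "GET /cgi-bin/r.cgi?p=10003&i=4eceb876&j=333&m=426c2c0e3a47ef54414bdd7afa5de26a"
    "&h=topbodyresults.com&u=/wp-content/uploads/2010/06/p90x-testimonials.jpg"
    "&q=&t=20121217131317 HTTP/1.1\r\n"
    "Referer: http://www.google.es/imgres?q=p90x+opiniones&tbm=isch"
    "&imgurl=http://topbodyresults.com/wp-content/uploads/2010/06/p90x-testimonials.jpg\r\n"
    "Host: dutytraditional.net\r\n"
    "X-IMForwards: 20\r\n\r\n"
)

# Query keys present in this one capture; assumed, not taken from the ET rule.
REDIRECTOR_KEYS = {"p", "i", "j", "m", "h", "u", "t"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def triage(raw):
    """Extract the redirect-chain facts from one request of this shape."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    qs = parse_qs(url.query, keep_blank_values=True)
    referer = urlsplit(headers.get("referer", ""))
    ref_qs = parse_qs(referer.query, keep_blank_values=True)
    matches = (
        method == "GET"
        and url.path == "/cgi-bin/r.cgi"
        and REDIRECTOR_KEYS.issubset(qs)
        and re.fullmatch(r"[0-9a-f]{32}", qs["m"][0]) is not None
    )
    return {
        "matches_redirector": matches,
        "landing_host": headers.get("host"),            # host serving the landing page
        "compromised_site": qs.get("h", [None])[0],    # site the visitor was sent from
        "hotlinked_path": qs.get("u", [None])[0],      # image path that was requested
        "referer_host": referer.netloc,
        "from_image_search": referer.path.endswith("/imgres") or ref_qs.get("tbm") == ["isch"],
    }
```

Feeding proxy or IDS captures through triage() groups alerts by compromised_site, which is the site owner to notify, rather than by the throwaway landing host.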


