[Emerging-Sigs] SIGS: MULTIPLE MOBILE_MALWARE & TROJAN SIGS

Darien Huss dhuss at emergingthreats.net
Fri Sep 5 08:10:57 EDT 2014


Thanks Kevin, we'll get these into QA!

Regards,
Darien


On Fri, Sep 5, 2014 at 6:11 AM, Kevin Ross <kevross33 at googlemail.com> wrote:

> correction on this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Dycler.Dropper Google Connectivity Check"; flow:established,to_server; content:"HOST|3A|www.google.com"; http_header; fast_pattern:only; content:"|00 00 00 00 00 00 00 00 00 00|"; http_client_body; depth:10; classtype:trojan-activity; reference:md5,1b1eb326141d8baeca752d949d049eee; sid:191316; rev:1;)
>
> Kind Regards,
> kevin
>
>
>
> On 5 September 2014 11:10, Kevin Ross <kevross33 at googlemail.com> wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Youmi.Adware IP Lookup"; flow:established,to_server; content:"/iplookup/iplookup.php?format="; http_uri; fast_pattern:10,20; content:"&ip="; http_uri; content:"User-Agent|3A| Apache-HttpClient/UNAVAILABLE (java 1.4)"; http_header; classtype:trojan-activity; reference:md5,6096ace9002792e625a0cdb6aec3f379; sid:191311; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/report/install"; http_uri; depth:15; content:"data="; http_client_body; depth:5; content:"os="; http_client_body; distance:0; content:"mac="; http_client_body; distance:0; content:"sign="; http_client_body; distance:0; classtype:trojan-activity; reference:md5,6096ace9002792e625a0cdb6aec3f379; sid:191312; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Leadbolt.Adware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/show_app.conf?&get="; http_uri; depth:20; content:"&section_id="; http_uri; distance:0; content:"ref="; http_client_body; depth:4; classtype:trojan-activity; reference:md5,3ca21926c3cb4176b193227c94d71ea5; sid:191313; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Leadbolt.Adware Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/show_app?pf="; http_uri; depth:13; content:"&req="; http_uri; distance:0; content:"&scr_"; http_uri; distance:0; content:"&section_id="; classtype:trojan-activity; reference:md5,3ca21926c3cb4176b193227c94d71ea5; sid:191314; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bapy.Downloader CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/tmps."; http_uri; depth:6; fast_pattern; content:" HTTP/1.1|0D 0A|Host|3A 20|"; content:"|0D 0A|Connection|3A| close|0D 0A|User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1)|0D 0A 0D 0A|"; pcre:"/Host\x3A\x20[^\r\n]*\x0D\x0AConnection\x3A\x20Close/smi"; classtype:trojan-activity; reference:md5,e256976cedda8c9d07a21ca0e5c2f86c; sid:191315; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Dycler.Dropper Google Connectivity Check"; flow:established,to_server; urilen:1; http_method; content:"HOST|3A|www.google.com"; http_header; fast_pattern:only; content:"|00 00 00 00 00 00 00 00 00 00|"; http_client_body; depth:10; classtype:trojan-activity; reference:md5,1b1eb326141d8baeca752d949d049eee; sid:191316; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bravix.Dropper CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/ctl/get.php?file=cmds/main"; http_uri; content:"HTTP/1.0|0D 0A|User-Agent|3A|"; content:!"Referer|3A|"; http_header; content:"Pragma|3A| no-cache"; http_header; classtype:trojan-activity; reference:md5,19484a240a16c7faea84dcac0c38d118; sid:191317; rev:1;)
>>
>> Kind Regards,
>> kevin Ross
>>
>
>
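An added example, not part of the thread and not code from the Emerging Threats ruleset: a small Python linter for the kind of option-ordering mistake Kevin's correction fixes. In the first sid 191316 the http_method keyword had no preceding content, which the engine rejects at rule load; the correction simply drops it. The linter splits a rule's option block (respecting quotes and pcre escapes), checks that every content modifier follows a content, warns when a rule that otherwise inspects HTTP buffers also carries a bare content (which matches the raw payload rather than a normalised buffer), and flags a sid used more than once across a set. The three rule texts in the block are copied from this thread and re-joined onto one line each; the check names and messages are my own.

```python
"""Lint Snort/Suricata rule options for ordering mistakes.

Added example, not code from the Emerging Threats ruleset or from the thread; the
rule texts below are copied from the thread, the checks and messages are mine.
"""
import re

# Keywords that are only valid directly after a content match.
CONTENT_MODIFIERS = {
    "nocase", "depth", "offset", "distance", "within", "fast_pattern", "http_uri", "http_raw_uri",
    "http_header", "http_raw_header", "http_method", "http_client_body", "http_cookie", "http_stat_code",
}
HTTP_BUFFERS = {m for m in CONTENT_MODIFIERS if m.startswith("http_")}
REQUIRED = ("msg", "sid", "rev", "classtype")

def split_options(body: str) -> list[tuple[str, str]]:
    """Split on ';' outside double quotes, honouring backslash escapes (pcre)."""
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body + ";":  # the extra ';' flushes the final option
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            token, current = "".join(current).strip(), []
            if token:
                key, _, value = token.partition(":")
                options.append((key.strip(), value.strip()))
            continue
        current.append(ch)
    return options

def parse_rule(rule: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (header, options); a rule wrapped across lines is re-joined first."""
    rule = re.sub(r"\s*\n\s*", " ", rule.strip())
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no (...) option block")
    return rule[:start].strip(), split_options(rule[start + 1:end])

def lint_rule(rule: str) -> list[str]:
    """Findings for one rule; 'error' items make the engine reject it at load."""
    _, options = parse_rule(rule)
    findings = [f"error: missing {k}" for k in REQUIRED if k not in dict(options)]
    groups: list[tuple[str, list[str]]] = []  # (content value, modifiers after it)
    group_open = False
    for key, value in options:
        if key == "content":
            groups.append((value, []))
            group_open = True
        elif key in CONTENT_MODIFIERS:
            if group_open:
                groups[-1][1].append(key)
            else:
                findings.append(f"error: {key} has no preceding content")
        else:
            group_open = False  # any other keyword closes the content group
    # A content without an http_* modifier matches the raw payload, not a
    # normalised buffer; in an HTTP-buffer rule that is usually an oversight.
    if any(HTTP_BUFFERS & set(mods) for _, mods in groups):
        findings += [f"warning: content {value} matches raw payload (no http_* buffer)"
                     for value, mods in groups if not HTTP_BUFFERS & set(mods)]
    return findings

def lint_ruleset(rules: list[str]) -> dict[str, list[str]]:
    """Lint every rule and flag any sid that is used more than once."""
    report, first_use = {}, {}
    for index, rule in enumerate(rules, 1):
        sid = dict(parse_rule(rule)[1]).get("sid", "?")
        label = f"rule {index} (sid {sid})"
        report[label] = lint_rule(rule)
        if sid in first_use:
            report[label].append(f"error: sid {sid} already used by {first_use[sid]}")
        first_use.setdefault(sid, label)
    return report

DYCLER_ORIGINAL = (  # sid 191316 as first posted in the thread
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Dycler.Dropper '
    'Google Connectivity Check"; flow:established,to_server; urilen:1; http_method; '
    'content:"HOST|3A|www.google.com"; http_header; fast_pattern:only; '
    'content:"|00 00 00 00 00 00 00 00 00 00|"; http_client_body; depth:10; '
    'classtype:trojan-activity; reference:md5,1b1eb326141d8baeca752d949d049eee; sid:191316; rev:1;)'
)
DYCLER_CORRECTED = DYCLER_ORIGINAL.replace("urilen:1; http_method; ", "")  # Kevin's correction
BAPY = (  # sid 191315 from the thread
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bapy.Downloader '
    'CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/tmps."; '
    'http_uri; depth:6; fast_pattern; content:" HTTP/1.1|0D 0A|Host|3A 20|"; '
    'content:"|0D 0A|Connection|3A| close|0D 0A|User-Agent|3A| Mozilla/4.0 (compatible|3B| '
    'MSIE 7.0|3B| Windows NT 5.1)|0D 0A 0D 0A|"; '
    r'pcre:"/Host\x3A\x20[^\r\n]*\x0D\x0AConnection\x3A\x20Close/smi"; '
    'classtype:trojan-activity; reference:md5,e256976cedda8c9d07a21ca0e5c2f86c; sid:191315; rev:1;)'
)

if __name__ == "__main__":
    for label, findings in lint_ruleset([DYCLER_ORIGINAL, DYCLER_CORRECTED, BAPY]).items():
        print(label, "->", findings or ["ok"])
```

Run stand-alone it reports the bare http_method in the first 191316 as an error, passes the corrected rule, warns about the two un-buffered contents in 191315, and flags the duplicate sid, which is what a QA pass over a correction like this one wants to see. The engine's own test mode (for Suricata, suricata -T with -S pointing at the rule file) catches the fatal case as well; the warning class is the part the engine accepts silently, so that is where a linter earns its keep.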