[Emerging-Sigs] SIGS: Kyle&Stan Malvertising Malware Cisco Security Blog

Kevin Ross kevross33 at googlemail.com
Tue Sep 9 10:50:47 EDT 2014


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MAC/Conduit Vsearch Component Download"; flow:established,to_server; content:"/vsearch/installer?dp="; http_uri; content:"&sdp="; http_uri; content:"&f="; http_uri; content:"&id="; http_uri; content:"&v="; http_uri; classtype:trojan-activity; reference:url,blogs.cisco.com/security/kyle-and-stan/; sid:1239911; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Kyle&Stan Malvertising.Dropper CnC Beacon 1"; flow:established,to_server; urilen:>50; content:"GET"; http_method; pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U"; content:"Proxy-Authorization|3A| Basic"; http_header; content:"Host|3A| stan|2E|"; http_header; fast_pattern:only; classtype:trojan-activity; reference:url,blogs.cisco.com/security/kyle-and-stan/; reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239912; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Kyle&Stan Malvertising.Dropper CnC Beacon 2"; flow:established,to_server; urilen:>50; content:"GET"; http_method; pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U"; content:"Proxy-Authorization|3A| Basic"; http_header; content:"Host|3A| kyle|2E|"; http_header; fast_pattern:only; classtype:trojan-activity; reference:url,blogs.cisco.com/security/kyle-and-stan/; reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239913; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Kyle&Stan Malvertising.Dropper CnC Download Instructions"; flow:established,to_client; file_data; content:"{|22|time|22 3A|"; within:15; content:"|22|country|22 3A|"; distance:0; content:"|22|countryID|22 3A|"; distance:0; content:"|22|installerBehavior|22 3A|"; distance:0; content:"|22|hideOnInstall|22 3A|"; distance:0; content:"|22|abortUrl|22 3A|"; distance:0; classtype:trojan-activity; reference:url,blogs.cisco.com/security/kyle-and-stan/; reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239914; rev:1;)


Kind Regards,
Kevin Ross
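An added example (not part of the post above, and not Emerging Threats or Cisco code) that re-implements the matching logic of the three Kyle&Stan rules in plain Python, so the conditions each rule imposes (urilen, the hex-path pcre, the Proxy-Authorization and Host header contents, and the ordered JSON keys with within/distance) can be checked against constructed sample traffic. The hostnames and header values in the samples are constructed placeholders, not indicators from the page.

```python
import re

# pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U": a normalized URI made only of hex chars and slashes.
BEACON_URI = re.compile(r"^/[a-f0-9/]{50,}$")
# The six content matches of sid 1239914, in the order the rule requires them.
INSTRUCTION_KEYS = ['{"time":', '"country":', '"countryID":',
                    '"installerBehavior":', '"hideOnInstall":', '"abortUrl":']

def parse_request(raw):
    """Split a raw HTTP request into (method, uri, headers); header names lowercased."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def match_beacon(raw):
    """Return 1239912 (Host stan.) or 1239913 (Host kyle.) when the beacon rules match, else None."""
    method, uri, headers = parse_request(raw)
    # content:"GET"; http_method; urilen:>50; and the pcre on the URI buffer
    if method != "GET" or len(uri) <= 50 or not BEACON_URI.match(uri):
        return None
    # content:"Proxy-Authorization|3A| Basic"; http_header (case-sensitive value, as in the rule)
    if not headers.get("proxy-authorization", "").startswith("Basic"):
        return None
    host = headers.get("host", "")
    if host.startswith("stan."):
        return 1239912
    if host.startswith("kyle."):
        return 1239913
    return None

def match_instructions(body):
    """Return 1239914 when a response body matches the Download Instructions rule, else None."""
    first = INSTRUCTION_KEYS[0]
    pos = body.find(first)
    # within:15 with no earlier match: the first content must end inside the first 15 bytes
    if pos == -1 or pos + len(first) > 15:
        return None
    cursor = pos + len(first)
    for key in INSTRUCTION_KEYS[1:]:
        pos = body.find(key, cursor)          # distance:0 -> search from end of previous match
        if pos == -1:
            return None
        cursor = pos + len(key)
    return 1239914

# Constructed samples (placeholder hostnames and credentials, not real indicators).
BEACON_STAN = ("GET /" + "ab12cd34" * 7 + " HTTP/1.1\r\nHost: stan.example.invalid\r\n"
               "Proxy-Authorization: Basic QUJDOjEyMw==\r\n\r\n")
BEACON_KYLE = BEACON_STAN.replace("stan.", "kyle.")
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: stan.example.invalid\r\n\r\n"
INSTRUCTIONS = ('{"time":1,"country":"XX","countryID":0,"installerBehavior":0,'
                '"hideOnInstall":1,"abortUrl":""}')
```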