[Emerging-Sigs] SIGS: Kyle&Stan Malvertising Malware Cisco Security Blox

Darien Huss dhuss at emergingthreats.net
Tue Sep 9 10:51:30 EDT 2014


Thanks Kevin, we'll get that into QA!

Regards,
Darien

On Tue, Sep 9, 2014 at 10:50 AM, Kevin Ross <kevross33 at googlemail.com>
wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MAC/Conduit Vsearch Component Download"; flow:established,to_server; content:"/vsearch/installer?dp="; http_uri; content:"&sdp="; http_uri; content:"&f="; http_uri; content:"&id="; http_uri; content:"&v="; http_uri; classtype:trojan-activity; reference:url,blogs.cisco.com/security/kyle-and-stan/; sid:1239911; rev:1;)
>
> # Beacon URI is "/" followed by 50+ chars of lowercase hex and slashes, with no query string; Host header selects the stan. / kyle. variant.
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Kyle&Stan Malvertising.Dropper CnC Beacon 1"; flow:established,to_server; urilen:>50; content:"GET"; http_method; pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U"; content:"Proxy-Authorization|3A| Basic"; http_header; content:"Host|3A| stan|2E|"; http_header; fast_pattern:only; classtype:trojan-activity; reference:url,blogs.cisco.com/security/kyle-and-stan/; reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239912; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Kyle&Stan Malvertising.Dropper CnC Beacon 2"; flow:established,to_server; urilen:>50; content:"GET"; http_method; pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U"; content:"Proxy-Authorization|3A| Basic"; http_header; content:"Host|3A| kyle|2E|"; http_header; fast_pattern:only; classtype:trojan-activity; reference:url,blogs.cisco.com/security/kyle-and-stan/; reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239913; rev:1;)
>
> # JSON instruction blob: '{"time":' must sit at the start of the file body (depth:15, since the first content after file_data has no prior match for within to be relative to), then the remaining keys in order.
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Kyle&Stan Malvertising.Dropper CnC Download Instructions"; flow:established,to_client; file_data; content:"{|22|time|22 3A|"; depth:15; content:"|22|country|22 3A|"; distance:0; content:"|22|countryID|22 3A|"; distance:0; content:"|22|installerBehavior|22 3A|"; distance:0; content:"|22|hideOnInstall|22 3A|"; distance:0; content:"|22|abortUrl|22 3A|"; distance:0; classtype:trojan-activity; reference:url,blogs.cisco.com/security/kyle-and-stan/; reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239914; rev:1;)
>
>
> Kind Regards,
> Kevin Ross
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
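As an added cross-check that is not part of Kevin's post or the ET ruleset: the Python below reproduces the matching logic of sids 1239912, 1239913 and 1239914 over constructed HTTP messages, so the positive and negative cases (a query string defeating the "$" anchor, uppercase hex, a wrong Host, the JSON envelope pushing '{"time":' past the first 15 bytes) can be exercised before the rules go to QA. The hostnames under .invalid, the hex path, the Proxy-Authorization value and the JSON body are all made up for the example and are not captured traffic.

```python
import re
from typing import Dict, Optional, Tuple

# Mirror of the rule's pcre "/^\x2F[a-f0-9\x2F]{50,}$/U" (\x2F is "/"),
# applied to the normalized URI, which includes any query string.
BEACON_URI_RE = re.compile(r"^/[a-f0-9/]{50,}$")

# JSON keys sid 1239914 chains with distance:0, in the order it requires.
INSTRUCTION_KEYS = ['"country":', '"countryID":', '"installerBehavior":',
                    '"hideOnInstall":', '"abortUrl":']


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request into (method, uri, headers keyed by lowercased name)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def beacon_family(raw: bytes) -> Optional[str]:
    """Return "stan" or "kyle" when the request would fire sid 1239912/1239913, else None."""
    method, uri, headers = parse_request(raw)
    if method != "GET" or len(uri) <= 50:            # http_method + urilen:>50
        return None
    if not BEACON_URI_RE.match(uri):                 # pcre with the /U flag
        return None
    if not headers.get("proxy-authorization", "").startswith("Basic"):
        return None                                  # Proxy-Authorization|3A| Basic
    host = headers.get("host", "")
    for family in ("stan", "kyle"):                  # Host|3A| stan|2E| / kyle|2E|
        if host.startswith(family + "."):
            return family
    return None


def is_instruction_blob(body: bytes) -> bool:
    """True when the body would fire sid 1239914: '{"time":' entirely inside the first
    15 bytes (depth:15), then each remaining key at or after the previous match (distance:0)."""
    text = body.decode("latin-1")
    first = '{"time":'
    pos = text.find(first, 0, 15)                    # must lie within body[0:15]
    if pos < 0:
        return False
    pos += len(first)
    for key in INSTRUCTION_KEYS:
        pos = text.find(key, pos)
        if pos < 0:
            return False
        pos += len(key)
    return True


# ---- constructed sample messages (not captured traffic) ----
HEX64 = "0123456789abcdef" * 4                        # 64 lowercase hex chars
BEACON_PATH = "/" + HEX64[:32] + "/" + HEX64[32:]     # 66 chars, all [a-f0-9/]


def make_request(host: str, uri: str, proxy_auth: bool = True) -> bytes:
    """Build a minimal GET request for the checks above."""
    lines = [f"GET {uri} HTTP/1.1", f"Host: {host}"]
    if proxy_auth:
        lines.append("Proxy-Authorization: Basic dXNlcjpwYXNz")   # made-up credential
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


STAN_BEACON = make_request("stan.example.invalid", BEACON_PATH)
KYLE_BEACON = make_request("kyle.example.invalid", BEACON_PATH)
WITH_QUERY = make_request("stan.example.invalid", BEACON_PATH + "?x=1")   # "$" fails
UPPERCASE = make_request("stan.example.invalid", BEACON_PATH.upper())     # [a-f0-9] fails
NO_PROXY_AUTH = make_request("stan.example.invalid", BEACON_PATH, proxy_auth=False)
OTHER_HOST = make_request("www.example.invalid", BEACON_PATH)

INSTRUCTIONS = (b'{"time":1410270000,"country":"US","countryID":840,'
                b'"installerBehavior":"silent","hideOnInstall":true,"abortUrl":""}')
# Same keys inside an envelope: '{"time":' now starts at offset 19, outside depth:15.
WRAPPED = b'{"status":"ok","d":' + INSTRUCTIONS + b'}'
# Keys present but out of the order the distance:0 chain requires.
REORDERED = (b'{"country":"US","time":1410270000,"countryID":840,'
             b'"installerBehavior":"silent","hideOnInstall":true,"abortUrl":""}')

if __name__ == "__main__":
    for name, req in [("stan beacon", STAN_BEACON), ("kyle beacon", KYLE_BEACON),
                      ("query string", WITH_QUERY), ("uppercase hex", UPPERCASE),
                      ("no proxy auth", NO_PROXY_AUTH), ("other host", OTHER_HOST)]:
        print(f"{name:14s} -> {beacon_family(req)}")
    for name, body in [("instructions", INSTRUCTIONS), ("wrapped", WRAPPED),
                       ("reordered", REORDERED)]:
        print(f"{name:14s} -> {is_instruction_blob(body)}")
```

The beacon check keys on the Host prefix exactly as the rules do, so a host such as stan.example.invalid fires while www.example.invalid does not; if the campaign rotates to other subdomains the URI regex alone would still match, and that is the part worth watching in QA for false positives on long hex-only paths.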