[Emerging-Sigs] SIGS: Kyle&Stan Malvertising Malware Cisco Security Blox

Darien Huss dhuss at emergingthreats.net
Wed Sep 10 11:41:05 EDT 2014


From what we have seen, the traffic to the kyle.* domains is different.
Everything we analyzed was already covered (besides the OSX) by an OPEN sig
(2808261,2018557) and one PRO sig. We moved the PRO sig over to OPEN which
is now sid:2019143. Even 1239912 we were a little reluctant to post because
so far all the PEs we have are already covered, but we'll keep an eye on it
just in case we were missing anything. Let me know if that didn't clear
everything up.

Regards,
Darien

On Wed, Sep 10, 2014 at 11:11 AM, Jake Warren <jake.warren at masergy.com>
wrote:

> I saw you guys pushed most of Kevin's signatures, is there some reason
> Kevin's 1239913 signature was left out? Unless I'm missing something that
> would leave all kyle.* domains without coverage.
>
> Also, although it's not a big deal, Kevin's MD5 reference didn't get
> included in 2019145.
>
> Thanks,
> Jake
>
> On Tue, Sep 9, 2014 at 9:51 AM, Darien Huss <dhuss at emergingthreats.net>
> wrote:
>
>> Thanks Kevin, we'll get that into QA!
>>
>> Regards,
>> Darien
>>
>> On Tue, Sep 9, 2014 at 10:50 AM, Kevin Ross <kevross33 at googlemail.com>
>> wrote:
>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>> MAC/Conduit Vsearch Component Download"; flow:established,to_server;
>>> content:"/vsearch/installer?dp="; http_uri; content:"&sdp="; http_uri;
>>> content:"&f="; http_uri; content:"&id="; http_uri; content:"&v="; http_uri;
>>> classtype:trojan-activity; reference:url,
>>> blogs.cisco.com/security/kyle-and-stan/; sid:1239911; rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>> W32/Kyle&Stan Malvertising.Dropper CnC Beacon 1";
>>> flow:established,to_server; urilen:>50; content:"GET"; http_method;
>>> pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U"; content:"Proxy-Authorization|3A| Basic";
>>> http_header; content:"Host|3A| stan|2E|"; http_header; fast_pattern:only;
>>> classtype:trojan-activity; reference:url,
>>> blogs.cisco.com/security/kyle-and-stan/;
>>> reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239912; rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>> W32/Kyle&Stan Malvertising.Dropper CnC Beacon 2";
>>> flow:established,to_server; urilen:>50; content:"GET"; http_method;
>>> pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U"; content:"Proxy-Authorization|3A| Basic";
>>> http_header; content:"Host|3A| kyle|2E|"; http_header; fast_pattern:only;
>>> classtype:trojan-activity; reference:url,
>>> blogs.cisco.com/security/kyle-and-stan/;
>>> reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239913; rev:1;)
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
>>> 32/Kyle&Stan Malvertising.Dropper CnC Download Instructions";
>>> flow:established,to_client; file_data; content:"{|22|time|22 3A|";
>>> within:15; content:"|22|country|22 3A|"; distance:0;
>>> content:"|22|countryID|22 3A|"; distance:0;
>>> content:"|22|installerBehavior|22 3A|"; distance:0;
>>> content:"|22|hideOnInstall|22 3A|"; distance:0; content:"|22|abortUrl|22
>>> 3A|"; distance:0; classtype:trojan-activity; reference:url,
>>> blogs.cisco.com/security/kyle-and-stan/;
>>> reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239914; rev:1;)
>>>
>>>
>>> Kind Regards,
>>> Kevin Ross
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreats.net
>>>
>>>
>>>
>>
>>
>
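The rules Kevin posted above, as a worked detection example added here (it is not part of Kevin's post, Darien's reply, or the ET rule set): a plain-Python emulation of the conditions that sids 1239912, 1239913 and 1239914 combine, run over constructed HTTP samples. The host names, the hex path, the Basic credential and the JSON values are all invented for the example; only the rule conditions come from the thread.

```python
"""Emulate the matching logic of the Kyle&Stan rules from this thread.

Added example, not from the original post or the ET rule set. It re-implements
the conditions the Snort rules combine, so the reader can see which constraint
rejects which request:
  - sid:1239912 / 1239913: GET, URI longer than 50 bytes, URI made only of hex
    digits and slashes, a "Proxy-Authorization: Basic" header, and a Host header
    whose value starts with "stan." or "kyle.".
  - sid:1239914: response body whose first 15 bytes contain {"time": and which
    then carries "country", "countryID", "installerBehavior", "hideOnInstall"
    and "abortUrl" keys in that order.
All sample requests and bodies below are constructed for this example.
"""
import re

# pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U" from sids 1239912/1239913, applied to the URI
BEACON_URI = re.compile(rb"^/[a-f0-9/]{50,}$")
# Host header prefix -> sid, from content:"Host|3A| stan|2E|" and "Host|3A| kyle|2E|"
BEACON_HOSTS = {b"stan.": "1239912", b"kyle.": "1239913"}
# Ordered content matches of sid 1239914 (the JSON keys with their ':' as in the rule)
INSTRUCTION_START = b'{"time":'                       # content:"{|22|time|22 3A|"; within:15
INSTRUCTION_KEYS = [b'"country":', b'"countryID":', b'"installerBehavior":',
                    b'"hideOnInstall":', b'"abortUrl":']  # each distance:0 from the previous


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, headers) with lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method, uri = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def match_beacon(raw):
    """Return the sid (as a string) that would fire on this request, or None."""
    method, uri, headers = parse_request(raw)
    if method != b"GET":                                # content:"GET"; http_method
        return None
    if len(uri) <= 50:                                  # urilen:>50
        return None
    if not BEACON_URI.match(uri):                       # hex-and-slash-only path
        return None
    if not headers.get(b"proxy-authorization", b"").startswith(b"Basic"):
        return None                                     # "Proxy-Authorization|3A| Basic"; http_header
    host = headers.get(b"host", b"")
    for prefix, sid in BEACON_HOSTS.items():            # case-sensitive, as the rule is written
        if host.startswith(prefix):
            return sid
    return None


def match_instructions(body):
    """Return True if body satisfies the ordered content chain of sid 1239914."""
    start = body.find(INSTRUCTION_START)
    # within:15 on the first content: the whole 8-byte match must end inside the first 15 bytes
    if start < 0 or start + len(INSTRUCTION_START) > 15:
        return False
    cursor = start + len(INSTRUCTION_START)
    for key in INSTRUCTION_KEYS:
        idx = body.find(key, cursor)                    # distance:0 -> must follow the previous match
        if idx < 0:
            return False
        cursor = idx + len(key)
    return True


# Constructed samples (hostnames, path bytes and credentials are invented)
HEX_PATH = b"/" + b"0123456789abcdef" * 3 + b"/" + b"deadbeef"   # 58 bytes of hex and slashes
STAN_BEACON = (b"GET " + HEX_PATH + b" HTTP/1.1\r\n"
               b"Host: stan.example.invalid\r\n"
               b"Proxy-Authorization: Basic dXNlcjpwYXNz\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n")
KYLE_BEACON = STAN_BEACON.replace(b"stan.", b"kyle.")
NO_PROXY_AUTH = STAN_BEACON.replace(b"Proxy-Authorization: Basic dXNlcjpwYXNz\r\n", b"")
WRONG_HOST = STAN_BEACON.replace(b"stan.example.invalid", b"cdn.example.invalid")
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
INSTRUCTIONS_BODY = (b'{"time":1410355200,"country":"US","countryID":840,'
                     b'"installerBehavior":1,"hideOnInstall":true,'
                     b'"abortUrl":"http://example.invalid/abort"}')
REORDERED_BODY = b'{"country":"US","time":1410355200,"countryID":840}'

if __name__ == "__main__":
    for name, req in [("stan", STAN_BEACON), ("kyle", KYLE_BEACON), ("no-proxy-auth", NO_PROXY_AUTH),
                      ("wrong-host", WRONG_HOST), ("benign", BENIGN_REQUEST)]:
        print(f"{name:14s} -> sid {match_beacon(req)}")
    print("instructions   ->", match_instructions(INSTRUCTIONS_BODY))
    print("reordered json ->", match_instructions(REORDERED_BODY))
```

The emulation is a reading aid for the rule logic, not a substitute for the engine: Snort applies the `/U` pcre and `urilen` to the normalized URI buffer and the `http_header` contents to the normalized header buffer, so a real sensor may see a slightly different byte string than the raw request shown here. The near-miss samples (long hex path but wrong host, or right host but no `Proxy-Authorization`) show why the rule needs all of its constraints together to stay tight.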

