[Emerging-Sigs] SIGS: Kyle&Stan Malvertising Malware Cisco Security Blox

Jake Warren jake.warren at masergy.com
Wed Sep 10 12:51:24 EDT 2014


Thanks Darien, I didn't realize that it was already covered by the open
ruleset. I appreciate the quick response.

-Jake

On Wed, Sep 10, 2014 at 10:41 AM, Darien Huss <dhuss at emergingthreats.net>
wrote:

> From what we have seen, the traffic to the kyle.* domains is different.
> Everything we analyzed was already covered (besides the OSX) by an OPEN sig
> (2808261,2018557) and one PRO sig. We moved the PRO sig over to OPEN which
> is now sid:2019143. Even 1239912 we were a little reluctant to post because
> so far all the PEs we have are already covered, but we'll keep an eye on it
> just in case we were missing anything. Let me know if that didn't clear
> everything up.
>
> Regards,
> Darien
>
> On Wed, Sep 10, 2014 at 11:11 AM, Jake Warren <jake.warren at masergy.com>
> wrote:
>
>> I saw you guys pushed most of Kevin's signatures; is there some reason
>> Kevin's 1239913 signature was left out? Unless I'm missing something, that
>> would leave all kyle.* domains without coverage.
>>
>> Also, although it's not a big deal, Kevin's MD5 reference didn't get
>> included in 2019145.
>>
>> Thanks,
>> Jake
>>
>> On Tue, Sep 9, 2014 at 9:51 AM, Darien Huss <dhuss at emergingthreats.net>
>> wrote:
>>
>>> Thanks Kevin, we'll get that into QA!
>>>
>>> Regards,
>>> Darien
>>>
>>> On Tue, Sep 9, 2014 at 10:50 AM, Kevin Ross <kevross33 at googlemail.com>
>>> wrote:
>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>>> MAC/Conduit Vsearch Component Download"; flow:established,to_server;
>>>> content:"/vsearch/installer?dp="; http_uri; content:"&sdp="; http_uri;
>>>> content:"&f="; http_uri; content:"&id="; http_uri; content:"&v="; http_uri;
>>>> classtype:trojan-activity; reference:url,
>>>> blogs.cisco.com/security/kyle-and-stan/; sid:1239911; rev:1;)
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>>> W32/Kyle&Stan Malvertising.Dropper CnC Beacon 1";
>>>> flow:established,to_server; urilen:>50; content:"GET"; http_method;
>>>> pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U"; content:"Proxy-Authorization|3A| Basic";
>>>> http_header; content:"Host|3A| stan|2E|"; http_header; fast_pattern:only;
>>>> classtype:trojan-activity; reference:url,
>>>> blogs.cisco.com/security/kyle-and-stan/;
>>>> reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239912; rev:1;)
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>>> W32/Kyle&Stan Malvertising.Dropper CnC Beacon 2";
>>>> flow:established,to_server; urilen:>50; content:"GET"; http_method;
>>>> pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U"; content:"Proxy-Authorization|3A| Basic";
>>>> http_header; content:"Host|3A| kyle|2E|"; http_header; fast_pattern:only;
>>>> classtype:trojan-activity; reference:url,
>>>> blogs.cisco.com/security/kyle-and-stan/;
>>>> reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239913; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
>>>> 32/Kyle&Stan Malvertising.Dropper CnC Download Instructions";
>>>> flow:established,to_client; file_data; content:"{|22|time|22 3A|";
>>>> within:15; content:"|22|country|22 3A|"; distance:0;
>>>> content:"|22|countryID|22 3A|"; distance:0;
>>>> content:"|22|installerBehavior|22 3A|"; distance:0;
>>>> content:"|22|hideOnInstall|22 3A|"; distance:0; content:"|22|abortUrl|22
>>>> 3A|"; distance:0; classtype:trojan-activity; reference:url,
>>>> blogs.cisco.com/security/kyle-and-stan/;
>>>> reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239914; rev:1;)
>>>>
>>>>
>>>> Kind Regards,
>>>> Kevin Ross
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at lists.emergingthreats.net
>>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>>> http://www.emergingthreats.net
>>
>
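As an added illustration (not part of the thread and not Emerging Threats or Kevin's code), the following Python mirrors the detection logic of the two "CnC Beacon" rules quoted above (sid:1239912 for stan.* hosts, sid:1239913 for kyle.* hosts) so the combined conditions can be exercised outside Suricata. The HTTP requests are constructed samples and the hostnames are placeholders, not indicators from the page.

```python
import re
from typing import Optional

# Constructed sample requests (not real captures), shaped like the traffic the
# beacon signatures describe: GET, long hex/slash URI, Basic proxy auth header.
SAMPLE_REQUESTS = [
    "GET /0123456789abcdef0123456789abcdef/0123456789abcdef0123456789abcdef HTTP/1.1\r\n"
    "Host: stan.placeholder.test\r\n"
    "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n",
    "GET /0123456789abcdef0123456789abcdef/0123456789abcdef0123456789abcdef HTTP/1.1\r\n"
    "Host: kyle.placeholder.test\r\n"
    "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n",
    # Benign-looking request to the same host: short URI, no proxy auth header.
    "GET /index.html HTTP/1.1\r\nHost: stan.placeholder.test\r\n\r\n",
]

# Python equivalent of the rule's pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U" on the URI.
URI_RE = re.compile(r"^/[a-f0-9/]{50,}$")


def parse_request(raw: str):
    """Split a raw HTTP request into (method, uri, headers-dict with lowercased names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def match_beacon(raw: str) -> Optional[int]:
    """Return the sid the request would trigger (1239912 or 1239913), else None.

    Mirrors the rule options: GET method, urilen:>50, the URI pcre, a
    'Proxy-Authorization: Basic' header, and a Host beginning with 'stan.' or 'kyle.'.
    """
    method, uri, headers = parse_request(raw)
    if method != "GET" or len(uri) <= 50 or not URI_RE.match(uri):
        return None
    if not headers.get("proxy-authorization", "").startswith("Basic"):
        return None
    host = headers.get("host", "")
    if host.startswith("stan."):
        return 1239912
    if host.startswith("kyle."):
        return 1239913
    return None
```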