[Emerging-Sigs] SIGS: Kyle&Stan Malvertising Malware Cisco Security Blox

Darien Huss dhuss at emergingthreats.net
Wed Sep 10 12:53:47 EDT 2014


Someone else pointed out some URIs to the kyle domains so that should go
out today. Thanks again guys.

Regards,
Darien

On Wed, Sep 10, 2014 at 12:51 PM, Jake Warren <jake.warren at masergy.com>
wrote:

> Thanks Darien, I didn't realize that it was already covered by the open
> ruleset. I appreciate the quick response.
>
> -Jake
>
> On Wed, Sep 10, 2014 at 10:41 AM, Darien Huss <dhuss at emergingthreats.net>
> wrote:
>
>> From what we have seen, the traffic to the kyle.* domains is different.
>> Everything we analyzed was already covered (besides the OSX) by an OPEN sig
>> (2808261,2018557) and one PRO sig. We moved the PRO sig over to OPEN which
>> is now sid:2019143. Even 1239912 we were a little reluctant to post because
>> so far all the PEs we have are already covered, but we'll keep an eye on it
>> just in case we were missing anything. Let me know if that didn't clear
>> everything up.
>>
>> Regards,
>> Darien
>>
>> On Wed, Sep 10, 2014 at 11:11 AM, Jake Warren <jake.warren at masergy.com>
>> wrote:
>>
>>> I saw you guys pushed most of Kevin's signatures, is there some reason
>>> Kevin's 1239913 signature was left out? Unless I'm missing something that
>>> would leave all kyle.* domains without coverage.
>>>
>>> Also, although it's not a big deal, Kevin's MD5 reference didn't get
>>> included in 2019145.
>>>
>>> Thanks,
>>> Jake
>>>
>>> On Tue, Sep 9, 2014 at 9:51 AM, Darien Huss <dhuss at emergingthreats.net>
>>> wrote:
>>>
>>>> Thanks Kevin, we'll get that into QA!
>>>>
>>>> Regards,
>>>> Darien
>>>>
>>>> On Tue, Sep 9, 2014 at 10:50 AM, Kevin Ross <kevross33 at googlemail.com>
>>>> wrote:
>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>>>> MAC/Conduit Vsearch Component Download"; flow:established,to_server;
>>>>> content:"/vsearch/installer?dp="; http_uri; content:"&sdp="; http_uri;
>>>>> content:"&f="; http_uri; content:"&id="; http_uri; content:"&v="; http_uri;
>>>>> classtype:trojan-activity; reference:url,
>>>>> blogs.cisco.com/security/kyle-and-stan/; sid:1239911; rev:1;)
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>>>> W32/Kyle&Stan Malvertising.Dropper CnC Beacon 1";
>>>>> flow:established,to_server; urilen:>50; content:"GET"; http_method;
>>>>> pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U"; content:"Proxy-Authorization|3A| Basic";
>>>>> http_header; content:"Host|3A| stan|2E|"; http_header; fast_pattern:only;
>>>>> classtype:trojan-activity; reference:url,
>>>>> blogs.cisco.com/security/kyle-and-stan/;
>>>>> reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239912; rev:1;)
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>>>> W32/Kyle&Stan Malvertising.Dropper CnC Beacon 2";
>>>>> flow:established,to_server; urilen:>50; content:"GET"; http_method;
>>>>> pcre:"/^\x2F[a-f0-9\x2F]{50,}$/U"; content:"Proxy-Authorization|3A| Basic";
>>>>> http_header; content:"Host|3A| kyle|2E|"; http_header; fast_pattern:only;
>>>>> classtype:trojan-activity; reference:url,
>>>>> blogs.cisco.com/security/kyle-and-stan/;
>>>>> reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239913; rev:1;)
>>>>>
>>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
>>>>> W32/Kyle&Stan Malvertising.Dropper CnC Download Instructions";
>>>>> flow:established,to_client; file_data; content:"{|22|time|22 3A|";
>>>>> within:15; content:"|22|country|22 3A|"; distance:0;
>>>>> content:"|22|countryID|22 3A|"; distance:0;
>>>>> content:"|22|installerBehavior|22 3A|"; distance:0;
>>>>> content:"|22|hideOnInstall|22 3A|"; distance:0; content:"|22|abortUrl|22
>>>>> 3A|"; distance:0; classtype:trojan-activity; reference:url,
>>>>> blogs.cisco.com/security/kyle-and-stan/;
>>>>> reference:md5,602c94e82c83bbaea1abdea420e0b939; sid:1239914; rev:1;)
>>>>>
>>>>>
>>>>> Kind Regards,
>>>>> Kevin Ross
>>>>>
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at lists.emergingthreats.net
>>>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>>>> http://www.emergingthreats.net
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
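As an added illustration, not part of the thread or of the ET ruleset, the following plain-Python emulation of the matching logic in Kevin's two beacon rules (sids 1239912 and 1239913) and the download-instructions rule (sid 1239914) runs over constructed requests with placeholder hosts; it ignores flow state and fast_pattern, which affect engine performance rather than what matches.

```python
import re

# Added example (not from the thread): a plain-Python re-implementation of
# the matching logic in Kevin's rules 1239912/1239913 (CnC beacon) and
# 1239914 (download instructions), run over constructed traffic.
BEACON_URI = re.compile(r"^/[a-f0-9/]{50,}$")  # the rules' pcre (/U = URI)
INSTRUCTION_KEYS = ['"time":', '"country":', '"countryID":',
                    '"installerBehavior":', '"hideOnInstall":', '"abortUrl":']

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, lower-cased header dict)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return method, uri, headers

def match_beacon(raw: bytes):
    """Return the beacon sid that fires for this request, or None."""
    method, uri, headers = parse_request(raw)
    # GET + urilen:>50 + the hex-path pcre + 'Proxy-Authorization: Basic'
    if method != "GET" or len(uri) <= 50 or not BEACON_URI.match(uri):
        return None
    if not headers.get("proxy-authorization", "").startswith("Basic"):
        return None
    host = headers.get("host", "")
    if host.startswith("stan."):
        return 1239912   # 'Host: stan.'
    if host.startswith("kyle."):
        return 1239913   # 'Host: kyle.'
    return None

def match_instructions(body: bytes):
    """Emulate sid 1239914: '"time":' must end within the first 15 bytes
    (within:15), then every other key must follow in order (distance:0)."""
    text, pos = body.decode("latin-1"), 0
    for i, key in enumerate(INSTRUCTION_KEYS):
        pos = text.find(key, pos)
        if pos < 0 or (i == 0 and pos + len(key) > 15):
            return None
        pos += len(key)
    return 1239914

# Constructed samples (placeholder hosts and values, not real indicators)
HEX_PATH = "/" + "a1b2c3d4e5f6" * 5        # '/' + 60 hex chars, urilen 61
SAMPLE_BEACON = ("GET " + HEX_PATH + " HTTP/1.1\r\nHost: kyle.example.invalid\r\n"
                 "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n").encode()
SAMPLE_JSON = (b'{"time":1410000000,"country":"US","countryID":1,'
               b'"installerBehavior":0,"hideOnInstall":true,"abortUrl":""}')
```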