[Emerging-Sigs] Current Events: Detection for Kuluoz spam, embedded link

Ben Koenig koenigb at gmail.com
Fri Sep 12 18:29:14 EDT 2014


2nd minor tweak:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS You
have voice message Kuluoz.D URI"; flow:established,to_server;
content:".php?"; http_uri; fast_pattern:only;
pcre:"/\.php\?[a-z]+=[a-zA-Z0-9\x2b\x5c\x2f]{22}$/U"; reference:url,
www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/;
classtype:trojan-activity; sid:XxXxXxXx; rev:1;)

Updated with $/U at end of PCRE.

-Ben.

On Fri, Sep 12, 2014 at 3:13 PM, Ben Koenig <koenigb at gmail.com> wrote:

> minor tweak:
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS You
> have voice message Kuluoz.D URI"; flow:established,to_server;
> content:".php?"; http_uri; fast_pattern:only;
> pcre:"/\.php\?[a-z]+=[a-zA-Z0-9\x2b\x5c\x2f]{22}"; reference:url,
> www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/;
> classtype:trojan-activity; sid:XxXxXxXx; rev:1;)
>
> This is very close to SID: 2018589 from June.
>
>
>
> On Fri, Sep 12, 2014 at 3:07 PM, Ben Koenig <koenigb at gmail.com> wrote:
>
>> I'm pretty sure I did this right, but please let me know if I didn't.
>> This is related to a spam campaign that shows up as Kuluoz.D: Email subject
>> was "You have voice message".
>>
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS You
>> have voice message Kuluoz.D URI"; flow:established,to_server;
>> content:".php?"; http_uri; fast_pattern:only;
>> pcre:"/\.php\?[a-z]+=[a-zA-Z0-9/+]{22}"; reference:url,
>> www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/;
>> classtype:trojan-activity; sid:XxXxXxXx; rev:1;)
>>
>>
>> I didn't see any of the existing Asprox/Kuluoz rules matching that in our
>> set.
>>
>> -Thanks,
>> Ben.
>>
>
>
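Added example, not part of the thread above: a small Python harness that applies the submitted PCRE (with the Suricata-only "U" buffer modifier dropped, since Python's re has no equivalent; Suricata's "U" selects the normalized URI buffer and the pattern text is otherwise ordinary PCRE) to a handful of constructed URIs. It shows what the "2nd minor tweak" buys: without the trailing "$" the 22-character class also fires on a longer token because the first 22 characters satisfy it, and with "$" the token has to end the URI. The sample URIs and the hostname-free paths are constructed for illustration and are not indicators from the campaign; the ".php?" pre-check stands in for the rule's content/fast_pattern stage.

```python
import re

# First draft from the thread: no end anchor, literal "/+" in the class.
KULUOZ_URI_V1 = re.compile(r"\.php\?[a-z]+=[a-zA-Z0-9/+]{22}")

# Second tweak from the thread: "+", "\" and "/" via hex escapes
# (\x2b, \x5c, \x2f) and "$" so the 22-char token must end the URI.
# The Suricata "U" modifier is omitted here (Python's re has none).
KULUOZ_URI_V2 = re.compile(r"\.php\?[a-z]+=[a-zA-Z0-9\x2b\x5c\x2f]{22}$")


def uri_matches(pattern, uri):
    """Emulate the rule's two stages: the content ".php?" must be present
    in the URI (the fast_pattern stage), then the PCRE runs over the same
    URI string."""
    if ".php?" not in uri:
        return False
    return pattern.search(uri) is not None


# Constructed sample URIs (hypothetical paths, not real campaign IoCs).
SAMPLES = {
    "exact22": "/img/load.php?s=AbCdEf0123456789abcdef",          # 22-char token
    "long30": "/img/load.php?s=AbCdEf0123456789abcdef01234567",   # 30-char token
    "short10": "/img/load.php?s=AbCdEf0123",                      # too short
    "benign": "/index.php?page=home",                             # ordinary site
}


def evaluate(pattern):
    """Return {sample_name: matched?} for every constructed URI."""
    return {name: uri_matches(pattern, uri) for name, uri in SAMPLES.items()}


def anchor_difference():
    """Names of samples where the first draft fires but the anchored
    second tweak does not, i.e. what the "$" removes."""
    v1, v2 = evaluate(KULUOZ_URI_V1), evaluate(KULUOZ_URI_V2)
    return sorted(name for name in SAMPLES if v1[name] and not v2[name])


if __name__ == "__main__":
    print("v1 (no $):   ", evaluate(KULUOZ_URI_V1))
    print("v2 (with $): ", evaluate(KULUOZ_URI_V2))
    print("only v1 fires on:", anchor_difference())
```

Running the harness shows the first draft matching both the 22-character and the 30-character token, while the anchored version matches only the exact-length one; neither fires on the short or benign URIs. In a real Suricata deployment the "$" anchors against the end of the normalized URI buffer, so a trailing query parameter after the token would also defeat the match, which is worth keeping in mind when reviewing false negatives.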