[Emerging-Sigs] SIGS: Critx/Flashpack Flash Request & Payload Request

Darien Huss dhuss at emergingthreats.net
Thu Sep 25 15:45:50 EDT 2014


Thanks Kevin for the heads up on CryptoWall, good to know that's still
covered :) For the Critx, we may not end up posting those as we still have
good coverage on the more static components of that EK.

Regards,
Darien

On Thu, Sep 25, 2014 at 7:13 AM, Kevin Ross <kevross33 at googlemail.com>
wrote:

> Oh, and FYI: the malware this tried to get onto the end machine was CryptoWall, but my
> stuff extracted the sample. PCAP here:
> https://anubis.iseclab.org/?action=result&task_id=13c4a6fe9c5e8a644d96360cbb833855a.
> Also ran that PCAP through my sensors to confirm, and it came out fine for ET
> sig detection.
>
>
> Kind Regards,
> Kevin Ross
>
>
>
> On 25 September 2014 09:52, Kevin Ross <kevross33 at googlemail.com> wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Critx/Flashpack Flash Exploit Request"; flow:established,to_server; content:"POST"; http_method; content:"/imageclass/newgater.php"; http_uri; content:"fvers="; http_client_body; depth:6; classtype:trojan-activity; reference:md5,ce0fa5d811e0735369366b76b1efd07a; sid:123991; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Critx/Flashpack Payload Request"; flow:established,to_server; content:"/imageclass/load"; http_uri; content:".php"; http_uri; pcre:"/^\x2Fimageclass\x2Fload[a-z0-9]{5,15}\x2Ephp$/U"; classtype:trojan-activity; reference:md5,cce12efacf5800fb937d40bbf0b0c4b0; sid:123992; rev:1;)
>>
>>
>> Kind Regards,
>> Kevin Ross
>>
>
>
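The matching logic of Kevin's two rules, re-implemented as an added Python example so the effect of `depth:6` and of the anchored `/U` pcre can be checked against sample traffic. This is not code from the thread or from the ET ruleset; the sample requests, the host name `example.invalid` and the `load...` suffixes are constructed for illustration. The URI is matched the way Snort/Suricata present the `http_uri` buffer to a pcre with `/U`: the request-line URI including any query string, so a trailing query breaks the `$` anchor.

```python
import re
from typing import NamedTuple

# Hypothetical minimal view of one HTTP request (method, URI, body); not part of
# the original thread.
class HttpRequest(NamedTuple):
    method: str
    uri: str
    body: bytes

def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, request-line URI and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return HttpRequest(method.decode(), uri.decode(), body)

# sid 123991: POST to /imageclass/newgater.php whose client body starts with
# "fvers=". depth:6 on a 6-byte pattern means the match must begin at offset 0
# of the body; "fvers=" appearing later in the body does not fire the rule.
def matches_flash_exploit_request(req: HttpRequest) -> bool:
    return (req.method == "POST"
            and "/imageclass/newgater.php" in req.uri
            and req.body[:6] == b"fvers=")

# sid 123992: \x2F and \x2E in the rule's pcre are just "/" and ".", so the
# pattern is an anchored path of the form /imageclass/load<5-15 of [a-z0-9]>.php
LOAD_URI_RE = re.compile(r"^/imageclass/load[a-z0-9]{5,15}\.php$")

def matches_payload_request(req: HttpRequest) -> bool:
    # The two plain content matches in the rule act as cheap pre-filters
    # before the regex is evaluated.
    return ("/imageclass/load" in req.uri
            and ".php" in req.uri
            and LOAD_URI_RE.match(req.uri) is not None)

def classify(raw: bytes) -> list:
    """Return the names of the rules that fire on one raw request."""
    req = parse_request(raw)
    hits = []
    if matches_flash_exploit_request(req):
        hits.append("Critx/Flashpack Flash Exploit Request")
    if matches_payload_request(req):
        hits.append("Critx/Flashpack Payload Request")
    return hits

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "flash_post": (b"POST /imageclass/newgater.php HTTP/1.1\r\n"
                   b"Host: example.invalid\r\nContent-Length: 10\r\n\r\nfvers=11.0"),
    # "fvers=" present but not at offset 0 of the body: depth:6 excludes it
    "flash_post_shifted": (b"POST /imageclass/newgater.php HTTP/1.1\r\n"
                           b"Host: example.invalid\r\n\r\nx=1&fvers=11.0"),
    "payload_get": b"GET /imageclass/loadab12cd.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # only two characters between "load" and ".php": below the {5,15} minimum
    "payload_too_short": b"GET /imageclass/loadab.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # a query string sits inside the http_uri buffer, so "$" no longer anchors at ".php"
    "payload_query": b"GET /imageclass/loadab12cd.php?x=1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {classify(raw)}")
```

Running the block shows only `flash_post` and `payload_get` firing; the other three samples document the edges of the two rules (body offset, suffix length, and query strings) that a rule author would want to be aware of when deciding whether the anchoring is too tight.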