<div dir="ltr">
<p>A couple of sigs for the NewPosThings PoS malware.</p>
<p>I was going to roll with a fast pattern on the "Accept" http header (content:"Accept|3a 20 3f 2a|"; fast_pattern:only; ) but it looks like the malware authors corrected the header in later samples.</p>
<p>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NewPosThings CNC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:41,20; http_header; content:"cs="; http_client_body; content:"&amp;p="; http_client_body; content:"&amp;m="; http_client_body; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:xxxx; rev:1; )</p>
<p>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NewPosThings Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:41,20; http_header; content:"cs="; http_client_body; content:"&amp;m="; http_client_body; content:"&amp;ls="; http_client_body; reference:md5,4196c67648003a18f61573a77b6d3be6; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:xxxx; rev:1; )</p>
<p><b>Jake Warren</b><br>
<a href="http://www.masergy.com/" target="_blank">www.masergy.com</a></p>
</div>
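As an added illustration (not code from the message above or from the Arbor write-up), the following Python re-implements the matching logic of the two rules over constructed HTTP requests and shows why a fast pattern on the malformed Accept header would miss later samples; the request path, host and form values are made-up placeholders.

```python
MALWARE_UA = b"User-Agent: Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)"
# fast_pattern:41,20 hands the pattern matcher only this 20-byte slice of the content
FAST_PATTERN = MALWARE_UA[41:61]          # b"7.0b; Windows NT 6.0"
ACCEPT_PATTERN = b"Accept: ?*"            # content:"Accept|3a 20 3f 2a|" from the discarded idea

# http_client_body needles from the two rules, in the order the rules list them
RULES = {
    "NewPosThings CNC Beacon": [b"cs=", b"&p=", b"&m="],
    "NewPosThings Data Exfiltration": [b"cs=", b"&m=", b"&ls="],
}

def parse_request(raw):
    """Split a raw HTTP request into (method, header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0].split(b" ", 1)[0], lines[1:], body

def match_rules(raw):
    """Return the names of the rules above that a request would fire, in rule order."""
    method, headers, body = parse_request(raw)
    if method != b"POST":                       # content:"POST"; http_method
        return []
    blob = b"\r\n".join(headers)
    # cheap fast-pattern pre-filter first, then the full http_header content match
    if FAST_PATTERN not in blob or MALWARE_UA not in blob:
        return []
    return [n for n, needles in RULES.items() if all(x in body for x in needles)]

def accept_header_matches(raw):
    """The discarded alternative: a fast pattern on the malformed Accept header."""
    return any(h == ACCEPT_PATTERN for h in parse_request(raw)[1])

def build_post(extra_headers, body):
    """Assemble a constructed HTTP/1.1 POST (test input, not a real capture)."""
    head = b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
    head += b"".join(h + b"\r\n" for h in extra_headers)
    return head + b"Content-Length: %d\r\n\r\n" % len(body) + body

# Constructed samples: an early build sending "Accept: ?*", a later build with the
# header corrected, and a benign IE7 POST (a real IE UA has a space before "(" and no "b").
EARLY_BEACON = build_post([MALWARE_UA, ACCEPT_PATTERN], b"cs=AAAA&p=BBB&m=CCCC")
LATER_EXFIL = build_post([MALWARE_UA, b"Accept: */*"], b"cs=AAAA&m=CCCC&ls=DDDD")
BENIGN = build_post([b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
                     b"Accept: */*"], b"cs=AAAA&p=BBB&m=CCCC")

if __name__ == "__main__":
    for name, req in [("early", EARLY_BEACON), ("later", LATER_EXFIL), ("benign", BENIGN)]:
        print(name, match_rules(req), "accept-rule:", accept_header_matches(req))
```

The later sample still trips the User-Agent rules but not the Accept-header check, which is the gap the message describes.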