Francis Trudeau | 30 Oct 22:35 2014

Daily Ruleset Update Summary 10/30/2014

 [***] Summary: [***]

 9 new Open signatures, 16 new Pro (9+7).  SweetOrange EK, CryptoBot, HB_Banker16, Win32/Ropest.

 Thanks:  Nathan Fowler and @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2019600 - ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JNLP) (current_events.rules)
  2019601 - ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 4 (trojan.rules)
  2019602 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 43 (trojan.rules)
  2019603 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
  2019604 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
  2019605 - ET CURRENT_EVENTS Win32/Trustezeb.J SSL Cert Oct 30 2014 (current_events.rules)
  2019606 - ET TROJAN Poweliks Abnormal HTTP Headers, high likelihood of Poweliks infection (trojan.rules)
  2019607 - ET TROJAN CryptoBot Downloading Files (trojan.rules)
  2019608 - ET TROJAN HB_Banker16 Get (trojan.rules)

 Pro:


Jake Warren | 30 Oct 21:20 2014

EITest & Tinba Sigs


alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Tinba DGA NXDOMAIN Responses (2)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-16; within:1; pcre:"/^[a-z]{12}/R"; threshold: type both, track by_src, count 50, seconds 10; reference:md5,5808cc73c78263a8114eb205f510f6a7; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:xxxx; rev:1;)

#hasn't been tested, could be prone to false positives
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible EITest Flash Redirect"; flow:established,to_client; file_data; content:"|20|name=|22|EITest|22 20|"; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:xxxx; rev:1;)

Regards,
Jake Warren
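The Tinba rule above encodes a DNS-shape check (response bit, RCODE 3, one question, no answer, one authority record, a 12-letter lowercase label under .ru) plus a per-source rate threshold. The following Python is an added example, not code from the post or from Emerging Threats, that re-implements those checks on raw DNS payloads so the byte offsets in the rule can be seen against a real message layout. The packets and the resolver address are constructed inline; the threshold class only approximates Snort's `threshold: type both` semantics.

```python
import struct
from collections import defaultdict
from typing import Dict, List

# All packets here are constructed in code for the example; nothing is captured traffic.


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_nxdomain(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal NXDOMAIN reply (UDP payload only): flags 0x8183 = QR|RD|RA with RCODE 3;
    one question, no answers, one SOA in the authority section."""
    header = struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    soa_rdata = (encode_name("ns.invalid") + encode_name("hostmaster.invalid")
                 + struct.pack(">IIIII", 1, 3600, 900, 604800, 300))
    tld_offset = 12 + 1 + len(qname.split(".")[0])  # compression pointer to the TLD label
    authority = (struct.pack(">H", 0xC000 | tld_offset)
                 + struct.pack(">HHIH", 6, 1, 300, len(soa_rdata)) + soa_rdata)
    return header + question + authority


def matches_tinba_nxdomain(payload: bytes) -> bool:
    """The rule's byte_test/content/pcre checks, applied to one DNS message."""
    if len(payload) < 28:
        return False
    if not (payload[2] & 0x80):                     # byte_test:1,&,128,2 -> QR set (a response)
        return False
    if (payload[3] & 0x03) != 0x03:                 # byte_test:1,&,1,3 + byte_test:1,&,2,3 -> RCODE 3
        return False
    if payload[4:10] != b"\x00\x01\x00\x00\x00\x01":  # QDCOUNT 1, ANCOUNT 0, NSCOUNT 1 at offset 4
        return False
    if payload[12] != 0x0C:                         # content:"|0c|": first label is 12 bytes long
        return False
    if not all(0x61 <= b <= 0x7A for b in payload[13:25]):  # pcre:"/^[a-z]{12}/R"
        return False
    return payload[25:28] == b"\x02ru"              # content:"|02|ru" right after that label


class SourceThreshold:
    """Approximates 'threshold: type both, track by_src, count 50, seconds 10':
    one alert per source per window, fired when the window reaches the count."""

    def __init__(self, count: int = 50, seconds: float = 10.0) -> None:
        self.count, self.seconds = count, seconds
        self.windows: Dict[str, List[float]] = defaultdict(lambda: [0.0, 0.0])

    def hit(self, src: str, now: float) -> bool:
        start, hits = self.windows[src]
        if now - start >= self.seconds:
            start, hits = now, 0.0
        hits += 1
        self.windows[src] = [start, hits]
        return hits == self.count


def demo() -> int:
    """Replay 60 DGA-looking NXDOMAINs from one resolver inside 10 s; expect exactly one alert."""
    tracker = SourceThreshold()
    resolver = "192.0.2.53"  # constructed source address
    alerts = 0
    for i in range(60):
        label = "".join(chr(0x61 + (i * 7 + k) % 26) for k in range(12))
        if matches_tinba_nxdomain(build_nxdomain(label + ".ru")) and tracker.hit(resolver, 1000.0 + i * 0.1):
            alerts += 1
    # An ordinary NXDOMAIN for a short name never reaches the threshold logic.
    if matches_tinba_nxdomain(build_nxdomain("nosuchhost.ru")):
        alerts += 100
    return alerts


if __name__ == "__main__":
    print("alerts:", demo())
```

Because the rule is tied to `$HOME_NET` on the receiving side and tracks `by_src`, the source being counted is the resolver, so a busy recursive resolver answering many clients can reach 50 NXDOMAINs in 10 seconds on its own; that is the false-positive surface to watch when tuning the count.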
Sabu Thaliyath | 30 Oct 20:56 2014

Frequency of update for "Compromised Hosts"

Hi,

I was trying to figure out how frequently the rule 'Compromised Hosts' under Emerging Threats is updated.

http://doc.emergingthreats.net/bin/view/Main/CompromisedHost

I tried looking at the changelogs but couldn't figure it out. Can anybody let me know, on average, how frequently this rule is updated, or give me a pointer?

Regards,
Sabu
rmkml | 30 Oct 11:14 2014

Offered a new sig for detecting ftp rce via http redirect location pipe

Hi,

The Etplc project offers a new sig for detecting FTP RCE via a pipe in an HTTP redirect Location header:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FTP NetBSDv7.99.1 or MacOSXv10.10 or FreeBSDv10 Remote Command Execution pipe via Location header attempt"; flow:to_client,established; content:"Location\:"; nocase; http_header; content:"|7C|"; within:100; distance:0; http_header; pcre:"/^Location\:[^\n]{0,100}?\x7c/Hsmi"; reference:cve,2014-8517; reference:url,cxsecurity.com/issue/WLB-2014100174; classtype:web-application-activity; sid:1; rev:1;)

Don't forget to check $EXTERNAL_NET, $HTTP_PORTS and $HOME_NET.

Feedback is welcome.

Regards
@Rmkml

PS: http://etplc.org project.
Francis Trudeau | 29 Oct 23:26 2014

Daily Ruleset Update Summary 10/29/2014

 [***] Summary: [***]

 15 new Open signatures, 19 new Pro (15+4).  Sofacy, PoisonIvy, W32/ZxShell.

 Thanks:  Kevin Ross, Eoin Miller and @rmkml

 [+++]          Added rules:          [+++]

 Open:

  2019585 - ET TROJAN Sofacy HTTP Request msonlinelive.com (trojan.rules)
  2019586 - ET TROJAN Sofacy DNS Lookup msonlinelive.com (trojan.rules)
  2019587 - ET TROJAN W32/ZxShell Server Checkin Response (trojan.rules)
  2019588 - ET TROJAN W32/ZxShell Checkin (trojan.rules)
  2019589 - ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant) (trojan.rules)
  2019590 - ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant) (trojan.rules)
  2019591 - ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant) (trojan.rules)
  2019592 - ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant) (trojan.rules)
  2019593 - ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant) (trojan.rules)
  2019594 - ET CURRENT_EVENTS FlashPack EK Plugin-Detect Post (current_events.rules)
  2019595 - ET CURRENT_EVENTS FlashPack Payload Download Oct 29 (current_events.rules)
  2019596 - ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29 (current_events.rules)
  2019597 - ET CURRENT_EVENTS DRIVEBY FakeSupport - Landing Page - Windows Firewall Warning (current_events.rules)
  2019598 - ET CURRENT_EVENTS DRIVEBY FakeSupport - URI - windows-firewall.png (current_events.rules)
  2019599 - ET CURRENT_EVENTS DRIVEBY FakeSupport - Landing Page - Operating System Check (current_events.rules)

 Pro:

  2809090 - ETPRO TROJAN Win32/Critroni Tor DNS Proxy lookup (trojan.rules)
  2809091 - ETPRO TROJAN Win32/RpcBrute.A CnC (trojan.rules)
  2809092 - ETPRO DOS Possible XMLRPC DoS in Progress (dos.rules)
  2809093 - ETPRO MOBILE_MALWARE Android/TrojanSMS.FakeInst.FO Checkin (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2019539 - ET TROJAN Win32/Coreshell Checkin (APT28 Related) (trojan.rules)
  2019542 - ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JAR) (current_events.rules)
  2019545 - ET TROJAN Sofacy Request Outbound (trojan.rules)
  2806662 - ETPRO DOS UDP Based DOS LOIC Low Orbit Ion Cannon Attack Default String (dos.rules)
  2806663 - ETPRO DOS UDP Based D0S LOIC Low Orbit Ion Cannon Attack OUTBOUND Default String (dos.rules)
  2806664 - ETPRO DOS TCP Based DOS LOIC Low Orbit Ion Cannon Attack Default String (dos.rules)
  2806665 - ETPRO DOS TCP Based DOS LOIC Low Orbit Ion Cannon Attack OUTBOUND Default String (dos.rules)
  2807856 - ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic (trojan.rules)
  2808522 - ETPRO MALWARE PUP Win32/ELEX Checkin (malware.rules)
  2808814 - ETPRO TROJAN Backdoor family PCRat/Gh0st CnC Response (trojan.rules)

 [---]         Removed rules:         [---]

  2003621 - ET MALWARE MyWay Spyware Posting Activity Report - Dell Related (malware.rules)
  2806579 - ETPRO TROJAN DarkComet-RAT init connection 3 (trojan.rules)
rmkml | 29 Oct 17:02 2014

New Elasticsearch Connector for ETPLC project.

Hi,

I'm proud to announce a new Elasticsearch Connector for my http://etplc.org project.

The new Connector retrieves proxy or web server logs from Elasticsearch in real time and sends them to etplc for checking threats!
(a few parameters need checking)

http://etplc.org/elasticsearch.html
http://etplc.org/download.html
http://etplc.org/

Example:
"perl etplc_elasticsearch_29oct2014.pl | perl etplc_15oct2014a.pl -f emergingall_sigs28oct2014a_snort290b.rules"

or Python v2:
"perl etplc_elasticsearch_29oct2014.pl | python2 etplc_15oct2014a.py2 -f emergingall_sigs28oct2014a_snort290b.rules"

All feedback is welcome.

Thank you, Community, and @EmergingThreats Open Signature.

Best Regards
@Rmkml
Kevin Ross | 29 Oct 10:16 2014
Francis Trudeau | 29 Oct 00:48 2014

Daily Ruleset Update Summary 10/28/2014

 [***] Summary: [***]

 52 New Open signatures, 59 new Pro (52+7).  OLDBAIT, Sofacy, SweetOrange EK.

 Thanks:  @rmkml, @jaimeblascob, @PwC_LLC and @kafeine.

 [+++]          Added rules:          [+++]

 Open:

  2019524 - ET WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include (web_specific_apps.rules)
  2019526 - ET WEB_SERVER WEB-PHP phpinfo access (web_server.rules)
  2019534 - ET TROJAN OLDBAIT Checkin (trojan.rules)
  2019535 - ET TROJAN OLDBAIT Checkin sptr (trojan.rules)
  2019536 - ET TROJAN OLDBAIT Checkin 2 brvc (trojan.rules)
  2019537 - ET TROJAN Win32/Chopstick Checkin (APT28 Related) (trojan.rules)
  2019538 - ET TROJAN Ransom.Win32.Blocker.fwlm Checkin (trojan.rules)
  2019539 - ET TROJAN Win32/Coreshell Checkin (APT28 Related) (trojan.rules)
  2019540 - ET CURRENT_EVENTS Potential Sofacy Phishing Redirect (current_events.rules)
  2019541 - ET CURRENT_EVENTS Potential Sofacy Phishing Redirect (current_events.rules)
  2019542 - ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JAR) (current_events.rules)
  2019543 - ET CURRENT_EVENTS Likely SweetOrange EK Flash Exploit URI Struct (current_events.rules)
  2019544 - ET CURRENT_EVENTS Possible Sweet Orange Flash/IE Payload Request (current_events.rules)
  2019545 - ET TROJAN Sofacy Request Outbound (trojan.rules)
  2019546 - ET TROJAN Sofacy HTTP Request adawareblock .com (trojan.rules)
  2019547 - ET TROJAN Sofacy HTTP Request adobeincorp .com (trojan.rules)
  2019548 - ET TROJAN Sofacy HTTP Request azureon-line .com (trojan.rules)
  2019549 - ET TROJAN Sofacy HTTP Request checkmalware .info (trojan.rules)
  2019550 - ET TROJAN Sofacy HTTP Request checkwinframe .com (trojan.rules)
  2019551 - ET TROJAN Sofacy HTTP Request check-fix .com (trojan.rules)
  2019552 - ET TROJAN Sofacy HTTP Request hotfix-update .com (trojan.rules)
  2019553 - ET TROJAN Sofacy HTTP Request microsofi .org (trojan.rules)
  2019554 - ET TROJAN Sofacy HTTP Request microsof-update .com (trojan.rules)
  2019555 - ET TROJAN Sofacy HTTP Request scanmalware .info (trojan.rules)
  2019556 - ET TROJAN Sofacy HTTP Request secnetcontrol .com (trojan.rules)
  2019557 - ET TROJAN Sofacy HTTP Request securitypractic .com (trojan.rules)
  2019558 - ET TROJAN Sofacy HTTP Request testservice24 .net (trojan.rules)
  2019559 - ET TROJAN Sofacy HTTP Request testsnetcontrol .com (trojan.rules)
  2019560 - ET TROJAN Sofacy HTTP Request updatepc .org (trojan.rules)
  2019561 - ET TROJAN Sofacy HTTP Request updatesoftware24 .com (trojan.rules)
  2019562 - ET TROJAN Sofacy HTTP Request windows-updater .com (trojan.rules)
  2019563 - ET TROJAN Sofacy HTTP Request checkmalware .org (trojan.rules)
  2019564 - ET TROJAN Sofacy DNS Lookup adawareblock .com (trojan.rules)
  2019565 - ET TROJAN Sofacy DNS Lookup adobeincorp .com (trojan.rules)
  2019566 - ET TROJAN Sofacy DNS Lookup azureon-line .com (trojan.rules)
  2019567 - ET TROJAN Sofacy DNS Lookup checkmalware .info (trojan.rules)
  2019568 - ET TROJAN Sofacy DNS Lookup checkwinframe .com (trojan.rules)
  2019569 - ET TROJAN Sofacy DNS Lookup check-fix .com (trojan.rules)
  2019570 - ET TROJAN Sofacy DNS Lookup hotfix-update .com (trojan.rules)
  2019571 - ET TROJAN Sofacy DNS Lookup microsofi .org (trojan.rules)
  2019572 - ET TROJAN Sofacy DNS Lookup microsof-update .com (trojan.rules)
  2019573 - ET TROJAN Sofacy DNS Lookup scanmalware .info (trojan.rules)
  2019574 - ET TROJAN Sofacy DNS Lookup secnetcontrol .com (trojan.rules)
  2019575 - ET TROJAN Sofacy DNS Lookup securitypractic .com (trojan.rules)
  2019576 - ET TROJAN Sofacy DNS Lookup symanttec .org (trojan.rules)
  2019577 - ET TROJAN Sofacy DNS Lookup testservice24 .net (trojan.rules)
  2019578 - ET TROJAN Sofacy DNS Lookup testsnetcontrol .com (trojan.rules)
  2019579 - ET TROJAN Sofacy DNS Lookup updatepc .org (trojan.rules)
  2019580 - ET TROJAN Sofacy DNS Lookup updatesoftware24 .com (trojan.rules)
  2019581 - ET TROJAN Sofacy DNS Lookup windows-updater .com (trojan.rules)
  2019582 - ET TROJAN Sofacy DNS Lookup checkmalware .org (trojan.rules)
  2019583 - ET TROJAN Sofacy HTTP Request symanttec .org (trojan.rules)

 Pro:

  2809080 - ETPRO EXPLOIT DotNetNuke DNNspot Store 3.0.0 File Upload (exploit.rules)
  2809081 - ETPRO MOBILE_MALWARE Android/Lxsj.A Checkin (mobile_malware.rules)
  2809082 - ETPRO EXPLOIT Mulesoft ESB Runtime 3.5.1 Privilege Escalation (exploit.rules)
  2809084 - ETPRO TROJAN Infostealer.Limitail Stealing Info Via HTTP (trojan.rules)
  2809085 - ETPRO TROJAN Trojan.Win32.Sefnit.C Install (trojan.rules)
  2809086 - ETPRO WEB_SPECIFIC_APPS CreativeContact Plugin Arbitrary File Upload (web_specific_apps.rules)
  2809087 - ETPRO TROJAN Trojan.Alnaddy Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2011488 - ET FTP Suspicious Quotation Mark Usage in FTP Username (ftp.rules)
  2017648 - ET CURRENT_EVENTS Possible Sweet Orange payload Request (current_events.rules)
  2019418 - ET CURRENT_EVENTS SSL excessive fatal alerts (possible POODLE attack against server) (current_events.rules)
  2806561 - ETPRO POLICY Ultrasurf Proxy Anonymizer TLS ClientHello Attempt (policy.rules)
  2809030 - ETPRO TROJAN Possibly Malicious DNS TXT Response Contains URL (trojan.rules)

 [///]    Modified inactive rules:    [///]

  2008547 - ET TROJAN PECompact2 Packed Binary - Sometimes Hostile (trojan.rules)

 [---]         Removed rules:         [---]

  2805844 - ETPRO TROJAN Cryp_Xin2/Clicker.Win32.Small.zy Checkin 1 sptr (trojan.rules)
  2805845 - ETPRO TROJAN Cryp_Xin2/Clicker.Win32.Small.zy Checkin 2 brvc (trojan.rules)
  2809067 - ETPRO TROJAN Win32/Sednit.L Checkin (trojan.rules)
Kevin Ross | 28 Oct 23:57 2014

SIGS: ET TROJAN APT28 SIGS

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/CoreShell.APT28 Downloader CnC Beacon"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"/check/"; http_uri; depth:7; content:"User-Agent|3A| MSIE 8.0|0D 0A|"; http_header; classtype:trojan-activity; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; sid:139921; rev:1;)

# only ai is not randomly generated according to the report. The UA in the report has Windows NT 6.; though which is a good indicator too with the .; and same in V1
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Chopstick.APT28 Version 2 CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/search/?"; http_uri; content:"&ai="; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B|"; http_header; fast_pattern:24,16; classtype:trojan-activity; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; sid:139922; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Chopstick.APT28 Version 1 CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/webhp?"; http_uri; content:"&ai="; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B|"; http_header; fast_pattern:24,16; classtype:trojan-activity; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; sid:139923; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OldBait.APT28 Credential Harvester CnC Beacon"; flow:established,to_server; urilen:10; content:"POST"; http_method; content:"/index.php"; http_uri; depth:10; content:"prefs="; http_client_body; depth:6; classtype:trojan-activity; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; sid:139924; rev:1;)

Kind Regards,
Kevin Ross
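To make the conditions in the four APT28 rules concrete, here is an added Python example (not code from the post, from Emerging Threats or from the FireEye report) that parses constructed HTTP requests and evaluates the same URI, header and body conditions the rules express. It also shows which 16 bytes `fast_pattern:24,16` selects out of the Chopstick User-Agent content, and why a genuine Windows 7 browser, which sends "NT 6.1;" rather than "NT 6.;", does not trip the Chopstick rules. All requests and addresses below are constructed; the family labels are assumptions mapping to the four sids.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# The requests below are constructed for this example; they are not captured traffic.


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str]
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, raw URI, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


# The content string both Chopstick rules anchor on; note "NT 6.;" with no minor version.
CHOPSTICK_UA_CONTENT = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64;"


def fast_pattern_slice(content: str, offset: int, length: int) -> str:
    """What 'fast_pattern:<offset>,<length>' hands to the multi-pattern matcher."""
    return content[offset:offset + length]


def classify(req: HttpRequest) -> Optional[str]:
    """Evaluate the four rules' conditions; returns an assumed family label or None."""
    if req.method != "POST":
        return None
    ua = req.headers.get("user-agent", "")
    # sid:139921 -- urilen:7, URI "/check/" at depth 7, header line exactly "User-Agent: MSIE 8.0"
    if len(req.uri) == 7 and req.uri == "/check/" and ua == "MSIE 8.0":
        return "CoreShell"
    # sid:139922 / sid:139923 -- "&ai=" in the URI plus the "Windows NT 6.; WOW64;" User-Agent
    if "&ai=" in req.uri and ua.startswith(CHOPSTICK_UA_CONTENT[len("User-Agent: "):]):
        if "/search/?" in req.uri:
            return "Chopstick v2"
        if "/webhp?" in req.uri:
            return "Chopstick v1"
    # sid:139924 -- urilen:10, URI "/index.php", client body starting with "prefs="
    if len(req.uri) == 10 and req.uri == "/index.php" and req.body.startswith(b"prefs="):
        return "OldBait"
    return None


SAMPLES = {
    "coreshell": (b"POST /check/ HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                  b"User-Agent: MSIE 8.0\r\nContent-Length: 0\r\n\r\n"),
    "chopstick_v2": (b"POST /search/?q=x&ai=0123 HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                     b"User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:0.0)\r\n\r\n"),
    "chopstick_v1": (b"POST /webhp?hl=en&ai=0123 HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                     b"User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:0.0)\r\n\r\n"),
    "oldbait": (b"POST /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                b"Content-Length: 11\r\n\r\nprefs=AAAAA"),
    # A real Firefox on Windows 7 sends "NT 6.1;", so the Chopstick rules do not fire on it.
    "browser": (b"POST /search/?q=x&ai=1 HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) "
                b"Gecko/20100101 Firefox/33.0\r\n\r\n"),
}


def demo() -> Dict[str, Optional[str]]:
    """Classify every constructed sample."""
    return {name: classify(parse_request(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
    print("fast_pattern slice:", repr(fast_pattern_slice(CHOPSTICK_UA_CONTENT, 24, 16)))
```

The `fast_pattern:24,16` slice resolves to `(Windows NT 6.; `, which is exactly the malformed fragment the comment in the post points to; choosing it for the fast pattern keeps the common `User-Agent: Mozilla/5.0` prefix out of the multi-pattern matcher so ordinary browser traffic is rejected early.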
Jake Warren | 28 Oct 19:29 2014

APT28 & Sofacy Community Sigs

Thought I would share these just in case you guys hadn't seen them yet.

APT28 sigs from @da_667:
http://pastebin.com/91sEPnJ7

Sofacy sigs from PWC:
http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf

Regards,
Jake Warren
Jake Warren | 28 Oct 19:26 2014

Sweet Orange Redirect Sig

Thanks to Brad (@malware_traffic) for the analysis.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection 27 October 2014"; flow:to_client,established; file_data; content:"main_request_data_content=|27|"; pcre:"/[^0-9a-f]{1,3}6\D?8[^0-9a-f]{1,3}7\D?4[^0-9a-f]{1,3}7\D?4[^0-9a-f]{1,3}7\D?0[^0-9a-f]{1,3}3\D?a/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/27/index2.html; classtype:trojan-activity; sid:xxxx; rev:1;)

Regards,
Jake Warren
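The pcre in the Sweet Orange rule above looks for the hex pairs 68 74 74 70 3a ("http:") written with one to three non-hex separators between pairs and an optional non-digit inside each pair. The Python below is an added example, not code from the post or from Emerging Threats, that applies the same anchor-plus-relative-regex logic to a constructed page fragment and then decodes the separated hex so an analyst can read the redirect target. The page fragment, the decoded hostname and the helper names are all constructed for this example.

```python
import re
from typing import Optional

# The page fragments below are constructed for this example; they are not captured landing pages.

ANCHOR = re.compile(r"main_request_data_content='")
# The rule's pcre: hex pairs 68 74 74 70 3a, each pair optionally split by a non-digit and
# pairs separated by one to three non-hex characters, matched case-insensitively (/i).
HTTP_AS_SPLIT_HEX = re.compile(
    r"[^0-9a-f]{1,3}6\D?8[^0-9a-f]{1,3}7\D?4[^0-9a-f]{1,3}7\D?4"
    r"[^0-9a-f]{1,3}7\D?0[^0-9a-f]{1,3}3\D?a",
    re.IGNORECASE,
)


def matches_sweet_orange_redirect(body: str) -> bool:
    """content + pcre with /R: the regex must match right where the content match ended."""
    m = ANCHOR.search(body)
    return m is not None and HTTP_AS_SPLIT_HEX.match(body, m.end()) is not None


def decode_split_hex(blob: str) -> str:
    """Analyst helper: drop every non-hex character and decode what remains as bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", blob)
    digits = digits[: len(digits) - len(digits) % 2]  # ignore a dangling nibble
    return bytes.fromhex(digits).decode("latin-1")


def extract_redirect_target(body: str) -> Optional[str]:
    """Pull the single-quoted value after the anchor and decode it."""
    m = re.search(r"main_request_data_content='([^']*)'", body)
    return decode_split_hex(m.group(1)) if m else None


# "http://example.com" with every hex digit separated by "|" (constructed).
SAMPLE_PAGE = (
    "<html><body><script>\n"
    "var main_request_data_content='|6|8|7|4|7|4|7|0|3|a|2|f|2|f|6|5|7|8|6|1|6|d|7|0|6|c|6|5|2|e|6|3|6|f|6|d|';\n"
    "</script></body></html>\n"
)
# Plain hex with no separators: the {1,3} quantifier requires at least one, so the rule does not fire.
PLAIN_HEX_PAGE = "var main_request_data_content='687474703a2f2f6578616d706c652e636f6d';"
BENIGN_PAGE = "var main_request_data_content='hello';"


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("plain", PLAIN_HEX_PAGE), ("benign", BENIGN_PAGE)):
        print(label, matches_sweet_orange_redirect(page), extract_redirect_target(page))
```

The plain-hex case is worth keeping in mind when tuning: a landing page that emits the same value without separators slips past this regex, so a companion rule on the unseparated form of the same bytes is the usual way to close that gap.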
