Phishing & BotNets
Snort Sigs for Phishing Malware Jan 11 2006 09:15PM
Lance James (bugtraq securescience net)
Hi all,

I thought I'd drop off some snort sigs for Corpse Spyware that is out
there, including A-311 Death and Nuclear Grabber - phishing-focused
(TAN grabbing) malware.

There may be some false positives, but those false positives should
also be looked at carefully, as it means it's an executable that's
packed with FSG and worth analyzing before trusting. I've also sent
them to bleeding-edge snort.

# Copyright 2006 Secure Science Corporation, Feel Free to Distribute/Modify just give us credit

alert tcp any any -> any $HTTP_PORTS (msg: "corpsespyware.net Blind Drop - GET /images/data.php?"; flow:from_client; content:"GET /images/data.php?";)

alert tcp any any -> any $HTTP_PORTS (msg: "corpsespyware.net Blind Drop - POST /images/data.php?"; flow:from_client; content:"POST /images/data.php?";)

alert tcp any any -> any $HTTP_PORTS (msg: "corpsespyware.net BlackList - google.vc"; flow:from_client; content:"www.google.vc";)

alert tcp any any -> any $HTTP_PORTS (msg: "corpsespyware.net BlackList - pcpeek"; flow:from_client; content:"www.pcpeek-webcam-sex.com";)

alert tcp any any -> any $HTTP_PORTS (msg: "corpsespyware.net Distribution - bos.biz"; flow:from_client; content:"www.businessopportunityseeker.biz";)

alert tcp any any -> any $HTTP_PORTS (msg: "corpsespyware.net Distribution - fesexy"; flow:from_client; content:"www.fesexy.net";)
alert tcp any any -> any $HTTP_PORTS (msg: "corpsespyware.net Distribution - studiolacase"; flow:from_client; content:"www.studiolacase.com";)

alert tcp any any -> any $HTTP_PORTS (msg:"corpsespyware.net - msits.exe access"; flow:from_client,established; uricontent:"/msits.exe"; nocase;)
alert tcp any any -> any $HTTP_PORTS (msg:"corpsespyware.net - msys.exe access"; flow:from_client,established; uricontent:"/msys.exe"; nocase;)

alert tcp any any -> any $HTTP_PORTS (msg:"corpsespyware.net - PG 02"; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10;)

alert tcp any $HTTP_PORTS -> any any (msg:"corpsespyware.net - PG 02"; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10;)

--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
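An added example, not part of Lance James' post: the two "PG 02" rules above look for the DOS "MZ" magic and, at least 10 bytes later, a PE/COFF header whose Machine is i386 (4C 01), NumberOfSections is 2 (02 00) and whose TimeDateStamp field reads "FSG!" (46 53 47 21), the stamp the FSG packer leaves. The Python below reproduces that byte-level match and pairs it with a structured check that follows e_lfanew to the real PE header, which is how an analyst would triage the false positives the post mentions. The sample headers are constructed here; the function and field names are my own.

```python
import struct

# Bytes the "PG 02" rules match: PE signature, Machine=0x014C, NumberOfSections=2,
# TimeDateStamp = "FSG!" (the little-endian value 0x21475346).
MZ_MAGIC = b"MZ"
FSG_PE_MARKER = bytes.fromhex("504500004C01020046534721")
SNORT_DISTANCE = 10          # distance:10 in the rule
FSG_STAMP = 0x21475346       # b"FSG!" read as a little-endian uint32


def snort_style_match(data: bytes) -> bool:
    """Mimic content:"|4D 5A|" followed by the marker with distance:10.
    distance:N means the second search starts N bytes after the end of the
    first match; nothing ties the "MZ" to offset 0 of a real PE file."""
    mz = data.find(MZ_MAGIC)
    if mz == -1:
        return False
    return data.find(FSG_PE_MARKER, mz + len(MZ_MAGIC) + SNORT_DISTANCE) != -1


def parse_pe_fsg(data: bytes):
    """Structured triage: walk e_lfanew to the COFF header and read the fields.
    Returns None when the buffer is not a PE image starting at offset 0."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections,
            "timestamp": stamp, "fsg": stamp == FSG_STAMP}


def build_sample(nsections: int, timestamp: int) -> bytes:
    """Constructed input: a bare DOS header plus a PE/COFF header, no sections."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, nsections, timestamp,
                                   0, 0, 0xE0, 0x010F)
    return bytes(dos) + coff


FSG_SAMPLE = build_sample(2, FSG_STAMP)       # what an FSG-packed binary carries
CLEAN_SAMPLE = build_sample(3, 0x45A3B1C2)    # ordinary build timestamp, 3 sections

if __name__ == "__main__":
    for name, buf in (("fsg", FSG_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, snort_style_match(buf), parse_pe_fsg(buf))
```

The byte-level match also fires when "MZ" occurs anywhere in a stream ahead of the marker, for instance an executable embedded in another file, which is why the structured parse is worth running on each hit before deciding whether it is a packed download.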
