#
# $Id: emerging-malware.rules $
# Emerging Threats Malware rules.
#
# SIDs are 2000000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2010, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#   disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#   following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#   from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Reading these rules:
#   - Each rule is one line: header (action proto src sport -> dst dport) followed by options in parentheses.
#   - $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are variables that must be defined in the sensor configuration;
#     nearly every rule here watches HTTP requests leaving $HOME_NET (flow: to_server,established).
#   - A line starting with "#alert" is a disabled rule kept for history; the comment above it says why.
#   - content:!"..." is a negated match: the rule fires only when that byte string is ABSENT.
#   - |xx xx| inside a content string is raw hex; nocase makes the preceding match case-insensitive.
#   - pcre modifiers /U = match against the normalized URI buffer, /i = case-insensitive.
#   - Most patterns are plain URI substrings and query-parameter names, so expect some false positives
#     on unrelated sites that reuse the same parameter names; tune per environment.
#
#
#Submitted by Jason Haar
# Matches "GET" at the start of the request and a Host header ending in .180solutions.com within 300 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:".180solutions.com"; within: 40; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000930; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2000930; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (tracked event reported)"; flow: to_server,established; uricontent:"/TrackedEvent.aspx?"; nocase; uricontent:"eid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001397; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2001397; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (action url reported)"; flow: to_server,established; uricontent:"/actionurls/ActionUrl"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001399; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2001399; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Reporting"; flow: to_server,established; uricontent:"/showme.aspx?"; nocase; uricontent:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2001400; rev:8;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; uricontent:"keywords/kyf"; nocase; content:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002001; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002001; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Install"; flow: to_server,established; uricontent:"/downloads/installers/"; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002003; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002003; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Defs Download"; flow: to_server,established; uricontent:"/geodefs/gdf"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002048; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware config Download"; flow: to_server,established; uricontent:"/config.aspx?did="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002099; rev:4;)
#By M Shirk from Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware versionconfig POST"; flow:to_server,established; uricontent:"/versionconfig.aspx?"; uricontent:"&ver="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002354; rev:4;)
#Matt Jonkman. Bundled from Warner Brothers Kids site.. can you believe that crap? Guess where my kids WON'T be spending my money....
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Actionlibs Download"; flow:to_server,established; uricontent:"/actionurls/ActionUrlb"; nocase; uricontent:"partnerid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003057; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Download"; flow:to_server,established; uricontent:"/Zango/ZangoInstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003058; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003058; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; uricontent:"/ZangoTBInstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003059; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; uricontent:"/php/rpc_uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003060; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003060; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; uricontent:"/php/uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003061; rev:3;)
#New zango url
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware Activity"; flow:to_server,established; uricontent:"/banman/banman.asp?ZoneID="; nocase; uricontent:"&Task="; nocase; uricontent:"&X="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003170; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003170; rev:3;)
#Matt Jonkman
# Negated content: fires only on config.aspx requests that carry NO User-Agent header (a browser would send one).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; uricontent:"config.aspx"; nocase; uricontent:"?ver="; nocase; content:"HTTP"; nocase; content:!"User-Agent\: "; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003217; rev:5;)
#more from the spywarelp
#Matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (tracked event 2 reporting)"; flow: to_server,established; uricontent:"/trackedevent.aspx?"; nocase; uricontent:"ver="; nocase; uricontent:"&pkg_ver="; nocase; uricontent:"&rnd="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003306; rev:6;)
# The pcre narrows the fast uricontent prefilter to /tbrequest<digits>.php in the normalized URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware (tbrequest data post)"; flow: to_server,established; uricontent:"/tbrequest"; nocase; uricontent:"&q="; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003610; rev:3;)
#by Russ McRee
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware Post"; flow:to_server,established; uricontent:"/te.aspx?ver="; nocase; pcre:"/ver=[v\d]+/Ui"; reference:url,usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000045; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007607; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid:2007607; rev:4;)
#Submitted by Joel Esler
# Hex decodes to "Host: www.2020search.com" and "IpAddr"; written as hex so the match is case-sensitive and exact.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000327; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search; sid: 2000327; rev:9;)
#
#Submitted by Jason Haar
# |0d0a| is CRLF, so "Host:" is anchored to the start of a header line rather than matched anywhere in the body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 2020search Update Engine"; flow: to_server,established; content:"POST"; depth: 4; content:"srng/reg.php HTTP"; within: 50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within: 40; content:"IpAddr="; nocase; within: 100; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search; sid: 2000934; rev:7;)
# by: Jeremy Conway at sudosecure.net
#ref: 2b8175726f2dde727132299992dafbe9
# Every one of the many uricontent checks must be present; the long parameter list is what keeps this specific.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:"IpAddr="; nocase; uricontent:"&OS="; nocase; uricontent:"&RegistryChanged="; nocase; uricontent:"&RegistryUpdate="; nocase; uricontent:"&NewInstallation="; nocase; uricontent:"&utilMissing="; nocase; uricontent:"&Basedir="; nocase; uricontent:"&BundleID="; nocase; uricontent:"&InitInstalled="; nocase; uricontent:"&Interval="; nocase; uricontent:"&LastInitRun="; nocase; uricontent:"&LastInitVer="; nocase; uricontent:"&LastSrngRun="; nocase; uricontent:"&LastUtilRun="; nocase; uricontent:"&SrngInstalled="; nocase; uricontent:"&SrngVer="; nocase; uricontent:"&UtilInstalled="; nocase; uricontent:"&UtilVer="; nocase; uricontent:"&PCID"; nocase; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_103738.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99; reference:url,doc.emergingthreats.net/2009807; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search; sid:2009807; rev:2;)
#Submitted by Chris Norton
# Response-direction rule (server -> $HOME_NET). Hex decodes to "goidr.cab" and "Host: www.webnetinfo.net".
# NOTE(review): a Host header normally appears in the client request, not the server response; the second
# content may only match if the server echoes it in the body -- verify against a capture before relying on it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001447; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2nd-Thought; sid: 2001447; rev:7;)
#by matt jonkman
# offset:0; depth:16 pins "GET /?fixtool=" to the very start of the request; the negated content then requires
# that no User-Agent header follows. Same construction in the KillerSet rule below.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update"; flow:established,to_server; uricontent:"/?fixtool="; nocase; content:"GET /?fixtool="; offset:0; depth:16; content:!"|0d 0a|User-Agent\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_360safe.com; sid:2008036; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; uricontent:"/?KillerSet="; nocase; content:"GET /?KillerSet="; offset:0; depth:16; content:!"|0d 0a|User-Agent\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_360safe.com; sid:2008149; rev:3;)
#from spyware listening post data, by matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 51yes.com Spyware Reporting User Activity"; flow:established,to_server; uricontent:"/sa.aspx?id="; nocase; uricontent:"&refe=http"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_51yes.com; sid:2003620; rev:3;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; uricontent:"/cgi-bin/PopupV"; nocase; uricontent:"?ID={"; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_A-d-w-a-r-e.com; sid: 2001730; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; uricontent:"/app/VT00/ucmd.php?V="; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001735; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_A-d-w-a-r-e.com; sid: 2001735; rev:7;)
#By Mark Tombaugh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ABX Toolbar ActiveX Install"; flow: to_server,established; uricontent:"/abx_search_webinstall/abx_search.cab"; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-04; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001761; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ABX_Toolbar; sid: 2001761; rev:5;)
#By Matt Jonkman, From spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Abcsearch.com Spyware Reporting"; flow:established,to_server; uricontent:"/cgi-bin/search/mxml.fcgi?"; nocase; uricontent:"Terms="; nocase; uricontent:"&affiliate="; nocase; uricontent:"&subid="; nocase; uricontent:"&Hits_Per_Page="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Abcsearch.com; sid:2003438; rev:3;)
#Submitted by cooljay
# Watches inbound traffic from external TCP port 20 (the FTP data port). The hex is UTF-16LE text: "\Carmen",
# a short binary run, then "suc", expected at byte offset 160. On a hit, tag:host,1,packets,src logs one further
# packet from the source host and flowbits sets "tagged" so other rules can key off it.
alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"ET MALWARE Abox Download"; flow: established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset: 160; depth: 26; tag: host,1,packets,src; flowbits: set,tagged; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Abox; sid: 2001440; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Abox Install Report"; flow: to_server,established; uricontent:"&time="; nocase; uricontent:"/new_install?id="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001441; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Abox; sid: 2001441; rev:11;)
#by Matt Jonkman from Listening Post Data
#Disabling, obsoleting. To be deleted in a month or so
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; uricontent:"/promo/affiframe.jsp?Pid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adultfriendfinder.com; sid:2002353; rev:4;)
#by Philipp Bescht
# No nocase on these uricontent checks: the parameter names must match in this exact case.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Updating"; flow:established,to_server; uricontent:"/cnconfig.gz?ct="; uricontent:"&bp="; uricontent:"&vs="; uricontent:"&country="; uricontent:"&grp="; uricontent:"&tcpc="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advert-network.com; sid:2008419; rev:2;)
# POST to /check.php?tcpc= with no User-Agent header (negated content).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Checking for Updates"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/check.php?tcpc="; content:!"|0d 0a|User-Agent\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008425; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advert-network.com; sid:2008425; rev:2;)
#by Matt Jonkman
#spyware, from the sandnet
# The "Microsoft URL Control" User-Agent is the anchor for both Advertisementserver.com rules; the query
# parameters alone (?UID=, &DIST=, &NPR=) are too generic to stand on their own.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; uricontent:"?UID="; nocase; uricontent:"&DIST="; nocase; uricontent:"&NPR="; nocase; content:"User-Agent\: Microsoft URL Control"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007601; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertisementserver.com; sid:2007601; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; uricontent:"monitor.php"; nocase; uricontent:"?UID="; nocase; pcre:"/UID=\d+/Ui"; content:"User-Agent\: Microsoft URL Control"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertising.com_Bot; sid:2007602; rev:4;)
#Submitted by Matt Jonkman
# classtype policy-violation (not trojan-activity): these are treated as unwanted-software traffic, and that
# classification drives the default priority assigned to the alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Data Post (villains)"; flow: to_server,established; uricontent:"/Games/villains.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001228; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertising.com_Bot; sid: 2001228; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Data Post (cakedeal)"; flow: to_server,established; uricontent:"/Games/cakedeal.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001230; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertising.com_Bot; sid: 2001230; rev:8;)
#From Listening Post data
#Hits on normal ads, not reporting data
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Reporting Data"; flow: to_server,established; pcre:"/\/site=\d+\/mnum=\d+\/bins=\d+\/rich=\d+\/logs=\d+\/betr=/Ui"; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertising.com_Bot; sid: 2002304; rev:3;)
#by Matt Jonkman
# "Indy Library)" must appear within 30 bytes after "User-Agent: " -- i.e. the UA string ends with that token.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware Command Client Checkin"; flow: to_server,established; uricontent:"/client.php?str="; nocase; content:"User-Agent\: "; nocase; content:"Indy Library)"; within:30; nocase; classtype: policy-violation; reference:url,www.nuker.com/container/details/adware_command.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003446; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adware_Command; sid: 2003446; rev:4;)
#by pedro Marinho
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Generic Adware Install Report"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/nsi_install.php?inst_result=success&aff_id="; uricontent:"&id=";nocase; reference:url,doc.emergingthreats.net/2010630; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adware_Command; classtype:trojan-activity; sid:2010630; rev:3;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adwave Agent Access"; flow: to_server,established; uricontent:"/search_404.aspx?aff="; nocase; classtype: policy-violation; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adwave; sid: 2001318; rev:7;)
#Submitted by Chris Norton
# Two loose substrings ("/WTools" anywhere, ".cab" anywhere) with no ordering constraint between them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wintools Download/Configure"; flow: to_server,established; uricontent:"/WTools"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adwave; sid: 2001450; rev:11;)
#By Matt Jonkman
# Host-header match: ".ak-networks.com" must occur within 30 bytes after "Host:".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".ak-networks.com"; nocase; within: 30; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001529; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ak-networks.com; sid: 2001529; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ak-networks.com Spyware Code Download"; flow: to_server,established; uricontent:"/SyncAkSoft.da_"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001530; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ak-networks.com; sid: 2001530; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ak-networks.com Spyware Code Install"; flow: to_server,established; uricontent:"/akcore.dl_"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001737; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ak-networks.com; sid: 2001737; rev:6;)
#by Matt Jonkman from listening post data
# The Alexa rules match the toolbar's reporting endpoints by path plus parameter names; none of them pins a
# Host header except the redirect rule, so a different site using /data?cli=&dat=&ver=&uid= would also alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting URL"; flow:established,to_server; uricontent:"/image_server.cgi?size=small&url=http\:/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002349; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2002349; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting"; flow:established,to_server; uricontent:"/data?"; nocase; uricontent:"cli="; nocase; uricontent:"&dat="; nocase; uricontent:"&ver="; nocase; uricontent:"&uid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003219; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2003219; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting URL Visited"; flow:established,to_server; uricontent:"/data/"; nocase; uricontent:"&cli="; nocase; uricontent:"&dat="; nocase; uricontent:"&ver="; nocase; uricontent:"&url="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2003606; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Redirecting User"; flow:established,to_server; uricontent:"/redirect?http"; nocase; content:"Host\: redirect.alexa.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003619; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2003619; rev:3;)
#Modified and added to by Matt Jonkman (Original author missing)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Altnet PeerPoints Manager Start"; flow: to_server,established; uricontent:"/pm/start.asp"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000906; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Altnet_Peerpoint_Manager_Traffic; sid: 2000906; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Altnet PeerPoints Manager Data Submission"; flow: to_server,established; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000598; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Altnet_Peerpoint_Manager_Traffic; sid: 2000598; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Altnet PeerPoints Manager Settings Download"; flow: to_server,established; uricontent:"/pointsmanager/settings.cab?"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000907; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Altnet_Peerpoint_Manager_Traffic; sid: 2000907; rev:9;)
#fake antispyware package, sig by matt jonkman
# The pcre requires machine_id to be a five-group hex value in braces (GUID-like); the uricontent is the prefilter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; uricontent:"/stat.php?machine_id={"; nocase; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Anti-virus-pro.com; sid:2007886; rev:2;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres Agent Receiving Instructions"; flow: to_server,established; uricontent:"/ie/updatenew/"; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000903; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Avres; sid: 2000903; rev:6;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent:"adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BTGrab.com; sid: 2001999; rev:7;)
#Matt Jonkman from spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Reporting"; flow:to_server,established; uricontent:"/update/barcab/"; nocase; classtype:policy-violation; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003340; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Content"; flow:to_server,established; uricontent:"/update/cab/loadmovie.swf"; nocase; content:"bar.baidu.com"; nocase; classtype:policy-violation; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003341; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003341; rev:3;)
# Negated Referer: a toolbar request to /cpro/ui/ui carries none, whereas a browser-driven page load would.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Data"; flow:to_server,established; uricontent:"/cpro/ui/ui"; nocase; content:"baidu.com"; nocase; content:!"Referer\: "; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003578; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003578; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Activity"; flow:to_server,established; uricontent:"/n?cmd="; nocase; uricontent:"&class="; nocase; uricontent:"&pn="; nocase; uricontent:"&tn"; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003605; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003605; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Sobar Bar Activity"; flow:to_server,established; uricontent:"/sobar/sobar"; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003630; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003630; rev:3;)
#by Jeremy at sudosecure.net
#ref: c182bfbaff0a5187c95020d4ae602ac0
# |2E| = ".", |3F| = "?", |26| = "&": the pattern is ".php?zone=" followed by &name=, &bpid=, &bnum=, &pid= parameters.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adaware.BarACE Checkin and Update"; flow:established,to_server; content:"GET "; depth:4; uricontent:"|2E|php|3F|zone="; nocase; uricontent:"|26|name="; nocase; uricontent:"|26|bpid="; nocase; uricontent:"|26|bnum="; nocase; uricontent:"|26|pid="; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BarAce; sid:2008318; rev:3;)
#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bargain Buddy"; flow: to_server,established; uricontent:"/download/bargin_buddy"; nocase; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000574; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bargain_Buddy; sid: 2000574; rev:9;)
#by matt jonkman
# NOTE(review): destination port is "any" (not $HTTP_PORTS) and the only anchors are generic parameter names
# (ip=, &id=, &sid=, ...), so this rule is likely noisier than its neighbours; keep an eye on its hit rate.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Beautyscreens.com Related Spyware Install Success Report"; flow:established,to_server; uricontent:"ip="; nocase; uricontent:"&id="; nocase; uricontent:"&sid="; nocase; uricontent:"&snip="; nocase; uricontent:"&itemname="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008018; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Beautyscreens.com; sid:2008018; rev:2;)
#By John Stewart
# Uses content (raw payload) rather than uricontent, so the path is searched across the whole request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001885; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Begin2Search; sid: 2001885; rev:6;)
#Matt Jonkman, caught off of fastmp3search.com.ar
# All three Best-targeted-traffic.com rules key on the "User-Agent: Opera " prefix plus the unq= parameter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; uricontent:"/checkin.php?"; nocase; uricontent:"unq="; nocase; uricontent:"version="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Best-Targeted-Traffic.com; sid:2003209; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Install"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"&pais="; nocase; uricontent:"unq="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Best-Targeted-Traffic.com; sid:2003210; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Ping"; flow:established,to_server; uricontent:"/ping.php?"; nocase; uricontent:"ul=http"; nocase; uricontent:"unq="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003211; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Best-Targeted-Traffic.com; sid:2003211; rev:3;)
#Matt Jonkman
# NOTE(review): the rule below is truncated at the end of this excerpt; its options continue in the rest of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
Bestcount.net Spyware Checkin"; flow:established,to_server; uricontent:"/adv/"; nocase; uricontent:"/adload.php?a1="; nocase; uricontent:"&a2=Type of Processor\:"; nocase; uricontent:"&a3=Windows version is "; nocase; uricontent:"&a4=Build\:"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2002955; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Downloading vxgame"; flow:established,to_server; uricontent:"/vxgame1/vxv.php"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002956; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2002956; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; uricontent:"/win32.exe"; nocase; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002957; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2002957; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Exploit Download"; flow:established,to_server; uricontent:"/sploit.anr"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2003153; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Data Upload"; flow:established,to_server; uricontent:"/objects/ocget.dll"; nocase; content:"mybest"; nocase; depth:150; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003154; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2003154; rev:4;) #Submitted by Jonathan Miner alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (download complete)"; flow: to_server,established; uricontent:"/download/cabs/"; nocase; uricontent:"download_complete.htm"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000366; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000366; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (set_pix)"; flow: to_server,established; uricontent:"/download/cabs/set_pix.php"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000367; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (randreco.exe)"; flow: to_server,established; uricontent:"/download/cabs/RANDRECO/randreco.exe"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000371; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000371; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE Binet Ad Retrieval"; flow: to_server,established; uricontent:"/bba/flashimages/"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000593; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000593; rev:7;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Download Attempt"; flow: to_server,established; uricontent:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001198; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001198; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Ad Retrieval"; flow: to_server,established; uricontent:"/twain/servlet/Twain?adcontext="; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001199; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001199; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Reporting Data"; flow: to_server,established; uricontent:"/downloads/record_download.asp"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001216; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Upload"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPre"; nocase; 
reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001339; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001339; rev:7;) #Data from Allison Macfarland alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Install Report"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPost"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001576; rev:6;) #Submitted by Matt Jonkman # Disabling this rule, it needs work. It's hitting on legit ad referrals #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bfast.com Spyware"; flow: to_server,established; uricontent:"/bfast/serve?bfmid"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001398; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bfast.com; sid: 2001398; rev:7;) #from spyware LP data, by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/zuzu.php?&r="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2005319; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bizconcept.info; sid:2005319; rev:3;) #Submitted by Allison MacFarlan alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bonziportal Traffic"; flow: to_server,established; uricontent:"/bonziportal/bin/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; classtype: trojan-activity; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bonzi; sid: 2001345; rev:7;) #by Jeffrey Brown alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Borlander Adware Checkin"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"?t="; nocase; uricontent:"&i="; nocase; uricontent:"&v="; nocase; uricontent:"&d="; nocase; uricontent:"&a="; nocase; uricontent:"&n="; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Borlander.com.cn; sid:2008736; rev:2;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com Fake Antispyware Download"; flow:established,to_server; uricontent:"/bravesentry.exe"; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002954; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bravesentry; sid:2002954; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com Fake Antispyware Updating"; flow:established,to_server; uricontent:"/update.php?v="; nocase; uricontent:"&d="; nocase; uricontent:"&vs="; nocase; content:!"User-Agent\: "; content:"Host\: "; content:".bravesentry.com"; distance:0; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bravesentry; sid:2003541; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com/Protectwin.com Fake Antispyware 
Reporting"; flow:established,to_server; uricontent:"/download.php?&advid="; nocase; uricontent:"&u="; nocase; uricontent:"&p="; nocase; content:!"User-Agent\: "; content:"Host\: "; content:".bravesentry.com"; distance:0; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003542; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bravesentry; sid:2003542; rev:3;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Browseraid.com Agent Reporting Data"; flow: to_server,established; uricontent:"/perl/ads.pl"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Browseraid; sid: 2001266; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Browseraid.com Agent Updating"; flow: to_server,established; uricontent:"/perl/uptodate.pl"; nocase; content:"uptodate.browseraid.com"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Browseraid; sid: 2001304; rev:7;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host\: www.bullseye-network.com"; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bullseye-Network.com; sid: 2001501; rev:6;) #Submitted by Chris Norton alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware Download"; flow: to_server,established; uricontent:"/app/InternetFuel/AppWrap.exe"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001451; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bundleware; sid: 2001451; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer\: ms-its\:mhtml\:file\://C\:counter.mht!http\://"; nocase; content:"/counter/HELP3.CHM\:\:/help.htm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001452; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bundleware; sid: 2001452; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware cab Download"; flow: to_server,established; uricontent:"/counter/counter_v3.cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bundleware; sid: 2001458; rev:5;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE C4tdownload.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".c4tdownload.com"; within:26; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_C4tdownload.com; sid: 2001531; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE C4tdownload.com Spyware Activity"; flow: to_server,established; uricontent:"/js.php?event_type=onload&recurrence="; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002088; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_C4tdownload.com; sid: 2002088; rev:5;) #from sandnet analysis, called CASClient by Kaspersky #by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CASClient Spyware/Adware Install Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/chkmac.php?mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006403; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CASClient; sid:2006403; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CASClient Spyware/Adware Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/ctrv.php"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006404; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CASClient; sid:2006404; rev:3;) #By Matt Jonkman, From spyware listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity"; flow:established,to_server; uricontent:"/download/CnsMin"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003417; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CNSMIN; sid:2003417; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 2"; flow:established,to_server; uricontent:"/download/CnsUp"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003418; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CNSMIN; sid:2003418; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 3"; flow:established,to_server; uricontent:"/download/autolvsw.ini?"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CNSMIN; sid:2003419; rev:3;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; uricontent:"/x/in.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002089; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002089; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; uricontent:"/x/tbd_web.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002095; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002095; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Trafcool.biz Related Installer"; flow:established,to_server; uricontent:"/progs_traff/"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002931; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002931; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Related Installer"; 
flow:established,to_server; uricontent:"/livesupport/image_tracker.php?"; nocase; uricontent:"l=support&"; nocase; uricontent:"x=1&"; nocase; uricontent:"deptid=1&"; nocase; uricontent:"&page=http"; nocase; uricontent:"&unique="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002932; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002932; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Spy-Sheriff.com Infeced Buy Page Request"; flow:established,to_server; uricontent:"/?advid="; nocase; content:"spy-sheriff.com"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002933; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002933; rev:3;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; reference:url,doc.emergingthreats.net/bin/view/Main/2001521; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Callinghome.biz; sid: 2001521; rev:10;) #by Deapesh Misra alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 3"; flow: to_server,established; uricontent:"/sd?";nocase; pcre:"/\/sd\?s=\d+&f=\d&C=\d/Ui"; classtype: trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com; reference:url,doc.emergingthreats.net/2009880; sid:2009880; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 2"; flow: 
to_server,established; uricontent:"/sd?";nocase; pcre:"/\/sd\?s=\d+&f=\d/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002196; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com; sid:2002196; rev:1;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Install"; flow: to_server,established; uricontent:"/newdownload/newsetup/"; nocase; content:"casinone"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001041; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Reporting Data"; flow: to_server,established; uricontent:"/logs.asp?MSGID=100"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001031; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Ping Hit"; flow: to_server,established; uricontent:"/Ping/Ping.txt"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001032; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Data Download"; flow: to_server,established; uricontent:"/sdl/casinov"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001033; rev:7;) #Matt Jonkman from spywarelp data alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Catchonlife.com Spyware"; flow: to_server,established; uricontent:"/nw3/r1.txt?"; content:"catchonlife"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Catchonlife.com; sid:2003358; rev:3;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; uricontent:"/notify.php?pid=remupd&module=install&v="; nocase; content:"&result=1&message=Success"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001494; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Clickspring.net; sid: 2001494; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; uricontent:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Clickspring.net; sid: 2001500; rev:6;) #by Matt Jonkman from spyware listeningpost data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting"; flow:established,to_server; uricontent:"/stat.php?id="; nocase; uricontent:"&web_id="; nocase; content:"Host\:"; nocase; content:!"Referer\: "; nocase; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_140364.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003607; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Cnzz.com; sid:2003607; rev:7;) #Submitted by Jason Haar, modified 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Traffic"; flow: to_server,established; uricontent:"/cc/"; content:"Host\: update.cc.cometsystems.com"; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000931; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2000931; rev:7;) #Submitted by Jonathan Miner alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CometSystems Spyware"; flow: to_server,established; uricontent:"/comet/request"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001050; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2001050; rev:7;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; reference:url,doc.emergingthreats.net/bin/view/Main/2001655; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2001655; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host\: log.cc.cometsystems.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001658; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2001658; rev:5;) #from Listening Post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Update Download"; flow: to_server,established; uricontent:"/cc/5/masterconfig/"; nocase; uricontent:"/update.xml?v="; nocase; classtype: policy-violation; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2002351; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Context Report"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml?v="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2002352; rev:3;) #from spywarelp data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Cursor DL"; flow: to_server,established; uricontent:"/czcontent/cursor"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2003307; rev:3;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Conduit Connect Toolbar Message Download(Many report to be benign)"; flow: to_server,established; uricontent:"/Message/"; content:"User-Agent\: EI"; nocase; pcre:"/\/Message\/\S+\/\S+\.xml/Ui"; reference:url,www.conduit.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003218; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Conduit_Connect; sid: 2003218; rev:3;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com Spyware Install"; flow: to_server,established; uricontent:"/getexe/?wmid="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003074; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contentloader.com; sid: 2003074; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com 
Spyware Install 2"; flow: to_server,established; uricontent:"/getdata/getdata.php?wmid="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003075; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contentloader.com; sid: 2003075; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com (ownusa.info) Spyware Install"; flow: to_server,established; uricontent:"/fdial2.php?o="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003076; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contentloader.com; sid: 2003076; rev:3;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware Install"; flow: established,to_server; uricontent:"/AproposClientInstaller.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001704; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ContextPlus.net; sid: 2001704; rev:6;) #Submitted by Chris Norton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ContextPanel Reporting"; flow: to_server,established; uricontent:"/cplog/?logtype="; nocase; content:"contextpanel.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001456; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contextpanel; sid: 2001456; rev:5;) #by Jacob Kitchel alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolDeskAlert Spyware Activity"; flow:to_server,established; uricontent:"/alert/get_xml"; nocase; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003462; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CoolDeskAlert; sid:2003462; rev:3;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001479; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Coolsearch; sid: 2001479; rev:7;) #from Lance James and Secure Science www.securescience.net -- Thanks Lance! #too many falses... #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Blind Data Upload"; flow:to_server,established; uricontent:"/images/data.php?"; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002774; rev:3;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host\:"; nocase; content:"google.vc"; nocase; within:30; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002765; rev:4;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host\:"; nocase; content:"pcpeek-webcam-sex.com"; nocase; within:40; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002766; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002766; rev:4;) #alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host\:"; nocase; content:"businessopportunityseeker.biz"; nocase; within:50; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002767; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002767; rev:4;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host\:"; nocase; content:"fesexy.net"; nocase; within:20; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002768; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002768; rev:4;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host\:"; nocase; content:"studiolacase.com"; nocase; within:30; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002769; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002769; rev:5;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net - msits.exe access"; flow:to_server,established; uricontent:"/msits.exe"; nocase; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002770; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002770; rev:3;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net - msys.exe access"; flow:to_server,established; uricontent:"/msys.exe"; nocase; 
classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002771; rev:3;) #Submitted by Chris Norton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Download"; flow: to_server,established; uricontent:".dl_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Couponage; sid: 2001453; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001454; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Couponage; sid: 2001454; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001455; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Couponage; sid: 2001455; rev:6;) #From Vernon Stark #alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode"; classtype: trojan-activity; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001683; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid: 2001683; rev:8;)
# --- Covert executable download (response side) ---
# Each rule pairs a Content-Type header that claims a non-executable type (image, javascript,
# text/plain, text/html, text/css) with a PE-header marker ("MZ" immediately after a CRLF) inside a
# bounded window.  The mismatch between the declared type and the body is the signal; neither
# match on its own would be.  sid 2001683 (the rule ending just above) is disabled: its opening
# `#alert` is on the previous line of this file.
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send image, Win32"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a|MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001684; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2001684; rev:9;)
# sids 2001685 / 2008367 / 2008438 / 2008754 match on source port !20 and destination port !25,
# presumably to leave FTP-data transfers and SMTP delivery to other rules — confirm before widening.
alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001685; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2001685; rev:7;)
# Anchors "MZ" to the first bytes of the body: |0d 0a 0d 0a| is the blank line that terminates the
# HTTP headers, and within:40 (relative to the end of the Content-Type line) bounds the search.
alert tcp $EXTERNAL_NET !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008367; rev:4;)
#deapesh misra
alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established,from_server; content:"Content-Type|3a| text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008438; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow: established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; content:"|0d 0a|MZ"; within: 100; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009897; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2009897; rev:2;)
# NOTE(review): unlike the MZ rules, the "Rar!" match below has no within/distance bound, so it
# matches "Rar!" anywhere later in the stream after the Content-Type header — expect this one to
# be noisier than its siblings.
#from vienna
alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; content:"Content-Type|3a| image/"; content:"|0d 0a|Rar!"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008754; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008754; rev:2;)
# by: Deapesh Misra
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type\: text/css|0d 0a|"; content:"|0d 0a|MZ"; within:500; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2009909; rev:1;)
# --- Covert executable download (request side, sids 2010500-2010503) ---
# A GET whose URI ends in .txt/.cfg/.bin/.jpg (pcre anchored with $ on the URI buffer) and whose
# headers carry no Referer line (negated content match).  These rules only set the flowbit
# ET.hidden.exe and never alert themselves (flowbits:noalert).  The response-side rule that tests
# ET.hidden.exe is not visible in this section — confirm it exists in the ruleset, otherwise the
# bit is set and never consumed.
#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .txt file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".txt"; nocase; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010500; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .cfg file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".cfg"; nocase; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010501; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .bin file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".bin"; nocase; pcre:"/\.bin$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010502; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010502; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .jpg file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".jpg"; nocase; pcre:"/\.jpg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010503; rev:2;) #By Matt Jonkman alert 
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CrazyWinnings.com Activity"; flow: established,to_server; uricontent:"/scripts/protect.php?promo=promo"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CrazyWinnings.com; sid: 2001733; rev:5;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Default-homepage-network.com Access"; flow: to_server,established; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; reference:url,default-homepage-network.com/start.cgi?new-hkcu; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Default-Homepage-Network; sid: 2001222; rev:8;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (payload)"; flow: established,to_server; uricontent:"/in/payload/payload.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002816; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2002816; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (setup)"; flow: established,to_server; uricontent:"/in/defaults/setup.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002817; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2002817; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (setup-alt)"; flow: established,to_server; uricontent:"/in/defaults/setup-alt.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003472; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2003472; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (payload-alt)"; flow: established,to_server; uricontent:"/in/payload/payload-alt.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003473; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2003473; rev:3;) #submitted by John Stewart alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DesktopTraffic Toolbar Spyware"; flow: to_server,established; uricontent:"cgi-bin/ezl_kws.fcgi?cat"; nocase; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001884; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_DeskTopTraffic; sid: 2001884; rev:3;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deskwizz.com Spyware Install INI Download"; flow: to_server,established; uricontent:"/GetAd/tekID"; nocase; uricontent:".ini"; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Deskwizz.com; sid: 2003445; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deskwizz.com Spyware Install Code Download"; flow: to_server,established; uricontent:"/ax/acdt-pid"; nocase; uricontent:".exe"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003444; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Deskwizz.com; sid: 2003444; rev:3;) #by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Direct-web.co.kr Related Spyware Checkin"; flow:established,to_server; 
uricontent:".php?appname="; nocase; uricontent:"&appseq="; nocase; uricontent:"&mac="; nocase; uricontent:"&type="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007978; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Direct-web.co.kr; sid:2007978; rev:2;) #this is for the recent rash of .co.kr fake antispyware products we're seeing. #doctorpro.co.kr, karine.co.kr, Vaccineprogram.co.kr, Mycashbank.co.kr, etc. There will surely be more. Similar url patterns though alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin"; flow:established,to_server; uricontent:"/install_count.html?id="; nocase; uricontent:"&MAC="; nocase; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006425; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006425; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin"; flow:established,to_server; uricontent:"/access_count.html?id="; nocase; uricontent:"&MAC="; nocase; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006426; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006426; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/nchkmac.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006427; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006427; rev:4;) alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; uricontent:"/open.php?sn="; nocase; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006428; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006428; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/chkblack.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006431; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006431; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; uricontent:"/ret.php?"; nocase; uricontent:"mode="; nocase; uricontent:"&cname="; nocase; uricontent:"&cn="; nocase; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006432; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006432; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/api_result.php?"; nocase; uricontent:"mode="; nocase; uricontent:"&PartID="; nocase; uricontent:"&mac="; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006433; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006433; rev:4;) #more from the same folks #by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/chkvs.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007642; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2007642; rev:4;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dollarrevenue.com Spyware Code Download"; flow:established,to_server; uricontent:"/bundle/drsmartload.exe"; nocase; reference:url,dollarrevenue.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002967; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Dollarrevenue.net; sid:2002967; rev:3;) #by Scot Melnick alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TROJAN_VB Microjoin"; flow:established,to_server; uricontent:"/bundle/loader.exe"; nocase; reference:url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003084; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Dropper.Microjoin; sid:2003084; rev:3;) #by Matt Jonkman, from Spyware Listening Post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dropspam.com Spyware Reporting"; flow:established,to_server; uricontent:"/reportaddon.cgi?"; nocase; uricontent:"report.cgi?"; nocase; uricontent:"user="; nocase; uricontent:"software="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003440; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Dropspam.com; sid:2003440; rev:3;) #matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Downloading IeBHOs.dll"; flow: to_server,established; uricontent:"/downloads/IeBHOs.dll"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001415; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Reporting Install"; flow: to_server,established; uricontent:"/count/count.php?&mm"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001416; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001416; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Receiving Config"; flow: to_server,established; uricontent:"/config/?"; nocase; uricontent: "v=5"; nocase; uricontent: "n=mm2"; nocase; uricontent: "i="; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001417; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Downloading Code"; flow: to_server,established; uricontent:"/soft/unstall.exe"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001418; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001418; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Reporting"; flow: to_server,established; uricontent:"/count/count.php?&mm2cpr"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001423; rev:7;) #from spyware listening post hits alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Spyware Reporting (check url)"; flow: to_server,established; uricontent:"/go/check?build="; nocase; uricontent:"&source="; nocase; uricontent:"&merchants="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid: 2003504; rev:3;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; uricontent:"/files/eSyndicateInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002009; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ESyndicate; sid: 2002009; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; uricontent:"/files/SEPInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002010; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ESyndicate; sid: 2002010; rev:6;) #By Matt Jonkman, From spyware listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting Search Strings"; flow:established,to_server; uricontent:"/partner/rt.php?q="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EZSearch; sid:2002317; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting Search Category"; flow:established,to_server; uricontent:"/partner/rt.php?cat="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EZSearch; sid:2002318; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting 2"; flow:established,to_server; uricontent:"/partner/bom.php?e="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002319; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EZSearch; sid:2002319; rev:3;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ebates Install"; flow: to_server,established; uricontent:"/ebates.exe"; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001038; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ebates_Moe_Money_Maker; sid: 2001038; rev:7;) #from spyware listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware Checkin"; flow:established,to_server; uricontent:"/iis2ebs.asp"; nocase; content:"effectivebrands.com"; nocase; 
classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Effectivebrands.com; sid:2003304; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware Checkin 2"; flow:established,to_server; uricontent:"/iis2ucms.asp"; nocase; content:"effectivebrands.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003360; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Effectivebrands.com; sid:2003360; rev:3;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Elitemediagroup.net Spyware Config Download"; flow:established,to_server; uricontent:"/bundle.php?aff="; nocase; reference:url,elitemediagroup.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002966; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Elitemediagroup.net; sid:2002966; rev:3;) #By Matt Jonkman, From spyware listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Epilot.com Spyware Reporting"; flow:established,to_server; uricontent:"/getresults.aspx"; nocase; uricontent:"?aff="; nocase; uricontent:"&ip="; nocase; uricontent:"&keyword="; nocase; uricontent:"&source="; nocase; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003414; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Epilot.com; sid:2003414; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Epilot.com Spyware Reporting Clicks"; flow:established,to_server; uricontent:"/click.aspx?"; nocase; uricontent:"?xp="; nocase; content:"Host\: "; nocase; content:"epilot.com"; nocase; distance:0; 
reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003416; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Epilot.com; sid:2003416; rev:3;)
#matt Jonkman from Spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Evidencenuker.com Fake AV Updating"; flow:established,to_server; uricontent:"/products/evidencenuker/update.php?version="; nocase; reference:url,www.evidencenuker.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003568; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EvidenceNuker.com; sid:2003568; rev:3;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Install Attempt"; flow: to_server,established; uricontent:"/f1/objects/"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_F1Organizer.com; sid: 2000585; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Reporting"; flow: to_server,established; uricontent:"/f1/audit/"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000582; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_F1Organizer.com; sid: 2000582; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Config Download"; flow: to_server,established; uricontent:"/F1/Cmd4F1"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001221; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_F1Organizer.com; sid: 2001221; rev:6;)
#Submitted by Matt Jonkman
# The pcre below has no U flag, so it runs against the whole payload rather than the normalized URI;
# its second alternative also covers absolute-form (proxy-style) POST request lines.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Featured-Results.com Agent Reporting Data"; flow: to_server,established; uricontent:"action=any"; nocase; uricontent:"country="; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001293; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Featured-results; sid: 2001293; rev:9;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (clickthrough)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?clickthrough&"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003579; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Findwhat.com; sid:2003579; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (sendtracker)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?sendtracker&"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Findwhat.com; sid:2003580; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (sendmedia)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?sendmedia&"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Findwhat.com; sid:2003581; rev:3;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FlashPoint Agent Retrieving New Code"; flow: to_server,established; uricontent:"/ftxmon.php?"; reference:url,www.flashpoint.bm; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000905; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_FlashPoint; sid: 2000905; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FlashTrack Agent Retrieving New App Code"; flow: to_server,established; uricontent:"/apps/r.exe"; reference:url,www.flashpoint.bm; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000936; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_FlashPoint; sid: 2000936; rev:7;)
#matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Flingstone Spyware Install (cxtpls)"; flow: established,to_server; uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001710; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Flingstone; sid: 2001710; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; uricontent:"/softwares/SportsInteraction.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Flingstone; sid: 2001705; rev:8;)
#Submitted by Matt Jonkman
# The two Freeze.com install rules key on the "Wise" installer User-Agent plus a freeze.com string in the
# payload; the ad-pull rule after them relies on URI path alone.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install)"; flow: to_server,established; uricontent:"/checkhttp.htm"; nocase; content:"User-Agent\: Wise"; nocase; content:"freeze.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002840; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid: 2002840; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; uricontent:"/ping/?shortname="; nocase; content:"User-Agent\: Wise"; nocase; content:"freeze.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002841; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid: 2002841; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Pulling Ads)"; flow: to_server,established; uricontent:"/ToastMessage/"; nocase; uricontent:"/Toast.asp?ysaid="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003362; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid: 2003362; rev:3;)
# by: Jeremy Conway at sudosecure.net
# ref: f6a78be315d98ba8df4e72296ac8ec0c
# NOTE(review): the 32-hex "ref:" values in this file are MD5-length and presumably sample hashes, but the
# file never says so - confirm against the ET doc page before treating them as IoCs.
# This rule has no host or domain anchor; its specificity comes from the full set of five query parameters.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W3i Related Adware/Spyware"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"shortname="; nocase; uricontent:"os="; nocase; uricontent:"v="; nocase; uricontent:"browsers="; nocase; uricontent:"readable="; nocase; classtype:trojan-activity; reference:url,www.tallemu.com/oasis2/vendor/w3i__llc/623302; reference:url,doc.emergingthreats.net/2009705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid:2009705; rev:3;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Install"; flow: to_server,established; uricontent:"/install_ie.jsp?product="; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000599; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2000599; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products SmileyCentral"; flow: to_server,established; uricontent:"/images/smileycentral/"; nocase; content:"FunWebProducts"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001013; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2001013; rev:7;)
# Both agent-traffic rules are thresholded (type limit, track by_src): at most 2 alerts per source per 360s
# for the first, 10 per 60s for the MyWay variant. The matched token is the agent's User-Agent fragment.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Agent Traffic"; flow: to_server,established; content:"FunWebProducts\;"; nocase; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2001034; rev:16;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay\;"; nocase; threshold: type limit, track by_src, count 10, seconds 60; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001043; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2001043; rev:10;)
#From Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002305; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002305; rev:6;)
# Disabled duplicate of sid 2002305: identical matches, different sid.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid:2002310; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Cursorchooser Spyware"; flow: to_server,established; uricontent:"/CursorChooser.html?"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002306; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Stampchooser Spyware"; flow: to_server,established; uricontent:"/StampChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002307; rev:5;)
#by Shirkdog
# NOTE(review): msg says "StationaryChooser" while the matched URI is "/StationeryChooser.html?"; the msg
# is part of the rule and is left unchanged here (a fix should bump rev).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products StationaryChooser Spyware"; flow: to_server,established; uricontent:"/StationeryChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002858; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002858; rev:3;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products SmileyCentral IEsp2 Install"; flow: to_server,established; uricontent:"/download/install_ie_sp2.jhtml?"; nocase; uricontent:"product="; nocase; uricontent:"utmCall="; nocase; uricontent:"bOrganic="; nocase; reference:url,www.myfuncards.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003151; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2003151; rev:3;)
#Matt Jonkman from Spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gamehouse.com Activity"; flow: to_server,established; uricontent:"/game-quit-count.jsp?ghgamecode="; reference:url,www.gamehouse.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gamehouse.com; sid: 2003348; rev:3;)
#Submitted by Matt Jonkman
# Note that nocase binds only to the content it follows: "webpdpcookie" is matched case-sensitively,
# ".gator.com" case-insensitively.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000025; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000025; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator Checkin"; flow: to_server,established; uricontent:"/gbsf/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000595; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator New Code Download"; flow: to_server,established; uricontent:"/gatorcme/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000597; rev:7;)
#Matt Jonkman (depth added by bobkberg)
# depth:5 pins "POST " to the start of the payload, i.e. the request line. Several other rules in this
# file match "POST" without a depth and will match that token anywhere in the payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Claria Data Submission"; flow: to_server,established; content:"POST "; depth:5; uricontent:"gs_trickler"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000596; rev:12;)
# NOTE(review): the next two msgs say "Clarian" where the rule above says "Claria"; msg text is part of
# the rule and is left unchanged here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Clarian Agent"; flow: to_server,established; uricontent:"/gbsf/"; nocase; uricontent:"gtrg2ze"; nocase; classtype:policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2001306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid:2001306; rev:9;)
#Matt Jonkman, from spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Clarian Spyware Posting Data"; flow: to_server,established; uricontent:"/gs_med"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2003575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid:2003575; rev:4;)
#These are for common names of malcode files as seen in common places.
#Matt Jonkman
# Both "Likely Trojan/Spyware Installer Requested" rules are disabled (leading #). Each uses a cheap
# uricontent on the extension as a prefilter and a pcre with the U flag (normalized URI only) holding the
# list of lure file-name stems.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; uricontent:".scr"; nocase; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001850; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Requests; sid: 2001850; rev:8;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; uricontent:".exe"; nocase; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002093; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Requests; sid: 2002093; rev:5;)
#Submitted by Joseph Gama
# Server-to-client rule on any port: a RegWrite call together with the IE Start Page registry path in the
# response body. Each "\\" in rule syntax is one literal backslash, so "\\\\" matches the doubled
# backslashes of a script string literal.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2000514; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Spyware_Install; sid: 2000514; rev:7;)
# The two shell: rules match the bare token (colon escaped) anywhere in a server response with no depth
# or header anchoring, so plain text that merely mentions it will also fire; classtype is misc-attack.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell\:windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2000519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Spyware_Install; sid: 2000519; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell\:winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2000520; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Spyware_Install; sid: 2000520; rev:8;)
#Matt Jonkman
# The first GlobalPhon rule has no nocase, so the Host header value is matched case-sensitively.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer"; flow: to_server,established; content:"Host\: www.globalphon.com"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001656; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001656; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer Download"; flow: to_server,established; uricontent:"/dialer/internazionale_ver"; nocase; uricontent:".CAB"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001657; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; uricontent:"/no_pop.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001659; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001659; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; uricontent:"/add_ocx.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001660; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001660; rev:6;)
#by Jeremy at sudosecure
# ref: 9ab0b5608af7c2c7fb3b631f27ee79c6
# Negated content: fires only when the GET carries no Referer header. The URI parameters are short generic
# tokens, so the missing Referer is the real discriminator - review hits before trusting them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gooochi Related Spyware Ad pull"; flow:established,to_server; content:"GET "; depth:4; uricontent:"?z="; nocase; uricontent:"|26|ch="; nocase; uricontent:"|26|dim="; nocase; uricontent:"|26|abr="; nocase; content:!"Referer\: "; nocase; reference:url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008375; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gooochi; sid:2008375; rev:3;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GrandstreetInteractive.com Install"; flow: to_server,established; uricontent:"/tdtb.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002012; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GrandStreetInteractive.com; sid: 2002012; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GrandstreetInteractive.com Update"; flow: to_server,established; uricontent:"/wupdsnff.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002013; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GrandStreetInteractive.com; sid: 2002013; rev:4;)
#by Matt jonkman, guard-center.com crapware (if you're gonna pretend to scan a disk, you ought to at least access the disk a little)
# Identified by a request that lacks a User-Agent header (negated content, CRLF-anchored) yet carries the
# advid/u/p parameters. There is no host anchor, so legitimate header-less HTTP clients can also trigger it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Guard-Center.com Fake AntiVirus Post-Install Checkin"; flow:established,to_server; uricontent:".php?"; uricontent:"&advid="; uricontent:"&u="; uricontent:"&p="; content:"HTTP/1."; content:!"|0d 0a|User-Agent\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007744; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Guard-Center.com; sid:2007744; rev:4;)
#by matt jonkman
#many malware packages use hex to obscure an IP
# "Host: 0x" is anchored on the preceding CRLF so it must start a header line; the rule does not check
# that the rest of the value is hex digits, so any Host value beginning with 0x will fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"|0d 0a|Host\: 0x"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hex_Domain_Request; sid:2007951; rev:2;)
#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Checkin"; flow:established,to_server; uricontent:"?udata="; uricontent:"mission_supgrade\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Host-domain-lookup.com; sid:2007749; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Start Report"; flow:established,to_server; uricontent:"?udata="; uricontent:"program_started\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007750; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Host-domain-lookup.com; sid:2007750; rev:3;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (1)"; flow: to_server,established; uricontent:"/install/startInstallprocess.asp?"; nocase; uricontent: "Defau"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000920; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (2)"; flow: to_server,established; uricontent:"/install/process/upsale/hotbar"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000921; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000921; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (3)"; flow: to_server,established; uricontent:"/installs/hotbar/programs/"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000922; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000922; rev:8;)
# "POST" here has no depth, so it matches anywhere in the payload rather than only the request line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; uricontent:"/reports/hotbar/"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000923; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000923; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Upgrading"; flow: to_server,established; uricontent:"/updates/hotbar/"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000924; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000924; rev:8;)
# Thresholded: one alert per source per 360s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Activity"; flow: to_server,established; uricontent:"/dynamic/hotbar/"; nocase; reference:url,www.hotbar.com; threshold: type limit, count 1, track by_src, seconds 360; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000929; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000929; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Partner Checkin"; flow: to_server,established; uricontent:"/partners/"; nocase; uricontent:"partners.xip"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000925; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000925; rev:7;)
#from Shirkdog
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Subscription POST"; flow: to_server,established; uricontent:"/hotbar/"; nocase; uricontent:"Subscription.dll?"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002820; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2002820; rev:3;)
#Matt Jonkman from spyware lp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Adopt/Zango"; flow: to_server,established; uricontent:"/adopt.jsp?"; nocase; uricontent:"l="; nocase; uricontent:"&sz="; nocase; uricontent:"cid="; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2003364; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Keywords Download"; flow: to_server,established; uricontent:"/keywords/kyfb."; nocase; uricontent:"partner_id="; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003388; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2003388; rev:3;)
#matt jonkman, new version of hotbar apparently
# The two "Hotbar.com Related" rules have no nocase on their uricontents and no host anchor; the
# parameter set (did/brandid/os/pkg_ver, eid/brand/os/mt/pkg_ver) carries the specificity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar.com Related Spyware Install Report"; flow:established,to_server; uricontent:"/ciconfig.aspx?did="; uricontent:"&brandid="; uricontent:"&os="; uricontent:"&pkg_ver="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008917; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2008917; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar.com Related Spyware Activity Report"; flow:established,to_server; uricontent:"/trackedevent.aspx?eid="; uricontent:"&brand="; uricontent:"&os="; uricontent:"&mt="; uricontent:"&pkg_ver="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008918; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2008918; rev:2;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ICQ-Update.biz Reporting Install"; flow: to_server,established; uricontent:"log.php?"; nocase; uricontent: "IP="; nocase; uricontent:"Port1="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001490; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ICQ-Update.biz; sid: 2001490; rev:8;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEHelp.net Spyware Installer"; flow:established,to_server; uricontent:"/counter/help.chm"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002090; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_IEHelp.net; sid:2002090; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEHelp.net Spyware checkin"; flow:established,to_server; uricontent:"/l/gpr.php?"; nocase; uricontent: "ID1="; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002096; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_IEHelp.net; sid:2002096; rev:6;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; uricontent:"/ist/scripts/log_downloads.php"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000927; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2000927; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; uricontent:"/ist/bars/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000928; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2000928; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; uricontent:"/ist/softwares/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001395; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2001395; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Data Submission"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?"; nocase; uricontent: "version="; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001697; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2001697; rev:6;)
# Matt Jonkman
# depth:300 limits the payload search for the domain/Host string to the first 300 bytes (the header area).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Incredisearch.com Spyware Ping"; flow: established,to_server; uricontent:"/ping.asp"; nocase; content:"incredisearch.com"; depth:300; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001793; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Incredisearch.com; sid: 2001793; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host\: www.incredisearch.com"; depth:300; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001794; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Incredisearch.com; sid: 2001794; rev:6;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Instafinder.com spyware"; flow: established,to_server; uricontent:"/404/update/instafi"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003376; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Instafinder.com; sid: 2003376; rev:3;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Fuel.com Install"; flow: to_server,established; uricontent:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002015; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Internet_Fuel; sid: 2002015; rev:4;)
#Submitted by Matt Jonkman
# NOTE(review): msg spells "Optomizer"; the sibling rule and the sigs file name use "Optimizer". msg text
# is part of the rule and is left unchanged here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optomizer Reporting Data"; flow: to_server,established; uricontent:"/io/downloads/"; nocase; content:"/wsi8/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001308; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Internet_Optimizer; sid: 2001308; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optimizer Spyware Install"; flow: to_server,established; uricontent:"/internet-optimizer/"; nocase; uricontent:"/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001396; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Internet_Optimizer; sid: 2001396; rev:6;)
# by: Jeremy Conway at sudosecure.net
# ref: b5880918affcbb25120b431a45b99429
# Response-side rule (to_client): a 200 reply whose Content-Type is "qvod_update" and whose body is an
# INI-style [AGENTLIST] section with ip0/port0 and ip1/port1 entries, i.e. presumably the server/peer list
# handed to the client. The within:25 modifiers keep each portN close to its ipN.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:" 200 OK|0d 0a|"; nocase; depth:64; content:"|0d 0a|Content-Type|3a| qvod_update|0d 0a|"; nocase; content:"|0d 0a 0d 0a 5b|AGENTLIST|5d 0d 0a|ip0="; nocase; content:"|0d 0a|port0="; nocase; within:25; content:"|0d 0a 0d 0a|ip1="; nocase; content:"|0d 0a|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Istbar; sid:2009597; rev:2;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE jmnad1.com Spyware Install (1)"; flow: to_server,established; uricontent:"/install.qg?"; nocase; uricontent: "ID="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002019; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Jmnad1.com; sid: 2002019; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE jmnad1.com Spyware Install (2)"; flow: to_server,established; uricontent:"/download/mw_4s_stub.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Jmnad1.com; sid: 2002016; rev:8;)
#Submitted by Matt Jonkman
# No payload match at all: this alerts on any UDP datagram 3531->3531 from $HOME_NET to $EXTERNAL_NET.
# Expect false positives if the port is reused locally; a threshold or suppress is worth considering.
alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Probing or Announcing UDP"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000900; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2000900; rev:7;)
# Disabled: the TCP counterpart below likewise has no content match and would fire on any TCP 3531 session.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Communicating TCP"; flow: to_server,established; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000901; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2000901; rev:8;)
# Keep-alive is a single-byte payload 0x4b ("K") to TCP 3531.
alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001015; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2001015; rev:8;)
# Absolute-form POST whose target is port 3531 path /.pkt: the same agent traffic relayed through an HTTP
# proxy, which is why the destination port is "any" here.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http\://"; nocase; content:"\:3531/.pkt"; nocase; within: 20; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001679; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2001679; rev:11;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent\:"; nocase; content:"PeerEnabler"; within:120; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001654; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2001654; rev:9;)
#by Jamie Blasco
# The only indicator is the JAR file name in the URI, so treat a hit as low-confidence on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malicious Applet Access (justexploit kit)"; flow:to_server,established; uricontent:"/sdfg.jar"; classtype: trojan-activity; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; reference:url,doc.emergingthreats.net/2010438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Justexploit; sid:2010438; rev:3;)
#Submitted by Jason Haar
# Both headers are CRLF-anchored; the Extension header must appear within 300 bytes after the Host header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Keenvalue Update Engine"; flow: to_server,established; content:"|0d0a|Host|3a|secure.keenvalue.com"; content:"|0d0a|Extension|3a|Remote-Passphrase"; within: 300; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000932; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Keenvalue; sid: 2000932; rev:5;)
#Matt Jonkman
# all sorts of junk at www.thespyguard.com, fake antispyware trojan
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Install"; flow:established,to_server; uricontent:"/soft/installers/spyguardf.php"; nocase; reference:url,www.thespyguard.com; reference:url,www.kliksoftware.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003201; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003201; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Update Check"; flow:established,to_server; uricontent:"/soft/update/check_update.php"; nocase; content:"Host\: www.kliksoftware.com"; nocase; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003202; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003202; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hitvirus Fake AV Install"; flow:established,to_server; uricontent:"/soft/installers/hitvirusf.php"; nocase; content:"get.hitvirus.com"; nocase; reference:url,www.kliksoftware.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003203; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003203; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Updating"; flow:established,to_server; uricontent:"/soft/update/get.php"; nocase; uricontent:"pid="; nocase; uricontent:"mail="; nocase; content:"Host\: www.kliksoftware.com"; nocase; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/bin/view/Main/2003204; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003204; rev:3;) #from spyware listeningpost data, by matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE KMIP.net Spyware"; flow:established,to_server; uricontent:"/iesocks?peer_id="; nocase; uricontent:"ver="; nocase; classtype:trojan-activity; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003298; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kmip.net; sid:2003298; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE KMIP.net Spyware 2"; flow:established,to_server; uricontent:"/sp?c=N&i="; nocase; uricontent:"&v="; nocase; classtype:trojan-activity; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003526; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kmip.net; sid:2003526; rev:3;) #by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Checkin"; flow:established,to_server; uricontent:"/statics.php?maddr="; nocase; uricontent:"&ipaddr="; nocase; uricontent:"&ovt="; nocase; uricontent:"&verno="; nocase; uricontent:"&action="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008067; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kwsearchguide.com; sid:2008067; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Keepalive"; flow:established,to_server; uricontent:"/alive.php?ovt=new_link"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008069; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kwsearchguide.com; sid:2008069; rev:2;) #Submitted by Matt Jonkman alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001340; rev:9;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Look2me Spyware Activity (1)"; flow: to_server,established; content:"Referer\: Look2Me"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001499; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Look2me; sid: 2001499; rev:7;) #by Pedro Marinho alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Look2Me Activity"; flow:established,to_server; uricontent:"?B="; uricontent:"&V="; uricontent:"&M="; uricontent:"&R="; uricontent:"&ID={"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Look2me; sid:2008474; rev:2;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MSUpdater.net Spyware Checkin"; flow:established,to_server; uricontent:"/popsetarray.php?&country="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002094; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MSUpdater.net; sid:2002094; rev:4;) #by Matt Jonkman, from sunbelt blog alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating"; flow:established,to_server; uricontent:"/update.php?v="; nocase; uricontent:"&d="; nocase; uricontent:"&vs="; nocase; content:"Host\: 
www.MalwareAlarm.com"; nocase; classtype:trojan-activity; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Malwarealarm.com; sid:2003611; rev:4;)
# NOTE(review): uricontent is evaluated against the normalized request-URI buffer, which does not contain the
# request method, so "GET /madownload.php?&advid=" can never match and sid 2003612 is dead as written. Check the
# method the way sid 2007996 and sid 2009524 later in this file do (content:"GET "; depth:4;) and keep only the
# path in uricontent:"/madownload.php?&advid=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Download"; flow:established,to_server; uricontent:"GET /madownload.php?&advid="; nocase; uricontent:"&u="; nocase; uricontent:"&p="; nocase; content:"Host\: download.MalwareAlarm.com"; nocase; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003612; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Malwarealarm.com; sid:2003612; rev:4;)
#submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Configuration Access"; flow: to_server,established; uricontent:"/oss/remoteconfig.asp"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000902; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2000902; rev:7;)
# NOTE(review): the |0b| and |03| bytes in this uricontent look like DNS label-length octets rather than URI
# text; a normalized HTTP URI is unlikely to carry them, so confirm whether a raw content: match (or a DNS
# rule) was intended for sid 2001359 — as written it probably never fires.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Access"; flow: to_server,established; uricontent:"proxyhttp|0b|marketscore|03|com"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001359; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001359; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MarketScore.com Spyware SSL Access"; 
flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001563; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001563; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Proxied Traffic"; flow: to_server,established; content:"X-OSSProxy\: OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001564; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001564; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore Spyware Uploading Data"; flow: to_server,established; uricontent:"/scripts/contentidpost.dll"; nocase; content:"OSS-Proxy"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003253; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2003253; rev:3;) #Info from sgtocanada alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent\: ManInTheMiddle-Proxy"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001586; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001586; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware 
Upgrading"; flow: to_server,established; uricontent:"/oss/upgrchk_2a.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001587; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001587; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Activity (1)"; flow: to_server,established; uricontent:"/oss/dittorules.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001588; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001588; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Activity (2)"; flow: to_server,established; uricontent:"/oss/routerrules2.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001589; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001589; rev:6;)
#Sigs by Matt Jonkman from the excellent analysis by Tom Liston at http://isc.sans.org/diary.php?date=2004-11-04
# NOTE(review): the header of sid 2001409 is $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any, yet flow:to_server and
# the uricontent checks describe an outbound client request, and every other rule in this group uses
# $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS. As written it can only match if the reporting server sits inside
# $HOME_NET, so the intended check-in traffic is never inspected; confirm and flip the header.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Mastermind Related Reporting"; flow: to_server,established; uricontent:"/bundle.php?"; nocase; uricontent: "aff="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001409; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001409; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET MALWARE Mastermind Related Reporting 8081"; flow: to_server,established; 
content:"/a?l=PeAyF1sgrZYw&i="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001410; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001410; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mastermind Related Downloading mm20.ocx"; flow: to_server,established; uricontent:"/soft/mm20.ocx"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001411; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001411; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medis-Motor Related Downloading ast_4_mm.exe"; flow: to_server,established; uricontent:"/dist/ast_4_mm.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001413; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001413; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Media-Motor Related Downloading MediaMotor25.exe"; flow: to_server,established; uricontent:"/soft/MediaMotor25.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001414; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001414; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Downloading cpr_mm2.exe"; flow: to_server,established; uricontent:"/tt/cpr_mm2.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001419; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Downloading ab1.exe"; flow: to_server,established; uricontent:"/tt/ab1.exe"; nocase; classtype: trojan-activity; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001420; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001420; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Downloading tvm_bundle.exe"; flow: to_server,established; uricontent:"/tt/tvm_bundle.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001421; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001421; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Reporting Data"; flow: to_server,established; uricontent:"/log3.php?"; nocase; uricontent:"c={"; nocase; uricontent:"what="; nocase; uricontent:"avatar="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001422; rev:8;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,8080] (msg:"ET MALWARE Matcash Trojan Related Spyware Code Download"; flow:established,to_server; content:"|0d 0a|User-Agent\: Windows 5.1 (2600)\; DMCP"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008759; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Matcash.com; sid:2008759; rev:4;) #Matt Jonkman from spyware listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trinityacquisitions.com and Maximumexperience.com Spyware Activity"; flow:to_server,established; uricontent:"/upd/check?version="; nocase; uricontent:"&localeId="; nocase; uricontent:"&affid="; nocase; uricontent:"&updatevalue="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003344; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MaxExp_TrinityAcquisitions.com; sid: 2003344; 
rev:3;) #Mark Tombaugh alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Media Pass ActiveX Install"; flow: to_server,established; uricontent:"/MediaPassK.exe"; nocase; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001783; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MediaPass; sid: 2001783; rev:5;) #Submitted by Chris Norton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Download"; flow: to_server,established; uricontent:"MediaTicketsInstaller.cab"; content:"Host\: www.mt-download.com"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001448; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MediaTickets; sid: 2001448; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Spyware Install"; flow: to_server,established; uricontent:"/mtrslib2.js"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001481; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MediaTickets; sid: 2001481; rev:6;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Config"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; uricontent:"pid="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001503; rev:7;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001508; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/register.cgi?"; nocase; uricontent:"v="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001509; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001509; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; uricontent:"/dw/cgi/country.cgi"; nocase; content:"User-Agent\:"; nocase; content:"NSISDL"; within:120; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001507; rev:9;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Metarewards Spyware Activity"; flow: to_server,established; content:"Host\: www.metareward.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001666; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Metarward.com; sid: 2001666; rev:4;) #From listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Metarewards Disclaimer Access"; flow: to_server,established; 
uricontent:"/www.metareward.com/mailimg/disclaimer/"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002309; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Metarward.com; sid: 2002309; rev:4;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; uricontent:"/dlhelper.cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001641; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001641; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Installation (2)"; flow: established,to_server; uricontent:"/DownloadHNew.asp?"; nocase; uricontent:"btag="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001643; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001643; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Reporting Installation"; flow: established,to_server; uricontent:"/dlhelper/downloadlogger2.asp?"; nocase; uricontent:"time="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001644; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001644; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Casino App Install"; flow: established,to_server; uricontent:"/viper/thunderluck/00"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001645; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001645; rev:5;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET MALWARE Mindset Interactive Install (1)"; flow: to_server,established; uricontent:"/mindset5/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000583; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mindsetinteractive; sid: 2000583; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Install (2)"; flow: to_server,established; uricontent:"/mindset/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000584; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mindsetinteractive; sid: 2000584; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Ad Retrieval"; flow: to_server,established; uricontent:"/mindset5"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mindsetinteractive; sid: 2000594; rev:6;) #by Matt Jonkman, from spyware LP Data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirarsearch.com Spyware Posting Data"; flow:established,to_server; uricontent:"/v70match.cgi?"; nocase; uricontent:"key1="; nocase; uricontent:"&key2="; nocase; uricontent:"&match="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mirarsearch.com; sid:2003577; rev:3;) #by Pedro Marinho alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware-Mirar Reporting (BAR)"; flow:to_server,established; uricontent:"download.cgi?BUILDNAME="; nocase; uricontent:"&AFFILIATE="; uricontent:"&ID="; uricontent:"&ERROR=0"; content:"|0d 0a|User-Agent\: 
BAR"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009234; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mirarsearch.com; sid:2009234; rev:2;) #Matt Jonkman 2/22/05 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My-Stats.com Spyware Checkin"; flow: established,to_server; uricontent:"/ad-partner/SelectConfirm.php?"; nocase; uricontent:"dummy="; nocase; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001747; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My-Stats.com; sid: 2001747; rev:7;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; uricontent:"/images/mysearchbar/highlight"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MyGlobalSearch; sid:2003351; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; uricontent:"/images/mysearchbar/customize"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MyGlobalSearch; sid:2003352; rev:3;) #by Akash Mahajan alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sears.com/Kmart.com My SHC Community spyware download"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/CSetup_xp.cab"; classtype:trojan-activity; reference:url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx; reference:url,www.benedelman.org/news/010108-1.html; reference:url,doc.emergingthreats.net/bin/view/Main/2007996; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySHC; 
sid:2007996; rev:2;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySearchNow.com Spyware"; flow: to_server,established; uricontent:"exe/dns.html"; nocase; content:"User-Agent\: TPSystem"; nocase; reference:url,www.mysearchnow.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003221; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySearchnow.com; sid: 2003221; rev:3;) #by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySideSearch.com Spyware Install"; flow:established,to_server; uricontent:".php?aff=mysidesearch&act=install"; content:"|0d 0a|User-Agent\: NSISDL/1.2 (Mozilla)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008915; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySideSearch.com; sid:2008915; rev:2;) # by: Jeremy Conway at sudosecure.net # ref: 82bd65bc1c0b2b6d2bc599d1295a3579 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySideSearch Browser Optimizer"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: NSISDL/1.2 (Mozilla)|0d 0a|"; nocase; uricontent:".php?aff="; nocase; uricontent:"&act="; nocase; classtype:trojan-activity; reference:url,www.spywareremove.com/removeMySideSearch.html; reference:url,www.threatexpert.com/threats/adware-win32-mysidesearch.html; reference:url,www.pctools.com/mrc/infections/id/Adware.MySideSearch/; reference:url,doc.emergingthreats.net/2009524; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySideSearch.com; sid:2009524; rev:2;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My Search Bar Install"; flow: to_server,established; uricontent:"/mysetp.exe"; nocase; reference:url,www.2-spyware.com/parasite-my-search-bar.html; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001040; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Search_Bar; sid: 2001040; rev:8;)
# NOTE(review): sid 2002839 carries "nocase; nocase;" after uricontent:"v=" — one is redundant and should be
# dropped. Note also that uricontent:"cfg.jsp?" has no nocase while the pcre uses the /i flag, so the two
# checks disagree on case-sensitivity; confirm which is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My Search Spyware Config Download"; flow: to_server,established; uricontent:"/ms"; nocase; uricontent:"cfg.jsp?"; uricontent:"v="; nocase; nocase; pcre:"/\/ms\d\d\dcfg\.jsp/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002839; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Search_Bar; sid:2002839; rev:4;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; uricontent:"/speedbar/mySpeedbarCfg"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000600; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid: 2000600; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; uricontent:"/barcfg.jsp?"; nocase; content:"MyWebSearchWB"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002836; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid: 2002836; rev:6;)
#New, from spyware listening post hits
# Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Receiving Config 2"; flow: to_server,established; uricontent:"/mySpeedbarCfg2.jsp"; nocase; content:"MyWebSearch"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid:2003222; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET MALWARE MyWebSearch Toolbar Posting Activity Report"; flow:to_server,established; uricontent:"/jsp/cfg_redir2.jsp?id="; nocase; uricontent:"url=http"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003617; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid:2003617; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWay Spyware Posting Activity Report - Dell Related"; flow:to_server,established; uricontent:"/script/bzDellHpData.js?"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003621; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid:2003621; rev:5;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE New.net Spyware updating"; flow:established,to_server; uricontent:"/download/NewDotNet/"; nocase; uricontent:"/upgrade.cab?"; nocase; uricontent:"upg="; nocase; uricontent:"ec="; nocase; reference:url,www.new.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003240; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_New.net; sid:2003240; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE New.net Spyware Checkin"; flow:established,to_server; uricontent:"/?version="; nocase; uricontent:"discard_tag="; nocase; uricontent:"source="; nocase; uricontent:"ptr="; nocase; uricontent:"br=NewDotNet"; nocase; uricontent:"ec="; nocase; reference:url,www.new.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003241; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_New.net; sid:2003241; rev:4;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Oenji.com Install"; flow: to_server,established; uricontent:"/Bundled/OemjiInstall"; nocase; 
classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Oemji.com; sid: 2001538; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".oemji.com"; within: 25; distance: 1; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001539; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Oemji.com; sid: 2001539; rev:8;) #by shirkdog from spyware lp data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Oemji.com Spyware Settings Update"; flow:established,to_server; uricontent:"/OemjiSearchPlus.ini"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094187; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003467; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Oemji.com; sid:2003467; rev:4;) #by Reg Quinton alert tcp $HOME_NET !21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port"; flow:from_server,established; content:"220"; offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:5;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OfferOptimizer.com Spyware"; flow: to_server,established; uricontent:"/ctx/keyword_context.php?"; nocase; uricontent:"urlContext=http"; nocase; reference:url,www.offeroptimizer.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001341; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Offer_Optimizer; sid: 2001341; rev:9;) #by Will 
Metcalf alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OneStepSearch Host Activity"; flow: to_server,established; content:"GET "; depth:4; content:"|0d0a|host\: upgrade.onestepsearch.net"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007855; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Onestepsearch; sid:2007855; rev:2;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OutBlaze.com Spyware Activity"; flow: to_server,established; uricontent:"/scripts/adpopper/webservice.main"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002044; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outblaze.com; sid: 2002044; rev:4;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Install"; flow: to_server,established; uricontent:"/ctxad-"; nocase; pcre:"/ctxad-\d+\.sig/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001495; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2001495; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; uricontent:"/campaigns"; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2001496; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Activity"; flow: to_server,established; content:"Host\: campaigns.outerinfo.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001497; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2001497; rev:5;) #Matt jonkman, from spywarelp data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Checkin"; flow: to_server,established; uricontent:"/notify.php?"; nocase; uricontent:"pid="; nocase; uricontent:"&module="; nocase; uricontent:"&v="; nocase; uricontent:"&result="; nocase; uricontent:"&message="; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003426; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2003426; rev:3;) #Submitted by Chris Norton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host\: download.overpro.com"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001444; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Overpro; sid: 2001444; rev:9;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Games"; flow: to_server,established; uricontent:"/blocks/blasterblocks"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001459; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Overpro; sid: 2001459; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Install Report"; flow: to_server,established; uricontent:"/processInstall.aspx"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Overpro; sid: 2002017; rev:6;) #by jeremy at sudosecure # ref: 48ba8bfecf840fc9a5f8ff2e225452a7 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"action="; nocase; uricontent:"addt="; nocase; uricontent:"pc|5F|id="; nocase; uricontent:"abbr="; nocase; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PCPrivacycleaner; sid:2008456; rev:3;) #Matt Jonkman from Spyware Listening Post Data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pacimedia Spyware 1"; flow:to_server,established; uricontent:"/mcp/mcp.cgi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pacimedia; sid:2002083; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pacimedia Spyware 2"; flow: to_server,established; uricontent:"/xml/check.php?"; nocase; uricontent:"u="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002194; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pacimedia; sid: 2002194; rev:6;) #lovely fake av package at pcdoc.co.kr alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (PCDoc11)"; flow:established,to_server; content:"|0d 0a|User-Agent\: PCDoc"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007786; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pcdoc.co.kr; sid:2007786; rev:3;) 
# Companion to sid 2007786: User-Agent header beginning with mypcdoc (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (mypcdoctor)"; flow:established,to_server; content:"|0d 0a|User-Agent\: mypcdoc"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007804; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pcdoc.co.kr; sid:2007804; rev:2;)
#Submitted by Chris Norton
# Install fetch matched on the short prefix /install/pop (case-insensitive); it also covers any longer path starting that way, so expect some noise.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PeopleOnPage Install"; flow: to_server,established; uricontent:"/install/pop"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PeopleonPage; sid: 2001445; rev:10;)
# Host srv.peopleonpage.com plus a POST to /s/l/firstping; the pcre accepts origin-form and absolute-URI request lines.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PeopleOnPage Ping"; flow: to_server,established; content:"Host\: srv.peopleonpage.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001446; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PeopleonPage; sid: 2001446; rev:8;)
# by: Jeremy Conway at sudosecure.net
# ref: a9036ae5d9bb8e3c53d5e0126d448d1d
# GET to a .php?kind= endpoint with &pid=, &ver=, &addresses= and &hdmacid=; &addresses= / &hdmacid= are the distinctive parameters
# (sid 2008016 below shares .php?kind= / &pid= / &ver=).
# NOTE(review): the doc reference is doc.emergingthreats.net/2009712, not the /bin/view/Main/<sid> form every other rule here uses.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware PlusDream - GET Config Download/Update"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?kind="; nocase; uricontent:"&pid="; nocase; uricontent:"&ver="; nocase; uricontent:"&addresses="; nocase; uricontent:"&hdmacid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009712; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PlusDream; sid:2009712; rev:2;)
#Submitted by Matt Jonkman
# /scripts/click.php? with an hid= parameter (hid= is case-sensitive, the path is not).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Popuptraffic.com Bot Reporting"; flow: to_server,established; uricontent:"/scripts/click.php?"; nocase; uricontent:"hid="; reference:url,popuptraffic.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Popuptraffic.com_Reporting; sid: 2000577; rev:8;)
#By Matt Jonkman from spyware listening post data
# Installer download matched on the file name /privacyprotectorfreesetup.exe.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Privacyprotector.com Fake Anti-Spyware Install"; flow: to_server,established; uricontent:"/privacyprotectorfreesetup.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003547; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Privacyprotector.com; sid: 2003547; rev:3;)
# Root-path check-in: /?action= with &type=, &pc_id= and &abbr=; see sid 2008456 for the overlapping PCPrivacyCleaner parameter set.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin"; flow: to_server,established; uricontent:"/?action="; nocase; uricontent:"&type="; nocase; uricontent:"&pc_id="; nocase; uricontent:"&abbr="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003548; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Privacyprotector.com; sid: 2003548; rev:3;)
#storageguardsoft.com also related, same installer, similar hosts
# Ten unordered query-parameter checks (?proto=, &rc=, &v=, &abbr=, &platform=, &os_version=, &ac=, &appid=, &em=, &pcid=) with no host or path anchor.
# NOTE(review): msg reads "AVSystemcare.com.com" (doubled .com). Confirm the false-positive rate of the parameter-only match before running this as alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; uricontent:"?proto="; nocase; uricontent:"&rc="; nocase; uricontent:"&v="; nocase; uricontent:"&abbr="; nocase; uricontent:"&platform="; nocase; uricontent:"&os_version="; nocase; uricontent:"&ac="; nocase; uricontent:"&appid="; nocase; uricontent:"&em="; nocase; uricontent:"&pcid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Privacyprotector.com; sid:2007664; rev:3;)
# Submitted by John Stewart, 2/23/2005
# BHO check-in: ABETTERINTERNET.EXE and bho=PYNIX.DLL both in the URI (case-insensitive).
# NOTE(review): destination is "any" rather than $EXTERNAL_NET like its neighbours, so this also fires on HTTP between internal hosts - confirm that is intended.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Pynix.dll BHO Activity"; flow: established,to_server; uricontent:"ABETTERINTERNET.EXE"; nocase; uricontent:"bho=PYNIX.DLL"; nocase; reference:url,www.pynix.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001748; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pynix; sid: 2001748; rev:5;)
#by Matt Jonkman
# Small POST (dsize:<200 - a single packet under 200 bytes) whose body, right after the blank line, starts REGISTER| followed by
# four pipe-separated numeric fields (|7c| / \x7c is the pipe character). A request split across segments will not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; dsize:<200; content:"POST "; depth:5; content:"|0d 0a 0d 0a|REGISTER|7c|"; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d+/"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rabio; sid:2007820; rev:2;)
# User-Agent header beginning HTTP_Connect_ (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio.com Related Adware/Spyware User-Agent (HTTP_CONNECT_2)"; flow:established,to_server; content:"|0d 0a|User-Agent\: HTTP_Connect_"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007821; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rabio; sid:2007821; rev:2;)
#Updated by Jonathan Miner
# update.rcprograms.com anywhere in the client payload (plain content, not a Host or URI check).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.rcprograms.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rcprograms; sid: 2000024; rev:7;)
#Submitted by Matt Jonkman
# Exact file name /rdxr020304.dat.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rdxrp.com Traffic"; flow: to_server,established; uricontent:"/rdxr020304.dat"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001311; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rdxrp.com; sid: 2001311; rev:5;)
# Generic form of the above: /rdxr and .dat anywhere in the URI, unordered - any URI containing both substrings fires.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rdxrp.com Traffic (Generic)"; flow: to_server,established; uricontent:"/rdxr"; nocase; uricontent:".dat"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001312; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rdxrp.com; sid: 2001312; rev:5;)
#they run a lot of casino online games
#matt jonkman, re f5e2b1706a3e0e6d34e70677a6e952a6
# Non-HTTP check-in to TCP/20000: a packet under 30 bytes starting |43 01 00| (within the first 4 bytes) and containing "Casino".
alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET MALWARE Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Realtimegaming.com; sid:2008402; rev:3;)
#Submitted by Matt Jonkman
# /softsell/visitor.cgi? with an affiliate= parameter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Regnow.com Access"; flow: to_server,established; uricontent:"/softsell/visitor.cgi?"; nocase; uricontent:"affiliate="; nocase; reference:url,www.regnow.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001223; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Regnow.com; sid: 2001223; rev:7;)
# /affiliates/template.jsp? with an AID= parameter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Regnow.com Gamehouse.com Access"; flow: to_server,established; uricontent:"/affiliates/template.jsp?"; nocase; uricontent:"AID="; nocase; reference:url,www.gamehouse.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001224; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Regnow.com; sid: 2001224; rev:7;)
#Submitted by Matt Jonkman
# Case-sensitive /sp.htm?id= with no host anchor - a short generic path, so expect unrelated hits.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Salongas Infection"; flow: to_server,established; uricontent:"/sp.htm?id="; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000601; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Salongas; sid: 2000601; rev:5;)
#Matt Jonkman
# Single-path match on /SearchRelevancy/SearchRelevancy.dll.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Relevancy Spyware"; flow: established,to_server; uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001696; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SearchRelevancy; sid: 2001696; rev:8;)
#By Matt Jonkman from Listening Post Data
# Searchfeed.com 1-8: one case-sensitive path each (no nocase), no host anchor; only the path differs between them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 1"; flow: to_server,established; uricontent:"/rd/Clk.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002296; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002296; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 2"; flow: to_server,established; uricontent:"/rd/feed/TextFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002297; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002297; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 3"; flow: to_server,established; uricontent:"/rd/feed/XMLFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002298; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002298; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 4"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002299; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002299; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 5"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeedSE.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002300; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002300; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 6"; flow: to_server,established; uricontent:"/rd/SearchResults.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002301; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 7"; flow: to_server,established; uricontent:"/rd/jsp/BidRank/index.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002302; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002302; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 8"; flow: to_server,established; uricontent:"/SFToolBar.html"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002303; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002303; rev:4;)
#By Matt Jonkman
# Searchmeup: one case-insensitive path per stage (toolbar.txt, dktibs.php, commands.ini, systime.txt, mstasks3.txt, /x30/d.exe); no host anchor.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (toolbar)"; flow: to_server,established; uricontent:"/dkprogs/toolbar.txt"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001473; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001473; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (prog)"; flow: to_server,established; uricontent:"/dkprogs/dktibs.php"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001474; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Receiving Commands"; flow: to_server,established; uricontent:"/xpsystem/commands.ini"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001475; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (systime)"; flow: to_server,established; uricontent:"/dkprogs/systime.txt"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001480; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001480; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (mstask)"; flow: to_server,established; uricontent:"/dkprogs/mstasks3.txt"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001483; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001483; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (d.exe)"; flow: to_server,established; uricontent:"/x30/d.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001484; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001484; rev:7;)
#By Matt Jonkman
# Case-sensitive /cab/v3cab.cab.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001540; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001540; rev:9;)
# Host header check: "Host:" in the first 400 bytes, then .searchmiracle.com starting 1 byte later and within 35 bytes (i.e. in the header value).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".searchmiracle.com"; nocase; within: 35; distance: 1; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001532; rev:10;)
# Server-to-client: the hex decodes to the ASCII string " (C) 2001, 2003 Radim Picha". Nothing else is checked, so any
# download that embeds that copyright string matches, not only silent.exe - confirm before using it as a high-confidence signal.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001533; rev:9;)
# /silent_install.exe by file name only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; uricontent:"/silent_install.exe"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001534; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001534; rev:11;)
# /protector.exe (case-sensitive) plus Host install.searchmiracle.com - the host check is what makes this specific.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; uricontent:"/protector.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001535; rev:10;)
# /sideb.exe (case-sensitive) plus Host install.searchmiracle.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (install)"; flow: to_server,established; uricontent:"/sideb.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001744; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001744; rev:10;)
# /silent.exe by file name only, no host anchor (unlike the two rules above).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install - silent.exe"; flow: to_server,established; uricontent:"/silent.exe"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002091; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2002091; rev:5;)
#Matt Jonkman
# Any request with Host content.searchscout.com / results.searchscout.com; classed policy-violation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host\: content.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001650; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchscout; sid: 2001650; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host\: results.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001653; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchscout; sid: 2001653; rev:6;)
#by Matt Jonkman, from spyware LP Data
# Case-sensitive /SA/receive_data.php3?tcpc= plus security-updater.com anywhere in the request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Security-updater.com Spyware Posting Data"; flow:established,to_server; uricontent:"/SA/receive_data.php3?tcpc="; content:"security-updater.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Security-updater.com; sid:2003576; rev:3;)
#matt jonkman
# Nine case-sensitive, unordered query-string fragments on any .aspx? page (eid=, &pkg_ver=, &ver=, &brand=, &mt=, &partid=, &altdid=, &os=); no host anchor.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Seekmo.com Spyware Data Upload"; flow:established,to_server; uricontent:".aspx?"; uricontent:"eid="; uricontent:"&pkg_ver="; uricontent:"&ver="; uricontent:"&brand="; uricontent:"&mt="; uricontent:"&partid="; uricontent:"&altdid="; uricontent:"&os="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008356; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Seekmo.com; sid:2008356; rev:2;)
#by matt jonkman
# .php?kind= with &ver=, &ver2=, &ver3=, &pid=, &supportid=, &uniq=. Shares .php?kind= / &pid= / &ver= with sid 2009712; only the remaining parameters tell them apart.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Servicepack.kr Fake Patch Software Checkin"; flow:established,to_server; uricontent:".php?kind="; nocase; uricontent:"&ver="; nocase; uricontent:"&ver2="; nocase; uricontent:"&ver3="; nocase; uricontent:"&pid="; nocase; uricontent:"&supportid="; nocase; uricontent:"&uniq="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Servicepack.kr; sid:2008016; rev:2;)
#By Matt Jonkman
# /counted.php?ref= plus Host counter.sexmaniack.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sexmaniack Install Tracking"; flow: to_server,established; uricontent:"/counted.php?ref="; nocase; content:"Host\: counter.sexmaniack.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001460; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sexmaniak; sid: 2001460; rev:7;)
#Submitted by Matt Jonkman
# Installer fetch matched on /mindset/bunsetup.cab.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop At Home Select.com Install Attempt"; flow: to_server,established; uricontent:"/mindset/bunsetup.cab"; nocase; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2000580; rev:7;)
# Server-to-client response matched on two fixed, unordered byte sequences (15 and 16 bytes).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; 
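reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2000581; rev:8;)
# Heartbeat: /s.dll?MfcISAPICommand=heartbeat&param= in the URI (case-insensitive).
# The uricontent previously read "heartbeat¶m=" - the "&para" of "&param" had been turned into the pilcrow character by
# HTML-entity decoding, which no ASCII URI can match, so the rule was silently dead. Restored to the plain "&param=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware Heartbeat"; flow: established,to_server; uricontent:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2001708; rev:8;)
# Install fetch matched on the /arcadecash/setup path prefix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware Install"; flow: established,to_server; uricontent:"/arcadecash/setup"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2002037; rev:5;)
#matt Jonkman
# /toolbarv3.cgi?UID= (case-insensitive) with a case-sensitive &version= parameter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopnav Spyware Install"; flow: to_server,established; uricontent:"/toolbarv3.cgi?UID="; nocase; uricontent:"&version="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002000; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopNav; sid: 2002000; rev:5;)
#matt jonkman
# Install report: /RewardInstall.php?mac=0 with &hdd= and &ver= (all case-sensitive; the rule continues on the next line).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopcenter.co.kr Spyware Install Report"; flow:established,to_server; uricontent:"/RewardInstall.php?mac=0"; uricontent:"&hdd="; uricontent:"&ver="; 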
uricontent:"&ie="; uricontent:"&win="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Shopcenter.co.kr; sid:2008370; rev:2;)
#Submitted by Matt Jonkman
# SideStep Bar: one servlet path per stage (sbinstservlet install, sblogservlet and SbStartservlet reporting); all case-insensitive, no host anchor, classed policy-violation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Install"; flow: to_server,established; uricontent:"/servlet/sbinstservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SideStep_Bar; sid: 2001016; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Reporting Data"; flow: to_server,established; uricontent:"/servlet/sblogservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SideStep_Bar; sid: 2001017; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; uricontent:"/servlet/SbStartservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002821; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SideStep_Bar; sid: 2002821; rev:5;)
#by RPG
# SIMBAR= inside the User-Agent header: the second content must land within 150 bytes of the User-Agent match, and the pcre
# requires "; SIMBAR=" on the same header line. threshold limit/60s/by_src caps this at one alert per source per minute.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Simbar Spyware User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"SIMBAR="; within:150; pcre:"/User-Agent\:[^\n]+\;\sSIMBAR=/"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805; reference:url,vil.nai.com/vil/content/v_131206.htm; threshold:type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2009005; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Simbar; sid:2009005; rev:4;)
#By Matt Jonkman
# Smartpops.com: one case-insensitive path each (/install/RH/rh.exe, /install/SE/sed.exe, /data/spv15.dat?v=); no host anchor.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Install rh.exe"; flow: to_server,established; uricontent:"/install/RH/rh.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001505; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Smartpops.com; sid: 2001505; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Install"; flow: to_server,established; uricontent:"/install/SE/sed.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001516; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Smartpops.com; sid: 2001516; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Update"; flow: to_server,established; uricontent:"/data/spv15.dat?v="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Smartpops.com; sid: 2001513; rev:7;)
#by matt jonkman
# User-Agent header beginning "SnoopStick " (case-sensitive, trailing space included).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)"; flow:established,to_server; content:"|0d 0a|User-Agent\: SnoopStick "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007956; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Snoopstick; sid:2007956; rev:2;)
#by William Salusky of the ISC (www.incidents.org)
# Details and updates available here http://handlers.sans.org/wsalusky/rants/
#Cleanup and updates by John Pritchard
# If you have any socks proxies being abused in your environment... The following four rules are MONEY.
# Inbound SOCKS5 CONNECT to port 25: |05 01 00 01| = version 5, CMD 1 (CONNECT), reserved 0, ATYP 1 (IPv4); with the 4-byte
# address that is a 10-byte request (dsize:10) whose destination port sits at offset 8, and |00 19| is port 25 - i.e. an
# external client asking a host in $HOME_NET to relay SMTP for it. threshold type both: one alert per source per 900s.
# Source 1024:5000 is the Windows ephemeral range per the msg; the companion rule below uses 32768:61000 for Linux. Clients
# with source ports 5001-32767 or above 61000 match neither, so a catch-all variant may be worth adding if that matters locally.
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 25 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003254; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003254; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; 
reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003255; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003256; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 25 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003257; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003257; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 DNS Inbound Request (Windows Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003258; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003258; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 DNS Inbound Request (Linux Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003259; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003259; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 HTTP Proxy Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; 
content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003260; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003260; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 HTTP Proxy Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003261; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003261; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 HTTP Proxy Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; 
reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003262; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 HTTP Proxy Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003263; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003263; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 443 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; 
reference:url,doc.emergingthreats.net/bin/view/Main/2003266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003266; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 443 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003267; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 443 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003268; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003268; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 443 
Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003269; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003269; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5190 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003270; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; 
reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003271; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003271; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5190 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003272; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003272; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5190 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; 
reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003273; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003273; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 1863 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003274; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003274; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 1863 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; 
sid:2003275; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 1863 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003276; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 1863 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003277; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003277; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5050 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, 
seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003278; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003278; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5050 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003279; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003279; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5050 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; 
reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003280; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003280; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5050 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003281; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003281; rev:5;) # Another case of rules that fire according to RFC standards, but I haven't really witnessed this type of traffic to confirm. 
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 IPv6 Inbound Connect Request (Windows Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003284; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003284; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 IPv6 Inbound Connect Request (Linux Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003285; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003285; rev:5;) # Another case of rules that fire according to RFC standards, but I haven't really witnessed this type of traffic to confirm. 
alert udp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003286; rev:6;) alert udp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003287; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003287; rev:5;) # I keep these mostly commented, while they are correct according to RFC for BIND actions, in practice I've found only FP's which I still need to dig through and see what's really going on there. 
#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Bind Inbound (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003288; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003288; rev:5;) #alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Bind Inbound (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003289; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003289; rev:5;) #alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Bind Inbound (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; 
reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003290; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003290; rev:5;) #alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Bind Inbound (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003291; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003291; rev:5;) #matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install"; flow:established,to_server; uricontent:"/setup/setup.asp?id="; nocase; uricontent:"&pcid="; nocase; uricontent:"&ver="; nocase; uricontent:"&taday="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008135; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Soft-show.cn; sid:2008135; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install Ad Pull"; flow:established,to_server; uricontent:"/setup/adClick.asp?Id="; nocase; uricontent:"&WebId="; nocase; uricontent:"&sDate="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008148; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Soft-show.cn; sid:2008148; rev:2;) #by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softcashier.com Spyware Install Checkin"; flow:established,to_server; uricontent:".php?wmid="; nocase; uricontent:"&subid="; nocase; uricontent:"&pid="; nocase; uricontent:"&lid="; nocase; uricontent:"&hs="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007861; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Softcashier; sid:2007861; rev:2;) #another fake antispyware package, by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softspydelete.com Fake Anti-Spyware Checkin"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"a1="; nocase; uricontent:"&a2="; nocase; uricontent:"&a3="; nocase; uricontent:"Windows%20version%20is"; nocase; uricontent:"&a4=Build"; nocase; uricontent:"&a5="; nocase; uricontent:"&table="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007842; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Softspydelete.com; sid:2007842; rev:2;) #by matt Jonkman, from the sandnet alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softwarereferral.com Adware Checkin"; flow:established,to_server; uricontent:"wmid="; nocase; uricontent:"&mid="; nocase; uricontent:"&lid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007696; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Softwarereferral.com; sid:2007696; rev:3;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Likely Spambot Web-based Control Traffic"; flow: to_server,established; content:"User-Agent\: Godzilla"; nocase; classtype: trojan-activity; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001711; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid: 2001711; rev:6;) # The following rule assists in the identification of spam when SMTP 220 # responses are seen egressing your network from unusual src ports. # You may want to consider tagging a number of following packets. #alert tcp $HOME_NET !21:587 -> any any (msg:"ET MALWARE Spambot Suspicious 220 Banner on Local Port"; flow: established; content:"220 "; offset: 0; depth: 4; tag: session, 20, packets; classtype: non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2001815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid: 2001815; rev:8;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Checking in to Spam"; flow:established,to_server; uricontent:"/devrandom/"; nocase; content:"dev"; nocase; content:!"User-Agent\:"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002988; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Pulling IP List to Spam"; flow:established,to_server; uricontent:"/devrandom/access.php"; nocase; content:"User-Agent\: Mozilla/4.0 (compatible)"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002990; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002990; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot getting new exe url"; flow:established,to_server; uricontent:"404.txt"; nocase; content:"404"; content:!"User-Agent\:"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002989; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot getting new exe"; flow:established,to_server; uricontent:"/traff/ppiigg.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002991; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002991; rev:4;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Specificclick.net Spyware Activity"; flow: to_server,established; uricontent:"/adopt.sm?"; nocase; uricontent:"l="; nocase; uricontent:"&sz="; nocase; uricontent:"&redir="; nocase; uricontent:"&nmv="; nocase; uricontent:"&nrsz="; nocase; uricontent:"&r="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Specificclick.net; sid: 2003450; rev:3;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speedera Agent"; flow: to_server,established; uricontent:"/io/downloads"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Speedera; sid: 2001320; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speedera Agent (Specific)"; flow: to_server,established; uricontent:"/io/downloads/3/wsem302.dl"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001321; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Speedera; sid: 2001321; rev:5;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spy-Not.com Spyware Updating"; flow:to_server,established; uricontent:"/updates1/SKVersion.ini"; nocase; 
classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003377; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spy-not.com; sid:2003377; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spy-Not.com Spyware Pulling Fake Sigs"; flow:to_server,established; uricontent:"/updates1/SKSignatures.zip"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003375; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spy-not.com; sid:2003375; rev:3;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpySherriff Spyware Activity"; flow: to_server,established; uricontent:"/progs_exe/jbsrak/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002984; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpySherriff; sid: 2002984; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Jupitersatellites.biz Spyware Download"; flow: to_server,established; uricontent:"/traff/ppiigg.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002987; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpySherriff; sid: 2002987; rev:4;) #by Mr Magic Pants alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpySheriff Intial Phone Home"; flow:established,to_server; uricontent:"trial.php?rest="; nocase; uricontent:"&ver="; nocase; uricontent:"&a="; nocase; content:"trial.php"; nocase; content:!"User-Agent\: "; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_135033.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003251; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpySherriff; sid:2003251; rev:4;) #by Matt Jonkman, from sandnet analysis alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET MALWARE SpyShredder Fake Anti-Spyware Install Download"; flow:established,to_server; uricontent:"&advid="; nocase; uricontent:"&u="; nocase; uricontent:"&p="; nocase; uricontent:"?=______"; uricontent:"&vs="; nocase; uricontent:"&YZYYYYYYYYYYYYYYYYYYYYYYYYYY"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007593; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpyShredder; sid:2007593; rev:3;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware DB Update"; flow: to_server,established; uricontent:"/updates/database/dbver.php"; nocase; content:"spywareaxe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002804; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyaxe; sid: 2002804; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware DB Version Check"; flow: to_server,established; uricontent:"/updates/database/dbver.dat"; nocase; content:"spywareaxe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyaxe; sid: 2002805; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware Checkin"; flow: to_server,established; uricontent:"/download.php?sid="; nocase; content:"spyaxe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002806; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyaxe; sid: 2002806; rev:4;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spygalaxy.ws Activity"; flow: to_server,established; uricontent:"/install.php?id="; nocase; content:"Host\: spygalaxy.ws"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spygalaxy.ws; sid: 2001489; rev:6;) #from sandnet data #by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spylog.ru Related Spyware Checkin"; flow:established,to_server; uricontent:"/cnt?"; nocase; uricontent:"cid="; nocase; uricontent:"&p="; nocase; uricontent:"&rn="; nocase; uricontent:"&c="; nocase; uricontent:"&tl="; nocase; uricontent:"&ls="; nocase; uricontent:"&ln="; nocase; uricontent:"&t="; nocase; uricontent:"&j="; nocase; uricontent:"&wh="; nocase; uricontent:"&px="; nocase; uricontent:"&sl="; nocase; uricontent:"&r="; nocase; uricontent:"&fr="; nocase; uricontent:"&pg="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007649; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spylog; sid:2007649; rev:3;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Install"; flow: to_server,established; uricontent:"/SpySpotterInstall.cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyspotter.com; sid: 2001536; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Access"; flow: to_server,established; content:"Host\: "; depth:200; content:"spyspotter.com|0d 0a|"; nocase; distance:0; within:30; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyspotter.com; sid: 2001537; rev:12;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; classtype: 
trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000587; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarelabs_VirtualBouncer; sid: 2000587; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpywareLabs Application Install"; flow: to_server,established; uricontent:"/DistID/BaseInstalls/V"; nocase; content:"User-Agent\:"; nocase; content:"Wise"; within:120; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarelabs_VirtualBouncer; sid: 2001522; rev:8;) #by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Stormer Reporting Data"; flow: established,to_server; uricontent:"/showme.aspx?keyword="; nocase; content:"ecomdata1="; nocase; reference:url,www.spywarestormer.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarestormer; sid: 2001570; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Stormer/Error Guard Activity"; flow: established,to_server; uricontent:"/sell.cgi?errorguard/1/errorguard"; nocase; reference:url,www.spywarestormer.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001571; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarestormer; sid: 2001571; rev:7;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Receiving New configuration (update)"; flow: to_server,established; uricontent:"/updatestats/update"; nocase; uricontent:".xml"; nocase; classtype: policy-violation; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001225; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Receiving New configuration (allfiles)"; flow: to_server,established; uricontent:"/updatestats/all_files"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001523; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001523; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Code Download"; flow: to_server,established; uricontent:"/updatestats/"; nocase; uricontent:".exe"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001524; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001524; rev:6;) #Submitted by Chris Norton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster.MemoryWatcher Download"; flow: to_server,established; uricontent:"/memorywatcher.exe"; reference:url,www.memorywatcher.com/eula.aspx; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001442; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001442; rev:9;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity"; flow: established,to_server; uricontent:"/Bundling/SskUpdater"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001731; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2001731; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Download"; flow: established,to_server; uricontent:"/requestimpression.aspx?ver="; nocase; content:"host="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2001992; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity (ipixel)"; flow: established,to_server; uricontent:"/ipixel.htm?cid="; nocase; content:"&pck_id="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2001994; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity (rinfo)"; flow: established,to_server; uricontent:"/rinfo.htm?"; nocase; uricontent:"host="; nocase; uricontent:"action="; nocase; uricontent:"client=SSK"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002738; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2002738; rev:3;) #By Matt Jonkman from spywarelp data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAccuracy.com Spyware Updating"; flow:to_server,established; uricontent:"/sacc/sacc.cfg.php?"; nocase; classtype:trojan-activity; 
reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003390; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfaccuracy.com; sid:2003390; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAccuracy.com Spyware Pulling Ads"; flow:to_server,established; uricontent:"/sacc/popup.php"; nocase; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003391; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfaccuracy.com; sid:2003391; rev:3;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAssistant.com Spyware Install"; flow: to_server,established; uricontent:"/distribution/questmod-1.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001510; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfassistant.com; sid: 2001510; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAssistant.com Spyware Reporting"; flow: to_server,established; uricontent:"/sa/?a="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001514; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfassistant.com; sid: 2001514; rev:8;) #fake av, sig by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE System-defender.com Fake AV Install Checkin"; flow:established,to_server; uricontent:"?wmid="; nocase; uricontent:"&mid="; nocase; uricontent:"&lndid="; nocase; classtype:trojan-activity; 
reference:url,www.system-defender.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007856; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_System-defender.com; sid:2007856; rev:2;) #fake av package, sigs by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)"; flow:established,to_server; content:"|0d 0a|User-Agent\: gh20"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007944; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sysvenfak; sid:2007944; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)"; flow:established,to_server; uricontent:"/victim.php?"; pcre:"/victim\.php\?\d\d\d\d\d/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007945; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sysvenfak; sid:2007945; rev:2;) #By Matt Jonkman from spyware lp data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sytes.net Related Spyware Reporting"; flow:to_server,established; uricontent:"/Reporting/admin/upload.php"; nocase; content:"POST "; depth:5; nocase; content:"sytes.net"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/w32forbotdv.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003533; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sytes.net; sid:2003533; rev:4;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; uricontent:"/request/req.cgi?gu="; nocase; uricontent:"&sid="; nocase; uricontent:"&kw="; nocase; reference:url,www.targetnetworks.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001997; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TargetNetworks.net; sid: 2001997; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; uricontent:"/data/tn.dat?v="; nocase; uricontent:"&sid="; nocase; reference:url,www.targetnetworks.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TargetNetworks.net; sid: 2002046; rev:6;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; uricontent:"/pa/glx.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001482; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Thebestsoft4u; sid: 2001482; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; uricontent:"/pa/proxyrnd.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001485; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Thebestsoft4u; sid: 2001485; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; uricontent:"/pr.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Thebestsoft4u; sid: 2001486; rev:6;) #horrendous multi-install service at theinstalls.com alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Theinstalls.com Initial Checkin"; flow:established,to_server; uricontent:"/plist.php?uid="; content:"|0d 0a|Host\: "; 
content:"theinstalls.com|0d 0a|"; within:23; classtype:trojan-activity; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007788; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Theinstalls.com; sid:2007788; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Theinstalls.com Trojan Download"; flow:established,to_server; uricontent:"/files/programs/"; content:"|0d 0a|Host\: "; content:"theinstalls.com|0d 0a|"; within:23; classtype:trojan-activity; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Theinstalls.com; sid:2007798; rev:2;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Download"; flow: to_server,established; uricontent:"/d4.fcgi?v="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001488; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Tibsystems.com; sid: 2001488; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Install (1)"; flow: to_server,established; uricontent:"/fcgi-bin/iza2.fcgi?m="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Tibsystems.com; sid: 2001729; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Install (2)"; flow: to_server,established; uricontent:"/tb/loader2.ocx"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001734; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Tibsystems.com; sid: 2001734; rev:5;) #by Russ McRee alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
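Trojan.Downloader.Time2Pay.AQ"; flow:established,to_server; uricontent:"/progs_traff/";nocase; reference:url,research.sunbelt-software.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Time2Pay; sid:2003034; rev:3;)
# NOTE(review): in the collapsed copy of this section the '#' attribution comments shared a physical line with
# the rule that followed them. Because a '#' comment runs to end of line, every such rule was silently disabled
# on load. Layout restored to one statement per line; no rule option text has been altered.
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; uricontent:"/ldr.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001890; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001890; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; uricontent:"/mailz.php?id="; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001895; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001895; rev:6;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000588; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopMoxie; sid: 2000588; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Retrieving Data (downloads)"; flow: to_server,established; uricontent:"/external/builds/downloads2/"; nocase; reference:url,www.topmoxie.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopMoxie; sid: 2000589; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Retrieving Data (common)"; flow: to_server,established; uricontent:"/external/builds/common/"; nocase; reference:url,www.topmoxie.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopMoxie; sid: 2000590; rev:7;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com Install (1)"; flow: established,to_server; uricontent:"/acti.asp?cl=1&gd=1&clpid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001646; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopRebates; sid: 2001646; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com Install (2)"; flow: established,to_server; uricontent:"/builds/"; nocase; uricontent:"AutoTrack_Install.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001647; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopRebates; sid: 2001647; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com User Confirming Membership"; flow: established,to_server; uricontent:"/cgi/account.plx?pid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001648; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopRebates; sid: 2001648; rev:5;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ezula"; flow: to_server,established; uricontent:"/MindSet5/install/ezinstall.exe"; nocase; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001334; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopText_ILookup; sid: 2001334; rev:6;)
# Server-to-client direction: matches the installer body ("eZula Installation") on the way in, not the request.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001335; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopText_ILookup; sid: 2001335; rev:7;)
#By Matt Jonkman
# NOTE(review): msg says "Spywaremover" while the URI matched is /spywareremovers.php; if the msg is corrected, bump rev.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; uricontent:"/spywareremovers.php?"; content:"Host\: topantispyware.com"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001520; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topantispyware.com; sid: 2001520; rev:7;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topconverting Spyware Install"; flow: to_server,established; uricontent:"/activex/weirdontheweb_topc.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002004; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topconverting.com; sid: 2002004; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topconverting Spyware Reporting"; flow: to_server,established; uricontent:"/trigger.php?partner="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002040; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topconverting.com; sid: 2002040; rev:5;)
#by matt jonkman
# NOTE(review): msg reads "Ruch Casino"; the content and the parenthetical both say RichCasino. Correct the msg together with a rev bump.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino)"; flow:established,to_server; content:"|0d 0a|User-Agent\: RichCasino"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009831; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topgame-online.com; sid:2009831; rev:2;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET MALWARE Traffic Syndicate Add/Remove"; flow: to_server,established; uricontent:"/Support/AddRemove.aspx?id="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001313; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TrafficSyndicate; sid: 2001313; rev:6;)
# The two update-check rules below are rate-limited to one alert per source per 360 s (threshold type limit).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET MALWARE Traffic Syndicate Agent Updating (1)"; flow: to_server,established; uricontent:"/TbLinkConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TrafficSyndicate; sid: 2001315; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET MALWARE Traffic Syndicate Agent Updating (2)"; flow: to_server,established; uricontent:"/TbInstConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001316; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TrafficSyndicate; sid: 2001316; rev:8;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trafficsector.com Spyware Install"; flow: to_server,established; uricontent:"/install.php?"; nocase; uricontent:"afid="; nocase; uricontent:"&user_id="; content:"trafficsector"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002736; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Trafficsector; sid: 2002736; rev:3;)
#by Matt Jonkman, data from the Spyware Listening Post
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Transponder Spyware Activity"; flow:established,to_server; uricontent:"/sendROIcookie.cfm?refer="; nocase; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Transponder; sid:2002320; rev:3;)
#by Matt Jonkman, from Spyware LP Hits
# The pcre requires at least 150 non-whitespace bytes after data= so short, legitimate-looking query strings do not fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Travel Update Spyware"; flow:established,to_server; uricontent:"/abt?data="; nocase; pcre:"/\/abt\?data=\S{150}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003297; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Travel_Update; sid:2003297; rev:3;)
#by cjeremy
# ref: 2aebe5fa5c98589bd0f169f9013715b8
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/Spyware Trymedia.com EXE download"; flow:established,to_server; content:"GET "; depth:4; uricontent:".exe?nva="; uricontent:"&aff="; uricontent:"&token="; content:"User-Agent\: Macrovision_DM"; nocase; classtype:policy-violation; reference:url,www.browserdefender.com/site/trymedia.com; reference:url,www.threatexpert.com/reports.aspx?find=Adware.Trymedia; reference:url,doc.emergingthreats.net/2009091; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Trymedia; sid:2009091; rev:2;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware Reporting"; flow: to_server,established; uricontent:"/iis2ucms.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001995; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_UCmore; sid: 2001995; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware Downloading Ads"; flow: to_server,established; uricontent:"/iis2ucms_getsponsorlinks.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001998; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_UCmore; sid: 2001998; rev:5;)
# Added by Frank Knobbe on 2006-03-12
# A POST to /robots.txt is never legitimate browser behaviour; the Cookie pattern narrows it to the observed client.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST "; depth:5; nocase; uricontent:"/robots.txt"; nocase; pcre:"/Cookie\:\ +x=[0-9]*\;\ +y=[0-9]+/i"; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2002856; rev:5;)
# Added by Frank Knobbe on 2006-07-02
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE /jk/exp.wmf Exploit Code Load Attempt"; flow:to_server,established; uricontent:"/jk/exp.wmf"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2002999; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PopupSh.ocx Access Attempt"; flow:to_server,established; uricontent:"/PopupSh.ocx"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003000; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2003000; rev:4;)
#Matt Jonkman
# This appears to be a controller the above trojan uses
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Unknown Web Bot Controller Accessed"; flow:to_server,established; uricontent:"/stata/index.php?tr=ok"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2003025; rev:3;)
#by matt jonkman
# The pcre anchors on a MAC-address-shaped mac= value (six dash-separated pairs), which is what makes these two specific.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; uricontent:"/Pro/pro.php?mac="; nocase; uricontent:"&key="; nocase; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Upspider.com-Sidelinker.com; sid:2008157; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; uricontent:"/Pro/cnt.php?mac="; nocase; uricontent:"&key="; nocase; uricontent:"&pid="; nocase; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Upspider.com-Sidelinker.com; sid:2008158; rev:3;)
#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE V-Clean.com Fake AV Checkin"; flow:established,to_server; uricontent:"/bill_mod/bill_count.php?C_FLAG="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 5.5\; Windows 98)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008180; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_V-clean.com; sid:2008180; rev:2;)
#by Matt Jonkman from Listening Post Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware"; flow:established,to_server; uricontent:"/DittoIA.jsh?pid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_VPPTechnologies; sid:2002348; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware Reporting URL"; flow:established,to_server; uricontent:"/js.vppimage?key="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002350; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_VPPTechnologies; sid:2002350; rev:3;)
#by victor julien
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/version/controllerVersion"; nocase; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007995; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Vaccine-program.co.kr; sid:2007995; rev:2;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware siae3123.exe GET"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2000306; rev:25;)
# Same content as 2000306 but pinned to dst port 8081, which is generally not part of $HTTP_PORTS (check your portvar).
alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET MALWARE Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2000307; rev:23;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Information Post"; flow: to_server,established; content:"POST "; nocase; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000308; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2000308; rev:22;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; uricontent:"/mmdom.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001525; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2001525; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; uricontent:"/bkinst.exe"; nocase; content:"virtumonde.com"; reference:url,www.lurhq.com/iframeads.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001526; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2001526; rev:21;)
#by matt jonkman
# Keys on the POST body field names (vomba=, &ff=, &vombashots= ...) after the header/body boundary |0d 0a 0d 0a|.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/scripts/get_cookie.php"; nocase; content:"|0d 0a 0d 0a|vomba="; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Vombanetwork.com; sid:2007870; rev:2;)
# Weatherbug - Dale Handy, PE
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug"; flow: to_server,established; uricontent:"WxAlertIsapi"; nocase; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001235; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid: 2001235; rev:11;)
#Submitted by Joel Esler
# 2001267 and 2002364 are intentionally disabled (leading '#'); they keyed only on the Host header. Left as found.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; content:"weatherbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid: 2001267; rev:14;)
#by M Shirk
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Wxbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; content:"wxbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid: 2002364; rev:4;)
#from spywarelp data, by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Activity"; flow:established,to_server; uricontent:"/WeatherWindow/WeatherWindow"; nocase; uricontent:"?rnd="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003420; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003420; rev:3;)
# NOTE(review): sids 2003421 and 2003423 are identical apart from the sid (same msg, same uricontent options), so
# every hit raises two alerts. One of them should be retired (keep the sid reserved; do not reuse it).
# Also, the second uricontent "?ZipCode=" follows "?Magic=" with no distance/offset; a second '?' inside one query
# string is unusual and may have been meant as "&ZipCode=" — confirm against a capture before changing it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Design60 Upload Activity"; flow:established,to_server; uricontent:"/GetDesign60.aspx?Magic="; nocase; uricontent:"?ZipCode="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003421; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003421; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Design60 Upload Activity"; flow:established,to_server; uricontent:"/GetDesign60.aspx?Magic="; nocase; uricontent:"?ZipCode="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003423; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Command Activity"; flow:established,to_server; uricontent:"/connection/connectionv"; nocase; uricontent:"?t="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003422; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Vista Gadget Activity"; flow:established,to_server; uricontent:"/Command/VistaGadget_v"; nocase; uricontent:"UserId="; nocase; uricontent:"&AppVersion="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003534; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003534; rev:3;)
#by Matt Jonkman, from Spyware Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webbuying.net Spyware Installing"; flow:established,to_server; uricontent:"/inst.php?"; nocase; uricontent:"d="; nocase; uricontent:"&cl="; nocase; uricontent:"&l="; nocase; uricontent:"&e="; nocase; uricontent:"&v=wbi_v"; nocase; uricontent:"&uid="; nocase; uricontent:"&time="; nocase; uricontent:"&win="; nocase; uricontent:"&un=0"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003442; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webbuying.net; sid:2003442; rev:3;)
#Submitted by Matt Jonkman, Tweaks by Bob Grabowsky
# Server-to-client direction: matches the "WebHancer Authority Server" banner in the response.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webhancer; sid: 2001317; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Data Post"; flow: to_server,established; content:"POST http\://prime.webhancer.com"; nocase; content:"AgentTag\:"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webhancer; sid: 2001677; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Agent Activity"; flow: to_server,established; content:"Host\:"; nocase; content:"webhancer.com"; within:30; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webhancer; sid: 2001678; rev:7;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Spyware"; flow: to_server,established; uricontent:"/sitereview.asmx/GetReview"; nocase; classtype: trojan-activity; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001325; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Websearch.com; sid: 2001325; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; uricontent:"/1/rdgUS10.exe"; nocase; classtype: trojan-activity; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001517; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Websearch.com; sid: 2001517; rev:7;)
#Matt Jonkman, from spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Cab Download"; flow: to_server,established; uricontent:"/Dnl/T_"; nocase; pcre:"/\/\S+\.cab/Ui"; classtype: trojan-activity; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2003242; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Websearch.com; sid: 2003242; rev:7;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weird on the Web /180 Solutions Checkin"; flow: to_server,established; uricontent:"/notifier/config.ini?v="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weirdontheweb; sid: 2002036; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weird on the Web /180 Solutions Update"; flow: to_server,established; uricontent:"/notifier/updates"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weirdontheweb; sid: 2002041; rev:5;)
#Submitted by Matt Jonkman
# WhenU family: the /heartbeat? rules below differ only in the app name matched after '='; all are policy-violation class.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; uricontent:"/vsn/ISA/"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000908; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000908; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; uricontent:"/Appinstall?app=VVSN"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000909; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=clock"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000910; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=weather"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000911; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000911; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; uricontent:"/clock?id="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000912; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000912; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; uricontent:"/clockDB"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000913; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000913; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; uricontent:"/weatherDB"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000914; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000914; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; uricontent:"/weather?id="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000915; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000915; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=whenusave"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000916; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000916; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; uricontent:"/OffersDataGZ?update="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000917; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000917; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Desktop Bar Install"; flow: to_server,established; uricontent:"/Appinstall?app=desktop"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000918; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000918; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; uricontent:"/SearchDB?update="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000919; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000919; rev:9;)
#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=desktop"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001443; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2001443; rev:8;)
#Matt Jonkman from spywarelp data
# /versions.html alone would be noisy; the extra content:"whenu.com" (Host or body) is what keeps this rule specific.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Application Version Check"; flow: to_server,established; uricontent:"/versions.html"; nocase; content:"whenu.com"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003389; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2003389; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ)"; flow: to_server,established; uricontent:"/DataChunksGZ?update="; nocase; uricontent:"ver="; nocase; uricontent:"svr="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003404; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2003404; rev:4;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Installation"; flow: to_server,established; uricontent:"/Recovery/Checkin.aspx?version"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001307; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Checking In"; flow: to_server,established; uricontent:"/CDADeliveries/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001309; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001309; rev:6;)
# 2001310 (/CDAFiles/DP/SysConfig) is a strict subset of 2001314 (/CDAFiles/); a SysConfig hit will raise both.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Traffic"; flow: to_server,established; uricontent:"/CDAFiles/DP/SysConfig"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001310; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent"; flow: to_server,established; uricontent:"/CDAFiles/"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001314; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001314; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent New Install"; flow: to_server,established; uricontent:"/NewUser/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001322; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001322; rev:6;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Install"; flow: to_server,established; uricontent:"/updatestats/AI_Euro.exe"; nocase; classtype: trojan-activity; reference:mcafee,122249; reference:url,doc.emergingthreats.net/bin/view/Main/2002008; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wildmedia; sid: 2002008; rev:8;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Windupdates.com Spyware Install"; flow: established,to_server; uricontent:"/cab/CDTInc/ie/"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001700; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Windupdates.com; sid: 2001700; rev:7;)
# NOTE(review): msg "Loggin Data" is presumably "Logging Data" (the URI is /logging.php); fix together with a rev bump.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Windupdates.com Spyware Loggin Data"; flow: established,to_server; uricontent:"/logging.php?p="; nocase; content:"Host\: public.windupdates.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001701; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Windupdates.com; sid: 2001701; rev:6;)
#By Matt Jonkman from spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware Install"; flow: to_server,established; uricontent:"/dispatcher.php?action="; nocase; content:"Host\: www.winfix"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003543; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winfixmaster.com; sid: 2003543; rev:3;)
#Matt jonkman from Spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winferno Registry Fix Spyware Download"; flow: to_server,established; uricontent:"/freeze_rpc6bundle_us/REGISTRYFIXDLL.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wininferno.com; sid:2003353; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware Download"; flow: to_server,established; uricontent:"/WebServices/DesktopManager/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003356; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wininferno.com; sid:2003356; rev:3;)
#by matt jonkman
# The unescaped '.' in the pcre between php and saff matches any single byte, not only '?'; harmless here but looser than the uricontent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; uricontent:"/newuser.php?saff="; pcre:"/\/newuser\.php.saff=(\d+|x.+)/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winquickupdates.com; sid:2008012; rev:3;)
#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winreanimator.com Fake AV Install Attempt"; flow:established,to_server; uricontent:"/inst.php?wmid="; nocase; uricontent:"&p="; nocase; uricontent:"&l="; nocase; uricontent:"&s="; nocase; classtype:trojan-activity; reference:url,www.winreanimator.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007865; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winreanimator.com; sid:2007865; rev:2;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Spyware Activity"; flow: to_server,established; uricontent:"/?proto="; nocase; uricontent:"&rc="; nocase; uricontent:"&abbr="; nocase; uricontent:"platform="; nocase; uricontent:"&os_version="; nocase; uricontent:"&appid="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winsoftware.com; sid: 2003471; rev:4;)
#matt jonkman, www.winxdefender.com fake AV package
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/checkupdate.php"; nocase; content:"|0d 0a|User-Agent\: Opera"; content:"Computer ID\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winxdefender.com; sid:2008197; rev:2;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; uricontent:"/fa/evil.html"; nocase; classtype: trojan-activity; 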
reference:url,doc.emergingthreats.net/bin/view/Main/2001461; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001461; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; uricontent:"/fa/?d=get"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001462; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001462; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http\://xpire.info/i.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001463; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001463; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; uricontent:"/i.exe"; nocase; content:"xpire.info"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001464; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; uricontent:"/dl/adv121.php"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001466; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001466; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; uricontent:"/dl/adv121/x.chm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001467; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001467; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; uricontent:"/fa/ied_s7m.chm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001468; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001468; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; uricontent:"/fa/x.chm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001469; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001469; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; uricontent:"/fa/xpl3.htm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001470; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Exploit"; flow: to_server,established; uricontent:"/2DimensionOfExploitsEnc.php"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001471; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Install Reporting"; flow: to_server,established; uricontent:"/xpsystem/report.php?user_id="; nocase; uricontent:"&status=0&country_id="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001472; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Install Code Download"; flow: to_server,established; uricontent:"/install.gz"; nocase; content:"Host\: xpire.info"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001491; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001541; rev:10;) #Thanks James Ashton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yesadvertising Banking Spyware RETRIEVE"; flow: to_server,established; uricontent:"/img1big.gif"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000336; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yesadvertising_Banking_Spyware; sid: 2000336; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yesadvertising Banking Spyware INFORMATION SUBMIT"; flow: to_server,established; uricontent:"/cgi-bin/yes.pl"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yesadvertising_Banking_Spyware; sid: 2000337; rev:10;) # by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE YourSiteBar Data Submision"; flow: 
to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; reference:url,www.ysbweb.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001698; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_YourSiteBar; sid: 2001698; rev:6;) #Matt jonkman from Spyware LP Data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yourscreen.com Spyware Download"; flow: to_server,established; uricontent:"/data/yourscreen_data.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003354; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yourscreen.com; sid:2003354; rev:3;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; uricontent:"/protector.exe"; nocase; reference:url,www.yupsearch.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yupsearch.com; sid: 2002092; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - sideb.exe"; flow: to_server,established; uricontent:"/sideb.exe"; nocase; reference:url,www.yupsearch.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002098; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yupsearch.com; sid: 2002098; rev:6;) #John Stewart alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Adware"; flow: to_server,established; uricontent:"/cl/clientdump"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001947; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; 
sid: 2001947; rev:5;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Adware 2"; flow: to_server,established; uricontent:"/cl/clienthost"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002735; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid: 2002735; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Spyware Install Report"; flow: to_server,established; uricontent:"/instreport"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002737; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid: 2002737; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|uid="; distance:0; content:"&ref="; distance:0; content:"&clid="; distance:0; content:"&commode="; distance:0; content:"&cmd="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid:2008757; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".asp?rnd="; content:"|0d 0a 0d 0a|uid="; content:"&ref="; distance:0; content:"&clid="; distance:0; content:"&umode="; distance:0; content:"&cn="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid:2008798; rev:2;) #Matt Jonkman, from spyware lp data alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Supergames.aavalue.com Spyware"; flow: established,to_server; uricontent:"/toolbars/msg/msg_serverside.xml"; nocase; content:"aavalue.com"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,doc.emergingthreats.net/bin/view/Main/2003525; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_aavalue.com; sid: 2003525; rev:3;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE adservs.com Spyware"; flow: to_server,established; uricontent:"/binaries/relevance.dat"; content:"adservs"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002740; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_adservs.com; sid: 2002740; rev:3;) # Following are requests from adware served by iframebiz.biz alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - adv***.php"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/adv"; nocase; pcre:"/adv\d+\.php/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002707; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002707; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - sploit.anr"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/sploit.anr"; nocase; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002708; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002708; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/loaderadv"; nocase; pcre:"/loaderadv\d+\.jar/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002709; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002709; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - loadadv***.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/loadadv"; nocase; pcre:"/loadadv\d+\.exe/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002710; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002710; rev:6;) #by Deapesh Misra alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php"; flow:established,to_server; uricontent:"/qwertyuiyw12ertyuytre"; nocase; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T; reference:url,doc.emergingthreats.net/bin/view/Main/2008681; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2008681; rev:4;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE K8l.info Spyware Activity"; flow: to_server,established; uricontent:"/media/servlet/view/dynamic/url/zone?"; nocase; uricontent:"zid="; nocase; uricontent:"&pid="; nocase; uricontent:"&DHWidth="; nocase; uricontent:"&DHHeight="; nocase; uricontent:"Ref="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003451; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_k8l.info; sid: 
2003451; rev:3;)