#
# $Id: bleeding-all.rules $
# Bleeding Edge Threats rules.
#
# SID's are 2000000+ to avoid conflicts
#
# Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release.
#
# More information available at www.bleedingthreats.net
#
# Please submit any custom rules or ideas to bleeding@bleedingthreats.net or the bleeding-sigs mailing list
#
#This is the MASTER list, this includes ALL rules
#
#*************************************************************
#
# Copyright (c) 2003-2007, Bleeding Edge Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
#By Scott Melnick
#You should never get a Private DNS address from a Remote DNS Server
#Disable or modify these rules if your resolver is outside HOME_NET and legitimately returns private (RFC 1918) or loopback addresses, e.g. split-horizon DNS
#disabling, scheduled for deletion
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 192.168.x.x/16 (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 c0 a8|"; within:4; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006913; rev:4;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 10.x.x.x /8 (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 0a|"; within:3; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006914; rev:4;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 172.16.x.x/12 (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 ac|"; within:3; distance:4; pcre:"/\xac+[\x10|\x11|\x12|\x13|\x14|\x15|\x16|\x17|\x18|\x19|\x1a|\x1b|\x1c|\x1d|\x1e|\x1f]/"; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006915; rev:3;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.01 address (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006916; rev:3;)
#alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 192.168.x.x/16 (local IP from remote DNS Server)"; flow:established,from_server; content: "|c0 0c 00 01 00 01|"; content: "|00 04 c0 a8|"; within:4; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006917; rev:5;)
#alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 10.x.x.x /8 (local IP from remote DNS Server)"; flow:established,from_server; content: "|c0 0c 00 01 00 01|"; content: "|00 04 0a|"; within:3; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006918; rev:5;)
#alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 172.16.x.x/12 (local IP from remote DNS Server)"; flow:established,from_server; content: "|c0 0c 00 01 00 01|"; content: "|00 04 ac|"; within:3; distance:4; pcre:"/\xac+[\x10|\x11|\x12|\x13|\x14|\x15|\x16|\x17|\x18|\x19|\x1a|\x1b|\x1c|\x1d|\x1e|\x1f]/"; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006919; rev:4;)
#alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.0.1 address (local IP from remote DNS Server)"; flow:established,from_server; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006920; rev:4;)
#By Don Jackson of SecureWorks
# Crafted for the lowest common denominator; should work in most 1.x and later engines, PCRE used for C&C traffic.
# Mostly for spotting its use on your network. Only one DDoS rule (in OUTBOUND and INBOUND forms). Be careful of the number/rate of alerts; these rules do not use thresholding, so a flood yields one alert per request.
# DNS left in hex to avoid advertising the domains to the bad guys via google
#these first few are for specific domains, to be removed in the not too distant future
# E-Jihad 3.0 resolver lookups for the tool's hard-coded hostnames, one rule per
# name with a TCP and a UDP variant. Each content match is the wire-format QNAME
# followed by QTYPE=A (00 01) and QCLASS=IN (00 01); the names are deliberately
# left in hex (see the section note), so decode the blob before editing a rule.
# No 'nocase' is set, so only the exact byte case of the name matches.
# NOTE(review): the source-port spec ':1024' means ports 0-1024 only, whereas the
# HTTP rules below use '1024:' (1024 and above). Most stub resolvers send from
# ephemeral high ports, so these rules may only see queries from privileged
# source ports -- confirm against a capture of the tool and widen to 'any' if
# the low-port restriction was not intended.
alert tcp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (1)"; flow:established,to_server; content:"|08616c2d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007673; rev:1;)
alert tcp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (2)"; flow:established,to_server; content:"|0861312d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007674; rev:1;)
alert tcp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (3)"; flow:established,to_server; content:"|0661726464726104686f737402736b0000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007675; rev:1;)
alert tcp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (4)"; flow:established,to_server; content:"|03777777056a6f2d7566036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007676; rev:1;)
alert tcp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (5)"; flow:established,to_server; content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007677; rev:1;)
alert udp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (1)"; content:"|08616c2d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007678; rev:1;)
alert udp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (2)"; content:"|0861312d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007679; rev:1;)
alert udp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (3)"; content:"|0661726464726104686f737402736b0000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007680; rev:1;)
alert udp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (4)"; content:"|03777777056a6f2d7566036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007681; rev:1;)
alert udp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (5)"; content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007682; rev:1;)
#these are more permanent, C&C related
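# E-Jihad 3.0 HTTP C&C check-ins: login (tlog.php), target fetch (ntarg.php)
# and new-user registration (tnewu.php). Each rule anchors on the method,
# fast-paths on the normalized URI with uricontent, then confirms the parameter
# layout with a PCRE over the raw request line.
# Fix (rev 2): the PCREs wrote the query-string '?' unescaped. In PCRE a bare
# '?' is a quantifier that makes the preceding 'p' optional, so 'php?logn='
# required the literal 'phplogn=' or 'phlogn=' and could never agree with the
# uricontent '/tlog.php?logn=' on the same request -- 2007683 and 2007685 were
# dead (2007684 only worked because its '[^\s]*' absorbed the '?'). The '?' is
# now '\?', the '.' in 'tnewu.php' is escaped, '/' is escaped inside the PCRE
# delimiters, and the version alternation is '[01]' instead of '[0|1]', which
# also accepted a literal '|'. Matching semantics are otherwise unchanged.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 1"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tlog.php?logn="; pcre:"/GET \/tlog\.php\?logn=[^\s]+&pss=[^\s]+\sHTTP\/1\.[01]\x0D\x0A/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007683; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 2"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ntarg.php?"; pcre:"/GET \/ntarg\.php\?[^\s]*(notdoing=|howme=|uname=)[^\s]*\sHTTP\/1\.[01]\x0D\x0A/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007684; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 3"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tnewu.php?nlogin="; pcre:"/GET \/tnewu\.php\?nlogin=[^\s]+&npss=[^\s]+&invitedby=[^\s]+\sHTTP\/1\.[01]\x0D\x0A/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007685; rev:2;)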
# E-Jihad 3.0 HTTP flood, keyed on the tool's fixed "User-Agent: Attacker"
# header. OUTBOUND catches an infected host on $HOME_NET attacking out; INBOUND
# catches the flood arriving at $HTTP_SERVERS. 'offset:14' only requires the
# header to begin at or after byte 14 of the payload; the header match is
# case-sensitive, so a variant that changes the casing is not covered.
# NOTE(review): there is no thresholding, so a flood yields one alert per
# request. If volume is a problem, add e.g.
# 'threshold:type limit,track by_src,count 1,seconds 60;' -- left out here so
# the rule's behaviour is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity OUTBOUND"; flow:established,to_server; content:"GET "; offset:0; depth:4; content:"|0d 0a|User-Agent\: Attacker|0d 0a|"; offset:14; classtype:denial-of-service; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007686; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity INBOUND"; flow:established,to_server; content:"GET "; offset:0; depth:4; content:"|0d 0a|User-Agent\: Attacker|0d 0a|"; offset:14; classtype:denial-of-service; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007687; rev:2;)
#by Scott Melnick
#threat passed, too high load to keep for long term. To be removed soon
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Mailto Link Detected"; flow: from_server,established; content:"mailto\:%"; nocase; content: "/../../"; within:30; nocase; pcre:"/(\.exe|\.bat|\.com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006436; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE News Link Detected"; flow: from_server,established; content:"news\:%"; nocase; content: "/../../"; within:30; nocase; pcre:"/(\.exe|\.bat|\.com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006437; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Nntp Link Detected"; flow: from_server,established; content:"nntp\:%"; nocase; content: "/../../"; within:30; nocase; pcre:"/(\.exe|\.bat|\.com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006438; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Snews Link Detected"; flow: from_server,established; content:"snews\:%"; nocase; content: "/../../"; within:30; nocase; pcre:"/(\.exe|\.bat|\.com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006439; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Telnet Link Detected"; flow: from_server,established; content:"telnet\:%"; nocase; content: "/../../"; within:30; nocase; pcre:"/(\.exe|\.bat|\.com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006440; rev:1;)
#simple sig, but should work for the time being
#by Matt Jonkman
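# MS IIS Indexing Service hit-highlighting (.htw) request carrying the
# CiWebHitsFile / CiRestriction / CiHiliteType=full parameter set (KB 328832).
# Fix (rev 2): the three uricontent matches were case-sensitive. The documented
# parameter name is spelled CiWebHitsFile (mixed case), which the pattern
# 'Webhitsfile=' never matches byte-for-byte, and IIS/ISAPI query parameter
# names are generally not case-sensitive (verify on the target version), so any
# other casing slipped past the rule. All three matches now carry nocase.
# uricontent inspects the normalized URI, so percent-encoded variants of the
# parameter names are covered there as well.
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS MS IIS Auth Bypass Attempt"; flow:established,to_server; uricontent:"Webhitsfile="; nocase; uricontent:"CiRestriction="; nocase; uricontent:"CiHiliteType=full"; nocase; classtype:attempted-admin; reference:url,support.microsoft.com/kb/328832; sid:2004115; rev:2;)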
#by Matt Jonkman, from ISC post, idea from Russ McRee
# NOTE(review): this rule is truncated in this copy of the file. The option
# list between 'content:"' at the end of the first line and the
# '\s*<\s*\/\s*DIV\s*>/ism"' fragment on the next was lost -- the HTML-like
# text appears to have been stripped during extraction. As written it is not
# valid Snort syntax and will abort rule loading. Restore sid 2003596 rev:3
# from the upstream Bleeding Edge distribution before use; do not rebuild the
# pattern from the surviving fragment, the intermediate matches are unknown.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage"; flow:established,from_server; content:"
\s*<\s*\/\s*DIV\s*>/ism"; classtype:misc-attack; reference:url,isc.sans.org/diary.html?storyid=2648; sid:2003596; rev:3;)
#by Matt Jonkman
#Temporary, till the patch is widespread
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS Vulnerable MS FlashPix ActiveX Control in Use"; flow:established,from_server; content:"CLSID"; nocase; content:"{201EA564-A6F6-11D1-811D-00C04FB6BD36}"; distance:0; nocase; classtype:web-application-activity; reference:url,secunia.com/advisories/26426/; sid:2007342; rev:2;)
#needs a better name
#info from Bojan at ISC and Russell Fulton
# sig by Russell and Matt Jonkman
# Mac trojan HTTP check-in, keyed on a protocol quirk rather than a host: the
# Accept-Language header must immediately follow the request line (the content
# match spans " HTTP/1.1\r\nAccept-Language: ") and must start with at least 20
# consecutive alphanumerics, which a real language tag does not. The PCRE has
# no end anchor, so 20 or more characters match. No reference is recorded for
# this signature; the surrounding comments credit ISC and Russell Fulton.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Mac Trojan HTTP Checkin (accept-language violation)"; flow:established,to_server; content:"GET "; depth:4; content:" HTTP/1.1|0d 0a|Accept-Language\: "; pcre:"/Accept-Language\: [a-zA-Z0-9]{20}/"; classtype:trojan-activity; sid:2007650; rev:1;)
#by Adam Pointon at sentinelsecurity.com.au
# WPAD name-devolution lookups (KB 247333). Each content match is a wire-format
# QNAME prefix such as |04|wpad|03|com|02|: the trailing |02| requires a
# two-character label after the public suffix, so these fire on names of the
# form wpad.com.<cc>, wpad.co.<cc>, wpad.net.<cc>, wpad.org.<cc> -- what a
# client in a corporate domain under a country-code TLD asks for when its WPAD
# search devolves out to a publicly registrable name an attacker can own.
# A plain wpad.com query (QNAME terminated by |00|) does NOT match; add a
# variant ending in |00| if that case matters. Only queries sent to
# $DNS_SERVERS are inspected, so lookups that go straight to an external
# resolver are missed. nocase covers case variation in the labels.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS Possible MITM lookup for WPAD.com"; content:"|04|wpad|03|com|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007707; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS Possible MITM lookup for WPAD.co"; content:"|04|wpad|02|co|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007708; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS Possible MITM lookup for WPAD.net"; content:"|04|wpad|03|net|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007709; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS Possible MITM lookup for WPAD.org"; content:"|04|wpad|03|org|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007710; rev:1;)
#by axnjxn
#based on referenced article by Pedro Bueno
#Initial experiments on writing good sigs. These are dependent on the exact variant, but we may learn something
# NOTE(review): the next two lines are garbled in this copy of the file. Five
# "Possible XML Controlled Trojan" rules and the header of the Yahoo Messenger
# CLSID rule (sid 2004599) have been run together, and every 'content:"...'
# option that began with HTML-like text was stripped during extraction, so
# none of the five trojan rules keeps its pattern, classtype or sid. The only
# complete rule left is the tail of 2004599 (CLSID DCE2F8B1-A520-11D4-8FD0-
# 00D0B7730277 from a server response, VU#949817). As written these lines are
# not valid Snort syntax and will abort rule loading; restore them from the
# upstream Bleeding Edge distribution rather than editing this fragment.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Possible XML Controlled Trojan (UrlMonitor.100.z.img)"; flow:established,to_server; content:"
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Possible XML Controlled Trojan (core.101.z.img)"; flow:established,to_server; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Possible XML Controlled Trojan (Notifier.104.z.img)"; flow:established,to_server; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Possible XML Controlled Trojan (bootup.exe.xml)"; flow:established,to_server; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Possible XML Controlled Trojan (UrlMonitor.xml)"; flow:established,to_server; content:" $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Yahoo Messenger CLSID - Possible Attack"; flow:from_server,established; content:"CLSID"; nocase; content:"DCE2F8B1-A520-11D4-8FD0-00D0B7730277"; nocase; distance:0; within:50; classtype:attempted-admin; reference:url,www.kb.cert.org/vuls/id/949817; sid:2004599; rev:1;)
#Yahoo Messenger YVerInfo.dll ActiveX Multiple Remote Buffer Overflow Vulnerabilities
# Server response that references the vulnerable YVerInfo.dll control's CLSID
# anywhere in the page (iDefense advisory 591). Unlike 2004599 above there is
# no preceding "CLSID" anchor, so any page that merely mentions the GUID --
# advisories, forum posts, vendor bulletins -- will also fire; treat as
# "vulnerable control referenced", not as a confirmed exploit attempt.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Yahoo Messenger Vulnerable YVerInfo.dll CLSID in use - Possible Attack"; flow:from_server,established; content:"D5184A39-CBDF-4A4F-AC1A-7A45A852C883"; nocase; classtype:web-application-activity; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=591; reference:url,messenger.yahoo.com/security_update.php?id=082907; sid:2007586; rev:1;)
#Submitted by Jason Haar
# 180solutions / Zango adware family: update engine, event and action
# reporting, installer downloads and configuration fetches. All rules are
# client -> server on $HTTP_PORTS and key on URI fragments or Host headers;
# none carries a threshold, so a chatty installation alerts on every request.
# Update engine: GET with a Host header within 300 bytes of the method whose
# value ends in .180solutions.com (within 40 bytes of "Host:").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:".180solutions.com"; within: 40; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; classtype: trojan-activity; sid: 2000930; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware (tracked event reported)"; flow: to_server,established; uricontent:"/TrackedEvent.aspx?"; nocase; uricontent:"eid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001397; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware (action url reported)"; flow: to_server,established; uricontent:"/actionurls/ActionUrl"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001399; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Reporting"; flow: to_server,established; uricontent:"/showme.aspx?"; nocase; uricontent:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001400; rev:6; )
#Matt Jonkman
# Keywords download: note the second match is 'content' (raw payload), not
# 'uricontent', so partner_id= may also be satisfied from a POST body/header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; uricontent:"keywords/kyf"; nocase; content:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002001; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Install"; flow: to_server,established; uricontent:"/downloads/installers/"; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002003; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Defs Download"; flow: to_server,established; uricontent:"/geodefs/gdf"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002048; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware config Download"; flow: to_server,established; uricontent:"/config.aspx?did="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002099; rev:2; )
#By M Shirk from Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware versionconfig POST"; flow:to_server,established; uricontent:"/versionconfig.aspx?"; uricontent:"&ver="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002354; rev:1; )
#Matt Jonkman. Bundled from Warner Brothers Kids site.. can you believe that crap? Guess where my kids WON'T be spending my money....
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Actionlibs Download"; flow:to_server,established; uricontent:"/actionurls/ActionUrlb"; nocase; uricontent:"partnerid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2003057; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions (Zango) Spyware Installer Download"; flow:to_server,established; uricontent:"/Zango/ZangoInstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2003058; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; uricontent:"/ZangoTBInstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2003059; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; uricontent:"/php/rpc_uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2003060; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; uricontent:"/php/uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2003061; rev:1; )
#New zango url
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zango Spyware Activity"; flow:to_server,established; uricontent:"/banman/banman.asp?ZoneID="; nocase; uricontent:"&Task="; nocase; uricontent:"&X="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype:trojan-activity; sid: 2003170; rev:1; )
#Matt Jonkman
# Installer Config 2: the negated 'content:!"User-Agent\: "' means the rule
# fires only when the request carries NO "User-Agent: " header (exact case,
# anywhere in the payload). A request that sends the header in another case
# still counts as "absent" and will alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; uricontent:"config.aspx"; nocase; uricontent:"?ver="; nocase; content:"HTTP"; nocase; content:!"User-Agent\: "; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2003217; rev:3; )
#more from the spywarelp
#Matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware (tracked event 2 reporting)"; flow: to_server,established; uricontent:"/trackedevent.aspx?"; nocase; uricontent:"ver="; nocase; pcre:"/ver=\d+\.\d+/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2003306; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zango Spyware (tbrequest data post)"; flow: to_server,established; uricontent:"/tbrequest"; nocase; uricontent:"&q="; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2003610; rev:1;)
#by Russ McRee
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Zango Spyware version 10.0 Post"; flow:to_server,established; uricontent:"/te.aspx?ver=10"; nocase; reference:url,usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000045; classtype:trojan-activity; sid:2007607; rev:1; )
#Submitted by Joel Esler
# 2020search adware. The hex in 2000327 is "Host: www.2020search.com" and
# "IpAddr"; the two matches are unordered, so both just have to be somewhere
# in the request. 2000934 is stricter: a POST whose request line reaches
# "srng/reg.php HTTP" within 50 bytes, a Host header for 2020search.com, and
# an "IpAddr=" form field within 100 bytes of it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; sid: 2000327; rev:7; )
#
#Submitted by Jason Haar
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 2020search Update Engine"; flow: to_server,established; content:"POST"; depth: 4; content:"srng/reg.php HTTP"; within: 50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within: 40; content:"IpAddr="; nocase; within: 100; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; classtype: trojan-activity; sid: 2000934; rev:5; )
#Submitted by Chris Norton
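# 2nd-thought / W32.Daqa.C installer fetch: a request for goidr.cab carrying
# "Host: www.webnetinfo.net" (both strings kept in hex as in the original).
# Fix (rev 6): rev 5 was written $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET with
# flow:from_server, i.e. it inspected the server's RESPONSE for a Host request
# header, which only ever appears in the client's request -- the rule could
# not fire on ordinary HTTP. Direction and flow now follow the request (client
# on $HOME_NET -> server on $HTTP_PORTS), consistent with the other download
# rules in this section. It still fires when the file is requested, not when
# the bytes are delivered, which is what "Download" meant here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 2nd-thought (W32.Daqa.C) Download"; flow: to_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; sid: 2001447; rev:6; )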
#from spyware listening post data, by matt Jonkman
# Assorted adware beacons (51yes, a-d-w-a-r-e.com, ABX toolbar, Abcsearch,
# Abox). All but 2001440 are client -> server URI matches; several use generic
# parameter names (id=, &refe=, Terms=) and rely on the combination of
# uricontent fragments for specificity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE 51yes.com Spyware Reporting User Activity"; flow:established,to_server; uricontent:"/sa.aspx?id="; nocase; uricontent:"&refe=http"; nocase; classtype:trojan-activity; sid:2003620; rev:1;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; uricontent:"/cgi-bin/PopupV"; nocase; uricontent:"?ID={"; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; sid: 2001730; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; uricontent:"/app/VT00/ucmd.php?V="; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; sid: 2001735; rev:5; )
#By Mark Tombaugh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ABX Toolbar ActiveX Install"; flow: to_server,established; uricontent:"/abx_search_webinstall/abx_search.cab"; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-04; classtype: trojan-activity; sid: 2001761; rev:3; )
#By Matt Jonkman, From spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Abcsearch.com Spyware Reporting"; flow:established,to_server; uricontent:"/cgi-bin/search/mxml.fcgi?"; nocase; uricontent:"Terms="; nocase; uricontent:"&affiliate="; nocase; uricontent:"&subid="; nocase; uricontent:"&Hits_Per_Page="; nocase; classtype:trojan-activity; sid:2003438; rev:1;)
#Submitted by cooljay
# Abox Download: traffic from an external port 20, i.e. active-mode FTP data
# where the external server opens the connection, which is why flow says
# to_server even though the bytes come from the outside. The hex is a UTF-16LE
# fragment ("\Carmen" ... "suc") that must sit at offset 160 or 161 (depth 26
# for a 25-byte pattern); nocase only affects the alphabetic bytes. 'tag'
# captures one further packet from the source host; the flowbit "tagged" is
# set here but no rule in this section tests it.
alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg: "BLEEDING-EDGE MALWARE Abox Download"; flow: established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset: 160; depth: 26; tag: host,1,packets,src; flowbits: set,tagged; classtype: trojan-activity; sid: 2001440; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Abox Install Report"; flow: to_server,established; uricontent:"&time="; nocase; uricontent:"/new_install?id="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; sid: 2001441; rev:9; )
#by Matt Jonkman from Listening Post Data
#Disabling, obsoleting. To be deleted in a month or so
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; uricontent:"/promo/affiframe.jsp?Pid="; nocase; classtype:trojan-activity; sid:2002353; rev:1;)
#by Matt JOnkman
#spyware, from the sandnet
# Advertisementserver.com check-ins are tied down by the User-Agent string
# "Microsoft URL Control" (the VB/ASP URL control) in addition to the
# UID/DIST/NPR parameters; 2007602 also requires a numeric UID via PCRE on the
# normalized URI. The advertising.com rules match only the two named .aspx
# game pages and are classed policy-violation rather than trojan-activity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; uricontent:"?UID="; nocase; uricontent:"&DIST="; nocase; uricontent:"&NPR="; nocase; content:"User-Agent\: Microsoft URL Control"; nocase; classtype:trojan-activity; sid:2007601; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; uricontent:"monitor.php"; nocase; uricontent:"?UID="; nocase; pcre:"/UID=\d+/Ui"; content:"User-Agent\: Microsoft URL Control"; nocase; classtype:trojan-activity; sid:2007602; rev:2;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Data Post (villains)"; flow: to_server,established; uricontent:"/Games/villains.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2001228; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Data Post (cakedeal)"; flow: to_server,established; uricontent:"/Games/cakedeal.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2001230; rev:6; )
#From Listening Post data
#Hits on normal ads, not reporting data
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Reporting Data"; flow: to_server,established; pcre:"/\/site=\d+\/mnum=\d+\/bins=\d+\/rich=\d+\/logs=\d+\/betr=/Ui"; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2002304; rev:1; )
#by Matt Jonkman
# Adware Command checkin: /client.php?str= plus a User-Agent ending in
# "Indy Library)" (the Delphi Indy HTTP client) within 30 bytes of the header
# name. Adwave and Wintools are plain URI matches; 2001450 needs both
# "/WTools" and ".cab" anywhere in the URI, in any order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Adware Command Client Checkin"; flow: to_server,established; uricontent:"/client.php?str="; nocase; content:"User-Agent\: "; nocase; content:"Indy Library)"; within:30; nocase; classtype: policy-violation; reference:url,www.nuker.com/container/details/adware_command.php; sid: 2003446; rev:2;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Adwave Agent Access"; flow: to_server,established; uricontent:"/search_404.aspx?aff="; nocase; classtype: policy-violation; reference:url,www.intermute.com/spyware/HuntBar.html; sid: 2001318; rev:5; )
#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Wintools Download/Configure"; flow: to_server,established; uricontent:"/WTools"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; reference:url,www.intermute.com/spyware/HuntBar.html; sid: 2001450; rev:9; )
#By Matt Jonkman
# NOTE(review): 2001529's msg says "Casalemedia" but the only match is a Host
# header ending in .ak-networks.com (within 30 bytes of "Host:"); the two
# names are presumably related -- confirm and rename the msg if not. Any
# request to that domain, including ordinary ad fetches, will fire it; no
# reference is recorded for these three rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".ak-networks.com"; nocase; within: 30; classtype: trojan-activity; sid: 2001529; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ak-networks.com Spyware Code Download"; flow: to_server,established; uricontent:"/SyncAkSoft.da_"; nocase; classtype: trojan-activity; sid: 2001530; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ak-networks.com Spyware Code Install"; flow: to_server,established; uricontent:"/akcore.dl_"; nocase; classtype: trojan-activity; sid: 2001737; rev:4; )
#by Matt Jonkman from listening post data
# Alexa toolbar reporting. 2003219 and 2003606 key on short generic parameter
# names (cli=, dat=, ver=, uid=/url=) under /data with no host restriction, so
# expect some false positives from unrelated applications that use the same
# names; 2003619 is the only one pinned to a host (redirect.alexa.com).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Alexa Spyware Reporting URL"; flow:established,to_server; uricontent:"/image_server.cgi?size=small&url=http\:/"; nocase; classtype:trojan-activity; sid:2002349; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Alexa Spyware Reporting"; flow:established,to_server; uricontent:"/data?"; nocase; uricontent:"cli="; nocase; uricontent:"&dat="; nocase; uricontent:"&ver="; nocase; uricontent:"&uid="; nocase; classtype:trojan-activity; sid:2003219; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Alexa Spyware Reporting URL Visited"; flow:established,to_server; uricontent:"/data/"; nocase; uricontent:"&cli="; nocase; uricontent:"&dat="; nocase; uricontent:"&ver="; nocase; uricontent:"&url="; nocase; classtype:trojan-activity; sid:2003606; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Alexa Spyware Redirecting User"; flow:established,to_server; uricontent:"/redirect?http"; nocase; content:"Host\: redirect.alexa.com"; nocase; classtype:trojan-activity; sid:2003619; rev:1;)
#Modified and added to by Matt Jonkman (Original author missing)
# Altnet PeerPoints Manager (bundled with Kazaa-era installers): start,
# stats submission and settings.cab fetch, all classed policy-violation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Start"; flow: to_server,established; uricontent:"/pm/start.asp"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000906; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Data Submission"; flow: to_server,established; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000598; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Settings Download"; flow: to_server,established; uricontent:"/pointsmanager/settings.cab?"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000907; rev:7; )
#Submitted by Matt Jonkman
# Avres: "/ie/updatenew/" in the URI plus "CONFIG" anywhere in the payload
# (raw content, not uricontent), e.g. in the fetched file name.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Avres Agent Receiving Instructions"; flow: to_server,established; uricontent:"/ie/updatenew/"; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; classtype: trojan-activity; sid: 2000903; rev:4; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; sid: 2001999; rev:4; )
#Matt Jonkman from spyware listening post data
# Baidu toolbar: any URI under /update/barcab/, with no host check, so a
# legitimately installed toolbar's own updates fire it as well.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Reporting"; flow:to_server,established; uricontent:"/update/barcab/"; nocase; classtype:policy-violation; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; sid:2003340; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Pulling Content"; flow:to_server,established; uricontent:"/update/cab/loadmovie.swf"; nocase; content:"bar.baidu.com"; nocase; classtype:policy-violation; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; sid:2003341; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Pulling Data"; flow:to_server,established; uricontent:"/cpro/ui/ui"; nocase; content:"baidu.com"; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; sid:2003578; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Activity"; flow:to_server,established; uricontent:"/n?cmd="; nocase; uricontent:"&class="; nocase; uricontent:"&pn="; nocase; uricontent:"&tn"; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; sid:2003605; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Baidu.com Spyware Sobar Bar Activity"; flow:to_server,established; uricontent:"/sobar/sobar"; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; sid:2003630; rev:1;)
#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bargain Buddy"; flow: to_server,established; uricontent:"/download/bargin_buddy"; nocase; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; classtype: trojan-activity; sid: 2000574; rev:7; )
#By John Stewart
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; classtype: policy-violation; sid: 2001885; rev:4;)
#Matt Jonkman, caught off of fastmp3search.com.ar
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; uricontent:"/checkin.php?"; nocase; uricontent:"unq="; nocase; uricontent:"version="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; sid:2003209; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Best-targeted-traffic.com Spyware Install"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"&pais="; nocase; uricontent:"unq="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; sid:2003210; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Best-targeted-traffic.com Spyware Ping"; flow:established,to_server; uricontent:"/ping.php?"; nocase; uricontent:"ul=http"; nocase; uricontent:"unq="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; sid:2003211; rev:1;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bestcount.net Spyware Checkin"; flow:established,to_server; uricontent:"/adv/"; nocase; uricontent:"/adload.php?a1="; nocase; uricontent:"&a2=Type of Processor\:"; nocase; uricontent:"&a3=Windows version is "; nocase; uricontent:"&a4=Build\:"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; sid:2002955; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bestcount.net Spyware Downloading vxgame"; flow:established,to_server; uricontent:"/vxgame1/vxv.php"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; sid:2002956; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; uricontent:"/win32.exe"; nocase; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; sid:2002957; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bestcount.net Spyware Exploit Download"; flow:established,to_server; uricontent:"/sploit.anr"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; sid:2003153; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bestcount.net Spyware Data Upload"; flow:established,to_server; uricontent:"/objects/ocget.dll"; nocase; content:"mybest"; nocase; depth:150; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; sid:2003154; rev:2;)
#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (download complete)"; flow: to_server,established; uricontent:"/download/cabs/"; nocase; uricontent:"download_complete.htm"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000366; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (set_pix)"; flow: to_server,established; uricontent:"/download/cabs/set_pix.php"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000367; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (randreco.exe)"; flow: to_server,established; uricontent:"/download/cabs/RANDRECO/randreco.exe"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000371; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet Ad Retrieval"; flow: to_server,established; uricontent:"/bba/flashimages/"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000593; rev:5; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Download Attempt"; flow: to_server,established; uricontent:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001198; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Ad Retrieval"; flow: to_server,established; uricontent:"/twain/servlet/Twain?adcontext="; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001199; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Reporting Data"; flow: to_server,established; uricontent:"/downloads/record_download.asp"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001216; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BInet Information Upload"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPre"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2001339; rev:5; )
#Data from Allison Macfarland
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BInet Information Install Report"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPost"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2001576; rev:4; )
#Submitted by Matt Jonkman
# This rule is disabled; it needs work because it is hitting on legitimate ad referrals
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bfast.com Spyware"; flow: to_server,established; uricontent:"/bfast/serve?bfmid"; nocase; classtype: policy-violation; sid: 2001398; rev:5; )
#from spyware LP data, by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/zuzu.php?&r="; nocase; classtype:trojan-activity; sid:2005319; rev:1;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Blueskyltd.biz Spyware Checkin"; flow:established,to_server; uricontent:"/cntr.php?b="; nocase; uricontent:"&c="; nocase; uricontent:"&d="; nocase; classtype:trojan-activity; sid:2002959; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Blueskyltd.biz Spyware Download"; flow:established,to_server; uricontent:"/dl.php?code1="; nocase; uricontent:"&code2="; nocase; content:"dl.php"; nocase; content:!"User-Agent\:"; classtype:trojan-activity; sid:2002960; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Blueskyltd.biz Spyware Checkin 2"; flow:established,to_server; uricontent:"/cntr.php?e="; nocase; uricontent:"&x="; nocase; classtype:trojan-activity; sid:2002961; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE nov.ru Spyware Code Download"; flow:established,to_server; uricontent:"/sred2.exe"; nocase; content:"sred2"; nocase; content:!"User-Agent\:"; classtype:trojan-activity; sid:2002962; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Generic Spambot-Spyware Access"; flow:established,to_server; uricontent:"/synctl/"; nocase; content:"synctl"; nocase; content:!"User-Agent\:"; classtype:trojan-activity; sid:2002963; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Generic Spyware Update Download"; flow:established,to_server; uricontent:"/synctl/task.fcgi?"; nocase; uricontent:"id="; nocase; uricontent:"&v="; nocase; classtype:trojan-activity; sid:2002964; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Generic Spambot Spam Download"; flow:established,to_server; uricontent:"/synctl/getmail.fcgi?"; nocase; content:"synctl"; nocase; content:!"User-Agent\:"; nocase; classtype:trojan-activity; sid:2002965; rev:2;)
#Submitted by Allison MacFarlan
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bonziportal Traffic"; flow: to_server,established; uricontent:"/bonziportal/bin/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; classtype: trojan-activity; sid: 2001345; rev:5; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Download"; flow:established,to_server; uricontent:"/bravesentry.exe"; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; sid:2002954; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Updating"; flow:established,to_server; uricontent:"/update.php?v="; nocase; uricontent:"&d="; nocase; uricontent:"&vs="; nocase; content:!"User-Agent\: "; content:"Host\: "; content:".bravesentry.com"; distance:0; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; sid:2003541; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bravesentry.com/Protectwin.com Fake Antispyware Reporting"; flow:established,to_server; uricontent:"/download.php?&advid="; nocase; uricontent:"&u="; nocase; uricontent:"&p="; nocase; content:!"User-Agent\: "; content:"Host\: "; content:".bravesentry.com"; distance:0; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; sid:2003542; rev:1;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Browseraid.com Agent Reporting Data"; flow: to_server,established; uricontent:"/perl/ads.pl"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; sid: 2001266; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Browseraid.com Agent Updating"; flow: to_server,established; uricontent:"/perl/uptodate.pl"; nocase; content:"uptodate.browseraid.com"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; sid: 2001304; rev:5; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host\: www.bullseye-network.com"; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; sid: 2001501; rev:4; )
#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware Download"; flow: to_server,established; uricontent:"/app/InternetFuel/AppWrap.exe"; nocase; classtype: policy-violation; sid: 2001451; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer\: ms-its\:mhtml\:file\://C\:counter.mht!http\://"; nocase; content:"/counter/HELP3.CHM\:\:/help.htm"; nocase; classtype: trojan-activity; sid: 2001452; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware cab Download"; flow: to_server,established; uricontent:"/counter/counter_v3.cab"; nocase; classtype: trojan-activity; sid: 2001458; rev:3; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE C4tdownload.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".c4tdownload.com"; within:26; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; sid: 2001531; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE C4tdownload.com Spyware Activity"; flow: to_server,established; uricontent:"/js.php?event_type=onload&recurrence="; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; sid: 2002088; rev:3;)
#from sandnet analysis, called CASClient by Kaspersky
#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CASClient Spyware/Adware Install Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/chkmac.php?mac="; nocase; classtype:trojan-activity; sid:2006403; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CASClient Spyware/Adware Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/ctrv.php"; nocase; classtype:trojan-activity; sid:2006404; rev:1;)
#By Matt Jonkman, From spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CNSMIN (3721.com) Spyware Activity"; flow:established,to_server; uricontent:"/download/CnsMin"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; sid:2003417; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CNSMIN (3721.com) Spyware Activity 2"; flow:established,to_server; uricontent:"/download/CnsUp"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; sid:2003418; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CNSMIN (3721.com) Spyware Activity 3"; flow:established,to_server; uricontent:"/download/autolvsw.ini?"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; sid:2003419; rev:1;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; uricontent:"/x/in.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; sid:2002089; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; uricontent:"/x/tbd_web.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; sid:2002095; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CWS Trafcool.biz Related Installer"; flow:established,to_server; uricontent:"/progs_traff/"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; sid:2002931; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CWS Related Installer"; flow:established,to_server; uricontent:"/livesupport/image_tracker.php?"; nocase; uricontent:"l=support&"; nocase; uricontent:"x=1&"; nocase; uricontent:"deptid=1&"; nocase; uricontent:"&page=http"; nocase; uricontent:"&unique="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; sid:2002932; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CWS Spy-Sheriff.com Infeced Buy Page Request"; flow:established,to_server; uricontent:"/?advid="; nocase; content:"spy-sheriff.com"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; sid:2002933; rev:1;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spywaremover Activity"; flow: to_server,established; uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; sid: 2001521; rev:8; )
#By Matt Jonkman from Spyware listening post data
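# Casalemedia URL-reporting beacons ("/s?s=<id>&u=http..." and "/sd?s=<id>&f=<n>").
# The "s=" session id is numeric, so the pcre uses \d+. The previous revision wrote
# "[d+]", which in PCRE is a character class matching only a literal "d" or "+",
# so the rules could not fire on real beacon traffic; rev bumped for the fix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited1"; flow: to_server,established; pcre:"/\/s\?s=\d+&u=http/Ui"; classtype: trojan-activity; sid:2002195; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited2"; flow: to_server,established; pcre:"/\/sd\?s=\d+&f=\d/Ui"; classtype: trojan-activity; sid:2002196; rev:2; )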
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE qsrch.com/Casalemedia Spyware Reporting URL Visited3"; flow: to_server,established; uricontent:"/r404.php?id="; nocase; uricontent:"&url=http\://"; nocase; classtype:trojan-activity; sid:2003366; rev:1; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Install"; flow: to_server,established; uricontent:"/newdownload/newsetup/"; nocase; content:"casinone"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001041; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Reporting Data"; flow: to_server,established; uricontent:"/logs.asp?MSGID=100"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001031; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Ping Hit"; flow: to_server,established; uricontent:"/Ping/Ping.txt"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001032; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Data Download"; flow: to_server,established; uricontent:"/sdl/casinov"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001033; rev:5; )
#Matt Jonkman from spywarelp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Catchonlife.com Spyware"; flow: to_server,established; uricontent:"/nw3/r1.txt?"; content:"catchonlife"; nocase; classtype:trojan-activity; sid:2003358; rev:1;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; uricontent:"/notify.php?pid=remupd&module=install&v="; nocase; content:"&result=1&message=Success"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; sid: 2001494; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Clickspring.net Spyware Reporting"; flow: to_server,established; uricontent:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; sid: 2001500; rev:4; )
#by Matt Jonkman from spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting"; flow:established,to_server; uricontent:"/stat.php?id="; nocase; uricontent:"&web_id="; nocase; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_140364.htm; sid:2003607; rev:1;)
#Submitted by Jason Haar, modified
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Traffic"; flow: to_server,established; uricontent:"/cc/"; content:"Host\: update.cc.cometsystems.com"; classtype: policy-violation; sid: 2000931; rev:5; )
#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware CometSystems Spyware"; flow: to_server,established; uricontent:"/comet/request"; nocase; classtype: policy-violation; sid: 2001050; rev:5; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; sid: 2001655; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host\: log.cc.cometsystems.com"; nocase; classtype: policy-violation; sid: 2001658; rev:3; )
#from Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Update Download"; flow: to_server,established; uricontent:"/cc/5/masterconfig/"; nocase; uricontent:"/update.xml?v="; nocase; classtype: policy-violation; sid: 2002351; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Context Report"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml?v="; nocase; classtype: policy-violation; sid: 2002352; rev:1;)
#from spywarelp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Cursor DL"; flow: to_server,established; uricontent:"/czcontent/cursor"; nocase; classtype: policy-violation; sid: 2003307; rev:1;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Conduit Connect Toolbar (Many report to be benign)"; flow: to_server,established; uricontent:"/iis2ebs.asp"; content:"User-Agent\: EI"; nocase; reference:url,www.conduit.com; classtype: trojan-activity; sid: 2003216; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Conduit Connect Toolbar Message Download(Many report to be benign)"; flow: to_server,established; uricontent:"/Message/"; content:"User-Agent\: EI"; nocase; pcre:"/\/Message\/\S+\/\S+\.xml/Ui"; reference:url,www.conduit.com; classtype: trojan-activity; sid: 2003218; rev:1;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Content-loader.com Spyware Install"; flow: to_server,established; uricontent:"/getexe/?wmid="; nocase; classtype: trojan-activity; sid: 2003074; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Content-loader.com Spyware Install 2"; flow: to_server,established; uricontent:"/getdata/getdata.php?wmid="; nocase; classtype: trojan-activity; sid: 2003075; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Content-loader.com (ownusa.info) Spyware Install"; flow: to_server,established; uricontent:"/fdial2.php?o="; nocase; classtype: trojan-activity; sid: 2003076; rev:1;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Context Plus Spyware Install"; flow: established,to_server; uricontent:"/AproposClientInstaller.exe"; nocase; classtype: trojan-activity; sid: 2001704; rev:4; )
#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ContextPanel Reporting"; flow: to_server,established; uricontent:"/cplog/?logtype="; nocase; content:"contextpanel.com"; nocase; classtype: policy-violation; sid: 2001456; rev:3; )
#by Jacob Kitchel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CoolDeskAlert Spyware Activity"; flow:to_server,established; uricontent:"/alert/get_xml"; nocase; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; classtype:trojan-activity; sid:2003462; rev:1;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; classtype: trojan-activity; sid: 2001479; rev:5; )
#from Lance James and Secure Science www.securescience.net -- Thanks Lance!
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Blind Data Upload"; flow:to_server,established; uricontent:"/images/data.php?"; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002774; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host\:"; nocase; content:"google.vc"; nocase; within:30; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002765; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host\:"; nocase; content:"pcpeek-webcam-sex.com"; nocase; within:40; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002766; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host\:"; nocase; content:"businessopportunityseeker.biz"; nocase; within:50; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002767; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host\:"; nocase; content:"fesexy.net"; nocase; within:20; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002768; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host\:"; nocase; content:"studiolacase.com"; nocase; within:30; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002769; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - msits.exe access"; flow:to_server,established; uricontent:"/msits.exe"; nocase; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002770; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - msys.exe access"; flow:to_server,established; uricontent:"/msys.exe"; nocase; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002771; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Outbound"; flow:to_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002772; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002773; rev:3;)
#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Download"; flow: to_server,established; uricontent:".dl_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001453; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001454; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001455; rev:4; )
#From Vernon Stark
#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image"; flow: established; content:"Content-Type\: image"; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode"; classtype: trojan-activity; sid: 2001683; rev:5; )
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32"; flow: established; content:"Content-Type\: image"; content:"MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; classtype: trojan-activity; sid: 2001684; rev:5; )
alert tcp any !20 -> $HOME_NET !25 (msg: "BLEEDING-EDGE Malware Possible Windows executable sent when remote host claims to send an image"; flow: established; content:"Content-Type\: image"; content:"MZ"; within: 12; classtype: trojan-activity; sid: 2001685; rev:3; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware CrazyWinnings.com Activity"; flow: established,to_server; uricontent:"/scripts/protect.php?promo=promo"; nocase; classtype: trojan-activity; sid: 2001733; rev:3; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Default-homepage-network.com Access"; flow: to_server,established; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; reference:url,default-homepage-network.com/start.cgi?new-hkcu; classtype: trojan-activity; sid: 2001222; rev:6; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware DelFin Project Spyware (payload)"; flow: established,to_server; uricontent:"/in/payload/payload.nfo?"; nocase; classtype: trojan-activity; sid:2002816; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware DelFin Project Spyware (setup)"; flow: established,to_server; uricontent:"/in/defaults/setup.nfo?"; nocase; classtype: trojan-activity; sid:2002817; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware DelFin Project Spyware (setup-alt)"; flow: established,to_server; uricontent:"/in/defaults/setup-alt.nfo?"; nocase; classtype: trojan-activity; sid:2003472; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware DelFin Project Spyware (payload-alt)"; flow: established,to_server; uricontent:"/in/payload/payload-alt.nfo?"; nocase; classtype: trojan-activity; sid:2003473; rev:1;)
#submitted by John Stewart
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE DesktopTraffic Toolbar Spyware"; flow: to_server,established; uricontent:"cgi-bin/ezl_kws.fcgi?cat"; nocase; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; classtype:trojan-activity; sid: 2001884; rev:4;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Deskwizz.com Spyware Install INI Download"; flow: to_server,established; uricontent:"/GetAd/tekID"; nocase; uricontent:".ini"; classtype: policy-violation; sid: 2003445; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Deskwizz.com Spyware Install Code Download"; flow: to_server,established; uricontent:"/ax/acdt-pid"; nocase; uricontent:".exe"; nocase; classtype: policy-violation; sid: 2003444; rev:1;)
#These cover the recent rash of .co.kr fake anti-spyware products we're seeing.
#doctorpro.co.kr, karine.co.kr, Vaccineprogram.co.kr, Mycashbank.co.kr, etc. There will surely be more, but they share similar URL patterns.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin"; flow:established,to_server; uricontent:"/install_count.html?id="; nocase; uricontent:"&MAC="; nocase; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; classtype:trojan-activity; sid:2006425; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin"; flow:established,to_server; uricontent:"/access_count.html?id="; nocase; uricontent:"&MAC="; nocase; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; classtype:trojan-activity; sid:2006426; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/nchkmac.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; sid:2006427; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; uricontent:"/open.php?sn="; nocase; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; sid:2006428; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/chkblack.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; sid:2006431; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; uricontent:"/ret.php?"; nocase; uricontent:"mode="; nocase; uricontent:"&cname="; nocase; uricontent:"&cn="; nocase; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; sid:2006432; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/api_result.php?"; nocase; uricontent:"mode="; nocase; uricontent:"&PartID="; nocase; uricontent:"&mac="; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; sid:2006433; rev:1;)
#More from the same group
#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/chkvs.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; sid:2007642; rev:1;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Dollarrevenue.com Spyware Code Download"; flow:established,to_server; uricontent:"/bundle/drsmartload.exe"; nocase; reference:url,dollarrevenue.com; classtype:trojan-activity; sid:2002967; rev:1;)
#by Scot Melnick
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE TROJAN_VB Microjoin"; flow:established,to_server; uricontent:"/bundle/loader.exe"; nocase; reference:url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW; classtype:trojan-activity; sid:2003084; rev:1;)
#by Matt Jonkman, from Spyware Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Dropspam.com Spyware Reporting"; flow:established,to_server; uricontent:"/reportaddon.cgi?"; nocase; uricontent:"report.cgi?"; nocase; uricontent:"user="; nocase; uricontent:"software="; nocase; classtype:trojan-activity; sid:2003440; rev:1;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll"; flow: to_server,established; uricontent:"/downloads/IeBHOs.dll"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype:trojan-activity; sid:2001415; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Reporting Install"; flow: to_server,established; uricontent:"/count/count.php?&mm"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype:trojan-activity; sid:2001416; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Receiving Config"; flow: to_server,established; uricontent:"/config/?"; nocase; uricontent: "v=5"; nocase; uricontent: "n=mm2"; nocase; uricontent: "i="; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; sid:2001417; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Downloading Code"; flow: to_server,established; uricontent:"/soft/unstall.exe"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; sid:2001418; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Reporting"; flow: to_server,established; uricontent:"/count/count.php?&mm2cpr"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; sid:2001423; rev:5;)
#From Spyware Listening Post hits
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Spyware Reporting (check url)"; flow: to_server,established; uricontent:"/go/check?build="; nocase; uricontent:"&source="; nocase; uricontent:"&merchants="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype: trojan-activity; sid: 2003504; rev:1;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; uricontent:"/files/eSyndicateInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; sid: 2002009; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; uricontent:"/files/SEPInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; sid: 2002010; rev:4; )
#By Matt Jonkman, From spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting Search Strings"; flow:established,to_server; uricontent:"/partner/rt.php?q="; nocase; classtype:trojan-activity; sid:2002317; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting Search Category"; flow:established,to_server; uricontent:"/partner/rt.php?cat="; nocase; classtype:trojan-activity; sid:2002318; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting 2"; flow:established,to_server; uricontent:"/partner/bom.php?e="; nocase; classtype:trojan-activity; sid:2002319; rev:1;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ebates Install"; flow: to_server,established; uricontent:"/ebates.exe"; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; classtype: policy-violation; sid: 2001038; rev:5; )
#From Spyware Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Effectivebrands.com Spyware Checkin"; flow:established,to_server; uricontent:"/iis2ebs.asp"; nocase; content:"effectivebrands.com"; nocase; classtype:trojan-activity; sid:2003304; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Effectivebrands.com Spyware Checkin 2"; flow:established,to_server; uricontent:"/iis2ucms.asp"; nocase; content:"effectivebrands.com"; nocase; classtype:trojan-activity; sid:2003360; rev:1;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Elitemediagroup.net Spyware Config Download"; flow:established,to_server; uricontent:"/bundle.php?aff="; nocase; reference:url,elitemediagroup.net; classtype:trojan-activity; sid:2002966; rev:1;)
#By Matt Jonkman, From spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Epilot.com Spyware Reporting"; flow:established,to_server; uricontent:"/getresults.aspx"; nocase; uricontent:"?aff="; nocase; uricontent:"&ip="; nocase; uricontent:"&keyword="; nocase; uricontent:"&source="; nocase; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; classtype:trojan-activity; sid:2003414; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Epilot.com Spyware Reporting Clicks"; flow:established,to_server; uricontent:"/click.aspx?"; nocase; uricontent:"?xp="; nocase; content:"Host\: "; nocase; content:"epilot.com"; nocase; distance:0; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; classtype:trojan-activity; sid:2003416; rev:1;)
#Matt Jonkman, from Spyware Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV Updating"; flow:established,to_server; uricontent:"/products/evidencenuker/update.php?version="; nocase; reference:url,www.evidencenuker.com; classtype:trojan-activity; sid:2003568; rev:1;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Install Attempt"; flow: to_server,established; uricontent:"/f1/objects/"; nocase; classtype: trojan-activity; sid: 2000585; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Reporting"; flow: to_server,established; uricontent:"/f1/audit/"; nocase; classtype: trojan-activity; sid: 2000582; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Config Download"; flow: to_server,established; uricontent:"/F1/Cmd4F1"; nocase; classtype: trojan-activity; sid: 2001221; rev:4; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Featured-Results.com Agent Reporting Data"; flow: to_server,established; uricontent:"action=any"; nocase; uricontent:"country="; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; classtype: trojan-activity; sid: 2001293; rev:7; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Findwhat.com Spyware (clickthrough)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?clickthrough&"; nocase; classtype:trojan-activity; sid:2003579; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Findwhat.com Spyware (sendtracker)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?sendtracker&"; nocase; classtype:trojan-activity; sid:2003580; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Findwhat.com Spyware (sendmedia)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?sendmedia&"; nocase; classtype:trojan-activity; sid:2003581; rev:1;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware FlashPoint Agent Retrieving New Code"; flow: to_server,established; uricontent:"/ftxmon.php?"; reference:url,www.flashpoint.bm; classtype: trojan-activity; sid: 2000905; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware FlashTrack Agent Retrieving New App Code"; flow: to_server,established; uricontent:"/apps/r.exe"; reference:url,www.flashpoint.bm; classtype: trojan-activity; sid: 2000936; rev:5; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Flingstone Spyware Install (cxtpls)"; flow: established,to_server; uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; sid: 2001710; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; uricontent:"/softwares/SportsInteraction.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; sid: 2001705; rev:6; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Freeze.com Spyware/Adware (Install)"; flow: to_server,established; uricontent:"/checkhttp.htm"; nocase; content:"User-Agent\: Wise"; nocase; content:"freeze.com"; nocase; classtype: policy-violation; sid: 2002840; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; uricontent:"/ping/?shortname="; nocase; content:"User-Agent\: Wise"; nocase; content:"freeze.com"; nocase; classtype: policy-violation; sid: 2002841; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Freeze.com Spyware/Adware (Pulling Ads)"; flow: to_server,established; uricontent:"/ToastMessage/"; nocase; uricontent:"/Toast.asp?ysaid="; nocase; classtype: policy-violation; sid: 2003362; rev:1;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Install"; flow: to_server,established; uricontent:"/install_ie.jsp?product="; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2000599; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products SmileyCentral"; flow: to_server,established; uricontent:"/images/smileycentral/"; nocase; content:"FunWebProducts"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2001013; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; flow: to_server,established; content:"FunWebProducts\;"; nocase; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2001034; rev:14; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay\;"; nocase; threshold: type limit, track by_src, count 10, seconds 60; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2001043; rev:8; )
#From Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2002305; rev:4; )
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype:policy-violation; sid:2002310; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Cursorchooser Spyware"; flow: to_server,established; uricontent:"/CursorChooser.html?"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2002306; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Stampchooser Spyware"; flow: to_server,established; uricontent:"/StampChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2002307; rev:3; )
#by Shirkdog
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products StationaryChooser Spyware"; flow: to_server,established; uricontent:"/StationeryChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2002858; rev:1; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products SmileyCentral IEsp2 Install"; flow: to_server,established; uricontent:"/download/install_ie_sp2.jhtml?"; nocase; uricontent:"product="; nocase; uricontent:"utmCall="; nocase; uricontent:"bOrganic="; nocase; reference:url,www.myfuncards.com; classtype:trojan-activity; sid: 2003151; rev:1; )
#Matt Jonkman from Spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Gamehouse.com Activity"; flow: to_server,established; uricontent:"/game-quit-count.jsp?ghgamecode="; reference:url,www.gamehouse.com; classtype: trojan-activity; sid: 2003348; rev:1;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000025; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator Checkin"; flow: to_server,established; uricontent:"/gbsf/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000595; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator New Code Download"; flow: to_server,established; uricontent:"/gatorcme/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000597; rev:5; )
#Matt Jonkman Rule (depth added by bobkberg)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Claria Data Submission"; flow: to_server,established; content:"gs_trickler"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/gs_trickler/i"; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000596; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Clarian Agent"; flow: to_server,established; uricontent:"/gbsf/"; nocase; uricontent:"gtrg2ze"; nocase; classtype:policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid:2001306; rev:6;)
#Matt Jonkman, from spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Gator/Clarian Spyware Posting Data"; flow: to_server,established; uricontent:"/gs_med"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid:2003575; rev:1;)
#These match common filenames of malicious code as seen in common places.
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; uricontent:".scr"; nocase; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; classtype: trojan-activity; sid: 2001850; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; uricontent:".exe"; nocase; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; classtype: trojan-activity; sid: 2002093; rev:3; )
#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; classtype: misc-attack; sid: 2000514; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell\:windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; sid: 2000519; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell\:winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; sid: 2000520; rev:6; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer"; flow: to_server,established; content:"Host\: www.globalphon.com"; classtype: trojan-activity; sid: 2001656; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer Download"; flow: to_server,established; uricontent:"/dialer/internazionale_ver"; nocase; uricontent:".CAB"; nocase; classtype: trojan-activity; sid: 2001657; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; uricontent:"/no_pop.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; sid: 2001659; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; uricontent:"/add_ocx.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; sid: 2001660; rev:4; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GrandstreetInteractive.com Install"; flow: to_server,established; uricontent:"/tdtb.exe"; nocase; classtype: trojan-activity; sid: 2002012; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GrandstreetInteractive.com Update"; flow: to_server,established; uricontent:"/wupdsnff.exe"; nocase; classtype: trojan-activity; sid: 2002013; rev:2; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (1)"; flow: to_server,established; uricontent:"/install/startInstallprocess.asp?"; nocase; uricontent: "Defau"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000920; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (2)"; flow: to_server,established; uricontent:"/install/process/upsale/hotbar"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000921; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (3)"; flow: to_server,established; uricontent:"/installs/hotbar/programs/"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000922; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; uricontent:"/reports/hotbar/"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000923; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Upgrading"; flow: to_server,established; uricontent:"/updates/hotbar/"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000924; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Activity"; flow: to_server,established; uricontent:"/dynamic/hotbar/"; nocase; reference:url,www.hotbar.com; threshold: type limit, count 1, track by_src, seconds 360; classtype: trojan-activity; sid: 2000929; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Partner Checkin"; flow: to_server,established; uricontent:"/partners/"; nocase; uricontent:"partners.xip"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000925; rev:5; )
#from Shirkdog
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Subscription POST"; flow: to_server,established; uricontent:"/hotbar/"; nocase; uricontent:"Subscription.dll?"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2002820; rev:1;)
#Matt Jonkman, from Spyware Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Adopt/Zango"; flow: to_server,established; uricontent:"/adopt.jsp?"; nocase; uricontent:"l="; nocase; uricontent:"&sz="; nocase; uricontent:"cid="; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; sid:2003364; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Keywords Download"; flow: to_server,established; uricontent:"/keywords/kyfb."; nocase; uricontent:"partner_id="; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; sid:2003388; rev:1;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; flow: to_server,established; uricontent:"log.php?"; nocase; uricontent: "IP="; nocase; uricontent:"Port1="; nocase; classtype: trojan-activity; sid: 2001490; rev:6; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE IEHelp.net Spyware Installer"; flow:established,to_server; uricontent:"/counter/help.chm"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; sid:2002090; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE IEHelp.net Spyware checkin"; flow:established,to_server; uricontent:"/l/gpr.php?"; nocase; uricontent: "ID1="; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; sid:2002096; rev:4;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; uricontent:"/ist/scripts/log_downloads.php"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2000927; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; uricontent:"/ist/bars/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2000928; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; uricontent:"/ist/softwares/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2001395; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Data Submission"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?"; nocase; uricontent: "version="; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2001697; rev:4; )
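# Matt Jonkman
# Incredisearch: 2001793 needs "/ping.asp" in the URI and "incredisearch.com" within the first 300 bytes of the
# request; 2001794 keys on the Host header alone (also limited to the first 300 bytes).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Incredisearch.com Spyware Ping"; flow: established,to_server; uricontent:"/ping.asp"; nocase; content:"incredisearch.com"; depth:300; nocase; classtype: trojan-activity; sid: 2001793; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host\: www.incredisearch.com"; depth:300; nocase; classtype: trojan-activity; sid: 2001794; rev:4; )
#Matt Jonkman
# Instafinder: update path "/404/update/instafi".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Instafinder.com spyware"; flow: established,to_server; uricontent:"/404/update/instafi"; nocase; classtype:trojan-activity; sid: 2003376; rev:1;)
#Submitted by Matt Jonkman
# Internet Fuel installer: "/cgi-bin/omnidirect.cgi?&debug_log=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Fuel.com Install"; flow: to_server,established; uricontent:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; classtype: trojan-activity; sid: 2002015; rev:2; )
#Submitted by Matt Jonkman
# Internet Optimizer (Symantec: adware.netoptimizer), classtype policy-violation. The msg of 2001308 read
# "Optomizer"; corrected to match 2001396 and the reference, rev bumped 5 -> 6. Match logic is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optimizer Reporting Data"; flow: to_server,established; uricontent:"/io/downloads/"; nocase; content:"/wsi8/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; sid: 2001308; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optimizer Spyware Install"; flow: to_server,established; uricontent:"/internet-optimizer/"; nocase; uricontent:"/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; sid: 2001396; rev:4; )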
#By Matt Jonkman
# jmnad1.com: 2002019 keys on "/install.qg?" plus an "ID=" parameter; 2002016 on the stub name
# "/download/mw_4s_stub.exe". Neither checks the Host header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware jmnad1.com Spyware Install (1)"; flow: to_server,established; uricontent:"/install.qg?"; nocase; uricontent: "ID="; nocase; classtype: trojan-activity; sid: 2002019; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware jmnad1.com Spyware Install (2)"; flow: to_server,established; uricontent:"/download/mw_4s_stub.exe"; nocase; classtype: trojan-activity; sid: 2002016; rev:6; )
#Submitted by Matt Jonkman
# JoltID / PeerEnabler agent (see the Symantec adware.p2pnetworking reference).
# 2000900 is UDP with no flow or content keyword: it fires on any 3531 -> 3531 datagram leaving $HOME_NET.
alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000900; rev:5; )
# 2000901 is disabled: it has no content match, so enabling it would alert on every established connection
# to TCP/3531 regardless of payload.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Communicating TCP"; flow: to_server,established; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000901; rev:6; )
# 2001015: exactly one payload byte, 0x4b ("K"), on an established session to 3531.
alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2001015; rev:6; )
# 2001679 is the proxied variant: the destination is "any any" because the client talks to a proxy, and the
# match is on an absolute URI "POST http://" with ":3531/.pkt" following within 20 bytes.
alert tcp $HOME_NET any -> any any (msg: "BLEEDING-EDGE Malware JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http\://"; nocase; content:"\:3531/.pkt"; nocase; within: 20; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2001679; rev:8; )
# 2001654: bidirectional header ("<>") but flow:to_server, so only the client-side "GIVE " request with a
# PeerEnabler User-Agent within 120 bytes is matched.
alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent\:"; nocase; content:"PeerEnabler"; within:120; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; sid: 2001654; rev:7;)
#Submitted by Jason Haar
# Keenvalue update engine: both request headers (Host: secure.keenvalue.com and Extension: Remote-Passphrase)
# must be present, the second within 300 bytes of the first.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Keenvalue Update Engine"; flow: to_server,established; content:"|0d0a|Host|3a|secure.keenvalue.com"; content:"|0d0a|Extension|3a|Remote-Passphrase"; within: 300; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; classtype: trojan-activity; sid: 2000932; rev:3; )
#Matt Jonkman
# all sorts of junk at www.thespyguard.com, fake antispyware trojan
# Thespyguard / Kliksoftware family (2003201-2003204): 2003201 keys on the installer path alone, 2003203 adds
# "get.hitvirus.com"; 2003202 and 2003204 also require Host: www.kliksoftware.com and are the tighter matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Thespyguard.com Spyware Install"; flow:established,to_server; uricontent:"/soft/installers/spyguardf.php"; nocase; reference:url,www.thespyguard.com; reference:url,www.kliksoftware.com; classtype:trojan-activity; sid:2003201; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Thespyguard.com Spyware Update Check"; flow:established,to_server; uricontent:"/soft/update/check_update.php"; nocase; content:"Host\: www.kliksoftware.com"; nocase; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; classtype:trojan-activity; sid:2003202; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Hitvirus Fake AV Install"; flow:established,to_server; uricontent:"/soft/installers/hitvirusf.php"; nocase; content:"get.hitvirus.com"; nocase; reference:url,www.kliksoftware.com; classtype:trojan-activity; sid:2003203; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Thespyguard.com Spyware Updating"; flow:established,to_server; uricontent:"/soft/update/get.php"; nocase; uricontent:"pid="; nocase; uricontent:"mail="; nocase; content:"Host\: www.kliksoftware.com"; nocase; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; classtype:trojan-activity; sid:2003204; rev:1;)
#from spyware listeningpost data, by matt Jonkman
# KMIP.net: 2003298 keys on "/iesocks?peer_id=" with "ver="; 2003526 on the short query "/sp?c=N&i=" with "&v=".
# Neither checks the Host header, and the 2003526 pattern is short enough to merit tuning on busy links.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE KMIP.net Spyware"; flow:established,to_server; uricontent:"/iesocks?peer_id="; nocase; uricontent:"ver="; nocase; classtype:trojan-activity; reference:url,www.kmip.net; sid:2003298; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE KMIP.net Spyware 2"; flow:established,to_server; uricontent:"/sp?c=N&i="; nocase; uricontent:"&v="; nocase; classtype:trojan-activity; reference:url,www.kmip.net; sid:2003526; rev:1;)
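#Submitted by Matt Jonkman
# LocalNRD checkin: "/a/Drk.syn?" plus "adcontext" in the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware LocalNRD Spyware Checkin"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; sid: 2001340; rev:7; )
#By Matt Jonkman
# Look2me: 2001499 keys on a "Referer: Look2Me" header; 2001502 on "/cgi-bin/BW.exe", which unlike its
# siblings has no nocase and so is case-sensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Look2me Spyware Activity (1)"; flow: to_server,established; content:"Referer\: Look2Me"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; sid: 2001499; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Look2me Spyware Activity (2)"; flow: to_server,established; uricontent:"/cgi-bin/BW.exe"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; sid: 2001502; rev:6; )
#Matt Jonkman
# MSUpdater.net checkin: "/popsetarray.php?&country=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE MSUpdater.net Spyware Checkin"; flow:established,to_server; uricontent:"/popsetarray.php?&country="; nocase; classtype:trojan-activity; sid:2002094; rev:2;)
#by Matt Jonkman, from sunbelt blog
# Malwarealarm fake AV. 2003611 is the update check; 2003612 the download. 2003612 previously carried the
# request method inside its uricontent ("GET /madownload.php?&advid="), but the URI buffer holds only the
# normalized URI, never the method, so that rule could not match. The method is dropped and rev bumped 1 -> 2;
# the Host: download.MalwareAlarm.com content match still anchors the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating"; flow:established,to_server; uricontent:"/update.php?v="; nocase; uricontent:"&d="; nocase; uricontent:"&vs="; nocase; content:"Host\: www.MalwareAlarm.com"; nocase; classtype:trojan-activity; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; sid:2003611; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Malwarealarm.com Fake AV/AntiSpyware Download"; flow:established,to_server; uricontent:"/madownload.php?&advid="; nocase; uricontent:"&u="; nocase; uricontent:"&p="; nocase; content:"Host\: download.MalwareAlarm.com"; nocase; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; classtype:trojan-activity; sid:2003612; rev:2;)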
#submitted by Matt Jonkman
# MarketScore / OSSProxy (classtype policy-violation throughout). The family is covered from several angles:
# configuration and upgrade URIs under /oss/ (2000902, 2001587, 2001588, 2001589), request headers that the
# proxy adds to relayed traffic (2001564 X-OSSProxy, 2001586 Proxy-agent: ManInTheMiddle-Proxy), the upload
# script (2003253) and a port-443 rule (2001563).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Configuration Access"; flow: to_server,established; uricontent:"/oss/remoteconfig.asp"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2000902; rev:5; )
# 2001359 matches the bytes "proxyhttp|0b|marketscore|03|com" in the URI buffer; the length-prefixed labels look
# like a DNS-style encoding of the hostname - TODO confirm against a capture before tuning this one.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Access"; flow: to_server,established; uricontent:"proxyhttp|0b|marketscore|03|com"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001359; rev:5; )
# 2001563: plain content matches on port 443, so it only sees these strings while they travel in the clear
# (presumably the server certificate in the handshake - verify); it will not see them inside an encrypted record.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001563; rev:4; )
# 2001564 and 2001586 fire on the proxy's own request headers, so they also identify traffic to unrelated sites
# that was relayed through the OSSProxy client.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic"; flow: to_server,established; content:"X-OSSProxy\: OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001564; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore Spyware Uploading Data"; flow: to_server,established; uricontent:"/scripts/contentidpost.dll"; nocase; content:"OSS-Proxy"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2003253; rev:1; )
#Info from sgtocanada
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent\: ManInTheMiddle-Proxy"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001586; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Upgrading"; flow: to_server,established; uricontent:"/oss/upgrchk_2a.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001587; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Activity (1)"; flow: to_server,established; uricontent:"/oss/dittorules.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001588; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Activity (2)"; flow: to_server,established; uricontent:"/oss/routerrules2.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001589; rev:4; )
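#Sigs by Matt Jonkman from the excellent analysis by Tom Liston at http://isc.sans.org/diary.php?date=2004-11-04
# Mastermind / Media-Motor / Avres.net chain. 2001409 was written as $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
# while using flow:to_server and uricontent, i.e. a packet from a server port into the client that somehow carries
# a client request URI; that combination does not occur in real traffic, so the rule could not fire. The header
# is now client -> server like the rest of the set (rev 6 -> 7); the match options are unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Mastermind Related Reporting"; flow: to_server,established; uricontent:"/bundle.php?"; nocase; uricontent: "aff="; nocase; classtype: trojan-activity; sid: 2001409; rev:7;)
# 2001410 uses content rather than uricontent, presumably because 8081 is outside $HTTP_PORTS and the URI buffer is
# not populated there - confirm against the local $HTTP_PORTS definition.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg: "BLEEDING-EDGE MALWARE Mastermind Related Reporting 8081"; flow: to_server,established; content:"/a?l=PeAyF1sgrZYw&i="; nocase; classtype: trojan-activity; sid: 2001410; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Mastermind Related Downloading mm20.ocx"; flow: to_server,established; uricontent:"/soft/mm20.ocx"; nocase; classtype: trojan-activity; sid: 2001411; rev:5;)
# 2001413 msg corrected from "Medis-Motor" to "Media-Motor" to match 2001414 (rev 6 -> 7).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Media-Motor Related Downloading ast_4_mm.exe"; flow: to_server,established; uricontent:"/dist/ast_4_mm.exe"; nocase; classtype: trojan-activity; sid: 2001413; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Media-Motor Related Downloading MediaMotor25.exe"; flow: to_server,established; uricontent:"/soft/MediaMotor25.exe"; nocase; classtype: trojan-activity; sid: 2001414; rev:5;)
# Avres.net: three fixed executable names under /tt/ and a log3.php report that must carry c={, what= and avatar=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Avres.net Downloading cpr_mm2.exe"; flow: to_server,established; uricontent:"/tt/cpr_mm2.exe"; nocase; classtype: trojan-activity; sid: 2001419; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Avres.net Downloading ab1.exe"; flow: to_server,established; uricontent:"/tt/ab1.exe"; nocase; classtype: trojan-activity; sid: 2001420; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Avres.net Downloading tvm_bundle.exe"; flow: to_server,established; uricontent:"/tt/tvm_bundle.exe"; nocase; classtype: trojan-activity; sid: 2001421; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Avres.net Reporting Data"; flow: to_server,established; uricontent:"/log3.php?"; nocase; uricontent:"c={"; nocase; uricontent:"what="; nocase; uricontent:"avatar="; nocase; classtype: trojan-activity; sid: 2001422; rev:6;)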
#Matt Jonkman
# Matcash: download of "/wrapper/launcher.exe".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Matcash.com Spyware Code Download"; flow:established,to_server; uricontent:"/wrapper/launcher.exe"; nocase; reference:url,matcash.com; classtype:trojan-activity; sid:2002968; rev:1;)
#Matt Jonkman from spyware listening post data
# Trinityacquisitions / Maximumexperience update check: all four query keys must appear; no Host check.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Trinityacquisitions.com and Maximumexperience.com Spyware Activity"; flow:to_server,established; uricontent:"/upd/check?version="; nocase; uricontent:"&localeId="; nocase; uricontent:"&affid="; nocase; uricontent:"&updatevalue="; nocase; classtype:trojan-activity; sid: 2003344; rev:1;)
#Mark Tombaugh
# Media Pass: ActiveX installer "/MediaPassK.exe" (policy-violation).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Media Pass ActiveX Install"; flow: to_server,established; uricontent:"/MediaPassK.exe"; nocase; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; classtype: policy-violation; sid: 2001783; rev:3; )
#Submitted by Chris Norton
# MediaTickets: 2001448 requires both the .cab name in the URI and Host: www.mt-download.com (both case-sensitive,
# no nocase); 2001481 keys on "/mtrslib2.js" alone.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MediaTickets Download"; flow: to_server,established; uricontent:"MediaTicketsInstaller.cab"; content:"Host\: www.mt-download.com"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; sid: 2001448; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MediaTickets Spyware Install"; flow: to_server,established; uricontent:"/mtrslib2.js"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; sid: 2001481; rev:4;)
#By Matt Jonkman
# Medialoads (all anchored on Host:config.medialoads.com). Note that 2001508 (download.cgi + sn=) matches a strict
# subset of what 2001503 (the same plus pid=) requires, so every 2001503 hit also raises 2001508; account for the
# doubled alert when counting. 2001507 needs the NSISDL User-Agent within 120 bytes of the header name.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Config"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; uricontent:"pid="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001503; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001508; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/register.cgi?"; nocase; uricontent:"v="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001509; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; uricontent:"/dw/cgi/country.cgi"; nocase; content:"User-Agent\:"; nocase; content:"NSISDL"; within:120; nocase; classtype: trojan-activity; sid: 2001507; rev:7;)
#Submitted by Matt Jonkman
# Metarewards (policy-violation): 2001666 keys on the Host header alone; 2002309 matches an absolute URI
# containing www.metareward.com/mailimg/disclaimer/, i.e. the proxied form of the request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Metarewards Spyware Activity"; flow: to_server,established; content:"Host\: www.metareward.com"; nocase; classtype: policy-violation; sid: 2001666; rev:2; )
#From listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Metarewards Disclaimer Access"; flow: to_server,established; uricontent:"/www.metareward.com/mailimg/disclaimer/"; nocase; classtype: policy-violation; sid: 2002309; rev:2; )
#Matt Jonkman
# Microgaming casino installer: 2001641 ("/dlhelper.cab") is the broadest of the four and has no host anchoring;
# 2001643 and 2001644 also require a query key (btag=, time=), and 2001645 a path under /viper/thunderluck/.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; uricontent:"/dlhelper.cab"; nocase; classtype: trojan-activity; sid: 2001641; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Installation (2)"; flow: established,to_server; uricontent:"/DownloadHNew.asp?"; nocase; uricontent:"btag="; nocase; classtype: trojan-activity; sid: 2001643; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Reporting Installation"; flow: established,to_server; uricontent:"/dlhelper/downloadlogger2.asp?"; nocase; uricontent:"time="; nocase; classtype: trojan-activity; sid: 2001644; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Casino App Install"; flow: established,to_server; uricontent:"/viper/thunderluck/00"; nocase; classtype: trojan-activity; sid: 2001645; rev:3; )
#Submitted by Matt Jonkman
# Mindset Interactive: "/mindset5" (2000594) is a prefix of "/mindset5/data" (2000583), so an install hit raises
# both sids; 2000594 on its own only says that something under /mindset5 was requested.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Install (1)"; flow: to_server,established; uricontent:"/mindset5/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000583; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Install (2)"; flow: to_server,established; uricontent:"/mindset/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000584; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Ad Retrieval"; flow: to_server,established; uricontent:"/mindset5"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000594; rev:4; )
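#by Matt Jonkman, from spyware LP Data
# Mirarsearch posting: "/v70match.cgi?" with key1=, &key2= and &match= all present.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Mirarsearch.com Spyware Posting Data"; flow:established,to_server; uricontent:"/v70match.cgi?"; nocase; uricontent:"key1="; nocase; uricontent:"&key2="; nocase; uricontent:"&match="; nocase; classtype:trojan-activity; sid:2003577; rev:1;)
#Matt Jonkman 2/22/05
# My-Stats checkin. Note the classtype is misc-activity, a lower priority than the trojan-activity used by the
# neighbouring rules; adjust locally if these alerts need the same handling.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My-Stats.com Spyware Checkin"; flow: established,to_server; uricontent:"/ad-partner/SelectConfirm.php?"; nocase; uricontent:"dummy="; nocase; classtype: misc-activity; sid: 2001747; rev:5;)
#Matt Jonkman
# MyGlobalSearch bar: 2003350 on barcfg.jsp with p=, &v= and &e=; 2003351 and 2003352 on image paths under
# /images/mysearchbar/.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE MyGlobalSearch Spyware bar updating"; flow:established,to_server; uricontent:"/barcfg.jsp?p="; nocase; uricontent:"&v="; nocase; uricontent:"&e="; nocase; classtype:trojan-activity; sid:2003350; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; uricontent:"/images/mysearchbar/highlight"; nocase; classtype:trojan-activity; sid:2003351; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; uricontent:"/images/mysearchbar/customize"; nocase; classtype:trojan-activity; sid:2003352; rev:1;)
#By Matt Jonkman
# MySearchNow: "exe/dns.html" in the URI plus a "User-Agent: TPSystem" header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MySearchNow.com Spyware"; flow: to_server,established; uricontent:"exe/dns.html"; nocase; content:"User-Agent\: TPSystem"; nocase; reference:url,www.mysearchnow.com; classtype:trojan-activity; sid: 2003221; rev:1;)
#Submitted by Matt Jonkman
# My Search Bar: 2001040 is the installer. 2002839 uses the 3-byte uricontent "/ms" as its fast pattern and relies
# on the pcre /\/ms\d\d\dcfg\.jsp/Ui to confirm. Its modifiers were mis-attached ("cfg.jsp?" had no nocase while
# "v=" carried nocase twice); each uricontent now has exactly one nocase, consistent with the case-insensitive
# pcre (rev 2 -> 3).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My Search Bar Install"; flow: to_server,established; uricontent:"/mysetp.exe"; nocase; reference:url,www.2-spyware.com/parasite-my-search-bar.html; classtype:trojan-activity; sid: 2001040; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My Search Spyware Config Download"; flow: to_server,established; uricontent:"/ms"; nocase; uricontent:"cfg.jsp?"; nocase; uricontent:"v="; nocase; pcre:"/\/ms\d\d\dcfg\.jsp/Ui"; classtype:trojan-activity; sid:2002839; rev:3; )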
#Submitted by Matt Jonkman
# MyWebSearch / MyWay toolbar. 2001663 is rate-limited (threshold type limit, 2 per source per 360 s) because its
# Host-header match fires on every request to a host ending in myway.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; uricontent:"/speedbar/mySpeedbarCfg"; nocase; classtype:trojan-activity; sid: 2000600; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (host)"; flow: to_server,established; content:"Host\: "; depth:250; content:"myway.com"; nocase; within:20; distance:0; classtype:trojan-activity; threshold:type limit, track by_src, count 2, seconds 360; sid: 2001663; rev:7;)
# 2001662 matches the six bytes " MyWay" anywhere in the request with no header or URI anchoring; expect hits on
# ordinary traffic that merely mentions the name and treat this sid as low-confidence on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (Agent)"; flow: to_server,established; content:" MyWay"; nocase; classtype:trojan-activity; sid: 2001662; rev:6; )
# "/mywebsearchbar/" (2002818) is a substring of "/images/mywebsearchbar/" (2002819), so a .bin download raises
# both sids.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (bin download)"; flow: to_server,established; uricontent:"/images/mywebsearchbar/"; nocase; uricontent:".bin"; nocase; classtype:trojan-activity; sid: 2002819; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (general download)"; flow: to_server,established; uricontent:"/mywebsearchbar/"; nocase; classtype:trojan-activity; sid: 2002818; rev:2;)
# 2002836: barcfg.jsp plus the string MyWebSearchWB somewhere in the request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; uricontent:"/barcfg.jsp?"; nocase; content:"MyWebSearchWB"; nocase; classtype:trojan-activity; sid: 2002836; rev:2;)
#New, from spyware listening post hits
# Matt Jonkman
# 2003617 and 2003621 are activity reports (cfg_redir2.jsp with id= and url=http; the Dell-branded bzDellHpData.js).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Receiving Config 2"; flow: to_server,established; uricontent:"/mySpeedbarCfg2.jsp"; nocase; content:"MyWebSearch"; nocase; classtype:trojan-activity; sid:2003222; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Posting Activity Report"; flow:to_server,established; uricontent:"/jsp/cfg_redir2.jsp?id="; nocase; uricontent:"url=http"; nocase; classtype:trojan-activity; sid:2003617; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWay Spyware Posting Activity Report - Dell Related"; flow:to_server,established; uricontent:"/script/bzDellHpData.js?"; nocase; classtype:trojan-activity; sid:2003621; rev:1;)
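#Matt Jonkman
# New.net (NewDotNet): 2003240 is the upgrade.cab fetch under /download/NewDotNet/; 2003241 is a checkin that
# needs six query keys including "br=NewDotNet", which is what keeps the generic "/?version=" prefix from
# matching unrelated traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE New.net Spyware updating"; flow:established,to_server; uricontent:"/download/NewDotNet/"; nocase; uricontent:"/upgrade.cab?"; nocase; uricontent:"upg="; nocase; uricontent:"ec="; nocase; reference:url,www.new.net; classtype:trojan-activity; sid:2003240; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE New.net Spyware Checkin"; flow:established,to_server; uricontent:"/?version="; nocase; uricontent:"discard_tag="; nocase; uricontent:"source="; nocase; uricontent:"ptr="; nocase; uricontent:"br=NewDotNet"; nocase; uricontent:"ec="; nocase; reference:url,www.new.net; classtype:trojan-activity; sid:2003241; rev:2;)
#Submitted by Matt Jonkman
# Oemji: 2001538 msg corrected from "Oenji.com" to "Oemji.com" to match the URI "/Bundled/OemjiInstall" and the
# sibling rules (rev 4 -> 5). Match logic is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Oemji.com Install"; flow: to_server,established; uricontent:"/Bundled/OemjiInstall"; nocase; classtype: trojan-activity; sid: 2001538; rev:5; )
# 2001539 matches a Host header whose value ends in ".oemji.com" (within 25 bytes after "Host:"), but its msg
# names Spyspotter.com - presumably a related product; TODO confirm and retitle if it is not.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".oemji.com"; within: 25; distance: 1; classtype: trojan-activity; sid: 2001539; rev:6; )
#by shirkdog from spyware lp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Oemji.com Spyware Settings Update"; flow:established,to_server; uricontent:"/OemjiSearchPlus.ini"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094187; classtype: trojan-activity; sid:2003467; rev:2;)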
#by Reg Quinton
# Rogue-listener detection rather than a specific family: a $HOME_NET host answering from a source port outside
# 21-902 with a payload that starts with "220" followed by "-" or a space (the FTP/SMTP greeting format).
# offset:0; depth:4 pins the match to the start of the payload and flow:from_server means the local host is the
# accepting side, so a hit points at a service listening on the local host, not at a client. Legitimate services
# on high ports (e.g. alternate mail or FTP ports) will also trip it; suppress those by host/port locally.
alert tcp $HOME_NET !21:902 -> any any (msg:"BLEEDING-EDGE MALWARE Suspicious 220 Banner on Local Port"; flow:from_server,established; content:"220"; offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol; sid:2003055; rev:3; )
#Submitted by Matt Jonkman
# OfferOptimizer (policy-violation): keyword-context request that carries the visited page URL ("urlContext=http").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware OfferOptimizer.com Spyware"; flow: to_server,established; uricontent:"/ctx/keyword_context.php?"; nocase; uricontent:"urlContext=http"; nocase; reference:url,www.offeroptimizer.com; classtype: policy-violation; sid: 2001341; rev:7; )
#By Matt Jonkman
# OutBlaze adpopper web service.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware OutBlaze.com Spyware Activity"; flow: to_server,established; uricontent:"/scripts/adpopper/webservice.main"; nocase; classtype: trojan-activity; sid: 2002044; rev:2; )
#By Matt Jonkman
# Outerinfo: 2001495 uses the short uricontent "/ctxad-" as its fast pattern and the pcre /ctxad-\d+\.sig/Ui to
# confirm; 2001496 and 2001497 anchor on outerinfo.com in the request and Host header respectively.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Outerinfo.com Spyware Install"; flow: to_server,established; uricontent:"/ctxad-"; nocase; pcre:"/ctxad-\d+\.sig/Ui"; classtype: trojan-activity; sid: 2001495; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; uricontent:"/campaigns"; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; sid: 2001496; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Outerinfo.com Spyware Activity"; flow: to_server,established; content:"Host\: campaigns.outerinfo.com"; nocase; classtype: trojan-activity; sid: 2001497; rev:3; )
#Matt jonkman, from spywarelp data
# 2003426 (notify.php checkin) needs all six query keys plus "outerinfo.com" somewhere in the request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Outerinfo.com Spyware Checkin"; flow: to_server,established; uricontent:"/notify.php?"; nocase; uricontent:"pid="; nocase; uricontent:"&module="; nocase; uricontent:"&v="; nocase; uricontent:"&result="; nocase; uricontent:"&message="; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; sid: 2003426; rev:1; )
#Submitted by Chris Norton
# Overpro: 2001444 combines the Host header with a raw-buffer pcre that accepts either a relative or an absolute
# (proxied) request line for WildApp.cab.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host\: download.overpro.com"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; classtype: trojan-activity; sid: 2001444; rev:7; )
#By Matt Jonkman
# 2002017 keys on "/processInstall.aspx" alone, a generic name with no host anchoring; expect to tune it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Games"; flow: to_server,established; uricontent:"/blocks/blasterblocks"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; sid: 2001459; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Install Report"; flow: to_server,established; uricontent:"/processInstall.aspx"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; sid: 2002017; rev:4; )
#Matt Jonkman from Spyware Listening Post Data
# Pacimedia: 2002083 has no nocase and is case-sensitive; 2002194 ("/xml/check.php?" with "u=") is a generic
# pattern with no host anchoring and is classed policy-violation accordingly.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Pacimedia Spyware 1"; flow:to_server,established; uricontent:"/mcp/mcp.cgi"; classtype:trojan-activity; sid:2002083; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Pacimedia Spyware 2"; flow: to_server,established; uricontent:"/xml/check.php?"; nocase; uricontent:"u="; nocase; classtype: policy-violation; sid: 2002194; rev:3; )
#Submitted by Chris Norton
# PeopleOnPage (policy-violation): 2001445 on the install path; 2001446 on Host: srv.peopleonpage.com plus a
# raw-buffer pcre that accepts a relative or absolute request line for /s/l/firstping.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleOnPage Install"; flow: to_server,established; uricontent:"/install/pop"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; sid: 2001445; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleOnPage Ping"; flow: to_server,established; content:"Host\: srv.peopleonpage.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; sid: 2001446; rev:6; )
#Submitted by Matt Jonkman
# Popuptraffic bot reporting: "/scripts/click.php?" with "hid=" (the hid= match has no nocase and is case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Popuptraffic.com Bot Reporting"; flow: to_server,established; uricontent:"/scripts/click.php?"; nocase; uricontent:"hid="; reference:url,popuptraffic.com; classtype: policy-violation; sid: 2000577; rev:6; )
#By Matt Jonkman from spyware listening post data
# Privacyprotector fake anti-spyware: 2003547 is the setup download; 2003548 is a checkin keyed only on four query
# parameters ("/?action=", "&type=", "&pc_id=", "&abbr=") with no host anchoring, so confirm hits against the Host header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Install"; flow: to_server,established; uricontent:"/privacyprotectorfreesetup.exe"; nocase; classtype:trojan-activity; sid: 2003547; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Checkin"; flow: to_server,established; uricontent:"/?action="; nocase; uricontent:"&type="; nocase; uricontent:"&pc_id="; nocase; uricontent:"&abbr="; nocase; classtype:trojan-activity; sid: 2003548; rev:1;)
#storageguardsoft.com also related, same installer, similar hosts
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; uricontent:"?proto="; nocase; uricontent:"&rc="; nocase; uricontent:"&v="; nocase; uricontent:"&abbr="; nocase; uricontent:"&platform="; nocase; uricontent:"&os_version="; nocase; uricontent:"&ac="; nocase; uricontent:"&appid="; nocase; uricontent:"&em="; nocase; uricontent:"&pcid="; no