# ET sid:2025915 rev:3 -- retired copy (line is commented out and the msg carries the "ET DELETED" category).
# Direction: HTTP response, $EXTERNAL_NET -> $HOME_NET, flow established,to_client.
# Two http_header contents (Cache-Control: private; no-store; no-cache and Content-Encoding: gzip) gate the rule,
# then an ordered chain of file_data contents (each after the first uses distance:0, i.e. relative to the previous
# match) on the plugin-probing script body: location.hostname/init, the appendChild call, the Flash ActiveX CLSID
# D27CDB6E-AE6D-11cf-96B8-444553540000, the x-shockwave-flash setAttribute, the userAgent test, and finally the
# ProgID list (ShockwaveFlash ... Skype.Detection), which carries fast_pattern.
# NOTE(review): within:300 sits on the first content in the file_data buffer, so there is no prior match for it to be
# relative to; presumably it bounds the match to the first 300 bytes of the buffer -- confirm against the engine version in use.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Underminer EK Plugin Check"; flow:established,to_client; content:"Cache-Control|3a 20|private|3b 20|no-store|3b 20|no-cache|0d 0a|"; http_header; content:"Content-Encoding|3a 20|gzip|0d 0a|"; http_header; file_data; content:"name:location.hostname,init:function()"; nocase; within:300; content:"document.body.appendChild(UserData?.userData)"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; content:".setAttribute(|22|type|22|,|22|application/x-shockwave-flash|22|)"; nocase; distance:0; content:".test(navigator.userAgent)?function"; nocase; distance:0; content:"map([|22|ShockwaveFlash.ShockwaveFlash|22|,|22|AcroPDF.PDF|22|,|22|PDF.PdfCtrl|22|,|22|QuickTime.QuickTime|22|,|22|RealPlayer|22|,|22|SWCtl.SWCtl|22|,|22|WMPlayer.OCX|22|,|22|AgControl.AgControl|22|,|22|Skype.Detection|22|]"; nocase; fast_pattern; classtype:trojan-activity; sid:2025915; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_09_28;)

Added 2022-05-19 19:06:46 UTC


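# ET sid:2025915 rev:2 -- retired copy (line is commented out and the msg carries the "ET DELETED" category).
# Direction: HTTP response, $EXTERNAL_NET -> $HOME_NET, flow established,to_client.
# file_data contents: the Flash ActiveX CLSID D27CDB6E-AE6D-11cf-96B8-444553540000 (fast_pattern), "setcallbackfunction",
# then "<param"; the relative (/R) PCRE then requires a <param name="movie" value="...+VAR+..."> concatenation, captures the
# two concatenated variable names as var and var2, and uses lookaheads with named backreferences to require the numeric
# range checks (>=23 && <=28, >=17 && <=18, >=11 && <=16) on var and a var2() call later in the same buffer.
# Repaired on this page: the named groups (?P<var>[\w_-]+) and (?P<var2>[\w_-]+) had been rendered as (?P[\w_-]+) (the
# <var>/<var2> tags were stripped as HTML), which is invalid PCRE and leaves the (?P=var)/(?P=var2) backreferences undefined.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Underminer EK Plugin Check"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"setcallbackfunction"; nocase; content:"<param"; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]movie)[^>]*? value\s*=\s*[\x22\x27]+\+(?P<var>[\w_-]+)\+[^>]+\/>\s*[\x22\x27]+\+(?P<var2>[\w_-]+)\+(?=.+?\b(?P=var)\s*\>\=\s*23\s*&&\s*(?P=var)<\=\s*28\b)(?=.+?\b(?P=var)\s*\>\=\s*17\s*&&\s*(?P=var)<\=\s*18\b)(?=.+?\b(?P=var)\s*\>\=\s*11\s*&&\s*(?P=var)<\=\s*16\b).+?,\s*?(?P=var2)\s*\(\s*\)\s*\)\s*\:(?P=var)\s*\>\=\s*\d/Rsi"; classtype:trojan-activity; sid:2025915; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_09_28;)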

Added 2020-08-05 19:15:00 UTC


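# ET sid:2025915 rev:2 (2018-09-28 copy) -- retired: line is commented out and the msg carries the "ET DELETED" category;
# this copy uses a separate "metadata: former_category CURRENT_EVENTS;" keyword ahead of classtype.
# Direction: HTTP response, $EXTERNAL_NET -> $HOME_NET, flow established,to_client.
# file_data contents: the Flash ActiveX CLSID D27CDB6E-AE6D-11cf-96B8-444553540000 (fast_pattern), "setcallbackfunction",
# then "<param"; the relative (/R) PCRE captures the two concatenated variable names of the <param name="movie" value=...>
# as var and var2 and requires, via lookaheads and named backreferences, the numeric range checks (>=23 && <=28,
# >=17 && <=18, >=11 && <=16) on var and a var2() call later in the buffer.
# Repaired on this page: the named groups (?P<var>[\w_-]+) and (?P<var2>[\w_-]+) had been rendered as (?P[\w_-]+) (the
# <var>/<var2> tags were stripped as HTML), which is invalid PCRE and leaves the (?P=var)/(?P=var2) backreferences undefined.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Underminer EK Plugin Check"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"setcallbackfunction"; nocase; content:"<param"; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]movie)[^>]*? value\s*=\s*[\x22\x27]+\+(?P<var>[\w_-]+)\+[^>]+\/>\s*[\x22\x27]+\+(?P<var2>[\w_-]+)\+(?=.+?\b(?P=var)\s*\>\=\s*23\s*&&\s*(?P=var)<\=\s*28\b)(?=.+?\b(?P=var)\s*\>\=\s*17\s*&&\s*(?P=var)<\=\s*18\b)(?=.+?\b(?P=var)\s*\>\=\s*11\s*&&\s*(?P=var)<\=\s*16\b).+?,\s*?(?P=var2)\s*\(\s*\)\s*\)\s*\:(?P=var)\s*\>\=\s*\d/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025915; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Underminer_EK, signature_severity Major, created_at 2018_07_26, updated_at 2018_09_28;)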

Added 2018-09-28 18:11:40 UTC


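# ET sid:2025915 rev:2 (2018-07-27 copy, msg "ET CURRENT_EVENTS Underminer EK Flash Check") -- the earliest version on this
# page; it is commented out here, and the rule text is otherwise the same as the later "ET DELETED" rev:2 copies.
# Direction: HTTP response, $EXTERNAL_NET -> $HOME_NET, flow established,to_client.
# file_data contents: the Flash ActiveX CLSID D27CDB6E-AE6D-11cf-96B8-444553540000 (fast_pattern), "setcallbackfunction",
# then "<param"; the relative (/R) PCRE captures the two concatenated variable names of the <param name="movie" value=...>
# as var and var2 and requires, via lookaheads and named backreferences, the numeric range checks (>=23 && <=28,
# >=17 && <=18, >=11 && <=16) on var and a var2() call later in the buffer.
# Repaired on this page: the named groups (?P<var>[\w_-]+) and (?P<var2>[\w_-]+) had been rendered as (?P[\w_-]+) (the
# <var>/<var2> tags were stripped as HTML), which is invalid PCRE and leaves the (?P=var)/(?P=var2) backreferences undefined.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Underminer EK Flash Check"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"setcallbackfunction"; nocase; content:"<param"; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]movie)[^>]*? value\s*=\s*[\x22\x27]+\+(?P<var>[\w_-]+)\+[^>]+\/>\s*[\x22\x27]+\+(?P<var2>[\w_-]+)\+(?=.+?\b(?P=var)\s*\>\=\s*23\s*&&\s*(?P=var)<\=\s*28\b)(?=.+?\b(?P=var)\s*\>\=\s*17\s*&&\s*(?P=var)<\=\s*18\b)(?=.+?\b(?P=var)\s*\>\=\s*11\s*&&\s*(?P=var)<\=\s*16\b).+?,\s*?(?P=var2)\s*\(\s*\)\s*\)\s*\:(?P=var)\s*\>\=\s*\d/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025915; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Underminer_EK, signature_severity Major, created_at 2018_07_26, updated_at 2018_07_27;)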

Added 2018-07-27 18:08:00 UTC

