"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 21 2015 5"

SID: 2022290

Revision: 2

Class Type: trojan-activity

Metadata: affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2015_12_22

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: from_server,established

Contents:

  • Value: "|3f 22 5c 78|"

  • Value: "var "

Within:

PCRE: "/^\s?[a-z]+\s?=\s?\x28\d+[<>]\d+\?\s?\x22[^\x22]+\x22\s?\x3a\s?\x22[^\x22]+\x22\s?\x29\s?[\x3b\x2b].?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s?\x22[^\x22]+\x22\s?\x3a\s?\x22[^\x22]+\x22\s?\x29\s?[\x3b\x2b].?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s?\x22[^\x22]+\x22\s?\x3a\s?\x22[^\x22]+\x22\s?\x29\s?[\x3b\x2b].?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s?\x22[^\x22]+\x22\s?\x3a\s?\x22[^\x22]+\x22\s?\x29\s?[\x3b\x2b]/Rsi"

Special Options:

  • file_data

  • fast_pattern
