# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. # # This file contains (i) proprietary rules that were created, tested and certified by # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by # Sourcefire and other third parties (the "GPL Rules") that are distributed under the # GNU General Public License (GPL), v2. # # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a # list of third party owners and their respective copyrights. # # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer # to the VRT Certified Rules License Agreement (v2.0). # #------------------ # PUA-ADWARE RULES #------------------ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection"; flow:to_server,established; content:"/?dn="; fast_pattern:only; http_uri; content:"pid="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/c6828c8bcce6786b39427fc5ad9df2f8163d3b8a7b3b5f8a5c5790c4488039f7/analysis/; classtype:misc-activity; sid:40357; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection"; flow:to_server,established; content:"/sk-logabpstatus.php"; fast_pattern:only; http_uri; content:"a="; nocase; http_uri; content:"b="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/c6828c8bcce6786b39427fc5ad9df2f8163d3b8a7b3b5f8a5c5790c4488039f7/analysis/; classtype:misc-activity; sid:40356; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Lucky Leap Adware 
outbound connection"; flow:to_server,established; content:"/gdi?alpha="; fast_pattern:only; http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30261; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Lucky Leap Adware outbound connection"; flow:to_server,established; content:"/gcs?alpha="; fast_pattern:only; http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30260; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud"; flow:to_server,established; urilen:8; content:"/scrstat"; fast_pattern; http_uri; content:"urls=%255b%2522"; nocase; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30496; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud"; flow:to_server,established; content:"/rlast?uri="; depth:11; http_uri; content:"?query="; distance:0; http_uri; metadata:impact_flag red, policy 
security-ips drop, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30493; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud"; flow:to_server,established; content:"/?query=FpWk/DD16pc73UdTJiml/"; depth:29; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30492; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE IP address disclosure to advertisement sites attempt"; flow:to_server,established; content:"test?extip="; http_uri; content:"exip="; distance:0; http_uri; content:"pid="; distance:0; http_uri; content:"gid="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d6fa5440c80185d24d007e5836ed4613cca7e552b516c8aca8bce749af14c13/analysis/; classtype:policy-violation; sid:19998; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Win.Adware.BProtector browser hijacker dll list download attempt"; flow:to_server,established; content:"GET"; http_method; content:"/builds/"; nocase; http_uri; content:"fflists.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:misc-activity; sid:26553; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.AdultAds outbound connection"; flow:to_server,established; content:"/AdPuller/adult_mature/adult_mature.xmls"; http_uri; content:"User-Agent|3A 20|Mozilla/2.0"; http_header; content:"AdTools"; within:7; distance:14; http_header; metadata:service http; reference:url,www.virustotal.com/file/E37DAAB60FE414E8EBFA83A80BBE11877072EC09663DD5F3651FE4DDEB187A82/analysis/; classtype:trojan-activity; sid:24086; rev:3;) # alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE LiveSecurityPlatinum.A outbound connection - initial connection"; flow:to_server,established; content:"/api/urls/?ts="; fast_pattern:only; http_uri; content:"User-Agent|3A 20 20 0D 0A|"; nocase; http_header; pcre:"/\/api\/urls\/\?ts=[a-z0-9]+&affid=\d{5}/iU"; metadata:impact_flag red, service http; reference:url,siri-urz.blogspot.ca/2012/06/live-security-platinum.html; classtype:trojan-activity; sid:23863; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE FakeAV landing page request"; flow:to_server,established; content:"/payform/?k="; fast_pattern:only; http_uri; metadata:service http; reference:url,urlquery.net/report.php?id=91654; classtype:trojan-activity; sid:23472; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.Phono post infection download attempt"; flow:to_server,established; content:"/playerUpdate2.exe"; nocase; http_uri; content:"User-Agent|3A 20|phonostar|20|Radio|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/file/6515C764C78F1F1C1067D8C23D4F400004A292E7C3C06175D8D2DDD77A16438C/analysis/; classtype:trojan-activity; sid:23369; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Wajam Monitizer outbound connection - post install"; flow:to_server,established; content:"/download/Wajam_5402.exe"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/AFE8CA9124F6CC84B8FEC64723531297653A419AE39710A64BCB4143F66215AB/analysis/; classtype:trojan-activity; sid:23247; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Wajam Monitizer url outbound connection - post install"; flow:to_server,established; content:"php?v="; http_uri; content:"&unique_id="; distance:0; http_uri; content:"&aid="; distance:0; http_uri; content:"&r="; distance:0; http_uri; metadata:service http; 
reference:url,www.virustotal.com/file/AFE8CA9124F6CC84B8FEC64723531297653A419AE39710A64BCB4143F66215AB/analysis/; classtype:trojan-activity; sid:23246; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE 888Poker install outbound connection attempt"; flow:to_server,established; content:"/setups/888poker/"; nocase; http_uri; content:"/SetupFiles/GIB/SDL/"; distance:0; nocase; http_uri; metadata:service http; classtype:trojan-activity; sid:21934; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.Downware variant outbound connection attempt"; flow:to_server,established; content:"/action.php?channel="; nocase; http_uri; content:"&detected_products="; distance:0; nocase; http_uri; content:"&offered="; distance:0; nocase; http_uri; content:"&funnel"; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/file/ae97f53b9f7dcbfa450b391d33b63eb21e4eada1325bea4083894b62d1bb15fe/analysis/; classtype:trojan-activity; sid:21924; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.MediaGetInstaller outbound connection - source ip infected"; flow:to_server,established; content:"MediagetDownloaderInfo"; fast_pattern:only; content:"MediagetDownloaderInfo"; http_cookie; metadata:service http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21645; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Adware.MediaGetInstaller inbound connection - destination ip infected"; flow:to_client,established; content:"MediagetDownloaderInfo"; fast_pattern:only; content:"MediagetDownloaderInfo"; http_cookie; metadata:service http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21644; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"PUA-ADWARE Internet Security 2010 outbound connection"; flow:to_server,established; content:"/buy/?code="; nocase; http_uri; pcre:"/buy\x2f\?code\=\d/U"; metadata:service http; reference:url,www.virustotal.com/en/file/af40310749172d3b59f1639122f3eb833adfb1d06802f40b2c47cbf0101b1ec8/analysis/; classtype:trojan-activity; sid:21184; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32.WindowsOptimizationAndSecurity outbound connection"; flow:to_server,established; content:"/soft-usage/favicon.ico?0="; fast_pattern:only; http_uri; pcre:"/\&5=\d+\&6=\d+\&7=\d+\.\d+\&8=\d+/Ui"; metadata:service http; reference:url,www.virustotal.com/en/file/6c52f680af940a15f896a777ff92950d512fac8ee19ba4b7bb3bcfca75e5dc4e/analysis/; classtype:trojan-activity; sid:21176; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Apperhand SDK advertising data request - Counterclank"; flow:to_server,established; content:"/ProtocolGW/protocol/command"; nocase; http_uri; content:"Host|3A| www.apperhand.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/3d8e1108999dc35c5b5202985547a25f/detection; classtype:misc-activity; sid:21169; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32.GamePlayLabs outbound connection"; flow:to_server,established; content:"/installer-run"; http_uri; content:"cc-silent-nozugo/"; distance:0; http_uri; content:"pid="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/93bf1dc265d39f119982fc5f39bce7e192c466d63c6d23b0b0b587386fd2ef06/analysis/; classtype:trojan-activity; sid:20753; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32.GameVance outbound connection"; flow:to_server,established; content:"clientv="; http_uri; content:"cltzone="; distance:0; http_uri; content:"method="; distance:0; http_uri; content:"mstime="; distance:0; http_uri; content:"os="; 
distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/dfe9aecbfe4158be354f4c60886efe72202f861882b780d1fab14ce60ea75c09/analysis/; classtype:trojan-activity; sid:20752; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE XP Guardian 2010 proantivirus21 host runtime traffic detection"; flow:to_server,established; content:"Host|3A| proantivirus21|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/07099d0b0af9e29910e31af8166c5d8d/detection; classtype:trojan-activity; sid:20434; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE XP Guardian 2010 anutayadokalug host outbound connection"; flow:to_server,established; content:"Host|3A| anutayadokalug|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/07099d0b0af9e29910e31af8166c5d8d/detection; classtype:trojan-activity; sid:20433; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.Wizpop outbound connection"; flow:to_server,established; content:"count.asp?exe="; http_uri; content:"act="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/5acce2b732ff1058586ab0a3c8c85b74afe62c0cb0ac07763cc2b99738b25ca4/analysis/; classtype:trojan-activity; sid:20220; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware mightymagoo/playpickle/livingplay - User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|tl_v"; fast_pattern:only; http_header; pcre:"/^User\x2DAgent\x3A\x20tl_v([0-9]{1,2}\x2E){2}[0-9]{1,4}/Hmi"; metadata:service http; classtype:misc-activity; sid:20143; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware playsushi - User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|ps|20|"; fast_pattern:only; http_header; pcre:"/^User\x2DAgent\x3A\x20ps\x20[0-9]{1,4}/Hmi"; 
metadata:service http; reference:url,www.arcadeweb.com; classtype:misc-activity; sid:20103; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Arcade Web - X-Arcadeweb header"; flow:to_server,established; content:"X-Arcadeweb"; nocase; http_header; metadata:service http; reference:url,www.arcadeweb.com; classtype:misc-activity; sid:20102; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Arcade Web - User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|aw|20|v"; fast_pattern:only; http_header; pcre:"/^User\x2DAgent\x3A\x20aw\x20v([0-9]{1,2}\x2E){2}[0-9]{1,4}/Hmi"; metadata:service http; reference:url,www.arcadeweb.com; classtype:misc-activity; sid:20101; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Arcade Web - installation/update"; flow:to_server,established; content:"/update/aw_update_v"; fast_pattern:only; http_uri; metadata:service http; classtype:misc-activity; sid:20100; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SecurityTool outbound connection"; flow:to_server,established; content:"php?affid="; http_uri; content:"url="; distance:0; http_uri; content:"win="; distance:0; http_uri; content:"sts="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/63990a154bc13ab456dcc525c632a6f191d20ff7aa3e6b80fd34403f8f3be35d/analysis/; classtype:trojan-activity; sid:20063; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.BB outbound connection"; flow:to_server,established; content:"install.php?pid=popuptest&cid=e1popguide_update3"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/023ed105431b8970a8f852d6c133cfd0d61cda6be56b6e154b988e17bb69747c/analysis/; classtype:trojan-activity; sid:20041; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE VirusBye outbound 
connection"; flow:to_server,established; content:"/app/ip.php"; http_uri; content:"Host|3A 20|virusbye|2E|net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/1c29d15a9bb6c930040775cad1a695399ecc06bff39724494e38d8bbe05acbf4/analysis/; classtype:trojan-activity; sid:20025; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Cinmus.asaq outbound connection"; flow:to_server,established; content:"/smb/nsi_install.php"; nocase; http_uri; content:"Host|3A| ads2.adservefast.biz"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/9083c85707fb33ff950d761d1c5b9acb/detection; classtype:trojan-activity; sid:20007; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE ThreatNuker outbound connection"; flow:to_server,established; content:"/build_info.php"; http_uri; content:"Host|3A 20|db|2E|threatnuker|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/2b0654d9ba5b03d511bc03a48230c941b129a81de38976e5d15241a741283983/analysis/; classtype:trojan-activity; sid:19999; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Antivirus 360 outbound connection"; flow:to_server,established; content:"/firstrun.php?product=A36&aff="; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/546150dfa94f45b6471b0e9932536741626a6c0fb7e38137cc091d8b43b6c2d9/analysis/; classtype:trojan-activity; sid:19994; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Total Protect 2009 outbound connection"; flow:to_server,established; content:"/install.php?aid="; http_uri; content:"Host|3A 20|totalprotect2009|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/28fc02ff822de3d046218ea31df2d34e85ef4fec91ada4ebf333aa01b7fb26c7/analysis/; classtype:trojan-activity; sid:19990; rev:5;) # 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Total Protect 2009 outbound connection"; flow:to_server,established; content:"/buy.php?aid="; http_uri; content:"Host|3A 20|totalprotect2009|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/28fc02ff822de3d046218ea31df2d34e85ef4fec91ada4ebf333aa01b7fb26c7/analysis/; classtype:trojan-activity; sid:19989; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE PCLiveGuard outbound connection"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"Host|3A| update2.pcliveguard.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/ed8c7de355473c70703c07f7ea965dc7/detection; classtype:trojan-activity; sid:19987; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE AntivirusPC2009 install-time traffic detected"; flow:to_server,established; content:"/install.php?id"; nocase; http_uri; content:"Host|3A| antiviruspc-stat.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/latestreport.html?resource=f1a48d8d1536b7bbabc09a7129c6ed8d; classtype:trojan-activity; sid:19986; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE AntivirusPC2009 runtime traffic detected"; flow:to_server,established; content:"/dailystat.php?uid"; nocase; http_uri; content:"Host|3A| antiviruspc-stat.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/latestreport.html?resource=f1a48d8d1536b7bbabc09a7129c6ed8d; classtype:trojan-activity; sid:19985; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Antivirus 2010 outbound connection"; flow:to_server,established; content:"/av2010/version.php"; http_uri; metadata:service http; 
reference:url,www.virustotal.com/en/file/75bc6fa2acad3fb9ca1afe36429d20fa8964cc77e2379261d1f414e5d5cfb102/analysis/; classtype:trojan-activity; sid:19984; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE WeatherStudio outbound connection"; flow:to_server,established; content:"/dp/"; depth:4; nocase; http_uri; content:"Host|3A| as.weatherstudio.com"; nocase; http_header; pcre:"/\x2fdp\x2f(newsreader|search|weather)/Ui"; metadata:service http; reference:url,www.virustotal.com/en/file/e31e227570824971f06f433d01e464aa54e015383c4188d17f033086685f1ab8/analysis/; classtype:misc-activity; sid:19939; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE WinReanimator outbound connection"; flow:to_server, established; content:"/buy.html"; nocase; http_uri; content:"Host|3A| www.winreanimator.com|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/d7a42269fb89a01c5dfb7bb56ce488664efd7e10970f473c4238b049de210d95/analysis/; classtype:misc-activity; sid:19904; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32.Agent.vvm outbound connection"; flow:to_server, established; content:"/?mode=gen&gd="; depth:14; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"Referer|3A| http|3A 2F 2F|www.zabeedly.com/search.php?q="; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/d2d13249a8c17047a717c43ba595a00f7f47c5fb6de5ce98c0675173f07ea5bc/analysis/; classtype:misc-activity; sid:19903; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Targetedbanner.biz Adrotator outbound connection"; flow:to_server, established; content:"/bc/123kah.php"; depth:14; nocase; http_uri; content:"showed="; depth:7; nocase; http_client_body; content:"clicked="; nocase; http_client_body; metadata:service http; 
reference:url,www.virustotal.com/en/file/efe9f61a85076750d6d1f28e663de583234d05850a6ce19295a0f260eab4299d/analysis/; classtype:misc-activity; sid:19902; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.Win32.Frosty Goes Skiing Screen Saver 2.2 Install Detection"; flow:to_server,established; content:"/AppInstall?app=VVSN"; http_uri; content:"Host|3A 20|app|2E|whenu|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/ccc3258541762de91147d8c4d51321f7a36a17162bfb9caae986417a1e13a1fb/analysis/; classtype:misc-activity; sid:19896; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trust Warrior outbound connection"; flow:to_server,established; content:"|2F|report|3F|current_version"; nocase; http_uri; content:"www|2E|trustwarrior|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/a7ed7b1b9b92c3a19d8f3525501adc82/detection; classtype:trojan-activity; sid:19860; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE XP Deluxe Protector outbound connection"; flow:to_server,established; content:"/pp/?id"; http_uri; content:"Host|3A 20|xp-deluxeprotector|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/61c381e1701a1a441d13b1b8891c552f44be3ba2bd3412b55930df6f00f9c9f0/analysis/; classtype:trojan-activity; sid:19859; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Wowpa KI outbound connection"; flow:to_server,established; content:"/wowupdate.htm"; http_uri; content:"Host|3A 20|update|2E|cn911|2E|org"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/a83fd44bf4aa4bf7ae010dd9cf707961d5964320129832cf2c233721fd028be5/analysis/; classtype:trojan-activity; sid:19853; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Adware.Virtumonde 
runtime detection"; flow:to_server,established; content:"/cn?sid="; nocase; http_uri; content:"Host|3A| 85.17.166.172"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/7fad6a99ecf25b14cb7aa98c825da27f81de2d4a8e3b15bc37f2e30faa9e3531/analysis/; classtype:trojan-activity; sid:19849; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Adware.Virtumonde runtime detection"; flow:to_server,established; content:"/d/5.0.1/Setup"; nocase; http_uri; content:"Host|3A| www.registrydefender.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/7fad6a99ecf25b14cb7aa98c825da27f81de2d4a8e3b15bc37f2e30faa9e3531/analysis/; classtype:trojan-activity; sid:19848; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Windows Antivirus 2008"; flow:to_server, established; content:"secure2|2E|softpaydirect|2E|com"; fast_pattern:only; http_header; content:"|2F|purchase|2F|secure|2E|php"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/940deb3a47fd625af7d503dc1dc2a6b281608e6baa25aa73c66e959a70a1017c/analysis/; classtype:trojan-activity; sid:19843; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Windows Antivirus 2008"; flow:to_server, established; content:"winavsentry|2E|com"; fast_pattern:only; http_header; content:"|2F|buy|2E|php"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/940deb3a47fd625af7d503dc1dc2a6b281608e6baa25aa73c66e959a70a1017c/analysis/; classtype:trojan-activity; sid:19842; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE 0desa MSN password stealer"; flow:to_server, established; content:"Host|3A 20|www.odesa.net84.net"; fast_pattern:only; http_header; content:"sendmail.php|3F|mail|3D|"; http_uri; content:"password"; nocase; http_uri; metadata:service http; 
reference:url,www.virustotal.com/en/file/35d8c61a75735d7f9d6901955f7130221bb4cf90b5ce40b46bc6561c6ff4ec29/analysis/; classtype:misc-activity; sid:19841; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE XP Antispyware 2009 outbound connection"; flow:to_server,established; content:"/buy.html?wmid="; nocase; http_uri; content:"&skey="; nocase; http_uri; content:"Host|3A| www.xpas2009.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/be302edbb7f36b090805eb18bbc001c14f2889c8c1c3e9476b870c203e4e7821/analysis/; classtype:trojan-activity; sid:19840; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Antivirus XP 2008 runtime detection"; flow:to_server, established; content:"/buy2/"; nocase; http_uri; content:"Host|3A| www.anti-virusxp2008.net"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/4e38904150ce5595d2187a6a647d8ac501d0d41975785dfefe7ecb654dd60f07/analysis/; classtype:misc-activity; sid:19839; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Spyware Guard 2008 outbound connection"; flow:to_server,established; content:"/buy.html?"; nocase; http_uri; content:"track_id="; content:"Host|3A| gosg2008.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/23825c22c0955e7a82a5ed700121cb415308ce7e4eae916a4059ba41020bac1e/analysis/; classtype:misc-activity; sid:19838; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Spyware Guard 2008 outbound connection"; flow:to_server,established; content:"/api.php?data="; nocase; http_uri; content:"Host|3A| cmserv.org"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/23825c22c0955e7a82a5ed700121cb415308ce7e4eae916a4059ba41020bac1e/analysis/; classtype:misc-activity; sid:19837; rev:4;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-ADWARE Delphi-Piette 
Windows"; itype:8; content:"Pinging from Delphi code written by F. Piette"; isdataat:2000,relative; reference:url,www.virustotal.com/en/file/3df563ec64f798ebec06abe85dec33d292def4259d6d404bcaf62ea0e0475c7e/analysis/; classtype:misc-activity; sid:19835; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE PWS-QQGame outbound connection"; flow:to_server,established; content:"/html.txt"; nocase; http_uri; content:"Host|3A| 866muma.3322.org"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/f1d6d37696bf581ef31325e23d07327dec5bdb10e546ed450716d7cc19f668ea/analysis/; classtype:trojan-activity; sid:19827; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Downloader.Banload.AKBB outbound connection"; flow:to_server,established; content:"/deca/?act="; nocase; http_uri; content:"nickname="; nocase; http_uri; content:"Host|3A| nguoidep.1sthoster.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/b0840f1ae5a0df0e85142e2c83afc5eeafc240a10c71636d1d2c8b0755a26d60/analysis/; classtype:trojan-activity; sid:19823; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Fast Antivirus 2009 outbound connection"; flow:to_server,established; content:"/reports/minstalls.php"; nocase; http_uri; content:"Host|3A| updvmfnow.cn"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/23825c22c0955e7a82a5ed700121cb415308ce7e4eae916a4059ba41020bac1e/analysis/; classtype:trojan-activity; sid:19777; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE PWS.Win32.Ldpinch.gen outbound connection"; flow:to_server,established; content:"/filter/admin.php"; nocase; http_uri; content:"a=&b=&d=&c="; depth:11; fast_pattern; nocase; http_client_body; metadata:service http; 
reference:url,www.virustotal.com/en/file/9688faf1374b0796de296719b54a57073d2304893c8320ce8ebb93e8f1d600db/analysis/; classtype:trojan-activity; sid:19775; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Virus.Win32.Virut.ce outbound connection"; flow:to_server,established; content:"|2F|licen|2F|part|2E|txt"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/49d2b211a20fd2fa353da3f2fb2b7bfe/detection; classtype:trojan-activity; sid:19717; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Infostealer.Gampass outbound connection"; flow:to_server,established; content:"/workzx.dll"; nocase; http_uri; content:"Host|3A| www.wm5d.cn"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/44a95d5de7197ad916be6392bcc63e496e0d31559b3acabd50f058dfb97d645c/analysis/; classtype:misc-activity; sid:19598; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32.Fruspam outbound connection"; flow:to_server,established; content:"g_Version|3A|"; nocase; http_header; content:"g_UID|3A|"; nocase; http_header; content:"g_MorphID|3A|"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/bd1cfd7b15f70d131d8f3f013a4e6afb0807791b898d96d3cc2b57de576acf1f/analysis/; classtype:misc-activity; sid:19594; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Personal Guard 2009 outbound connection"; flow:to_server,established; content:"/buy.html"; http_uri; content:"Host|3A|"; nocase; http_header; content:"personalguard2009|2E|com"; distance:0; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/9636820ae780568f1627c2d596cdd0214ef7d5f4e03444de4996f1807161a37b/analysis/; classtype:trojan-activity; sid:19578; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Antivirus Pro 2010 outbound connection"; 
flow:to_server,established; content:"/files/avp21_d_/_1_._d_"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/4bf5ec55c48454ac1b5eb4ec9c4486bdf5a6868960b8cee77e02d34a0a84afc5/analysis/; classtype:trojan-activity; sid:19576; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Antivirus Agent Pro outbound connection"; flow:to_server,established; content:"/stat.php"; nocase; http_uri; content:"s="; distance:0; nocase; http_uri; content:"Indy Library"; nocase; http_header; content:"Host|3A 20|actupdate|2E|net"; nocase; http_header; pcre:"/User-Agent\x3A\s+[^\r\n]*Indy\s+Library/iH"; metadata:service http; reference:url,www.virustotal.com/#/file/d6868aba37c67fd3f5f526bdd1467317/detection; classtype:trojan-activity; sid:19571; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE W32.Ackantta.C.mm mass-mailer outbound connection"; flow:to_server, established; content:"From|3A| invitations@twitter.com|0D 0A|"; depth:31; fast_pattern; nocase; content:"Subject|3A| Your friend invited you to twitter!"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1102; reference:url,www.virustotal.com/en/file/33e9c017cd020176e99adb8243cb0028f00b49754d50e669885a831557b04659/analysis/; classtype:trojan-activity; sid:19567; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE W32.Ackantta.C.mm mass-mailer outbound connection"; flow:to_server, established; content:"From|3A| invitations@hi5.com|0D 0A|"; depth:27; fast_pattern; nocase; content:"Subject|3A| Jessica would like to be your friend on hi5!"; nocase; metadata:service smtp; reference:url,www.virustotal.com/en/file/33e9c017cd020176e99adb8243cb0028f00b49754d50e669885a831557b04659/analysis/; classtype:trojan-activity; sid:19566; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE W32.Fiala.A outbound connection"; flow:to_server,established; content:"|2F|v|2E|txt"; nocase; 
http_uri; content:"Host|3A 20|x|2E|moneyinfom|2E|com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/2c1578df8113424be3b3d9e390529615/detection; classtype:trojan-activity; sid:19486; rev:4;)
# sid:19453 - BancDI: pins an exact path on www.mariettapa.com; the rule is dead once that path is gone from the site.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Sus.BancDI-B trojan outbound connection"; flow:to_server, established; content:"/historicmarietta/.vll/es.php"; nocase; http_uri; content:"Host|3A| www.mariettapa.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/f32f1b51145f96c3659bb3709b9da4a363858f7c71c11deb32ca1fa8bc54c834/analysis/; classtype:trojan-activity; sid:19453; rev:4;)
# sid:19391 - Lost Door: destination port is any and there is no service metadata; depth:12 equals the 12-byte marker
# "v1ct1m[\AS/]", so it must be the very first bytes of the payload.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Lost Door v3.0"; flow:to_server,established; content:"v1ct1m|5B 5C|AS|2F 5D|"; depth:12; nocase; reference:url,www.virustotal.com/en/file/733aeabddc3a28eb61041d529b853cb41319ca700c73e5022aa7fd5eeab52919/analysis/; classtype:trojan-activity; sid:19391; rev:5;)
# sid:19327 / sid:19326 - Classroom Spy: the header is $HOME_NET -> $EXTERNAL_NET but flow is to_client, so both rules
# match packets sent by a HOME_NET host acting as the server (listener) toward an external client; the msg text
# "outbound connection" is misleading. sid:19326 is noalert and only sets flowbit
# Malware_ClassroomSpyPro_detection3, which sid:19327 requires - enable both or neither.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Classroom Spy Professional outbound connection - initial connection"; flow:to_client,established; flowbits:isset,Malware_ClassroomSpyPro_detection3; content:"|78 01 33 AD 72 AF 34 2E 77 F6 A8 34|"; depth:12; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453101935; classtype:trojan-activity; sid:19327; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Classroom Spy Professional outbound connection - initial connection"; flow:to_client,established; content:"|00 00 00 34|"; depth:4; flowbits:set,Malware_ClassroomSpyPro_detection3; flowbits:noalert; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453101935; classtype:trojan-activity; sid:19326; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE Keylogger aspy v2.12 runtime detection"; flow:to_server,established; content:"This is report of the program |60|ASpy|60 2E|"; fast_pattern:only; metadata:service smtp; 
reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name aSpy&threatid=48392; reference:url,www.emsisoft.es/en/malware/?Adware.Win32.aSpy+Keylogger; classtype:successful-recon-limited; sid:19311; rev:6;)
# sid:19311 (above): fires on the keylogger's emailed report, i.e. captured keystrokes are already leaving the host over
# SMTP - triage as exfiltration despite the successful-recon-limited classtype. The sunbelt reference URL looks
# malformed ("name aSpy" is missing the "=").
# sid:19309 - starware: four URI parameters chained with distance:0; "version=" is the only one without nocase.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker starware videos outbound connection"; flow:to_server,established; content:"/dp/weather?f="; nocase; http_uri; content:"loc="; distance:0; nocase; http_uri; content:"client_id="; distance:0; nocase; http_uri; content:"version="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/514180c942af19fdc7c7ab4de3b81100a300bf651f36ca6d736ce8526a375237/analysis/; classtype:trojan-activity; sid:19309; rev:5;)
# sid:19061 / sid:19059 - keyed on affiliate identifiers in the URI (aff_id=cashtitan, affid=/subid=) rather than a host.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.Win32.Cashtitan contact to server attempt"; flow:to_server,established; content:"|2F|nsi_install|2E|php|3F|"; nocase; http_uri; content:"aff_id|3D|cashtitan"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/aa43ca4f5a532043d1b673cbaa64c7fd/detection; classtype:trojan-activity; sid:19061; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE RogueSoftware.Win32.SystemDefragmenter outbound connection"; flow:to_server,established; content:"|2F|readdatagateway|2E|php|3F|"; nocase; http_uri; content:"type|3D|stats|26|"; nocase; http_uri; content:"affid|3D|"; nocase; http_uri; content:"subid|3D|"; nocase; http_uri; content:"|26|installok"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/21d64143e87758aedddb1aa99fd3857a/detection; classtype:trojan-activity; sid:19059; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE RogueSoftware.Win32.Winwebsec outbound connection"; flow:to_server,established; content:"|2F|buy|2E|php|3F|q|3D|"; nocase; http_uri; content:"screen_info|3D|"; nocase; http_client_body; 
content:"cc_number|3D|"; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/#/file/c0f2d72894e2c6d96cb26483d4f6b4a2/detection; classtype:trojan-activity; sid:19046; rev:7;)
# sid:19046 (above): matches the POST body of the rogue AV's purchase form (screen_info=, cc_number=) on $HTTP_PORTS,
# so an alert means payment-card data was most likely submitted in cleartext - handle as a data-exposure incident,
# not merely as PUA activity.
# sid:19044 - ThinkPoint: URI-only (/tpn/index_new.php?id= ... &cache=), no host constraint.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE RogueSoftware.Win32.ThinkPoint outbound connection"; flow:to_server,established; content:"|2F|tpn|2F|index_new|2E|php|3F|id|3D|"; nocase; http_uri; content:"|26|cache|3D|"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/a1e3337142847dc4d14c96e586f166f6/detection; classtype:trojan-activity; sid:19044; rev:7;)
# sid:19043 - BestBoan: the pcre requires exactly 12 hex digits of sncode followed by &pid= (case-insensitive via /i).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE RogueSoftware.Win32.BestBoan outbound connection"; flow:to_server,established; content:"|2F|pay|2F|payment|2E|php|3F|sncode|3D|"; nocase; http_uri; pcre:"/\x2Fpay\x2Fpayment\x2Ephp\x3Fsncode\x3D[0-9a-f]{12}\x26pid\x3D/Ui"; metadata:service http; reference:url,www.virustotal.com/#/file/126ef04604ffc2dfb703604e6cc2e03c/detection; classtype:trojan-activity; sid:19043; rev:7;)
# sid:19026 - Smart Protector: the domain content and the ^Host pcre carry no http_header / H modifier, so they are
# evaluated against the raw payload rather than the normalized header buffer used by the sibling rules.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Smart Protector outbound connection"; flow:to_server,established; content:"/buy.html"; http_uri; content:"smartprotectorpro|2E|com"; nocase; pcre:"/^Host\x3a[^\r\n]*smartprotectorpro\x2ecom/mi"; metadata:service http; reference:url,www.2-spyware.com/remove-smart-protector.html; classtype:successful-recon-limited; sid:19026; rev:4;)
# sid:16498 - PC Antispyware 2010: no reference and no host constraint; relies on "/files" plus the ").(t)" URI
# fragment. sid:16267 covers the same "/files" path with a Host constraint (gomafobianiotas.com).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE PC Antispyware 2010 FakeAV download/update attempt"; flow:to_server,established; content:"/files"; nocase; http_uri; content:"|29|.|28|t|29|"; fast_pattern; nocase; http_uri; metadata:service http; classtype:trojan-activity; sid:16498; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Cutwail spambot server communication attempt"; flow:to_server,established; content:"spm/page.php?"; http_uri; content:"id="; nocase; 
http_uri; content:"tick="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"smtp="; nocase; http_uri; content:"task="; nocase; http_uri; metadata:service http; classtype:trojan-activity; sid:16494; rev:5;)
# sid:16494 (above): Cutwail check-in keyed on five URI parameters of spm/page.php? with no host; the path content has
# no leading "/" so it matches anywhere in the URI. No reference is attached.
# sid:16456 - ANG Antivirus: the Host content carries fast_pattern:only but no http_header modifier, so it is matched
# in the raw payload.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Rogue-Software ang antivirus 09 runtime detection"; flow:to_server,established; content:"/angantivirus-2009.com/"; http_uri; content:"Host|3A| setup.angantivirus2009.info"; fast_pattern:only; metadata:service http; reference:url,en.wikipedia.org/wiki/ANG_Antivirus; classtype:trojan-activity; sid:16456; rev:6;)
# sid:16365 - OnlineGames: a single 8-byte URI substring (/nbok01/) with no host, no other content and no reference;
# measure the false-positive rate before enabling.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE OnlineGames download attempt"; flow:to_server,established; content:"/nbok01/"; fast_pattern:only; http_uri; metadata:service http; classtype:trojan-activity; sid:16365; rev:9;)
# sid:16280 - Windows Antivirus 2008 payment page: strongly constrained by product_name=Windows+Antivirus+2008.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue-software windows antivirus 2008 runtime detection - registration and payment page"; flow:to_server,established; content:"/purchase/secure.php?"; http_uri; content:"frame="; distance:0; nocase; http_uri; content:"orderid="; distance:0; nocase; http_uri; content:"orderid1="; distance:0; nocase; http_uri; content:"orderid2="; distance:0; nocase; http_uri; content:"disc="; distance:0; nocase; http_uri; content:"product_name=Windows+Antivirus+2008"; distance:0; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=288214; reference:url,www.spywareremove.com/removeWindowsAntivirus2008.html; classtype:trojan-activity; sid:16280; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue-software windows antivirus 2008 runtime detection - pre-sale page"; flow:to_server,established; content:"/buy.php?"; http_uri; content:"frame="; distance:0; http_uri; content:"advid="; distance:0; http_uri; content:"winavsentry.com"; fast_pattern:only; http_header; metadata:service http; 
reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=288214; reference:url,www.spywareremove.com/removeWindowsAntivirus2008.html; classtype:trojan-activity; sid:16279; rev:7;)
# sid:16278 / sid:16277 / sid:16276 - FakeAlert.kl: each rule pins a hard-coded hostname (do-monster-scan.com,
# down-soft-index.com, www.av-pro-2009.com) through a "Host:" content with no http_header modifier, i.e. a raw-payload
# match; they go stale when the infrastructure moves. The two-byte "l=" / "s=" URI matches in sid:16276 are only
# meaningful under that host constraint.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler win32-fakealert.kl installime detection - updates remote server"; flow:to_server,established; content:"/update_inst.php?"; http_uri; content:"wmid="; http_uri; content:"subid="; http_uri; content:"pid="; http_uri; content:"lid="; http_uri; content:"hs="; http_uri; content:"Host|3A| do-monster-scan.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75472; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2; classtype:misc-activity; sid:16278; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler win32-fakealert.kl outbound connection - downloads malicious files"; flow:to_server,established; content:"/binary/AntivirusPro2009/Binaries1.cab"; http_uri; content:"Host|3A| down-soft-index.com"; nocase; metadata:service http; reference:url,www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75472; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2; classtype:misc-activity; sid:16277; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler win32-fakealert.kl outbound connection"; flow:to_server,established; content:"/buy.html?"; http_uri; content:"wmid="; http_uri; content:"l="; http_uri; content:"s="; http_uri; content:"skey="; http_uri; content:"Host|3A| www.av-pro-2009.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75472; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2; classtype:misc-activity; sid:16276; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"PUA-ADWARE rogue software pc antispyware 2010 runtime detection - files"; flow:to_server,established; content:"/files"; http_uri; content:"gomafobianiotas.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453172046; classtype:trojan-activity; sid:16267; rev:8;)
# sid:16267 - sid:16263: the URI contents here (/files, /buy.html, /register, /007AS/update/Update.ini, /install/?aid)
# are generic; the domain content carrying fast_pattern:only in http_header is the real selector, so each rule is only
# as durable as that hostname.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software pc antispyware 2010 runtime detection - buy"; flow:to_server,established; content:"/buy.html"; http_uri; content:"pc-antispy2010.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453172046; classtype:trojan-activity; sid:16266; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software 007 anti-spyware runtime detection - register"; flow:to_server,established; content:"/register"; http_uri; content:"www.007antispyware.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-073120-1433-99; classtype:trojan-activity; sid:16265; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software 007 anti-spyware runtime detection - update"; flow:to_server,established; content:"/007AS/update/Update.ini"; http_uri; content:"www.webslt.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-073120-1433-99; classtype:trojan-activity; sid:16264; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp-shield outbound connection - installation"; flow:to_server,established; content:"/install/?aid"; http_uri; content:"www.xp-shield.cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453133950; classtype:trojan-activity; sid:16263; rev:8;)
# alert tcp $HOME_NET any 
-> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp-shield outbound connection"; flow:to_server,established; content:"/purchase.htm?aid"; http_uri; content:"www.xp-shield.cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453133950; classtype:trojan-activity; sid:16262; rev:8;)
# sid:16261 / sid:16260 - XP Antivirus Protection: both keyed on liveresponsesite.com; sid:16260 additionally requires
# product=XPA and an aff= affiliate parameter on the first-run beacon.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp antivirus protection runtime detection - runtime"; flow:to_server,established; content:"/order_xp.php"; nocase; http_uri; content:"ver="; distance:0; http_uri; content:"liveresponsesite.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453122012; classtype:trojan-activity; sid:16261; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp antivirus protection runtime detection - installation"; flow:to_server,established; content:"/firstrun.php"; nocase; http_uri; content:"product=XPA"; distance:0; nocase; http_uri; content:"aff="; distance:0; nocase; http_uri; content:"liveresponsesite.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453122012; classtype:trojan-activity; sid:16260; rev:8;)
# sid:16259 / sid:16258 - generic URI (/join.html, /buy.php) plus a pinned domain; the domain is the selector.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software antivirusdoktor2009 runtime detection"; flow:to_server,established; content:"/join.html"; http_uri; content:"www.antivirus-doktor.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453164387; classtype:trojan-activity; sid:16259; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software perfect defender 2009 outbound connection - purchase"; flow:to_server,established; content:"/buy.php"; http_uri; content:"www.pdefender2009.com"; fast_pattern:only; http_header; 
metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453144750; classtype:trojan-activity; sid:16258; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software perfect defender 2009 outbound connection - update"; flow:to_server,established; content:"/upd1.php"; http_uri; content:"dbbasediv="; distance:0; http_uri; content:"download.pdefender2009.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453144750; classtype:trojan-activity; sid:16257; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software coreguard antivirus 2009 runtime detection"; flow:to_server,established; content:"/c.dat"; http_uri; content:"guardlab2009.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453157038; classtype:trojan-activity; sid:16256; rev:8;)
# sid:16255 / sid:16254 - System Security 2009: sid:16254 is noalert and sets flowbit systemsecurity2009 on any
# /in.php request carrying url= and affid= (no host constraint). sid:16255 is $EXTERNAL_NET -> $HOME_NET with
# flow:to_client, i.e. it alerts on the server's "Location: in.php?url=" redirect response, not on an outbound
# connection as the msg says. Enable both together; sid:16255 never fires without sid:16254.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE rogue software system security 2009 outbound connection"; flow:to_client,established; flowbits:isset,systemsecurity2009; content:"location|3A| in.php?url="; nocase; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339; classtype:trojan-activity; sid:16255; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software system security 2009 outbound connection"; flow:to_server,established; content:"/in.php"; http_uri; content:"url="; http_uri; content:"affid="; http_uri; flowbits:set,systemsecurity2009; flowbits:noalert; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339; classtype:trojan-activity; sid:16254; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software system security 2009 outbound connection"; flow:to_server,established; content:"/cards/"; http_uri; 
content:"affid="; distance:0; http_uri; content:"electronicbillinghost.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339; classtype:trojan-activity; sid:16253; rev:8;)
# sid:16253 (above): "electronicbillinghost.com" has no http_header modifier, so it is matched in the raw payload
# (any header, or the body) rather than pinned to the Host line.
# sid:16252 and sid:16249 use the identical URI "/pay/"; only the Host domain separates them.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software pro antispyware 2009 runtime detection - purchase"; flow:to_server,established; content:"/pay/"; http_uri; content:"sales.proantispyware-2009-buy.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453144054; classtype:trojan-activity; sid:16252; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software win pc defender outbound connection"; flow:to_server,established; content:"/installed.php?"; nocase; http_uri; content:"id="; distance:0; nocase; http_uri; content:"win-pc-defender.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453153970; classtype:trojan-activity; sid:16251; rev:8;)
# sid:16250 - keyed on the payment host (billingpayment.net) rather than the product domain.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software win pc defender outbound connection"; flow:to_server,established; content:"/pp/?id="; nocase; http_uri; content:"billingpayment.net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453153970; classtype:trojan-activity; sid:16250; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software ms antispyware 2009 runtime detection - pay"; flow:to_server,established; content:"/pay/"; http_uri; content:"sales.buy-msantispyware2009.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453146855; classtype:trojan-activity; sid:16249; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software ms antispyware 2009 
runtime detection - start"; flow:to_server,established; content:"/stat.php"; http_uri; content:"func="; distance:0; nocase; http_uri; content:"int.ms-asreport1.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453146855; classtype:trojan-activity; sid:16248; rev:8;)
# sid:16247 - Spyware Protect 2009: the pinned Host is browser-security.microsoft.com, an apparent microsoft.com
# subdomain. The rule only sees the Host header the client presented, so do not suppress on the domain name; verify
# how that name resolved on the endpoint before closing the alert.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software spyware protect 2009 outbound connection - block"; flow:to_server,established; content:"/block.php?"; nocase; http_uri; content:"r=19.0"; distance:0; nocase; http_uri; content:"browser-security.microsoft.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151948; classtype:trojan-activity; sid:16247; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software spyware protect 2009 outbound connection - purchase request"; flow:to_server,established; content:"/purchase?"; nocase; http_uri; content:"r="; distance:0; nocase; http_uri; content:"spywprotect.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151948; classtype:trojan-activity; sid:16246; rev:8;)
# sid:16245 - XP Police install beacon: no host constraint, and /controller.php with action=, guid= and rnd= are
# generic parameter names used by ordinary web applications - expect false positives; tune or add a host before enabling.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp police antivirus install-timedetection"; flow:to_server,established; content:"/controller.php"; nocase; http_uri; content:"action="; distance:0; nocase; http_uri; content:"guid="; distance:0; nocase; http_uri; content:"rnd="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151932; classtype:trojan-activity; sid:16245; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp police antivirus runtime detection - purchase"; flow:to_server,established; content:"/xpbuy/"; nocase; http_uri; content:"xp-police.com"; 
fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151932; classtype:trojan-activity; sid:16244; rev:8;)
# sid:16136 - XP AntiSpyware 2009: Host pinned via a full "Host: www.xpas2009.com" content in http_header (fast_pattern).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker xp antispyware 2009 runtime detection - pre-sale webpage"; flow:to_server,established; content:"/buy.html?"; nocase; http_uri; content:"wmid="; nocase; http_uri; content:"skey="; nocase; http_uri; content:"Host|3A| www.xpas2009.com"; fast_pattern; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=XPAntiSpyware%202009&threatid=429593; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141780; classtype:misc-activity; sid:16136; rev:8;)
# sid:16135 / sid:16134 - Spyware Guard 2008: the tight form used by the newer rules - an unanchored domain content
# in http_header for the fast pattern, plus pcre /^Host\x3a[^\r\n]*domain/smiH that pins the domain to the Host line
# of the normalized header buffer. Prefer this over distance:0-only host matching (compare sid:19578).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spyware guard 2008 runtime detection - purchase page"; flow:to_server,established; content:"/buy.html?"; nocase; http_uri; content:"track_id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"gosg2008.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*gosg2008\x2ecom/smiH"; metadata:service http; reference:url,malwaredatabase.net/blog/index.php/2008/10/23/antivirus-2009-2-file-added-5-domains-added-low-detection-136/; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141606; classtype:misc-activity; sid:16135; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spyware guard 2008 runtime detection - contacts remote server"; flow:to_server,established; content:"/api.php?"; nocase; http_uri; content:"data="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cmserv.org"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*cmserv\x2eorg/smiH"; metadata:service http; reference:url,malwaredatabase.net/blog/index.php/2008/10/23/antivirus-2009-2-file-added-5-domains-added-low-detection-136/; 
reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141606; classtype:misc-activity; sid:16134; rev:6;)
# sid:16127 - superiorads: "/bc/123kah.php" has no http_uri modifier, so it is a raw-payload match. The same path is
# matched by sid:14079 with a different host (a1.mxlivemedia.com), so the two rules can fire on related traffic.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware superiorads runtime detection"; flow:to_server,established; content:"/bc/123kah.php"; nocase; content:"Host|3A|"; nocase; http_header; content:"superiorads.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*superiorads\x2ebiz/smiH"; metadata:service http; reference:url,www.adwareaway.net/superiorads.htm; reference:url,www.precisesecurity.com/threats/adwaresuperiorads/; classtype:misc-activity; sid:16127; rev:5;)
# sid:16126 - VirusRemover 2008: keyed on the /2009/order/index.html? order path plus affiliate codes
# abbr=3P_UVRM / nid=3P_UVRM, with no host. sid:14061 matches the same order path with the 3P_UAMG code.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler virusremover 2008 outbound connection"; flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=3P_UVRM"; nocase; http_uri; content:"nid=3P_UVRM"; nocase; http_uri; metadata:service http; reference:url,ca.com/fr/securityadvisor/pest/pest.aspx?id=453137574; reference:url,www.spywareremove.com/removeVirusRemover2008.html; classtype:misc-activity; sid:16126; rev:8;)
# sid:16123 / sid:16122 - Antivirus XP 2008: host pinned to www.anti-virusxp2008.net with an anchored H-buffer pcre.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue antivirus xp 2008 runtime detection - update"; flow:to_server,established; content:"/updates/check.html"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.anti-virusxp2008.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2eanti\x2dvirusxp2008\x2enet/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Antivirus%20XP%202008%20(Winifixer)&threatid=310434; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-071613-4343-99&tabid=2; classtype:misc-activity; sid:16123; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue antivirus xp 2008 runtime detection - buy"; flow:to_server,established; content:"/buy2/"; 
nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.anti-virusxp2008.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2eanti\x2dvirusxp2008\x2enet/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Antivirus%20XP%202008%20(Winifixer)&threatid=310434; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-071613-4343-99&tabid=2; classtype:misc-activity; sid:16122; rev:6;)
# sid:16121 - WeatherStudio: "/dp/" and the two-byte "x=" are only meaningful because the Host is pinned to
# as.weatherstudio.com by the anchored pcre.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker weatherstudio outbound connection"; flow:to_server,established; content:"/dp/"; nocase; http_uri; content:"x="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.weatherstudio.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*as\x2eweatherstudio\x2ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122854; reference:url,vil.nai.com/vil/content/v_137487.htm; classtype:misc-activity; sid:16121; rev:7;)
# sid:16119 - WinReanimator update: URI-only (/WinReanimator/daily.cvd), no host constraint.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winreanimator runtime detection - daily update"; flow:to_server,established; content:"/WinReanimator/daily.cvd"; nocase; http_uri; metadata:service http; reference:url,www.411-spyware.com/effacer-winreanimator; reference:url,www.windowsvistaplace.com/winreanimator-removal-instructions-winreanimator/spyware-removal; classtype:misc-activity; sid:16119; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winreanimator runtime detection - register request"; flow:to_server,established; content:"/buy.html"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.winreanimator.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ewinreanimator\x2ecom/smiH"; metadata:service http; reference:url,www.411-spyware.com/effacer-winreanimator; reference:url,www.windowsvistaplace.com/winreanimator-removal-instructions-winreanimator/spyware-removal; 
classtype:misc-activity; sid:16118; rev:6;)
# sid:15567 / sid:15566 - Martuz / Gumblar: the domain appears inside the URI path (/martuz.cn/vid/?id=,
# /gumblar.cn/rss/?id=). The pcre has no U flag, so it is evaluated against the raw payload, not the normalized URI;
# the preceding http_uri content is what keeps the rule cheap.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Martuz HTTP GET request attempt"; flow:to_server,established; content:"/martuz.cn"; nocase; http_uri; pcre:"/\x2Fmartuz\x2Ecn\x2Fvid\x2F\x3Fid\x3D\d+/smi"; metadata:service http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15567; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Gumblar HTTP GET request attempt"; flow:to_server,established; content:"/gumblar.cn"; nocase; http_uri; pcre:"/\x2Fgumblar\x2Ecn\x2Frss\x2F\x3Fid\x3D\d+/smi"; metadata:service http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15566; rev:8;)
# sid:15476 - Waledac: matches only the presence of the custom request header name X-Request-Kind-Code:, with no
# value, URI or host constraint - header-name keyed, so it survives C2 domain rotation.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Waledac spam bot HTTP POST request"; flow:to_server,established; content:"X-Request-Kind-Code|3A|"; nocase; http_header; metadata:service http; reference:url,blogs.technet.com/mmpc/archive/2009/04/14/wheres-waledac.aspx; classtype:misc-activity; sid:15476; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winspywareprotect runtime detection - connection to malicious server"; flow:to_server,established; content:"/confuci.php?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"xiphoman.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*xiphoman\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453132073; reference:url,www.spywareremove.com/removeWinSpywareProtect.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042206-4253-99&tabid=1; classtype:misc-activity; sid:14080; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winspywareprotect runtime detection - connection to malicious sites"; flow:to_server,established; 
content:"/bc/123kah.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"a1.mxlivemedia.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*a1\x2Emxlivemedia\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453132073; reference:url,www.spywareremove.com/removeWinSpywareProtect.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042206-4253-99&tabid=1; classtype:misc-activity; sid:14079; rev:6;)
# sid:14079 (above): same /bc/123kah.php path as sid:16127 (superiorads.biz), here with host a1.mxlivemedia.com.
# sid:14078 - download of 73.exe: the User-Agent is pinned to "Installer" by the H-buffer pcre; that UA alone would be
# far too broad, the exe path is the selector.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winspywareprotect runtime detection - download malicous code"; flow:to_server,established; content:"/mxlivemedia/multi/73.exe"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Installer"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Installer/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453132073; reference:url,www.spywareremove.com/removeWinSpywareProtect.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042206-4253-99&tabid=1; classtype:misc-activity; sid:14078; rev:9;)
# sid:14077 - Mostofate search redirect: generic search parameters (q=, pstv=) pinned by Host www.powersearchtool.com.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker Adware win32 mostofate runtime detection - redirect search results"; flow:to_server,established; content:"/results/?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"pstv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.powersearchtool.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2epowersearchtool\x2ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Mostofate.dx&threatid=356346; reference:url,www.f-secure.com/sw-desc/adware_w32_mostofate.shtml; classtype:misc-activity; sid:14077; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker Adware win32 mostofate runtime detection - hijack search"; 
flow:to_server,established; content:"/search/"; nocase; http_uri; content:"q="; nocase; http_uri; content:"pstv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.powersearchtool.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2epowersearchtool\x2ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Mostofate.dx&threatid=356346; reference:url,www.f-secure.com/sw-desc/adware_w32_mostofate.shtml; classtype:misc-activity; sid:14076; rev:6;)
# sid:14073 / sid:14072 / sid:14071 - BHO.gen: the domain content (ieantivirus.com, free-viruscan.com) and the
# ^Host pcre carry no http_header / H modifier (raw-payload match), and the domain content uses distance:0 relative
# to a preceding http_uri match. How a relative modifier is applied across different buffers is not obvious from the
# rule text and should be confirmed on the target Snort version; the sibling rules' form (content in http_header plus
# an /smiH pcre) avoids the question.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker Adware bho.gen runtime detection - prompt download page"; flow:to_server,established; content:"/download.php"; nocase; http_uri; content:"ieantivirus.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*ieantivirus\x2Ecom/smi"; metadata:service http; reference:url,vil.nai.com/vil/content/v_140752.htm; reference:url,www.pctools.com/mrc/infections/id/Adware.BHO.GEN/; classtype:misc-activity; sid:14073; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker Adware bho.gen runtime detection - pop-up window traffic #2"; flow:to_server,established; content:"/?pp"; nocase; http_uri; content:"id="; nocase; http_uri; content:"free-viruscan.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*free\x2Dviruscan\x2Ecom/smi"; metadata:service http; reference:url,vil.nai.com/vil/content/v_140752.htm; reference:url,www.pctools.com/mrc/infections/id/Adware.BHO.GEN/; classtype:misc-activity; sid:14072; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker Adware bho.gen runtime detection - pop-up window traffic #1"; flow:to_server,established; content:"/id/"; nocase; http_uri; content:"free-viruscan.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*free\x2Dviruscan\x2Ecom/smi"; metadata:service http; reference:url,vil.nai.com/vil/content/v_140752.htm; reference:url,www.pctools.com/mrc/infections/id/Adware.BHO.GEN/; 
classtype:misc-activity; sid:14071; rev:5;)
# sid:14070 / sid:14069 - Brave Sentry: short URI parameters (v=, d=, vs=, advid=) pinned by Host www.bravesentry.com.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware brave sentry runtime detection - self update"; flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.bravesentry.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ebravesentry\x2ecom/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_138897.htm; reference:url,www.spywareremove.com/removeBravesentry.html; classtype:misc-activity; sid:14070; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware brave sentry runtime detection - order request"; flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.bravesentry.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ebravesentry\x2ecom/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_138897.htm; reference:url,www.spywareremove.com/removeBravesentry.html; classtype:misc-activity; sid:14069; rev:6;)
# sid:14068 - Rond: keyed on a long ad-parameter chain plus a Referer of http://mtn5.goole.ws/ac.php, matched as a
# raw-payload content (distance:0 from the last http_uri match) and a ^Referer pcre without the H flag. The Referer is
# client-controlled, which is fine here since the client is the adware.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware rond runtime detection"; flow:to_server,established; content:"/st?"; nocase; http_uri; content:"ad_type=pop"; nocase; http_uri; content:"ad_size="; nocase; http_uri; content:"section="; nocase; http_uri; content:"banned_pop_types="; nocase; http_uri; content:"pop_times="; nocase; http_uri; content:"http|3A|//mtn5.goole.ws/ac.php"; distance:0; nocase; pcre:"/^Referer\x3a[^\r\n]*http\x3A\x2F\x2Fmtn5\x2Egoole\x2Ews\x2Fac\x2Ephp/smi"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Adware.Rond&threatid=164718; reference:url,www.spywaredetector.net/spyware_encyclopedia/Adware.Rond.htm; classtype:misc-activity; sid:14068; rev:5;)
# alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware swizzor runtime detection"; flow:to_server,established; content:"/tba/cm"; nocase; content:"Host|3A|"; nocase; http_header; content:"ads.netbios-local.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ads\x2enetbios\x2dlocal\x2ecom/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_136491.htm; reference:url,www.411-spyware.com/remove-swizzor; classtype:misc-activity; sid:14067; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winsecuredisc runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"WinSecureDisc"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*WinSecureDisc/smiH"; metadata:service http; reference:url,www.emsisoft.com/fr/malware/?Adware.Win32.WinSecureDisc; reference:url,www.spywareremove.com/removeWinSecureDisc.html; classtype:misc-activity; sid:14066; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cashon outbound connection - auto update"; flow:to_server,established; content:"/app/cashonband/bin/CashOnUpdate.exe"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=CashOn&threatid=53428; reference:url,vil.nai.com/vil/content/v_142287.htm; classtype:misc-activity; sid:14064; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cashon outbound connection - hijack ie searches"; flow:to_server,established; content:"/search/search.php?"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.cashon.co.kr"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ecashon\x2eco\x2ekr/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=CashOn&threatid=53428; reference:url,vil.nai.com/vil/content/v_142287.htm; classtype:misc-activity; sid:14063; rev:9;) # 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler antimalware guard runtime detection - auto update"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"proto="; nocase; http_uri; content:"ac="; nocase; http_uri; content:"abbr=3P_UAMG"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"rc=3P_UAMG"; nocase; http_uri; metadata:service http; reference:url,www.spyware-techie.com/how-to-remove-anti-malware-guard/; reference:url,www.xp-vista.com/spyware-removal/antimalwareguard-antimalware-guard-removal-instructions; classtype:misc-activity; sid:14062; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler antimalware guard runtime detection - order/register request"; flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=3P_UAMG"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"al="; nocase; http_uri; content:"af="; nocase; http_uri; content:"an="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"nid=3P_UAMG"; nocase; http_uri; metadata:service http; reference:url,www.spyware-techie.com/how-to-remove-anti-malware-guard/; reference:url,www.xp-vista.com/spyware-removal/antimalwareguard-antimalware-guard-removal-instructions; classtype:misc-activity; sid:14061; rev:8;) # alert udp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PUA-ADWARE Hijacker cpush 2 outbound connection - pass info to controlling server"; content:"|01 0F|_H"; depth:4; content:"|00 00 00|"; offset:26; nocase; content:"|00 00|http|3A|//"; offset:1; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453101269; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-031215-0744-99; classtype:misc-activity; sid:14058; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware AdwareALERT runtime detection - auto update"; 
flow:to_server,established; content:"/update/info"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"AdwareAlert"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AdwareAlert/smiH"; metadata:service http; reference:url,www.2-spyware.com/remove-adwarealert.html; reference:url,www.411-spyware.com/remove-adwarealert; classtype:misc-activity; sid:14054; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler dropper agent.rqg outbound connection"; flow:to_server,established; content:"/cc.txt"; nocase; http_uri; flowbits:set,Dropper_Agent.rqg_Detection; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:13943; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker win32.bho.bgf outbound connection"; flow:to_server,established; content:"/105/bmw.q?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"44.770304123.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*44\x2e770304123\x2ecn/smiH"; metadata:service http; reference:url,www.baidumsg.com/malwareremoval/malwareremoval_5947.html; classtype:misc-activity; sid:13940; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Hijacker adware.win32.ejik.ec variant runtime detection - auto update"; flow:to_client,established; flowbits:isset,AdWare_Ejik.ec_Detection; file_data; content:"|3B|aa88.dll|3B|"; pcre:"/^\d+\x3baa88\x2edll\x3b\d+\x3b/smi"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Ejik.ec&threatid=281451; reference:url,www.emsisoft.fr/fr/malware/?Adware.Win32.Ejik.ec; classtype:misc-activity; sid:13939; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adware.win32.ejik.ec variant outbound connection"; flow:to_server,established; content:"/ver.txt"; nocase; http_uri; flowbits:set,AdWare_Ejik.ec_Detection; 
flowbits:noalert; metadata:service http; classtype:misc-activity; sid:13938; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adware.win32.ejik.ec variant runtime detection - call home"; flow:to_server,established; content:"/topnew/passdomain.txt"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.web228.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2eweb228\x2ecn/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Ejik.ec&threatid=281451; reference:url,www.emsisoft.fr/fr/malware/?Adware.Win32.Ejik.ec; classtype:misc-activity; sid:13937; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler pc privacy cleaner outbound connection - order/register request"; flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UPCPC"; nocase; http_uri; content:"nid=UPCPC"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"UPCPC"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*UPCPC/smiH"; metadata:service http; reference:url,malware-remover.com/pcprivacycleaner-removal-tool-pc-privacy-cleaner/; reference:url,www.xp-vista.com/spyware-removal/pcprivacycleaner-pc-privacy-cleaner-removal-instructions; classtype:misc-activity; sid:13930; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware malware destructor 4.5 runtime detection - auto update"; flow:to_server,established; content:"/application/appver.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"MalwareDestructor"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*MalwareDestructor/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453116773; 
reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-090713-4427-99; classtype:misc-activity; sid:13875; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware malware destructor 4.5 runtime detection - order request"; flow:to_server,established; content:"/order.php?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"currentDate="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.malwaredestructor.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2emalwaredestructor\x2ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453116773; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-090713-4427-99; classtype:misc-activity; sid:13874; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler fushion 1.2.4.17 outbound connection - underground traffic"; flow:to_server,established; content:"/account_logout"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"xikee.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*xikee\x2ecom/smiH"; metadata:service http; reference:url,www.siteadvisor.pl/sites/funshion.com/downloads/11570528/; classtype:misc-activity; sid:13873; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler fushion 1.2.4.17 outbound connection - notice"; flow:to_server,established; content:"/sobar/notice/notice_baiducb.txt?"; fast_pattern; nocase; http_uri; content:"tn=funshion"; nocase; http_uri; content:"ss="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"bar-get"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*bar\x2dget/smiH"; metadata:service http; reference:url,www.siteadvisor.pl/sites/funshion.com/downloads/11570528/; classtype:misc-activity; sid:13872; rev:9;) # alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware coopen 5.0.0.87 runtime detection - ads"; flow:to_server,established; content:"/Adpic/"; fast_pattern; nocase; http_uri; content:".jpg"; nocase; http_uri; pcre:"/\x2fAdpic\x2f\d+\x2f\d+ad\x28\d+\x2c\d+\x2c\d+\x2c\d+\x29\x2ejpg/Ui"; metadata:service http; reference:url,www.spywareguide.com/spydet_3326_coopen.html; reference:url,www.spywaresignatures.com/details.php?spyware=coopen; classtype:misc-activity; sid:13871; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware coopen 5.0.0.87 runtime detection - init conn"; flow:to_server,established; content:"/87/param.aspx?"; fast_pattern; nocase; http_uri; content:"groupID="; nocase; http_uri; content:"spaceIDs="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"ver=5.0.0.87"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_3326_coopen.html; reference:url,www.spywaresignatures.com/details.php?spyware=coopen; classtype:misc-activity; sid:13870; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware antispywaremaster runtime detection - sale/register request"; flow:to_server,established; content:"/data/sale.php?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UASM"; nocase; http_uri; content:"nid=UASM"; nocase; http_uri; metadata:service http; reference:url,www.spywareremove.com/removeAntiSpywareMaster.html; reference:url,www.xp-vista.com/spyware-removal/antispywaremaster-antispyware-master-removal-instructions; classtype:misc-activity; sid:13869; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware antispywaremaster runtime detection - start fake scanning"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"gai="; nocase; http_uri; content:"gli="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UASM"; 
fast_pattern; nocase; http_uri; content:"err="; nocase; http_uri; metadata:service http; reference:url,www.spywareremove.com/removeAntiSpywareMaster.html; reference:url,www.xp-vista.com/spyware-removal/antispywaremaster-antispyware-master-removal-instructions; classtype:misc-activity; sid:13868; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker bitroll 5.0 outbound connection"; flow:to_server,established; content:"/banner.php?"; nocase; http_uri; content:"skin=Flexi.skf"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.411-spyware.com/remove-bitroll; reference:url,www.spywareremove.com/removeBitroll.html; classtype:misc-activity; sid:13852; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware roogoo 2.0 runtime detection - upgrade"; flow:to_server,established; content:"/upgrade/?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"fromid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"show.newRooGoo.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*show\x2enewRooGoo\x2ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_3018_roogoo.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966; classtype:misc-activity; sid:13851; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware roogoo 2.0 runtime detection - popup ads"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"VER="; nocase; http_uri; content:"AdID="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"SURL="; nocase; http_uri; content:"Host="; nocase; http_uri; content:"ConditionID="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"show.newroogoo.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*show\x2enewroogoo\x2ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_3018_roogoo.html; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966; classtype:misc-activity; sid:13850; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker rcse 4.4 outbound connection - hijack ie browser"; flow:to_server,established; content:"/10025rel/landing.php"; fast_pattern:only; content:"Rabio|3A|"; nocase; content:"RCSE"; distance:0; nocase; pcre:"/^Rabio\x3a[^\r\n]*RCSE/smi"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rabio&threatid=169974; reference:url,www.spywareguide.com/spydet_3770_rabio.html; classtype:misc-activity; sid:13849; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler zwinky runtime detection"; flow:to_server,established; content:"/registration/logins.jhtml?"; fast_pattern; nocase; http_uri; content:"caller=desktop"; nocase; http_uri; content:"action=check"; nocase; http_uri; content:"username="; nocase; http_uri; content:"dt="; nocase; http_uri; metadata:service http; reference:url,www.castlecops.com/p970801-Zwinky_MyWebSearch_Installer.html; reference:url,www.emsisoft.net/fr/malware/?Adware.Win32.Zwinky_Test; classtype:misc-activity; sid:13848; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware phoenician casino runtime detection"; flow:to_server,established; content:"/viperML/phoenician/phoenician.cab"; nocase; http_uri; metadata:service http; reference:url,spywaredetector.net/spyware_encyclopedia/Adware.Phoenician%20.htm; reference:url,www.spywareguide.com/spydet_3441_phoenician_casino.html; classtype:misc-activity; sid:13847; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Trickler mm.exe outbound connection"; flow:to_client,established; file_data; content:"MZKERNEL32.DLL"; nocase; content:"LoadLibraryA"; distance:0; nocase; content:"GetProcAddress"; distance:0; nocase; 
pcre:"/^MZKERNEL32\x2eDLL\x00\x00LoadLibraryA\x00\x00\x00\x00GetProcAddress/smi"; metadata:service http; reference:url,www.auditmypc.com/process/mm.asp; reference:url,www.fbmsoftware.com/spyware-net/process/mm_exe/1960/; classtype:misc-activity; sid:13813; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware xp antivirus runtime detection"; flow:to_server,established; content:"/order_xp.php?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"liveresponsesite.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*liveresponsesite\x2Ecom/smiH"; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453122012; reference:url,www.spywareguide.com/spydet_27817_xpantivirus.html; classtype:misc-activity; sid:13811; rev:6;) # alert udp $HOME_NET any -> $EXTERNAL_NET 31890 (msg:"PUA-ADWARE Trickler Adware.Win32.Ejik runtime detection - udp payload"; content:"60198E081622F7BCC5489B"; depth:22; nocase; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453123013; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Ejik.bc&threatid=239207; reference:url,www.emsisoft.it/it/malware/?Adware.Win32.Ejik.er; classtype:misc-activity; sid:13810; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ie antivirus runtime detection - update request"; flow:to_server,established; content:"/updates.php?"; nocase; http_uri; content:"data1="; nocase; http_uri; content:"data2="; nocase; http_uri; content:"data3="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ieantivirus.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ieantivirus\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/securityadvisor/pest/pest.aspx?id=453132958; reference:url,www.411-spyware.com/remove-ie-antivirus-3-2; classtype:misc-activity; sid:13809; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"PUA-ADWARE Adware ie antivirus runtime detection - presale request"; flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"la=order"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ieantivirus.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ieantivirus\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/securityadvisor/pest/pest.aspx?id=453132958; reference:url,www.411-spyware.com/remove-ie-antivirus-3-2; classtype:misc-activity; sid:13808; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler trojan ecodec outbound connection - initial server connection #2"; flow:to_server,established; content:"/spbrn/cinst.php?"; nocase; http_uri; content:"affid="; nocase; http_uri; content:"Host|3A|"; nocase; content:"safe-strip-download.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*safe-strip-download\x2ecom/smi"; metadata:service http; reference:url,spywarefiles.prevx.com/RRHHHJ44382562/MMCODEC%2EEXE.html; reference:url,virusinfo.prevx.com/viruscenter.asp?GRP=4812100013; classtype:misc-activity; sid:13775; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler trojan ecodec outbound connection - initial server connection #1"; flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"group="; nocase; http_uri; content:"Host|3A|"; nocase; content:"theonlybookmark.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*theonlybookmark\x2ecom/smi"; metadata:service http; reference:url,spywarefiles.prevx.com/RRHHHJ44382562/MMCODEC%2EEXE.html; reference:url,virusinfo.prevx.com/viruscenter.asp?GRP=4812100013; classtype:misc-activity; sid:13774; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winxdefender runtime detection - auto update"; flow:to_server,established; content:"/checkupdate.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"WinXDefender.com"; nocase; 
http_header; pcre:"/^Host\x3a[^\r\n]*WinXDefender\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinXDefender&threatid=155747; reference:url,www.411-spyware.com/remove-winxdefender; classtype:misc-activity; sid:13766; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winxdefender runtime detection - presale request"; flow:to_server,established; content:"/order.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"id="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.winxdefender.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Ewinxdefender\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinXDefender&threatid=155747; reference:url,www.411-spyware.com/remove-winxdefender; classtype:misc-activity; sid:13765; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-ADWARE Snoopware xpress remote outbound connection - init connection"; flow:to_client,established; content:"|01 00 01 00 03 00 01 00 14 00 01 01 01 00 DD DD DD DD 00 00 00 00|"; depth:22; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=XpressRemote&threatid=29388; classtype:successful-recon-limited; sid:13764; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware system defender runtime detection"; flow:to_server,established; content:"uid="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SystemDefender"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SystemDefender/smiH"; metadata:service http; reference:url,www.411-spyware.com/remove-systemdefender; reference:url,www.enigmasoftware.com/support/systemdefender-removal/; classtype:misc-activity; sid:13762; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashfiesta adbar runtime detection 
- updates traffic"; flow:to_server,established; content:"/partners/alex.php?"; fast_pattern; nocase; http_uri; content:"t="; nocase; http_uri; content:"dm="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.cashfiesta.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ecashfiesta\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=CashFiesta%20AdBar&threatid=42051; classtype:misc-activity; sid:13653; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE Keylogger all in one Keylogger runtime detection"; flow:to_server,established; content:"All In One Keylogger report."; nocase; content:"PGh0bWw+PGhlYWQ+PHRpdGxlPkFsbCBJbiBPbmUgS2V5bG9nZ2VyIFJlcG9y"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.All+In+One+Keylogger; reference:url,www.noadware.net/research/index2.php?item_id=1201&item_name=all-in-one%20spy; classtype:successful-recon-limited; sid:13652; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spyware stop runtime detection - auto updates"; flow:to_server,established; content:"/update/info"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SpywareStop"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SpywareStop/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SpywareStop&threatid=205898; reference:url,www.prevx.com/filenames/1299278770072512825-0/SPYWARESTOP.MSI.html; classtype:misc-activity; sid:13650; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spyware stop runtime detection - presale request"; flow:to_server,established; content:"/register.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.spywarestop.com"; nocase; http_header; 
pcre:"/^Host\x3a[^\r\n]*www\x2espywarestop\x2ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SpywareStop&threatid=205898; reference:url,www.prevx.com/filenames/1299278770072512825-0/SPYWARESTOP.MSI.html; classtype:misc-activity; sid:13649; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker mysearch bar 2.0.2.28 runtime detection"; flow:to_server,established; content:"/jsp/"; nocase; http_uri; content:"?st=bar"; nocase; http_uri; content:"searchfor="; fast_pattern; nocase; http_uri; pcre:"/jsp\/(GG(main|img|dirs?)|A(jmain|wns|wimg|wvid|waud)|Lsmain)\x2Ejsp\?st=bar&searchfor=/Ui"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=My%20Search%20Bar&threatid=14832; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.My+Search+Bar; classtype:misc-activity; sid:13648; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware registry defender runtime detection - error report request"; flow:to_server,established; content:"/report_error.aspx?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"e="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"registrydefender.techwithyou.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*registrydefender\x2Etechwithyou\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Registry%20Defender&threatid=91028; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Registry+Defender; classtype:misc-activity; sid:13647; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware registry defender runtime detection - presale request"; flow:to_server,established; content:"/shoppingcart.aspx?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"dlg="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; 
content:"www.registrydefender.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eregistrydefender\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Registry%20Defender&threatid=91028; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Registry+Defender; classtype:misc-activity; sid:13646; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware virus heat runtime detection - presale request"; flow:to_server,established; content:"/buy_online.php?"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.virusheat.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2evirusheat\x2ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453124583; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=VirusHeat&threatid=203189; classtype:misc-activity; sid:13637; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler downloader trojan.gen outbound connection - download malicious link"; flow:to_server,established; content:"/download.php?"; nocase; http_uri; content:"track_id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dl1.virusheat.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dl1\x2Evirusheat\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453120536; reference:url,www.prevx.com/filenames/X1895686732762432147-0/LAF4.EXE.html; classtype:misc-activity; sid:13636; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler downloader trojan.gen outbound connection - get malicious link"; flow:to_server,established; content:"/get.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.allcollisions.com"; nocase; http_header; 
pcre:"/^Host\x3A[^\r\n]*www\x2Eallcollisions\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453120536; reference:url,www.prevx.com/filenames/X1895686732762432147-0/LAF4.EXE.html; classtype:misc-activity; sid:13635; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler iecodec outbound connection - message dialog"; flow:to_server,established; content:"/a/pic1.gif"; nocase; http_uri; content:"Host|3A| vscodecsupport.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122786; reference:url,www.prevx.com/filenames/X743654547251516036-0/IECODEC.DLL.html; classtype:misc-activity; sid:13566; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler iecodec outbound connection - initial traffic"; flow:to_server,established; content:"/hb.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"q="; nocase; http_uri; content:"id="; nocase; http_uri; content:"aff="; nocase; http_uri; content:"Host|3A| vscodecsupport.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122786; reference:url,www.prevx.com/filenames/X743654547251516036-0/IECODEC.DLL.html; classtype:misc-activity; sid:13565; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware system doctor runtime detection - update status"; flow:to_server,established; content:"/stats.php?"; nocase; http_uri; content:"site_id=systemdoctor"; fast_pattern; nocase; http_uri; content:"lp="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"ref="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"USDR"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n].*USDR\d+/smiH"; metadata:service http; reference:url,www.2-spyware.com/remove-systemdoctor.html; 
reference:url,www.spywareguide.com/spydet_3049_systemdoctor_2006.html; classtype:misc-activity; sid:13564; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware system doctor runtime detection - presale request"; flow:to_server,established; content:"/download/2006/order.php?"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"Host|3A| systemdoctor.com"; nocase; metadata:service http; reference:url,www.2-spyware.com/remove-systemdoctor.html; reference:url,www.spywareguide.com/spydet_3049_systemdoctor_2006.html; classtype:misc-activity; sid:13563; rev:9;)
# NOTE(review): sids 13562/13561, 13491/13490, 13241/13240 and 12363 are one rogue-AV template: an /update.php? (v=, d=, vs=) or
# /buy.php? (advid=, emla=, lang=) URI plus a vendor Host line as the fast pattern. The short URI tokens are not selective on their
# own, so each rule's precision rests entirely on its Host content; a domain change by the vendor leaves the same kit undetected.
# Worth tuning and tracking as one family rather than rule by rule.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware malware alarm runtime detection - update request"; flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A| www.malware-alarm.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453113983; reference:url,www.sophos.com/security/analyses/malwarealarm.html; classtype:misc-activity; sid:13562; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware malware alarm runtime detection - presale request"; flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"emla="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A| www.malware-alarm.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453113983; reference:url,www.sophos.com/security/analyses/malwarealarm.html; classtype:misc-activity; sid:13561; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker kword interkey outbound connection - log user info"; flow:to_server,established; content:"/dwi_log/catch?"; fast_pattern; nocase; http_uri; content:"C="; nocase; http_uri; content:"V="; nocase; http_uri; content:"E="; nocase; http_uri; content:"R="; nocase; http_uri; content:"www.kword.co.kr"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kword.InterKey&threatid=46477; reference:url,www.noadware.net/research/index2.php?item_id=2656&item_name=Kword.InterKey; classtype:misc-activity; sid:13558; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker kword interkey outbound connection - search traffic 2"; flow:to_server,established; content:"/search.asp?"; nocase; http_uri; content:"fcode="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"part="; nocase; http_uri; content:"Host|3A| search.kword.co.kr"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kword.InterKey&threatid=46477; reference:url,www.noadware.net/research/index2.php?item_id=2656&item_name=Kword.InterKey; classtype:misc-activity; sid:13557; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker kword interkey outbound connection - search traffic 1"; flow:to_server,established; content:"/kwordenter.asp?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"ver=KW"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"vb"; nocase; http_header; content:"wininet"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*vb\s+wininet/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kword.InterKey&threatid=46477; reference:url,www.noadware.net/research/index2.php?item_id=2656&item_name=Kword.InterKey; classtype:misc-activity; sid:13556; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware iedefender runtime detection - update"; flow:to_server,established; content:"/updates.php?"; nocase; http_uri; content:"data1="; nocase; http_uri; content:"data2="; nocase; http_uri; content:"Host|3A| iedefender.com"; fast_pattern:only; metadata:service http; reference:url,www.sophos.com/security/analyses/iedefender.html; reference:url,www.spywareguide.com/spydet_5318_ie_defender.html; classtype:misc-activity; sid:13505; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware iedefender runtime detection - presale request"; flow:to_server,established; content:"/ie/"; nocase; http_uri; content:"Host|3A| iedefender.com"; fast_pattern:only; metadata:service http; reference:url,www.sophos.com/security/analyses/iedefender.html; reference:url,www.spywareguide.com/spydet_5318_ie_defender.html; classtype:misc-activity; sid:13504; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware contravirus runtime detection - update"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"ContraVirusPro"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*ContraVirusPro/smiH"; metadata:service http; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.Contra%20Virus.htm; reference:url,www.spywareguide.com/spydet_3552_contravirus.html; classtype:misc-activity; sid:13502; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware contravirus runtime detection - presale request"; flow:to_server,established; content:"/buy2.php?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"currentDate="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"Host|3A| www.contraviruspro.com"; fast_pattern:only; metadata:service http; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.Contra%20Virus.htm; reference:url,www.spywareguide.com/spydet_3552_contravirus.html; classtype:misc-activity; sid:13501; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker hbtbar outbound connection - log information"; flow:to_server,established; content:"/log.htm?"; nocase; http_uri; content:"website_id="; fast_pattern; nocase; http_uri; content:"unique="; nocase; http_uri; content:"all_unique="; nocase; http_uri; content:"dpi="; nocase; http_uri; content:"location="; nocase; http_uri; content:"t2t21"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=HDTBar&threatid=15102; reference:url,www.spywareremove.com/removeHDTBar.html; classtype:misc-activity; sid:13500; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker hbtbar outbound connection - search traffic 2"; flow:to_server,established; content:"/baidu?"; nocase; http_uri; content:"tn=t2t21"; fast_pattern; nocase; http_uri; content:"word="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=HDTBar&threatid=15102; reference:url,www.spywareremove.com/removeHDTBar.html; classtype:misc-activity; sid:13499; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker hbtbar outbound connection - search traffic 1"; flow:to_server,established; content:"/jump.asp?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"t2t21"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"siteid="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=HDTBar&threatid=15102; reference:url,www.spywareremove.com/removeHDTBar.html; classtype:misc-activity; sid:13498; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spy shredder 2.1 runtime detection - update"; flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"Host|3A| www.spy-shredder.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453123853; classtype:misc-activity; sid:13491; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spy shredder 2.1 runtime detection - presale request"; flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"emla="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A| www.spy-shredder.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453123853; classtype:misc-activity; sid:13490; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware elite protector runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"EliteProtector"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*EliteProtector/smiH"; metadata:service http; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453123830; classtype:misc-activity; sid:13487; rev:7;)
# NOTE(review): sid 13346 (enabled, below) only sets the RemoteDesktopInspector_detection flowbit and is flowbits:noalert; its sole
# consumer is sid 13347, which is disabled here. As shipped the pair therefore costs pattern matching on every outbound session but
# can never raise an alert - enable or disable the two together. Before enabling 13347, also confirm its header: it is written
# $HOME_NET -> $EXTERNAL_NET with flow:to_client, while the server reply it is meant to catch would come from $EXTERNAL_NET
# (compare sid 12138, whose to_client rule is $EXTERNAL_NET -> $HOME_NET). The T1076 reference is the retired ATT&CK id for
# Remote Desktop Protocol; the current mapping is T1021.001.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Snoopware remote desktop inspector runtime detection - init connection"; flow:to_client,established; flowbits:isset,RemoteDesktopInspector_detection; content:"DS"; depth:2; nocase; content:"|00 00 01 00 00 00 00 FE 01 00 00 F1 00 00 00 00|"; within:16; distance:2; nocase; reference:url,attack.mitre.org/techniques/T1076; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Desktop%20Inspector&threatid=41996; reference:url,www.emsisoft.com/es/malware/?Adware.Win32.Remote+Desktop+Inspector; classtype:successful-recon-limited; sid:13347; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Snoopware remote desktop inspector outbound connection - init connection"; flow:to_server,established; content:"DS|00 00 00 00 01 00 00 00 00 FE 01 00 00 F1 00 00 00 00|"; depth:20; nocase; flowbits:set,RemoteDesktopInspector_detection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1076; classtype:successful-recon-limited; sid:13346; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware yourprivacyguard runtime detection - update"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"proto="; nocase; http_uri; content:"rc="; nocase; http_uri; content:"v="; nocase; http_uri; content:"abbr="; nocase; http_uri; content:"platform="; nocase; http_uri; content:"os_version="; nocase; http_uri; content:"User-Agent|3A| Updater"; fast_pattern:only; metadata:service http; reference:url,removers.volyn.net/2007/11/02/yourprivacyguard-removal-tool-remove-yourprivacyguard-pop-ups/; reference:url,www.spywaredetector.net/spyware_encyclopedia/Adware.Yourprivacyguard.htm; classtype:misc-activity; sid:13345; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware yourprivacyguard runtime detection - presale request"; flow:to_server,established; content:"/privacy/presale.php?"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"lp="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"air="; nocase; http_uri; content:"lir="; nocase; http_uri; content:"afr="; nocase; http_uri; content:"rem="; nocase; http_uri; metadata:service http; reference:url,removers.volyn.net/2007/11/02/yourprivacyguard-removal-tool-remove-yourprivacyguard-pop-ups/; reference:url,www.spywaredetector.net/spyware_encyclopedia/Adware.Yourprivacyguard.htm; classtype:misc-activity; sid:13344; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware 2005-search loader runtime detection"; flow:to_server,established; content:"/go/go.php"; nocase; http_uri; content:"Host|3A| 2005-search.com"; fast_pattern:only; metadata:service http; reference:url,koffix.com/research/sites/2005-search.com.html; reference:url,www.malware.com.br/cgi/submit?action=list_comp; classtype:misc-activity; sid:13343; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker search4top outbound connection - popup ads"; flow:to_server,established; content:"/adjs.php?"; nocase; http_uri; content:"n="; nocase; http_uri; content:"what="; nocase; http_uri; content:"target="; nocase; http_uri; content:"exclude="; nocase; http_uri; content:"Referer|3A| www.search4top.com/english.asp?q="; fast_pattern:only; metadata:service http; reference:url,www.spyware-research-center.com/threatdisplay.aspx?name=Search4Top&threatid=100124; reference:url,www.spywareguide.com/spydet_3578_search4top.html; classtype:misc-activity; sid:13341; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker search4top outbound connection - hijack ie searches and error pages"; flow:to_server,established; content:"/0409/as.asp?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| www.search4top.com"; fast_pattern:only; metadata:service http; reference:url,www.spyware-research-center.com/threatdisplay.aspx?name=Search4Top&threatid=100124; reference:url,www.spywareguide.com/spydet_3578_search4top.html; classtype:misc-activity; sid:13340; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware 3wplayer 1.7 runtime detection"; flow:to_server,established; content:"/stats/stats.php"; fast_pattern; nocase; http_uri; content:"AppName=3wPlayer"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"WakeSpace"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*WakeSpace/smiH"; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453120279; reference:url,www.spywareremove.com/remove3wPlayer.html; classtype:misc-activity; sid:13286; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker phazebar outbound connection"; flow:to_server,established; content:"/__utm.gif?"; nocase; http_uri; content:"utmwv="; nocase; http_uri; content:"utmn="; nocase; http_uri; content:"utmhn=www.crawl.ws"; fast_pattern; nocase; http_uri; content:"utmr="; nocase; http_uri; content:"utmp="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_2531_phazebar.html; reference:url,www.spywareremove.com/removePhaZeBar.html; reference:url,www.uninstall-spyware.com/uninstallPhaZeBar.html; classtype:misc-activity; sid:13285; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware netguarder web cleaner runtime detection"; flow:to_server,established; content:"/update/webcleaner/en/updatelist.ini"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"NetGuarder WebCleaner"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*NetGuarder\s+WebCleaner/smiH"; metadata:service http; reference:url,www.ca.com/ca/fr/securityadvisor/pest/pest.aspx?id=453075057; reference:url,www.spywareguide.com/spydet_1824_netguarder_web_cleaner.html; classtype:misc-activity; sid:13284; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dreambar outbound connection"; flow:to_server,established; content:"/setting/geturl_kword.html"; fast_pattern; nocase; http_uri; content:"uCode="; nocase; http_uri; content:"Host|3A| oper.dreambar.co.kr"; nocase; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Dreambar&threatid=97491; classtype:misc-activity; sid:13283; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware netword agent runtime detection"; flow:to_server,established; content:"/q/qry.phtml?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"cx="; nocase; http_uri; content:"cxv="; nocase; http_uri; content:"qs="; nocase; http_uri; content:"get="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_2332_Netword_agent.html; reference:url,www.symantec.com/fr/fr/security_response/writeup.jsp?docid=2006-042614-1031-99; classtype:misc-activity; sid:13277; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware netpumper 1.26 runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"NetPumper"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*NetPumper/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453099585; reference:url,www.spywareguide.com/spydet_975_netpumper_1_2.html; classtype:misc-activity; sid:13242; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware live protection 2.1 runtime detection - application updates"; flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A| www.LiveProtection.net"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122098; reference:url,liveprotection.net; classtype:misc-activity; sid:13241; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware live protection 2.1 runtime detection - redirects to purchase page"; flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"emla="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A| www.liveprotection.net"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122098; reference:url,liveprotection.net; classtype:misc-activity; sid:13240; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware adult p2p 1.5 runtime detection"; flow:to_server,established; content:"/cgi-bin/nodes.cgi"; fast_pattern; nocase; http_uri; content:"app=Porn2Peer"; nocase; http_uri; content:"version="; nocase; http_uri; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122013; classtype:misc-activity; sid:13238; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware x-con spyware destroyer eh 3.2.8 runtime detection"; flow:to_server,established; content:"/xcon/XP/update.enc?="; nocase; http_uri; content:"Host|3A| x-conspywaredestroyer.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_2599_x_con_spyware_destroyer.html; reference:url,x-conspywaredestroyer.com; classtype:misc-activity; sid:12797; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gralicwrap outbound connection - display frauddb information"; flow:to_server,established; content:"/DisplayFraudDBInformation.php?id="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=GralicWrap&threatid=40183; reference:url,www.spywareguide.com/spydet_2594_gralicwrap.html; classtype:misc-activity; sid:12795; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gralicwrap outbound connection - search frauddb process"; flow:to_server,established; content:"/SearchFraudDBProcess.php?vbfraudURL="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=GralicWrap&threatid=40183; reference:url,www.spywareguide.com/spydet_2594_gralicwrap.html; classtype:misc-activity; sid:12794; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware sunshine spy 1.0 runtime detection - check update"; flow:to_server,established; content:"/gate/chkupdate.php"; nocase; http_uri; content:"Host|3A| www.sunshinespy.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Sunshine%20Spy&threatid=171191; classtype:misc-activity; sid:12789; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker sexyvideoscreensaver outbound connection"; flow:to_server,established; content:"/?adv=usernames&p=1"; fast_pattern; nocase; http_uri; content:"Host|3A| icoonet.com"; nocase; metadata:service http; reference:url,www.siteadvisor.com/sites/brothersoft.com/downloads/8226422/; reference:url,www.spywareguide.com/spydet_2535_sexyvideoscreensaver.html; classtype:misc-activity; sid:12722; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware pestbot runtime detection - purchase"; flow:to_server,established; content:"/purchase/"; nocase; http_uri; content:"Host|3A| pestbot.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_3581_pestbot.html; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; classtype:misc-activity; sid:12721; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware pestbot runtime detection - update"; flow:to_server,established; content:"/SpyBase/version.txt"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"AlertSpy"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AlertSpy/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_3581_pestbot.html; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; classtype:misc-activity; sid:12720; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker side find 1.0 outbound connection - hijacks search engine"; flow:to_server,established; content:"/bin/findwhat.dll?"; nocase; http_uri; content:"Host|3A| admedia.xmlsearch.findwhat.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453088285; classtype:misc-activity; sid:12719; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker side find 1.0 outbound connection - initial connection"; flow:to_server,established; content:"/results.php?target="; nocase; http_uri; content:"Host|3A| www.sidefind.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453088285; classtype:misc-activity; sid:12718; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware coopen 3.6.1 runtime detection - automatic upgrade"; flow:to_server,established; content:"/ForceUpgrade.aspx"; fast_pattern; nocase; http_uri; content:"mac="; nocase; http_uri; content:"hdid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_3326_coopen.html; classtype:misc-activity; sid:12696; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware coopen 3.6.1 runtime detection - initial connection"; flow:to_server,established; content:"/61/param.aspx"; fast_pattern; nocase; http_uri; content:"groupID="; nocase; http_uri; content:"spaceIDs="; nocase; http_uri; content:"mac="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_3326_coopen.html; classtype:misc-activity; sid:12695; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware avsystemcare runtime detection"; flow:to_server,established; content:"/?proto"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Updater"; nocase; http_header; content:"Host|3A| free.version.bestsellerantivirus.com"; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]*Updater/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_3529_avsystemcare.html; classtype:misc-activity; sid:12694; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker personalweb outbound connection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"PWeb"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:".personalweb.com"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*PWeb/smiH"; pcre:"/^Host\x3a[^\r\n]*\x2epersonalweb\x2ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_3785_personal_web.html; classtype:misc-activity; sid:12693; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SpyTech Realtime Spy Detection"; flow:to_server,established; content:"/realtime-spy/"; nocase; http_uri; content:"Host|3A| www.spytech-web.com"; nocase; http_header; metadata:service http; reference:url,www.spytech-web.com; classtype:misc-activity; sid:12678; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ISTBar runtime detection - softwares"; flow:to_server,established; content:"/ist/softwares/"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=572; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516; classtype:misc-activity; sid:12677; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Conspy Update Checking Detected"; flow:to_server,established; content:"quicken_update.php"; fast_pattern; nocase; http_uri; content:"Host|3A| conspy.com"; nocase; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-021210-1340-99&tabid=2se; classtype:misc-activity; sid:12676; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler zlob media codec outbound connection - download redirect domains"; flow:to_server,established; content:"/redirect-settings.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"said="; nocase; http_uri; content:"Host|3A| nameservicedirect.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453118001; classtype:misc-activity; sid:12660; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler zlob media codec outbound connection - automatic updates"; flow:to_server,established; content:"/get-update.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"said="; nocase; http_uri; content:"Host|3A| www.thenmnetwork.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453118001; classtype:misc-activity; sid:12659; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winantivirus pro 2007 runtime detection"; flow:to_server,established; content:"/?proto"; nocase; http_uri; content:"User-Agent|3A| Updater"; nocase; http_header; content:"Host|3A| trial.updates.winsoftware.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareremove.com/security/winantiviruspro2007-removal-instructions; classtype:misc-activity; sid:12658; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware icoo loader 2.5 runtime detection 2"; flow:to_server,established; content:"/upd.html"; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"Host|3A| www.icooloader.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareremove.com/removeICOOLoader.html; classtype:misc-activity; sid:12657; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware icoo loader 2.5 runtime detection 1"; flow:to_server,established; content:"/net.php"; http_uri; content:"login="; nocase; http_uri; content:"vk="; nocase; http_uri; content:"Host|3A| cserv.icoosoft.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareremove.com/removeICOOLoader.html; classtype:misc-activity; sid:12656; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker rabio 4.2 outbound connection - download updates"; flow:to_server,established; content:"/search-enhancer/updates/se.info"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_3770_rabio.html; classtype:misc-activity; sid:12655; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker rabio 4.2 outbound connection - hijack browser"; flow:to_server,established; content:"/10023rel/landing.php"; fast_pattern; nocase; http_uri; content:"Rabio|3A|"; nocase; content:"search-enhancer"; distance:0; nocase; pcre:"/^Rabio\x3a[^\r\n]*search\x2Denhancer/smi"; metadata:service http; reference:url,www.spywareguide.com/spydet_3770_rabio.html; classtype:misc-activity; sid:12654; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker new.net domain 7.2.2 outbound connection - download code"; flow:to_server,established; content:"/d/sr/"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Host|3A| rc12.overture.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_417_new_net.html; classtype:misc-activity; sid:12653; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker new.net domain 7.2.2 outbound connection - hijack browser"; flow:to_server,established; content:"/search.cgi"; nocase; http_uri; content:"Host|3A| www.quickbrowsersearch.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_417_new_net.html; classtype:misc-activity; sid:12652; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker onestepsearch 1.0.118 outbound connection - upgrade"; flow:to_server,established; content:"/?vn"; nocase; http_uri; content:"partner=onestep"; nocase; http_uri; content:"ptag="; nocase; http_uri; content:"initial_install="; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=3762; classtype:misc-activity; sid:12624; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker onestepsearch 1.0.118 outbound connection"; flow:to_server,established; content:"/b.cgi?"; nocase; http_uri; content:"bk="; nocase; http_uri; content:"Host|3A| www.onestepsearch.net"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=3762; classtype:misc-activity; sid:12623; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware drive cleaner 1.0.111 runtime detection"; flow:to_server,established; content:"/site_drivecleaner/ad_keyin/link_keyin/aff_keyin"; fast_pattern; nocase; http_uri; content:"Host|3A| stats.drivecleaner.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=3150; classtype:misc-activity; sid:12620; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware instant buzz runtime detection - random text ads"; flow:to_server,established; content:"/click.php?"; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| www2.instantbuzz.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=InstantBuzz&threatid=30791; reference:url,www.spywareguide.com/spydet_3102_instant_buzz.html; reference:url,www.spywareremove.com/removeInstantBuzz.html; classtype:misc-activity; sid:12485; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware instant buzz runtime detection - ads for members"; flow:to_server,established; content:"/members.php?"; fast_pattern; nocase; http_uri; content:"username="; nocase; http_uri; content:"auth="; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page=(messages|community)/Ui"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=InstantBuzz&threatid=30791; reference:url,www.spywareguide.com/spydet_3102_instant_buzz.html; reference:url,www.spywareremove.com/removeInstantBuzz.html; classtype:misc-activity; sid:12484; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies virusprotectpro 3.7 outbound connection"; flow:to_server,established; content:"/buy_online.php?"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"Host|3A| www.virusprotectpro.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_3699_virusprotectpro.html; reference:url,www.xp-vista.com/spyware-removal/virusprotectpro-removal-instructions; classtype:misc-activity; sid:12483; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker imesh mediabar outbound connection - collect user information"; flow:to_server,established; content:"__utm.gif?"; nocase; http_uri; content:"utmwv="; nocase; http_uri; content:"utmn="; nocase; http_uri; content:"utmcs="; nocase; http_uri; content:"utmsr="; nocase; http_uri; content:"utmhn=search.imesh.com"; fast_pattern; nocase; http_uri; content:"utmp="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=imesh&threatid=6994; reference:url,www.spywaredata.com/spyware/malware/mediabar.dll.php; classtype:misc-activity; sid:12369; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker imesh mediabar outbound connection - hijack ie side search"; flow:to_server,established; content:"/sidebar.html?"; fast_pattern; nocase; http_uri; content:"src=ssb"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=imesh&threatid=6994; reference:url,www.spywaredata.com/spyware/malware/mediabar.dll.php; classtype:misc-activity; sid:12368; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker imesh mediabar outbound connection - hijack ie searches"; flow:to_server,established; content:"/webResults.html?"; nocase; http_uri; content:"src="; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| search.imesh.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=imesh&threatid=6994; reference:url,www.spywaredata.com/spyware/malware/mediabar.dll.php; classtype:misc-activity; sid:12367; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker proventactics 3.5 outbound connection - redirect searches"; flow:to_server,established; content:"/search/index.php?"; nocase; http_uri; content:"query_string="; nocase; http_uri; content:"Host|3A| www.proventactics.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=ProvenTactics&threatid=10038; reference:url,www.spywareguide.com/spydet_1826_proventactics.html; classtype:misc-activity; sid:12365; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies malware-stopper outbound connection"; flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A| www.malware-stopper.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Malware-Stopper&threatid=136931; reference:url,www.spywareguide.com/spydet_3513_malware_stopper.html; classtype:misc-activity; sid:12363; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Infostealer.Monstres outbound connection"; flow:to_server,established; content:"grabv2.php"; nocase; http_uri; metadata:service http; reference:url,www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-081617-4608-99; classtype:misc-activity; sid:12361; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 3search outbound connection - hijacking"; flow:to_server,established; content:"/search.php?q="; nocase; http_uri; content:"Host|3A| downloadfile.org"; fast_pattern:only; metadata:service http; reference:url,www.downloadfile.org; reference:url,www.softwarerevenue.org; classtype:misc-activity; sid:12295; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker newdotnet quick! search outbound connection"; flow:to_server,established; content:"/apps/eps/eps.cgi?"; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; content:"dp_lp="; nocase; http_uri; content:"dp_p4pid="; nocase; http_uri; content:"dp_format="; nocase; http_uri; content:"s="; nocase; http_uri; content:"nnreq="; nocase; http_uri; content:"prt="; nocase; http_uri; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-102018-0405-99; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680; classtype:misc-activity; sid:12290; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware errorsafe runtime detection"; flow:to_server,established; content:"/pages/scanner/order.php"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"nid="; nocase; http_uri; content:"err="; nocase; http_uri; metadata:service http; reference:url,www.spywareremove.com/removeErrorSafe.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-012017-0346-99; classtype:misc-activity; sid:12232; rev:8;)
# NOTE(review): sids 12231 and 12229 carry the same msg and the same URI contents and differ only in how the Host header is
# matched (normalized http_header content plus pcre vs. a raw-buffer fast_pattern:only content). Enabling both would fire twice
# on the same request; keep one, or give them distinct msgs so the overlap is visible in the alert stream.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware vroomsearch runtime detection"; flow:to_server,established; content:"/cgi-bin/v30/pop.fcgi"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"gpstool.globaladserver.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*gpstool\x2eglobaladserver\x2ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_1274_vroomsearch.html; classtype:misc-activity; sid:12231; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware vroomsearch runtime detection"; flow:to_server,established; content:"/cgi-bin/v30/pop.fcgi"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"Host|3A| gpstool.globaladserver.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_1274_vroomsearch.html; classtype:misc-activity; sid:12229; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware enbrowser snackman runtime detection"; flow:to_server,established; content:"/mbop/index.php3?"; nocase; content:"UID="; distance:0; nocase; content:"DIST="; distance:0; nocase; content:"VER="; distance:0; nocase; content:"Host|3A| www.digink.com"; fast_pattern:only; metadata:service http; reference:url,www.popupsentry.com/S/SNACKMAN.EXE-4411.html; reference:url,www.spywareguide.com/spydet_2334_enbrowser.html; classtype:misc-activity; sid:12224; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cnnic update outbound connection"; flow:to_server,established; content:"/cn.dll?"; fast_pattern; nocase; http_uri; content:"pid="; nocase; http_uri; content:"met="; nocase; http_uri; content:"charset="; nocase; http_uri; content:"name="; nocase; http_uri; metadata:service http; reference:url,www.econsultant.com/spyware-database/c/cnnic-update.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097703; classtype:misc-activity; sid:12140; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Adware zamingo runtime detection"; flow:to_client,established; content:"Set-Cookie|3A|"; nocase; http_header; content:"LastURL=http|3A|//www.680180.net|3A|80/ads/"; nocase; http_header; pcre:"/^Set-Cookie\x3a[^\r\n]*LastURL\x3dhttp\x3a\x2f\x2fwww\x2e680180\x2enet\x3a80\x2fads\x2f/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_795_zamingo.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088136; classtype:misc-activity; sid:12138; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker lookquick outbound connection - monitor and collect user info"; flow:to_server,established; content:"/r.look?plq="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1810; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079050; classtype:misc-activity; sid:12124; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker lookquick outbound connection - hijack ie"; flow:to_server,established; content:"/search.php?keywords="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.lookquick.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Elookquick\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1810; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079050; classtype:misc-activity; sid:12123; rev:9;)
# alert udp $HOME_NET 6600 -> $EXTERNAL_NET 30000 (msg:"PUA-ADWARE Adware pprich runtime detection - udp info sent out"; flow:to_server; content:"adf`%|24|%^pk*|94|"; depth:12; offset:8; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453100047; classtype:misc-activity; sid:12121; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware pprich runtime detection - version check"; flow:to_server,established; content:"/NewVerInfo.txt"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"down.pprich.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*down\x2Epprich\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453100047; classtype:misc-activity; sid:12120; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware yayad runtime detection";
flow:to_server,established; content:"/ad.asmx"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"yayad.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*yayad\x2Ecom/smiH"; metadata:service http; reference:url,www.360safe.com/elist.html; classtype:misc-activity; sid:12047; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler iowa webdownloader - icq notification"; flow:to_server,established; content:"/wwp/msg/1,,,00.html"; fast_pattern; nocase; http_uri; content:"Uin="; nocase; http_uri; content:"Name="; nocase; http_uri; content:"iowA"; nocase; http_uri; content:"WebDloader"; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59689; classtype:misc-activity; sid:11310; rev:10;) # alert udp $HOME_NET 8765 -> 255.255.255.255 8765 (msg:"PUA-ADWARE Snoopware childwebguardian outbound connection - udp broadcast"; flow:to_server; content:"ChildWebGuardian|3A|"; depth:17; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453099134; classtype:successful-recon-limited; sid:11306; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE Snoopware childwebguardian outbound connection - send log through smtp"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Report"; distance:0; nocase; content:"from"; distance:0; nocase; content:"ChildWebGuardian"; distance:0; nocase; content:"filename=|22|report.html|22|"; fast_pattern:only; pcre:"/^Subject\x3a[^\r\n]*Report[^\r\n]*from[^\r\n]*ChildWebGuardian/smi"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453099134; classtype:successful-recon-limited; sid:11305; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware mokead runtime detection"; flow:to_server,established; content:"/starts.asp"; nocase; http_uri; content:"ids="; nocase; http_uri; content:"webid="; nocase; http_uri; content:"ver="; nocase; http_uri; 
content:"Host|3A|"; nocase; http_header; content:"ad.mokead.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ad\x2Emokead\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453101519; classtype:misc-activity; sid:10439; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker bazookabar outbound connection"; flow:to_server,established; content:"/updates/checkversion.php"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.myarmory.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Emyarmory\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073886; classtype:misc-activity; sid:10437; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware newweb runtime detection"; flow:to_server,established; content:"/cliententry/"; fast_pattern; nocase; http_uri; content:"X-TITLE|3A|"; nocase; http_header; content:"X-KEYWORD|3A|"; nocase; http_header; content:"X-ADLIST|3A|"; nocase; http_header; content:"X-COMMAND|3A|"; nocase; http_header; content:"X-CLIENTID|3A|"; nocase; http_header; content:"X-TARGETURL|3A|"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097957; classtype:misc-activity; sid:10182; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware adclicker-ej runtime detection"; flow:to_server,established; content:"/SetIE/SetIE.txt"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_139523.htm; classtype:misc-activity; sid:10164; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware borlan runtime detection"; flow:to_server,established; content:"/send"; nocase; http_uri; content:"type="; nocase; http_uri; content:"pop_rule_id="; nocase; http_uri; content:"n="; nocase; 
http_uri; content:"Host|3A| www.borlander.com.cn"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097501; classtype:misc-activity; sid:10094; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler zango easymessenger outbound connection"; flow:to_server,established; content:"/connect.php"; nocase; http_uri; content:"N="; nocase; http_uri; content:"Zango"; nocase; http_uri; content:"Messenger"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.easymessage.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eeasymessage\x2Enet/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2182; classtype:misc-activity; sid:10090; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware u88 runtime detection"; flow:to_server,established; content:"friendlink="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.u88.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eu88\x2Ecn/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Adware.U88&threatid=46383; classtype:misc-activity; sid:9831; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker oemji bar outbound connection"; flow:to_server,established; content:"/bar/"; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"app="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.oemji.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eoemji\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094187; classtype:misc-activity; sid:9652; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ricercadoppia outbound connection"; flow:to_server,established; content:"/banner/banner.asp"; nocase; http_uri; 
content:"Host|3A|"; nocase; http_header; content:"www.ricercadoppia.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Ericercadoppia\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098730; classtype:misc-activity; sid:9651; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker sogou outbound connection - keyword hijack"; flow:to_server,established; content:"/express/sq.jsp"; fast_pattern; nocase; http_uri; content:"query="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.sogou.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Esogou\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098380; classtype:misc-activity; sid:9645; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware imnames runtime detection"; flow:to_server,established; content:"/bho/ibho.php"; fast_pattern; nocase; http_uri; content:"add="; nocase; http_uri; content:"hdid="; nocase; http_uri; content:"os="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"modid="; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453100875; classtype:misc-activity; sid:9644; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware roogoo runtime detection - show ads"; flow:to_server,established; content:"/show/"; nocase; http_uri; content:"VER="; nocase; http_uri; content:"AdID="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"SURL="; nocase; http_uri; content:"Host="; nocase; http_uri; content:"ConditionID="; nocase; http_uri; content:"HostJ"; nocase; content:"show.roogoo.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*show\x2Eroogoo\x2Ecom/smi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=3018; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966; classtype:misc-activity; sid:8546; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware roogoo runtime detection - surfing monitor"; flow:to_server,established; content:"|7C|roogoo|7C|"; fast_pattern:only; pcre:"/^\x23\d+\x7c([0-9A-E]{2}\x2d){5}[0-9A-E]{2}\x7croogoo\x7c/smi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=3018; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966; classtype:misc-activity; sid:8545; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker accoona outbound connection - open sidebar search url"; flow:to_server,established; content:"/search_assistant/accoona_search_assistant.jsp"; http_uri; content:"utm_id="; nocase; http_uri; content:"utm_content="; nocase; http_uri; content:"utm_source="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.accoona.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eaccoona\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096478; classtype:misc-activity; sid:8469; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker accoona outbound connection - collect info"; flow:to_server,established; content:"/soap"; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.accoona.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eaccoona\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096478; classtype:misc-activity; sid:8468; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware henbang runtime detection"; flow:to_server,established; content:"/hap/adserver.aspx"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"distributorid="; nocase; http_uri; 
content:"User-Agent|3A|"; nocase; http_header; content:"AD"; nocase; http_header; content:"Request"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"wwws.henbang.net"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AD[^\r\n]*Request/smiH"; pcre:"/^Host\x3a[^\r\n]*wwws\x2Ehenbang\x2Enet/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094312; classtype:misc-activity; sid:8464; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - search info collect"; flow:to_server,established; content:"/stat.htm"; nocase; http_uri; content:"id="; nocase; http_uri; content:"repeatip="; nocase; http_uri; content:"Host|3A| count.yok.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8360; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - target website display"; flow:to_server,established; content:"/related_bottom_v2.php"; fast_pattern; nocase; http_uri; content:"key="; nocase; http_uri; content:"No="; http_uri; content:"Host|3A|"; nocase; content:"related.yok.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*related\x2Eyok\x2Ecom/smi"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8359; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - addressbar keyword search hijack"; flow:to_server,established; content:"/go3.php"; nocase; http_uri; content:"key="; nocase; http_uri; content:"NO="; nocase; http_uri; content:"PID="; nocase; http_uri; content:"UN="; nocase; http_uri; content:"Host|3A|"; nocase; content:"www.yok.com"; distance:0; nocase; 
pcre:"/^Host\x3a[^\r\n]*www\x2Eyok\x2Ecom/smi"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8358; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware desktopmedia runtime detection - surf monitoring"; flow:to_server,established; content:"/script/judge/judge.html"; fast_pattern; nocase; http_uri; content:"mid="; nocase; http_uri; content:"type="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cojud.dmcast.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*cojud\x2Edmcast\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8354; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware desktopmedia runtime detection - auto update"; flow:to_server,established; content:"/script/update.asp"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"ownerversion="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dcww.dmcast.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*dcww\x2Edmcast\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8353; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware desktopmedia runtime detection - ads popup"; flow:to_server,established; content:"/rep/pop/pop_"; nocase; http_uri; content:"ad_soft_type="; nocase; http_uri; content:"ad_mid="; nocase; http_uri; content:"ad_type="; nocase; http_uri; content:"dm_source="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"corep.dmcast.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*corep\x2Edmcast\x2Ecom/smiH"; metadata:service http; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8352; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker findthewebsiteyouneed outbound connection - surf monitor"; flow:to_server,established; content:"/1.asp"; nocase; http_uri; content:"r_t="; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.internetadvertisingcompany.biz"; nocase; http_header; content:"keyword="; nocase; content:"url="; distance:0; nocase; content:"www%2efindthewebsiteyouneed%2ecom"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Einternetadvertisingcompany\x2Ebiz/smiH"; pcre:"/keyword\x3d[^\r\n]*url\x3d[^\r\n]*www\x252efindthewebsiteyouneed\x252ecom/smi"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098705; classtype:misc-activity; sid:8072; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker findthewebsiteyouneed outbound connection - search hijack"; flow:to_server,established; content:"/search.asp"; nocase; http_uri; content:"group=autosearch"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"searches.worldtostart.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*searches\x2Eworldtostart\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098705; classtype:misc-activity; sid:8071; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware web-nexus runtime detection - ad url 2"; flow:to_server,established; content:"/exclurls.php"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"cid="; nocase; http_uri; content:"eus="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dl.web-nexus.net"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dl\x2Eweb-nexus\x2Enet/smiH"; metadata:service http; 
reference:url,www.spywareguide.com/product_show.php?id=381; classtype:misc-activity; sid:7855; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware web-nexus runtime detection - config retrieval"; flow:to_server,established; content:"/cconfig.php"; nocase; http_uri; content:"Qool-Uptime|3A|"; nocase; http_header; content:"Win-Version|3A|"; nocase; http_header; content:"QoolIE-Version|3A|"; nocase; content:"Host|3A|"; nocase; http_header; content:"dl.web-nexus.net"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dl\x2Eweb-nexus\x2Enet/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=381; classtype:misc-activity; sid:7854; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware web-nexus runtime detection - ad url 1"; flow:to_server,established; content:"/cp.php"; nocase; http_uri; content:"QoolShown-Popups|3A|"; nocase; content:"QoolShown-Popups-nt|3A|"; fast_pattern:only; content:"Host|3A|"; nocase; http_header; content:"stech.web-nexus.net"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*stech\x2Eweb-nexus\x2Enet/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=381; classtype:misc-activity; sid:7853; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler maxsearch outbound connection - advertisement"; flow:to_server,established; content:"/pan/adlogbundle.php"; fast_pattern; nocase; http_uri; content:"bannerid="; nocase; http_uri; content:"zoneid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.adoptim.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eadoptim\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2248; classtype:misc-activity; sid:7852; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler maxsearch outbound connection - ack"; flow:to_server,established; 
content:"/director/ack.php"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"version="; nocase; http_uri; content:"actionname="; nocase; http_uri; content:"action="; nocase; http_uri; content:"success="; nocase; http_uri; content:"debug="; nocase; http_uri; content:"nocache="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.maxifiles.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Emaxifiles\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2248; classtype:misc-activity; sid:7851; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler maxsearch outbound connection - retrieve command"; flow:to_server,established; content:"/director/wtd.php"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"version="; nocase; http_uri; content:"nocache="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.maxifiles.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Emaxifiles\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2248; classtype:misc-activity; sid:7850; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker avenuemedia.dyfuca outbound connection - post data"; flow:to_server,established; content:"/conf/xml/"; nocase; http_uri; content:"ver="; nocase; content:"rid="; nocase; content:"cls="; nocase; content:"ser="; nocase; content:"signint="; nocase; content:"installt="; nocase; content:"rmods="; nocase; content:"mods="; nocase; content:"iea="; nocase; content:"speed="; nocase; content:"Host|3A|"; nocase; http_header; content:"www.internet-optimizer.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Einternet-optimizer\x2Ecom/smiH"; metadata:service http; 
reference:url,www.itsecurity.com/security.htm?s=9473&sid=875854b6006d07f08dae34f1b78a4600; classtype:misc-activity; sid:7844; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker avenuemedia.dyfuca outbound connection - search engine hijack"; flow:to_server,established; content:"/searchresult/"; fast_pattern; nocase; http_uri; content:"lt="; nocase; http_uri; content:"q="; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.yoogee.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eyoogee\x2Ecom/smiH"; metadata:service http; reference:url,www.itsecurity.com/security.htm?s=9473&sid=875854b6006d07f08dae34f1b78a4600; classtype:misc-activity; sid:7843; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker instafinder error redirect detection"; flow:to_server,established; content:"/error2.asp"; http_uri; content:"err="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; pcre:"/^Host\x3A\s+www\x2Einstafinder\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1130; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090786; classtype:misc-activity; sid:7841; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware smiley central runtime detection"; flow:to_server,established; content:"/iframe.html"; nocase; http_uri; content:"bisFWB="; nocase; http_uri; content:"sPartnerID="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"rand="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.smileycentral.com"; nocase; http_header; pcre:"/^Host\x3A\s+www\x2Esmileycentral\x2Ecom/smiH"; metadata:service http; reference:url,www.mac-net.com/893488.page; reference:url,www.spywareguide.com/product_show.php?id=2181; classtype:misc-activity; sid:7838; rev:8;) # alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker navexcel helper outbound connection - search"; flow:to_server,established; content:"/search?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"ts="; nocase; http_uri; content:"Host|3A| www.trustedsearch.com"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=607; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928; classtype:misc-activity; sid:7833; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware downloadplus runtime detection"; flow:to_server,established; content:"guid="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"update="; nocase; http_uri; content:"brand="; nocase; http_uri; content:"User-Agent|3A| Message Center"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=532; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076008; classtype:misc-activity; sid:7831; rev:9;) # alert tcp $HOME_NET 1174 -> $EXTERNAL_NET any (msg:"PUA-ADWARE Botnet dacryptic outbound connection"; flow:to_client,established; content:"lasd|0A|"; depth:5; nocase; reference:url,www.spywareguide.com/product_show.php?id=1392; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=26162; classtype:trojan-activity; sid:7830; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware gator user-agent detected"; flow:to_server,established; content:"User-Agent|3A| Gator"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=10; reference:url,www.spywareguide.com/product_show.php?id=1201; reference:url,www.spywareguide.com/product_show.php?id=2179; reference:url,www.spywareguide.com/product_show.php?id=741; reference:url,www.spywareguide.com/product_show.php?id=774; 
reference:url,www.spywareguide.com/product_show.php?id=898; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094081; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094082; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094083; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094087; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094088; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094092; classtype:misc-activity; sid:7829; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware whenu runtime detection - search request 2"; flow:to_server,established; content:"/searchb?"; nocase; http_uri; content:"datatype="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"partner="; nocase; http_uri; content:"app=desktop"; fast_pattern; nocase; http_uri; content:"ui="; nocase; http_uri; content:"srchtrig="; nocase; http_uri; content:"pat="; nocase; http_uri; content:"cc="; nocase; http_uri; content:"rgn="; nocase; http_uri; content:"type="; nocase; http_uri; content:"sid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=18; reference:url,www.spywareguide.com/product_show.php?id=2485; classtype:misc-activity; sid:7828; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware whenu runtime detection - search request 1"; flow:to_server,established; content:"/SearchBar?"; fast_pattern; nocase; http_uri; content:"templ="; nocase; http_uri; content:"num="; nocase; http_uri; content:"app=desktop"; nocase; http_uri; content:"uiv="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"ctr="; nocase; http_uri; content:"cc="; nocase; http_uri; content:"rgn="; nocase; http_uri; content:"sgp="; nocase; http_uri; content:"stp="; nocase; http_uri; content:"cnt="; nocase; http_uri; content:"sid="; nocase; http_uri; metadata:service http; 
reference:url,www.spywareguide.com/product_show.php?id=18; reference:url,www.spywareguide.com/product_show.php?id=2230; reference:url,www.spywareguide.com/product_show.php?id=2485; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079971; classtype:misc-activity; sid:7827; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler whenu.weathercast outbound connection - check"; flow:to_server,established; content:"/WthrPrefs"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"whenu.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*whenu\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threat_display.cfm?name=WhenU.WeatherCast&threatid=14106; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074634; classtype:misc-activity; sid:7826; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware whenu.savenow runtime detection"; flow:to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"program=savenow"; fast_pattern; nocase; http_uri; content:"partner="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=18; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075520; classtype:misc-activity; sid:7825; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler whenu.clocksync outbound connection"; flow:to_server,established; content:"/ClockDB"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"whenu.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*whenu\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=871; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076030; classtype:misc-activity; sid:7824; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware whenu runtime detection - datachunksgz"; 
flow:to_server,established; content:"/DataChunksGZ"; fast_pattern; nocase; http_uri; content:"update="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=18; reference:url,www.spywareguide.com/product_show.php?id=2485; reference:url,www.spywareguide.com/product_show.php?id=871; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075520; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076030; classtype:misc-activity; sid:7823; rev:10;) # alert tcp $HOME_NET 7000 -> $EXTERNAL_NET any (msg:"PUA-ADWARE Snoopware big brother v3.5.1 outbound connection - connect to receiver"; flow:to_client,established; flowbits:isset,snoopware.big.brother.3.5.1.conn.cts; content:"HBand"; depth:6; nocase; content:"ZBM"; distance:0; nocase; pcre:"/^HBand,[^\r\n]*,[^\r\n]*,\d+,\d+\x2A\xD5ZBM/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45916; classtype:successful-recon-limited; sid:7603; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7000 (msg:"PUA-ADWARE Snoopware big brother v3.5.1 outbound connection - connect to receiver - flowbit set"; flow:to_server,established; content:"HBand"; depth:6; nocase; content:"~EOL!"; distance:0; nocase; pcre:"/^HBand\d+,\d+,\d+,\d+,\d+,\d+~EOL!/smi"; flowbits:set,snoopware.big.brother.3.5.1.conn.cts; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45916; classtype:successful-recon-limited; sid:7602; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 7001 (msg:"PUA-ADWARE Snoopware big brother v3.5.1 outbound connection - connect to keyserver"; flow:to_server,established; content:"login"; depth:5; nocase; content:"~EOL!"; distance:0; nocase; pcre:"/^login\s+[^\r\n]*\x2A[^\r\n]*~EOL!/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45916; classtype:successful-recon-limited; sid:7601; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adtraffic outbound connection - notfound 
website search hijack and redirection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"EFError"; nocase; http_header; content:"Internet"; nocase; http_header; content:"Connection"; nocase; http_header; content:"Test"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*EFError\s+Internet\s+Connection\s+Test/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094115; classtype:misc-activity; sid:7600; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware comedy planet runtime detection - collect user information"; flow:to_server,established; content:"/index.php?document="; fast_pattern:only; content:"form-data|3B|"; nocase; content:"name="; distance:0; nocase; content:"user_name"; distance:0; nocase; content:"user_email"; distance:0; nocase; metadata:service http; reference:url,labs.paretologic.com/spyware.aspx?remove=Comedy-Planet; classtype:misc-activity; sid:7595; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware comedy planet runtime detection - ads"; flow:to_server,established; content:"/advertisement/advertisement.php?"; fast_pattern; nocase; http_uri; content:"systemTray="; nocase; http_uri; content:"joke_category="; nocase; http_uri; content:"joke_id="; nocase; http_uri; metadata:service http; reference:url,labs.paretologic.com/spyware.aspx?remove=Comedy-Planet; classtype:misc-activity; sid:7594; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"PUA-ADWARE Trickler urlblaze outbound connection - irc notification"; flow:to_server,established; content:"NICK"; depth:4; nocase; content:"6633"; distance:0; nocase; pcre:"/^NICK\s+\x5E\d+\x5E\d+\x5E\d+\x5E\d+\x5E6633/smi"; reference:url,www.spywareguide.com/product_show.php?id=743; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073195; classtype:misc-activity; sid:7589; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"PUA-ADWARE Trickler urlblaze outbound connection - files search or download"; flow:to_server,established; content:"/phppbc.php"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.urlblaze.net"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.peer2mail.com"; nocase; http_header; pcre:"/^Referer\x3a[^\r\n]*www\x2eurlblaze\x2enet.*Host\x3A[^\r\n]*www\x2Epeer2mail\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=743; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073195; classtype:misc-activity; sid:7588; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler album galaxy outbound connection - p2p gnutella"; flow:to_server,established; content:"/P2P/gnutella/cache/gerry.asp"; fast_pattern; nocase; http_uri; content:"urlfile="; nocase; http_uri; content:"client=GALA"; nocase; http_uri; content:"version="; nocase; http_uri; content:"get="; nocase; http_uri; metadata:service http; reference:url,codegravity.com/index.php/spyware; classtype:misc-activity; sid:7573; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker linkspider search bar outbound connection - ads"; flow:to_server,established; content:"/pagead/ads?"; nocase; http_uri; content:"www.linkspider.co.uk/cgi-bin/cgsearch/cgsearch.cgi"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,linkspider.co.uk; classtype:misc-activity; sid:7570; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lordofsearch runtime detection"; flow:to_server,established; content:"/home/lordofsearch"; nocase; http_uri; pcre:"/\x5Chome\/lordofsearch[^\r\n]*\x2Ehtml/smi"; metadata:service http; reference:url,www.spywareguide.com/product_list_category.php?category_id=12; classtype:misc-activity; sid:7569; rev:14;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 
adshooter.searchforit outbound connection - redirector"; flow:to_server,established; content:"/redirector.html"; fast_pattern; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"advertiser_id="; nocase; http_uri; content:"keyword_id="; nocase; http_uri; content:"bid="; nocase; http_uri; content:"url="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=860; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079051; classtype:misc-activity; sid:7566; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adshooter.searchforit outbound connection - search engine"; flow:to_server,established; content:"/searchbar/engine.php"; fast_pattern; nocase; http_uri; content:"cver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.searchexpert.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Esearchexpert\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=860; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079051; classtype:misc-activity; sid:7565; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker startnow outbound connection"; flow:to_server,established; content:"/ieb/res/topres.xsl"; nocase; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1220; reference:url,www.spywareguide.com/product_show.php?id=1356; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083036; classtype:misc-activity; sid:7564; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware morpheus runtime detection - ad 2"; flow:to_server,established; content:"Referer|3A|"; nocase; http_header; content:"downloads.morpheus.com/rotation/"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*downloads\x2Emorpheus\x2Ecom\x2Frotation/smiH"; metadata:service http; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075453; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=54367; classtype:misc-activity; sid:7563; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware morpheus runtime detection - ad 1"; flow:to_server,established; content:"/rotation/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"downloads.morpheus.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*downloads\x2Emorpheus\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075453; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=54367; classtype:misc-activity; sid:7562; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker blazefind outbound connection - search bar"; flow:to_server,established; content:"/search_results.php"; fast_pattern; nocase; http_uri; content:"account_id="; nocase; http_uri; content:"search_string="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.blazefind.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]+www\x2Eblazefind\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=724; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079063; classtype:misc-activity; sid:7556; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hxdl runtime detection - hxdownload user-agent"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"HXDownload"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]+HXDownload/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079; classtype:misc-activity; sid:7554; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hxdl runtime detection - hxlogonly 
user-agent"; flow:to_server,established; content:"ClientID="; nocase; http_uri; content:"ServerTableID="; fast_pattern; nocase; http_uri; content:"ClientData="; nocase; http_uri; content:"AuxData="; nocase; http_uri; content:"ReleaseID="; nocase; http_uri; content:"ClientStats="; nocase; http_uri; content:"StoreID="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"HXLogOnly"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]+HXLogOnly/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079; classtype:misc-activity; sid:7553; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware adroar runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"ADROAR"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*ADROAR/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=761; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077256; classtype:misc-activity; sid:7550; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 2020search outbound connection"; flow:to_server,established; content:"/9894/search/search.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"pop.popuptoast.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*pop\x2Epopuptoast\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=640; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076971; classtype:misc-activity; sid:7543; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-ADWARE Screen-Scraper hidden camera outbound connection"; flow:to_server,established; content:"100"; depth:3; nocase; content:"hcarchive"; distance:0; nocase; content:"jpg"; distance:0; nocase; 
reference:url,www.sofotex.com/Hidden-Camera-download_L14936.html; classtype:successful-recon-limited; sid:7538; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker clearsearch variant outbound connection - popup"; flow:to_server,established; content:"/popup/popup.php?"; fast_pattern; nocase; http_uri; content:"cat="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"clearsearch.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*clearsearch\x2Ecom/smiH"; metadata:service http; reference:url,www.2-spyware.com/remove-clearsearch.html; reference:url,www.doxdesk.com/parasite/ClearSearch.html; classtype:misc-activity; sid:7536; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker clearsearch variant outbound connection - pass information"; flow:to_server,established; content:"/fast-cgi/bsc?"; nocase; http_uri; content:"mandant=clear"; nocase; http_uri; content:"synd=clear"; nocase; http_uri; content:"device="; nocase; http_uri; content:"portalLanguage="; fast_pattern; nocase; http_uri; content:"userLanguage="; nocase; http_uri; content:"context="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"q="; nocase; http_uri; metadata:service http; reference:url,www.2-spyware.com/remove-clearsearch.html; reference:url,www.doxdesk.com/parasite/ClearSearch.html; classtype:misc-activity; sid:7535; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware piolet runtime detection - ads request"; flow:to_server,established; content:"/ads/468x60"; nocase; http_uri; content:"Host|3A| www.piolet.com"; fast_pattern:only; http_header; metadata:service http; reference:url,taxster.fateback.com/piolet.htm; classtype:misc-activity; sid:7533; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware piolet runtime detection - user-agent"; flow:to_server,established; 
content:"User-Agent|3A|"; nocase; http_header; content:"Microsoft"; nocase; http_header; content:"URL"; nocase; http_header; content:"Control"; nocase; http_header; content:"Host|3A| www.piolet.com"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Microsoft\s+URL\s+Control/smiH"; metadata:service http; reference:url,taxster.fateback.com/piolet.htm; classtype:misc-activity; sid:7532; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"PUA-ADWARE Trickler mediaseek.pl client outbound connection - login"; flow:to_server,established; content:"GET"; depth:3; nocase; content:"/K?"; distance:0; nocase; pcre:"/^GET\s+\x2FK\x3F[^\r\n]*\x7C*\x7C*\x7C*\s+HTTP/smi"; metadata:service ftp; reference:url,www.remove-spyware-now.net/MediaSeek-pl-Client.html; classtype:misc-activity; sid:7531; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler mediaseek.pl client outbound connection - trickler"; flow:to_server,established; content:"/gs_trickler"; fast_pattern; nocase; http_uri; content:"TRICKLER"; nocase; pcre:"/^TRICKLER\d+=[^\r\n]*MediaSeek/smi"; metadata:service http; reference:url,www.remove-spyware-now.net/MediaSeek-pl-Client.html; classtype:misc-activity; sid:7530; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Snoopware halflife jacker outbound connection"; flow:to_server,established; content:"from=HL-Jacker"; nocase; http_uri; content:"body=key"; nocase; http_uri; content:"fromemail=Jacked"; fast_pattern; nocase; http_uri; content:"to="; nocase; http_uri; metadata:service http; reference:url,www.megasecurity.org/trojans/h/halflifejacker/Halflifejacker1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077199; classtype:successful-recon-limited; sid:7529; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker moneybar outbound connection - cgispy counter"; flow:to_server,established; content:"/counter3.cgi?"; fast_pattern; 
nocase; http_uri; content:"p=moneytreck"; nocase; http_uri; metadata:service http; reference:url,www.aladdin.com/home/csrt/grayware-list2.asp?GraywareNo=277; classtype:misc-activity; sid:7524; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker chinese keywords outbound connection"; flow:to_server,established; content:"cn.dll?pid="; nocase; http_uri; content:"met="; nocase; http_uri; content:"charset="; nocase; http_uri; content:"name="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"name.cnnic.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*name\x2ecnnic\x2ecn/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074952; classtype:misc-activity; sid:7517; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler edonkey2000 outbound connection - version verification"; flow:to_server,established; content:"/ver/ver.php"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"app="; nocase; http_uri; content:"install_date="; nocase; http_uri; content:"reg="; nocase; http_uri; content:"sys="; nocase; http_uri; content:"sver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"home.edonkey.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*home\x2Eedonkey\x2Ecom/smiH"; metadata:service http; reference:url,www.fbmsoftware.com/spyware-net/Process/edonkey2000_exe/705/; classtype:misc-activity; sid:7510; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopprreports outbound connection - services requests"; flow:to_server,established; content:"/cs/cs.aspx?"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cs.shopperreports.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*cs\x2Eshopperreports\x2Ecom/smiH"; metadata:service http; reference:url,vil.mcafeesecurity.com/vil/content/v_133312.htm; classtype:misc-activity; sid:7194; rev:10;) # alert tcp $HOME_NET any 
-> $EXTERNAL_NET 80 (msg:"PUA-ADWARE Adware trustyfiles v3.1.0.1 runtime detection - startup access"; flow:to_server,established; content:"/index-tfc.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"trustyfiles"; nocase; http_header; content:"com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*trustyfiles\x2Ecom/smiH"; metadata:service http; reference:url,www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:7193; rev:14;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PUA-ADWARE Adware trustyfiles v3.1.0.1 runtime detection - sponsor selection"; flow:to_server,established; content:"/rd/feed/XMLFeed.jsp"; fast_pattern; nocase; http_uri; content:"trackID="; nocase; http_uri; content:"pID="; nocase; http_uri; content:"cat="; nocase; http_uri; content:"nl="; nocase; http_uri; content:"page="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"excID="; nocase; http_uri; metadata:service http; reference:url,www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:7192; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PUA-ADWARE Adware trustyfiles v3.1.0.1 runtime detection - url retrieval"; flow:to_server,established; content:"/."; http_uri; content:"urlfile="; nocase; http_uri; content:"client=TFLS"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"get="; nocase; http_uri; metadata:service http; reference:url,www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:7191; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware trustyfiles v3.1.0.1 runtime detection - host retrieval"; flow:to_server,established; content:"?hostfile="; depth:20; nocase; http_uri; content:"client=TFLS"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"get="; nocase; http_uri; metadata:service http; 
reference:url,www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:7190; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shop at home select - merchant redirect in progress"; flow:to_server,established; content:"/frameset.asp?"; fast_pattern; nocase; http_uri; content:"MID="; nocase; http_uri; content:"ruleID="; nocase; http_uri; content:"popupID="; nocase; http_uri; content:"doPopup="; nocase; http_uri; content:"version="; nocase; http_uri; content:"requested="; nocase; http_uri; content:"CustomerID="; nocase; http_uri; content:"owner="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"LastPrefs="; http_uri; content:"GUID="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076082; classtype:successful-recon-limited; sid:7188; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler jubster outbound connection"; flow:to_server,established; content:"/sresult.aspx"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.emp3finder.com"; nocase; http_header; content:"txtSearch="; nocase; content:"mp3s="; nocase; pcre:"/^Host\x3A\s+www\x2Eemp3finder\x2Ecom/smiH"; metadata:service http; reference:url,freeware4pc.com/multimedia/jubster.shtml; classtype:misc-activity; sid:7155; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cnsmin 3721 outbound connection - hijacking"; flow:to_server,established; content:"/cns.dll"; nocase; http_uri; content:"coagent="; nocase; http_uri; content:"3721cnsmin"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,doxdesk.com/parasite/CnsMin.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072511; classtype:misc-activity; sid:7153; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"PUA-ADWARE Hijacker cnsmin 3721 outbound connection - installation"; flow:to_server,established; content:"/download/CnsMinM.ini"; fast_pattern; nocase; http_uri; content:"t="; nocase; http_uri; metadata:service http; reference:url,doxdesk.com/parasite/CnsMin.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072511; classtype:misc-activity; sid:7152; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cool search outbound connection"; flow:to_server,established; content:"/_other/dll/blank8.pac"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"WinInet"; nocase; http_header; content:"Test"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*WinInet\s+Test/smiH"; metadata:service http; reference:url,www.spywaredb.com/remove-pcshare-2-0/; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079768; classtype:misc-activity; sid:7144; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware digink.com runtime detection"; flow:to_server,established; content:"/mbop/index.php3"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Microsoft"; nocase; http_header; content:"URL"; nocase; http_header; content:"Control"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.digink.com"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Microsoft\s+URL\s+Control\s+-/smiH"; pcre:"/^Host\x3A\s+www\x2Edigink\x2Ecom/smiH"; metadata:service http; reference:url,www.nuker.com/container/details/snackman.php; reference:url,www.techsupportforum.com/archive/index.php/t-46308.html; classtype:misc-activity; sid:7143; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ares flash downloader 2.04 runtime detection"; flow:to_server,established; content:"/lordofsearchD_468X60.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; 
content:"aresflashdownloader.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*aresflashdownloader\x2Ecom/smiH"; metadata:service http; reference:url,www.download2you.com/details_page.asp?titleID=12388; classtype:misc-activity; sid:7142; rev:14;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware pay-per-click runtime detection - update"; flow:to_server,established; content:"/1.hta"; http_uri; content:"Host|3A|"; nocase; http_header; content:"dimattic.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dimattic\x2Ecom/smiH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1170; reference:url,ppcdomain.co.uk; classtype:misc-activity; sid:7141; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware pay-per-click runtime detection - configuration"; flow:to_server,established; content:"/cgi-bin/rb/cout.cgi"; http_uri; content:"Host|3A|"; nocase; http_header; content:"ppcdomain.co.uk"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*ppcdomain\x2Eco\x2Euk/smiH"; metadata:service http; reference:url,ppcdomain.co.uk; classtype:misc-activity; sid:7140; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies clicktrojan outbound connection - fake search query"; flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"aid="; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.searchadv.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Esearchadv\x2Ecom/smiH"; metadata:service http; reference:url,sunbeltblog.blogspot.com/2006/01/seen-in-wild-new-pay-per-click-fraud.html; classtype:misc-activity; sid:7139; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies clicktrojan outbound connection - version check"; flow:to_server,established; content:"/xversion.php"; nocase; http_uri; content:"version="; nocase; http_uri; content:"mode="; 
nocase; http_uri; content:"click="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"loomcompany.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*loomcompany\x2Ecom/smiH"; metadata:service http; reference:url,sunbeltblog.blogspot.com/2006/01/seen-in-wild-new-pay-per-click-fraud.html; classtype:misc-activity; sid:7138; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dsrch outbound connection - side search redirect"; flow:to_server,established; content:"/sidesearch/sidesearch.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"websearch.drsnsrch.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*websearch\x2Edrsnsrch\x2Ecom/smiH"; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=DSrch&threatid=41080; classtype:misc-activity; sid:7137; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dsrch outbound connection - search assistant redirect"; flow:to_server,established; content:"/url.cgi"; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"badurl.grandstreetinteractive.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*badurl\x2Egrandstreetinteractive\x2Ecom/smiH"; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=DSrch&threatid=41080; classtype:misc-activity; sid:7136; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking"; flow:to_server,established; content:"/?s="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.weepee.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eweepee\x2Ecom/smiH"; metadata:service http; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7130; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2"; flow:to_server,established; content:"/ea.exe"; nocase; http_uri; content:"sb"; nocase; http_uri; content:"joelesoftware"; nocase; http_uri; content:"01"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.wowokay.com/wowokaybar.php"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*www\x2Ewowokay\x2Ecom\/wowokaybar\x2Ephp/smiH"; metadata:service http; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7129; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1"; flow:to_server,established; content:"/mb/text_group.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"col="; nocase; http_uri; content:"br="; nocase; http_uri; content:"dk="; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.wowokay.com/wowokaybar.php"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*www\x2Ewowokay\x2Ecom\/wowokaybar\x2Ephp/smiH"; metadata:service http; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7128; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking"; flow:to_server,established; content:"t.php"; nocase; http_uri; content:"sc_project="; fast_pattern; nocase; http_uri; content:"resolution="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"u="; nocase; http_uri; content:"java="; nocase; http_uri; content:"security="; nocase; http_uri; content:"sc_random="; nocase; http_uri; pcre:"/u=[^\r\n]*www\.wowokay\.com/Ui"; metadata:service http; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7127; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PUA-ADWARE 
Hijacker trojan proxy atiup outbound connection - notification"; flow:to_server,established; content:"/devrandom/r.php"; nocase; http_uri; content:"Host|3A| jupitersatellites.biz"; metadata:service http; reference:url,vil.nai.com/vil/content/v_137129.htm; classtype:misc-activity; sid:7126; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker traffbest biz outbound connection - adv"; flow:to_server,established; content:"/progs_exe/"; nocase; http_uri; content:".php"; nocase; http_uri; content:"adv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"traffbest.biz"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*traffbest\x2Ebiz/smiH"; metadata:service http; reference:url,forums.maddoktor2.com/index.php?showtopic=3601; classtype:misc-activity; sid:7125; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies alfacleaner outbound connection - buy"; flow:to_server,established; content:"/buy.dhtml"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"sub="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.alfacleaner.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ealfacleaner\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2733; classtype:misc-activity; sid:7124; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies alfacleaner outbound connection - update"; flow:to_server,established; content:"/updates/update.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.alfacleaner.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ealfacleaner\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2733; classtype:misc-activity; sid:7123; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker vip01 biz outbound connection - adv"; 
flow:to_server,established; content:"/progs/"; nocase; http_uri; content:".php"; nocase; http_uri; content:"adv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"vip01.biz"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*vip01\x2Ebiz/smiH"; metadata:service http; reference:url,forums.maddoktor2.com/index.php?showtopic=3601; classtype:misc-activity; sid:7055; rev:10;)
# ---------------------------------------------------------------------------
# Legacy PUA-ADWARE signatures.  Every rule in this stretch is disabled by a
# leading "#"; remove it to enable an individual rule.  Common shape:
#   * "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" together with
#     "flow:to_server,established" -- HTTP requests leaving the monitored
#     network on an established session.  The single
#     "$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any" rule (sid:6256) looks at the
#     server response body via file_data instead.
#   * http_uri / http_header content matches pre-filter on the normalized URI
#     and header buffers; where present, a pcre with the H flag then anchors
#     the Host (or User-Agent) value to the start of its header line so the
#     same string in another header (e.g. Referer) does not satisfy the rule.
#   * A content written as "Host|3A| ..." with no http_header modifier, or
#     any content carrying fast_pattern:only, is not tied to the parsed header
#     buffer: fast_pattern:only contents are consumed by the fast pattern
#     matcher alone and never re-verified as a rule option.  Per-rule notes
#     below call these out, since they are looser than the anchored form.
#   * metadata:service http associates each rule with the http service for
#     service-aware rule selection; classtype is misc-activity unless noted.
# ---------------------------------------------------------------------------
# sid:7054 -- Trickler download "arq": /b/info.php on ccecaedbebfcaf.com.  The Host pcre additionally requires uuid=, wv=, cargo= and check= to follow the host name, in that order, anywhere later in the header buffer (the .*? runs under the /s flag, so it crosses line ends).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler download arq variant outbound connection"; flow:to_server,established; content:"/b/info.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ccecaedbebfcaf.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*ccecaedbebfcaf\x2Ecom.*?uuid=.*?wv=.*?cargo=.*?check=/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_137359.htm; classtype:misc-activity; sid:7054; rev:8;)
# sid:7053 -- webredir: /whois.xml fetched from cache.everer.com.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware webredir runtime detection"; flow:to_server,established; content:"/whois.xml"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cache.everer.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*cache\x2Eeverer\x2Ecom/smiH"; metadata:service http; reference:url,castlecops.com/tk1907-pxwma_dll.html; classtype:misc-activity; sid:7053; rev:8;)
# sid:7052, sid:7051 -- generic downloader.g: adv= and ads= URI parameters sent to www.topadwarereviews.com, and /newsys/options.xml fetched from i-femdom.com.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler generic downloader.g outbound connection - adv"; flow:to_server,established; content:"adv="; nocase; http_uri; content:"ads="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.topadwarereviews.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Etopadwarereviews\x2Ecom/smiH"; metadata:service http; reference:url,vil.mcafeesecurity.com/vil/content/v_128719.htm; classtype:misc-activity; sid:7052; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler generic downloader.g outbound connection - spyware injection"; flow:to_server,established; content:"/newsys/options.xml"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"i-femdom.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*i\-femdom\x2Ecom/smiH"; metadata:service http; reference:url,vil.mcafeesecurity.com/vil/content/v_128719.htm; classtype:misc-activity; sid:7051; rev:11;)
# sid:7049 -- extreme biz hijacker: /uniq1.php with exp=, adv=, code1= and code2= to 1-extreme.biz.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker extreme biz outbound connection - uniq1"; flow:to_server,established; content:"/uniq1.php"; nocase; http_uri; content:"exp="; nocase; http_uri; content:"adv="; nocase; http_uri; content:"code1="; nocase; http_uri; content:"code2="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"1-extreme.biz"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*1\-extreme\x2Ebiz/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_139122.htm; classtype:misc-activity; sid:7049; rev:8;)
# sid:6496 -- adpowerzone: advertpro campaign servlet (cid=, pid=) on media.top-banners.com.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware adpowerzone runtime detection"; flow:to_server,established; content:"/advertpro/servlet/view/dynamic/html/campaign"; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"media.top-banners.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*media\x2Etop-banners\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1299; classtype:misc-activity; sid:6496; rev:13;)
# sid:6495 -- troj_spywad.x: /trial.php with rest=, ver= and a=.
# NOTE(review): the Host value "httphost" reads like an unfilled template placeholder rather than a real domain -- confirm against the source of this rule before enabling it.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker troj_spywad.x outbound connection"; flow:to_server,established; content:"/trial.php"; fast_pattern; nocase; http_uri; content:"rest="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"a="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"httphost"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*httphost/smiH"; metadata:service http; reference:url,www.sophos.com/virusinfo/analyses/trojspywadi.html; classtype:misc-activity; sid:6495; rev:11;)
# sid:6494 -- yourenhancement: /mbop/display.php3?uid= to yourenhancement.com.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware yourenhancement runtime detection"; flow:to_server,established; content:"/mbop/display.php3"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"yourenhancement.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*yourenhancement\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097585; classtype:misc-activity; sid:6494; rev:10;)
# sid:6489 -- analyze IE default-page hijacker: /hp/ on www.webcruiser.cc.
# NOTE(review): the ATT&CK T1078 (Valid Accounts) reference does not obviously describe a browser start-page hijack -- confirm the reference was intended.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker analyze IE outbound connection - default page hijacker"; flow:to_server,established; content:"/hp/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.webcruiser.cc"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ewebcruiser\x2Ecc/smiH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.spywaredetails.com/index.php?a=spyware&act=read&id=1680; classtype:misc-activity; sid:6489; rev:11;)
# sid:6481, sid:6480 -- cws.cameup: search redirect /searchtb.php?q= on fast-look.com and home-page fetch /hpt/ on www.e-finder.cc.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cws.cameup outbound connection - search"; flow:to_server,established; content:"/searchtb.php?q="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"fast-look.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*fast-look\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081; classtype:misc-activity; sid:6481; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cws.cameup outbound connection - home page"; flow:to_server,established; content:"/hpt/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.e-finder.cc"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ee-finder\x2Ecc/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081; classtype:misc-activity; sid:6480; rev:10;)
# sid:6479 -- totalvelocity zsearch: /e.aspx, ver= and host= carry no http_uri modifier, so they are plain payload matches rather than URI-buffer matches; the Host line is still anchored by the pcre.  classtype successful-recon-limited.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Snoopware totalvelocity zsearch outbound connection"; flow:to_server,established; content:"/e.aspx"; nocase; content:"ver="; nocase; content:"host="; nocase; content:"Host|3A|"; nocase; http_header; content:"www.ZSearchResults.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2EZSearchResults\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=763; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083031; classtype:successful-recon-limited; sid:6479; rev:7;)
# sid:6392 -- zeropopup: /searchbar/ with www.znext.com in the header buffer.  There is no pcre anchoring the name to the Host: line, so it is accepted in any header (e.g. Referer).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker zeropopup outbound connection"; flow:to_server,established; content:"/searchbar/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.znext.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=627; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075510; classtype:misc-activity; sid:6392; rev:9;)
# sid:6391 / sid:6390 -- esyndicate popup pair.  6390 sets flowbit eSyndicate.ads without alerting (flowbits:noalert) when /content/ is requested; 6391 alerts only when that bit is already set on the flow and /ad/zadframe.esyn with id=, aw=, ah=, dt= follows.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware esyndicate runtime detection - ads popup"; flow:to_server,established; flowbits:isset,eSyndicate.ads; content:"/ad/zadframe.esyn"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"aw="; nocase; http_uri; content:"ah="; nocase; http_uri; content:"dt="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1759; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; classtype:misc-activity; sid:6391; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware esyndicate runtime detection - ads popup"; flow:to_server,established; content:"/content/"; fast_pattern; nocase; http_uri; flowbits:set,eSyndicate.ads; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:6390; rev:9;)
# sid:6389 -- esyndicate post-install: /exclusionlist/ from client.contextual.esyndicate.com.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware esyndicate runtime detection - postinstall request"; flow:to_server,established; content:"/exclusionlist/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"client.contextual.esyndicate.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*client\x2Econtextual\x2Eesyndicate\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1759; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; classtype:misc-activity; sid:6389; rev:8;)
# sid:6388, sid:6387 -- internet optimizer: 404 error-page hijack (e=ERR404 with u=http...) and autosearch (/query/ with lt= and q=); both also require cls= and rid=.  Neither matches a host, so the parameter set carries the detection.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker internet optimizer outbound connection - error page hijack"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"js="; nocase; http_uri; content:"e=ERR404"; fast_pattern; nocase; http_uri; content:"u=http"; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=869; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453093995; classtype:misc-activity; sid:6388; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker internet optimizer outbound connection - autosearch hijack"; flow:to_server,established; content:"/query/"; fast_pattern; nocase; http_uri; content:"lt="; nocase; http_uri; content:"q="; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=869; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453093995; classtype:misc-activity; sid:6387; rev:10;)
# sid:6378 -- adbars homepage hijack: /r/banner_iw_codigo_gtc.php with idrotador=, tamano=, iw_alternativo= and the string www.adbars.com all inside the URI.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adbars outbound connection - homepage hijack"; flow:to_server,established; content:"/r/banner_iw_codigo_gtc.php"; fast_pattern; nocase; http_uri; content:"idrotador="; nocase; http_uri; content:"tamano="; nocase; http_uri; content:"iw_alternativo="; nocase; http_uri; content:"www.adbars.com"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1331; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079049; classtype:misc-activity; sid:6378; rev:10;)
# sid:6375, sid:6374, sid:6373, sid:6372 -- spyblocs/eblocs trickler: registration (/cart11.html?affl= on www.eblocs.com), pattern/ini download from download.eblocs.com (the U-flag pcre in 6374 pins the exact spyblpat<digits>.dat.<n> or spyblini.ini name), stbarpat.dat, and wsliveup.dat from spybl.cyberdefender.com.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler spyblocs.eblocs detection - register request"; flow:to_server,established; content:"/cart11.html?affl="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.eblocs.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eeblocs\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6375; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler spyblocs eblocs detection - get spyblpat.dat/spyblini.ini"; flow:to_server,established; content:"/products/spyblocs/"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"download.eblocs.com"; nocase; http_header; pcre:"/\x2Fproducts\x2Fspyblocs\x2F(spyblpat\d*\x2Edat\x2E\d+|spyblini\x2Eini)/Ui"; pcre:"/^Host\x3A[^\r\n]*download\x2Eeblocs\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6374; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler spyblocs eblocs detection - stbarpat.dat"; flow:to_server,established; content:"/products/stbar/stbarpat.dat"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"download.eblocs.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*download\x2Eeblocs\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6373; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler spyblocs eblocs detection - get wsliveup.dat"; flow:to_server,established; content:"/wsliveup/advisor/wsliveup.dat"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"spybl.cyberdefender.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*spybl\x2Ecyberdefender\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6372; rev:13;)
# sid:6371, sid:6368 -- flashtrack media/spoton: popup request /js/jsnew2.php? with grp=, guid=, ft_id=, c=, ver=, k=; update check identified by a "User-Agent: Daemon" header plus ?c=, &g=, &i= in the URI.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware flashtrack media/spoton runtime detection - pop up ads"; flow:to_server,established; content:"/js/jsnew2.php?"; fast_pattern; nocase; http_uri; content:"grp="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"ft_id="; nocase; http_uri; content:"c="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"k="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=477; classtype:misc-activity; sid:6371; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware flashtrack media/spoton runtime detection - update request"; flow:to_server,established; content:"?c="; nocase; http_uri; content:"&g="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"User-Agent|3A| Daemon"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=477; classtype:misc-activity; sid:6368; rev:13;)
# sid:6367 -- eacceleration downloadreceiver stop-sign ads: /dlp_def/ with prod=scanner and imod=, lng=, geo=, ftid=, ver=, ui=.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler eacceleration downloadreceiver outbound connection - stop-sign ads"; flow:to_server,established; content:"/dlp_def/"; nocase; http_uri; content:"imod="; nocase; http_uri; content:"prod=scanner"; fast_pattern; nocase; http_uri; content:"lng="; nocase; http_uri; content:"geo="; nocase; http_uri; content:"ftid="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"ui="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=398; classtype:misc-activity; sid:6367; rev:11;)
# sid:6361, sid:6360, sid:6359 -- altnet: stats report (/backoffice.net/stats/Add.aspx with PN=Altnet and AN=Altnet), update traffic with a "Peer Points Manager" user-agent to pm.altnet.com (the pcre allows any whitespace between the three words), and the initial /pm/start.asp?pmver=&guid= fetch.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware altnet runtime detection - status report"; flow:to_server,established; content:"/backoffice.net/stats/Add.aspx"; fast_pattern; nocase; http_uri; content:"ST="; nocase; http_uri; content:"PN=Altnet"; nocase; http_uri; content:"AN=Altnet"; nocase; http_uri; content:"LN="; nocase; http_uri; content:"DN="; nocase; http_uri; content:"GR="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.altnet.com"; nocase; http_header; pcre:"/^HOST\x3A[^\r\n]*www\x2Ealtnet\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1369; reference:url,www.spywareremove.com/removeAltnet.html; classtype:misc-activity; sid:6361; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware altnet runtime detection - update"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Peer"; nocase; http_header; content:"Points"; nocase; http_header; content:"Manager"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Peer\s+Points\s+Manager/smiH"; content:"Host|3A|"; nocase; http_header; content:"pm.altnet.com"; fast_pattern; nocase; http_header; pcre:"/^HOST\x3A[^\r\n]*pm\x2Ealtnet\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1369; reference:url,www.spywareremove.com/removeAltnet.html; classtype:misc-activity; sid:6360; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware altnet runtime detection - initial retrieval"; flow:to_server,established; content:"/pm/start.asp"; nocase; http_uri; content:"pmver="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.altnet.com"; nocase; http_header; pcre:"/^HOST\x3A[^\r\n]*www\x2Ealtnet\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1369; reference:url,www.spywareremove.com/removeAltnet.html; classtype:misc-activity; sid:6359; rev:10;)
# sid:6358 -- need2find: /jsp/cfg_redir.jsp (no nocase on this content, so it is case-sensitive) whose url= parameter points at kl.search.need2find.com.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker need2find search query detection"; flow:to_server,established; content:"/jsp/cfg_redir.jsp"; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"searchfor="; nocase; http_uri; pcre:"/url=[^\r\n]*kl\x2Esearch\x2Eneed2find\x2Ecom/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2195; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096250; classtype:misc-activity; sid:6358; rev:9;)
# sid:6356, sid:6355 -- wsearch (zhongsou): desktop search /desksearch.cgi and mp3 search /zsmp3, both with tps= and word=.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler wsearch outbound connection - desktop search"; flow:to_server,established; content:"/desksearch.cgi"; nocase; http_uri; content:"tps="; nocase; http_uri; content:"word="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.zhongsou.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ezhongsou\x2Ecom/smiH"; metadata:service http; reference:url,www.zhongsou.com; classtype:misc-activity; sid:6356; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler wsearch outbound connection - mp3 search"; flow:to_server,established; content:"/zsmp3"; nocase; http_uri; content:"tps="; nocase; http_uri; content:"word="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"mp3.zhongsou.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*mp3\x2Ezhongsou\x2Ecom/smiH"; metadata:service http; reference:url,www.zhongsou.com; classtype:misc-activity; sid:6355; rev:8;)
# sid:6353, sid:6352, sid:6351 -- adblock (linkz.com): IE search-assistant redirect (/iesearch.php?term=&Submit=Search), auto-search redirect (/abho/autosrch.abs) and update check (/abho/chkupdate.abs?cv=).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adblock ie search assistant redirect detection"; flow:to_server,established; content:"/iesearch.php"; fast_pattern; nocase; http_uri; content:"term="; nocase; http_uri; content:"Submit=Search"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*linkz\x2Ecom/smiH"; metadata:service http; reference:url,adblock.linkz.com/Home.php; reference:url,www.spywareguide.com/product_show.php?id=48; classtype:misc-activity; sid:6353; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adblock auto search redirect detection"; flow:to_server,established; content:"/abho/autosrch.abs"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"adblock.linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*adblock\x2Elinkz\x2Ecom/smiH"; metadata:service http; reference:url,adblock.linkz.com/Home.php; reference:url,www.spywareguide.com/product_show.php?id=48; classtype:misc-activity; sid:6352; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adblock update detection"; flow:to_server,established; content:"/abho/chkupdate.abs"; fast_pattern; nocase; http_uri; content:"cv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"adblock.linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*adblock\x2Elinkz\x2Ecom/smiH"; metadata:service http; reference:url,adblock.linkz.com/Home.php; reference:url,www.spywareguide.com/product_show.php?id=48; classtype:misc-activity; sid:6351; rev:11;)
# sid:6350, sid:6349 -- richfind: /search.php?qq=&said=bar and the update fetch /news.php on richfind.com.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker richfind auto search redirect detection"; flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"qq="; nocase; http_uri; content:"said=bar"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"richfind.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*richfind\x2Ecom/smiH"; metadata:service http; reference:url,users.telenet.be/marcvn/spyware/1954375.htm; reference:url,www.f-secure.com/sw-desc/iehijacker_richfind.shtml; classtype:misc-activity; sid:6350; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker richfind update detection"; flow:to_server,established; content:"/news.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.richfind.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Erichfind\x2Ecom/smiH"; metadata:service http; reference:url,users.telenet.be/marcvn/spyware/1954375.htm; reference:url,www.f-secure.com/sw-desc/iehijacker_richfind.shtml; classtype:misc-activity; sid:6349; rev:8;)
# sid:6348 -- zenosearch: /engine with site=, page=, space=, size=, kw=, domain=; no host is matched, so the parameter set alone identifies it.  classtype successful-recon-limited.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Snoopware zenosearch outbound connection"; flow:to_server,established; content:"/engine"; fast_pattern; nocase; http_uri; content:"site="; nocase; http_uri; content:"page="; nocase; http_uri; content:"space="; nocase; http_uri; content:"size="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"domain="; nocase; http_uri; metadata:service http; reference:url,www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FZENO%2EA; classtype:successful-recon-limited; sid:6348; rev:11;)
# sid:6347, sid:6346 -- stationripper: ad display (/minimall with a url= parameter naming www.stationripper.com/Portal/ad.htm) and the version check /version/stationripper-getver.
# NOTE(review): the url=http|3A|/www... content has a single slash after the colon; presumably written against the multi-slash-normalized URI buffer -- confirm the expected normalization before enabling.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware stationripper ad display detection"; flow:to_server,established; content:"/minimall"; nocase; http_uri; content:"w="; nocase; http_uri; content:"h="; nocase; http_uri; content:"client="; nocase; http_uri; content:"noctxt="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"url=http|3A|/www.stationripper.com/Portal/ad.htm"; fast_pattern; nocase; http_uri; content:"query="; nocase; http_uri; metadata:service http; reference:url,stationripper.com; classtype:misc-activity; sid:6347; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware stationripper update detection"; flow:to_server,established; content:"/version/stationripper-getver"; nocase; http_uri; metadata:service http; reference:url,stationripper.com; classtype:misc-activity; sid:6346; rev:11;)
# sid:6345, sid:6344 -- excite search bar: /tr.js?a=&r=&site=excite, and the config fetch /speedbar/speedbarcfg.jsp with "Excite" in the User-Agent.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware excite search bar runtime detection - search"; flow:to_server,established; content:"/tr.js"; nocase; http_uri; content:"a="; nocase; http_uri; content:"r="; nocase; http_uri; content:"site=excite"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.scanspyware.net/info/ExciteSearchBar.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078495; classtype:misc-activity; sid:6345; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware excite search bar runtime detection - config"; flow:to_server,established; content:"/speedbar/speedbarcfg.jsp"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Excite"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Excite/smiH"; metadata:service http; reference:url,www.scanspyware.net/info/ExciteSearchBar.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078495; classtype:misc-activity; sid:6344; rev:11;)
# sid:6343 -- targetsaver: a User-Agent carrying TSA/, Ts2/, OS/, IE/, CD/, UID/ and AID/ fields in that order.  The content matches pre-filter on the first four; the pcre enforces all seven and their ordering.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware targetsaver runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"TSA/"; fast_pattern; nocase; http_header; content:"Ts2/"; nocase; http_header; content:"OS/"; nocase; http_header; content:"IE/"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?TSA\x2F[^\r\n]*?Ts2\x2F[^\r\n]*?OS\x2F[^\r\n]*?IE\x2F[^\r\n]*?CD\x2F[^\r\n]*?UID\x2F[^\r\n]*?AID\x2F/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1914; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090707; classtype:misc-activity; sid:6343; rev:12;)
# sid:6342 -- spediabar info check: /cgi-bin/tz.cgi?run=.  "Host: spedia.net" is fast_pattern:only with no http_header modifier, so it is consumed by the fast pattern matcher only and never re-verified against the parsed Host header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker spediabar outbound connection - info check"; flow:to_server,established; content:"/cgi-bin/tz.cgi"; nocase; http_uri; content:"run="; nocase; http_uri; content:"Host|3A| spedia.net"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1693; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074295; classtype:misc-activity; sid:6342; rev:11;)
# sid:6284, sid:6283 -- websearch: WebStat.asmx/GetXML2 telemetry (sDate= through sAction=) and sitereview.asmx/GetReview (URL=, SITE=, TUID=).  No host is matched in either.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker websearch outbound connection - webstat"; flow:to_server,established; content:"/WebStat.asmx/GetXML2"; fast_pattern; nocase; http_uri; content:"sDate="; nocase; http_uri; content:"sModule="; nocase; http_uri; content:"sCID="; nocase; http_uri; content:"sIP="; nocase; http_uri; content:"sURL="; nocase; http_uri; content:"sReferrer="; nocase; http_uri; content:"sBT="; nocase; http_uri; content:"sAgent="; nocase; http_uri; content:"sName="; nocase; http_uri; content:"sAction="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=769; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074933; classtype:misc-activity; sid:6284; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker websearch outbound connection - sitereview"; flow:to_server,established; content:"/sitereview.asmx/GetReview"; fast_pattern; nocase; http_uri; content:"URL="; nocase; http_uri; content:"SITE="; nocase; http_uri; content:"TUID="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=769; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074933; classtype:misc-activity; sid:6283; rev:10;)
# sid:6280, sid:6279 -- sidefind: common.js fetch carrying an origin=sidefind cookie, and a redirect keyed only on URI parameters (target=, tv=, tu=, td=, account_id=, tt=, search_string=; the last two have no nocase and are case-sensitive).  6279 matches neither host nor path.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker sidefind outbound connection - cookie"; flow:to_server,established; content:"/javascripts/common.js"; fast_pattern; nocase; http_uri; content:"Cookie|3A| "; nocase; http_header; content:"origin=sidefind"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1147; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088285; classtype:misc-activity; sid:6280; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker sidefind outbound connection"; flow:to_server,established; content:"target="; nocase; http_uri; content:"tv="; nocase; http_uri; content:"tu="; nocase; http_uri; content:"td="; nocase; http_uri; content:"account_id="; nocase; http_uri; content:"tt="; http_uri; content:"search_string="; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1147; classtype:misc-activity; sid:6279; rev:7;)
# sid:6275 -- incredifind: /index.cfm?action=&pc=&keywords= with a source=IncrediFind cookie.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker incredifind outbound connection - cookie"; flow:to_server,established; content:"/index.cfm"; nocase; http_uri; content:"action="; nocase; http_uri; content:"pc="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"Cookie|3A| "; nocase; http_header; content:"source=IncrediFind"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077295; classtype:misc-activity; sid:6275; rev:12;)
# sid:6271 -- bundleware: /AD/UCMD? with &ID={ and &rand=.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler bundleware runtime detection"; flow:to_server,established; content:"/AD/UCMD?"; fast_pattern; nocase; http_uri; content:"&ID={"; nocase; http_uri; content:"&rand="; nocase; http_uri; metadata:service http; reference:url,www.xp-vista.com/spyware-removal/antimalwareguard-antimalware-guard-removal-instructions; classtype:misc-activity; sid:6271; rev:12;)
# sid:6269, sid:6268, sid:6267, sid:6266, sid:6265, sid:6264, sid:6263 -- gigatech superbar: event tracking (/superbar/event.php), self-update (SUPERBARINSTALL_2.2.1.EXE download; seupdate.php getUpdate / checkUpdate; engine.php; movie.php) and an info-collection request (/adi/fandango.dart/theaterselectionpage;).  In these rules only the path is an http_uri match; guid=, camp=, build= and the other parameters have no buffer modifier and are plain payload matches.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - track event"; flow:to_server,established; content:"/superbar/event.php"; fast_pattern; nocase; http_uri; content:"event="; nocase; content:"gmt="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6269; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - self update - download exe"; flow:to_server,established; content:"/SUPERBARINSTALL_2.2.1.EXE"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6268; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - self update - get update"; flow:to_server,established; content:"/superbar/seupdate.php"; fast_pattern; nocase; http_uri; content:"action=getUpdate"; nocase; content:"fileName="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6267; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - self update - check update"; flow:to_server,established; content:"/superbar/seupdate.php"; fast_pattern; nocase; http_uri; content:"action=checkUpdate"; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6266; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - self update - engine"; flow:to_server,established; content:"/superbar/engine.php"; fast_pattern; nocase; http_uri; content:"requests="; nocase; content:"engine="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6265; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - self update - movie"; flow:to_server,established; content:"/superbar/movie.php"; fast_pattern; nocase; http_uri; content:"requests="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6264; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - collect information"; flow:to_server,established; content:"/adi/fandango.dart/theaterselectionpage|3B|"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6263; rev:11;)
# sid:6260 -- overpro: /cmapp/zx-popup.php? with uid=, pid=, m=, kw=, url=http; "Host: newads1.com" is a plain content match with no http_header modifier.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware overpro runtime detection"; flow:to_server,established; content:"/cmapp/zx-popup.php?"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"m="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"url=http"; nocase; http_uri; content:"Host|3A| newads1.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=757; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090731; classtype:misc-activity; sid:6260; rev:12;)
# sid:6259, sid:6258, sid:6257 -- searchsquire: search forwarding (/search.php? with partner=searchsquire), engine file fetch (/engine.txt or /engine2.txt, user-agent "Agent" followed by exactly seven digits), and /testgeonew.php with a Referer of ad.searchsquire.com/blank.html (that Referer content is fast_pattern:only, so it is never re-verified).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware searchsquire runtime detection - search forward"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"domain="; nocase; http_uri; content:"term="; nocase; http_uri; content:"partner=searchsquire"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=584; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363; classtype:misc-activity; sid:6259; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware searchsquire runtime detection - get engine file"; flow:to_server,established; content:"/engine"; fast_pattern; nocase; http_uri; content:".txt"; nocase; http_uri; pcre:"/\x2Fengine2?\x2Etxt/Ui"; content:"User-Agent|3A|"; nocase; http_header; content:"Agent"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Agent[0-9]{7}/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=584; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363; classtype:misc-activity; sid:6258; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware searchsquire runtime detection - testgeonew query"; flow:to_server,established; content:"/testgeonew.php"; nocase; http_uri; content:"Referer|3A| http|3A|//ad.searchsquire.com/blank.html"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=584; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363; classtype:misc-activity; sid:6257; rev:9;)
# sid:6256 -- searchsquire install/auto-update; the only server-to-client rule in this stretch.  Inspects the response body (file_data) for the ActiveX CLSID 907CA0E5-CE84-11D6-9508-02608CDD2846 in a classid attribute.
# NOTE(review): the pcre below starts with "]*classid" -- the leading "<object[^>" of the usual classid pattern appears to have been lost in extraction.  Confirm against the upstream rule text before enabling; as written the regex still compiles but anchors on a bare "]*".
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Adware searchsquire installtime/auto-update"; flow:to_client,established; file_data; content:"907CA0E5-CE84-11D6-9508-02608CDD2846"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3A\s*\x7B?\s*907CA0E5-CE84-11D6-9508-02608CDD2846/si"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=584; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363; classtype:misc-activity; sid:6256; rev:8;)
# sid:6251, sid:6250 -- hotbar: "hostie" / "hotbar" tokens in the User-Agent header, anchored by the H-flag pcre.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hotbar runtime detection - hostie user-agent"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"hostie"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?hostie/Hsmi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=481; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474; classtype:misc-activity; sid:6251; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hotbar runtime detection - hotbar user-agent"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"hotbar"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?hotbar/Hsmi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=481; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474; classtype:misc-activity; sid:6250; rev:13;)
# sid:6249, sid:6248, sid:6247 -- ezula toptext: IntermixWO redirect carrying geo parameters (DS_ID=, PubName=, UV_ID=, country=, region=, city=, zip=), the popup page and the help redirect on www.ezula.com.  In 6248 and 6247 the "Host: www.ezula.com" content has no http_header modifier.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ezula toptext runtime detection - redirect"; flow:to_server,established; content:"/IntermixWO/redirect/redirect.asp?"; fast_pattern; nocase; http_uri; content:"DS_ID="; nocase; http_uri; content:"PubName="; nocase; http_uri; content:"UV_ID="; nocase; http_uri; content:"country="; nocase; http_uri; content:"region="; nocase; http_uri; content:"city="; nocase; http_uri; content:"zip="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=9; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551; classtype:misc-activity; sid:6249; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ezula toptext runtime detection - popup"; flow:to_server,established; content:"/TopText/pop-popup.html"; fast_pattern; nocase; http_uri; content:"Host|3A| www.ezula.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=9; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551; classtype:misc-activity; sid:6248; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ezula toptext runtime detection - help redirect"; flow:to_server,established; content:"/IntermixWO/Redirect/HelpRedirect.asp?"; fast_pattern; nocase; http_uri; content:"var="; nocase; http_uri; content:"Host|3A| www.ezula.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=9; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551; classtype:misc-activity; sid:6247; rev:11;)
# sid:6246 -- exact navisearch: /404/search.php? with p=, Keywords=, a=; the "Host: www.navisearch.net" content is fast_pattern:only (never re-verified).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker exact navisearch outbound connection - search hijack"; flow:to_server,established; content:"/404/search.php?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"Keywords="; nocase; http_uri; content:"a="; nocase; http_uri; content:"Host|3A| www.navisearch.net"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1169; classtype:misc-activity; sid:6246; rev:9;)
# sid:6245, sid:6244, sid:6243, sid:6242 -- coolwebsearch: startpage beacon /2gt.php (dn=daosearch.com with cp=, ckey=, ip=, iphsh=, tm=), cameup auto-search (/notfound.php to www.cameup.com) and home-page (/justas.css to www.kliksearch.com) hijacks -- both Host contents are fast_pattern:only -- and a parameter-only rule (svc=, lang=, type=, mode=, art=, acct=, url=, category=, view=) with no host or path.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker coolwebsearch startpage outbound connection"; flow:to_server,established; content:"/2gt.php"; nocase; http_uri; content:"cp="; nocase; http_uri; content:"dn=daosearch.com"; fast_pattern; nocase; http_uri; content:"ckey="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"iphsh="; nocase; http_uri; content:"tm="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=599; classtype:misc-activity; sid:6245; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker coolwebsearch cameup outbound connection - ie auto search hijack"; flow:to_server,established; content:"/notfound.php"; nocase; http_uri; content:"Host|3A| www.cameup.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081; classtype:misc-activity; sid:6244; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker coolwebsearch cameup outbound connection - home page hijack"; flow:to_server,established; content:"/justas.css"; nocase; http_uri; content:"Host|3A| www.kliksearch.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081; classtype:misc-activity; sid:6243; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker coolwebsearch.cameup outbound connection"; flow:to_server,established; content:"svc="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"type="; nocase; http_uri; content:"mode="; nocase; http_uri; content:"art="; nocase; http_uri; content:"acct="; nocase; http_uri; content:"url="; nocase; http_uri; content:"category="; fast_pattern; nocase; http_uri; content:"view="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; classtype:misc-activity; sid:6242; rev:10;)
# sid:6241, sid:6240, sid:6239, sid:6238 -- lop: each request is identified by a "User-Agent: TPSystem" header.  6241's and 6238's user-agent contents are fast_pattern:only.  6238 chains guid= through crc= with distance:0, so the parameters must appear in the listed order after /tba/ (all as plain payload matches), and its closing pcre restricts the path to /tba/cm? or /tba/cu?.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - ie autosearch hijack"; flow:to_server,established; content:"/exe/dns.html"; nocase; http_uri; content:"User-Agent|3A| TPSystem"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6241; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - pop up ads"; flow:to_server,established; content:"/prod/C2mediapops/pop3.asp?"; fast_pattern; nocase; http_uri; content:"mt="; nocase; http_uri; content:"popid="; nocase; http_uri; content:"User-Agent|3A| TPSystem"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6240; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - collect info request 2"; flow:to_server,established; content:"/tba/p?"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"version="; nocase; http_uri; content:"clientid="; nocase; http_uri; content:"time="; nocase; http_uri; content:"locale="; nocase; http_uri; content:"session="; nocase; http_uri; content:"idle="; nocase; http_uri; content:"crc="; nocase; http_uri; content:"User-Agent|3A| TPSystem"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6239; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - collect info request 1"; flow:to_server,established; content:"/tba/"; nocase; content:"guid="; distance:0; nocase; content:"version="; distance:0; nocase; content:"clientid="; distance:0; nocase; content:"time="; distance:0; nocase; content:"locale="; distance:0; nocase; content:"session="; distance:0; nocase; content:"id="; distance:0; nocase; content:"idle="; distance:0; nocase; content:"queued="; distance:0; nocase; content:"crc="; distance:0; nocase; content:"User-Agent|3A| TPSystem"; fast_pattern:only; http_header; pcre:"/\x2Ftba\x2F(cm|cu)\?/smi"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6238; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - check update request"; flow:to_server,established; content:"/upd/check?version="; nocase; http_uri; content:"User-Agent|3A| Download UBAgent"; fast_pattern:only; http_header; metadata:service http; classtype:misc-activity; 
sid:6237; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - pass info to server"; flow:to_server,established; content:"/abt?data="; nocase; http_uri; content:"User-Agent|3A| Travel Update"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6236; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware mirar runtime detection - delayed"; flow:to_server,established; content:"/delayed.cgi"; nocase; http_uri; content:"g"; nocase; http_uri; content:"edata"; nocase; http_uri; content:"q"; nocase; http_uri; content:"User-Agent|3A| Mirar_KeywordContent"; fast_pattern:only; http_header; metadata:service http; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Adware%3AWin32%2FMirar; classtype:misc-activity; sid:6233; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ieplugin outbound connection - search"; flow:to_server,established; content:"/q.cgi?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| wwd.ieplugin"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=482; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072530; classtype:misc-activity; sid:6224; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware delfin media viewer runtime detection - retrieve schedule"; flow:to_server,established; content:"/Delfin/schedule.html"; nocase; http_uri; content:"pBrd"; nocase; http_uri; content:"pSch"; nocase; http_uri; content:"pIsp"; nocase; http_uri; content:"pVer"; http_uri; content:"pZip"; nocase; http_uri; content:"pSer"; nocase; http_uri; content:"User-Agent|3A| PromulGate"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=727; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076775; classtype:misc-activity; sid:6223; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware delfin media viewer runtime detection - contact server"; flow:to_server,established; content:"/Delfin/ini.html"; nocase; http_uri; content:"pBrd"; nocase; http_uri; content:"pIsp"; nocase; http_uri; content:"pVer"; nocase; http_uri; content:"pSer"; nocase; http_uri; content:"User-Agent|3A| PromulGate"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=727; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076775; classtype:misc-activity; sid:6222; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware bonzibuddy runtime detection"; flow:to_server,established; content:"/bonzibuddy/"; fast_pattern; nocase; http_uri; content:".nbd"; nocase; http_uri; pcre:"/\x2Fbonzibuddy\x2F(updates|products|daily)\x2Enbd/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=512; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; classtype:misc-activity; sid:6219; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware aornum/iwon copilot runtime detection - ads"; flow:to_server,established; content:"/ad_string.js?"; fast_pattern; nocase; http_uri; content:"tagad"; nocase; http_uri; content:"site=iwon"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072491; classtype:misc-activity; sid:6218; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware aornum/iwon copilot runtime detection - config"; flow:to_server,established; content:"/copilot/copilotcfg.jsp?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"iWon"; nocase; http_header; 
metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072491; classtype:misc-activity; sid:6216; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 7fasst outbound connection - track"; flow:to_server,established; content:"/data/track.aspx?"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"userid="; nocase; http_uri; content:"affiliateid="; nocase; http_uri; content:"theurl="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=419; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072502; classtype:misc-activity; sid:6215; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 7fasst outbound connection - search"; flow:to_server,established; content:"/searchweb.aspx?"; fast_pattern; nocase; http_uri; content:"userid="; nocase; http_uri; content:"affiliateid="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"theurl="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=419; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072502; classtype:misc-activity; sid:6214; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 7fasst outbound connection - auto requests"; flow:to_server,established; content:".aspx?"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"affiliateid="; nocase; http_uri; content:"Host|3A| client.browseraccelerator.com"; fast_pattern:only; http_header; pcre:"/\x2F(word|news|weather|joke|tip)\x2Easpx\?/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=419; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072502; classtype:misc-activity; sid:6213; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware 
commonname runtime detection"; flow:to_server,established; content:"User-Agent|3A| CommonName Agent"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=429; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078618; classtype:misc-activity; sid:6212; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware deskwizz runtime detection - pop-up ad request"; flow:to_server,established; content:"/select/Get"; nocase; http_uri; pcre:"/select\x2FGet(One|SbAts)\x2Ephp/Ui"; content:"Host|3A| "; nocase; content:"deskwizz.com"; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1127; classtype:misc-activity; sid:6211; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware deskwizz/zquest runtime detection - get config information / ad banner"; flow:to_server,established; content:"/GetAd/"; nocase; http_uri; content:"Host|3A| "; nocase; content:"deskwizz.com"; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1127; reference:url,www.symantec.com/avcenter/venc/data/adware.zquest.html; classtype:misc-activity; sid:6209; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler farmmext outbound connection - track activity"; flow:to_server,established; content:"/imp/servlet/ImpServe?"; fast_pattern; nocase; http_uri; content:"urlContext="; nocase; http_uri; content:"domainContext="; nocase; http_uri; content:"distID="; nocase; http_uri; content:"MM_RECO.EXE"; nocase; http_uri; content:"country="; nocase; http_uri; content:"transponderID="; nocase; http_uri; metadata:service http; reference:url,www.spyany.com/files/farmmext_exe.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090784; classtype:misc-activity; sid:6204; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler farmmext 
outbound connection - drk.syn request"; flow:to_server,established; content:"/a/Drk.syn?"; fast_pattern; nocase; http_uri; content:"bho="; nocase; http_uri; content:"DistID="; nocase; http_uri; content:"MM_RECO.EXE"; nocase; http_uri; metadata:service http; reference:url,www.spyany.com/files/farmmext_exe.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090784; classtype:misc-activity; sid:6203; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware twaintec runtime detection"; flow:to_server,established; content:"/twain/servlet/Twain"; fast_pattern; nocase; http_uri; content:"adcontext="; nocase; http_uri; content:"contextpeak="; nocase; http_uri; content:"contextcount="; nocase; http_uri; content:"countrycodein="; nocase; http_uri; content:"cookie1="; nocase; http_uri; content:"cookie2="; nocase; http_uri; content:"InstID="; nocase; http_uri; content:"status="; nocase; http_uri; content:"smode="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=650; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078844; classtype:misc-activity; sid:6201; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker smart search outbound connection - get settings"; flow:to_server,established; content:"/settings/"; nocase; content:"Host|3A| www.searchreslt.com"; distance:0; nocase; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078876; classtype:misc-activity; sid:6200; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker smart search outbound connection - hijack/ads"; flow:to_server,established; content:"/files/adframe.aspx?"; nocase; http_uri; content:"SE="; nocase; http_uri; content:"ST="; nocase; http_uri; content:"Host|3A| www.searchreslt.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078876; 
classtype:misc-activity; sid:6199; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker smart shopper outbound connection - services requests"; flow:to_server,established; content:"/cs/cs.aspx?"; nocase; http_uri; content:"Host|3A| cs.smartshopper.com"; fast_pattern:only; metadata:service http; reference:url,vil.mcafeesecurity.com/vil/content/v_133312.htm; classtype:misc-activity; sid:6196; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware seekmo runtime detection - download .cab"; flow:to_server,established; content:"/downloads/ff/"; nocase; http_uri; content:"/seekmo/npclntax.CAB"; nocase; http_uri; content:"Host|3A| installs.seekmo.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2368; classtype:misc-activity; sid:6195; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware seekmo runtime detection - config upload"; flow:to_server,established; content:"/config.aspx?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"duid="; nocase; http_uri; content:"partner_id="; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"Host|3A| config.seekmo.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2368; classtype:misc-activity; sid:6194; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware seekmo runtime detection - pop up ads"; flow:to_server,established; content:"/display.aspx?"; nocase; http_uri; content:"adid="; nocase; http_uri; content:"kwid="; nocase; http_uri; content:"umt="; nocase; http_uri; content:"inid="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"tv.seekmo.com/showme.aspx?keyword="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2368; classtype:misc-activity; sid:6193; 
rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware seekmo runtime detection - reporting keyword"; flow:to_server,established; content:"/showme.aspx?keyword="; fast_pattern; nocase; http_uri; content:"Host|3A| tv.seekmo.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2368; classtype:misc-activity; sid:6192; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ISTBar runtime detection - bar"; flow:to_server,established; content:"/ist/bars/istbar"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=572; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516; classtype:misc-activity; sid:6188; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ISTBar runtime detection - scripts"; flow:to_server,established; content:"/ist/scripts/"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=572; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516; classtype:misc-activity; sid:6187; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware 180Search assistant runtime detection - reporting keyword"; flow:to_server,established; content:"/showme.aspx?keyword="; nocase; http_uri; content:"Host|3A| tv.180solutions.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=507; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090677; classtype:misc-activity; sid:6185; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware 180Search assistant runtime detection - config upload"; flow:to_server,established; content:"/config.aspx?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"duid="; nocase; http_uri; content:"partner_id="; nocase; http_uri; 
content:"product_id="; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=507; classtype:misc-activity; sid:6184; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware 180Search assistant runtime detection - tracked event URL"; flow:to_server,established; content:"/trackedevent.aspx?"; fast_pattern; nocase; http_uri; content:"eid="; nocase; http_uri; content:"mt="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"basename="; nocase; http_uri; content:"time="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=507; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090677; classtype:misc-activity; sid:6183; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware offeragent runtime detection - ads request"; flow:to_server,established; content:"/103/getad.aspx?"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"ciso="; nocase; http_uri; content:"pcpi="; nocase; http_uri; content:"Host|3A| dist.atlas-ia.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096710; classtype:misc-activity; sid:5996; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware offeragent runtime detection - information checking"; flow:to_server,established; content:"/103/co.aspx?"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"cv="; nocase; http_uri; content:"cfv="; nocase; http_uri; content:"sfv="; nocase; http_uri; content:"ciso="; nocase; http_uri; content:"Host|3A| dist.atlas-ia.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096710; classtype:misc-activity; sid:5995; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker getmirar outbound connection - click related button"; flow:to_server,established; 
content:"/thumbnail.cgi?"; fast_pattern:only; http_uri; content:"DURL="; nocase; http_uri; content:"TAG="; nocase; http_uri; metadata:service http; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Adware%3AWin32%2FMirar; classtype:misc-activity; sid:5994; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker getmirar outbound connection - track activity"; flow:to_server,established; content:"/v70click.cgi?"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; content:"adurl="; nocase; http_uri; content:"adtitle="; nocase; http_uri; content:"adbody="; nocase; http_uri; metadata:service http; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Adware%3AWin32%2FMirar; classtype:misc-activity; sid:5993; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcastpc runtime detection - get up-to-date movie/tv/ad information"; flow:to_server,established; content:"/client/"; nocase; http_uri; content:".aspx"; nocase; http_uri; content:"Host|3A| www.broadcastpc.tv"; fast_pattern:only; pcre:"/\x2Fclient\x2F(view|tvlistings|tvshowtickets|movietickets)\x2Easpx/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=738; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074364; classtype:misc-activity; sid:5990; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcastpc runtime detection - get config"; flow:to_server,established; content:"/v2.asmx"; nocase; content:"SOAPAction|3A| |22|http|3A|//ws.broadcastpc.tv/GetConfig|22|"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=738; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074364; classtype:misc-activity; sid:5989; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware powerstrip runtime detection"; 
flow:to_server,established; content:"/Subscriptions/NewsFeed.asp?"; fast_pattern; nocase; http_uri; content:"selection="; nocase; http_uri; content:"distribution="; nocase; http_uri; content:"User-Agent|3A| POWRSTRP"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=522; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074932; classtype:misc-activity; sid:5983; rev:14;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker topfive searchassistant detection - side search"; flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"st="; nocase; http_uri; content:"ldid="; nocase; http_uri; content:"fpid="; nocase; http_uri; content:"fdid="; nocase; http_uri; content:"prid="; nocase; http_uri; content:"tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"tspid="; nocase; http_uri; content:"pn="; nocase; http_uri; content:"x="; nocase; http_uri; content:"y="; nocase; http_uri; content:"Referer|3A| ws1.appswebservice.com/index.php?tpid="; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2645; classtype:misc-activity; sid:5976; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker topfive searchassistant detection - search request"; flow:to_server,established; content:"/index.php?tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"Host|3A| ws1.appswebservice.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2645; classtype:misc-activity; sid:5975; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker smart finder detection - pop-up ads"; flow:to_server,established; content:"/ad/cc.php?"; fast_pattern:only; http_uri; content:"pin="; nocase; http_uri; content:"qq="; nocase; http_uri; content:"v0="; nocase; http_uri; 
metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2165; classtype:misc-activity; sid:5974; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker smart finder detection - search engines hijack"; flow:to_server,established; content:"/gc/xsearch.php?"; nocase; http_uri; content:"qq="; nocase; http_uri; content:"pin="; nocase; http_uri; content:"v0="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2165; classtype:misc-activity; sid:5973; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker smart finder detection - ie autosearch hijack 1"; flow:to_server,established; content:"/sh.php?"; nocase; http_uri; content:"qq="; nocase; http_uri; content:"pin="; nocase; http_uri; content:"v0="; nocase; http_uri; content:"HelpAgent|3A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2165; classtype:misc-activity; sid:5972; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE trackware searchinweb detection - collect information"; flow:to_server,established; content:"/r?X="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; content:"Host|3A| c.goclick.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5969; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE trackware searchinweb detection - redirect"; flow:to_server,established; content:"/go.php?c="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5968; rev:11;) # alert tcp $HOME_NET any 
-> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE trackware searchinweb detection - click result links"; flow:to_server,established; content:"/click.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5967; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE trackware searchinweb detection - search request"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"said=bar"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| www.searchinweb.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5966; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker searchfast detection - search request"; flow:to_server,established; content:"/fstdirectory/searchResults.php?searchTerm="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5963; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker searchfast detection - catch search keyword"; flow:to_server,established; content:"/keyword.php?"; nocase; http_uri; content:"installID="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"partnerID="; nocase; http_uri; content:"partnerReferID="; nocase; http_uri; content:"Host|3A| searchfst.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5962; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker searchfast detection - news ticker"; flow:to_server,established; content:"/searchfast/ticker.xml"; nocase; 
http_uri; content:"Host|3A| www.thecommunicator.net"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5961; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker raxsearch detection - pop-up raxsearch window"; flow:to_server,established; content:"/search.m?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"q="; nocase; http_uri; content:"r=rxh"; nocase; http_uri; content:"Host|3A| www.raxsearch.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2485; classtype:misc-activity; sid:5960; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker raxsearch detection - send search keywords to raxsearch"; flow:to_server,established; content:"/gettotal.m?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"a="; nocase; http_uri; content:"r=rxh"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2485; classtype:misc-activity; sid:5959; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 123mania outbound connection - sidesearch hijacking"; flow:to_server,established; content:"/ie?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"hl="; nocase; http_uri; content:"lr="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"btnG="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"www.123mania.com/0409/ie.asp"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=940; classtype:misc-activity; sid:5953; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 123mania outbound connection - autosearch hijacking"; flow:to_server,established; content:"/english.asp?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| 
www.123mania.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=940; classtype:misc-activity; sid:5952; rev:9;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules that follow (Snort 2.x rule syntax).
# - Every rule in this stretch ships disabled: the leading "# " in front of
#   "alert" is what switches it off. To enable one, remove only that marker;
#   these note lines are ordinary comments and stay as they are.
# - One rule per physical line. "sid" identifies the rule; by convention "rev"
#   is bumped whenever a rule's detection logic is edited.
# - Most references point at spywareguide.com and www3.ca.com "pest" pages;
#   confirm a reference still resolves before relying on it to re-enable a rule.
# - A Host or User-Agent content without an http_header modifier is matched in
#   the raw request payload, not in the header buffer; such rules lean on
#   "fast_pattern:only" for speed and on their URI contents for specificity.
# ---------------------------------------------------------------------------
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware weirdontheweb runtime detection - update notifier"; flow:to_server,established; content:"/notifier/"; nocase; http_uri; content:"v="; nocase; http_uri; content:"b="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"metadata="; nocase; http_uri; content:"Host|3A| www.weirdontheweb.net"; fast_pattern:only; pcre:"/\x2Fnotifier\x2F(configINTERNAL\.ini|update\.cgi)\?/Ui"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260; classtype:misc-activity; sid:5948; rev:10;)
# sid:5947 - the path and the multipart "pid" field name are raw-payload
# matches (no http_uri / http_client_body); only the User-Agent check is
# restricted to http_header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware weirdontheweb runtime detection - log url"; flow:to_server,established; content:"/cgi/logurl.cgi"; nocase; content:"form-data|3B| name=|22|pid|22|"; fast_pattern:only; content:"internal"; nocase; content:"User-Agent|3A| MyPost"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260; classtype:misc-activity; sid:5947; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware weirdontheweb runtime detection - monitor user web activity"; flow:to_server,established; content:"/request/req.cgi?"; fast_pattern; nocase; http_uri; content:"gu=TN-internal"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"sp="; nocase; http_uri; content:"v="; nocase; http_uri; content:"sn="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"AID="; nocase; http_uri; content:"FT="; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260; classtype:misc-activity; sid:5946; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware weirdontheweb runtime detection - track.cgi request"; flow:to_server,established; content:"/track.cgi?"; nocase; http_uri; content:"prov=INTERNAL"; nocase; http_uri; content:"prog="; nocase; http_uri; content:"siteid="; nocase; http_uri; content:"group="; nocase; http_uri; content:"Host|3A| track.aadserver.net"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260; classtype:misc-activity; sid:5945; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware free access bar runtime detection 1"; flow:to_server,established; content:"User-Agent|3A| FreeAccessBar"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2493; classtype:misc-activity; sid:5944; rev:10;)
# sid:5938 / sid:5937 - the Referer value ("mysearch.dropspam.com/...") is a
# separate http_header content with no distance/within relative to the
# "Referer|3A| " content, so it is not tied to that particular header line.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - third party information collection"; flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"mysearch.dropspam.com/index.php?tpid="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5938; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - pass information to its controlling server"; flow:to_server,established; content:"/r.php?"; nocase; http_uri; content:"apid="; nocase; http_uri; content:"ldid="; nocase; http_uri; content:"tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"cdurl="; nocase; http_uri; content:"srurl="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"mysearch.dropspam.com/index.php?tpid="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5937; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - side search"; flow:to_server,established; content:"/sidesearch.htm"; nocase; http_uri; content:"Host|3A| sidesearch.dropspam.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5936; rev:9;)
# sid:5935 - raw-payload chain: "query=" and "select=" are ordered after
# "source=lifestyle" via distance:0, but "/search.cgi" itself is unanchored.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 3"; flow:to_server,established; content:"/search.cgi"; nocase; content:"source=lifestyle"; nocase; content:"query="; distance:0; nocase; content:"select="; distance:0; nocase; content:"Host|3A| desksearch.dropspam.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5935; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 2"; flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"tbid="; nocase; http_uri; content:"query="; nocase; http_uri; content:"Host|3A| search.dropspam.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5934; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 1"; flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"source="; nocase; http_uri; content:"query="; nocase; http_uri; content:"Host|3A| search.dropspam.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5933; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashbar runtime detection - stats track"; flow:to_server,established; content:"/cgi-bin/connect.cgi?"; nocase; http_uri; content:"usr="; nocase; http_uri; content:"url="; nocase; http_uri; content:"title=CashSurfers"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5932; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashbar runtime detection - pop-up ad 2"; flow:to_server,established; content:"/asp/offers.asp?url=http|3A|/cashsurfers.metareward.com"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5930; rev:15;)
# sid:5929 - the only URI content is the two-byte "si="; the pcre restricts
# the path to "/f?" or "/s?" and the Host content supplies the fast pattern.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashbar runtime detection - pop-up ad 1"; flow:to_server,established; content:"si="; nocase; http_uri; content:"Host|3A| www.metareward.com"; fast_pattern:only; pcre:"/\x2F(f|s)\?[^\r\n]*si=/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5929; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashbar runtime detection - ads request"; flow:to_server,established; content:"/ads.aspx?"; nocase; http_uri; content:"Host|3A| ads.grokads.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5928; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashbar runtime detection - .smx requests"; flow:to_server,established; content:"/cbn/"; nocase; http_uri; content:".smx?"; nocase; http_uri; content:"u="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| ads.cashsurfers.com"; fast_pattern:only; pcre:"/\x2Fcbn\x2F(c|b)\.smx\?[^\r\n]*u=/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5927; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware active shopper runtime detection - collect information"; flow:to_server,established; content:"/HG?"; nocase; http_uri; content:"hc="; nocase; http_uri; content:"vcon=ActiveShopper"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2410; classtype:misc-activity; sid:5926; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware active shopper runtime detection - check"; flow:to_server,established; content:"/check.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"dom="; nocase; http_uri; content:"Host|3A| sidebar.activeshopper.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2410; classtype:misc-activity; sid:5925; rev:11;)
# sid:5924 - Host is spelled "data2.activshopper.com" (no "e"), while
# sids 5925 and 5923 use activeshopper.com. Confirm against a real sample
# before "fixing" the spelling; if it does change, bump rev.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware active shopper runtime detection - redirect"; flow:to_server,established; content:"/active/redir_sidecheck.php?"; fast_pattern; nocase; http_uri; content:"search="; nocase; http_uri; content:"dom="; nocase; http_uri; content:"Host|3A| data2.activshopper.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2410; classtype:misc-activity; sid:5924; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware active shopper runtime detection - side search request"; flow:to_server,established; content:"/sidebar.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"Host|3A| sidebar.activeshopper.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2410; classtype:misc-activity; sid:5923; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker painter outbound connection - redirect yahoo search through online-casino-searcher"; flow:to_server,established; content:"/mtc/yahoo/search.php?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| online-casino-searcher.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2730; classtype:misc-activity; sid:5920; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker painter outbound connection - redirect to klikvipsearch"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| www.klikvipsearch.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2730; classtype:misc-activity; sid:5919; rev:9;)
# sid:5918 - very broad: "/ping" is a raw-payload match and the Host check is
# only the IP prefix "195.225." (anything under 195.225.0.0/16). Expect
# false positives; narrow the host before enabling.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker painter outbound connection - ping 'alive' signal"; flow:to_server,established; content:"/ping"; nocase; content:"Host|3A| 195.225."; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2730; classtype:misc-activity; sid:5918; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware smartpops runtime detection"; flow:to_server,established; content:"/adserv/GetAd.pl"; fast_pattern; nocase; http_uri; content:"sid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"rfs="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"uri="; nocase; http_uri; content:"sn="; nocase; http_uri; content:"cv="; nocase; http_uri; content:"mdm="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1910; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074758; classtype:misc-activity; sid:5911; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware download accelerator plus runtime detection - update"; flow:to_server,established; content:"/cgi-bin/update.dll?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| dapupd"; nocase; http_header; metadata:service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5906; rev:12;)
# sid:5905 - single URI content, no Host or User-Agent check.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware download accelerator plus runtime detection - games center request"; flow:to_server,established; content:"/GamesTab_realarcade.asp"; nocase; http_uri; metadata:service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5905; rev:11;)
# sid:5904 / sid:5902 - the User-Agent content is only the two-byte prefix
# "DA"; the .dll URI content is what makes each rule specific.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware download accelerator plus runtime detection - download files"; flow:to_server,established; content:"/cgi-bin/MirrorSearch.dll?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| DA"; nocase; http_header; metadata:service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5904; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware download accelerator plus runtime detection - get ads"; flow:to_server,established; content:"/cgi-bin/ads9.dll?"; fast_pattern; nocase; http_uri; content:"HTML="; nocase; http_uri; content:"DAUI="; nocase; http_uri; content:"INC="; nocase; http_uri; content:"DL="; nocase; http_uri; content:"CX="; nocase; http_uri; content:"CY="; nocase; http_uri; content:"IIA="; nocase; http_uri; content:"IIG="; nocase; http_uri; content:"IIP="; nocase; http_uri; content:"III="; nocase; http_uri; content:"V="; nocase; http_uri; metadata:service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5903; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware download accelerator plus runtime detection - startup"; flow:to_server,established; content:"/cgi-bin/ads9.dll?R="; fast_pattern; nocase; http_uri; content:"User-Agent|3A| DA"; nocase; http_header; metadata:service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5902; rev:12;)
# sid:5891 - raw-payload chain ordered with distance:0 (PCID, OS, Category,
# Field, Description after the jrnl.php path); no http_* buffers used.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopnav outbound connection - self-update request 2"; flow:to_server,established; content:"/9899/srng/jrnl.php"; nocase; content:"PCID="; distance:0; nocase; content:"OS="; distance:0; nocase; content:"Category="; distance:0; nocase; content:"Field="; distance:0; nocase; content:"Description="; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5891; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopnav outbound connection - self-update request 1"; flow:to_server,established; content:"/9899/srng/reg.php?"; fast_pattern; nocase; http_uri; content:"IpAddr="; nocase; http_uri; content:"OS="; nocase; http_uri; content:"RegistryChanged="; nocase; http_uri; content:"RegistryUpdate="; nocase; http_uri; content:"Basedir="; nocase; http_uri; content:"SrngInstalled="; nocase; http_uri; content:"SrngVer="; nocase; http_uri; content:"PCID="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5890; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopnav outbound connection - collect information"; flow:to_server,established; content:"/dat/bgf/trpix.gif?"; nocase; http_uri; content:"rdm="; nocase; http_uri; content:"dlv="; nocase; http_uri; content:"dmn="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"search2.ad.shopnav.com/9899/search/results.php"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5889; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopnav outbound connection - ie auto search hijack"; flow:to_server,established; content:"/searchcat.jsp?p="; fast_pattern; nocase; http_uri; content:"appid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"type="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5888; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopnav outbound connection - ie search assistant hijack"; flow:to_server,established; content:"/9899/search/results.php?"; fast_pattern; nocase; http_uri; content:"source="; nocase; http_uri; content:"pa="; nocase; http_uri; content:"keywords="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5887; rev:10;)
# sid:5883 - no path content; every content is a short, generic URI parameter
# name (op=, vic=, ip=, port=, pass=), so the pcre on
# pass=(YAHOO|MSN|PALTALK) is the only element with real specificity.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies saria 1.0 outbound connection - send user information"; flow:to_server,established; content:"op="; nocase; http_uri; content:"vic="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; fast_pattern; nocase; http_uri; content:"pass="; nocase; http_uri; pcre:"/pass=(YAHOO|(XP\s+)?MSN|PALTALK)/Ui"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080923; classtype:misc-activity; sid:5883; rev:11;)
# sid:5874 depends on flowbit PCAcmePro, which is set (with noalert) by
# sid:5873 below on the X-Mailer header of the same SMTP session. Enable both
# or neither; sid:5874 can never fire on its own.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE Snoopware pc acme pro outbound connection"; flow:to_server,established; flowbits:isset,PCAcmePro; content:"Attached file is PC Acme report"; fast_pattern:only; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=2271; classtype:successful-recon-limited; sid:5874; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE Snoopware pc acme pro outbound connection"; flow:to_server,established; content:"X-Mailer|3A| mPOP Web-Mail"; fast_pattern:only; flowbits:set,PCAcmePro; flowbits:noalert; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=2271; classtype:successful-recon-limited; sid:5873; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Snoopware hyperlinker outbound connection"; flow:to_server,established; content:"/lm/rtl3i.asp"; nocase; http_uri; content:"si="; nocase; http_uri; content:"k="; nocase; http_uri; content:"Host|3A| www.serverlogic3.com"; fast_pattern:only; metadata:service http; reference:url,www.doxdesk.com/parasite/Hyperlinker.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090785; classtype:successful-recon-limited; sid:5872; rev:9;)
# sid:5871 - the Thinstall path content is a raw-payload match; the pcre
# (flags smiH) requires the Thinstall(Pre|Result) path to precede a
# User-Agent line carrying ".exe" and a brace-delimited GUID-like token, with
# ".*" under the "s" flag allowed to span line breaks.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler VX2/ABetterInternet transponder thinstaller outbound connection - post information"; flow:to_server,established; content:"/bi/servlet/Thinstall"; fast_pattern:only; content:"User-Agent|3A|"; nocase; http_header; content:".exe"; nocase; http_header; pcre:"/\x2Fbi\x2Fservlet\x2FThinstall(Pre|Result).*^User-Agent\x3A[^\r\n]*\.exe[^\r\n]*\x7B[\dA-Za-z]{8}-[\dA-Za-z]{4}-[\dA-Za-z]{4}-[\dA-Za-z]{4}-[\dA-Za-z]{12}\x7D\x7C[\dA-Za-z]{8}\x7C\d{5}-\d{3}-\d{7}-\d{5}/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threat_display.cfm?name=ABetterInternet&threatid=14797; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,www.geekstogo.com/forum/Aurora_spyware_Nailexe-t24344.html; classtype:misc-activity; sid:5871; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker couponbar outbound connection - view coupon offers"; flow:to_server,established; content:"/CBTerms.asp"; nocase; http_uri; content:"Host|3A| couponbar.coupons.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079137; classtype:misc-activity; sid:5868; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware zapspot runtime detection - pop up ads"; flow:to_server,established; content:"/cbb/frame.asp?"; nocase; http_uri; content:"cbb="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A| www.zapspot.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1714; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075441; classtype:misc-activity; sid:5865; rev:11;)
# sid:5863 - "ref=%user_id" is a raw-payload content (no http_uri), unlike
# the other contents in this rule.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker isearch outbound connection - search hijack 2"; flow:to_server,established; content:"/phrase.php?"; fast_pattern; nocase; http_uri; content:"text="; nocase; http_uri; content:"tid="; nocase; http_uri; content:"ref=%user_id"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5863; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker isearch outbound connection - search hijack 1"; flow:to_server,established; content:"/dns.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"Host|3A| auto.isearch.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5862; rev:10;)
# sid:5860 - "o.php?" has no leading slash and matches any URI containing it
# (e.g. "foo.php?"); the Host content in http_header is the discriminator.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker daosearch outbound connection - search hijack"; flow:to_server,established; content:"o.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| daosearch.com"; fast_pattern; nocase; http_header; metadata:service http; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.daosearch.html; classtype:misc-activity; sid:5860; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker daosearch outbound connection - information request"; flow:to_server,established; content:"/advers/zl/version.txt"; fast_pattern; nocase; http_uri; content:"Host|3A| daosearch.com"; nocase; metadata:service http; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.daosearch.html; classtype:misc-activity; sid:5859; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker funbuddyicons outbound connection - request config"; flow:to_server,established; content:"/mySpeedbarCfg2.jsp?"; fast_pattern; nocase; http_uri; content:"s="; nocase; http_uri; content:"p=ZB"; nocase; http_uri; content:"v="; nocase; http_uri; content:"e="; nocase; http_uri; metadata:service http; reference:url,www.pchell.com/support/funbuddyicons.shtml; classtype:misc-activity; sid:5855; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - pass user information"; flow:to_server,established; content:"/cache/cache.php?"; nocase; http_uri; content:"host="; nocase; http_uri; content:"state="; nocase; http_uri; content:"nat="; nocase; http_uri; content:"User-Agent|3A| Warez Beta Client"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5854; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - download ads"; flow:to_server,established; content:"/?e="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"Host|3A| adserver.warezclient.com"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5853; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - cache.dat request"; flow:to_server,established; content:"/cache/data/cache.dat"; nocase; http_uri; content:"User-Agent|3A| Warez Beta Client"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5852; rev:12;)
# sid:5851 - no URI content; "User-Agent|3A| " and "Indy Library" are two
# independent http_header contents with no relative anchoring between them.
# The Host content carries fast_pattern and is the specific element.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - .txt .dat and .lst requests"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"Indy Library"; nocase; http_header; content:"Host|3A| data.warezclient.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5851; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - check update"; flow:to_server,established; content:"/upd/check?"; nocase; http_uri; content:"version="; nocase; http_uri; content:"localeId="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"windowsVersion="; nocase; http_uri; content:"rVersion="; nocase; http_uri; content:"updateValue="; nocase; http_uri; content:"User-Agent|3A| Download Agent"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5850; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - update request"; flow:to_server,established; content:"/updn.php?ver="; nocase; http_uri; content:"Host|3A| data.warezclient.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5849; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - ip.php request"; flow:to_server,established; content:"/cache/ip.php"; nocase; http_uri; content:"User-Agent|3A| Warez Beta Client"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5848; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - p2p client home"; flow:to_server,established; content:"/home.php?"; fast_pattern; nocase; http_uri; content:"ver="; nocase; http_uri; content:"co="; nocase; http_uri; content:"NewUser="; nocase; http_uri; content:"info=WDC"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5847; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler VX2/DLmax/BestOffers/Aurora outbound connection"; flow:to_server,established; content:"/a/Drk.syn"; nocase; http_uri; content:"adcontext="; nocase; http_uri; content:"countrycodein="; fast_pattern; nocase; http_uri; content:"lastAdTime="; nocase; http_uri; content:"lastAdCode="; nocase; http_uri; content:"cookie1="; nocase; http_uri; content:"cookie2="; nocase; http_uri; content:"cookie3="; nocase; http_uri; content:"cookie4="; nocase; http_uri; content:"InstID="; nocase; http_uri; content:"status="; nocase; http_uri; content:"smode="; nocase; http_uri; content:"bho="; nocase; http_uri; metadata:service http; reference:url,www.geekstogo.com/forum/Aurora_spyware_Nailexe-t24344.html; reference:url,www.spywareguide.com/product_show.php?id=1646; reference:url,www.spywareguide.com/product_show.php?id=2012; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076992; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453089623; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096297; classtype:misc-activity; sid:5846; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker surfsidekick outbound connection - update request"; flow:to_server,established; content:"/rinfo.htm?"; fast_pattern; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"bundle="; nocase; http_uri; content:"client="; nocase; http_uri; content:"guid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1128; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721; classtype:misc-activity; sid:5845; rev:10;)
# sid:5844 - raw-payload chain: ver=, guid=, host= are ordered with
# distance:0 after the requestimpression.aspx path; Host matched separately.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker surfsidekick outbound connection - post request"; flow:to_server,established; content:"/requestimpression.aspx?"; nocase; content:"ver="; distance:0; nocase; content:"guid="; distance:0; nocase; content:"host="; distance:0; nocase; content:"Host|3A| ads.surfsidekick.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1128; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721; classtype:misc-activity; sid:5844; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker surfsidekick outbound connection - hijack ie auto search"; flow:to_server,established; content:"/search.aspx?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"client=SSKD"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1128; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721; classtype:misc-activity; sid:5843; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler minibug outbound connection - ads"; flow:to_server,established; content:"/RealMedia/ads/adstream_sx.cgi/www.wbug.com/"; fast_pattern; nocase; http_uri; content:"A1="; nocase; http_uri; content:"A2="; nocase; http_uri; metadata:service http; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.weatherbug.html; reference:url,www.spywareguide.com/product_show.php?id=2178; classtype:misc-activity; sid:5842; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler minibug outbound connection - retrieve weather information"; flow:to_server,established; content:"/WxDataISAPI/WxDataISAPI.cgi"; fast_pattern; nocase; http_uri; content:"Magic="; nocase; http_uri; content:"RegNum="; nocase; http_uri; content:"ZipCode="; nocase; http_uri; content:"StationID="; nocase; http_uri; content:"Units="; nocase; http_uri; content:"Version="; nocase; http_uri; content:"Fore="; nocase; http_uri; content:"t="; nocase; http_uri; content:"lv="; nocase; http_uri; metadata:service http; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.weatherbug.html; reference:url,www.spywareguide.com/product_show.php?id=2178; classtype:misc-activity; sid:5841; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker sep outbound connection"; flow:to_server,established; content:"/ad/?"; nocase; http_uri; content:"st="; nocase; http_uri; content:"SE="; nocase; http_uri; content:"SID="; nocase; http_uri; content:"Host|3A| www.searchreslt.com"; fast_pattern:only; metadata:service http; reference:url,process.networktechs.com/sep.dll.php; classtype:misc-activity; sid:5840; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler nictech.bm2 outbound connection"; flow:to_server,established; content:"/cgi-bin/PopupV"; fast_pattern; nocase; http_uri; content:"type="; nocase; http_uri; content:"mSkip="; nocase; http_uri; content:"rnd="; nocase; http_uri; metadata:service http; reference:url,"research.sunbelt-software.com/threat_display.cfm?name=NicTech.BM2&threatid=15195"; classtype:misc-activity; sid:5836; rev:14;)
# sid:5835 - User-Agent only, matched as two independent http_header contents
# ("User-Agent|3A| " and "Gamespy Arcade") with no relative anchoring.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware gamespy_arcade runtime detection"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"Gamespy Arcade"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1241; classtype:misc-activity; sid:5835; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler clipgenie outbound connection"; flow:to_server,established; content:"/cgi-bin/omnidirect.cgi"; fast_pattern; nocase; http_uri; content:"SID="; nocase; http_uri; content:"PID="; nocase; http_uri; content:"LID="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"PARMR="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=474; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073486; classtype:misc-activity; sid:5829; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcasturban tuner runtime detection - connect to station"; flow:to_server,established; content:"/newsurfer4/"; fast_pattern; nocase; http_uri; content:"brand="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"speed="; nocase; http_uri; content:"title="; nocase; http_uri; content:"artist="; nocase; http_uri; content:"show="; nocase; http_uri; content:"call="; nocase; http_uri; content:"archive="; nocase; http_uri; pcre:"/\x2Fnewsurfer4\x2F[a-zA-Z0-9_-]*\.asp\?brand=/Ui"; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5828; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcasturban tuner runtime detection - get gateway"; flow:to_server,established; content:"/newsurfer4/getgateway.asp?"; fast_pattern; nocase; http_uri; content:"userid="; nocase; http_uri; content:"call="; nocase; http_uri; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5827; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcasturban tuner runtime detection - pass user info to server"; flow:to_server,established; content:"/newsurfer4/"; nocase; http_uri; pcre:"/\x2Fnewsurfer4\x2F((register\.asp)|(survey\.asp\?nUserId=))/Ui"; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5826; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcasturban tuner runtime detection - start tuner"; flow:to_server,established; content:"/newsurfer4/mainplocal.htm?"; fast_pattern; nocase; http_uri; content:"brand="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"call="; nocase; http_uri; content:"speed="; nocase; http_uri; content:"unlock="; nocase; http_uri; content:"archive="; nocase; http_uri; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5825; rev:12;)
# sid:5811 - the one response-side rule here (to_client, file_data). Its pcre
# starts with "]*", which looks as though the opening object-tag prefix was
# lost from this copy: "]*" is a literal-"]" repeat, so the pattern still
# compiles but no longer ties the classid to an object element. Compare with
# the upstream rule text before enabling.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE shop at home select installation in progress - clsid detected"; flow:to_client,established; file_data; content:"C0EF89EE-EEC7-4535-A041-F1EBF79560A7"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0EF89EE-EEC7-4535-A041-F1EBF79560A7/si"; metadata:service http; reference:url,www.nuker.com/container/details/shop_at_home_select.php; classtype:misc-activity; sid:5811; rev:9;)
# sid:5810 and sid:5809 carry no reference. In sid:5809 the "LastPrefs="
# content has no nocase while every sibling content does; confirm whether
# that is intentional before changing it (and bump rev if it changes).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shop at home select installation in progress"; flow:to_server,established; content:"GRInstallCL.asp"; fast_pattern; nocase; http_uri; content:"E="; nocase; http_uri; content:"MID="; nocase; http_uri; content:"Refer="; nocase; http_uri; content:"WGR="; nocase; http_uri; content:"Prev="; nocase; http_uri; content:"sGUID="; nocase; http_uri; metadata:service http; classtype:misc-activity; sid:5810; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shop at home select merchant redirect in progress"; flow:to_server,established; content:"/frameset3.asp"; fast_pattern; nocase; http_uri; content:"MID="; nocase; http_uri; content:"ruleID="; nocase; http_uri; content:"popupID="; nocase; http_uri; content:"doPopup="; nocase; http_uri; content:"version="; nocase; http_uri; content:"requested="; nocase; http_uri; content:"CustomerID="; nocase; http_uri; content:"owner="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"LastPrefs="; http_uri; content:"GUID="; nocase; http_uri; metadata:service http; classtype:misc-activity; sid:5809; rev:10;)
# sid:5807 - every content is a raw-payload match (no http_* modifiers) and
# none are anchored relative to one another.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopathomeselect outbound connection"; flow:to_server,established; content:"SAHSelect=GUID="; nocase; content:"CustomerID="; nocase; content:"stealth="; nocase; content:"InstallerLocation="; fast_pattern:only; content:"LastPrefs="; nocase; content:"AgentVersion="; nocase; content:"CTG="; nocase; content:"WSS_GW="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074921; classtype:misc-activity; sid:5807; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware mydailyhoroscope runtime detection"; flow:to_server,established; content:"/mdh/adcr2.aspx"; fast_pattern; nocase; http_uri; content:"API="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"TZ="; nocase; http_uri; content:"LC="; nocase; http_uri; content:"APL="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1184; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088207; classtype:misc-activity; sid:5798; rev:10;)
# sid:5796 - the User-Agent "My AppName" reads like a template placeholder
# and "/ping.html" is a generic path; validate against live traffic before
# enabling.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware keenvalue runtime detection"; flow:to_server,established; content:"/ping.html"; nocase; http_uri; content:"User-Agent|3A| My AppName"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094138; classtype:misc-activity; sid:5796; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ist powerscan runtime detection"; flow:to_server,established; content:"adv_id="; nocase; http_uri; content:"campaign="; nocase; http_uri; content:"origin="; nocase; http_uri; content:"program_id="; nocase; http_uri; content:"subprogram_id="; nocase; http_uri; content:"site_id="; nocase; http_uri; content:"ref_url="; nocase; http_uri; content:"Host|3A| www.power-cleaner.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=981; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077266; classtype:misc-activity; sid:5795; rev:11;)
# sid:5794 - no Host content; the path "/open_console_out.php" plus two
# short parameter names is the whole signature.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker coolwebsearch.aboutblank variant outbound connection"; flow:to_server,established; content:"/open_console_out.php"; fast_pattern; nocase; http_uri; content:"n="; nocase; http_uri; content:"pin="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; classtype:misc-activity; sid:5794; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Dialer pluginaccess outbound connection - redirect"; flow:to_server,established; content:"/dlrdir.html?"; fast_pattern; nocase; http_uri; content:"DiallerIP="; nocase; http_uri; content:"dialled="; nocase; http_uri; content:"site="; nocase; http_uri; content:"did="; nocase; http_uri; content:"country="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=579; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883; classtype:misc-activity; sid:5793; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Dialer pluginaccess outbound connection - active proxy"; flow:to_server,established; content:"/activeproxy.php?"; fast_pattern; nocase; http_uri; content:"did="; nocase; http_uri; content:"pin="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; nocase; http_uri; content:"resdir="; nocase; http_uri; content:"selectbox="; nocase; http_uri; content:"lmi="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=579; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883; classtype:misc-activity; sid:5792; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Dialer pluginaccess outbound connection - get pin"; flow:to_server,established; content:"/getpin.php?"; fast_pattern; nocase; http_uri; content:"did="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; 
nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=579; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883; classtype:misc-activity; sid:5791; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hithopper runtime detection - search"; flow:to_server,established; content:"?search="; nocase; http_uri; content:"Host|3A| www.hithopper.com"; fast_pattern:only; pcre:"/\x2Fs(earch)?\x2Ephp3?\x3Fsearch\x3D/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5787; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hithopper runtime detection - redirect"; flow:to_server,established; content:"/redirectf.php3?"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"id="; nocase; http_uri; content:"adid="; nocase; http_uri; content:"search_parsed="; nocase; http_uri; content:"rank="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5786; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hithopper runtime detection - get xml setting"; flow:to_server,established; content:"/xml/hithopper.xml"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5785; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler grokster outbound connection"; flow:to_server,established; content:"P2P-Agent|3A| Grokster"; fast_pattern:only; metadata:service http; reference:url,www.securemost.com/articles/rm_grokster.htm; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060425; classtype:misc-activity; sid:5776; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker freescratch outbound connection - scratch card"; flow:to_server,established; content:"/scratch.php?uid="; nocase; http_uri; content:"Host|3A| www.freescratchandwin.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=478; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073903; classtype:misc-activity; sid:5775; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware forbes runtime detection"; flow:to_server,established; content:"User-Agent|3A| Dripline"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=556; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075448; classtype:misc-activity; sid:5773; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Screen-Scraper farsighter outbound connection - initial connection"; flow:to_client,established; flowbits:isset,Farsighter; content:"|0B 00 00 00 05 00 00 00|OK|00|"; depth:11; nocase; reference:url,www.spywareguide.com/product_show.php?id=587; classtype:successful-recon-limited; sid:5772; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PUA-ADWARE Screen-Scraper farsighter outbound connection - initial connection"; flow:to_server,established; content:"|00 00 05 00 00 00|"; depth:8; offset:2; nocase; flowbits:set,Farsighter; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=587; classtype:successful-recon-limited; sid:5771; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker begin2search outbound connection - play bingo ads"; flow:to_server,established; content:"/adpage2.asp?sourceid="; nocase; http_uri; content:"Host|3A| www.take5bingo.com"; fast_pattern:only; metadata:service 
http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5769; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker begin2search outbound connection - pass information"; flow:to_server,established; content:"/client/fcgi/stats-post2.fcgi"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| WebConnLib"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5768; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker begin2search outbound connection - download unauthorized code"; flow:to_server,established; content:".compress"; nocase; http_uri; pcre:"/\x2F(dist|SupportFiles)\x2F[^\r\n]*\.compress/Ui"; content:"User-Agent|3A| NSISDL"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5767; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker begin2search outbound connection - install spyware trafficsector"; flow:to_server,established; content:"/install.php?"; fast_pattern; nocase; http_uri; content:"afid=b2search"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"version="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5766; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker begin2search outbound connection - fcgi query"; flow:to_server,established; content:"/cgi-bin/"; nocase; http_uri; content:".fcgi"; nocase; http_uri; 
pcre:"/\x2Fcgi-bin\x2F[a-zA-Z0-9_]*\.fcgi/Ui"; content:"Host|3A| begin2search.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5764; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler bearshare outbound connection - chat request"; flow:to_server,established; content:"/chat/chat.php"; nocase; http_uri; content:"nick="; nocase; content:"initchan=BearShare"; distance:0; nocase; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060286; classtype:misc-activity; sid:5763; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler bearshare outbound connection - p2p information request"; flow:to_server,established; content:"/gwcache/lynnx.asp?"; fast_pattern; nocase; http_uri; content:"client=BEAR"; nocase; http_uri; content:"version="; nocase; http_uri; content:"urlfile="; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060286; classtype:misc-activity; sid:5762; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler bearshare outbound connection - ads popup"; flow:to_server,established; content:"/w/pop.cgi?"; http_uri; content:"sid="; nocase; http_uri; content:"u=http"; nocase; http_uri; content:"bearshare"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060286; classtype:misc-activity; sid:5761; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ezcybersearch outbound connection - download fastclick pop-under code"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/b.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"cid="; nocase; http_uri; 
pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fb\.fcgi/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5758; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ezcybersearch outbound connection - add coolsites to ie favorites"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/fav.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Ffav\.fcgi/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5756; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ezcybersearch outbound connection - check update"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/chk.fcgi"; fast_pattern; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fchk\.fcgi/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5755; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ezcybersearch outbound connection - ie auto search hijack"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/shdoclc.fcgi?"; fast_pattern; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fshdoclc\.fcgi/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5754; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware exactsearch runtime detection - topsearches"; flow:to_server,established; 
content:"/search.php?Keywords="; fast_pattern; nocase; http_uri; content:"partner=bar"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=475; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519; classtype:misc-activity; sid:5753; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware exactsearch runtime detection - switch search engine 2"; flow:to_server,established; content:"/setup.asp?src=exact&query="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=475; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519; classtype:misc-activity; sid:5752; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware exactsearch runtime detection - switch search engine 1"; flow:to_server,established; content:"/d/search/p/exactad/?Keywords="; fast_pattern; nocase; http_uri; content:"Partners=exactad"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=475; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519; classtype:misc-activity; sid:5751; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adultlinks outbound connection - ads"; flow:to_server,established; content:"/exit/exit.html?act="; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5748; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adultlinks outbound connection - log hits"; flow:to_server,established; content:"/cgi-bin/hits/log.cgi/"; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=431; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5747; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adultlinks outbound connection - load url"; flow:to_server,established; content:"/logurl/loadURL/"; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5746; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adultlinks outbound connection - redirect"; flow:to_server,established; content:"/cgi-bin/lzRedirect.cgi"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"act="; nocase; http_uri; content:"type="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5745; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker actualnames outbound connection - online.php request"; flow:to_server,established; content:"/online.php?"; nocase; http_uri; content:"Host|3A| actualnames.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=608; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074941; classtype:misc-activity; sid:5744; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker actualnames outbound connection - plugin list"; flow:to_server,established; content:"/gate.php?plugin="; nocase; http_uri; content:"Host|3A| www.actualnames.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=608; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074941; classtype:misc-activity; sid:5743; 
rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware outbound connection - pre install"; flow:to_server,established; content:"/instapi.php?idMk="; http_uri; content:"&state="; distance:0; http_uri; content:"&idTime="; distance:0; http_uri; content:"&idA2="; distance:0; http_uri; content:"&xVal="; distance:0; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27915; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware - post install"; flow:to_server,established; content:"/report.php?key="; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27914; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware - get ads"; flow:to_server,established; content:"/afr.php?zoneid="; http_uri; content:"/ads/ox.html"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27913; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Linkury outbound time check"; flow:to_server,established; dsize:72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; 
classtype:trojan-activity; sid:28156; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Schmidti outbound communication attempt"; flow:to_server,established; content:"/widgets/l96f428it5mt/"; fast_pattern:only; http_uri; metadata:service http; reference:url,virustotal.com/en/file/6942313D065F503B6654481A329059DDEACEE09FFC30665C32EFFDDB63D52F5F/analysis/; classtype:misc-activity; sid:28140; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Wajam outbound connection - post install"; flow:to_server,established; content:"/img/icons/2040254.32.png"; http_uri; content:"static.updatestar.net"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/30ab3173d48e3c63d89dcd83eca5d0e28d44f76a9acde9c881a1c40d75771d83/analysis/; classtype:trojan-activity; sid:28280; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Wajam outbound connection - post install"; flow:to_server,established; content:"/install/valid?v"; http_uri; content:"&unique_id="; within:15; http_uri; content:"www.wajam.com|0D 0A|"; fast_pattern:only; http_header; content:!"User-Agent|3A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/30ab3173d48e3c63d89dcd83eca5d0e28d44f76a9acde9c881a1c40d75771d83/analysis/; classtype:trojan-activity; sid:28279; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE FakeAV runtime detection"; flow:to_server,established; content:"&affid="; fast_pattern:only; http_uri; content:"/api/"; nocase; http_uri; content:"?ts="; nocase; http_uri; content:"&token="; nocase; http_uri; content:"&group="; nocase; http_uri; content:"&nid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&ver="; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, 
service http; classtype:trojan-activity; sid:28324; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE UpdateStar encapsulated installer outbound connection"; flow:to_server,established; content:"/UpdateStar/?v="; fast_pattern:only; http_uri; content:"updatestarcdn.com|0D 0A|"; http_header; metadata:policy balanced-ips drop, service http; reference:url,www.virustotal.com/en/file/3218fee67b2ea4d1b20a2d06afae6b74c92219a31375b6e8cd8c754a45b10994/analysis/; classtype:misc-activity; sid:28372; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE UpdateStar CIS file retrieval attempt"; flow:to_server,established; flowbits:isset,file.cis; content:"/ofr/"; nocase; http_uri; content:"updatestarcdn.com|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, service http; reference:url,www.virustotal.com/en/file/3218fee67b2ea4d1b20a2d06afae6b74c92219a31375b6e8cd8c754a45b10994/analysis/; classtype:misc-activity; sid:28371; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE FreePDS installer outbound connection"; flow:to_server,established; content:"/freepds/fileinfo.php?"; fast_pattern:only; http_uri; content:"User-Agent: FreePDS"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/477a9be8e560dc85f3346ad2ee8d271d0c8372cedb2a25e0a4da8fe18b693650/analysis/; classtype:trojan-activity; sid:28531; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Apponic encapsulated installer outbound connection"; flow:to_server,established; content:"/Apponic/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/domain/apponic.com/information/; reference:url,www.virustotal.com/en/file/ecb0151cb71a6e331825235de966e8d6c1f5957e21bbb5f24ab690ab973b5e80/analysis/; classtype:misc-activity; sid:28885; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"PUA-ADWARE Apponic encapsulated installer outbound connection"; flow:to_server,established; content:"/?pcrc="; fast_pattern:only; http_uri; content:"&v="; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/domain/apponic.com/information/; reference:url,www.virustotal.com/en/file/ecb0151cb71a6e331825235de966e8d6c1f5957e21bbb5f24ab690ab973b5e80/analysis/; classtype:misc-activity; sid:28884; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Apponic CIS file retrieval attempt"; flow:to_server,established; flowbits:isset,file.cis; content:"/ofr/"; nocase; http_uri; content:".cis"; within:20; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/domain/apponic.com/information/; reference:url,www.virustotal.com/en/file/ecb0151cb71a6e331825235de966e8d6c1f5957e21bbb5f24ab690ab973b5e80/analysis/; classtype:misc-activity; sid:28883; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallBrain software download attempt"; flow:to_server,established; content:"HEAD"; nocase; http_method; content:"/files/products/"; fast_pattern:only; http_uri; pcre:"/^\x2Ffiles\x2Fproducts\x2F\w{1,40}\.(exe|cf)$/Ui"; metadata:service http; reference:url,www.virustotal.com/en/domain/softologicse.com/information/; classtype:misc-activity; sid:28935; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallBrain software download attempt"; flow:to_server,established; content:"HEAD"; nocase; http_method; content:"/files/components/"; fast_pattern:only; http_uri; pcre:"/^\x2Ffiles\x2Fcomponents\x2F\w{1,40}\.(exe|cf)$/Ui"; metadata:service http; reference:url,www.virustotal.com/en/domain/softologicse.com/information/; classtype:misc-activity; sid:28934; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Amonetize 
installer outbound connection attempt"; flow:to_server,established; content:"/script/display.php"; nocase; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b0288d9d29652597764b1dcc51ac7a2da217ca69dfd10b6ce865ad43337596eb/analysis/; classtype:trojan-activity; sid:28929; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-ADWARE 4Shared Downloader executable file download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 5C 00|4|00|s|00|h|00|a|00|r|00|e|00|d|00 5C 00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|H|00|e|00|l|00|p|00|e|00|r"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/c293e43bbe1a8250742e92fdee422d3c43df0aeaf34e43137f6d6d4f36ef1c41/analysis/; classtype:misc-activity; sid:29501; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE 4Shared Downloader outbound connection attempt"; flow:to_server,established; content:"User-Agent|3A| B1 Tiny Loader/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,virustotal.com/en/file/c293e43bbe1a8250742e92fdee422d3c43df0aeaf34e43137f6d6d4f36ef1c41/analysis/; classtype:misc-activity; sid:29500; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE The Best All Codecs App runtime detection"; flow:to_server,established; content:"/CM/?v=3.0&c="; fast_pattern:only; http_uri; content:"0A0"; depth:3; http_client_body; isdataat:150,relative; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e099a4a8498eec1bd87d691ebac137c5bf2ac6ca1f9c3403c1fcf2ad481aec49/analysis/; classtype:misc-activity; sid:29991; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"PUA-ADWARE InstallMonster follow-up outbound connection"; flow:to_server,established; content:"User-Agent|3A|"; http_header; content:"installmonster"; within:300; fast_pattern; nocase; http_header; pcre:"/User-Agent\x3a\s[^\x0d\x0a]*?installmonster/Hi"; metadata:service http; reference:url,www.virustotal.com/en/file/fc37a569c2e6264a4a81b66c3220ffd911bc283b003ae1db25777847a8f6d62c/analysis/; classtype:misc-activity; sid:30238; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMonster initial runtime outbound connection"; flow:to_server,established; urilen:10; content:"/api/index"; http_uri; content:"POST"; nocase; http_method; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/fc37a569c2e6264a4a81b66c3220ffd911bc283b003ae1db25777847a8f6d62c/analysis/; classtype:misc-activity; sid:30237; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.FakeAV variant outbound connection"; flow:to_server,established; content:"/cmd/report.php?"; nocase; http_uri; content:"PartnerId="; distance:0; nocase; http_uri; content:"OfferId="; distance:0; nocase; http_uri; content:"action="; distance:0; nocase; http_uri; content:"program="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/adf2e4e680a4933533436bd7456bee7963eefa1be226112dd529e43c801c3ff9/analysis/; classtype:trojan-activity; sid:30930; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Linkular variant outbound connection"; flow:to_server,established; content:"/api/software/?s="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&output="; distance:0; http_uri; content:"&v="; distance:0; http_uri; content:"&l="; distance:0; http_uri; content:"&np="; distance:0; http_uri; content:"&osv="; distance:0; http_uri; metadata:policy security-ips 
drop, service http; reference:url,www.virustotal.com/en/file/adf2e4e680a4933533436bd7456bee7963eefa1be226112dd529e43c801c3ff9/analysis/; classtype:trojan-activity; sid:30927; rev:1;)
#
# PUA-ADWARE (continued): one HTTP signature per line. A line that begins with
# "# alert" is a commented-out rule and is not loaded; enabling it is a local
# policy decision. "metadata:policy <name> drop" marks the rule as dropping
# inline in that policy; "ruleset community" marks rules also shipped in the
# community set. Matches carry an http_* buffer modifier unless noted below.
#
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OptimumInstaller variant outbound connection"; flow:to_server,established; content:".exe?mode="; http_uri; content:"&sf="; distance:0; http_uri; content:"&subid="; distance:0; http_uri; content:"&filedescription="; distance:0; http_uri; content:"&adprovider="; distance:0; http_uri; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2af815929dbf3aa1535c152a0b3c8301d22f6bc9e384b5afa7041a2ddc996c94/analysis/; classtype:policy-violation; sid:31019; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Outbrowse installation attempt"; flow:to_server,established; content:"|2F|Installer|2F|Flow|3F|pubid|3D|"; http_uri; content:"|26|productid|3D|9415"; distance:0; http_uri; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2e8fb978dff63f255ecd3a1cd4b0280011e769f1eb7769fee91c9668501be15e/analysis/; classtype:policy-violation; sid:31042; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Kdupd variant outbound connection"; flow:to_server,established; content:"/debug_report.php?s="; nocase; http_uri; content:"&os="; distance:0; nocase; http_uri; content:"&v="; distance:0; nocase; http_uri; content:"User-Agent|3A| InetURL/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,virustotal.com/en/file/50466b7394c9aa1986ac751af9bd7c2b3a07d7cafe3bca7f7dc0f73e2f40250a/analysis/; classtype:policy-violation; sid:31052; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.PCSpeedUp variant outbound connection"; flow:to_server,established; content:"&tag="; http_uri; content:"_PCSPEEDUP"; within:14; http_uri; content:"WinHttp.WinHttpRequest.5"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/42B119767E0465F0FCFE5E2DFAD2BAD8EEC882E0295A5580B9080FE5313D73BB/analysis/; classtype:policy-violation; sid:31048; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Inbox/PCFixSpeed/RebateInformer variant outbound connection"; flow:to_server,established; content:"/RebateInformerSetup.exe"; fast_pattern:only; http_uri; content:"User-Agent|3A| Inno Setup Downloader"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6e598e8ddf7f95542064f41c3a0a4f73b63982948847e40df9dff47186543c46/analysis/; classtype:policy-violation; sid:31091; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.CloseApp variant outbound connection"; flow:to_server,established; content:"/get/?q="; http_uri; content:"User-Agent|3A| win32|0D 0A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0ec2938841e77e20c5f967bf9b1d7890e18f156ce481568cfe97677d8755ee5d/analysis/; classtype:trojan-activity; sid:31089; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.iBryte variant outbound connection"; flow:to_server,established; content:"/impression.do/?user_id="; http_uri; content:"&event="; distance:0; http_uri; content:"&spsource="; distance:0; http_uri; content:"&implementation_id="; distance:0; http_uri; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/file/c3339ce316926de4d79a7d8ca7f7e26eb33c80b8f4d5de81659d14875403e031/analysis/; classtype:trojan-activity; sid:31146; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallRex bundled installer outbound activity"; flow:to_server,established; urilen:>400; content:"step_id="; fast_pattern:only; http_uri; content:"installer_id="; nocase; http_uri; content:"publisher_id="; within:35; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/80129484d40c28f66426247b74f1a2c92d93ac2d9a08709a4da712e34d6605af/analysis/; classtype:misc-activity; sid:31167; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallRex bundled installer outbound activity"; flow:to_server,established; urilen:>14; content:"report_version="; fast_pattern:only; http_uri; content:"User-Agent: TixDll"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/80129484d40c28f66426247b74f1a2c92d93ac2d9a08709a4da712e34d6605af/analysis/; classtype:misc-activity; sid:31166; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Ticno Multibar installation attempt"; flow:to_server,established; content:"Host: static.install.ticno.com"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b3f928b4be1ff7454d19f357b3e9d2926d0a8607dffeb3bab124208c9e59554b/analysis/; classtype:trojan-activity; sid:31313; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vsearch installer request"; flow:to_server,established; content:"/static/get-js?dc_id="; fast_pattern:only; http_uri; content:"&sub_id"; http_uri; metadata:service http; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:misc-activity; sid:32120; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vsearch installer User-Agent"; flow:to_server,established; content:"User-Agent: VSInstaller/1 CFNetwork/"; fast_pattern:only; http_header; metadata:service http; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:misc-activity; sid:32119; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MplayerX malvertising connectivity check"; flow:to_server,established; content:"User-Agent: Lavf/5"; fast_pattern:only; http_header; metadata:service http; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:misc-activity; sid:32118; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MplayerX malvertising browser hijacker"; flow:to_server,established; content:"mac-products/MplayerX.tgz"; fast_pattern:only; http_uri; metadata:service http; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:misc-activity; sid:32117; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Nosibay Bubble Dock freeware auto update outbound connection"; flow:to_server,established; content:"bootstrap/update.php"; fast_pattern:only; http_uri; content:"User-Agent: NSIS_Inetc"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/b58fb2ae8307a93da6abca9c96fcde91a1cfb6bacaf56adc110bd8ca1842b1e4/analysis/; classtype:misc-activity; sid:32339; rev:1;)
# sid 33212 is the one inbound (to_client) signature in this span: it inspects
# the server response via file_data and is tagged for ftp-data/http/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-ADWARE SoftPulse variant HTTP response attempt"; flow:to_client,established; file_data; content:",|22|installerBehavior|22|:{|22|hideOnInstall|22|:"; fast_pattern:only; content:"{|22|time|22|:"; content:"|22|country|22|"; within:30; content:",|22|countryId|22|:"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/7aa774bffa2eb38c691774c1cc59e0adf6186da62afc417baa6333670e1e3011/analysis/1421687954/; classtype:trojan-activity; sid:33212; rev:1;)
# NOTE(review): in sid 33280 the "/impression.do/?event=" match has no http_uri
# modifier, while sid 33553 uses the same string with http_uri; confirm the
# raw-payload match is intended before enabling.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.iBryte variant outbound connection"; flow:to_server,established; content:"/impression.do/?event="; fast_pattern:only; content:"User-Agent: download manager"; http_header; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4799117bbb82df3bee7babb09dca80c3d77899046f89660e25567c3fd18b8092/analysis/; classtype:trojan-activity; sid:33280; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Gamevance variant outbound connection"; flow:to_server,established; content:"/aj/"; fast_pattern; http_uri; content:".php?p="; distance:0; http_uri; content:!"Referer|3A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c626804d99195bb0c74e276c49ad48278c8f3723180323c767c60cc8c9f43f7d/analysis/; classtype:trojan-activity; sid:33304; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OptimizerPro variant outbound connection"; flow:to_server,established; content:"/op?sid="; http_uri; content:"&dt="; distance:0; http_uri; content:"&gid="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b0d4c2769dd0841b95b4bbd9f0cc8e36f8aaaf5fbba056a429b402903bc50740/analysis/; classtype:trojan-activity; sid:33311; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MediaBuzz malvertising browser redirect attempt"; flow:to_server,established; content:"/sync"; depth:5; http_uri; content:"/?q=hfZ"; within:8; http_uri; metadata:service http; reference:url,blogs.cisco.com/security/talos/bad-browser-plug-ins; classtype:misc-activity; sid:33532; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MediaBuzz malvertising browser redirect attempt"; flow:to_server,established; content:"/amz/a"; depth:6; http_uri; content:".js"; distance:0; http_uri; pcre:"/^\/amz\/a[a-zA-Z0-9]+?\.js$/U"; metadata:service http; reference:url,blogs.cisco.com/security/talos/bad-browser-plug-ins; classtype:misc-activity; sid:33531; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.InstallMonster variant outbound connection"; flow:to_server,established; urilen:4,norm; content:"POST"; http_method; content:"/api"; http_uri; content:"Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; fast_pattern:only; http_header; content:!"Referer|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3069db86885e209e72f4df275dbe34d3ba893ca1a490f121067bfde8d4ec46f9/analysis/; classtype:trojan-activity; sid:33483; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.DownloadGuide variant outbound connection"; flow:to_server,established; content:"/1/dg/3"; fast_pattern:only; http_uri; content:"|22|BuildId|22 3A|"; http_client_body; content:"|22|ProductShown|22|"; http_client_body; content:"|22|TrackBackUrl|22|"; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/0a6335e90bb9e3b5c9551c867b04e71e315734eff2a74d3b37c90c460c5df761/analysis/; classtype:trojan-activity; sid:33480; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.iBryte variant outbound connection"; flow:to_server,established; urilen:>55; content:"/impression.do/?event="; fast_pattern:only; http_uri; content:"&user_id="; nocase; http_uri; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4799117bbb82df3bee7babb09dca80c3d77899046f89660e25567c3fd18b8092/analysis/; classtype:trojan-activity; sid:33553; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperFish adware outbound connection attempt"; flow:to_server,established; content:"/set.php?ID="; fast_pattern:only; http_uri; content:"&Action=1"; http_uri; metadata:service http; reference:url,www.us-cert.gov/ncas/alerts/TA15-051A; classtype:policy-violation; sid:33580; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperFish adware outbound connection attempt"; flow:to_server,established; content:"/set.php?ID="; fast_pattern:only; http_uri; content:"&Action=3"; http_uri; metadata:service http; reference:url,www.us-cert.gov/ncas/alerts/TA15-051A; classtype:policy-violation; sid:33645; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection"; flow:to_server,established; content:"/ping.ashx?action="; fast_pattern:only; http_uri; content:"&usid="; http_uri; content:"&aff="; distance:0; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity; sid:33816; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection"; flow:to_server,established; content:"/install.ashx?id="; fast_pattern:only; http_uri; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity; sid:33815; rev:1;)
# sids 33835/33834/33833 key on unusual User-Agent suffixes and carry no
# reference; the within:150 bound keeps the second match inside the UA header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:" in my heart of heart.|0D 0A|"; within:150; fast_pattern; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:33835; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:" Pi/3.1415926|0D 0A|"; within:150; fast_pattern; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:33834; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla"; http_header; content:" Loader|0D 0A|"; within:150; fast_pattern; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:33833; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vitruvian outbound connection"; flow:to_server,established; content:"/inst?"; http_uri; content:"sid="; http_uri; content:"&st="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest."; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34127; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vitruvian outbound connection"; flow:to_server,established; content:"/inst?"; http_uri; content:"hid="; http_uri; content:"&sid="; distance:0; http_uri; content:"&tr="; distance:0; http_uri; content:"&a="; distance:0; http_uri; content:"&adm="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest."; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34126; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent Vitruvian"; flow:to_server,established; content:"User-Agent|3A 20|Vitruvian"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34125; rev:1;)
# InstallMetrix (sids 34122-34119): each rule covers one stage of the same
# installer; the negated header matches (Connection, Accept) narrow to the
# installer's minimal request, not a browser's.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix reporting fetch offers stage status"; flow:to_server,established; content:"/report.php?"; http_uri; content:"download_id="; distance:0; http_uri; content:"&mode="; distance:0; http_uri; content:"&combo_id="; distance:0; http_uri; content:"&os_name="; distance:0; http_uri; content:"&os_add="; distance:0; http_uri; content:"&os_build="; distance:0; http_uri; content:"&proj_id="; distance:0; http_uri; content:"&offer_id="; distance:0; http_uri; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34122; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix reporting binary installation stage status"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|event_type|22|"; offset:1; http_client_body; content:"|22|environment|22|"; distance:0; http_client_body; content:"|22|machine_ID|22|"; distance:0; http_client_body; content:"|22|result|22|"; distance:0; http_client_body; content:"|22|failure_reason|22|"; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34121; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix fetch offers stage outbound connection"; flow:to_server,established; content:"/installer_gate_client.php?"; fast_pattern:only; http_uri; content:"download_id="; http_uri; content:"&mode=getcombo"; distance:0; http_uri; content:"&offers="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34120; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix precheck stage outbound connection"; flow:to_server,established; content:"/installer_gate_client.php?"; fast_pattern:only; http_uri; content:"download_id="; http_uri; content:"&mode=prechecking"; distance:0; http_uri; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34119; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer geolocation request"; flow:to_server,established; content:"/ip/?client=sp"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34146; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer encrypted data transmission"; flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|encryptedKey|22|"; depth:20; offset:1; http_client_body; content:"|22|encryptedData|22|"; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34145; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer installation status"; flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|event_type|22|"; depth:15; offset:1; http_client_body; content:"|22|installation_session_id|22|"; within:100; http_client_body; content:"|22|environment|22|"; distance:0; http_client_body; content:"|22|command_line|22|"; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34144; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SearchProtect user-agent detection"; flow:to_server,established; content:"User-Agent|3A 20|SearchProtect|3B|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/cbddccb934d302497ac60f924088034a1852c378cc51df20c2e53b401ffc4651/analysis/; classtype:misc-activity; sid:34137; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Eorezo get advertisement"; flow:to_server,established; content:"/cgi-bin/advert/getads.cgi?"; http_uri; content:"did="; distance:0; http_uri; content:"User-Agent|3A 20|mpck_"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a31d47e5d6885c32cad2fb5799033982e7f9d070ed350cd2025dd8594d067651/analysis/1426449407/; classtype:misc-activity; sid:34237; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Eorezo outbound connection"; flow:to_server,established; urilen:30<>65; content:"/atJs/v"; fast_pattern; http_uri; content:"/Client/"; within:8; distance:1; http_uri; content:!"Accept"; http_header; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a31d47e5d6885c32cad2fb5799033982e7f9d070ed350cd2025dd8594d067651/analysis/1426449407/; classtype:misc-activity; sid:34236; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE PullUpdate installer outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest."; fast_pattern:only; http_header; content:"/advert/"; nocase; http_uri; content:"x_mode="; distance:0; nocase; http_uri; content:"x_format="; distance:0; nocase; http_uri; content:"x_dp_id="; distance:0; nocase; http_uri; content:"x_pub_id="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/0ea62d52d9206b4eac4e713064afea8db5354441c669e9418d16753a93376b7f/analysis/; classtype:misc-activity; sid:34927; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Sendori user-agent detection"; flow:to_server,established; content:"User-Agent|3A 20|Sendori-Client-Win32"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/26ee215c531b6c50d28ef9b9a48db05b08139e460b997167de1813484beb7a9e/analysis/; classtype:misc-activity; sid:34964; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE DealPly Adware variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/?pcrc="; depth:7; fast_pattern; http_uri; content:"&v="; http_uri; content:!"Referer|3A 20|"; http_header; pcre:"/^\/\?pcrc=\d+&v=[\d\.]{3}$/U"; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/88ca52405945ff5e7bf3ab21bfc8be9e9518d4a2a2e08f0fc666092ef838af85/analysis/; classtype:misc-activity; sid:36825; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Genieo Adware framework User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/5.0 (compatible|3B| Genieo"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/30f42d7f42cfdecef88f35f6e7a95e558120de4fc8dc0e1d09018abdb7263310/analysis/; classtype:trojan-activity; sid:37621; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Genieo Adware framework variant outbound connection"; flow:to_server,established; content:"/track?uid="; fast_pattern:only; http_uri; content:"&partner="; depth:75; offset:11; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/30f42d7f42cfdecef88f35f6e7a95e558120de4fc8dc0e1d09018abdb7263310/analysis/; classtype:trojan-activity; sid:37620; rev:1;)
# sid 37642 pins the whole URI with an anchored pcre (/U) on top of the content
# matches, so the short "/?v=" and "&pcrc=" tokens cannot match inside a longer
# query string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Dealply outbound POST attempt"; flow:to_server,established; content:"POST"; http_method; content:"/?v="; depth:4; fast_pattern; http_uri; content:"&pcrc="; http_uri; content:!"Referer|3A 20|"; http_header; content:!"Accept-"; http_header; pcre:"/^\/\?v=[\d.]+&pcrc=\d+$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fdb0a6182a3fd6cc96a3b5aea946bd22c6e73e8b264200ef6f78d4bfb4fa5e3c/analysis/1454336512/; classtype:misc-activity; sid:37642; rev:2;)
# NOTE(review): OpenSoftwareUpdater (sids 38953/38952/38951) ship enabled and
# drop in both policies. In each, one match ("quant=", "f=", "CODE=") carries
# no http_* modifier, unlike its siblings; confirm raw-payload matching is
# intended. The remaining URI tokens ("f=", "h=", "size=", "UID=", "action=")
# are short and generic, so the path prefix is the only real discriminator.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; content:"/info.php?"; http_uri; content:"quant="; fast_pattern:only; content:"f="; http_uri; content:"h="; http_uri; content:"size="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38953; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; content:"/optin.php?"; fast_pattern:only; http_uri; content:"f="; content:"quant="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38952; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; content:"/installer.php?"; http_uri; content:"CODE="; fast_pattern:only; content:"UID="; http_uri; content:"action="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38951; rev:1;)
# NOTE(review): sid 39443 is five short query-key matches with no path anchor
# and no fast_pattern; expect a high false-positive rate if it is enabled as-is.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt"; flow:to_server,established; content:"source="; http_uri; content:"uid="; http_uri; content:"uc="; http_uri; content:"ap="; http_uri; content:"i_id="; http_uri; metadata:service http; reference:url,virustotal.com/en/file/7a6c52c189e19f6888465cdddb8a6efdda2c5fdfa0648c65e50626843c745e6f/analysis/1467389266/; classtype:misc-activity; sid:39443; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Antivirus Container.exe referral link attempt"; flow:to_server,established; content:"click-7147843-"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/7f895ed556eda3186b3632c34e7e26302eada5bdc83fe3aba80942fe089cd7e8/analysis/1468260333/; classtype:misc-activity; sid:39587; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Antivirus Container.exe referral link attempt"; flow:to_server,established; content:"image-7147843-"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/7f895ed556eda3186b3632c34e7e26302eada5bdc83fe3aba80942fe089cd7e8/analysis/1468260333/; classtype:misc-activity; sid:39586; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Mizenota outbound connection"; flow:to_server,established; content:"Net1.1="; depth:7; http_client_body; content:"&Net2="; distance:0; http_client_body; content:"&OSversion="; distance:0; http_client_body; content:"browser="; distance:0; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/0B4275FA994A3DD8A534705910EAAF672B4C9D899A5942136BFCD4D11D26C77A/analysis/; classtype:trojan-activity; sid:39633; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.EoRezo outbound ad download attempt"; flow:to_server,established; content:"/cgi-bin/advert/getads?did="; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/a8901a8e2523fdb4c08fb71c0cefe0069532ae9a73209ec732f11724b263bad4/analysis/1469031009/; classtype:trojan-activity; sid:39682; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.StartPage variant outbound connection"; flow:to_server,established; content:"/Userclass"; fast_pattern:only; http_uri; urilen:10; content:!"User-Agent:"; nocase; http_header; content:!"Referer:"; nocase; http_header; content:!"Accept"; nocase; http_header; metadata:service http; reference:url,virustotal.com/en/file/cd1770d4789eb7ec603a25262ab4f70579c881a01e499bcf6ca46738b1926b71/analysis/1469030157/; classtype:misc-activity; sid:39741; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Dowadmin.Adware outbound connection detected"; flow:to_server,established; content:"/install"; fast_pattern:only; http_uri; content:"bc="; nocase; http_uri; content:"brand="; nocase; http_uri; content:"osName="; nocase; http_uri; content:"browserName="; nocase; http_uri; content:"productKey="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/07D874DB9DE82C1F67D8C83413653304883A72BB82B5F2A16E266F6E99C7D3A2/analysis/; classtype:trojan-activity; sid:39787; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Dowadmin.Adware outbound connection detected"; flow:to_server,established; content:"/products/BM2/"; fast_pattern:only; http_uri; content:".mht"; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/07D874DB9DE82C1F67D8C83413653304883A72BB82B5F2A16E266F6E99C7D3A2/analysis/; classtype:trojan-activity; sid:39786; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab outbound connection detected"; flow:to_server,established; content:"/api/offer-status"; fast_pattern:only; http_uri; content:"offer_id="; nocase; http_client_body; content:"offer_status="; nocase; http_client_body; content:"uuid="; nocase; http_client_body; content:"user_hash="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:39902; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab outbound connection detected"; flow:to_server,established; content:"/index.php/api/updater-status"; fast_pattern:only; http_uri; content:"uuid="; nocase; http_client_body; content:"nuuid="; nocase; http_client_body; content:"version="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:39901; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab outbound connection detected"; flow:to_server,established; content:"/api/install-status"; fast_pattern:only; http_uri; content:"uuid="; nocase; http_client_body; content:"user_os="; nocase; http_client_body; content:"nuuid="; nocase; http_client_body; content:"user_hash="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:39900; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab outbound connection detected"; flow:to_server,established; content:"/api/get-configs"; fast_pattern:only; http_uri; content:"uuid="; nocase; http_client_body; content:"user_os="; nocase; http_client_body; content:"proc="; nocase; http_client_body; content:"nuuid="; nocase; http_client_body; content:"user_hash="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:39899; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Dorv Adware variant outbound connection"; flow:to_server,established; content:"/ToDownload/"; fast_pattern:only; http_uri; content:"v="; nocase; http_uri; content:"c="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/30C16AA86B92548C125D3ECD9853553F559DDCEF21E62927C88C4BE05175C3EE/analysis/; classtype:trojan-activity; sid:39888; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Google Chrome Google Contacts extension adware"; flow:established,to_server; content:"page?url="; fast_pattern; http_uri; content:"user"; http_uri; content:"iframe="; http_uri; content:!"Referer|3A|"; http_header; metadata:service http; reference:url,virustotal.com/en/file/8f43f60ffd98b58bae5d5d9c7aeb39c919ec38abaeebd70406304a3cb5cd0196/analysis/1472668142/; classtype:trojan-activity; sid:40037; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.EoRezo outbound connection"; flow:to_server,established; content:"/cgi-bin/advert/settags?x_mode="; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/5ba07b1d512f166392bc4b20c5ce27d3f3b6a816e2382b16ad472f105cc61c50/analysis/1473341832/; classtype:misc-activity; sid:40211; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.SupTab external connection attempt"; flow:to_server,established; content:"/v4/"; depth:4; http_uri; content:"?action"; distance:0; http_uri; content:"&update"; distance:0; http_uri; content:","; within:20; http_uri; metadata:service http; reference:url,virustotal.com/en/file/2b6c33611cd7e9533fda4c07d2368717b83f77ee6c2222c2d1430f6f930d9b43/analysis/; classtype:misc-activity; sid:40305; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Downloader.OpenCandy variant outbound connection"; flow:to_server,established; content:"/ie-error.gif"; fast_pattern:only; http_uri; content:"action="; nocase; http_uri; content:"installtime="; nocase; http_uri; content:"os="; nocase; http_uri; content:"browserver="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/0a17096248c88195941c1680d3e2f396ed4434dc23aa5a6e598b4b0949031884/analysis/; classtype:misc-activity; sid:40457; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.DownloadManager outbound connection"; flow:to_server,established; urilen:16; content:"/taveara?q=setup"; fast_pattern:only; http_uri; metadata:service http; reference:url,virustotal.com/en/file/25ad7de5e24d03faca9f242976a04141a0a906215868311bfbfdca851bbce6fc/analysis/; classtype:misc-activity; sid:40492; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt"; flow:to_server,established; content:"stats/getMlOffer"; fast_pattern:only; http_uri; content:"nk="; nocase; http_client_body; content:"data="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/672bac1a0dbd10b6904bf2801a3bc329588fddee4b8ed81fffa8aacb5d15efbd/analysis/; classtype:misc-activity; sid:40532; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt"; flow:to_server,established; content:"/stats/initDebug"; fast_pattern:only; http_uri; content:"nk="; nocase; http_client_body; content:"data="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/672bac1a0dbd10b6904bf2801a3bc329588fddee4b8ed81fffa8aacb5d15efbd/analysis/; classtype:misc-activity; sid:40531; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt"; flow:to_server,established; content:"/stats/initialize"; fast_pattern:only; http_uri; content:"nk="; nocase; http_client_body; content:"data="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/672bac1a0dbd10b6904bf2801a3bc329588fddee4b8ed81fffa8aacb5d15efbd/analysis/; classtype:misc-activity; sid:40530; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt"; flow:to_server,established; content:"/stats/startDebug"; fast_pattern:only; http_uri; content:"|22|ui_loaded|22|:"; nocase; http_client_body; content:"|22|is_admin|22|:"; nocase; http_client_body; content:"|22|session_id|22|:"; nocase; http_client_body; content:"|22|js_enabled|22|:"; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/672bac1a0dbd10b6904bf2801a3bc329588fddee4b8ed81fffa8aacb5d15efbd/analysis/; classtype:misc-activity; sid:40529; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt"; flow:to_server,established; content:"/ping2.asp"; fast_pattern:only; http_uri; content:"uid="; http_uri; content:"tuid="; http_uri; content:"sref="; http_uri; content:"gid="; http_uri; content:"bundles="; http_uri; content:"fmrp="; http_uri; content:"avdt="; http_uri; content:"grid="; http_uri; content:"tba="; http_uri; content:"yodt="; http_uri; content:"cnt="; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/1168499c5d2b5cb7762cd8ec5ab8899bb9b0993459a2fe0540b1f638271bbddb/analysis/1476294711/; classtype:trojan-activity; sid:40595; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt"; flow:to_server,established; content:"/country.asp"; fast_pattern:only; http_uri; content:"st="; http_uri; content:"uid="; http_uri; content:"tuid="; http_uri; content:"sref="; http_uri; content:"vmdt="; http_uri; content:"bld="; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/1168499c5d2b5cb7762cd8ec5ab8899bb9b0993459a2fe0540b1f638271bbddb/analysis/1476294711/; classtype:trojan-activity; sid:40594; rev:1;)
# NOTE(review): sid 40593's reference is an intelligence/search URL rather than
# the /en/file/<sha256>/analysis/ form used by its two siblings above.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt"; flow:to_server,established; content:"/ping.php?"; fast_pattern:only; http_uri; content:"partner="; http_uri; content:"product="; http_uri; content:"build="; http_uri; metadata:service http; reference:url,www.virustotal.com/intelligence/search/?query=1168499c5d2b5cb7762cd8ec5ab8899bb9b0993459a2fe0540b1f638271bbddb; classtype:trojan-activity; sid:40593; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Trojan.Miuref variant outbound connection"; flow:to_server,established; content:"pid="; nocase; http_uri; content:"tid="; nocase; http_uri; content:"status="; nocase; http_uri; content:"subid="; fast_pattern:only; http_uri; content:"v="; nocase; http_uri; metadata:policy security-ips drop, service http; reference:url,virustotal.com/en/file/fb0db4bcf2ea296937f9eb2dbbd3fa433b3200703a6b74336c3a99f15bf4d406/analysis/; classtype:misc-activity; sid:40772; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MindSpark framework installer attempt"; flow:to_server,established; content:"User-Agent|3A 20|Mindspark MIP "; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9f2cc1688bee96849ced91ade04d4d51e6fd18fa47ab1dc2c12a029aa672f7ce/analysis/; classtype:trojan-activity; sid:40827; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Sokuxuan outbound connection attempt"; flow:to_server,established; content:"/UpgSvr/"; fast_pattern:only; http_uri; content:".xml"; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:trojan-activity; sid:40839; rev:1;)
# NOTE(review): sid 41664's only content match has no http_* buffer modifier,
# so it is not confined to the URI; confirm before enabling.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Xiazai variant outbound connection"; flow:to_server,established; content:"/xml/LinkConfig"; fast_pattern:only; metadata:service http; reference:url,www.virustotal.com/en/file/E9FFDB0EA3D9CD388C39330065E2E368231E633EADA0AD358BCB3B5D598ED180/analysis/; classtype:misc-activity; sid:41664; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Hotbar variant outbound connection"; flow:to_server,established; content:"/InstallUI/AppBundlerIndirect_FMF/222/index.htm"; fast_pattern:only; http_uri; content:"rnd="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/a470b81dfa1dc57bdccc293ec4a61b08c16d561bbc8686700ff9d7c1964212ca/analysis/; classtype:misc-activity; sid:43219; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Hotbar variant outbound connection"; flow:to_server,established; 
content:"/trackedevent.aspx"; fast_pattern:only; http_uri; content:"rnd="; nocase; http_uri; content:"ver="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/a470b81dfa1dc57bdccc293ec4a61b08c16d561bbc8686700ff9d7c1964212ca/analysis/; classtype:misc-activity; sid:43218; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE DealPly Adware variant outbound connection"; flow:to_server,established; content:"|00 08 DC 33 45 AB 51 29 5F 6C 14 79 12 D7 0F 4B|"; fast_pattern:only; http_client_body; content:"Accept|3A| */*"; http_header; content:"Cache-Control|3A| no-cache|0D 0A 0D 0A|"; http_header; content:!"Referer|3A|"; http_header; metadata:service http; reference:url,virustotal.com/#/file/1c77a8af5a93f14172518a130b1c00cdf0abecb546594edbcae80564124060d0/detection; classtype:misc-activity; sid:44358; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected"; flow:to_server,established; content:"/index.php/api/heartbeat"; fast_pattern:only; http_uri; content:"user_os="; nocase; http_client_body; content:"hdd_serial="; nocase; http_client_body; content:"win_uuid="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:44395; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected"; flow:to_server,established; content:"/index.php/api/update"; fast_pattern:only; http_uri; content:"uuid="; nocase; http_client_body; content:"version="; nocase; http_client_body; content:"channel="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:44394; rev:1;) # alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OutBrowse variant outbound connection detected"; flow:to_server,established; content:"/Installer/Flow"; fast_pattern:only; http_uri; content:"campaignid="; nocase; http_uri; content:"macaddress="; nocase; http_uri; content:"machineguid="; nocase; http_uri; content:"downloadip="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/F4BAD73F372654826AF7042072C6D3F2DA3C52C42756A7CA5667817B83656303 /analysis/; classtype:misc-activity; sid:44476; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Clover outbound connection"; flow:to_server,established; content:"/install/clover/"; fast_pattern:only; http_uri; content:".dat"; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/ca94b5ba198febac27f3212104110e4f23468f84e9a51664705187be2a1c85f8/analysis/; classtype:misc-activity; sid:44691; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected"; flow:to_server,established; urilen:>1000; content:"/click?h="; fast_pattern:only; http_uri; content:"subid="; http_uri; content:"data_fb="; http_uri; content:"data_rtt="; http_uri; content:"data_proto="; http_uri; content:"data_ic="; http_uri; content:"data_ss="; http_uri; metadata:policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:45398; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected"; flow:to_server,established; content:"/report/?application="; fast_pattern:only; http_uri; content:"guid="; http_uri; content:"details="; http_uri; content:"action="; http_uri; metadata:policy security-ips drop, ruleset community, service http; 
reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:45397; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Mughthesec outbound connection attempt"; flow:to_server,established; content:"/screens/"; fast_pattern; http_uri; content:"/"; within:1; distance:8; http_uri; content:"=="; within:2; distance:6; http_uri; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x20.html; classtype:trojan-activity; sid:45545; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Slimware Utilities variant outbound connection"; flow:to_server,established; urilen:>200; content:"/ulc.php?ev="; nocase; http_uri; content:"User-Agent: SLIMHTTP/1.1"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4074d4ba6c319a407539a5e1cb5d0461c6c266636c5099ad49e1042aab91574f/analysis/; classtype:trojan-activity; sid:46486; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Pua.Softonic installer variant outbound connection"; flow:to_server,established; content:"/universaldownloader-prefetch"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/d1e6f7651d6dff96c8c7aa15d68b370fe44384d5fd364f94de62c5e7bf7aab1f/detection; classtype:trojan-activity; sid:46874; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OneSystemCare download attempt"; flow:to_server,established; content:"/331003290/OneSystemCare.exe"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; 
reference:url,www.virustotal.com/#/file/536148b202ddf00bf76f28bea53399ac16764de8628c71209ea22f5aa31a9681; classtype:trojan-activity; sid:48078; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Wajam variant outbound connection"; flow:to_server,established; content:"/addon/mapping"; fast_pattern:only; http_uri; content:"os_mj="; http_uri; content:"os_bitness="; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/155c30dc0cf262a5222e443f79c26c37ba05035e3a304048f492b10a89fbba61; classtype:trojan-activity; sid:48077; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Wajam variant outbound connection"; flow:to_server,established; content:"Log?"; fast_pattern:only; http_uri; content:"unique_id="; http_uri; content:"affiliate_id="; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/155c30dc0cf262a5222e443f79c26c37ba05035e3a304048f492b10a89fbba61; classtype:trojan-activity; sid:48076; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Magic Downloader BHO variant outbound connection"; flow:to_server,established; content:"/reg_install.php?"; fast_pattern:only; http_uri; content:"param="; nocase; http_uri; content:"aid="; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/32f7e804e233ffea61382a461d50f02d6f3e20a008d099add588b48c99d7cdb3/detection; classtype:trojan-activity; sid:47536; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Magic Downloader BHO variant outbound connection"; flow:to_server,established; content:"/reg_accept.php?"; fast_pattern:only; http_uri; content:"param="; nocase; http_uri; content:"aid="; nocase; http_uri; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/32f7e804e233ffea61382a461d50f02d6f3e20a008d099add588b48c99d7cdb3/detection; classtype:trojan-activity; sid:47535; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Slimware Utilities variant outbound connection"; flow:to_server,established; content:"/installer/init_v"; fast_pattern:only; http_uri; content:"attributes"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4074d4ba6c319a407539a5e1cb5d0461c6c266636c5099ad49e1042aab91574f/analysis/; classtype:trojan-activity; sid:47418; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Slimware Utilities variant outbound connection"; flow:to_server,established; content:"/api/flow/action"; fast_pattern:only; http_uri; content:"session_id="; nocase; http_client_body; content:"action"; nocase; http_client_body; content:"attributes"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4074d4ba6c319a407539a5e1cb5d0461c6c266636c5099ad49e1042aab91574f/analysis/; classtype:trojan-activity; sid:47417; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; content:"/installended"; fast_pattern:only; http_uri; content:"de="; nocase; http_uri; content:"_v="; nocase; http_uri; content:"_s="; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47095; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; 
content:"/collect.php"; fast_pattern:only; http_uri; content:"pid="; http_uri; content:"cid="; http_uri; content:"sid="; http_uri; content:"act="; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47094; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; content:"/installstarted"; fast_pattern:only; http_uri; content:"de="; nocase; http_uri; content:"_v="; nocase; http_uri; content:"_s="; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47093; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected"; flow:to_server,established; content:"User-Agent: macsearch/1 CFNetwork/"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/f54bb130f750f77546aebf690ba4b89f0ddb3c27a5e297383d0a30bcaa5f9cb4; classtype:trojan-activity; sid:49044; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected"; flow:to_server,established; content:"User-Agent: LinqurySearch"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/850b4f620e874ed6117c7e1d15dd1c502d7e38cd4dd872753d502f39e3a5c8d8; classtype:trojan-activity; sid:49043; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected"; flow:to_server,established; content:"User-Agent: 
SpellingChecker/22"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/a9a7a1c48cd1232249336749f4252c845ce68fd9e7da85b6da6ccbcdc21bcf66; classtype:trojan-activity; sid:49042; rev:1;)