Image Spam Signatures
user name
2006-09-12 19:39:18
Cam from the U of Texas Austin has given us permission to publish a couple of signatures he's worked up. Here's his initial discussion, and the sigs are below that we've committed.

--------

We've been using the following signature to identify the bloody image spams for the past month or so with decent success.. I can't seem to get our anti-spam vendor to adopt them, but feel free to see if they work for you..

/--------------------------------------------------------------------

# simpler, but potentially more false positives

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Image Spam Inbound (simple rule)"; \
    flow:established,to_server; \
    content:"Content-Transfer-Encoding|3A|"; \
    content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; \
    content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; \
    content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; \
    classtype:misc-activity; sid:2003096; rev:1;)

# same match, extended with more of the base64 color table (fewer false positives)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Image Spam Inbound (complex rule)"; \
    flow:established,to_server; \
    content:"Content-Transfer-Encoding|3A|"; \
    content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; \
    content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; \
    content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; \
    content:"QIAAQKAAQMAAQOAAQAAgQCAgQEAgQGAgQIAgQKAgQMAgQOAgQABAQCBAQEBAQGBAQIBAQKBA"; \
    content:"QMBAQOBAQABgQCBgQEBgQGBgQIBgQKBgQMBgQOBgQACAQCCAQECAQGCAQICAQKCAQMCAQOCA"; \
    content:"QACgQCCgQECgQGCgQICgQKCgQMCgQOCgQADAQCDAQEDAQGDAQIDAQKDAQMDAQODAQADgQCDg"; \
    content:"QEDgQGDgQIDgQKDgQMDgQODgQAAAgCAAgEAAgGAAgIAAgKAAgMAAgOAAgAAggCAggEAggGAg"; \
    content:"gIAggKAggMAggOAggABAgCBAgEBAgGBAgIBAgKBAgMBAgOBAgABggCBggEBggGBggIBggKBg"; \
    content:"gMBggOBggACAgCCAgECAgGCAgICAgKCAgMCAgOCAgACggCCggECggGCggICggKCggMCggOCg"; \
    content:"gADAgCDAgEDAgGDAgIDAgKDAgMDAgODAgADggCDggEDggGDggIDggKDggMDggODggAAAwCAA"; \
    content:"wEAAwGAAwIAAwKAAwMAAwOAAwAAgwCAgwEAgwGAgwIAgwKAgwMAgwOAgwABAwCBAwEBAwGBA"; \
    content:"wIBAwKBAwMBAwOBAwABgwCBgwEBgwGBgwIBgwKBgwMBgwOBgwACAwCCAwECAwGCAwICAwKCA"; \
    content:"wMCAwOCAwACgwCCgwECgwGCgwICgwKCgwMCgwOCgwADAwCDAwEDAwGDAwIDAwKDAwP/78KCg"; \
    classtype:misc-activity; sid:2003097; rev:1;)

/---------------------------------------------------------------------

This base64 appears to be common to all of the image spam I have run across recently (2.6M+ samples) and I am fairly certain that it represents the global color table of the GIFs. The image spams all use the same identical global color table, perhaps based on the tool used to convert the text to a GIF, etc?

It is surprising to me that the spammers haven't noticed this, since they've gone to the effort to put random pixels in the images to make them each unique and thus foil signature-based schemes. The anti-spam community may have already identified this but I wanted to propose it nonetheless... Perhaps this is known, but generates too many false positives? Or perhaps it is easily defeated?



-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs