24 lines
726 B
Text
24 lines
726 B
Text
|
|
||
|
rule SVG_LoadURL {
|
||
|
meta:
|
||
|
description = "Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "http://goo.gl/psjCCc"
|
||
|
date = "2015-05-24"
|
||
|
hash1 = "ac8ef9df208f624be9c7e7804de55318"
|
||
|
hash2 = "3b9e67a38569ebe8202ac90ad60c52e0"
|
||
|
hash3 = "7e2be5cc785ef7711282cea8980b9fee"
|
||
|
hash4 = "4e2c6f6b3907ec882596024e55c2b58b"
|
||
|
score = 50
|
||
|
id = "c3d4c95f-ef8b-52ff-9cf9-d66d9b99a490"
|
||
|
strings:
|
||
|
$s1 = "</svg>" nocase
|
||
|
$s2 = "<script>" nocase
|
||
|
$s3 = "location.href='http" nocase
|
||
|
condition:
|
||
|
all of ($s*) and filesize < 600
|
||
|
}
|
||
|
|
||
|
|
||
|
|