SIGS: OneStartAI.PUA

A nasty PUA. 56b7183db8ba4cb6580415f8905ae2d29cf2d6fbe0e6bc1fc9521c43d4cf1eed | Triage

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET PUA W32/OneStartAI.PUA HTTP POST M1"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"/"; http_uri; depth:1; content:"{|22|action|22 3A 22|"; http_client_body; depth:11; content:"|22|background_mode|22 3A 22|"; http_client_body; distance:0; content:"|22|check_updates_on_startup|22 3A 22|"; http_client_body; distance:0; content:"|22|current_new_tab_url|22 3A 22|"; http_client_body; distance:0; content:"|22|is_user_admin|22 3A 22|"; http_client_body; distance:0; content:"|22|launch_browser_on_startup|22 3A 22|"; http_client_body; distance:0; content:"|22|launch_browser_on_wake|22 3A 22|"; http_client_body; distance:0; content:"|22|startup_reg|22 3A 22|"; http_client_body; distance:0; content:!"User-Agent|3A|"; http_header; classtype:trojan-activity; reference:md5,1d599092628613f06912ec455ca61f96; sid:120001; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET PUA W32/OneStartAI.PUA HTTP POST M2"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"/"; http_uri; depth:1; content:"{|22|action|22 3A 22|"; http_client_body; depth:11; content:"|22|iid|22 3A 22|"; http_client_body; distance:0; content:"|22|name|22 3A 22|"; http_client_body; distance:0; content:"|22|ver|22 3A 22|"; http_client_body; distance:0; content:"|22|wver|22 3A 22|"; http_client_body; distance:0; content:!"User-Agent|3A|"; http_header; classtype:trojan-activity; reference:md5,1d599092628613f06912ec455ca61f96; sid:120002; rev:1;)

Kind regards,
Kevin Ross

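To check what the two rules above actually require of a request before loading them into a sensor, here is an added example (not part of Kevin's post or of the ET ruleset) that re-states each rule's match chain in plain Python over raw HTTP request bytes: the POST method, the one-byte URI, the `{"action":"` body prefix pinned to offset 0 by `depth:11`, the `distance:0` chain that forces the JSON keys to appear in rule order with string values, and the negated `User-Agent` header. The sample requests, bodies, hostname and field values are constructed for the example and are not captured traffic.

```python
# Added example: offline emulation of the M1/M2 rule logic, not the ET rules
# themselves. All request bytes below are constructed, not captured traffic.

# Key order as written in each rule; every content match carries distance:0,
# so the keys must occur in this order, each as "<key>":" (string-valued).
M1_KEYS = (
    "background_mode", "check_updates_on_startup", "current_new_tab_url",
    "is_user_admin", "launch_browser_on_startup", "launch_browser_on_wake",
    "startup_reg",
)
M2_KEYS = ("iid", "name", "ver", "wver")

# content:"{|22|action|22 3A 22|"; http_client_body; depth:11  -> these 11 bytes
# must be the very start of the body.
BODY_PREFIX = b'{"action":"'

RULES = {120001: M1_KEYS, 120002: M2_KEYS}


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0] if parts else b""
    uri = parts[1] if len(parts) > 1 else b""
    return method, uri, lines[1:], body


def keys_in_order(body: bytes, keys, start: int) -> bool:
    """Emulate a chain of http_client_body content matches with distance:0:
    each "<key>":" pattern must begin at or after the end of the previous match."""
    pos = start
    for key in keys:
        needle = b'"' + key.encode() + b'":"'   # |22|key|22 3A 22|
        idx = body.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def has_user_agent(header_lines) -> bool:
    """content:!"User-Agent|3A|"; http_header (header names are case-insensitive)."""
    return any(line.lower().startswith(b"user-agent:") for line in header_lines)


def match_rule(raw: bytes, keys) -> bool:
    method, uri, headers, body = split_request(raw)
    if method != b"POST":                 # content:"POST"; http_method
        return False
    if uri != b"/":                       # urilen:1; content:"/"; http_uri; depth:1
        return False
    if not body.startswith(BODY_PREFIX):  # depth:11 anchors the prefix at offset 0
        return False
    if not keys_in_order(body, keys, len(BODY_PREFIX)):
        return False
    return not has_user_agent(headers)    # negated header match


def matching_sids(raw: bytes):
    """Return the sids whose rule fires on this request."""
    return [sid for sid, keys in RULES.items() if match_rule(raw, keys)]


def build_request(body: bytes, user_agent: bytes = b"", method: bytes = b"POST") -> bytes:
    """Assemble a raw request; the Host value is a constructed placeholder."""
    headers = [method + b" / HTTP/1.1", b"Host: example.test",
               b"Content-Type: application/json",
               b"Content-Length: " + str(len(body)).encode()]
    if user_agent:
        headers.append(b"User-Agent: " + user_agent)
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


# Constructed bodies in the shape the rules describe; values are placeholders.
M1_BODY = (b'{"action":"profile","background_mode":"1","check_updates_on_startup":"1",'
           b'"current_new_tab_url":"https://example.test/","is_user_admin":"0",'
           b'"launch_browser_on_startup":"1","launch_browser_on_wake":"0","startup_reg":"1"}')
M2_BODY = b'{"action":"version","iid":"0000","name":"OneStart","ver":"1.0.0","wver":"10.0"}'
# Same fields as M1 with startup_reg moved first: the distance:0 chain does not
# tolerate reordering, so M1 must not fire on this body.
M1_REORDERED = (b'{"action":"profile","startup_reg":"1","background_mode":"1",'
                b'"check_updates_on_startup":"1","current_new_tab_url":"https://example.test/",'
                b'"is_user_admin":"0","launch_browser_on_startup":"1","launch_browser_on_wake":"0"}')

SAMPLES = {
    "m1_no_ua": build_request(M1_BODY),
    "m2_no_ua": build_request(M2_BODY),
    "m1_with_ua": build_request(M1_BODY, user_agent=b"Mozilla/5.0"),
    "m1_reordered": build_request(M1_REORDERED),
    "m1_get": build_request(M1_BODY, method=b"GET"),
}


def run_samples():
    """Map each constructed sample to the list of sids that match it."""
    return {name: matching_sids(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name:13} -> {sids or 'no match'}")
```

Two things the emulation makes visible: the `|22 3A 22|` byte pattern only matches string-valued fields, so a build that sends `"is_user_admin":false` would slip past M1, and the `distance:0` chain is order-sensitive, so a reordered JSON serializer also evades. The emulation does not reproduce Suricata's HTTP normalization (chunked bodies, gzip, header handling), so the final check still belongs in Suricata against a pcap (`suricata -r sample.pcap -S rules.rules`) before relying on either signature.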

Hey @kevross33,

Thanks for the tip, we’ll get these in today’s release!

Have a great weekend!
Isaac

2059955 - ET ADWARE_PUP Onestart AI Host Profile Checkin (POST) (adware_pup.rules)
2059956 - ET ADWARE_PUP Onestart AI Program Version Checkin (POST) (adware_pup.rules)