GROUP_NAME=SPYWARE
GROUP_DESCRIPTION=This group contains Dragon signatures for various known spyware / malware websites and tools.
# $Id: SPYWARE.lib,v 1.12 2005/12/29 15:22:34 jsmith Exp $

NAME=SPY:SITE-180SEARCHASST
SIGNATURE=T D A S 10 300 W SPY:SITE-180SEARCHASST /0d/0ahost/3a/20www/2e180searchassistant/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to www.180searchassistant.com.
URL=http://www.google.com/search?q=%22www.180searchassistant.com%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-ADBEHAVIOR
SIGNATURE=T D A S 10 300 W SPY:SITE-ADBEHAVIOR /0d/0ahost/3a/20 , ad/2dbehavior/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to a host in the ad-behavior.com domain.
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-AIDINTIME
SIGNATURE=T D A S 10 300 W SPY:SITE-AIDINTIME /0d/0ahost/3a/20 , aidintime/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to a host in the aidintime.com domain.
URL=http://www.google.com/search?q=%22aidintime.com%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-BLAZEFIND
SIGNATURE=T D A S 10 300 W SPY:SITE-BLAZEFIND /0d/0ahost/3a/20www/2eblazefind/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to www.blazefind.com.
URL=http://www.google.com/search?q=%22www.blazefind.com%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-BUNDLEWARE
SIGNATURE=T D A S 10 300 W SPY:SITE-BUNDLEWARE /0d/0ahost/3a/20www/2ebundleware/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to www.bundleware.com.
URL=http://www.google.com/search?q=%22www.bundleware.com%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-CLKOPTIMIZER
SIGNATURE=T D A S 10 300 W SPY:SITE-CLKOPTIMIZER /0d/0ahost/3a/20 , clkoptimizer/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to a host in the clkoptimizer.com domain.
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-DLFNPRJ-CNTNT
SIGNATURE=T D A S 10 300 W SPY:SITE-DLFNPRJ-CNTNT /0d/0ahost/3a/20content/2edelfinproject/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to content.delfinproject.com.
URL=http://www.google.com/search?q=%22content.delfinproject.com%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-ELTEMDAGRP-BINS
SIGNATURE=T D A S 10 300 W SPY:SITE-ELTEMDAGRP-BINS /0d/0ahost/3a/20bins/2eelitemediagroup/2enet/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to bins.elitemediagroup.net.
URL=http://www.google.com/search?q=%22elitemediagroup.net%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-ELTEMDAGRP-CABS
SIGNATURE=T D A S 10 300 W SPY:SITE-ELTEMDAGRP-CABS /0d/0ahost/3a/20cabs/2eelitemediagroup/2enet/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to cabs.elitemediagroup.net.
URL=http://www.google.com/search?q=%22elitemediagroup.net%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-EZULA-COM
SIGNATURE=T D A S 10 300 W SPY:SITE-EZULA-COM /0d/0ahost/3a/20app/2eezula/2ecom/0d/0a
DESCRIPTION=The eZula TopText spyware searches the Windows Registry, as well as web searches performed by the user, for specific keywords that it downloads from the app.ezula.com website. This signature detects any web request sent to app.ezula.com.
URL=http://www.google.com/search?q=%22app.ezula.com%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-LOWESTAPR-COM
SIGNATURE=T D A S 10 300 W SPY:SITE-LOWESTAPR-COM /0d/0ahost/3a/20lowestapr/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to lowestapr.com.
URL=http://www.google.com/search?q=%22lowestapr.com%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-LOWESTAPR-NET
SIGNATURE=T D A S 10 300 W SPY:SITE-LOWESTAPR-NET /0d/0ahost/3a/20lowestapr/2enet/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to lowestapr.net.
URL=http://www.google.com/search?q=%22lowestapr.net%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-MRKTSCR-CNTNT
SIGNATURE=T D A S 10 300 W SPY:SITE-MRKTSCR-CNTNT /0d/0ahost/3a/20oss-content/2emarketscore/2ecom/0d/0a
DESCRIPTION=The Marketscore spyware gathers information about web browsing activity, sensitive data submitted to any web form, session cookies, etc., and phones home to upload it. This signature triggers on web requests to the host oss-content.marketscore.com, to which the spyware uploads its harvested data.
URL=http://www.cit.cornell.edu/computer/security/marketscore/technical.html
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-MRKTSCR-PROX
SIGNATURE=T D A S 10 300 W SPY:SITE-MRKTSCR-PROX /0d/0ahost/3a/20proxycfg/2emarketscore/2ecom/0d/0a
DESCRIPTION=The Marketscore spyware gathers information about web browsing activity, sensitive data submitted to any web form, session cookies, etc., and phones home to upload it. This signature triggers on web requests to the host proxycfg.marketscore.com, from which the spyware downloads configuration data.
URL=http://www.cit.cornell.edu/computer/security/marketscore/technical.html
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-ODYSSEUSMKT
SIGNATURE=T D A S 10 300 W SPY:SITE-ODYSSEUSMKT /0d/0ahost/3a/20 , odysseusmarketing/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to a host in the odysseusmarketing.com domain.
URL=http://www.google.com/search?q=%22odysseusmarketing.com%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-ONLYGALS
SIGNATURE=T D A S 10 300 W SPY:SITE-ONLYGALS /0d/0ahost/3a/20onlygals/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to onlygals.com.
URL=http://www.google.com/search?q=%22onlygals.com%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-PACIMEDIA
SIGNATURE=T D A S 10 300 W SPY:SITE-PACIMEDIA /0d/0ahost/3a/20www/2epacimedia/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to www.pacimedia.com.
URL=http://www.google.com/search?q=%22www.pacimedia.com%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-QOOLAID
SIGNATURE=T D A S 10 300 W SPY:SITE-QOOLAID /0d/0ahost/3a/20 , qoolaid/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to a host in the qoolaid.com domain.
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-STATBLST
SIGNATURE=T D A S 10 300 W SPY:SITE-STATBLST /0d/0ahost/3a/20www/2estatblaster/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to www.statblaster.com.
URL=http://www.google.com/search?q=%22www.statblaster.com%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-WINDUPDATES
SIGNATURE=T D A S 10 300 W SPY:SITE-WINDUPDATES /0d/0ahost/3a/20public/2ewindupdates/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but some of it also opens IRC backdoors. This signature detects any web request sent to public.windupdates.com.
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-WRLDTRKR
SIGNATURE=T D A S 10 300 W SPY:SITE-WRLDTRKR /0d/0ahost/3a/20worldtracker/2ebiz/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but some of it also opens IRC backdoors. This signature detects any web request sent to worldtracker.biz.
URL=http://www.google.com/search?hl=en&lr=&sa=G&q=%22worldtracker.biz%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-W12BIZ
SIGNATURE=T D A S 10 300 W SPY:SITE-W12BIZ /0d/0ahost/3a/20w12/2ebiz/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but some of it also opens IRC backdoors. This signature detects any web request sent to w12.biz.
URL=http://www.google.com/search?hl=en&lr=&sa=G&q=%22w12.biz%22
MODIFIED=Y
DISABLED=N

NAME=SPY:SITE-YESADVERT
SIGNATURE=T D A S 10 300 W SPY:SITE-YESADVERT /0d/0ahost/3a/20 , yesadvertising/2ecom/0d/0a
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request sent to a host in the yesadvertising.com domain.
MODIFIED=Y
DISABLED=N

NAME=SPY:URL-CONTENTIDPOST
SIGNATURE=T D A S 10 300 W SPY:URL-CONTENTIDPOST post/20/2fscripts/2fcontentidpost/2edll
DESCRIPTION=The Marketscore spyware gathers information about web browsing activity, sensitive data submitted to any web form, session cookies, etc., and phones home to upload it. This signature triggers on the DLL to which the harvested data is POSTed.
URL=http://www.cit.cornell.edu/computer/security/marketscore/technical.html
MODIFIED=Y
DISABLED=N

NAME=SPY:URL-DARKACID
SIGNATURE=T D A S 10 300 W SPY:URL-DARKACID get/20/2fdarkacid/2eexe/20http/2f1/2e
DESCRIPTION=Backdoors have been found in the wild that send this hardcoded string when downloading malware from malicious sites. Most of this malware appears to be spyware, but it also includes IRC bots and other remote-control backdoors. This signature detects any web request for the file darkacid.exe (which is used by the staprew backdoor).
URL=http://www.google.com/search?q=%22staprew%22
MODIFIED=Y
DISABLED=N
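An added example, not part of the Dragon library above, showing how the escaped pattern strings in these entries decode and match against the bytes of an HTTP request. It assumes two things the file itself does not spell out: that /xx denotes a hex-escaped byte, and that a " , "-separated list means each substring must occur after the previous one (which is how the "any host in the domain" entries differ from the exact-host ones); case-insensitive matching and the sample requests are constructed for the demonstration.

```python
import re

# Three pattern strings copied from the library entries above.
SIGNATURES = {
    "SPY:SITE-BLAZEFIND": "/0d/0ahost/3a/20www/2eblazefind/2ecom/0d/0a",
    "SPY:SITE-ADBEHAVIOR": "/0d/0ahost/3a/20 , ad/2dbehavior/2ecom/0d/0a",
    "SPY:URL-CONTENTIDPOST": "post/20/2fscripts/2fcontentidpost/2edll",
}


def decode(pattern: str) -> list[bytes]:
    """Turn one Dragon pattern into an ordered list of raw byte strings.

    Assumption: "/xx" is a hex-escaped byte (a literal '/' is written /2f),
    and " , " separates substrings that must appear in that order.
    """
    parts = []
    for piece in pattern.split(" , "):
        raw = re.sub(rb"/([0-9a-fA-F]{2})",
                     lambda m: bytes.fromhex(m.group(1).decode()),
                     piece.encode("ascii"))
        parts.append(raw)
    return parts


def matches(pattern: str, payload: bytes) -> bool:
    """True if every decoded substring occurs, in order, in the payload."""
    hay = payload.lower()  # assumption: ASCII matching is case-insensitive
    pos = 0
    for part in decode(pattern):
        idx = hay.find(part.lower(), pos)
        if idx < 0:
            return False
        pos = idx + len(part)  # next substring must start after this one
    return True


def scan(payload: bytes) -> list[str]:
    """Names of all library entries that fire on this request."""
    return [name for name, pat in SIGNATURES.items() if matches(pat, payload)]


# Constructed HTTP requests (not captured traffic).
REQ_EXACT = b"GET /x.exe HTTP/1.1\r\nHost: www.blazefind.com\r\n\r\n"
REQ_SUBDOMAIN = b"GET /a HTTP/1.1\r\nHost: cdn.ad-behavior.com\r\n\r\n"
REQ_LOOKALIKE = b"GET /a HTTP/1.1\r\nHost: www.blazefind.com.example\r\n\r\n"
REQ_POST = b"POST /scripts/ContentIDPost.dll HTTP/1.1\r\nHost: x\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_EXACT, REQ_SUBDOMAIN, REQ_LOOKALIKE, REQ_POST):
        print(req.split(b"\r\n")[1].decode(), "->", scan(req))
```

The trailing /0d/0a in the host patterns is what stops www.blazefind.com.example from matching; a Host header that carries a port (www.blazefind.com:80) would likewise not match, which is worth keeping in mind when adding new entries.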