# DNS spyware rules by Jack Pepper ( pepperjack@autoshun.org )
# Regenerated daily from the domains.txt file at David Glosser's Black Hole DNS project.
# The URL for the BHDNS project: http://www.malwaredomains.com/files/domains.txt
# The source URL for this file: http://www.autoshun.org/downloads/rbhdns.rules
#
# Tue Mar 9 02:12:18 CST 2010
#
# How each rule below is built:
#   - Header: alerts on UDP packets sent to $DNS_SERVERS port 53 from any host
#     that is not in $SMTP_SERVERS or $DNS_SERVERS.
#   - First content: a single byte equal to the label length named in msg
#     (e.g. |05| for a 5-character name).
#   - Second content: the TLD in DNS wire form (length byte, TLD text, |00| root
#     terminator), matched case-insensitively and bounded by "within" relative
#     to the first content match.
#   - pcre: case-insensitive alternation of the listed names for that length and
#     TLD; names that share a prefix are factored into nested groups.
#
# NOTE(review): the pcre has no anchors and no relative modifier, so a listed
#   name matches anywhere in the payload, including inside a longer label, and
#   the one-byte first content matches any byte of that value. Short lists such
#   as the 3- and 4-character rules are the most likely to alert on unrelated
#   lookups; binding the length byte, name and TLD into one pattern would be
#   tighter.
# NOTE(review): "within" is always label length + 3, while the TLD pattern is
#   4 to 6 bytes long (|02|xx|00| through |04|asia|00|). If the engine requires
#   the whole second pattern to fall inside that window, a plain lookup of a
#   listed name would not satisfy it - confirm with a test capture before
#   relying on these rules.
# NOTE(review): only UDP toward $DNS_SERVERS port 53 is inspected. Lookups sent
#   over TCP, to resolvers outside $DNS_SERVERS, or from the excluded server
#   groups produce no alert from this file.
# NOTE(review): the name list is a snapshot from the date above; check a hit
#   against current reputation data before acting on it.
#
# sid 2637227 includes 1 (0 - 1) 5 character domains in the ".ae" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ae)"; content:"|05|";content:"|02|ae|00|";nocase;within: 8;pcre: "/pinoy/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637227; rev:9;)
# sid 2637228 includes 1 (0 - 1) 10 character domains in the ".asia" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.asia)"; content:"|0a|";content:"|04|asia|00|";nocase;within: 13;pcre: "/34jh7alm94/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637228; rev:9;)
# sid 2637229 includes 1 (0 - 1) 4 character domains in the ".asia" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.asia)"; content:"|04|";content:"|04|asia|00|";nocase;within: 7;pcre: "/cxim/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637229; rev:9;)
# sid 2637230 includes 2 (0 - 2) 8 character domains in the ".asia" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.asia)"; content:"|08|";content:"|04|asia|00|";nocase;within: 11;pcre: "/(bonacoop|visatour)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637230; rev:9;)
# sid 2637231 includes 3 (0 - 3) 10 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.at)"; content:"|0a|";content:"|02|at|00|";nocase;within: 13;pcre: "/(gib-online|russkiytoy|hotelthier)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637231; rev:9;)
# sid 2637232 includes 1 (0 - 1) 11 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.at)"; content:"|0b|";content:"|02|at|00|";nocase;within: 14;pcre: "/dawnofmetal/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637232; rev:9;)
# sid 2637233 includes 4 (0 - 4) 13 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.at)"; content:"|0d|";content:"|02|at|00|";nocase;within: 16;pcre: "/(bestplaceapts|jukeboxjunkie|readysetcargo|fetzenflieger)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637233; rev:9;)
# sid 2637234 includes 2 (0 - 2) 14 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.at)"; content:"|0e|";content:"|02|at|00|";nocase;within: 17;pcre: "/(daysinparadise|usv-krakaudorf)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637234; rev:9;)
# sid 2637235 includes 2 (0 - 2) 19 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.at)"; content:"|13|";content:"|02|at|00|";nocase;within: 22;pcre: "/(maximilian-wachmann|spengler-dachdecker)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637235; rev:9;)
# sid 2637236 includes 1 (0 - 1) 20 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.at)"; content:"|14|";content:"|02|at|00|";nocase;within: 23;pcre: "/instrumentenschmiede/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637236; rev:9;)
# sid 2637237 includes 1 (0 - 1) 24 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.at)"; content:"|18|";content:"|02|at|00|";nocase;within: 27;pcre: "/gipfelsturm-scuba-diving/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637237; rev:9;)
# sid 2637238 includes 40 (0 - 40) 3 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.at)"; content:"|03|";content:"|02|at|00|";nocase;within: 6;pcre: "/(a(5(l|g|f|h|j|m)|3(h|l|q))|b(9g|3a|5(c|r)|6(l|t)|7(g|p))|c(1z|5(e|p|y)|e5|6(p|h)|8(b|t)|9(e|m|u)|7(h|r))|f(5(x|l)|6(e|p|y)|7(g|p|y)|8a))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637238; rev:9;)
# sid 2637239 includes 1 (0 - 1) 4 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.at)"; content:"|04|";content:"|02|at|00|";nocase;within: 7;pcre: "/iuyf/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637239; rev:9;)
# sid 2637240 includes 4 (0 - 4) 5 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.at)"; content:"|05|";content:"|02|at|00|";nocase;within: 8;pcre: "/(a(reps|-s-f)|bests|kirgo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637240; rev:9;)
# sid 2637241 includes 2 (0 - 2) 6 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.at)"; content:"|06|";content:"|02|at|00|";nocase;within: 9;pcre: "/(brunga|nutpic)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637241; rev:9;)
# sid 2637242 includes 2 (0 - 2) 8 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.at)"; content:"|08|";content:"|02|at|00|";nocase;within: 11;pcre: "/(ff-aigen|movehits)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637242; rev:9;)
# sid 2637243 includes 1 (0 - 1) 9 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.at)"; content:"|09|";content:"|02|at|00|";nocase;within: 12;pcre: "/feda-wien/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637243; rev:9;)
# sid 2637244 includes 6 (0 - 6) 10 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.be)"; content:"|0a|";content:"|02|be|00|";nocase;within: 13;pcre: "/(greenbuddy|indigoline|whiteflash|koenvanroy|msrvtpp10(1|2))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637244; rev:9;)
# sid 2637245 includes 2 (0 - 2) 11 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.be)"; content:"|0b|";content:"|02|be|00|";nocase;within: 14;pcre: "/(evaracollin|awardsmenen)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637245; rev:9;)
# sid 2637246 includes 3 (0 - 3) 12 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.be)"; content:"|0c|";content:"|02|be|00|";nocase;within: 15;pcre: "/(misterplasma|chance2dance|onderwijsnet)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637246; rev:9;)
# sid 2637247 includes 2 (0 - 2) 13 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.be)"; content:"|0d|";content:"|02|be|00|";nocase;within: 16;pcre: "/(vuurwerkessen|liesbethmilan)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637247; rev:9;)
# sid 2637248 includes 1 (0 - 1) 14 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.be)"; content:"|0e|";content:"|02|be|00|";nocase;within: 17;pcre: "/kljnoorderwijk/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637248; rev:9;)
# sid 2637249 includes 2 (0 - 2) 18 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.be)"; content:"|12|";content:"|02|be|00|";nocase;within: 21;pcre: "/(octopus-multimedia|webpetitesannonces)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637249; rev:9;)
# sid 2637250 includes 1 (0 - 1) 19 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.be)"; content:"|13|";content:"|02|be|00|";nocase;within: 22;pcre: "/artemaliciacapoeira/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637250; rev:9;)
# sid 2637251 includes 1 (0 - 1) 3 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.be)"; content:"|03|";content:"|02|be|00|";nocase;within: 6;pcre: "/bde/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637251; rev:9;)
# sid 2637252 includes 1 (0 - 1) 4 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.be)"; content:"|04|";content:"|02|be|00|";nocase;within: 7;pcre: "/lsdc/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637252; rev:9;)
# sid 2637253 includes 2 (0 - 2) 5 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.be)"; content:"|05|";content:"|02|be|00|";nocase;within: 8;pcre: "/(kstdr|2live)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637253; rev:9;)
# sid 2637254 includes 8 (0 - 8) 6 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.be)"; content:"|06|";content:"|02|be|00|";nocase;within: 9;pcre: "/tref(cc|f(b|d|g|q|r|w|x))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637254; rev:9;)
# sid 2637255 includes 13 (0 - 13) 7 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.be)"; content:"|07|";content:"|02|be|00|";nocase;within: 10;pcre: "/(sweeter|vispace|yospace|hftiili|qewasqs|dirddrf|ftpddrs|tacticz|gerfas(e|o|r|x|y))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637255; rev:9;)
# sid 2637256 includes 10 (0 - 10) 8 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.be)"; content:"|08|";content:"|02|be|00|";nocase;within: 11;pcre: "/(goldbase|m(ymarket|odertps)|picoband|redbuddy|lacabane|fotothhi|dlsports|te(h10ll1|rrrfsd))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637256; rev:9;)
# sid 2637257 includes 4 (0 - 4) 9 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.be)"; content:"|09|";content:"|02|be|00|";nocase;within: 12;pcre: "/(bestspace|redfriend|silvertag|whitemart)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637257; rev:9;)
# sid 2637258 includes 19 (0 - 19) 10 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.biz)"; content:"|0a|";content:"|03|biz|00|";nocase;within: 13;pcre: "/(s(e(ekingloh|tcontrol)|pyfighter|linkadult)|exp(loitbla|ressbay)|j(avacsript|obstopfil)|b(ellezkino|oxenstopp)|xssipforum|msn-search|fsc-global|t(oprambler|rustlevel)|new(soption|carsdot)|garmin-win|lmageshack)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637258; rev:9;)
# sid 2637259 includes 11 (0 - 11) 11 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.biz)"; content:"|0b|";content:"|03|biz|00|";nocase;within: 14;pcre: "/(m(sn-gallery|oneychanel)|s(iski-piski|can-pc-now)|nua06032009|crytheriver|ram06032009|trafficaway|d(nsregister|asfkjsdsfg)|idnsservice)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637259; rev:9;)
# sid 2637260 includes 15 (0 - 15) 12 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.biz)"; content:"|0c|";content:"|03|biz|00|";nocase;within: 15;pcre: "/(s(ys-scan-wiz|top-(malware|spyware))|g(uardlab2009|oogle-forum)|webinspector|idhomesearch|p(rivatestore|orno-movies)|quickclickgo|m(egahostname|a(lware-scan|d-millions))|billmeplease|asyouwishwed)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637260; rev:9;)
# sid 2637261 includes 10 (0 - 10) 13 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.biz)"; content:"|0d|";content:"|03|biz|00|";nocase;within: 16;pcre: "/(sys(-(look-scan|scanner-1)|tem-scan-1)|coreguard2009|infoseeklegal|pilimerkazana|theloandirect|escorthosting|fuckthecrisis|zarcoexchange)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637261; rev:9;)
# sid 2637262 includes 10 (0 - 10) 14 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.biz)"; content:"|0e|";content:"|03|biz|00|";nocase;within: 17;pcre: "/(deadseanatural|vse-buddet-zae|sp(yware-killer|ortsbook2009)|bestautoportal|porn-free-tube|malware-scaner|fundholdingllc|onlinetubeporn|tubepornonline)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637262; rev:9;)
# sid 2637263 includes 6 (0 - 6) 15 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.biz)"; content:"|0f|";content:"|03|biz|00|";nocase;within: 18;pcre: "/(goooogleadsence|f(reak-vkontakte|ootballcappers)|malware-scanner|world-tube-free|sex-online-tube)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637263; rev:9;)
# sid 2637264 includes 8 (0 - 8) 16 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.biz)"; content:"|10|";content:"|03|biz|00|";nocase;within: 19;pcre: "/(individualpeople|coreguardlab2009|free-web-scaners|xillercollection|everytimewetouch|porn-online-tube|a(fternoonteamenu|dvertcatalogwww))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637264; rev:9;)
# sid 2637265 includes 2 (0 - 2) 17 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.biz)"; content:"|11|";content:"|03|biz|00|";nocase;within: 20;pcre: "/(online-casino-lpt|thenutritiongroup)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637265; rev:9;)
# sid 2637266 includes 2 (0 - 2) 18 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.biz)"; content:"|12|";content:"|03|biz|00|";nocase;within: 21;pcre: "/(businessdatacenter|intelligentservice)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637266; rev:9;)
# sid 2637267 includes 3 (0 - 3) 19 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.biz)"; content:"|13|";content:"|03|biz|00|";nocase;within: 22;pcre: "/(badwareexterm(enator|inator)|moviedownloadreview)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637267; rev:9;)
# sid 2637268 includes 2 (0 - 2) 20 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.biz)"; content:"|14|";content:"|03|biz|00|";nocase;within: 23;pcre: "/(free-spyware-scanner|badware-exterminator)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637268; rev:9;)
# sid 2637269 includes 2 (0 - 2) 21 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.biz)"; content:"|15|";content:"|03|biz|00|";nocase;within: 24;pcre: "/(download-software-now|scanner-download-free)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637269; rev:9;)
# sid 2637270 includes 2 (0 - 2) 22 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.biz)"; content:"|16|";content:"|03|biz|00|";nocase;within: 25;pcre: "/(online-spyware-remover|spyware-online-remover)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637270; rev:9;)
# sid 2637271 includes 1 (0 - 1) 23 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.biz)"; content:"|17|";content:"|03|biz|00|";nocase;within: 26;pcre: "/ultracreative-solutions/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637271; rev:9;)
# sid 2637272 includes 1 (0 - 1) 25 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.biz)"; content:"|19|";content:"|03|biz|00|";nocase;within: 28;pcre: "/eliteproctologyforyourass/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637272; rev:9;)
# sid 2637273 includes 1 (0 - 1) 3 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.biz)"; content:"|03|";content:"|03|biz|00|";nocase;within: 6;pcre: "/n34/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637273; rev:9;)
# sid 2637274 includes 11 (0 - 11) 4 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.biz)"; content:"|04|";content:"|03|biz|00|";nocase;within: 7;pcre: "/(al9s|f(p3s|lo4)|ldj5|ru98|7ioi|k(u98|yod)|1mov|52av|w0rk)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637274; rev:9;)
# sid 2637275 includes 32 (0 - 32) 5 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.biz)"; content:"|05|";content:"|03|biz|00|";nocase;within: 8;pcre: "/(n(o(-ip|t99)|a(h77|t77)|it99)|an(xin|ush)|kroto|tr(uff|oia)|c(lunk|hits)|d3m0n|jcash|h(o(hoh|t99)|at(77|99))|pv(d(en|iz)|sex|cox)|g(it77|roov)|zaiki|f(it77|at77)|bot77|memll|l2yes|veton|ebaat)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637275; rev:9;)
# sid 2637276 includes 16 (0 - 16) 6 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.biz)"; content:"|06|";content:"|03|biz|00|";nocase;within: 9;pcre: "/(g(e(odll|twin)|oople)|k(uplon|onter)|s(hop86|a(laka|berg))|d(andon|link4)|naifos|linoge|insorg|oiuyrw|traffs|unb0rn)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637276; rev:9;)
# sid 2637277 includes 14 (0 - 14) 7 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.biz)"; content:"|07|";content:"|03|biz|00|";nocase;within: 10;pcre: "/(s(lalaka|ay-yes)|riconah|k(rona98|erchex)|d0lphin|m(s-scan|google)|p(iratik|uppsik|roname|es2009)|vsdftpp|textsex)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637277; rev:9;)
# sid 2637278 includes 20 (0 - 20) 8 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.biz)"; content:"|08|";content:"|03|biz|00|";nocase;within: 11;pcre: "/(playmp3z|s(eotraff|idarada|rv-scan)|m(ainssrv|onsterr|irexint)|a(77e1468|beclick|n90fwq9|dmzjyda)|k(hdjehsk|ilogid2)|h(vfbecvw|amzabx1)|eremenko|wc-zone2|topshost|zmcby6vg|853c9e57)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637278; rev:9;)
# sid 2637279 includes 25 (0 - 25) 9 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.biz)"; content:"|09|";content:"|03|biz|00|";nocase;within: 12;pcre: "/(b(a(nners4u|dmodels)|est-scan)|glublubiz|n(ews-(blog|week)|ayzielzp)|zeus-logs|projectns|sd9-forum|ebnetwork|lucidmind|freeguard|a(rbclicks|lert-pay)|dotmarket|m(icralokp|ynetstat|obylearn|p3review)|2short2be|curbmaker|in(trostep|clabtec)|valuecard)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637279; rev:9;)
# sid 2637280 includes 1 (0 - 1) 7 character domains in the ".br" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.br)"; content:"|07|";content:"|02|br|00|";nocase;within: 10;pcre: "/barddal/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637280; rev:9;)
# sid 2637281 includes 1 (0 - 1) 4 character domains in the ".by" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.by)"; content:"|04|";content:"|02|by|00|";nocase;within: 7;pcre: "/eyes/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637281; rev:9;)
# sid 2637282 includes 2 (0 - 2) 11 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ca)"; content:"|0b|";content:"|02|ca|00|";nocase;within: 14;pcre: "/(bouncenplay|trademakers)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637282; rev:9;)
# sid 2637283 includes 1 (0 - 1) 12 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ca)"; content:"|0c|";content:"|02|ca|00|";nocase;within: 15;pcre: "/tastemasters/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637283; rev:9;)
# sid 2637284 includes 2 (0 - 2) 14 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.ca)"; content:"|0e|";content:"|02|ca|00|";nocase;within: 17;pcre: "/(movieinthepark|gowebsolutions)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637284; rev:9;)
# sid 2637285 includes 1 (0 - 1) 15 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.ca)"; content:"|0f|";content:"|02|ca|00|";nocase;within: 18;pcre: "/computercabling/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637285; rev:9;)
# sid 2637286 includes 1 (0 - 1) 9 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ca)"; content:"|09|";content:"|02|ca|00|";nocase;within: 12;pcre: "/infostore/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637286; rev:9;)
# sid 2637287 includes 4 (0 - 4) 10 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.cc)"; content:"|0a|";content:"|02|cc|00|";nocase;within: 13;pcre: "/(installing|activision|dummykeath|mn8873nb01)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637287; rev:9;)
# sid 2637288 includes 3 (0 - 3) 11 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.cc)"; content:"|0b|";content:"|02|cc|00|";nocase;within: 14;pcre: "/(s(ecure-site|cope-group)|ccn-groupco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637288; rev:9;)
# sid 2637289 includes 5 (0 - 5) 12 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.cc)"; content:"|0c|";content:"|02|cc|00|";nocase;within: 15;pcre: "/(ava-groupsvc|bfs-groupinc|flatgroupfly|libertygroup|margin-group)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637289; rev:9;)
# sid 2637290 includes 6 (0 - 6) 13 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.cc)"; content:"|0d|";content:"|02|cc|00|";nocase;within: 16;pcre: "/(armor-groupco|diamond-dream|full-controll|party-reunite|criscom-group|realtek-group)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637290; rev:9;)
# sid 2637291 includes 4 (0 - 4) 14 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.cc)"; content:"|0e|";content:"|02|cc|00|";nocase;within: 17;pcre: "/(prime-groupinc|fairline-group|margin-groupco|saturn-groupco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637291; rev:9;)
# sid 2637292 includes 8 (0 - 8) 15 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.cc)"; content:"|0f|";content:"|02|cc|00|";nocase;within: 18;pcre: "/(entrust-groupli|s(cope-groupmain|ummit-groupinc)|v(ector-groupfly|ision-groupinc)|redeye-groupinc|affina-groupsvc|puritan-groupco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637292; rev:9;)
# sid 2637293 includes 6 (0 - 6) 16 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.cc)"; content:"|10|";content:"|02|cc|00|";nocase;within: 19;pcre: "/(massive-groupsvc|annuity-groupnet|re(gency-groupnet|altek-groupnet)|criscom-groupinc|premier-groupnet)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637293; rev:9;)
# sid 2637294 includes 1 (0 - 1) 17 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.cc)"; content:"|11|";content:"|02|cc|00|";nocase;within: 20;pcre: "/fairline-groupinc/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637294; rev:9;)
# sid 2637295 includes 2 (0 - 2) 18 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.cc)"; content:"|12|";content:"|02|cc|00|";nocase;within: 21;pcre: "/(alliance-groupmain|integrity-groupinc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637295; rev:9;)
# sid 2637296 includes 2 (0 - 2) 3 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.cc)"; content:"|03|";content:"|02|cc|00|";nocase;within: 6;pcre: "/(imm|ms8)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637296; rev:9;)
# sid 2637297 includes 1 (0 - 1) 4 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.cc)"; content:"|04|";content:"|02|cc|00|";nocase;within: 7;pcre: "/jost/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637297; rev:9;)
# sid 2637298 includes 1 (0 - 1) 5 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.cc)"; content:"|05|";content:"|02|cc|00|";nocase;within: 8;pcre: "/loads/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637298; rev:9;)
# sid 2637299 includes 2 (0 - 2) 6 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.cc)"; content:"|06|";content:"|02|cc|00|";nocase;within: 9;pcre: "/(orzsys|xcount)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637299; rev:9;)
# sid 2637300 includes 4 (0 - 4) 7 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.cc)"; content:"|07|";content:"|02|cc|00|";nocase;within: 10;pcre: "/(regscan|xsnatch|vcrssd1|zeroday)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637300; rev:9;)
# sid 2637301 includes 4 (0 - 4) 8 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.cc)"; content:"|08|";content:"|02|cc|00|";nocase;within: 11;pcre: "/(direct-x|maghdfun|liulanqi|j00k877x)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637301; rev:9;)
# sid 2637302 includes 7 (0 - 7) 9 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.cc)"; content:"|09|";content:"|02|cc|00|";nocase;within: 12;pcre: "/(a(res-2009|va-group)|c(ashpopup|cn-group|hernobyl)|bitorrent|ftpaccess)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637302; rev:9;)
# sid 2637303 includes 1 (0 - 1) 10 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ch)"; content:"|0a|";content:"|02|ch|00|";nocase;within: 13;pcre: "/toureg-cwo/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637303; rev:9;)
# sid 2637304 includes 2 (0 - 2) 11 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ch)"; content:"|0b|";content:"|02|ch|00|";nocase;within: 14;pcre: "/(uhcwuppenau|erotic-food)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637304; rev:9;)
# sid 2637305 includes 1 (0 - 1) 12 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ch)"; content:"|0c|";content:"|02|ch|00|";nocase;within: 15;pcre: "/hs-limmattal/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637305; rev:9;)
# sid 2637306 includes 1 (0 - 1) 16 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.ch)"; content:"|10|";content:"|02|ch|00|";nocase;within: 19;pcre: "/vomlichtderberge/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637306; rev:9;)
# sid 2637307 includes 1 (0 - 1) 18 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.ch)"; content:"|12|";content:"|02|ch|00|";nocase;within: 21;pcre: "/wirtschaft-frieden/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637307; rev:9;)
# sid 2637308 includes 1 (0 - 1) 23 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.ch)"; content:"|17|";content:"|02|ch|00|";nocase;within: 26;pcre: "/jugendfeuerwehr-zermatt/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637308; rev:9;)
# sid 2637309 includes 1 (0 - 1) 4 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.ch)"; content:"|04|";content:"|02|ch|00|";nocase;within: 7;pcre: "/glyk/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637309; rev:9;)
# sid 2637310 includes 2 (0 - 2) 8 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ch)"; content:"|08|";content:"|02|ch|00|";nocase;within: 11;pcre: "/(corsaire|fivestar)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637310; rev:9;)
# sid 2637311 includes 1 (0 - 1) 9 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ch)"; content:"|09|";content:"|02|ch|00|";nocase;within: 12;pcre: "/server911/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637311; rev:9;)
# sid 2637312 includes 1 (0 - 1) 5 character domains in the ".ci" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ci)"; content:"|05|";content:"|02|ci|00|";nocase;within: 8;pcre: "/aviso/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637312; rev:9;)
# sid 2637313 includes 1 (0 - 1) 15 character domains in the ".cl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.cl)"; content:"|0f|";content:"|02|cl|00|";nocase;within: 18;pcre: "/aquaplant-chile/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637313; rev:9;)
# sid 2637314 includes 3 (0 - 3) 9 character domains in the ".cl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.cl)"; content:"|09|";content:"|02|cl|00|";nocase;within: 12;pcre: "/(aquaterra|cepsaltda|800doctor)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637314; rev:9;)
# sid 2637315 includes 1 (0 - 1) 13 character domains in the ".cm" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.cm)"; content:"|0d|";content:"|02|cm|00|";nocase;within: 16;pcre: "/mt3pvkfmpi7de/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637315; rev:9;)
# sid 2637316 includes 184 (0 - 184) 10 character domains in the ".cn" top level domain
alert udp
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.cn)"; content:"|0a|";content:"|02|cn|00|";nocase;within: 13;pcre: "/(o(riginalcn|therchina)|t(lovechina|vnameshop|r(ipsstart|af(fcount|domins))|i(ntraffic|tlebonus)|h(eyourown|isorthat)|dscounter|omorrrrow|urningout)|l(yboidomen|o(tbetsite|ve(2coffe|storyy)|quat2006)|i(fenaming|tecartop)|a(maze2009|gunabich)|u(boydomen|dingtour)|zkumoozdl)|w(hereismat|o(henleile|qyymmptn)|llvvkjknh|areshield|e(l(comeone|ivehere)|b1movies|stnorths))|b(ytenetcom|a(idu(-1163|duyou)|conguide|rraccuda|nubanasy|gtrustik)|e(st(lotron|findit)|zzpaleva|-secured)|unchguide|o(n(usdream|escaner)|mbermans)|iznesscom|2b-forums|ladespoon)|a(dfsgsdgfb|rhjfgjdrf|inideqian|l(ienmovie|fastream|tgroupco)|n(gryshark|-freeeze|alystics)|mer0test0)|qq163-eild|c(vbnmdgesc|h(i(ckstube|liwilli)|eapsocks)|o(mbinebet|llege360|unterweb)|ss-csript|lowncirus)|r(ainfinish|o(selambda|botbobot)|ikangchen)|n(e(w(guard(4u|2u)|admins7|-proper|crawler)|tcarfind)|ameguards)|xhyydingbi|9(4mekelove|mariasara)|u(kxvgbnmzp|upmeepvej|nlock0452|pdated(b87|ate))|h(o(stnsload|tslotpot)|ead-moron|allownets|sbc-trial)|m(oulitehat|i(ni-socks|digratis|xlotsite|klovania)|a(ria5sara|ps-tiles)|y(bestline|warworld)|egainvest|rmennoisy|19citizen)|p(ubmitzvah|alaceclub|opkadurak|eace-data|izihui169)|g(o(ooodbill|noristan|rbitasnn)|r(e(at(swamp|poets|toast|moder)|enbeers)|a(nata282|phwebgo))|amerszons)|s(e(r(ymercha|vupdate)|xypupsik|cureitem|lladvice|ekingout|ndingout)|o(urcehand|ftportal)|aloongins|h(rekmovie|itstream)|portshots|u(xumzulum|persmans)|ttcounter|canerborn)|y(z(bgoywzmg|huaxiang)|ourlotcar|andexcars)|z(usojbktvo|ombiecorp)|f(i(lmoflife|rstroyal)|otogratis|dsdffdfsf|reemaniya|lxvircorp)|d(a(ily(nylon|2news)|y-orange)|e(tcentral|adly-pie)|omen(zmonz|poxuj)|doshacker)|e(minemlive|urostrade|njnzdfmts|ctdeal055|dit(1china|2china|3china))|k(eeperbook|issfromde)|26860xfart|v(i(deo-tube|p(reactor|imagine))|eraclara5|azegdurak)|jaymarkets|iwanttowin|5mariasara|6mariasara|7mariasara|8mariasara|1monocline)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637316; rev:9;)
# NOTE(review): the .cn rules that follow pack each length bucket's blocklist into a single
# prefix-factored pcre alternation; for example t(r(avetbeach|uemtstick)|...) in the 11-character
# rule stands for travetbeach and truemtstick. Points to keep in mind when deploying them:
#  * The pcre has no R modifier and no anchors, so it is evaluated against the payload
#    independently of the two content matches; the length byte in content:"|NN|" likewise has
#    no offset/depth. An alert therefore means "a listed string occurs somewhere in a lookup
#    that also has an NN byte shortly before the .cn label" - confirm the full query name
#    during triage.
#  * msg reports only length and TLD; the matching entry has to be recovered from the packet.
#  * Several entries imitate vendor or service names (windows-update, googleanalytics,
#    norton-protection); a hit concerns the listed .cn name, not the vendor's own domains.
#  * Presumably every .cn lookup that passes the content checks runs the whole alternation -
#    profile these rules before enabling them on a busy resolver path.
# sid 2637317 includes 217 (0 - 217) 11 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.cn)"; content:"|0b|";content:"|02|cn|00|";nocase;within: 14;pcre: "/(h(o(neypalace|use(visual|style2))|e(avenplace|llogoodby)|uge(top(nano|diet|seek)|premium|bestbuy)|it-senders|aving-fun2)|l(i(ght-money|te(hitscar|au(ction|totop)|premium)|fecounter)|o(ve(rtoorcn|2coffee)|tbetworld|nglivedvd|ckershoes)|astfmmusic|edyzpizdik)|d(i(rectlink(0|1|2|4|9)|ettopseek|scoverany)|a(ddybigtop|ilyhottie|masgratis|y-evryday)|e(signroots|laizoloto)|r(iveupdate|oppingout)|ownloadsrc)|b(u(lkbaginfo|stedsafer)|e(st(cover(4u|2u)|webfind|finderr|scan0(44|66))|tbigwager)|a(idu-opop1|nanasdogs)|i(g(b(ulkmail|est(find|lite))|top(s(uper|tats)|leads|rocks)|amadillo)|ntus-bahi|ll-bailey|znessnews)|o(xingclubs|goservice))|f(r(eiemuster|istcenter|agus-v1-1)|ind(big(boob|urls|name)|abigrig)|ghnjmdgrse|e(ngyunwudi|rarilatka|liciagirl)|usionheart|latletkick)|j(ust(bargins|paythis)|eans0nline|crewonline)|c(l(ickcouner|ara(5elena|6elena|7elena|8elena))|vbdohdrgyr|o(m(poundlot|icscaner)|ol(hoodies|crosses|wordart))|ubanbigtop|cn-groupco)|n(a(me(buyline|forshop)|notopfind)|ewtransfer|umbersbulk|o(rah-jones|nsensical)|i(ght-whale|ke-petrum))|p(oliticblog|ro(mixgroup|defence1)|e(opleopera|kincenter|rfectofan)|la(yslotbet|cability)|apaanarhia)|r(e(turnmyexe|adymixbet|mainstill)|ain(jukebox|bowlike)|ondo-trips)|k(a(llagoon13|ngaroocar)|ennelclubs|i(libinchek|tichinesi)|rolingermn)|m(e(gavipsite|ldorgroup|dia-news2|iguixiang)|yd(efense4u|ailymail)|i(x(lotworld|betworld)|icrosofft)|ari(a(5clara|clara(6|8)|elena(6|7|8))|necargo)|uliuyiliao)|o(ceandealer|racleoledb|peratedout)|v(i(tamingood|llain7878|russcaner)|olonterkom|seseriozno)|g(o(goserv333|oglenames|wildtours|ld-smerch)|fyjfghdvse|r(eatmixlot|aduatetop)|iantnonfat|a(zsnippets|invictory)|ym0replace)|s(m(ilecasino|sdiarybig|artbiznes)|t(a(keshouse|llvars-(1|2|7|9))|ickingout)|uperlottry|olmixgroup|e(rverinlit|crettales)|inomedical|c(ope-group|a(ry-scary|nersorry))|ftzone2009|aved-space|portfinish|lip-stream)|t(r(avetbeach|uemtstick)|he(yourbest|bettings|homename)|op(litesite|division))|w(owregister|e(bnamemart|generinfo)|innerphone)|you(bonusnew|r(c(atfree|ombine|licker)|litetop))|a(rgosonline|ssdazzxcad|vagroupsvc|pplestore2|nti(policai|dopings|sgetout)|mazonhacks)|qinpengejia|u(sdisturbed|ploadmovie)|02fgu145501|i(spiritatus|n(flame2009|dia-tours)|gt(-groupco|groupinc))|e(dwoodmovie|nginesoons))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637317; rev:9;)
# sid 2637318 includes 173 (0 - 173) 12 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.cn)"; content:"|0c|";content:"|02|cn|00|";nocase;within: 15;pcre: "/(a(ll(yourguide|webpublic)|sdfgsdfgsdf|ntivirusvip|grautoparts|mericanliit|chieve21121|dobe6-athun)|b(i(tanalytics|g(defense2u|coverlive|topbrands)|bliagratis|zorderpage|aobrgeroin)|e(tstarwager|st(nameshop|filmlife|starwars))|ookadorable|u(s(candotodo|inessrest)|rgerstreet)|bandtonline|l(ooddiamond|ack-engine)|ayinsurance)|f(eelingchoin|ind(localjob|bigshots)|reefunpages|ormulawebgo)|g(o(o(gle-(traff|credi)|dsovclass)|rillazband)|r(e(atbethere|en-pepper)|oove-salad)|iant(premium|topnano|highest)|etshealth11|ymandcardio)|y(our(f(reebets|ilmlife)|guardpro|liteseek|nameshop)|b-sport-555)|e(x(celsystems|ponentials)|ntrustgroup|ricwanhouse|conomyguide|lectrofunny)|m(ainnameshop|y(healtharea|w(ebtraffic|atermakrs)|betorwager|th-busters)|i(xbetonline|n(nesinger2|isterstvo))|cwanecenter|nogotrafika|ellis-group|oralisefilm)|n(iencos3432d|e(wguard4you|ilwelliver)|ame(martfilm|thatshop))|h(ack(download|andsmack)|o(sskurnelli|neywell-cn)|ugebestbuys|erosima1yet)|c(asinobigtop|o(ol(name(shop|mart)|building|papabell|cruising)|dex-engine)|cn-groupsvc)|p(laybetwager|harmacyeasy|r(estigecard|i(vetmedved|nt-design)|o(analytics|ductguide))|oligraphiya)|d(rawingstyle|o(wnload-123|ve-groupli)|vdmovieclub|unkinsworld|mitrygaiduk|isturbedweb)|s(t(a(ts(analist|counter)|rgroupinc|llvars-10)|uptime-new)|ymphonygold|u(per(betfair|-choice)|rgingnurse)|e(rvergloria|cur(eimages|ityland)|ar(chgroovy|ra-ditol))|i(tesupports|ftozzillaa|rius-socks)|o(uthunion77|cks(ikovnet|5servic))|can(sponline|4(malware|spyware)|erexcuse)|p(onlinescan|acecountry|ysystemcom)|jkmerirtokm|leepatnight|havedpoints|weet-memory|amplermovie|vinopavstvo)|w(eb(s(itecheck|ecurity2)|-paradise)|orld(namebuy|ofshore)|illsmithinc)|r(esorttravet|ogerscenter|hrhrhrhereo|iaasoftware|ubber-plant)|i(slandtravet|hrhrhrhereo|ng-groupsvc|want2berich)|t(r(ydirectjob|a(veltravet|nsliators))|he(filmmusic|riverlive)|opfindworld)|l(ongyitiaov7|ekiraovnie3|ittle-bitty)|1(09438129432|nonsensical)|234(273849543|871938123)|438723847234|james-taylor|k(eygroupmain|imosimotuma)|zoolanalizer|onlybestnews|usertoolbars|384756783900|783456788839)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637318; rev:9;)
# sid 2637319 includes 176 (0 - 176) 13 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.cn)"; content:"|0d|";content:"|02|cn|00|";nocase;within: 16;pcre: "/(u(pdatedrivers|sednamestore|e4x08f5myqdl)|a(c(tiveprotect|hieve21-121)|utodirection|sjkghajkgh15|rmor-groupco|bc-webdesign|fternoontime|dobe9-mytdup|ntisollushin)|m(e(damphetamin|gauplodplus|na-groupsvc|ssengerinfo)|y(defense4you|guardforyou|ne(wnameshop|s-consult))|i(l(lionsdream|et-company)|xgroupguide)|t3pvkfmpi7de|f6gy4lj79ny5|o(dern-design|zzillaclone)|a(ilboxinvite|ngo-culture))|your(ownplanet|bestworld|guard4you|filmmovie|-security)|s(e(e-something|archsuggest|curityearth|parator2009|rvicesocks5)|t(ar(tgetaways|-groupsvc)|ruckyorluck)|u(per(dietfind|filmlife)|baruservice)|ho(p(movielife|filmworld)|otersworld)|ocks5servi(ce|se)|itemechanics|pace2009city|ymyho3393245)|b(rabuscoctail|e(st(finda(home|loan)|cover4you|litevideo|secureweb)|tworldwager)|igtop(escorts|artists|cabaret)|a(idujkljasda|tman-comics)|ulkdvdreader)|c(a(sinoslotbet|tchmysafety)|h(eapslotplay|ristmasclub)|o(ol(ringtones|video4dom)|nsensualart)|eceshishi888|di-groupmain|wbnewsonline)|h(ugetop(nonfat|locate)|o(me(nameworld|brandname)|nda-recycle|lding-group|useholdsout)|it-inspector|xc7jitg7k57e)|1(63-sohu-sina|economyguide)|d(ddbbbddbbdbd|ressnowbeach|linktransfer)|w(e(bsiteflower|ekendtravet)|orldofwarcry|indowspcline|atermelonfun)|g(oogle-(newbot|awards|bot004)|r(eat(shopfilm|ingcards|time2009|names-12)|oundhogday2)|jpwsc5p7oem3|uidetogalaxy|idroanalizer)|li(tetopdetect|me-group(net|svc))|f(i(lmtypemedia|refox(avatar|fowner))|r(ee(defense2u|universis|giftslive)|iendship888)|1uq1dfi3qkcm|yivbrl3b0dyf|bheadquaters)|n(o(nfatcarbest|abuseplease)|amesupermart|udecelebrity|e(w(agehosting|-age-music|sdownloads)|imeetsmysla))|p(r(e(mium(locate|nonfat)|stotunerst|dposledniy)|otectyourpc|ime-groupco)|arkinglotbet|0umob9k2g7mp|7keflvui9fkl|owercapacity)|t(he(lotmachine|-offspring|usbwebsite)|echno(opmizer|tronics)|1eayoft9226b|r(ust-service|ytowintoday|affic4stats)|o(tal(-groupli|groupinc)|pmusicstore))|r(a(cquelsworld|dioheadicon)|ncocnspr44va|over-machine|epeatability)|e(n(ginecoolant|tombing2009)|verlastmovie)|jumbobestrate|z(enitchampion|6ailnvi94jgg|frexendzorex)|0ni9o1s3feu60|4go4i9n76ttwd|7(bs5nfzfkp8q8|zju2l82i2zhz)|k(t4lwumfhjb7a|zvi4iiutr11e|eepmeupdated)|o(d32qjx6meqos|rdinaryvoice|nlinestarter)|q2bf0fzvjb5ca|i(n(finitccoopp|terposition)|deallegue662)|vk-mastersoft)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637319; rev:9;)
# sid 2637320 includes 103 (0 - 103) 14 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.cn)"; content:"|0e|";content:"|02|cn|00|";nocase;within: 17;pcre: "/(n(e(paxek-domain|w(guardforyou|netnameshop))|onfatautobest|ame(buypicture|claimstore|storevideo))|g(oogle-analab(a|b|c)|ianttoplocate|reat(namemovie|stories00)|lobal(mixgroup|nameshop)|artnerdedault|e(tflashplayer|niouspartner))|l(i(te(autorepair|upyourride)|veicqnetwork|nmaoshuiqing)|ot(wageronline|ultimatebet))|your(nonfatbest|guardstore)|d(otcomnameshop|reamheartsnow)|f(i(n(d(big(thinker|brother)|yourbigwhy)|anceimprove)|lm(bridgelife|lifeimages))|ree(coverstore|hostforyou)|ullclickstats|a(irline-group|shionovernet))|b(dbdbddbdddbdd|ig(premium(lite|find)|skytopguide|topf(indsite|estival))|eachhousename|rain(-groupsvc|groupmain))|m(i(x(mediadirect|grouptravel)|crofreelance|ssing-codecs)|a(s(hroomtheory|tergroupinc)|rgin(-groupco|groupinc))|o(ral-theology|bilerevision))|t(henetnameshop|urbonamestore|eacherslounge)|joomlaprojects|s(uper(betsports|7decision)|aturn-groupco|msphonesymb02|ecretalltrue2|tillsnapshots|howmelovetube)|q(uakeworldlive|ingchun-meinv)|c(utheatergroup|h(i(nafavorites|ldbirth2000)|ris25project)|ncdatanetwork|iscocommunity|riscomgroupco|old-random312)|zenitvsspartak|p(r(ime-groupinc|emiumbullets)|laying-sports|hoenixgroupco|ower-security)|re(deye-groupco|centshopping)|virtuozbilnyak|w(ejlk298798324|heels-on-fire|indows-update)|a(d(eptofmastery|obe(5-peltion|10-togeam))|rgentinastyle)|usaworkinghard|h(istorycontext|o(stingdomains|tflashmovies))|index-groupinc|online-counter|1onlinestarter|estimategood32)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637320; rev:9;)
# sid 2637321 includes 106 (0 - 106) 15 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.cn)"; content:"|0f|";content:"|02|cn|00|";nocase;within: 18;pcre: "/(p(l(easeclickhere|atinumdefence)|ri(va(teaolemail|cy-protect)|celessfinish)|uritan-groupco|aul-mc-cartney)|on(lineanalytics|epiece-online)|m(i(llion-dollars|crosoftoutlaw)|a(croviewonline|s(sivegroupsvc|ter-groupsvc)|rketingsmoney)|y(-bilderrahmen|newworldorder))|f(alloutneferwin|ree(coveronline|infoandpass)|i(nd(bigthinkers|yourbigidea)|rmware-update))|s(tats-analytics|dahidsahidsahi|cope-groupmain|ho(ppicturelife|wmethesecret)|aturn-groupsvc|e(cure-networks|xyteengallery)|ummit-groupinc|olidresistance)|li(eliteautobody|te(premiumlist|topseeksite))|c(o(nsignmena5173|sco-groupmain|uples-retreat)|lubmillionswow|atchynamestore|h(inaoilfactory|aracterscaner))|e(ducationbigtop|agle-groupmain|lectromusicnow)|transformercity|you(benshizaifen|r(guard(online|foryou)|litetopfind))|b(est(defenselive|coverforyou|litetopfind|hockeyteams|wishestoyou|-protection)|ig(topliteworld|findtopguide)|lo(gtransaction|ckcenterplay)|a(iduybaidbrqlm|sketballsport))|j(inzhuangzhuang|eremy-kyle-now)|a(utobestwestern|n(gelinajmovies|tivirusfreec0)|ffina-group(net|svc)|ll-about-steve)|n(a(notopdiscover|mebuyfilmlife)|oth(ern-ireland|ing-to-wear)|vidia-group(net|svc)|ew(worldsuccess|porkeronline))|h(osfikurnellixx|ugetopdiscover|erosima1yet00g)|goo(gle(analytics|-(a(dvisior|nalytcs)|stats008))|d-protection)|xmoviedownloads|d(e(layyouranswer|fendandsecure)|utyfreeairport|riverupdateter)|r(e(deye-groupinc|gency-groupco|altekgroupsvc)|ootzundrground)|vision-group(inc|svc)|w(indows(-up2date|defence(y|r))|onderfullstuff)|i(dl-maxtreasure|n(valda-groupli|dex-groupmain)|-finally-found))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637321; rev:9;)
# sid 2637322 includes 75 (0 - 75) 16 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.cn)"; content:"|10|";content:"|02|cn|00|";nocase;within: 19;pcre: "/(p(erfectnamestore|a(ymentvirusmelt|ulmccartneyusa)|uritan-groupinc|re(mier-group(inc|net)|sidentvictory))|d(evinepromotions|reamlitediamond|iscovernewchina|ynamicfilmmedia)|s(e(cure(dosupdates|bizccenter)|x-and-the-city)|uper(litecarbest|-choicenow1|choice-now1)|hopvideoschools|cansecurityhole)|l(ite(autogreatest|topfindworld|downloadseek|highestmodel)|otmachinesguide|evitationwonder)|f(riskdiseaselive|ind(bigmoneygame|itinbigapple)|ull-house-stuff)|yourfrisk(disease|illness)|m(o(mentstohaveyou|rsayniketamere)|icrosoftprogram|ellis-groupmain|ake-statsfamily)|e(asyfriskdisease|xtreme-groupinc)|t(echnologybigtop|r(affic-searches|y-your-destiny)|hebestwaytofind|opbillboardhits)|b(est(litediscover|mortgagefind)|i(g(t(ruckstopseek|opmanagement)|appletopworld)|rthdaypostcard)|usinesscoorptru|randnameshoppin)|na(me(companystore|martfilmlife)|tionaltreasure)|g(iant(topdiscover|beaversdiet)|o(ogle-analitics|gyadexchina0ab)|etfreediscounts)|vector-groupfine|a(rchway-groupinc|n(nuity-group(llc|net)|a(mericanbeauty|listikyandeks))|ssurity-groupco|ttitudecartoons)|hfju38djfhjdi3kd|re(gency-groupnet|altek-groupnet|moveallaswarea)|criscom-groupinc|windows7-catalog|100creativeideas|queenofneworlean)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637322; rev:9;)
# sid 2637323 includes 56 (0 - 56) 17 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.cn)"; content:"|11|";content:"|02|cn|00|";nocase;within: 20;pcre: "/(thebest(worldparty|youcanfind)|g(r(ooveyourdestiny|eatliteautobest)|oogle-analystics)|s(oftwareoverworld|hop(film(existence|lifeforce)|moviefestival)|ecuredbizcenter1|uper(mixlotonline|-choice(-now1|here2)|choice-here2))|w(hreismyplugnplay|eisichuanxiongqi)|f(ilmlifemusicsite|a(milyofefounders|irline-groupinc)|reedefenseforyou)|d(aslxzcewralrocjn|ecoratingcatalog)|in(ternetnamestore|valda-groupmain)|n(amestore(filmlife|discount)|orton-protection)|e(asydefenseonline|stimategood32021)|m(y(ascertainpoison|checkdiseasepro|nes-consultings)|akenodifference2)|o(verpoweredsystem|nlinevideowatcch)|b(igprotectionlive|est-live-lottery)|li(te(autobestguide|carfinestsite|top(locatesite|finddirect))|veavantbrowser2)|you(r(friskviruspro|name(heremedia|quickshop))|askedthedomain)|c(reativeblockplay|old-achieve21121)|analitikss-google|hardwarefactories|p(rotectinstructor|ho(enix-groupmain|toscansecurity)|aramauntpicturec)|quickscansecurity|republicdemocracy)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637323; rev:9;)
# sid 2637324 includes 43 (0 - 43) 18 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.cn)"; content:"|12|";content:"|02|cn|00|";nocase;within: 21;pcre: "/(t(hankyoufor(smoking|install)|welvemonkeysmovie)|lite(autofinestsite|downloadfinest|greatestdirect)|a(wardspacelooksbig|ll(footballmanager|iance-marketing)|ctivesecurity(card|tool))|e(asy(checkpoisonpro|bestprotection)|x(amine(illnesslive|poisonstore)|celdocumentsinfo)|stimate(-good32021|good32-021))|s(ecur(edupdateslive|ityeverywhere)|hop(filmlifeonline|onlinefilmsite)|upportyourcountry|cansecurityguards)|b(est(examinedisease|friskviruslive|vanillaresorts)|igfirststopnonfat)|your(checkpoisonpro|friskinfection)|f(ilmlifemediaguide|ullxmoviesarchive|riedgreentomatoes)|notebookcomplaints|r(ollerskatesadvise|i(ghtdecisionhere2|singbannerstands))|integrity-group(inc|svc)|onlinemalwareserch|writeloveonherarms|useractivesecurity|personalsystemscan)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637324; rev:9;)
# sid 2637325 includes 23 (0 - 23) 19 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.cn)"; content:"|13|";content:"|02|cn|00|";nocase;within: 22;pcre: "/(4thankyouforinstall|my(examinevirusstore|checkdiseasestore)|a(s(certaindiseasepro|nfhaksfhnasf15215)|ctive(layersecurity|security(gates|codes|zones))|dwordsformoneymail)|litetopdiscoversite|nonfathighestlocate|s(hop(filmlifescience|movieproduction|videocommission)|u(per(activesecurity|decision123034)|mmaryscansecurity))|findbigbearproperty|inglouriousbasterds|thefinaldestination|bioregionalistmovie|estimate-good32-021)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637325; rev:9;)
# NOTE(review): buckets are ordered by the length written as text, which is why the 2-character
# rule follows the 19-character one. A two-character unanchored pcre is a very weak
# discriminator, so expect this rule to need the most verification per alert.
# sid 2637326 includes 2 (0 - 2) 2 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 2 chars (.cn)"; content:"|02|";content:"|02|cn|00|";nocase;within: 5;pcre: "/(9v|8u)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637326; rev:9;)
# sid 2637327 includes 25 (0 - 
25) 20 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.cn)"; content:"|14|";content:"|02|cn|00|";nocase;within: 23;pcre: "/(2d2deozghamea1m1ifn3|h(syzpbavkojdqclhnoqz|omenameregistration)|b(estprotectiononline|uenavistasocialclub)|easyincomeprotection|d(cz9ubei212vp3nrca5i|ihbgbwqryuolfbebgme|e(utschelandservices|lltrustedsecuritya))|l(mempodfzrqqkteyupar|ufwhtelkadvrtaukqjo)|virevpcklvlrxjcqxtij|z(jjrrhhuokjxgmulisxs|nchygdrmelzejjvofji)|c(omp(oundcapitolgroup|uter-antivirusb1)|ustomsoftwareupdate)|martpictureexistence|justintimberlake2009|a(dvancement-statekos|ol-update-installer|ahsdvsynrrmwnbmpklb)|relevant-information|sunhuivchainakonchaj)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637327; rev:9;)
# NOTE(review): reading and triaging the .cn rules below:
#  * Each rule checks a length byte (content:"|NN|", no offset/depth), then the .cn label plus
#    the terminating zero byte within N bytes of it, then a pcre holding the listed labels.
#  * The pcre carries no R modifier and no anchors, so it is evaluated against the payload on
#    its own; the long single-entry rules (25 and 27 characters) are unlikely to match by
#    coincidence, while the 3-character rule (jp1|kcs) is a weak discriminator and needs the
#    full query name checked on every alert.
#  * msg reports only length and TLD, not which entry matched.
#  * Entries such as google-update-checker, adobe-updating-service and windowssecurityupdates
#    imitate vendor update services; an alert concerns the listed .cn name, not the vendor's
#    own update domains.
# sid 2637328 includes 8 (0 - 8) 21 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.cn)"; content:"|15|";content:"|02|cn|00|";nocase;within: 24;pcre: "/(upd-windows-microsoft|hyperliteautoservices|secur(edsoftwareupdate|ityupdatessystem)|easyserviceprotection|nameshopinternational|advancement-marketing|google-update-checker)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637328; rev:9;)
# sid 2637329 includes 12 (0 - 12) 22 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.cn)"; content:"|16|";content:"|02|cn|00|";nocase;within: 25;pcre: "/(mediaho(usename(shopfilm|buyvideo)|mename(martvideo|shopmovie))|securedsystemresources|windowssecurityupdates|constructadvancedblock|easypersonalprotection|liteautogreatestonline|denverfilmdigitalmedia|adobe-updating-service|gogogogogogogogogogogo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637329; rev:9;)
# sid 2637330 includes 4 (0 - 4) 23 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.cn)"; content:"|17|";content:"|02|cn|00|";nocase;within: 26;pcre: "/(worldcommercialbusiness|mediahousenamemartmovie|security-access-control|filmproductionlifemedia)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637330; rev:9;)
# sid 2637331 includes 2 (0 - 2) 24 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.cn)"; content:"|18|";content:"|02|cn|00|";nocase;within: 27;pcre: "/(securedprosoftwareupdate|mediahomenameshoppicture)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637331; rev:9;)
# sid 2637332 includes 1 (0 - 1) 25 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.cn)"; content:"|19|";content:"|02|cn|00|";nocase;within: 28;pcre: "/mostbeloved-online-magics/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637332; rev:9;)
# sid 2637333 includes 1 (0 - 1) 27 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 27 chars (.cn)"; content:"|1b|";content:"|02|cn|00|";nocase;within: 30;pcre: "/michaelsbestway2findalawyer/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637333; rev:9;)
# sid 2637334 includes 2 (0 - 2) 3 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.cn)"; content:"|03|";content:"|02|cn|00|";nocase;within: 6;pcre: "/(jp1|kcs)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637334; rev:9;)
# sid 2637335 includes 117 (0 - 117) 4 character domains in the ".cn" top level domain
alert udp 
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.cn)"; content:"|04|";content:"|02|cn|00|";nocase;within: 7;pcre: "/(u(in(1|2|3|4)|097|rj0)|6tg7|7(u8f|3yi|iai|y3x)|h(hj(8|9)|i2i)|w(3(og|3o|cc)|q9q|vg(0|4|9|2|3|7)|s91|23q)|3(8(to|zu)|s8v|k70|23o|m70)|b(bg3|18c|n2z)|c(-0p|cj(5|3|7)|v9i|kt(5|4))|l(-ai|il9|1il|v51)|o(kn4|-ap|n65)|i(ht2|18o|8i1)|y(fe5|rd9|x1l)|2(c2d|qtw|k90)|j(d9k|i(-u|17))|q(wr(2|1|7|8|3)|23r|xz7|sng|leo)|m(br(2|8|0|3|5|9|1|7)|voe|77s)|e(o2q|37z|l(1x|2x|3x)|58z)|v(bn5|0id|duz)|d(99q|ztv|ia(1|2)|ox(0|1|2|3)|67c)|s(76z|m44)|f(97q|anv|ei4|d(g5|5a)|cc7|lo5|sus)|r99u|go5v|17xj|4sx2|xsdg|8f8q|9ot4|tmjy|px66)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637335; rev:9;)
# NOTE(review): the short-label .cn buckets below each carry several hundred entries of 5 to 8
# characters in one pcre alternation. Two properties of the rule text make them the noisiest
# rules in the family:
#  * content:"|NN|" is a single byte with no offset/depth, so any byte of that value shortly
#    before the .cn label satisfies it, not only the length byte of the queried label.
#  * The pcre has no R modifier and no anchors, so it is evaluated against the payload on its
#    own; a short listed string occurring inside a longer name is enough.
# Treat an alert as "possible lookup of a listed name" and confirm the full query name from the
# packet; msg reports only length and TLD. Presumably every .cn lookup that passes the content
# checks runs the whole alternation, so profile these rules before enabling them.
# sid 2637336 includes 194 (0 - 194) 5 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.cn)"; content:"|05|";content:"|02|cn|00|";nocase;within: 8;pcre: "/(5(2(0sb|4ay)|18mk|4ed4|6jrr|job5|92lv)|s(i(ski|r-t)|trhq|ftcp|xd65|j1j1|uoie)|k(ghh(1|2|3|4|5)|egod|s630|ds85|x111|j400|i2ip|ybbt)|w(-(x-y|e-g)|murl|528e|ytzt|g879)|2(qqmm|0-(12|ka)|ijdi|2ger)|6(te43|sys6|86ip|66de)|9(7sex|8tdw|99fu)|a(t820|b(bcp|eze|uze)|6ga6|gn6m|eeae|olas)|f(gig1|dg43|ayda|o(qij|psl|bsl)|r(ags|wxz))|g(omne|jk67|r(ozv|b7u)|k(iot|sdh)|frjk|d(1di|8bb)|t5ev|4k4h|8856|nfdt)|t(snse|es85|r(unu|afm)|om10)|b(fgr5|oyuo|tyxw|bexe|dcnm|rsqb)|c(0093|j-vv|kdkj)|v(i(eio|vne)|as4k|ert4|ty8p|vvcr)|l(eepe|g(v97|899)|iifd|wctd|xwjp|yglj)|y(mlsw|gfc1)|o(k135|nuka|524q|mayn)|i(e(854|kmn)|r078|n(bus|tbn)|1ii1|3219)|r(6c8d|tbn2|154q|oons|h4df|pmm0|jhao|u168)|d(ew7f|f(g34|rgc)|jl87|821e|dlse|2y2i|10gc|b9qq|s3gj|o(tot|mx(2|0|1))|5(g5l|hsr)|red3)|n(ge68|igmo|t(002|202)|ashk|jhcs)|1(s2d3|1(7la|55g|88d)|0ces|2wds|kfie|job1)|m(sgeo|f555|lsqs|u432|jjia)|x(cbnr|9s7b|zwrn|aker|0(00x|10x))|8(ddfx|8810)|h(e-ro|kwiy|d6bb|8ae8|tiwg)|q(werz|qxnm|jwlb|tdyf)|e(tm-p|lods|f2tr|rrtz)|z(dbbd|okre)|j(y-hx|7c7c)|u(yuoo|p002)|p(op0p|2008|sder)|09xss|7lovr|3(eifj|ba3h|3hrf|4218)|4499a)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637336; rev:9;)
# sid 2637337 includes 355 (0 - 355) 6 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.cn)"; content:"|06|";content:"|02|cn|00|";nocase;within: 9;pcre: "/(x(a(njan|zlon)|m6216|h0088|9host|i(qiji|n(x02|y69))|epace|yxiva)|a(d(serv|ayby|oimi|elug)|b(caef|i(dar|ydu))|s(d(awe|y77)|saaa)|ini(ll|gc|uu)|t(i(oqe|awy)|eygi|ofaf)|koede|v(e(myk|yco)|inyk)|l0900|pauzy|rplgm|wixys|xevoq|oaoxs|hoize|cawyr|fyjeq|2dg2o|mebas)|b(ioito|aidmn|g(5460|8028)|szyxy|bvvbb|et(imi|suq))|l(4jsll|j4sll|o(rexx|ve78)|y(uboy|qxfz)|i(t(sed|jnz)|mocs)|preke|wddos|thtgg|zboyi)|8(07090|4(7474|2812)|8wdvd)|h(o(robl|stts|ho-2|mut1)|eyjoy|zcpwl)|g(o(ugom|qfap|wyti|kzed|lary)|g(0987|6781|87(21|65))|stats|roiut|heeny|udxyv|evyta|amno6|inmap)|m(imibn|artuz|m(9860|sifu|togo)|egatt|o(bpvl|shiz|vngs)|y(zevs|-way))|q(q(-new|2(977|018)|bbbb|diao|lc02|xqrz)|wuioz|ian14|vod(69|ax)|epmof|dxybl)|s(l(l(l(4j|j4)|4lj)|4llj)|b(8(632|778)|3589|9835)|h(hdyb|scyy)|waker|u(snoj|myho)|attor|vazal|fanyy)|4slllj|u(k(boox|odun|4you|liit)|p(dvms|uoro)|szers|yuuuu|iouyu|bakeo|niqez|ui8uy)|v(wwx17|ipeks)|z(a(tura|ders)|r(oppy|enie)|koolz)|r(e(zerv|dsol)|deg42|a(ernb|sejo)|jkifj|ipn33)|e(x(plab|odih)|f44ee|rgoer|urccc|d(iyhy|a(mym|yty)|eifu)|1ag1j|g2thg|vouga|wia(va|li)|neuzo|z(enyv|ouwi))|3(f4wws|video)|f(c(0921|3289|67(45|90)|7821)|g(jhnf|4yjv)|hnfff|sdhry|o(brim|gpak|tkum)|a(k888|mpir)|yedit)|y(eziio|tvccc|uyyyu|ihaha|nyxeg|dihuq|gyiqu|mocuw)|j(y(5687|6732|tsit|fugo|goto|noqi|seny)|jxp22|kjjkk|abdup|egaqe|u(gawa|tyja|anmm))|c(om8(2c|7k)|u(tlot|hate)|ds520|xhost|tivnn|i(leky|syto)|exiky|limot)|d(nf-gg|fgyhk|o(m(1(1z|cn)|0cn|2cn)|fawi|quza)|dosor|ecine|ibosh|unhah|ybapi)|t(raxxk|iq38e|htttt|count|a1ch1|e(mpa(1|2|3)|ams3)|olima|sqzsb)|5(dsa4d|566dm)|9(00990|xddw2|4(4dnf|5dnf)|821g9|9c342)|w(ww404|o(wneo|bcyn)|thelp|eueai)|056789|2(37yud|45a34|e7860)|i(l(eron|o(dux|efe)|ipyw|uise)|s(pask|yoti|higo)|g(afep|ivor)|d(unef|oa(fy|pe))|j(uoxe|eife)|k(oiwe|yigy|a(ocy|yvo)|e(uqe|ysi)|ioda)|q(idoh|evun)|x(uyna|ejos)|cepot|fueme|h(ouvi|uere)|n(e(oky|uho)|i(ohi|wuv)|yelu|kkak)|p(emuw|isuw)|r(eoze|ozup)|t(evyx|uyxe)|v(ehod|ofah|uywu)|wuoxo|zesoz|uylqb)|6(5uttt|arada)|o(o(-86(1|2|3|5)|aa88)|pbise|kilas|l(a-la|yety)|mega5|nulor|t(obym|imla)|boy25)|p(p(uerd|123a)|acany|ro(rom|cto)|e(ak-e|i-yi))|k(in(kor|iop)|li(kv(s|p)|tar)|jkkkk|orona|a(nvyz|xuze|deni|bivu)|halej)|1(92idc|23fga|88tan)|n(gnggg|m11df|jbssw)|7(53123|7host))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637337; rev:9;)
# sid 2637338 includes 506 (0 - 506) 7 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.cn)"; content:"|07|";content:"|02|cn|00|";nocase;within: 10;pcre: "/(x(x(xvvvv|oo888)|lsf013|yu-bam|ouymiw|ingan5)|s(ll(4362|1209|9026)|o(badar|halar|zefpa|ft4me|siska|uzmov)|c(h(oolh|arts)|omsat)|d(jisbp|elaem)|sdmmri|i(epiwh|lvton)|etuwen|u(xpymi|qiwyk|sund(4|2|5|6))|amorez|kylife)|c(o(nusil|lo(dgo|pin)|mmada)|ximnik|ha(rtse|ujoi)|a(r(loon|rotz)|tovat|fropy|mmaru)|u(talot|namot)|ybipmo|erdiko|i(btare|duswy)|k47hfu)|f(tpgrbz|dsewwe|wef(333|222|r43)|f88567|e(ptuaq|xonhu|zraqo)|ghnklj|i(rstfk|mcuoj|sruba|xguat)|o(m(azej|bual)|cunqa|szecy|xcoll|rum77)|unabho|a(adora|fadvd|pzoew))|l(o(usecn|tante|ng355|wfoll|ginup)|i(zhao5|fe121|agand)|e(lewyt|nisol|iayre|srynu)|a(vasan|zosbu)|y(kenai|tx360)|zsf888)|n(nradio|iuxuzu|e(psoym|ro872)|uzogbf|owpost|trsgov)|q(q(dnf(0(0|1|2)|11|22)|zn109)|jdiejs|sxdeww|vod(88(1|2)|998)|dnzhmz)|9(688kmm|494iei|mckde3|7kanmm)|g(e(geree|mmakt)|u(mblar|bcyil|gkyaf)|hfdgdf|i(lugmo|wgeam|hugyx|opnon)|o(jaxty|t(ceyr|uqjy)|vaqip|xweyc|den42|mbely|gopub|razyn|wlave)|00glee|ymarqe|ate234|r(obin1|eatan))|u(p(date3|eozab|iumry)|haulde|baunki|gezuso|l(eyvom|oumir)|cuywih|zehayb|qapyij|ktimes)|a(c(idbot|yikap|ajelu|uavro)|hz1000|d(iuqga|ocyha|m(nqtc|cp21)|a(engu|ryje))|k(ipahu|oetly|apefi)|ligovs|j(okauz|yawif|uyrme)|p(efovy|oiweh|pplee)|t(eugic|i(guko|voma)|o(ceuk|ylev)|yorzi|uican)|v(a(yhik|gujy)|eylpa|iopuh|o(apyt|tyab)|y(ofzu|xaze))|w(a(kuvi|okfy|pero|viyh)|etudo|ohebu|ulyna)|mmdamm|giaten|b(yvauw|enapi|onyag)|qobeyv|r(abeih|oidla)|a88567|nyhimi)|d(a(ratop|kbesy)|e(ngtai|loput|puxod)|d88567|jhbzsv|o(m(icud|reha)|vzyag|zabes|qypku)|sg3aeg|u(cyqan|zebyn)|izymhe)|m(i(xante|r(stor|ikas)|havom)|egabot|nprfix|ylfix4|ulicon)|b(o(bo111|tlife|mkyvi)|e(ebest|styru|vafzi|wugox|f(ynru|ree2)|t7bet|nz990)|u(lkbin|gagag|enoos)|bssifu|aidupn|ideqta)|h(a(brion|gnuor|rdnut|hdyti)|h(88567|sssee)|u(imzhe|cdase)|zone66|o(stads|zerun)|yyyyf(1|3|4|5|7|8)|iqtacy|0stels)|k(lawesd|i(llhhh|m-key)|o(rtech|topes)|ghytgv|hgggdd|a(ribel|n31ni|defpu|lepod|chmp3|vymsu)|risnet)|r(oomsme|e(dbool|tuskf)|i(wryse|ch198))|t(r(a(vets|f(iks|lab|fok))|ialan)|edixyt|jforie|camala|t99lov|u(danyg|tablb)|haigan|op1959|andkof|ilowgy|yscieq)|v(i(lasse|vilan)|cdywer|e(likan|tcuof)|uaron2)|e(xo(usyt|cuit)|charts|s(enins|uipka)|qaliho|w(odyha|usiyt|iaguh|ezyod)|t7lktf|divuka|v(iyzru|outma|u(egsi|jyog)|ybine)|pu(neyv|vyiz)|negoys|lsemon|zoheyx)|y(2(37yud|y2dfa)|es(04ka|svaz)|lzf002|noubfa|jiakyn|vicawo|andex2|hhh1(0a|3a|4a|5a|8a|9a|a(1|2|3|4|5|6)))|5(yttrre|63f235)|6(tyeeee|0sys60)|j(naff11|jmmmmm|wieiuu|p(chase|jigol)|y(v(layu|alew)|pfeov|w(amfe|qiva|uxiv)|xipat|chape|m(avco|zowi)|qhoki)|i(fekwy|mzeky|dkeyt|scean|whopa|zkulo)|e(stuab|wymvi|mjouw|npyoj)|a(sfezu|tokfi)|u(lxyaf|wciol|zsaon|stin(1|2|4|5))|k35css)|o(rgsite|t(topay|del-k)|npromo|qaezfy|sujyre|gywuep|pyhila|ffnews|utuser)|w(c-host|e(balfa|dskay|cafko)|aztuok)|1(11kuht|23123k)|i(l(ove1j|ixyeq|uefot|eufby|y(ocij|qous))|g(ou(hxe|dix)|uyzmo|a(yzde|kuot)|euvat|ycoat)|h(a(e(gup|rxi)|goin)|o(ekag|gedi)|uqoyr)|fypeod|j(obuaw|e(piyq|siam|lodi)|uebka|y(adpi|oxri)|a(heuw|kony|zofy))|k(orate|yadeh|uaxge)|q(iatwo|o(yxab|akpi)|aotfy|ewano|ywauf)|mgnode|p(oxyid|a(liky|ugli))|u(ulnta|zhejw)|d(isuan|owear)|n(panel|ie(gox|cyb)|agyve|e(igta|jayf)|yxode)|w(i(ekza|pyje)|a(gily|unom)|uveoc|yhuda)|r(aqicu|e(igma|xaym)|i(leto|umjo))|sepihy|v(eigyr|obudy|uxiaq)|x(o(hiyr|uwes|zure)|uzywe)|za(heis|ywur))|777-zlo|p(hotics|ilo(fly|noc)|y(wudar|zuhme)|ay-day|rivet(1|2|3)|o(zemle|bedim)|bjc315|mma888|pmatee)|z(y(fx987|dfaqe)|ivuzjp)|39sys39|8(88b123|000msn)|0739ktv|2(1sys21|2sys22|3sys23))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637338; rev:9;)
# sid 2637339 includes 337 (0 - 337) 8 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.cn)"; content:"|08|";content:"|02|cn|00|";nocase;within: 11;pcre: "/(c(o(nexnet|unnter|qhecup|olgifs)|h(ani990|inchoi)|a(kpapaz|zkafuq|rtbank)|ra(wlnet|bcity)|eewe3w2|xim-way|qodezuz|verutuz|c(9jhdsa|ikudor)|ncn88cn|fssixsn)|d(e(renfop|t(guide|empsr))|jspdsie|dddxxx2|4rkst4r|a(rkslim|sda11d|xia123|2ud5ed|ytrnds)|fdfg443|212dddw|o(flolab|zvonic|tvst37)|sade332|zuqiqaz|kles2jc|rghzeap)|q(qqeeeww|icdator)|b(aidusib|enyodil|i(kpakoc|zuklux)|o(lewamg|tnetuk)|r(onotak|endbar)|l(endbet|iyonoc)|bwgroup|jbotnet|sidiket|c(obanut|ugusot)|d(ekowip|onilix)|ubibaba)|y(a(vlarag|h00520|wxowaj)|esandns|vuxksuk)|z(ogmirow|wwderff|a(naga21|potec2)|vonesrv)|h(a(yboxiw|rflash)|e(yxadax|zuo818)|ifgejig|otxasib|ugebest|yedafox|zone666)|k(g(hytghu|apofef)|i(skecaq|llmayi|ruassu)|o(vsutap|qsuyod)|kjjuuii|vumurij|sakksik|p(axikey|izuyuw)|e(ule557|holope)|zayopoq|cczsuzh|wgqkqxn|limskoe|fgrtjer)|m(i(ss(5082|6298)|x(bunch|wager)|troger|ndwork)|e(ng3130|gobill)|a(kefred|gictin|er2008|altsxg)|gekohii|o(rning1|molele)|ychina1|molords|2121212|3131313)|s(e(xbases|hmadac|rvpipe|nrofay|yzones)|i(spewtr|l(zefos|ence7)|pcojeq)|ojjokas|hiko181|t(kgroop|ock888|at2you)|yukadig|we(etfay|dpank)|-domain)|r(a(lcofic|in-man)|uanle88|i(fnasax|dmabed)|o(xmiced|gkadej)|fvv0080|e(ycross|alboss|gtimer)|xumohas|yvigyys)|i(d(fixhim|lkhhcx)|i(dwhxdf|i(dhwwf|mlfex|yhggd)|wwexpd|x(dfhhj|hhwmc))|wwmkkdi|l(iketay|licium)|n(-t-h-e|fosrep|kqoevl)|ooiiooi|zhdjcsu)|t(o(zxiqud|p-name|ringgo|nugood)|ukhemaj|e(yrebuf|amwows)|ix(leloc|wagoq)|aolu163|qeetazx)|8465432(1|3)|x(i(lleixf|aonice|dsasuc)|zcjiiyw|-system)|n(t(krnlpa|vftguu)|i(cdaheb|glonic)|akvgyuy|e(hyzimo|wjijin)|direkoc|vujinaw|fovidab|leq
ucic|c(ccnnnc|sxfmzp)|olohing|jfarson)|p(e(skufex|renils)|a(ksusic|ylayos)|o(pyodiw|bedaim|dzemje)|r(o(duct(8|9)|xy5my)|adsuyz)|laloorz|gcnbgkk|kpen118)|l(i(tebest|mon4(ik|ek))|otwager|ubaluba|a(fikhex|lalaaa)|evasycu|sggdniu|ytea365)|w(o(rk(sean|fuse)|olcart)|fwwlleo|e(zdujur|-group)|uhwasum|itsibux|wwzapas)|g(ukgifoc|jjiigds|xfyytog|counter|o(og(ghle|lee(1|2|3|4|5|7|8|9))|kzlykr|ldlave|tworse)|ssmedia|a(teshis|mecp12)|wsdwxae|idrasil)|1256hrom|v(avgurac|ilihood|exokope|ciqupoj|otedout)|u(se(-sena|a51la)|u5656uu|yerfbvo)|j(ijiiger|avastat|rizoxom|u(ha8uta|stin1(0|1|2|3|4|5)|lia777))|o(kijihyg|nivgope|gurchik)|a(d(ul8tra|spromo)|l(ifuqin|waysky|alask(1|2|3))|ei(a(csno|ps(ds|n(o|s|y))|wsn(o|r))|c(afde|sipd)|dresa|e(jipd|xi(pd|xd))|j(ck(lo|ro)|nklo)|ky(cjx|e(a(c|x)|jx))|mxpfg|nared|oiuyc|p(ocau|yhku)|s(cwom|ewom|vwom)|v(efci|gchi))|zs10000|vandos8|ntib(oss|alk)|rufeudv|xaldjqt)|f(ixerman|orexsec|ynimytu|dasfadf|ewwe322|guyamoz|reedom3|zegarox|qfmyvii)|2wdqwdqw|66yttrre|9(owe2211|2shaiya|8love98)|7(oydomen|77yo777)|e(baytips|rgemhzx)|51backup)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637339; rev:9;) # sid 2637340 includes 207 (0 - 207) 9 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.cn)"; content:"|09|";content:"|02|cn|00|";nocase;within: 12;pcre: 
"/(o(r(entraff|derasia)|pm-group|ntraffic|uyayijia)|h(y(nno8744|drateam)|o(t(t-rodd|-table)|stingmd|myak777)|ulasoftz|i(rovecul|tinform))|b(o(tconnet|r(oda888|dertop)|o(bsgirl|kheads))|l(4ckst4r|uesky01|ackboyz)|rrtydwsw|i(gbargin|chalina|zbrobiz)|arginday|xmbaqqd9|bcadmins|zbattery|11335599)|m(a(shrooms|dalwayz|niyakat)|i(xigroup|crosotf|r2games)|y(phpsoft|-oyster|avidity)|e(rielied|dia19(50|60|80)|ssmate2)|uzzon837|4n3x7d4y|onocline|moworlds)|s(dhdfhtyf|hould-be|e(clabnet|amodern|rv(icedm|ersen))|o(rwwwros|cks-vpn|filoren)|untravet|p(acefunk|ort-lab)|ashahost|mallteam|vhostbiz|ymyho331|lepfrend)|d(g(meifeng|fdffdfs)|a(sd11vgz|llynews)|dddxxx1(2|3|4|5)|i(rectmfs|klinodr)|umpscard|jbormand|92378523)|n(a(meashop|ilimpro)|enastiya|ovatoriz|bazhibo5|inerland|mhairong)|t(rustgame|urokgame|h(e(lotbet|mixbet|b(atnet|igben)|trypto)|r(eeways|ownout))|i(nrussia|ssot333)|ech2tech|dsviewer|o(lzcoolz|olskeys|pspeeds))|a(bdulabah|ntipirat|stro-boy|va-group|llowjobs|djamadja)|l(etomerin|itefront|a(b-sport|vandos8)|untaifxc)|w(o(xiaohei|rkforex)|r323e2e2|e(sssrett|eklytop)|ashedout)|y(utergfrg|eartiger)|k(evin-jok|kkooo888|amunyugi)|qqc2009qq|r(efugepro|o(om4info|n(plesco|nytail|gxindj))|ichalina|avelotti|t-online)|0(083vorit|595fushi)|p(a(laceyou|ra-para)|ro(xyrent|100biz)|o(sledniy|pupserf)|i(cshomer|ng(anhao|heyou)))|xuyxuyxuy|f(inditbig|o(r(nistan|exbids)|xy10000)|airydata|ree0game)|123aaddzz|888admins|999admins|c(o(rpamata|ol(facts|belts)|sovowar)|hartseye|cfsdee32|dew32dsw|asinousa|yberfair|iscofans|36996639|58446658)|e(wqdqwd32|mbrari-(1|2)|verystat|ditedout)|765admins|g(r(oupbang|eenhead)|o(5reborn|gotraff|o(glee1(0|1|2|3|4|5)|d-week)|ld(brick|enmac)|rodsnov|tmerged)|vod-down|idromash|e(royvoin|tdasoft)|uotao518|ae1hasdf)|v(ertusale|anni-van|kontalte|olosanka)|6gerere3e|i(magehut(5|3|4)|nbizness)|u(nistasta|ffertyew)|jsguangji|zimzikjun|3chailave)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637340; rev:9;) # sid 2637341 includes 3 (0 - 3) 7 
character domains in the ".co" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.co)"; content:"|07|";content:"|02|co|00|";nocase;within: 10;pcre: "/milki1(a|i|l)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637341; rev:9;) # sid 2637342 includes 600 (0 - 600) 10 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.com)"; content:"|0a|";content:"|03|com|00|";nocase;within: 13;pcre: "/(m(a(lware(bot|nix)|c(-videos|romedla)|x(el-vuds|domzhit)|gespages)|i(ndofitus|osmsc(lub|hat)|ddellton|porekilu)|y(s(elfhere|pyguard|tarnet2)|-xmovies|best-xxx|top-porn|10000000)|e(ga(tourus|runner)|dic(hobot|myths)|modreydi|tabb-new|rcuryepm)|u(rka-best|nobatuno)|o(ney(medal|infom)|bsonline)|p3-hunter|s(-antispy|rvtpp10(2|3))|vdhiraagu|btransfer)|p(o(pswatter|r(ntub(e4u|xxx)|t(alpics|orate8))|s-kupang|wermaxxx|avlonini|elzmdayl)|e(tcabtaxi|rsonal08)|c(s(peed-up|ec(assal|uslnk)|cout(inc|lab))|fsupport)|i(nigeliai|fesecond|pisechka)|pcmachine|a(r(sington|a(dis(ios|enj)|m-pram))|sbirrada|ymentgen)|r(o(-voting|m(odelia|ed-net))|ikulamud|amoditya)|l(easagain|cscanner)|udurustur|hotoarana|jmtrading)|s(topingspy|wfutility|g(9scanner|-mistral)|p(wfighter|igotinch|yremover|ellaudit)|u(ckitnow1|per(tvist|0tube))|a(wt-gharb|fewebway|lescamss|nosansar)|vertochka|y(ncupdate|s(report(1|2)|defence))|m(s(clubnet|diretto|pianeta|inlinea)|l-market)|h(aimokale|ontecltd)|fdjmljfep|i(skimoney|licatinc|mulogics|ck-frost|tepalace)|e(archopt7|cure-(gov|me0))|lot-sluts|oftdialog|niozeanvo|can(myzone|netinc|-now24)|kinswhoot|zickfrost|jfdhw395t)|f(lwcoupler|i(lefixpro|rex-labz)|o(r(merlyus|ester66)|xionserl|undguide|lcon-mex)|g(ckeqvvif|ihijmuno)|a(stbrakes|rishtech)|r(ee-xtube|antsuzik)|doublenuk|4n3upyhqj|enghuashi|uturama4u)|h(o(stw(aydcs|ebdns)|me(-intra|av2010)|wareubro|t(xxxtubz|modders|dot2561)|-fashion)|i(euds
jvif|-my-tube|ldjxdves|ccanaght|bernawar|ypfisetn|pspeople|qxjxjtwe)|a(r(ararara|lingens)|shmaking)|d-youporn|q-watches|entaiarmy)|t(r(a(soregon|f(driver|fchela)|k-kreck)|u(countme|steepay)|ojanread|everthis)|e(rrorfear|kiomklos|bdigasbi|am(clouds|erblog)|ch44tech|stbrazer)|yp(yxiolix|ewordxs)|u(be(loyaln|ontvgl)|dorplace|ruwiando|hytalerf)|o(jandglow|p(exesite|billpay)|ysexviet|fu-china)|h(at0world|e(usdrugs|exefile|greatav|bfdshop|pinflow|scandan)|wovretgi)|w(ittercut|9qye1vpw)|vtesttube|fsahnrnvn|aiabrazil|inytubetv)|a(f(ubwbmsce|9f440dcc|flvwetib)|a(gnfdjkgn|idu-6661|qkweoslz)|b(i(tsystem|movdxes)|kzfdilko|jodvsves|tjsgsves|sbillnow|cuylyetn)|g(reeslick|i(xtudkco|lity-ml))|s(ionigolo|mmnation|sayindia)|t(tmyjoker|ubesgirl|iboolkss)|c(ceptslim|plugibgo)|u(gustbody|thorbody|dio-cafe|b-online)|d(imsceibh|ware(feed|gold))|e(ardyrvgt|iconseil)|hylezyiof|nt(spy2008|ivirus(k|j|m|n))|v(pro-labs|-(scan-64|p(ayment|ro2010))|checknow|i(rus(2010|scan)|dentify))|l(-harthia|l-in-exe|etcenter|penkeyss)|r(martshop|t4ukorea)|-ha-group|mazingedu)|e(x(tra(brake|spray)|e-(cosmos|direct))|r(rorstool|2(1012009|0090515))|safetyweb|f(hgdupxes|scgfgves)|urocurrex|c(seonline|oolwatch)|n(dr888999|terinput)|gnegvufvu|koarts-sd)|d(e(inglaube|uagjyvif|signmono|fenderav|ngyan520|kdovbrnu)|o(wnloadv3|ublenuks|nccapone)|ri(nkapola|edshoes)|irtywhore|jstevyvee|ns-lookup|lpersgd09|arkpieces|scexpress|btgkayczo|fahjjijqn|gfhztllhm|hkgpylwrl)|1(1(4central|65651291)|000league|tomohappy)|b(a(idu-6661|nkitrade|ckup20(09|10)|lloonbow)|e(adcareer|rusimcom|st(scanpc|mikeus)|npao2020|t-portal)|o(arddiary|lelshiko|nuscashh)|r(ommercon|ain-cash|i(cezfunz|gada-mx))|l(ack(porn1|chimp)|endament|itzbeatz)|i(dstrafen|llmenowx)|uysoftoem|cplcwytwe)|c(a(tjepzcft|bkyykbbg|r(olzfunz|eyzfunz)|s(ghnamia|hnzamia))|b(fkzhtyik|bugltjud)|c(ytvpbsdg|mguyldmn)|d(pvaqnlod|ouidmvif|qn(edvves|ydpves)|dcrjuwwz)|e(zqtessjo|cilzfunz|rtljzigo|ment-bag)|f(siqejclo|agzbnyzx)|g(ymwmlcaa|bzoqoixz|hokaqugr)|h(yaicpvxo|orussoft|eesesoft
|argefish)|s(teenhoff|shippers)|licktolog|3uconnect|u(antosexo|turanger)|o(inheaven|ol(count1|tube4u)|untymove)|krack-lab)|i(s(pscenter|ettatech|-antispy|suenews1)|n(t(riangle|erepass)|etavirus|boxme555|novavids|spectsun)|j(lfhysxes|hagtvves|mkkyjves|nphysght)|c(d-fibres|qsystemc)|phonefull|directwww|9mr9u6i35|mages-dns|talianmec)|n(e(t(citycab|medtest|telplus)|w(fileexe|-plugin|esafety))|uclear777|o(rtel2010|tproblem)|nfoehfeff)|g(o(s(can(e(ver|ase)|f(use|ine|lex)|only|s(l(ot|im)|tep|ole)|h(ard|igh)|m(ind|ute)|p(ort|ark|ick)|d(ata|oer)|auto|rich|iron|back|l(ook|ike)|t(une|ech|rio)|code|keep|neat|xtra)|idescan|tarscan|o(onscan|lescan)|limscan|alerbas)|m(aldef09|utescan)|hardscan|d(atascan|oerscan|trafmar)|l(itescan|ookscan)|o(nlyscan|gle-cdn|dhao168)|workscan|autoscan|f(inescan|lexscan|atescan)|richscan|ironscan|backscan|p(arkscan|ickscan)|t(unescan|rioscan)|ea(chscan|sescan)|n(eatscan|amescan)|xtrascan|-scan00(1|3|6))|e(tpcguard|n(ie-hkfc|eral(-av|avs)|-av-pay))|a(me(paslog|zprumz)|ymeeting)|h(npacgvif|abimdves|uqihsves|plzwgtwe|edlfvuno|tsxuguno)|mail-pop3|re(tdinner|atcrypt))|k(e(nedysite|rleymira)|a(r(diotele|mandala)|dingames|npurmart)|nifes4you|ruptorums|fredukilo|icks-shop)|j(eepworker|a(gfiuyvif|hanradio|vascrlpt)|ornaloeco|remubacom|kgarments|ikoladrem|u(ixefresh|mbotubes|stinnew(4|5|6|1|2|3|7|8|9)))|v(i(ewworldx|sitcouns|perteens|v(alatube|ilhavin)|rcheckpc)|renutredo|olkanboya|a(seacubmw|luescana)|lachosoft|elocityps)|l(a(st(co(untc|done)|-visit)|fastfind|bsmedcom|rgextube)|i(nkcanpro|veiframe)|o(shadinet|wrysigns))|344session|8(345server|8code-tcp)|r(a(mpartech|velbabel)|e(opsakwww|coveryer|ychohica|port-cnn|astunolk|sbuszone)|undaqimao|julythree|idebullet)|y(ou(r(length|avplus)|thwonju|video(ss|zz))|co-nature|kdju27be4)|4(3553panel|8rdirjava|-computer)|w(i(n(5millon|ishield|s(-guard|regfix)|-scan0(2|5|7|9))|ldmansai)|ww-images|e(althleaf|b(antispy|biztest|taxfree))|antfinest|hite-test|n(20090504|ames1404)|op(timizer|ayments)|-optimize)|xretrotube|0(87co
ntrol|118099987|pcscanner)|6(54control|4tianwang)|o(rferhuijj|n(ames0603|ejob4you|line(2168|-cnn)|yxmovers)|light-usa|ptimumorg)|q(qcfwaigua|uickolink)|z(e(mtewrwww|rowestor)|1-scanner|guarddata)|2(2pixelbox|high-five)|5824125537|9049629062)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637342; rev:9;)
# sid 2637343 includes 28 (601 - 629) 10 character domains in the ".com" top level domain
# Overflow rule for the 10-character ".com" list: sid 2637342 holds entries 0 - 600 and uses
# the same msg text, the same two content matches and the same "within: 13", so an alert from
# either sid reads "SPYWARE-DNS DNS lookup 10 chars (.com)" and does not name the domain.
# Triage therefore needs the queried name from the captured packet, not from the alert.
# The pcre carries no anchor and no R (relative) modifier, so it is not tied to the position
# of the |0a| / |03|com|00| content matches; any of the 28 strings anywhere in the payload
# satisfies it once both contents have matched.
# content:"|0a|" is a single byte with no offset or depth, so it matches any 0x0a in the payload.
# Scope: only UDP queries sent to $DNS_SERVERS port 53 by hosts outside $SMTP_SERVERS and
# $DNS_SERVERS are inspected by this rule.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.com)"; content:"|0a|";content:"|03|com|00|";nocase;within: 13;pcre: "/(fireasseye|o(duvanchic|rder-info)|s(e(curepcav|rverdrom)|canvirtek|lovestond)|windef2010|b(r(evard-fl|ozsearch)|a(siscause|rterbing))|d(ixon-link|omen-2010)|av-(command|protect)|evertrands|l(maoimages|onvirtuel)|nbsolution|plainjapan|redriveruk|yswzrjkpsp|maxcardinc|t(odayileft|radeyainc)|curlicious|goldmaniac)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637343; rev:9;)
# sid 2637344 includes 575 (0 - 575) 11 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.com)"; content:"|0b|";content:"|03|com|00|";nocase;within: 14;pcre: 
"/(g(e(t(-(torrent|secure2)|allstats|hotgames|pcmovies)|fjcrpgtwe)|o(l(d(pcguard|-es-net)|f-dieppe)|ogle(-cdma|v2010))|lobe(rstube|xtubes)|ra(ndchasse|bmymotor)|a(smaskbong|nscompany|btibbgtwe|ravangzik)|uredatizer|-antivirus|hy65hjghjg|vbsoftware)|z(xcsolution|afiraworld|erocleaner|tgsoftware|guard-data)|m(i(c(rosof(tmg|ftt)|yberclub)|osmsworld|lantrezur)|urom-hotel|shomegroup|o(refreesms|ntagnasrl|ugoalivee|bi-sripts|v(ereports|iesforpc))|a(l(-waredoc|ware(-url|take))|gicpincer|teoarriba|rkokaldur)|gjmnfgbdfb|y(bigportal|sex-adult|wh(oisinfo|itecoat)|-(exe-(work|load)|xxl-tube|tube-dot)|compinfo3|zoneguard|mobiguard|pspcenter)|redkizerut|e(traiciono|vsimevsim)|jisuvrmthr)|t(h(e(installs|mazdacar|s(exybaby|oftbill)|geekdude|handygal|wifihack|cooltube|tubeamps|drugstor)|re(atnuker|eserver))|e(enchickas|st(avrdown|sitesam)|chnewdata)|r(a(c(kppcroi|eslayer)|lalzlocc|velsigna)|unkilopas|iplexfund)|ubes(-xhost|itemap)|o(p(-pornnet|external|defence2)|roplistyn|day(-scan(4|n)|savess))|weetwitter|iffanynoel|tt20091124|atuajeblog|fgsrdttuno)|f(r(e(e(-(spybot|pc-fix)|webtown|tvnews2|av-scan)|shstats1|dekulipo)|b-network)|l(wsolution|ickr-foto|ash-codec)|i(l(movifree|edeepsea)|reholiday|esta-porn)|a(stpcscan3|tburnsite)|gddfgdgdfg|pappalardo|u(t763jrs4l|ntixfreak)|eidingding|orhappysex)|x(p(antivirus|enprotect|ointenemy)|indalawyer|xxbestvids)|s(g(12scanner|viralscan)|p(w-fighter|yware(stop|-out)|guard2008|lash-kids)|i(ngharmony|mplexdoom|tevillain|cha-linna)|c(re(enalias|amstore|msghell)|an(mequick|nerscan|-for-pc)|djnlsdncs)|e(lectusers|curerealy|orakhoney|xygallets|venstars7)|t(a(t(cluster|s-track)|rtexcite|llvars-1)|reet-info|op(spaming|-medias))|o(ft(ware(two|jar)|hotspot|soldier|veteran|barrier)|ma-4-sale)|vazkusavip|h(are-paint|oesarmend)|a(vesoldier|fefighter|lamangzan)|u(mmertoday|ccess-biz|ngminship)|ky-trading|qlinfotech|ystemcodec|mart-shake|beqpirscun)|v(i(de(0portal|oguidez)|r(tualesms|ushooker)|zabelarus|pbuyguide|ewnowfast|cerexshop|n(foonline|efirebot))|scode
c-pro|e(gas-vixen|selovrail)|undofixpro|ooiwuuei-2|redrikupop|jxzzqobsyz|aluecardaz)|a(n(ti(v(ir(usup|prof|apro|file)|aresys)|spylist|webcorp)|gle-meter|alexpired)|g(ainstfear|o(liopaner|nlinepro))|b(out(mmgftf|revers)|nc-portal|ckillapop)|d(ware-20(09|10)|eliouotre)|c(ulcoradio|asoftware|d(bxybadve|ls(mladve|vladve)))|l(l(-in-tube|songlife)|soenglish|andalusco|ionerkilo|fanethost)|v(agent-pro|i(r(protect|us-2010)|irusplus)|cheker123|-(pro-2010|scanhere))|r(ioconsult|tschwartz)|p(p(airplane|lea(board|c(ross|tual)))|cdefender)|-virus2010|fsharteam1|s(ianmednet|pstone-co)|evalidform|xbprojects|quawebhost|tthisstage|wesome-dvd|abtiktadve)|d(a(chengkeji|sretokfin|rk-cherep|neshvaran)|i(rect-conv|etcoaches)|o(wnload(flx|avr|src)|tbestshop|minchikis)|e(alsforfun|saqurtung|dicalsels)|vd(protools|xpremium)|bcavsaddve|de(hkyhddve|wphwddve)|ffmjefhfyf)|n(a(ranjasdor|kjimadang)|i(kolaevere|ce(video(44|15)|newtube))|ua20090515|o(virusonpc|scriptnew|w-scan-pc)|e(w(hyipsite|s(cnn2009|oft(core|spot))|esupport)|tcaraudit|imantrick)|ysoftstore|hjayubnuno|fgnmxonuno)|1(-renus2008|024service)|3(45(24online|43online)|gsoftstore)|4(35(34online|79online)|thfirework)|87(976online|3hgf7xx60)|b(e(st(usablog|-(xxxnet|scanpc)|f(ileexe|lvdata)|tubetop|pmgroup)|tivervega|-secured2|lgovision)|l(o(g(ginhell|cubarfe|snstuff)|ckkeeper)|ack(holeme|melisa))|gbtorlopos|a(nner(ads08|09092)|dwetgirls|se(payment|billing)|ck-n-line|jwa786inc)|i(g-pornnet|ngo-babes|ll(-it-now|myccnow|softpay)|rdystudio|tterlicks)|urnandfire|rianazfunz|o(o(mexesite|stpcsite)|dyscanfit)|haratwaves)|e(x(tendedman|e(-(2009-ok|profile)|filedata|loadsite)|p(otech-bg|ertbucks)|changenew)|u(rolinvest|trans-ltd)|pochcoffee|videofreak|rt(ub(edewse|redong)|hjuyt44u)|waxertulio|asynettest|l(xolionave|enailyina)|mrahkeskin|icyxtaecun|fgjhtieuno)|r(o(tateonads|cklamanna)|e(move-a360|porting32|aderszone|quiretake|liable007|gfixguide)|alfscelebs|u(ssnovosti|nningguru)|dafervacex|yanscarter|tmpornlink)|l(o(yal(down(09|99)|tube10|videoz)|gi
ca-tech)|i(ve(-player|pcguard)|lywhipple|onglervoa|meakfjskt)|a(youtscene|stexesite)|u(ckystats1|vyadating)|e(go-fabrik|onfamilia)|bckqbkldve)|w(i(n(pcdown(09|99)|bluesoft|rar-2008)|ldbunchsc)|e(love(sandi|tweet)|b(s(houlder|chemist|pyguard|ecure32)|hosttest|p(cdoctor|ages-it)|-(scan006|euro-it))|s(ecurepcs|st-netts)|tt-profis)|rightcount|ww(worldweb|medpills|-myphoto)|o(aini23456|rld(bestav|ofcole)|w(games168|-systers))|a(re(network|zaccess)|tzthebuzz)|vgoldwings)|7(657control|msdavtraff)|9845account|c(o(decvistaz|o(lvideoss|mmfoorum)|antivirus|untsafe-c)|h(e(mistsmed|elumtech)|adandkimi|lenopopik)|a(mposceola|shspyware|rmenzfunz|p(tchastop|ital2009)|nprotools)|e(driczfunz|ptalavera)|it(i-unlock|ygateinc)|l(oserprups|ick(googlo|-poisk))|gigfahccun|ddvdwriter)|y(ou(r(barrier|tubetop|remover)|goingnow)|esfreescan|uki-takase|buruvaeqcv)|i(persmstext|cedenarena|m(agescolor|justbored)|n(etantivir|kjetkarts|t(aly-tour|egrastor)|lakehouse)|s(-the-boss|oftwaretv)|dofrosting|t(orkalione|vdownload)|-pspaccess|ipghhbnarh)|p(o(r(notubxxx|tal-help)|pupsystem|olballset|lycounter)|c(guardscan|bossguard|-safe2009|ecologist|liveguard|protectar|securenet)|p(croitrack|slaterent)|eople-rank|r(o(linesoft|stodomen|bestclub)|idesoccer)|honesquare|a(ckage(ball|time)|rchezvous)|i(c(recovery|tswizard)|xels-prod|npinpongs|anw(inpdve|xnpdve))|lugininput|decaxcpdve|fg(tihtpdve|eeeepdve)|uddxvixrro)|k(o(ddavinchi|lordat482)|asonkertub|i(cks-stock|ll-virus(a|e|b|c|d)|ngkapadia)|vantvertop)|h(o(t(-xmovies|e(lsaadet|xefiles))|me(-av2010|sitetoo))|i(devideozz|malonline)|qpcscanner|exexeterra|undenhuete|ydraumatec)|q(werty-soft|uierosalud|c(fhgajqcun|dvnhvqdve)|abtihtqdve|jiwptwqdve)|o(r(der-forms|etoderfat)|calabounce|nlygirlstv|vuioipolak|s(aertugern|guard-pro)|pm-groupli|ldman-game|wndefender|ulimelsisi)|j(a(viercubel|mfzuyqyra)|u(lionermon|icypalace|st(innew(1(0|1|2|6|7|8|3|4|5|9)|2(0|1))|proud2b))|baagpepjvc|cdcwxbjthr|efshosjdve)|u(prtrishest|tionakertu|sa(news2009|bodyscan)|ltimaguard|efnwtnu
dve|bcvesuuthr)|5euroshirts|0day33hours)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637344; rev:9;) # sid 2637345 includes 599 (0 - 599) 12 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.com)"; content:"|0c|";content:"|03|com|00|";nocase;within: 15;pcre: "/(s(ys(procedure|tem(-guard|mguard)|adscanner|defenders)|p(y(defenders|-shredder|ware(cease|scani|-list))|hericalart)|e(r(tuddh33jf|v(ersafety|ingmydns))|cur(e(taxexe|myzone|keeper)|ityztop)|xgirlsteen)|a(feyouthnet|m(jinenginc|ed-resort|bapanashe|andgostar))|o(ft(update09|-(traffic|process)|s(ellfast|afeness)|centrics|infosite|wareanti|forwin25)|jogosfotos)|t(atxservice|yle-boards|op-virus-(4|6))|h(ock--world|a(nghaisisa|reazasite)|reejeebaba|eenalarsen)|uper(xxxporn|tubetop)|i(gnupsystem|roamorello)|can(toolsite|-4-clean|web-zone|mylaptop|ner(-free|spy02)|lifelive)|neakers-buy|kybluephoto|martdnshost)|e(r(rorsweeper|iclapointe|tunagertos|emovemondo)|pisodemetal|x(pert-mails|e(netsfiles|-(xxx-file|file-xxx)|freefiles))|asy(cash2all|launcher)|stoesespana|lektro-boss|c-sportsweb|warningsite|mo-lesbians)|r(e(mov(al-tool|e-av360)|g(antivirus|istrywell)|diropencom|a(d(ing-ease|headsweb|webworld)|ltybestus)|fresh-news)|unpcscannow|aymonddelon|i(ghtsafeway|ttaklassik)|obertomoran)|c(h(erishpoems|risbecfiis|widiglkiad)|r(iticalcool|keys4cheap|azybunchsc)|entral-scan|a(vle-online|meronzfunz|sino7films|rrollzfunz|n(nabisbeer|dyshop451)|pthcabreak|thrynzfunz)|yber(watches|-scan(-(2|1)|0(8|9)))|nnnewspoint|bfreemarket|i(asoftwares|duninstall)|pattwinterp|o(pyrite2009|mpany-euro)|lanscissors|fpjjcjvujsg|gnmydalqgsm)|a(n(t(i(spy(li(nks|sta)|store)|terroris|awarepro|vir(-soft|us-nt)|-glam0ur|plus2010)|yspygoods)|al(iticstat|rapesite)|imalsextoy|obalukager)|d(dantivirus|w(are(-clean|pronow)|restelnin)|-warealert|vancebases)|l(l(to(itworld|ponline)|metalnews|-exe-here|radiohits|vermarket)|izafashi
on|kbbs-files|tmachtjung|ertonabert)|t(lanticbody|temptright)|iongamemeca|-(searchbest|virus-2010)|v(scanonline|ir(guardian|us-pro21)|-(scan-2009|plus-2009|check-now)|ailablewww|r-download|checker123)|plusmatting|ware(protect|remover)|c(tive-trend|hepizzeria)|g(odaynsbert|ribasal-me)|r(osakilomen|caderesort)|f(edovascevo|kcgicyxcri)|sso-erasmus|u(ditcashing|tobestpack)|eomailer02(3|8)|a(smartmoney|kriticraft)|j(xpeehuvpcv|s(bdicijbps|fiheuvffa))|zisugftqguq)|b(u(ymazdacars|mbiz543112|hervadoska)|e(st(lifeblog|ha(ndycap|rdporn)|-(xmovies|scan-pc|pcguard)|a(vkeeper|lltools)|tube(tech|scan))|protected(9|8)|tgrandslam)|i(t(coreguard|ardhqpaid|laadutlcy)|yiagigfiyy)|l(ackpornmix|endcolours|ockscanner|ueartscube)|a(dxxxchicks|sta(project|kigroup)|byprintart|rter(bureau|genius))|r(u(noramalho|tapukamuk)|iannazfunz|clscounter|ands-(house|s(ales|tock)))|glhqjakihvy)|m(a(zdacarclub|in(15052009|davinchi)|lwar(e(-s(afe|top)|b(tyes|ypes))|detect)|successguy|rijuana(art|use)|maboomboom|gicrevenue)|e(rcadolibro|morysavior|d(iamagnats|netsafety|linepills)|ga(cryptnew|scannera|loadfile|-counter)|zdunar3net)|y(s(uperviser|oft-forum|idesearch|ecretinfo)|-tube-zone|newhostinc|best-adult|compinfo(17|23)|zonesecure|f(oundryart|irstguide))|cdonaldsuck|o(r(etraffcom|tisonline)|vie4thjuly|linasdeals)|s(-asreport1|topantivir)|uch-in-love)|w(or(k(homegold|lifedata)|ld(gymperu|bestpay))|eb(-montagne|pcprotect|s(pydetect|afetybox)|medpills5|billcheck)|unabarakati|i(ldbunchwtf|n(scanner(1(1|6|3|8)|01)|-antispy(2|a)|guardsite|xp7server|ter-smile))|a(ter4health|zprlhzhfvg)|hitejewells)|y(o(ur(mazdacar|p(harmweb|cshield)|c(rackkey|hecksun)|drugsweb|gunparts|enterain)|komagazine|garamatgan)|vaxtdzhbldc)|h(o(t(linkfiles|testfiles|-exe-(area|load)|musicfast)|st(indianet|z-150909)|me(-av-2010|madebong)|ldembloger|wtosecurea)|a(ppycoinbox|r(boroflove|dexeworld))|uladopkaert|q-tube-porn|jgcx7xhjsl4|wqckfphkhyi)|o(p(en21012009|hyemaweito)|nline(detect|scanxp)|dogdisconts|vkanubergan|megaantivir|k(avanubar
es|to-systems)|s(caviolaner|-guard2010)|rigenalwebs|ttawabarter)|d(i(r(tysellers|ectitfast)|a(-software|mondfever)|no-war1722|trnbibarsp)|e(c-software|bonairblog|n-payments)|ramaserials|fdsfdsfcdsc|o(w(n(softkeys|loadavr(3|2|5|4|6|7|9|8))|inscanpcs)|ctoradware)|uremaderunb|ata(maxstore|historys)|2lifeonline|glbahamassc)|f(i(leuploader|nd(morepill|lostcats)|rst-update|xerrorsoon)|r(ee(colorsms|servesms|warehome|exefiles|-checkpc)|iend(slinks|finder))|o(olmountain|r(uminspace|-sunny-se))|l(ashdollars|oweragents)|e(rnudarogal|ver98radio|astfashion)|as(urinoking|ttracklab)|dscompany4u)|p(a(y(virusmelt|foryounow|cyberbill)|ferbasedos|n(oramapics|therpicso))|i(ngpinghost|petubesite)|harm-on-net|r(imosmsfree|estotuneup|o(je-market|vidensdue|warezsite|filex-usa|tect(-pc(a1|r1|t1|u1)|xyour)))|n(m-software|p2bizforum)|u(ckettphoto|rplehoodie)|o(rn(otube91(2|4|5)|-xmovies|tube(hunt|2000))|ke(r24seven|herstars)|odlesandco|tvaporizer)|c(s(ecurity09|afety2009)|-scanner16|cleantotal|doctor2010)|ebernufeska|l(ugidentity|aythisfuck)|dgsoftstore)|v(i(rus(meltpro|crusher|-pcscan)|deo(fx4you1|4thjuly|lifezzz))|undofixtool|s-codec-pro|ectorplugin|alleybarter)|k(enedydirect|o(ha0kohaweb|stinporest)|athichesnut|scengineers|-softportal|iano-180809|ronosagency)|t(r(a(ff-direct|ckingload|deservise)|u(count300(0|1|2|5)|st(warrior|soldier))|o(banionads|janscan0(4|8)))|o(chtonenado|p-(scanner(2|9)|defencey))|h(e(bl(ueyydns|oodpack)|spamblock|grouttube|netdetect|idealtool|feedwater|realmckoy)|c(extractor|vaporizer))|u(b(e(z-boobez|-2009-on|s-portal)|anerdavaf)|rbo-profit)|dngroupsltd|i(ondapulkat|mezscanner|ssuespritz)|ahulavumbak|ertunavogav|vartsonline|munvictoria)|j(a(panhostnet|zz-brewery)|enesaisrien|obfinder911|h(sbvd67fdkj|vds786dsmg)|nsassociate)|82siddefault|n(u(ovosmsclub|liborkawer)|e(w(-exe-area|tunesclub)|tbios-wait)|a(s(carbrasil|hi-babki2)|noscanner3)|s-free-acc(7|6)|refadoskfer|o(liporedtre|s(atorabumb|ssasfotos)|malwarelab)|mtechmarket|icovideojps|yqoxifkvxga)|g(u(ard(lab2009|do
g2009|syszone|zonesys)|rru-turru(1|2)|lfunionbnk)|o(ld(gertdsdf|en-photo)|o(g(le(active|-(rnail|space))|ie-stats)|d(sovclass|-spyware))|spel-force|gle-analiz)|itchigaming|e(rtrudo8ddd|t-(acnefree|freescan)|nantivirus)|re(at(tubeamp|inspect|punnett|webarts)|en-av-pr(o|e))|lobalscanme|hostsection|alodankeyss)|x(tube-xmovie|virusdescan|m(ovies-host|as-carols2)|cuilofertun|lgjewczfjqx)|4(gameranking|malwarescan)|i(n(f(idelirium|odrugsnet)|stall(scash|money)|et(gateway1|6scanner)|puttaiment)|mageempires|spspartners|hateyoujess|gt-groupinc|celkumbasar|t-financess)|u(p(date-flash|r200908013)|n(eekhosting|ix-service)|cynopalexyt|iskduiretog|lt(rapc-scan|manheroes)|hajokalesko)|1(secure-test|-(antspy2008|myspyguard)|mytotalscan|year2months|00brandtoys)|l(o(se-control|ve(letter24|bluecard)|wexeonline|cationlite|bzik398809|adpartners)|a(va-antispy|stsecurity|iserattack)|e(t(-exe-2009|sworknowx)|arnherenow)|i(onaserduma|nksafeness|vesoftrock)|uxury-stock)|6(-tube-world|malwarescan)|7killspyware|za(varetalies|nosi-bablo)|qooglesearch)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637345; rev:9;) # sid 2637346 includes 600 (0 - 600) 13 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.com)"; content:"|0d|";content:"|03|com|00|";nocase;within: 16;pcre: 
"/(v(i(r(us(scansite|alarmpro|kill2009|proktect|-pcscan2|detect24)|scan-live1|checkpc-pc)|deoporntrue)|mfastscanner|enetassicura|uderinopared|aluewebscana)|s(o(ft(spydelete|-for-scan)|l(imantravel|omediasite)|bakaikorova|cks5servise)|e(cur(e(cleaner|xdetect|p(cstats|aysite)|veteran|warrior|order-3|syszone|-admins)|ity(trial|centr))|arch(mysites|rizotto)|ntmenatbici|ekpornworld|rvscanner0(3|7|1))|py(-de(stroyer|tector(a|c|e|f|k))|ware(solver|clean(0|3)|-scan(9|z))|detect2009|remover-k7)|wfinstrument|c(an(dalmature|ner-(wiz-1|infoa)|mydesktop|-spyware2)|ript-meta09)|u(per(p(artycab|uperltd)|fu(turbiz|llpack)|handycap|artswood)|tra-traffic|oerdeuerf44|nshinesrose)|a(fe(tyexamine|billing-2|scannern1)|vemypcnowv1|de-ecrivain|mmyboydeals|ntacruzcall)|dfv-programs|t(jude-rawang|a(bilytukbab|tickingdom|r(-groupsvc|superpack))|eps-ironcup)|m(sconnectnow|a(rtsoftbill|llcyclades))|i(mpletoolbar|tes-counter)|h(owmealltube|uncheng2car)|yst(guard2009|em(fighter|veteran|warrior))|neakers-(mall|sale))|u(havepostcard|s(banknetwork|esomescents|treasurynet)|p(loadantispy|inosatoretr)|ndershotpics)|a(d(waredollars|vancesoftpc|dressoffers)|n(t(i(spy(ware(up|ts|l7)|soft4u|center|-scan(5|b|z))|v(guardian|ir(system|us(nano|xp09)|-scan(1|o|z)))|malware-(3|b))|ovirus-pro)|obhalukager|glemanpower|alys-thread)|ttentionbody|u(dienceright|straliabody)|v(a(ilablebody|ngadershem)|ir(-guardian|aplatinum))|l(i(baster-lab|nadertabug|oneferkilo)|l(tubesplace|-security(0|9)|inonescan3|shoponline)|mullahotels)|1hearing-aid|ctiveantivir|r(tesvitrales|mordefender|equipalinda)|ware-protect|membersignup|hulafertagov|k(esheronline|varyumizmir)|bumasotkamid|ppleacc(ident|urate))|m(a(lware(-alarm|doktor)|r(lene-jones|ijuana-tea|cmoto-tmax)|in-exe-home|steranalyse|gnoliamails|xxdrugstore|nnardiocese|hjongmuseum)|i(cros(oft2010|canner(1|2|3|4|5))|omatrimonio)|e(rcurylabels|d(ia(softplus|eldorado)|homeoffice|procottage)|ta-new-file|ga(security(l|p|q)|1-scanner|2-scanner))|o(l(tbedesigns|ibdeskonad)|vie(s4thjuly|i
nfobank)|use-on-mars|ntaguekorea)|s(ncoreupdate|bitsoftware)|y(nameisboxxy|s(ystemguard|pace-files)|lovsecurity|compscanner|totalscan11)|pisqlhosting|m2-antivirus)|c(h(e(ri(shletter|e-boheme)|m(ist-medic|o-couture)|appharmaad|ck(m(y-pcnow|alware9)|4threats|safecard))|a(tpartyline|assekjhqwe))|l(othingright|s-softwares|ickzcompile|eantraffic1)|o(r(e(guard2009|mediaarea)|pscanalert)|unteringate|pianetworks|ol(-exe-file|besttubes))|ialis-prezzo|qzinomonster|c(-pay-system|hassejhuytr)|annabis(lyric|vodka)|ertovalionas|yber-scan0(0(1|8)|11|26|30))|d(e(mo(locationx|scan4free)|btbgonesite|fendsyszone|signer4host)|droomabartcc|o(llarrevenue|wnload(s-123|ingxl|4safe|avr(1(0|5)|2(2|5|0)|30|40|50|60))|tworldgroup|rothycooley)|nk-softwares|u(nyadabiryer|baigatehost)|ai(hoigamethu|lynews(7x24|6x24))|r(ewpol-drzwi|iverchecker))|e(banknetworks|asyworldnews|ccellentesms|x(tr(emetube09|antivirus)|e-(file-boom|load-(area|2009))|plosioncash)|lxolisdonave|rt(u(bredxcong|gasedumil|6nagertos)|anuskayert)|-buypharmacy|medicaldrugs)|g(r(e(at(salestax|lakesdry|t(ubesusa|estprep)|filearea|defender|esupport)|en-av-2010)|o(ufertation|dno-online))|o(o(g-analysis|d(-antispy7|esecurity))|l(dfixonline|inovatorew)|f(astscanner|fin-escrow)|-scansystem|masukanahui|govideotube|ndolfrazrv3)|e(t(-(s(oftwares|afefiles)|mega-tube)|usersvideo|smrtprt-v2)|minicarsltd|rg4tt4tfgdd)|l(amorosasite|oballineinc)|ateway-pay24|uard(-syszone|sys-zone|zone-sys)|idropanikass|hiltypacific)|p(c(s(ecur(etools|atomka|ity-09)|afetyguide)|antimalware|toolsdoctor|-security(09|v(4|6|8))|protect20(09|10)|doctorz2010)|ho(to(galleryy|blogsite)|enixalpine)|o(we(lldirects|rful-tube)|rn(-new-tube|takevideo))|r(i(vatisworld|me-groupco)|o(datadoctor|ofdefender|tectmyzone)|esenthiring)|a(t(latbiforum|rickcadona)|ul-schoenle|fersbasedos|rades-party)|e(skostruikaz|ter-strauch|ncil-netwok|rfumedesire|likanzslatd)|ure-exe-area|i(upiu-110809|ctureviewes)|tsoftwarellc)|t(h(e(mazdaspeed|a(dsensekid|uthorizer)|picturehut|-(blue-tube|start2010
)|tubesmovie|s(portstime|ecurebill)|updatetest|finehealth)|anksforscan)|e(r(rorismfree|tunwavogav)|lsizdunyasi|sttubefilms|chno-rescue)|o(daybestscan|p(promooffer|-(portalnet|scanner11))|u(rviaeurope|quetventes)|rrentabuser)|r(ue(pornvideo|safetyweb)|a(ffic(static|growth)|cker-stats|ns(fertplus|portools))|everthisone)|ube-(xxx-work|storages)|mr-unlimited|a(rhujelafert|vakulionkab)|intasecuador|dpc-computer)|b(e(s(t(firesfull|buysystem|e(xeonline|security)|party20(09|10)|yearparty)|afe-fornow)|lljarstudio|nharpergals|-protected6|a-transport|protected-b)|a(yhousehotel|s(tvirusscan|e-scanner3)|dcheckalert)|i(g-tube-list|llsystem-24)|l(o(gger-gamer|ckdefender)|ue-(cardinal|xxx-tube))|r(itneyshaved|o(oksxvideos|wsersafeon)|ands-vendor)|oardexefiles|uteratorader|tctecnologia|jlanjingling|wbministries|bflashplugin)|h(a(rd(warepcnet|-xxx-tube)|ligalibumer)|o(wto(securepc|protect1)|lifireworks|meoftraffic|t(-tube-work|elbistrica|musicgroup)|useartsarea|st127-0-0-1)|u(b(portalzone|raumbensin)|lieropedaso)|i(sarkitabevi|llsdemocrat)|eadlinenews2)|r(nd-softwares|e(dro-stonean|g(istryclear|autorepair)|al(m(ediasoft|ultitool)|tubeworld)|mote(-logger|paybill))|o(l-programms|uletterosie|sariofutbol|yalsecureb1)|a(dio-compact|pidgatewave)|ude-xxx-tube|dafergfvacex|tugamertobes)|w(e(b(smartcheck|widesecure|master-100)|llness-card|stflashdate)|wwsafetyread|i(n(doptimizer|s(yscleaner|pycleaner|hield2009|ecurity12)|guard-2009|-guard2009|coresubmit|vantivirus)|ldgad-poker|ssneswertes)|h(inercentral|electronics|o-let-block)|lsestemlives)|f(r(g-softwares|ee(smsorange|wareseach|forscanpc|ofviruspc|mediaform))|u(turemedshop|ck-me-pumps)|l(yappraisals|owersagents|ashsoftname)|a(st(-exe-load|statistic|tunesclub)|tfreeonline)|i(onaenvirons|le(-exe-2009|addiction)|r(esaverbest|stantispy2))|edostalonkah|tahulabedaso|o(cusinfosoft|r(ceairtools|ward-sleep)))|i(n(t(er(inetskim|homesite)|secureprof)|etantivirus)|mag(esoffline|ination-1)|obacebauiler|torkadflione|antiviruspro|drugsnetwork|ewarningsite
)|n(o(-as-scanner|rthpole2000)|umberingcite|e(tgalleryart|brafsofertu|wliveplayer))|k(em-softwares|o(r-programms|linhopewaqs|nitorsabure|misunwinter)|vm(athurabaad|-softwares)|nr-softwares|asongskertub|icks-vendors)|l(e(mmydislikes|t-tube-2009|rsolamaderg|g(endgundogs|o-(billiger|discount)))|a(st-(sex-tube|home-exe)|tinintel-tc)|uxvirus-scan|o(ad(-exe-soft|flashcode|supersoft|moviesoft)|st-exe-site|pastionertu)|i(onglenhrvoa|me-groupsvc|fenightfire|nux-rootkit))|o(n(l(ine(scanxpp|proscan|-bidder|webhits)|ysteeltube)|agerfadusak)|b(ituraneskov|beytheriver)|vuiobvipolak|polertionfer|llinterssecs|kaveanubares)|j(u(stimportant|lionejurmon)|ob-for-yours)|x(xx-tube-2009|tubes-online|sconceptgolf)|your(securedpc|tubeworld|handyhome|findguide|urlsearch|anti(vira(3|7)|spy-(1|8|a))|xxxsource|necessary)|1(-(spguard2008|webspyguard)|23(muabanvltk|-shippings))|2(4-7-gambling|010scannera1)|zaq-softwares|0(1malwarescan|7malwarescan|3killspyware|9killspyware)|4cleanspyware|6cleanspyware|7cleanspyware|q(ualityupload|izhouhuinong))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637346; rev:9;)
# sid 2637347 includes 19 (601 - 620) 13 character domains in the ".com" top level domain
# Alerts on a UDP query to $DNS_SERVERS port 53, from any source that is not in
# $SMTP_SERVERS or $DNS_SERVERS, when the payload holds a 0x0d byte (the DNS length
# byte of a 13-character label), then "\x03com\x00" (nocase) inside the within
# window, and the pcre finds one of the 19 listed names, case-insensitively.
# The "(601 - 620)" range suggests this is the overflow of the 13-character .com
# list carried by sid 2637346.
# NOTE(review): the pcre carries only the i flag (no R) and has no length or TLD
# bytes around the group, so it is evaluated over the payload on its own. A hit
# therefore does not prove that the matched name is the label in front of ".com".
# NOTE(review): if within is applied the way the Snort manual describes (the search
# may not run past N bytes after the previous match), a 13-byte label plus the
# 5-byte |03|com|00| needs 18 bytes, so "within: 16" looks too small for an exact
# hit. Confirm with a capture of a test lookup before relying on this rule; the
# neighbouring rules use the same label-length + 3 value.
# Coverage: udp only, destination limited to $DNS_SERVERS. Lookups over TCP/53 or
# sent to resolvers outside that variable are not inspected by this rule.
# The single-byte content and the TLD content are weak prefilters, so the pcre is
# likely to run on most .com queries; watch sensor load with the larger lists.
# The names are a generated snapshot of the malwaredomains.com feed (see reference);
# treat an alert as a lead to triage rather than as confirmation of infection.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.com)"; content:"|0d|";content:"|03|com|00|";nocase;within: 16;pcre: "/(m(ega(6-scanner|7-scanner)|iamiheraldsi|ashburnsales|y(unionwallet|playthegame))|richardspizza|thetubeholder|woodfuelwales|a(aafreebarter|naliticterra)|bartercontrol|cfnmmoviesman|learningomaha|oneofakindsxm|premierbarter|s(hifustserver|oftcoregroup)|needno2search)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637347; rev:9;)
# sid 2637348 includes 594 (0 - 594) 14 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.com)"; content:"|0e|";content:"|03|com|00|";nocase;within: 17;pcre: 
"/(a(l(l(protection(s|6)|s(ecurepages|-tube-here)|-tube-world|roundgamers)|ertonbgabert)|n(t(i(v(ir(protect|2009pro|win2009|us(ultra|p(lus(1|7)|2010|ro21)|stock|-live))|aprof2009)|sp(yware(999|top)|amdeluxe)|-spyware2(4|6)|malwarenow|ivirusplus)|virushelpv1|yspywaernow)|gantivirus09|obhwalukager|aliticdirect)|d(v(iceswarning|nameservers)|dedantivirus|warescansite|sense-market)|v(-solutioncom|anceinternet|groupwebsite)|b(igailkathryn|out(golfclubs|billgates)|umaso3tkamid|bottpainting)|r(pinphilately|t(i(sfantastic|ficial2010)|craftjewels|swoodfloors)|abcologistic|rowheadultra)|ppl(icationjet|eaccording)|fedodevascevo|g(odaynsvcbert|ainstspyware)|tdreamholiday)|w(i(n(updatesserv|dows-s(hield|c(an(0(1|6|7|9)|12)|ript))|fixscanner(1|2|7|8|9))|zzelheadclub)|or(kcaredirect|ld(sbestscan|bestscan2)|dpressquest)|e(b(s(ecurecheck|portscheck)|porksecured|chemistsweb|antispysoft)|rynaherdobas)|ww(mobilereads|safeexamine)|aitforsunrise|hite-xxx-tube)|t(h(isfreemovies|ankyou4check|e(i(magesphoto|nputonline)|b(logwebsite|igsoftware)|antimalware|toolsdirect|stopbadware|malwarescan))|a(gged-gallery|hulavubgmbak|lkshoponline)|o(p(securityapp|-porn-tubes|travelsinfo|hotpc-check)|talsurfguard)|r(u(epornupload|stescrowbnk)|aff(marketing|ic(provide|hits247)))|ub(e(sitedirect|pornonline)|anergdavjaf)|sabunerkadosa|e(stavrdownnew|acoffeeguide)|itansecure00(1|2))|h(o(t(pornotube08|-porn-tubes|exedownload|mediaplugin)|mescanstores|stingdnssite)|q(vi(ewworldmy1|russcanner)|onlinemovies)|i(ghlandquebec|storycleanup|toncleanatpc)|ustlerscanner|a(llecodecdivx|ppytreeporno))|g(e(t(adultaccess|-(safe-files|free-files|this-video))|dmediaplugin|nesis-market)|r(e(at(mazdacars|virusscan|starhotel|essential)|enpowerguns)|andresorthot)|00gleadserver|l(k-softportal|obalunitrack)|o(ogle(adserver|-(reseach|counter)|xistence)|ldmine-sachs|virusscanner|rbaritosaona|westmarriott)|a(zconsultancy|nionasetugav|meonlinesite)|uliopalektori|cillustration|hostantivirus)|s(e(c(ur(e(instruct|d-client|-syszone|sys-zone
)|ity(verpcs|-field|adjust|modify))|soft-estore)|ssionnewid83|kurpaslanmaz|rvingsupport)|c(an(worldguide|erdownload|baseonline|al(ertspage|lviruses)|onlinesite|-and-clear|f(ilesherea|reeonline))|orptechstore)|t(a(bility(audit|tools|suite)|t(usinfotech|careonline)|r(ssuperpack|brands-ltd))|o(padvaresoft|ckbuzzindia))|im-softportal|a(fe(ty(scansite|webspace|utilitys|-updated)|-(pay-vault|fileshere))|cvalleyhomes|lvagemyfiles|uipeswimwear)|h(o(wpromooffer|es-supplier)|uretrobaniso|ieldsafeness)|u(per(futurebiz|imagesart|-(tube-all|exe-home)|medprefer|tubeworks|available|smsshpion)|ndownercomic)|py(ware(out2009|-scaner)|-scanneri07)|oft(ware(strike|rising)|stronghold|-protected|metalgroup)|neakers-s(ales|tock)|ystem(announce|-resolve)|mart(winmarket|-av-scan(1|3|5|7|9)))|you(r(valueready|w(ebexamine|aybaskets)|-antivirus|medicstore|skinonline|toolscheap|bestmarket)|porn-online)|c(h(a(t(loveonline|el-watches)|llenges-cup)|i(na(mobilesms|aaredarmy)|ttoorpalace)|e(mist(s(-medic|medico)|manager)|shirecousin|ck(malware02|filesnowa))|hassekjhytre)|o(dec(ouponsite|-networks)|m(p(uterscanv1|ris2fres7x)|anda-parfum)|reygoldfeder|lemanranahan|ol(p(ixgallery|rojectnew)|nssecurity)|ntentcleaner)|l(ear(-politics|wayshield)|ick-counter2)|ybernetsafety|cpaymentsys24|a(nnabisrecipe|lilanoticias|sinoelegance|bellowrecker))|b(e(adworkdirect|s(t(couponfree|b(logdirect|illingpro)|-(tube-home|scanner-f)|w(ebexamine|aytoscanz)|removerpro|mobidirect|tubesworld|pffers2010)|ecurepctrue)|tter-fitness)|l(o(gsitedirect|og-aranking|ckprotector)|ueartsstudio)|r(eakingnewsfm|a(nd(-s(upplier|canner4)|s-vendors)|in-groupsvc)|o(oksinfotech|thervonmash))|u(f(falogoesout|ertongamoda)|ckhavenranch|teralksaweda|mganoskatios|l(akeskatorad|er(kosedasko|opihertan))|h(ervadonuska|afertadosag))|o(mkafeguilert|utique-world)|i(omedinternet|gfreepackage|keweekrallys)|arteranywhere)|e(-banknetworks|r(oticagateway|t(anueskayert|u(gaskedumil|6naygertos))|ubamerkadolo)|asy(webexamine|petcarrier|giftgiving)|qrocksthemal
l|x(e-soft-files|cellencesoft)|t(otalsecurity|herealtravel)|cologygreenpc|n(kafuleskohuj|lightenedver)|meraldsunarts|va(mendesochka|npublishing))|m(a(zdaspeedzone|nage(system32|aproject)|l(taintravels|ware(-reaper|bytes(i0|y0)|alsscan|examine)|ibuexchange)|rtinhorngren|xpaidsurveys)|i(mmomastermix|cro(antivirus|-scanner(1|3|4|5))|nimultimedia|rroronerotwo|ssing-codecs)|o(ms-in-office|vie(fireworks|-paradise)|dulobradesco|r(eflashmedia|cnsterpiss8))|e(etstripvideo|ga-statistic|d(ia(retention|toolsarea|datahouse)|financeflow)|trobrokerage|s-lamination)|y(-(fuck-movies|exe-profile|p(c-scanner7|rotection1))|s(ystemshield|ecurityland)|totalscanner|l(uxurychalet|ovebusiness)|zunedownload)|xviewworldmy(1|2)|u(l(inerkasolas|timediafact)|sicanacional|chtubebetter)|sfreesoftware|tcpowersystem)|v(i(ewvideopatch|rus(infocheck|topshield|-(analysis|detect08))|lla-azur-djb)|arrugilanto-2|ertigonasotra|u(lerdasonatka|retronulevka|ilerdomegase))|n(e(ts(pywarescan|uitemarket)|xt(freedollar|stepgrowth)|w(toolsonline|movieflicks))|a(dsamcabran12|mukulu-motel|ncy-woodward)|refadoteskfer|u(l(cdiborkawer|kersonatior)|herfodaverta)|itrousantispy|o(rthstarsocal|-vironyourpc))|l(o(ngballonline|ad-exe-world|lkabernadofa|opsoftmarket|cotailgaters)|e(vitra-4-sale|rsolamgaderg|o(-arts-galls|nardandself)|xusbestparts)|xl-softportal|i(posdakoferda|nkertagubert|sttubeonline|veguardforpc)|abnolsoftware|uxproproducts)|q(u(icks(earchnet|tatistic)|eerdiscdeals)|wedasertafoas)|o(f(f(er-provider|icial-emule)|aderhabewuit)|gggooogoggoog|u(rlittleducky|tlawyoung972)|nline(scanxppp|tubeporn|worldcar|pcwizard|-web-net)|p(aserduchiosa|ilesnatorkas)|lafeskanotiro|b(amanewterror|uleskinrodab)|zguvenplastik|rangebeemoney)|9aga999a9gg99a|p(a(ntispyware09|ckageprovide|fefrsbasedos)|c(-(on-internet|cleaner2009|antispy2010|bug-remover)|top-freescan|online-guard|digitalguard|s(ecuritycorp|afetyonline))|e(rfect-banner|bergenufeska)|o(rn-tube(-host|s-hub)|l(inerkalohaj|kajiuolioer)|werdatamedia)|ro(tect(-my(-web|zone)|
edfield|ion(labs|2010)|s(yszone|oldier))|security-14)|haselistravel)|z(sgszzzszggzzs|one(-(searching|exe-files)|mediafiles)|xc-sofftwares)|r(a(pidantivir09|nking-charts)|e(d(irectclicks|eye-groupco)|tro(xporntube|baziliona)|a(linnovation|d(mailonline|riteonline))|p(ortsystem32|a(ir(problems|registry)|re-windows))|gistry(genius|doktor)|cruitmoranna)|ingtone-radio|ss-checkfeeds|vertundfertug|tugamer5tobes)|k(i(r-fileplanet|ck(s-(discount|supplier)|withcolors)|ngofbelgrade|ll-spywarem(2|7))|onitorswabure|athrynmetcalf)|x(tubes-xmovies|cuidflofertun|xx-white-tube)|u(n(i(qtrustedweb|tarstudents)|dergroundseo)|p(todatesystem|datesystem0(1|2|0))|i(hertubilosas|skddcuiretog)|hajokvfalesko|lio(ndarvasoka|perdanogad)|vgaderbotario|t(kamerdosubor|o(rganedoskaw|piantravels))|sepetrol2earn)|1(-antispystore|stwebsitehost|protectthispc)|f(a(n(cystarlight|tastictools)|llsoftsafety|stscansecure)|i(r(eworkspoint|stantispy01)|nislamicbank)|l(ywell-travel|owersshoping|ashlabelsite)|hg-softportal|or(dearfriends|mulatedform)|ree-(scan-here|arts-2009)|u(ziongraphics|ckbriankrebs))|4schoolsonline|j(un(iorbuilding|e-crossover)|80-trinitains)|d(bs-softportal|e(l-softportal|fend(-syszone|sys-zone)|velopmentene|adlockedpics)|i(gitalbillnow|scounts-shop)|ns-systems123|abertugaburav|vdloadstorage|ugunhikayemiz)|3(65daysbilling|removespyware|allfolderscan)|i(lluminatigear|antivirus-pro|n(v(ersiontrace|oiceclinton)|dex-groupinc|et-antivir(1(1|2)|2(1|2|6)))|ts(afetyonline|upportworld)|virusidentify|qmediamanager)|00(6all-scanner|9all-scanner)|5removespyware|7removespyware|8removespyware)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637348; rev:9;) # sid 2637349 includes 581 (0 - 581) 15 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.com)"; content:"|0f|";content:"|03|com|00|";nocase;within: 18;pcre: 
"/(n(e(w(year(withlove|andsanta|desgings)|santimalware|eca-payments|-(s(ystemguard|earch-zone)|av-scannera)|virusbexsite)|t(securitycode|paidshopping))|u(lerotkabelast|refadertogafe)|icecodestorage|otebooks-store|azarethimaging)|s(py(ware(isolator|-(fighter|removeb)|glossary|scansite|maxscan(1|3|4|6|9))|detector2009|eraser-trial)|ystem(-defender|scanner19|virusscan|mdefender)|a(fe(ty(alertings|scanguide)|websecurity|-your-pc004)|turn-groupsvc)|ma(rt(salesgroup|1antivirus|2antivirus|4antivirus)|ilionovkajio)|c(an(ner-(work-av|av-fast)|online(world|guide|poker)|mypc-online|-(file-clear|computerab)|copyservice)|oringsessions|ukonherproger)|gh-topprograms|hopping-pharma|oft(newsblogcom|ware(altsite|ordersx|threats)|-multimedia)|e(cur(e(topshield|fileshere|scantools)|ity(w(idgets|wwsite)|scanweb|rundlll|prosoft|-estore|center1))|bastienleabse|guroecompleto)|to(ckshopimages|pspyware2009)|lubwobiektywie|vetyivanrilski|ilver-metscorp|u(reameritradex|per(matingsite|a(ctualtube|rtsstudio)))|sdfsdfwefwefwe)|w(i(n(quickupdates|-p(c-defender|rotection9)|dows(guardpro|antispy3)|rescueupdate)|ficafe-search)|e(b(widesecurity|s(ecurityread|cansecurepc)|anti-spyware|-antispyware)|rvaferganiota|ststartelecom)|a(s(ponlinemedia|hingtontruth)|lmartsoftware|tch2010movies)|wwanti-malware|hite-xxxx-tube)|h(o(t-(pornotube08|tub(ecodec20|sandmore))|liday(firework|-spirits)|met(oolsonline|eaminspect)|st192-168-1-2)|e(x-programmers|ad-concussion)|a(ndyphoneworld|ydikaradenize|ztek-software)|istorywashdown|qvirusscanner(2|5|7|8)|jgfw34rwedfgds)|x(p(antivirussite|onlinescanner|-protect-2008)|tube(-downloads|s-hot-porn)|moviedownloads)|b(e(autywithbeads|s(t(mazdadealer|britneypics|-(antivirus(3|8|9)|topscanner)|securityinc|antispysoft|toolsdirect)|ecuresallpcs)|ckandpartners|rvuilendosate)|r(eakingnewsltd|avemousepride|owsingthrough)|o(nuspromooffer|y-meets-world)|l(ogaboutonline|uemuntaincard)|a(rackobamainfo|nginbeckyblog)|i(ngos-totonya2|llibonskanzas|gmediastorage|z2bizcommerce)|u(germanosator
a|l(er(k(anostrase|oseddasko)|opihdertan)|letproofsoft)|teratorionasd|ycheapsoftnow))|t(o(p(bannersystem|s(ecurity4you|pyfreecheck)|-downloadnet)|talvirushield)|ntbreakingnews|h(e(mostrateblog|s(tabilityweb|hipmangroup)|-(crack-place|dragon-cave)|noble-locker|craziestidea|toolsbargain|antyspywares|progressclub|bestantispys|warriorgroup)|reatpcscanner|ankyouforscan)|r(i-visionhomes|uevirusshield|o(jan(er-doktor|removerpc)|yproductions)|a(in-modelisme|defastsecure|nsmarecuador)|yantivir-scan)|iger-protector|u(be-(collection|best-4free|porn-today)|rbonavigators)|e(ambuildamovie|ststation2654|rtfunwavosgav)|ypeofmarijuana|sarbunerkadosa|avakulio5nktab|wilight-garden)|c(o(nnectserverup|mputerdef2009|sco-groupmain|unterstrikefc)|h(inesefreewebs|eck(filesherea|-files-now|experiment)|ateaudecoisse)|lean(downloaded|controller|vir-onmypc|-your-pc(a(1|2)|b(1|2)|c1|d(1|2)|e2|r1))|a(llmepleasecom|nnabispicture|poeirakayseri)|r(ack-the-place|enshawdesignz)|gpay-re-230609|ertificates-db|yberneticmoney)|f(edwirenetworks|a(s(t(antivirus09|virusscanv6|scan-se(arch|cure)|zonescannow)|hion-vendors)|ctmediacenter|milyhomes4you|vorit-network)|r(ee(-webscaners|c(elebsvideo|hinaonline)|mediasoftxx)|veou438tjfmri)|i(rst-antivirus|vefilesmarket|ndprotectiona)|u(tureselfdeeds|ll-led-matrix)|or-sunny-smile)|g(r(e(at(couponclub|s(alesgroup|valentine|canonline)|-pcprotect)|en(-tube-site|billsystem|peaceleage))|andfilesstore|izzli-counter)|l(o(balstube2009|ck-softwares)|avnij20090809)|o(o(oogleadsence|gl(e(-analytae|analinics)|an(aliktics|tivirus(a|c|t|u|w)))|dflashsource)|ldvideocenter)|et(securitywall|requesttrest|livesoccertv)|umertagionader|host-antivirus)|l(ookportableftp|i(ves(topbadware|oftbilling)|nkertaguboert)|a(belshoesstore|st-exe-portal|m(orecosmetics|smotorsports)|rosmontenegro))|u(p(timedownloads|laserdunavats)|s(a(breakingnews|fastshopping)|graphicsource)|n(i(quexsoftware|versoulbeats|onkorneuburg)|limitedmarvin)|l(iopewrdanogad|timatepcscana)|t(ka3merdosubor|orgtanedoskaw)|vgadfe
rbotario)|v(i(s(tamicrozsoft|ion-groupsvc)|va-delpinata2|r(us(ermoverpro|-detector(a|c|d|j|t)|scanlevela)|scan-online1|curemy-pcnow)|deopluginload|pfashiongroup)|russtatuscheck|eterinarytoday|u(l(isandoratosa|ertagulermos)|il(ertumegated|leskomandar)))|y(ou(r(breakingnew|anti(malware|virus-4)|guardonline|freescanner)|ng-in-mature)|esonamendment3)|m(o(bilephotoblog|vie(sfireworks|artscenter|playonline)|skaritobanios|neyversionpro|rcnsterpiss1(1|2|3|4))|y(antivirusplus|f(ucking-pussy|reebestadult)|-(cheerful-dns|porn-archive|garden-state)|realsecuritys|compscanner(0(2|7)|22|42)|virusscanner2|pc-protection)|s(-antivir-scan|n-messenger-9)|a(crosoftwarego|ingovermnfer5|l(ware(urlblock|mechanic)|icious-sites)|r(ijuanarecipe|vidzstravels)|ybankaccounts|x(1antispyware|2antispyware|4antispyware|6antispyware|7antispyware)|zra3ati-sudan)|e(ssenger-msn-9|ga(-crack-zone|spywarescan|funtainment)|dia(flvservice|pluginsite|onlinebank))|u(lti(airservice|media(check|tally))|stscanzonenow)|irroronerofive)|r(e(s(idencehunter|cuesysupdate)|vistamollendo|ddogdiscounts|t(organionader|ropc-checker|ardedcutlery)|g(istry-doktor|ency-groupco)|movespyware(-7|v(1|3))|adpressonline)|icksmusicstore)|a(v(-(plus-support|scan(-2009-up|ner-2009))|ondaleacademy)|n(ytoplikedsite|t(i(wareprotect|virus(-(alert|p(ppro|2010))|p(lus09|-2010|c2009)|doktor|better|0(0help|1help|3help|6help|8help)|omega(0|1|6|8|9))|-(payed-porn|virus-best|spywarenet)|spy(internet|ware(2(0(09|12)|4x7)|file|snet|-l14|comp)|are(2help|4help|5help|7help|9help)))|y(spyproducts|virusdevice))|g(-antivirus09|elsinuniform)|a(liticcontrol|bolic-pharma))|l(l(virusscannow|russianstrip|s(urveillance|ecuritysoft)|filesstorage|protectiona(2|3))|fouzantrading)|b(beynational(29|52|76|93)|s(olute-sports|tateverytime)|umaso3thkamid)|u(toperformspec|ditexperiment|stria-skitest)|d(ipex-for-sale|ware(removerxp|-pro-2009)|min-services1|ult-tube-free|vancededgeins)|1-adipex-4sale|sialoverfinder|ha-shame-shame|ffina-groupnet|r(deana-couture|myprotection
4|esdownloadnow)|myslittleworld)|d(o(wn(oalsdcenter|load(-pro-as|freesms)|-softportal)|ubleclick-rss|ctorfreedrugs|llymultimedia)|i(scount(freesms|s-store)|e-grenzreiter)|e(l(uxeprotector|iverspeedltd)|tect-spyware(1|3|5|7|9))|ma-businessclt|gzhangfeiyijue|a(yoneskateshop|bertugabusrav))|k(o(l-(development|programmers)|malinovskatas)|eyworddelivery|i(cks-discounts|ralikarababul)|athmandumutual)|28sslput-search|p(a(ntispyware09a|y-virusdoctor|ckagebusiness)|c(cleansolution|s(ecurity-(2009|soft)|afety2009pro)|threatremover|protectdirect|-computerload)|o(rn-hub-online|elkingbowling|pupkillersite|l(serdagoniosa|anermogalios))|hurious-george|r(otect(ionimage|ed-field|pconline|defender)|i(vacyguardpro|cecheckjapan))|ul(iskanotasotr|aseskanovios)|eakgrouptravel|ineguard-of-pc)|e(s(netscanonline|ecure-federal)|njoyspringtime|bayauctiondata|x(e(-soft-portal|archstortage|downloadfull)|trememadhouse)|lgallitoingles|m(aternitystore|phasis-online)|r(asehistorynow|t(onaferdogalo|anue5skayert)|ubamerkafdolo|stugaskedumil)|kolgistictrans)|1(quickpcscanner|0-open-davinci)|i(t(unes-vouchers|aliavideoclip)|-antivirusplus|syouimageshere|obacebyuauiler|n(valda-groupli|diatouragency|ter(-antivirus|1antivirus|3antivirus|6antivirus|8antivirus|9antivirus)))|j(spipesanddrums|aagobangladesh|et-arts-center)|qu(eilesaventura|ickmedialinks)|o(nline(scanxppro|quickscan|chipguide|world(club|tech)|-defense7)|rav4abustorabe|mgyaksaresohot|f(aderhpabewuit|fseasonstudio)|urhomeinternet|s-guardpro20(09|10))|ze(usformyfriend|romediaplugin)|4eay-protection)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637349; rev:9;) # sid 2637350 includes 505 (0 - 505) 16 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.com)"; content:"|10|";content:"|03|com|00|";nocase;within: 19;pcre: 
"/(a(lls(ecurity(links|notes)|killedtrades|taffdefender)|n(t(i(malware(-(scan|2010)|giard)|spy(scanner13|available|worldwide|internet(2|4|8))|vir(us(-(remote|d(oktor|eluxe)|p(-2010|ro-21)|live-6|wizard)|a(dvance|cademy)|pr(emium|o2010)|livepro|2010pro)|systempro|-freescan|aprof2009)|-perspirants)|hony-campbell|yspywaresshop)|g(antivirus2009|elcitytrading)|xietymigraines|alitic-manager|nu(ity-groupllc|nciationgsk8))|v360removaltool|c(quisto-levitra|t(ualmultimedia|ivehealthpack))|b(ateoforegon-ne|outsoftwarelab)|p(lusworkbenches|eskolinoskager)|r(ch(i-tube-world|way-groupinc)|myprotection01|es-downloadnow)|dv(ancedetective|ersting-media)|m(inoserbuhavata|ateursex-heart)|skthegoalkeeper|ttentionspyware|wesomeesecurity)|n(e(w(yearcards2008|-systemshield|soverworldhot|antivirussoft|mediastandart|virusbexstore)|tsecurityworks|oinvestmentllp|xtgen-scanner(b|c|d|r|t))|a(rcotictramadol|talie-coughlin|nosoftwarecart)|u(lermagolasenda|mbergatoriosso)|ordstromexpress)|h(o(t-sextubecodec|lidaysfirework|meamateurclips)|upersecuritydot|eroesmultimedia)|y(ou(r(privacyguard|countycoupon|ma(zdatribute|lwarescan(3|7))|valentineday|netascertain|windowsvista|s(oftwarelist|afetysearch)|kidssecurity|-protection8)|porn-for-free|-were-nervous)|esterdays-party)|s(e(tupdatdownload|cur(ity(to(pagent|ol(s(pro|ite|now)|blog|code|edit))|s(cansite|oftblog)|fastscan|uniqscan|milescan|announce)|e(dvirusscan|orderstore)))|u(p(er(salesonline|cleanonline|0multimedia|protection3)|portnetcenter)|nny-tube-world)|py(ware(remover21|scannerv4|-remove9(4|2))|removeronline)|can(-(antispy-4pc|spyware-now|your-pc-now)|yourpconline|worldwideweb|4youpconline|systemonline)|a(jobelectronics|fe(billsolution|onlinescanv4)|veyourwireless|muraineverdiee)|t(reaming-united|oreonlineguide|artscanlabatpc)|i(gurd-media-api|dewebvirusscan)|o(ft(-transaction|portal-files|ware-shopper)|cialbeautytips|urcemediafiles|methingsunique)|ystem(-(guard2009|deffender)|scan-check)|mart(protectorv2|virus-scan(1|3|4|6|8))|nowandchristmas)
|e(asywinscanner17|x(e-(file-project|online-world)|press-currency)|r(otic-baby-girl|tadbuferytagol)|nkafuulgeskohuj|lectionprogress)|b(est(breakingfree|journalguide|webscantools|-(music-sites|texasholdem|anti-virus6|ever-movies)|crisisprices|antispyware7|viruskiller(a|t|z)|securitymall|yearantispy5)|reaking(kingnews|goodnews)|u(l(kerotravontiy|erkoseddgasko)|reltanovaderta|mergonagortaut|sinesscosult4u)|ill-service-365|bsoftwareonline|arter(brokersusa|newengland|ofsandiego))|d(i(ssolute-office|rect-antivirus|amondsbydavids)|e(fenderupdates2|l(lilawservices|hicakesngifts)|xteracreations)|realwebnamescan|atatrustprotect|ou(bleclickredir|glasequipment))|g(lobal(antiterror|toolsmedia)|e(t(paymentsystem|myprotection1|video2010-now|smartscanofpc)|neric-tramadol)|o(ogle-an(alytlcs|olytics)|malwarescanner|tnewfriendbook)|isecurityshield|r(e(at(gallerypost|estsecscans|toolsonline|onlineguide)|en-power-zone)|oupe-rouquette)|uidetosecurity3)|t(he(a(ntivirus(plus|free)|lertsecurity)|greatsecurity|paymentonline|s(ecuritytools|tabilityfund)|warningcenter|toolsdiscount|b(bflashplugin|estcleanofpc)|northstarauto|creativevirus|livingdeserta)|r(uescansecurity|yantivirusscan|ojan-scanner01|ade-statistics)|o(pwinsystemscan|tal(viruss(hield|canc3)|-eliminator|spywarescan)|daysecuritytop|wn-classifieds|olsonlineworld|-scanyourpcnow|borochihosting)|ubes-xxx-movies|ypicalprecedent|eamspiritrealty)|c(o(n(tr-softportal|signbuydesign)|mpu(tercode(high|work)|rerthreats(2|9|4))|lonizemoon2010)|a(nyonshadowlabs|tedralsoftware)|he(apticketslist|ck(s-files-now|forspywarea))|l(i(entmanagercom|nichomeclinic)|angamingleague|ean(malware(easy|f(ast|ree))|yourpc-nowx))|c-payment-sys24|eliminerkariota|r(adleoffilthfan|escenthorizons|ystal-pro-scan)|yberstrongstore)|f(re(e(hostinternet|webhostguide|-(x(xx-central|tubes-host)|antiviruses|best-movies|web-scaners|tube-orgasm)|independence|filesarchive|antyspywares|datatransfer)|sh(-xxx-movies|flashplugin))|ast(viruscleaner|-(virus-scan(7|4)|systemguard|zones
cannow)|scan-protect|zone(-scannow|scan-now))|i(reworks(holiday|network)|naluninstaller)|o(ndos-messenger|rwardartstools)|elixandjennifer|l(oattubesonline|ash(playeradobe|downloadv11))|untixandcompany)|p(r(i(vacy(scanner15|update447)|cksandpussies|scillapresley)|o(per(-tube-site|1antivirus|3antivirus|5antivirus|7antivirus|8antivirus)|gressmovement|tect(orservice|ion1(1scan|2scan|4scan|5scan|8scan)))|e(serveatetowah|mier-groupinc|fect-defence(m|y)|ventiondenver))|o(rn-(tube(-movies|s-world)|hub-xmovies)|lakestrovanios|cosecuritymall)|lusantiviruspro|h(armacyforwomen|il-soft-center)|e(titbijouonline|rf(ect(uninstall|esecurity)|umechaletusa))|ay-securesystem|u(r(itan-groupinc|ewellnessherb)|nktnaznachenia)|c(safetyplatinum|privacycleaner)|irandelloaspect|ghtradealliance)|l(oad(-pro-antispy|softwarebase)|i(lusanotraserta|siobubucamacho|veguardfordata)|awfirmincubator|e(eds-consulting|t(-ustrytoclean|us(-trytoclean|try(-toclean|to-clean)))|adingedgetrade))|w(e(b(s(ecurityvoice|toresecurity|afetynetwork|oftwarecloud)|-antivirusq(10|20|30|60|90))|r(ta(bulionsedaf|gulionaders)|agumasekasuke)|ddingscatalina)|i(fisecurityscan|n(dows(guard-pro|altserver)|networkstatus|securepro2009|-antimalware(2|a|z)|6best-scanner))|ww(onlinescanner|antispyware-1)|heel-visualizer)|r(a(pidantivirus09|kkasanwarriors)|-d-cgpay-090709|e(alsecurityspot|tulahertomanof|directcounter1|move-threatsl2)|bsunitedkingdom|oyaldefensescan)|m(s(-anti-vir-scan|scanner-top-av)|a(lware(removebot|-destroy6|scan(world|guide))|n(agetelevision|ualmultimedia)|rcalanfreedman)|u(s(ic-megaupload|t(-scanzonenow|scan(-zonenow|zone-now)))|l(ikostarokaser|timedia(secret|figure)))|i(cro(antivirusxp|soft-spynet)|lleniumleaders)|o(likasontrasota|neytransferltd)|y(protect(ed-zone|ionzone)|-protectedzone|c(omputerscan14|areermychoice)|virusscanner25|s(pyware-scan12|ecurity-suite)|databasedirect|extrassecurity)|e(gaspywarescan(2|5)|lson-groupmain|diadriveonline))|0texkax7c6hzuidk|i(magesrepository|eprotectionlist|-dont-care-much
|nte(l(inet-global|1-antivirus|3-antivirus|5-antivirus|7-antivirus|9-antivirus)|r(netproscan(m|q|r|w|y)|0virus-scan|8virus-scan|a-antivirus|c-antivirus|d-antivirus|e-antivirus))|rentphotobooths)|u(n(iqviruscleaner|securewebsites|cutsouthmovies)|pdates(oftserver|erversoft)|i(lerdobavonader|terbunagoretas)|li(bertagolionas|ope3wrdanogad)|s-windowsupdate|tka3medrdosubor)|k(il(ometrplenkiru|l-malware-012)|eno-chance-game)|z(one-celebs-tube|drowieczlowieka)|1st(choice-hoists|antivirusplus)|o(n(eplace-all-exe|line(s(ecur(escan|ityn(1|2|3|4|5))|ystemscan)|-(pcscanner|antispy(i(1|2|5)|m(1|3|5)|l(1|5)))))|s(trov-velikanov|adwarekill2009)|penhouseinspect|rganicnecessary)|quick(healcleaner|sitehostdns)|v(i(deo(tubeplanete|chatbuilder)|r-cure(-mypcnow|mypc-now))|udermaguliermot|a(rgogolfcompany|luecardarizona))|3(d-family-orgies|000channelsplus)|xxxodnoklassniki)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637350; rev:9;) # sid 2637351 includes 452 (0 - 452) 17 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.com)"; content:"|11|";content:"|03|com|00|";nocase;within: 20;pcre: 
"/(r(e(gistrycleanerxp|move(-virus-melt|virusonline))|apidantivirus-09|oyaldefensescana)|a(n(ti(spy(ware(master|global|formac|1(1scan|2scan|3scan|5scan|7scan)|scan5(1|2))|centerprof|-security(1|3|5|7))|vir(us(checkout|2009plus|-(pro2010|2010pro)|pro(-2010|2scan|7scan|8scan|9scan)|live(-pro|2010)|tooledit|scansite)|-(4pc-ms-av|systempro)|protection)|terrornetwork|-malware-2010|malwarescan(v7|a4))|g(antivirus-2009|lointerpacific)|ispy-storage-ms|-ty-flu-service)|l(l(owedwebsurfing|entruesecurity|inonesecurity(a|0)|-staffdefender)|eksandrhomepage)|pproved-payments|d(dedantiviruspro|vancedvirusscan|obef(lashupdates|reesoftware))|r(chiv(eexefiles09|-tube-world)|ventertainments|myprotection00(1|9))|mericangrants-4u|ssociatesexports|utousbestsellers|v(iraplatinum2009|ailablegambling)|ttention-scanner)|w(i(n(spywareprotect|dows(-(virusscan|update210)|guardsuite|serverinfo)|proantivirus99)|ld-(online-poker|texas-holdem|gangbang-sex))|eb(protectionscan|s(ecurity(master|bureau|police)|pydetectunlim)|design-lessons|-(download-free|free-download)|virusscanner(33|22))|o(menlosingweight|rld(rolemodeling|s(bestscanner|antispysoft)|antispyware1|domainoutlet|cashlessbanc))|a(rningvirusalert|chovia-onlineuk)|hatsupgreenville)|b(a(dware-protector|bes-fuck-online|ttle-for-europe|sesecuritypromo|rterforbusiness)|e(st(-(crystal-tube|light-search|world-actors)|supportcenter|antimalware08|virusidentify|discounts2010)|ncaputoprinting)|i(tsecuritycenter|ll-solution-365)|l(a(ckjackbeauties|stertroops2011)|1-virus-scanner|3-virus-scanner|5-virus-scanner|8-virus-scanner|9-virus-scanner))|x(pvirusprotection|movies-downloads|xx(-hot-tube-porn|camerasexcheap))|s(e(cur(ity(s(canworld|oftware(1|3|5|e))|t(rustscan|ool(world|maker|today|s(blog|menu|shop|tool|user)))|i(mplement|nfos4you)|360update|antivirus|-tool2010)|e(-data-group|billingsoft))|arch(scan-online|-everywhere)|lected-antiques)|ystem-cleanerpro|c(an(s(pywareonline|ystem-online)|t(rustsecurity|-antispyware)|ner-(malware(0(1|2|4|5|6)|1(1|2|3
))|on-line0(2|3))|-and-destroy(a|e|t|w|z)|a-antispyware|c-antispyware|e-antispyware|i-antispyware)|ript-search-www)|p(y(-protector-pro|fighterantivir|ware(-(scannerv2|max-scan(2|3|5|7|9))|detector24))|e(cialsuggestion|edysalesletter))|t(a(bility(inetscan|scantool)|tistic-manager|mex-expedition)|ructuredannuity|op(andscanyourpc|-(read-message|virus-server))|ephens-laughlin)|o(uptotalsecurity|ftware(listworld|directusa))|mart(protectorpro|-online-shop)|afewindowsupdate|uper(deletethreat|game978jnnn2|pharmasystar|onlinedirect|filmutilites|1antispyware|4antispyware|6antispyware|7antispyware)|hop(online-motors|pingxxxsource))|c(h(e(ck(updateplayer|er-pc-pro-av)|apnetdiscounts)|aepantispyforpc)|o(mp(rare-propecia|u(rerthreats07|terguardsoft))|legiopenacorada|ntraspywaresoft|upons2discounts)|r(acktheplanet-v(2|3)|iticalmentality)|lean-all-spyware|a(nnabisvaporizer|tcherin-the-rye|rtoon-sex-links)|cleaner-portable|elebrate(-designs|2009year))|g(e(t(playerdownload|downloadmovies|livefootballtv)|rmanamericantax|neral-antivirus)|re(at(scansecurity|-connections|lakesinspect)|en-av-2010-pro)|o(ldsoftwarestore|o(gle-(anal(itiics|y(stisc|itics|tiics)|lytics)|-analytics)|d(antivirusplus|-antispyware(7|8)))|-scan(andprotect|yoursystem))|uletrubanionader|lobal(zoneprotect|superonline|-(a-security|b-security|c-security|d-security|z-security)))|p(a(tchvideoplayers|mperingdelights|ymentsolution24|r(asecurityscans|ksensorucenter)|nchungpatwotong)|r(o(-scanner-av-pc|tect(ionexamine|-(yourself3|my-system))|pecia-generico|updatescentral|ofdefender2009)|emiumlivescanv1|imeareanetworks)|o(r(notubeonline(10|09)|tablevaporizer)|malinkovasilons|likolsantrevasd|undsofinterests)|c(secureredirect2|antispyware2010|trouble-remover)|er(sonalguard2009|fect-security3)|harmasystarworld|ipelogicservices)|t(h(e(coupondiscount|valentineparty|onlinesecurity|securitynsyard|masterengraver|raymondgallery|bestantivirus(a|b|g|r))|reatalertonline)|erroralertstatus|w(inkthewonderkid|ofinestutilites)|a(kecarepleasec
om|borfilmfestival)|o(beschumachercom|tals(ecuritysite|pywarescan(3|4|5))|pnameappraisals|olsonlinedirect)|r(yantivirscanner|ust(-systemguard|ed-security3)))|e(x(tr(a(fastdownload|ssecuritynow)|emeanalonline)|presstubeonline)|asyplusantivirus|z-scanner-online|rtidonaferdogalo|liminater2009pro|sysprotector2009|uromaxsecurities)|m(o(ms-and-swingers|vie(aboutblogcom|independence|toolsstorage))|e(ga(-anti(viral-ms|spywaret)|antivirusplus)|diastorageworld)|s(antivir-storage|protectionscan0)|alware(baseupdate|urlirblock|detectsite)|u(sic(moviesnbooks|playercenter)|ltimedia(analyze|rainbow|techinc))|y(computer(scanner|update5)|securityupgrade|p(rivatesoft2009|csecureadvisor)|flashmultimedia)|inisterios-saude|creativeservices)|i(n(te(rnet(homecheck|otherwise)|linet-secure(1|d))|valda-groupmain)|magescopybetween|wantsweepviruses)|o(nline(s(canservice|toresystem)|-(defenderv9|s(ystemscan|ecurtiyv(1|4|5)))|anti(spysoft|virus(46|r4))|viruskilla(0|2|4|6|8))|verviewforexbids|penbiglibrarynow|megacomputersllc)|h(o(t(-girl-sex-tube|el-centralclub)|meantivirus2010)|idef-porn-movies|appy(independence|-newyear2010|hardcoreporn))|your(countrycoupon|-guide-online|p(lusantivirus|icturehoster)|malwarescan04)|f(e(deralbanksystem|tuchinioskajera)|r(ee(-(porn-xmovies|web-download|download-net|limewire-now)|internetindia)|itzcomforthomes)|ull-free-xmovies|a(st(-(mortgage-4-u|filedownload|virus-scan01)|search-secure|estonlinescan)|cebook-security)|i(x-registry-here|lesplugindirect|rewallprotector))|l(i(vesystemupdates|berty-exchanger)|oved-online-tube|v(1-virus-scanner|2-virus-scanner|3-virus-scanner|5-virus-scanner|8-virus-scanner))|v(i(r(us(remove(r-2008|online)|protectionxp|onlinescanv3|-scannerdot(1|2|3|6|7))|identifycenter|tualemediasoft)|deo(independence|studiodirect))|ertuganoskilotas|al(leybartergroup|uecardalliance))|n(us(ecurityshields|atorkaleprovis)|o-spyware-thanks|e(xtantivirusplus|wholidaydesigns)|a(vy-antispywarea|turecoastbarter)|itro-antispyware)|u(n(itedinnuremberg|seenprodu
ctions)|pcleanyour-pcnow)|d(o(wnloadnativeexe|lce-unt-gabbana)|elawarepokernews|nsresourcecenter)|justseethisonline|qu(a(litysoftonline|dpaymentsystem)|ick(softwarecart|timeshipping|-antispyware|aantispyware|bantispyware|cantispyware|dantispyware))|zamniracollection|1classantispyware)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637351; rev:9;) # sid 2637352 includes 369 (0 - 369) 18 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.com)"; content:"|12|";content:"|03|com|00|";nocase;within: 21;pcre: "/(1(80searchassistant|st-mortgage-leads|class(-antispyware|antispyware(c|d)))|m(errychristmasdude|i(lehighhomefinder|shkigammy-060809|cro(antiviruslive|1soft-scanner|2soft-scanner|4soft-scanner|6soft-scanner|7soft-scanner))|s(-av-storage-best|scanner-files-av)|y(p(lusantiviruspro|c-secureadvisor)|s(afecomputerscan|ystemprotection|pyware-scanner2)|computer(online0(3|4|6|7)|winscan2|update01)|-computer-scan43)|a(l(ware(s(destructor|eradicator)|protectionz|examination)|icioussiteblock)|rijuana(vaporizer|wallpaper)|ilserver-updates)|oviesindependence|u(seum-mputantular|ltimedia(homesoft|softmore))|cafeevirusremover)|t(h(e(-(spyware-review|best-antivirus|experts-review)|valentinelovers|healthisgoldcom|greatdadventure|antyspywaretool)|is-is-protection)|r(ust(edwebsecurity|scan-onmyzone)|yantivir-scanner|ansportvirustool)|o(olswebstoragecom|pmultimediaworld)|eflonhealthhazard)|h(o(t(-pornotube-2008|el-wizardcenter)|me(-antivirus2010|anti(-virus2010|virus-2010)|madesandwiches|softwareonline)|wtosecyourpcsnow|ldonyourzonescan)|ypnoticacolectiva)|u(serpaymntdownload|pdateyoursecurity|liboktebededmakar|tilitiesdiscounts|nitedsafetysupply)|a(nt(i(spy(ware-(pro-dl|center|engine)|interactive)|v(ir(alscanner14|us(-(live-(pro|one)|pro-(2010|live)|scanner6|online-(2|5))|p(rotector|c-update)|scan(nerv9|store))|-(my-pc-scan|scan-my-pc))|rusfreescan0(1|2|4|7|8)
)|malwarescanner|terroralliance|-(spyware(-scann|center)|viruspro-2010))|y(detectivewares|operativewares))|d(wareprofessional|van(edspywarescan|cedpcscanner(2|3|6|9)))|v(-plus-pay-online|protectioncenter|isuallandscaping|ailablemediamore)|1-(mortgage-finder|tramadol-online)|gro-files-archive|ll(securityshields|digitalchannels)|pplicationairline|k-networkcommerce|wardantivirusscan|ctivate-antivirus|ttention-scanner3|mazingsupersocial|utoactionsoftware)|b(e(st(a(nti-virusscan|ddedantivirus)|netcheckonline|s(ecurityupdate|tabilityscans)|computerscanv7|-(folder-scanv3|antimalware-1|wishes-design)|parishotelsnow)|llevuemultimedia|comemybestfriend)|usiness-grants4-u|a(sicsystemscanner|ltimorecrashpads)|nbsuubtvvsyy4ndvg|il(ling365solution|giseldershanesi)|l(ue(starmultimedia|greenallegator)|oggingforsuccess))|c(o(mputer(onlinescan|jobsportal|codeplanet|-scanner(02|12))|urtsecuritygroup)|heck(-ms-antivirus|mypcantivirus|recentupdates|windowsupdate)|a(s(tsecurityshield|hmandevelopment)|rtsandhandtrucks|mpinglesbruyeres)|rusade-affiliates|lean(-safe-gateway|viron-mypc-pc)|ustomizeyourstory)|f(orwardpatchplayer|u(llsecurity(shield|action)|tureshortsonline)|re(e(securityonline|-blackjack-4-u|antyviruspills)|nchpropertyshop)|i(delitytitletexas|r(st-aid-software|emultimediazone))|a(st(s(canandprotect|earch-protect)|loadmultimedia)|cilicaresavannah)|lashplaginsmirror)|p(r(o(anti(malwarescan|virusscanv(3|2))|downloadmanager|tect(i(on(updates2|-check07)|ve-program)|yourpc-now(1|x))|-2in1-securityh|per(0antispyware|6antispyware|7antispyware|8antispyware|9antispyware)|spywarescanner(1|5|7|8|9))|ivacy-tools-pack|eciousmultimedia)|c(-privacydefender|antispyware(-2010|20-10))|uttsoftwareupdate|er(fect(uninstaller|-security11)|sonal(foldertest|guard-2009))|ayment-solution24|owermediautilites)|s(p(yware(fighter2009|detect24pro|-remover071)|acetrafficsafety)|o(ft(sales-discount|ware(listfinder|-updatesv6|marketsite))|mefilesportalnow|cialsecurityscan)|e(cur(e(d(liveuploads|websafesurf|scan
toolspc)|softwarebill|winupdatesv3)|ity(helpcenter|onlinesite|pcscanner2|bestonline|centertool|tool(s(click|exist|store|today)|player)|softwaree7|0(10scanner|20scanner|30scanner|40scanner|50scanner)))|ekprotection2009|tsoftwaresupport)|wiftsafetyexamine|ystemsecurity(line|site)|a(fe(internettoolv1|transferonline)|vecedarcreekpark|ratogasteakhouse)|lk-softwareportal|can(spywaresonline|online(-protect|pharmacy)|4virus-onlin(e(a|d|t|w)|ne))|uper(driverblogcom|safetysystems|billingsystem|protectionact)|t(o(reyourimagehere|p(-smoking-today|warsintheworld))|reammediastorage|a(ndartmultimedia|rtechmultimedia)))|w(o(kutonoken-online|rldsoftwarestore)|eb(browsersecurity|-(safe-and-clean|virus-scanner1))|in(pcantivirus2010|d(ows(pc-defender|-(pcdefender|update20(10|20))|s(ystemsuite|p3download))|esktop(defender|security)))|ait-for-scanning2)|your(valentinepoems|netcheckonline|addedantivirus|designservices|s(afetyservices|tabilitystudy)|tireprotection|pcbestdefender)|e(asy(netcheckonline|addedantivirus|removeviruspro)|litedigiscrappers|x(ecutive-officers|pressmediaplugin|cellentesecurity|trassecuritysite))|i(n(etsecuritycenter|fosecuritycenter|itpcsecurityscan|sta(ntebusinesses|llprotection2)|vestmenttooltips|te(grity-groupsvc|r(auto-shippers|net(-scanner41|hostingdns)))|digosecurityshop)|willhavesexygirls)|r(apid-antivir-2009|e(mo(ve-(ie-security|virus-alarm)|delclarksville|te-pc(-scannerv|1-scanner))|gistry(cleaner911|repairsite|doktor2009))|o(oftopsfordollars|llingwithrubicon)|ussiancharityfund)|quickstabilityscan|online(s(ecurityhost|afesoftware)|-(pro-scanner|best-scanv3|tooth-fairy)|antispyworld|centralstore)|g(irlteenxxxfreemov|et(antivirusplus09|freemediaplugin)|reat(s(tabilexamine|afetysystems)|esecurityshop)|df4fsf46hgfesdfu5|lobaltechsoftware|oldhostingservice)|x(xx(-movies-central|toywebsitecheap)|presscanon-yourpc)|d(ownloadfixandlove|iabolus-in-musica|e(fen(seinteractive|derwebadvisor)|lete-all-virus0(1|3|7|9)|signsoftwaresite)|riverupdatesystem)|ke(epuptodatesys
tem|yboard-mouse-fun)|l(astshanse26032009|i(ttleboxcreations|vepaymentssystem)|ovingliferetreats)|visacardpoorcredit|n(o(chedebuenosaires|rdamerika-invest)|eoinvestmentgroup|itro-antispyware(a|c|d|t))|005threats-scanner)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637352; rev:9;) # sid 2637353 includes 321 (0 - 321) 19 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.com)"; content:"|13|";content:"|03|com|00|";nocase;within: 22;pcre: "/(a(nt(i(malware-scanner|v(ir(us(360remover|livescanv3|-(xppro2009|2009-ppro|scan(-2009|nerv(6|9))|wizard-(d5|e6))|es-for-all|s(yspro2009|cannerv10)|freeonline|doktor2009|quickscan(3|5|2)|xppro-2009|contraviro|0(10scanner|30scanner|50scanner|70scanner|90scanner))|-scan-online)|rus-freescan0(1|2|4|7|8))|s(py(-scan-4freee|w(are(-(for-all|systems)|onlinel(1|8))|orldwideint))|spywarescenter)|-virus(security3|-p(ro-2010|lus201(1|2))))|y(spyvarescanshop|virusinstrument))|l(l(s(oftwarepayments|ecuredpcshields)|internetfreebies)|ternativeviagra4u|imonionasertosado)|d(dedantivirusstore|van(cedvirscanner3|edprovirusscan))|bout-home-security|ut(horized-payments|obargainsnetwork)|fxsecuritysoftware|resgalaxydownloads)|b(e(st(anti(spy(wares(can|oft)|soft2010)|virus(check2|scanv8))|-(security-tools|virus-scanner(4|6|5)|antispyware-11)|multimediaworld)|llwetherlabradors)|l(uevalentineonline|ogsexnakedgirlxxx|ackhatcodebreaker)|a(sic-security-scan|dwareexterminator)|rowsersecurityinfo|iosecurityservices|ordersecuritytools)|li(teantispywarescan|ve(-payment-system|internetupdates|antivirusinfov2|timevirusscaner))|c(anadasfinestplants|h(e(ck(onlinesecurity|-for-malwarev3)|mistsonlineworld)|aritycashlessbanc)|o(untedantiviruspro|ntinental-systems|me-face-the-truth|operativeunionesp|llectible-trading)|lean-all-spyware(0(7|3)|10))|f(u(nnyvalentinessite|ll(virusprotection|antispywarescan))|ast(antimalwarescan|-scan(ner-av-pro|-
your-pcv3))|ree(onlinehostguide|antivirusplus09|-scan-antivirus)|dheropytrqazepisak|lashsettingsonline)|g(reat(s(alesavailable|ecurityshield)|valentinepoems|es(tnamesonline|ecuritytoday))|lobal(securityscans|zoneprotected)|o(ldeninternetsites|-search(protection|andprotect)|tomyprotectedzone|odsoftwarestorage)|c4fg456hfghfss6sg4|et(antivirusplusnow|livebasketballtv))|r(e(laydownloadupdate|move(-(system-guard|all-adware06)|allmalwarenow)|al(antivirusplus09|-secure-payment)|gistryeasycleaner|centbaseupdatesv6)|o(fl-wedding-toasts|ute1eventservices|yalprotectionscan)|un(1-antivirus-scan|3-antivirus-scan|5-antivirus-scan|7-antivirus-scan|9-antivirus-scan))|p(ro(-antispyware2009|tectionsystemlab|malwarescannerv2|internetdefence2)|o(werdownloadserver|rn-movies-central)|er(sonal(cleaner2009|de(luxeguard|tailsinfo)|-guard-2009)|formspywarescan5|manentgoodazmark)|u(rchase-clonazepam|blicsecuritygroup)|c(-anti(malwaresuite|-spyware2010|spyware(-2010|20-10))|anti(-spyware-2010|spyware-20-10))|aysoftbillsolution|harmasyspaceonline)|m(a(lware(defender2009|professional|-doktor-2009)|ture-sperm-lovers|nagement-overview|rijuanavaporizers)|y(f(irstsecurityscan|reeantyviruspill)|bestantivirusplus|computer(s(canner1(1|5)|virscan2)|-scanner(a|p)|livescan2|proscan11|threats(03|1(1|5))|updates0(1|6)|antispy04)|system-protection|-computer-check(01|15|24))|iamicaraccessories|oviedownloadaccess)|s(ta(bility(scandirect|onlineskim)|rmultimediagroup)|a(meshitasiteverwas|tisfatcionvulture|nta-christmas2010)|e(cur(edvirusscanner|ity(-(components|softwareo(5|7|9))|examination|onlineworld|codereviews|t(hreatalert|ools(filter|listed|quotes|thanks))))|arch-systemshield|negalinfoservices)|upersearch20090330|vseducationcollege|oftwarepackagelist|mart-(phone-reviews|2-antispyware|3-antispyware|7-antispyware|8-antispyware|9-antispyware)|isters-try-strapon|ystem(searchandscan|pc-scan-check|restoreupdate)|py(seraser-security|waredestroyerone))|o(nline(updatessystem|virusbusterv2|bestscannerv3|-scanner-free
)|utdoorindependence|fficialsoftwarelab|ceanicbk-ng-online|hioautoshippersllc)|i(n(itialsecurityscan|doseasenterprises|gloriousbastardsx|ternet-antivir(us(4|9)|0(22|33|44)))|mgesinstudioonline)|t(he(best(securityspot|antispywarei)|truesecurityscan|legallywildbunch|pascoedifference|stabilitycontrol|dynamicstability|multimediaplayer)|r(ustsecurityshield|iton-friendlyclub|yantivirusscanner|affic-filter-201(1|2))|exaswhitetailfever|o(talcomputerscan12|pantimalwarescan5))|xxxtube-for-xxxtube|h(ypersecurityshield|o(me(-anti(-virus2010|virus-2010)|anti(-virus-2010|spywarescan))|ld(-onyourzonescan|on(-yourzonescan|your(-zonescan|zone-scan)))|wtoscanforviruses)|d-mature-pornfilms)|k(xc-softwaresportal|amarilloskukarekas)|un(iversal-antivirus|dercoversquilting)|v(irus(destroyerboost|protection(soft|tool)|treatmentforpc|eliminater2009|identifycenter)|alueantivirusshop1|ostravauxcleenmain)|you(cityesdrugstores|r(firstpaydayloan|s(upplements4you|ecuritynetwork)|-pc-protection2|legalprotection|multimediagroup|pcbest-defender))|d(o(wnload(oemsoftware|fixandlove1|-free-files|serialcrack)|roszewicz-clausen)|jkksdjfkkldjslkdfj|elete-all-virus-33|iscovertotalhealth)|e(xe-web-development|litesecurityonline|vents-team-manager)|n(atural-barleygreen|jsdjl4bdjsa7t78dsf|e(twork(maniasecrets|stabilityinc)|wadvancedsyscheck))|jo(in-the-poker-room|nebrosengineering)|w(eb(masters-paradise|-virus-scanner11)|in(dows(securityinfo|-systemguard|protection-(9|8))|softwareupdatev2|agreatprizetoday)|arning(malwarealert|spywarealert|virusspreads)|orthathousandwords)|1worldupdatesserver|09computerquickscan|quick-antimalware-2)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637353; rev:9;) # sid 2637354 includes 256 (0 - 256) 20 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.com)"; content:"|14|";content:"|03|com|00|";nocase;within: 23;pcre: 
"/(l(ive(antivirus(scanner|proscan)|timesecurityscan|-computer-scanb2)|akekeoweerealestate)|a(nt(i(-(malware-scanner|spyware-scan-v1)|spyware(fastcheck|pcscanner|s(canner(v9|08)|oftware2)|downloads|-(products|scanner2))|v(irus(-(xppro-2009|components|scanner-v1|free-tools|promo-scan)|quickscanv1|pcscannerv(1|7)|doktor-2009|filter-zone|onlinescan6)|rus-free-scan0(1|2|4))|malware(masterpro|scanner(v9|-7)|-software))|yvirusservice(site|blog))|ctivesecurityshield|d(dedantivirusonline|v(isorywebcentercom|ancedvirusremover))|llianceleicester-bk|rgentmarketingtools|mericanautobargains)|o(nl(ine(pcvirusscanner|brandsecuritys|safetyscansite|-s(ecure(-scanv7|scanner)|oft-payments|ystemscanner))|yfreeoffersonline)|fficesecuritysupply|utofcontrolproducts)|t(otal(virusprotection|antispyware2009)|he(-crack-(area-4free|zone-4free)|essentialresource|freeantyviruspill)|r(ichurcricketonline|ojaner-doktor-2009|adeexchangenetwork))|m(a(zdaautomotiveparts|l(ware(liveproscanv1|antivirusscan)|iciousbaseupdates)|quinaslitograficas)|s(-antivirus-storage|scan-files-antivir)|y(co(ntraadwareonline|mputer(-scanner1(1|a)|totalscan2))|machinedefenderpro|antispywarecheck(1(7|1)|0(7|0)))|e(sothelioma-abestos|dicalmarijuanablog)|o(netaryunitsoftware|vies-hidden-places)|istresslorisdungeon|ultimedia(flvservice|helpcenter))|w(i(relessvalentineday|n(dowsxp-reparieren|ningantivirusscan|securityupdatesv2))|orld(-payment-system|bestonlinescan(5|9)|searchassistant)|ellingboroughportal|arningmalwarealert(2|5))|b(r(eakingfreemichigan|ows(ersecurityaddon|inginternetcafe))|e(st(countedantivirus|-s(afety-software|ecurity-scanv8)|internetoverview|spywarescanner(05|1(2|5))|antyvirusservice)|nnysaintscathedral|wareofvirusattacks)|uy-(levitra-cheap-4u|internetsecurity)|l(ogsoftwaredownload|ackwater-ironworks)|asicsystemscannerv(3|6|8)|i(llingsecurepayment|gdownloadboxessss1))|d(e(sktoprepairpackage|pressionstresspain)|igitalimpressionist|ns(protectionservice|serverbackupzones))|re(m(ove(spywarethreats|-(a(ntivirus-
360|ll-pc-adware)|spyware-guard))|inisceproductions)|gistry-doktor-2009|almultimediaonline)|f(ull(andtotalsecurity|securitydefender)|ast(-s(canner-4pc-pro|earchandsecure)|nofaxpaydayloans|search(andprotect|protection)|guardcleaneronpc)|ree(antispywarescan2|-(webhosting-plus|spyware-cleaner)|internetvacation)|i(n(d-u-that-mortgage|alspywarescanner(0|1|4|7|9))|beropticinstrument)|lashmediaoriginsite)|your(countedantivirus|zonebestdefender)|s(can-antispyware-4pc|e(cur(e(dpaymentsystem|-(safe-download|plus-payments))|ity(onlinedirect|s(hieldcenter|caninternet|upplycenter)|designonline))|arch-systemprotect)|martantivirusplus09|uper(-antiviral-scan|safetysolutions)|pyware(fastscannerv(6|9)|remov(ediretto|alguides))|oft(ware(premiumstore|alertprogram)|-scanguardmyzone|scan(-guardmyzone|guard(-myzone|my-zone)))|afe(tywirelessonline|hostingsolutions)|doosdne774bsd3s83bn|y(camorecanyonschool|stem-searchandscan)|tabilitytoolsonline)|c(licksmanagementscom|dcdcdcdc2121cdsfdfd|o(re-guard-antivirus|okingwithmarijuana|mputer-antivirus03|ntrolmovieutilites)|reditcardsunsecured|ustomsecurityonline|heck-threats-online)|u(p(dates(erversoftware|oftwareserver|centralsystem)|todate-your-system)|n(securewebsiteblock|itedbankofmalaysia))|i(n(te(rnets(afebrowsing|ecurityscan)|l(inet-dll-repair|-z(1-antispyware|3-antispyware|5-antispyware|6-antispyware|7-antispyware)))|surance-4-your-car)|m(mobiliare-ruscigni|portacionesenergia))|n(akedfridaydresscode|e(tbusinessmarketing|w(-systemprotection|freeantyviruspill))|ortel-antivirus-pro)|v(ir(us(softwareremoval|-quickscan-2009)|tualsecuritycheck)|oyageurscowansville)|h(ead-trauma-resource|ighmaintenancemusic|armonhomeinspection|ome-anti-virus-2010)|p(a(in-relief-tramadol|radise-lost-island|y-down-my-mortgage)|ro(antispywarescanv3|tect(mycomputernow|yourpc-(againx|fastsx|todayx))|jectbasedbrowsing)|ersonal(onlinescanv3|folderscanv2)|owersystemstability|c-anti(-spyware(-2010|20-10)|spyware-20-10)|ick-blocked-buddies|xcallcentercareersx)|g(izliilimler
hazinesi|etyoursecuritynowv2|lobalfreemultimedia|oldenhillsroseville)|j(o(urnalist-adventure|in2bestsecuritynow)|ennifer-hudson-site)|e(x(e-soft-development|press-transporters|trassecurityonline)|ffects-of-marijuana|lectronicwebbilling)|kingfamilyphotoalbum|qualityflashsettings|zimmermannindustries|2010-antivirus-scan(a|h|m|n|v))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637354; rev:9;) # sid 2637355 includes 234 (0 - 234) 21 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.com)"; content:"|15|";content:"|03|com|00|";nocase;within: 24;pcre: "/(a(nt(i(malware(proscanner|guard-plus|onlinescan|-scannerv2|scanner-v(2|4))|vir(us(-(xp-pro-2009|av-ms-check|quickscanv5|doktor-2009|fast-scan0(1|2|4|5)|promo-scan(1|9))|onlinescan(v(2|9)|03)|folderscanv5|protection(01|11|22))|-scanner-ms-av|scanmycomputer)|spyware(proupdates|-scannerv3|livescanv5|totalscan(5|8|9))|-virus-(xp-pro2009|scanner0(51|71)))|yspyvarescanonline)|ll(-software-payments|filesstoragecenter)|dvanedmalwarescanner|r(ch-grandsoftarchive|ticlecentralstation)|1(-thesisdissertation|plastic-storagebins))|l(i(te-antispyware-scan|vrariacrescendonafe)|earnwholesalesecrets)|f(a(st(-(antimalware-scan|search(andprotect|protection))|search-protection)|llsmediaproductions)|r(ee(portalsoftwarenow|-(sexy-porn-videos|antivirus-engine)|an(tyviruspillsite|alsextubemovies))|aternidadsinaloense)|ederalreserve(-(direct|online)|bank-(al|nc|sd))|orumsoftwaredownload|irstspywarescannerv1)|s(e(cur(ity(-check-center|s(oftwarecheck|cantool(guide|world))|test(available|netonline)|bugfixupdate6)|e(billingsoftware|d-virus-scanner|personalscanner))|rv(icenetworktoolcom|ertransporternews))|oft(ware(updatessystem|support-group|download(audio|intel))|portal-extrafiles)|can(stabilityinternet|-virusremover2009)|y(stem(internetupdates|securitysupport)|mlabssoftwareupdate)|uper(-scanner-av-soft|b-antivir-scan01)|p
ywareprotectionsite|df388fsh6767fsbb4ba7)|d(ownload(antivirusplus|systemcleaner|-secure-files)|ubaialuminiumcompany|efenderbaseupdatesv2)|i(n(ternet(safetyexamine|antivirusplus|downloadstore)|vestmentallianceltd)|dentitysecuritysuite)|p(c(antimalwaresolution|-anti-spyware-20-10)|r(o(antivirusscannerv2|fessionalblackbook)|ivatevirusscannerv(8|2|5))|arade-float-supplies|-c-anti-spyware-2010|ersonalpurchuasesite|ower(-virus-scannerv2|toolsproductions))|t(o(tal(-virusprotection|weightlosscenter)|p-antispyware-scan(0|9|8))|he(trueshiledsecurity|-best-poker-online|neworderoftheworld)|eflonlawsuitattorney|r(opicalplantparadise|ustedmicrosoftscan2)|u(ggingonapronstrings|bepornvideoethebest))|n(etworkstabilitytrace|ow-software-download|anoprotection-scan0(1|2|4|7|9))|r(e(move(-(total-security|winpc-defender)|virustoolonline)|gistry-cleaner-2009|finance-lead-online|al(bestantivirusplus|mediaplayerdirect)|par(ation-windows-xp|er-windows-vista))|ofl-wedding-speeches)|o(nline(virus-scannerv2|filesviruscheck|anti(virusscanv4|spywareremo)|-(s(oftware-store|pyware-(scanl8|killl8))|antispyware611)|personalscanner|s(ecur(escannerv3|ityscanv15)|oftwarebilling))|urbestsecurityshield|perasoftwaredownload|rder-software-online|emsoftwarediscounter)|w(eb-programmersportal|orlds(cheapestwebhost|bestantivirscan)|indows(ultimate-guard|-protectonline)|atchesjewelryfashion)|b(e(st(buysoftwaresystem|contraadwarestore|s(erverdefenderpro|canantispywarev3)|-poker-tournament|foldervirusscanv3|antispywarescanv4)|xtralawsuitattorney|hindtheshadowonline|wareofvirusattacks3)|ursa-smart-transport|londiespizzasunriver|ooikingaccrosseurope)|c(ityesdrugstoressuper|entralamrecanculture|o(mputer(on-linescan0(3|4|9)|-protection(03|23|-(1|2|7)))|rporatebarteronline)|rystal-pro-antivirus|anadauniversitypress)|vi(llas-cyprus-larnaca|deo(toflashconverter|producedsoftware))|e(a(sy(contraadwarestore|serverdefenderpro|versusadwarestore)|rthsoftwaredownload)|lectronicbillinghost|xplorersecuritysuite)|m(y(o(pposingadwa
restore|nline-casino-guide)|serverdefenderstore|computersecurescan2|tha-epaycentertrend)|arijuanascreensavers|u(ltimediaarchivedata|sicplayer-downloads))|your(contraadwarestore|serverdefenderpro|browserprotection)|1stbest-online-casino|j(ancollegeofeducation|ohnhamrickrealestate|ustanotherwebhosting)|g(amessoftwaredownload|lobalsecuritymonitor|reatpeopleoftheworld|et-spyware-destroyer)|83892jhasld4bkjbaskdj|h(omepersonalantivirus|elpyourpcsecuritynow)|quick(-virus-scanner0(1|2|7|8)|selectmultimedia|0-antivirus-scan|2-antivirus-scan|4-antivirus-scan)|u(s(-business-shop-2019|tintimberlakestream)|p(datedownloadcenter2|rightfireprotection)|niversallogisticsltd)|001yourprivatescanner)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637355; rev:9;) # sid 2637356 includes 111 (0 - 111) 22 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.com)"; content:"|16|";content:"|03|com|00|";nocase;within: 25;pcre: 
"/(l(iteantispywarescanner|eading-antivirus-scan)|a(nti(spyware(liveproscan|-components)|-malware-live-scan|virus(onlineproscan|bestscannerv1|p(aymentsystem|remiumscanv2)|folderscanner|-scan-wizard(a|c|d|e|f))|anxiety-clonazepam)|rkansastrackofficials|parthotel-bellehelene)|s(tabilitysolutionslook|pyware(-(protector-2009|online-remover)|folderscannerv2)|ecur(e(d(antivirusonline|virusproscanner)|-virus-scannerv5)|ity(scantooldirect|toolsavailable))|oftware(downloadcounts|addonsuploadv3)|mart-antivirus-online|can-your-computer-now)|t(otal(malwareprotection|securityscannerv3)|r(adeshowdisplaysystem|ustsusyem-protection)|herealsecurityshields)|p(r(o(systemonlinescanner|pertysearchlistings)|ivatesecuredpayments|emium-antispy-scanv(3|7))|la(tinum(securityupdate|hostingservice)|yersoftwaredownload)|urchuaseonlinedefence|cfastest-onlinedefend)|in(ternet-(antivirus-pro|mortgage-loan|free-webgames)|diansoftwaredownload|sideout-construction)|online(s(tabilityscanada|pywarescannerv3)|proantivirusscan|internetpayments|-spyware-remover|antimalwareworld)|re(move-spyware-protect|gistrycleanerreviews)|c(reampie-olders-orgies|heck-your-pc-onlinev3|omputervirusscanner31)|1(bestprotectionscanner|computeronlinescanner|st-texas-holdem-poker)|d(ownloadsoftwareserver|avajtemnedenegsejchas)|n(arrowroadpublications|ewcellphones-overview)|y(ou(r(securitydisability|contraadwareonline|m(achinedefenderpro|edicinelaboratory))|-were-not-like-that)|ahoo-account-services)|b(est(contraadwareonline|machinedefenderpro|-world-celebrities)|huvanapharmaceuticals|u(talbital-is-fioricet|y-car-insurance-4-us))|e(asy(contraadwareonline|machinedefenderpro)|xp(lorersecurityhelper|atraite-visa-office))|m(y(machinedefenderstore|opposingadwareonline|s(erverdefenderonline|hadowofyoursecurity)|computer(virusscanner|onlinescan(0(4|8|9)|11)|totalscann11))|icroantivirusscanner(1|2|6|8|9)|ohammedistechnologies)|w(eightloss-pills-4sale|indows(protectionsuite|defenderupdate5|enterprisesuite)|orldbestonlinescanner)|keoweej
ocasseehartwell|f(ree(-security-software|antyviruspillstore)|uck-celebrities-movie)|justintimberlakestream)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637356; rev:9;) # sid 2637357 includes 104 (0 - 104) 23 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.com)"; content:"|17|";content:"|03|com|00|";nocase;within: 26;pcre: "/(a(nti(malware(-(pro-scanner|online-scan|live-scanv3)|internetscan|s(uperproscan|ecurescanv2)|proscannerv(8|9)|onlinescanv4)|virus(-(av-ms-checker|pro-live-scan|live-software)|websitereviews|forcomputrerv5)|spywareupdatesystem|-virus-professional)|glifestylesmarketplace|vansystemsecuritystore|micableresolutionsintl)|b(est(antispywarelivescan|-(antivirus-s(olution|ecurity)|life-insurance-4-u|mortgage-leads-4-u)|opposingadwarestore|serverdefenderstore)|uy-adipex-prescription)|o(nline(-(pc-virus-scanner|secure-scannerv2)|antispywarescanv6)|pen-an-ty-spyware-pill)|l(i(te-anti-virus-scanner|veantivirusproscanner)|e(galizationofmarijuana|hmanbrotherbankruptcy))|p(ro(-anti(malware-scanner|virus-scannerv2)|tectionsystemupdates)|hysicssoftwaredownload|urchuaseliveprotection|xcallcentercareersx333)|f(jfnfnfnaaswwospotyacai|ree(-antispyware-system|anty(spysoftwarepill|viruspillonline))|older-antivirus-scanv1|lashplayerpluginonline)|t(otal-malwareprotection|ractors-agiaffairs-ltd)|re(move-malware-defender|staurantemiguelcerdan)|m(a(lware(liveproscannerv1|-live-pro-scanv1)|x-antivirus-security(4|5|6|7|9))|edicalquestionsanswers|icroantivirus-scanner(0|1|3|5|9))|n(e(tworkstabilityexamine|wshadowofyoursecurity)|azionalepugilifootball)|s(ecur(e-(center-antivirus|antivirus-scanv3)|itysoftwarewebsite)|oftwaredownloadinstall|hadowofyoursecuritynow)|virtualinternetsecurity|d(ownloadsoftwareserver(3|4)|a(ta-recovery-usb-drive|ds-sperm-in-daughters)|iscoverwellnessweekend)|e(asy(opposingadwarestore|serverdefenderstore)|lectronicssense-s
earch|nergiagrowthstrategies|bay-purchaseprotection|xcellenthostingservice)|your(opposingadwarestore|serverdefenderstore)|24-7-free-online-casino|4sale-spanishproperties|j(2-ssl-account-commbank|ustthingsyouneedtoknow)|c(ollegeeducationacademy|apitalofficeautomation|rusadesecurityservices)|in(dustrialsteelshelving|te(r(activeindependence|n(et(protectioncheck|-antivirus-scan)|ationalbrandimage)|hostingservicesnet)|llectual-vir-scan0(8|9)))|w(orldbestonlinescanner2|indowsantivirusserver2)|growingmarijuanaindoors)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637357; rev:9;) # sid 2637358 includes 82 (0 - 82) 24 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.com)"; content:"|18|";content:"|03|com|00|";nocase;within: 27;pcre: "/(a(nt(i(spyware(-scanner-2009|updateservice)|virus(-pro(tection-kit|mo-scanner3)|licensepurchase|folderscannerv5)|-malware-live-scanv3|malwareaupdateserver)|yoperativewaemergency)|d(vanedpro(malwarescanner|spywarescanner)|ipex-weightloss-online)|1-online-masters-degree)|c(o(mputeronlineproscanner|nference-professionals)|reatefinancialstability)|online(proantispywarescan|-tramadol-pharmacy)|p(cantivirusscanneronline|urchuase-onlinesoftware|owerfulvirusremover2008)|f(ast(-antimalware-scanner|securityupdateserver)|ull-antispyware-scanner|olderantispywarescanner|reeshadowofyoursecurity)|s(can(ner-antispy-av-files|yourcomputeronlinev1)|uperiorinternetsecurity|i(ntellectsecurityshield|mpsontrainingsolutions)|tudentcreditcardissuers|oftwaredownloadfestival|e(cur(e-spyware-scannerv3|ity(folderprotection|softwareinternet))|e-the-live-block-stats))|qualitycollisionbodyshop|internet(safebrowsinghelp|antivirus(scanner|proscan)|passwordrecovery)|b(est(machinedefenderstore|opposingadwareonline|serverdefenderonline|personalprotectionv(2|7))|uy-life-insurance-cheap)|e(asy(machinedefenderstore|opposingadwareonline|serverdefenderonli
ne)|z-master-degrees-online)|your(machinedefenderstore|opposingadwareonline|serverdefenderonline)|1st-credit-cards-issuers|tr(adeshow-displaysystems|ufficseovciezlocovnert)|g(d453gd5ybfd4vbd4gdsssb5|rowingmarijuanaoutdoors|oogle-statistics-uk-two)|l(iveantimalware(scannerv3|proscanv2)|e(ading-antispyware-scan|-king-de-linformatique))|m(a(lwareinternetscanner03|x-(bounty-block-checker|antivirus-security(11|22|55|77))|rketingtechnologymaven)|icrosoft-server(1-update|2-update|3-update|4-update|5-update))|w(indowsprotectionupdate4|eb-information-services)|digital(multimediaservice|protectionservice)|registrycleanersreviewed)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637358; rev:9;) # sid 2637359 includes 40 (0 - 40) 25 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.com)"; content:"|19|";content:"|03|com|00|";nocase;within: 28;pcre: "/(p(r(emium-antivirus-defence|ofessional(malwarescanv7|spywarescanv8))|owerfullantivirusproduct|erfect-mortgage-lead-4-u|ittsburgh-trade-alliance)|m(alwareprosecurityscanner|obile-an-ty-spyware-pill)|1antispywareupdateservice|a(nti(virus(onlineproscanner|-(online-pro-scan|powerful-scanv2))|malware-online-scanv3|spywarecomputerscan01)|dvanced(-virusremover2009|virus(-remover2009|remover-2009)))|greats(tabilitytraceonline|ecuritytestinternet)|re(move-ultra-antivir-2009|parer-internet-explorer)|s(ecur(e(donlinecomputerscan|-antispyware-scanv3)|itytestinternetguide)|oftwaredownloadlicensing)|in(ternet(-explorer-cleaner|protectectionscan)|dustrial-drum-equipment)|w(ebcontentdistributioncom|indowsenterprisedefender)|fremontdigitalphotography|bestma(chinedefenderonline|lwareinternetscanv4)|easymachinedefenderonline|nationalmediterannee-auto|onlineproantivirusscanner|c(omputer-antivirus-scanv9|afeinternationalcatering)|you-blocked-me-now-suffer|digitalmultimediasoftware)/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2637359; rev:9;)

# ---------------------------------------------------------------------------
# Reviewer notes on the generated rule template (they apply to every rule
# in this group; the rules themselves are unchanged).
#
# Layout: each rule is preceded by a generated "# sid ..." comment and alerts
# on UDP traffic to $DNS_SERVERS port 53 from any source that is not in
# $SMTP_SERVERS or $DNS_SERVERS.
#   content:"|NN|"         one byte equal to the label length named in msg
#                          (|1a| = 26, |03| = 3, ...).
#   content:"|03|com|00|"  the "com" label followed by the zero terminator;
#                          nocase and within are written after this content.
#   within: L+3            always the label length L plus 3.
#   pcre                   case-insensitive alternation of the listed names.
#
# NOTE(review): the first content is a single byte with no offset/depth, so
#   it can match that value anywhere in the payload, not only at a
#   label-length position.
# NOTE(review): the pcre has no anchors and no relative (R) modifier, so it
#   is not tied to the bytes located by the two content matches; a listed
#   string appearing elsewhere in the query (for example inside a longer
#   label) would satisfy it. Confirm whether that looseness is intended.
# NOTE(review): "|03|com|00|" is 5 bytes and starts L bytes after the length
#   byte, so it ends L+5 bytes after the first match, while within is L+3.
#   If the engine requires the whole pattern to fit inside the within
#   window, a query for a listed name would not match - verify with a test
#   capture before relying on these sids.
# NOTE(review): only UDP/53 towards $DNS_SERVERS is inspected; DNS over TCP
#   or to resolvers outside that variable is not covered by these rules.
# An alert means a client looked up a name taken from the third-party list
#   cited in reference:url; treat it as a lead to triage, not as proof of
#   infection.
# ---------------------------------------------------------------------------

# sid 2637360 includes 23 (0 - 23) 26 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 26 chars (.com)"; content:"|1a|";content:"|03|com|00|";nocase;within: 29;pcre: "/(a(nti(spywareinternetproscan|virus-protection-tools|malwareonlinescannerv3)|dvanced-virus(-remover20(09|10)|remover-2009))|4(powerfullantivirusproduct|-baccarat-gambling-online)|fullantispywareonlinescane|virusdoctor-onlinedefender|m(esothelioma-settlementnow|icrosoft-windows-security)|online-(cheap-car-insurance|masters-degrees-4-u)|1live(-antimalware-pro-scan|antimalwarequickscnan)|data-recovery-mobile-phone|p(urchuase(-premium-software|premiumprotection)|rofessionalcomputerscanv2)|s(ecuritytestinternetdirect|pywareretransitiondiretto|hadowofyoursecurityonline))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637360; rev:9;)
# sid 2637361 includes 13 (0 - 13) 27 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 27 chars (.com)"; content:"|1b|";content:"|03|com|00|";nocase;within: 30;pcre: "/(computerantivirusproscanner|p(r(ofessionalsoftwareupdates|ivate-antivirus-scannerv2)|ersonal(-antivirus-software|antivirusprotection))|remove-(spyware-protect-2009|ultra-antivirus-2009)|a(ntispyware-online-pro-scan|dvanced-virus-remover-20(09|10))|give-u-the-perfect-mortgage|in(dustrial-storage-cabinets|ternetantivirusproscanner))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637361; rev:9;)
# sid 2637362 includes 11 (0 - 11) 28 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 28 chars (.com)"; content:"|1c|";content:"|03|com|00|";nocase;within: 31;pcre: "/(a(nt(i(virus-powerful-scannerv2|spywareprotectiontoolcom|malwareinternetproscanv3|-malware-internet-scanv3)|ydetectivewaemergencyroom)|rchitecturesoftwaredownload)|1stmaterials-handlingsystems|trichurmanagementassociation|data-recovery-digital-camera|polaris-transportation-group|free-screen-capture-software)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637362; rev:9;)
# sid 2637363 includes 2 (0 - 2) 29 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 29 chars (.com)"; content:"|1d|";content:"|03|com|00|";nocase;within: 32;pcre: "/(adult-tube-for-usa-and-europe|jacksonville-air-conditioning)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637363; rev:9;)
# sid 2637364 includes 2 (0 - 2) 3 character domains in the ".com" top level domain
# NOTE(review): with only three characters per alternative, the unanchored
#   pcre is an easy substring hit in unrelated names; this sid depends
#   entirely on the content/within pair for precision.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.com)"; content:"|03|";content:"|03|com|00|";nocase;within: 6;pcre: "/(lei|41z)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637364; rev:9;)
# sid 2637365 includes 3 (0 - 3) 30 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 30 chars (.com)"; content:"|1e|";content:"|03|com|00|";nocase;within: 33;pcre: "/(signmakingequipmentandsupplies|best-debt-consolidation-online|mega-business-online-shop-2009)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637365; rev:9;)
# sid 2637366 includes 3 (0 - 3) 31 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 31 chars (.com)"; content:"|1f|";content:"|03|com|00|";nocase;within: 34;pcre: "/(best-online-masters-degrees-4-u|international-freight-transport|smallbusinesssecretstomarketing)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637366; rev:9;)
# sid 2637367 includes 1 (0 - 1) 32 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 32 chars (.com)"; content:"|20|";content:"|03|com|00|";nocase;within: 35;pcre: "/1st-mesothelioma-asbestos-lawyer/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637367; rev:9;)
# sid 2637368 includes 1 (0 - 1) 33 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 33 chars (.com)"; content:"|21|";content:"|03|com|00|";nocase;within: 36;pcre: "/casino-on-line-gambling-directory/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637368; rev:9;)
# sid 2637369 includes 1 (0 - 1) 34 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 34 chars (.com)"; content:"|22|";content:"|03|com|00|";nocase;within: 37;pcre: "/world-class-online-casino-gambling/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637369; rev:9;)
# sid 2637370 includes 2 (0 - 2) 35 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 35 chars (.com)"; content:"|23|";content:"|03|com|00|";nocase;within: 38;pcre: "/(4-casinos-online-real-online-casino|exclusive-mortgage-leads-online-4-u)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637370; rev:9;)
# sid 2637371 includes 62 (0 - 62) 4 character domains in the ".com" top level domain
# (the pcre of sid 2637371 continues on the following line of the file)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.com)"; content:"|04|";content:"|03|com|00|";nocase;within: 7;pcre: 
"/(9(cdn|ke8)|t(y(d8|42)|cp3)|wuc(8|9)|lqxw|5(we5|i28)|0dax|1(76r|1qe|8xn)|a(oc8|zm8|l25)|y(s8c|f3e|zzs)|d(v7q|w(wt|sx)|nf5|y61)|s(8m1|e56)|k(xso|azz|p49)|m(09b|10b)|n(sdy|fsx)|c0jm|7te3|2(tgs|3zb)|r(d7y|7n7)|xs8g|ezua|zbea|io7f|q(7sp|vod)|v8dc|bu-v|4(upd|1ac|4fj)|3(45s|18x)|88mw|6(1wg|7pp|6xb)|foo6|p(txk|d41)|oast|jv-s)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637371; rev:9;) # sid 2637372 includes 218 (0 - 218) 5 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.com)"; content:"|05|";content:"|03|com|00|";nocase;within: 8;pcre: "/(3(5(561|mju)|344g)|4(3242|-job|e4en|pppp)|p(towl|djsj|zxz8|jirc|akkw|i(isp|nua))|1(a123|3(opd|spl)|jjhl|77bt|ilhf|69ol|0(gay|y10)|-(adm|upd)|188c)|a(cs86|sd(12|6u)|noze|w(yeg|kxw|awu)|g268|rs-q|loxx|duka|mhes)|j(jckr|x3wg|ud4g|hiri|otya)|w(d(swe|ldt)|opxs|ixww|wlax|gcn8|kald|bavv)|c(u(108|z-i)|d(ju9|fg8)|frsc|sygg|mepi|hkwl|vskr|lxwe|nn08|ysha|ekc2)|v(f(dsa|yte)|dmjl|bfdt|klom|vind|oiew|uicy)|g(osgd|hy67|thju|fr24|zhhy|eo95)|b(hj4w|nret|oksx|gsew|koaf|u520)|d(sews|nfdf|xjyh|o(pxk|inw|xws|fvs)|rjwv|2707|bakd|ddcc|h818)|e(peiy|gu8c|ra3d|tcpn|ddxx)|f(g(67i|ddx|age)|rt7k|sdfe|t5yj)|h(hgg3|jkio|f3y5|ubys)|r(tgma|bckc|ucoc|afwa|efda|o777)|s(3f5n|s-01|qwyt|amkr|peha)|x(boxa|gguy|ompe|wsfx)|z(sde4|bbey|hike|alaa|upde)|i(n(4(c(o|k|s)|s(k|t)|tk|iv)|5(c(h|t)|i(d|v|t)|st))|t3s5|gr5s|uyxc)|0(2sta|314w|5916|7073)|n(h(diw|aej)|mbrx|jpfw|kwxs|0one|utua|ei28)|o(kwit|dltd|pxxw|chak|0w0o)|9(e7fs|9(813|081)|1rpp|down)|l(1j1f|gmin|2707|xwar|nxwy)|m(tsou|jbox|yb88|gema|sr(mn|re)|csdp|m2dc|dwyt)|y(x(dlq|njs)|y12s|omua|inav|t118|hxoo|83h2)|5(l2o8|1(6my|se8|yes)|78la)|2(4dat|7pay|u264|6044|1npc)|866pp|q(8588|sjyy|lzwg)|t(es10|csrz|gula|reav|w789)|k(at15|sxwa|is-u|ripw)|7(klik|8195|1709)|uone2)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637372; rev:9;) # sid 2637373 includes 296 (0 - 296) 6 character 
# domains in the ".com" top level domain
# (the line above closes the generated "# sid 2637373 ..." comment that begins on the previous line)
#
# Every rule in this run is the same generated template; only the label length, the TLD and the
# name list change:
#   header  : UDP to port 53 on $DNS_SERVERS, from any source outside $SMTP_SERVERS and $DNS_SERVERS.
#   content : one byte equal to the label length given in msg (no offset or depth, so any byte
#             with that value qualifies), then the length-prefixed TLD label and a zero byte,
#             matched case-insensitively and limited by within.
#   pcre    : the listed names, case-insensitive, unanchored and without the R flag, so the
#             search is not tied to where the two content matches were found.
# NOTE(review): the three checks are independent, so an alert shows that a length byte, the TLD
#   label and one listed string all occur in the packet, not that exactly that name was queried.
#   Read the queried name from the packet before acting on a hit.
# NOTE(review): within is always label length + 3, but the span from the end of the length byte to
#   the end of the TLD pattern is label length + 4 to + 6 here (.cz, .com, .coms). If the engine
#   requires the whole second pattern to lie inside the within window, the exact "<name>.<tld>"
#   layout cannot satisfy it - replay a known query to confirm these sids fire at all.
# NOTE(review): the .com alternations below hold hundreds of branches and run on every packet
#   that passes the two content checks; presumably that is most .com lookups - measure the cost.
# NOTE(review): DNS over TCP and lookups sent to resolvers outside $DNS_SERVERS are not inspected.
#   The file header says the list is regenerated daily, so corrections belong in the generator.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.com)"; content:"|06|";content:"|03|com|00|";nocase;within: 9;pcre: "/(1(3(5mp3|69zz|00li)|8(6188|lxkl)|23dcy|5l2o8|paket|0gala)|b(nably|a(mrot|rigi)|styjx|ornaz|i(umer|rdab|nd88)|yhelp|ezhyn)|e(qcorn|x(e(316|doc)|odig)|nvate|r(gota|aean|iade)|yeexe|bator|co-av|pilot)|m(gaazz|u(u998|swou)|y(teqw|s(nda|ecl)|erap|lipc)|i(lllk|arci)|o(me(no|yz)|loky))|o(kokss|xdiet|c00co|ughwa|ye777)|3(6(6ent|5ftf|4736)|ttman|3iqst|71777)|g(e(tdew|nwjq|cahe)|a(me(zv|cj)|leon)|o(rodu|ogep)|lousc)|j(ltao8|sjj56|a(trja|yfor)|ejsaj|mpads)|s(p(ylee|a(tsz|mit)|-777)|tased|e(xtds|o-on)|bmb08|o(upay|mnoy)|derfg|mophi|2kill|u(bsul|n(kub|qtr))|sapee|ixife|hilee)|p(akras|i(bidu|nesk)|hrong|tdwrx|rerre|ozeml|cqook)|0(nfind|lenfo)|v(ippif|armer|psvip|erycd|fgtyp|kpriz|csltp)|x(sert5|in(fa8|765)|psweb|k(jrfe|code)|4team|ombag|durex)|7(4(1239|5970)|s(hark|esex)|777(ee|tt|69))|a(88b88|b(dns1|c-pl)|dioro|m(cara|g777|x367|eimx)|gag44|hkjkw|nathe|r(esmu|mtol)|lmfox|tinna|xul13)|u(wgcn8|y(e123|veza)|srv03|kboox|dikey|eopen|-toys)|d(ayrss|e(fstu|ntyx|scin)|umoid|d(ipro|krss)|i(pexe|mage)|ownbt|zadsl|y2004|nusax)|l(eaphe|i(pesr|fe93|tmai)|o(wexe|addd|xmad)|amsa1|u(xexe|flat)|j1tl(i|l)|tlil1|rearn)|r(o(tkid|djer)|e(ione|nlan)|i(pway|bcot|oner)|ascop|ulzan)|w(m5588|1s2d3|o(ptim|yo8g)|ebbob|ww(cfg|ldr)|-opay|bdica)|t(ube(ee|84)|risem|b2car|iaexe|athli|yp(ekn|key)|onset)|z(z-dns|ljtl8|gsysz|nwork|exmad)|h(bsfhg|ppwed|anrss|e(xexe|rwsx|swar)|r-mag|idost|cmdmc)|i(hackr|rate4|n(a(4(c(k|h)|id)|6(iq|co|sk))|b(4(ch|iv)|6(it|sq)))|mpeel|framr|t(iluk|4net)|a-pro|j1tli|babiz)|c(h(lejf|nrun)|bcbag)|y(a7loo|orkza|uesha|bcyyy)|k(o(oloo|puna)|vgrtt|dvcxp|i(rosi|evsk)|uport|aliuz)|n(e(tbob|ztro)|iupan|t(-act|wira)|yu(hh(c|f|h|r|t|u|v|x|y|z)|z(1a|2a|3a|5a))|oloid)|8(07037|49jfg|52159)|f(i(lomo|reee)|r(eett|umin|amtr)|usimu|el(l4u|0ny)|a(kyha|volu)|orety|fsvrs|crazy)|q(iqijs|ccggz|oeirq|b(xq16|zq16))|9(9boxx|53333)|58sese|4(-scan|allns)|2youre|6alava)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637373; rev:9;)
# sid 2637374 includes 462 (0 - 462) 7 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.com)"; content:"|07|";content:"|03|com|00|";nocase;within: 10;pcre: "/(2(mgames|019wyt|u-fuck|tvtube)|s(n(lilac|-gzzx)|i(plank|kkaro|dlife|xlice|ndhpk)|t(a(ts4x|gech)|i(kkso|ggba)|orepc|eggba)|a(thalf|farel|sheen)|hotgol|ulidev|e(xlool|mihow|t(clit|xlif)|dhyof|rdb01)|o(ftmet|l(namu|idws)|mesir)|p(loday|ecipa)|v(ertok|nline)|xserve|l(avik(1|2|3|6|4|5)|owide|wride)|drukap|kynety|wanjin)|a(r(clane|achka|gulmi|ntool|shard)|uctlva|l(leips|m7aba|-soft)|m(-scan|zinas)|d(obeus|slash)|n(et123|jacam|tiaid)|e(rmiso|mtool)|v-cash|b(outav|data1|emauf)|221008|aaaxxx|xdrock|weleon)|r(mk-lgs|-state|scserv|e(d-exe|fsl(st|it))|a(manvk|kerkc|udget)|okobon)|u(t99889|k(ropin|wirex)|pr0306|s(ssakc|-logs|rv10(1|2|3|4)|a-irs)|ygurie|nvirex|eber30)|z(e(tross|uxmad)|honghr|-state|ztools|yujgss|onephp)|c(hildhe|o(kiran|n(scop|feop|ikor)|laran|rclan)|r(u(stat|cism)|azeyt|x-web)|l(i(psno|ckxz)|anazo)|gcream|y(panel|cloro)|e(rt-db|fincf)|ahyvil|ftb-uk|qb-inc)|g(zsyqzx|o(v9988|sscan|to-my|od(712|516))|pdvinc|uardav|e(ninch|mells|ejohn)|hterwa|labmed|swheel|comweb|re(atns|enpl)|atemx1)|l(o(paman|osale)|wstats|eonads|-state|kmpmlm|i(teurl|stven|ftven)|a(bormi|stexe|o7777)|yy-exe|l1tlii)|m(a(c(ride|atte)|aroto|s2009)|mhills|pmaher|i(korki|wcmac|jui1b|polas)|y(sscan|mkans|f2you)|o(fmeta|r(anna|orun)|noreg|salep|lendf)|dflrpp)|w(in9987|j-asys|e(h8dnb|edruk|bmin1)|anggui|-(netex|optim)|nymenu|ldomen|oonhae)|9(4saomm|7feihu|9999pk)|b(a(by178|areeq)|vakjyr|e(idzan|stexe|lmond)|u(m-biz|tirat)|o(omexe|thlok)|yuuhg(n|t|z)|bbboom|i(g(sald|xale|5gun|lard)|teuro)|newage|r(voice|iankc)|de(lles|sata))|v(i(lknew|vabot|ndcar|wterm)|a(fuiek|rmers)|vinrar|s(dftpp|mprot)|unkonf|kitaep|frtssd|odkalv|exmarc)|y(our(lol|got)|a(b(ombs|lozo)|maill)|11der(a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z)|ersfde|hh(h1(7a|9a|a8)|ssz(a|i|o|p|z))|typein|imiweb)|5rublei|n(jihemi|i(g(ht69|sale)|ckpie)|e(glite|tco(de|m3)|rinsk|o-job|swage)|a(bobil|zmins)|bakoff|ovaetc|yuvvas|newage|ct2000)|x(uan666|buzzer|m-cash|-(daily|pager)|xawq10|in(9999|hh20))|f(r(yroll|ostep|udget)|jtiili|o(ustka|liono|xyfis)|071108|a(ckaaa|brugs)|un(aman|oyun)|llcorp|i(l(eden|atok)|vejet)|x-chat|kokids|viejet)|t(a(gdebt|ngopu)|h(evann|ingre)|r(uconv|eeful)|udouwg|tiirk5|o(ng-ji|wnwet)|i(ngcao|kihub|uokan|oplus)|echddi|y(rdssl|tpein|p(true|eley))|m-stat|j1fiil)|o(irooke|dmarco|utporn|ctacet|molayo|tfi(i11|ll1)|n(snote|togen)|lypoos)|q(dvideo|qqrehy|adrock|v(od-50|artzs))|p(-state|ipicom|o(rnneo|nti30|pmpam)|e(stbot|kipug|tdoso)|u(broll|r(ethc|gand))|rufder|tfill1|a(inkee|ntali|thoph))|h(ost800|e(llnax|xhome|rangi)|a(o-duo|ftusa|vvvha|aszap|st-eg)|kzj520|i(hanin|ndger)|u(chinu|lmeux)|sheval|yu111a|lrtfe(k|t|y))|1(23-ptp|39shop)|d(u(rnosy|nered)|jellow|a(mhost|odan8|zinfo)|o(ggody|trpet|cxmad|apost)|2ecars|wlsoft|z-evil|e(ropen|dstar|xlife|viliz)|ikoool)|i(n(gclip|stann)|anndex|riskas|want-x|dllsit|ftwall)|k(e(rchon|ep(cop|lan))|laomta|a(rlast|never|zbegi)|urskoi|nenote)|e(n(drizi|t(rank|osum)|zyman)|achbul|xe(-(box|get)|easy)|ra-exe|uro(gtd|rot)|inrock|lltime|cdrums|molloy|shreya)|4w8loss|8(07037(2|1)|2movie|88viet)|7hacker|j(igfish|u(hh1w(e|f|g|h|j|n|p|q|r|t)|dlife)|1t1iil)|0tfiil1|3-scans)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637374; rev:9;)
# sid 2637375 includes 540 (0 - 540) 8 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.com)"; content:"|08|";content:"|03|com|00|";nocase;within: 11;pcre: "/(t(he(oreon|cowrd)|r(edinsa|a(ff(box|2go)|vicil)|u(ghtsa|esepl)|ypekey)|cpaidui|a(obaoot|kilant|hribat|lmeris)|ds4self|o(p(4scan|scan(3|2))|dolust)|i(anheby|itk(iil|lil)|l1tlli|msmurf)|e(st(-biz|ress)|lleraw|xasref)|u(ttakto|masolt)|ypetr(ie|us))|r(e(g(clean|fixit|sweep)|ycross|dstyar)|a(y4scan|indrip|cder1x|rder1g)|o(asocks|-skill|bo-exe|orbong)|stdeals|nyspece|ube-exe|zasder1|fastnet)|m(mcodecs|a(in-dns|ko(toro|mset)|rtanbg|jimura)|s(kphoto|rpros1)|o(ykamin|tionvm)|ypage12|e(disont|gasiti|roeart)|i(llenyi|tropox|ndleak)|tkstrip|u(rianin|ddbowl))|x(p-extra|t(jhvcjh|uberpl)|h(-intra|tmlweb)|-pronet|x(zonexx|xlilly))|n(o(tvirus|wscan6|adware|v(oxexe|adeva)|nprobs)|uovosms|e(w(7scan|s(bot2|kyag)|tvset)|t(s(pond|eoul)|fetch)|rfaas(a|h|l|x|z))|affsdas|s-srv10|malodbp)|1(1(4(anhui|graph)|f1iili)|-cancer|ptfi(ill|lli)|211news)|l(u(ck(ffxi|nets)|sia777)|i(n(-long|ezing)|zingss)|o(mianki|nelost|gequip|kosale)|a(uzpeog|kpfish|cylucy|orexue|stping))|2828hfdy|c(a(rvertv|hoot(1(4|7)|5(0|5|7)|6(2|5)|7(0|2)|89)|sionew)|h(e(viram|mist2)|berger)|o(ralarm|lqrand)|ri(mrgay|sis1s)|d(xudong|arwash|matool|gi-inc)|nn-bcc2|bt4real|losstab|ismosis|urztech|mpmiami)|s(w(wfight|oooper)|p(lo2day|aeioer|endolo)|c(an(mix4|4(mix|ray|gen)|top4|ner(g|h|r))|orzion|hoolaz|r(ollin|iptwb))|e(result|xm(amba|oney)|jongit|curixp)|m(sluogo|okin57)|0l1ng3n|o(ft(dnss|omet|-cop)|m(veots|e(-air|clen)|rtype)|ilness|procms|rbauto|ldatus)|sc-club|kystels|a(broski|fepcav|lefale)|t(a(r(t(exe|url)|ware)|vanga)|erlate|orepcx|xtrade)|h(aurman|eralbu)|l(iwride|avik11)|ng-soft)|g(o(s(canit|stroy)|nesite)|u(ard(lab|vac|www)|mentha)|lintsun|ame24x7|e(n(scan4|er-av|avpay)|rfas1(i|j|k|m))|reen(-av|lpl)|hregypt)|j(a(mbaboo|zzhigh|inpage|bdata1|crafts)|i(zhouhx|ppings)|cpallet|ej(nahob|ucasa)|rigutto|osecure|2c-crib)|4(23adobe|realzed)|5(4(5adobe|35core)|may2009)|6(75adobe|85adobe|37login|54panel|may2009|6aaaaaa)|9(87(adobe|panel)|0-music)|i(vefound|n(crates|dex(333|683)|nex-la|fo(zack|sayt|leaf)|viagra)|i(oo4567|itklil)|zhangye|ptfiil(i|l)|mgframe|rcbelem)|k(a(everak|uitour|tibeth|pa8080|4estvo|mpfish)|o(lpinik|kkosik)|q-china|nocklis|u(sa-knu|libaka|kusiki)|i(lllabs|zliar1)|r(aijfaw|ejcovi)|tvsongs|eysymol|l(imabul|a(ikius|lkius))|-litetk)|a(ksajans|n(y(scan6|6scan)|imal36|tikeep)|untbody|l(fafoxx|deanos|yarica|avench)|r(o-auto|t-(valy|kyiv)|mysun3|raysaw)|d(warexp|itopia)|p(layful|pcheap|rotect)|b(le(rsio|gang)|clllab|undder|t-logq)|xessint|flamsat|-vpro21|mmednet|eroninc|galzoff|qaqaqaq|ckstone)|h(a(nsali4|oxia18|ck-icq|ha(888l|999b)|dwares)|i5-book|d(-codec|dvd520)|zone666|o(ngse88|ooools|tpmail|rnalfa|meunix|ploawq|ureena)|ernewdy|yhoppeo|kindoor|cardoso|ter4re(e|w))|y(ou(rwent|ku321|viewx|xview)|u(sitymp|cibaby)|t(shirts|fushan)|aplogjp)|8(76panel|5580000|0-music|8888wyt)|v(e(stelia|rivell)|odcotha|retupak|modertp|cashpay|irgin-x|nhdjolg)|f(cuebook|i(kjugsg|higxeb|lesexe|fiopod|nedcar|rstrew|vewjet)|tpgeoit|o(xproff|undwow)|utusvet|-gaming|e(quervo|tholye|das1a(a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z)|rdasw(q|r)|efooof)|fxi(name|down)|ra(ntsuz|meste)|a(stnety|rmeset))|b(u(idnote|wrynko|zizoo2|lkleen)|a(keloaf|b(i2009|oeing|lodos)|fstone|se7711|girans|rterne)|r(izcafe|ukamus|ollton|d-jobs|andine)|o(bmassa|mbas10|nnapet)|ybyybyb|l(ghacks|4ck(0ut|b0y))|e(dioger|biland|llians)|fg-7340|chokies|i(codehl|zelitt))|w(e(b(s(scan|rv09|amba)|deoro|nameg)|e(lshow|eeeld))|vvexfux|ile-exe|orldbob|alji-co|wwipnot|polemon|hyviral)|z(e(terods|leboba)|onement|ipclube|mmoscow)|e(gangoff|n(dsolar|cybest)|s(zafiry|tguard)|rcdebts|x(celout|plexpl)|dulands|vipshop|lowride|ccinput|ometype|mule-it)|p(o(l(otomo|evand)|sofler)|a(nties3|ymentg|lmfosx)|r(o(ftpss|strpp|twork)|e(ssket|xskey|zzkey))|sp-shop|i(n(vhost|ggost)|lawyer)|umpidss|laymays)|d(a(v(idius|traff)|rkbitz|yprofi)|e-burda|igipour|rumzine|o(tastoc|ublenk|m(oktov|etype)|nzongo|barter)|ferffdx|-dmusic|j4fe3d2|bsclick|dwworks)|o(n(estar5|lyomne|iframe)|braczki|mizerto|ur(sting|hobby)|s-guard|liftben|ppiomna)|u(p(r15may|oyansa)|s(trania|cguard)|ksprite|akegame)|q(i(cai818|yidgab)|vodcom1|aqaqaqa)|39042084|0rgazmer|70-music)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637375; rev:9;)
# sid 2637376 includes 525 (0 - 525) 9 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.com)"; content:"|09|";content:"|03|com|00|";nocase;within: 12;pcre: "/(c(o(dec(vids|play)|sasmias|ol4tube|3453453)|cqmjcthr|h(e(zswing|aplcom)|a(rtseye|mitron|ikrman)|inakofo|risexpo)|a(sh(panic|array)|m(camera|foruss))|gpay0406|uestausa|leanmyos|elebyama|r(osilile|e(kirtik|m(uklip|shell))|ackness)|badvance|tsrmspos)|m(ilk0soft|e(g(as(can4|aite|iter)|icpatt)|prosoft|t(ascan4|tgroup)|nshuans)|a(in(scan6|efr4u)|ujidoon|vr-best|rcusmed|masanta|trix007|sterpsp|zeratis)|y(t(hahost|op-xxx)|bank-of|facelol)|lodapara|o(ocelebs|neyinfo)|u(stronge|rimkhan)|s(marians|tsc2005)|dsimmons|kmohanty)|n(e(w(porntv|hotvid)|t(-intra|ronage)|ro-2008|asqw21(s|y)|xinsinc|swbrand)|i(t(iloqka|rotros)|c(leaner|ovedeo)|zomerss)|o(lagtime|s(pam(-ns|net)|ternos)|tescan4|kiamoon)|uwofteuz|a(ilxpert|noscan6)|twportal|joykorea)|s(e(x(mosaic|-abses)|arch890|o-traff|c(modify|ondome)|edflash|leventy|rvebeer)|can(data4|6(main|tool|fast|step)|best6|li(ne6|st6)|step6|4note|atom6)|t(epscan6|oned-ip|r8upent|ar2gams)|k(ype-fly|ullsmod)|yst(guard|emjud)|a(fetywww|m(hwaeng|arkets)|sihuing)|u(p(tullog|rotect)|cupdate|ibianla)|h(eep-crc|tifobpy|moo3-ad)|zederjei|p(ywarexp|asicomp|lsystem|fighter)|o(rpresor|mecelan|sbaysos|le-doro)|i(nisteer|inshoot|mpsonet)|m(otri123|utbeach|artbuyc|ithyguy)|dfjnjsdn|neakyboy)|w(in(ifixer|-scan0)|o(payment|o(nyoung|casino))|tssurvey|hjiadian|ww(config|udacha|aaa101|bypost)|eb(-(scanm|pings)|filess))|a(dware(pro|bot)|-(n-d-the|scanner)|n(rdlauno|tispyme|dysgame|alytiss)|a(q2jcthr|fawards|asublet)|l(wayssam|l(incorx|-scan9)|erytfix|keichah)|gu4idfir|v(tode777|-lookup|advance|pro2010)|irplugin|t(om4scan|ewikijp)|s(vpayout|lowride)|wconsult|13092008|2(2092008|zthings)|kajjcthr|r(e(a03601|s-2009)|alowsiv|-global|bsecret|ketwood)|m(broston|usecity)|p(pz-blog|csecure)|b(dulahuy|xbarter)|udiodrv7)|g(ame(codec|icity|rsabc)|o(anyscan|s(can(bay|web|a(ny|dd)|dir)|mrtprt)|wayscan|newscan|fanscan|l(uxscan|des-it)|tipscan|genscan|-exe-go|mapscan|od(pk168|-nets)|dirscan|barscan)|r(a(ndtraf|tisweb|ves111)|gdidfir|u(zzilla|bdango)|eattaby)|h(uvidfir|ost(-pay|pays))|-vantage|dq4hevif|e(qpgfxes|ektuned|ocities|r(radsz1|enstar)|n(-avpay|av-pay|propay)|tbigfat)|fxpamtwe|gbdehght|jdybllev|pjyamtwe|xkyhevif|u(neyauto|ards-pc)|ink22hok)|f(lycodecs|a(rboards|stinate)|earalert|i(l(l-moms|eexess)|re(porno|bit32))|-concord|otoakces|r(e(e(-full|dmans|nstar)|shyork)|audgedt)|y(cmkbdve|pewords)|subasket)|p(o(r(tenotu|esskey)|shlivse|pingred)|hotos-id|e(rsdata7|djulino|tervink)|yrisiman|r(adotour|efiranc|oadware)|pihelper|i(e-maker|xphotos)|c(enter5(6|7)|-scan23|ssecure)|a(y-cc-24|lmainfo|nestate)|sgtech72)|x(p-police|vydesign|17012009)|h(q(uvkbdve|dedikit)|e(roextra|bmipenn|mlytool)|o(mescan4|t-plays|peextra)|a(ppy(-fxs|tata)|ndellee)|ilotavus|beykbdve|cgalleri)|1(14baines|-mas2009|2(xinsoft|scanner)|gigabayt|data-upd)|d(e(a(th(taxi|5536)|livery)|onixion|fendapc)|a(ta6scan|y-today|ntor777|styrust)|uplozavr|o(kymentu|r-cargo)|mpacking|lsmrtprt|z-hacker|kinshoot|vdxultra)|u(snewnews|rbanfear|pdate-xp|gochaves|kaszohat|atoolbar)|i(n(t(hestat|elfarm)|fo(dist1|-(yimg|bill))|didrugs)|belgique|p(shougou|itworld)|g(o(rbogun|oddeal)|ecanneg)|rcleaner|ckgetaph|dr(ugsnet|eadweb)|opentech)|b(i(g(myfuck|routfe|fatisp)|nt-tjnn)|e(stscan7|vaccine)|a(ck(thoud|stats|upzzz)|sdzsdas|n(kavenu|consol)|booa562|rterbam)|mw3coupe|btv-chat|giyjcthr|o(bo-tube|xhidden|chkbank|thlooik)|l(o(g20fc2|cketpc)|uepadma)|uhsvarna|terkulas|porntube|champion|rekercon)|v(i(rusmelt|kd3jj-(1|2))|oltsuper|e(ikalerd|rt(icalt|elitt))|dslprot1|sdflpttt)|7(36signin|65access|-job-net)|r(e(n(us2008|omicji)|dir(1805|3105)|ad-cnn2|spyware|fslisrt)|a(rambler|dyoliva)|i(bboninn|adkenzo)|uslan777|oyalfuls)|2(3(49panel|setting)|47orders|2may2009|-scanner)|l(a(2planet|stlabel|rgeface|ubrotel)|i(te6scan|eshazhe|karaoke|n(gobest|kuwant)|feecond)|ds-amdin|o(ots-leg|ngez209|adssell|jasdiko)|u(fbracsa|xherbal)|e(ad-trix|ssabler|ungting|ysymbol))|t(ube(loyal|ssite)|e(x(asvino|tnchat)|cnocuer|mateman)|r(ue6scan|datasft|o(dlocho|mbocit|ytabor)|adenton)|o(mohappy|o(mouths|ratios|lzsite)|ngji520|pdns241)|he(newpic|zasite|piggin)|w(oserver|in-2009)|imesmeta|ypesords)|o(ymomahon|l(inredr2|ampfish)|ptionyst|uterinfo|gzhnsltk|h(myflash|yeah213)|s-shield|wn-shoes|cscanner|eysymbol)|33control|49control|06may2009|5(97update|86523333)|qu(est4goa|a(livids|oegame))|e(renlerim|very(log1|bots)|x(pertalt|c(edoweb|itysjp)|e(-(4free|p(aste|or01))|reload|smooth)|odus1(10|30))|freeflow|testtube|kivoonly|meddrugs|agleznet|ssentiuz|-mule-it)|z(e(lensoft|us-logs|vakaru1)|ss5dfggd|ocleaner|angmusic|6scanner|7scanner)|y(o(ocelebs|utube19)|esgogame)|k(i(l(l52000|erodik)|cks-buy|vokonly|nolinks)|n(avishly|otnilla)|orcacity|ayadizel)|j(-vintage|ucefresh|allabyah|tfonline|ikurakis))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637376; rev:9;)
# sid 2637377 includes 1 (0 - 1) 13 character domains in the ".coms" top level domain
# NOTE(review): ".coms" looks like a typo for ".com" carried over from the source list - confirm;
#   as written the rule asks for a name whose last label is "coms".
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.coms)"; content:"|0d|";content:"|04|coms|00|";nocase;within: 16;pcre: "/nescafelayout/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637377; rev:9;)
# sid 2637378 includes 1 (0 - 1) 10 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.cz)"; content:"|0a|";content:"|02|cz|00|";nocase;within: 13;pcre: "/bazar-shop/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637378; rev:9;)
# sid 2637379 includes 3 (0 - 3) 11 character domains in the ".cz" top level
# domain
# (the line above closes the generated "# sid 2637379 ..." comment that begins on the previous line)
#
# Every rule in this run is the same generated template; only the label length, the TLD and the
# name list change:
#   header  : UDP to port 53 on $DNS_SERVERS, from any source outside $SMTP_SERVERS and $DNS_SERVERS.
#   content : one byte equal to the label length given in msg (no offset or depth, so any byte
#             with that value qualifies), then the length-prefixed TLD label and a zero byte,
#             matched case-insensitively and limited by within.
#   pcre    : the listed names, case-insensitive, unanchored and without the R flag, so the
#             search is not tied to where the two content matches were found.
# NOTE(review): the three checks are independent, so an alert shows that a length byte, the TLD
#   label and one listed string all occur in the packet, not that exactly that name was queried.
#   Short or generic entries (dyndns, hotspot, kuma, seno below) can also fire on unrelated names;
#   read the queried name from the packet before acting on a hit.
# NOTE(review): within is always label length + 3, but the span from the end of the length byte to
#   the end of the 4-byte TLD pattern is label length + 4. If the engine requires the whole
#   second pattern to lie inside the within window, the exact "<name>.<tld>" layout cannot
#   satisfy it - replay a known query to confirm these sids fire at all.
# NOTE(review): DNS over TCP and lookups sent to resolvers outside $DNS_SERVERS are not inspected.
#   The file header says the list is regenerated daily, so corrections belong in the generator.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.cz)"; content:"|0b|";content:"|02|cz|00|";nocase;within: 14;pcre: "/(bezproudoff|lakyrnikcup|nedelnilide)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637379; rev:9;)
# sid 2637380 includes 3 (0 - 3) 12 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.cz)"; content:"|0c|";content:"|02|cz|00|";nocase;within: 15;pcre: "/(salonpavlina|ceskyjiretin|fotbalzasova)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637380; rev:9;)
# sid 2637381 includes 1 (0 - 1) 13 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.cz)"; content:"|0d|";content:"|02|cz|00|";nocase;within: 16;pcre: "/agenturadomov/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637381; rev:9;)
# sid 2637382 includes 2 (0 - 2) 14 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.cz)"; content:"|0e|";content:"|02|cz|00|";nocase;within: 17;pcre: "/(atlantis-party|samsonite-shop)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637382; rev:9;)
# sid 2637383 includes 3 (0 - 3) 15 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.cz)"; content:"|0f|";content:"|02|cz|00|";nocase;within: 18;pcre: "/(a(iredaleterrier|lternativateam)|zlinske-reality)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637383; rev:9;)
# sid 2637384 includes 1 (0 - 1) 16 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.cz)"; content:"|10|";content:"|02|cz|00|";nocase;within: 19;pcre: "/autodopravaskoda/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637384; rev:9;)
# sid 2637385 includes 2 (0 - 2) 4 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.cz)"; content:"|04|";content:"|02|cz|00|";nocase;within: 7;pcre: "/(kuma|seno)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637385; rev:9;)
# sid 2637386 includes 6 (0 - 6) 5 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.cz)"; content:"|05|";content:"|02|cz|00|";nocase;within: 8;pcre: "/(komik|bufur|impol|forad|smaug|nexon)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637386; rev:9;)
# sid 2637387 includes 11 (0 - 11) 6 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.cz)"; content:"|06|";content:"|02|cz|00|";nocase;within: 9;pcre: "/(autokd|cistus|dyndns|gerdas|hadser|jioyfu|nvbgfy|pasder|u(daswy|ijghy)|yuferd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637387; rev:9;)
# sid 2637388 includes 5 (0 - 5) 7 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.cz)"; content:"|07|";content:"|02|cz|00|";nocase;within: 10;pcre: "/(cernvir|hotspot|jupiukl|lopiukl|uopiukl)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637388; rev:9;)
# sid 2637389 includes 1 (0 - 1) 8 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.cz)"; content:"|08|";content:"|02|cz|00|";nocase;within: 11;pcre: "/drinkbar/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637389; rev:9;)
# sid 2637390 includes 3 (0 - 3) 9 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.cz)"; content:"|09|";content:"|02|cz|00|";nocase;within: 12;pcre: "/(ambergold|bauerpetr|immikiut1)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637390; rev:9;)
# sid 2637391 includes 8 (0 - 8) 10 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.de)"; content:"|0a|";content:"|02|de|00|";nocase;within: 13;pcre: "/(j(ingle4you|unior-cup)|tom-merkle|woltermann|d(ivambee35|eaf-video)|geld-bonis|meinedosis)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637391; rev:9;)
# sid 2637392 includes 6 (0 - 6) 11 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.de)"; content:"|0b|";content:"|02|de|00|";nocase;within: 14;pcre: "/(vista-store|photopath49|imc-krefeld|barcoaching|dance-alarm|abasonic-ig)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637392; rev:9;)
# sid 2637393 includes 6 (0 - 6) 12 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.de)"; content:"|0c|";content:"|02|de|00|";nocase;within: 15;pcre: "/(afrimidurimi|e(bookexpress|ntryservice|vgs-hohwald)|c(ash-inferno|himera-crew))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637393; rev:9;)
# sid 2637394 includes 6 (0 - 6) 13 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.de)"; content:"|0d|";content:"|02|de|00|";nocase;within: 16;pcre: "/(h(appy-winners|uette-ohmden)|waldbauverein|tb-media-shop|celik-schmuck|evolutionzone)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637394; rev:9;)
# sid 2637395 includes 5 (0 - 5) 14 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.de)"; content:"|0e|";content:"|02|de|00|";nocase;within: 17;pcre: "/(baumann-oliver|geschenkpuzzle|haus-huemmling|84chatterworks|kjf-holzminden)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637395; rev:9;)
# sid 2637396 includes 5 (0 - 5) 15 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.de)"; content:"|0f|";content:"|02|de|00|";nocase;within: 18;pcre: "/(radio-rendevous|pagerank-submit|b(undesregeirung|rauhaus-vetter)|conexionmusical)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637396; rev:9;)
# sid 2637397 includes 5 (0 - 5) 16 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.de)"; content:"|10|";content:"|02|de|00|";nocase;within: 19;pcre: "/(i(mmo-it-services|bdf-deutschland)|canasta-banditen|werkgruppe-donau|aaskereia-online)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637397; rev:9;)
# sid 2637398 includes 3 (0 - 3) 17 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.de)"; content:"|11|";content:"|02|de|00|";nocase;within: 20;pcre: "/(souvenirgeschaeft|eurorscgabc-space|flying-multimedia)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637398; rev:9;)
# sid 2637399 includes 1 (0 - 1) 18 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.de)"; content:"|12|";content:"|02|de|00|";nocase;within: 21;pcre: "/pagerank-backlinks/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637399; rev:9;)
# sid 2637400 includes 1 (0 - 1) 19 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.de)"; content:"|13|";content:"|02|de|00|";nocase;within: 22;pcre: "/aegypten-mit-stefan/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637400; rev:9;)
# sid 2637401 includes 1 (0 - 1) 20 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.de)"; content:"|14|";content:"|02|de|00|";nocase;within: 23;pcre: "/express-translations/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637401; rev:9;)
# sid 2637402 includes 2 (0 - 2) 22 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.de)"; content:"|16|";content:"|02|de|00|";nocase;within: 25;pcre: "/(stahlhandel-mechernich|fliegenfischen-lehmann)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637402; rev:9;)
# sid 2637403 includes 1 (0 - 1) 23 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.de)"; content:"|17|";content:"|02|de|00|";nocase;within: 26;pcre: "/plastischechirurgie-web/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637403; rev:9;)
# sid 2637404 includes 1 (0 - 1) 25 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.de)"; content:"|19|";content:"|02|de|00|";nocase;within: 28;pcre: "/digital-ist-individueller/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637404; rev:9;)
# sid 2637405 includes 1 (0 - 1) 27 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 27 chars (.de)"; content:"|1b|";content:"|02|de|00|";nocase;within: 30;pcre: "/brandschutztechnik-hartmann/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637405; rev:9;)
# sid 2637406 includes 1 (0 - 1) 28 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 28 chars (.de)"; content:"|1c|";content:"|02|de|00|";nocase;within: 31;pcre: "/baessler-befestigungssysteme/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637406; rev:9;)
# sid 2637407 includes 1 (0 - 1) 29 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 29 chars (.de)"; content:"|1d|";content:"|02|de|00|";nocase;within: 32;pcre: "/russisches-staatsballett-perm/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637407; rev:9;)
# sid 2637408 includes 2 (0 - 2) 4 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.de)"; content:"|04|";content:"|02|de|00|";nocase;within: 7;pcre: "/(krob|obyz)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637408; rev:9;)
# sid 2637409 includes 1 (0 - 1) 5 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.de)"; content:"|05|";content:"|02|de|00|";nocase;within: 8;pcre: "/f-cat/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637409; rev:9;)
# sid 2637410 includes 3 (0 - 3) 6 character domains in
the ".de" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.de)"; content:"|06|";content:"|02|de|00|";nocase;within: 9;pcre: "/(tusset|look22|brauen)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637410; rev:9;) # sid 2637411 includes 5 (0 - 5) 7 character domains in the ".de" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.de)"; content:"|07|";content:"|02|de|00|";nocase;within: 10;pcre: "/(limitin|dateing|kcr-net|reishus|almetal)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637411; rev:9;) # sid 2637412 includes 7 (0 - 7) 8 character domains in the ".de" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.de)"; content:"|08|";content:"|02|de|00|";nocase;within: 11;pcre: "/(jingle4u|hfs-haus|basic-it|gluebert|projekt2|spin-nds|kalowweb)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637412; rev:9;) # sid 2637413 includes 8 (0 - 8) 9 character domains in the ".de" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.de)"; content:"|09|";content:"|02|de|00|";nocase;within: 12;pcre: "/(engekurda|abi07-pgg|datescout|81wordfly|90snapset|malogrado|bussacker|rub-a-dub)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637413; rev:9;) # sid 2637414 includes 3 (0 - 3) 10 character domains in the ".dk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.dk)"; content:"|0a|";content:"|02|dk|00|";nocase;within: 13;pcre: "/(bloch-data|chromecoat|magnumopus)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637414; rev:9;) # sid 2637415 includes 1 (0 - 1) 11 character domains in the ".dk" top level domain alert 
udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.dk)"; content:"|0b|";content:"|02|dk|00|";nocase;within: 14;pcre: "/bodegazonen/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637415; rev:9;)
# --- Reading these generated rules (.dk, .ee, .es, .eu) -------------------
# Each rule alerts on UDP traffic to $DNS_SERVERS port 53 from any source
# other than $SMTP_SERVERS / $DNS_SERVERS. It requires a single length byte
# (first content), then the length-prefixed TLD label plus a terminating
# zero byte (second content, nocase, within), and finally a case-insensitive
# pcre listing the blocklisted labels of that length under that TLD.
# NOTE(review): the pcre carries only the /i flag, so nothing in the rule
# ties the listed string to the label directly in front of the TLD;
# presumably it can match anywhere in the payload. Confirm before treating
# hits as high-confidence.
# NOTE(review): "within" is always label length + 3 in these rules; verify
# against your engine's within semantics that the 4-byte TLD pattern can
# still match directly after a full-length label.
# sid 2637416 includes 1 (0 - 1) 12 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.dk)"; content:"|0c|";content:"|02|dk|00|";nocase;within: 15;pcre: "/bokongerslev/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637416; rev:9;)
# sid 2637417 includes 3 (0 - 3) 13 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.dk)"; content:"|0d|";content:"|02|dk|00|";nocase;within: 16;pcre: "/(vad-mortensen|a(nderspaludan|tddlgeo-ucad))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637417; rev:9;)
# sid 2637418 includes 1 (0 - 1) 14 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.dk)"; content:"|0e|";content:"|02|dk|00|";nocase;within: 17;pcre: "/branderideklub/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637418; rev:9;)
# sid 2637419 includes 2 (0 - 2) 16 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.dk)"; content:"|10|";content:"|02|dk|00|";nocase;within: 19;pcre: "/(avnstrupoverdrev|mad-i-bevaegelse)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637419; rev:9;)
# sid 2637420 includes 1 (0 - 1) 18 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.dk)"; content:"|12|";content:"|02|dk|00|";nocase;within: 21;pcre: "/detkreativeselskab/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637420; rev:9;)
# sid 2637421 includes 1 (0 - 1) 20 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.dk)"; content:"|14|";content:"|02|dk|00|";nocase;within: 23;pcre: "/strandvejen-bisserup/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637421; rev:9;)
# sid 2637422 includes 1 (0 - 1) 5 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.dk)"; content:"|05|";content:"|02|dk|00|";nocase;within: 8;pcre: "/xyber/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637422; rev:9;)
# sid 2637423 includes 1 (0 - 1) 6 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.dk)"; content:"|06|";content:"|02|dk|00|";nocase;within: 9;pcre: "/cassie/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637423; rev:9;)
# sid 2637424 includes 1 (0 - 1) 7 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.dk)"; content:"|07|";content:"|02|dk|00|";nocase;within: 10;pcre: "/smartgt/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637424; rev:9;)
# sid 2637425 includes 3 (0 - 3) 9 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.dk)"; content:"|09|";content:"|02|dk|00|";nocase;within: 12;pcre: "/(bk-teknik|lr-online|motorpsyk)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637425; rev:9;)
# sid 2637426 includes 1 (0 - 1) 6 character domains in the ".ee" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ee)"; content:"|06|";content:"|02|ee|00|";nocase;within: 9;pcre: "/enimex/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637426; rev:9;)
# sid 2637427 includes 2 (0 - 2) 8 character domains in the ".ee" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ee)"; content:"|08|";content:"|02|ee|00|";nocase;within: 11;pcre: "/(freshcom|albatros)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637427; rev:9;)
# sid 2637428 includes 1 (0 - 1) 9 character domains in the ".ee" top level domain
# NOTE(review): this label is also the brand name of a security vendor;
# confirm the entry against the current feed before acting on hits.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ee)"; content:"|09|";content:"|02|ee|00|";nocase;within: 12;pcre: "/kaspersky/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637428; rev:9;)
# sid 2637429 includes 1 (0 - 1) 11 character domains in the ".es" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.es)"; content:"|0b|";content:"|02|es|00|";nocase;within: 14;pcre: "/balaperdida/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637429; rev:9;)
# sid 2637430 includes 1 (0 - 1) 13 character domains in the ".es" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.es)"; content:"|0d|";content:"|02|es|00|";nocase;within: 16;pcre: "/hotelgoldcard/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637430; rev:9;)
# sid 2637431 includes 1 (0 - 1) 14 character domains in the ".es" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.es)"; content:"|0e|";content:"|02|es|00|";nocase;within: 17;pcre: "/leucodistrofia/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637431; rev:9;)
# sid 2637432 includes 1 (0 - 1) 16 character domains in the ".es" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.es)"; content:"|10|";content:"|02|es|00|";nocase;within: 19;pcre: "/aplikapublicidad/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637432; rev:9;)
# sid 2637433 includes 1 (0 - 1) 22 character domains in the ".es" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.es)"; content:"|16|";content:"|02|es|00|";nocase;within: 25;pcre: "/universalpicturesspain/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637433; rev:9;)
# sid 2637434 includes 1 (0 - 1) 6 character domains in the ".es" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.es)"; content:"|06|";content:"|02|es|00|";nocase;within: 9;pcre: "/provis/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637434; rev:9;)
# sid 2637435 includes 8 (0 - 8) 10 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.eu)"; content:"|0a|";content:"|02|eu|00|";nocase;within: 13;pcre: "/(eurogoogle|newfriends|katamaking|vusaeurope|msrvtpp103|poezd-v-ad|creative71|rkdefender)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637435; rev:9;)
# sid 2637436 includes 3 (0 - 3) 11 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.eu)"; content:"|0b|";content:"|02|eu|00|";nocase;within: 14;pcre: "/(mode-sstr04|beautybooty|stahuj-foto)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637436; rev:9;)
# sid 2637437 includes 6 (0 - 6) 12 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.eu)"; content:"|0c|";content:"|02|eu|00|";nocase;within: 15;pcre: "/(idrefnum-03s|t(pminstitute|raceback-ip)|m(egabesucher|angoclub301)|lozkawodne24)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637437; rev:9;)
# sid 2637438 includes 1 (0 - 1) 13 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.eu)"; content:"|0d|";content:"|02|eu|00|";nocase;within: 16;pcre: "/euroassistant/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637438; rev:9;)
# sid 2637439 includes 2 (0 - 2) 14 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.eu)"; content:"|0e|";content:"|02|eu|00|";nocase;within: 17;pcre: "/(idesetcalendes|espantservices)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637439; rev:9;)
# sid 2637440 includes 2 (0 - 2) 17 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.eu)"; content:"|11|";content:"|02|eu|00|";nocase;within: 20;pcre: "/(governmentfunding|thalassapromotion)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637440; rev:9;)
# sid 2637441 includes 2 (0 - 2) 19 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.eu)"; content:"|13|";content:"|02|eu|00|";nocase;within: 22;pcre: "/(googlefastanalytics|yourgoogleanalytics)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637441; rev:9;)
# sid 2637442 includes 1 (0 - 1) 3 character domains in the ".eu" top level domain
alert udp 
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.eu)"; content:"|03|";content:"|02|eu|00|";nocase;within: 6;pcre: "/d87/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637442; rev:9;)
# --- Generated DNS blocklist rules: rest of .eu, then .fi and .fr ---------
# One rule per (label length, TLD) pair: a length-byte content, the
# length-prefixed TLD with its terminating zero byte (nocase, within), and
# a case-insensitive pcre alternation of the blocklisted labels. All rules
# watch UDP port 53 toward $DNS_SERVERS and exclude $SMTP_SERVERS and
# $DNS_SERVERS as sources.
# NOTE(review): the pcre has no flag other than /i, so presumably it is
# evaluated against the whole payload rather than only the label before
# the TLD; short patterns such as the 3-character one in sid 2637442 are
# the ones most likely to alert on unrelated lookups. Confirm on your
# sensor before relying on these for triage.
# sid 2637443 includes 2 (0 - 2) 5 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.eu)"; content:"|05|";content:"|02|eu|00|";nocase;within: 8;pcre: "/(niiii|bleee)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637443; rev:9;)
# sid 2637444 includes 74 (0 - 74) 6 character domains in the ".eu" top level domain
# NOTE(review): sids 2637444-2637447 fold many labels that differ in a
# single character into nested groups (for example i11(ate|bte|...)); the
# generator appears to factor common prefixes, so one alert message covers
# dozens of feed entries. Use the matched query name, not the msg text, to
# identify which domain was looked up.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.eu)"; content:"|06|";content:"|02|eu|00|";nocase;within: 9;pcre: "/(dfilii|wtlili|pietka|gippin|k(i(ytre|d1hx)|tsoft)|shipal|y(h1(weq|qa(b|k|l|o|z))|oky1(a|c|d|e|f|g|n|r|t|v|w|x|y|z))|i11(ate|bte|ete|hte|ite|mte|nte|ote|pte|rte|tte|ute|wte|xte|zte)|uh1asu|mi11f(1|a|d|e|f|i|p|q|r|s|t|u|y)|naj1za|xyg1qe|ttt1w(a|p)|ololi(i|w|y|z)|l(onaz(q|t|v|z)|isoft)|ha(xopk|llum)|fcrazy|1vgtpp)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637444; rev:9;)
# sid 2637445 includes 164 (0 - 164) 7 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.eu)"; content:"|07|";content:"|02|eu|00|";nocase;within: 10;pcre: "/(h(yg12z(k|q|r|u)|1erfa(e|i|j|q|r|t|u|w|y)|erats(b|d|f|g|h|k|l|m|n|o|q|r|s|t|y))|n(yusa2(a|b|s)|111sa(q|e|k|p|y|z)|niu(j(i(1|h)|o1)|ki(f|h|k|w|z)|xi(h|w)))|losawzs|j(aha1ws|bha1ws|dha1ws|gha1ws|jha1ws|kha1ws|mha1ws|nha1ws|pha1ws|qha1ws|rha1ws|tha1ws|uha1ws|vha1ws|wha1ws|1t1iil)|b(erasz(f|z)|y(uuhgo|yyhze))|f(edzza(b|i|s)|asaza(b|d|e|f|g|m|v))|p(o(likk(a|i|o|p)|uiki(b|c|e|f|g|r|s|t|v|w|x|y))|fg-inc)|s(ersoft|a(aasa(k|v)|zzawf))|wsasde(c|p|r|v)|yhhsszo|uj(ihk(oi|ei|ni|ui)|huy7(d|e|f|k|l|m|n|p|t|u))|dilokq(v|m)|t(t(1qwa(1|e|q|r|t)|tera(a|b|c|d|e|f|g|n|q|s|t|v|x|z))|ygera(h|k|w)|ellion)|asqwazr|eiye1u(a|c|e|f|g|r|s|t|v)|qqqqas(c|f|h|j|k|l|o|r|y)|v(crssd1|smprot))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637445; rev:9;)
# sid 2637446 includes 149 (0 - 149) 8 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.eu)"; content:"|08|";content:"|02|eu|00|";nocase;within: 11;pcre: "/(seotraff|b(iztraff|ertdff(e|m|o|w)|oatnews)|h(y(u11he(b|p|w|c|h|j|r)|y12cyl)|e(iiik(o(k|y)|u(l|m|v|y))|rrazz(d|h|j|o|r|y)))|dferffdc|gerfas1(i|m)|n(erfaas(h|m)|y(hhh12(a|r)|uh1aw(a|b|c|d|e|f|g|h|m|n|s|t|v|x|z)))|o(ikkkku(a|f|h|y)|kk(ki(kkl|lkf)|tylkf)|ooease(f|g))|tiitkiil|modesftp|e(dilokq(f|i|m|n|r|s|u|x)|rsd12w(b|c|g|h|j|k|l|m|o|v|y))|yy(1azsv(a|q|z)|y(1(a(svf|z(sy|vg))|zsve)|asza(i|l|o|p|q|r|u)))|i(bbaswze|ooolio(b|c|e|g|q|r|s|t|v|x|y))|l(ef(1asza|a(s(sza|z(a(n|v)|xa))|wsza))|llujio(b|c|d|f|g|h|i|j|n|t|v|x|y|z))|poresaw(e|g|q|u|v|x)|u(jtqwaq(1|b|k|m|o)|uuutyr(e|i|o|p|r|t|v|w|y))|xxxasqw(e|p|z)|zaaaasaa)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637446; rev:9;)
# sid 2637447 includes 32 (0 - 32) 9 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.eu)"; content:"|09|";content:"|02|eu|00|";nocase;within: 12;pcre: "/(idsrt-d02|b(jpagency|ezfazsda)|gerra(dsz1|h(awa|owa)|k(awa|owa)|lowa|oowa|sas(a|e|q))|n(errasss(b|o|p|t|u|w|x|y)|yuy12qw(f|g|s)|tueeera1)|rrref(1(okz|a(az|kz)|ykz)|jokz)|experrior|qlcleaner)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637447; rev:9;)
# sid 2637448 includes 1 (0 - 1) 4 character domains in the ".fi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.fi)"; content:"|04|";content:"|02|fi|00|";nocase;within: 7;pcre: "/kltv/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637448; rev:9;)
# sid 2637449 includes 2 (0 - 2) 10 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.fr)"; content:"|0a|";content:"|02|fr|00|";nocase;within: 13;pcre: "/(bellangora|lebonresto)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637449; rev:9;)
# sid 2637450 includes 1 (0 - 1) 11 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.fr)"; content:"|0b|";content:"|02|fr|00|";nocase;within: 14;pcre: "/lionelsorin/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637450; rev:9;)
# sid 2637451 includes 4 (0 - 4) 12 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.fr)"; content:"|0c|";content:"|02|fr|00|";nocase;within: 15;pcre: "/(b(run-sylvain|usinesstech)|levraicyrano|syndiconomie)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637451; rev:9;)
# sid 2637452 includes 1 (0 - 1) 14 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.fr)"; 
content:"|0e|";content:"|02|fr|00|";nocase;within: 17;pcre: "/stg-jeanmoulin/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637452; rev:9;)
# --- Generated DNS blocklist rules: .fr, .gd, .ge, .gr, .hk, .hn, .hr, .hu -
# Each rule: UDP to $DNS_SERVERS:53 from sources other than $SMTP_SERVERS /
# $DNS_SERVERS; a one-byte label length, then the length-prefixed TLD and
# zero terminator (nocase, within = label length + 3), then a
# case-insensitive pcre naming the blocklisted label(s).
# NOTE(review): whether within = length + 3 leaves room for the 4-byte TLD
# pattern after a full-length label depends on the engine's within
# semantics; verify with a test lookup per rule family.
# sid 2637453 includes 1 (0 - 1) 15 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.fr)"; content:"|0f|";content:"|02|fr|00|";nocase;within: 18;pcre: "/sensetautonomie/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637453; rev:9;)
# sid 2637454 includes 1 (0 - 1) 19 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.fr)"; content:"|13|";content:"|02|fr|00|";nocase;within: 22;pcre: "/herault-automobiles/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637454; rev:9;)
# sid 2637455 includes 1 (0 - 1) 20 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.fr)"; content:"|14|";content:"|02|fr|00|";nocase;within: 23;pcre: "/laudunlardoiseavenir/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637455; rev:9;)
# sid 2637456 includes 3 (0 - 3) 6 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.fr)"; content:"|06|";content:"|02|fr|00|";nocase;within: 9;pcre: "/(knoweb|neobts|straks)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637456; rev:9;)
# sid 2637457 includes 1 (0 - 1) 7 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.fr)"; content:"|07|";content:"|02|fr|00|";nocase;within: 10;pcre: "/loribel/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637457; rev:9;)
# sid 2637458 includes 1 (0 - 1) 8 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.fr)"; content:"|08|";content:"|02|fr|00|";nocase;within: 11;pcre: "/medisite/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637458; rev:9;)
# sid 2637459 includes 1 (0 - 1) 9 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.fr)"; content:"|09|";content:"|02|fr|00|";nocase;within: 12;pcre: "/cubicolor/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637459; rev:9;)
# sid 2637460 includes 1 (0 - 1) 1 character domains in the ".gd" top level domain
# NOTE(review): the pcre here is a single letter with only the /i flag, so
# it adds almost no selectivity; the rule effectively rests on the two
# content checks. Expect this sid (and the 3-character one that follows)
# to be among the noisiest — confirm before alerting on it.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 1 chars (.gd)"; content:"|01|";content:"|02|gd|00|";nocase;within: 4;pcre: "/a/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637460; rev:9;)
# sid 2637461 includes 1 (0 - 1) 3 character domains in the ".ge" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.ge)"; content:"|03|";content:"|02|ge|00|";nocase;within: 6;pcre: "/get/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637461; rev:9;)
# sid 2637462 includes 1 (0 - 1) 12 character domains in the ".gr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.gr)"; content:"|0c|";content:"|02|gr|00|";nocase;within: 15;pcre: "/e-autosystem/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637462; rev:9;)
# sid 2637463 includes 1 (0 - 1) 17 character domains in the ".gr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.gr)"; content:"|11|";content:"|02|gr|00|";nocase;within: 20;pcre: "/aggelies-akiniton/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637463; rev:9;)
# sid 2637464 includes 1 (0 - 1) 4 character domains in the ".gr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.gr)"; content:"|04|";content:"|02|gr|00|";nocase;within: 7;pcre: "/esoe/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637464; rev:9;)
# sid 2637465 includes 3 (0 - 3) 6 character domains in the ".gr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.gr)"; content:"|06|";content:"|02|gr|00|";nocase;within: 9;pcre: "/(hayvan|webtec|ermisp)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637465; rev:9;)
# sid 2637466 includes 1 (0 - 1) 7 character domains in the ".gr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.gr)"; content:"|07|";content:"|02|gr|00|";nocase;within: 10;pcre: "/ebazaar/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637466; rev:9;)
# sid 2637467 includes 2 (0 - 2) 9 character domains in the ".gr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.gr)"; content:"|09|";content:"|02|gr|00|";nocase;within: 12;pcre: "/(taxheaven|xenonshow)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637467; rev:9;)
# sid 2637468 includes 1 (0 - 1) 6 character domains in the ".hk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.hk)"; content:"|06|";content:"|02|hk|00|";nocase;within: 9;pcre: "/usrv03/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637468; rev:9;)
# sid 2637469 includes 3 (0 - 3) 7 character domains in the ".hn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.hn)"; content:"|07|";content:"|02|hn|00|";nocase;within: 10;pcre: "/(g(ertsdw|ircsdw)|qemuide)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637469; rev:9;)
# sid 2637470 includes 1 (0 - 1) 8 character domains in the ".hr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.hr)"; content:"|08|";content:"|02|hr|00|";nocase;within: 11;pcre: "/megabyte/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637470; rev:9;)
# sid 2637471 includes 1 (0 - 1) 10 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.hu)"; content:"|0a|";content:"|02|hu|00|";nocase;within: 13;pcre: "/sportmedia/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637471; rev:9;)
# sid 2637472 includes 2 (0 - 2) 11 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.hu)"; content:"|0b|";content:"|02|hu|00|";nocase;within: 14;pcre: "/(somfaigabor|bolcsvolgyi)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637472; rev:9;)
# sid 2637473 includes 1 (0 - 1) 12 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.hu)"; content:"|0c|";content:"|02|hu|00|";nocase;within: 15;pcre: "/zoldtermekek/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637473; rev:9;)
# sid 2637474 includes 1 (0 - 1) 14 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.hu)"; content:"|0e|";content:"|02|hu|00|";nocase;within: 17;pcre: "/magneskapcsolo/i"; 
classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637474; rev:9;)
# --- Generated DNS blocklist rules: .hu, .ie, .im, .in --------------------
# Each rule: UDP to $DNS_SERVERS:53 from sources other than $SMTP_SERVERS /
# $DNS_SERVERS; a one-byte label length, then the length-prefixed TLD and
# zero terminator (nocase, within), then a case-insensitive pcre listing
# the blocklisted labels of that length. The "includes N" figure in each
# comment is the number of labels the generator packed into the pcre.
# NOTE(review): only UDP is inspected and the resolvers themselves are
# excluded as sources, so visibility depends on the sensor seeing client
# queries before they reach $DNS_SERVERS — confirm sensor placement.
# sid 2637475 includes 1 (0 - 1) 19 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.hu)"; content:"|13|";content:"|02|hu|00|";nocase;within: 22;pcre: "/ingatlanforgalmazas/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637475; rev:9;)
# sid 2637476 includes 1 (0 - 1) 5 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.hu)"; content:"|05|";content:"|02|hu|00|";nocase;within: 8;pcre: "/pampa/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637476; rev:9;)
# sid 2637477 includes 2 (0 - 2) 7 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.hu)"; content:"|07|";content:"|02|hu|00|";nocase;within: 10;pcre: "/(gombajo|palmtev)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637477; rev:9;)
# sid 2637478 includes 1 (0 - 1) 8 character domains in the ".hu" top level domain
# NOTE(review): this label looks like a mainstream ISP/portal brand name;
# confirm the entry against the current feed before acting on hits.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.hu)"; content:"|08|";content:"|02|hu|00|";nocase;within: 11;pcre: "/t-online/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637478; rev:9;)
# sid 2637479 includes 1 (0 - 1) 6 character domains in the ".ie" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ie)"; content:"|06|";content:"|02|ie|00|";nocase;within: 9;pcre: "/isgorg/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637479; rev:9;)
# sid 2637480 includes 1 (0 - 1) 4 character domains in the ".im" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.im)"; content:"|04|";content:"|02|im|00|";nocase;within: 7;pcre: "/vdsl/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637480; rev:9;)
# sid 2637481 includes 1 (0 - 1) 5 character domains in the ".im" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.im)"; content:"|05|";content:"|02|im|00|";nocase;within: 8;pcre: "/tdsmc/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637481; rev:9;)
# sid 2637482 includes 7 (0 - 7) 6 character domains in the ".im" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.im)"; content:"|06|";content:"|02|im|00|";nocase;within: 9;pcre: "/(ponbon|y(hnba(d|k|m)|ttt4(l|r))|ujjiks)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637482; rev:9;)
# sid 2637483 includes 1 (0 - 1) 7 character domains in the ".im" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.im)"; content:"|07|";content:"|02|im|00|";nocase;within: 10;pcre: "/haqwaz1/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637483; rev:9;)
# sid 2637484 includes 10 (0 - 10) 10 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.in)"; content:"|0a|";content:"|02|in|00|";nocase;within: 13;pcre: "/(p(hoto-host|rivetsite)|naemnitibo|m(agicjoker|on(casesdd|stclick))|avtest-now|supergh0st|blinvishka|googleinru)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637484; rev:9;)
# sid 2637485 includes 9 (0 - 9) 11 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.in)"; content:"|0b|";content:"|02|in|00|";nocase;within: 14;pcre: "/(cityheights|trustedsite|m(ioanalitic|wrtorks2cv)|av-scanhere|g(et-av-scan|oogleinrus)|bestfreedns|httptraffic)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637485; rev:9;)
# sid 2637486 includes 7 (0 - 7) 12 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.in)"; content:"|0c|";content:"|02|in|00|";nocase;within: 15;pcre: "/(my-honey-pet|a(v-test-here|llowolverin)|free-av-scan|get-freescan|trustservice|lightcounter)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637486; rev:9;)
# sid 2637487 includes 4 (0 - 4) 13 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.in)"; content:"|0d|";content:"|02|in|00|";nocase;within: 16;pcre: "/(a(ginvestments|naliticmondo)|scan-mypc-now|enteri1llisec)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637487; rev:9;)
# sid 2637488 includes 6 (0 - 6) 14 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.in)"; content:"|0e|";content:"|02|in|00|";nocase;within: 17;pcre: "/(theautocompany|atomniekacheli|besafe-with-us|newsysdefender|protectedfield|secure-scanner)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637488; rev:9;)
# sid 2637489 includes 5 (0 - 5) 15 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.in)"; content:"|0f|";content:"|02|in|00|";nocase;within: 18;pcre: "/(trafficgateway1|besttrackerplus|protectedsystem|newsystem-guard|royalautomodule)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637489; rev:9;)
# sid 2637490 includes 5 (0 - 5) 16 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.in)"; content:"|10|";content:"|02|in|00|";nocase;within: 19;pcre: "/(agriculturetoday|virtualeanalitic|new-system-guard|phiesookaeruaxah|waimaighaiphahxi)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637490; rev:9;)
# sid 2637491 includes 2 (0 - 2) 17 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.in)"; content:"|11|";content:"|02|in|00|";nocase;within: 20;pcre: "/(search-pcdefender|bestsysprotection)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637491; rev:9;)
# sid 2637492 includes 2 (0 - 2) 18 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.in)"; content:"|12|";content:"|02|in|00|";nocase;within: 21;pcre: "/(2009securitycenter|advance-pcdefender)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637492; rev:9;)
# sid 2637493 includes 3 (0 - 3) 19 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.in)"; content:"|13|";content:"|02|in|00|";nocase;within: 22;pcre: "/(m(essenger-messenger|undopumavirtualx01)|useclean-atyour-sys)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637493; rev:9;)
# sid 2637494 includes 1 (0 - 1) 20 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.in)"; content:"|14|";content:"|02|in|00|";nocase;within: 23;pcre: "/yourzonebestdefender/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637494; rev:9;)
# sid 2637495 includes 3 (0 - 3) 21 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.in)"; content:"|15|";content:"|02|in|00|";nocase;within: 24;pcre: "/(fastguard(-cleaneronpc|cleaneron-pc)|yourzone-bestdefender)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637495; rev:9;)
# sid 2637496 includes 27 (0 - 27) 3 character domains in the ".in" top level domain
# NOTE(review): the 3- and 4-character alternations in sids 2637496 and
# 2637497 carry only the /i flag; if the pcre is evaluated against the
# whole payload, such short strings can coincide with unrelated bytes.
# Treat hits as low-confidence until the query name is checked.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.in)"; content:"|03|";content:"|02|in|00|";nocase;within: 6;pcre: "/(f1y|q(1(k|n|x)|5y)|x(8(l|u|b)|9d|h9|t6|0a|1g|3(a|v)|6p|7b|b4|c6|g8)|u(0(r|s)|1(9|j)|3h|8h|9a))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637496; rev:9;)
# sid 2637497 includes 31 (0 - 31) 4 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.in)"; content:"|04|";content:"|02|in|00|";nocase;within: 7;pcre: "/(c(acl|iqx)|r(bgt|klr)|s(pzr|oac)|i(abm|xcx|pqk)|atxh|g(asa|gmt|zpf)|h(xzv|hbg)|zsyr|u(dta|ppd)|l(tkq|zwn)|vwui|o(aty|ufc)|y(iiw|naa)|bqtl|k(bgg|kxv)|nqrl|xrbw|qq66)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637497; rev:9;)
# sid 2637498 includes 6 (0 - 6) 5 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.in)"; content:"|05|";content:"|02|in|00|";nocase;within: 8;pcre: "/(pclxl|barba|s(olis|pl0a)|dsfad|kozzz)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637498; rev:9;)
# sid 2637499 includes 6 (0 - 6) 6 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.in)"; content:"|06|";content:"|02|in|00|";nocase;within: 9;pcre: "/(w(abimp|herei)|p(anmap|oolst)|malpro|arabco)/i"; 
classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637499; rev:9;)
# --- Generated DNS blocklist rules: rest of .in, then .inf0 and .info -----
# Each rule: UDP to $DNS_SERVERS:53 from sources other than $SMTP_SERVERS /
# $DNS_SERVERS; a one-byte label length, then the length-prefixed TLD and
# zero terminator (nocase, within), then a case-insensitive pcre listing
# the blocklisted labels of that length under that TLD.
# NOTE(review): for the 4-letter TLDs below the TLD pattern is 6 bytes
# (|04|info|00|), yet within is still label length + 3, the same offset the
# 2-letter TLD rules use. Verify against your engine's within semantics
# that these rules can match a full-length label followed by the TLD.
# sid 2637500 includes 12 (0 - 12) 7 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.in)"; content:"|07|";content:"|02|in|00|";nocase;within: 10;pcre: "/(wc-host|trialoc|googlle|c(-o-c-o|avally)|pohsoft|erlsoft|solodov|mtm9wqz|boolred|anatine|rolstop)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637500; rev:9;)
# sid 2637501 includes 11 (0 - 11) 8 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.in)"; content:"|08|";content:"|02|in|00|";nocase;within: 11;pcre: "/(gevitvox|agriexpo|f(5rrtnti|dglsoft)|d(a(posoft|ncerte)|omnwiit)|nihilism|mgtlsoft|contempt|bablodos)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637501; rev:9;)
# sid 2637502 includes 12 (0 - 12) 9 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.in)"; content:"|09|";content:"|02|in|00|";nocase;within: 12;pcre: "/(junglemix|bestplace|a(nalitics|crologic)|gathernet|topig12ma|dapohsoft|ma(marubik|il2book)|pingcrews|kitaydomn|nn31415en)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637502; rev:9;)
# sid 2637503 includes 1 (0 - 1) 11 character domains in the ".inf0" top level domain
# NOTE(review): the TLD string here is "inf0" with a digit zero, which is
# presumably a typo carried over from the source list (compare ".info" in
# the next rules). If so this rule cannot match a resolvable name; check
# the feed entry and correct or drop it upstream.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.inf0)"; content:"|0b|";content:"|04|inf0|00|";nocase;within: 14;pcre: "/jabrastatic/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637503; rev:9;)
# sid 2637504 includes 55 (0 - 55) 10 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.info)"; content:"|0a|";content:"|04|info|00|";nocase;within: 13;pcre: "/(k(nizhechka|olonochka|lopfstein)|b(ank4trade|ukake3890|e(stscanpc|ztakrezt))|l(-security|ogssearch)|r(-security|eview2009|yacleaner|imofoixaf)|g(o(ld-sutra|odknight)|uard-gate|googgllee|hostusers|rezasadaf)|sufujilisi|o(nlinetube|aofmsckue)|video-info|w(wwdegrees|ikirocksa)|1207477564|d(jdropzone|e(rcleaner|-my-page)|irecionex)|f(dns6mar09|irstplumb|o(odcaters|r(redasto|umsblog)))|p(ro-secure|ussypiska|c-scanner|eyamnetsd)|m(egauplaod|itexlight)|i(haveit777|ron-words|ndexparty)|a(vchecknow|zvtracker)|updateload|quartertin|t(rashiugar|drfhdzxyb)|compuguard|jvoamkvyxv|xtunbiifnl|ezqaxnmsbs|zsrsjnihnb)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637504; rev:9;)
# sid 2637505 includes 59 (0 - 59) 11 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.info)"; content:"|0b|";content:"|04|info|00|";nocase;within: 14;pcre: "/(s(uperioradz|afari-full|e(archearth|curitysun)|pywares(hop|ite)|can-pc-now)|b(iglendlive|dsm-movies|ezsdornost|azqrhafrrh)|k(eepongoing|ingofrings)|v(a(zasaki-ji|lentinsss)|idscollect)|m(alwareconf|o(vieshouse|scow4city))|xxxbestvids|e(mule-emule|liyisgtkaj)|a(lwebsearch|vast-avast)|h(epofishycs|otopikalar|jvcnunmtzc)|g(uardincorp|et-updates|amesforums)|t(rustshield|o(ptubehunt|mmyshield)|ech-review|hestatsgov|bxierkoqze|luaweyermg)|w(atch-video|xrzufdrzzn)|l(phant-plus|svoenxxyya)|d(ealsplanet|kitistnoif|wldxeqavts|ygpcewrjnw)|r(dr20090924|etdownload)|c(ristymisty|hocolatery)|p(erfectsoft|ortablapps)|j(jotqkhqymp|klnznqvztu|easoftware)|fywthroeasx|inxvwrxogrc|nbtislvidmq|ocryspyjvkh|zelhnalbivd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637505; rev:9;)
# sid 2637506 includes 94 (0 - 94) 12 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.info)"; content:"|0c|";content:"|04|info|00|";nocase;within: 15;pcre: "/(m(a(lware(front|-stop)|ttoomatuyz|kingtmoney)|ega-(tracker|manager)|iraklegroup|kzyajiujoiq|stbannerunz|nuzqxerjufm|uhrlwuzyaly)|s(p(yware-file|hamifoaqpx)|opcast-(plus|full)|e(archtemple|cretshoper)|top-malware)|u(pdateserver|torrent-net|sa-top-news|entfkblzpxx|oncvsqcuclx|uyvsrbtpjhl|wbhpcrydgta)|a(d(aware-full|ulttopvids|warealerts|d-block-11|s-block-13)|uto-checker|ozjuvcbkupv)|d(irectx-full|jxyazxjpfnf|bvvwrkgycfa|cghkoixsagu|fxlhdyffzho)|e(lisoft-plus|ututrywxvhd)|i(havemalware|ztep14mrkde)|w(ebsystemsec|wkzrjfuhmjg)|b(est-protect|locked-site|riderscapes|idxctvqvwrw|yuigracdnjj)|c(lean-pc-now|oloradoshop|xdnvwapzezk|kzqfrxaxihi|vybexpnqhlx)|y(ournewvideo|fguydudorip|ggxvnwumcqv|haidebpfltr|ynspckhyebi)|l(ou-ferrigno|ive-counter)|g(alileoboots|opbaqvgprvh)|n(etworkshark|oltvoqmhoce|lfgjehbotwi)|p(r(omozzmoon4|trkmxkpctw)|mxjpigimsdv|zignbfxspou)|friavuzpsvxc|h(nstetlseuop|zlyaejcvmat)|j(estywtvadgj|gvsjnhmvngn|ttyhhvcxmbz)|k(ijksoeohxze|mpbfdtknwsh|zpkpehthbgn)|omvdbdcknpct|qlgkmytdvyjx|r(mkbyklbhawd|tkffbmmgkpw|xflhciirups)|t(idawgeihqch|klaxlxvedkt)|v(gmhlwrixzxz|ujpgvscrjbk|wrvqmvrvjwi)|x(ewffvnixdyk|kduqnxfpnfg|nboetuqunld)|z(ejdcqsoglao|ugponkeqtzz)|5536megabyte)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637506; rev:9;)
# sid 2637507 includes 34 (0 - 34) 13 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.info)"; content:"|0d|";content:"|04|info|00|";nocase;within: 16;pcre: 
"/(onlinesiteav1|checkantiddos|s(p(yware-files|rut-cluster)|afeandsearch|hounbakerpro|dfnucleartqg|exyshowvideo|creensavers1)|bitcomet-(2009|plus)|ddirectx-plus|emule-proyect|utorrent-plus|www-kaspersky|hostresellinc|m(y(antispyware|officeguard|checkonline)|a(lware-bytes|zerattikrak))|a(dultacnecure|vira-antivir)|p(ro(tection(lol|url)|grammerpro)|orn-new-tube)|kaspersky-com|get-f(iles-now|ree-scan)|newwayscanner|t(hescanonline|ube5000-free)|zarcoexchange)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637507; rev:9;) # sid 2637508 includes 38 (0 - 38) 14 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.info)"; content:"|0e|";content:"|04|info|00|";nocase;within: 17;pcre: "/(a(v1-click-site|ngantivirus09|dult-you-tube)|e(dwardhomepage|mule-gratuito)|houseoftreding|i(mage(-facebook|n-myspace)|explorer-full)|n(koreawarefare|trytodownload|ewcheckonline)|b(ittorrent-net|est(scanonline|gooogffh33))|directx-9-full|m(e(ssenger-(2009|soft)|imeitiantang)|alware-scaner)|s(hdfas23uh2398|cannerpc-2012)|c(dburnerxpsoft|heckonlinenow)|photoscapesoft|virtualdj-soft|free(-tube-porn|scanonline)|kingpinservers|g(et-files-here|oldwonderful9)|t(welfth-blocks|ubepornonline)|o(nlinetubeporn|utoffinternet)|xwealthprivate|locateyourlove|usagooglevideo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637508; rev:9;) # sid 2637509 includes 31 (0 - 31) 15 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.info)"; content:"|0f|";content:"|04|info|00|";nocase;within: 18;pcre: 
"/(c(heck(click-site|onlinesite)|pu-help-online)|s(pyware-systems|ex-online-tube|oftware1update)|b(ittorrent-plus|rasilianstoree|estcheckonline|ubble-preorder)|di(vxplayer-full|rectmegastock)|lime-wire-basic|m(essenger-msn-9|o(viemaker-plus|nstersoftware)|sn(-messenger-9|updateserver)|a(lware-scanner|kingtmoneyadv))|openoffice-(plus|full)|p(hotoscape-plus|iramidsoftware)|anti-virus-best|world-tube-free|t(welfth-banners|ommahercompany)|freecheckonline|xwealthprivates|just-protect-pc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637509; rev:9;) # sid 2637510 includes 25 (0 - 25) 16 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.info)"; content:"|10|";content:"|04|info|00|";nocase;within: 19;pcre: "/(ad(d-block-filter|obereader-full)|b(est-protect-av1|itdefender-plus)|f(reemalwarealert|lashplayer-plus)|divx-player-plus|m(ediaplayer-(full|plus)|akingtmoneydown)|t(issuetransplant|welfth-counters)|s(ystemprotectinc|can-for-threats)|3gpconvertersoft|c(ounter-block-11|heckonline(store|today))|xfire-hot-pornxx|porn-online-tube|only-free-videos|videos-for-free(1|2|3|4))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637510; rev:9;) # sid 2637511 includes 14 (0 - 14) 17 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.info)"; content:"|11|";content:"|04|info|00|";nocase;within: 20;pcre: "/(onlinedownloadav1|b(usiness-networks|est-antivirus-pc)|c(lick-my-download|cleaner-portable|heckonlineonline)|3gpconverter-plus|adobeacrobat-plus|protectinstructor|s(pybotsearch-full|tatisticanalysis)|free-download-net|mineralcarebeauty|getr1chordietry1n)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637511; rev:9;) # sid 2637512 includes 9 (0 - 9) 18 character domains in the ".info" top level domain 
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.info)"; content:"|12|";content:"|04|info|00|";nocase;within: 21;pcre: "/(a(v1-click-download|proximosstyle0112)|m(essengerplus-2009|akingtmoneybanner)|xbeauty-hot-pornxx|registrydoktor2009|cleanvirusesonline|trafficfromtwitter|fast-sys-downloads)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637512; rev:9;) # sid 2637513 includes 13 (0 - 13) 19 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.info)"; content:"|13|";content:"|04|info|00|";nocase;within: 22;pcre: "/(checkclick-download|anti-virus-2010-pro|best-click-download|plasticsurgeryworld|m(e(diaplayer-classic|ssenger-messenger)|a(kingtmoneygateway|jorsoftwareupdate))|o(ffsiteoptimization|nline-free-scanner)|windows-movie-maker|scanner-free-online|teensfuckteenvideos)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637513; rev:9;) # sid 2637514 includes 2 (0 - 2) 20 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.info)"; content:"|14|";content:"|04|info|00|";nocase;within: 23;pcre: "/free(bsdadministrator|-spyware-scanner)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637514; rev:9;) # sid 2637515 includes 2 (0 - 2) 21 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.info)"; content:"|15|";content:"|04|info|00|";nocase;within: 24;pcre: "/(download-software-now|scanner-download-free)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637515; rev:9;) # sid 2637516 includes 7 (0 - 7) 22 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 
(msg:"SPYWARE-DNS DNS lookup 22 chars (.info)"; content:"|16|";content:"|04|info|00|";nocase;within: 25;pcre: "/(download-antivirus2010|youtubedownloader-full|altmaforbetchrono00000|online-spyware-remover|spyware-online-remover|mineralcarebeautyadv2(3|4))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637516; rev:9;) # sid 2637517 includes 1 (0 - 1) 25 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.info)"; content:"|19|";content:"|04|info|00|";nocase;within: 28;pcre: "/arbitrageconspiracylaunch/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637517; rev:9;) # sid 2637518 includes 1 (0 - 1) 26 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 26 chars (.info)"; content:"|1a|";content:"|04|info|00|";nocase;within: 29;pcre: "/downloads-best-antispyware/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637518; rev:9;) # sid 2637519 includes 1 (0 - 1) 29 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 29 chars (.info)"; content:"|1d|";content:"|04|info|00|";nocase;within: 32;pcre: "/anti-virus-2010-pro-downloads/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637519; rev:9;) # sid 2637520 includes 1 (0 - 1) 3 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.info)"; content:"|03|";content:"|04|info|00|";nocase;within: 6;pcre: "/b35/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637520; rev:9;) # sid 2637521 includes 31 (0 - 31) 4 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 
(msg:"SPYWARE-DNS DNS lookup 4 chars (.info)"; content:"|04|";content:"|04|info|00|";nocase;within: 7;pcre: "/(oldv|rsfq|a(gkt|7ii)|s(gqw|1p5|kje)|l(siu|tnc|a34)|x(fcg|6x6)|tdxs|ctuf|fuls|kuxx|m(g(1(a|b)|2a|3a|4a|5a|6a|7a|8a|9a|0b)|e-1)|n950|6623|vasd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637521; rev:9;) # sid 2637522 includes 52 (0 - 52) 5 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.info)"; content:"|05|";content:"|04|info|00|";nocase;within: 8;pcre: "/(88wyt|1(m4ge|1aaa|7xmm)|p(vden|a(nte|sio))|jump1|666pz|erewx|2you7|zavan|m(pssm|oont|utw(a|c|e))|t(iton|our6|wold)|s(ys32|awme|peen|bkqd)|g(aehh|ehae|icke)|h(t(srh|hja)|aer(h|e)|orum)|d(i(le1|sea)|olet)|w(zand|ashy|wdot)|a(vrev|sbro)|n(roof|atos)|c(heir|ompy|xsar|ihaz|sjbo)|fedar|odest|uikkl|51she|idfc2)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637522; rev:9;) # sid 2637523 includes 159 (0 - 159) 6 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.info)"; content:"|06|";content:"|04|info|00|";nocase;within: 9;pcre: 
"/(1speed|c(tfmon|a(scas|r(741|963|etz)|ptum|mlet)|omitt|ressy|hafes)|z(odune|ussia)|g(e(t(ips|sup)|lded)|rumio|audad|uiany|irded)|l(itler|a(psek|v(yer|olt)|ryju)|owatt)|o(loomz|nclew|rodes|utliv|bsque)|b(azina|e(eves|nber|d(ash|rid)|sort|ttev|wray)|otled|roths|btedd)|w(pills|ovens|ashts|iving|6mail)|x(dsabc|-desc|filex)|3xpics|j(natek|organ)|n(e(oled|vils)|cnzfh|arowz|umben|otsex)|9sp(eed|ice)|t(e(sekl|n(shy|ted)|rman)|owton|sfxzg|i(cedu|thed)|a(ulus|kest))|u(rsley|n(owed|root|clin|deaf|wept|ioke)|pwize|sicam)|a(hthja|palet|djudg|nmast|rgier|twain|valaz)|s(l(eave|atch)|i(bble|cyon|ghal)|a(llat|bber)|earce|p(elem|inge)|t(onek|ampo|eepy)|c(arre|rowl)|woons|uivez|owner)|r(eglet|a(ught|mpir))|in(clin|quir)|m(ylbbs|ayray|e(yrie|anly)|iloty|obled)|e(n(larg|vied)|r(peer|walk)|spied|elcd5|xtrip|m(nity|oore))|f(i(ggle|fthz|lths)|r(oday|e(ckl|iny))|a(ites|tted)|osset|ulier|crazy)|p(l(each|a(met|zec))|o(lear|tinz)|envie|ittie|rarie)|v(agrom|oided|eldun)|d(roope|e(buty|clin)|olchi)|h(o(ldit|wnet)|illoa)|k(edder|nivel|rapen)|quoifs|53kkk1)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637523; rev:9;) # sid 2637524 includes 59 (0 - 59) 7 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.info)"; content:"|07|";content:"|04|info|00|";nocase;within: 10;pcre: "/(hitslog|u(pdatez|nvelir|kwirex)|x(prmn4u|nescat|omusti)|krantik|m(urotex|s-scan|ixsoul|tm(4cbk|5omt))|info(4us|ket)|a(v-best|brikos|ddjest|phobos|rtcell|nywayi)|v(irtyoz|vinrar|entsol|sdftpp)|zuxmash|3xpussy|t(ratata|op4hot|mclean)|s(py-lab|wfover|trelyk|f-plus|df9er1|undery)|best-av|l(e(ntopl|zgogo)|oacher|rxsoft|astspy)|w(owmail|iinzip)|plantof|g(ersoft|ame1(58|63)|h3pop0)|o(planet|xefyde)|cuplift|devicel|nnieqee|e(ratile|gygate)|f(raskes|iloups)|qzeo-ad)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637524; rev:9;) # sid 2637525 includes 106 (0 - 106) 8 character 
domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.info)"; content:"|08|";content:"|04|info|00|";nocase;within: 11;pcre: "/(m(a(inssrv|xifeed)|egapain|i(xscan6|nemane)|yskynet|ooshooh|tmadvgb)|r(us-shop|ootscan|iupdate)|w(a(lterex|y(4scan|scan(4|6)|6scan))|ww-ares|owyesgo)|c(larafin|rferari)|s(can(w(eb4|ay6)|log6|new4|4(l(ux|og)|way|fix|key|bay)|gen(4|6)|f(an6|ix4)|mix6|ray6|6(fix|way|key|top))|topssse|undalet)|l(og(6scan|4scan|scan4)|uxscan6|isthtml)|n(e(wscan4|atsore)|o-virus|amearra|neroitt)|f(ormybro|ix(4scan|scan4)|ffkkeee)|p(echenka|ickknob|a(styono|pirosi)|chomei5)|g(e(n(4scan|scan(4|6)|6scan)|otisto)|oxxxweb)|k(eyscan4|anibali|keeoopp)|e(m(-event|ule-it)|krclean)|unmarine|i(cq-full|aplakal)|t(op(4scan|s(can6|host))|heremin|ip(4scan|scan4|osoft))|a(b(rigade|outdot)|nti-spy)|o(ne4scan|p(en-dns|ifdngm))|v(ip-meds|lc-full)|b(ayscan4|bortixx|ckjtrkg|lagoinc)|xtraroom|33duraka|de(luz666|vsshop)|z(emla-50|onetech)|00ewr00m|h(a(kasimq|ck-off|nadoki)|omelezo))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637525; rev:9;) # sid 2637526 includes 155 (0 - 155) 9 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.info)"; content:"|09|";content:"|04|info|00|";nocase;within: 12;pcre: 
"/(4utraffic|p(ilsudano|uerkoric|l(umsauce|anscan4)|ort4scan|spvideo9|alata666|erreduno)|f(i(minauar|lescan4)|lex4scan|ullscan4|re(shhost|e(best4|capch)))|g(itoeanai|o(al4scan|ldtraff)|agtemple|lobostep)|s(c(an(4(best|m(ain|o(de|re))|true|user|zoom|live|a(uto|rea)|f(i(ne|le)|ull)|note|goal|h(ard|igh)|p(ort|age)|work)|easy4|line(6|4)|t(ool(4|6)|rue(4|6))|m(ain4|eta(4|6))|auto4|f(lex4|ine4)|note(4|6)|6(meta|t(ool|rue)|zoom|note|user)|star6|zoom6|user6)|oregame)|l(im(4scan|scan4)|ashrock)|tarscan6)|b(est(6scan|xmovs)|armatuxa)|t(r(adepark|ue(4scan|scan(4|6)|6scan)|ollgold)|ool(4scan|6scan|scan6)|apiroten|ipocat06)|d(a(ta(4scan|6scan|scan4)|obrains)|uffimail)|e(asy(4scan|scan4)|ver(4scan|6scan|scan(4|6))|ljupdate)|l(in(e(scan6|4scan)|gobest)|endshaft|llllllll)|m(ai(n(6scan|scan(6|4)|4scan)|lzippo)|e(ta6scan|ankirdo|lhordia)|orescan4)|8addition|u(ser(scan4|6scan)|rlupdate)|z(oomscan4|apalinfo)|a(utoscan4|r(ea4scan|madaneo|ticlesi)|tomscan6|vira-net|cid4roll)|n(o(te(scan4|6scan)|d32(-net|soft))|tlligent|a(morinho|cjalneg)|panelsrv)|7(zip-2009|security)|k(lamniton|1ngartur)|i(n(toscan4|folator|koclear)|glimario)|c(ashpopup|ounter1(1|3)|enturiox)|w(orkscan4|allgates)|h(igh(4scan|scan4)|mcompany)|q(uangpham|wecvgfjk)|x(enotraf1|ingfu5yt)|y(ankdream|ouneyoum)|jtmqypcgt)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637526; rev:9;) # sid 2637527 includes 1 (0 - 1) 16 character domains in the ".io" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.io)"; content:"|10|";content:"|02|io|00|";nocase;within: 19;pcre: "/hot-mature-women/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637527; rev:9;) # sid 2637528 includes 2 (0 - 2) 6 character domains in the ".ir" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ir)"; content:"|06|";content:"|02|ir|00|";nocase;within: 9;pcre: 
"/(garant|opchki)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637528; rev:9;) # sid 2637529 includes 2 (0 - 2) 7 character domains in the ".ir" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ir)"; content:"|07|";content:"|02|ir|00|";nocase;within: 10;pcre: "/i(photos|escrow)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637529; rev:9;) # sid 2637530 includes 1 (0 - 1) 9 character domains in the ".is" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.is)"; content:"|09|";content:"|02|is|00|";nocase;within: 12;pcre: "/alfaheidi/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637530; rev:9;) # sid 2637531 includes 3 (0 - 3) 10 character domains in the ".it" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.it)"; content:"|0a|";content:"|02|it|00|";nocase;within: 13;pcre: "/(recanatini|cheapitaly|telecarsys)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637531; rev:9;) # sid 2637532 includes 2 (0 - 2) 11 character domains in the ".it" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.it)"; content:"|0b|";content:"|02|it|00|";nocase;within: 14;pcre: "/(saiprogetti|rescuenergy)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637532; rev:9;) # sid 2637533 includes 1 (0 - 1) 12 character domains in the ".it" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.it)"; content:"|0c|";content:"|02|it|00|";nocase;within: 15;pcre: "/materetcaput/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637533; rev:9;) # sid 2637534 includes 1 (0 - 1) 13 character domains in the ".it" 
top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.it)"; content:"|0d|";content:"|02|it|00|";nocase;within: 16;pcre: "/brtconsulting/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637534; rev:9;)
# NOTE(review): triage and upkeep for the rules in this run.
# - msg names only the label length and the TLD ("13 chars (.it)"), and every rule carries
#   the same reference URL, so an alert does not say which listed name was seen. Where the
#   pcre holds several alternatives, the queried name has to be read from the packet or
#   from resolver logs.
# - The file header stamps this generation Mar 9 2010 and says the list is regenerated
#   daily from an external domains.txt. The rules give no per-entry reason or date, and
#   several entries read like ordinary site names (presumably sites that were listed for a
#   period; not verifiable from here). Compare against a current copy of the feed before
#   enabling a snapshot like this one.
# - Short tokens such as /eom/i, /geda/i and /15min/i are tested by a pcre that has only
#   the i flag, so they are not tied to the position of the two content matches.
# sid 2637535 includes 2 (0 - 2) 14 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.it)"; content:"|0e|";content:"|02|it|00|";nocase;within: 17;pcre: "/a(nnunci-motori|bruzzobooking)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637535; rev:9;)
# sid 2637536 includes 3 (0 - 3) 20 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.it)"; content:"|14|";content:"|02|it|00|";nocase;within: 23;pcre: "/(i(stitutomicoterapico|olavorodacasaonline)|giandomenicolombardi)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637536; rev:9;)
# sid 2637537 includes 1 (0 - 1) 3 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.it)"; content:"|03|";content:"|02|it|00|";nocase;within: 6;pcre: "/eom/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637537; rev:9;)
# sid 2637538 includes 1 (0 - 1) 34 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 34 chars (.it)"; content:"|22|";content:"|02|it|00|";nocase;within: 37;pcre: "/accademiaitalianadellaviteedelvino/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637538; rev:9;)
# sid 2637539 includes 1 (0 - 1) 35 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 35 chars (.it)"; content:"|23|";content:"|02|it|00|";nocase;within: 38;pcre: "/italianostracastiglionedellapescaia/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637539; rev:9;)
# sid 2637540 includes 1 (0 - 1) 4 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.it)"; content:"|04|";content:"|02|it|00|";nocase;within: 7;pcre: "/geda/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637540; rev:9;)
# sid 2637541 includes 1 (0 - 1) 5 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.it)"; content:"|05|";content:"|02|it|00|";nocase;within: 8;pcre: "/15min/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637541; rev:9;)
# sid 2637542 includes 1 (0 - 1) 6 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.it)"; content:"|06|";content:"|02|it|00|";nocase;within: 9;pcre: "/cybion/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637542; rev:9;)
# sid 2637543 includes 3 (0 - 3) 8 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.it)"; content:"|08|";content:"|02|it|00|";nocase;within: 11;pcre: "/(mepradio|jacarise|bandbmlc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637543; rev:9;)
# sid 2637544 includes 4 (0 - 4) 9 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.it)"; content:"|09|";content:"|02|it|00|";nocase;within: 12;pcre: "/(medialabs|l(astuacoe|ineaidea)|nontipago)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637544; rev:9;)
# sid 2637545 includes 1 (0 - 1) 10 character domains in the ".jp" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.jp)"; content:"|0a|";content:"|02|jp|00|";nocase;within: 13;pcre: "/lock-stock/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637545; rev:9;)
# sid 2637546 includes 1 (0 - 1) 14 character domains in the ".jp" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.jp)"; content:"|0e|";content:"|02|jp|00|";nocase;within: 17;pcre: "/vanilla-resort/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637546; rev:9;)
# sid 2637547 includes 2 (0 - 2) 5 character domains in the ".jp" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.jp)"; content:"|05|";content:"|02|jp|00|";nocase;within: 8;pcre: "/(fitme|a-roi)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637547; rev:9;)
# sid 2637548 includes 1 (0 - 1) 7 character domains in the ".jp" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.jp)"; content:"|07|";content:"|02|jp|00|";nocase;within: 10;pcre: "/mikyaku/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637548; rev:9;)
# sid 2637549 includes 1 (0 - 1) 9 character domains in the ".jp" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.jp)"; content:"|09|";content:"|02|jp|00|";nocase;within: 12;pcre: "/ai-studio/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637549; rev:9;)
# sid 2637550 includes 1 (0 - 1) 10 character domains in the ".kg" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.kg)";
content:"|0a|";content:"|02|kg|00|";nocase;within: 13;pcre: "/investment/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637550; rev:9;)
# NOTE(review): the pcre in these rules has only the i flag: it is neither relative to the
# two content matches nor anchored to a label boundary, so a token is accepted wherever it
# occurs in the payload, including inside a longer or unrelated label of the same query.
# That matters most for everyday words and very short tokens in this run: /investment/i,
# /come/i, /iner/i, /vista/i, /psycho/i and the two-character /51/i of sid 2637562.
# An alert from these sids needs the queried name confirmed from the packet or resolver
# logs before it is treated as a hit. If the generator can be changed, a single content
# holding length byte, label and TLD in wire form would tie the name to the TLD, e.g.
# (constructed sketch, not from the feed): content:"|05|vista|02|lk|00|"; nocase;
# sid 2637551 includes 3 (0 - 3) 4 character domains in the ".kr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.kr)"; content:"|04|";content:"|02|kr|00|";nocase;within: 7;pcre: "/(come|desz|ersm)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637551; rev:9;)
# sid 2637552 includes 3 (0 - 3) 6 character domains in the ".kr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.kr)"; content:"|06|";content:"|02|kr|00|";nocase;within: 9;pcre: "/reilk(a|i|o)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637552; rev:9;)
# sid 2637553 includes 4 (0 - 4) 7 character domains in the ".kr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.kr)"; content:"|07|";content:"|02|kr|00|";nocase;within: 10;pcre: "/(molendf|oki8uu(q|u|w))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637553; rev:9;)
# sid 2637554 includes 2 (0 - 2) 8 character domains in the ".kr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.kr)"; content:"|08|";content:"|02|kr|00|";nocase;within: 11;pcre: "/m(tkstrip|ypoints)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637554; rev:9;)
# sid 2637555 includes 1 (0 - 1) 10 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.kz)"; content:"|0a|";content:"|02|kz|00|";nocase;within: 13;pcre: "/resonabhuy/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637555; rev:9;)
# sid 2637556 includes 1 (0 - 1) 13 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.kz)"; content:"|0d|";content:"|02|kz|00|";nocase;within: 16;pcre: "/verissimocafe/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637556; rev:9;)
# sid 2637557 includes 4 (0 - 4) 3 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.kz)"; content:"|03|";content:"|02|kz|00|";nocase;within: 6;pcre: "/(rnw|blt|xbl|amr)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637557; rev:9;)
# sid 2637558 includes 1 (0 - 1) 4 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.kz)"; content:"|04|";content:"|02|kz|00|";nocase;within: 7;pcre: "/iner/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637558; rev:9;)
# sid 2637559 includes 1 (0 - 1) 6 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.kz)"; content:"|06|";content:"|02|kz|00|";nocase;within: 9;pcre: "/skylog/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637559; rev:9;)
# sid 2637560 includes 1 (0 - 1) 7 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.kz)"; content:"|07|";content:"|02|kz|00|";nocase;within: 10;pcre: "/geh-ins/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637560; rev:9;)
# sid 2637561 includes 1 (0 - 1) 8 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.kz)"; content:"|08|";content:"|02|kz|00|";nocase;within: 11;pcre: "/myrussia/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637561; rev:9;)
# sid 2637562 includes 1 (0 - 1) 2 character domains in the ".la" top level domain
# NOTE(review): both contents of this rule begin with the same byte (|02|), and the only
# name check is the two-character /51/i applied to the whole payload.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 2 chars (.la)"; content:"|02|";content:"|02|la|00|";nocase;within: 5;pcre: "/51/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637562; rev:9;)
# sid 2637563 includes 1 (0 - 1) 5 character domains in the ".lk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.lk)"; content:"|05|";content:"|02|lk|00|";nocase;within: 8;pcre: "/vista/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637563; rev:9;)
# sid 2637564 includes 1 (0 - 1) 12 character domains in the ".lt" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.lt)"; content:"|0c|";content:"|02|lt|00|";nocase;within: 15;pcre: "/miestozinios/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637564; rev:9;)
# sid 2637565 includes 1 (0 - 1) 10 character domains in the ".lv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.lv)"; content:"|0a|";content:"|02|lv|00|";nocase;within: 13;pcre: "/amataklubs/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637565; rev:9;)
# sid 2637566 includes 1 (0 - 1) 6 character domains in the ".lv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.lv)"; content:"|06|";content:"|02|lv|00|";nocase;within: 9;pcre: "/psycho/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637566; rev:9;)
# sid 2637567 includes 1 (0 - 1) 3 character domains in the ".ma" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53
(msg:"SPYWARE-DNS DNS lookup 3 chars (.ma)"; content:"|03|";content:"|02|ma|00|";nocase;within: 6;pcre: "/dma/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637567; rev:9;)
# NOTE(review): scope of the rule header used throughout this run.
# - "alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53" inspects only UDP
#   queries sent to the resolvers in $DNS_SERVERS by hosts outside the two server groups.
#   Lookups over TCP/53, to resolvers outside $DNS_SERVERS, or inside encrypted DNS
#   transports never reach these rules; resolver query logs and egress filtering of port 53
#   cover that gap.
# - $SMTP_SERVERS and $DNS_SERVERS are excluded as sources, so a mail or DNS server that
#   looks up a listed name raises no alert here.
# - juiha(a|s|x|z), milki1(a|e|g|y) and tt1qwa(1|e) differ only in the last character; a
#   fixed list matches the listed endings only, so treat these sids as indicators of names
#   seen when the list was built, not as coverage of a whole family.
# sid 2637568 includes 1 (0 - 1) 5 character domains in the ".ma" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ma)"; content:"|05|";content:"|02|ma|00|";nocase;within: 8;pcre: "/jaybi/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637568; rev:9;)
# sid 2637569 includes 1 (0 - 1) 9 character domains in the ".ma" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ma)"; content:"|09|";content:"|02|ma|00|";nocase;within: 12;pcre: "/entreamis/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637569; rev:9;)
# sid 2637570 includes 1 (0 - 1) 6 character domains in the ".md" top level domain
# NOTE(review): /server/i is a common word and is tested against the whole payload, not
# only the label in front of |02|md|00|; confirm the queried name before acting on this sid.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.md)"; content:"|06|";content:"|02|md|00|";nocase;within: 9;pcre: "/server/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637570; rev:9;)
# sid 2637571 includes 4 (0 - 4) 6 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.me)"; content:"|06|";content:"|02|me|00|";nocase;within: 9;pcre: "/juiha(a|s|x|z)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637571; rev:9;)
# sid 2637572 includes 9 (0 - 9) 7 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.me)"; content:"|07|";content:"|02|me|00|";nocase;within: 10;pcre: "/(hfriili|lyrics2|milki1(a|e|g|y)|tt1qwa(1|e)|napznet)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637572; rev:9;)
# sid 2637573 includes 1 (0 - 1) 9 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.me)"; content:"|09|";content:"|02|me|00|";nocase;within: 12;pcre: "/orzsystem/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637573; rev:9;)
# sid 2637574 includes 1 (0 - 1) 7 character domains in the ".mn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.mn)"; content:"|07|";content:"|02|mn|00|";nocase;within: 10;pcre: "/vstdrrr/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637574; rev:9;)
# sid 2637575 includes 1 (0 - 1) 10 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.mobi)"; content:"|0a|";content:"|04|mobi|00|";nocase;within: 13;pcre: "/840384tony/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637575; rev:9;)
# sid 2637576 includes 4 (0 - 4) 11 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.mobi)"; content:"|0b|";content:"|04|mobi|00|";nocase;within: 14;pcre: "/(shock-world|347dj27dh21|recoverdata|itauempresa)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637576; rev:9;)
# sid 2637577 includes 1 (0 - 1) 16 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.mobi)"; content:"|10|";content:"|04|mobi|00|";nocase;within: 19;pcre: "/softwarelinksite/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637577; rev:9;)
# sid 2637578 includes 3 (0 - 3) 4 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.mobi)"; content:"|04|";content:"|04|mobi|00|";nocase;within: 7;pcre: "/(jopi|p-dd|traf)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637578; rev:9;)
# sid 2637579 includes 1 (0 - 1) 7 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.mobi)"; content:"|07|";content:"|04|mobi|00|";nocase;within: 10;pcre: "/vsdftpp/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637579; rev:9;)
# sid 2637580 includes 1 (0 - 1) 6 character domains in the ".mx" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.mx)"; content:"|06|";content:"|02|mx|00|";nocase;within: 9;pcre: "/madcmx/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637580; rev:9;)
# sid 2637581 includes 5 (0 - 5) 10 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.name)"; content:"|0a|";content:"|04|name|00|";nocase;within: 13;pcre: "/(mybigmoney|goldenkeys|nirmjika31|pop-market|xxxdessert)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637581; rev:9;)
# sid 2637582 includes 5 (0 - 5) 11 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.name)"; content:"|0b|";content:"|04|name|00|";nocase;within: 14;pcre: "/(silentpanel|48reg-sslid|online(films|gazik)|xyseinobama)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637582; rev:9;)
# sid 2637583 includes 2 (0 - 2) 13 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.name)"; content:"|0d|";content:"|04|name|00|";nocase;within: 16;pcre:
"/(cmdidverify82|mchedlishvili)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637583; rev:9;) # sid 2637584 includes 1 (0 - 1) 3 character domains in the ".name" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.name)"; content:"|03|";content:"|04|name|00|";nocase;within: 6;pcre: "/tnx/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637584; rev:9;) # sid 2637585 includes 3 (0 - 3) 6 character domains in the ".name" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.name)"; content:"|06|";content:"|04|name|00|";nocase;within: 9;pcre: "/(getway|tobaco|nadvet)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637585; rev:9;) # sid 2637586 includes 1 (0 - 1) 7 character domains in the ".name" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.name)"; content:"|07|";content:"|04|name|00|";nocase;within: 10;pcre: "/bzzz666/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637586; rev:9;) # sid 2637587 includes 2 (0 - 2) 9 character domains in the ".name" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.name)"; content:"|09|";content:"|04|name|00|";nocase;within: 12;pcre: "/(x-systems|zeuspanel)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637587; rev:9;) # sid 2637588 includes 1 (0 - 1) 11 character domains in the ".ne" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ne)"; content:"|0b|";content:"|02|ne|00|";nocase;within: 14;pcre: "/nicevideo18/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637588; rev:9;) # sid 2637589 includes 1 (0 - 1) 21 character domains in the ".ne" 
top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.ne)"; content:"|15|";content:"|02|ne|00|";nocase;within: 24;pcre: "/securityexternaltools/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637589; rev:9;) # sid 2637590 includes 1 (0 - 1) 5 character domains in the ".ne" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ne)"; content:"|05|";content:"|02|ne|00|";nocase;within: 8;pcre: "/fra22/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637590; rev:9;) # sid 2637591 includes 1 (0 - 1) 6 character domains in the ".ne" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ne)"; content:"|06|";content:"|02|ne|00|";nocase;within: 9;pcre: "/mobiec/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637591; rev:9;) # sid 2637592 includes 133 (0 - 133) 10 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.net)"; content:"|0a|";content:"|03|net|00|";nocase;within: 13;pcre: 
"/(d(a(mqrgldev|vidkramm|iemzuops)|b(sjxuvijx|icrgzykf)|c(orbtfyni|lbfsnrkp)|d(zmuatncz|lmusvidr)|e(tjstniup|dkeopght|npcysght)|fhatnjfjw|g(lcxlcfmk|ejngkait)|hxkycjmrg|i(ngsmedia|scoverup)|omaintens)|g(ujjipuzzi|reatfound|e(ekspoker|noceidas|rgrafiks)|hlyhwpght|o(ldstats1|odstats1|safezone))|m(y(realtube|medstore)|e(tr(icshop|o-tube)|dianet08)|agicsuser|icroscoop|uchomucho)|s(h(ikofotot|ells4you)|e(zhongse8|ksburada|rver-(a55|b(37|77)|c(02|26)|d50|e60)|cline333)|can(-virus|myzone)|a(vemywork|loongins)|ystem(-dns|tlds)|oft(0world|warexp)|tevenlang)|n(e(w(-mrcash|pcguard)|oconflux|tnetnets)|oproblemz|atointros)|b(a(zrvxedfe|nd-sites)|batzkvfha|c(oxihfvvh|jiqkguno|7560e69a)|ddanhdnfl|e(wfsnfwka|st(scanpc|-kicks))|fcysytdze|gukeumzwz|hlmxnopqc|radykeith|otsystems|irdmobile|8997e2123|ulletcool)|p(art(-owner|ner777)|illsintop|rinthouse|latpro-db)|easycracks|video(sdivx|fresh)|a(gainstspy|ndateneer|ctualtube|dcounters)|originalsp|xtremeporn|web-e-mail|the(camsnow|kingpin)|l(uxartpics|ovingmoms)|i(framecash|jgfshjuno|net(-guard|guard2))|c(dmhsxdght|oolstats1|7cf793d83|heckvirus)|h(iccanaght|ackengine|sbc-trial)|ja(esupgght|oxiavght)|f(ilemarket|luousness|eroydayss)|k(anabiolka|elandiciv)|1(699online|ac09b9715|bfc5c8aac)|2(029online|6484764bd|ee91680f2)|7(d44f12b6e|60d4f9975)|04aa44713f|4(8b5bb6b73|fcb08ef77)|5d6f85739f|6(a1003a634|ded52ce69)|realixlove)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637592; rev:9;) # sid 2637593 includes 86 (0 - 86) 11 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.net)"; content:"|0b|";content:"|03|net|00|";nocase;within: 14;pcre: 
"/(t(he(installs|yaredead)|ripgetlong)|d(e(nsitytrim|forum1980)|rugly-cats|on(tstop185|ald-dark))|g(lobal(stats|insss)|rummerhens)|f(il(es250362|mjournal)|orestnymph)|loading-(atm|n(rp|so))|p(hoto-posts|rimemovier|lay(888euro|euro888|todayss)|ageupndown)|i(tcoreguard|vanstadniy|n(ternetbfd|digozeus1)|kbalvockal)|s(dfiiixkoas|ystemstock|oftware(sky|jar|the)|a(ncalogero|fetyearth)|e(xfreetube|arch-info|rieonline)|tylestats1|can(-secure|webzone)|pace-share)|7stepsmedia|emule-emule|w(ww-azureus|e(bmedstore|ekendgolf)|inamp-2009)|a(nt(i(virus09|poollss|-scamco)|yflutool|conspool)|d(clickmate|warecheck)|zginkizlar|rtsmartint|lt(-groupco|medstore))|c(lip-n-save|o(mputeralt|nnectapac))|1-myantispy|n(eosoftware|o(nfluguide|lif3-clan)|avigate777)|houpacisite|j(avaruntime|ookjunacro)|m(e(ssenger-9|lissamoss)|yz(oneguard|ipitfast)|a(rkandrews|lwares-in))|kostenlosie|best(-scanpc|fire(log|red))|updateslive|outyourflux|v(scodec-pro|idscentral)|888playeuro|your-ebooks)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637593; rev:9;) # sid 2637594 includes 94 (0 - 94) 12 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.net)"; content:"|0c|";content:"|03|net|00|";nocase;within: 15;pcre: 
"/(h(ello-to-you|ot(-exe-area|freestuff|girldream)|uliganseres)|livelnternet|m(y(supervisor|zonesecure)|a(gnificents|fiavirtual|lware-scan)|onkey-squad|ega-manager|u(lticentrum|nsterjeger))|b(est(guideinc|-scan-pc|drugclub)|i(tcoreguard|gfreepussy)|rands-(house|stock))|c(at-browse30|entralfilms|lean-pc-now|rystal-arts)|i(pdatacenter|iikaolllxxx|smailia1928|n(civfalitss|etguardlab))|g(uard(lab2009|syszone)|roovemusics|lobalscanme|etpersprtv2)|vi(ruscatcher|fiogod7com)|t(he(renothing|medallion|antyvirus)|o(urprovence|talcaresix)|echnigoyous)|zvezdu-porno|p(rost(mirkost|ruction)|laybosssiks|agadodireto)|1-againstspy|2-againstspy|a(gentprotect|teslidullar|v(-test-here|iavavilons)|nt(y(spywares|virusnow)|ivi(rustop|-areus))|llmoviesnow|bouttraffic)|d(irtylivesex|roplapstill|elicesevdam)|jackofspades|w(ww-facebook|oorizip1004|ebnicrisoft)|re(gistryfast|cicladores)|s(can-(your-pc|malware)|itepostoana|ystem-guard|e(archdefend|cur(emyzone|ity2010)|tmoviesoft)|pyware-test|t-resources|oft(ware(20(0(8|9)|10)|anti|spam)|scan-pro))|errorkillers|f(iminalisimo|reeemailnow)|koreadefence|netantivirus|ubojnajasila|oberaufseher|yourweekends)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637594; rev:9;) # sid 2637595 includes 79 (0 - 79) 13 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.net)"; content:"|0d|";content:"|03|net|00|";nocase;within: 16;pcre: 
"/(p(c2009-antivr|ro(-antivirus|tectmyzone)|orn-new-tube|dsproperties|aymentsafety)|o(lders-orgies|nline(medsite|games25))|c(o(reguard2009|unterengine)|heck(-updates|4-forvir)|licksurfcash)|w(eb(trustrank1|company-es)|ww-msnspaces|hippeddreams)|t(eenagersporn|racker-stats|dpc-computer)|b(lacksexygirl|admintonblog|ikingrealtor|esttubeworld|onuseurodice)|vi(deoporntrue|rus-catcher)|lookforfriend|m(y(prosoftware|an(tyspyware|-ty-virus))|arketservers|ifconsulting)|s(oftware(unity|alarm)|pywarealerts|e(archpcguard|cur(e(-admins|syszone|antibot)|itysofts))|tar-groupinc|martmechanic)|a(llyouwantbuy|merican-avto|uto(uploaders|tradersuk))|n(ucleargaming|ewmoon-movie|o(rtonantiflu|vironyourpc))|g(o-scansystem|uard(-syszone|sys-zone|zone-sys)|amescoresite|reat(medstore|esttubes))|kicks-vendors|d(e(fendsyszone|eprightnews)|ra(gonfiremed|ft5sticks4)|ice(bonuseuro|eurobonus))|j(atulintarhan|opiterazania)|yo(kserezantia|pilazankaza)|hometubevideo|indexgroupinc|f(airplaygames|eelcleardown)|e(lectro-place|uro-shopping)|roomafterhide|ustreasurynet|zarcoexchange)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637595; rev:9;) # sid 2637596 includes 91 (0 - 91) 14 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.net)"; content:"|0e|";content:"|03|net|00|";nocase;within: 17;pcre: 
"/(c(urrentsession|eskarepublika|leanvironmypc)|liveprotection|an(t(i(spyware(pro|web)|fludirect1|-virusshop|virus-live)|yvirus(store|tools))|drewberggren|-ty-virusnow|alizersyscom)|fa(cebook-photo|stscanse(cure|arch)|rmers-trader|irytailworld)|n(ikkicatsouras|ew(antyspyware|mediatravel|softscanner))|p(hoto(bucket-id|-facebook)|e(technologies|ople(medstore|-and-job))|rotect(-myzone|syszone)|artmultimedia)|s(e(arch-(adverts|protect)|cur(e(-syszone|sys-zone|medstore)|ityholder))|a(markand-city|vageconsulyb)|oftware(budget|rising|secure)|p(yware-scaner|ortsmansclub|inkingcazino)|tarscasinoweb|uperantivirus)|m(essenger-plus|issing-codecs|yvirusscanner|oviemidifiles|a(lware-scaner|kesafeyourpc))|1-agentprotect|2-agentprotect|g(reat(newlifeuk|viptravel)|o(scan-protect|ldtechonline|odstonetubes|inforcure-pc)|lobalzonescan)|k(hmerdailynews|i(cks-discount|ng(cazinospin|spincazino)))|b(r(and(-supplier|s-vendors)|itishsupport)|lanshinblansh|onusvegasgame)|d(iscounts-shop|efend(-syszone|sys-zone))|xxx-white-tube|e(markating4you|daddywarbucks)|online(drugsweb|medworld|shopmart|tubeporn)|t(he(flashplugin|an-ty-virus)|ubepornonline)|v(egas(bonusgame|gamebonus)|irus-detector)|internet-guard|whatismyipinfo|realpc(-scannow|scan-now))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637596; rev:9;) # sid 2637597 includes 100 (0 - 100) 15 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.net)"; content:"|0f|";content:"|03|net|00|";nocase;within: 18;pcre: 
"/(a(d(vertisedpanel|min-services1|ult-tube-free|obe-config-s3)|n(-ty-virus(blog|s(hop|ite))|t(i(-virustoday|virus(center|expert))|yvirus(device|gadget))|aliticcontrol)|uto(-doitscanpc|doit(-scanpc|scan-pc)))|f(a(cebook-photos|s(t(scan-search|zonescannow)|hion-vendors))|ree(-webscaners|an(tyspyware|-ty-virus)))|s(ilver-services|marttech-house|ystemprotect(ed|or)|canmypc-online|o(lomediaonline|ftware(defense|gateway|ranking|s(canner|pyware)|threats))|pringhousearts|toptibetcrisis)|re(pair-registry|al-pc-scannow)|e(secure-federal|lektronservice)|t(orrent(oreactor|areactor)|e(rtechet-vings|chhomeservice)|he-evil-empire|v-world-online|ube-sex-online|dpc-computer22)|g(oogleanalytlcs|lamourexchange|r(oupmomsorgies|eatactualtube))|m(sn-messenger-9|ed(iastreamdata|generalstore|pillsbargain|storebargain)|alware-scanner|u(stscanzonenow|ltimediafiles)|yantyvirustool)|c(ialis-generico|omprare-(cialis|viagra)|heck(-files-now|virus-zone)|e(rtificates-db|ntermediaarea)|asinoroyalopen)|vi(agra-generico|deotoolonline)|i(-am-porno-star|m(mitations-all|oviedownloads)|ndeep-scanonpc)|d(ownloadfilenow|iscounts-store)|kicks-discounts|p(rotect(-syszone|sys-zone|ionsuite)|h(oenix-groupco|armacyvipsite)|c-scanner-2012|ublicdomainsss|ineguardofmypc)|xenonflashtubes|o(nlinemeddirect|pen(casinoroyal|royalcasino))|2009antispyware|be(stan-ty-virus|autifull-life)|w(orldprotection|hite-xxxx-tube|ebcompany-euro)|hold-uponyourpc|new(-sysdefender|sys-defender))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637597; rev:9;) # sid 2637598 includes 78 (0 - 78) 16 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.net)"; content:"|10|";content:"|03|net|00|";nocase;within: 19;pcre: 
"/(e(rotic-solutions|verytimewetouch)|go(ogle-anali(styc|tics)|vernmetfunding|ldenstarevents)|t(otalantispyware|ubezzz-boobezzz|echnologyplayer|hemultimediahot)|f(a(cebook-gallery|st(-(systemguard|zonescannow)|scan-protect|zone-scannow))|ree-(web-scaners|tube-orgasm|adult-sites)|i(lesarchivesite|nal-years-scan)|lashmediasource)|p(rofit-marketing|a(rtnergreatest8|illeantireflux)|ine-guardofmypc)|v(irus(shield-scan|filter-zone)|ampizdecvsemnax)|b(e(xtrasideeffect|stmedfirealarm)|argain(firestore|heatstore)|urnstoresunrise)|s(e(archinfoonline|cur(e-antivirus|ityutilitys))|canvirus-online|torageutilities|ystem(scan-check|y-grzewcze))|in(telinet-global|stantloadflash)|online(websupport|s(cansystem|ystemscan|ecurebill)|datingmart)|m(y(securityshield|protected-zone|-(protectedzone|newprotection)|databasedirect)|icrosoftantiflu|u(ltimediare(gion|load)|st(-scanzonenow|scan(-zonenow|zone-now)))|edia(datastorage|artsgallery)|oremediaplugins)|westend-payments|c(harlottegaspard|apitolbartering)|r(affaellopaolino|eal(-zonescannow|zonescan-now))|up(dateexperiment|cleanyourpcnow)|detroitfirestore|hugemoviestorage|a(n-ty-virus(store|today)|llstaffdefender)|new(antyvirustool|staffdefender)|keep-your-pcsafe|letustryto-clean)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637598; rev:9;) # sid 2637599 includes 64 (0 - 64) 17 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.net)"; content:"|11|";content:"|03|net|00|";nocase;within: 20;pcre: 
"/(windows(xp-privacy|-virusscan|pcdefender)|s(canspywareonline|pywaredeletehere|i(licon-solutions|teadvertise4you)|e(archscan-online|curity(toolsuser|onlinenow))|oftinternational)|b(oormansjewellers|est(movieutilites|antyvirustool)|ar(rysphotography|terforbusiness)|usinessboard6124)|exstra-av-scanner|hot(-tube-tuberzzz|cleanof-yourpc)|f(ederalbanksystem|ree(antivirusinfo|-(celeb-videos|download-net))|astsearch(-secure|protect))|3-antispyware3000|i(nstalldiskscaner|slandperformance)|ne(osoftwareonline|t(-download-free|worksolutions5))|t(hetrafficcontrol|rustscanonmyzone)|vi(russweeper-scan|deoplugindirect)|londonescortslist|consumers-reviews|m(y(protection-zone|-system-scanner|system-defender)|ultimedia(private|techinc)|oviedownloadsnow)|online(-systemscan|med(discount|fixtures))|a(utoonlineadvisor|n(-ty-virusonline|t(i(-spyware-2010|spywareonline|virus-service)|yvirustool(blog|s(hop|ite))))|dvanced-defender)|g(lobalzoneprotect|o(odkinoutilities|-scanyoursystem))|p(ersonalprotector|ineguard-of(-mypc|my-pc))|d(vdplayersstorage|ecomanufacturing))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637599; rev:9;) # sid 2637600 includes 41 (0 - 41) 18 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.net)"; content:"|12|";content:"|03|net|00|";nocase;within: 21;pcre: 
"/(f(ree(-scan-service1|securityonline)|iles-download-now|astscanandprotect)|m(essengerplus-2009|y(systemprotection|-pcsecureadvisor)|ovieutilitesworld|ailserver-updates)|a(nt(ivirus-solution|yvirus(accessory|tooltoday))|dd-content-filter|proximosstyle0112)|perfectuninstaller|s(c(an(spywaresonline|online-protect)|ienceinvestments)|ystemprotect-zone|ecurity(toolsprior|onlineblog))|t(rust(-scanonmyzone|scan(-onmyzone|formyzone|on(-myzone|my-zone)))|hesecurityutility)|o(nline(casinosstore|shopmedguide)|ptioptix45-serche)|enterprisedefender|holdonyourzonescan|instantmovieplugin|wholemanministries|rockvillelocksmith|cosmeticspermanent|new(s(ecurityutility|ystem-defender)|-systemdefender)|bestsecurityonline|lastcheckonmy-zone)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637600; rev:9;) # sid 2637601 includes 51 (0 - 51) 19 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.net)"; content:"|13|";content:"|03|net|00|";nocase;within: 22;pcre: "/(m(essenger-messenger|y(system-protection|-pcsecure-advisor|pcs-ecure-advisor))|a(mateuralluremovies|ntyvirus(instrument|toolonline))|onlinecentersupport|s(afetysystem-shield|ecur(e-systemshield|ity(toolslisted|utility(b(elt|log)|disc|shop|tool)|online(today|forum)))|oft(scanguardmyzone|ware-discounter)|ystemsearchandscan|canner-free-online)|win(protection-suite|dows-systemguard)|f(a(st(-scanandprotect|cureat-yourcomp)|rmsecurityutility)|ree(-scanner-online|securityutility))|trust(s(ystem-protect|can(-formyzone|for(-myzone|my-zone)))|-scanformyzone)|g(lobal-certificates|uardsystem-scanner|o-systemprotection)|let-meguardyourzone|implementmultimedia|p(illsonlinerxhealth|ersonalprotectorv2)|hold(-onyourzonescan|on(-yourzonescan|your(-zonescan|zone-scan)))|b(estsecurityutility|luesecurityutility|adwareexterminator)|download-free-files|new(advancedsyscheck|systemprotection))/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2637601; rev:9;) # sid 2637602 includes 30 (0 - 30) 20 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.net)"; content:"|14|";content:"|03|net|00|";nocase;within: 23;pcre: "/(adult-tube-downloads|online(s(pywarescanner|hoppingmarket)|-scanandsecure)|directdownloadcenter|virusalarm-scanvirus|f(ree-spyware-(c(leaner|hecker)|scanner)|ast(-searchandsecure|searchprotection))|new(-(systemprotection|advancedsyscheck)|advanced-syscheck)|s(e(arch-systemprotect|curity(toolsediting|utility(store|today)))|oft(-scanguardmyzone|scan(-guardmyzone|guard(-myzone|my-zone)))|ystem-searchandscan)|pacificcreditfinance|qatar-business-guide|m(yreservedomainforz(6|7)|ost(-safepcscanguard|safepcscan-guard))|badware-exterminator)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637602; rev:9;) # sid 2637603 includes 21 (0 - 21) 21 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.net)"; content:"|15|";content:"|03|net|00|";nocase;within: 24;pcre: "/(e(ducationdegreeonline|archsafetyprotection)|online(billingsolution|-scaner-malware|check-andscanpc)|blackwter-cuprumworks|f(ast(-s(earch(andprotect|protection)|canandcleansoft)|search-protection)|ederalreservebank-(mt|n(h|j)|t(n|x)))|clearstreammultimedia|download-free-scanner|securityutilityonline|n(y-federalreservebank|ew-system-protection)|videodivertentigratis)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637603; rev:9;) # sid 2637604 includes 12 (0 - 12) 22 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.net)"; content:"|16|";content:"|03|net|00|";nocase;within: 25;pcre: 
"/(commerceonline-service|n(iche-tube-videos-here|ew-advanced-sys-check)|virussweeper-scanvirus|altmaforbetchrono00000|multimediaexpertsgroup|online-spyware-remover|s(pyware-online-remover|oftware-scaner-online)|windows(additionalguard|enterprisesuite)|useranalyticsreporting)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637604; rev:9;) # sid 2637605 includes 6 (0 - 6) 23 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.net)"; content:"|17|";content:"|03|net|00|";nocase;within: 26;pcre: "/(free-tube-video-central|spyware-remover-reviews|electronicbillingonline|windows(-protectionsuite|protection-suite)|caninespecialtyservices)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637605; rev:9;) # sid 2637606 includes 3 (0 - 3) 25 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.net)"; content:"|19|";content:"|03|net|00|";nocase;within: 28;pcre: "/(registry-cleaners-reviews|windowsenterprisedefender|securityintelligencetools)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637606; rev:9;) # sid 2637607 includes 3 (0 - 3) 3 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.net)"; content:"|03|";content:"|03|net|00|";nocase;within: 6;pcre: "/(b76|7o8|ub8)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637607; rev:9;) # sid 2637608 includes 29 (0 - 29) 4 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.net)"; content:"|04|";content:"|03|net|00|";nocase;within: 7;pcre: 
"/(d(zuc|o21)|g(szk|mt7|ana|365)|an92|m(bd2|ykr)|b(1du|iig)|fi97|q(tas|qnn)|ru98|kmip|uleg|vicp|xicp|y(fyf|qqz)|3god|pczx|z360|oyks|7pp7|iark|s0so|281s)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637608; rev:9;) # sid 2637609 includes 47 (0 - 47) 5 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.net)"; content:"|05|";content:"|03|net|00|";nocase;within: 8;pcre: "/(991uu|m(yrx8|twns|urrr|aqcu|gmcr)|w(ansf|osms)|p(vden|e2pe)|5(944v|1edm)|t(dsdm|t(xhh|rpg)|rfdb)|4root|h(avha|ub-z|ellh)|c(odei|ncsz|urah)|0fees|a(xtos|nalf|dm-1)|kepko|n(ormb|iggs)|s(l(yip|oon|111)|sdnb)|e(usun|rorr|pcat)|zeuro|reeni|oiluk|1(-(adm|upd)|5556)|judns|vi2tu|bahoy|gromz)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637609; rev:9;) # sid 2637610 includes 67 (0 - 67) 6 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.net)"; content:"|06|";content:"|03|net|00|";nocase;within: 9;pcre: "/(d(eewoo|vlorg|igi-1)|t(itmix|oncom)|m(a(ilol|sevi|bira)|vilcd|count)|j(xjlwg|ackvn)|u(pdvms|kliit)|h(i(-bro|vids|t168)|omesy)|c(enpak|lipan|om222)|k(entik|l(ozep|irok)|ijojg)|s(unlux|der44|h(kens|urus))|r(egkey|aktor)|x(dosug|sddss|xxsss)|w(orkst|h0rse)|a(siamo|xl-jp|cminc|ndige)|n(hjui9|anomx|od-32|yuz(1a|3a|4a|5a))|p(encer|roege)|vippif|3dcgfx|e(yepro|inoyy|den21)|i(ngrus|j1tli)|f(oxsrl|farms)|b(esher|ianmi)|l(oadir|j1tl(i|l)|tlil1)|zother|1limbo|6arada)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637610; rev:9;) # sid 2637611 includes 101 (0 - 101) 7 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.net)"; content:"|07|";content:"|03|net|00|";nocase;within: 10;pcre: 
"/(h(qcodec|0tabi4|eycool|ot2009)|201(8wyt|5wyt)|c(a(shtor|rbozy|mpani)|o(nystu|rlock)|ert-db)|b(asesrv|rugeni|eladen|iggerz|halive|ob(o555|band)|fdmart|kmedia|ymusti)|51gouwu|i(lirida|balefo|ntleft)|kingf0x|999mimi|s(ykalab|t(ar(mak|art)|ep2me)|blocco|cykocn|poshss)|m(s-scan|p3-now|ailgov|edkeep|tfi(i(11|l1)|ll1))|n(iklejo|alepki|yuvvas|ewsoff|b(a1001|click))|de(isvop|ca200)|a(080908|l(masto|andar)|ntyflu|v-crew)|v(erymad|-i-e-w|sdftpp|tfii11)|fo(rserv|xlink)|t(urbina|rimecs|j1fiil|hetraf)|l(e(adpod|reftu|groom)|aoding|chiil1)|p(helios|tfi(i(11|l1)|ll1)|mvideo|oolsss)|g(alz177|oo(gapa|d412))|ro(adone|price)|y(e(stour|rsfde)|hhsszz|dsalon)|0tfii(11|l1)|o(tfii11|rbapou)|qqqreh(k|o|y)|w(e(edies|bmin1)|ithkor)|j(1t1iil|apimen)|xcdx169|u(nacorn|sa-irs|aetoon))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637611; rev:9;) # sid 2637612 includes 116 (0 - 116) 8 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.net)"; content:"|08|";content:"|03|net|00|";nocase;within: 11;pcre: 
"/(d(htianyu|anchung|o(t-soft|lbanov|suguss))|g(ameones|ceakrpa|erfas1(i|k))|qa(rchive|qaqaqa)|m(ixstrip|a(gicwap|niacos)|unagami|xm-host|oviewiz)|p(rororo7|ts-soft|idersli|edersii)|c(aricare|oco-ifc|dev7rpa|elebsxx|lick-12|r4ckr0x|hulaiba|cviill(i|l))|r(ingfall|d-point|e(almovs|ycross)|a(cder1c|eder1f|xsder1|yahari))|t(eleporn|akilant|hetests|iitk(iil|lil)|ll1tlli|ds-info)|ya(ndexzz|magiku)|b(a(se(srv(3|4)|1925)|blomet|zarish)|o(yworld|ing747)|rainzzz|ert8ihd)|w(wwfbcdn|e(rmacht|sst-es))|1(bnk-log|ptfiili)|o(nlyfind|pen(log1|2009)|rg-tech)|n(ameleap|oadware|e(tflyer|rohome|w(smeta|2body|-soft))|yyherd(x|y)|ukaszqz)|jaednrpa|i(spartof|iitkiil|ptfiili|n(nkeyhr|guards))|videoaaa|8teenboy|x(hottube|iitkiil)|a(v-guard|migos24|fgolion|ctitech|r(t-port|raysaw)|dwoords)|24x7live|s(mile-me|o(ft-exe|ckslab)|kiloper)|h(ostvids|ter4re(q|t)|ausvogt|uesosam)|l(awnwith|iitkiil|ongulen)|e(mulenet|uroliit|verydns)|u(rodinam|tc-shop|saadmin|ltrapay)|k(eysiolo|olaider)|f(ouineur|ag-clan))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637612; rev:9;) # sid 2637613 includes 83 (0 - 83) 9 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.net)"; content:"|09|";content:"|03|net|00|";nocase;within: 12;pcre: 
"/(2600warez|t(r(a(ckgame|nsfreg|de-usa)|yithere)|o(phostbg|talunix)|inytanks)|s(t(atclick|evebasu)|h(-hostz9|karkimi|uchinsk)|p(ynomore|ortsedu)|ervadmin|unstats1|iadesign|ruprekut)|p(r(ostolab|epaider)|nfzetnax|ublicpub)|web(aliser|mester)|a(v(scan-pc|rilnude|persona|ailname|command)|moretour|ctupdate|res-2009|dultping|n(-ty-flu|tiddoss))|d(o(fulfill|gstudio)|a(ta0rder|dadadas))|b(o(lapaqir|mbabaab)|hagidari|a(rmatuxa|daosoft)|gaforyou|u(benchik|magajet)|est-scan)|m(y(antispy|mobilas)|edwaynet)|ezeematch|112346547|i(nvomedia|webkorea)|k(opapdi14|icks-buy|abinaout)|re(gion495|-active|albossa)|c(ar-motor|hinamega|o(olbayss|diframe))|o(nline358|wn-shoes)|uniqstats|f(ilmkolik|ludirect|reekpeeg)|v(i(da-soft|nodelam)|s(project|etutvse)|-questtx)|n(ewsplaza|inivekha)|g(ifts2010|uard-lab)|zontrhost|live-soft)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637613; rev:9;) # sid 2637614 includes 3 (0 - 3) 10 character domains in the ".nl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.nl)"; content:"|0a|";content:"|02|nl|00|";nocase;within: 13;pcre: "/(kindaanzet|stormgroep|nokia-6303)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637614; rev:9;) # sid 2637615 includes 3 (0 - 3) 11 character domains in the ".nl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.nl)"; content:"|0b|";content:"|02|nl|00|";nocase;within: 14;pcre: "/(maffia-star|luinstra-vt|newminiclub)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637615; rev:9;) # sid 2637616 includes 2 (0 - 2) 12 character domains in the ".nl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.nl)"; content:"|0c|";content:"|02|nl|00|";nocase;within: 15;pcre: "/(inboxstorage|theoschepens)/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2637616; rev:9;)
# NOTE(review): every rule in this run has the same three-step shape: a single-byte content
# match equal to the label length, the encoded TLD (for example "|02|nl|00|") required by
# "within", and a case-insensitive pcre listing the blocklisted labels.
# - The pcre carries only the /i flag (no relative modifier, no anchors), so it is tested
#   against the whole payload rather than at the label the two content matches located.
#   The length byte and the listed name can therefore be satisfied by different parts of the
#   same query; expect false positives, most of all from the short single-name patterns.
# - "within" is always label length + 3 here (13 chars -> 16, 5 chars -> 8, and 10 chars -> 13
#   for ".org" as well), while the encoded TLD that has to fit after the label is 4 bytes for
#   a two-letter TLD and 5 bytes for "|03|org|00|". TODO confirm against a capture of a
#   listed name that the window is wide enough for the intended match.
# sid 2637617 includes 2 (0 - 2) 13 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.nl)"; content:"|0d|";content:"|02|nl|00|";nocase;within: 16;pcre: "/(krommeknilles|woudstravogel)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637617; rev:9;)
# sid 2637618 includes 4 (0 - 4) 14 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.nl)"; content:"|0e|";content:"|02|nl|00|";nocase;within: 17;pcre: "/(d(ave-wijnhoven|ogphotography)|clubhuistrem01|frigologistics)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637618; rev:9;)
# sid 2637619 includes 2 (0 - 2) 15 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.nl)"; content:"|0f|";content:"|02|nl|00|";nocase;within: 18;pcre: "/(desirevandoorne|postcodeknaller)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637619; rev:9;)
# sid 2637620 includes 1 (0 - 1) 16 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.nl)"; content:"|10|";content:"|02|nl|00|";nocase;within: 19;pcre: "/melstra-techniek/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637620; rev:9;)
# sid 2637621 includes 1 (0 - 1) 18 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.nl)"; content:"|12|";content:"|02|nl|00|";nocase;within: 21;pcre: "/nordicholidayhomes/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637621; rev:9;)
# sid 2637622 includes 1 (0 - 1) 19 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.nl)"; content:"|13|";content:"|02|nl|00|";nocase;within: 22;pcre: "/autobedrijfstolwijk/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637622; rev:9;)
# sid 2637623 includes 1 (0 - 1) 5 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.nl)"; content:"|05|";content:"|02|nl|00|";nocase;within: 8;pcre: "/asoka/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637623; rev:9;)
# sid 2637624 includes 3 (0 - 3) 6 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.nl)"; content:"|06|";content:"|02|nl|00|";nocase;within: 9;pcre: "/(trador|mibris|iproxy)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637624; rev:9;)
# sid 2637625 includes 2 (0 - 2) 8 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.nl)"; content:"|08|";content:"|02|nl|00|";nocase;within: 11;pcre: "/(avunitas|bizzybee)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637625; rev:9;)
# sid 2637626 includes 2 (0 - 2) 9 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.nl)"; content:"|09|";content:"|02|nl|00|";nocase;within: 12;pcre: "/(sunderman|crazyrats)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637626; rev:9;)
# sid 2637627 includes 1 (0 - 1) 10 character domains in the ".no" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.no)"; content:"|0a|";content:"|02|no|00|";nocase;within: 13;pcre: "/aumamandel/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637627; rev:9;)
# sid 2637628 includes 2 (0 - 2) 13 character domains in the ".no" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.no)"; content:"|0d|";content:"|02|no|00|";nocase;within: 16;pcre: "/(butikk-senter|gratisprogram)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637628; rev:9;)
# sid 2637629 includes 1 (0 - 1) 18 character domains in the ".no" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.no)"; content:"|12|";content:"|02|no|00|";nocase;within: 21;pcre: "/staubokultursenter/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637629; rev:9;)
# sid 2637630 includes 1 (0 - 1) 6 character domains in the ".no" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.no)"; content:"|06|";content:"|02|no|00|";nocase;within: 9;pcre: "/el-buy/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637630; rev:9;)
# sid 2637631 includes 1 (0 - 1) 7 character domains in the ".no" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.no)"; content:"|07|";content:"|02|no|00|";nocase;within: 10;pcre: "/weibell/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637631; rev:9;)
# sid 2637632 includes 3 (0 - 3) 8 character domains in the ".no" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.no)"; content:"|08|";content:"|02|no|00|";nocase;within: 11;pcre: "/(abstract|rettwest|tidworld)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637632; rev:9;)
# sid 2637633 includes 1 (0 - 1) 12 character domains in the ".nu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.nu)"; content:"|0c|";content:"|02|nu|00|";nocase;within: 15;pcre: "/sjobergsbygg/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637633; rev:9;)
# sid 2637634 includes 1 (0 - 1) 14 character domains in the ".nu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.nu)"; content:"|0e|";content:"|02|nu|00|";nocase;within: 17;pcre: "/beautifulmilfs/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637634; rev:9;)
# sid 2637635 includes 1 (0 - 1) 6 character domains in the ".nu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.nu)"; content:"|06|";content:"|02|nu|00|";nocase;within: 9;pcre: "/e-mule/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637635; rev:9;)
# sid 2637636 includes 1 (0 - 1) 9 character domains in the ".nu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.nu)"; content:"|09|";content:"|02|nu|00|";nocase;within: 12;pcre: "/magic4you/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637636; rev:9;)
# sid 2637637 includes 38 (0 - 38) 10 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.org)"; content:"|0a|";content:"|03|org|00|";nocase;within: 13;pcre: 
"/(kabanyonok|p(o(rn-money|dgribami)|arisvideo|ullingout)|n(etcorbina|pcbonline|omalwares)|f(ace-books|indproper)|directseek|w(inscanner|hite-tube)|i(lyichevsk|meyerhome)|r(uralreach|efleksltd)|harvestusa|c(ccpcodecs|abeloduro|ontred033)|l(uckystats|mageshack)|gobcounter|b(estscanpc|logcasino)|1ssl-certs|a(dmin-data|lfaharpun)|upd-center|m(iss(ionoch|boston)|etaiframe)|ye(llowsoft|spacknet)|journalweb|viewiframe|tdsstdstds)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637637; rev:9;) # sid 2637638 includes 42 (0 - 42) 11 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.org)"; content:"|0b|";content:"|03|org|00|";nocase;within: 14;pcre: "/(m(edvezhonok|ydb4umuser|i(cronetsys|llionmany))|p(ropayments|df-creator|videoguide|atriotflag)|j(ennavideos|ust-photos)|t(allinnblog|he-oratory)|a(eromexicov|lltime4you|jzplrakzui|bdelmohsen)|f(ullprotect|indeditors|lower-show)|xyseinobama|n(iph-kosova|etscapeweb)|c(erao-aceao|rissycriss|he(atengine|rnobylcc)|orexchange)|i(icon-metal|ss9w8s89xx)|best-scanpc|s(sl-updates|cottstuart|earch(radar|henry))|u(pd-central|sastopaids)|ha(ppykinder|ckershell)|zennullvoid|winxpupdate|r(etranslate|oyalsearch))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637638; rev:9;) # sid 2637639 includes 33 (0 - 33) 12 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.org)"; content:"|0c|";content:"|03|org|00|";nocase;within: 15;pcre: 
"/(s(e(rvicheckon|arch(images|thomas))|can-your-pc|torage84030)|w(ww-(facebook|advanced)|omenslabour)|m(oviesdesert|ydb4umusers|e(sengerplus|d-payments|ga-manager)|ilfifezaboq)|deffinancing|b(urgmanspain|est-scan-pc)|emailhacking|removeadware|c(lean-pc-now|ajadomestic)|prvacy-ce(ntr|ter)|landingerfor|1ssl-network|fi(rst-update|nd(multiple|credible))|upd-services|a(v-test-here|nkursociety)|icewatergame|tradevintage)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637639; rev:9;) # sid 2637640 includes 27 (0 - 27) 13 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.org)"; content:"|0d|";content:"|03|org|00|";nocase;within: 16;pcre: "/(www-messenger|a(boutyourbizz|dmin-systems)|c(rackpassword|ert-services|ars-shipping)|me(cgrassroots|ssenger-msn)|fi(reofliberty|nd(copyright|elsewhere))|p(r(ivacy-centr|vacy-centre|o(brosikanet|gressiveol))|orn-new-tube)|hdvideoforums|s(mart-trading|e(cure-admins|arch(reveals|feature))|unkenlibrary|weethotteens)|ontvertenchio|do(wnloadsetup|gmasoftware)|zarcoexchange)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637640; rev:9;) # sid 2637641 includes 25 (0 - 25) 14 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.org)"; content:"|0e|";content:"|03|org|00|";nocase;within: 17;pcre: "/(p(rivacy-cent(ar|er|or|re)|erfect-center)|yoursearchword|britneyexposed|xxx-(video-tube|white-tube)|christoncampus|w(ww-realplayer|adefamilytree)|ebooks-archive|kpeoplepower21|updateadvanced|m(alware-scaner|issing-codecs)|findreasonable|onlinetubeporn|t(ubepornonline|rafficrevenue)|globalstopaids|a(v-online-scan|llinadayswork)|derryrailtrail)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637641; rev:9;) # sid 2637642 includes 23 (0 - 23) 15 character domains in the ".org" 
top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.org)"; content:"|0f|";content:"|03|org|00|";nocase;within: 18;pcre: "/(greeting-ecards|elearningschool|a(vs-online-scan|rkbroadcasters|d(min(datacenter|-services1)|ware-pro-site)|ntiviruswizard)|m(essenger-msn-9|sn-messenger-9|aster-groupinc)|katiereesphotos|c(ityofalexander|e(rtificates-db|ntral-updates)|hernobylhrmail)|s(sl-datacontrol|ex-(online-tube|tube-online))|pacificshipping|f(fwbcwashington|reresbethlehem)|tube-sex-online)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637642; rev:9;) # sid 2637643 includes 15 (0 - 15) 16 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.org)"; content:"|10|";content:"|03|org|00|";nocase;within: 19;pcre: "/(i(dealadvertising|ndividualpeople)|m(asterxwebplanet|inisterio-saude)|facebook-gallery|system-protector|c(laremontfinance|haritytradebanc)|p(rotectionsystem|orn-online-tube)|xpressforummoney|www-3gpconverter|governmetfunding|analytic-manager|navigationsearch)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637643; rev:9;) # sid 2637644 includes 6 (0 - 6) 17 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.org)"; content:"|11|";content:"|03|org|00|";nocase;within: 20;pcre: "/(keyloggerdownload|paymate-solutions|nixserver-systems|free-download-net|ch(ernobylcchrmail|aritybarterbanc))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637644; rev:9;) # sid 2637645 includes 10 (0 - 10) 18 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.org)"; content:"|12|";content:"|03|org|00|";nocase;within: 21;pcre: 
"/(registry(cleanerpro|doktor2009)|businesproject4you|a(dult-porn-gallery|ntivirus-live-pro)|porn-tube-for-free|mailserver-updates|dunkerquepromotion|searchenginecenter|nepaaudubonsociety)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637645; rev:9;) # sid 2637646 includes 9 (0 - 9) 19 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.org)"; content:"|13|";content:"|03|org|00|";nocase;within: 22;pcre: "/(o(rthodoxie-oostende|nline-(free-scanner|scanner-free))|anti-virus-solution|2sdfhs8d7fsh34d8f7s|u0asd9fua0sd8fuasdf|lakeshorevolleyball|s(canner-free-online|horeculturalcentre))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637646; rev:9;) # sid 2637647 includes 7 (0 - 7) 20 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.org)"; content:"|14|";content:"|03|org|00|";nocase;within: 23;pcre: "/(f(ast-spyware-cleaner|ree-spyware-(checker|scanner))|antimalware-software|download-(free-online|online-free)|badware-exterminator)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637647; rev:9;) # sid 2637648 includes 3 (0 - 3) 21 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.org)"; content:"|15|";content:"|03|org|00|";nocase;within: 24;pcre: "/(scan(-active-securitys|ner-download-free)|activesecuritylivepro)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637648; rev:9;) # sid 2637649 includes 3 (0 - 3) 22 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.org)"; content:"|16|";content:"|03|org|00|";nocase;within: 25;pcre: 
"/(www-windowsmediaplayer|online-spyware-remover|spyware-online-remover)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637649; rev:9;) # sid 2637650 includes 2 (0 - 2) 24 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.org)"; content:"|18|";content:"|03|org|00|";nocase;within: 27;pcre: "/wo(rldclassinvestmentsllc|odstocklandconservancy)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637650; rev:9;) # sid 2637651 includes 1 (0 - 1) 25 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.org)"; content:"|19|";content:"|03|org|00|";nocase;within: 28;pcre: "/bulgaristanuniversiteleri/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637651; rev:9;) # sid 2637652 includes 1 (0 - 1) 28 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 28 chars (.org)"; content:"|1c|";content:"|03|org|00|";nocase;within: 31;pcre: "/burgesshillfairtradefestival/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637652; rev:9;) # sid 2637653 includes 6 (0 - 6) 3 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.org)"; content:"|03|";content:"|03|org|00|";nocase;within: 6;pcre: "/(3b3|k8l|17o|71w|c42|a0v)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637653; rev:9;) # sid 2637654 includes 17 (0 - 17) 4 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.org)"; content:"|04|";content:"|03|org|00|";nocase;within: 7;pcre: 
"/(3322|d(1ez|b-1)|m(bd2|11b)|rtcb|kotz|7766|arws|gncr|tdos|ohsn|1-db|2288|6600|88(00|66))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637654; rev:9;) # sid 2637655 includes 22 (0 - 22) 5 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.org)"; content:"|05|";content:"|03|org|00|";nocase;within: 8;pcre: "/(t(rffc|ohva)|b(idwm|gdir)|s(l1ms|exmx|kytz)|n(ahyu|iana)|o(kapt|rkul)|xj220|h1t3m|mcsmc|wipex|a(fnhb|dm-1|cbid|lbr1)|cert1|1-(adm|upd))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637655; rev:9;) # sid 2637656 includes 31 (0 - 31) 6 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.org)"; content:"|06|";content:"|03|org|00|";nocase;within: 9;pcre: "/(f(angyu|mmkor)|r(a(mder|zved)|gmbiz)|l(eosex|aenas)|a(res-3|chren)|biz-er|i(shaaq|lieva)|m(a(xbam|gdaf|ctep)|memba|irctr|ytijn)|w(-ares|wooww)|s(trima|h1908)|vpopku|d(igi-1|hszgh|link2)|1-(cert|data)|kcmusa|ghdinc|ntmeda)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637656; rev:9;) # sid 2637657 includes 41 (0 - 41) 7 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.org)"; content:"|07|";content:"|03|org|00|";nocase;within: 10;pcre: "/(r(mpezrx|emover)|m(s-scan|ultaka|iafery|oretds)|s(osiska|eistic)|c(imrman|zenate|hroome|ert-db|padm21)|b(ook-ua|uminch|esenok)|i(raqisa|shndor)|fackoff|v(i(vaweb|aclan)|sdftpp)|x(tycoon|mancer)|w(-emule|eb(min1|-mix|reed)|ww(meta|true))|t(raiden|ypirew)|p(smellc|ipetro|wsd1pc)|lioleng|1-admin|atatata|g(acogop|eewong)|kaizerr)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637657; rev:9;) # sid 2637658 includes 39 (0 - 39) 8 character domains in the ".org" top level domain 
# NOTE(review): the pcre in each rule below carries only the /i flag (no relative modifier,
# no anchors), so it is tested against the whole payload and not at the label that the
# length byte and the encoded TLD located. This matters most for the short lists further
# down: sid 2637671 alerts on any packet that satisfies its two content matches and holds
# the two bytes "1k" anywhere, and sid 2637673 / sid 2637674 do the same with three- and
# four-byte strings. Tying the name to the matched position (a relative pcre, or one content
# match per full encoded name) would remove that slack.
# TODO confirm the false-positive rate on local traffic before acting on these alerts.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.org)"; content:"|08|";content:"|03|org|00|";nocase;within: 11;pcre: "/(vip-ddos|l(isyonok|mon2web|ogartos)|a(llavers|nal-toy|res-net|dmin-db)|c(qfcusco|ecilcap)|ho(stteam|tshows)|d(sdialog|omishko|rovosek)|gccgroup|tu(rkey-h|beperu)|fi(rearts|ndlots)|sigatrio|o(ption-1|uttouch|yunland)|n(gelitik|extpics|develop)|porntake|u(p(1-mail|dat(a-1|e(rg|vl|qs|ct|gr)))|saadmin)|boqeouti|1federal|metafarm)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637658; rev:9;)
# sid 2637659 includes 37 (0 - 37) 9 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.org)"; content:"|09|";content:"|03|org|00|";nocase;within: 12;pcre: "/(a(dwarepro|res-2008|tatatata)|o(lenyonok|neupdate)|z(aychonok|ubryonok|eus-logs)|msnimages|p(hoto-msn|orn-free|assionim)|w(ww-emule|sdcf2009)|s(e(oclicks|rvadmin)|i(tzkeybm|va4kids)|ave-file)|ymcacoosa|e(astcarib|mule-pro)|i(le-de-re|tmasterz|frameoff|needcash)|t(herockcc|ennoneou)|compcycle|limevvire|7addition|1(-central|data-upd)|homelinux|rainmannn|driverpro|nokrizis2)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637659; rev:9;)
# sid 2637660 includes 1 (0 - 1) 11 character domains in the ".ph" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ph)"; content:"|0b|";content:"|02|ph|00|";nocase;within: 14;pcre: "/royrose1939/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637660; rev:9;)
# sid 2637661 includes 2 (0 - 2) 6 character domains in the ".ph" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ph)"; content:"|06|";content:"|02|ph|00|";nocase;within: 9;pcre: "/(i-site|bauzon)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637661; rev:9;)
# sid 2637662 includes 1 (0 - 1) 8 character domains in the ".ph" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ph)"; content:"|08|";content:"|02|ph|00|";nocase;within: 11;pcre: "/krasotka/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637662; rev:9;)
# sid 2637663 includes 1 (0 - 1) 10 character domains in the ".pk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.pk)"; content:"|0a|";content:"|02|pk|00|";nocase;within: 13;pcre: "/healthmann/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637663; rev:9;)
# sid 2637664 includes 4 (0 - 4) 10 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.pl)"; content:"|0a|";content:"|02|pl|00|";nocase;within: 13;pcre: "/(auto-gazda|expert-alu|kardiotele|nazarkebab)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637664; rev:9;)
# sid 2637665 includes 1 (0 - 1) 11 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.pl)"; content:"|0b|";content:"|02|pl|00|";nocase;within: 14;pcre: "/healing-tao/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637665; rev:9;)
# sid 2637666 includes 1 (0 - 1) 12 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.pl)"; content:"|0c|";content:"|02|pl|00|";nocase;within: 15;pcre: "/visionstudio/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637666; rev:9;)
# sid 2637667 includes 4 (0 - 4) 13 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.pl)"; content:"|0d|";content:"|02|pl|00|";nocase;within: 16;pcre: "/(hotel-holiday|m(e(ble-kuchnie|tin2-handel)|ilena-rosner))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637667; rev:9;)
# sid 2637668 includes 1 (0 - 1) 14 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.pl)"; content:"|0e|";content:"|02|pl|00|";nocase;within: 17;pcre: "/apartamencik69/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637668; rev:9;)
# sid 2637669 includes 1 (0 - 1) 18 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.pl)"; content:"|12|";content:"|02|pl|00|";nocase;within: 21;pcre: "/restauracje-zlotow/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637669; rev:9;)
# sid 2637670 includes 1 (0 - 1) 19 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.pl)"; content:"|13|";content:"|02|pl|00|";nocase;within: 22;pcre: "/bialapodlaskaonline/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637670; rev:9;)
# sid 2637671 includes 1 (0 - 1) 2 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 2 chars (.pl)"; content:"|02|";content:"|02|pl|00|";nocase;within: 5;pcre: "/1k/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637671; rev:9;)
# sid 2637672 includes 1 (0 - 1) 20 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.pl)"; content:"|14|";content:"|02|pl|00|";nocase;within: 23;pcre: "/osrodekterapiinerwic/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637672; rev:9;)
# sid 2637673 includes 3 (0 - 3) 3 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.pl)"; content:"|03|";content:"|02|pl|00|";nocase;within: 6;pcre: "/(2mj|a3j|bij)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637673; rev:9;)
# sid 2637674 includes 5 (0 - 5) 4 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.pl)"; content:"|04|";content:"|02|pl|00|";nocase;within: 7;pcre: "/(z(ief|pit)|xorg|4max|tabs)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637674; rev:9;)
# sid 2637675 includes 4 (0 - 4) 5 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.pl)"; content:"|05|";content:"|02|pl|00|";nocase;within: 8;pcre: "/(br(enz|ans)|litka|warco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637675; rev:9;)
# sid 2637676 includes 5 (0 - 5) 6 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.pl)"; content:"|06|";content:"|02|pl|00|";nocase;within: 9;pcre: "/(lometr|bonata|pwvita|drbach|anande)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637676; rev:9;)
# sid 2637677 includes 1 (0 - 1) 7 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.pl)"; content:"|07|";content:"|02|pl|00|";nocase;within: 10;pcre: "/roleski/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637677; rev:9;)
# sid 2637678 includes 2 (0 - 2) 8 character domains in the ".pl" top level domain
alert 
udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.pl)"; content:"|08|";content:"|02|pl|00|";nocase;within: 11;pcre: "/(fotoreng|przeklej)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637678; rev:9;)
# NOTE(review): scope of the rules below, as written in their headers and options:
# - "alert udp ... -> $DNS_SERVERS 53" inspects only UDP queries addressed to the hosts in
#   $DNS_SERVERS; lookups carried over TCP or sent to any other resolver are not matched.
# - Sources in $SMTP_SERVERS and $DNS_SERVERS are negated, so lookups originated by those
#   hosts never alert.
# - Every hit is classified trojan-activity, but the match is only a name taken from a
#   blocklist, and the pcre (flag /i only) is not tied to the label position the content
#   matches found. A common word such as the one in sid 2637683 or sid 2637689 can also
#   occur elsewhere in a query. Treat an alert as a lead to check against resolver logs.
# - TODO confirm list freshness before deploying: the file header dates this generation to
#   March 2010 and describes the list as regenerated daily.
# sid 2637679 includes 3 (0 - 3) 9 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.pl)"; content:"|09|";content:"|02|pl|00|";nocase;within: 12;pcre: "/(fotoakces|sscnapoli|ksi-klasa)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637679; rev:9;)
# sid 2637680 includes 1 (0 - 1) 4 character domains in the ".pt" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.pt)"; content:"|04|";content:"|02|pt|00|";nocase;within: 7;pcre: "/spai/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637680; rev:9;)
# sid 2637681 includes 1 (0 - 1) 8 character domains in the ".pt" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.pt)"; content:"|08|";content:"|02|pt|00|";nocase;within: 11;pcre: "/promoluz/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637681; rev:9;)
# sid 2637682 includes 5 (0 - 5) 10 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ro)"; content:"|0a|";content:"|02|ro|00|";nocase;within: 13;pcre: "/(autoextrem|romproiect|urbanglass|didasinike|gsmthebest)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637682; rev:9;)
# sid 2637683 includes 1 (0 - 1) 12 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ro)"; content:"|0c|";content:"|02|ro|00|";nocase;within: 15;pcre: "/filetransfer/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637683; rev:9;)
# sid 2637684 includes 2 (0 - 2) 13 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.ro)"; content:"|0d|";content:"|02|ro|00|";nocase;within: 16;pcre: "/(sunset-travel|automaticauto)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637684; rev:9;)
# sid 2637685 includes 1 (0 - 1) 15 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.ro)"; content:"|0f|";content:"|02|ro|00|";nocase;within: 18;pcre: "/lianadumitrescu/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637685; rev:9;)
# sid 2637686 includes 1 (0 - 1) 16 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.ro)"; content:"|10|";content:"|02|ro|00|";nocase;within: 19;pcre: "/manastireanicula/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637686; rev:9;)
# sid 2637687 includes 2 (0 - 2) 18 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.ro)"; content:"|12|";content:"|02|ro|00|";nocase;within: 21;pcre: "/(kulturzentrum-iasi|comunicat-de-presa)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637687; rev:9;)
# sid 2637688 includes 1 (0 - 1) 25 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.ro)"; content:"|19|";content:"|02|ro|00|";nocase;within: 28;pcre: "/mutari-mobilier-accesibil/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637688; rev:9;)
# sid 2637689 includes 1 (0 - 1) 5 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ro)"; content:"|05|";content:"|02|ro|00|";nocase;within: 8;pcre: "/focus/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637689; rev:9;)
# sid 2637690 includes 7 (0 - 7) 6 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ro)"; content:"|06|";content:"|02|ro|00|";nocase;within: 9;pcre: "/(evidek|danice|neprom|s(optex|igura)|bestcv|mediam)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637690; rev:9;)
# sid 2637691 includes 2 (0 - 2) 7 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ro)"; content:"|07|";content:"|02|ro|00|";nocase;within: 10;pcre: "/(parcons|softset)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637691; rev:9;)
# sid 2637692 includes 1 (0 - 1) 8 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ro)"; content:"|08|";content:"|02|ro|00|";nocase;within: 11;pcre: "/euroexpo/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637692; rev:9;)
# sid 2637693 includes 3 (0 - 3) 9 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ro)"; content:"|09|";content:"|02|ro|00|";nocase;within: 12;pcre: "/(dadrbacau|romsigmed|tunet-one)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637693; rev:9;)
# sid 2637694 includes 1 (0 - 1) 11 character domains in the ".rs" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.rs)"; 
content:"|0b|";content:"|02|rs|00|";nocase;within: 14;pcre: "/dzzrenjanin/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637694; rev:9;) # sid 2637695 includes 1 (0 - 1) 7 character domains in the ".rs" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.rs)"; content:"|07|";content:"|02|rs|00|";nocase;within: 10;pcre: "/redcode/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637695; rev:9;) # sid 2637696 includes 52 (0 - 52) 10 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ru)"; content:"|0a|";content:"|02|ru|00|";nocase;within: 13;pcre: "/(f(indrosain|eruchiman|r(anchjump|eehotvid)|unwebmail)|h(o(ntserrey|stvegass|zeisland)|ellzoness|aphoptool)|v(psspeedin|bssssffff|oyageclub|alidating|kovntakte)|r(amshanabc|e(zident77|altydesk))|s(aveourass|econdgate|m(icrosoft|ert-test)|upermovie)|t(ayforlive|estodrome|he(aonline|laceweb))|m(egapupseg|ini-socks|oneypress)|p(or(noland7|evovsem)|arikmaher)|c(h(eappower|ance-car)|o(nfsonort|mzonedom)|lickmeter|arswebnet)|n(adegda-95|oveltyweb)|glacierice|b(a(g-portal|by2girls|ck-shure)|estaguide)|ar(tbernard|chnadzor)|urmantseva|w(eblessnet|orldsouth)|xx4b83603e)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637696; rev:9;) # sid 2637697 includes 41 (0 - 41) 11 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ru)"; content:"|0b|";content:"|02|ru|00|";nocase;within: 14;pcre: 
"/(t(ns-counter|elkiiporno|hemobisite|ransport96)|d(ollar(point|admin|dream)|a(vidbredov|tafolders))|w(topcompany|ebnetloans)|a(fricazebra|l(exadesign|l-browser)|rnika-tour|vtopizitiv)|f(oxsemprost|reshsummer)|v(i(pmaterial|deoxporno)|-murmanske)|b(mwx6foreva|igamadillo|odybulding)|co(nfbigbang|untrystar)|happyhippol|s(ex(y-pornoz|ualporno)|tarcountry|oft-profit|uperaguide)|m(yhoneyspot|iyamibiach|ebel-hotel)|porno-inter|100-web-top|kostyushcko|letterssite|xboxliveweb|enzoforfree)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637697; rev:9;) # sid 2637698 includes 32 (0 - 32) 12 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ru)"; content:"|0c|";content:"|02|ru|00|";nocase;within: 15;pcre: "/(famajormusic|zvezdu-sosut|a(erokazachok|dulttraffic|ntivirus360)|c(rab(sinatack|industry)|learrecords|ometruestar)|ill(usionfest|egaloffer)|gold-service|m(ymoney-blog|obydickrock|arket-stabl|ebel-garant)|n(orma-market|ewlifeworld)|p(olygraphy-p|reviouslife)|the(-previous|easyriver|atticsale)|bannerdriven|supersidecar|double(banner|clickr)|qualitysuper|webnetlender|your(maxmedia|true(game|mate)))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637698; rev:9;) # sid 2637699 includes 30 (0 - 30) 13 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.ru)"; content:"|0d|";content:"|02|ru|00|";nocase;within: 16;pcre: "/(g(oogle-search|reatwebradio|enuinecolors)|s(u(nmaiamibich|per(propicks|truelife))|tartdontstop|andiiegoexpo|ms-vkontakte|ite(analitycs|transport))|c(on(funderload|tentserver)|hildren-life)|borishoffbibi|nightplayauto|a(rsenal-music|ut(odoregison|hentictype)|dsyndication)|obama2welcome|y(andexcounter|ourauthentic)|tra(madolspace|fficsupple)|klimat-rostov|isorecordernn|w(eb(desktopnet|netenglish)|orldwebworld))/i"; 
classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637699; rev:9;) # sid 2637700 includes 15 (0 - 15) 14 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.ru)"; content:"|0e|";content:"|02|ru|00|";nocase;within: 17;pcre: "/(photo-uploader|f(ileuploadinto|otomasterstvo)|co(ol-resources|nfmasterdump|balttrueblue)|wqtcorporation|hotsummerstaff|street-peppers|t(heanotherlife|ruelifefamily)|r(ss-lenta-news|ealtorrentltd)|mmsfoundsystem|inversiontrace)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637700; rev:9;) # sid 2637701 includes 13 (0 - 13) 15 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.ru)"; content:"|0f|";content:"|02|ru|00|";nocase;within: 18;pcre: "/(zakazat-seichas|ontest112233311|rapidsystemsend|u(pdateservisetf|saworldwideweb)|videoforamateur|adwordanalitycs|easytabletennis|the(chocolateweb|mobilewindow)|webdirectbroker|yahoomailcenter|google-freehost)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637701; rev:9;) # sid 2637702 includes 6 (0 - 6) 16 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.ru)"; content:"|10|";content:"|02|ru|00|";nocase;within: 19;pcre: "/(yourelitehosting|dr-w-corporation|londondirect252z|sergej-nagovicin|burkewebservices|33pingvina-chita)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637702; rev:9;) # sid 2637703 includes 6 (0 - 6) 17 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.ru)"; content:"|11|";content:"|02|ru|00|";nocase;within: 20;pcre: 
"/(t(rafficmonsterinc|he-previous-life)|yllowpagesnotstop|p(orno-video-devki|ast-another-life)|kripakripchampion)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637703; rev:9;) # sid 2637704 includes 2 (0 - 2) 18 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.ru)"; content:"|12|";content:"|02|ru|00|";nocase;within: 21;pcre: "/(illegaltopcounters|hostmann-steinberg)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637704; rev:9;) # sid 2637705 includes 1 (0 - 1) 19 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.ru)"; content:"|13|";content:"|02|ru|00|";nocase;within: 22;pcre: "/ushenkohuivolosatiy/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637705; rev:9;) # sid 2637706 includes 1 (0 - 1) 27 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 27 chars (.ru)"; content:"|1b|";content:"|02|ru|00|";nocase;within: 30;pcre: "/information-technology-news/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637706; rev:9;) # sid 2637707 includes 304 (0 - 304) 3 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.ru)"; content:"|03|";content:"|02|ru|00|";nocase;within: 6;pcre: 
"/(1gb|0(ci|md|6w)|mz3|a(3(l|h|q|t|j)|5(m|f|g|h|i|j|l)|j4|6(n|o)|8(d|e)|9(j|k))|b(5(r|c|z)|7(p|g)|1a|6(l|t)|8(e|o)|9g|3a)|c(5(p|e|y)|1z|7(r|h)|3q|6(h|p|y)|e5|8(b|k|t)|9m|z8)|u(0(c|b|s|t|r|e)|1(b|a|l|m|w|x|y|j|9)|5(c|d|e|k|l|t|w|m|v)|6(l|b|c|d|v|x|k|n)|7(p|f|g|o|z|e|n|x)|3(h|w|j|m|v|y)|8(i|j|r|t|v|b|h)|9(a|c|i|b|k|j))|q(4(1|0|7|6)|1(w|b|d|k|m|u|v|x|f|l|n|e)|3(s|b|e|n|o|c|8|t)|0(a|c|i|k|l|u|x|j|w|5|7)|5(a|c|e|l|m|n|u|v|y|k|9)|qe)|edz|x(b(6|8|4|5)|c(8|6|7)|8(l|m|n|o|u|v|w|b|c|e|f|y|3)|9(o|p|d|e|f|g|m|n|u|y|v|w)|h(3|4|9)|i(3|5)|j(5|4|7)|m(9|0)|q(0|1|8|9)|0(a|b|c|q|o|v)|1(g|v|h|i)|3(a|v|y|b)|5o|6(i|r|g|h|p|q)|7(c|k|l|o|d)|d4|e(5|9|6)|f(0|7|8|9)|g(0|8|9)|t(6|7|8)|v(8|9)|k(7|9)|r3|w0)|3(9(t|v|b|j|q|u|w|y)|b(f|h|j|q|4|5|6|7|8|9|p)|c(7|8|9|a|f|i|l|q|w|y)|e(0|q|w)|f(0|2|4|6|7|8|9|b)|a(1|2))|6w2|f(5(l|x)|6(p|e|y)|7(p|y)|8a)|wa0|9ix)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637707; rev:9;)
# NOTE(review): sid 2637707 (ends above) folds every three-character .ru name on the list
# (304 per its header comment) into one case-insensitive alternation. The pcre has no R
# modifier and no anchors, so any of these three-character strings anywhere in the payload
# satisfies it; the two content checks are the only structural constraint. This is likely
# the noisiest sid of the set -- baseline its alert volume before acting on it automatically.
# sid 2637708 includes 29 (0 - 29) 4 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.ru)"; content:"|04|";content:"|02|ru|00|";nocase;within: 7;pcre: "/(4tun|us18|z(lzu|3d7|ctk)|e(tyj|adj|lku)|s0si|a(f(oi|rr)|jal|a(eg|i(c|g|v))|clc)|m(amj|bd2)|laed|3bor|omit|fpgo|nwac|pm13|ytdb|ge-t|cird|6ccc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637708; rev:9;)
# sid 2637709 includes 21 (0 - 21) 5 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ru)"; content:"|05|";content:"|02|ru|00|";nocase;within: 8;pcre: "/(eddii|s(ciam|tael|exyy)|k1l3r|nokel|juste|vpk66|opili|x(j220|3wap)|a(d(bnr|s-t|tcp)|ikyu)|qiiiq|t(-age|empr)|lifoo|galoh|yrots)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637709; rev:9;)
# sid 2637710 includes 35 (0 - 35) 6 character domains in the ".ru" top level domain
alert udp
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ru)"; content:"|06|";content:"|02|ru|00|";nocase;within: 9;pcre: "/(criter|o(kfilm|dmina|likar|iav84)|u(s(zn66|rv(03|zi|nu))|intoo)|n(ipels|ekovo)|t(r(ffc3|ahme)|agini)|000007|litana|dvstep|syscet|gasdry|a(ncom1|cline|dmiin)|xewyny|p(ropan|icula)|biozov|y(omobi|trewq)|i(cqtel|qckly)|htaqua|fundkb|vobhod|elnasa)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637710; rev:9;) # sid 2637711 includes 66 (0 - 66) 7 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ru)"; content:"|07|";content:"|02|ru|00|";nocase;within: 10;pcre: "/(c(o(smosi|mp-sp)|ityfit)|s(exdvds|varkon|t(elsis|omaid)|uesite)|n(lhotel|e(o-lit|wsneg)|ightup)|2icqmag|t(dsblog|ubered|heiwbl|estoid|ssauto)|1(000-ga|remont)|m(p3base|n-room|o(ldiag|rehod)|roblom|anbest)|f(e(r5woi|elife)|x-news|ructik|ontana)|h(aos-in|0tabi4|tmlads|orosta)|p(okjuyt|ro-buh)|go(-file|og-le)|i(kf2007|ndexjs|wantr8)|l(3world|ivebmx)|a(llmuzz|dd-pay|ndrozo|psight)|d(-sport|ocplus|edlife)|einheit|b(iozavr|annert|e(ofree|stbob)|-i-o-v)|org-edu|v(-bonus|iphack)|7806320|re(c(essa|rush)|dondo)|warbest|x-drugs)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637711; rev:9;) # sid 2637712 includes 51 (0 - 51) 8 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ru)"; content:"|08|";content:"|02|ru|00|";nocase;within: 11;pcre: 
"/(t(raffurl|hesims2|abakoff)|l(endrive|i(besouz|fedrom|turile)|agworld)|h(ack-off|orosta1)|b(klinkov|ezo(bizn|pbiz)|oomroot|ig-dick)|f(ox(bevip|xpriv)|actoria|inksayq|ructik3)|a(ng-news|ge-free|robeska)|g(ruzovki|isr2008|uidebat)|xxxfiles|p(ro(ektov|nline)|owermig|lusbest)|s(ex-suki|scanner|yandexx|tyleicq|criptjs|uper(nil|ore)|negyear)|w(ebbablo|orldrat)|re(d-wolf|lstagu)|y(ou(loads|ramps)|earsneg)|n(okiaicq|ight-up)|j(sportal|ohnsite)|inttools)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637712; rev:9;) # sid 2637713 includes 64 (0 - 64) 9 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ru)"; content:"|09|";content:"|02|ru|00|";nocase;within: 12;pcre: "/(t(uning063|yres4suv|estometr|heaworld)|c(ooltrick|atch-you|upit-dom|iti-bank|licks100|hina-top)|v(sedlysna|zlom-icq)|a(bfintour|m(nepofig|psguide)|lex-bron|erostuff)|f(irstgate|ox(belive|holter))|g(oodtraff|rafjasqq|ameshort)|b(izoplata|lade2009|ezopbizn)|y(uppistar|ahoosite|ear-sneg)|s(e(xy-zone|o-fraud)|u(jetline|perkahn))|x(clublove|xx-loads)|p(olimerco|werwerwe)|e(lenahysd|xitguide)|z(abotinku|-paiment)|i(gorhhasy|moviemax|quotient)|l(i(ventsov|fezilla)|arkmedia)|w(insofter|apdodoit)|d(e(fensive|th-test)|ubnahome|irectwap|c-market|owmowvid)|m(udstrang|y(zonedom|freemov)|ravinsky|edia1960)|o(tsmotrel|nceworld)|hsbcgroup|niposedas)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637713; rev:9;) # sid 2637714 includes 1 (0 - 1) 10 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.se)"; content:"|0a|";content:"|02|se|00|";nocase;within: 13;pcre: "/vinstraden/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637714; rev:9;) # sid 2637715 includes 2 (0 - 2) 11 character domains in the ".se" top level domain alert udp 
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.se)"; content:"|0b|";content:"|02|se|00|";nocase;within: 14;pcre: "/(gamlabodens|powmagazine)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637715; rev:9;) # sid 2637716 includes 2 (0 - 2) 12 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.se)"; content:"|0c|";content:"|02|se|00|";nocase;within: 15;pcre: "/(internetfoto|sksolvesborg)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637716; rev:9;) # sid 2637717 includes 2 (0 - 2) 13 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.se)"; content:"|0d|";content:"|02|se|00|";nocase;within: 16;pcre: "/(jassportfolio|nippontrading)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637717; rev:9;) # sid 2637718 includes 3 (0 - 3) 14 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.se)"; content:"|0e|";content:"|02|se|00|";nocase;within: 17;pcre: "/(s(imonsoderberg|wedishacademi)|harmonyhudospa)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637718; rev:9;) # sid 2637719 includes 1 (0 - 1) 16 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.se)"; content:"|10|";content:"|02|se|00|";nocase;within: 19;pcre: "/irminsulchoppers/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637719; rev:9;) # sid 2637720 includes 2 (0 - 2) 4 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.se)"; 
content:"|04|";content:"|02|se|00|";nocase;within: 7;pcre: "/(ogis|diwa)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637720; rev:9;)
# NOTE(review): every rule here inspects udp only, from any source except $SMTP_SERVERS and
# $DNS_SERVERS, towards $DNS_SERVERS port 53. Lookups carried over TCP/53, sent to a
# resolver that is not in $DNS_SERVERS, or issued by the excluded servers themselves are
# not inspected -- confirm the variables cover every resolver clients can reach, and pair
# these rules with resolver query logs for the traffic they cannot see.
# sid 2637721 includes 1 (0 - 1) 7 character domains in the ".se" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.se)"; content:"|07|";content:"|02|se|00|";nocase;within: 10;pcre: "/devline/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637721; rev:9;)
# sid 2637722 includes 4 (0 - 4) 8 character domains in the ".se" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.se)"; content:"|08|";content:"|02|se|00|";nocase;within: 11;pcre: "/(trekkers|phosphor|anzantra|upp100km)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637722; rev:9;)
# sid 2637723 includes 2 (0 - 2) 9 character domains in the ".se" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.se)"; content:"|09|";content:"|02|se|00|";nocase;within: 12;pcre: "/(ekespangs|norrtulls)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637723; rev:9;)
# sid 2637724 includes 1 (0 - 1) 13 character domains in the ".sg" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.sg)"; content:"|0d|";content:"|02|sg|00|";nocase;within: 16;pcre: "/seassociation/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637724; rev:9;)
# sid 2637725 includes 1 (0 - 1) 15 character domains in the ".sg" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.sg)"; content:"|0f|";content:"|02|sg|00|";nocase;within: 18;pcre: "/internethosting/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637725; rev:9;)
# sid 2637726
includes 1 (0 - 1) 11 character domains in the ".si" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.si)"; content:"|0b|";content:"|02|si|00|";nocase;within: 14;pcre: "/tk-gregoric/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637726; rev:9;) # sid 2637727 includes 1 (0 - 1) 4 character domains in the ".si" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.si)"; content:"|04|";content:"|02|si|00|";nocase;within: 7;pcre: "/kult/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637727; rev:9;) # sid 2637728 includes 1 (0 - 1) 6 character domains in the ".si" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.si)"; content:"|06|";content:"|02|si|00|";nocase;within: 9;pcre: "/limnos/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637728; rev:9;) # sid 2637729 includes 1 (0 - 1) 8 character domains in the ".si" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.si)"; content:"|08|";content:"|02|si|00|";nocase;within: 11;pcre: "/bistrium/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637729; rev:9;) # sid 2637730 includes 1 (0 - 1) 9 character domains in the ".si" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.si)"; content:"|09|";content:"|02|si|00|";nocase;within: 12;pcre: "/felicijan/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637730; rev:9;) # sid 2637731 includes 1 (0 - 1) 10 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.sk)"; content:"|0a|";content:"|02|sk|00|";nocase;within: 13;pcre: 
"/investrade/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637731; rev:9;) # sid 2637732 includes 1 (0 - 1) 11 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.sk)"; content:"|0b|";content:"|02|sk|00|";nocase;within: 14;pcre: "/office1sevt/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637732; rev:9;) # sid 2637733 includes 1 (0 - 1) 12 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.sk)"; content:"|0c|";content:"|02|sk|00|";nocase;within: 15;pcre: "/hotelhrabovo/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637733; rev:9;) # sid 2637734 includes 1 (0 - 1) 17 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.sk)"; content:"|11|";content:"|02|sk|00|";nocase;within: 20;pcre: "/cokoladovefigurky/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637734; rev:9;) # sid 2637735 includes 1 (0 - 1) 4 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.sk)"; content:"|04|";content:"|02|sk|00|";nocase;within: 7;pcre: "/vaav/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637735; rev:9;) # sid 2637736 includes 6 (0 - 6) 6 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.sk)"; content:"|06|";content:"|02|sk|00|";nocase;within: 9;pcre: "/(bvgips|dyndns|canada|natali|agrico|tweety)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637736; rev:9;) # sid 2637737 includes 2 (0 - 2) 8 character domains in the ".sk" top level domain 
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.sk)"; content:"|08|";content:"|02|sk|00|";nocase;within: 11;pcre: "/(betradar|dadajozo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637737; rev:9;) # sid 2637738 includes 1 (0 - 1) 12 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.su)"; content:"|0c|";content:"|02|su|00|";nocase;within: 15;pcre: "/sirius-debil/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637738; rev:9;) # sid 2637739 includes 1 (0 - 1) 13 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.su)"; content:"|0d|";content:"|02|su|00|";nocase;within: 16;pcre: "/yandexcounter/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637739; rev:9;) # sid 2637740 includes 1 (0 - 1) 14 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.su)"; content:"|0e|";content:"|02|su|00|";nocase;within: 17;pcre: "/hostingservice/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637740; rev:9;) # sid 2637741 includes 2 (0 - 2) 15 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.su)"; content:"|0f|";content:"|02|su|00|";nocase;within: 18;pcre: "/(hosting-service|cryaboutmeasure)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637741; rev:9;) # sid 2637742 includes 1 (0 - 1) 16 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.su)"; content:"|10|";content:"|02|su|00|";nocase;within: 19;pcre: 
"/google-analytics/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637742; rev:9;)
# NOTE(review): sid 2637742 (ends above) lists a name that resembles a well-known analytics
# hostname; the |02|su|00| content in the first half of that rule is the only thing scoping
# it to the .su TLD, so keep that content if the rule is ever rewritten.
# NOTE(review): msg carries only the label length and the TLD, and one sid can cover
# several names (four in sid 2637746 below), so an alert does not say which name was
# looked up -- keep the packet payload or resolver query logs available for triage.
# sid 2637743 includes 1 (0 - 1) 3 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.su)"; content:"|03|";content:"|02|su|00|";nocase;within: 6;pcre: "/r0t/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637743; rev:9;)
# sid 2637744 includes 1 (0 - 1) 4 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.su)"; content:"|04|";content:"|02|su|00|";nocase;within: 7;pcre: "/zbot/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637744; rev:9;)
# sid 2637745 includes 1 (0 - 1) 5 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.su)"; content:"|05|";content:"|02|su|00|";nocase;within: 8;pcre: "/morde/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637745; rev:9;)
# sid 2637746 includes 4 (0 - 4) 6 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.su)"; content:"|06|";content:"|02|su|00|";nocase;within: 9;pcre: "/(sotana|botnet|rustat|mordes)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637746; rev:9;)
# sid 2637747 includes 2 (0 - 2) 7 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.su)"; content:"|07|";content:"|02|su|00|";nocase;within: 10;pcre: "/(sex4fun|dotroot)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637747; rev:9;)
# sid 2637748 includes 3 (0 - 3) 8 character domains in the ".su" top level domain
alert udp
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.su)"; content:"|08|";content:"|02|su|00|";nocase;within: 11;pcre: "/(arkanoid|goldtraf|lumibonu)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637748; rev:9;) # sid 2637749 includes 2 (0 - 2) 9 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.su)"; content:"|09|";content:"|02|su|00|";nocase;within: 12;pcre: "/(vam-pismo|badserver)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637749; rev:9;) # sid 2637750 includes 1 (0 - 1) 5 character domains in the ".tc" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.tc)"; content:"|05|";content:"|02|tc|00|";nocase;within: 8;pcre: "/emule/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637750; rev:9;) # sid 2637751 includes 2 (0 - 2) 7 character domains in the ".tc" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.tc)"; content:"|07|";content:"|02|tc|00|";nocase;within: 10;pcre: "/t(1fliil|j1fiil)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637751; rev:9;) # sid 2637752 includes 1 (0 - 1) 10 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.tk)"; content:"|0a|";content:"|02|tk|00|";nocase;within: 13;pcre: "/parliament/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637752; rev:9;) # sid 2637753 includes 2 (0 - 2) 11 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.tk)"; content:"|0b|";content:"|02|tk|00|";nocase;within: 14;pcre: "/(cyberagthor|spy-sheriff)/i"; 
classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637753; rev:9;) # sid 2637754 includes 1 (0 - 1) 4 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.tk)"; content:"|04|";content:"|02|tk|00|";nocase;within: 7;pcre: "/x-on/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637754; rev:9;) # sid 2637755 includes 1 (0 - 1) 6 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.tk)"; content:"|06|";content:"|02|tk|00|";nocase;within: 9;pcre: "/gilani/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637755; rev:9;) # sid 2637756 includes 1 (0 - 1) 4 character domains in the ".tv" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.tv)"; content:"|04|";content:"|02|tv|00|";nocase;within: 7;pcre: "/get2/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637756; rev:9;) # sid 2637757 includes 1 (0 - 1) 5 character domains in the ".tv" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.tv)"; content:"|05|";content:"|02|tv|00|";nocase;within: 8;pcre: "/barba/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637757; rev:9;) # sid 2637758 includes 1 (0 - 1) 6 character domains in the ".tv" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.tv)"; content:"|06|";content:"|02|tv|00|";nocase;within: 9;pcre: "/c21vox/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637758; rev:9;) # sid 2637759 includes 1 (0 - 1) 7 character domains in the ".tv" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS 
lookup 7 chars (.tv)"; content:"|07|";content:"|02|tv|00|";nocase;within: 10;pcre: "/food114/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637759; rev:9;) # sid 2637760 includes 4 (0 - 4) 9 character domains in the ".tv" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.tv)"; content:"|09|";content:"|02|tv|00|";nocase;within: 12;pcre: "/(4utraffic|antonella|thyselius|vallesina)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637760; rev:9;) # sid 2637761 includes 1 (0 - 1) 11 character domains in the ".tw" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.tw)"; content:"|0b|";content:"|02|tw|00|";nocase;within: 14;pcre: "/trafficshop/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637761; rev:9;) # sid 2637762 includes 3 (0 - 3) 13 character domains in the ".tw" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.tw)"; content:"|0d|";content:"|02|tw|00|";nocase;within: 16;pcre: "/(excel-groupco|market-vision|nuris-groupco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637762; rev:9;) # sid 2637763 includes 4 (0 - 4) 14 character domains in the ".tw" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.tw)"; content:"|0e|";content:"|02|tw|00|";nocase;within: 17;pcre: "/(aurora-groupco|excel-groupinc|nuris-groupinc|render-groupco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637763; rev:9;) # sid 2637764 includes 5 (0 - 5) 15 character domains in the ".tw" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.tw)"; content:"|0f|";content:"|02|tw|00|";nocase;within: 18;pcre: 
"/(aurora-groupinc|citizen-groupco|measure-groupco|render-groupinc|success-groupco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637764; rev:9;)

# NOTE(review): how to read the generated rules below, and what to verify before relying on them.
# Anatomy: the first content is a one-byte DNS label length (|10| = 16), the second is the
# length-prefixed TLD plus the root terminator (|02|tw|00|), and the pcre lists the
# blocklisted labels of that length. nocase and within both modify the TLD content.
# - The pcre has no relative flag and no length or TLD anchor, so it is evaluated against
#   the whole payload: a listed string in any label of the query, or inside a longer label,
#   satisfies it. Short and generic entries are the likeliest source of false positives.
#   A tighter form keeps length byte, label and TLD in one expression, for example
#   /\x03(bro|xbx|jkk)\x02tw\x00/i for sid 2637769 (test before adopting).
# - within is always label length + 3, while a label followed by |02|xx|00| spans label
#   length + 4 bytes after the length byte. If the engine requires the whole TLD match to
#   fit inside the window, the intended layout cannot match; replay a lookup for a listed
#   name from a test pcap on the deployed IDS engine to confirm the rules fire.
# - Scope is UDP to $DNS_SERVERS port 53 from sources outside $SMTP_SERVERS and
#   $DNS_SERVERS. Lookups over TCP, lookups sent to other resolvers, and lookups made by
#   the excluded servers themselves raise no alert.
# - msg gives only the label length and TLD, so recover the queried name from the packet
#   when triaging. The file header dates this snapshot to March 2010; check a hit against a
#   current copy of the blocklist, since listed domains expire and change hands.

# sid 2637765 includes 4 (0 - 4) 16 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.tw)"; content:"|10|";content:"|02|tw|00|";nocase;within: 19;pcre: "/(c(itizen-groupsvc|lassic-groupsvc)|measure-groupinc|success-groupinc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637765; rev:9;)
# sid 2637766 includes 1 (0 - 1) 17 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.tw)"; content:"|11|";content:"|02|tw|00|";nocase;within: 20;pcre: "/financial-groupco/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637766; rev:9;)
# sid 2637767 includes 2 (0 - 2) 18 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.tw)"; content:"|12|";content:"|02|tw|00|";nocase;within: 21;pcre: "/(financial-groupinc|millennium-groupco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637767; rev:9;)
# sid 2637768 includes 1 (0 - 1) 19 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.tw)"; content:"|13|";content:"|02|tw|00|";nocase;within: 22;pcre: "/millennium-groupsvc/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637768; rev:9;)
# NOTE(review): three-letter entries combined with the unanchored pcre make this and the
# other 3- and 4-character rules the weakest in the set; the pcre condition is met by any
# query whose payload contains one of these strings anywhere.
# sid 2637769 includes 3 (0 - 3) 3 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.tw)"; content:"|03|";content:"|02|tw|00|";nocase;within: 6;pcre: "/(bro|xbx|jkk)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637769; rev:9;)
# sid 2637770 includes 2 (0 - 2) 4 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.tw)"; content:"|04|";content:"|02|tw|00|";nocase;within: 7;pcre: "/(mias|esli)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637770; rev:9;)
# sid 2637771 includes 1 (0 - 1) 6 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.tw)"; content:"|06|";content:"|02|tw|00|";nocase;within: 9;pcre: "/waigua/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637771; rev:9;)
# sid 2637772 includes 1 (0 - 1) 4 character domains in the ".ua" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.ua)"; content:"|04|";content:"|02|ua|00|";nocase;within: 7;pcre: "/roks/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637772; rev:9;)
# sid 2637773 includes 10 (0 - 10) 10 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.us)"; content:"|0a|";content:"|02|us|00|";nocase;within: 13;pcre: "/(h(i5-images|8i(2easter|9easter))|dkpeaster(2|6)|f9o85(1test|2test)|guitar-pro|clickonhit|pc-scanner)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637773; rev:9;)
# sid 2637774 includes 7 (0 - 7) 11 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.us)"; content:"|0b|";content:"|02|us|00|";nocase;within: 14;pcre: "/(m(sn-gallery|ioclickdvd)|imageholder|e-bitorrent|ultradefrag|citifunding|barterbucks)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637774; rev:9;)
# sid 2637775 includes 3 (0 - 3) 12 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.us)"; content:"|0c|";content:"|02|us|00|";nocase;within: 15;pcre: "/(f(ederalbanks|ree-scan-pc)|moviemusicuk)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637775; rev:9;)
# sid 2637776 includes 3 (0 - 3) 13 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.us)"; content:"|0d|";content:"|02|us|00|";nocase;within: 16;pcre: "/(e-bitdefender|messengerhome|free-av-check)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637776; rev:9;)
# sid 2637777 includes 3 (0 - 3) 14 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.us)"; content:"|0e|";content:"|02|us|00|";nocase;within: 17;pcre: "/(images-gallery|porno-tube-xxx|messenger-2009)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637777; rev:9;)
# sid 2637778 includes 3 (0 - 3) 15 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.us)"; content:"|0f|";content:"|02|us|00|";nocase;within: 18;pcre: "/(f(eds-r-watching|acebook-groups)|esecure-federal)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637778; rev:9;)
# sid 2637779 includes 4 (0 - 4) 17 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.us)"; content:"|11|";content:"|02|us|00|";nocase;within: 20;pcre: "/(federalbanksystem|check-for-threats|emule-telecharger|download-for-safe)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637779; rev:9;)
# sid 2637780 includes 4 (0 - 4) 18 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.us)"; content:"|12|";content:"|02|us|00|";nocase;within: 21;pcre: "/(a(wardspacelooksbig|rlingtonlocksmith)|download-filez-now|google-analystisks)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637780; rev:9;)
# sid 2637781 includes 2 (0 - 2) 19 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.us)"; content:"|13|";content:"|02|us|00|";nocase;within: 22;pcre: "/(nationalyellowpages|vocational-training)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637781; rev:9;)
# sid 2637782 includes 1 (0 - 1) 20 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.us)"; content:"|14|";content:"|02|us|00|";nocase;within: 23;pcre: "/antivirus-protection/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637782; rev:9;)
# sid 2637783 includes 2 (0 - 2) 21 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.us)"; content:"|15|";content:"|02|us|00|";nocase;within: 24;pcre: "/federalreserve-(direct|online)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637783; rev:9;)
# sid 2637784 includes 1 (0 - 1) 23 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.us)"; content:"|17|";content:"|02|us|00|";nocase;within: 26;pcre: "/americanmedicalproducts/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637784; rev:9;)
# sid 2637785 includes 2 (0 - 2) 3 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.us)"; content:"|03|";content:"|02|us|00|";nocase;within: 6;pcre: "/(16a|su7)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637785; rev:9;)
# sid 2637786 includes 3 (0 - 3) 4 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.us)"; content:"|04|";content:"|02|us|00|";nocase;within: 7;pcre: "/(lilj|hjhj|4ura)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637786; rev:9;)
# sid 2637787 includes 5 (0 - 5) 5 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.us)"; content:"|05|";content:"|02|us|00|";nocase;within: 8;pcre: "/(finik|biaze|a(ghdg|rber)|2cash)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637787; rev:9;)
# sid 2637788 includes 12 (0 - 12) 6 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.us)"; content:"|06|";content:"|02|us|00|";nocase;within: 9;pcre: "/(googli|0kfzzl|a(v(4321|astt)|2porn|3porn|4porn|5porn|6porn|7porn)|e-mule|ovideo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637788; rev:9;)
# NOTE(review): several entries here look like misspellings of well-known software names
# (flrefox, winzipp, vvinrar), presumably typosquats. Every rule uses
# classtype:trojan-activity whatever the listing reason, so a hit may reflect a mistyped
# or lure URL rather than an infected host; corroborate with host evidence before escalating.
# sid 2637789 includes 9 (0 - 9) 7 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.us)"; content:"|07|";content:"|02|us|00|";nocase;within: 10;pcre: "/(karavan|aresnet|flrefox|utor(ent|ren)|v(vinrar|stdrrr)|winzipp|hotlife)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637789; rev:9;)
# sid 2637790 includes 11 (0 - 11) 8 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.us)"; content:"|08|";content:"|02|us|00|";nocase;within: 11;pcre: "/(srv-scan|f(9o(5test|8test)|f7test5)|g2g1test|duiguide|aresfull|bearflix|emule(net|pro)|nerohome)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637790; rev:9;)
# sid 2637791 includes 23 (0 - 23) 9 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.us)"; content:"|09|";content:"|02|us|00|";nocase;within: 12;pcre: "/(hj(0easter|8easter)|njeaster7|01may2009|f(9o8(6test|7test)|acebookk)|m(1m(1(1test|3test|4test|5test|6test|7test|8test|9test)|2(0test|1test))|asstrade)|andrewkim|www-emule|lmageshak|sulikavan|taxsimple)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637791; rev:9;)
# sid 2637792 includes 1 (0 - 1) 10 character domains in the ".uz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.uz)"; content:"|0a|";content:"|02|uz|00|";nocase;within: 13;pcre: "/photovideo/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637792; rev:9;)
# sid 2637793 includes 1 (0 - 1) 3 character domains in the ".uz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.uz)"; content:"|03|";content:"|02|uz|00|";nocase;within: 6;pcre: "/sjb/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637793; rev:9;)
# sid 2637794 includes 1 (0 - 1) 14 character domains in the ".vc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.vc)"; content:"|0e|";content:"|02|vc|00|";nocase;within: 17;pcre: "/internazionale/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637794; rev:9;)
# sid 2637795 includes 2 (0 - 2) 6 character domains in the ".vc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.vc)"; content:"|06|";content:"|02|vc|00|";nocase;within: 9;pcre: "/sucip(e|y)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637795; rev:9;)
# NOTE(review): "antivirus" is a common word in hostnames. Because the pcre is not tied
# to the label before the TLD, its condition is also met when the word appears in a
# different label of the queried name.
# sid 2637796 includes 1 (0 - 1) 9 character domains in the ".vc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.vc)"; content:"|09|";content:"|02|vc|00|";nocase;within: 12;pcre: "/antivirus/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637796; rev:9;)
# sid 2637797 includes 1 (0 - 1) 6 character domains in the ".vg" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.vg)"; content:"|06|";content:"|02|vg|00|";nocase;within: 9;pcre: "/cracks/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637797; rev:9;)
# sid 2637798 includes 1 (0 - 1) 6 character domains in the ".vn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.vn)"; content:"|06|";content:"|02|vn|00|";nocase;within: 9;pcre: "/mevabe/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637798; rev:9;)
# sid 2637799 includes 5 (0 - 5) 10 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ws)"; content:"|0a|";content:"|02|ws|00|";nocase;within: 13;pcre: "/(authserver|1analytics|safewhales|4analytics|egn14142nn)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637799; rev:9;)
# sid 2637800 includes 3 (0 - 3) 11 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ws)"; content:"|0b|";content:"|02|ws|00|";nocase;within: 14;pcre: "/gold(1-h111b|2-ht61b|3-1gf1b)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637800; rev:9;)
# sid 2637801 includes 2 (0 - 2) 12 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ws)"; content:"|0c|";content:"|02|ws|00|";nocase;within: 15;pcre: "/(cheapcameras|bear-groupco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637801; rev:9;)
# sid 2637802 includes 3 (0 - 3) 13 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.ws)"; content:"|0d|";content:"|02|ws|00|";nocase;within: 16;pcre: "/(ecounterstats|bear-groupinc|nuris-groupco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637802; rev:9;)
# sid 2637803 includes 5 (0 - 5) 14 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.ws)"; content:"|0e|";content:"|02|ws|00|";nocase;within: 17;pcre: "/(aurora-groupco|excel-group(inc|svc)|nuris-groupinc|render-groupco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637803; rev:9;)
# sid 2637804 includes 10 (0 - 10) 15 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.ws)"; content:"|0f|";content:"|02|ws|00|";nocase;within: 18;pcre: "/(webcom-software|googie-anaitlcs|aurora-groupinc|render-groupinc|c(itizen(-groupco|groupinc)|lassic(-groupco|groupinc))|measure-groupco|success-groupco)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637804; rev:9;)
# sid 2637805 includes 4 (0 - 4) 16 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.ws)"; content:"|10|";content:"|02|ws|00|";nocase;within: 19;pcre: "/(partner-groupinc|m(arket-visioninc|easure-groupinc)|success-groupsvc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637805; rev:9;)
# sid 2637806 includes 1 (0 - 1) 17 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.ws)"; content:"|11|";content:"|02|ws|00|";nocase;within: 20;pcre: "/financial-groupco/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637806; rev:9;)
# sid 2637807 includes 1 (0 - 1) 18 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.ws)"; content:"|12|";content:"|02|ws|00|";nocase;within: 21;pcre: "/financial-groupsvc/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637807; rev:9;)
# sid 2637808 includes 2 (0 - 2) 19 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.ws)"; content:"|13|";content:"|02|ws|00|";nocase;within: 22;pcre: "/millennium-group(inc|svc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637808; rev:9;)
# sid 2637809 includes 5 (0 - 5) 4 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.ws)"; content:"|04|";content:"|02|ws|00|";nocase;within: 7;pcre: "/(gph5|5fgh|seca|mefa|bale)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637809; rev:9;)
# sid 2637810 includes 4 (0 - 4) 5 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ws)"; content:"|05|";content:"|02|ws|00|";nocase;within: 8;pcre: "/(s(w-ww|omer)|28zxc|div-x)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637810; rev:9;)
# sid 2637811 includes 6 (0 - 6) 6 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ws)"; content:"|06|";content:"|02|ws|00|";nocase;within: 9;pcre: "/(mabira|noplit|winamp|yasmin|sensor|zeon29)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637811; rev:9;)
# sid 2637812 includes 6 (0 - 6) 7 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ws)"; content:"|07|";content:"|02|ws|00|";nocase;within: 10;pcre: "/(wee4wee|hostned|ukwirex|gld111b|pokerne|qwzxase)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637812; rev:9;)
# sid 2637813 includes 2 (0 - 2) 8 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ws)"; content:"|08|";content:"|02|ws|00|";nocase;within: 11;pcre: "/(uploader|alssayer)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637813; rev:9;)
# sid 2637814 includes 5 (0 - 5) 9 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ws)"; content:"|09|";content:"|02|ws|00|";nocase;within: 12;pcre: "/(capitalex|metroking|newadmins|ybsportcn|pussytoip)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2637814; rev:9;)