# DNS spyware rules by Jack Pepper ( pepperjack@autoshun.org )
# regenerated daily from the domains.txt file at David Glosser's Black hole DNS project
# The URL for BHDNS project: http://www.malwaredomains.com/files/domains.txt
# The source URL for this file: http://www.autoshun.org/downloads/rbhdns.rules
#
#
# Sat Jul 4 03:12:10 CDT 2009
#
# NOTE(review): how each rule below matches, and what to verify before relying on it:
#  - Structure: a one-byte content for the label length (|NN|), then the
#    length-prefixed TLD with a terminating |00| constrained by `within`, then
#    a case-insensitive pcre alternation of the listed labels.
#  - The pcre has no anchors and no relative (R) modifier, so it is evaluated
#    against the whole payload and is not tied to the label between the two
#    content matches. A listed string that appears inside a longer label or in
#    a subdomain can satisfy it; treat alerts as leads and confirm the queried
#    name from the packet or from resolver logs.
#  - The |NN| content has no offset/depth, so any byte of that value in the
#    packet can satisfy it, not only a label-length byte.
#  - `within` is always label length + 3, while the TLD patterns here are 4 to
#    6 bytes long. Presumably this assumes `within` bounds the gap between the
#    two matches; if the engine requires the whole second pattern to fall
#    inside the window, these rules may never fire. Verify with a test capture.
#  - Scope: UDP to $DNS_SERVERS port 53 only, and sources in $SMTP_SERVERS or
#    $DNS_SERVERS are excluded; DNS over TCP, queries sent to other resolvers
#    and lookups made by the excluded servers themselves are not covered.
#  - The domain list is a snapshot taken at the timestamp above; entries age,
#    so check the feed date before acting on a hit.
#
# sid 2631445 includes 1 (0 - 1) 4 character domains in the ".asia" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.asia)"; content:"|04|";content:"|04|asia|00|";nocase;within: 7;pcre: "/err7/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631445; rev:9;)
# sid 2631446 includes 2 (0 - 2) 5 character domains in the ".asia" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.asia)"; content:"|05|";content:"|04|asia|00|";nocase;within: 8;pcre: "/(host8|traff)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631446; rev:9;)
# sid 2631447 includes 4 (0 - 4) 6 character domains in the ".asia" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.asia)"; content:"|06|";content:"|04|asia|00|";nocase;within: 9;pcre: "/(73comm|2share|8ipsec|42cert)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631447; rev:9;)
# sid 2631448 includes 2 (0 - 2) 7 character domains in the ".asia" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.asia)"; content:"|07|";content:"|04|asia|00|";nocase;within: 10;pcre: "/(report7|cximnik)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631448; rev:9;)
# sid 2631449 includes 1 (0 - 1) 8 character domains in the ".asia" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.asia)"; content:"|08|";content:"|04|asia|00|";nocase;within: 11;pcre: "/default2/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631449; rev:9;)
# sid 2631450 includes 1 (0 - 1) 13 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.at)"; content:"|0d|";content:"|02|at|00|";nocase;within: 16;pcre: "/bestplaceapts/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631450; rev:9;)
# sid 2631451 includes 1 (0 - 1) 3 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.at)"; content:"|03|";content:"|02|at|00|";nocase;within: 6;pcre: "/a5l/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631451; rev:9;)
# sid 2631452 includes 1 (0 - 1) 4 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.at)"; content:"|04|";content:"|02|at|00|";nocase;within: 7;pcre: "/iuyf/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631452; rev:9;)
# sid 2631453 includes 3 (0 - 3) 5 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.at)"; content:"|05|";content:"|02|at|00|";nocase;within: 8;pcre: "/(areps|bests|kirgo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631453; rev:9;)
# sid 2631454 includes 3 (0 - 3) 6 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.at)"; content:"|06|";content:"|02|at|00|";nocase;within: 9;pcre: "/(lookin|brunga|nutpic)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631454; rev:9;)
# sid 2631455 includes 3 (0 - 3) 10 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.be)"; content:"|0a|";content:"|02|be|00|";nocase;within: 13;pcre: "/(greenbuddy|indigoline|whiteflash)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631455; rev:9;)
# sid 2631456 includes 1 (0 - 1) 11 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.be)"; content:"|0b|";content:"|02|be|00|";nocase;within: 14;pcre: "/krchaaltert/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631456; rev:9;)
# sid 2631457 includes 1 (0 - 1) 13 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.be)"; content:"|0d|";content:"|02|be|00|";nocase;within: 16;pcre: "/vuurwerkessen/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631457; rev:9;)
# sid 2631458 includes 1 (0 - 1) 14 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.be)"; content:"|0e|";content:"|02|be|00|";nocase;within: 17;pcre: "/kljnoorderwijk/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631458; rev:9;)
# sid 2631459 includes 1 (0 - 1) 18 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.be)"; content:"|12|";content:"|02|be|00|";nocase;within: 21;pcre: "/rodekruisboomrumst/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631459; rev:9;)
# sid 2631460 includes 1 (0 - 1) 19 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.be)"; content:"|13|";content:"|02|be|00|";nocase;within: 22;pcre: "/artemaliciacapoeira/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631460; rev:9;)
# sid 2631461 includes 2 (0 - 2) 5 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.be)"; content:"|05|";content:"|02|be|00|";nocase;within: 8;pcre: "/(32reg|kstdr)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631461; rev:9;)
# sid 2631462 includes 2 (0 - 2) 6 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.be)"; content:"|06|";content:"|02|be|00|";nocase;within: 9;pcre: "/(appid1|page73)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631462; rev:9;)
# sid 2631463 includes 9 (0 - 9) 7 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.be)"; content:"|07|";content:"|02|be|00|";nocase;within: 10;pcre: "/(iamleet|7driver|8encode|folder7|csj-ath|sweeter|vispace|yospace|hftiili)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631463; rev:9;)
# sid 2631464 includes 4 (0 - 4) 8 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.be)"; content:"|08|";content:"|02|be|00|";nocase;within: 11;pcre: "/(goldbase|mymarket|picoband|redbuddy)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631464; rev:9;)
# sid 2631465 includes 4 (0 - 4) 9 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.be)"; content:"|09|";content:"|02|be|00|";nocase;within: 12;pcre: "/(bestspace|redfriend|silvertag|whitemart)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631465; rev:9;)
# sid 2631466 includes 35 (0 - 35) 10 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.biz)"; content:"|0a|";content:"|03|biz|00|";nocase;within: 13;pcre: "/(a(ce-assist|rttraffic|tomakayan|udiotrash|b0utblank)|c(roionmail|mdidini32|orebank98)|ocrservice|p(revedtraf|2psharing)|wi(licenwww|n-pool21)|s(e(arch-biz|ekingloh|tcontrol)|kwarovski)|b(lueskyltd|ilbobalbo|ellezkino)|f(ramemoney|sc-global)|rightonadz|zerx-virus|traffsale1|glkzckadwu|ihnvoeprql|j(hvlfdoiyn|avacsript)|m(yrmifyuqo|sn-search)|qpcizvlvio|exp(loitbla|ressbay)|xssipforum)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631466; rev:9;)
# sid 2631467 includes 26 (0 - 26) 11 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.biz)"; content:"|0b|";content:"|03|biz|00|";nocase;within: 14;pcre: "/(about-blank|f(ortunebird|mkopswuzhj)|greatsearch|expressdeal|s(earch(2find|world)|iski-piski)|ymctrsztriv|buyanydream|c(allbackgsm|lickomania|fhlglxofyz|peadyepcis|bchyttgqay|ode-func42|rytheriver)|j(kisptknsov|onson-camp)|kgeoaxznfms|ms(vhmlcmkmh|n-gallery)|7batchshare|nua06032009|ram06032009|trafficaway)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631467; rev:9;)
# sid 2631468 includes 12 (0 - 12) 12 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.biz)"; content:"|0c|";content:"|03|biz|00|";nocase;within: 15;pcre: "/(hi(tijeoairnv|romatokoko)|ma(nukazorada|lwaremodel)|dimeccommand|virusprotect|32rundllfunc|sys-scan-wiz|g(uardlab2009|oogle-forum)|webinspector|idhomesearch)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631468; rev:9;)
# sid 2631469 includes 17 (0 - 17) 13 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.biz)"; content:"|0d|";content:"|03|biz|00|";nocase;within: 16;pcre: "/(c(ruise-copier|oreguard2009)|dressing-gown|e(asy-transfer|llionusgroup)|m(edia-content|y-profitable)|freesexonline|pharmacy-4you|trasferimento|a(ntispy(spider|knight)|dmin-batch97)|59comm-cookie|sys(-(look-scan|scanner-1)|tem-scan-1))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631469; rev:9;)
# sid 2631470 includes 10 (0 - 10) 14 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.biz)"; content:"|0e|";content:"|03|biz|00|";nocase;within: 17;pcre: "/(ecommerceguide|s(mart-security|e(archanything|rvicedirwelt))|anti-virus-pro|w(orld-transfer|indownupdates)|de(bug-script40|adseanatural)|vse-buddet-zae)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631470; rev:9;)
# sid 2631471 includes 5 (0 - 5) 15 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.biz)"; content:"|0f|";content:"|03|biz|00|";nocase;within: 18;pcre: "/(eastwestfinance|search-and-more|go(ld-collection|ooogleadsence)|freak-vkontakte)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631471; rev:9;)
# sid 2631472 includes 8 (0 - 8) 16 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.biz)"; content:"|10|";content:"|03|biz|00|";nocase;within: 19;pcre: "/(pharmacy-for-you|directoryfinance|t(rafficconverter|hewindowsupdate|upnak-sdes-kuku)|individualpeople|coreguardlab2009|free-web-scaners)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631472; rev:9;)
# NOTE(review): the rules in this run share one shape: a one-byte content for
# the label length, the length-prefixed TLD ending in |00| limited by `within`,
# then a case-insensitive pcre listing the labels. The pcre carries no anchors
# and no relative (R) modifier, so it is not tied to the label between the two
# content matches; short alternatives such as the 3-character ones in
# sid 2631477 can be satisfied by unrelated bytes elsewhere in the payload.
# Confirm the queried name from the packet or resolver logs before acting.
# sid 2631473 includes 2 (0 - 2) 17 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.biz)"; content:"|11|";content:"|03|biz|00|";nocase;within: 20;pcre: "/(detecting-spyware|maso-zlobnuy-trup)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631473; rev:9;)
# sid 2631474 includes 1 (0 - 1) 18 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.biz)"; content:"|12|";content:"|03|biz|00|";nocase;within: 21;pcre: "/antispyware-review/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631474; rev:9;)
# sid 2631475 includes 1 (0 - 1) 19 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.biz)"; content:"|13|";content:"|03|biz|00|";nocase;within: 22;pcre: "/antispyware-reviews/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631475; rev:9;)
# sid 2631476 includes 1 (0 - 1) 23 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.biz)"; content:"|17|";content:"|03|biz|00|";nocase;within: 26;pcre: "/ultracreative-solutions/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631476; rev:9;)
# sid 2631477 includes 3 (0 - 3) 3 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.biz)"; content:"|03|";content:"|03|biz|00|";nocase;within: 6;pcre: "/(9gg|8(v8|q8))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631477; rev:9;)
# sid 2631478 includes 12 (0 - 12) 4 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.biz)"; content:"|04|";content:"|03|biz|00|";nocase;within: 7;pcre: "/(nigr|yop(s|t)|ejeg|al9s|dl7s|fp3s|ldj5|ru98|7ioi|ku98|1mov)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631478; rev:9;)
# sid 2631479 includes 29 (0 - 29) 5 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.biz)"; content:"|05|";content:"|03|biz|00|";nocase;within: 8;pcre: "/(l4m3r|t(ende|r(uff|oia))|e7da7|n(o-ip|przq)|c(ool0|lunk)|s(tred|lole)|wever|d(cads|ll82|3m0n)|a(sp(62|x8)|bleh|n(xin|ush))|j(ngrn|io1a|cash)|mozsj|y(prpg|asir)|ohtas|ffp4g|kroto)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631479; rev:9;)
# sid 2631480 includes 21 (0 - 21) 6 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.biz)"; content:"|06|";content:"|03|biz|00|";nocase;within: 9;pcre: "/(elseif|a(kella|spx56)|c(yhawk|heck9)|d(educt|kgate|ooyoo|andon)|s(rvs4u|ornor|hop86|alaka)|miloni|xxxgra|g(e(zjwr|odll)|kenjj)|listop|k(uplon|onter))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631480; rev:9;)
# sid 2631481 includes 39 (0 - 39) 7 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.biz)"; content:"|07|";content:"|03|biz|00|";nocase;within: 10;pcre: "/(a(d(river|welth|ssite)|rtella|vcheck)|d(iz4you|kadmin|nsserv|0lphin)|e(cstazy|helper|wioygq)|r(bkvebf|iconah)|p(hi6aym|iratik)|fethard|c(cu(uuag|muag)|auksxf|ljivsb)|i(ebdesp|cbmulj|wtrubh)|b(btguag|htoesp|dzpfiu)|g(izmosb|htileh)|hhaouag|m(yspacy|imdezm|s-scan)|jradvwa|qtcnfvf|vupnwmw|slalaka|k(rona98|erchex))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631481; rev:9;)
# sid 2631482 includes 69 (0 - 69) 8 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.biz)"; content:"|08|";content:"|03|biz|00|";nocase;within: 11;pcre: "/(u(cleaner|v(eovbef|joqbef))|m(oreporn|rrdzwsz|ainssrv)|p(laymp3z|olicija|v(fjgram|jj(9bef|lbef)))|deborah2|e(ncumber|powhost|lkaribe|banuzza|v(dxybef|ix8bef))|a(ll1info|v(etbbef|jttbef)|77e1468)|s(pycrush|jkkfjcx|vcm(rbef|wbef)|eotraff|idarada|rv-scan)|y(mctzqav|vds(qbef|tbef))|v(esidcxt|ggdbocd|vgpiram)|c(kujcgxi|vgv(6bef|fbef))|h(alkjaer|v(gbkbef|fbecvw))|n(icebots|v(dhcram|hh(hbef|mbef)))|l(mswntmc|vaf(fbef|nbef))|t(deghkjm|khnvhmh|xeixqeh)|x(hazhbir|virmram)|k(uja-piz|veecbef|hdjehsk)|g(oldarea|v(fa(5bef|dbef)|atemal))|ivhc7bef|jvid(jbef|obef)|oveieram|qvaksbef|wv(bq(pbef|ubef)|cqcram|hqkram))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631482; rev:9;)
# sid 2631483 includes 25 (0 - 25) 9 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.biz)"; content:"|09|";content:"|03|biz|00|";nocase;within: 12;pcre: "/(s(e(xgoogle|arch-4u|rvice28)|d9-forum)|p(harmaceu|rojectns)|dhjqoiuwy|e(xtrahand|bnetwork)|ymct(a(njpn|vxiz)|-zqav)|udefender|m(cprivate|egacodec|icrosomt)|n(yam-nyam|ews-(blog|week))|tidport85|banners4u|glublubiz|zeus-logs|lucidmind|freeguard)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631483; rev:9;)
# sid 2631484 includes 1 (0 - 1) 4 character domains in the ".by" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.by)"; content:"|04|";content:"|02|by|00|";nocase;within: 7;pcre: "/maza/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631484; rev:9;)
# sid 2631485 includes 3 (0 - 3) 4 character domains in the ".bz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.bz)"; content:"|04|";content:"|02|bz|00|";nocase;within: 7;pcre: "/(4ssl|5jsp|id92)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631485; rev:9;)
# sid 2631486 includes 4 (0 - 4) 5 character domains in the ".bz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.bz)"; content:"|05|";content:"|02|bz|00|";nocase;within: 8;pcre: "/(user9|icmp5|err05|vbs27)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631486; rev:9;)
# sid 2631487 includes 3 (0 - 3) 6 character domains in the ".bz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.bz)"; content:"|06|";content:"|02|bz|00|";nocase;within: 9;pcre: "/(http76|sslid8|58keep)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631487; rev:9;)
# sid 2631488 includes 3 (0 - 3) 7 character domains in the ".bz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.bz)"; content:"|07|";content:"|02|bz|00|";nocase;within: 10;pcre: "/(5offset|6domain|0secure)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631488; rev:9;)
# sid 2631489 includes 1 (0 - 1) 11 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ca)"; content:"|0b|";content:"|02|ca|00|";nocase;within: 14;pcre: "/bouncenplay/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631489; rev:9;)
# sid 2631490 includes 1 (0 - 1) 14 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.ca)"; content:"|0e|";content:"|02|ca|00|";nocase;within: 17;pcre: "/danicamarkovic/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631490; rev:9;)
# sid 2631491 includes 1 (0 - 1) 5 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ca)"; content:"|05|";content:"|02|ca|00|";nocase;within: 8;pcre: "/7func/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631491; rev:9;)
# sid 2631492 includes 4 (0 - 4) 6 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ca)"; content:"|06|";content:"|02|ca|00|";nocase;within: 9;pcre: "/(23html|8event|9store|code11)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631492; rev:9;)
# sid 2631493 includes 1 (0 - 1) 8 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ca)"; content:"|08|";content:"|02|ca|00|";nocase;within: 11;pcre: "/control7/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631493; rev:9;)
# sid 2631494 includes 1 (0 - 1) 9 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ca)"; content:"|09|";content:"|02|ca|00|";nocase;within: 12;pcre: "/infostore/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631494; rev:9;)
# sid 2631495 includes 10 (0 - 10) 10 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.cc)"; content:"|0a|";content:"|02|cc|00|";nocase;within: 13;pcre: "/(in(fomarket|stalling)|b(buftxpskw|dykhlnhak)|jpppffeywn|rbhixtifxk|uyhgoiwswn|y(uvudlsdop|whaunsyez)|activision)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631495; rev:9;)
# sid 2631496 includes 5 (0 - 5) 11 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.cc)"; content:"|0b|";content:"|02|cc|00|";nocase;within: 14;pcre: "/(axaxmhzndcq|rozhtnmoudg|torhobdfzit|wumvjpbbmse|secure-site)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631496; rev:9;)
# sid 2631497 includes 2 (0 - 2) 12 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.cc)"; content:"|0c|";content:"|02|cc|00|";nocase;within: 15;pcre: "/(updateonline|conclusion00)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631497; rev:9;)
# sid 2631498 includes 1 (0 - 1) 13 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.cc)"; content:"|0d|";content:"|02|cc|00|";nocase;within: 16;pcre: "/astro-physics/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631498; rev:9;)
# sid 2631499 includes 1 (0 - 1) 14 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.cc)"; content:"|0e|";content:"|02|cc|00|";nocase;within: 17;pcre: "/criticalfactor/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631499; rev:9;)
# sid 2631500 includes 4 (0 - 4) 4 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.cc)"; content:"|04|";content:"|02|cc|00|";nocase;within: 7;pcre: "/(c0re|vicp|5cfm|6680)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631500; rev:9;)
# sid 2631501 includes 6 (0 - 6) 5 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.cc)"; content:"|05|";content:"|02|cc|00|";nocase;within: 8;pcre: "/(loads|traff|20ver|69reg|fthil|koaqe)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631501; rev:9;)
# sid 2631502 includes 7 (0 - 7) 6 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.cc)"; content:"|06|";content:"|02|cc|00|";nocase;within: 9;pcre: "/(m(ode85|sview)|cinsns|or(vfkx|zsys)|poplie|xcount)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631502; rev:9;)
# sid 2631503 includes 16 (0 - 16) 7 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.cc)"; content:"|07|";content:"|02|cc|00|";nocase;within: 10;pcre: "/(64crypt|s(ecure4|iteid9|sl(put3|com5))|4(aspssl|driver)|5netmsg|9hostid|l(ocator|agcrxz)|exxkvcz|gsvrglz|x(xmgkcw|snatch)|regscan)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631503; rev:9;)
# sid 2631504 includes 11 (0 - 11) 8 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.cc)"; content:"|08|";content:"|02|cc|00|";nocase;within: 11;pcre: "/(itakkasa|fsupdate|atnsoiuf|gbgklrka|ljizrzxu|mouvmlhz|sdjnaeoh|x(wrrxwmo|xabrkhb)|ycceqdmm|direct-x)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631504; rev:9;)
# sid 2631505 includes 10 (0 - 10) 9 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.cc)"; content:"|09|";content:"|02|cc|00|";nocase;within: 12;pcre: "/(fullspace|a(iiflkgcw|res-2009)|bzagbiwes|jhanljqti|meqyeyggu|wdrvyudhg|4utraffic|operative|cashpopup)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631505; rev:9;)
# sid 2631506 includes 3 (0 - 3) 10 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ch)"; content:"|0a|";content:"|02|ch|00|";nocase;within: 13;pcre: "/(kosovastar|t(etovachat|oureg-cwo))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631506; rev:9;)
# sid 2631507 includes 1 (0 - 1) 12 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ch)"; content:"|0c|";content:"|02|ch|00|";nocase;within: 15;pcre: "/tetovahacker/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631507; rev:9;)
# sid 2631508 includes 1 (0 - 1) 17 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.ch)"; content:"|11|";content:"|02|ch|00|";nocase;within: 20;pcre: "/akademikerzeitung/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631508; rev:9;)
# sid 2631509 includes 3 (0 - 3) 5 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ch)"; content:"|05|";content:"|02|ch|00|";nocase;within: 8;pcre: "/(jomos|p(wn3d|rinc))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631509; rev:9;)
# sid 2631510 includes 1 (0 - 1) 7 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ch)"; content:"|07|";content:"|02|ch|00|";nocase;within: 10;pcre: "/sabrina/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631510; rev:9;)
# sid 2631511 includes 1 (0 - 1) 8 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ch)"; content:"|08|";content:"|02|ch|00|";nocase;within: 11;pcre: "/patrizio/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631511; rev:9;)
# sid 2631512 includes 3 (0 - 3) 9 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ch)"; content:"|09|";content:"|02|ch|00|";nocase;within: 12;pcre: "/(hamakarin|thekiller|server911)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631512; rev:9;)
# sid 2631513 includes 1 (0 - 1) 3 character domains in the ".cl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.cl)"; content:"|03|";content:"|02|cl|00|";nocase;within: 6;pcre: "/cfr/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631513; rev:9;)
# sid 2631514 includes 1 (0 - 1) 8 character domains in the ".cl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.cl)"; content:"|08|";content:"|02|cl|00|";nocase;within: 11;pcre: "/synopsis/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631514; rev:9;)
# NOTE(review): the ".cn" rules that follow carry the largest alternations in
# this run (74 to 141 labels per rule, by their own header comments). Their
# per-packet cost is worth profiling on a busy resolver link - TODO confirm in
# your engine's rule-performance output.
# sid 2631515 includes 108 (0 - 108) 10 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.cn)"; content:"|0a|";content:"|02|cn|00|";nocase;within: 13;pcre: "/(b(u(ytraffic|nchguide)|iztech-co|est(tryour|lotron|findit)|ytenetcom|aidu(-1163|duyou))|h(ardstream|eartgames|idatabase|jcxnhtroh|o(st(ingmd2|nsload)|tslotpot))|i(nfulizing|-platform)|p(erosanala|ubmitzvah|alaceclub)|s(a(muraildr|teliting)|upersmoke|erymercha|ourcehand)|x(h(frzjwsel|yydingbi)|abmiphabh|iaoxiao02)|f(o(rex-shit|togratis)|connorlaw|ilmoflife)|jn-project|kroklovers|u(ltrasmoke|kxvgbnmzp|upmeepvej|nlock0452|pdatedb87)|g(iftapplys|angle2008|oo(glebots|oodbill)|reat(swamp|poets|toast))|l(i(mpodrift|fenaming|tecartop)|o(veinlive|okfor010|tbetsite)|yboidomen)|y(ouximoney|zbgoywzmg)|d(llupdates|o(ngdu2008|menzmonz)|urkadurka|dddsss123|ailynylon|etcentral)|2373498294|a(ctiveware|dfsgsdgfb|rhjfgjdrf|inideqian)|m(i(crosofiz|ni-socks|digratis)|ybesttube|oulitehat)|q(ingfeng01|zktamrsgu|q163-eild)|t(he(-format|yourown)|lovechina|vnameshop|ripsstart|intraffic)|video-news|e(gypt-shop|minemlive)|r(rrrrrryyy|ainfinish|oselambda)|c(znutchuei|vbnmdgesc|hi(ckstube|liwilli)|ombinebet)|w(inesamile|6rt67ew7d|hereismat|o(henleile|qyymmptn)|llvvkjknh|areshield|elcomeone)|originalcn|newguard(4u|2u)|94mekelove|z(usojbktvo|ombiecorp))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631515; rev:9;)
# sid 2631516 includes 141 (0 - 141) 11 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.cn)"; content:"|0b|";content:"|02|cn|00|";nocase;within: 14;pcre: "/(f(i(rewalllab|nd(big(boob|urls|name)|abigrig))|r(e(elifenet|iemuster)|istcenter)|leshkatera|knacmvowib|ghnjmdgrse|engyunwudi|usionheart)|b(mwwindowss|lacksun-sl|aidu(yuxire|-opop1)|i(jkyilaugs|g(b(ulkmail|est(find|lite))|topsuper))|reakss78jh|e(st(live-tv|cover(4u|2u)|webfind|finderr)|tbigwager)|ulkbaginfo)|g(lobalsmoke|asperoblue|r(ibontruck|eatmixlot)|o(goserv333|oglenames)|fyjfghdvse|iantnonfat)|m(i(crosoftes|rengeqian|x(lotworld|betworld))|eg(srdomain|avipsite)|sdownloads|ciuomjrsmn|ydefense4u)|r(x-pharmacy|psctacalyd|omsoftware|e(turnmyexe|adymixbet)|ainjukebox)|z(eynczuhei7|monstergov)|industry-it|s(ta(teandfed|keshouse)|zxintianli|m(ilecasino|sdiarybig)|uperlottry|olmixgroup|erverinlit)|w(uqing17173|inwupdates|atch-video|owregister|ebnamemart)|a(s-cannabis|dult9films|rgosonline)|l(o(ve(qianlai|rtoorcn)|banabucks|tbetworld)|i(ght-money|te(hitscar|au(ction|totop)|premium))|astfmmusic)|d(a(tinrelax8|ddybigtop|ilyhottie|masgratis)|i(rectlink(8|0|1|2|4|9)|ettopseek)|e(signroots|laizoloto))|j(ffhkvhweds|ustbargins|eans0nline|crewonline)|k(krxwcjusgu|allagoon13|ennelclubs)|c(enterifart|lickcouner|vbdohdrgyr|u(tpricepot|banbigtop)|o(mpoundlot|ol(hoodies|crosses|wordart)))|h(o(neypalace|usevisual)|eavenplace|uge(top(nano|diet|seek)|premium))|p(untryworld|oliticblog|romixgroup|eopleopera|layslotbet)|n(a(me(buyline|forshop)|notopfind)|ewtransfer|umbersbulk)|oceandealer|vi(tamingood|llain7878)|t(r(avetbeach|uemtstick)|he(yourbest|bettings|homename)|oplitesite)|you(bonusnew|r(c(atfree|ombine)|litetop)))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631516; rev:9;)
# sid 2631517 includes 92 (0 - 92) 12 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.cn)"; content:"|0c|";content:"|02|cn|00|";nocase;within: 15;pcre: "/(f(e(idqaadppta|elingchoin)|ree(dom2mind|funpages)|ind(localjob|bigshots))|i(gekqzeabkwz|slandtravet)|l(uewusxrijke|i(angminghao|fe-tablets)|ongyitiaov7)|m(wqqmuedzddg|ainnameshop|yhealtharea|ixbetonline|cwanecenter)|u(fnfvqqanftj|rgentnews3(0|1))|x(dinzdtftkkd|iaoaistudio)|w(o(aishizixiu|rldnamebuy)|ebsitecheck)|b(e(st(worldcom|nameshop)|tstarwager)|i(g(sellstaff|defense2u|coverlive|topbrands)|tanalytics|bliagratis)|aidujkljlxx|ookadorable|uscandotodo)|n(e(w(oneforyou|guard4you)|ilwelliver)|a(tionwide2u|szza-klasa|memartfilm)|ohtingherez|iencos3432d)|g(r(upogaleria|eatbethere)|oogle-(traff|credi)|iant(premium|topnano|highest))|h(o(ursebuilds|sskurnelli)|ackdownload|ugebestbuys)|p(olkerdesign|laybetwager|harmacyeasy|restigecard)|c(o(ntent-type|ol(nameshop|building|papabell))|asinobigtop)|t(eachersgood|r(ydirectjob|aveltravet)|hefilmmusic|opfindworld)|384756783900|783456788839|a(brakadasbra|llyourguide|sdfgsdfgsdf|ntivirusvip)|your(f(reebets|ilmlife)|guardpro|liteseek|nameshop)|excelsystems|d(rawingstyle|ownload-123|vdmovieclub|unkinsworld)|s(tatsanalist|ymphonygold|uperbetfair|ervergloria|itesupports)|resorttravet)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631517; rev:9;)
# sid 2631518 includes 84 (0 - 84) 13 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.cn)"; content:"|0d|";content:"|02|cn|00|";nocase;within: 16;pcre: "/(ra(moneymayker|cquelsworld)|u(pdatedrivers|sednamestore)|europeansmoke|s(ta(tofcountry|rtgetaways)|itra-perugno|e(e-something|archsuggest)|uper(dietfind|filmlife)|hopmovielife)|a(ct(iveprotect|ualization)|utodirection)|w(indowsupdeta|atchepisodes|e(bsiteflower|ekendtravet)|orldofwarcry)|d(atingforyou6|ddbbbddbbdbd|ressnowbeach)|zworksoftware|b(aidu(-baiduyi|yuxirebn|jkljasda)|rabuscoctail|e(st(finda(home|loan)|cover4you)|tworldwager)|igtop(escorts|artists|cabaret))|c(ntotalizator|asinoslotbet|h(eapslotplay|ristmasclub)|oolringtones)|n(ymedcenter30|onfatcarbest|amesupermart|udecelebrity|ewagehosting)|g(oogle(nations|-(credit|a(nla(bc|cc)|wards)|newbot))|etluckytoday|reat(shopfilm|ingcards))|f(ree(girlinbad|castingus|defense2u|universis)|ilmtypemedia)|m(edamphetamin|y(defense4you|guardforyou|newnameshop)|i(llionsdream|xgroupguide))|itsyouronline|l(aspaceevents|itetopdetect)|your(ownplanet|bestworld|guard4you|filmmovie)|h(ugetop(nonfat|locate)|ome(nameworld|brandname)|it-inspector)|163-sohu-sina|p(remium(locate|nonfat)|arkinglotbet)|t(helotmachine|echnoopmizer))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631518; rev:9;)
# sid 2631519 includes 74 (0 - 74) 14 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.cn)"; content:"|0e|";content:"|02|cn|00|";nocase;within: 17;pcre: 
"/(s(ervice-google|uperbetsports)|b(ig(getonething|premium(lite|find)|skytopguide|topf(indsite|estival))|aidu-(baiduzi(1|2|3|4|5|6|7|8)|dudouai(1|2|3|4|5|6|7|8|9))|dbdbddbdddbdd)|th(ingforyoutoo|enetnameshop)|c(omputershello|adeaux-avenue)|f(i(restnamestea|n(d(big(thinker|brother)|yourbigwhy)|anceimprove)|lm(bridgelife|lifeimages))|reecoverstore|ullclickstats)|d(ating(fromsms3|weekend(4|5))|otcomnameshop)|n(o(isedetection|nfatautobest)|e(paxek-domain|w(guardforyou|netnameshop))|ame(buypicture|claimstore|storevideo))|09021030408721|h(osikurneilivv|ealthathome18)|whereismyclick|g(oogle-anal(yze|ab(a|b|c))|ianttoplocate|reatnamemovie|lobal(mixgroup|nameshop))|infinitilancer|y(qwt5efe56w56e|our(nonfatbest|guardstore))|l(i(te(autorepair|upyourride)|veicqnetwork)|ot(wageronline|ultimatebet))|mixmediadirect|joomlaprojects)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631519; rev:9;) # sid 2631520 includes 65 (0 - 65) 15 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.cn)"; content:"|0f|";content:"|02|cn|00|";nocase;within: 18;pcre: "/(c(ndatingforyou6|onsignmena5173|lubmillionswow|atchynamestore)|datingsmsvideo9|s(uspendeddomain|paceindustrial|tats-analytics|dahidsahidsahi)|b(aidu(-(baidu(dou(1|2|3|4|5|6|7)|xin(1|2|3|4|6|7|8|9))|dudouai10)|ybaidbrqlm)|est(defenselive|coverforyou|litetopfind)|ig(topliteworld|findtopguide)|lo(gtransaction|ckcenterplay))|n(ew-med-offer77|a(notopdiscover|mebuyfilmlife))|a(n(algize-google|gelinajmovies)|labamafasha001|utobestwestern)|p(leaseclickhere|ri(vateaolemail|celessfinish))|onlineanalytics|m(illion-dollars|acroviewonline|y-bilderrahmen)|f(alloutneferwin|reecoveronline|ind(bigthinkers|yourbigidea))|li(eliteautobody|te(premiumlist|topseeksite))|educationbigtop|transformercity|you(benshizaifen|r(guard(online|foryou)|litetopfind))|jinzhuangzhuang|h(osfikurnellixx|ugetopdiscover)|google(analytics|-advisior))/i"; 
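classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631520; rev:9;)
#
# NOTE(review): sids 2631521-2631535 below are rewritten so that each match is tied
# to one complete DNS label followed by the TLD.
# As generated, every rule combined three loosely related tests: a lone length byte
# (content:"|NN|"), the TLD suffix constrained only by "within", and a pcre with
# neither anchors nor the R (relative) flag. That pcre was evaluated over the whole
# payload, so a listed string appearing anywhere in the packet (inside a longer
# label, in a subdomain, ...) satisfied it; short entries such as "9v" or "zzz" are
# the most exposed to false positives.
# Rewritten form, matching <length byte><label><TLD suffix> as one unit:
#   - single-domain rules use one content string (longer and more selective);
#   - multi-domain rules keep the TLD content as a prefilter and anchor the pcre
#     as \xNN(...)\x02cn\x00, where NN is the label length already used by the rule.
# Any listed name whose length differs from the rule's stated length would no longer
# match; none was spotted in this section, but the generator output should be checked.
# These rules inspect UDP port 53 only; DNS carried over TCP is not covered.
# sid and rev are left as generated; bump rev if the generator's numbering allows it.
#
# sid 2631521 includes 32 (0 - 32) 16 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x10(s(peedofsearching|ecuredosupdates|uperlitecarbest|hopvideoschools)|d(iscountcentre66|evinepromotions|reamlitediamond)|perfectnamestore|l(ite(autogreatest|topfindworld|downloadseek|highestmodel)|otmachinesguide)|f(riskdiseaselive|ind(bigmoneygame|itinbigapple))|yourfriskdisease|momentstohaveyou|easyfriskdisease|t(echnologybigtop|raffic-searches|hebestwaytofind)|b(est(litediscover|mortgagefind)|ig(t(ruckstopseek|opmanagement)|appletopworld))|name(companystore|martfilmlife)|g(iant(topdiscover|beaversdiet)|oogle-analitics))\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631521; rev:9;)
# sid 2631522 includes 38 (0 - 38) 17 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x11(m(icrosofp(supports|center71)|y(ascertainpoison|checkdiseasepro))|t(ellicolakerealty|hebest(worldparty|youcanfind))|c(huangzaohuihuang|reativeblockplay)|li(ve(updateservice|avantbrowser2)|te(autobestguide|carfinestsite|top(locatesite|finddirect)))|g(oogle(syndixation|-anallytics)|r(ooveyourdestiny|eatliteautobest))|n(ewlyclickssystem|amestore(filmlife|discount))|s(oftwareoverworld|hop(film(existence|lifeforce)|moviefestival))|w(hreismyplugnplay|eisichuanxiongqi)|f(ilmlifemusicsite|amilyofefounders|reedefenseforyou)|daslxzcewralrocjn|internetnamestore|easydefenseonline|overpoweredsystem|bigprotectionlive|your(friskviruspro|nameheremedia))\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631522; rev:9;)
# sid 2631523 includes 19 (0 - 19) 18 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x12(whywelive-success4|thankyoufor(smoking|install)|lite(autofinestsite|downloadfinest|greatestdirect)|awardspacelooksbig|e(asy(checkpoisonpro|bestprotection)|xamine(illnesslive|poisonstore))|s(ecuredupdateslive|hopfilmlifeonline)|b(est(examinedisease|friskviruslive)|igfirststopnonfat)|your(checkpoisonpro|friskinfection)|filmlifemediaguide)\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631523; rev:9;)
# sid 2631524 includes 11 (0 - 11) 19 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x13(winxpdownloadcenter|discountmedcentre90|4thankyouforinstall|my(examinevirusstore|checkdiseasestore)|ascertaindiseasepro|litetopdiscoversite|nonfathighestlocate|shop(filmlifescience|movieproduction|videocommission))\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631524; rev:9;)
# sid 2631525 includes 1 (0 - 1) 2 character domains in the ".cn" top level domain
# Single entry: one content string replaces the unanchored two-character pcre.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 2 chars (.cn)"; content:"|02|9v|02|cn|00|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631525; rev:9;)
# sid 2631526 includes 14 (0 - 14) 20 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x14(2d2deozghamea1m1ifn3|h(syzpbavkojdqclhnoqz|omenameregistration)|bestprotectiononline|easyincomeprotection|d(cz9ubei212vp3nrca5i|ihbgbwqryuolfbebgme|eutschelandservices)|l(mempodfzrqqkteyupar|ufwhtelkadvrtaukqjo)|virevpcklvlrxjcqxtij|z(jjrrhhuokjxgmulisxs|nchygdrmelzejjvofji)|compoundcapitolgroup)\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631526; rev:9;)
# sid 2631527 includes 6 (0 - 6) 21 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x15(upd-windows-microsoft|hyperliteautoservices|secur(edsoftwareupdate|ityupdatessystem)|easyserviceprotection|nameshopinternational)\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631527; rev:9;)
# sid 2631528 includes 10 (0 - 10) 22 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x16(mediaho(usename(shopfilm|buyvideo)|mename(martvideo|shopmovie))|securedsystemresources|windowssecurityupdates|constructadvancedblock|easypersonalprotection|liteautogreatestonline|denverfilmdigitalmedia)\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631528; rev:9;)
# sid 2631529 includes 3 (0 - 3) 23 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x17(worldcommercialbusiness|mediahousenamemartmovie|security-access-control)\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631529; rev:9;)
# sid 2631530 includes 2 (0 - 2) 24 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x18(securedprosoftwareupdate|mediahomenameshoppicture)\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631530; rev:9;)
# sid 2631531 includes 2 (0 - 2) 25 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x19(internetinterestingplaces|mostbeloved-online-magics)\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631531; rev:9;)
# sid 2631532 includes 1 (0 - 1) 27 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 27 chars (.cn)"; content:"|1b|michaelsbestway2findalawyer|02|cn|00|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631532; rev:9;)
# sid 2631533 includes 5 (0 - 5) 3 character domains in the ".cn" top level domain
# Three-character entries: the anchors matter most here, since an unanchored "zzz" or
# "1ku" is satisfied by many unrelated names.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x03(bzx|hzs|zzz|1ku|jp1)\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631533; rev:9;)
# sid 2631534 includes 137 (0 - 137) 4 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.cn)"; content:"|02|cn|00|"; nocase; pcre:"/\x04(6(8yu|54x|3(mv|d4)|700|tg7)|b(koz|vr2|bg3|18c|n2z)|c(uyd|88a|56f|66(f|i|b|d|g)|c(h2|j(5|3|7))|re4|-0p|v9i)|e(snt|7du|o2q)|q(x13|w(18|r(2|1|7|8|3)))|h(-(ss|tt)|hj(2|3|5|7|8|9))|1(30w|6aq|7ge)|d(08r|er8|4(25|6g)|5d3|o2a|99q)|y(qsf|cn6|6dq|fe5|rd9)|5(11a|9cn|2-o|uzj)|v(ccd|okx|vk(2|5|7|9)|ika|bn5|0id)|xise|02to|9i5t|n(b88|an7)|o(7n9|wz8|6ls|kn4|-ap|n65)|j(1bc|ha2|d9k|i(-u|17))|k1ks|a(814|c86|xa(1|3)|ve(2|3))|s(ani|76z)|3(s9t|8(to|zu))|4s3w|84ws|g(d3w|o5v)|i(co6|ht2)|r(43w|99u)|w(d2a|3og|q9q|vg(0|4|9|2|3))|u(in(1|2|3|4)|097)|7u8f|m(nv3|br(2|8|0|3|5|9|1|7))|l(-ai|il9)|2(c2d|qtw|k90)|f97q)\x02cn\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631534; rev:9;)
# sid 2631535 includes 1 (0 - 1) 44 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 44 chars (.cn)"; content:"|2c|vip-qqcongqq-woyaocongqq-duoduoqqyiqiqq-qbqq|02|cn|00|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631535; rev:9;)
# sid 2631536 includes 189 (0 - 189) 5 character domains in the ".cn" top level domain
# NOTE(review): sid 2631536 is left as generated; its pcre continues on the next line.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.cn)"; content:"|05|";content:"|02|cn|00|";nocase;within: 8;pcre: 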
"/(5(2(0sb|xmm|gxy)|4(60w|417|ed4)|91sa|fera|1(ysc|8mk))|r(ouoo|kjhc|6c8d|tbn2)|s(iski|rjkc|trhq|ftcp|xd65)|0fish|a(ero4|vse2|a(mkn|dpw)|t820|b(bcp|eze|uze))|j(x(zol|hy5)|n538|mmbk)|t(e(l-8|iri|s85)|fdyw|o(tar|pfe)|apki|snse|runu)|y(yzmx|aajo|nlsw|rwap|mlsw)|b(albv|s(oil|ybr)|fgr5|oyuo|tyxw)|h(otbb|anme|zrj8|3hs4|mwzq|e-ro)|i(p1(91|27)|l(3er|one)|e854|r078|n(bus|tbn))|l(lzjz|u158|kjrc|eepe|gv97)|c(erin|hanm|dkdd|bp7t|c4y(0|1|2|3|4|5|6|7|8|9)|arse|vb1(1|2|3|4|5)|0093)|m(m(y88|boi)|y745|o98g|e1me|u555|cuve|figu|nvk8|sgeo)|q(pack|q188|tsnk|werz)|1(1(1ct|7la)|s2d3|0ces|2wds)|2(0(3pk|-(12|ka))|tutu|40av|qqmm)|g(xess|wtqx|o(asi|mne)|jk67|rozv)|k(a(obt|ngk)|kads|o1(1(8|3|5)|09)|ghh(1|2|3|4|5)|egod|s630|ds85|x111)|u(5188|sssr)|v(b(008|sjs)|vvbw|i(eio|vne)|as4k|ert4)|z(a123|l123|dbbd)|9(u(ser|9u9)|7sex|8tdw)|w(ornm|hv67|xjyb|-x-y|murl)|345bi|d(ajao|o(ups|c9c)|r(myy|520)|ew7f|fg34|jl87)|8(00mg|ddfx)|f(stat|yesn|gig1|dg43|ayda)|e(gfor|tm-p)|o(n(lyi|uka)|uwou|cedx|k135)|x(qgbn|cbnr|9s7b)|ppkok|6te43|nge68)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631536; rev:9;) # sid 2631537 includes 301 (0 - 301) 6 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.cn)"; content:"|06|";content:"|02|cn|00|";nocase;within: 9;pcre: 
"/(o(bebos|tlili|1o2qq|7o8gm|c(dona|e(gal|rnx)|f(ail|ede)|00co)|p(exti|bise)|o-86(1|2|3|5))|k(jhds3|o(waru|resh)|i(llpp|nkor)|e(hu99|ke03)|likv(s|p))|m(umaqq|a(lasc|igol|rtuz)|h8888|si7ka|m(d178|nnps|9860)|i(mibn|5663)|egatt|obpvl)|n(awolb|m(colo|b360)|uxtzd)|x(a(kepy|njan|zlon)|epace|fsare|m6216|h0088)|a(ll4ad|d(serv|ayby)|ppall|b(b192|c(rot|bef|aef)|adef)|ooooa|sd(awe|y77)|ini(ll|gc|uu)|tioqe)|d(n(s911|f-gg)|f(88ed|gyhk)|o(ta11|m11z)|aoqaz|bffky|udu0(1|2|3|4|5)|x(p002|line)|y3369)|f(fvv88|oursn|afa56|talyl|mgcjv|irnop|c(0921|3289|67(45|90)|7821)|gjhnf|hnfff|sdhry)|j(dztcw|ackkk|z(m01(0|3|4|5)|ll-(1|2|4|9))|y(m562|5687|6732)|jxp22)|p(p(film|uerd)|acany|rorom)|s(itama|meisp|s(11qn|a387)|800qn|oobao|jxhfa|vtube|l(l(l(4j|j4)|4lj)|4llj)|dfg74|b(8(632|778)|3589|9835)|hhdyb)|77xxmm|8(070(80|90)|51733|78772|8site)|c(q(wudu|fywg)|skick|cjj68|ut(eqq|lot)|nzuma|xaaaa|om8(2c|7k)|ds520)|h(untin|ao929|e(rezh|yjoy)|s7yue|xg008|o(ho-3|robl)|hh345|zcpwl)|l(lxxcx|iwejr|ftsbc|o(lika|rexx|ve78)|4jsll|j(4sll|s(4ll|l(4l|l4)))|yuboy)|q(q(5108|stup|-new)|i(qicc|an14)|w(e(234|345|567)|uioz))|05(39df|6789)|1(1(7275|1222|8fox)|000(mg|yb)|88tan)|5(0blog|1(3389|7891)|traff|dsa4d|566dm)|t(r(t544|axxk)|obild|haexp|iq38e)|v(b008t|odone|erynx|wwx17)|w(o(w(112|eye|gm(1|2)|neo)|9188|nthe)|r(t518|mfw(h|l|o|p|a|b|c|d|e|f|g|i|j|n|q|t|u|z))|yxing|ww404)|6(888ip|161(h(1|2)|q(1|2))|dsoft|5uttt)|r(d(aceq|eg42)|sdown|ezerv|aernb)|2(3(2313|7yud)|52623|82850)|9(76801|4(2dnf|4dnf|5dnf)|00990|xddw2)|i(nfomm|ttool|leron)|z(kd520|dq0(0(4|5|9)|10)|atura)|3(traff|68500|f4wws)|y(xwdwg|eziio)|b(ai(kec|dmn)|btu0(1|2|3|4|5|6|7)|ioito|m-740|g(5460|8028)|szyxy)|e(hkvku|qw00(2|3|4|6|8|9)|x(plab|odih)|f44ee|rgoer)|g(ougom|g(0987|6781|87(21|65))|stats)|4slllj|u(kboox|pdvms|szers))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631537; rev:9;) # sid 2631538 includes 324 (0 - 324) 7 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 
(msg:"SPYWARE-DNS DNS lookup 7 chars (.cn)"; content:"|07|";content:"|02|cn|00|";nocase;within: 10;pcre: "/(1(390578|000(dog|ylc)|7173dl|817520)|a(l(ltraf|i(mama|govs))|idd123|9rhiwa|boutdr|ayears|znylsf|sdf456|c(idbot|yikap|ajelu)|hz1000|d(iuqga|ocyha)|kipahu)|c(nc-inc|dnhost|ha(cent|rtse)|s158cs|c(swzx(6|7|3|9)|cbbbb)|o(okie7|nusil)|znylsf|ximnik)|5(22love|yttrre)|88huang|m(ulfika|kdsine|i(mi(223|531)|xante)|egabot)|t(imoxin|ypk520|znylsf|ra(vets|f(iks|lab))|edixyt|jforie|camala)|y(anxiau|ibanle|tgw123|znylsf|237yud|es04ka)|b(ismoke|qgqnfc|luexzz|znylsf|c-s350|aomaaa|o(bo111|tlife)|eebest|ulkbin)|l(o(t(rain|ante)|usecn|ng355)|ucky(cn|ie)|x-hack|i(ve322|zhao5)|znylsf)|n(etpace|vsvc32|ihao(29|jz)|cwjlti|nradio)|s(i(n(life|akis)|epiwh)|a(n0539|morez)|ll(wbd(1|2|3|4|5|6|7|8|9)|a(qsb|nmb)|b(qsb|nmb)|d(qsb|nmb)|eqsb|fqsb|gqsb|hqsb|i(qsb|nmb)|knmb|lnmb|mnmb|onmb|pnmb|qnmb|rnmb|4362|1209|9026)|s(y1688|dmmri)|znylsf|o(badar|halar)|choolh|d(jisbp|elaem)|etuwen|uxpymi)|w(rbhnuw|wwwool|o(ai117|wyeye)|znylsf|ew2223|c-host)|3(40safe|800vip)|6(658588|tyeeee)|j(esuser|8j8hei|j(yyzmj|jaaa1)|mrlmgg|ustbt1|znylsf|naff11)|p(i(pdown|terfm)|sp11(11|22)|acoast|opo321)|x(vgaoke|yblack|znylsf|x(xvvvv|oo888)|iaoyx8)|008dfds|i(cafe88|znylsf)|o(k(ey123|16899)|noncom|uthang|celect|mbb888|rgsite)|q(iqi111|q(117cc|cc123|-7758|dnf(0(0|1|2)|11|22))|s(lhoks|xdeww)|znylsf|jdiejs)|r(iriwow|o(nin08|omsme)|zenter|rrzzzz)|f(i(r(e321|stfk)|fa-09)|znylsf|arus56|tpgrbz|dsewwe|wef(333|222)|f88567|e(ptuaq|xonhu)|ghnklj)|e(oai114|aruldx|znylsf|rhaha2|xousyt)|h(iwowpp|a(nrou7|o3832|brion)|ryspa(c|h|n|o|p|q|v)|znylsf|hhjjjj)|z(fzuguo|mjjjyy|arazza|lwrnm(9|1|2|3|4|5|6|7|8)|g(hncs(a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z)|ynkm(a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z))|jz-(aaa|bbb|ccc|ddd|eee|fff|ggg|hhh|iii)|qekqyq)|g(o(gocom|jaxty)|znylsf|egeree|umblar|hfdgdf|i(lugmo|wgeam|hugyx))|u(usmoje|pdate3)|k(kk(kppp|uuuk)|znylsf|lawesd|illhhh|ortech|ghytgv|hgggdd|aribel)|70(6sese|9sese)|9(688kmm|4
94iei|mckde3)|d(aratop|engtai)|v(ilasse|cdywer))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631538; rev:9;) # sid 2631539 includes 270 (0 - 270) 8 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.cn)"; content:"|08|";content:"|02|cn|00|";nocase;within: 11;pcre: "/(3(4portal|60share)|c(h(portal|an(choi|i990)|inchoi)|cqqq123|r(ossred|awlnet)|o(nexnet|unnter|qhecup|olgifs)|akpapaz)|l(o(vemmll|ndoncn|rentil|twager)|plsebah|itebest)|w(e(berror|zdujur)|o(show11|709394|rk(sean|fuse)|olcart)|hitebiz|contact|fwwlleo|uhwasum)|g(am(e9988|berro)|ukgifoc|jjiigds|xfyytog|counter)|i(p(seeker|dnswow|luginu)|udqzypn|yfcmcaj|d(fixhim|lkhhcx)|i(dwhxdf|i(dhwwf|mlfex|yhggd)|wwexpd|x(dfhhj|hhwmc))|wwmkkdi|liketay)|k(a(lengzi|rasing)|i(ll(wow1|mayi)|skecaq)|rasotki|e(yclubs|fjwfev)|k(kppptt|jjuuii)|ghytghu|o(vsutap|qsuyod))|n(vupdate|tkrnlpa|icdaheb|akvgyuy|ehyzimo)|a(d(server|ul8tra)|nyinglm|soidakm|vweqdcr)|h(a(okandi|yboxiw)|e(iheinn|lpdown|yxadax)|hhh8886|ifgejig|otxasib|ugebest)|q(q(770520|hudong|q(qttrr|eeeww))|wertycn|icdator)|t(rafagon|e(mp-biz|yrebuf|amwows)|i(moxinn|x(leloc|wagoq))|o(zxiqud|p-name)|ukhemaj|aolu163)|2(pj5udv7|009(aaaa|bbbb|cccc|dddd|eeee|ffff|gggg|hhhh|iiii|jjjj|kkkk|llll|mmmm|nnnn))|520xyyyy|m(a(ilhunt|kefred)|1ibeian|4gatube|e(ga(-aaz|utbe)|ng3130)|dntwxhj|i(ss(5082|6298)|x(bunch|wager)))|f(engnima|i(rstblu|xerman)|alali(ee|ii|oo|qq|tt)|ffddd11|orexsec|ynimytu)|o(p(tioner|ilired|kawiqb)|oudifyw|cextend|k(8uuer5|ijihyg))|r(a(tedhot|lcofic)|xgssll(a|d|l|t)|uanle88|ifnasax|o(xmiced|gkadej)|fvv0080)|998flash|b(l(ackhei|endbet)|aidusib|enyodil|ikpakoc|o(lewamg|tnetuk)|ronotak|bwgroup|jbotnet)|d(o(uhunqn|wn8888)|i(gfree8|vinets)|wrtwgsm|urudik6|e(renfop|t(guide|empsr))|ddd(dsaa|xxx2)|stsettx|jspdsie|4rkst4r|arkslim)|s(t(abroom|okshot|kgroop)|llw(bd10|rnm(1|2|4|5|6|7|8|9))|o(think(1|2|3|4|5|6|7|8|9)|jjokas)|ynflood|e(xbases|hmadac|rvpipe)
|i(spewtr|lzefos|pcojeq)|hiko181)|u(nivnext|se-sena)|v(olchara|e(stepau|xokope)|avgurac|ilihood)|e(wotrost|gxbsppn|vqvmwgw)|p(l(otfive|aloorz)|sbdfflh|o(loi999|rgacig|pyodiw)|roduct(4|8|9)|eskufex|a(ksusic|ylayos))|z(yzhuiku|zzz(2233|6655)|lwrnm(1(0|1|2|3|4|5|6|7|8|9)|20)|ogmirow|wwderff)|j(cl-000(6|7)|ordans0|ijiiger)|1(00alexa|ni8sami|256hrom)|x(i(a(ndaic|onice)|lleixf|dsasuc)|zcjiiyw|-system)|ya(vlarag|h00520)|8465432(1|3))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631539; rev:9;) # sid 2631540 includes 147 (0 - 147) 9 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.cn)"; content:"|09|";content:"|02|cn|00|";nocase;within: 12;pcre: "/(1(0000xing|23aaddzz)|o(r(entraff|derasia)|n1000000)|c(nxiguayb|aocaowow|o(rpamata|ol(facts|belts))|hartseye)|s(11523822|sreaader|llwrnm10|o(think10|rwwwros|cks-vpn|filoren)|dhdfhtyf|hould-be|e(clabnet|amodern|rvicedm))|a(liletian|dwim8812|bdulabah)|q(hzaixian|q(qqkkkss|c2009qq))|b(a(nkdiyed|idu-du(1|2|3|4|5|6|7|8|9)|rginday)|e(ngchi(tt|zz)|stloads)|o(tconnet|roda888)|l(4ckst4r|uesky01)|rrtydwsw|igbargin|xmbaqqd9|bcadmins)|d(i(y(edbank|banked)|rty-boy)|a(ditraff|sd11vgz)|bckbkscw|ddd(sss12|xxx1(2|3|4|5))|gmeifeng)|m(i(orosoft|anfei58|xigroup)|u(sicbox1|rakamus)|a(ngust32|shrooms)|yphpsoft)|p(iaoyaowl|o(davanda|sheng21)|a(nelstop|laceyou)|ro(xyrent|100biz))|t(akenames|i(mefreet|nrussia)|r(afffive|ustgame)|urokgame|h(e(lotbet|mixbet|batnet|trypto)|reeways))|x(ingaide8|uyxuyxuy)|222online|l(i(anyixia|tefront)|uckbird8|kjdlfior|etomerin)|h(e(ihei117|linking)|ynno8744|o(tt-rodd|stingmd))|u(p(date999|ononjob)|yvtuutxm|sacaaugb)|w(o(oollstx|rk(nssrv|forex)|xiaohei)|wwwyyyyy)|g(erosname|ro(botron|upbang)|o5reborn)|z(soforoms|gcgssll(e|f))|j(intian12|0rykafwn|ustcctv6)|k(o(lonka17|rmflek3)|umaojoke|evin-jok|kkooo888)|v(ampizdec|idstream|ertusale)|iklzskqoz|f(engtianc|unikuler|inditbig)|4mcmeta4v|r(rrr(pppkk|gggg
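g)|efugepro|oom4info)|e(ryfghfdc|wqdqwd32)|na(meashop|ilimpro)|yutergfrg|0083vorit|888admins|999admins|765admins)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631540; rev:9;)
#
# NOTE(review): the four single-domain ".co" rules below (sids 2631541-2631544) are
# rewritten to one content string each: <length byte><label>|02|co|00|.
# As generated, each used a lone length byte, the TLD suffix and a pcre with neither
# anchors nor the R flag, so the pcre matched the listed string anywhere in the
# payload rather than only as the label directly before ".co".
# A single content string ties length, label and TLD together and needs no pcre.
# These rules inspect UDP port 53 only; DNS carried over TCP is not covered.
# sid and rev are left as generated; bump rev if the generator's numbering allows it.
#
# sid 2631541 includes 1 (0 - 1) 13 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.co)"; content:"|0d|thegogosearch|02|co|00|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631541; rev:9;)
# sid 2631542 includes 1 (0 - 1) 14 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.co)"; content:"|0e|sergej-grienko|02|co|00|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631542; rev:9;)
# sid 2631543 includes 1 (0 - 1) 5 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.co)"; content:"|05|83asp|02|co|00|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631543; rev:9;)
# sid 2631544 includes 1 (0 - 1) 9 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.co)"; content:"|09|outerinfo|02|co|00|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631544; rev:9;)
# sid 2631545 includes 600 (0 - 600) 10 character domains in the ".com" top level domain
# NOTE(review): sid 2631545 is left as generated; its pcre continues on the next line.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.com)"; content:"|0a|";content:"|03|com|00|";nocase;within: 13;pcre: 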
"/(i(e(d(nserror|efender)|safepage|u(ptodate|iu01143)|xpllorer|renewals)|-barclays|n(n2coming|okuchi-c|t(ervidds|riangle)|etavirus)|riverplus|tsnotjoke|d(entid-ad|olhotels)|qsearches|a(-(license|payment|s(can(ner|pro)|upport|tat-ia))|bestscan)|m(mediallc|g(directz|zportal))|spscenter)|m(a(lwar(e(bot|war|ray)|rior)|c(sweeper|-videos|romedla)|sminutos)|y(me(tavids|diasex|gatube)|s(tic-r0x|elfhere)|-xmovies)|i(l(fondick|an-fans)|c(oirsoft|rovsoft)|n(imal345|dofitus)|sdnspage|osmsclub|ddellton)|cafeepack|e(morisebu|ga(tourus|runner))|o(v(utility|sonline|ie(ndola|zlibs)|wmwares|zportal)|mocortes|bifonika|neymedal)|p(eg(addons|helper|update|system)|3(for-you|directz|zooming))|s(srv10256|as2009dl)|u(rka-best|nobatuno))|o(cnservice|leniny123|mi-update|n(webmedia|ewedhost)|qwerzxcew|rferhuijj)|g(h(ktoolkit|npacgvif)|e(t(-faster|youneed|sysgd09|pcguard)|npayment)|o(2-search|l(nanosat|itescan)|godownnn|yourscan|-go-cash|o(dboomer|nlyscan)|easybill|s(can(ever|f(use|ine|lex)|only|s(lot|tep)|h(ard|igh)|mind|port|data|auto)|idescan|tarscan)|maldef09|hardscan|datascan|workscan|autoscan|f(inescan|lexscan))|a(me(zonetw|paslog)|te(ietool|tofind)|bfundopv|udihouse)|uzhijijin|reatadore|nyluuxneo|t-websoft)|p(o(p(swatter|okimoki)|r(n(-focus|o(4teen|-(babe|titi)|chunk|droid|heros|forex)|sp(ital|ying)|tube(0(8|9)|4u))|talpics)|s-kupang)|a(nda-2008|ris-hack)|c(assertor|-cleaner|s(ecurise|peed-up)|turbopro)|l(us-codec|ay(0nlnie|swomen|-error)|sexbnytn)|e(kkangrup|t(smovies|cabtaxi))|i(lot-porn|nigeliai)|roantispy)|s(t(opingspy|artwarez)|i(iprogram|n(ataques|senales)|lviocash)|dajk46546|-(redirect|freeware)|a(fe(pctool|onebar|-strip|tyhall)|wt-gharb)|e(x(rusfuck|akaporn)|cure(only|warn)|archres(1|2))|h(iny-stat|a(mpoojob|imokale))|p(onsernet|y(analyst|gangsta|officer|ware(iso|hub)|destroy)|inpalace|wfighter)|wfutility|c(holes-it|ansguard|lassmeet)|g(uardscan|9scanner|productm)|jfdhw395t|uckitnow1|vertochka|yncupdate|ms(clubnet|diretto|pianeta|inlinea))|w(e(eproject|rtionase|althleaf|bantispy)
|h(itecodec|ocherish)|i(rusukyua|n(d(efensa|ows-av)|pluspak|5millon))|spscanner|w(vyoutube|w-images)|a(le(direkt|online)|ntfinest))|0(websearch|nlyvideos|87control)|2(020search|greatfind|quickfind)|b(kvcompany|o(omgirltv|arddiary|lelshiko)|u(g-strike|haoyishi)|l(a(ckcodec|nchdisc|zervips)|essedads)|e(st(-codec|barack)|adcareer|rusimcom)|r(o(kenurls|mmercon)|akeextra)|a(ryouneed|nk(sguard|itrade)|idu-6661)|jnwsqtwth|splupdate)|c(o(ntrolmeh|olmelife|dec(-scan|space)|mp-(adult|porno))|r(azy(clits|-tits)|uelmoney)|u(m-attack|rerrores)|a(atadgouk|shbotnet|tjepzcft)|d(p(uvbhfzz|vaqnlod)|ouidmvif)|e(lebstape|zqtessjo)|h(aritymob|huslfffu|yaicpvxo|orussoft)|l(i(pzocean|cktolog)|smateees)|bfkzhtyik|cytvpbsdg|fsiqejclo|gymwmlcaa|steenhoff|3uconnect)|h(o(hoho2008|stwaydcs|me-intra)|a(nashteam|rararara)|e(althlike|retofind)|uytegygle|i(5-(images|spaces)|eudsjvif)|d-youporn)|a(a(rmrgdxrv|q(arkznvb|kweoslz)|gnfdjkgn|idu-6661)|b(mmrvthjr|erdwylan|out-(porn|sexy)|itsystem|kzfdilko)|d(b(iz-pool|eplayer)|donfiles|i(rectbar|msceibh)|-protect|tctqypoa|ult(-(comp|mega|name|want)|idate|xx-18)|ore(lyric|songs)|hiqzytub)|f(hncitbkg|ubwbmsce|9f440dcc|flvwetib)|h(cieqdgbv|iiptjsto|ryafujpb|ylezyiof)|c(ce(ss(-dvd|sexy)|ptslim)|dedblshd|t(ive(xobj|-max)|hkqyzex)|hongsoft|ademcity|plugibgo)|e(vqritikn|ardyrvgt)|g(flvkgwef|reeslick|ixtudkco)|l(bedohost|ex(-clips|finker)|g-search|l(mypills|datanow))|n(dfinance|ti(spykit|vir-64)|y(trafppc|kindmp3)|zentsuru|vimaster)|v(completo|iutility|-(pro2009|xp-2008)|scan-pro)|s(dafdgfgf|weatpage|ionigolo|mmnation)|t(macasoft|gcges51x|tmyjoker)|resdeluxe|u(gustbody|thorbody))|d(v(brehberi|gdfg4650)|a(isymails|sistporn|tingnoon)|doservice|e(l(ficodec|uxenote|shiktds)|vilxsite|inglaube|uagjyvif)|gbusiness|i(d(itounts|osearch)|gikeygen|ocleaner|plomytut|rty(files|-zone)|skretter)|j(fha31847|hdhdshds)|ksuosdhsd|ns(404(page|rule)|duepage|mislead)|o(nkeljoin|wnload(bf|v3)|lcebrava|main5124|rnaboret)|rive-sexy|tlproduct|wrdferfd6)|f(a(pparatus|yhvkfnvu|st(webway|pcsc
an|brakes))|g(hie87134|ckeqvvif)|i(xthemnow|re(oniraw|-extra|x-labz)|lefixpro)|o(ijv18073|r(m(atmpeg|erlyus)|cedscan)|xionserl)|l(wcoupler|ucksbuck|yonfiles|ingstone)|ree(adobes|-xtube)|vtnksbjqo|fxionlion)|j(e(e(nnervel|pworker)|dzasowaz)|iuhn08750|sactivity|oyshanley|agfiuyvif)|l(e(adygyved|tssearch)|a(dyteapot|belfreak|st(count(b|c)|-visit)|fastfind)|i(mpietodo|nk(ietool|canpro)|st-black)|o(nglifepc|loplanet|shadinet)|loydsterm|uckyclipz)|n(a(vi-movie|thangann)|iggarulez|o(spywares|rtonsoft)|etcitycab|uclear777)|q(uara-best|tcpplugin|clangroup|qcfwaigua)|t(e(klanotis|ledisons|rrorfear)|h(e(coolbar|stars08|deadpit)|ink-adz2)|o(olsicuro|sserhost|jandglow)|u(ttoscemo|be(-4free|porn0(8|9)|loyaln|ontvgl)|dorplace)|ianjisuan|rasoregon|ypyxiolix)|v(oodofiles|a(mpirings|ccinespy)|ery(monkey|blomar)|i(pantispy|rtrigger|ew(formex|worldx)|sitcouns)|wwredtube|m-codec18)|x(p(defender|-as-2009)|s(oftwares|ismdirys)|n--mg-kka|retrotube)|1(1(88224372|4central)|ii1i1ii11|d27c9b8fb|sweethost|000league)|4(04(dnspage|mispage)|3553panel|8rdirjava)|e(a(systyler|elzkkodp)|-gold(4bet|play)|l(iteshell|xtrading)|n(gineplay|hancedie)|passporrt|s(earcheng|passport|t(expired|planete|virtuel)|afetyweb)|x(e(revenue|trafflc)|p(ertcash|lorerex)|tra(ultra|brake|spray))|btadejfqm|hagvzyfrt|c(unglllos|apeskcab)|fbkfqpcdh|datamedic|mpresalda|r(abl-pict|rorstool))|k(e(ineviren|ygenguru|nedysite)|ingmaxone|jfbk07814|vm-secure|nowholove|lassmanes|ukuzhmuku|oliartoge)|3(dpokerpkr|gigabytes|0plusbill|44session)|9yimeiyuan|y(m(ct(aaqada|-ueorn)|eproject)|our(-adult|ipment|length)|andexshit)|r(e(newfiles|stekiste|alpicmov|opsakwww)|uler-cash|modelismo|ocktheads|a(shagirls|mpartech))|u(p(date(s-(os|xp)|mic(s|z))|orn-tube)|s-bankers)|z(anewnovel|jofficial|emtewrwww)|8(345server|8code-tcp)|654control)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631545; rev:9;) # sid 2631546 includes 68 (601 - 669) 10 character domains in the ".com" top level domain alert udp 
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.com)"; content:"|0a|";content:"|03|com|00|";nocase;within: 13;pcre: "/(b(rain-cash|lackporn1)|jornaloeco|labsmedcom|m(edic(hobot|myths)|p3-hunter|y(best-xxx|top-porn|spyguard)|s-antispy|obsonline|alwarenix)|s(fdjmljfep|iskimoney|earchopt7|pigotinch|upertvist|lot-sluts|ysreport(1|2))|w(hite-test|n(20090504|ames1404))|a(bimovdxes|gility-ml|dwarefeed|ntspy2008|vpro-labs|l(-harthia|l-in-exe)|ssayindia)|d(rinkapola|esignmono)|e(fhgdupxes|r21012009|urocurrex|cseonline)|i(jlfhysxes|s(ettatech|-antispy)|nterepass)|p(owermaxxx|pcmachine)|t(uruwiando|h(at0world|eusdrugs)|raf(driver|fchela)|ekiomklos|wittercut)|0118099987|22pixelbox|5824125537|f(arishtech|oundguide)|on(ames0603|ejob4you|line2168)|ravelbabel|g(o(richscan|s(canrich|oonscan)|ironscan)|aymeeting)|h(i-my-tube|owareubro)|viperteens)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631546; rev:9;) # sid 2631547 includes 552 (0 - 552) 11 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.com)"; content:"|0b|";content:"|03|com|00|";nocase;within: 14;pcre: 
"/(4(04dnserror|35(34online|79online))|g(et(-torrent|newfiles|as2008xp)|o(tosex4all|ld(vipclub|pcguard)|-scan-pro|dsaveporn|sgscanner)|r(e(g-search|atvideo3)|and(-sale4|chasse))|u(mgangfarm|nbrethren|tvjbektzq)|lobe(rstube|xtubes))|i(e(homepages|antivirus|dnserrors)|s(afetypage|earchtech|-the-boss)|c(-helpdesk|edenarena)|n(et(traffic|antivir)|s(tallcash|anempegs)|jectpanel|kjetkarts)|wantsearch|gloofamily|a-scan-(now|pro)|m(g-library|ages(mazda|color))|idqkzselpr|persmstext)|m(a(l(ware(wipe|b(urn|ell)|core|-doc)|-waredoc)|mbomarket|ngleworld|x(imumhost|youripod)|kingadore)|i(c(ro(sof(tmg|ftt)|a(dplus|v2009))|yberclub)|neforsale)|o(teurpcpro|vs(devices|highway)|on-player|refreesms|ntagnasrl|ugoalivee)|y(flydirect|p(harmshop|spcenter)|bigportal|sex-adult|whoisinfo|-(exe-work|xxl-tube))|peg(utility|version)|e(ga(1search|lithusa)|dialibsms|etclassns)|urom-hotel|shomegroup|gjmnfgbdfb)|v(i(r(us(rescue|v(anger|ijand)|escape)|tualesms)|d(sdevices|zdevices|e0portal)|enmoreter|zabelarus)|mcodec2008|coenutrmsi|scodec-pro|egas-vixen)|w(e(b(dnserror|movies-(a|b)|bestlink|-help247|s(houlder|chemist|pyguard))|lovesandi)|i(n(fixtools|defender|pcdo(ctor|ktor|wn(09|99))|bluesoft)|llposting|dget-porn)|a(r(inmyarms|enetwork)|ntcherish|leprojekt|pcitynews|watoolbar)|o(r(ldbakers|shiplove)|aini23456)|rightcount|wwworldweb)|b(splaycodec|i(hsecurity|tbytesoft|g-pornnet|ngo-babes)|e(st(-(cracks|xxxnet)|bloggin|hostdot|search3|pro(host|scan)|usablog)|t(tasearch|ivervega)|rvioneeil)|u(lkwatcher|rnandfire)|xbo9tgcgqu|mmjbsjidmt|l(ack(-extra|holeme)|og(ginhell|cubarfe))|gbtorlopos|a(nnerads08|dwetgirls))|l(ive(antispy|-player)|u(ckyfinder|ngavitapc)|argavidapc|yunicoming|o(veoursite|calhost-2|senowfast|ok4celebs|yal(down(09|99)|tube10|-porno|videoz)))|x(i(edefender|ndalawyer)|maturelife|p(antivirus|enprotect|protector)|-softwares|videocodec|axiangzhan)|24-7-search|a(n(ti(spy(-pro|ware|list)|v(er2008|ir(gear|2009|us(gl|-x|up)|ware|xp08|prof)|aresys))|alpornmag|onymwinpc)|aqadaueorn|b(dullahost|o
utmmgftf|nc-portal)|d(d(2profile|ioerrori)|eskonline|netserver|ult(-(drive|great|visit|x2008)|finder)|ver(daemon|lounge)|ware(alert|tools|-2009))|l(ex-thumbs|l(camguide|kindporn|-in-tube)|phabekltd)|rtaroundme|s(afe(center|ty(head|list|menu|site))|e(arch(gate|pool|nget)|cure(head|info|mask))|pxservice)|ucun(efaute|menace)|xvideoplay|v(-pro-2009|10antivir|agent-pro)|prostilere|gainstfear|culcoradio)|d(e(us(cleaner|payment)|fectshuri|luxelinks|nixsearch|movideons)|o(ginhispen|ubler2007|-(progress|stepscan)|step-scan|csofyours|wnload(-es|flx)|thesearch|llstories)|34thnation|bdecicated|i(abloxporn|gi-keygen|osoftware|s(coseguro|k(rensare|sparare)|ukushuri)|vrsystems|rect-conv)|ltsolution|ns(mserrors|allabout)|r(ivecleanr|spectscan|eanopaker)|dellywwear|j-xxx-tube|wnld-files|a(chengkeji|sretokfin))|h(e(alth-hack|re4search)|o(t(bookmark|-(sextube|codec18|xmovies)|vidstube|ecodec18|movies69)|mepagenir|stingprod|lidayxmas)|qsextube08|propellero)|s(h(ockbabetv|a(ohen6677|ngaicons)|in(gaidome|raihogo))|a(nta(pcards|-inbox)|dukkanora|fesharing)|y(percasino|s(homepage|-scanner))|o(ft(cashier|waretwo)|m(ehelpful|a-4-sale))|w(apixtreme|eetmoomoo)|i(n(rrastros|gharmony)|stemupyua)|u(rf(forsure|remover)|persameas)|e(arch(-(deal|into|west)|early|isall|tubez)|cureprior|opharmacy|lectusers)|p(y(a(way2007|dvanced)|guardpro|w(are(-(buy|out)|labs|stop)|protect))|acemynews|w-fighter|guard2008)|t(a(r-google|bleclick|tcluster)|eveellery)|quinento96|slpostedll|g(1(2scanner|0scanner|1scanner)|viralscan)|creenalias)|z(xcsolution|ilya-sosal|afiraworld|erocleaner)|3(6(5fastcash|0sharepro)|younggirls|45(24online|43online))|c(r(eatonsoft|utosearch)|a(r(ordriver|dnewyear)|sh(bagmoll|engines|slinger)|mposceola)|o(okingluck|nnecttous|metcursor|decvistaz)|l(ean(pctool|uptool)|ipz(portal|saloon))|yhawkmedia|mplcoupler|ntradeshop|h(emistsmed|adandkimi))|f(a(rmasearch|voredtube|stpcscan3)|i(reballftp|nd(itquick|slocate)|l(e(upyours|deepsea)|movifree))|r(e(e(-spybot|xxxmovz|webtown)|sh(-women|stats1))|igg
ingtra|b-network)|l(wsolution|ickr-foto)|ed-reserve|sshdardhwd|1organizer)|p(as(engewood|derreurs)|o(stcards-(2|6)|r(n(cannabs|magpass|o(farmer|infosn|magnat|pervoi|-codec|tubxxx)|popular|-(poster|tube09)|t(hefilm|ubenew))|tal-(porn|help))|perkiller)|c(forfender|sdefender|guardscan)|i(n-l-games|cturewest)|r(ettycodec|intlength|omosoft24)|sbill-help|e(st(-patrol|sweeper)|ople-rank)|yroantispy|0rn-movies|pcroitrack)|t(h(e(installs|f(reesite|unny-08)|playlove|s(tars-08|exybaby)|mazdacar|geekdude)|re(atnuker|eserver))|o(p(gameland|100(clipz|image)|-(cumshot|pornnet))|olbar(gate|unit))|ra(sheraser|c(kppcroi|eslayer)|lalzlocc)|u(kangbecak|rbo-extra|bes-xhost)|i(cketlight|meforfuck|ffanynoel)|eenchickas|weetwitter)|e(z(coolpages|ycontract)|as(iestgals|yinquire)|bony-stars|commerce88|fcsoftware|n(gine(porno|-sexy)|tmainpage|ewwindows)|r(otica2sex|ror(patrol|d(nsurl|igger)))|-statistic|visolution|x(change-wm|p(andvideo|ressdist)|t(asycodec|endedman)|e-2009-ok)|kapharmacy)|y(fyculpefvz|mct-aaqada|ou(goodheer|likehere|ng-angel|r(analsex|regards|teamdoc|barrier)|tube-see)|lnytttckyc)|1(webservice|01freehost|-renus2008)|k(o(nsekiauto|ddavinchi)|illspy-adv)|n(e(t-nucleus|w(meetning|techwork|smozilla|hyipsite))|o(wherepage|virusonpc)|a(noantivir|ranjasdor)|i(kolaevere|cevideo(44|15))|ua20090515)|o(nline-scan|ftendollar|m(gfreehost|egasearch)|urlinklist|dile-marco|r(egomisore|der-forms)|calabounce)|r(a(ngersales|temyblog1)|yhakoputko|us0396kuku|e(vohosting|port(radio|ing32)|move-a360|aderszone)|rdcfoouyhm|xpromotion|otateonads)|u(pdate(s-all|mics1)|niqueadult|bxxtnzdbij|ekmqqedtfm|ltra-extra)|j(iayimarket|aviercubel)|q(werty(pages|-soft)|iuyipin668)|50label-map|87976online|7657control|9845account)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631547; rev:9;) # sid 2631548 includes 559 (0 - 559) 12 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.com)"; 
content:"|0c|";content:"|03|com|00|";nocase;within: 15;pcre: "/(4(w-wrestling|04(dnserrors|errortool)|gameranking)|i(e(s(afetyli(ne|st)|ecurepage)|defender-x|-antivirus)|b(lockpopups|anking-net)|n(et-traffic|dafuckfuck|f(o-records|idelirium)|stallscash)|quicksearch|ascannerpro|s(afeantivir|pspartners)|ma(ageshaack|ge(chicken|empires))|-love-porno)|m(a(lware(alarm|-s(can|afe)|wiped|crush)|in(feedhere|-scanner|15052009)|nagedns404|kemesearch|zdacarclub|successguy)|o(onstarfood|viezdirect|retraffcom)|y(n(aagencies|udedirect|ewhostinc)|-(nude-girl|tube-zone)|freespace3|s(uperviser|oft-forum|idesearch)|best-adult)|c(afee(bundle|-suite)|donaldsuck)|e(di(casntred|am(swares|ovware))|ntirasdatv|talmorning|mbersphoto|rcadolibro)|p(gassistant|egstandard)|i(cro(billsys|-av2009)|nnesparere)|usiconelove|s-asreport1)|w(i(n(antivirus|x(defender|pspeedup)|spykiller|fixmaster|pc(docteur|rens(are|ere))|-defender)|rusushuryo)|e(rdagoniotu|tsoftwares|bsecurebar)|m(va(ppliance|ssistant)|adirection|pappliance)|o(winterfcae|r(ld(vedrcoo|news(dot|eye)|gymperu)|k(homegold|lifedata)))|a(ytoprotect|pdailynews|tcher-scan)|udiliuliang|holoveguide|bh-provider|conlinenrue)|g(u(ard(-center|lab2009|dog2009)|rru-turru(1|2))|e(t(lawonline|this4free|avideonow|clocksync|-acnefree)|rtrudo8ddd)|ra(n(d-sale-4|adapadel)|yreseller)|t-mp3portal|o(ld(en(-corps|survey)|gertdsdf)|nelovelife|-your-scan|ogl(-status|eactive))|i(ftsforzips|tchigaming))|f(i(le(s-secure|uploader)|ndmorepill)|r(ee(moviepro|december|colorsms|servesms|warehome)|iends(teerr|links)|ankiezfunz)|e(thard-best|dnewsworld)|jernervirus|bceeefbdede|lwassistant|ast(pyroscan|erupdate|spycheck)|wlprocedure)|l(a(bmicrosoft|dyxxxworld|va-antispy)|skdfjlerjvm|i(ttlesoring|kethisone1|nksyoulike)|o(velifecash|piures3713|okvideonew|se-control))|s(o(ft(webvideo|homepage|layerdll|update09|-traffic|sellfast)|menudefuck)|ys(procedure|temhoover|guard2009)|e(l(fsearchro|lbuytraff)|jour-crete|r(vice-porn|tuddh33jf)|arch(-(angle|daily)|mantis|usanet|ingall)|cure(
addons|pcnaki|harley|click1|-(ebank|ibank))|x(hotcodec1|tube20008))|u(itedhealth|per(anonimo|-figura|paylink)|rf-scanner)|af(e(-install|projects|surf2006|homesite|youthnet)|udaijoubu)|c(hijfredder|an(andclea(n|r)|ner-(tool|prot)))|p(eichertool|y(axeupdate|defenders|-(partners|shredder)|wareguard)|hericalart)|t(ocklownews|a(bleclicks|txservice))|iteresults1|-avirus2009|hock--world)|1(00(pantyhose|0pornvids|girlsporn)|80solutions|secure-test|-(antspy2008|myspyguard))|a(boutclicker|n(ti(sp(y(check|guard|stor(m|e)|links)|ionage|amgold)|evidence|vir(us(-ib|777|dwl)|al(pro|rep)|-soft)|wurm2008|nameserv|a(menazas|warepro)|terroris|-glam0ur)|im(epornmag|alsextoy)|onimutente|y(dnserrors|kindclips)|vi-scanner|dromeda-av|al(iticstat|rapesite))|d(d(iction561|linkworld|antivirus)|hokuspokus|ult(adscash|chatgay|dvdlist|finderc|-(incest|line-x)|popular|webfind|18codec)|w(orldmedia|are(deluxe|patrol|safety|-clean)))|t(t(ockonline|emptright)|inlovesite|lanticbody)|aqada-ueorn|l(l(cummovies|dataworld|toitworld|metalnews|-exe-here)|te6yacvjac|izafashion)|m(ediasource|istypedurl)|p(rotectinfo|idefault57|lusmatting)|retheymales|s(afe(browser|t(oolbar|y(liner|value)))|e(cur(e(paper|value)|itybar)|a(rchflame|chengine))|oftwarepro|t(alaprofit|rumavrpro))|utomapostos|v(i(direction|execution)|p(aymentpro|roinstall)|scanonline)|iongamemeca|-searchbest)|e(rror(s(weeper|review)|browser|fighter|allhere)|asy(fastfind|midnight|sprinter|cash2all)|bonysexland|c(hterschutz|oartmuseum)|-goldstores|sbaloncesto|u(forextrade|ro(adultsex|gayvideo|clubinfo))|v(erydaygays|il-fucking)|x(tr(a(-ticket|billing|antivir)|ime-list)|lporernews|efileshere|pert-mails)|dcomparison|pisodemetal)|p(a(rentscards|sdesfautes|yvirusmelt)|o(landdreams|rn(-(popular|matures)|magbucks|s(itefarm|lutfuck)|tubesite|wizardry|o(18codec|tube912))|intedclips|ker24seven)|c(boosterpro|ohnespuren)|r(i(vacy(waker|-care)|mosmsfree)|estotuneup)|h(ilsdomains|arm(acy-eur|-on-net))|sbill-query|wrantivirus|i(cturesbase|ngpinghost)|u(bdomainstr|c
kettphoto)|estguardian|nm-software)|qu(inquecahue|alitaetips)|r(e(mov(al-tool|e-av360)|gantivirus|diropencom|ading-ease)|iparasubito|dzmtzbvsfby|a(pidantivir|ymonddelon)|unpcscannow)|c(ustomsubmit|e(roamenazas|lebsnofake|ntral-scan)|o(mputervagt|n(exaostore|t(actporno|rol(adult|porno|-sexy)))|dec(reviews|upgrade|adult18))|r(uise-adult|iticalcool)|mjmachining|a(s(h-babules|ino7films)|ntlosedata|vle-online|meronzfunz)|inselliknet|lassmatesus|herishpoems|yberwatches)|j(ieneesterns|orgelopezdj|apanhostnet|enesaisrien)|6starreviews|b(a(n(kfeatures|ner-count)|kasoftware)|e(ginner2009|st(bookblog|yearcard|goodnews|l(ove(long|help)|ifeblog)|ha(ndycap|rdporn)|-xmovies|avkeeper))|u(ymazdacars|mbiz543112)|itcoreguard|lackpornmix)|d(a(ily(pornmag|dotnews)|rksidebros)|deeffgghhii|ir(ect(gold4u|itfast)|ty(xxxvids|sellers))|nserror(tool|view|name)|o(ctorpc2008|tdailynews|-(powerscan|step-scan)|power-scan|wn(load(s777|-fls)|softkeys))|r(eam32works|ivemyclick|amaserials)|ult-porn-4u|vdvideosoft|e(fender2009|lshikandco|c-software)|fdsfdsfcdsc)|h(istorialout|o(t(bevakning|2008codec|linkfiles|testfiles|-exe-area)|me(siteurls|pageroze)|stindianet)|a(zardsource|ppycoinbox|rboroflove)|q-pharmacy(1|2))|k(hairulanuar|urinkonseki|ingpaylasim|e(epupsecure|nedydirect)|9instructor|oha0kohaweb|athichesnut|scengineers)|n(ational-bbb|iche-planet|e(w(sworldnow|wmpupdate|jetdevice|-exe-area)|tisecurity|sco-online)|o(wantivirus|compromaat)|uovosmsclub)|t(akahashisrv|r(y(gpcbruger|outietool)|aff-direct|ucount300(0|1|2))|o(olbarusage|p(virusscan|-resource)|taltorture|chtonenado)|mptmpservvv|he(stars2008|worldpool|blueyydns)|d(svassarium|ngroupsltd)|ube(z-boobez|-2009-on|s-portal))|u(p(load2world|orntube-07|date-flash)|shealthmart|-tube-verse|n(i-tube-911|eekhosting))|v(i(rus(urimuva|freedom|resplab|-doctor|meltpro)|d(zs(elector|olution)|eo(pupdete|fx4you1)))|ombanetwork|erynicebank|-codec-2008|m-codec2008|assariumbig|undofixtool|s-codec-pro)|o(fficedepott|p(aadownload|en21012009|hyemaweito)|r(itrsunwar
t|ldlovelife)|wndocuments|mega-search|nline(detect|scanxp))|y(ou(pornztube|r(d(ecember|atabank)|yearcard|mazdacar|p(harmweb|cshield)))|uaccounting)|z(hizhuwang01|uoyouweinan)|556677889900|365zhaosheng|x(p(yburnerpro|-police-(av|09))|xxporn-tube|tube-xmovie|virusdescan|movies-host)|82siddefault)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631548; rev:9;) # sid 2631549 includes 575 (0 - 575) 13 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.com)"; content:"|0d|";content:"|03|com|00|";nocase;within: 16;pcre: "/(i(e(pro(tect(ions|page)|gramming)|se(cur(itybar|epages)|rvicegate)|dnsallerror|xplorerclue|tool(supdate|express|machine))|bank-halifax|web-commerce|mage(rydomain|soffline)|a-scanner(-pc|pro)|lookgoodpale|n(formtoolbar|terinetskim|etantivirus)|safeantvirus)|v(i(rus(b(ursters|estscan)|scansite|isolator|-trigger|alarmpro)|ew(mpgdevice|erarchive)|deo(external|tubezone|wincodec|porntrue))|ermont-trust|mfastscanner)|w(i(n(-antivirus|errorfixer|reanimator|pckontroll|s(pycontrol|ecuritydl|yscleaner)|doptimizer)|ldgad-poker)|orld(softnews|lovelife)|-w-w-dot-com|h(o(isknowlove|lovedirect)|yisdnserror)|eb(-checkout1|s(afenotice|martcheck)|widesecure)|mpinstrument|ww(-avasthome|safetyread))|e(za1netsearch|asy(bestdeals|-midnight|worldnews)|b(ony(adultsex|bangmovs|-pornmag)|anknetworks)|dailywinners|ffaceurvirus|ntertain(list|site|tool)|rcoinsurance|ver(yoneguide|ifforsale)|x(e(softportal|-file-boom)|tr(emetube09|antivirus))|mailsupports|ccellentesms)|d(r(-protection|antispyware|i(lledasians|vemedirect))|o(uga-tengoku|llar(s-green|revenue)|wnload(-base|s-123|ingxl)|-power-scan|tworldgroup)|i(gi(tal-porno|wexonline)|mdediagroup|ocleanerpro|sksizesaver)|mn-financial|n(serroralert|k-softwares)|a(ta(center001|infoplace)|ilyhomesite|mnedspyware|rksidespeed)|e(scribeenter|fender-(scan|2009)|positcredit|molocationx|btbgonesite)|sredirection|droomaba
rtcc|unyadabiryer)|x(vsenterprise|xx(girlsgirls|-tube-2009)|iqingwedding|tubes-online)|n(atural-amber|e(w(bieadguide|funnyvideo|sforusacnn)|gativebeats)|o(thingdomain|-as-scanner|rthpole2000)|umberingcite)|s(oft(s(pydelete|uppliers)|-archives|waretitle)|py(ware(quake2|zapper|alaram|-(help(1|2|3|4|5)|wiper)|locker|isopro|deluxe)|-destroyer|preventers)|t(a(rpapertube|bleclickz1)|jude-rawang)|c(iencesecure|hijfbewaker|an(stability|dalmature|ner-wiz-1))|w(iifatecihno|f(instrument|compressor)|e(athomepage|etblondies))|a(yonarabaggu|fe(tye(achday|xamine)|shortcuts|pccleaner)|vem(oneyshop|ypcnowv1)|de-ecrivain)|e(c(retoseguro|ur(e(invites|cleaner|pc(clean|guard)|web(info|news)|surface|xdetect)|itypills))|funahimitsu|nzadoppioni|a(rch(erparty|-expand|wonders|inggate|thruweb|mysites|rizotto)|mastersoft)|x(codecstars|18tube2008|ho(tcodec(09|1(1|2)|90)|rnyparty)|-tube20008|yescortdal)|lectedclipz|rveronlines|tup(rupdates|player10))|i(kkerbrukere|sutemuantei|bercar-card|mplefreedns)|ys(sauvegarde|temtrigger|av-storage)|h(areownfiles|elovehimtoo|redder-scan|o(pmoneyback|rtlinkings))|u(per(sharebox|yearcard|partycab|futurbiz)|nnyporntube)|fwinstrument|dfv-programs|msconnectnow)|u(havepostcard|n(idadessanas|delete-plus)|s(ps-mailcorp|banknetwork)|p(date-direct|orntube2009|loadantispy))|a(c(tivexupdate|akemegood24)|n(t(i(spy(s(hield|pider|oft4u)|knight|alerts|ware(xp|dl|up)|expert)|v(ir(us(00(0(3|4|5|6|7)|15)|cash|-cs(1|4|5|8)|nano)|alprep|online|system)|guardian)|-(spyware(4|8)|virus-xp))|ovirus-pro)|chiwamu2008|imal-palace)|aakemegood24|bakemegood24|d(trafficserv|ult(asperger|blogster|-co(ntrol|dec08))|waredollars|akemegood24|-eliminator|removergold|obeflash107|vancesoftpc)|g(ooddaytoday|akemegood24)|ho(mep(csafety|agepark)|rrememoria)|l(faantivirus|l(oversafety|secure(info|news)|collisions|musicsshop|tubesplace)|tawebgl-500|ertsafenews|ibaster-lab)|mediaproject|s(afety(always|office)|e(cur(eportal|ity(desk|here|view))|archreview)|sjustfucked|fadaptation)|u(cunserreurs|diencerigh
t|straliabody)|v(i(adaptation|instrument)|ailablebody)|xvideoplugin|k(tivoreonmas|mainsystech)|eakemegood24|fakemegood24|jakemegood24|rsofcaribion|ttentionbody|1hearing-aid)|b(e(st(dailyvids|webleader|lovelyric|valuenews|f(unnyvids|iresfull)|adulttube|-scan-pro|mirabella|buysystem)|namor-group|autyscreens)|orresuspasos|makemegood24|phostdomains|r(o(wseroption|oksxvideos)|itneyshaved)|ig(codecadult|-tube-list)|l(ue(homepages|-cardinal)|ogger-gamer)|a(yhousehotel|stvirusscan))|f(i(l(terprogram|eprotector)|ncaschicote|onaenvirons)|r(ee(-(porn-art|viruscan)|s(e(archway|xeurope)|msorange)|homepages|doconline|wareseach|forscanpc|ofviruspc)|g-softwares)|a(xmonitoring|cial-splash|st(mp3player|shortcuts|-exe-load))|l(winstrument|yappraisals)|u(nloveonline|turemedshop|ck-me-pumps))|l(oveyoushipin|i(wenqianggtt|nkworldnews)|a(tin(teencash|lovesite)|st(chronicle|-sex-(news|tube)))|emmydislikes|uxvirus-scan)|m(a(lware(alarms|-(alarm|crush)|schutz)|in-(porn-hub|exe-home)|rlene-jones|steranalyse)|vvproduction|y(nudenetwork|pspdownload)|e(nace(fighter|monitor)|gatradetds0|rcurylabels)|p3files4free|i(cro(soft(msns|2010)|-av-2009)|rabella(club|news))|o(vieexternal|yapodruzhka|re(access4me|newsforch)|bilecontact|untainready|ltbedesigns)|gconstrucoes|s(antivirusxp|ncoreupdate))|t(h(e(technorati|gogosearch|hotcodec(21|gt|hq|lk|rt|xx|zz|12|99)|lo(veparade|catelost)|baracksite|mazdaspeed|adsensekid)|anksforscan)|o(p(fivesearch|s(afetysoft|oftupdate)|promooffer|-portalnet)|d(osjuntosrb|aybestscan)|taltrygghet|u(rviaeurope|quetventes))|r(ysearchhere|aff(checking|icstatic)|ue(pornvideo|safetyweb))|ube(universes|-(more-sex|xxx-work|storages))|errorismfree|mr-unlimited)|g(lobal(-(finder|advers)|toolbar)|o(cybersearch|o(dnewsgames|g-analysis)|ld(-software|fixonline))|et(r(esultnoew|idspyware)|-(softwares|mega-tube))|re(etingguide|at(salestax|lakesdry)))|ziyoulonglive|2(sexualwizard|008adult2008|4-7-gambling)|3xclipsonline|4(monsterdeals|04dnswebsite)|c(a(ndy-country|shtransferz)|h(ickenkiller|e
(apdecember|ri(shletter|e-boheme)|mist-medic))|l(ubsexygirls|i(psmachines|ckchecker6)|othingright|s-softwares)|o(n(fident(surf|user)|t(act-porno|enteraser|rol-porno))|decs(ervice(1|6)|factory)|olwebsearch|reguard2009|unteringate|pianetworks)|uteasianbabe|ialis-prezzo)|p(a(sdesmenaces|rticepation|zmogutionsa|tlatbiforum|ul-schoenle)|r(iva(cyredder|t(etube08|isworld))|o(filemspace|tect(alerts|notice)|ductsnames))|h(arma(rcworld|cyeshop)|oto(uplodaer|galleryy|blogsite))|o(rn(newsdaily|o(-private|xxxmovie)|timeguide)|p(ular-adult|adprovider|protection)|we(lldirects|rful-tube))|ur(chase-anti|e-exe-area)|ictures-base|e(s(tprotector|kostruikaz)|ter-strauch)|c(securetools|antimalware))|r(e(p(ar(aerrores|emenaces)|ocarfinder)|gistry(great|debug|fixup)|leasedvideo|dro-stonean)|iparaminacce|apid-antivir|nd-softwares|o(l-programms|uletterosie))|h(o(t(videostube|codecstars)|mepage(today|onweb|reset)|wtosecurepc)|ybridtraffic|u(ntdetective|bportalzone)|ardwarepcnet)|k(wsearchguide|alitebelgesi|srisegersubs|em-softwares|or-programms)|o(n(l(ine(-dvdrip|scanxpp)|yhotvideos)|enewtoolbar)|therhomepage|bservesecure|s(petroglifos|-protection))|you(mailonline|ng-peaches|pornzztube|r(greatlove|securedpc|tubeworld))|j(ohndrobinson|gkdofjggkjlh|etexestorage|ustimportant)|queenshussars|1(8x-adult2008|-(spguard2008|webspyguard)))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631549; rev:9;) # sid 2631550 includes 478 (0 - 478) 14 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.com)"; content:"|0e|";content:"|03|com|00|";nocase;within: 17;pcre: 
"/(a(l(l(protections|s(ecure(pages|tools)|tarsvideos|-tube-here)|trafficsite|windowssoft)|e(x-galleries|rtnewsblock)|mostgayvideo)|c(cessgenerate|tive-scanner)|n(t(i(spy(premium|2008pro|checker|w(erepro|are999))|vir(protect|us(xp-08|proxp|-(buy1|cs1(4|5))|wista))|-(spyware11|vir-toolz))|virushelpv1)|gantivirus09)|rchivepornxxx|s(afe(guardinfo|ty(product|warning))|e(cur(ityclick|evillage)|archservice))|ucuninfection|d(ult-s-portal|v(ertisercash|iceswarning|nameservers)|wareplatinum|dedantivirus)|globaltoolbar|v-solutioncom|bigailkathryn)|i(esecuritytool|ndustryexpect|hatemondayand|a-(install-pro|scanner-pro|payment-pro)|mages(-library|copyleft)|safeantivirus|-av-sscan2009)|w(i(n(updatesserv|d(ows(defends|afesurf|updatas|logonex)|firesearch)|-x-defender)|rusufinisshu)|ay(totheprofit|sofsecurity)|ww(-(microsofts|onlinedown)|mobilereads|safeexamine)|or(ld(stars2008|tracknews)|kcaredirect)|sp2008scanner|henudownloads|eb(s(ecurecheck|portscheck)|porksecured|chemistsweb))|h(a(ppy(cards2008|2008toyou)|rddriveguard|cker-bolivia)|e(llo(santa2008|friendsdi)|artofthesoul)|o(t(-(daily-pics|porn-(xtube|tubes))|pornotube08|elmontblanc|adulttube08|200818codec|codecadultz)|me(cashcredit|securesite)|wtoiexplorer)|dtv-onlinerip|q(viewworldmy1|onlinemovies))|t(h(isfreemovies|e(bigstars-08|imagesphoto)|ankyou4check)|irateuncentro|o(p(-p(c-scanner|orn-tubes)|securityapp)|tal-defender)|echsearchsite|ube-4you-best|agged-gallery|r(uepornupload|affmarketing))|b(ackdoor-guard|l(acktiehsbdcs|o(gsitedirect|og-aranking))|b(aakemegood24|bakemegood24|cakemegood24|dakemegood24|eakemegood24)|e(st(b(ettingsky|aracksite|logdirect|illingpro)|-(soft-maxi|tube-home)|lettercard|fatgallery|gaygallery|infosearch|couponfree|webexamine)|a(utypornpost|dworkdirect))|reakingnewsfm|uffalogoesout)|f(r(e(e(ezinebucks|codesource)|shcards2008)|onthomepagez)|ejlreparering|i(rstaidclicks|ndxproportal)|unwebproducts|loadnewplayer|a(cebook-top10|ncystarlight))|g(o(ldwindos2000|-advertising|o(gl(e(-(analyze|reseach)|adser
ver)|-analisys)|dnewsreview))|e(heugenredder|t(adultaccess|dailyvideos|weathercast|-frsh-files))|p-eurocapital|ubbishremover|mail-security|00gle(-analyze|adserver)|a(meproadvance|zconsultancy)|reat(mazdacars|virusscan)|lk-softportal)|ne(w(scorpalerts|resultshere|oneplayersl)|rashtionline|tspywarescan|xtfreedollar)|p(o(stcards-2008|lsenstanford|rn(kingmovies|mov(ieshell|sonline)|ot(humbgals|ube20008)|filmdirect|exearchive|-tube(-host|s-hub)))|erfect(choice1|-banner)|c(-(antispyware|on-internet|cleaner2009)|antiviruspro|healthkeeper|libredevirus|virussweeper|defender2008)|r(eservingtool|ivacy(warrior|outpost)|o(fessiionals|tectioncase|ducemorning))|sbill-support|lutoantivirus|harmacy-earth|antispyware09)|s(i(sperformance|ttinghereona|m-softportal)|e(arch(explorer|-(4-pills|and-win|for-use)|mandrake|virtuoso|quick(one|two))|c(retosasalvo|ur(e(guidance|in(struct|fotool)|lifetime|managing|alertbar)|ity(iepage|advizr)))|x(tube(codec(93|55|67|01|31)|18adult)|i(18tube2008|codecstars)|-tube-20008|lookupworld|ycodecadult)|ssionnewid83|kurpaslanmaz)|kitodayplease|c(rappysonline|desktopicons|an(labsonline|safeonline|worldguide|erdownload|baseonline|al(ertspage|lviruses)))|a(fe(ty(d(efender|ownload)|homepage|includes|s(ettings|cansite)|u(ptodate|tilitys)|webspace)|nsecurebar)|-vir2009-buy)|p(y(defenderpro|-eliminator|ware(i(so2008|nvader)|out2009)|protect2009)|-protect2009|wprotect2009)|t(ream(xxxvideo|hotvideo)|a(t(enewsworld|usinfotech)|rt(dedicated|edwebsite)|bility(audit|tools))|opadvaresoft)|martnewsradio|uper(lovelyric|futurebiz|imagesart|-tube-all)|oft(-and-codec|warestrike)|-avir2009-buy|ys(netsecurity|av-download|-protection)|howpromooffer)|d(e(stroythemoon|fensecelebre|uscleanerpay|tectivehound)|i(gitalroute69|sksaeuberung|zainostudija|rect-revenue)|o(freepornvids|ubledefender|wn(load(spaces|exenow)|townpolice)|browsesecure|-monsterscan|m(onster-scan|ain(ameshome|worksite)))|psrecruitment|rive(rsecurise|s-cleaner)|atabase-virus)|u(n(bestersmaven|i(nstall-free|qtrustedw
eb)|dergroundseo)|tilisateursur|p(todatekeeper|loadeservers)|s-bankconnect)|c(o(linsfreehost|dec(-(portal08|networks)|reviews21|ouponsite)|n(nect-secure|trolcentrch)|mputerscanv1|reygoldfeder)|yber(homeshows|tvpartner)|l(assicmediapl|ea(ner2009pro|r-politics)|icksoverview)|um-on-virgins|h(china-jinpin|atloveonline|i(n(esedoublec|amobilesms)|ttoorpalace)|emist(s(-medic|medico)|manager)))|e(creditsecrets|gold-roulette|l(iteprotector|mejorcuidado)|nt(ertaintoday|iremedianet)|r(otica(bsolute|gateway)|r(eurchasseur|orprotector))|scrow-members|uros(tockpicks|ystemspay)|x(imiousinvest|tracoolfiles)|zdialeronline|asy(findsystem|webexamine|petcarrier)|-(antiviruspro|banknetworks)|qrocksthemall)|k(a(kujitsutsuru|ujebrtggatgc)|hnqfkv-vqnwrn|orkdevelopers|ir-fileplanet)|m(a(rketinaflash|lwar(emonitor|rior2008)|zdaspeedzone|nagesystem32)|e(nacescrubber|ga(-soft-2008|soft-codec)|etstripvideo)|o(vperformance|renewsonline|m(oelectronic|s-in-office))|p(3downloading|egadaptation)|y(nameisseller|-(fuck-movies|exe-profile))|ulti-defender|santivirus-xp|immomastermix|xviewworldmy(1|2))|r(e(questedlinks|gistry-great|namehomepage|t(urnhomepage|roxporntube)|directclicks|alinnovation|portsystem32)|2d2adverising|apidantivir(us|09))|z(entaiwakuchin|uoyoukongjian|sgszzzszggzzs|one-searching)|v(i(pantis(pyware|canner)|rus(-(isolator|labs2009|response|triggers|analysis)|fighter4u|infocheck|topshield)|deo2008codec|acodecright1|ewvideopatch)|eryhodownload|a(ssariumpromo|lusearch2004))|l(abels-systems|e(-guide-photo|opardsclicks|vitra-4-sale)|i(teraryaccess|censingvideo|n(k(fordesktop|sondesktop)|skondesktop))|o(llypopycandy|ve(isknowlege|kingonline|markonline|lifeportal)|ngballonline))|2(00(8adults2008|9happytubes)|antivirus2008)|1(clickspyclean|s(pywarekiller|ecurebanking|twebsitehost)|-antispystore)|you(r(l(oveletter|ettercard)|onlinelove|valueready|webexamine|-antivirus|medicstore)|porn-online)|3antivirus2008|5antivirus2008|6antivirus2008|8antivirus2008|x(p(ertantivirus|-p(rotect(soft|ions)|olic
e-2009)|2008-protect|antiviruspro)|tubes-xmovies)|o(nl(yiesettings|inescanxppp)|ll11iz0oil-ol|ff(er-provider|icial-emule)|gggooogoggoog|urlittleducky)|quicks(earchnet|tatistic)|9aga999a9gg99a)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631550; rev:9;) # sid 2631551 includes 445 (0 - 445) 15 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.com)"; content:"|0f|";content:"|03|com|00|";nocase;within: 18;pcre: "/(a(d(vanced(cleaner|xpfixer|scanner)|ult(18tube2008|-(codec2008|youtube-8)|videos4all|codec(-2008|stars))|ware(-download|commander)|ipex-for-sale)|b(cdperformance|etterinternet|beynational(29|52|76|93))|n(ti(sp(y(ware(boss|post)|response|advanced)|ionagepro|ambastion)|espi(adorado|onspack)|gusanos2008|virus(f(iable|orall)|g(enial|olden)|xp(200(8|9)|-pro)|2008xp|-(help(1|2|3|4|5|6|7|8|9)|alert|pppro))|trojan-2008|malware2009|wareprotect|-payed-porn)|chisupaisutsu|ytoplikedsite|g-antivirus09)|c(eleradorlisto|tivitycleaner)|l(l(p(ornhardcore|rivatelinks)|s(ecuritypage|urveillance)|-(teen-dreams|videos-home)|virusscannow|russianstrip)|fouzantrading)|protect(service|ionhelp)|s(afetyhomepage|i(ansexybikini|uoqgusdbaksd)|martershopper)|toolbarservice|wesomehomepage|morcardamizade|uto(sellergroup|performspec)|resdownloadnow|v-plus-support|1-adipex-4sale)|i(esafetywarning|n(stantsafepage|ternetexamine)|a-free-scanner|banking-secure|safe(-antivirus|rantivirus)|t(unes-vouchers|aliavideoclip))|v(i(rus(protectpro|webprotect)|v(ofot0torpedo|a-delpinata2)|deo-sensation|stamicrozsoft)|adesujadesikas|russtatuscheck|eterinarytoday)|w(eb(s(ecurity(page|read)|cannertools)|experience13|widesecurity)|or(1dofwarcraft|ld(webupdates|news-video))|in(quickupdates|d(ifesavirale|ow(-defender|s-(scanner|defense))|efender2009)|xp-antivirus|-(x-defenders|pc-defender))|asponlinemedia)|ne(w(year(withlove|cardfree)|contents2008|lifeyearsite|-york-images|santimalware
)|t(mp3downloads|s(pyprotector|ecuritytech)))|f(i(nd(whatevernow|onlineworld|zproportal1)|les(-upload-21|portalhere)|rst-antivirus)|a(c(king-glamour|ebook-online)|st(-av-pc-scan|antivirus09))|r(ee(-(porntube-8|microsofts|webscaners)|pornclips2u|celebsvideo)|ankietomattos)|orbidden-clips|u(ckmaturewhore|ture(-pictures|selfdeeds))|edwirenetworks)|h(a(ppysantacards|rdmoviesporno)|o(t(-(pornotube08|tubecodec20|adulttube08)|codecadult(g(h|s)|56|-d)|stars2008-17|18-codec2008|2008-18codec)|mepagerestart)|e(x-programmers|ad-concussion))|s(a(ntawishes2008|fe(instuctions|ty(alertings|scanguide)|surfingpage|websecurity))|pyw(are(isolator|-fighter)|protect2009)|ystem(-defender|guard2009|scanner19|virusscan)|e(c(retopertutti|ur(ity(feature|widgets)|e(shortcuts|-(ebanking|ibanking)|topshield)))|arch(bestguide|-(c(armania|radlers)|dracaena|entrepot|f(or-item|ugleman)|halakoth|imblazed|ochering|p(e(rlitic|terloo)|rostoon|uddlers)|t(e(chnist|iglech)|he-(best|prey))|lasslorn)|operation)|x(-18tube-2008|ysoftwaredom)|lectedtoolbar|kasanehvataet)|i(cherheitstool|kkerpcredskap)|u(bplot-poussie|perlettercard)|t(o(pbadware2008|ckshopimages)|abilityonline)|c(reenshortcuts|an(onlinefreee|ner-(work-av|av-fast)))|0ftvvareportal|martsalesgroup|gh-topprograms|hopping-pharma|oftnewsblogcom)|c(r(eatonprojects|ack-the-place)|a(r(teirovirtual|olina-clicks)|llmepleasecom)|on(ducteurprive|cours-accesd|nectserverup)|elebritiesvidz|l(assicplupdate|ickandgetfile|ean(downloaded|controller))|hinesefreewebs)|e(x(plorethepearl|e(-soft-portal|archstortage)|trememadhouse)|inaprivadesapc|n(hanceyourbust|miendaerrores|ergydownloadr|joyspringtime)|quipoantiespia|ryx-investment|s(sentialeraser|netscanonline|ecure-federal)|urotwinkmovies|asyvideoaccess|bayauctiondata|lgallitoingles)|g(anarpastafacil|e(t(secur(eaccess|itywall)|defender2009|totalsec2008)|nsoftdownload)|oo(g(le(botdirect|-analy(sis|tae))|ol-analisys)|d(meetingsoon|newsdigital)|oogleadsence)|uerrero-tuning|lo(bal(websearch|stube2009)|ck-softwares)|reat
(obamaguide|couponclub|s(alesgroup|valentine))|t-websoftcodec)|k(e(ntuckianfuker|yworddelivery)|o(ntentsufiruta|l-(development|programmers))|litegeneration)|l(o(vesi(nchesadds|tlongerst)|okportableftp)|a(ufwerkcleaner|st-porno-news)|i(ve(antispy-adv|s(oftsupport|topbadware))|nkprivatedocs)|ead-protection)|1(8-flesh-online|000funnyvideos|securitycenter|quickpcscanner)|360-share-music|6(9freegalleries|stardvdrentals)|b(p(arfectchoice1|brfectchoice1|crfectchoice1|drfectchoice1|erfectchoice1|frfectchoice1)|r(ossedesfautes|eakingnewsltd)|andofbranleurs|e(st(s(oft-ware08|canner-pro)|canadianmed|locatehomes|obamadirect|mazdadealer|britneypics)|autywithbeads)|onuspromooffer|logaboutonline)|d(arkrootkillers|e(bellaworm2008|fen(s(ed(edriver|udisque)|ivesystem)|der-review)|jitarufukugen|luxeprotector)|i(gitalerschutz|r(tygirlsworld|ectrevisions)|scountfreesms)|o(lcevita-mails|wn(load(mediaax|centrer|2009exe|-pro-as|freesms)|oalsdcenter|-softportal)|-managed-scan|ctor(sforchild|adwarepro))|rug(dealerforum|store24meds)|ma-businessclt)|o(nline(-traffeng|xpscanner|s(cannerxp|ervclass))|ldpostcardshop)|p(r(o(tectionconue|internetscan)|iva(cy-(watcher|scanner)|tetube2009)|e(vedmarketing|mium(livescan|-pc-scan)))|uraibashihosho|h(armcydirctory|urious-george)|orn(videosteens|o(-tube20008|tube-20008|codec-2008)|-hub-online)|ersonalantispy|c(totaldefender|cleansolution)|a(ntispyware09a|y-virusdoctor))|r(iservatezzanet|apid-antivirus|e(gistryadvance|v(erse(dnscheck|ipsearch)|istamollendo)|sidencehunter)|omanticsloving)|t(h(e(lastdefender|bigstars2008|mostrateblog|stabilityweb|-crack-place|noble-locker|craziestidea)|reatpcscanner)|o(p(ingatlaninfo|greetingsite|bannersystem|security4you|-downloadnet)|talvirushield)|r(ue(safetyrules|virusshield)|i-visionhomes)|ube(scollection|-(xxx-tv2009|collection))|exasimages2009|ntbreakingnews|iger-protector)|x(p(antivirus(2008|site)|onlinescanner|-(protect-2008|registration))|xxstreamonline|tube(-downloads|s-hot-porn)|moviedownloads)|m(i(cro(soft-files
|-antiv2009)|rabella(motors|online))|u(sicportalfree|ltibrand-shop)|a(k(eloveforever|ingloveworld)|lwarecrashpro|crosoftwarego|ingovermnfer5)|s(as2009storage|-antivir-scan)|y(virusguardian|-(bestpov-tube|cheerful-dns|porn-archive)|best-pov-tube|antivirusplus|fucking-pussy)|obilephotoblog|e(ssenger-msn-9|ga-crack-zone))|2(008(-adult-2008|a(dult-s2008|ntivirusxp))|8sslput-search)|u(s(oftserverbill|a(breakingnews|fastshopping))|rlsofdnserrors|p(datingwindows|timedownloads)|n(iquexsoftware|limitedmarvin))|y(ourbreakingnew|esonamendment3)|jspipesanddrums)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631551; rev:9;) # sid 2631552 includes 365 (0 - 365) 16 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.com)"; content:"|10|";content:"|03|com|00|";nocase;within: 19;pcre: "/(a(l(l(security(links|notes)|diskscheck300)|parslanovayurt)|b(outyourprivacy|solutepatience|ateoforegon-ne)|c(tivexvideopage|quisto-levitra)|dult(-(3d-content|freetube-8|soft-codec)|hot-codec08)|n(ti(virus(forall(a|e)|magique|proshop|xp-2008|2008exp|-(help10|remote|doktor)|website)|malware(guard|-scan)|spy(ware(2008(a|c|y)|sales)|scanner13)|-perspirants)|otherdnserrorz|gantivirus2009|xietymigraines)|rchi(vosenestado|-tube-world)|s(afe(information|typrocedure)|ecurityservice)|v360removaltool|plusworkbenches)|e(rtinmdesachlion|l(evarendimiento|ite-emarketing|mejorantivirus)|n(tertain(for(ever|free)|ingpage)|ergysavecenter)|s(crowservicepro|trel-logistics)|urofinancegroup|xe(fileshere2009|-file-project)|asywinscanner17)|n(e(w(yearcards2008|content-s2008)|t(s(urfageassure|ecurityworks)|toyeurdevirus))|o(chanceforvirus|nstopantivirus)|arcotictramadol)|s(t(orage(protector|guardsoft)|ream(adultvideo|ing-united)|artpagepreview)|e(arch(onlineinfo|-(affabrous|b(est-auto|ovenland)|co(ckboats|stander)|damningly|for-avail|h(ackeymal|edgebote)|insulator|klondiker|microzoon|r(esuspect|oger
site)|s(coptical|poradial)|univocals|wolf-eyed)|findsearch)|c(ur(e(proservice|connect-us|filesshred|-netbanker|dwwwclicks)|ity(brochure|infohere|topagent|scansite|fastscan|uniqscan))|retissimosoft)|x(icodecadult-(s|w)|-tapes-celebs)|tupdatdownload)|c(hijfcontroleur|an(-(onlinefreee|antispy-4pc)|yourpconline))|hisutemudifensu|i(sutemuorugurin|gurd-media-api|dewebvirusscan)|ys(tem(esansfaute|guard2009m)|antivirus2009)|a(fe(applications|tyonlinepage)|jobelectronics)|oft(worldnetwork|-(collections|transaction))|uper(drugtesting|obama(direct|online)|salesonline)|-soft08freeware|py(ware(preventer|commander|guard2009|remover21)|protector-pro|-protect-2009)|martantivirusv2)|c(a(desfinjeriokas|rlosassociacao|nyonshadowlabs)|o(n(t(enidoseguros|r(olantiespia|-softportal))|ceptinvestin(1|2|3))|deccollections|lumnacafenegro|mpleteadplayer)|r(iticalinternet|eatenewsforccn)|bp(crfectchoice1|drfectchoice1|arfectchoice1|brfectchoice1)|elebsvidsonline|l(earcontentsite|i(cking2rewards|entmanagercom|nichomeclinic))|h(ristmasclasses|eapticketslist))|u(p(date(m(ysettings|icrosofts)|s(antivirus|oftserver|erversoft))|grade-pc-softz)|s(uarioprotegido|-securebanking)|niqviruscleaner)|v(ozemiliogaranon|ir(us(bestscanner|-(scanonline|webscanner)|cleaner2008|remover2008|trigger2009)|tualbambiland))|w(i(n(xpperformance|d(owsvistasoft|efender-2009)|systemsupport)|rusushattodaun|fisecurityscan)|e(stminsterakron|bs(ecurityvoice|toresecurity|afetynetwork|oftwarecloud))|orld(ofwarcrokft|postcardart))|1(23step-solution|s(pyware-removal|tchoice-hoists))|4563maturemovies|b(est(valueoemshop|downloadsoft|guardownload|breakingfree|journalguide|webscantools|-(music-sites|texasholdem))|u(lletproofstuff|siness-informs)|reaking(kingnews|goodnews))|d(ark-xxx-factory|e(fen(der-scanner|saantivirus)|jitaru(kyoikira|wakuchin))|i(a(mondsantiques|nnaoqingjieji)|g(enaroantiques|itsdndletters)|rectlinecasino|ssolute-office)|o(minion-finance|tsubscriptions|wnload(filesldr|bigclips|servers7)|-(make-progress|scan-progress
)))|f(e(rramentasegura|d(eralreserveus|reservesystem))|a(ckinginnocents|st(-viruscanner|updateserver|viruscleaner))|re(e(vidshardcore|download2009|chrismassite|hostinternet|webhostguide|-(x(xx-central|tubes-host)|antiviruses|best-movies|web-scaners))|sh-(video-news|xxx-movies))|ilesstorage(2009|4you))|h(ot(-sextubecodec|codecadult-gs)|upersecuritydot)|i(n(f(osecurestatus|ectionscanner)|haltsaeuberung|ternetgameboxx)|eantiavdownload|magesrepository)|o(melhorantivirus|n(rainpurotekuta|line(streamvide|-(xpcleaner|sex-video)|xpsecurity|av-scanner)|eplace-all-exe)|uterinfonetwork)|p(a(nda-anti-virus|sendommagement)|o(rn(-(tube(codec20|-movies|s-world)|hub-xmovies)|maggalleries)|pup(-protection|blockersite))|sbill-help-desk|r(ivacy(conductor|defender(3|4)|scanner15|update447)|o(tectdownloads|dsnameservers|stflashplayer|per-tube-site))|wrantivirus2009|c(privacycleaner|-security-scan)|ictures-library|lusantiviruspro|harmacyforwomen)|r(egistrycleanfix|a(tedcontentsite|pidantivirus09))|t(iskoviny-online|ru(stedantivirus|escansecurity)|u(rnkeyantivirus|bes-xxx-movies)|o(p(less(dailynews|newsradio)|winsystemscan)|tal(-(secure2009|eliminator)|protect2009|virusshield)|daysecuritytop)|he(antivirus(scan|plus)|locatemissing|mirabellahome|cleanersystem|greatsecurity|paymentonline|securitytools|warningcenter)|ypicalprecedent)|you(r(privacyguard|favoritetube|gamblingzone|countycoupon|mazdatribute|valentineday|netascertain|windowsvista)|ng-and-mature|tube-spyvideo|porn-for-free)|g(oo(qle-analytics|gle-anal(i(stic|tucs)|yt(iss|lcs)))|e(ner(alantivirus|ic-tramadol)|tpaymentsystem)|re(etingcardgarb|at(barackguide|obamaonline))|lobalantiterror|isecurityshield)|m(e(hmetciklerimiz|gantivirus2009)|a(lware(patrolpro|crush2008|removebot)|nmoneylistener|kinglovedirect|sterspitetds09|t(tsearchengine|ure-porn-gate))|ysoft-and-codec|s(-anti-vir-scan|scanner-top-av))|x(p(downloadcenter|onlinescanner9|securitycenter|cleaner-online)|-filesstorehere)|2(008(-adult-s2008|x-adult-2008)|2ewrowieu210205)|jab
ezinformatica|k(amikazewargames|ilometrplenkiru|eno-chance-game)|l(ifegreetingcard|oad-pro-antispy)|0texkax7c6hzuidk|zone-celebs-tube)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631552; rev:9;) # sid 2631553 includes 337 (0 - 337) 17 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.com)"; content:"|11|";content:"|03|com|00|";nocase;within: 20;pcre: "/(m(a(lware(destructor|baseupdate)|ximumexperience)|o(nitordeamenazas|ms-and-swingers|vieaboutblogcom)|e(ga(-(games-search|antiviral-ms)|bestsoftnah08|antivirusplus)|eteingchristams)|icro(softtransfer|-antivir2009|antivir-2009)|y(securitysupport|computerscanner)|santi(spyware2009|vir-storage)|usicmoviesnbooks)|d(e(uscleaneronline|fensenetsurfage|tectiveadvanced|cemberchristmas)|i(rectnameservice|gipayments-soft)|ailyxratedimages|o(ctorantispyware|mainedutrapadis|wnload-(all4free|softarch))|r(-protection-adv|ugsonlinesearch))|vi(deomoviesonline|r(us(9-webscanner|-scan-online|re(sponse2009|mover-2008))|triggersupport)|acodecright---1)|0aazzz0x0z0x0z0z0|a(d(vertisementhost|ult(videosportal|streamportal|-tubecodec08)|wareremover2007|dedantiviruspro)|confidenceonline|l(guiennoteadmite|lowedwebsurfing)|n(ti(malwareshield|sp(y(ware(seigyo|master|expert|2008xp)|deluxe2009)|amassistant)|vir(us(f(ueralle|ree2008)|solusjon|-(200(8(pro|-xp)|9pro)|scanner|telemex)|200(8(free|-pro)|9(free|plus))|advanced|pro-2009|checkout)|-4pc-ms-av|protection)|terrornetwork|-malware-2010)|ytimeshopforall|gantivirus-2009|ispy-storage-ms)|p(rotectionwizard|proved-payments)|ging-information|r(chiv(eexefiles09|-tube-world)|ventertainments)|mericangrants-4u|ssociatesexports)|o(nline(s(earch4meds|canservice)|gameblogger|videosoftex)|dysseusmarketing)|r(e(gistry(cleanerxp|assistant)|move(-virus-melt|virusonline))|apidantivirus-09)|s(t(ructured(reading|annuity)|a(rtinstalladobe|bility(traceweb|inetscan))|eamtubesoftware)|a(ns
endommagement|fe(-strip-secure|informservice))|e(arch(-(b(arbascoes|lack-belt)|c(hinawoman|ole-goose|yno(graphy|podous))|for-travel|galactosis|hullabaloo|irrelevant|non-indian|outbleated|p(a(ntechnic|thonomia)|lagiarize)|s(aucerleaf|hepherdly)|t(oothproof|r(aversely|ekometer)|urniplike)|ungladsome)|online-ease)|cur(e(network2000|banking-net|dliveclicks|-data-group)|ity(s(afeguard|canworld)|trustscan|implement))|xy-celeb-photos)|o(ft(worldnetwork2|2008-freeware|vvareportal08)|uptotalsecurity)|py(w(are(-(software(1|2|3|4|5|6|7|8|9)|protector)|isoscanner|quarantine|guard2009m)|rprotect-2009)|-protector-pro|fighterantivir)|uper(greetingcard|christmasday)|y(stem(scanner2009|-cleanerpro)|licomservicious)|0ftvvareportal08|c(hoolswitzerland|an(spywareonline|trustsecurity))|martcardgreeting)|u(rpal43sourpalhuh|tiledereparation)|b(a(stioneantivirus|dware-protector|bes-fuck-online)|i(g(savingpharmacy|codecadult2008|hot18codec2008|imagecatalogue)|tsecuritycenter)|est(-(freeware2008|crystal-tube)|antivirus(2009|scan)|m(aturegallery|ytubeonilne(1|2|3))|christmascard)|lackjackbeauties)|c(o(m(ersetlogistics|prare-propecia)|ntroledemenaces|decvideo2008-18|llectrefund-irs)|r(edits-counselor|acktheplanet-v(2|3))|h(e(apest-pharmacy|ck(updateplayer|er-pc-pro-av))|aepantispyforpc)|learpornurlssite|elebs4you-online)|e(litefinancegroup|asy(consultingltd|plusantivirus)|videnceeraserpro|x(periencetoolbar|trafastdownload)|nemyisraelattack)|h(erramientasegura|o(t(-(pornotube2008|girl-sex-tube)|thecodecadult(q|u|x)|el-centralclub)|mepageprotector)|idef-porn-movies)|i(nt(e(lligence-tech|r(activebrands|net(-defenses|o(ptimizer|therwise)|homecheck)))|3rn3t-d3f3ns3s|alldetrosflash)|eavdownloadstart|lovethatdownload|willseethatvideo|m(age-big-library|pressiontracker)|safeantiviruspro)|knowhowprotection|p(a(ndasecurity2008|sswordinspector|tchvideoplayers|mperingdelights)|cveiligheidstool|r(o(tec(aoconfiavel|t(ion(assuree|examine)|edgoclicks))|-scanner-av-pc|pecia-generico|updatescentral)|ivacyprotect
-cs|e(ttyblondywoman|miumlivescanv1))|harmacy-supplier|er(fect-uninstall|sonal-defender)|ornotubeonline(10|09))|t(ry-anything-else|he(s(oft-portal-08|securitypages)|m(usic-08portal|irabellaguide)|coupondiscount|valentineparty|onlinesecurity)|o(p(antivirus-scan|directdownload)|beschumachercom)|e(styourantivirus|rroralertstatus)|winkthewonderkid|akecarepleasecom)|w(e(llsfargo-usa-uk|stpacsecuresite|b(s(cannerfreever|ecurity(master|bureau|police))|protectionscan|design-lessons))|i(n(spyware(protect|scanner)|dows-scannernv|updates-server)|ld-(online-poker|texas-holdem))|o(rldgreetingcard|menlosingweight))|g(o(og(le-anal(yticks|itiics)|iesindication)|ldsoftwarestore)|re(etingsupersite|atscansecurity)|et(downloadmovies|livefootballtv|playerdownload))|n(e(w(-content(-s2008|x-2008)|content-s2008a|er-pon-hub2009|yearc(lassmates|ardonline)|mediayearguide)|tsecurity(bureau|online))|oadwareantivirus)|you(ng-girls-board|r(p(harmacydepot|lusantivirus)|countrycoupon|-guide-online)|tube-top-video)|f(ast(updateservice|securescanner|-mortgage-4-u)|ree(2008antivirus|antivirus2009|-(mp3-paradise|porn-xmovies)|scratchandwin|christmassite)|irewallprotector|ederalbanksystem|ull-free-xmovies)|2008(antivirusfree|freeantivirus|-xp-antivirus)|x(p(-(2008-antivirus|antivirus-2008|licensingpages)|virusprotection)|movies-downloads|xx-hot-tube-porn)|l(asvegasusacasino|ive(christmas(gift|card)|systemupdates)|ove(centralonline|d-online-tube))|justchristmasgift|3d-softwareportal)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631553; rev:9;) # sid 2631554 includes 264 (0 - 264) 18 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.com)"; content:"|12|";content:"|03|com|00|";nocase;within: 21;pcre: 
"/(0bucksforpornmovie|1(80searchassistant|st-mortgage-leads)|b(e(st(c(umshotgallery|artoongallery)|vistadownloads|a(nti-virusscan|ddedantivirus)|netcheckonline|s(ecurityupdate|tabilityscans))|llevuemultimedia)|an(doalleinfezioni|ners-adsmanager)|ighot18-codec2008|lackchristmascard|usiness-grants4-u)|m(e(rrychristmasdude|ga-search-online)|a(kingmoneynetwork|lwaresdestructor)|i(crosofts-updates|lehighhomefinder)|s(-av-storage-best|scanner-files-av)|yplusantiviruspro)|h(o(st-domain-lookup|t(-pornotube-2008|thecodecadultas|el-wizardcenter))|istorycleaner2009)|s(py(shredderscanner|ware(disinfector|-(software1(0|1|2|3|4|5)|quick-scan)|isodownload|removersite|fighter2009))|e(vendownloadshost|arch(-(ac(idifiable|ronyctous)|homoeogenic|mussinesses|octahedrite|preinserted|retroacting|uncoguidism)|boxavailable|completeness|directonline|thebestworld|yourinternet)|cur(e(softwarelist|fileshredder|dliveuploads)|ity(webupdates|onlines(can|ite)|helpcenter|pcscanner2))|xporntubecodec(14|32|77|98))|tation-appraisals|uperd(iscountpills|riverblogcom)|o(ft(ware-downloadz|portalforfun08|sales-discount)|mefilesportalnow|cialsecurityscan)|can(ner-protection|spywaresonline)|-softwaredownload|ys(antivirus-check|temsecurityline)|wiftsafetyexamine|afeinternettoolv1|lk-softwareportal)|e(a(sy(spywarecleaner|netcheckonline|addedantivirus|removeviruspro)|ntivirus-payment)|currencydiscounts|xtrafilesonlyhere)|t(he(-(spyware-review|programsportal|best-antivirus)|mirabelladirect|valentinelovers|healthisgoldcom)|rusted(paymenssite|websecurity)|ube-4-free-center|oolswebstoragecom|eflonhealthhazard)|a(c(cesskeygenerator|robatdownload-ib)|nti(spyware(-(doctor|xp2009|pro-dl|center|engine)|2008buy|xp-2009)|vir(us(almassimo|paratodos|-(200(8-pro|9-pro)|database|pro-(2008|s(can|ite))|freescan|live-pro)|2008(t-pro|a-pro|o-pro|q-pro|y-pro)|quickscan|xppro2009)|alscanner14)|-(virus-defence|spyware-scann)|malwarescanner|terroralliance)|s(ecurityassurance|-pro-xp-download)|d(ulthot(-codec2008|codec(2(9(0(18|98|08)
|208)|0008|3008)|02008|12008))|vancedxpdefender|wareprofessional)|v-plus-pay-online|1-(mortgage-finder|tramadol-online)|gro-files-archive|llsecurityshields)|c(o(ntrolloreprivacy|mp(anynewsnetwork|uter(onlinescan|jobsportal)))|h(eck(system-online|-ms-antivirus)|ildrenlaughusual|ristmaslightsnow)|a(stsecurityshield|rtsandhandtrucks))|d(efensaantimalware|igenarocollection|o(wnload(itrightnow|f(orupdates|ixandlove)|allsoftnow)|monster-progress))|l(o(mejorenantivirus|okfornewsoftware)|astshanse26032009)|p(a(ndaantivirus2008|yday-cash-direct|ckedownloadvideo)|r(o(tec(cioncompleta|tion(dedriver|purchase|toolbars|updates2))|-(scanner-online|antivirus-scan)|anti(malwarescan|virusscanv(3|2))|downloadmanager)|emiumlivescanner|ivacy-tools-pack)|owerantivirus2009|c-(anti-virus-scan|privacydefender)|uttsoftwareupdate)|u(nistream-shipping|p(date(-microsoftes|s-microsofts|yoursecurity)|todateprotection)|ltraantivirus2009|serpaymntdownload)|w(eb(softcodecdriver|browsersecurity)|o(rld(ofwarcraftvcr|softwarestore)|kutonoken-online)|in(spywareprotects|-system-support|pcantivirus2010)|atchnetprotection)|f(ree(-(adult-porn-4u|blackjack-4-u)|postcardonline|onlinescanner9|christmasworld|securityonline)|i(les(check-list303|innet4you2009)|delitytitletexas|rst-aid-software)|orwardpatchplayer|ullsecurity(shield|action))|vi(ruses-scanonline|deo(videoiditenah|freeforonline)|ewerdownload2009|sacardpoorcredit)|i(n(ternet-(antivirus|optimizer)|sta(llincomputers|ntebusinesses)|etsecuritycenter|fosecuritycenter|itpcsecurityscan)|tsfatherchristmas|sraelgazaconflict)|g(ooglescanners-360|reatmirabellasite|amecentersolution|irlteenxxxfreemov|etantivirusplus09)|on(ine-antivirus-09|line(-nude-videos|securityhost))|x(p(-(antispyware2009|download-center)|antispyware-2009)|xx-movies-central)|n(a(vigationcatalyst|noantiviruscheck)|e(t(digitalsecurity|securityupdates)|wyearcard(company|service)))|r(apid(antivirus2009|-antivir-2009)|e(gistrydoctor2008|move-(ie-security|virus-alarm))|ooftopsfordollars)|your(valen
tinepoems|netcheckonline|addedantivirus)|quickstabilityscan|keepuptodatesystem)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631554; rev:9;) # sid 2631555 includes 219 (0 - 219) 19 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.com)"; content:"|13|";content:"|03|com|00|";nocase;within: 22;pcre: "/(f(a(milypostcards2008|st(anti(spywarescan|malwarescan)|-scanner-av-pro))|orgotabouttroubles|ree(-(2008-antivirus|antivirus-2008)|nonline-scanner|onlinehostguide|antivirusplus09)|e(stplattenreiniger|deralservicesinfo)|u(nny(christmasguide|valentinessite)|ll(virusprotection|antispywarescan))|dheropytrqazepisak)|c(o(mmercetranslation|untedantiviruspro)|h(asseurdeserreures|e(ckonlinesecurity|mistsonlineworld))|leansoftportal2009|rystalfilesarchive|anadasfinestplants)|e(quoteautoinsurance|x(terminadordevirus|e-web-development)|urotradeinvestment|antivirus-payments|ternalgreetingcard)|a(ccelerateurmaligne|nti(spy(ware(controle|-(2008buy|for-all|systems)|2008(-buy|soft))|-scan-4freee)|virus(-(antivirus|200(8(-free|y-pro|a-pro|o-pro|q-pro|t-pro)|9-ppro)|best-2008|free-2008|plus-2009|xppro2009|scan-2009)|2009online|360remover|livescanv3|es-for-all)|malware(guardpro|-scanner)|-virussecurity3)|ucunchoixpourvirus|d(ulthot(codec(0(32008|72008|92008)|1(02008|22008))|-codec20008)|obereunionplayers|dedantivirusstore)|securenotification|rchiveviewsoftware|l(l(softwarepayments|internetfreebies)|ternativeviagra4u)|bout-home-security)|b(e(s(kyttendevaerktoj|t(sellerantivirus|-(porncollection|security-tools)|hardcoregallery|moviesitefreein|anti(spywarescan|viruscheck2)))|collectionoffiles|llwetherlabradors)|uysysantivirus2009|l(uevalentineonline|ogsexnakedgirlxxx))|d(ataconfidentiality|efensedinformation|o(wnloa(d(-(soft-(4free|basez)|allsoftnow|everything)|allsoft-now|playersnews|filesportal|oemsoftware)|bsecurehere(1|2|3|4))|-monster-progress)|irectchristmasgi
ft)|m(e(di(a-tubecodec2008|cineonlinestore)|etwithyourfriends|gaporntubesonline)|a(in-downloadportal|lware(defender2009|professional)|ture-sperm-lovers)|icrosoftcihwindows|yfirstsecurityscan)|n(ightlifetelevision|orton2009antivirus|atural-barleygreen)|p(a(ndaantivirus-2008|ypal-secure-login)|r(o(tec(cionasegurada|tion(-livescan|systemlab))|-antispyware2009)|t(3ctionactiv3scan|ectionactivescan)|emiumadvancedscan)|ur(aibashitoshinrai|chase-clonazepam)|o(wer(antivirus-2009|downloadserver)|pupprotectionsite|rn-movies-central)|c(privacycleanerpro|-security-scanner)|ersonal(cleaner2009|deluxeguard))|w(ebsoftcodecdriver2|i(n(chesterprotector|spywareprotectdl|dows(-scanner2009|updateonline|plaeyraddons))|sta-antivirus2009)|orld-widinnovation|hitewhitechristmas)|s(a(fe-strip-download|meshitasiteverwas)|e(cur(ity(-(bancochile|components)|scanner(free|site|2009)|examination|onlineworld)|e(so(ftwaretools|lutions-net)|expertcleaner|filesshredder|dvirusscanner))|archresultsdirect)|pywareisolator2008|upers(oft21freeware|earch20090330)|t(einbergyasociados|orage-antispyware|ability(scandirect|onlineskim))|oft(ware(-pc-archive|viewers2009)|vvareportal2008))|2008-(antivirus-free|free-antivirus)|in(ternets(canner2009|erviceteam)|itialsecurityscan)|virus(-onlinescanner|andspywarescan|destroyerboost|protectionsoft|treatmentforpc)|x(p(antivirussecurity|-antispyware-2009)|xxtube-for-xxxtube)|r(e(parateurdesysteme|laydownloadupdate|move-system-guard|alantivirusplus09)|apid(antivirus-2009|spywarescanner)|ofl-wedding-toasts)|u(ltimate-anti-virus|pgrade-soft-serv20|niversal-antivirus)|1federalreservebank|li(ve(-(antivirus-scan|payment-system)|antispywarescan|internetupdates)|teantispywarescan)|t(estonsecuritypages|he(uptodatesecurity|bestsecurityspot)|r(ustsecurityshield|iton-friendlyclub))|you(r(christmaslights|mirabelladirect|firstpaydayloan)|cityesdrugstores)|o(fficerestartupdate|nline(updatessystem|virusbusterv2))|quicksoftupdate2008|g(reat(s(alesavailable|ecurityshield)|valentinepoems)|lo
balsecurityscans|oldeninternetsites)|hypersecurityshield|kxc-softwaresportal|join-the-poker-room)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631555; rev:9;) # sid 2631556 includes 171 (0 - 171) 20 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.com)"; content:"|14|";content:"|03|com|00|";nocase;within: 23;pcre: "/(34t34lkerngeedrtu2w2|8cqd5ie9vwggcfs4c9wv|e(r(klg34t3rkglne4er9r|sklglkeere5t4rd5ct)|liminadordeamenazas|x(pressantivirus2009|efilesdownload2009))|j(qc8bqy8h5jen8x4mc9r|yewrkjfwkjvseraeshq)|n(9zzfdpfjh3chyd4d5ct|hbiryujmuvgipjnu2w2|et(toyeurdeserreures|businessmarketing)|ortons(2009antivirus|antivirus2009)|akedfridaydresscode)|p(er(formanceoptimizer|sonaldefender2009)|a(nda-antivirus-2008|in-relief-tramadol)|r(ivacidadyseguridad|essdownloadtostart|otection(onlineinfo|liveupdate))|ower-antivirus-2009)|w(2qdzq7iux6v8wuaeshq|kjeheret44eree4c9wv|ebscweb-scannerfree|irelessvalentineday|orld-payment-system)|b(alancedintelligence|e(autifulcollegeview|st(-(ps-download-4pc|safety-software)|antivirus(defen(se|ce)|proscan)|filesarchive2009|myscanneronilne(2|3|6)|countedantivirus))|igcodecadult2008-17|r(assnuts-brassbolts|eakingfreemichigan)|uy(msantispyware2009|-levitra-cheap-4u))|a(d(ultwebmasterempire|wareprotectionsite|dedantivirusonline|v(isorywebcentercom|ancedvirusremover))|nti(spy(ware(con(ductor|trollo)|kontrolle|expertpro|2008(sales|-soft)|-2008(-buy|soft)|fastcheck|pcscanner)|guard-scanner)|virus(gereedschap|s(ecuritypro|ofware2008)|-(scan(online|ner-v1)|quick-scan|xppro-2009|components)|online-2009|2008scanner|fulldefence|p(rogramsite|cscannerv1)|quickscanv1)|malware(suite2009|masterpro)|-(malware-scanner|spyware-scan-v1))|ctivesecurityshield)|f(ree(-(download-center|webhosting-plus)|anti(virus(-online|webscan)|spywarescan2)|nonline-scanner(a|w))|ull(andtotalsecurity|securitydefender)|ast(-scanner-4pc-pro|nofaxpaydayloans)|
ind-u-that-mortgage)|m(a(turecreampieorgies|lware(bellagreement|alarm-scanner|protector2008|liveproscanv1)|zdaautomotiveparts)|degunjderinkdasewin|icro-antivirus-2009|s(-antivirus-storage|scan-files-antivir)|y(contraadwareonline|machinedefenderpro)|esothelioma-abestos)|s(e(xoffender-registry|arch4financeonline|cur(e(d(ownload(center|direct)|paymentsystem)|-plus-payments)|ity(onlinedirect|shieldcenter)))|pyware(extermination|onlinescanner)|can(ner-pwrantivirus|-antispyware-4pc)|martantivirus(2009v2|plus09)|oft(-upgrade-network|portalforfun2008)|uper(christmaslights|-antiviral-scan))|t(he(musicsmembersarea|-crack-(area-4free|zone-4free))|otal(virusprotection|antispyware2009)|richurcricketonline)|d(e(p(ositodinegrimorti|ressionstresspain)|sktoprepairpackage)|igitalaudiopostcard|ownload(all-soft-now|filesservice))|xpprotectionsoftware|virus(-scanner-online|remover2008plus|softwareremoval)|in(ternet(-defense2009|antiviruspro|countercheck|safebrowsing)|surance-4-your-car)|r(e(alonlinevideo-2008|move(spywarethreats|-(antivirus-360|spyware-guard)))|apidantiviruspcscan)|he(ntaimoviesdownload|ad-trauma-resource)|g(o-downloadz-pc-soft|reetingcardcalendar|izliilimlerhazinesi)|live(updateprotection|antivirus(scanner|proscan))|update(yourprotection|s(erversoftware|oftwareserver|centralsystem))|online(pcvirusscanner|brandsecuritys|safetyscansite)|yourcountedantivirus|c(licksmanagementscom|dcdcdcdc2121cdsfdfd|ore-guard-antivirus|reditcardsunsecured))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631556; rev:9;) # sid 2631557 includes 138 (0 - 138) 21 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.com)"; content:"|15|";content:"|03|com|00|";nocase;within: 24;pcre: 
"/(f(indthewebsiteyouneed|ast-antimalware-scan|r(ee(portalsoftwarenow|-(sexy-porn-videos|antivirus-engine))|aternidadsinaloense)|ederalreserve-(direct|online))|a(r(es-galaxy-music-p2p|izonaenterprisesllc|ch-grandsoftarchive)|d(ultstreamportal2008|van(cedantivirusscan|edmalwarescanner))|nti(vir(us(200(9-scanner|8software)|freescan2009|solution2008|-(premiumscan|scan-online|xp-pro-2009|av-ms-check)|onlinescanv2)|-scanner-ms-av)|spyware(-(2008-soft|freecheck)|proupdates)|malware(proscanner|guard-plus|onlinescan|-scannerv2))|v-mc-antivir-checker|ppels-offres-tunisie|ll-software-payments|1(-thesisdissertation|plastic-storagebins))|e(currencyprofitsystem|uropeanpharmacystore|asy(contraadwarestore|serverdefenderpro|versusadwarestore))|in(genmulighetforvirus|ternetsafetyexamine)|m(cafee-antivirus-2007|ain-softwaredownload|y(se(cureexpertcleaner|rverdefenderstore)|o(pposingadwarestore|nline-casino-guide)))|p(harmacysuperdiscount|r(iva(c(idadgarantizada|ysoftwarereport)|tesecuritycenter)|o(tectedupdatesystem|antivirusscannerv2))|erformance-optimizer|c(-antispywarescanner|antimalwaresolution)|arade-float-supplies)|d(o(cumenti-elettronici|wnload(-top-software|antivirusplus))|reamfully-chilostoma)|s(e(arch(4pharmacyonline|-teacher-online)|cur(e(d(igitalpayments|downloadserver|online(payments|webspace)|updatetransfer|serverdownload)|billingsoftware)|ity(deliversystem|-check-center|softwarecheck))|rvicenetworktoolcom)|oftware(2008antivirus|antivirus2008|updatessystem|support-group)|uper-s(oftwareportals|canner-av-soft)|tabilityinternetscan|can(stabilityinternet|-virusremover2009)|ysteminternetupdates)|c(anadiandiscountsmeds|heck-pc-antivir-2009|onstruction-barascud|ityesdrugstoressuper|entralamrecanculture)|t(o(p(antispywarereviews|registrydoctor2008)|tal(-virusprotection|weightlosscenter))|r(ustedsoftportal2008|opicalplantparadise)|he(trueshiledsecurity|-best-poker-online)|eflonlawsuitattorney|uggingonapronstrings)|w(in(dows-virus-scanner|-antivirus-protect)|eb-programmersportal|
orldscheapestwebhost)|2008(antivirussoftware|softwareantivirus)|b(rowsersecuritycenter|e(st(antivirusfastscan|buysoftwaresystem|contraadwarestore|serverdefenderpro|-poker-tournament)|xtralawsuitattorney))|n(orton-antivirus-2007|etworkstabilitytrace)|vi(rus-securityscanner|llas-cyprus-larnaca)|upgrade-your-software|o(czyszczaczkomputerza|nline(-(malwarescanner|virus-scanning)|virus-scannerv2|filesviruscheck)|urbestsecurityshield)|r(e(gistry(doctorpro2008|-cleaner-2009)|move-(total-security|winpc-defender)|finance-lead-online)|ofl-wedding-speeches)|li(ve-anti(spyware-scan|viruspc-scan)|te-antispyware-scan)|xpvirusprotection2009|your(contraadwarestore|serverdefenderpro)|1stbest-online-casino)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631557; rev:9;) # sid 2631558 includes 98 (0 - 98) 22 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.com)"; content:"|16|";content:"|03|com|00|";nocase;within: 25;pcre: 
"/(g(reece-escort-services|uardiandelaprivacidad)|a(dultmoviesmembersarea|nti(virus(2009-(freescan|software)|-(premium-scan|scan-your-pc)|p(r(otectorsite|emiumscanv2)|aymentsystem)|rapid-scanner|onlineproscan|bestscannerv1)|spyware(2008(s(canner|oftbuy)|buysoft)|liveproscan|-components)|malwarewarrior2009|-malware-live-scan|anxiety-clonazepam))|e(-(currencymoneymachine|investments-provider)|asy(contraadwareonline|machinedefenderpro))|f(ree-satellite-network|ast-antiviruspro-scan)|p(r(o(tect(iondenetsurfage|edsystemupdates)|s(ecureexpertcleaner|ystemonlinescanner)|antivirusprotection)|ivatewebsystemupdate)|harmacy-online-search|owerfullantivirusscan|latinumsecurityupdate)|s(e(arch-(online-pharmacy|pharmacy-online)|c(ure(fileshredder2009|d(-software-order|antivirusonline))|retfilesstoragehere))|canner-xpertantivirus|o(lution-freeantivirus|ft(awe-download-forpc|ware(download2008(hq|sq|tq)|portalexefiles|securedbilling)))|pyware(-(quickscan-2008|protector-2009)|remover2009plus)|tabilitysolutionslook)|m(edicinalternativa-ser|y(machinedefenderstore|opposingadwareonline|serverdefenderonline|computervirusscanner))|w(in(dowsspywaredefender|secureexpertcleaner)|orldprotectedpayments|eightloss-pills-4sale)|internet(securitydeluxe|quarantinesite|-(antivirus-pro|mortgage-loan))|b(est(interracialgallery|-antivirus-(defense|scanner)|contraadwareonline|machinedefenderpro)|huvanapharmaceuticals|u(talbital-is-fioricet|y-car-insurance-4-us))|re(gistrydoctor2008-pro|move-spyware-protect)|virus(andspywarescaning|remover2008-offer)|2009download-best-soft|li(ve-pc-antivirus-scan|teantispywarescanner)|t(ube(portalsoftware2008|softwareviewer200(8|9))|otalmalwareprotection|radeshowdisplaysystem)|onlinestabilityscanada|creampie-olders-orgies|1(bestprotectionscanner|computeronlinescanner|st-texas-holdem-poker)|downloadsoftwareserver|narrowroadpublications|your(securitydisability|contraadwareonline|m(achinedefenderpro|edicinelaboratory)))/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2631558; rev:9;) # sid 2631559 includes 81 (0 - 81) 23 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.com)"; content:"|17|";content:"|03|com|00|";nocase;within: 26;pcre: "/(e(ducation-forex-trading|asy(opposingadwarestore|serverdefenderstore))|a(froukbusinessdirectory|nti(virus-(2008-software|noadware-2008|software-2008|av-ms-checker|pro-live-scan)|spyware(2008(-buysoft|purchase)|updatesystem)|malware(-(pro-scanner|online-scan|live-scanv3)|internetscan|superproscan)|-virus-professional)|glifestylesmarketplace)|globalsoftwareagreement|m(a(sedinkionderunhasdeun|lware(liveproscannerv1|-live-pro-scanv1))|istikotitatuipologisti|egauplinkbindinstaller)|s(ecur(ity-scanner-online|e-(online-antivirus|center-antivirus))|oftware-(2008-antivirus|antivirus-2008)|upers(olution-antivirus|ecurefileshredder)|pywareremovalutilities|ystemprotectionupdates)|vir(us-detection-scanner|tualinternetsecurity)|2(008-(antivirus-software|software-antivirus|noadware-antivirus)|4-7-free-online-casino)|f(ree(onlineantivirus2008|-antispyware-system)|ast-download-base-free|jfnfnfnaaswwospotyacai)|online-(s(ecurity-systems|pyware-detector)|pc-virus-scanner)|in(ternet(-antivirus-2008|securityexamine)|dustrialsteelshelving)|b(est(se(cureexpertcleaner|rverdefenderstore)|-(anti(-virus-scanner|virus-s(olution|ecurity))|life-insurance-4-u|mortgage-leads-4-u)|anti(virusproscanner|spywarelivescan)|opposingadwarestore)|uy-adipex-prescription)|hypersecurefileshredder|re(gistrydoctor2008-scan|move-malware-defender)|your(se(cureexpertcleaner|rverdefenderstore)|opposingadwarestore)|update-protection-stats|pr(o(fessional-virus-scan|tections(oftwarecheck|ystemupdates)|-anti(malware-scanner|virus-scannerv2))|ivaetprotectedupdates)|lite-anti-virus-scanner|total-malwareprotection|networkstabilityexamine|downloadsoftwareserver3|4sale-spanishproperties|j2-ssl-account-commbank
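|collegeeducationacademy)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631559; rev:9;)
#
# Review notes for sid 2631560 - 2631570 (the line above is the tail of sid 2631559,
# which starts earlier in the file and is left exactly as generated):
#
# - Each rule uses two content matches (a label-length byte, then the encoded TLD
#   "|03|com|00|") followed by a pcre that lists the blocklisted names of that length.
# - The pcre is bound to the length byte and to the "|03|com|00|" suffix. A pcre with
#   no anchor and no R flag is evaluated against the whole payload, so an unbound
#   list would also hit the same string inside an unrelated label whenever some
#   other label of the right length precedes ".com". The 3-character list
#   (sid 2631566) is the most exposed to that kind of false positive.
# - The file header says this file is regenerated daily, so the binding has to be
#   carried into the generator to survive the next run.
# - NOTE(review): "within" is always label length + 3, while "|03|com|00|" is 5 bytes.
#   Whether the whole pattern must fit inside that window depends on the engine;
#   confirm each rule fires on a test capture.
# - Only UDP traffic to $DNS_SERVERS port 53 is inspected, and sources listed in
#   $SMTP_SERVERS / $DNS_SERVERS are excluded; lookups over TCP are not covered.
#
# sid 2631560 includes 53 (0 - 53) 24 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.com)"; content:"|18|";content:"|03|com|00|";nocase;within: 27;pcre: "/\x18(e(ducation-best-directory|asy(machinedefenderstore|opposingadwareonline|serverdefenderonline)|z-master-degrees-online)|win(antivirusprofessional|dows-antispyware-2008|-xp-antivir-hqscanner)|a(nti(virus-(protection(2008|-kit)|online-scanner|secure-scanner)|spyware(2008-(download|purchase)|-(2008purchase|free-scanner|scanner-(free|2009))|updateservice)|-malware-live-scanv3)|d(vanedpromalwarescanner|ipex-weightloss-online)|1-online-masters-degree)|s(mart(-antivirus2009v2buy|antivirus(-2009v2buy|2009v2-buy))|canner-antispy-av-files|uperiorinternetsecurity|intellectsecurityshield|tudentcreditcardissuers)|p(owerfulvirusremover2008|r(o(tecton-antivirus-scan|antiviruscomputerscan)|emium-advanced-scanner)|cantivirusscanneronline|urchuase-onlinesoftware)|b(est(antivirusfastscanner|machinedefenderstore|opposingadwareonline|serverdefenderonline)|uy-life-insurance-cheap)|computeronlineproscanner|online(proantispywarescan|-tramadol-pharmacy)|fast(-antimalware-scanner|securityupdateserver)|qualitycollisionbodyshop|internetsafebrowsinghelp|your(machinedefenderstore|opposingadwareonline|serverdefenderonline)|1st-credit-cards-issuers|tradeshow-displaysystems)\x03com\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631560; rev:9;)
# sid 2631561 includes 36 (0 - 36) 25 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.com)"; content:"|19|";content:"|03|com|00|";nocase;within: 28;pcre: "/\x19(d(sfkjfs8i3jksdfj3hdds3jj3|ownload-citadel-software)|2008adultstreamportal2008|a(nti(virus(2009(-freeverscan|professional)|onlineproscanner|-(online-pro-scan|powerful-scanv2))|spyware(-2008-(download|purchase)|prolivescanner)|-virus-secure-scanner|malware-online-scanv3)|dvanced-virusremover2009)|m(yantivirusprotection2009|alwareprosecurityscanner)|p(r(osecureexpertcleanerpro|emium-antivirus-defence)|owerfullantivirusproduct|erfect-mortgage-lead-4-u)|s(ystemprotectiondownloads|ecur(itysolutionsnetworks|edonlinecomputerscan))|best(-antivirus-protection|antcomputerprotection|machinedefenderonline)|in(ternet(-(antispyware-scan|explorer-cleaner)|protectedpayments)|dustrial-drum-equipment)|1antispywareupdateservice|greatstabilitytraceonline|remove-ultra-antivir-2009|webcontentdistributioncom|fremontdigitalphotography|easymachinedefenderonline)\x03com\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631561; rev:9;)
# sid 2631562 includes 19 (0 - 19) 26 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 26 chars (.com)"; content:"|1a|";content:"|03|com|00|";nocase;within: 29;pcre: "/\x1a(discount-pharmacy-online-e|a(nti(virus(2008pro-download(1|2)|security-solution|-protection-tools)|spywareinternetproscan|malwareonlinescannerv3)|dvanced-antivirus-scanner)|winxp-antivir-on-line-scan|update-software-protection|professional-virus-scanner|best-antivirus-pro-scanner|4(powerfullantivirusproduct|-baccarat-gambling-online)|fullantispywareonlinescane|virusdoctor-onlinedefender|mesothelioma-settlementnow|online-(cheap-car-insurance|masters-degrees-4-u))\x03com\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631562; rev:9;)
# sid 2631563 includes 17 (0 - 17) 27 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 27 chars (.com)"; content:"|1b|";content:"|03|com|00|";nocase;within: 30;pcre: "/\x1b(digital-investment-projects|s(e(archingforthevhostipadres|curedupdateupdatesoftware)|upersolution-freeantivirus)|in(ternet-security-antivirus|dustrial-storage-cabinets)|a(-nahui-vse-zaebalo-v-pizdu|ntispyware-online-pro-scan)|extremeintelligencesoftware|liveantivirusprotectionscan|bestantispywaresecurityscan|computerantivirusproscanner|p(rofessionalsoftwareupdates|ersonal-antivirus-software)|remove-(spyware-protect-2009|ultra-antivirus-2009)|give-u-the-perfect-mortgage)\x03com\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631563; rev:9;)
# sid 2631564 includes 7 (0 - 7) 28 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 28 chars (.com)"; content:"|1c|";content:"|03|com|00|";nocase;within: 31;pcre: "/\x1c(fweerf0d9fergkjehkgkwewm4bpf|anti(virus-powerful-scannerv2|spywareprotectiontoolcom|malwareinternetproscanv3|-malware-internet-scanv3)|1stmaterials-handlingsystems|trichurmanagementassociation)\x03com\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631564; rev:9;)
# sid 2631565 includes 2 (0 - 2) 29 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 29 chars (.com)"; content:"|1d|";content:"|03|com|00|";nocase;within: 32;pcre: "/\x1d(stabilityinternetglobalonline|adult-tube-for-usa-and-europe)\x03com\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631565; rev:9;)
# sid 2631566 includes 8 (0 - 8) 3 character domains in the ".com" top level domain
# Short list: without the length-byte/TLD binding these 3-character strings match inside many unrelated names.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.com)"; content:"|03|";content:"|03|com|00|";nocase;within: 6;pcre: "/\x03(369|05p|888|126|265|4pu|6o9|lop)\x03com\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631566; rev:9;)
# sid 2631567 includes 5 (0 - 5) 30 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 30 chars (.com)"; content:"|1e|";content:"|03|com|00|";nocase;within: 33;pcre: "/\x1e(s(oftwaredestributiononlinecorp|ignmakingequipmentandsupplies)|verifiedpaymentsolutionsonline|win-downloading-updates-server|best-debt-consolidation-online)\x03com\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631567; rev:9;)
# sid 2631568 includes 1 (0 - 1) 31 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 31 chars (.com)"; content:"|1f|";content:"|03|com|00|";nocase;within: 34;pcre: "/\x1fbest-online-masters-degrees-4-u\x03com\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631568; rev:9;)
# sid 2631569 includes 1 (0 - 1) 32 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 32 chars (.com)"; content:"|20|";content:"|03|com|00|";nocase;within: 35;pcre: "/\x201st-mesothelioma-asbestos-lawyer\x03com\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631569; rev:9;)
# sid 2631570 includes 2 (0 - 2) 33 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 33 chars (.com)"; content:"|21|";content:"|03|com|00|";nocase;within: 36;pcre: "/\x21(kaipofinancialbusinessinformation|casino-on-line-gambling-directory)\x03com\x00/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631570; rev:9;)
# sid 2631571 includes 1 (0 - 1) 34 character domains in the ".com" top level domain
# (this rule's remaining options follow on the next line of the file; its text is left as generated)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 34 chars (.com)"; content:"|22|";content:"|03|com|00|";nocase;within: 37;pcre: "/world-class-online-casino-gambling/i"; classtype:trojan-activity; 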
reference:url,www.malwaredomains.com; sid:2631571; rev:9;) # sid 2631572 includes 2 (0 - 2) 35 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 35 chars (.com)"; content:"|23|";content:"|03|com|00|";nocase;within: 38;pcre: "/(4-casinos-online-real-online-casino|exclusive-mortgage-leads-online-4-u)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631572; rev:9;) # sid 2631573 includes 111 (0 - 111) 4 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.com)"; content:"|04|";content:"|03|com|00|";nocase;within: 7;pcre: "/(0(0(1y|8(i|k)|hq)|-29|dax)|5(1(2j|ym|1u)|55y|ppc|7ez|2pk|0nb|we5)|2(84b|ppp|tgs)|7(5tz|00k|te3)|a(a(04|vc)|cjp|d(25|45|77|86)|s4a|oc8|zm8)|1(y1w|3ux|7(bs|6r)|tvv)|4(irc|7tu)|m(p(3u|0u)|09b)|u(cdq|rjb)|8(844|tgp|2wg)|c(0(mo|jm)|pdq|qzb)|f3pj|k(yed|433|xso)|p(op6|txk)|y(xoi|kbx|s8c|f3e)|3(7(wg|21)|1(fa|tg))|9(cdn|6my|991|ke8)|b(c0n|fkq)|h(pxw|o0k)|i(n(i7|ac)|d(oo|dh|hh)|win|bmx|cw(b|o|p))|q(suj|850)|d(9qj|dl2|v7q|wwt)|e(r18|wtj)|l(my8|l80|qxw)|n(zpr|s(98|dy)|o0k)|t(g95|yd8)|z(com|0l7|wzj)|6(4do|33r)|s(eeq|8m1)|wuc(7|8|9)|ji88|rd7y)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631573; rev:9;) # sid 2631574 includes 360 (0 - 360) 5 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.com)"; content:"|05|";content:"|03|com|00|";nocase;within: 8;pcre: 
"/(2(1(380|575)|2vek|3drf|4dat)|3(5(561|mju)|1joy|9-93|rb69|7586|2881|bomb|344g)|4(3(242|129)|4986|-job)|m(eibu|qbol|sfds|b918|xmxr|igks|y(iee|kgb|sy8)|fads|juie|voyo|tsou)|9(8725|1dna|9114|e7fs)|p(towl|i(lli|d72)|ytop|clem|l(gou|jfo)|pexe|bkjh|vden|djsj|zxz8)|x(ll-g|ks08|ml(52|48)|nibi|b(stw|oxa)|pds1|isps|zini|aoyo|gguy)|1(a123|8dmm|0(w(ip|rj)|gay)|3(175|opd)|58dm|dumb|7(1dl|7bt)|o0o1|6(6pp|9ol)|jjhl|ilhf)|a(-137|goga|no(wl|ze)|rtfv|wola|eaer|v(vcc|wav)|d(w95|xtn|drl|pzo|roz)|pp52|s(p(72|27|63)|d(12|6u))|cs86|lxup|iyyw)|b(8591|a(o01|1do)|o(a23|kee)|2adz|n(k(11|sw)|mhg)|bexe|g(dtr|tnh)|tjoy|vyls|izcn|hj4w)|k(ey32|pang|0102|okon|k(wyx|exe)|m153|dvty|at15)|s(b(b22|110|941)|ogou|r(aly|q3h)|id(95|36)|t(212|eoo)|s(l39|-01)|ylip|ucop|kyhu|a7i9|3f5n|qwyt)|u(c(147|mal)|668u|vilo|iiiu|ngds|usee|zapl)|c(a(rjq|z56|wjb)|nnty|ouly|rpay|tynn|webt|zups|f(m78|rsc)|id26|m(iia|epi)|s(l24|ygg)|u(sln|108|z-i)|xdgl|bwej|cqit|d(iqa|ju9|fg8)|hkwl)|d(zpia|101b|asyt|g(nro|jir)|i(psn|v(ww|gg))|ueor|l(l64|251)|xcpm|nsba|c(evr|21s)|yrzj|sews)|g(ator|fbwd|ckry|h(j(fd|yt)|y67)|osgd|thju)|h(e(xun|yud)|f(nvp|3y5)|unll|hgg3|jkio)|i(cpcn|s686|d(7(59|46)|294)|rxxv|mg-(z|o)|uwei|iegf|n4(ik|c(o|k)|s(k|t)|tk)|t3s5|gr5s)|l(sjmp|7l71|lldr|awwb|n1is|1j1f|gmin)|8(243(0|5)|6(8wg|6pp)|1ssl|3166|8vcd)|e(fuyr|kads|z(zuz|gcs)|rr68|x(e94|gif)|uf(ks|nt)|onud|peiy|gu8c)|f(e(eip|myp)|g(hin|67i)|c(321|swr)|rt7k|sdfe|t5yj)|j(ie(od|hg)|j(120|ckr)|hgpq|x3wg|ud4g)|n(zell|s-ok|hdiw|mbrx)|v(369v|n385|omba|j(ccc|hdo)|rtjl|gdes|ip89|vexe|f(dsa|yte)|dmjl|bfdt)|w(o(qkr|pxs)|acsy|i(nvv|xww)|s(pdl|ajx)|e(bng|ixk)|htex|d(swe|ldt)|wlax|gcn8)|y(s(eac|jqb)|rhfn|uiqd|g(pfb|vtf)|hdmi|xdlq|y12s)|z(iude|xs35|b(iqa|bey)|ullc|sde4)|5(2(gol|hdy)|ibsj|1(113|6my)|6ssl|8ssl|l2o8)|t(ag(38|58|95)|id62|cact|wwen|yisp|es10)|0(01yl|scan|2sta|314w|5916)|6(1229|aspx)|7(89xx|6mtv)|r(id34|m510|ycsp|rmkv|tgma|bckc)|o(gjtu|ryfn|d(ros|ltd)|ff34|k(hyf|wit)|ixka|thok|pqxn)|q(n518|pwoi|srch|bpay|owte|8588))/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2631574; rev:9;) # sid 2631575 includes 401 (0 - 401) 6 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.com)"; content:"|06|";content:"|03|com|00|";nocase;within: 9;pcre: "/(0(32439|n(ovel|find))|1(3(5mp3|69zz|00li)|7(1(203|817)|gamo)|024tb|2(4365|3(cha|dcy))|d1d1d|11281|8(6188|lxkl)|5l2o8|paket)|u(fixer|c8010|uzzvv|insex|jeose|7zywp|s(er93|a(ad(p|w)|bnr)|wow(2|1)|rv03)|pcomd|wgcn8|ye123|kboox)|2(22(360|2mb)|4aspx|1yjxm)|b(n(ably|radw|sdrv)|a(ghli|nk84|se48|mrot)|u(g(upd|xue)|tdrv)|i(n(963|rye)|os47|lcnt)|l(cadw|ufda)|rsadd|styjx|ornaz)|e(qcorn|cnoho|dorio|ltext|n(zoto|tmba)|shop5|u4pro|g(cash|ozdq)|bibuy|-orel|x(e(c51|316)|odig)|osads|zdvdx)|l(t(brew|8818)|jcctv|uxuru|6q7x6|ang34|eaphe)|m(a(bios|zafa|krea)|m5208|eza69|izane|ovist|y(bil(1|2|3|4|5|6|7|8|9)|wlhn|teqw)|gaazz|s-avc|u(u998|swou))|s(nbane|2fnew|e(iudr|xtds)|h(itip|ell8)|u(pbnr|vcnt)|t(iwdd|ased)|3rvak|lrvip|pylee|bmb08|oupay|derfg)|t(ibeam|oggle|ctcow|rap17|ub(ity|eee)|elmex|tfa(fa|bb)|v(bust|tvmg))|3(33292|0to50|dhelp|traff|rzala|66ent)|7(4(9571|1239|5970)|8ting|30lan|91224|traff|66598|shark)|c(gmess|a(iyi8|nkus)|n(spqy|zytv|y(cdw|jwl))|o(untq|nt67)|rutop|yhawk|h(l(iyi|ejf)|k(adw|bnr))|ert83|l(sidw|rbbd)|serv(1|2)|zysgs)|q(83000|azsex|iqigm)|y(un878|tcqft|a7loo|orkza)|9(69222|00666|87255|1(91my|wwmm))|a(d(b(aaz|est|tch)|trgt|rise|s(520|cpm)|w(bnr|rss)|9178|atom|ioro)|jurox|n(dy21|felt|ykuy)|v(pkav|xp08)|osier|riboo|s(p(der|x(88|4(9|6))|707|1tw)|odbr|slad)|wmdev|p(p(s84|dad)|idad)|ttadd|us(add|bnr)|hdirz|88b88|bdns1)|g(ate(ow|dl|mc|hs|qy|bm|gq|iv|pj|uq)|o(-all|lpii|movs)|e(oepd|t(adw|bwd|wsp|sgd|dew)|nwjq)|zoe7w|uid86|brad(p|w)|1g1it)|i(pinin|woser|iiboy|caapi|fengw|hackr|rate4|na4(c(k|h)|id)|mpeel)|n(ame15|0tb4d|bb3g1|opcls|e(frti|eunt|tbob)|injtz)|v(catch|sfuzi|mksxo|i(ew89|ppif)|fgt11|armer)|x(i(uzhe|nfa8)|e(irod|euat)|p(ostx|sweb)|dqs09|sert5)|4(04dns|14151|2
7224|less2)|5(2hxsh|4htsf|55(8x7|abc)|1(3389|7wyt|much)|31140)|8(72435|81215|5(91tw|85le)|07037)|d(d(gate|ooss|rweb)|ing45|r(u(gsc|pa1)|poex|vadw)|u(lbko|moid)|bupdr|wnld1|e(epdo|rbiz|fstu|ntyx)|xwyt1|lsgd3|ayrss)|h(x0k21|hai01|ao(123|253)|l(padw|towx)|qtube|drcom|otbar|nscsj|bsfhg)|j(e(kdoe|tdbs|liru)|hosts|yfish|mlrmg|ltao8|sjj56)|k(a(nkev|oeds|yidm|rdun)|eyrun|o(ubeo|oloo)|trcom|idsmk|raspa)|o(butan|yezli|kokss|xdiet)|p(esads|i(mp21|llsn|zder|bidu)|owref|pcabc|0(b0ts|llko)|vs360|yttco|ctv4u|akras)|z(ablen|vco6m|inaps|ebald|senet|hbxgs|z-dns|ljtl8|gsysz)|f(dpgb3|ewfwe|r(ee20|ipjt)|f(xxii|seik)|o(ltax|rm43)|i(l(erd|omo)|reee)|uxads|nygfr)|6w6w6w|w(i(n(496|zxm)|eyou)|e(b(923|bob)|weif|sy67)|o(w088|ptim)|07dns|wj666|m5588|1s2d3|albro)|r(e(pluy|zmas)|ikora|bcnew|otkid))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631575; rev:9;) # sid 2631576 includes 449 (0 - 449) 7 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.com)"; content:"|07|";content:"|03|com|00|";nocase;within: 10;pcre: 
"/(2(0(mbweb|20wyt|19wyt)|mgames|fargon|u-fuck)|s(t(vfirm|a(t(icq|add|s4x)|lbox|gech))|n(lilac|-gzzx)|a(jin88|intea|t(oenn|half)|v2008)|p(y(-(rid|out)|maxx|soap)|loday)|sl(4all|put4)|e(r(d158|ensy)|tup36|ecode|xlool)|h(a(ngdu|re73)|ell54|otgol)|u(ppadw|lidev)|ysid72|ky8000|wp2009|makata|iplank|oftmet|vertok)|e(xiao01|yrenet|campay|dv5ebf|gudkot|aoafir|n(-us18|drizi)|-soft1)|k(qfloat|ronicx|a(serid|dport|rlast)|illgay|ooo546|erchon|laomta)|q(avoter|oogler|w(gates|ehost)|dvideo)|r(izalof|helper|bkvebf|uesiwe|fhwfhw|e(dir94|fer68|xec39)|atloaf|mk-lgs|-state|scserv)|t(u(shove|rkonz|be(-hu|ger)|douwg)|a(ssweq|g(id42|debt))|r(ojan8|ace88|uconv)|mtraff|o(csite|pwale)|estwvr|h(alies|evann)|iktikz|tiirk5)|w(xtaste|33d561|a(tch77|v2008|nggui)|hpsarm|i(rusuk|n9987)|-(speed|netex)|m(vtool|pware)|spsale|e(pykot|h8dnb)|uxiawu|j-asys|nymenu)|1(987324|23-ptp)|7buscar|b(u(dppsh|yaoni|xhere|m-biz)|-warez|a(tch29|raokl|by178|areeq)|lockkd|nrb(ase|tch)|r(owsad|zgeni)|htoesp|b(erimc|tguag)|iedetn|ojifun|vakjyr|eidzan)|p(a(guole|wlacz)|3rs0nx|i(rduxa|ng(adw|bnr)|czway|picom)|o(r(n(qaz|mai|osn|385|neo)|twbr)|pwash)|restra|hi6aym|wrware|psuite|-state)|y(uot(ube|nbe)|yyping|f(rresp|fs369)|171108|hgames|ourlol|ab(ombs|lozo))|a(l(imama|zhead|adbnr|leips)|r(clane|tufex|msart|gukio)|d(o(ptim|beus)|traff|ult-u|-zero|vabnr|w(supp|netw)|block|nuker|servs|k2lev)|hitaly|irlady|n(alliz|oplev|et123)|p(romed|pid37)|quaant|s(d(gate|rugs)|gates|mworm|embli)|c(siaym|glgoa)|v(itool|x(p-08|2008)|egeni|1scan|scan1|-cash)|b(cways|outav)|uctlva|m-scan|ermiso|221008)|d(dlsite|a(phost|tajto|mhost)|ctrick|e(aztec|bug73|stbnp)|i(abler|mfest|zolma)|ns-eye|r(ocheg|ugsfu|amcnt)|word72|bgbron|f(n2etn|sas23)|gbdjsb|urnosy|jellow|oggody)|f(e(edbuk|ihua8)|-consg|bcmfir|gv2fir|a(buzhe|ckaaa)|ile(ave|hog)|l(ux(bux|pay)|ashya)|hp4etn|o(teens|ustka|liono)|r(zvetn|yroll)|u(cuzzy|n(6677|aman))|jtiili|071108)|g(o(-acct|go52o|o(d412|spam)|4scan|myhit|v9988|sscan)|amesrb|f(yjebf|dpves)|ribokk|i(tporg|bserv|qgetn)|goocom|sajetn|e(
tsgd3|ninch)|zsyqzx|pdvinc|uardav)|h(q(storm|-vidz)|job123|ao1680|renota|dadwcd|l(pgetw|jwsjd)|wh2ght|tbgetn|ost800|ellnax)|i(h(shsd8|aozhe)|esuper|mbadns|n(trich|dexaa|gclip)|x(codec|ivght)|dbvarm|lizium|ucvetn|getnet)|m(a(i(l333|n(adt|bvd))|waqit|lasha|s(iwer|2009)|cr(oav|ide)|nswar|aroto)|vl0an7|i(dgejs|korki|wcmac)|e(ga(911|-3k)|yolev)|ov(addw|zway)|y(tube4|sscan|mkans)|p(3dowl|maher)|uzi888|mhills)|n(a(izi68|d0nad)|uvodka|e(usoas|wying|vpost|glite)|otlong|i(nonem|ght69)|jihemi)|5(finder|avscan|rublei)|666cams|c(n(nporn|trl62|cn518)|o(mttex|ldwop|kiran)|p(xlife|aypal|vcash)|r(a(ckdb|zeyt)|tbond|ustat|x-web)|walktv|bkjdxf|a(nclvr|tshof)|drpoex|lip(rts|sno)|jfsetn|tsdowg|col365|hi(xxxa|ldhe)|gcream)|o(l(thart|andon)|pernuz|d(iseea|marco)|rikuti|irooke|utporn)|u(n(i(fi5h|gray)|erixs)|av2008|comddv|t(rocnt|99889))|x(hcodec|u(itetw|an666)|xxping|podium|buzzer)|z(h(ai358|bidto|onghr)|z(zping|iyuan|renwu|tools)|aza999|jz-00(1|2|3|4)|kywmqx|xchost|etross|-state|yujgss|onephp)|3prince|j(m11112|um(pbnr|baia))|l(i(bid53|teurl)|o(gid83|ctenv|kriet|opadd|adnew|tvecu|paman)|wstats|eonads|-state|kmpmlm|abormi)|4(56kill|w8loss)|v(a(vscan|fuiek|rmers)|mcodec|erzeih|kpleer|ilknew)|94saomm|807037(2|1))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631576; rev:9;) # sid 2631577 includes 567 (0 - 567) 8 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.com)"; content:"|08|";content:"|03|com|00|";nocase;within: 11;pcre: 
"/(4(softget|23adobe)|t(v(-codec|codecs|scodec|xffjgu)|heoreon|r(edinsa|aff(low|alo|box))|a(nusito|obaoot)|g(bfiles|sfw7sr)|i(bgtswe|anheby)|e(rrimlo|st-biz)|uwcuuuj|cpaidui|ds4self|op4scan)|u(cleaner|incodec|p(date(34|ad)|r15may)|tl-jobs|zrwvzfe|v(eovbef|joqbef)|serzeus)|v(irusray|av-scan|m-codec|cdrwyia|hxfbwft|yuiwltf|ucewxgw|vgpiram|okcrash|e(stelia|rivell))|c(o(de(cvip|mega)|m(e(infx|food)|otech)|okie68|nfig73|ralarm)|r(ewsins|imrgay)|c(poweri|cpbuck)|a(s(h5678|al192)|tsharp|rvertv|hoot(1(4|7)|5(0|5|7)|6(2|5)|7(0|2)|89))|u(msshut|tedayz)|yhawkco|h(inabnr|e(viram|mist2))|kujcgxi|l(i(ckbnr|ent46)|assmts)|pushpop|softddl|-naver2|elebs69|bhbooks|iynbjwm|vgv(6bef|fbef))|d(a(mndskj|jia789|vi(zinx|dius))|e(signdm|fvirus|nsmail|-burda)|i(genaro|vaporn|rect84)|kebooks|o(lookup|-t-h-e|wncode)|ru(gs(-(cv|sh)|xdr)|mcash)|vaznaka|c(iman32|vivutj)|feuyerl|yjomzyz)|h(o(me-xxx|t(popup|vid(44|55|66))|stpool)|a(steman|n(dou88|sali4)|oxia18|ck-icq)|ujashka|q(ticket|jazhyd)|yperadw|i(wmjqsn|5-book)|njzluwh|rmirvid|bjhejsc|vgbkbef|d-codec)|i(mmunizr|n(festop|thevip|munepc|whores|crates|dex333)|webland|stnight|ddgtvfc|byebecd|e(e(xtend|nttio)|newbar|xujguw)|paguide|rs-2009|v(hc7bef|efound)|ioo4567|zhangye)|3xmaster|b(lackroz|s(ijdjvv|plware)|a(kel(ita|oaf)|nner82|rhkuuu)|igadnet|nrcntrl|o(ywhole|okskys|bmassa)|u(tfcwji|ndlext|idnote)|dhgvjht|rizcafe)|f(eiyu666|a(rm(egen|mext)|ceseee)|o(ckfock|torsge|xproff|undwow)|u(nny-08|tusvet)|g(ienrsi|peinwq)|zbegqnl|lippibi|i(lm-man|kjugsg|higxeb)|cuebook|tpgeoit)|k(ykbonsa|illload|a(t(ynude|ibeth)|everak|uitour)|o(rundas|lpinik)|veecbef|wddfxte|q-china)|p(v(gadget|fjgram|jj(9bef|lbef))|i(terseo|nakola)|o(hayder|r(n(thum|okit)|tadrd)|s(tecit|ofler)|dbitka|lotomo)|a(n(el911|amere|ties3)|ypopup)|h(armasn|pnet77)|pstream|r(o(codec|4scan)|poqpsy)|lp-free|defzone)|r(e(g(clean|fixit)|pare(ja|ya)|toneva|alimgz|winzie|ycross)|u(ndll(41|92)|sibank)|x-white|o(i-labs|asocks)|a(y4scan|indrip))|w(e(llbate|b(1inst|2inst|3inst|4inst|s(scan|rv09)))|awadisk|uz
hixin|mptools|i(nbabes|le-exe)|tcsites|w(qwseed|w-svc7|zhbxgs)|v(bq(pbef|ubef)|cqcram|hqkram|vexfux)|orldbob)|6(10times|75adobe|85adobe|37login|54panel|may2009)|a(d(optium|biomed|g(urman|oblin)|ult(app|-(go|sn)|mac|t(he|ow))|zyclon|vertyz|word71|sitelo|nsline|emails|detect)|bccodec|cidhost|l(fa(porn|foxx)|ertspy|deanos)|mazeass|n(y(traff|scan6|6scan)|imal36)|v(seguro|myscan|etbbef|jttbef)|u(tocaes|ntbody)|xelfoto|s(pssl63|2008dl)|ttomega|abb1122|ijingru|extubxn|freexxx|olpound|ksajans|r(o-auto|t-(valy|kyiv)))|g(a(lste(am|en)|munkul)|u(sanito|ardlab)|t-(funny|stars)|iv(uifib|egate)|o(n(zoltd|esite)|scan(pc|it)|go(movz|vidz)|tclipz|lfinau|runger)|sjcwekg|ffsfpey|rogster|vfa(5bef|dbef)|ckivkdx)|m(a(x-gate|ladate|natero|in(ssrv|-dns)|kotoro)|i(arroba|troces|jafolu|daddle|ndseti)|p3sland|yp(c1004|age12)|m(codecs|-warez)|s(shamof|vbvm50|cracks|kphoto)|o(vsdlls|ykamin)|tioebso|e(killer|fenydz)|ultimpp)|s(a(ckhost|vamigo|udi777)|c(lgntfy|ript46|an(6new|mix4|4(mix|ray)|top4))|o(idudrf|syomat|ft(dnss|omet))|p(y(snipe|bitch)|ae(ntri|ioer)|lo2day)|ta(r(tnow|s-08)|venic|t-run)|u(bloads|pertds)|e(elearn|arch(42|rr)|result)|m(ittfri|sluogo)|qmnoopt|iteid(64|38)|dnalgae|s(lnet72|c-club)|ha(keril|ns-ua)|btalilx|yqxvsid|vcm(rbef|wbef)|gdldns1|wwfight|0l1ng3n|kystels)|0(1478963|scanner|0119922)|2(bepower|dayhost|828hfdy)|5(-search|4(5adobe|35core)|may2009)|9(11traff|87(adobe|panel))|e(8675309|arngate|b(genius|n-tube)|n(d(codec|solar)|code72)|r(rordns|cdebts)|tu-cash|x(bugger|e-prod|powale|celout)|z(styler|ivhnbt)|f(fort08|reesky)|wwxbhdh|dgmdxtr|pwqbyya|v(dxybef|ix8bef)|gangoff|szafiry)|j(et(codec|adwor|ztips)|xxzldxx|-naver2|o(in5678|omcash|barack)|sappdad|c(kxjcux|pallet)|ustfree|vid(jbef|obef)|dhvhevg|ambaboo|izhouhx)|l(a(panaka|derses|zymp3z)|eading4|i(onclix|n(enetz|-long))|o(wsmell|cale48|mianki)|yox-lib|vaf(fbef|nbef)|uckffxi)|o(r(uripea|yitugf)|k2bstr8|ffgirls|psfiles|irerbio|veieram|nestar5|braczki|mizerto)|q(wert285|i(uxuegm|weroqw|cai818)|mkaanta|uickcnt|jvtczqu|azextra|vak
sbef)|x(crhefvz|eroporn|p(s(hield|ecure)|-(guard|extra)|a(codec|s2009)|bcodec|mcodec|ornsex|tcodec|xcodec)|warezzz|-muiste|xlmpegs|virmram|inerdun|t(jhvcjh|uberpl)|h-intra)|y(our(jizz|went)|mctygco|uan-tai|dspread|pouaypu|vds(qbef|tbef))|n(ihao(rr1|112|el3)|tsearch|a(meself|ffsdas)|swpower|u(clear3|ovosms)|o(nnamee|tvirus|wscan6|adware)|mftyate|e(w(s(can6|bot2|kyag)|7scan)|t(spond|fetch))|v(dhcram|hh(hbef|mbef)))|1(23mania|14(anhui|graph)|8022009|-cancer)|z(irvehit|tioydng|eterods|onement)|876panel)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631577; rev:9;) # sid 2631578 includes 600 (0 - 600) 9 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.com)"; content:"|09|";content:"|03|com|00|";nocase;within: 12;pcre: "/(i(e(updates|warning|-search)|-halifax|m(agesrvr|ergeyou)|reckless|n(gavirus|ncoming|t(way587|e(r(vidd|movz)|lfarm)|hestat)|viadati|fodist1)|g(xdfdfds|jplauno)|dnserror|fastseek|p(chicken|shougou)|wi5fgves|kfjcketn|jthszjlb|hgcxianj|belgique)|t(v-codecs|h(e(zirius|spybot|newpic)|ink-adz|mbunjmd)|servidor|yc0traf0|r(aiplexi|ue6scan|datasft)|ateterop|o(p(virgin|-young)|mohappy)|ubeloyal|ex(asvino|tnchat)|woserver|imesmeta)|v(i(rus(heal|fall|nuke|melt)|pasotka|dzwares|vaextra)|o(mbacash|ltsuper)|-codec18|m(codec18|pmedias)|jofunjmd|hepxlanj)|z(oldgonit|ipitover|b-system|appinads|p304ju3z|x5fxluya|elensoft)|c(o(dec(vids|pl(ay|us)|-fun|name|host|slib)|mp(adult|porno)|-search|okieadw)|h(nsystem|minuten|e(ngjitj|zswing)|artseye|inakofo)|r(e(amlips|dabill)|uelhome)|u(teporns|mbridge|stomlod|estausa)|l(siduser|-amg-63)|dm1djeni|pi2launo|fjmlauno|cqmjcthr|ashpanic|gpay0406)|m(i(lk0soft|g29here|teodemo|r(sosoft|xdkbat)|ngwater)|s(updater|scanner)|e(ga(dwarf|scan4)|anquiet|diabspl)|pggadget|o(vhelper|oncodec)|mcounter|a(sterbar|p-ref95|inscan6)|yt(hahost|op-xxx)|lodapara)|n(e(w(porntv|avante|hotvid)|battoti|egzlh35|ro(giena|-2008)|t-intra)
|sworklab|ashepivo|i(c(ecodec|leaner)|t(iloqka|rotros))|urdeinpc|midahena|o(pagedns|lagtime|spam-ns))|s(e(x(mosaic|-abses)|curebbb|arch(pia|ant))|py(watche|schutz)|t(arfeed1|gsfw7sr|epscan6)|livtraf1|a(bpolies|fetywww)|g(lyunjmd|product)|ky(colder|pe-fly)|overoste|can(4(ever|note)|data4|6(main|tool|fast|step)|best6|line6|step6)|yst(guard|emjud)|uptullog)|1(72127112|0(3092804|c0ka49t)|yyyyxxxx|2(3spywar|xinsoft)|480et258|14baines|-mas2009)|e(balashka|fvz-xcrh|m(oney-ex|ulehome|ralauno)|n(chancer|ejkbdve)|r(acheisa|rors404|stesips|enlerim)|stserv01|u-insure|x(trablow|pertalt)|yigehght|kerberos|hwvunjmd|lbusines|ptylugip|z-finder|du2kbdve|ver(6scan|ylog1))|f(a(st(-look|inate)|irukyua|j4ehght|rboards)|-con(sgrp|cord)|e(lfixare|staaqui|aralert)|i(ksdinpc|re(brown|porno)|nkolios|zplauno|ll-moms)|k(lgjslkj|e5nnp8m)|l(ycodecs|w(player|helper)|uxbucks)|reebmwx3|qmgdjeni|oggamtwe|u(adrenal|ck-lady))|p(2passion|i(zdashka|lls(2day|tree)|e-maker)|lanetcnc|arranoik|c(bewaker|eternel|-futter|toolpro|leanser|antispy)|r(icetrim|essrose|o(adware|-extra)|adotour)|o(r(n(brake|-(comp|view)|jango|o(g(rab|uns)|-tds|zver)|debug)|eibrsu|t(ulote|enotu))|s(estory|tepsoe|hlivse)|pingred)|sbill-(bs|cs|hd|sh)|-o-r-n-0|e(stwiper|rsdata7)|n3ekq976|hotos-id|yrisiman|pihelper)|w(eb(soft-(a|b)|probar|readon)|in(ifixer|qfixer|xcodec)|pupdates|a(phunjmd|gerpond)|ww-(skycn|17173)|opayment|tssurvey)|a(a(athemes|q2jcthr|fawards)|b(b-girls|c(-adult|depage)|svdfd87)|d(2profit|comatoz|nserror|poolnet|redired|s(olutio|n(unjmd|iffer))|ult(comp|-(sea|tds|use))|warepro|juncnet|vertbnr|d(-aware|riller)|-logics|ore(poem|song))|erodread|l(ex-vids|l(hqporn|thexxx|-(traff|index)|mygems|spaces)|phadoll|wayssam)|m(erytrad|g-cargo|xtravel|hvcketn)|n(almaids|sadhost|ti(vir64|tests|spyme)|yygfxes|rdlauno|dysgame)|-n-(d-the|k-o-r)|p(ice-snn|owerbar|leprodr)|o(lmaster|yafgves)|r(goshude|jahevif)|v(i(helper|plugin)|alonpay|-(xp2008|lookup)|proscan|scanpro|xp-2008|tode777)|s(centive|laskfds|-xp2009|xpnames|trumavr|sisback|vpa
yout)|y(kjfgves|rgamtwe)|qlgdjeni|725jv8ik|uf-jeder|gu4idfir|irplugin|tom4scan|wconsult|ckerbell|13092008|22092008)|b(a(hiaserv|n(dateam|nerupd)|s(samtwe|dzsdas)|ck(thoud|stats))|o(omlance|v2bllev)|pmuebles|cash-ddt|d(dr-cash|ydcketn)|nr(compro|basead)|b(jvehght|tv-chat)|kgpfgves|r(prbgok6|oken-tv)|usyfgves|e(s(hragos|t(adore|scan7))|tpunjmd)|fiinwach|goryomek|igmyfuck|mw3coupe)|d(r(pcclean|iveporn)|a(suanban|ohang08|ta6scan)|b(oshserv|yonetim|domaine|ralauno)|e(mo(codec|extra)|ntalmba|s(-group|ignety|klinks)|taripea|fault37|athtaxi)|j-studio|m(ns4sale|iafgves)|ns(4error|bakler|future|errorz)|o(bondage|ctorkei|tmanimg|ugansss|lcevido|maincld)|vd(-codec|ahappy|ladnse)|sfswweas|ieytemsn|8ri1iz5d|hxjkbdve|uplozavr)|g(am(e(house|rival|codec|icity)|aniatw)|icoupler|o(desktop|-iascan|t(videoz|ipscan)|anyscan|scan(bay|web)|wayscan|newscan|fanscan|luxscan|genscan)|t(-movies|rrrreee)|cashback|r(eeetthh|andtraf|gdidfir|uzzilla)|watturar|gqvehght|etsg2008|sagcketn|uiltydns|f(dsgf333|ksamtwe)|huvidfir|-vantage)|j(etseeker|inantogo|oytravel|ust(-tube|urgon)|cc9unjmd|lgvcketn|rdmgfxes|nlyf96v4|hz3launo)|r(otatemeh|e(alsunix|n(us2008|omicji)|dir(1805|3105))|a(vepills|rambler)|undll841|zowqlvco)|2(02124388|--google|coxi8sb6|omitunen|3(49panel|setting)|47orders)|7(77-teens|azwmrsg5|36signin|65access)|924329928|h(a(lla-tri|sdoneit|o(qq1680|ya0909)|r5launo|ppy-fxs)|e(ro(codec|extra)|mjewels)|o(st(filez|swiss)|t-(sexpt|plays)|p(e(ndaso|extra)|s-part)|mescan4)|uramigun|q(-videoz|uvkbdve)|hr2ehght|tb4cketn|ilotavus)|k(ey-codec|yoiireza|vmsecure|i7wvgauf|orienado|litegold)|l(a(vlinsky|2planet|stlabel)|unosoftb|edhatohu|i(te(-corp|6scan)|eshazhe)|qir6s2eo|h(aex9edc|jfxwanj)|ocatedin|ds-amdin)|o(n(e-clean|safepro)|rthelike|p(enmenow|tionyst)|ymomahon|linredr2)|q(weqweqwe|ejuunjmd|06ciwt60|uest4goa)|u(n(irivall|-secret)|p(date(bnr|-xp)|gradead)|hjnxredc|snewnews|rbanfear|gochaves)|x(erocodec|i(n(niankl|huanet)|axia12l)|p(-(shield|police)|as-2009)|bqjunjmd|hcqxdedc|xxxgvtaa|vydesign|17012009)
|y(ou(utubee|tube-(r|s)|radore)|mct-ygco|etresult)|4(ourtraff|utraffic|9control)|5(nt(29884j|5r3keh)|97update|86523333)|33control|06may2009)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631578; rev:9;)
# NOTE(review): sid 2631579 continues the 9-character ".com" bucket. Its index range is
# 601 - 614 where sid 2631578 covers 0 - 600, which suggests the generator starts a new rule
# after 600 entries (TODO confirm in the generator). Both rules carry the same msg text, so
# alerts from the two can only be told apart by sid.
# sid 2631579 includes 13 (601 - 614) 9 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.com)"; content:"|09|";content:"|03|com|00|";nocase;within: 12;pcre: "/(firebit32|ribboninn|s(uprotect|heep-crc|zederjei)|toomouths|z(eus-logs|ss5dfggd)|cleanmyos|efreeflow|indidrugs|loots-leg|maujidoon)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631579; rev:9;)
# NOTE(review): the pcre in these rules has no anchor and no relative (R) modifier, so it is
# searched across the whole payload rather than the label found by the two content matches.
# Constructed example for the rule below: a query such as weather.abc.cx contains "ath" in its
# host label, so if the content matches succeed on "abc" + ".cx" the rule would alert although
# abc.cx is not the listed domain. Check the queried name in the packet before acting on a hit.
# For two-letter TLDs the encoded suffix is 4 bytes (e.g. "|02|cx|00|"), yet within is still
# label length + 3 (3 -> 6, 10 -> 13), the same offset the ".com" rules use (9 -> 12) with a
# 5-byte suffix. Replay a capture of a plain LABEL.TLD query to confirm the suffix can match
# directly after a label of the stated length - TODO verify.
# sid 2631580 includes 1 (0 - 1) 3 character domains in the ".cx" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.cx)"; content:"|03|";content:"|02|cx|00|";nocase;within: 6;pcre: "/ath/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631580; rev:9;)
# sid 2631581 includes 1 (0 - 1) 10 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.cz)"; content:"|0a|";content:"|02|cz|00|";nocase;within: 13;pcre: "/aquasphere/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631581; rev:9;)
# sid 2631582 includes 1 (0 - 1) 11 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.cz)"; content:"|0b|";content:"|02|cz|00|";nocase;within: 14;pcre: "/bezproudoff/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631582; rev:9;)
# sid 2631583 includes 3 (0 - 3) 12 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.cz)"; content:"|0c|";content:"|02|cz|00|";nocase;within: 15;pcre: "/(salonpavlina|ceskyjiretin|fotbalzasova)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631583; rev:9;)
# sid 2631584 includes 1 (0 - 1) 14 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.cz)"; content:"|0e|";content:"|02|cz|00|";nocase;within: 17;pcre: "/atlantis-party/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631584; rev:9;)
# sid 2631585 includes 2 (0 - 2) 15 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.cz)"; content:"|0f|";content:"|02|cz|00|";nocase;within: 18;pcre: "/a(iredaleterrier|lternativateam)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631585; rev:9;)
# sid 2631586 includes 1 (0 - 1) 16 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.cz)"; content:"|10|";content:"|02|cz|00|";nocase;within: 19;pcre: "/autodopravaskoda/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631586; rev:9;)
# sid 2631587 includes 3 (0 - 3) 4 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.cz)"; content:"|04|";content:"|02|cz|00|";nocase;within: 7;pcre: "/cs0(1|3|7)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631587; rev:9;)
# sid 2631588 includes 6 (0 - 6) 5 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.cz)"; content:"|05|";content:"|02|cz|00|";nocase;within: 8;pcre: "/(certi|i(c-hk|d017|mpol)|komik|bufur)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631588; rev:9;)
# NOTE(review): matching is on the second-level label plus TLD only, so any hostname under a
# listed domain alerts. Labels that read like shared services ("dyndns" in sid 2631589,
# "hotspot" in sid 2631590) may cover many unrelated hostnames - presumably intended by the
# blocklist, but corroborate such hits before treating them as trojan-activity.
# sid 2631589 includes 6 (0 - 6) 6 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.cz)"; content:"|06|";content:"|02|cz|00|";nocase;within: 9;pcre: "/(id-(x0(2|3)|ref)|autokd|cistus|dyndns)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631589; rev:9;)
# sid 2631590 includes 5 (0 - 5) 7 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.cz)"; content:"|07|";content:"|02|cz|00|";nocase;within: 10;pcre: "/(strazny|c(lrtemp|ernvir)|id-rt02|hotspot)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631590; rev:9;)
# sid 2631591 includes 1 (0 - 1) 8 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.cz)"; content:"|08|";content:"|02|cz|00|";nocase;within: 11;pcre: "/drinkbar/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631591; rev:9;)
# sid 2631592 includes 2 (0 - 2) 9 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.cz)"; content:"|09|";content:"|02|cz|00|";nocase;within: 12;pcre: "/(ambergold|bauerpetr)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631592; rev:9;)
# NOTE(review): every rule here inspects UDP to $DNS_SERVERS port 53 from hosts outside
# $SMTP_SERVERS and $DNS_SERVERS. Lookups over TCP/53, or sent to resolvers that are not in
# $DNS_SERVERS, are not covered; keep that gap in mind when relying on this set for coverage.
# sid 2631593 includes 3 (0 - 3) 10 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.de)"; content:"|0a|";content:"|02|de|00|";nocase;within: 13;pcre: "/(aetopoulos|voxinterna|jingle4you)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631593; rev:9;)
# sid 2631594 includes 3 (0 - 3) 11 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.de)"; content:"|0b|";content:"|02|de|00|";nocase;within: 14;pcre: "/(clear-clean|sabineanton|ugm-records)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631594; rev:9;)
# sid 2631595 includes 2 (0 - 2) 12 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.de)"; content:"|0c|";content:"|02|de|00|";nocase;within: 15;pcre: "/(tch-clubhaus|planet-bitch)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631595; rev:9;)
# sid 2631596 includes 1 (0 - 1) 13 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.de)"; content:"|0d|";content:"|02|de|00|";nocase;within: 16;pcre: "/cell-profiler/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631596; rev:9;)
# sid 2631597 includes 1 (0 - 1) 14 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.de)"; content:"|0e|";content:"|02|de|00|";nocase;within: 17;pcre: "/mitfahr-portal/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631597; rev:9;)
# sid 2631598 includes 3 (0 - 3) 15 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.de)"; content:"|0f|";content:"|02|de|00|";nocase;within: 18;pcre: "/(hot-chilli-shop|firma-thummerer|outwork-for-you)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631598; rev:9;)
# sid 2631599 includes 1 (0 - 1) 16 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.de)"; content:"|10|";content:"|02|de|00|";nocase;within: 19;pcre: "/jugendtanzgruppe/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631599; rev:9;)
# sid 2631600 includes 1 (0 - 1) 17 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.de)"; content:"|11|";content:"|02|de|00|";nocase;within: 20;pcre: "/nawaro-management/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631600; rev:9;)
# sid 2631601 includes 1 (0 - 1) 18 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.de)"; content:"|12|";content:"|02|de|00|";nocase;within: 21;pcre: "/garagentore-frawia/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631601; rev:9;)
# sid 2631602 includes 2 (0 - 2) 20 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.de)"; content:"|14|";content:"|02|de|00|";nocase;within: 23;pcre: "/(klapperstorch-dienst|porzellanklinik-hinz)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631602; rev:9;)
# sid 2631603 includes 1 (0 - 1) 22 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.de)"; content:"|16|";content:"|02|de|00|";nocase;within: 25;pcre: "/hallenfussballfestival/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631603; rev:9;)
# sid 2631604 includes 1 (0 - 1) 28 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 28 chars (.de)"; content:"|1c|";content:"|02|de|00|";nocase;within: 31;pcre: "/baessler-befestigungssysteme/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631604; rev:9;)
# sid 2631605 includes 1 (0 - 1) 5 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.de)"; content:"|05|";content:"|02|de|00|";nocase;within: 8;pcre: "/f-cat/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631605; rev:9;)
# sid 2631606 includes 1 (0 - 1) 6 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.de)"; content:"|06|";content:"|02|de|00|";nocase;within: 9;pcre: "/tusset/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631606; rev:9;)
# sid 2631607 includes 3 (0 - 3) 7 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.de)"; content:"|07|";content:"|02|de|00|";nocase;within: 10;pcre: "/(snoopen|googler|limitin)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631607; rev:9;)
# sid 2631608 includes 3 (0 - 3) 8 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.de)"; content:"|08|";content:"|02|de|00|";nocase;within: 11;pcre: "/(dms-clan|lightfly|jingle4u)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631608; rev:9;)
# sid 2631609 includes 4 (0 - 4) 9 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.de)"; content:"|09|";content:"|02|de|00|";nocase;within: 12;pcre: "/(dr-mickel|noobskill|santuario|engekurda)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631609; rev:9;)
# sid 2631610 includes 1 (0 - 1) 10 character domains in the ".dk" top level domain
alert udp 
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.dk)"; content:"|0a|";content:"|02|dk|00|";nocase;within: 13;pcre: "/hoj-design/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631610; rev:9;) # sid 2631611 includes 2 (0 - 2) 13 character domains in the ".dk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.dk)"; content:"|0d|";content:"|02|dk|00|";nocase;within: 16;pcre: "/(duka-coaching|vad-mortensen)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631611; rev:9;) # sid 2631612 includes 1 (0 - 1) 5 character domains in the ".ec" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ec)"; content:"|05|";content:"|02|ec|00|";nocase;within: 8;pcre: "/agama/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631612; rev:9;) # sid 2631613 includes 1 (0 - 1) 6 character domains in the ".ee" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ee)"; content:"|06|";content:"|02|ee|00|";nocase;within: 9;pcre: "/enimex/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631613; rev:9;) # sid 2631614 includes 2 (0 - 2) 8 character domains in the ".ee" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ee)"; content:"|08|";content:"|02|ee|00|";nocase;within: 11;pcre: "/(freshcom|albatros)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631614; rev:9;) # sid 2631615 includes 1 (0 - 1) 10 character domains in the ".es" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.es)"; content:"|0a|";content:"|02|es|00|";nocase;within: 13;pcre: "/pornocruto/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2631615; rev:9;) # sid 2631616 includes 6 (0 - 6) 11 character domains in the ".es" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.es)"; content:"|0b|";content:"|02|es|00|";nocase;within: 14;pcre: "/(defelopour(1|2|3|4|5)|readyonline)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631616; rev:9;) # sid 2631617 includes 1 (0 - 1) 12 character domains in the ".es" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.es)"; content:"|0c|";content:"|02|es|00|";nocase;within: 15;pcre: "/defelopour61/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631617; rev:9;) # sid 2631618 includes 2 (0 - 2) 13 character domains in the ".es" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.es)"; content:"|0d|";content:"|02|es|00|";nocase;within: 16;pcre: "/(amancioortega|hotelgoldcard)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631618; rev:9;) # sid 2631619 includes 1 (0 - 1) 16 character domains in the ".es" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.es)"; content:"|10|";content:"|02|es|00|";nocase;within: 19;pcre: "/decomarmolcuenca/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631619; rev:9;) # sid 2631620 includes 3 (0 - 3) 4 character domains in the ".es" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.es)"; content:"|04|";content:"|02|es|00|";nocase;within: 7;pcre: "/0(1(07|75)|307)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631620; rev:9;) # sid 2631621 includes 12 (0 - 12) 6 character domains in the ".es" top level domain alert udp 
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.es)"; content:"|06|";content:"|02|es|00|";nocase;within: 9;pcre: "/(losao(0|1|2|3|5|8|9)|rad(io5|uo4)|newsit|pro(mo2|vis))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631621; rev:9;) # sid 2631622 includes 2 (0 - 2) 7 character domains in the ".es" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.es)"; content:"|07|";content:"|02|es|00|";nocase;within: 10;pcre: "/(dastin1|urresti)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631622; rev:9;) # sid 2631623 includes 7 (0 - 7) 8 character domains in the ".es" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.es)"; content:"|08|";content:"|02|es|00|";nocase;within: 11;pcre: "/torbirt(1|4|5|6|7|8|9)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631623; rev:9;) # sid 2631624 includes 9 (0 - 9) 9 character domains in the ".es" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.es)"; content:"|09|";content:"|02|es|00|";nocase;within: 12;pcre: "/platoniv(1|2|3|4|5|6|7|8|9)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631624; rev:9;) # sid 2631625 includes 3 (0 - 3) 10 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.eu)"; content:"|0a|";content:"|02|eu|00|";nocase;within: 13;pcre: "/(eurogoogle|newfriends|katamaking)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631625; rev:9;) # sid 2631626 includes 3 (0 - 3) 11 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.eu)"; 
content:"|0b|";content:"|02|eu|00|";nocase;within: 14;pcre: "/(mode-sstr04|beautybooty|stahuj-foto)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631626; rev:9;) # sid 2631627 includes 3 (0 - 3) 12 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.eu)"; content:"|0c|";content:"|02|eu|00|";nocase;within: 15;pcre: "/(nesco-online|idrefnum-03s|tpminstitute)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631627; rev:9;) # sid 2631628 includes 2 (0 - 2) 13 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.eu)"; content:"|0d|";content:"|02|eu|00|";nocase;within: 16;pcre: "/cashtransfer(s|z)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631628; rev:9;) # sid 2631629 includes 1 (0 - 1) 14 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.eu)"; content:"|0e|";content:"|02|eu|00|";nocase;within: 17;pcre: "/cash-transfers/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631629; rev:9;) # sid 2631630 includes 2 (0 - 2) 15 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.eu)"; content:"|0f|";content:"|02|eu|00|";nocase;within: 18;pcre: "/(medicalworldinc|switzerlandgirl)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631630; rev:9;) # sid 2631631 includes 6 (0 - 6) 16 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.eu)"; content:"|10|";content:"|02|eu|00|";nocase;within: 19;pcre: 
"/(medical(jobsgroup|worldlink)|themedicalmarket|wellnesssurgical|byronadvertising|switzerlandpussy)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631631; rev:9;) # sid 2631632 includes 2 (0 - 2) 18 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.eu)"; content:"|12|";content:"|02|eu|00|";nocase;within: 21;pcre: "/(medicalhealthdeath|womenmedicalcenter)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631632; rev:9;) # sid 2631633 includes 1 (0 - 1) 19 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.eu)"; content:"|13|";content:"|02|eu|00|";nocase;within: 22;pcre: "/advancedcaremedical/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631633; rev:9;) # sid 2631634 includes 1 (0 - 1) 20 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.eu)"; content:"|14|";content:"|02|eu|00|";nocase;within: 23;pcre: "/americanmedicalguide/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631634; rev:9;) # sid 2631635 includes 3 (0 - 3) 4 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.eu)"; content:"|04|";content:"|02|eu|00|";nocase;within: 7;pcre: "/(asp4|cfm3|sec8)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631635; rev:9;) # sid 2631636 includes 10 (0 - 10) 5 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.eu)"; content:"|05|";content:"|02|eu|00|";nocase;within: 8;pcre: "/(dns71|ssl28|a(sp28|pi07)|rid54|18err|91tmp|lhlh1|niiii|bleee)/i"; 
classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631636; rev:9;) # sid 2631637 includes 6 (0 - 6) 6 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.eu)"; content:"|06|";content:"|02|eu|00|";nocase;within: 9;pcre: "/(cdport|type53|09init|9frame|dfilii|wtlili)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631637; rev:9;) # sid 2631638 includes 2 (0 - 2) 7 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.eu)"; content:"|07|";content:"|02|eu|00|";nocase;within: 10;pcre: "/(esthost|netmsg5)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631638; rev:9;) # sid 2631639 includes 3 (0 - 3) 8 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.eu)"; content:"|08|";content:"|02|eu|00|";nocase;within: 11;pcre: "/(cevapcic|nastatku|seotraff)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631639; rev:9;) # sid 2631640 includes 6 (0 - 6) 9 character domains in the ".eu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.eu)"; content:"|09|";content:"|02|eu|00|";nocase;within: 12;pcre: "/(unixfreez|d(ream-ads|lls-id01)|mdll-it11|idsrt-d02|bjpagency)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631640; rev:9;) # sid 2631641 includes 1 (0 - 1) 10 character domains in the ".fr" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.fr)"; content:"|0a|";content:"|02|fr|00|";nocase;within: 13;pcre: "/01systemes/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631641; rev:9;) # sid 2631642 includes 1 (0 - 1) 
15 character domains in the ".fr" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.fr)"; content:"|0f|";content:"|02|fr|00|";nocase;within: 18;pcre: "/chantal-carlioz/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631642; rev:9;) # sid 2631643 includes 1 (0 - 1) 17 character domains in the ".fr" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.fr)"; content:"|11|";content:"|02|fr|00|";nocase;within: 20;pcre: "/fauteuils-massage/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631643; rev:9;) # sid 2631644 includes 1 (0 - 1) 19 character domains in the ".fr" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.fr)"; content:"|13|";content:"|02|fr|00|";nocase;within: 22;pcre: "/bowlingclublimousin/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631644; rev:9;) # sid 2631645 includes 3 (0 - 3) 6 character domains in the ".fr" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.fr)"; content:"|06|";content:"|02|fr|00|";nocase;within: 9;pcre: "/(ipag63|knoweb|neobts)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631645; rev:9;) # sid 2631646 includes 1 (0 - 1) 8 character domains in the ".fr" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.fr)"; content:"|08|";content:"|02|fr|00|";nocase;within: 11;pcre: "/bakaneko/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631646; rev:9;) # sid 2631647 includes 1 (0 - 1) 1 character domains in the ".gd" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 1 chars (.gd)"; 
content:"|01|";content:"|02|gd|00|";nocase;within: 4;pcre: "/a/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631647; rev:9;) # sid 2631648 includes 1 (0 - 1) 3 character domains in the ".ge" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.ge)"; content:"|03|";content:"|02|ge|00|";nocase;within: 6;pcre: "/get/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631648; rev:9;) # sid 2631649 includes 1 (0 - 1) 6 character domains in the ".gr" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.gr)"; content:"|06|";content:"|02|gr|00|";nocase;within: 9;pcre: "/hayvan/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631649; rev:9;) # sid 2631650 includes 1 (0 - 1) 9 character domains in the ".gr" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.gr)"; content:"|09|";content:"|02|gr|00|";nocase;within: 12;pcre: "/taxheaven/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631650; rev:9;) # sid 2631651 includes 1 (0 - 1) 3 character domains in the ".gs" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.gs)"; content:"|03|";content:"|02|gs|00|";nocase;within: 6;pcre: "/nop/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631651; rev:9;) # sid 2631652 includes 3 (0 - 3) 5 character domains in the ".gs" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.gs)"; content:"|05|";content:"|02|gs|00|";nocase;within: 8;pcre: "/(6func|78hit|cid49)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631652; rev:9;) # sid 2631653 includes 6 (0 - 6) 6 character domains in the ".gs" top level domain alert 
udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.gs)"; content:"|06|";content:"|02|gs|00|";nocase;within: 9;pcre: "/(39icmp|74path|login5|snmp52|51(apps|exec))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631653; rev:9;) # sid 2631654 includes 2 (0 - 2) 7 character domains in the ".gs" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.gs)"; content:"|07|";content:"|02|gs|00|";nocase;within: 10;pcre: "/(6secure|sslput7)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631654; rev:9;) # sid 2631655 includes 1 (0 - 1) 8 character domains in the ".gs" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.gs)"; content:"|08|";content:"|02|gs|00|";nocase;within: 11;pcre: "/7confirm/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631655; rev:9;) # sid 2631656 includes 1 (0 - 1) 12 character domains in the ".hk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.hk)"; content:"|0c|";content:"|02|hk|00|";nocase;within: 15;pcre: "/good-traffic/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631656; rev:9;) # sid 2631657 includes 1 (0 - 1) 15 character domains in the ".hk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.hk)"; content:"|0f|";content:"|02|hk|00|";nocase;within: 18;pcre: "/xn--ursa12-110l/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631657; rev:9;) # sid 2631658 includes 1 (0 - 1) 17 character domains in the ".hk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.hk)"; content:"|11|";content:"|02|hk|00|";nocase;within: 20;pcre: 
"/xn--hjk78-qo7mo3n/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631658; rev:9;) # sid 2631659 includes 3 (0 - 3) 5 character domains in the ".hk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.hk)"; content:"|05|";content:"|02|hk|00|";nocase;within: 8;pcre: "/(fgh(45|67)|losao)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631659; rev:9;) # sid 2631660 includes 2 (0 - 2) 6 character domains in the ".hk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.hk)"; content:"|06|";content:"|02|hk|00|";nocase;within: 9;pcre: "/(host56|usrv03)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631660; rev:9;) # sid 2631661 includes 1 (0 - 1) 8 character domains in the ".hk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.hk)"; content:"|08|";content:"|02|hk|00|";nocase;within: 11;pcre: "/usasrv01/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631661; rev:9;) # sid 2631662 includes 1 (0 - 1) 9 character domains in the ".hk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.hk)"; content:"|09|";content:"|02|hk|00|";nocase;within: 12;pcre: "/mynetwork/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631662; rev:9;) # sid 2631663 includes 1 (0 - 1) 4 character domains in the ".hr" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.hr)"; content:"|04|";content:"|02|hr|00|";nocase;within: 7;pcre: "/daka/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631663; rev:9;) # sid 2631664 includes 1 (0 - 1) 9 character domains in the ".hr" top level domain alert udp 
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.hr)"; content:"|09|";content:"|02|hr|00|";nocase;within: 12;pcre: "/microsoft/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631664; rev:9;) # sid 2631665 includes 1 (0 - 1) 10 character domains in the ".hu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.hu)"; content:"|0a|";content:"|02|hu|00|";nocase;within: 13;pcre: "/sportmedia/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631665; rev:9;) # sid 2631666 includes 1 (0 - 1) 8 character domains in the ".hu" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.hu)"; content:"|08|";content:"|02|hu|00|";nocase;within: 11;pcre: "/t-online/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631666; rev:9;) # sid 2631667 includes 1 (0 - 1) 6 character domains in the ".ie" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ie)"; content:"|06|";content:"|02|ie|00|";nocase;within: 9;pcre: "/isgorg/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631667; rev:9;) # sid 2631668 includes 1 (0 - 1) 6 character domains in the ".im" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.im)"; content:"|06|";content:"|02|im|00|";nocase;within: 9;pcre: "/ponbon/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631668; rev:9;) # sid 2631669 includes 3 (0 - 3) 10 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.in)"; content:"|0a|";content:"|02|in|00|";nocase;within: 13;pcre: "/(joporvatel|photo-host|naemnitibo)/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2631669; rev:9;) # sid 2631670 includes 2 (0 - 2) 11 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.in)"; content:"|0b|";content:"|02|in|00|";nocase;within: 14;pcre: "/(adrenalline|cityheights)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631670; rev:9;) # sid 2631671 includes 1 (0 - 1) 12 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.in)"; content:"|0c|";content:"|02|in|00|";nocase;within: 15;pcre: "/usersoftware/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631671; rev:9;) # sid 2631672 includes 1 (0 - 1) 15 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.in)"; content:"|0f|";content:"|02|in|00|";nocase;within: 18;pcre: "/trafficgateway1/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631672; rev:9;) # sid 2631673 includes 1 (0 - 1) 16 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.in)"; content:"|10|";content:"|02|in|00|";nocase;within: 19;pcre: "/agriculturetoday/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631673; rev:9;) # sid 2631674 includes 1 (0 - 1) 19 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.in)"; content:"|13|";content:"|02|in|00|";nocase;within: 22;pcre: "/messenger-messenger/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631674; rev:9;) # sid 2631675 includes 3 (0 - 3) 3 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] 
any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.in)"; content:"|03|";content:"|02|in|00|";nocase;within: 6;pcre: "/(pr1|ck1|s4d)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631675; rev:9;) # sid 2631676 includes 14 (0 - 14) 4 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.in)"; content:"|04|";content:"|02|in|00|";nocase;within: 7;pcre: "/(1url|7hex|c(acl|iqx)|r(bgt|klr)|spzr|i(abm|xcx)|atxh|g(asa|gmt)|hxzv|zsyr)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631676; rev:9;) # sid 2631677 includes 11 (0 - 11) 5 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.in)"; content:"|05|";content:"|02|in|00|";nocase;within: 8;pcre: "/(f(6cbf|1del)|e7da7|yo-yo|s(tred|sl81)|7stat|cid74|11tag|pclxl|barba)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631677; rev:9;) # sid 2631678 includes 9 (0 - 9) 6 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.in)"; content:"|06|";content:"|02|in|00|";nocase;within: 9;pcre: "/(1(parse|route)|34java|8frame|cache6|edit84|inject|wabimp|panmap)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631678; rev:9;) # sid 2631679 includes 3 (0 - 3) 7 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.in)"; content:"|07|";content:"|02|in|00|";nocase;within: 10;pcre: "/(arabica|wc-host|trialoc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631679; rev:9;) # sid 2631680 includes 4 (0 - 4) 8 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 
(msg:"SPYWARE-DNS DNS lookup 8 chars (.in)"; content:"|08|";content:"|02|in|00|";nocase;within: 11;pcre: "/(serial43|klanklan|gevitvox|agriexpo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631680; rev:9;) # sid 2631681 includes 4 (0 - 4) 9 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.in)"; content:"|09|";content:"|02|in|00|";nocase;within: 12;pcre: "/(escrowpay|cutrecord|junglemix|bestplace)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631681; rev:9;) # sid 2631682 includes 52 (0 - 52) 10 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.info)"; content:"|0a|";content:"|04|info|00|";nocase;within: 13;pcre: "/(d(a(w00dbhai|kara-rus)|otfreexxx|jdropzone)|top-pharma|a(bdula8833|-commando|nypicture|utomodelo)|e(bestagent|seconsult)|r(e(feratoff|view2009)|-security)|p(harmalife|orn2world)|s(earch(-(act|biz|hot)|exit|iice)|teelrains|ufujilisi)|vi(agrabest|deo-info)|y(our-needs|bgcjpnzts)|i1ii1ii11i|m(y-page-de|kfugrbowb)|h(ot(freexxx|ellives)|vagbqmtxp)|b(estofasia|ank4trade)|g(amersxpro|old-sutra)|uazwqaxlpq|w(tngipaynh|uzunxevor|wwdegrees)|f(rwaqecvqk|dns6mar09|irstplumb)|jjydznuzxu|k(nizhechka|olonochka)|new-videos|custom4all|l-security|onlinetube|1207477564)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631682; rev:9;) # sid 2631683 includes 53 (0 - 53) 11 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.info)"; content:"|0b|";content:"|04|info|00|";nocase;within: 14;pcre: 
"/(2searchsold|a(lw(aysproxy|ebsearch)|d(ult-forum|optserver)|ssparadise)|f(ree(dnshost|-6-fuck)|actor-free|ilmstvouty|srljjeemkr)|c(trlsystems|rapsbetter)|loadbalanse|d(nsfreehost|reamworkpa|olchivideo)|e(ffortclass|twnfisdkms|workingout|xpressdeal|mule-emule)|gosufootman|s(e(rbitoname|arch(-2008|4free|earth))|pywarelist|topgeorgia|uperioradz|afari-full)|01800mexico|p(o(rnlesteen|lfjymawjy)|edmeo222nb)|b(aran-eblan|l(yapizdets|owjoborgy)|obthejoker|iglendlive|dsm-movies)|v(erynicejob|azasaki-ji)|m(ysuperload|alwareconf)|rxpromotion|youtube-spy|x(lrqvoqmsxz|xxbestvids)|tqreftcjgzm|newprogress|keepongoing|hepofishycs)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631683; rev:9;) # sid 2631684 includes 29 (0 - 29) 12 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.info)"; content:"|0c|";content:"|04|info|00|";nocase;within: 15;pcre: "/(a(lwaysproxy2|reyouwissel|siansexporn|d(ult-datinq|aware-full)|v1-download)|cluster-club|e(bestcontest|-gold-games|lisoft-plus)|por(n--movies|cacom-dfd)|bubamubaches|s(earch(nclick|temple)|urfing4cash|pyware-file|opcast-plus)|videoxxx-emy|w(p-stats-php|ebsystemsec)|top(available|directory)|your-counter|i(nfidelirium|havemalware)|malwarefront|updateserver|directx-full)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631684; rev:9;) # sid 2631685 includes 36 (0 - 36) 13 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.info)"; content:"|0d|";content:"|04|info|00|";nocase;within: 16;pcre: 
"/(b(est(cardoffer|firestone)|r0wn-ey3s666|itcomet-(2009|plus))|youngpeyatech|a(fricamiracle|dultacnecure)|d(eletespyware|smemailslist|rops-checker|idierbrockly|directx-plus)|c(eldasdecarga|heckantiddos)|e(xchange(gauge|-keno)|mule-proyect)|inform1ongung|ramoneymayker|s(e(arch-galaxy|cure-update)|pyware-files)|u(niversecodec|torrent-plus)|w(orkpartnners|ww-kaspersky)|t(echsupporter|raffresearch)|m(i(croupdate80|llanchannel)|y(antispyware|officeguard))|o(phywmntzrtew|nlinesiteav1)|hostresellinc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631685; rev:9;) # sid 2631686 includes 31 (0 - 31) 14 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.info)"; content:"|0e|";content:"|04|info|00|";nocase;within: 17;pcre: "/(d(rugsandhealth|irectx-9-full)|quickfindparts|e(xchange-(craps|poker)|dwardhomepage|mule-gratuito)|g(mbh-inform-de|etsoftwarenow|o(ndolizo18483|ogle-analyze))|lukki6dnd2kdnc|p(harmdoctormed|orntubedirect)|b(powqbvcfds677|ittorrent-net)|west-video-(xxx|ass)|yourglobalsite|regedintheclub|kaspersky-full|a(v1-click-site|ngantivirus09|dult-you-tube)|houseoftreding|i(mage(-facebook|n-myspace)|explorer-full)|nkoreawarefare|messenger-2009|shdfas23uh2398)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631686; rev:9;) # sid 2631687 includes 33 (0 - 33) 15 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.info)"; content:"|0f|";content:"|04|info|00|";nocase;within: 18;pcre: 
"/(c(razyxxx3dworld|heckclick-site)|k(ukutrustnet(666|9(99|87)|777|888)|jwre9fqwieluoi)|ph(armcydirctory|otoscape-plus)|s(earch(123(direct|online)|-and-more)|pyware-systems)|a(apowqbvcfds677|bpowqbvcfds677|cpowqbvcfds677|d(powqbvcfds677|ultfr(eemarket|iendster))|ntivirus1-site)|freespywareware|ietipsandtricks|u(ncensored-p0rn|sedforspeedupb)|d(ownload-av2010|ivxplayer-full)|o(ffice2007-full|penoffice-plus)|bittorrent-plus|lime-wire-basic|m(essenger-msn-9|oviemaker-plus))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631687; rev:9;) # sid 2631688 includes 19 (0 - 19) 16 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.info)"; content:"|10|";content:"|04|info|00|";nocase;within: 19;pcre: "/(a(tmoffshorecards|llrightreserved|nti(virus(2008pro|-online)|spyware-2008)|d(d-block-filter|obereader-full))|exchangejackpots|f(actor(commission|-treatment)|reemalwarealert|lashplayer-plus)|g1ikddcvns3sdsal|internet-systems|best-protect-av1|divx-player-plus|mediaplayer-(full|plus)|tissuetransplant)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631688; rev:9;) # sid 2631689 includes 14 (0 - 14) 17 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.info)"; content:"|11|";content:"|04|info|00|";nocase;within: 20;pcre: "/(exchange-roulette|p(harmdoctoronline|iratas-numericos)|search-every-time|we-search-for-you|a(s(j(diweur87wsdcnb|idweur87wsdcnb)|djiweur87wsdcnb)|dobeacrobat-plus)|fulldownloadcrack|onlinedownloadav1|business-networks|click-my-download|3gpconverter-plus)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631689; rev:9;) # sid 2631690 includes 9 (0 - 9) 18 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS 
lookup 18 chars (.info)"; content:"|12|";content:"|04|info|00|";nocase;within: 21;pcre: "/(pissing-skills-avi|h(7smcnr1wlsdn34fgv|arrowonthehillsfk)|a(nti(virus-2008-pro|spyware-review)|v1-click-download)|google-video-codec|theuniquetraveller|messengerplus-2009)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631690; rev:9;) # sid 2631691 includes 12 (0 - 12) 19 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.info)"; content:"|13|";content:"|04|info|00|";nocase;within: 22;pcre: "/(herekittykittykitty|a(ll-hallows-evening|nti(virus1-download|-virus-2010-pro))|p(rofessional-tuning|lasticsurgeryworld)|b(alsfhkewo7i487fksd|est-click-download)|checkclick-download|me(diaplayer-classic|ssenger-messenger)|offsiteoptimization)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631691; rev:9;) # sid 2631692 includes 4 (0 - 4) 20 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.info)"; content:"|14|";content:"|04|info|00|";nocase;within: 23;pcre: "/jbal(afhkewo7i487fksd|bfhkewo7i487fksd|cfhkewo7i487fksd|dfhkewo7i487fksd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631692; rev:9;) # sid 2631693 includes 2 (0 - 2) 21 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.info)"; content:"|15|";content:"|04|info|00|";nocase;within: 24;pcre: "/(atreides-technologies|universal-video-codec)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631693; rev:9;) # sid 2631694 includes 3 (0 - 3) 22 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.info)"; 
content:"|16|";content:"|04|info|00|";nocase;within: 25;pcre: "/(you(r-alternative-email|tubedownloader-full)|download-antivirus2010)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631694; rev:9;) # sid 2631695 includes 2 (0 - 2) 24 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.info)"; content:"|18|";content:"|04|info|00|";nocase;within: 27;pcre: "/(antispyware2008-download|mybestantivirus-download)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631695; rev:9;) # sid 2631696 includes 1 (0 - 1) 25 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.info)"; content:"|19|";content:"|04|info|00|";nocase;within: 28;pcre: "/antispyware-2008-download/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631696; rev:9;) # sid 2631697 includes 1 (0 - 1) 26 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 26 chars (.info)"; content:"|1a|";content:"|04|info|00|";nocase;within: 29;pcre: "/downloads-best-antispyware/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631697; rev:9;) # sid 2631698 includes 1 (0 - 1) 27 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 27 chars (.info)"; content:"|1b|";content:"|04|info|00|";nocase;within: 30;pcre: "/download-best-antivirus2010/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631698; rev:9;) # sid 2631699 includes 1 (0 - 1) 29 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 29 chars (.info)"; 
content:"|1d|";content:"|04|info|00|";nocase;within: 32;pcre: "/anti-virus-2010-pro-downloads/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631699; rev:9;) # sid 2631700 includes 5 (0 - 5) 3 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.info)"; content:"|03|";content:"|04|info|00|";nocase;within: 6;pcre: "/(d0r|kv8|m5b|6lw|h3x)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631700; rev:9;) # sid 2631701 includes 26 (0 - 26) 4 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.info)"; content:"|04|";content:"|04|info|00|";nocase;within: 7;pcre: "/(x(xxy|fcg)|i(pv9|hos)|r(00x|sfq)|s(etx|p4m|gqw)|13fr|4iti|a(-cd|dop|gkt|7ii)|wd01|5iyy|c(c86|tuf)|l(epr|siu|tnc)|dvcd|unpc|oldv|tdxs)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631701; rev:9;) # sid 2631702 includes 37 (0 - 37) 5 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.info)"; content:"|05|";content:"|04|info|00|";nocase;within: 8;pcre: "/(g(icia|aher|otds)|hk365|l(eetz|ntop)|z(iziz|tgsd|avan)|a(lsgo|t(bug|jus)|hack|3451)|b(abla|idwm)|e(egar|gbet|zgog|mxmg|rewx)|p(pcan|fath|v(czx|den))|sicil|f(faqk|onzi|wkbt)|xcncp|wvmsa|omeia|88wyt|1m4ge|jump1|666pz|2you7)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631702; rev:9;) # sid 2631703 includes 45 (0 - 45) 6 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.info)"; content:"|06|";content:"|04|info|00|";nocase;within: 9;pcre: 
"/(b(rbody|azina)|s(tlinx|caned|mil3r|forge|eooss)|d(0d0n0|elikt)|f(1visa|oafau|reefl)|j(slib2|natek)|masgio|portki|reptar|1s(ense|peed)|2speed|a(lotro|rgvss)|c(yhawk|tfmon)|e(krito|ucigs|divid)|naship|g(g(gjjj|jdty)|dfcnt|etips)|idcads|z(slogs|o(osmv|dune))|traffo|7speed|hrypbb|litler|oloomz|w(pills|ovens)|xdsabc|3xpics)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631703; rev:9;) # sid 2631704 includes 48 (0 - 48) 7 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.info)"; content:"|07|";content:"|04|info|00|";nocase;within: 10;pcre: "/(3(65soft|xpussy)|d(i(egohp|nacnt)|e(kalab|ltauk)|umbtec|anunah)|farnero|h(i(tslog|ghjar)|ttpdoc|gfdujt|ugocnt|otvidz|xvyowd)|updatez|a(ckrite|gentmy|v-best)|g(a(yyree|lacnt)|eil-de|rabest|ivecnt)|k(alabok|rantik)|m(jakson|p3tube|urotex|s-scan)|v(olkoeb|i(lacnt|rtyoz)|wmwpcs)|chcpdns|xprmn4u|w(omanht|mrgzac)|p060523|s(8marta|tatweb|py-lab)|bitecnt|oezepyh|info4us|zuxmash|tratata)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631704; rev:9;) # sid 2631705 includes 91 (0 - 91) 8 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.info)"; content:"|08|";content:"|04|info|00|";nocase;within: 11;pcre: 
"/(u(cleaner|nmarine)|s(omemisc|e(ndspam|archhh)|icil256|can(web4|log6|new4|4(l(ux|og)|way|fix|key)|gen4|f(an6|ix4)|mix6|ray6))|ge(tanews|n(4scan|scan4|6scan))|b(lagoinc|uynvf96|eddenis|bflvxif)|xepacuma|911traff|a(l(phadvd|exinic|fglesj)|v1-site|b(rigade|outdot)|nti-spy)|c(racklab|ounthum|dmusnla|larafin)|di(bcuebc|rektaz)|e(ba(dluck|lmain)|m(-event|ule-it))|h(ack-off|erowood)|i(feelyou|nt-tech|cq-full)|r(ezultsd|us-shop)|p(illname|echenka)|ma(ster-x|inssrv)|t(atushki|op4scan)|50db34d5|63(3f94d3|afe561)|8d77b42a|z(onzamas|wedpmoa)|f(khbumne|pljpuqp|vwugekf|ormybro|ix(4scan|scan4))|k(aonwzkc|tfadsqo|eyscan4)|l(yamwnhh|og(6scan|4scan|scan4))|n(nxqqmdl|suzsjrp|ewscan4)|v(fxifizf|ip-meds)|y(bbfrznr|gmwharv)|jtpigznr|w(a(lterex|y(4scan|scan4))|ww-ares)|one4scan)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631705; rev:9;) # sid 2631706 includes 125 (0 - 125) 9 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.info)"; content:"|09|";content:"|04|info|00|";nocase;within: 12;pcre: 
"/(n(adnadzzz|ote(scan4|6scan)|tlligent)|m(e(oryprof|ta6scan)|ototrack|ain(6scan|scan(6|4)|4scan))|p(o(kupki24|rt4scan)|-o-r-n-0|ilsudano|uerkoric|l(umsauce|anscan4))|s(uper-tds|earch20s|pcounter|can(4(best|m(ain|ode)|true|user|zoom|live|a(uto|rea)|f(ine|ull)|note|goal|hard|p(ort|age))|easy4|line(6|4)|t(ool(4|6)|rue(4|6))|m(ain4|eta4)|auto4|f(lex4|ine4)|note(4|6)|6(meta|t(ool|rue))|star6))|t(igranuhi|r(a(ff4all|depark)|ue(4scan|scan(4|6)|6scan))|ool(4scan|6scan|scan6))|a(dultseek|n(imecore|amality)|r(tsworld|ea4scan)|vadvisor|bivbwbea|utoscan4)|d(emidroll|icecount|o(cumentu|ublered)|ream2008|zxecapiw|ata(4scan|6scan|scan4))|e(as(tsware|y(4scan|scan4))|f(fortdog|indsite)|uro-cigs|ver(4scan|6scan|scan(4|6)))|i(litelist|pod-talk|ntoscan4)|best(x(vids|movs)|6scan)|w(owtofree|nwqphzao)|g(r(eatvips|idgames)|jbwolesl|itoeanai|oal4scan)|h(ighway69|otel4all|hnvxjdms)|onlinetds|f(fbnpzthj|iminauar|lex4scan|ullscan4)|jrxgtdigb|4utraffic|line(scan6|4scan)|8addition|userscan4|z(oomscan4|apalinfo)|7(zip-2009|security)|klamniton|cashpopup)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631706; rev:9;) # sid 2631707 includes 1 (0 - 1) 7 character domains in the ".ir" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ir)"; content:"|07|";content:"|02|ir|00|";nocase;within: 10;pcre: "/adscene/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631707; rev:9;) # sid 2631708 includes 3 (0 - 3) 11 character domains in the ".it" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.it)"; content:"|0b|";content:"|02|it|00|";nocase;within: 14;pcre: "/(gigaservice|hotel-bahia|saiprogetti)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631708; rev:9;) # sid 2631709 includes 1 (0 - 1) 13 character domains in the ".it" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> 
$DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.it)"; content:"|0d|";content:"|02|it|00|";nocase;within: 16;pcre: "/handballfondi/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631709; rev:9;)
# The line above is the tail of the rule for sid 2631709, which starts on the
# previous line of this file.
#
# How to read the generated rules below. Each one inspects UDP packets sent to
# $DNS_SERVERS port 53 from any source that is not in $SMTP_SERVERS or
# $DNS_SERVERS, and needs three matches:
#   content:"|NN|"          one byte equal to the label length given in msg
#   content:"|02|tld|00|"   the length-prefixed TLD label plus the root byte,
#                           case-insensitive, limited by `within`
#   pcre                    the listed name(s), case-insensitive
# The pcre has no anchor and no R (relative) modifier, so it is not tied to the
# label located by the two content matches; the listed string may sit anywhere
# in the packet.
# NOTE(review): `within` is always label length + 3 here. If the engine requires
# the whole second pattern to lie inside that window (confirm for the
# Snort/Suricata version in use), the 4-byte |02|tld|00| pattern needs label
# length + 4, and these rules would not fire on the names they list. Replay a
# test lookup for one listed name before relying on this file.
# Coverage is limited to UDP lookups addressed to $DNS_SERVERS; DNS over TCP and
# clients that query other resolvers are outside these rule headers.
#
# sid 2631710 includes 1 (0 - 1) 17 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.it)"; content:"|11|";content:"|02|it|00|";nocase;within: 20;pcre: "/orchestragruppo70/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631710; rev:9;)
# sid 2631711 includes 1 (0 - 1) 20 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.it)"; content:"|14|";content:"|02|it|00|";nocase;within: 23;pcre: "/istitutomicoterapico/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631711; rev:9;)
# sid 2631712 includes 1 (0 - 1) 34 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 34 chars (.it)"; content:"|22|";content:"|02|it|00|";nocase;within: 37;pcre: "/accademiaitalianadellaviteedelvino/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631712; rev:9;)
# sid 2631713 includes 1 (0 - 1) 4 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.it)"; content:"|04|";content:"|02|it|00|";nocase;within: 7;pcre: "/geda/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631713; rev:9;)
# sid 2631714 includes 2 (0 - 2) 5 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.it)"; content:"|05|";content:"|02|it|00|";nocase;within: 8;pcre: "/(iblon|15min)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631714; rev:9;)
# sid 2631715 includes 2 (0 - 2) 6 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.it)"; content:"|06|";content:"|02|it|00|";nocase;within: 9;pcre: "/(rogger|cybion)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631715; rev:9;)
# sid 2631716 includes 4 (0 - 4) 5 character domains in the ".jp" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.jp)"; content:"|05|";content:"|02|jp|00|";nocase;within: 8;pcre: "/(22cmd|8host|hit32|pif02)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631716; rev:9;)
# sid 2631717 includes 5 (0 - 5) 6 character domains in the ".jp" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.jp)"; content:"|06|";content:"|02|jp|00|";nocase;within: 9;pcre: "/(75main|4(8filt|logon)|63root|ioctl2)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631717; rev:9;)
# sid 2631718 includes 2 (0 - 2) 7 character domains in the ".jp" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.jp)"; content:"|07|";content:"|02|jp|00|";nocase;within: 10;pcre: "/(log-in1|portal6)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631718; rev:9;)
# sid 2631719 includes 2 (0 - 2) 10 character domains in the ".kr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.kr)"; content:"|0a|";content:"|02|kr|00|";nocase;within: 13;pcre: "/(searchtime|touchnfeel)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631719; rev:9;)
# sid 2631720 includes 2 (0 - 2) 9 character domains in the ".kr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.kr)"; content:"|09|";content:"|02|kr|00|";nocase;within: 12;pcre: "/(easypoint|imgserver)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631720; rev:9;)
# sid 2631721 includes 1 (0 - 1) 14 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.kz)"; content:"|0e|";content:"|02|kz|00|";nocase;within: 17;pcre: "/iloveeverybody/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631721; rev:9;)
# sid 2631722 includes 1 (0 - 1) 3 character domains in the ".kz" top level domain
# NOTE(review): a 3-byte unanchored pcre. "rnw" inside any other label of the
# query also satisfies it, so this can alert on an unrelated 3-character .kz
# lookup; binding the pattern to the label bytes would narrow it.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.kz)"; content:"|03|";content:"|02|kz|00|";nocase;within: 6;pcre: "/rnw/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631722; rev:9;)
# sid 2631723 includes 1 (0 - 1) 4 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.kz)"; content:"|04|";content:"|02|kz|00|";nocase;within: 7;pcre: "/bnmd/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631723; rev:9;)
# sid 2631724 includes 1 (0 - 1) 5 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.kz)"; content:"|05|";content:"|02|kz|00|";nocase;within: 8;pcre: "/dft6s/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631724; rev:9;)
# sid 2631725 includes 1 (0 - 1) 16 character domains in the ".la" top level domain
# (the rule below continues on the next line of this file)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.la)"; content:"|10|";content:"|02|la|00|";nocase;within: 19;pcre: "/regionaliste2008/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2631725; rev:9;)
# The line above closes the rule for sid 2631725, which starts on the previous
# line of this file.
#
# Rule shape used below: UDP to $DNS_SERVERS port 53 from any source outside
# $SMTP_SERVERS/$DNS_SERVERS; content:"|NN|" is the label-length byte named in
# msg; the second content is the length-prefixed TLD plus the root byte
# (case-insensitive, bounded by `within`); pcre lists the blocked names.
# The pcre is unanchored and not relative to the content matches, so the listed
# string may appear anywhere in the packet, not only in the matched label.
# NOTE(review): `within` is label length + 3 in every rule, while the second
# pattern is 4 bytes for a two-letter TLD and 6 bytes for |04|mobi|00| and
# |04|name|00|. If the engine needs the whole pattern inside the window (confirm
# for the Snort/Suricata version in use), these values are too small and the
# rules stay silent; check with a replayed lookup for a listed name.
#
# sid 2631726 includes 1 (0 - 1) 2 character domains in the ".la" top level domain
# NOTE(review): /51/ is two bytes with no anchor. Any "51" in the packet
# satisfies it, including a host label in front of a different 2-character .la
# name or a DNS transaction ID of 0x3531. Treat alerts from this sid as low
# confidence until the name in the query has been checked.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 2 chars (.la)"; content:"|02|";content:"|02|la|00|";nocase;within: 5;pcre: "/51/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631726; rev:9;)
# sid 2631727 includes 1 (0 - 1) 3 character domains in the ".la" top level domain
# NOTE(review): same concern as sid 2631726; "373" can occur in other labels of
# a query for an unrelated 3-character .la name.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.la)"; content:"|03|";content:"|02|la|00|";nocase;within: 6;pcre: "/373/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631727; rev:9;)
# sid 2631728 includes 1 (0 - 1) 5 character domains in the ".lv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.lv)"; content:"|05|";content:"|02|lv|00|";nocase;within: 8;pcre: "/zlkon/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631728; rev:9;)
# sid 2631729 includes 4 (0 - 4) 5 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.me)"; content:"|05|";content:"|02|me|00|";nocase;within: 8;pcre: "/(hex72|43ole|55pif|gekko)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631729; rev:9;)
# sid 2631730 includes 3 (0 - 3) 6 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.me)"; content:"|06|";content:"|02|me|00|";nocase;within: 9;pcre: "/(97type|aspx37|63mode)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631730; rev:9;)
# sid 2631731 includes 1 (0 - 1) 7 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.me)"; content:"|07|";content:"|02|me|00|";nocase;within: 10;pcre: "/hfriili/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631731; rev:9;)
# sid 2631732 includes 1 (0 - 1) 9 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.me)"; content:"|09|";content:"|02|me|00|";nocase;within: 12;pcre: "/orzsystem/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631732; rev:9;)
# sid 2631733 includes 1 (0 - 1) 4 character domains in the ".mn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.mn)"; content:"|04|";content:"|02|mn|00|";nocase;within: 7;pcre: "/irq0/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631733; rev:9;)
# sid 2631734 includes 2 (0 - 2) 10 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.mobi)"; content:"|0a|";content:"|04|mobi|00|";nocase;within: 13;pcre: "/(pro-tuning|840384tony)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631734; rev:9;)
# sid 2631735 includes 2 (0 - 2) 11 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.mobi)"; content:"|0b|";content:"|04|mobi|00|";nocase;within: 14;pcre: "/(shock-world|347dj27dh21)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631735; rev:9;)
# sid 2631736 includes 3 (0 - 3) 4 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.mobi)"; content:"|04|";content:"|04|mobi|00|";nocase;within: 7;pcre: "/(d(o18|rv9)|jopi)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631736; rev:9;)
# sid 2631737 includes 8 (0 - 8) 5 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.mobi)"; content:"|05|";content:"|04|mobi|00|";nocase;within: 8;pcre: "/(a(dupd|sp62)|jsp(25|51)|7ntio|err83|hit15|tid84)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631737; rev:9;)
# sid 2631738 includes 16 (0 - 16) 6 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.mobi)"; content:"|06|";content:"|04|mobi|00|";nocase;within: 9;pcre: "/(adw(ste|adb)|b(kpadd|nradd|ank19)|c(atdbw|onf68)|destad|porttw|tertad|24conf|7ipsec|regect|s(tub12|eocom)|8shell)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631738; rev:9;)
# sid 2631739 includes 2 (0 - 2) 7 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.mobi)"; content:"|07|";content:"|04|mobi|00|";nocase;within: 10;pcre: "/(allocbn|4client)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631739; rev:9;)
# sid 2631740 includes 1 (0 - 1) 9 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.mobi)"; content:"|09|";content:"|04|mobi|00|";nocase;within: 12;pcre: "/bnrupdate/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631740; rev:9;)
# sid 2631741 includes 8 (0 - 8) 10 character domains in the ".name" top level domain
# (the rule below continues on the next line of this file)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.name)"; content:"|0a|";content:"|04|name|00|";nocase;within: 13;pcre: "/(adultworld|obfuscated|m(acromedia|ybigmoney)|po(ol-org23|p-market)|goldenkeys|nirmjika31)/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2631741; rev:9;)
# The line above closes the rule for sid 2631741, which starts on the previous
# line of this file.
#
# Rule shape used below: UDP to $DNS_SERVERS port 53 from any source outside
# $SMTP_SERVERS/$DNS_SERVERS; content:"|NN|" is the label-length byte named in
# msg; the second content is the length-prefixed TLD plus the root byte
# (case-insensitive, bounded by `within`); pcre lists the blocked names.
# The pcre is unanchored and not relative to the content matches, so a listed
# string anywhere in the packet satisfies it.
# NOTE(review): `within` is label length + 3 throughout, but |04|name|00| is 6
# bytes, |03|net|00| is 5 and |02|ne|00| is 4. If the engine needs the whole
# pattern inside the window (confirm for the Snort/Suricata version in use),
# these rules do not fire on the listed names; verify with a replayed lookup.
# Only UDP lookups addressed to $DNS_SERVERS are inspected.
#
# sid 2631742 includes 6 (0 - 6) 11 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.name)"; content:"|0b|";content:"|04|name|00|";nocase;within: 14;pcre: "/(lover-world|rdir-site81|silentpanel|48reg-sslid|onlinefilms|xyseinobama)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631742; rev:9;)
# sid 2631743 includes 3 (0 - 3) 13 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.name)"; content:"|0d|";content:"|04|name|00|";nocase;within: 16;pcre: "/c(enterkras-tv|omm-cipher67|mdidverify82)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631743; rev:9;)
# sid 2631744 includes 1 (0 - 1) 16 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.name)"; content:"|10|";content:"|04|name|00|";nocase;within: 19;pcre: "/antivirus2008pro/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631744; rev:9;)
# sid 2631745 includes 2 (0 - 2) 17 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.name)"; content:"|11|";content:"|04|name|00|";nocase;within: 20;pcre: "/antivirus(-2008pro|2008-pro)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631745; rev:9;)
# sid 2631746 includes 1 (0 - 1) 19 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.name)"; content:"|13|";content:"|04|name|00|";nocase;within: 22;pcre: "/mnogodenegdljamenja/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631746; rev:9;)
# sid 2631747 includes 1 (0 - 1) 3 character domains in the ".name" top level domain
# NOTE(review): a 3-byte unanchored pcre; "tnx" in any other label of the query
# also satisfies it.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.name)"; content:"|03|";content:"|04|name|00|";nocase;within: 6;pcre: "/tnx/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631747; rev:9;)
# sid 2631748 includes 6 (0 - 6) 4 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.name)"; content:"|04|";content:"|04|name|00|";nocase;within: 7;pcre: "/(8com|ftp5|go93|obj8|st37|jebo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631748; rev:9;)
# sid 2631749 includes 11 (0 - 11) 5 character domains in the ".name" top level domain
# NOTE(review): several alternatives here are substrings of ordinary words
# ("googl", "owned"), and sid 2631750 below lists whole words ("plugin",
# "diablo"). Because the pcre is not tied to the matched label, a host label
# containing one of them in front of an unrelated .name domain of the same
# label length can raise the alert.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.name)"; content:"|05|";content:"|04|name|00|";nocase;within: 8;pcre: "/(googl|e7da7|owned|32ddk|bank7|doc6(2|3)|inet9|ssl(63|37)|83set)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631749; rev:9;)
# sid 2631750 includes 9 (0 - 9) 6 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.name)"; content:"|06|";content:"|04|name|00|";nocase;within: 9;pcre: "/(r0bots|diablo|noporn|plugin|0query|47mode|seocom|vetinc|getway)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631750; rev:9;)
# sid 2631751 includes 6 (0 - 6) 7 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.name)"; content:"|07|";content:"|04|name|00|";nocase;within: 10;pcre: "/(e(xplode|ncode1)|netapi7|offset9|sslnet3|keystar)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631751; rev:9;)
# sid 2631752 includes 4 (0 - 4) 9 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.name)"; content:"|09|";content:"|04|name|00|";nocase;within: 12;pcre: "/(googleads|rspectrum|x-systems|zeuspanel)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631752; rev:9;)
# sid 2631753 includes 1 (0 - 1) 11 character domains in the ".ne" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ne)"; content:"|0b|";content:"|02|ne|00|";nocase;within: 14;pcre: "/nicevideo18/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631753; rev:9;)
# sid 2631754 includes 1 (0 - 1) 3 character domains in the ".ne" top level domain
# NOTE(review): a 3-byte unanchored pcre; "8e9" elsewhere in the packet also
# satisfies it.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.ne)"; content:"|03|";content:"|02|ne|00|";nocase;within: 6;pcre: "/8e9/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631754; rev:9;)
# sid 2631755 includes 1 (0 - 1) 5 character domains in the ".ne" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ne)"; content:"|05|";content:"|02|ne|00|";nocase;within: 8;pcre: "/fra22/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631755; rev:9;)
# sid 2631756 includes 133 (0 - 133) 10 character domains in the ".net" top level domain
# (the rule below continues on the next line of this file)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.net)"; content:"|0a|";content:"|03|net|00|";nocase;within: 13;pcre: 
"/(h(ightstats|b(alr-cash|blr-cash|dlr-cash)|ostverify|xhxl-cash)|k(u(waitarmy|fvkkdtpf)|oolynoody|andidatov|ihbccvqrz)|zerx-virus|a(dpopserve|nti(spyweb|virus(q|r|u|w))|siantgirl|gainstspy)|b(a(rmy-army|zrvxedfe)|lackcodec|uttonware|c(gdbkzlbu|rrfwygup|oxihfvvh)|money-frn|xxxl-cash|f(a(nsbxuow|hfmpyga)|cysytdze)|h(bapvilqc|lmxnopqc)|batzkvfha|ddanhdnfl|ewfsnfwka|gukeumzwz|radykeith|otsystems)|c(lub-adult|sxiwwwcom|ity-codec|elebsvids)|d(a(te-porno|mqrgldev|vidkramm)|e(utchbank|mo(ticket|-codec)|tjstniup)|iplomytut|r(iveporno|ockstore)|vd(-access|s(movies|videos))|b(ca(ah-ddt|bh-ddt|ch-ddt|dh-ddt)|sjxuvijx)|corbtfyni|dzmuatncz|fhatnjfjw|glcxlcfmk|hxkycjmrg)|e(l(lmalionz|xtrading)|s(crowjobs|passport)|urodialer|xp(loitoff|ortporn)|bddr(bcash|acash)|asycracks)|f(resh-film|amoutoito|lucksbuck|hxzvtrtpq)|johnrocket|latinhackz|m(oonticket|y(realtube|medstore)|e(tricshop|dianet08))|s(e(arch(4top|-b(iz|uy))|zhongse8)|noopstick|t(ormcodec|udioart7|msoxiguz)|hi(jiediyi|kofotot)|i-install|ysprotect)|t(u(rbocodec|be-(du(cks|des)|chick))|icketmoon|he(rxdrugs|camsnow)|radingway)|0803071030|p(o(rno(chick|tube8)|dsmotrim)|roantispy|art-owner|illsintop)|n(ew(uploads|v2count|-mrcash)|itrocodec|zsrgzmhay|o(rth-host|problemz))|g(igaticket|bmkghqcqy|ujjipuzzi|reatfound)|us-bankers|w(hitetrack|eb-e-mail)|video(sdivx|fresh)|originalsp|xtremeporn)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631756; rev:9;) # sid 2631757 includes 89 (0 - 89) 11 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.net)"; content:"|0b|";content:"|03|net|00|";nocase;within: 14;pcre: 
"/(404dnserror|g(fxgraphics|o(ld-bridge|ogle-stat)|lobalstats)|p(c(sbankingc|mightymax)|adrinhojet|h(armacytop|oto-posts)|roxy-socks|orncowboys)|t(heinstalls|ds-service|opvorlagen|ube(-chicks|directs))|f(u(ckingfree|ll-search)|lucksbucks|ed-reserve|i(refox-lab|les250362))|5starvideos|a(bout-adult|ccessporno|l(lfreehere|ianzaviva)|ntiv(ermins|irus09)|s(ianssluts|coprguide)|geofconans|d(netserver|wareguard|clickmate)|mcfussyags)|d(ir(ect-gold|tyfemdom)|jsoundtone|vds-movies|e(llupdates|n(egbolshe|sitytrim))|rugly-cats)|e(goldcasino|mule-emule)|m(artinezfam|e(lsongroup|ga(-player|tubexxx))|kdjqosakje)|r(ealcarding|iskbreaker)|s(earchhowto|iriusinter|dfiiixkoas|ystemstock|oftwaresky)|c(hinahotweb|l(eanticket|ip-n-save)|rackspider|omputeralt)|h(aoliuliang|byzvpeadkb|oupacisite)|u(ltraticket|qruninkqca)|i(bx(axl-cash|bxl-cash|cxl-cash|dxl-cash)|tcoreguard)|x(iaobaishan|pprotector)|online-scan|you(blognews|newsblog)|j(jhajbfcdmk|uqsiucfrmi)|loading-(atm|n(rp|so))|7stepsmedia|w(ww-azureus|ebmedstore)|1-myantispy|neosoftware)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631757; rev:9;) # sid 2631758 includes 72 (0 - 72) 12 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.net)"; content:"|0c|";content:"|03|net|00|";nocase;within: 15;pcre: 
"/(o(nline(-guard|notify)|ld-and-girl)|vi(gatans1705|pantisetup|ruscatcher)|c(r(a(sh-packet|zycounter)|uise-porno)|ustom-porno|at-browse30)|m(ediatickets|ys(exydreams|upervisor)|agnificents|onkey-squad)|nairalanders|5-starvideos|a(siansplanet|d(eliminator|warekiller)|v-scan-(here|soft)|ctivesecure|gentprotect)|di(gital(adult|names|-porn)|rtylivesex)|e(asylesbians|-gold-games|ngine-porno|rror404site|very-search|xp(ort-porno|lorertool))|g(etxxxmovies|uardlab2009)|s(mart-search|e(archengweb|xtapegirls))|x(olodilnikov|psecurescan)|p(or(nsh(emales|redder)|tal-porno)|rostmirkost)|b(a(kasoftware|nknetworks)|estguideinc|itcoreguard)|qisihuisheng|li(pobpolvean|ght-player|ve(-counter|lnternet))|fav-tube-xxx|t(ube-viewert|herenothing|ourprovence)|usfedreserve|z(lmaukljwyvo|vezdu-porno)|your(blognews|newsblog)|76text-crypt|hello-to-you|i(pdatacenter|iikaolllxxx)|1-againstspy|2-againstspy|jackofspades)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631758; rev:9;) # sid 2631759 includes 50 (0 - 50) 13 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.net)"; content:"|0d|";content:"|03|net|00|";nocase;within: 16;pcre: "/(w(indowupdates|ebtrustrank1|ww-msnspaces)|g(et-certified|oogle(counter|-moogle))|nagitiriheiwu|a(ll(worldstars|youwantbuy)|nti(spy(knight|spider)|virus0003|-virus-xp|malware09))|c(o(ntact-adult|r(spespyware|eguard2009)|olsexmovies)|razy-shemale)|e(ntertain(site|tool)|qualitylinks|xclusivelink)|p(a(rtizangroup|gesuploader)|harmacytop10|orn-pleasure|c2009-antivr|ro-antivirus)|b(e(atchemistry|st-payments)|lacksexygirl|admintonblog)|koplemetation|s(e(archinginfo|cur(e-search|ityindex))|yssafetypage|oftwareunity)|registrygreat|2008antivirus|f(luxmarketing|ast-xxx-tube)|o(nestepsearch|lders-orgies)|teenagersporn|vi(deoporntrue|rus-catcher)|lookforfriend|myprosoftware)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; 
sid:2631759; rev:9;)
# sid 2631760 includes 52 (0 - 52) 14 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.net)"; content:"|0e|";content:"|03|net|00|";nocase;within: 17;pcre: "/(c(urrentsession|ontraviruspro|e(lebnudestars|skarepublika))|l(iveprotection|enovowireless)|m(a(increditcard|c-imunizator)|yfavoritetube|e(ga-drugstore|ssenger-plus))|3(000tvchannels|2376ohuuuhdss)|dirtystockings|go(ld-directory|ogle-(network|counter))|p(h(armacy-for-u|otobucket-id)|ills-pharmacy|orn(o(bookmarks|stockings)|stargalore|-youtube08|moviestube))|s(afetyuptodate|earch(4results|-adverts)|weetpornmovie|hocking-stars)|vi(rus-isolator|deo-trailers)|f(ree-movie-xxx|luxnewsletter|edreservebank|acebook-photo)|2(008-antivirus|-agentprotect)|a(nti(virus(2008(b|m|n|v)|xp-08)|spywarepro)|dd-block-plus)|on(linecounter1|estopstation)|u(s-bankconnect|pdate-product)|best-tube-2008|nikkicatsouras|1-agentprotect)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631760; rev:9;)
# NOTE(review): several alternatives in the rule below imitate well-known names
# (googleanalytlcs, updatemicr0s0ft, yahoo-analytics). An alert records that a client
# asked to resolve the name, nothing more; correlate with proxy or flow logs before
# treating the host as compromised.
# sid 2631761 includes 40 (0 - 40) 15 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.net)"; content:"|0f|";content:"|03|net|00|";nocase;within: 18;pcre: "/(1computerspiele|a(mazing(pornstar|shemales)|ntivirus(2008xp|-xp-08)|dvertisedpanel)|es(crow-services|ecure-federal)|s(earch(-and-more|inspector)|pyware-(sweeper|wizzard)|urfboardhacker|ilver-services)|u(sabestsoftware|pdatemicr0s0ft)|best-(anti-virus|scanner-pc)|2008(antivirusxp|xpantivirus)|xp2008antivirus|f(luxadvertising|acebook-photos|ree-webscaners)|qualitypictures|c(hicks-xxx-tube|ialis-generico|omprare-(cialis|viagra))|opkfgpkogokofdg|t(hesecuritytool|orrent(oreactor|areactor))|g(et-files-4free|oogleanalytlcs)|yahoo-analytics|repair-registry|msn-messenger-9|viagra-generico|i-am-porno-star)/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2631761; rev:9;)
# NOTE(review): $SMTP_SERVERS and $DNS_SERVERS are defined outside this file. The
# source side excludes both lists and the destination is $DNS_SERVERS only, so the
# rules see client lookups only if $DNS_SERVERS names the actual resolvers; if it is
# left equal to the whole internal network, internal clients are excluded as sources.
# sid 2631762 includes 29 (0 - 29) 16 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.net)"; content:"|10|";content:"|03|net|00|";nocase;within: 19;pcre: "/(b(alamenterprises|extrasideeffect)|m(ostafaaljaafari|icrosoft-direct|yprivatetubes09)|u(pdate(mysettings|smicrosoft)|s(banksecurities|-securebanking))|a(ntivir(us2008pro|-av-toolz)|v-scan-pc-tools)|online-antivirus|f(edreservesystem|acebook-gallery|ree-web-scaners)|go(ogle-anal(ystic|istyc)|vernmetfunding)|lovelypornovideo|t(hebestwebsearch|otalantispyware|ubezzz-boobezzz)|scanner-pc-toolz|celebsmovies2009|e(xclusive-videos|rotic-solutions)|profit-marketing|virusshield-scan)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631762; rev:9;)
# sid 2631763 includes 29 (0 - 29) 17 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.net)"; content:"|11|";content:"|03|net|00|";nocase;within: 20;pcre: "/(drugsonlinesearch|windowsxp-privacy|a(latanindividsite|ntivirus(-(2008pro|scanner)|2008free))|google-analyticks|malwaredestructor|2008(antivirusfree|freeantivirus)|f(ree(2008antivirus|antivirusinfo)|ederalbanksystem)|s(oftwareantivirus|canspywareonline|pywaredeletehere|ilicon-solutions)|connection-secure|pure-download-new|quickly-porn-tube|t(ube-free-4-adult|hetrafficcontrol)|boormansjewellers|exstra-av-scanner|hot-tube-tuberzzz|3-antispyware3000|installdiskscaner|neosoftwareonline|virussweeper-scan)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631763; rev:9;)
# sid 2631764 includes 18 (0 - 18) 18 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.net)"; content:"|12|";content:"|03|net|00|";nocase;within: 
21;pcre: "/(s(dihsihdsfsofhsohs|ecurity(precaution|safeguards)|tress-relief-tips)|a(dvanced-promotion|lltravelingonline|nti(spywareupdates|virus-2008-pro))|up(date(-microsoftes|s-microsofts)|todateprotection)|free(best-antivirus|-scan-service1)|goodantivirus-free|hot-fuck-tube-site|treasurydepartment|download-files-bak|messengerplus-2009)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631764; rev:9;)
# NOTE(review): names are a snapshot of the upstream list at generation time (the
# file header is dated Jul 2009); entries of this kind age quickly, so check the feed
# date before relying on a hit or a miss.
# sid 2631765 includes 11 (0 - 11) 19 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.net)"; content:"|13|";content:"|03|net|00|";nocase;within: 22;pcre: "/(2008-(antivirus-free|free-antivirus)|a(ntivirus-(2008-free|pcscanner)|mateuralluremovies)|f(ree-2008-antivirus|iles-download-arch)|m(ain-downloadportal|essenger-messenger)|soft-4-you-download|download-files-plus)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631765; rev:9;)
# sid 2631766 includes 7 (0 - 7) 20 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.net)"; content:"|14|";content:"|03|net|00|";nocase;within: 23;pcre: "/(a(dult(webmasterempire|-tube-downloads)|ntivirus(4protection|-scanonline))|camirnetruryeefyeiie|onlinespywarescanner|directdownloadcenter)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631766; rev:9;)
# sid 2631767 includes 11 (0 - 11) 21 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.net)"; content:"|15|";content:"|03|net|00|";nocase;within: 24;pcre: "/(h(orseshoebendarkansas|assomeonelostininter)|onlinesoftwarexchange|a(ddictivetechnologies|ntivirus2008software)|2008(antivirussoftware|softwareantivirus)|software2008antivirus|main-softwaredownload|download-top-software|load-software-dowload)/i"; 
classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631767; rev:9;)
# sid 2631768 includes 5 (0 - 5) 22 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.net)"; content:"|16|";content:"|03|net|00|";nocase;within: 25;pcre: "/(antivirus-bestsolution|top-best-software-area|commerceonline-service|niche-tube-videos-here|virussweeper-scanvirus)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631768; rev:9;)
# sid 2631769 includes 9 (0 - 9) 23 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.net)"; content:"|17|";content:"|03|net|00|";nocase;within: 26;pcre: "/(commercialloansolutions|s(tat-diagnostic-imaging|oftware-2008-antivirus)|2008-(antivirus-software|software-antivirus)|antivirus-2008-software|uk-web-hosting-services|new-porn-tubeportal2008|free-tube-video-central)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631769; rev:9;)
# NOTE(review): rules whose pcre is a single literal (sids 2631770 and 2631771 below)
# could use one content match that includes the length byte and tail, e.g.
# content:"|18|antispyware2008-download|03|net|00|"; nocase; which also fixes the
# position of the name inside the query.
# sid 2631770 includes 1 (0 - 1) 24 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.net)"; content:"|18|";content:"|03|net|00|";nocase;within: 27;pcre: "/antispyware2008-download/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631770; rev:9;)
# sid 2631771 includes 1 (0 - 1) 25 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.net)"; content:"|19|";content:"|03|net|00|";nocase;within: 28;pcre: "/antispyware-2008-download/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631771; rev:9;)
# sid 2631772 includes 1 (0 - 1) 26 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> 
$DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 26 chars (.net)"; content:"|1a|";content:"|03|net|00|";nocase;within: 29;pcre: "/hutchinsonkansasnewspapers/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631772; rev:9;)
# NOTE(review): short alternatives such as "kit" and "new" in sid 2631773 are matched
# by an unanchored pcre, so a query like news.abc.net (3-byte label before .net, "new"
# elsewhere in the name) would presumably satisfy the rule. "cjb" and "oicp" look like
# shared-hosting / dynamic-DNS parents; confirm before alerting on every name below them.
# sid 2631773 includes 7 (0 - 7) 3 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.net)"; content:"|03|";content:"|03|net|00|";nocase;within: 6;pcre: "/(0(08|ad)|kit|3-a|8e9|cjb|new)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631773; rev:9;)
# sid 2631774 includes 1 (0 - 1) 31 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 31 chars (.net)"; content:"|1f|";content:"|03|net|00|";nocase;within: 34;pcre: "/googlecomaolcomyahoocomaboutcom/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631774; rev:9;)
# sid 2631775 includes 37 (0 - 37) 4 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.net)"; content:"|04|";content:"|03|net|00|";nocase;within: 7;pcre: "/(s0s1|oicp|x(sps|x(sy|kk))|7sec|a(311|b92|n92)|cz88|d(gnp|zuc|o21)|h(avy|nol|cpk)|njnk|1(8dd|ive)|r(nmb|u98)|urkb|tlcn|9(1tg|ssl)|8(ssl|6dx)|vn92|2j1f|g(e92|szk|mt7)|mbd2|b1du|fi97|q(tas|qnn))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631775; rev:9;)
# sid 2631776 includes 1 (0 - 1) 42 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 42 chars (.net)"; content:"|2a|";content:"|03|net|00|";nocase;within: 45;pcre: "/c9zuniilbbk4lild8-72bpnla-qz2rjllrczql8l2y/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631776; rev:9;)
# sid 2631777 includes 87 (0 - 87) 5 character domains in the ".net" 
# top level domain
# Rule anatomy: the first content is the one-byte DNS label length (|05| = 5), the
# second is the TLD label with its own length byte and the root terminator
# (|03|net|00|); the pcre then carries the listed names of that length.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.net)"; content:"|05|";content:"|03|net|00|";nocase;within: 8;pcre: "/(33391|5(5(189|265)|1edm|944v)|9(9(391|1uu)|aspx)|j(idov|anen)|t(el-8|ulux|dsdm|txhh)|c(o(m94|dei)|cbtv|kabc|at92|hk08|d321|xjsy|zkdu)|g(xgxy|et49)|locop|2(youx|000y|aspx)|a(bsex|meks|xtos)|d(plog|ieoa)|e(7da7|krot|qash)|n(yfan|jhgf)|q(adro|srch)|8(5819|81pp)|borar|f(1del|itjg|wotu)|i(oprd|yxuu|p315|svbr)|set45|u(ytie|ttcx)|w(ww05|ansf)|1(0200|1910|2-2(6|7)|3996|7cha|9ssl|8i16)|k(raji|xxqz)|m(dodo|ap19|fqal|btmw|yrx8|twns)|p(i(d76|toy)|vden|e2pe)|h(irza|avha|ub-z)|74asp|o(le17|iuyt)|r(ccoq|ofxb)|xxhdy|4root|0fees)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631777; rev:9;)
# sid 2631778 includes 85 (0 - 85) 6 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.net)"; content:"|06|";content:"|03|net|00|";nocase;within: 9;pcre: "/(070808|a(mtris|jiang|llgov|s(porn|copr|iamo)|ds002|v(xp08|2010)|aidhe)|m(p(zone|3-go)|a(il(zz|ol)|sevi|bira)|mobot|uttus)|r(xmods|egkey)|404dns|c(yhawk|omrus|enpak|lipan)|d(aseek|e(sire|ewoo)|3m00n|ingli|vlorg)|k(h4l3d|ram3r|ent(ty|ik))|q(q-sky|-site)|t(ronko|scmbj|ejary|itmix)|1(63500|11991)|s(ite83|kpoot|h-cap|akang|eofon|unlux)|bank11|f(ood00|ucksb|ewfwe|hlwov)|n(ewfax|imolp|hjui9|anomx)|o(hueli|iuytr)|p(izdos|encer|roege)|x(pldev|uixui|dosug)|84type|y(jytuv|eynxe)|e(spads|gqoab)|gknf21|j(guxjs|xjlwg)|5qzone|i(xfree|lklkc)|h(i(5img|-bro|vids)|omesy)|updvms|workst|vippif)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631778; rev:9;)
# nocase follows the second content and therefore applies to the TLD tail; the label
# alternation gets its case-insensitivity from the pcre /i flag.
# sid 2631779 includes 95 (0 - 95) 7 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.net)"; content:"|07|";content:"|03|net|00|";nocase;within: 10;pcre: "/(c(odechq|a(shtor|rbozy))|g(u(sarov|ccime|agaga)|fyjebf|o(oanal|go2me))|3332210|a(kamahi|d(x(anet|rnet|t(net|end)|bnet|cnet|dnet)|2cash|touch)|vcheck|l(phase|masto)|rtisha|csiaym|idushu|080908)|d(fthhre|e(eping|isvop)|r(amsns|oeang)|ate-21)|f(indtop|ami4ka|lux(ads|pay)|gxoesp|orserv)|h(olkers|qcodec|uigezi|e(ifang|ycool)|0tabi4)|i(xcodec|see080|lirida|balefo)|2(4cargo|018wyt)|e(asygay|xflood|livvks)|n(gc1976|ertthl|ybxvgb|iklejo)|p(a(nnama|iuuag)|restra|orno2u|hi6aym)|r(adio(78|ks)|bkvebf|egtime|ckiuag|tpuqxp)|w(earabz|sxhost)|k(i(llspy|ngf0x)|oolbar)|b(el(gius|aden)|loople|asesrv|rugeni|iggerz)|t(dbanks|eirkmm)|v(i(resh2|vidns)|erymad)|louinda|oj(rswlg|zarbw)|51gouwu|999mimi|sykalab|m(s-scan|p3-now|ailgov|edkeep))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631779; rev:9;)
# NOTE(review): no rate-limiting option is present on these rules, so a client that
# retries a lookup raises one alert per query packet; a threshold/event_filter entry
# keyed on the sid can cap that.
# sid 2631780 includes 159 (0 - 159) 8 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.net)"; content:"|08|";content:"|03|net|00|";nocase;within: 11;pcre: "/(u(cleaner|v(eovbef|joqbef)|plevela)|d(htianyu|a(teporn|sgdasg)|dr-cash|jgxhsdt|nsprime|rug(name|sbuy)|omain12|xfvdadx)|g(ameones|lobalpp|odaddyy|ift-vip|reatzus|vfa(5bef|dbef)|ceakrpa)|q(archive|8pilots|vaksbef)|r(i(chgran|ngfall)|e(dcodec|almovs)|tztoupc|d-point)|a(rabhell|bcadult|d(sgiant|-adnet|teksrv)|v(etbbef|jttbef|-guard)|migos24)|b(estnums|utfcwji|a(sesrv3|blomet))|f(ull-tgp|reese-x|luxbuck)|l(e(echnet|coquin)|o(op-ads|ve-day)|bdfwrbz|vaf(fbef|nbef))|t(vxffjgu|r(afagon|n-cash)|eleporn)|x(traload|psecure|skeqrcl|virmram|hottube)|zagryzok|360share|911traff|c(lick(bar|-12)|kujcgxi|o(mtaple|co-ifc)|fm-sid7|vgv(6bef|fbef)|aricare|dev7rpa|elebsxx)|e(a(rngate|stfilm)|v(i(l(-sex|bots)|x8bef)|estars|dxybef)|xportpe)|h(ack5900|q-codec|ost(pool|stat)|vgbkbef)|i(rcstyle|vhc7bef|spartof)|m(ob(-shop|poste)|ydnsweb|usicmoa|ixstrip)|p(o(pcodec|r(n(fire|crew|-the)|enads))|a(y4logs|pampam)|v(fjgram|jj(9bef|lbef))|rororo7)|s(ayphoto|ex(clean|white)|vcm(rbef|wbef)|owonder|tervtut|mile-me)|v(i(p-load|rusmex|deoaaa)|vgpiram)|y(oyocity|vds(qbef|tbef)|andexzz)|1(212l112|bnk-log)|n(slposte|e(t(cshow|flyer)|ssecur)|v(dhcram|hh(hbef|mbef))|ameleap|oadware)|j(knxcxyg|xnyyjyo|vi(kldgo|d(jbef|obef))|aednrpa)|k(qjvmbst|cgxgnny|veecbef)|o(toajxfn|xeeuikd|n(seneka|lyfind)|veieram|penlog1)|w(hgtdhqg|v(bq(pbef|ubef)|cqcram|hqkram)|wwfbcdn)|8teenboy|24x7live)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631780; rev:9;)
# sid 2631781 includes 116 (0 - 116) 9 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.net)"; content:"|09|";content:"|03|net|00|";nocase;within: 12;pcre: "/(2600warez|c(o(dec(zang|base)|ckspics|mp-sexy|nnectpt|ol-porn|unt4all)|ca(bh-ddt|ch-ddt|dh-ddt)|ruelporn|yberhawk|hin(azhan|kchoi)|leanlive|a(shpopup|tch-you))|hi(ghstate|5-image)|p(arkhuset|orn-look|icaposte|luscount|hejxcebf|ro(xyrent|stolab)|nfzetnax)|jeiahsdod|m(supdater|egacodec|pegcodec|y(webport|spacess|antispy)|icrogood|ooncodec|mtdsgwfa)|outerinfo|a(bc-porno|d(po(olnet|pshow)|sloaded)|sianxxxx|nimeteam|v(scan-pc|rilnude)|moretour|ctupdate)|b(rakeporn|c(lr-cash|ash-ddt)|ddr-cash|urimilol|esttiger|olapaqir|hagidari)|d(ailleurs|ddr(bcash|ccash|ecash|fcash)|e(lfiporn|sarroya)|-stanley|ofulfill)|e(asytoons|bonyland|trn-aash|u-insure|ytcghixk|zeematch)|f(indhowto|l(ashbill|ux(bucks|ezine))|dicbanks|mdsqasqm|tphtsfuv|unkytube)|guestinef|l(ightporn|ogisigns|vorgucci)|t(he(maleks|countx)|r(y(-count|ithere)|a(ffsale|ckgame))|o(ksikoza|ppharma))|q(dkaitong|uimigama)|zipaiwang|176fc957c|w(i(nifixer|kinedia)|anprofit|ebaliser)|s(o(ftobzor|balyaki)|ervposte|um4count|jkxyjqsx|tatclick|h(-hostz9|karkimi))|u(inticket|nitycard)|youlaiyou|re(d-codec|nderize)|n(e(tcrefer|wdotnet)|udistxxx))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631781; rev:9;)
# NOTE(review): the destination is $DNS_SERVERS port 53, so lookups a host sends
# directly to a resolver outside that variable are not seen by these rules.
# sid 2631782 includes 2 (0 - 2) 10 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.nl)"; content:"|0a|";content:"|02|nl|00|";nocase;within: 13;pcre: "/(trafficjam|eigenstart)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631782; rev:9;)
# sid 2631783 includes 1 (0 - 1) 12 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.nl)"; content:"|0c|";content:"|02|nl|00|";nocase;within: 15;pcre: "/inboxstorage/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631783; rev:9;)
# sid 2631784 includes 1 (0 - 1) 13 character domains in the ".nl" top level domain 
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.nl)"; content:"|0d|";content:"|02|nl|00|";nocase;within: 16;pcre: "/demokoksander/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631784; rev:9;)
# NOTE(review): msg names only the label length and TLD, not the name that matched;
# the analyst needs the logged packet payload to see which domain was queried.
# sid 2631785 includes 2 (0 - 2) 14 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.nl)"; content:"|0e|";content:"|02|nl|00|";nocase;within: 17;pcre: "/(payperdownload|dave-wijnhoven)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631785; rev:9;)
# sid 2631786 includes 1 (0 - 1) 18 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.nl)"; content:"|12|";content:"|02|nl|00|";nocase;within: 21;pcre: "/hobbyistenkoiforum/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631786; rev:9;)
# sid 2631787 includes 1 (0 - 1) 6 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.nl)"; content:"|06|";content:"|02|nl|00|";nocase;within: 9;pcre: "/pixion/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631787; rev:9;)
# sid 2631788 includes 1 (0 - 1) 7 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.nl)"; content:"|07|";content:"|02|nl|00|";nocase;within: 10;pcre: "/easybar/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631788; rev:9;)
# sid 2631789 includes 2 (0 - 2) 9 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.nl)"; content:"|09|";content:"|02|nl|00|";nocase;within: 12;pcre: "/(delespino|zoom-bags)/i"; 
classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631789; rev:9;)
# NOTE(review): reference points at the list's home page for every rule, so there is
# no per-domain context to follow from an alert.
# sid 2631790 includes 1 (0 - 1) 9 character domains in the ".no" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.no)"; content:"|09|";content:"|02|no|00|";nocase;within: 12;pcre: "/appaloosa/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631790; rev:9;)
# sid 2631791 includes 1 (0 - 1) 15 character domains in the ".nu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.nu)"; content:"|0f|";content:"|02|nu|00|";nocase;within: 18;pcre: "/children-europe/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631791; rev:9;)
# sid 2631792 includes 1 (0 - 1) 6 character domains in the ".nu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.nu)"; content:"|06|";content:"|02|nu|00|";nocase;within: 9;pcre: "/e-mule/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631792; rev:9;)
# sid 2631793 includes 32 (0 - 32) 10 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.org)"; content:"|0a|";content:"|03|org|00|";nocase;within: 13;pcre: "/(s(earch(-(b(iz|uy)|now)|room)|aken-qlbe)|barmy-army|j(obusiness|fxcvnnawk|avacsript)|mario4ever|d(ailybutts|reamwatch|yatlyonok|irectseek)|a(jesevilla|ibcvienna|resgalaxy)|g(ivetotuck|lobalstat|ood(buynow|netads))|p(harmacy-w|ro-tuning|orn-money|arisvideo)|chat-shqip|kabanyonok|netcorbina|face-books|winscanner|ilyichevsk|ruralreach)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631793; rev:9;)
# sid 2631794 includes 38 (0 - 38) 11 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 
(msg:"SPYWARE-DNS DNS lookup 11 chars (.org)"; content:"|0b|";content:"|03|org|00|";nocase;within: 14;pcre: "/(f(reeforumss|dic-secure|lowgaleria|mhxqutvccr|ullprotect)|a(dult-toons|sianssluts|eromexicov)|c(rackserial|avalldemar)|d(dosmanager|ropbuysell)|e(bonyhunter|mpirenotes|xtra-video|verif(4sale|cyber))|hyipmanager|united-crew|p(orn-server|ropayments)|y(our-travel|wxdggnaaad|eeollvintx)|imageshaack|m(edvezhonok|ydb4umuser)|r(henjqljvty|ighthandup)|sanaltahrip|w(aeqoxlrprp|skzbakqfvk)|t(yoxnaqjrlu|elmemobile|allinnblog)|book-photos|jennavideos|xyseinobama)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631794; rev:9;) # sid 2631795 includes 10 (0 - 10) 12 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.org)"; content:"|0c|";content:"|03|org|00|";nocase;within: 15;pcre: "/(d(o(wnloadfile|zerhosting)|effinancing)|every-search|c(hildrenporn|razycraberz)|servicheckon|www-facebook|m(oviesdesert|ydb4umusers))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631795; rev:9;) # sid 2631796 includes 15 (0 - 15) 13 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.org)"; content:"|0d|";content:"|03|org|00|";nocase;within: 16;pcre: "/(88-107-91-252|carrentalhelp|e(macesrilanka|sibizioniste)|pharmacy-4you|s(earch(forporn|-galaxy)|oft4youupdat)|a(ccountsprivo|dultporntube|boutyourbizz)|viagrageneric|bleedingsnort|yoursexportal|www-messenger)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631796; rev:9;) # sid 2631797 includes 15 (0 - 15) 14 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.org)"; content:"|0e|";content:"|03|org|00|";nocase;within: 17;pcre: 
"/(download-gamez|loansunlimited|virus-isolator|a(nti(virus-2008|spywareinc|-virus-pro)|v-online-scan)|registryupdate|macfeeresponse|google-analyze|privacy-cent(ar|er)|yoursearchword|britneyexposed|xxx-video-tube)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631797; rev:9;) # sid 2631798 includes 18 (0 - 18) 15 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.org)"; content:"|0f|";content:"|03|org|00|";nocase;within: 18;pcre: "/(greeting-ecards|free-video-wefd|s(oftwarerevenue|pywaresoftstop|earch-and-more)|clubgrandcasino|doctorsearchusa|e(w-financegroup|learningschool)|p(orn-youtube-08|ay-per-install)|a(nti(virusxp2008|spyware2008)|vs-online-scan|rkbroadcasters)|m(essenger-msn-9|sn-messenger-9)|katiereesphotos)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631798; rev:9;) # sid 2631799 includes 12 (0 - 12) 16 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.org)"; content:"|10|";content:"|03|org|00|";nocase;within: 19;pcre: "/(anti(virus2008pro|spy(downloads|ware-2008))|winantivirus2008|rxpharmacyonline|idealadvertising|masterxwebplanet|facebook-gallery|system-protector|claremontfinance|protectionsystem|xpressforummoney)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631799; rev:9;) # sid 2631800 includes 5 (0 - 5) 17 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.org)"; content:"|11|";content:"|03|org|00|";nocase;within: 20;pcre: "/(e(ast-west-finance|roticscreensaver)|statistics-google|antivirus(-2008pro|2008-pro))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631800; rev:9;) # sid 2631801 includes 6 (0 - 6) 18 character domains in the ".org" top 
# level domain
# The length byte is written in hex: |12| = 18, |13| = 19, |14| = 20, |15| = 21,
# |18| = 24, matching the "N chars" stated in each msg.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.org)"; content:"|12|";content:"|03|org|00|";nocase;within: 21;pcre: "/(iexplorer-security|antivirus-2008-pro|online(registryscan|pharmacy4you)|registrycleanerpro|businesproject4you)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631801; rev:9;)
# sid 2631802 includes 2 (0 - 2) 19 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.org)"; content:"|13|";content:"|03|org|00|";nocase;within: 22;pcre: "/(defendmycreditunion|orthodoxie-oostende)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631802; rev:9;)
# sid 2631803 includes 3 (0 - 3) 20 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.org)"; content:"|14|";content:"|03|org|00|";nocase;within: 23;pcre: "/(2004synchronationals|apollohostingcompany|eastwestfinancegroup)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631803; rev:9;)
# sid 2631804 includes 1 (0 - 1) 21 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.org)"; content:"|15|";content:"|03|org|00|";nocase;within: 24;pcre: "/thelincolnmarkviiclub/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631804; rev:9;)
# sid 2631805 includes 1 (0 - 1) 24 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.org)"; content:"|18|";content:"|03|org|00|";nocase;within: 27;pcre: "/antispyware2008-download/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631805; rev:9;)
# sid 2631806 includes 2 (0 - 2) 25 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.org)"; content:"|19|";content:"|03|org|00|";nocase;within: 28;pcre: "/anti(virus2008pro-download|spyware-2008-download)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631806; rev:9;)
# sid 2631807 includes 4 (0 - 4) 3 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.org)"; content:"|03|";content:"|03|org|00|";nocase;within: 6;pcre: "/(f9i|3b3|k8l|17o)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631807; rev:9;)
# NOTE(review): "3322" and "no-ip" under .org look like dynamic-DNS provider names;
# matching the provider label alerts on every hostname registered beneath it, so expect
# volume from sids 2631808/2631809 and triage on the full queried name.
# sid 2631808 includes 20 (0 - 20) 4 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.org)"; content:"|04|";content:"|03|org|00|";nocase;within: 7;pcre: "/(3322|jqxx|9(966|365)|4wap|a(buz|777)|cvv2|d(seo|1ez)|byet|ewfg|f(-mf|x15)|m(ipr|bd2)|2288|6600|88(00|66))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631808; rev:9;)
# sid 2631809 includes 31 (0 - 31) 5 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.org)"; content:"|05|";content:"|03|org|00|";nocase;within: 8;pcre: "/(5(20sf|foot)|t(rffc|fsol)|9(-4-2|1131)|anrom|c(n911|rasy|tapp)|d(ekan|oleg|s-se|bios)|e(7da7|ubiz|w-fg)|n(o-ip|ahyu)|464fg|zqked|16868|ifjak|rheni|xxztb|yeofa|gbrpn|bidwm|s(l1ms|exmx)|okapt)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631809; rev:9;)
# sid 2631810 includes 42 (0 - 42) 6 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.org)"; content:"|06|";content:"|03|org|00|";nocase;within: 9;pcre: "/(1ccfcu|noecho|p(epato|orono)|r(eddii|amder)|u(nicat|kdikl)|810810|b(rblue|aidu8|iz-er)|c(lrstr|ounte|preec|n3721)|d(es(1gn|max)|utige|riska)|e(-told|urico|vil-x|rwojl)|h(eidik|ao365)|k(uvajt|odzhq)|zair32|i(56web|dea21|qgnqt|shaaq)|x(prlxl|-gold)|s(irkqq|harax)|gimnow|fangyu|leosex|a(res-3|chren))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631810; rev:9;)
# NOTE(review): the rules fire on the query alone; whether the name still resolves
# is not part of the match, so a hit shows an attempt to resolve, not a successful lookup.
# sid 2631811 includes 40 (0 - 40) 7 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.org)"; content:"|07|";content:"|03|org|00|";nocase;within: 10;pcre: "/(n(okhbah|ikitka)|a(cidjet|llhigh|-w-a-y|dultcd)|d(elspam|ns(-dns|4biz)|rdrdrd|i(r4you|cgdsp)|matca6|tosuhc|uahpzq)|e(lvizzz|robest)|s(topmen|osiska|eistic)|c(hajian|imrman|zenate)|f(ulldvd|dicorp|ackoff)|m(ncpssa|s-scan|ultaka|iafery)|tsautah|i(sjjlnv|raqisa)|oadscrk|ucnfehj|x(jnyfwt|fucked)|rmpezrx|b(ook-ua|uminch))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631811; rev:9;)
# sid 2631812 includes 51 (0 - 51) 8 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.org)"; content:"|08|";content:"|03|org|00|";nocase;within: 11;pcre: "/(u(cleaner|sbanker)|vip-ddos|f(astfind|ogzchqe|uougcdv)|911traff|a(d-world|bsoluts|llavers|nal-toy|res-net)|c(umocean|hintiwn|nnworld|qfcusco)|d(nserror|uplishe|sdialog|omishko)|e(multrix|vilrode|obvidij)|h(avephun|udphigb|ostteam)|w(atbowon|kstxvzr)|se(arch-w|rver52)|xiangxue|z(latorog|erolost)|11fffa4a|6290046a|75a9047b|l(isyonok|yhivgkd|mon2web)|qarchive|ias-jobs|boadongo|j(louqrgb|dnukedc)|kimonrvh|olgjkxih|r(lrbqpxv|odexcom)|tmdoxfcc|g(bxpxugx|ccgroup))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631812; rev:9;)
# sid 2631813 includes 48 (0 - 48) 9 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] 
any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.org)"; content:"|09|";content:"|03|org|00|";nocase;within: 12;pcre: "/(c(oolboard|ashpopup)|h(o(st-good|usechat)|i5-photo)|livecheck|m(s(updater|nimages)|oney2008|azahacka)|t(o(xiclink|ngji123)|rdfcxclp)|a(dwarepro|nalystic|res-2008)|e(b(onyslut|asearch)|astcarib)|w(e(st-best|discbpi)|inifixer|w(ftlwlvm|w-emule))|p(ornogals|hoto-msn)|s(e(arch-(4u|rc)|oclicks)|hqipkiss|itzkeybm)|udefender|3876373tr|z(o(omovies|ne-game)|aychonok|ubryonok|eus-logs)|j(grftgunh|vnzbsyhv)|y(dxnochqn|jodeikka|mcacoosa)|olenyonok|bontrafic|ratephoto|4utraffic|ile-de-re)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631813; rev:9;) # sid 2631814 includes 1 (0 - 1) 11 character domains in the ".ph" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ph)"; content:"|0b|";content:"|02|ph|00|";nocase;within: 14;pcre: "/royrose1939/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631814; rev:9;) # sid 2631815 includes 1 (0 - 1) 6 character domains in the ".ph" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ph)"; content:"|06|";content:"|02|ph|00|";nocase;within: 9;pcre: "/i-site/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631815; rev:9;) # sid 2631816 includes 1 (0 - 1) 8 character domains in the ".ph" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ph)"; content:"|08|";content:"|02|ph|00|";nocase;within: 11;pcre: "/krasotka/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631816; rev:9;) # sid 2631817 includes 1 (0 - 1) 14 character domains in the ".pl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.pl)"; 
content:"|0e|";content:"|02|pl|00|";nocase;within: 17;pcre: "/balticatrading/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631817; rev:9;) # sid 2631818 includes 1 (0 - 1) 2 character domains in the ".pl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 2 chars (.pl)"; content:"|02|";content:"|02|pl|00|";nocase;within: 5;pcre: "/1k/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631818; rev:9;) # sid 2631819 includes 3 (0 - 3) 3 character domains in the ".pl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.pl)"; content:"|03|";content:"|02|pl|00|";nocase;within: 6;pcre: "/(ilo|2mj|a3j)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631819; rev:9;) # sid 2631820 includes 2 (0 - 2) 4 character domains in the ".pl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.pl)"; content:"|04|";content:"|02|pl|00|";nocase;within: 7;pcre: "/(zief|xorg)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631820; rev:9;) # sid 2631821 includes 1 (0 - 1) 5 character domains in the ".pl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.pl)"; content:"|05|";content:"|02|pl|00|";nocase;within: 8;pcre: "/brenz/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631821; rev:9;) # sid 2631822 includes 1 (0 - 1) 6 character domains in the ".pl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.pl)"; content:"|06|";content:"|02|pl|00|";nocase;within: 9;pcre: "/lometr/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631822; rev:9;) # sid 2631823 includes 1 (0 - 1) 7 character domains in the ".pl" top level 
domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.pl)"; content:"|07|";content:"|02|pl|00|";nocase;within: 10;pcre: "/roleski/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631823; rev:9;) # sid 2631824 includes 1 (0 - 1) 8 character domains in the ".pl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.pl)"; content:"|08|";content:"|02|pl|00|";nocase;within: 11;pcre: "/megadent/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631824; rev:9;) # sid 2631825 includes 1 (0 - 1) 9 character domains in the ".pl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.pl)"; content:"|09|";content:"|02|pl|00|";nocase;within: 12;pcre: "/susanlabo/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631825; rev:9;) # sid 2631826 includes 1 (0 - 1) 12 character domains in the ".ro" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ro)"; content:"|0c|";content:"|02|ro|00|";nocase;within: 15;pcre: "/autolugojana/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631826; rev:9;) # sid 2631827 includes 1 (0 - 1) 13 character domains in the ".ro" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.ro)"; content:"|0d|";content:"|02|ro|00|";nocase;within: 16;pcre: "/sunset-travel/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631827; rev:9;) # sid 2631828 includes 1 (0 - 1) 5 character domains in the ".ro" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ro)"; content:"|05|";content:"|02|ro|00|";nocase;within: 8;pcre: "/xhost/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2631828; rev:9;) # sid 2631829 includes 1 (0 - 1) 6 character domains in the ".ro" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ro)"; content:"|06|";content:"|02|ro|00|";nocase;within: 9;pcre: "/evidek/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631829; rev:9;) # sid 2631830 includes 1 (0 - 1) 7 character domains in the ".ro" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ro)"; content:"|07|";content:"|02|ro|00|";nocase;within: 10;pcre: "/upoterm/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631830; rev:9;) # sid 2631831 includes 2 (0 - 2) 8 character domains in the ".ro" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ro)"; content:"|08|";content:"|02|ro|00|";nocase;within: 11;pcre: "/w(hitehat|ishclub)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631831; rev:9;) # sid 2631832 includes 30 (0 - 30) 10 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ru)"; content:"|0a|";content:"|02|ru|00|";nocase;within: 13;pcre: "/(color-bank|kidos-bank|f(i(lesearch|x(aserver|bserver)|ndrosain)|eruchiman)|b(a(nnerbank|r-moscow)|estcelebs)|alexastats|nevervhudo|ofis-rents|p(avelmoous|ornoland7)|t(rafficinc|ayforlive)|m(akechange|egapupseg|ini-socks)|ho(ntserrey|stvegass)|v(psspeedin|bssssffff)|r(amshanabc|ezident77)|s(aveourass|econdgate|microsoft|upermovie))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631832; rev:9;) # sid 2631833 includes 19 (0 - 19) 11 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ru)"; 
content:"|0b|";content:"|02|ru|00|";nocase;within: 14;pcre: "/(a(dastra-ars|real-realt|fricazebra|lexadesign)|f(ixproblems|oxsemprost)|stopgeorgia|d(anacompany|ollar(point|admin))|europalitra|googlestats|w(wwhttpinfo|topcompany)|tns-counter|vipmaterial|bmwx6foreva|confbigbang|happyhippol)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631833; rev:9;) # sid 2631834 includes 14 (0 - 14) 12 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ru)"; content:"|0c|";content:"|02|ru|00|";nocase;within: 15;pcre: "/(jkh-novgorod|ratingtop100|g(uns-fi-logs|ronxplanets)|blatundalqik|e(batkopatnax|cogroup-vrn)|productthere|newslentarss|famajormusic|zvezdu-sosut|aerokazachok|crab(sinatack|industry))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631834; rev:9;) # sid 2631835 includes 15 (0 - 15) 13 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.ru)"; content:"|0d|";content:"|02|ru|00|";nocase;within: 16;pcre: "/(fixredirector|malafikarubik|removespyware|g(eografystart|oogle-search)|teploplast-nn|s(unmaiamibich|tartdontstop|andiiegoexpo)|confunderload|borishoffbibi|nightplayauto|arsenal-music|obama2welcome|yandexcounter)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631835; rev:9;) # sid 2631836 includes 4 (0 - 4) 14 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.ru)"; content:"|0e|";content:"|02|ru|00|";nocase;within: 17;pcre: "/(baltikaredison|reservpptppp20|photo-uploader|fileuploadinto)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631836; rev:9;) # sid 2631837 includes 6 (0 - 6) 15 character domains in the ".ru" top level domain alert udp 
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.ru)"; content:"|0f|";content:"|02|ru|00|";nocase;within: 18;pcre: "/(moscow-students|siliconfireware|ebookfinaltrash|koromanskipart1|zakazat-seichas|ontest112233311)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631837; rev:9;) # sid 2631838 includes 8 (0 - 8) 16 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.ru)"; content:"|10|";content:"|02|ru|00|";nocase;within: 19;pcre: "/(e-learningcenter|hyper-space-fuel|google-analitucs|reservpptppp7777|suspended-domain|yourelitehosting|dr-w-corporation|londondirect252z)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631838; rev:9;) # sid 2631839 includes 3 (0 - 3) 17 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.ru)"; content:"|11|";content:"|02|ru|00|";nocase;within: 20;pcre: "/(firestorm-ch-logs|grepware-facility|trafficmonsterinc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631839; rev:9;) # sid 2631840 includes 1 (0 - 1) 18 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.ru)"; content:"|12|";content:"|02|ru|00|";nocase;within: 21;pcre: "/illegaltopcounters/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631840; rev:9;) # sid 2631841 includes 9 (0 - 9) 3 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.ru)"; content:"|03|";content:"|02|ru|00|";nocase;within: 6;pcre: "/(1gb|x5x|22z|bot|pov|ex6|ten|0ci|mz3)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631841; rev:9;) # sid 2631842 includes 
109 (0 - 109) 4 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.ru)"; content:"|04|";content:"|02|ru|00|";nocase;within: 7;pcre: "/(b(bin|4so|ce8|jxt|n(rc|sr)|osf|sko|ts5|gsr|ywd|rbg)|z(dom|lzu|3d7|ctk)|p(zrk|fd2|o(4c|rv))|4(cnw|vrs|tun)|5kc3|9(0mc|jsr|8hs)|a(dwr|311|f(oi|rr)|jal)|c(g(t4|33)|h(35|ds)|v(sr|2e|32)|b3f|nld)|d(5sg|sxc)|e(cx2|tyj|adj)|g(b53|ty5|ooo|pt0)|h23f|i(ogp|roe|bse)|j(ex5|v(e4|ke)|ic2|uc8)|k(c43|e(ec|je)|gj3|j(5s|wd)|odj|po3|r92)|l(k(c2|sr)|ocm|ijg|aed)|n(c(b(2|w)|wc)|emr|jep|udk|bh3|wj4|mli)|o(ics|jns|k(cd|la)|c32)|rrcs|s(dkj|0si)|v(cre|j64|swc|wsc)|3(njx|bor)|8hcs|u(hwc|jnc|s18)|2b24|fst9|m(c2n|j(5f|km)|tno|amj)|1488|wmpd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631842; rev:9;) # sid 2631843 includes 49 (0 - 49) 5 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ru)"; content:"|05|";content:"|02|ru|00|";nocase;within: 8;pcre: "/(o(trix|pili)|b(itel|eyr(u|y))|a(gava|dwbn|cr34|sl39|ng42)|k(orfd|remz|1l3r)|l(o(dse|opk)|pbmx)|n(mr43|et(r2|83)|ucop|vepe|okel)|iop(c4|oe)|j(etp6|oksh|uste)|ueur3|22net|4net9|51com|64asp|92prt|c(tiry|hk06)|d(eryv|ruzg|brgf)|mheop|s(el92|avo7|ciam)|v(tg43|pk66)|xenbv|81dns|hedym|pbtgr|eddii)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631843; rev:9;) # sid 2631844 includes 55 (0 - 55) 6 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ru)"; content:"|06|";content:"|02|ru|00|";nocase;within: 9;pcre: 
"/(juhost|m(agian|entoe|sngk6)|n(eosap|ipels)|r(ed(med|dii)|cdplc)|cr(utop|iter)|d(educt|dtfff|vstep)|p(o(pups|r(t04|mce))|kseio)|gr(tsel|adul)|s(slwer|pyrix|kytor|yscet)|a(aszx(e|i|o|p|q|r|t|u|w|y)|vel-m)|30area|berjke|errghr|furely|kexlup|l(ang42|i(staz|tana))|vrelel|zeprod|969696|xapads|o(kfilm|dmina|likar)|us(zn66|rv(03|zi))|trffc3|000007)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631844; rev:9;) # sid 2631845 includes 35 (0 - 35) 7 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ru)"; content:"|07|";content:"|02|ru|00|";nocase;within: 10;pcre: "/(t(aktomi|u(lipes|bered)|dsblog|heiwbl)|c(cpower|osmosi)|n(e(wmail|tcfg9)|lhotel)|asechka|passion|b(rcporb|toperc|o(t-tob|yhome))|wfrules|m(n(benio|icbre|-room)|estkom|p3base)|4log-in|53refer|rsspnet|s(itevgb|exdvds|varkon)|h(otysex|aos-in|0tabi4)|ineks-s|2icqmag|1000-ga|fer5woi)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631845; rev:9;) # sid 2631846 includes 23 (0 - 23) 8 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ru)"; content:"|08|";content:"|02|ru|00|";nocase;within: 11;pcre: "/(t(raffurl|hesims2)|postcard|j(ino-net|beegvia)|carsfoto|d(omain31|river95)|b(usyhere|klinkov)|medsinfo|a(zocolz8|ng-news)|sexiland|x(apaxapa|xxfiles)|lendrive|hack-off|f(ox(bevip|xpriv)|actoria|inksayq)|gruzovki)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631846; rev:9;) # sid 2631847 includes 39 (0 - 39) 9 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ru)"; content:"|09|";content:"|02|ru|00|";nocase;within: 12;pcre: 
"/(rimvoyeur|x(-victory|clublove)|i(cqplanet|predator|gorhhasy)|a(hleinaks|bfintour|mnepofig)|hosting-4|4-seacher|c(o(smo(6766|9998)|oltrick)|atch-you|upit-dom|iti-bank)|oy4b-oykb|ufastanki|l(ovekills|iventsov)|p(elingers|olimerco|werwerwe)|tuning063|v(sedlysna|zlom-icq)|f(irstgate|ox(belive|holter))|g(oodtraff|rafjasqq)|b(izoplata|lade2009)|yuppistar|sexy-zone|elenahysd|z(abotinku|-paiment))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631847; rev:9;) # sid 2631848 includes 1 (0 - 1) 10 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.se)"; content:"|0a|";content:"|02|se|00|";nocase;within: 13;pcre: "/vinstraden/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631848; rev:9;) # sid 2631849 includes 1 (0 - 1) 3 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.se)"; content:"|03|";content:"|02|se|00|";nocase;within: 6;pcre: "/3g6/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631849; rev:9;) # sid 2631850 includes 1 (0 - 1) 7 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.se)"; content:"|07|";content:"|02|se|00|";nocase;within: 10;pcre: "/stabilt/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631850; rev:9;) # sid 2631851 includes 1 (0 - 1) 8 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.se)"; content:"|08|";content:"|02|se|00|";nocase;within: 11;pcre: "/trekkers/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631851; rev:9;) # sid 2631852 includes 1 (0 - 1) 9 character domains in the ".se" top level domain alert udp 
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.se)"; content:"|09|";content:"|02|se|00|";nocase;within: 12;pcre: "/glocalnet/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631852; rev:9;) # sid 2631853 includes 1 (0 - 1) 5 character domains in the ".si" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.si)"; content:"|05|";content:"|02|si|00|";nocase;within: 8;pcre: "/iware/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631853; rev:9;) # sid 2631854 includes 1 (0 - 1) 6 character domains in the ".si" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.si)"; content:"|06|";content:"|02|si|00|";nocase;within: 9;pcre: "/limnos/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631854; rev:9;) # sid 2631855 includes 2 (0 - 2) 12 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.sk)"; content:"|0c|";content:"|02|sk|00|";nocase;within: 15;pcre: "/(genesisstore|hotelhrabovo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631855; rev:9;) # sid 2631856 includes 1 (0 - 1) 17 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.sk)"; content:"|11|";content:"|02|sk|00|";nocase;within: 20;pcre: "/cokoladovefigurky/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631856; rev:9;) # sid 2631857 includes 1 (0 - 1) 4 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.sk)"; content:"|04|";content:"|02|sk|00|";nocase;within: 7;pcre: "/vaav/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2631857; rev:9;) # sid 2631858 includes 2 (0 - 2) 6 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.sk)"; content:"|06|";content:"|02|sk|00|";nocase;within: 9;pcre: "/(bvgips|dyndns)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631858; rev:9;) # sid 2631859 includes 1 (0 - 1) 7 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.sk)"; content:"|07|";content:"|02|sk|00|";nocase;within: 10;pcre: "/geoteam/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631859; rev:9;) # sid 2631860 includes 2 (0 - 2) 8 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.sk)"; content:"|08|";content:"|02|sk|00|";nocase;within: 11;pcre: "/(betradar|dadajozo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631860; rev:9;) # sid 2631861 includes 1 (0 - 1) 4 character domains in the ".st" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.st)"; content:"|04|";content:"|02|st|00|";nocase;within: 7;pcre: "/trek/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631861; rev:9;) # sid 2631862 includes 5 (0 - 5) 10 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.su)"; content:"|0a|";content:"|02|su|00|";nocase;within: 13;pcre: "/(bank(update|verify)|user(update|verify)|verifybank)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631862; rev:9;) # sid 2631863 includes 4 (0 - 4) 11 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] 
any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.su)"; content:"|0b|";content:"|02|su|00|";nocase;within: 14;pcre: "/(bankconfirm|login(update|verify)|userconfirm)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631863; rev:9;) # sid 2631864 includes 1 (0 - 1) 12 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.su)"; content:"|0c|";content:"|02|su|00|";nocase;within: 15;pcre: "/loginconfirm/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631864; rev:9;) # sid 2631865 includes 1 (0 - 1) 13 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.su)"; content:"|0d|";content:"|02|su|00|";nocase;within: 16;pcre: "/yandexcounter/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631865; rev:9;) # sid 2631866 includes 1 (0 - 1) 14 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.su)"; content:"|0e|";content:"|02|su|00|";nocase;within: 17;pcre: "/hostingservice/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631866; rev:9;) # sid 2631867 includes 11 (0 - 11) 3 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.su)"; content:"|03|";content:"|02|su|00|";nocase;within: 6;pcre: "/(b8c|c(6c|75)|f(38|48)|g26|n73|v(95|vb)|wk8|r0t)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631867; rev:9;) # sid 2631868 includes 5 (0 - 5) 4 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.su)"; content:"|04|";content:"|02|su|00|";nocase;within: 7;pcre: 
"/(5asp|7asp|app2|1069|zbot)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631868; rev:9;) # sid 2631869 includes 6 (0 - 6) 5 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.su)"; content:"|05|";content:"|02|su|00|";nocase;within: 8;pcre: "/(2bank|5bank|8aspx|asp24|com(45|51))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631869; rev:9;) # sid 2631870 includes 3 (0 - 3) 6 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.su)"; content:"|06|";content:"|02|su|00|";nocase;within: 9;pcre: "/(aspx12|sotana|botnet)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631870; rev:9;) # sid 2631871 includes 4 (0 - 4) 7 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.su)"; content:"|07|";content:"|02|su|00|";nocase;within: 10;pcre: "/(confirm|2online|yanndex|sex4fun)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631871; rev:9;) # sid 2631872 includes 4 (0 - 4) 8 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.su)"; content:"|08|";content:"|02|su|00|";nocase;within: 11;pcre: "/(econfirm|l2manual|arkanoid|goldtraf)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631872; rev:9;) # sid 2631873 includes 2 (0 - 2) 9 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.su)"; content:"|09|";content:"|02|su|00|";nocase;within: 12;pcre: "/(vam-pismo|badserver)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631873; rev:9;) # sid 2631874 
includes 1 (0 - 1) 5 character domains in the ".tc" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.tc)"; content:"|05|";content:"|02|tc|00|";nocase;within: 8;pcre: "/emule/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631874; rev:9;) # sid 2631875 includes 1 (0 - 1) 14 character domains in the ".tj" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.tj)"; content:"|0e|";content:"|02|tj|00|";nocase;within: 17;pcre: "/iloveeverybody/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631875; rev:9;) # sid 2631876 includes 1 (0 - 1) 11 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.tk)"; content:"|0b|";content:"|02|tk|00|";nocase;within: 14;pcre: "/cyberagthor/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631876; rev:9;) # sid 2631877 includes 1 (0 - 1) 13 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.tk)"; content:"|0d|";content:"|02|tk|00|";nocase;within: 16;pcre: "/cashtransfers/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631877; rev:9;) # sid 2631878 includes 5 (0 - 5) 4 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.tk)"; content:"|04|";content:"|02|tk|00|";nocase;within: 7;pcre: "/(asp8|dtdl|ltdl|mtdl|tkdl)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631878; rev:9;) # sid 2631879 includes 5 (0 - 5) 5 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.tk)"; 
content:"|05|";content:"|02|tk|00|";nocase;within: 8;pcre: "/(sid57|25cat|93vbs|drv68|html3)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631879; rev:9;)
#
# NOTE(review): how to read the generated rules in this section.
#  - Header: UDP from any host that is not in $SMTP_SERVERS or $DNS_SERVERS,
#    to $DNS_SERVERS port 53. No option inspects the DNS header (flags,
#    question count), so only the raw payload bytes are tested.
#  - First content: a single byte equal to the label length named in msg
#    (|06| for "6 chars"). Second content: the length-prefixed TLD followed
#    by the root terminator (|02|tk|00|); nocase and within apply to it.
#  - within is always label length + 3, whatever the TLD. The label plus the
#    TLD pattern span label length + 4 bytes for a two-letter TLD -- TODO
#    confirm against the sensor's `within` semantics (replay a known lookup
#    from a capture) that the exact-label case actually fires.
#  - pcre carries only /i: no anchors and no relative (R) flag, so it is not
#    tied to the label that the two content matches located. Short patterns
#    (two or three characters) can match bytes elsewhere in the payload;
#    expect false positives and confirm the queried name from the packet.
#  - msg names only the label length and the TLD, not the domain that
#    matched; triage needs the payload or DNS logs to recover it.
#  - The file header states these rules are regenerated daily from
#    domains.txt, so lasting fixes belong in the generator, not in this file.
#
# sid 2631880 includes 10 (0 - 10) 6 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.tk)"; content:"|06|";content:"|02|tk|00|";nocase;within: 9;pcre: "/(lang85|38(lang|rate)|form64|21java|en-us7|walers|9batch|page65|gilani)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631880; rev:9;)
# sid 2631881 includes 4 (0 - 4) 7 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.tk)"; content:"|07|";content:"|02|tk|00|";nocase;within: 10;pcre: "/(gbradde|client7|sslcom6|6domain)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631881; rev:9;)
# sid 2631882 includes 1 (0 - 1) 8 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.tk)"; content:"|08|";content:"|02|tk|00|";nocase;within: 11;pcre: "/9control/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631882; rev:9;)
# sid 2631883 includes 1 (0 - 1) 11 character domains in the ".to" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.to)"; content:"|0b|";content:"|02|to|00|";nocase;within: 14;pcre: "/worldcasino/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631883; rev:9;)
# sid 2631884 includes 1 (0 - 1) 10 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.tv)"; content:"|0a|";content:"|02|tv|00|";nocase;within: 13;pcre: "/cinemacafe/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631884; rev:9;)
# sid 2631885 includes 1 (0 - 1) 11 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.tv)"; content:"|0b|";content:"|02|tv|00|";nocase;within: 14;pcre: "/newprogress/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631885; rev:9;)
# sid 2631886 includes 2 (0 - 2) 13 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.tv)"; content:"|0d|";content:"|02|tv|00|";nocase;within: 16;pcre: "/c(enterkras-tv|um-on-mature)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631886; rev:9;)
# sid 2631887 includes 2 (0 - 2) 4 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.tv)"; content:"|04|";content:"|02|tv|00|";nocase;within: 7;pcre: "/(37id|7get)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631887; rev:9;)
# sid 2631888 includes 3 (0 - 3) 5 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.tv)"; content:"|05|";content:"|02|tv|00|";nocase;within: 8;pcre: "/(12cfm|hit12|barba)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631888; rev:9;)
# sid 2631889 includes 3 (0 - 3) 6 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.tv)"; content:"|06|";content:"|02|tv|00|";nocase;within: 9;pcre: "/(25user|3ntdll|libid5)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631889; rev:9;)
# sid 2631890 includes 5 (0 - 5) 7 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.tv)"; content:"|07|";content:"|02|tv|00|";nocase;within: 10;pcre: "/(3cookie|7import|8netcfg|manage5|food114)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631890; rev:9;)
# sid 2631891 includes 3 (0 - 3) 9 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.tv)"; content:"|09|";content:"|02|tv|00|";nocase;within: 12;pcre: "/(indiborge|4utraffic|antonella)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631891; rev:9;)
# sid 2631892 includes 1 (0 - 1) 11 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.tw)"; content:"|0b|";content:"|02|tw|00|";nocase;within: 14;pcre: "/trafficshop/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631892; rev:9;)
# sid 2631893 includes 1 (0 - 1) 3 character domains in the ".tw" top level domain
# NOTE(review): three-character unanchored pcre; see the pcre caveat in the note at the top of this section.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.tw)"; content:"|03|";content:"|02|tw|00|";nocase;within: 6;pcre: "/bro/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631893; rev:9;)
# sid 2631894 includes 1 (0 - 1) 4 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.tw)"; content:"|04|";content:"|02|tw|00|";nocase;within: 7;pcre: "/mias/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631894; rev:9;)
# sid 2631895 includes 2 (0 - 2) 5 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.tw)"; content:"|05|";content:"|02|tw|00|";nocase;within: 8;pcre: "/(60888|gdi24)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631895; rev:9;)
# sid 2631896 includes 4 (0 - 4) 6 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.tw)"; content:"|06|";content:"|02|tw|00|";nocase;within: 9;pcre: "/(en-us9|host15|tray62|waigua)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631896; rev:9;)
# sid 2631897 includes 3 (0 - 3) 7 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.tw)"; content:"|07|";content:"|02|tw|00|";nocase;within: 10;pcre: "/(gamevod|1config|4stream)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631897; rev:9;)
# sid 2631898 includes 10 (0 - 10) 10 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.us)"; content:"|0a|";content:"|02|us|00|";nocase;within: 13;pcre: "/(sp(bpolveni|idergame)|usatvshows|h(i5-images|8i(2easter|9easter))|dkpeaster(2|6)|f9o85(1test|2test))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631898; rev:9;)
# sid 2631899 includes 10 (0 - 10) 11 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.us)"; content:"|0b|";content:"|02|us|00|";nocase;within: 14;pcre: "/(antivir(uses|2008)|easy-search|your-search|posteonline|reinviadati|updatepanel|image(folder|holder)|msn-gallery)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631899; rev:9;)
# sid 2631900 includes 1 (0 - 1) 12 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.us)"; content:"|0c|";content:"|02|us|00|";nocase;within: 15;pcre: "/federalbanks/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631900; rev:9;)
# sid 2631901 includes 2 (0 - 2) 13 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.us)"; content:"|0d|";content:"|02|us|00|";nocase;within: 16;pcre: "/(antispyspider|golden-portal)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631901; rev:9;)
# sid 2631902 includes 3 (0 - 3) 14 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.us)"; content:"|0e|";content:"|02|us|00|";nocase;within: 17;pcre: "/(virus-isolator|images-gallery|porno-tube-xxx)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631902; rev:9;)
# sid 2631903 includes 3 (0 - 3) 15 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.us)"; content:"|0f|";content:"|02|us|00|";nocase;within: 18;pcre: "/(f(eds-r-watching|acebook-groups)|esecure-federal)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631903; rev:9;)
# sid 2631904 includes 1 (0 - 1) 17 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.us)"; content:"|11|";content:"|02|us|00|";nocase;within: 20;pcre: "/federalbanksystem/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631904; rev:9;)
# sid 2631905 includes 1 (0 - 1) 18 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.us)"; content:"|12|";content:"|02|us|00|";nocase;within: 21;pcre: "/awardspacelooksbig/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631905; rev:9;)
# sid 2631906 includes 2 (0 - 2) 19 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.us)"; content:"|13|";content:"|02|us|00|";nocase;within: 22;pcre: "/(antivirusprotection|nationalyellowpages)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631906; rev:9;)
# sid 2631907 includes 1 (0 - 1) 20 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.us)"; content:"|14|";content:"|02|us|00|";nocase;within: 23;pcre: "/antivirus-protection/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631907; rev:9;)
# sid 2631908 includes 2 (0 - 2) 21 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.us)"; content:"|15|";content:"|02|us|00|";nocase;within: 24;pcre: "/federalreserve-(direct|online)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631908; rev:9;)
# sid 2631909 includes 5 (0 - 5) 3 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.us)"; content:"|03|";content:"|02|us|00|";nocase;within: 6;pcre: "/(16a|kk6|y66|2ru|su7)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631909; rev:9;)
# sid 2631910 includes 10 (0 - 10) 4 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.us)"; content:"|04|";content:"|02|us|00|";nocase;within: 7;pcre: "/(2365|najd|ka47|see9|usuc|gnaa|6usa|vtrs|lilj|hjhj)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631910; rev:9;)
# sid 2631911 includes 15 (0 - 15) 5 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.us)"; content:"|05|";content:"|02|us|00|";nocase;within: 8;pcre: "/(tarog|g(h0st|et31|rtsg)|adbiz|b(oyxx|nk45)|34hit|52exe|edit7|http8|jjwky|spoti|ole55|finik)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631911; rev:9;)
# sid 2631912 includes 13 (0 - 13) 6 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.us)"; content:"|06|";content:"|02|us|00|";nocase;within: 9;pcre: "/(r(acrew|dir52)|bank45|fuckuu|crklab|a(pps59|v4321)|en-us3|0(7load|kfzzl)|util13|6query|googli)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631912; rev:9;)
# sid 2631913 includes 3 (0 - 3) 7 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.us)"; content:"|07|";content:"|02|us|00|";nocase;within: 10;pcre: "/(peposte|sslweb9|karavan)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631913; rev:9;)
# sid 2631914 includes 6 (0 - 6) 8 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.us)"; content:"|08|";content:"|02|us|00|";nocase;within: 11;pcre: "/(rideline|srv-scan|f(9o(5test|8test)|f7test5)|g2g1test)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631914; rev:9;)
# sid 2631915 includes 21 (0 - 21) 9 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.us)"; content:"|09|";content:"|02|us|00|";nocase;within: 12;pcre: "/(s(earch4us|menposte)|youchoice|m(sn-space|yfotolog|1m(1(1test|3test|4test|5test|6test|7test|8test|9test)|2(0test|1test)))|hj(0easter|8easter)|njeaster7|01may2009|f9o8(6test|7test))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631915; rev:9;)
# sid 2631916 includes 1 (0 - 1) 2 character domains in the ".vc" top level domain
# NOTE(review): two-character unanchored pcre; see the pcre caveat in the note at the top of this section.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 2 chars (.vc)"; content:"|02|";content:"|02|vc|00|";nocase;within: 5;pcre: "/99/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631916; rev:9;)
# sid 2631917 includes 1 (0 - 1) 9 character domains in the ".vc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.vc)"; content:"|09|";content:"|02|vc|00|";nocase;within: 12;pcre: "/antivirus/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631917; rev:9;)
# sid 2631918 includes 2 (0 - 2) 2 character domains in the ".vg" top level domain
# NOTE(review): two-character unanchored pcre; see the pcre caveat in the note at the top of this section.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 2 chars (.vg)"; content:"|02|";content:"|02|vg|00|";nocase;within: 5;pcre: "/(16|rb)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631918; rev:9;)
# sid 2631919 includes 1 (0 - 1) 3 character domains in the ".vg" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.vg)"; content:"|03|";content:"|02|vg|00|";nocase;within: 6;pcre: "/w18/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631919; rev:9;)
# sid 2631920 includes 1 (0 - 1) 6 character domains in the ".vg" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.vg)"; content:"|06|";content:"|02|vg|00|";nocase;within: 9;pcre: "/cracks/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631920; rev:9;)
# sid 2631921 includes 3 (0 - 3) 10 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ws)"; content:"|0a|";content:"|02|ws|00|";nocase;within: 13;pcre: "/(antiahtung|jayrocykoj|lxhmwparzc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631921; rev:9;)
# sid 2631922 includes 8 (0 - 8) 11 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ws)"; content:"|0b|";content:"|02|ws|00|";nocase;within: 14;pcre: "/(d(ns-host-at|rpifjfxlyl)|pin-l-games|gavai-pegc9|worldsecret|k(dcqtamjhdx|xujboszjnz)|nxvmztmryie)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631922; rev:9;)
# sid 2631923 includes 2 (0 - 2) 12 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ws)"; content:"|0c|";content:"|02|ws|00|";nocase;within: 15;pcre: "/(agropecuaria|cheapcameras)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631923; rev:9;)
# sid 2631924 includes 2 (0 - 2) 13 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.ws)"; content:"|0d|";content:"|02|ws|00|";nocase;within: 16;pcre: "/(adwareremover|ecounterstats)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631924; rev:9;)
# sid 2631925 includes 1 (0 - 1) 15 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.ws)"; content:"|0f|";content:"|02|ws|00|";nocase;within: 18;pcre: "/webcom-software/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631925; rev:9;)
# sid 2631926 includes 1 (0 - 1) 16 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.ws)"; content:"|10|";content:"|02|ws|00|";nocase;within: 19;pcre: "/encountertracker/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631926; rev:9;)
# sid 2631927 includes 1 (0 - 1) 22 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.ws)"; content:"|16|";content:"|02|ws|00|";nocase;within: 25;pcre: "/liveinternetstatistics/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631927; rev:9;)
# sid 2631928 includes 5 (0 - 5) 4 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.ws)"; content:"|04|";content:"|02|ws|00|";nocase;within: 7;pcre: "/(5252|a188|4ssl|g(rep|ph5))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631928; rev:9;)
# sid 2631929 includes 17 (0 - 17) 5 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ws)"; content:"|05|";content:"|02|ws|00|";nocase;within: 8;pcre: "/(e7da7|yaman|g(oole|bxyu)|5aspx|ide(72|92)|tmp68|rid31|u(dp96|oieg)|7days|apaix|hewdw|oqsfz|zsatn|sw-ww)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631929; rev:9;)
# sid 2631930 includes 11 (0 - 11) 6 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ws)"; content:"|06|";content:"|02|ws|00|";nocase;within: 9;pcre: "/(s(werjr|eowrz)|5token|63page|c(ode57|qnxku)|amzohx|gmvhjp|m(truba|abira)|uhtmou)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631930; rev:9;)
# sid 2631931 includes 9 (0 - 9) 7 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ws)"; content:"|07|";content:"|02|ws|00|";nocase;within: 10;pcre: "/(pessoal|drvcash|4object|s(slnet6|atmxnz)|bjpmhuk|idvgqlr|kjsxwpq|wee4wee)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631931; rev:9;)
# sid 2631932 includes 9 (0 - 9) 8 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ws)"; content:"|08|";content:"|02|ws|00|";nocase;within: 11;pcre: "/(3confirm|ctmchiae|iqrzamxo|mpqzwlsx|omqxqptc|qfmbqxom|rgievita|vzqpqlpk|zindtsqq)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631932; rev:9;)
# sid 2631933 includes 5 (0 - 5) 9 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ws)"; content:"|09|";content:"|02|ws|00|";nocase;within: 12;pcre: "/(dreamzone|arolseqnu|knqwdcgow|naucgxjtu|capitalex)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2631933; rev:9;)