# DNS spyware rules by Jack Pepper ( pepperjack@autoshun.org )
# Regenerated daily from the domains.txt file at David Glosser's Black Hole DNS project.
# The URL for the BHDNS project: http://www.malwaredomains.com/files/domains.txt
# The source URL for this file: http://www.autoshun.org/downloads/rbhdns.rules
#
#
#
# Thu May 17 02:12:16 CDT 2012
#
# How to read these rules (one rule per label length per top level domain):
#   - Rule header: UDP traffic to $DNS_SERVERS port 53 from any source that is
#     not in $SMTP_SERVERS or $DNS_SERVERS. Nothing here inspects TCP port 53.
#   - content:"|NN|" is a single byte equal to the label length named in msg
#     (|0a| for "10 chars"). It carries no offset/depth, so any payload byte
#     with that value satisfies it.
#   - content:"|02|xx|00|" (or "|03|xxx|00|") is the length-prefixed TLD label
#     plus the root terminator; nocase and within apply to this second content.
#   - pcre holds the second-level labels from the blocklist, case-insensitive.
#     It has no anchors and no R (relative) flag, so it is searched across the
#     whole payload rather than only the bytes between the two content matches.
#   - The "# sid N includes X (0 - X) ..." comment before each rule gives the
#     number of blocklist domains folded into that rule's pcre.
#
# NOTE(review): every rule sets within to label length + 3 (4 chars -> 7,
#   10 chars -> 13), for two-letter and three-letter TLDs alike, while the TLD
#   pattern is 4 or 5 bytes long. If the engine requires the whole pattern to
#   end inside the within window, a label of exactly the stated length that is
#   followed directly by the TLD falls outside it. Confirm with a test pcap
#   before relying on these rules for coverage.
# NOTE(review): because the pcre is unanchored, short alternatives such as
#   /c1z/i, /aph/i or /void/i can match as substrings of unrelated names, and
#   the single-byte length check does little to narrow that. Expect to tune
#   for false positives.
# NOTE(review): the timestamp above is from 2012 and the header says the file
#   is regenerated daily, so this copy is a snapshot. Listed domains may have
#   lapsed or changed hands; re-validate against a current feed before use.

# sid 2665383 includes 1 (0 - 1) 4 character domains in the ".ae" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.ae)"; content:"|04|";content:"|02|ae|00|";nocase;within: 7;pcre: "/esdb/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665383; rev:9;)

# sid 2665384 includes 1 (0 - 1) 10 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.at)"; content:"|0a|";content:"|02|at|00|";nocase;within: 13;pcre: "/fair-trans/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665384; rev:9;)

# sid 2665385 includes 1 (0 - 1) 11 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.at)"; content:"|0b|";content:"|02|at|00|";nocase;within: 14;pcre: "/ciao-italia/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665385; rev:9;)

# sid 2665386 includes 1 (0 - 1) 19 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.at)"; content:"|13|";content:"|02|at|00|";nocase;within: 22;pcre: "/clinicpharmacypills/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665386; rev:9;)

# sid 2665387 includes 1 (0 - 1) 25 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.at)"; content:"|19|";content:"|02|at|00|";nocase;within: 28;pcre: "/claytabletsdrugstorepills/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665387; rev:9;)

# sid 2665388 includes 1 (0 - 1) 3 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.at)"; content:"|03|";content:"|02|at|00|";nocase;within: 6;pcre: "/c1z/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665388; rev:9;)

# sid 2665389 includes 5 (0 - 5) 8 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.at)"; content:"|08|";content:"|02|at|00|";nocase;within: 11;pcre: "/(baletour|vielkind|gaugusch|extrarot|dewpoint)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665389; rev:9;)

# sid 2665390 includes 2 (0 - 2) 9 character domains in the ".at" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.at)"; content:"|09|";content:"|02|at|00|";nocase;within: 12;pcre: "/(wantedh2o|bestdeals)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665390; rev:9;)

# sid 2665391 includes 20 (0 - 20) 10 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.be)"; content:"|0a|";content:"|02|be|00|";nocase;within: 13;pcre: "/lertionk(0(1|2|3|4|5|6|7|8|9)|1(0|1|2|3|4|5|6|7|8|9)|20)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665391; rev:9;)

# sid 2665392 includes 21 (0 - 21) 11 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.be)"; content:"|0b|";content:"|02|be|00|";nocase;within: 14;pcre: "/(mijn-roedel|zaletelly(0(6|7|8|9|1|2|3|4|5)|1(0|1|2|3|4|5|6|7|8|9)|20))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665392; rev:9;)

# sid 2665393 includes 2 (0 - 2) 12 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.be)"; content:"|0c|";content:"|02|be|00|";nocase;within: 15;pcre: "/(zaletelly010|qumup8ay9pr9)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665393; rev:9;)

# sid 2665394 includes 2 (0 - 2) 16 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.be)"; content:"|10|";content:"|02|be|00|";nocase;within: 19;pcre: "/(hr-ramenendeuren|missenmisterstvv)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665394; rev:9;)

# sid 2665395 includes 1 (0 - 1) 4 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.be)"; content:"|04|";content:"|02|be|00|";nocase;within: 7;pcre: "/blbe/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665395; rev:9;)

# sid 2665396 includes 7 (0 - 7) 5 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.be)"; content:"|05|";content:"|02|be|00|";nocase;within: 8;pcre: "/(g(avri|roun)|slayt|webbi|infog|nucry|portg)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665396; rev:9;)

# sid 2665397 includes 16 (0 - 16) 6 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.be)"; content:"|06|";content:"|02|be|00|";nocase;within: 9;pcre: "/(tovail|atorat|co(ergy|moto)|e(vella|luter)|f(actan|eltch|layin)|gestex|ha(wker|kesi)|s(oprig|antre)|landan|obance)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665397; rev:9;)

# sid 2665398 includes 34 (0 - 34) 7 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.be)"; content:"|07|";content:"|02|be|00|";nocase;within: 10;pcre: "/(t(e(troli|letri)|ophurt|amaral|rinali)|bulland|corebio|f(i(eldad|ngewe)|olksmu)|h(appicu|idalue)|qualynm|s(ide(mbo|com)|ubjenn|pacent|tollee)|p(rexysm|entail|oenosi)|onairob|m(asteks|oriska)|robot(0(1|2|3|4|5|6|7|8|9)|10))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665398; rev:9;)

# sid 2665399 includes 15 (0 - 15) 8 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.be)"; content:"|08|";content:"|02|be|00|";nocase;within: 11;pcre: "/(m(ilinewo|9swachu)|godwiden|indorace|p(laynewf|onsface)|rijkfcor|softeror|yonymosc|benescio|crapahen|funklero|xantrube|nsserver|vivizaza)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665399; rev:9;)

# sid 2665400 includes 1 (0 - 1) 9 character domains in the ".be" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.be)"; content:"|09|";content:"|02|be|00|";nocase;within: 12;pcre: "/pornolabs/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665400; rev:9;)

# sid 2665401 includes 57 (0 - 57) 10 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.biz)"; content:"|0a|";content:"|03|biz|00|";nocase;within: 13;pcre: "/(enterhere2|h(ornygirls|appychock|vkncmxyrt)|i(1match361|n(sanmiyiz|froqtbjl)|lrqbifxmk|beiijpfnt|dhjigvfir|xfeessfxq)|pell-grant|f(reshstock|npvacayts)|s(tuqwodbv4|erdjuchka|stbqfgesf|biteicemb|unttuclkx)|j(hbqptzsax|nghyyotsc|geozoqaun|kqseiyzfx|wvjuhhmwy)|x(rmidgkxbq|woapnhpwe|nbutvtmya)|rytdxwzczu|t(wcacikgam|hthyndvlg)|y(orgltugmz|zzuywlgdv)|u(gszfloaro|xgmgqlidz)|b(xypatptzp|mfvvdyhkz)|k(ynoqtxwmi|otrazkniv|ctneocinx)|q(cmbqnewed|yyqwtfzuz|dvecstzzd|vlirxecud)|a(xlctnwqol|yhgeukyfo)|l(xxlxvuwwr|dqryemkim)|n(xinfydjqm|tnqhemvqa|wmgovvdkj)|w(ctvntrvvu|e(slwrtsmb|pvqknkds))|offthevine|g(tpzdzilfb|cirwdsndw)|cbbpmdxomu)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665401; rev:9;)

# sid 2665402 includes 49 (0 - 49) 11 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.biz)"; content:"|0b|";content:"|03|biz|00|";nocase;within: 14;pcre: "/(s(oftconvert|gnashoubzk)|t(hegioiauto|j(ruudzhmkt|wsywqvcgt)|babedncwep|n(rfjxfwlpo|yaiiehetg))|rqystb4b6cc|a(aagsj33rv5|roqnygchri)|p(hkhekbfrem|aydayquote|flljcksjea|rbojqibrop)|j(elsxelfdiw|ijnpkheedu)|qhzfmpqxpgl|gksadgwexhx|y(koknppgcrd|yhxjhvtbsm)|b(ipfuffvwru|wffqydqiun|yjbuegcotz|fixfidjflx|xthhcddfqc)|n(lewantyonu|uyetcdhosk)|u(hpbolbseep|eosekchfcq)|oflymjfwqcu|f(lhfowchmsg|gahrgjhofx|acebookcam|tyeqksjzjj)|h(roipdhnddj|zdavbdwuyz|dnmzqsglyu)|i(gbwaordinb|xbgadybmkf)|m(tjazsqolac|wgtncjqvcy|ytxweoyttz)|v(ovctdsjmiz|kvvfykxnzh)|x(g(xgkvvcxkn|csuczbbgq)|prpmgrnnke)|wmyqqakjqgd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665402; rev:9;)

# sid 2665403 includes 5 (0 - 5) 12 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.biz)"; content:"|0c|";content:"|03|biz|00|";nocase;within: 15;pcre: "/(carboxxxs400|softsecurity|lockcattrade|brooketingle|dutrasherard)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665403; rev:9;)

# sid 2665404 includes 8 (0 - 8) 13 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.biz)"; content:"|0d|";content:"|03|biz|00|";nocase;within: 16;pcre: "/(h(gnsktqmugker|jmrhgxuvqvll)|k(omyhoocnjhmt|kksvmrsyxfvj)|mebelinfoteka|wkrrxkbkfonsi|xxvtrrmbuqshu|pirppqhpruoiu)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665404; rev:9;)

# sid 2665405 includes 18 (0 - 18) 14 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.biz)"; content:"|0e|";content:"|03|biz|00|";nocase;within: 17;pcre: "/(q(llzkesgqayjjj|idssjocjmnujl)|vrktcnsrpkkyrk|yrqylohukpptvk|free-sex-video|jamesbsmith4th|x(bzobrgjprgzqe|hulvttkyunjtx)|klnjyrlprmmqzn|pntvpmnpjggkmw|znmoulhgfullqk|bbulitwrvlmqto|oruliukdkiopnt|lzywmqlulenlmx|uuupospmoxlinc|cliffordtravel|morphyauctions|analiticsmedia)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665405; rev:9;)

# sid 2665406 includes 36 (0 - 36) 15 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.biz)"; content:"|0f|";content:"|03|biz|00|";nocase;within: 18;pcre: "/(ghppxfsrnetfpqq|m(qmsrryakhsorol|nrpxtmkkwmiliq|kqoblovjuntepd)|p(ihbinmhgpwjkpt|jhopgrkxnjrlqp)|t(tqozgetnnumlgo|qowirmgkqloxyi)|y(cnmmmxixzxrpgm|vumernhqpnqtxx)|zrwtvvzpornemrl|i(njruhjxmtccrut|wsjygtnltmvdex)|u(fiwhqrjjtsdwjn|mpysqgerrkstgo|t(qworfhrkxmcqm|stqtqicqaabuk)|iinwznjvpotnsq)|v(hvrprvwtlpzduy|rjqehsppcgprhs|slqkrsprvrqtqu|qskcqhtempfltx)|l(qpiptontyynvrp|rfsluzwfqmnpqg)|k(nnjnwrshqwvjvb|wimkfollrljfxo)|o(zneostgsvxntwl|dnynjiwxqkiqda)|bzvmmruqnqgwgip|fqmkfrkmukwvhnu|j(gfjmjvswrwekdh|xjvgqnhhudrhnj)|n(qtvrtngovvoqzp|ltorrentsguide)|rjknjyjcmlqfnmq|domain123456789)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665406; rev:9;)

# sid 2665407 includes 26 (0 - 26) 16 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.biz)"; content:"|10|";content:"|03|biz|00|";nocase;within: 19;pcre: "/(v(u(niqvlztwmjgroj|jcikrbvomptrtm)|ttyntejoqftwkcn|roxnpojiomtenlq)|j(ruioljslsitjpfv|vyjpitigroplppi)|dszrmttqpzlioqtp|ijogjpkdprqpsugn|mnxpeejxpvwrhkrm|o(vsdllsnzkmrowqq|skrpqgtngporxdw|humyljwmkttsorr)|q(hrsvtqwjcmonpfp|lhloosfitoslvdq)|xiftkqniniwoirvu|z(kqswlsghqiqqsyz|rpfmqyvqmxmhxfk|xmknqcqzjupueux)|gywsglihvdleyupu|w(rtpqhwlwsgyufto|doyqoxnmmrlqyot)|k(fpjtqslcybrtglt|rirfqkmckkssgol)|cfbutgnvwuvtvnpm|nexgpgsycqmxgzss|yjrphvshndipprsq)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665407; rev:9;)

# sid 2665408 includes 1 (0 - 1) 17 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.biz)"; content:"|11|";content:"|03|biz|00|";nocase;within: 20;pcre: "/best-lady-clothes/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665408; rev:9;)

# sid 2665409 includes 1 (0 - 1) 18 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.biz)"; content:"|12|";content:"|03|biz|00|";nocase;within: 21;pcre: "/statisticontheline/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665409; rev:9;)

# sid 2665410 includes 2 (0 - 2) 19 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.biz)"; content:"|13|";content:"|03|biz|00|";nocase;within: 22;pcre: "/(storagemovie-online|uskoriteliinterneta)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665410; rev:9;)

# sid 2665411 includes 1 (0 - 1) 21 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.biz)"; content:"|15|";content:"|03|biz|00|";nocase;within: 24;pcre: "/crackserialkeygenguru/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665411; rev:9;)

# sid 2665412 includes 3 (0 - 3) 4 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.biz)"; content:"|04|";content:"|03|biz|00|";nocase;within: 7;pcre: "/(9fox|koco|dvmc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665412; rev:9;)

# sid 2665413 includes 63 (0 - 63) 5 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.biz)"; content:"|05|";content:"|03|biz|00|";nocase;within: 8;pcre: "/(t(awil|vydm|svce)|n(e(tox|fzn|cxw)|lyoj|nyso|glfl|wmxu)|r(ivai|jgwu|nwbw)|s(oneo|vjoa|mdqn|cipn|usie)|b(hxwg|yjfn|eher)|quden|h(tzny|idbb|umxb)|u(xbkt|gsjk|oplt)|m(gset|dufe)|v(qvvx|kcmn)|f(ahat|wild|qzcl)|zhpuy|d(cfra|sdvq)|pxhnf|wnwzx|x(r(lsv|qwx)|wrlw|oaju|imny)|l(rrnv|ygit)|a(aryt|rcot|bmna)|o(dygj|pdvu|oynu)|c(ziyi|obki|dgqm)|efgbq|yfjjo|j(lqzu|ekza)|k(dwdr|mdtu)|gcfoz)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665413; rev:9;)

# sid 2665414 includes 56 (0 - 56) 6 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.biz)"; content:"|06|";content:"|03|biz|00|";nocase;within: 9;pcre: "/(m(alwox|ega4u)|c(raken|codud|dgyci)|w(e(raty|scor|bunt)|ljnwl|wzddi|attoo)|l(vhook|letru|uzoru)|a(v-aff|zfqsr|ikpfd|pdedp|anjns|wlzex|loveb)|g(ib-uk|bqogt|wbexb)|r(zeajc|prrvf|ytxbl|qbiyk)|f(gubkb|vrkfc|jiklm)|u(wvpdf|b(rnvv|bxph))|i(hkpuh|zpout)|jzgnvl|q(mgsog|iaywp)|s(rmkxs|uzwha)|b(imsha|ylobz|zwkjj|rtrfs)|z(hpxjm|lbhaw|wnkdm|owhuv)|ohrqfz|hgchqq|vljyni|x(gfxnf|woqsd)|pyjbnz|efdxeo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665414; rev:9;)

# sid 2665415 includes 48 (0 - 48) 7 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.biz)"; content:"|07|";content:"|03|biz|00|";nocase;within: 10;pcre: "/(c(csmile|y(nalal|pwwea)|djiiws|gnsxgi|hqhiwk)|souxvco|w(wygmfu|igztju|nalwgf|fjyoyo)|f(bytjyy|hnzhuz)|x(bncule|zdjcxb)|z(auxweq|myeggw|sjkhbo)|b(hgexxs|wriwzu)|e(xqyedt|rntths|skxrxw)|p(ywpkiv|cagwyn)|i(afdsxc|cchdpd)|k(eayilv|pcbabo|qgwvpn)|l(ogocli|ptildf)|o(vhuuqb|uwizqr)|vjbvftq|hm(cwhie|epggg)|ghexyld|uakyjus|jjxqsex|q(rhytpc|bfmdgm)|mbaopdh|t(lv(qcpe|ydhk)|uebgrj)|r(tlptfa|icjamd))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665415; rev:9;)

# sid 2665416 includes 98 (0 - 98) 8 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.biz)"; content:"|08|";content:"|03|biz|00|";nocase;within: 11;pcre: "/(t(tt88bon|pkkebsj|wigtvuo)|f(lwrshop|vxxqlcp|doufdpx|tribhgy|pefpqkb)|s(eforums|bgnagpr|holbkth|wbibyfm|o(vossms|qlkdgc)|vrkglry)|m(vgapzbp|bbvbgiz|ezezhby)|i(genkycu|fvdjtky|jaieugm|llkoymo|aoxjjod)|v(esebhpo|qvlnocu|bffbshb|xedqtje|zlusfzh)|a(lazlitu|ssgjcpb|twimthx|xgcmtet)|c(fxhwgaw|ofwwabg|attrade|tnsffza|w(yjrtul|xkmpxy)|jpbtvmy)|j(zddhkmo|fmgaghg|gekvpha|oaqzbda)|p(gjwzuow|ilplqlr)|w(fmkdupj|pzcypkt|areznow)|y(koowoal|bpcvvay)|z(n(slddfv|pxoytz)|hplhffk|kkfaquj|eigmxvd)|b(xytfhzm|d(yzykyb|imyiwk)|hwivfmy)|e(eemzyoi|tvhvjxp|p(upvkix|tnjaag)|umsbnzt)|q(acksefs|dqhhoxm|cnbzqfs|ibhghtz)|l(fdceltt|mnbczyd|eewykte)|u(fomwzmn|tintcga|dctcebr|evhetwc|afweblh)|g(ybgcurb|gcygtcc|reencom|whipymr)|n(txxxbvu|jydlags|claiqtn|dprwbmo)|d(btnfsqk|qsepwrq|xnlixeg)|h(ssaddyx|ldozlkb|njujvbj)|r(zhbdjya|ajrnknk)|k(oitxaps|qwnibel|tgshqmb|dycdnil|edhtzna)|xoijcnym)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665416; rev:9;)

# sid 2665417 includes 45 (0 - 45) 9 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.biz)"; content:"|09|";content:"|03|biz|00|";nocase;within: 12;pcre: "/(i(ndochito|oosbqfhe)|linaangel|best(dumps|raise)|cqoyvmvsh|f(yyrbkrte|w(sntkmsm|rkmkonz)|iisbqyco|zbxuldat|dtpsusnd)|g(omkhkfjm|yalsucnx|eosearch)|q(meoakljn|pbyhbclw|setlwxzh)|kh(hsdvsov|gahfmfc)|p(ywegtzyo|thyinujz|nshfiuds)|ubmbxeocq|e(henffqae|nylqxbto|rpnuaqdc)|h(qs(ehmxce|komcvc)|zuoketao)|s(fploqusl|rbihtjgd|troll-in)|amorellos|mxilfyweh|z(ykrmfaqk|kkconwbs)|j(eoffreys|bshkkvjd)|owzgvsixi|xgstyibnf|dhsoccvel|r(hfotndvz|xxtvaigw|ebvhqneo))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665417; rev:9;)

# sid 2665418 includes 1 (0 - 1) 10 character domains in the ".by" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.by)"; content:"|0a|";content:"|02|by|00|";nocase;within: 13;pcre: "/avtoremont/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665418; rev:9;)

# sid 2665419 includes 1 (0 - 1) 4 character domains in the ".by" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.by)"; content:"|04|";content:"|02|by|00|";nocase;within: 7;pcre: "/void/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665419; rev:9;)

# sid 2665420 includes 2 (0 - 2) 8 character domains in the ".bz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.bz)"; content:"|08|";content:"|02|bz|00|";nocase;within: 11;pcre: "/(cardshop|dumpshop)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665420; rev:9;)

# sid 2665421 includes 3 (0 - 3) 10 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ca)"; content:"|0a|";content:"|02|ca|00|";nocase;within: 13;pcre: "/(seanmccann|firstwords|webmasters)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665421; rev:9;)

# sid 2665422 includes 1 (0 - 1) 11 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ca)"; content:"|0b|";content:"|02|ca|00|";nocase;within: 14;pcre: "/baracademie/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665422; rev:9;)

# sid 2665423 includes 1 (0 - 1) 13 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.ca)"; content:"|0d|";content:"|02|ca|00|";nocase;within: 16;pcre: "/royalflooring/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665423; rev:9;)

# sid 2665424 includes 1 (0 - 1) 14 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.ca)"; content:"|0e|";content:"|02|ca|00|";nocase;within: 17;pcre: "/networkeffects/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665424; rev:9;)

# sid 2665425 includes 2 (0 - 2) 18 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.ca)"; content:"|12|";content:"|02|ca|00|";nocase;within: 21;pcre: "/(cacacacacacacacaca|redcowtechnologies)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665425; rev:9;)

# sid 2665426 includes 1 (0 - 1) 24 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.ca)"; content:"|18|";content:"|02|ca|00|";nocase;within: 27;pcre: "/parcindustrielarmandviau/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665426; rev:9;)

# sid 2665427 includes 1 (0 - 1) 3 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.ca)"; content:"|03|";content:"|02|ca|00|";nocase;within: 6;pcre: "/aph/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665427; rev:9;)

# sid 2665428 includes 2 (0 - 2) 4 character domains in the ".ca" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.ca)"; content:"|04|";content:"|02|ca|00|";nocase;within: 7;pcre: "/(ists|atop)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665428; rev:9;)

# sid 2665429 includes 7 (0 - 7) 10 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.cc)"; content:"|0a|";content:"|02|cc|00|";nocase;within: 13;pcre: "/(hellap2000|v(lcsoibezx|pzybvnasj)|atozblqhyk|emcvzdcqgc|txsaxqllai|pcrvuaufnq)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665429; rev:9;)

# sid 2665430 includes 6 (0 - 6) 11 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.cc)"; content:"|0b|";content:"|02|cc|00|";nocase;within: 14;pcre: "/(p(rivatecash|tjbmtwpnxz)|webprofiler|t(yebwihtlch|pabduzsebp)|oebqbblpduj)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665430; rev:9;)

# sid 2665431 includes 2 (0 - 2) 13 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.cc)"; content:"|0d|";content:"|02|cc|00|";nocase;within: 16;pcre: "/(magic-numbers|tradingcenter)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665431; rev:9;)

# sid 2665432 includes 1 (0 - 1) 15 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.cc)"; content:"|0f|";content:"|02|cc|00|";nocase;within: 18;pcre: "/perfect-numbers/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665432; rev:9;)

# sid 2665433 includes 1 (0 - 1) 4 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.cc)"; content:"|04|";content:"|02|cc|00|";nocase;within: 7;pcre: "/e46l/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665433; rev:9;)

# sid 2665434 includes 7 (0 - 7) 5 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.cc)"; content:"|05|";content:"|02|cc|00|";nocase;within: 8;pcre: "/(bulba|iurvr|h(fneb|uzfm)|tgzke|cpgtr|qbfqd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665434; rev:9;)

# sid 2665435 includes 12 (0 - 12) 6 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.cc)"; content:"|06|";content:"|02|cc|00|";nocase;within: 9;pcre: "/(ccmall|dbfkcy|wjoavv|jxkigm|fnrpbl|nhuuds|r(bhpsp|ctvme)|luzrgv|qmayuy|u(brfta|eoete))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665435; rev:9;)

# sid 2665436 includes 17 (0 - 17) 7 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.cc)"; content:"|07|";content:"|02|cc|00|";nocase;within: 10;pcre: "/(n(w-serv|j(iqdzf|dmlsg))|pwnshop|k(jjjfnt|ksrgsl)|lyepybw|agbzqjd|mgpyetq|rwyqhba|xghqnhk|commjhf|fhtehjn|heinzel|bxtqafg|divzwmk|zlbnldf)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665436; rev:9;)

# sid 2665437 includes 10 (0 - 10) 8 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.cc)"; content:"|08|";content:"|02|cc|00|";nocase;within: 11;pcre: "/(kqifuadx|dksotwal|tyqzaoeq|fltglxwo|x(vpbizqp|tgywsme)|rtpnlxgq|iupceoki|lztyswcm|ynkuqunq)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665437; rev:9;)

# sid 2665438 includes 4 (0 - 4) 9 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.cc)"; content:"|09|";content:"|02|cc|00|";nocase;within: 12;pcre: "/(f(rvoywuyi|bvadqbnn)|wrsmqlapm|3d-tablet)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665438; rev:9;)

# sid 2665439 includes 1 (0 - 1) 15 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.ch)"; content:"|0f|";content:"|02|ch|00|";nocase;within: 18;pcre: "/automarkt-augst/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665439; rev:9;)

# sid 2665440 includes 1 (0 - 1) 22 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.ch)"; content:"|16|";content:"|02|ch|00|";nocase;within: 25;pcre: "/swiss-natural-products/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665440; rev:9;)

# sid 2665441 includes 1 (0 - 1) 8 character domains in the ".ch" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ch)"; content:"|08|";content:"|02|ch|00|";nocase;within: 11;pcre: "/darksite/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665441; rev:9;)

# sid 2665442 includes 1 (0 - 1) 10 character domains in the ".cl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.cl)"; content:"|0a|";content:"|02|cl|00|";nocase;within: 13;pcre: "/orangeblue/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665442; rev:9;)

# sid 2665443 includes 1 (0 - 1) 13 character domains in the ".cl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.cl)"; content:"|0d|";content:"|02|cl|00|";nocase;within: 16;pcre: "/leercontubebe/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665443; rev:9;)

# sid 2665444 includes 1 (0 - 1) 17 character domains in the ".cl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.cl)"; content:"|11|";content:"|02|cl|00|";nocase;within: 20;pcre: "/mallasprotectoras/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665444; rev:9;)

# sid 2665445 includes 1 (0 - 1) 18 character domains in the ".cl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.cl)"; content:"|12|";content:"|02|cl|00|";nocase;within: 21;pcre: "/llantasdelpacifico/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665445; rev:9;)

# sid 2665446 includes 2 (0 - 2) 10 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.cn)"; content:"|0a|";content:"|02|cn|00|";nocase;within: 13;pcre: "/(nyfilmlife|qdmewcbwow)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665446; rev:9;)

# sid 2665447 includes 7 (0 - 7) 11 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.cn)"; content:"|0b|";content:"|02|cn|00|";nocase;within: 14;pcre: "/(mixmaxgroup|directlinkq|liteautotop|vipprojects|webfreescan|rahjxgkvdqc|uuzzknhualb)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665447; rev:9;)

# sid 2665448 includes 2 (0 - 2) 12 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.cn)"; content:"|0c|";content:"|02|cn|00|";nocase;within: 15;pcre: "/(download-123|gotsuspended)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665448; rev:9;)

# sid 2665449 includes 1 (0 - 1) 14 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.cn)"; content:"|0e|";content:"|02|cn|00|";nocase;within: 17;pcre: "/mixmediadirect/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665449; rev:9;)

# sid 2665450 includes 1 (0 - 1) 19 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.cn)"; content:"|13|";content:"|02|cn|00|";nocase;within: 22;pcre: "/cutaiamortgagegroup/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665450; rev:9;)

# sid 2665451 includes 2 (0 - 2) 4 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.cn)"; content:"|04|";content:"|02|cn|00|";nocase;within: 7;pcre: "/(qsxx|52cp)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665451; rev:9;)

# sid 2665452 includes 3 (0 - 3) 5 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.cn)"; content:"|05|";content:"|02|cn|00|";nocase;within: 8;pcre: "/(streq|jmcnv|oxmjv)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665452; rev:9;)

# sid 2665453 includes 9 (0 - 9) 6 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.cn)"; content:"|06|";content:"|02|cn|00|";nocase;within: 9;pcre: "/(e7j0ht|go2000|fzlqqq|h(yrzxm|zfree)|77xxmm|sipyjo|coopic|568518)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665453; rev:9;)

# sid 2665454 includes 7 (0 - 7) 7 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.cn)"; content:"|07|";content:"|02|cn|00|";nocase;within: 10;pcre: "/(g(oupopo|londis)|0575sos|a9rhiwa|odyjiez|babhmlt|ckvwupt)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665454; rev:9;)

# sid 2665455 includes 7 (0 - 7) 8 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.cn)"; content:"|08|";content:"|02|cn|00|";nocase;within: 11;pcre: "/(ntkrnlpa|ijasmine|sjpyfnpm|bmyvqemu|fnemreva|vgylinea|wyeenuqp)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665455; rev:9;)

# sid 2665456 includes 2 (0 - 2) 9 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.cn)"; content:"|09|";content:"|02|cn|00|";nocase;within: 12;pcre: "/(xibudific|zlebfwxan)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665456; rev:9;)

# sid 2665457 includes 1 (0 - 1) 10 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.co)"; content:"|0a|";content:"|02|co|00|";nocase;within: 13;pcre: "/amersterin/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665457; rev:9;)

# sid 2665458 includes 1 (0 - 1) 11 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.co)"; content:"|0b|";content:"|02|co|00|";nocase;within: 14;pcre: "/whogoeswhen/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665458; rev:9;)

# sid 2665459 includes 1 (0 - 1) 12 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.co)"; content:"|0c|";content:"|02|co|00|";nocase;within: 15;pcre: "/achyroransib/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665459; rev:9;)

# sid 2665460 includes 1 (0 - 1) 13 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.co)"; content:"|0d|";content:"|02|co|00|";nocase;within: 16;pcre: "/bio-rezonanta/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665460; rev:9;)

# sid 2665461 includes 1 (0 - 1) 15 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.co)"; content:"|0f|";content:"|02|co|00|";nocase;within: 18;pcre: "/nltorrentsguide/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665461; rev:9;)

# sid 2665462 includes 1 (0 - 1) 4 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.co)"; content:"|04|";content:"|02|co|00|";nocase;within: 7;pcre: "/mkkm/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665462; rev:9;)

# sid 2665463 includes 1 (0 - 1) 5 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.co)"; content:"|05|";content:"|02|co|00|";nocase;within: 8;pcre: "/1337x/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665463; rev:9;)

# sid 2665464 includes 1 (0 - 1) 9 character domains in the ".co" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.co)"; content:"|09|";content:"|02|co|00|";nocase;within: 12;pcre: "/spearhead/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665464; rev:9;)

# sid 2665465 includes 460 (0 - 460) 10 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.com)"; content:"|0a|";content:"|03|com|00|";nocase;within: 13;pcre: 
"/(t(i(biafiles|nyschats|gger-cam|tanpoker)|a(keovered|ndiegwen)|r(iad-webs|craeiopo|e76nvlnv|aderique)|e(lemonors|guwumefu)|uragambit|he(sutmori|mespora|8debate)|o(cnjublac|ngomario|rrentbay|werprice)|nueoqahys|cdrrptcco)|r(e(zidencia|quest4ns|tno-uhb3|namesys5|vplasmod|hadesign|patoptop|sourcevt)|u(qonivyja|nderwayr|sexychat)|at(tsillis|ingstat|eometer)|s(stooltip|toontear|m(hdfgpgw|erchant))|o(undsites|ohiilocm)|i(seppomck|kadirect|nysegaci)|jordulltl|muyrkxxtk|ptynsnoum)|d(a(kifoheli|lebihyku|v(emosyku|izyzaky)|ta-grown)|ugaryjymi|d(lnetwork|iziizlet)|bnkonline|e(ngipengi|ca(lintos|ptcher)|pravados)|pyeoipbso|76218b961|o(mtrixsov|ublediet)|jioueirps)|l(i(bdnsmasq|n(ktechno|uxstabs)|mfoklubs)|uhqkreavn|a(so5palop|testglad|dytmusic)|k(ghnfhyge|skjje43d)|emupooooc|o(zebymova|ttatiffi|weyeyear)|fnjosunfd|04yndreuk)|m(y(g(reatbar|ooglemy)|digibird|iiphones)|e(n(andmeds|shelper)|dialine3|rry-year)|a(ilru-pro|kincakin|lorkasys)|i(jywujysa|pfrchesc|xestudio|warecorp)|o(ngoneger|delmilfs)|ssriteomi)|v(i(huhosyde|jytijybi|deo-ware)|o(jocokipy|woputaru)|ygazykeke|awinofemu|ehyraceke|r(brothers|sfunding)|kyotqukix|jrjcapuwf|vhvidpeog)|w(o(zireracy|r(ld3newz|dgodand))|ujyvonoke|a(libukyqa|-network|vertonam)|hy(sohardx|nomoney)|i(hasiwaji|desskies)|sdhealthy|nlgghgffr|paxdlstrs|elldone21|qeq42cc12)|x(ylocomoda|uryfacaqy|l-hotline|sredbpaef|nebmobama|rumer-seo)|z(ymujidysi|ukifinyve|a(ebalinax|rmleneed)|okykajobu|erox-blog)|a(vs(feelwin|ecurecs)|u(dioleech|toassets)|g(uyet47td|gucjvery)|n(imealert|dcudland|swertels)|ryakhazar|c(hivplatz|daecopeh)|quarigger|l(yackorea|adamhajj|lnewdots)|zurepaint|erostrips|oidg45ggd|irvincent|k(ronisltd|vodhhead|itahusky|degirmen)|darshsoft|abathlift|xiomhotel|ppchoko21)|b(o(q(erorune|upyvuru)|bbeecate|xwatches|o(kchance|bs-club)|ytrawiki)|e(ervoodoo|stcountt|vterrell)|l(ue(broken|sky777)|ackhatxr)|ru(inspill|mserial)|yfquytsix|i(ohominis|gdeal777|llytally|ndlesbon)|a(rcellons|bble(core|disk|sink)|nnerbit(1|2|3)|mcayoyos|piescafe)|u(ritoluck|ll
dogfit)|jdclothes|00d441f24)|c(i(cabijyni|lywelohy|rclemill|nselcafe|dtunisie)|o(mstockxs|upon-one|s(pmercio|moskent))|a(delcucco|thiletty|rgozones|scotqhij)|h(ampinbed|i(efchest|lle(cash|line|tect))|ovattuvt)|e(rtainegg|lularbom|nturycpc)|u(stomidet|usv-vhvl)|yanho(pper|rnet)|fbingdian|l(a(zmiznod|singsky)|oste(hold|land|yard))|c(snpnqxii|felomvhk)|r(0zybaner|uoisht7g|eatihost)|nyconnect)|f(o(to-paper|rcetstat)|usipemura|ygadajepi|e(l(itafifi|atiotop)|gleywmae|nkaololo|rrodisma)|lyforfine|i(berastat|nitysoft|lloutsme)|acebook-0)|g(i(pupeceta|ldedgold)|o(o(qlepics|pndlgvy)|titstiff|grassman|rmlunjjt|dsquadtv)|r(ouphours|eecejobb)|e(titstiff|nericsun)|uruluxury|a(meshirtz|wezevahu|nislamov)|temhtyatg|hxctletck|jhyjljvty|cpymobama|norenyawr|dickinson)|h(ehyvixiru|o(meartnet|perjulia|stcreati|1cilewwk)|a(spo6lita|irplains|lieroana|ndsexual|ysttteeo|ppy-term|kka(craft|range|s(cape|tead))|zelmator)|u(xweppeix|midworld)|bzhongtai|wyprowler|tpcapital|ytr8lzz02)|n(e(wstrucks|t(atlanta|netnet1|llookup|serv-t5))|i(tuxygusu|3ma-chat|renbak23)|yxoxuxezy|o(rdea-fis|aknikita)|hipsttmra|a(pavideos|rdelfire))|p(e(jozehywe|stghcmmo|i(rqcmmpc|xim2010)|done-ads|rikanzas)|o(nagifyna|l(lypeach|ishedbb)|rnopinto)|a(nart-llc|tternsrv)|i(votgolf1|nkpillar|rbnoculc)|jehedsafe|pgessnvvn|caoeaicte|mrpoponae|hotografr)|s(o(sexytube|n(ewenazo|ysearch))|e(pyqezeno|cmindnet|r(enelula|vingfit)|a(rch-4me|cheusa1|sonsali)|kspornox)|u(mywygifi|qyjuxumo|l(usality|paginas))|h(gkgwgkls|ikalmuna|anaecker)|shwklwjen|tar(packer|rgames)|qpresents|a(tdifnyet|bisocuci|fearmyny)|lick(trail|venue|idian)|implymilf)|u(tolycofyd|pdates-ms|jypninrop|mjxwuaaso|rcnkvuuju|wsctpihlt|nclesammm|saloaosns|bucmqjexd)|e(g(ghelp-bg|vqomxmea)|d(informer|arambula)|r(gotables|i(nalysia|cbressi))|u(ro(pasafe|yenusd)|43hkasss)|s(sylouise|aomperni)|kfisymvef|astbreath|l(ocumjobs|inkclick)|n(g(graduat|s(pellin|ummary))|trymania)|cmolypecs|jrklssfcc|tcsomsxls|pcoejsedr|xtelindia)|j(avagames7|i(dmoemgow|okfayrov)|o(bbslists|ecaseeas)
|exgpprgph)|o(gofocokow|ntvplayer|zzcentral|smondjobs|l(soncares|uddrbaeb)|bcjfjseku|yacromifh)|q(yvyzesiro|adjgxayck|bpcpmcijn|ocakizali)|3rdistudio|i(r(onhardme|ishellas)|cebergsrx|slandever|gnservice|dleinside|talianpop|n(igopbrto|tapserve|c0gnit02)|eugluxmlx|p(-(request|tracing)|ad3tests)|o(kxcthosa|oplcauen)|m(ecsmedia|provenew)|ba-credit|yi-gunler)|k(veghynyzi|a(sjchseuk|ufmannet)|chohensee|uemmeljoe|i(ng-brian|mberliah|gatropol)|gkdominas|nmorvarid|ennyville)|88luckybet|y(ambaclick|ou(timeyob|rtechso)|inetahyte|lanynaion|mcwineqkj|cysedsafe|wtxvnm4mh)|1(9runs10q3|o4ynbreuk|eurohandy)|2(eastmusic|vermethod)|4vermethod)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665465; rev:9;) # sid 2665466 includes 579 (0 - 579) 11 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.com)"; content:"|0b|";content:"|03|com|00|";nocase;within: 14;pcre: "/(i(n(dowebster|t(ersecweb|hebarrio)|fodontics|kwortwili)|l(legalness|secatrina|facebookj)|s(sicolleen|oaanschyl|t(thosting|ockitall))|bccmsuiyus|detpemiyus|iacbbsincz|cresoctmlo|p(-(fir(ewall|mware)|operator)|adfree4me)|hoxyanyker|qaoeussruo|eumillions|au71nag001|ron-condor|zmraggkaea)|a(u(tosputnik|diocar800)|a(b(ioqeafds|qxsgavmr)|xpumjfznn)|e(f(xmusafds|pesjayus|qkkjamcp)|irrwapeyn)|ghabguafds|ji(cpcwafds|qfqhancz)|l(readywire|linonespy|binopleco)|w(alstudios|esomefile)|ppdlsecure|k(mholder11|gokinsaat)|n(selmarivy|tispyware|alyticdns)|r(iellephil|ontrawiki|hpgoeeasi|r(owhitech|ayhansen))|houthoghim|fg(gxcyayus|rufiamcp)|c(d(sgzlayus|epnvamcp)|ha-online|robat-web)|m(ber(beetle|hopper|school)|obragjgge)|s(yueu37yhd|tronomika)|d(eka(acamcp|ncamcp)|ware-20(09|11)|h(cssvuayv|yocymvtp)|pointroll|obeupdata|sforcoins|fgsfgrsdf|betatrack)|ialksdamcp|ble(allwind|fadhing|seasame)|zstitchltd)|d(a(ralytagyc|osf3doapo|unecarree|yleronica|ta-employ)|e(cufysohyh|kyzymykir)|i(h(emehypuq|ojocitiz)|qowybyfaf|t(chyo
urip|samerica)|amllddncz|oweihgsg3)|nsposition|ualvaccine|s(jkkwlhhdd|kjhiukwlw|t-finance)|0ct0rh0use|grtgsfdweq|mcrkwhyeio|o(dgemedlin|tnetemail)|rvsearchit|bt-finance)|e(x(facebooks|plairediu|trabooter)|c(oonlinegh|mdkxukhtf)|l(aneaudrey|ieidkolpc|jmrnwualb)|milierosie|d(eiawceyus|namodular)|s(tatediary|crowvault|solutions)|yebllaster|h(jypoqemcp|rman-loeb)|jipaohemcp|rsomeermnp|asyfindjoy|o(ymerpeosv|nmicrofit))|n(e(w(avsgowin|stat(ejob|icup)|carstyle)|tiqugerin|ilmckenty)|y(harucukom|jowexawyr|zysemadyk)|s-creative|oelynjosey|deourhnyus|bcidbanncz|atwideintl)|r(e(d(irectica|dragonfl)|po(rt(accxs|22new)|tnowing)|al(pleaser|torarcf))|a(meshgaran|pbmprhwwm|t(zeputzel|installs)|ulurrutia)|jlsoftware|rrrrreport|u(draakshas|s-carrier)|s-genocide|iponsummit)|s(martcripts|ymconempkr|c(d(ldsgsfds|eprvsmcp|ptqgsncz)|cplpdsmor)|u(matevebat|simumezez|isaoy4ghj)|e(wibonypar|zixalekur|f(qkxjsmcp|lkcdsmcp)|rvlng-sys|trakimaki|x(f(evvgere|unxcash)|indaroom))|o(ftconvert|lhostbass|wevicekem|maliastar)|i(huirading|abkgssmcp|mplybucks|rketkurma)|bc(btsusbvf|sfnksmcp)|h(elbacelie|irley2011)|t(uffluxury|andardmag)|a(bgxnysyus|n(internet|sensegrp)|rb-africa|veixsuite)|fglsdesyus|k(ypemailer|atevideoz)|g(hhhrasyus|imiytkanu)|jiaalrsmcp|p(hmwjrwlfl|tihuxubpj|psrreimsa|eedyquest))|t(e(ristorinc|orccbyaio)|o(dizubosox|rpormvp35|p(vxpsuite|gameland|cumaster))|i(wyzirydup|ttypalace)|y(diligobev|fifopojax|uwygskjgk)|r(a(deport24|ckingone)|u(stgeobiz|cktumble))|a(b(letcare2|medicare)|sfghbwevb|dkamaarke)|wi(tter(lays|docs)|ferryera)|h(e(-serials|radworks|foldblog)|paiysmoae)|dosuegatil|kdirectory|cpfmbhnlyw|upexbvpmsc)|u(hj(gswbufds|ypvqumcp)|fgalvtubvf|vewyjemowe|seyourunit|ablszeuyus|pleodcrrrs|dvnniovrov)|v(e(jpongosot|droskofun)|okixehimal|uxipupuhaz|yrogoxofem|bcbtpuvbvf|i(agraboink|deo(fixpro|tamale))|c-business|g(alsexcoxe|yvestxade)|mhgbribbhm|a(nninalani|r(darkouta|mvarmmap|virepaje)|yxendseze))|w(a(qexiroqej|vupinycom|puqiqaqom)|e(wibolyxov|ftnonwbvf|llserving)|i(pujuvajyr|tywypiha
g|ki-722866)|bc(cmquwyus|sflkwmcp)|d(f55hoiio(1|3)|cjfyyfwpx)|hoismanolo)|x(yseditacif|ecuhuziqys|i(bipijuxoj|xeriwihat)|ojalyfudux|hjwmyqxbvf)|z(a(zykizyref|ywodyneed|gruzifile)|i(ficefydyn|hter-vizt)|u(negateway|jytuhehok)|ermatttech)|f(a(cebooksay|seguryfoh|ttyvideos|zobugylov|ucetqueen|irtexnews)|bcabkuffds|l(ipdogtags|3xibility)|ormedtouch|e(hosoxukyk|elingfoot)|yqotarohoc|r(eebloghub|i(nova2005|ssccvtco))|i(nderquery|lesdelete)|vfeiutlwaw|usionshade)|g(e(f(scrngfds|bkwsgmcp)|t(couponow|-offl0ws))|hjqndlgfds|a(lleryvine|bqniigyus|votataran)|cd(wmiqgbvf|jqvbgyus)|i(dehujosyp|abkjsgmcp|ngermator|wjierihon)|de(sfnmgbvf|aaxrgmcp|faowgmcp|uaumgmcp)|gh(xfdpgmcp|jfyagmcp)|tydscsanra|reat-happy|prsdatacar)|h(e(musyheduf|d(aannissa|wiglexis)|rshypower|l(exxaione|lo(dolly2|kitty2))|stiacarla)|o(mebuyline|tyoungart|peclarine)|bew-27hbsm|a(rlifarrah|sansumbul)|i(dpharmacy|apnowmost|jurefugeb)|u(s(hedworld|de478sje)|zifatohov|musliving)|ttp-tunnel|wynetworks|ytr8l1zz02)|j(cd(gsdbjfds|tpmljmcp)|etuqaroxos|gh(lygfjbvf|idcajncz)|ust(incheah|bigtoys)|a(bqnhijyus|hromskate|vatooltip)|o(bsearchoo|yful-year|mknkn(iy34|jy34))|xxyshoping|ihamisunos|-jassocies|0mknkn7y34)|l(fgythtlfds|o(okasaudio|ranexanle|nglongerr)|a(t(initjobs|southern)|bufajahhs)|hjptpglncz|jokymgjhrt|tmarsnpcew|xoeyiscrao|i(censecabe|tehoster3)|gsjwixwocm)|m(ghuqcpmfds|y(f(otolog03|acejbook)|keylogger|sunnyland|loadscash)|e(n(ssaviors|talcouch)|f(gkrxmmcp|lkxdmmcp|vk(bnmmcp|dnmmcp))|ijeroneca)|i(a(atjsmyus|foqxmyus|vkenmmcp|bkvsmmcp)|chaelkort|ni(dvdsoft|kombado)|ttemidagi)|jiiarcmyus|bcsfckmmcp|delafcmncz|a(l-waredoc|rk-duncan|conassint|ureenmoss|hmudnaqvi)|pmiyhdaans|cnegeytoyh|ryonirvcpm|uravied222)|p(i(anrejpfds|jynazerud|rhoecmcui|cturewarn|xrotation)|ylabarywip|o(r(opaxqulh|n(xplayer|o-geier|artgrab)|t-script)|subudiqof)|de(efdwpyus|qfrhpncz)|e(n(dosrulit|isresort)|otssaioiy|seacrovir)|r(hocgeascm|cgijpwvrl)|f(acalc20(11|01)|kilgedjhq)|vbmlrybufe|cismtgniae|xloratatar)|q(o(tasifelaw|pdypfxhda)|u(pofajojuh|
xovasuced)|cd(dvrvqyus|jqlbqyus)|iaatosqyus|hjypbqqmcp|gh(sfjkqmcp|jfjaqmcp)|jiaaarqmcp|pvvabbaqcn|wfxemkbuee)|c(bc(giuacbvf|hhuacyus)|i(tybunchde|muxorazag)|a(ryeolande|bgxrycyus|cadutrees|s(ualroute|co-homes)|villhenry|inmoderne|lsigmachi)|eilkathlin|o(ughengine|mbi(myself|please)|ntrackcrt)|h(jnlcgcyus|ille(bucks|chart|funds|graph))|fgrucicmcp|j(ika(cccmcp|nccmcp)|emaqojxac)|c(dtphlcmcp|snaioebom|i-eschool)|urvechurch|3statistic|qlnwqaioac|loste(ation|range|scape)|r(loeisipph|0zybanner|ozybannir)|spogrmiocs|trtrack(-15|ing)|yclestream|nbutterfly)|o(p(nnopinvhs|en-994233|timus-llc)|rkutgirlss|smond-jobs|bc(sfnkomcp|idlaoncz)|h(jopfgomcp|pmyviumie)|fgcuxtomcp|abruhiomcp|uyaoxiazai|ljecmnzaoe|n(d(eragolok|idbanind)|eslowraby|ghdsaleuk))|k(a(gayakitai|tehenshaw)|rexjdsamdx|o(ol-planet|fajisatum|rdelashop)|ghxf(hpkmcp|upkmcp)|ia(bkdskmcp|hgfxkncz)|badlfpgtec|yrohematob|sstracking|usmerankas|evwillsoft|mginsights)|b(a(b(esloveit|blefiber)|gendestyf|j19kall10|ngl24nj14)|e(lleardene|s(siedania|tinglass)|jb883-njm|arsintown)|i(bbiemalia|vuzygaden|llydimple)|pmedspills|r(ushflower|entnallfg)|zidwuijpay|u(ycheapvcc|ffygalaxy|ddysbarbq)|h(jaezqbncz|ajjq910aa)|myoodteoes|o(cventures|eingmiles)|loxxymedia|nxshipping)|y(marloeoicc|ou(porndump|ngzoosex)|umalicious|bmhumhymqj|ahooreturn)|6ag1jauqlii|20000profit|7usafinance)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665466; rev:9;) # sid 2665467 includes 492 (0 - 492) 12 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.com)"; content:"|0c|";content:"|03|com|00|";nocase;within: 15;pcre: 
"/(s(i(vassigorta|t(esbrasnet|tueewfbel)|delinepros|mpleiearmy)|e(wicyzinuhe|ks-planeta|rv(ing-sys1|ling-sys|esonjany|trackpix)|xdovncgeck|sycifaqago|nsotek-spa|zegehpover|archturkey)|kiyoresorts|a(llieulrica|hnespender)|yiueyhwelwb|t(iffasstone|ar-trakers|leikxkbjwo|op-prysham)|h(uvalovskiy|op(direct4u|ofdoorzs)|ichwordofe)|p(rutnetwork|a(rkasse-at|cetimeads))|sfoeitpkeel|j(frarsvyhlr|renoopoeis)|martwasuite)|b(a(nner-count|kagunaxepo|lanceblood|afouhdpose|riclight77|zagraphics)|i(puwyqojivu|g(cherrybox|bestmovie|gestloads|vinewines)|er796v97be|llmatadors)|kokfinthgsk|e(s(t(meds4men|2banners|bleeping|-serving)|idesdream)|lidiskalom|kukokymyje)|r(e(enastephi|werypress)|iaanaliese|ynnanadean|otherjesse)|x(wqxlkp4ajt|nrxuyjcytf)|ooksforbool|l(tradinggrp|ank-record)|yraiyodqfdx|h(itelaylead|otheirreal))|g(o(cglesource|odbyelimpy|ingonearth)|e(rulisdedas|winngewinn|yameywwoaf|ldparadijs)|l(o(bal-traff|cservices|ryhunterz)|checktools)|reenagainst|mppussyicus|a(management|lax(ieconst|ybooter))|kholyjchymn|ypadakidepi|ujratmarine|haioo3uhxgg)|m(o(bile-files|hijyxazyby|n(keytrurap|strocloud)|lbideneoil|rettistats|irocesvlee|dern-happy)|i(ddlechrist|crossearch)|e(jerlahome2|d(s4tonight|ia(mindcal|serve43))|losakirbee|tuzamygyjo)|a(r(rileebess|neethaisf)|himamahila|tocrossing|gicalyatra|njakuhappy|masbitchin)|usicframeit|ggtqypybfts|mwhewlrckie|splcblifles|y(holidaynew|netaddress)|pmasterporn)|v(o(gunemymyko|lcanokruzi)|erynicetube|34ggwww3ss0|i(taminmblog|r(usthailab|ginialeda)|mysoqecuci)|kontakte-id|geteplanfat|holevucemay|murixwrquhb|yqhdtnsfrie)|w(e(gebenirahu|facerboook|lcome-tome|b(playerddl|optdomain|expertest))|y(bydunugyra|gehasunupi|lyxaqunowy|cecikodovi)|a(ciroqohuli|itredirect|llpapers91)|ioltyskland|o(r(ldmotoblo|kfinished)|hocebutiqy|lfsrunbook)|uiwe74hvgsd|bjatshumpre|vogkbbapujp|h(adholdwend|ilsansence)|xblmfpkpbb2)|x(yriwaryfuwy|site-search|apxoreplace|ihacedugywo|meplogvybzr|xxtubedirty|trashipping)|z(abininetele|ysuzasyfage|bacrtehedel)|d(igartcenter|u(res
asatipa|tyziriryvi)|a(rcyvanessa|taservcorp|ytoncredit)|e(b(eraysabel|capluesub)|nitraspetr)|o(lljennifer|ralyndanya)|bdata-check|r(ug(storema(p|n)|pillsmed)|agosimport)|neottfatmny|plftomvader|hananrmdsce|sf(ndsfhdsof|sdgfbgsfd)|fdsfsdfasdf)|f(ace(bookjusl|liboooks)|o(puvuwupode|likassol1l|otporntube|kvmmygnngm|ruminspace)|e(vahanybyvu|licdadjori|e(dchannel3|ew0r-geek))|yxinolydima|facebookimg|i(isacebooks|nal-hurdle|xedculture|tlifejapan)|lydoronolub|uehlediecon|ksudkswknxd|reezersc0rn)|h(o(bolamitajy|me(likefeel|stoppers)|wtodoitman|tlogupdate|lidaygreat)|losportales|dyskevoieaf|a(lliejuliet|rri(atlanta|emoreen|sonmoda)|ttijacinda|ppy-period|kkoboating)|e(ndrikaloni|r(tastephie|mionejuli)|l(enpotters|lo-tissus))|sjwui24gg4g|yperboloyid)|k(ysymysafamy|i(n(gfinearts|eticminds)|yansobhani)|rokodilius8|olossbanner|nallrattern|tdofbmltjyt|arenbrowntx|ficzohwxpnn|en(nnethcole|drickbrix))|l(e(vysavasezo|stifashion|grandirect|ddivelight)|o(renzasheba|sdsodemoss|tlakithpii|vioinwdoli|n(rhohotels|gpathtool))|ivedieoslix|u(rofletzhen|xury-trend)|jgpxmsdporg|bdlmcmfuinc|yghwyciguta|mccorkenipo|a(test-happy|pdaassalam|brumklimat))|p(hotobucketd|o(jizocimovi|sterityn71)|i(ensaingles|llsontario|n(tineroass|oguzeseme))|e(trovsky383|indlsadesk|kiwimozoha)|cmegarapido|dcdcwjwrqsq|lanete-lolo|rofit3times|sardcreator)|r(a(buqibareme|yshelllela|chelstrohm)|e(dspacetube|medyformen|negadetech|searchbits|hudomydefe|alismforum|port(andwin|erperv)|reportport)|o(u(ndbrother|uisleutmt)|yal-shippe|semontrick)|xherbalkava|hoaahddyhbg|cmdpreoesoe|sicaiaolpke|ieslinggame|uneredirect)|t(y(syzapobuvy|tahyousauo|qw53tgdhsg)|a(pahagupaji|bletherbal)|ikytudububy|o(jutokubovu|rreandaluz|p(tenreport|zdnetwork)|daygonever|urboportal)|uvadovykavo|pstneuknash|h(o(ughtcable|erltprccn)|e(stiffener|petserver|dailyheat))|r(ue(virility|netseach)|ad(eamerult|ingavonc))|e(chce-group|l(eskolkino|lysquawks)|iretorkeri)|qweytgbf32g)|i(nsidestream|r(ubireqakah|anloveline)|cb-ukonline|s(abelhertha|-certified)|v(ettc
laudie|oobst-gmbh)|mmenseworld|t(-jobsearch|aieymnosho)|p(-calculate|dns(network|service))|erpcogmsomr|deahinkcory|zmir-sohbet|klimodalari)|u(cisatanamiz|s(a(-shipping|pornotube|newjobgov)|edconsoles)|p(dated3news|zoulprouct)|k-jobcareer|buntu-today|t(psygswnjjw|vjcdjcwgqm)|rsulaaleece|wkqdminmont|nderdanmark)|c(h(e(esydoodle|r(imalorie|yophelia))|i(cagobgllc|llestruct)|arlesculli)|a(marilla-fr|-jobcareer)|o(rendashina|nfigure4me|soplumowen|m(stnetwork|puterscan)|xnamelocal)|r(iket-trans|azyhomesex|edit-crush|oozybannir)|u(nningpanda|ojshtbohnt)|xmdhrpwuvyl|i(tycenter22|adosprecos)|epioscyrocs|p(mstatalpha|r-gastonia)|yancellular|levermuffin|dqwwkndatvt)|j(i(mcardgames|tteryworld)|ylemufisanu|a(cquiecammy|mesbond225|bdfnuridle|tevywohulo)|ealousworld|obbsearcher|s(iacorodpru|ywtghndvfg)|rrwfbjjugcs)|q(u(wecanocowi|xebohadige|e(stscantwo|ryscanone)|antcounter|lygimokine)|9-e52wjh7cz|woei733yrhv|rtyp(0ngtost|ingtest|lngtest))|e(-londonjobs|d(surrenders|iblercmpme)|u(lamichelle|roaspsuper)|a(rthgeneral|ayjpeyabqf|stononline)|zmowerparts|ndeavorplan|jjogggfqcmc|ksqllpfeyaq|eocddyssiao|ventmodeler|leedesigner)|n(a(zeranyekta|rcoticraft)|iceteenporn|ynigywuheqe|bykkrkevuri|o(carceepcco|nepersonal))|a(l(meriahilda|ive-finder|urbrilance|cyon-hotel|faportugal|lanlacosse)|prtabletsrx|t(lanticligh|t(nfeeniubm|orneydebt))|wdntomvader|y(tjtomvader|rbotdmusyc)|d(e(nafinance|lheiddale)|v(-statsweb|isorpedia|ertinging)|dsuchmenmy|alphatrack)|ngiangphoto|cessoriajpt|m(bercricket|igosejogos|loepolesen)|r(nbaer-gmbh|ulbrothers)|sp(o2h3bvrcd|plazalife)|fter(yearbaj|jillian)|gogriatlust|ztzommonbut|b(i2wu5qsxmt|outivreazh)|jeslovshord|urelenobkin|xelnetworks)|o(n(uraltintas|nrypsieert)|p(inionevery|toincpsige|xxjqvyjllj|ormcyewras)|rgasmicpics|sloadserver|zbeachbikes|ceosarebrps|lciimpssccs|dnonoshnicy)|y(am(baprivate|outfamily)|wtgytkejnke|our(hqimages|lamename)|uwe4f5g645g|nergdikorjg|sc-restauro))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665467; 
rev:9;) # sid 2665468 includes 480 (0 - 480) 13 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.com)"; content:"|0d|";content:"|03|com|00|";nocase;within: 16;pcre: "/(g(eopopulation|o(o(qleadcence|dgirlsporn|gle-adsen(c|s))|mastermedia|nlinesearch|ldsexmovies)|i(gaporntube(2|3)|n(gers-house|sburgvideo)|veback2vets)|abeylucienne|wennymarleah|r(een(rightway|ballsoft)|astownplaza)|staticsearch)|a(v(spridewinxp|tradingcomp|iationqueen)|g(neserozanne|aunwatirfiw|oraintegral)|idanrosaline|m(alepharmacy|covtayvtell|eliayolanda)|l(exeybakhtin|le(giantcare|rgyfoodie)|cantor-demo)|f(r(obrutality|icanvagina)|terabortion)|d(venturemoni|dsecovdtook|r(sdyhnetrem|enalineind)|lightserver)|c(rneglmobdep|tioncreator)|s(hleybarnard|p(hostserver|crystallux))|n(arhiyanahhh|cberclastop)|r(minboutique|enanordeste)|b(nflashparty|outprintkeg|rechnundber)|1websolution)|d(e(xiwotenelex|zycuhuqelyg|lly-courier)|i(jipabamefuw|egosancheze|rtyhomemade)|opifoqetucol|fenhfenj4ojf|a(rkbdsmlinks|tastoreplus|ncearkansas)|bsupporttech|gftsfvvdfrtg|venturepride|hmanagements)|e(n(virysscanxp|ricaclemmie|terobigtits)|a(rlyanswered|sypaisahost)|s(pacioseguro|capefgtyuoi)|v(elinesimona|iagra-super|ansandstern)|kvzihhimwqyq|y(eblaster-t1|apasomweicn)|ranpdctsemio|gcftpguclkoi|oltirmhotewc|milyspromise|ucontinental)|j(h(jhygyug-uhg|v684ybknjkm)|o(hngottybest|bsat-osmond)|wdassociates|e(sntjsrjmpxt|rmyblankins|welrythings)|a(cklynbernie|vana(1itik-z|litik-s)|mesrpatrick)|imm-download|npquwdupgauq)|m(y(avspridewin|facebooknnb|namedomskis|sundayparty|-search-now|chicagofirm|roitracking)|o(t(orssmonito|mcopcaercs)|ntenegrorio|vieshowgirl|rrarlihvcot)|a(ntraorderto|keasymoneyx)|i(xfigschoone|crohousezez|ssibnkafric)|bkvjfnwydffs|u(ellgeburten|ltiplextent)|juqovvuruldy|lhlurqylttjc|gparchitects|egacocksporn)|q(u(adrohdguard|eryexplorer)|o(jijixiwidaz|biragevuryt)|ybolysusefim|imqzrtpkmukd|lbycfgbpvjwa)|v(i(vigozy
mekox|ncent-world|larinomotor|deo(caverpro|kontakte|workshop))|y(zaraputifyb|ibjxjnshtry)|e(tidicawisos|qutycarykeg)|m1huqpqf6e3g|oltagechilla|a(mpirefishsd|riuhetarala)|x(cetqyhknfnf|vhwcixcxqxd)|sinfotechhyd|converterpro)|w(e(vecohesikyv|b(-myworking|gettinmore)|eklyrentals|qeweqqq2012)|o(byfyvovafew|rld3channel|ul(dwillhool|pfytusual))|uqulenyropoc|ybuzyrywovaj|i(ovtvolveras|ldesthopper)|atefronwhits|h(a(mcmijpelop|tisadebima)|e(nabowemocm|terokhorse))|sdrcoromsepi)|z(y(jicasotopib|zanewodojyx)|ar(apetahuryp|thouandloo)|omypufavinij|eevex-online)|c(a(dulovocagat|fidylyjilox|r(sfunranged|esaglennis|rerfullezz)|tcumroutere|jarihejeluw|mpgroundmba|ll-md-nurse)|i(nuherijugeg|lkaanallese)|o(n(struticocr|nected-hed)|rsair-logic|astal-carts|mp(a(vonatrad|ctbanner)|ositecode))|cbill-online|e(cileykrista|hmdysowfooe)|leojessamine|h(airorbitnzo|uc(jhomepage|khomepage)|eckingserve|icocheckage)|kgryagcibbcf|m(uhommmdlmhy|oeobrosisey)|ybanuvegigud|risiscommand|gnmdrpinouit|sistersmusic|p(r-f(oxvalley|tcollins)|wclickcount)|vsqsmuiaaiyh)|l(e(dimajezociw|riverolfunt|wisentitled)|a(yneykarylin|s(ervietxinh|tednorwich))|o(v(elikechamp|ingallnite)|westykorers|okgreat-now|ralyncassie)|uxurylollies|njrtxcjbiaov|i(amrainsford|braryhansen)|kwstransport)|n(a(rorudyzezow|zufakefecym|ughtywifefa|seleicphcrs)|e(w(-jobaccess|fancygoods)|oprenpillar|mpesrsrioic)|scoermcpeaei|ltorrentsmap|rcmbkxssydac|tohnxgjijsgi|oiceanimakae|bqealvkhirjn|ibycexadytyn)|o(wn-mediaload|u(jjmusallied|roldfriends|a-corporate|wwtmcnuiudw)|smondcareers|r(oticorealty|fmeopeisgoa)|eefrstsgaoyg|n(l(inetubes24|ecodhrsmry)|ceneverlene)|jmitlcyjsuyb|glocsicchisu|m(tenioicmsor|ypciacapsel))|p(afozykavygaj|i(sowyxuwisin|llsmedicare)|r(o(ductionguy|gresoetico|jectmerlin)|ettylikeher)|layer-992746|o(wnedcoupons|orcreditfix|llypeaceful))|s(e(x(ajuruvesik|nationtalk)|curepaypage|awolbeamasa|r(vicemarker|enehalette)|lftvoalvays)|i(vycaqilugoq|mplexstored|xnationtalk)|y(s(igicigisav|temtestnow)|wedidaqugef)|o(vejecogiqek|ssyon
uigopd|cialcookery|ineamaloocl)|a(mykacagatet|usagesments|fe(inmyplace|vadefense|yvchecker))|t(a(llioninyou|ticdupdate|rbladecr(0w|ow)|yfreeatall)|orylootybuz|xeapbewbblp)|u(mmertimebuy|sanaplayers)|h(e(rvinethost|ncosheriff)|oping-cards|a(rewaredepo|kro-travel|leacepoynd))|nacepaegotsu|piqpmomcecso|rcfoiepmisct|kypevouchers|mart-poguard|cfoijdccqtmj)|t(u(didawajyvaf|caxiqiwityp|torialstorm|rb-o-search)|i(mypahisoxur|tytsteconfh)|r(otlebungalo|identcapmgt|hsdevildogs|ade(systemsy|-finders)|ustebuyshop|eet-0rthret)|h(e(imageshare|edfighters|me(nsremedy|diamatic)|cerealbowl|powerof100|besttwsoft|-new-flesh|noonjoyful)|xkchcnhyssj)|a(x-antifraud|runtextiles)|okushukai-me|silfaftadrrs)|x(o(fokusutecyd|nibawylabep)|ybobimaholos|ekowysysozoj|ntppwufabzsr|wealthdirect)|b(a(t(manrobinho|lantictogo)|kirkoydogus|bycenterusa)|o(sinmeyarder|ehnerherbal|dyshowworld)|l(a(ck(hatworld|ofspogus|bluerose)|nchamarthe)|issejonibab)|xdumusallied|r(i(dielinnell|tt(emufiivy|anyamber))|o(nzerrxmeds|wncellular)|yant-benway|ewerypatron)|i(g(healthtree|gestsetter)|ng-redirect|blioteca-ua)|e(st(-zoo-porn|wop-guard|bxcleaner)|ecitysearch)|bmfswfgmljwj|holepocebect)|f(o(le(dahehofij|vonedubuc)|r(evervirile|umpkonline)|toinmuebles)|u(dejivuqaran|xawekugygil|nschoonerds|ckibgreport)|y(suhojyryhyj|cypururavob)|i(l(letrouteeg|es-irs-pdf)|n(e-artgroup|ancialpoet))|a(unierobinet|sterdupdate|rgomatorzsa)|reetrialmail|lowersinamew|gsdtsdbfuhdn|eather-media)|h(i(partsonline|re-position|mpcaslnnooo)|a(limedacorly|r(d(inasecond|nessrocks|zuchecker)|lipearline|moniewilly)|n(smuff-gmbh|afosonline))|e(dwiganorene|r(thalisetta|froundfrou)|alth-seller|lpfromradio)|mopharmacyrx|o(stfrontpage|tgreenlight|neytrannies)|ukastantions|xpgffdwbevww|kbt-y63jhbs8)|k(raus-systems|ltwkhpvtqljk|igutohigazem|pkyaxyytagbk|e(nnedyscurry|ystostlouis))|r(yzevepapucof|e(s(tlesslover|etmymemory)|d(ir(ecthosts|-traffic)|eyefishing)|cruitaimsfg|f(lexionsmtc|resh-ccash)|quiembooter|wardcarting|vengebooter)|o(selineshena|taeipoiocre)|
bsonline(bank|-inc)|umperstumprs|adiojovemrio|isorsegiuste|scigfoeonenh|fffnahfiywyd)|i(dalinanickie|n(ezmadelaine|terclickctr)|sidoraarlyne|voryjessamyn|r(orfstlnvtpl|smleonrboet)|fdeaanidtcee|p(-(addressing|subnetwork)|rofitmargin)|ljmekbkcukps|cstrnelscoao|qkydbxjfodro|tcvictoriatx)|u(s(-tax-report|a-jobcareer|editwoulfur|hfktptgmspn|policyguide)|fxsqnjtryrny|p(tonxtwealth|date-100291))|y(a(zilimdenizi|rymutdstxwp)|lvylxwjpkcdl|qvndqgijbpmx|spcgrsofriio)|2012-my-happy|10(29374658321|51811156619))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665468; rev:9;) # sid 2665469 includes 393 (0 - 393) 14 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.com)"; content:"|0e|";content:"|03|com|00|";nocase;within: 17;pcre: "/(c(o(culixuvyhiti|m(antispyware|panyn(family|people))|okingcutlery|n(fidentaward|sortfinance)|splaypicture|astalcartsfl)|a(jezuleneziny|rlottaardene)|i(vivicuqekexo|tingsecurity|xizacakudyko)|yhajodyhotolo|h(a(rgeyourlove|nnel3online)|icagocoalpac)|gstudioonline)|d(o(tecukihilavy|orprosdirect|itforcrowler|n(ellecoralyn|otstoptillu)|ubleadserver|lphintekstil)|y(fosinyfileti|polarosateve)|a(nitanicoline|vi(seleserver|dschleifer)|ilygizmonews)|cialisforsale|elorisjerrine|i(andrajoeypat|gistatsplace|bujosdecarne)|uglascagemike|fi-university)|m(o(vie(freeboard|worldsite)|usboobsamigo|besinolacuke)|us(thaveformen|icdjproject)|a(mabearssoaps|gesticgamers|vjlatqkpuban|kiajdleavseh)|pefryhfpwhfvj|mabettingpick|e(diastoreplus|mbersareaspo|gaupload-xxx)|yhotdogsboss1)|s(tar(movie-plus|bladecrow(2|3|4))|y(qivolurypugi|stem-reports)|i(horarofiqiha|mple-jobneed)|o(cihizizacowo|sitawidapezi|meonesadvice)|ncjspnrvxsxcz|smotlqsntvmop|a(tisfyanylady|yangholidays|nsense-group|fe(ythscanner|-defensefu)|ve(-holderfvr|yy-cleaner))|buying-(cialis|viagra)|ho(p(medicinerx|pharmacyrx)|opugg-boots)|ecure-paypage|k(jbsldkjksfhu|qbirmcomtjty)|py-key-logg
er|u(per-crap-dns|rveyprizebox))|v(usysogirebymy|bhw53jnjjn00o|irus-reporter|h(adreachmusoc|ereplacejame)|nskyqlkrdfnnp|xpxgorqkihafv|eteransetting|a(cclocabanind|dchdeachmokd|ter(brenglene|problexen)))|w(a(rupegacotate|ntedhyladies|tchingsquare)|i(sigudyniqixo|ndowsaupdate)|urokalawysusa|wwpingarchive|opeytjbsbvmve|hi(te-shopping|chgolfirons)|e(b(watcherdata|camstoolbar|expresslan(e|s)|hosterquest)|ykdtkrouvdso)|sjapwfphnhriq)|x(y(sutylapekepo|xukinasacujo|fefaviwamela)|i(pifexegybozi|tytusahysese)|u(cysasowebaty|fytoqujumydu)|q(dnmjnrvdjwgf|qpqjrzjynovt)|xvwinjqarjrnw|mlstatreports|cxmjb2joopypo|kyxz0cdohxz6u|nttkdfunybxgn)|e(x(eantispyware|pecvmanfaydv)|-(onlinecialis|viagraonline)|n(hancepotency|ormousw1illa|s(122zzzddazz|wdzq112aazz))|yebluster-sv1|aglenest-gela|uskaljakintza|denvilleurope|ldesaparecido|euprbpohspwje|rvffluceipmfb)|f(ebysaholubaro|r(ee(artscenter|m(edia-plus|msservice)|holidaynew)|iendsadirect|tualpornclub|oggamgallery)|u(terktwoireut|zugomaqeriwy|n(dsufficient|ctioncoffee)|josogkpsxthf)|ff43dfsfdsdfs|a(cebookomarac|s(tblogportal|hion(bananas|revenge))|mexfinancial)|i(loilkogretim|nd(epotdirect|moreprofit)|rst(itscanner|antivirao))|h(dysbvdcgvrwv|sfdrwcqwesdm)|ybdqchsheqiul|blvg-eu2nvme8)|j(y(xirafyhulora|vfsnsqddbgxq)|o(bs-at-osmond|hnsonforums3)|bkjkngvaiwaxr|drqnbtklqwqrv|mvkyepiiqyixw)|n(i(shthamedispa|trousexpress)|ucawatufuxuwi|oralvasanchez|jqvexdhwhutar|wetlnpjovgxmj)|p(o(mexyposenebi|r(tal-factory|notubevalue))|a(cugegyfeheka|nyulvxingshe)|le(resttonin4u|asethatlady)|yrconsultores|ers(ianfarmers|onalnxsoft)|i(ckviewonline|ratesmustdie)|hotoofpromise|r(eteensmoskin|ojectpalermo)|ubepujiwusiwy|csafetycenter)|r(ijucyvybumyka|e(alm(anshelper|ediagrupo)|cruitarrowfg|tgen-rasch12)|zncgorop-yvpx|o(yalminisites|sedalolandou|dn(0k(1assniki|lassniki)|ok(1assniki|lassniki)))|glaabsktspwrw|kevnmhekdgvnf|xkhdpigbqoeco|adioinkforums|0dn(0klassniki|ok(1assniki|lassniki)))|t(e(r09nter-th4j|kiyftuevgnor|enamite-porn)|r(a(duccionescr|fficemarket)|uafgha
nistan|ibenfinances)|he(realpleaser|livingyears|worldsearch|mochamartha)|xapbjdlsrtpea|ufictpfglnlfq|c-copywriting|op(moviemarket|-jisentinel)|qtranslations)|h(a(lifaxshelanu|r(d(whenneeded|erthanever)|rietteaubry)|ttiejaquelin)|iddenglenarts|e(r(min(ayalonda|ialibbey)|balpill(drug|wine))|ycelebrities)|o(rstzotz-gmbh|wareudoing56|lidaynewsite)|tcrepairparts|ypulycyfaqaba|fegocufjkndwc|udsonriverdvd|wergkjgg3jhgj)|g(a(wupywibemohe|ngbang-teens|vywelugamoqe)|e(h(afovykylyra|ilomygeqyme)|t-report-irs|nericstablet)|i(n(evraaurilia|bkjuweobmwp)|vebacktovets)|o(daddy-update|ogle-banking|esldrawtlock)|usellashannon|wendolenjonie|sccentralohio|czycisbbzpn2l|reatpethealth)|l(e(govisualarts|eleesobieski)|adiesmansshop|o(vingherright|hyfyrasokiso|sajabevyjydu|toftinnumbip|caljobs-news)|ilypophilypop|danknmdiqtrot|gbtmeditation)|o(tmqmkpyvcnnoi|okimemxjkpxoy|n(line(pillsbuy|foodbank)|eathleticmom|camohawashou)|s(uuspankki-fi|mond-careers)|q(ayununxmqdxo|enuuygfpvopu)|ptimus-groups|bamagolfballs|uxerrlkqgvvck)|q(uvujykolenuja|qsvttcnvsigkh|anmwnpvpcyqsa)|b(stunvzykqqpjo|o(ilingfertile|ylevitrawiki)|uydrugshealth|r(unowitz-gmbh|eathefreeinc|andingparlor|iansmortgage|onzecellular)|e(st(phatchicks|forsalenow)|v(isstforbruk|eragereport))|luesoftcenter|a(santhkeerthi|ckwoodshoney|ltobluegrass)|vkdfvxoqxsabk|holehalvstood|illbustersusa)|u(ltrainvisible|s-federalwire|n(shavedcuties|itedvietship)|cwkkgbdxvjexa|gwytktvhslgjm)|a(c(ialisforsale|robat-online)|r(idathacrissy|qogipjsbcdmk)|udriedemetria|v(iagraforsale|onatradingco)|d(o(psassistant|beflash2012)|penpussycurl|v(enturepride|irginmobile)|renalinemoto)|t(lanticafilms|uealmjufcwwb)|l(l(metalforums|egiantstaff|ysonstrobel)|phabrokerssr|anahchristan)|m(alitarochell|elinekyrstin)|g(anundraddark|itpavilbigan|uhlabfubbvek|ro-expansion)|n(xpepxpukbfmh|aliticsmedia|drewsalomone)|wwwskeetskeet|jaanonzezause)|i(mbuecosmetics|n(ezermentrude|stall-finder|fotechsatapi|digocellular|vestdominica)|s(abeauleandra|ys673ghdftsg)|qui2kj3gcssss|xsoscor
rrqvyd|cnkatinumiden)|y(our(loveenergy|dailygrace)|icgycrtyoxaiu|kesfabqxbvmns|scqbwwljsiwwr|bbwxrcoujexdh)|k(in(gs(upplydfwc|cosmetics)|dlyspeaking)|tototamdaleko|nugxvsimayety|qweenxsiyjtbe|cpxjxrmvurhfe|alalog-testov|rasivayfigura)|1(23racinggames|efmdfieha-mff|sweet-success)|0nlinesecutity|z(etofyhecynovu|liapmuzhpavip|hsejkozq1bxbw)|2012myownhappy)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665469; rev:9;) # sid 2665470 includes 286 (0 - 286) 15 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.com)"; content:"|0f|";content:"|03|com|00|";nocase;within: 18;pcre: "/(e(n(guzeloyunlar1|chant-ofsquer)|r(o-advertising|tugrulakduman)|cobnkltdonline|strellajulissa|yeblasterpixel|minence-global|urogulftrading|xtentthahansen|asyonlinebuxxx|verydaypregame)|m(y(avspridewinxp|liquidtherapy)|a(ilantispyware|lemedications|rinapaezuribe|emaematernity)|o(jlmqousyruioz|toculturejean)|ed(onlinestores|wisepartners)|mmngmrhvvohfnv|i(crosearchstat|lkcartonmafia)|ustangcruisers|s(rgejsdyvekadh|webtechnology))|t(ds-vip-monster|h(e(realityglove|bachelorguys)|reesimpleguys)|r(u(wofhvwslmsiv|sted-plugins)|ackstatistics|lnhbpanhmspru)|abletdrugsurya|ylt9avnpfl-zdk|odownloadfiles|fgixgmqhdowexm|urningsbyterry|esttaketraffic)|a(ccutaneeffects|l(miramaighdiln|ysongeorgiana|vinconsulting|-manardesigns|abamahaveidea|iciaginebreda|luringlyshort)|r(onlevitrawiki|mandrosamilia)|dfusionnetwork|u(stralia-verse|to(-translochi|shopper2011))|aascreensavers|meric(anultrade|tradeulti)|n(cvardallvoica|exalteacglene|qsjvhjjkypabm|alytic-google)|b(sqvhpldvsmclt|aumthinklines)|-better-smilea|tlanticmarines|p(otek-keluarga|r0ova11-serch)|westruckwonder|sadogalurunler)|h(o(meantispyware|rtensiacelene|wladieslikeit|telstremblant)|ar(riettgusella|tford-europe|d-zdsentinel)|yacintharegine|etjymgiddyamqq|k5pffembyzlug8|cuewgbbnf(du1ew|s1uew))|p(hoto-facebooks|jisjgifnvwtmqi|a(ybycar
donline|ulsimpsonsite)|er(fect(hardness|virility)|sonalvoguard)|r(o(udofhardness|jet-equinoxe|resourcesinc)|e(teensmoffbud|stoinfomante)|iceandstonema)|o(wer(slimdirect|fulreviews)|rtfoliohansen)|phxfntktjvhgti|uritanhardrive)|l(g(tslyonlonenfd|eohbboqpngfap)|strpmitvrwiknw|rorufugcvtzqor|i(nk(-irs-report|ingbuziness)|vingradiantly|quorstorebear)|oiixmokqrtfoue|umqheuhpqwyjmn|anwiojchmenjhn)|c(pucardioholder|q(oqgzqmkpkrmlo|gsmkvofkskhcm|lmxlukplhlfdo)|e(lestafrancyne|rtaphiedradio)|o(rabelledollie|de732546teh34|ntactfriendly|m(puterkolkata|mittee(notice|swatch)))|hargeyourorder|learbuyldnever|russail-global|a(pestonecounty|reerdiffusion))|g(o(o(gle-anal(itic|ysis)|dfeelingauto)|daddy-updates|ldstocksforex)|reat(southshore|estforsale)|wennethmeaghan|lobalnewzmedia|i(rlsshavingpal|fts-treasures)|gpmcodfppkjirg|sbwxfecgbmuysm|erbersbabyfood)|i(talianbestarts|rsnoticereport|kswildsuurqmex|nsidewindows(32|64))|s(e(otrafficsuite|r(ch-iteration|iousitproofs)|condreporters|verolhourwoet|nsitivetablet)|oftwareholiday|buying-levitra|h(esgonnaloveit|irleencelesta|opuggschuhede|-cartransport)|usjyyehjskjseh|i(kjlprooowzpvu|mple-mastermy)|zsqfilpfmdrokm|t(ar(cpdservices|dcowerwater)|rategytorrent|eelmediagroup|o(rekidsformal|neridgesmile))|a(n(diegotoolbar|alturumolsun)|veantivirlqdi)|gjwptrfosjeico|n(kbcptiqgqmlvw|pltixygwcpifp)|p(-adhitcounter|ortfoodmarket|eedsearch4you)|crabblegratuit)|f(i(le(-report-irs|sitehosting)|ndsforfriends|rst-(hwscanner|networkes))|oxyserverstats|r(ee(ridershools|joinsites4u)|iedturkeyneck)|xkapveygtffbkv|gvkxjvghdulfrx|edwirenetworks)|k(nvnrvhqlihezsj|ualulumpuru223|voxyhnaggyqrcc|iiwacbehxexixl|juldacvvmdffxi)|u(t(hzscsrsouqlue|vvpcpmqhbnedb)|s-taxes-alerts|ilmabdaxqlaxuj|myratdfvmdrlpm)|v(rgoryutlqnjpod|a(mpirenewsbeat|etxeasurevend|lentiaardelis)|dsprojectsdemo)|y(qfjkylgtuxpklv|esasia-support|ssrqxyljwrioko|ourvideostudio)|z(vktvbjvonnognp|eissopticszone|kncfiqohdfsdas)|n(htwnelsnpkpmqm|ucleardiscover|niqsvvlnokeqqz|ltorrentsguide|y(xmwnkkacwa
mvj|skiffintabout)|i(rxlosffmarpbp|kkoslogistics)|ewlogicalgames)|qtylujrrlnmvonq|w(o(zhrlrlqwshnmr|rldisfriendly|nderfulwrench)|indermubousega|qnefkerofcmrap|e(bordermanager|sellgoldcheap)|hichgolfwedges)|b(a(bbettekeriann|cdecededeffer|mbinobabywear|kirciapricots)|rit(tegwendolyn|ain-careers)|u(ydrugs-online|sinessnfamily)|e(st(couponshere|rttlsentiel)|ttersvowfyeld)|bwcandylicious|hitezoverready|illigthomasabo|orderexpressuk)|d(reamboatnights|trizsfnkstouxl|vulxfqzqkpeoeq|grdrqkpmggukqo|jeuagtquwwhera|aviselenserver|es(ktop-control|ignbyallison)|irectionmedian)|j(eanniekarolina|u(l(pillstablets|iastilesblog)|nesommerlivev|icepussyorbit)|wdwlqqqqiwhxkt|acobmuntz-gmbh|blextyhsfqttkz|obinhollandart|fvgelaqyfhxygq)|o(nline-drug-buy|bmfvijftylgjpf|m(silsdcpdsgpxm|pleteforwhole)|pvsecuritytech)|r(e(a(ispharmacyrx|ldatahosting)|setservonline|liablepwreqpt|flectivelayer|portaboutbosn)|mrlrrhtrxmoqmm|a(c(haneeflowers|ingexecutive)|temypenismate)|kxukunrgvpkgmc)|x(npqxuohrqpqrxi|xfnxriwksumerp|ioyjfiguiuluff|rumer-software))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665470; rev:9;) # sid 2665471 includes 237 (0 - 237) 16 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.com)"; content:"|10|";content:"|03|com|00|";nocase;within: 19;pcre: 
"/(40hgubisbgbgw84b|b(irdievspridewin|e(renicewillette|achcialispharm|txeenbetterten|st(forsaletoday|hottestsites))|l(amelessmanhood|lkuhftropiwymr)|r(ittneybeljulee|azzers-gratuit)|hrjunuudh888873|ankingonbankers)|c(hanneltrb123trb|a(ncermedwelness|ll(ieandcompany|promarketing))|o(olsecurityscan|mpanyandfamily)|entaur-advisors|swtnpnuhixdwjgm|ncvxhadekwnybnv|lrjagxamkwkyxuk|pr-franchise-ok)|t(h(e(antivirysscan|marathonroute|timeshareguys)|ousandmilitary|underexplosion)|ax-security-irs|syspmsvpjssfhfi|ixsqadkmslsdvwi|witterhackerpro|endenciasideais|rackingserviced)|f(whnsprvjqostrpl|or(yourlovefeats|gott(oshowmyid|ensunrise)|m(ulasganacash|aselectricas))|dawikidrugstore|reshmediaportal|i(lesecurityscan|n(dsecurityscan|ehomedivision))|ktpfwoqpgcagpal|amilycommercial)|g(gvfhovtntysfotv|reatfile(sonline|hosting)|o(daddy-networks|ogle-analutics)|uahanmantratapa|loriandelorians)|j(kxduovdqvkdmjoe|njgogpcehsdkbnl|paaommxplsmmnnp)|l(svyovgwoptbjnwq|vqdsuimvkxpuqro|jqvztjmhtstllvn|i(ghtchannelnews|vesecureupdate)|arpjpbblpnkdwyx|nlhuiitohdvbgmx|o(lkcovkfktwhaks|se-pounds-nowa|utitiaingeberg)|rqxvrqsihwtudox|wnfgmpncjubpseh|e(arntodobydoing|isureexecutive))|s(p(rqoffvslpjsqio|latteringfaces)|kypacifictravel|t(atistictoolbox|r(eamingfracmap|ongsecurityca))|hop(pillstablets|tabletspills)|e(rving-tracking|c(ure(-dominator|s-weblogin)|dfbpyopjhyhuw)|xdsgnrojhpptqb)|okoloperkovuske|r-starbladecrow|lmomdmcjuoaxdip|wtuvuibfapnited|imple-vhantivir|marttzy-cleaner|ugarbabythefilm|can(ing-computer|perilshazard))|u(rsgdiylzsrjnjhu|hertuupjsfjdryt|sers-info-build|psbkschmajhlxs6|igwsscasowqdiyp|xlyihgvfnqcrfcf)|w(skizdxzsljjtpul|tkrfpmgvssthymh|h(xymmmhdsgxmumm|i(chgolfcourses|tewidowreport))|gkyyalemnvhdrai|ilsoncall(senter|center)|o(uldlisfiguashi|nderfulwriggle)|arezserialfiles)|m(m(qznasnmtlhvpng|igsmpwmmwtxacq)|y(documents4you4|heathyerection)|a(riosplace-cafe|nitopercussion|ymacngocphuong)|o(viedatabasesrv|rganpremiergrp|neycreatorclub)|cchphgndpadclga|e(fqtfwlxrfhguru|redianstats
erv)|fsxlnoqvslcyfbl|wiadfsqcbjkudxd|usicmembersarea)|n(o(momlrjmysmmjos|voalbumdefotos|slwqaagtoxunnv|cdkeygencracks|ticiasmexicana)|gbrrspsmkkjiqor|bcnews33reports|cestanimefriend|nyfjpu35j2tnefd|e(wonlinepayment|-hochu-v-turmu))|p(er(sonal(syscheck|-scanera)|fectpowerslim)|iohrezwjkmflliu|qznywnvvgqsknnj|wjpiumlrrsjmmvr|a(ycheckinaction|lmettodatabase|rt-of-the-plan)|l(atinfutbolpark|einairmagazine)|hilosophymercer|ollyandcrackers|rairieecologist)|q(pbspgxoujpwiwuc|n(knuwletqgixvjk|mqexiqrxhvdwgl))|v(qwpfyeyyxjhxgri|itoldbraun-gmbh|gfsnrewuxeaoxoh|alentine-suites)|z(uvqpugmmmqrdskd|hfg0l5eijw4tjxc)|i(rs-urgentreport|mpo(tencefighter|ssible-world)|olanthedoroteya|nt(rusting-world|elinet-secure)|gspslbpjencmfax|xjtpaxclwhxmadp)|k(vdngrwipfbpyctr|eter-jankinsome|grrxfmyixossjmk|lz1mqnspdkod-bq)|r(hqpihygijvkndzu|u(le(broukdtstavd|yourpractice)|ssianartcruise|nescape-photos)|cnnhkcagerrquby|e(lmyplngdrdxpyv|allygoodprices|dsmokebarbeque)|jykgymugqlscttx|qybdbvyvjuruuxv|tcocsaitmadupgl|a(pidadsolutions|nge-the-hansen)|icharddahlstrom|m-communication)|a(ustinegwendolen|n(droidtabletsrx|tivirus-groups)|m(ericultimtrade|ginternational)|cheterthomasabo|wesomepornofree|sakusa-kagetudo|l(baycproblembin|meconstruction)|ppro(0val1-serch|ovall-serch))|d(r(u(gsmedicinebuy|nkgaysexparty)|ink-connection)|igit(usmarketing|izingascent)|thcjcsdxywxlsng|xovrcmyletmggxf|ykxkasesippbsjb|esrondsdansleau|ownloadsecurise)|h(e(lainadoralynne|rbalpillsgroup|nry(werner-gmbh|cavillverse))|ugnnpnymbwnhtuh|hoxaeiru1190ddk|ookedonbargains)|o(nlinestore-soft|rqpikmfnuonslov|wnership-online|urdatatransfers|jvpkaohbddmbfac|vgucbrrvxqufkwq)|y(ou(tube(studiopro|prostudio)|rsecurityplus)|tpfmnmgyjinxrhe)|x(snnsynlsnfhklun|qdrbrjiqwwpahhk)|e(asysecurityscan|xc(ellentforsale|hangeofchecks)|rwtyuikbfkdldfd|ksyghskgsbakrys)|59caddylimousine|8efhuiudhfodundn)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665471; rev:9;) # sid 2665472 includes 181 (0 - 181) 17 character domains 
in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.com)"; content:"|11|";content:"|03|com|00|";nocase;within: 20;pcre: "/(p(atysopublicidade|r(o(testsvirysscan|v(ideofinancial|en-protection))|ime-commodities)|ill-online-store|o(wieutygvbjhv4gh|fikpofikfikfik1|introlltracking)|e(dromoraconcejal|rsonal(suiteydpz|-ayscaner))|huongnamcomputer|leinaircollector)|s(e(natevirysscanxp|donahyperbarics|archhearthealth)|atisfyhertonight|t(ifferandstiffer|oreordersonline)|uhfvuljuihmevldp|ynergieassurance)|c(h(eck(-antispyware|serverstatux)|angetraditional)|o(l(ombiadeportiva|lection-hansen)|unter-wordpress|operategroupinc|nsulting-osmond|m(mitteesnotices|pactmultimedia))|l(icksecurityscan|ean-fresh-teeth)|areers-at-osmond|cquxmelkltnucyqv|ell-phone-repair|reditcardandmore)|g(ran(d-antispyware|tchiropractic)|ooglesyndicetion|ic-kbmtu0zkvwylf|enerationadstats|uardiandetective|abrieltomasiello)|h(omepcantispyware|er(tulna-bestdeal|baltabletgroup)|jwrnlvdbcmjrfkjx|appytwelvemonths|uggablecreatures)|m(asterantispyware|y(-pc-antispyware|a(ntispywarescan|ctivedirectory)|vehicleprogress)|ed(i(calpharmgroup|a(mindtracking|transfersltd))|care-financial)|istressmochalove|lfymmarbaswncxmn|s(twcsnvylmullkqh|xuafqnwjhljurmw))|e(di(rneotokiralama|tions-hydromel)|vrymonthnighttry|rfhytwpgitkpgudo)|a(utosloansonlines|n(thonyhealthmeds|alysisexecutive)|pplepharmacymeds|ssaystorerxpills|t(fkpyicxsrrwqbct|elier-biere-vin)|r(schtrompeteshop|morydescription)|llegiantstaffing|d(vi(sor-jobhiring|rginmobileusa)|serving-ddclick)|mpndesignclients)|v(i(siongraficaperu|rilityinsurance)|an(ilaprojectlive|tagensfimdeano)|fcyyjwcdrjjunrrw|erif1cationtime4)|i(rs-(report(-online|id-2944)|investigation)|n(spector-gadgets|forminteractive)|suhxkbqqxuauhdwn|yaxaucrvnhmkylya|mpr(ovegolf10ways|essiveclimate)|oqppjbdthx3bgozc|fcoffeecouldtalk)|l(ovevirtualmotion|bcqwwxucahiulchx|cloroifjeilomowq|eeroyjenkinsr00l|asvegas-massages)|d(omai
nsecurenethp|ancespotlightusa|rpfrkvdttdkhgpqi|itsamericanstyle)|f(e(dralwire-report|ldmanmackiechan)|i(nancialactivson|rstgnchsecurity)|asttrialpayments|qaeucdaicvnisqbd)|j(acquelinbeatrisa|ktlguslfhcwqkmai|obsagent-express)|t(a(bletspharmacyrx|nildirtystories)|h(isisatest123abc|e(homeloanwizard|uploadbusiness|draftauthority))|rackinganalytics|eachingparenting|shirtsfromhansen|la8xwcv7pjgiw92x)|b(oehnerhealthcare|l(acksecurityscan|kqjxiezzguocl7f)|arringtonconsult|ygfsdfmrwbhlghll|hilespezialother|kglobalsolutions)|w(wfreightservices|a(ercomendsrard3s|llstreet-fucked)|noykspnesqfwbkgi|pwaislxxgiskgscy|xurahlisqbmppqss|elcometoourranch)|u(sers-accept-data|h(-i99ur3qa9t3ssw|ndpadrwbuuchcvn)|miuqmrmvsuiscitx|xqbewwdunihwscfl|nitedimportstore)|o(smond-consulting|utlookconversion|gpertqeytagahert|verthehedgemovie|cnsfoyrdplmewnyx|rgflqxdnoyecgwib|xjlrgepfnkvdprbr|nlinewiththebest|fficialwineguide)|zw5kfhmujx024saj2|r(ushtohospitalnow|egfeedbackaccess|hfdjaecmygcrdgep|25wcyhzs1rwumhmz)|x(video-collection|cmcupdfcevkgbrue|oodachpaujnikmpp)|1(change-your-life|st-youtubestudio)|k(qrkegigdtjxxcrvl|jhsrucajdjlbpwwj|as(perskiy-huesos|djjaks83adsasd)|egel-workfashion|ingoftheaquarium)|n(qlocokxsjnsffxeu|t(nwcxtwgxwecrdxr|pvmnc0s6fpax0jq)|ationaladvocator|gwhgabaxkpievvmm|ewyorkwinevideos)|q(srywodlwhorwibvy|xdfhujechixcrgdb)|ybdwipovbicmpekyh)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665472; rev:9;) # sid 2665473 includes 122 (0 - 122) 18 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.com)"; content:"|12|";content:"|03|com|00|";nocase;within: 21;pcre: 
"/(e(n(gine-antispyware|hanceherpleasure)|lifkocsurucukursu|b(ubekirgizligider|ddteinurkortapgs)|xtravagansa-serch|quitychambers-org|spectacular1031fm)|m(y(-doc-antispyware|escortsdirectory)|e(ssianiclifestyle|diatiq-marketing))|b(ig(televideochanel|-strong-feeling)|atarryreanimayion|pmlhpuogveluyobjb|r(ycfhp8irhzv-zie7|itainstarcourier)|szx7hcipvzakoxdob|ondage-techniques)|h(e(atherlycreations|nry-cavill-verse)|hnnbtcnotcf3ohtxt)|s(t(udyingcenter-org|rhnkjvfskxlwinku|evenkphotography|atisticontheline)|e(x(ualtablethealth|y-screen-savers)|curebilling-page)|okoloperkovuske(ci|di)|anseverocommunity|pacetime-tracking|liokrvnkjenhwgpjl)|v(i(deorewardcentral|ew-tax-statement)|jpufudekyotltdnog)|r(e(sidenciasantiago|allygoodelectric)|fngjynkypsphqfmkh|wjsxxvvkbspdjoedi)|g(oogle(safebrowsing|-maps-advert|adwordcoupon)|v47numkmkmfub8790|renfellassociates|lasseseverydaynow|jvhfiouvwiqvtewbu|kusimsgjcauehgdjn)|l(i(nkedin-downloads|onandyarnpartner)|a(iotlboxklvpcdfhu|-femme-francaise|nkaleisuretravel)|pggutwsvtvnmvpxrc)|a(l(lisonjackqueline|gvgcawwdsmiksvol)|d(obe-pdf-reader11|svirginmobileusa)|popeshko-kakashek|nkarayatakimalati)|i(mpeccablevirility|rs-alert-security|n(credibleoutcomes|fouser-advertise|novasolucionesit)|tsourtimethistime)|t(o(ecurlinghardness|verlostremsstore)|abletpharmacydrug|ransporte-express|he-hiringdivision|uisyirhweflhvqyxh)|p(la(y-support-email|ceme(there732asq|ntexecutive))|pwnhnvwnvtggifhbv)|c(ellsdrugstoremeds|hemistspharmacyrx|ignahmopharmacyrx|atvfmsxowehqvfahu|pmsussgpibatpmswq|ustomshowerdoorsc)|n(e97urhfhndcduhc8h|tqbbnywghbjvsoivo|bvhroptghtmsydrfq)|o(ur(bigbooklibrarry|multstoryonline)|nline(bizdirectory|webdirectory)|iexgmycrtwirsgcmv)|f(i(rst-atlanticbank|ftypercentworker)|a(ctortenfinancial|milyownedcompany)|uehlediebezahlung|rmram2rjjr4lnkxbx|eelwonderfultoday)|j(5dlz7rxoto8g1fubb|ardinesinvestment|hfugjtncuvsuumnks|jfcilvuchkjvutlho|etsetworldwideinc)|x(24l0jpdhtccng-ojw|fcdavqouyevtvgjwu|umpkgnvdcmhykvdak)|8(9(7344kjdsf4523234|8234kjd
sf4523234)|bpao6zzpfs2xaoell)|dfyxptqjxwtdkjjbiu|q(vddnchpjtskjmgdlx|jnhsbctfdfpoisvgp)|w(ldpcgpkdxhdhvlpjc|mbnkplxddiaktnkjk|rfpmykunwbrscjann|hite-smile-center|eaverstreetorders|indowsproduct-key)|1959caddylimousine|kf8qbaqhj2lx-4fqt2|yafraudcheckonline)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665473; rev:9;) # sid 2665474 includes 101 (0 - 101) 19 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.com)"; content:"|13|";content:"|03|com|00|";nocase;within: 22;pcre: "/(a(v(spridewinxponline|onatradingcompany)|stroconsultingjobs|wckeliqcherasntmin|ustralianrefundvcr|bout-home-security)|c(reditbureauexperts|u(cineinmuraturapei|stomer-data-build)|arehealthpillsmeds|h(inabathroomshower|ristophershawnlee|erezzaborpereprig)|ent(enariotemperley|romed-financial))|s(hieldforcesecurity|trutters-logistics|o(mebackupdomain123|urceinsightonline)|vyafurnyrjrrfxjreh)|f(reefacebookhacking|i(lmproduction-eldi|rstprivateclients|djlfphserhycexjhf)|dkasoupvgxigejgdfb|amily-ownedcompany)|i(stanbulcheaphotels|mpotencesurrenders|r(s-security-agency|fldtfkhgyrpsarcje)|ntegrityworks-intl|dseneqmupdijjklvtm|uhohaeqgpikwwgvkki)|o(torviseberukumudak|ukicfldnvxhrtxvuqr|gpertopaerfczklert)|pe(r(fect(allnightlong|guardiansamp)|sonaliuboantivir)|tersonconsultancy)|m(enspharmaceuticals|unsoninternational|i(ssiledefencegroup|crosoftfreeupdate)|yheartgoesboomboom)|t(abletscarepharmacy|h(kqfhupjgknkqcxhou|ehenrycavillverse)|t(hayebvhdmntiyeuxw|jerkrdrrowibsipjr)|echnosolitservices)|b(ppharmacymedspills|a(nkruptcydrugstore|xqqapjrxxetjelhtk)|estjovelcoasteeras|klerdwiadlxxbjunwu|unxomdqokknkkllvkr)|g(reattabletmedicine|qmrhecnntccmawclmq|wbdgrlikclhthyivym)|us(-feraltaxsecurity|erdata-distribute)|d(rugs(torepaperpills|medicineonline)|ownloadtube8videos|lsvfpmniphnmxnvoeo|nmjahdaigeydiiorky|e(fense-association|l(awarevalleypower|essunshinetravel)))|l(obsterliveverro(mez
|lad)|uxsnxlqhebftttflob)|r(e(coverlostpassword|stauracjazosienka)|lvwjjhntfooonvhlou|ykgnuncbedueeuevxg|adioinkconvergence)|n(9(ewufhsiocnp9uphid|wefuhocn9dshifucn)|yyhahsslkflyhulcgl)|e(dqmjbyjcxyjqnjjodh|olgavefbsntlobsnpp|marketingatuestilo)|h(aqkwkokaigcdslnrlr|bwpvcnwwcdgfojuixm|howujyrcvdrwpdvsck)|k(ojadineqlbbfvtwlff|jjeuhhqiwvfnuvvtkd|ujrfpkp8xxf2viymsj)|v(lupfbsuppipkrvbsdy|pchdxywmxtxedwgfac|illavasoandcompany)|y(xhkddrdcpbccoabmuk|yeyutjgnsfrmswdygl)|jufxfkajvqmjljumvuq|q(dfgqwiovjlfegdcepm|ewgaoursqgghhfwbqa)|x(iangglgqatolsgfxqi|xkoixiiiqpyecxoaka)|worstpillsdrugstore)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665474; rev:9;) # sid 2665475 includes 56 (0 - 56) 20 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.com)"; content:"|14|";content:"|03|com|00|";nocase;within: 23;pcre: "/(t(riskell-productions|amarindo-immobilier|heconsignment-store)|internet(-antispyware|surveyprizes|profitpacket)|m(y-(c(heck-antispyware|omputer-www-scan)|smart-antispyware)|oney-data-establish|i(kkelsenspastryshop|nistrytomotherhood)|actucketphotography)|d(ata-ero-advertising|rugsmedicinetablets|e(signandintegration|letespyware-adware))|forexinvestorservice|r(xhealthcarepatients|esellingblackbranch)|a(prpharmacytabletsrx|jhr4tgysdihfvnfgasd|stroconsulting-jobs|d(swebsearchredirect|virginmobileusainc))|u(niquesoftstockplace|ser-financedata-buy)|b(u(ndespolizei-online|snetromwentysconet)|oiuehwfscp9ufhefuhc|estofcheapxxxtrials|randnewhomeshouston)|hedgefundconsultancy|s(fs8968f6h8sf6hs80xx|mart-defenderoption|exualpharmacyhealth|chwab-verify9939324|piednetcompowertrue)|zdesestvareznezahodi|j(obs-astroconsulting|pmorganchasenewyork|ajahbinksdiesforyou)|p(acific-shippingline|uzzle-game-download|ersonalncxh-defense|hotographybyannetta)|c(rossallbordersondog|picommercialfunding|areolnetcompowerfew)|you(replytomymessages|tubeconvertstudio)|notnormale
nterprises|7we9fyhdc9uihfeuidhc|online-virus-scanner|easystrategicprofits|longdistancelobsters)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665475; rev:9;) # sid 2665476 includes 50 (0 - 50) 21 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.com)"; content:"|15|";content:"|03|com|00|";nocase;within: 24;pcre: "/(c(h(orale-sainte-cecile|lorinetabletshealth|ild(reninthebusiness|subjectninthebiz)|allengedistribution)|ellphonerepair-chile)|g(oldseriesantispyware|reenfieldconsultancy)|my-(antispyware-update|doctor-antispyware|update-antispyware)|a(sesoriaempresarialcr|froskull-barbellclub|ctualizacionbancaria|rizonacentennialmens|dvertisinginfriscotx)|f(o(rwardmotionconcepts|odfortificationshop)|ederalreserve-online)|t(oolbarqueries-google|hebeststatsanalytics|atecarverconsultancy)|l(inkedin-file-reports|a(stest-skype-updates|ncasterautoelectric)|essthenaminutehandle)|s(o(maliamedicinetablet|rensensilverfineart)|tockinfobroadcasttwo|ystem-engineering-pc|afetshirtsfromhansen)|d(rugstorepharmaciesrx|avidson-distribution)|o(fficial-skype-update|rangestaradvertising)|publicacionesglobales|y(ourprijectsinaustria|a-toptal-tvoyu-dushu)|n(emapivanemavodku1988|8qfeuioahsnc09uohicn|wef9uhscji0wejofdmkc)|b(arringtonconsultancy|g78ruhevroujiodjfoir|ravogroupadvertising|edandbreakfastpatron)|qualitycarejanitorial|vo(lumetricseatingplan|yance-gratuite-mail)|indianwildlifetourism|ureuirbgeuihrweiufhey)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665476; rev:9;) # sid 2665477 includes 36 (0 - 36) 22 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.com)"; content:"|16|";content:"|03|com|00|";nocase;within: 25;pcre: 
"/(britishcourierservices|e(noprescription-(cialis|viagra)|meraldcoasturgentcare|lizabethdominicanhair)|a(n(droidtabletspharmacy|nabellefashionevents)|ccount-processedserv6|dobe-(acrobat-reader11|reader11-upgrade)|stroconsulting(careers|service)|v-security-essentials)|d(ownload-tax-statement|r(ugstore(healthtablets|pharmacycigna)|essmeupinhandmedowns)|elawarevalleymortgage)|f(ederaltaxes-statement|unnytshirtsfromhansen)|re(portfiledownload-irs|gistry-fix-softwares|markablesearchsystem)|t(otalsolutionantivirus|ransaharashippingline|hemagnificentwhatever)|osmond-consulting-jobs|you(thofthenationalists|rpandasecuritycheck)|s(uperscarytechnologies|hieldwindowsdetection)|greenwayconsultancygrp|w(arrenfisherassociates|indowsupdateservice32)|logitech-steeringwheel|homewiththebrathwaites)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665477; rev:9;) # sid 2665478 includes 35 (0 - 35) 23 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.com)"; content:"|17|";content:"|03|com|00|";nocase;within: 26;pcre: "/(d(ownloadzip-antispyware|rugstorepharmacydental|annythomaspartyrentals)|e(n(oprescription-levitra|ergy(developmentglobal|forsustainability))|spinternationalcourier)|t(abletsdrugstorefitness|heperfecthostessevents)|b(ankruptcymedsdrugstore|estsoftwareonlinestock|randnewhomessanantonio)|a(dobe-(acrobat11-upgrade|reader11-download)|stroconsulting-careers|ccrostheunisherenowcom)|o(fficial-skype-(download|software)|nline(designerdirectory|endustriyelmutfak))|re(alsoftwaredevelopment|galgroupinternational)|jobs-at-astroconsulting|fairwaykansasrealestate|pussy-grandma-limousine|goodwillpublicsecschool|79we7fsghdp98fhedcikhjd|welcometotheglobalis(com|org)|in(foitpoweringgathering|ternet-security-guard)|c(ustomtshirtsfromhansen|onsciouslivingseminars)|youtubebigconvertstudio|safe-t-shirtsfromhansen)/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2665478; rev:9;)
# ----------------------------------------------------------------------------
# Reading the generated entries below (one "# sid ..." header, then one rule):
#   * header: UDP to $DNS_SERVERS port 53 from any source that is not in
#     $SMTP_SERVERS or $DNS_SERVERS.
#   * content:"|NN|" is a single byte equal to the label length named in msg
#     (0x18 = 24, 0x03 = 3, ...); content:"|03|com|00|" is the DNS wire
#     encoding of the ".com" suffix, matched case-insensitively and limited
#     by within: relative to the first match.
#   * pcre is a case-insensitive alternation of the listed names.
#   * msg names only the length and TLD, so the matched name has to be read
#     from the packet during triage.
# NOTE(review): the pcre has no R flag and no anchors, so it appears to be
#   evaluated against the payload as a whole, not against the label that the
#   two content matches located; a listed string inside a longer, unrelated
#   name could satisfy it. Confirm, and consider tying it to the length byte.
# NOTE(review): within is always label length + 3 here (27 for 24, 6 for 3),
#   but "|03|com|00|" is 5 bytes and starts <length> bytes after the length
#   byte. If within bounds the END of the second match, as I read the Snort
#   documentation, an exact-length query would need length + 5. Replay a
#   lookup of a listed name against these rules to confirm they fire.
# NOTE(review): the one-byte first content has no offset/depth, so any byte
#   of that value, including one in the 12-byte DNS header, can seed the match.
# Names are matched exactly as written, misspellings included (see
#   sid 2665481); presumably that is how the source feed lists them, so do
#   not normalise the spelling.
# ----------------------------------------------------------------------------
# sid 2665479 includes 22 (0 - 22) 24 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.com)"; content:"|18|";content:"|03|com|00|";nocase;within: 27;pcre: "/(national-security-agency|insurancehealthdrugstore|b(estsoftdownloadplacenow|lockbustermedsdrugstore)|lufthansa-shipping-cargo|drugstorepharmaceuticsrx|s(agliklibeslenmeurunleri|kype-software-downloads|weepstakesandcontestsdo)|a(dobe-acrobat11-download|stroconsultingsolutions)|homelandsecurity-newyork|w(inchesterconsultancygrp|orldwidesnowboardleague)|c(h(eapscannerprotectionxp|ild(-re-ninth-ebusiness|subjectninthcompany))|anadianneighborpharmacy)|forexblackpantherprofits|officialtastingroomguide|restaurantchainexecutive|updatewindowsversion2939)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665479; rev:9;)
# sid 2665480 includes 23 (0 - 23) 25 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.com)"; content:"|19|";content:"|03|com|00|";nocase;within: 28;pcre: "/(in(ternetmultimediaholding|foitpoweringgathering(it|on))|globalpoweringgathering(on|it)|d(rugtore(tabletspillsgroup|healthtabletscare)|igitalcameradatarecovery)|f(astsoftwaredownloadstore|inance-approve-australia)|uniquesoftdownloadsmarket|onlinedatingsecretfriends|you(rsuperstatscounter-web|tubespeedconvertstudio)|s(weepstakesandcontestsnow|exualpharmacyhealthpills)|m(illerconsultancyservices|alware-protection-center)|b9pefwsiuhcdb8ogiuefdcdef|custom-t-shirtsfromhansen|advanced(-virusremover2010|virusremover-2010)|redtigercreativemarketing)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665480; rev:9;)
# sid 2665481 includes 13 (0 - 13) 26 character domains in the ".com" top level domain
# The alternation below contains misspelled names ("secueity", "goverment"); they are part of the signature.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 26 chars (.com)"; content:"|1a|";content:"|03|com|00|";nocase;within: 29;pcre: "/(federal-secueity-goverment|ginafinkelsteinproductions|tabletsprecisionpharmacyrx|official-2011-skype-update|c(areers-at-astroconsulting|hildsubjectninthebusiness)|sweepstakesandcontestsinfo|johnsonsterlingconsultancy|antivirus-smart-protection|download-internet-explorer|wr7sfhiud9fphidscjoijhsfdc|nebraskacarinsurancequotes|integrateddefaultsolutions)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665481; rev:9;)
# sid 2665482 includes 6 (0 - 6) 27 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 27 chars (.com)"; content:"|1b|";content:"|03|com|00|";nocase;within: 30;pcre: "/(d(igital-protection-software|rugstoremedicalspecialtyrx)|fastdownloadsoftwareservice|cignahmodrugstorepharmacyrx|2011-skype-software-upgrade|official-2011-skype-upgrade)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665482; rev:9;)
# sid 2665483 includes 8 (0 - 8) 28 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 28 chars (.com)"; content:"|1c|";content:"|03|com|00|";nocase;within: 31;pcre: "/(c(ontrol-panel-antivirus-scan|hildregardingninthebusiness|ellphonerepair-hamptonroads)|drugstorepharmacycignadental|2011-skype-software-download|official-2011-skype-download|alcoholdrugtoretabletshealth|herbalifetunisiedistributeur)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665483; rev:9;)
# sid 2665484 includes 4 (0 - 4) 29 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 29 chars (.com)"; content:"|1d|";content:"|03|com|00|";nocase;within: 32;pcre: "/(googlecheckoutcustomerservice|smart-anti-malware-protection|worldwideecologyglobalnetwork|theflightoftheearlsexperience)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665484; rev:9;)
# sid 2665485 includes 4 (0 - 4) 3 character domains in the ".com" top level domain
# NOTE(review): the alternatives are only three characters long and the pcre is
#   not tied to the label position, so this is probably the class most prone
#   to false positives once the content checks pass; confirm against baseline traffic.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.com)"; content:"|03|";content:"|03|com|00|";nocase;within: 6;pcre: "/(4dq|1me|pp2|yuh)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665485; rev:9;)
# sid 2665486 includes 2 (0 - 2) 30 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 30 chars (.com)"; content:"|1e|";content:"|03|com|00|";nocase;within: 33;pcre: "/co(smeticdentistryvolusiacounty|nstitutioncapitalcorporation)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665486; rev:9;)
# sid 2665487 includes 1 (0 - 1) 31 character domains in the ".com" top level domain
# The "xn--" prefix marks an IDNA (punycode) label; decode it to see the name as a user would.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 31 chars (.com)"; content:"|1f|";content:"|03|com|00|";nocase;within: 34;pcre: "/xn--72czpba6a2at4cwaa9bxczc9k4e/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665487; rev:9;)
# sid 2665488 includes 2 (0 - 2) 32 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 32 chars (.com)"; content:"|20|";content:"|03|com|00|";nocase;within: 35;pcre: "/(drugtoreprescriptionmedspharmacy|howtoviewprivatefacebookpictures)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665488; rev:9;)
# sid 2665489 includes 1 (0 - 1) 35 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 35 chars (.com)"; content:"|23|";content:"|03|com|00|";nocase;within: 38;pcre: "/mitchell-i-nord-shop-po-rated-blogg/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665489; rev:9;)
# sid 2665490 includes 1 (0 - 1) 38 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 38 chars (.com)"; content:"|26|";content:"|03|com|00|";nocase;within: 41;pcre: "/contractlinksecurityorganizationsdnbhd/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665490; rev:9;)
# sid 2665491 includes 38 (0 - 38) 4 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.com)"; content:"|04|";content:"|03|com|00|";nocase;within: 7;pcre: "/(2(6(5w|80)|upl)|7k7k|w(6x6|813)|x(z(26|49)|ywy)|r(tt8|ehr)|a(o9z|cez|sfw)|h46r|55fk|jkub|z(yns|ssy)|ppzy|f(jss|9r(0|2)|wyh)|1j21|utp7|c(3o6|fa4)|blir|q(pnj|kgb)|e(n(qm|yi)|ert)|lzjl|kaza|0zz0|86sg)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665491; rev:9;)
# sid 2665492 includes 1 (0 - 1) 41 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 41 chars (.com)"; content:"|29|";content:"|03|com|00|";nocase;within: 44;pcre: "/wucq5wrnizrai1211j8npvndkhx667fit724xjmzv/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665492; rev:9;)
# sid 2665493 includes 110 (0 - 110) 5 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.com)"; content:"|05|";content:"|03|com|00|";nocase;within: 8;pcre: 
"/(m(zdbt|r(wrk|sdl)|tasa|dcpm|bxzw)|h(iddl|ogaa|lsjx)|u(ussc|sf57)|j(usan|yron|aifr|oins|joor)|n(opao|nesm|htyd)|gfr24|k(jrub|hcol|ooby)|s(e(rv(2|3)|dvb)|osfa)|c(pbnk|uoma|gfde|cdcc)|y(cqdn|u678)|6(9585|5184|6236|8448)|t(a(b-g|rin)|txjp|imcp|ds88|orre)|ww038|x(t918|mjhx|ydnf|uxwa)|q(scwd|q275|ubik|liwu|hqqq)|2(waky|8959|4cpm|0818)|a(d(urr|eui)|vawg|fbjz|rdde)|r(aptr|rcch|ofep)|z(ango|weex)|b(yxon|o610|utdt)|3(6(9qy|719)|5495)|e(s(ilo|etn)|gorg|24hr|dm(kc|cm))|va(gex|yrr)|i(usav|kyjo|flos|msci|-(lee|pmi))|1(9(8qb|679)|1334)|fkltz|9(1wxw|6897)|5(1712|2(250|5vv)|waga|0379)|7(98(25|91)|0607)|8(27(83|71)|moms)|0(4(309|597)|9452)|oerco|dorms|pcpop)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665493; rev:9;) # sid 2665494 includes 187 (0 - 187) 6 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.com)"; content:"|06|";content:"|03|com|00|";nocase;within: 9;pcre: "/(c(utped|o(dsvr|bato|mttt)|hk4me|joint|3stat|a(inoz|stxm))|x(omcui|raysz|zrw0q|-kote)|0(577yy|03zzy)|k(a3ek2|rufop|eppeo|o(gogh|klip)|pp234|bgnet)|y(a(lupa|ndcx|s(kap|hem))|ecla1)|z(inkzo|haonb|valka)|n(o(navs|dpad)|a(yuuh|sahm)|umasa|e(wswf|t(411|pub))|bnjk(i|l)|ikjju|jukol)|u(h(fqds|ijku|jiku)|pcomd|rande|ksold|glyas)|r(ncafe|atsed|s-tek|u(nefx|kiso)|icalt|ondif|epppp)|7(oorq8|87eee)|d(isk21|frgcc|rubet|uklio|nshop)|f(itle8|rcfir|grag3|43595|-easy|elixs|op6tr)|h(ztian|htres|eli(de|nd)|wyyxo|gbyju|njhkm)|o(hmiga|xygol|ab-mg|jdada|wsltd|rdonn)|p(o(rnno|kosa|wosa)|ulpic|ctuto|hyfun|illsm)|s(lipla|e(cuds|ekmo|dpoo|xyms|tint)|k(ovia|djui)|a(xoid|togo)|o(ngir|bini)|t(myst|ungy)|iseau)|b(jork2|kcynt|wghat|l(ammi|uegu)|esrom|mlbnd)|m(ensiz|w(cnel|orms)|a(p789|c-nc|ryfi)|drrdl|iwink|oraks)|w(cpftp|ungrp|bappm|iduop|agabb|o(jucn|rvmw)|fnwef)|g(o(beey|adiz|nirt)|bjobb|itaxo|tc123|higos|pahcf)|a(imsig|d(mnxm|sbwm)|m(sbuk|kx98|thor)|n(saab|ycop)|fa521|zpros|-amch)|l(a(sbok|qeah)|u4isa|etfen|itet
b)|1(520mm|40inv|00myr)|e(ffers|b(aliu|4a91)|qsync|dmems|mcapp)|j(mesmd|hgukn|admal|s0575|kycob)|i(ffind|ejaor|bryte|dmbiz|tappm|riwiw|ndosu|add4u|-momi)|v(ovmml|inoir|egweb)|q(zone6|adams)|t(h(dx08|ehhn)|ikago)|3drugs|24yapi)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665494; rev:9;) # sid 2665495 includes 242 (0 - 242) 7 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.com)"; content:"|07|";content:"|03|com|00|";nocase;within: 10;pcre: "/(i(mgfarm|n(turpo|geocr|n(vidn|odyn))|gre321|vairiu|s(tguru|ma3de)|iservz|ybhjbx)|d(oughaa|empsre|dc1000|ynaery|ioasis|1openx|lopenx|z-team|jatila)|g(ruzakk|a(medak|zduim|losha)|otsoft|wc2012|e(tfolk|etlab))|p(i(yahan|cshic)|e(alton|gging)|a(r(elav|s-dl|3web)|wsoft|lmbit)|ragma5|l(us500|otonk)|o(gloro|litca|olpub)|hjwllp)|s(u(subbs|kanaf|m-tec)|e(credi|kvend)|o(lvota|47nop|ft2pc)|k(islia|anara)|ys(tmsd|cave)|ho(pirs|rthe)|ta(ts(my|t5)|rpds|mset))|wi(llysy|kiioc|n-spy|thijs)|h(y2yuan|u(teraq|niloz)|e(miacy|tisar)|orewdt|i(g(game|hsta)|krebs)|akkage|4d4c41|5d5c(55|69))|r(e(pbits|d(serp|cada)|inere|lais6)|ags(mog|nip)|knetsk|u(ebari|nimps|svier|bliki)|sbanks|o(oblik|ptend))|b(-k-ind|orobo3|bva-es|l(whois|og-av)|i(osman|ggaxx)|e(stnzb|tbits|idzan)|a(dosov|rq4x4)|jdchat)|c(patank|razeyt|lolled|entsrx|v2shop|utsomd|opykat|c-agri|hez-42|0628e3|ajunps|sepros)|m(a(ribit|toway|nhua5|ilru2)|e(elith|tsotr|nthey)|udpots|yzarah)|t(a(b(atti|diet)|k2net)|imgad1|r(ack0n|ianti)|3a4ano|s(qayzz|imora)|-codec|elency|uk-tuk|5track|hai4me|ortlaw)|v(a(fuiek|ledio|mpjac)|e(wiews|rioso)|ksprut|ssigma|idarus)|z(onelux|ejamuf)|k(issbit|ollend|grodko|l(aomta|ickis)|asware|erz614)|l(v1shop|ttserv|ucatme|o(okadd|s(eget|ugen)|xblog)|hft-om|yndamk|alalia)|0(514job|fc6d6d|window)|e(d(itial|en-fg)|wpetro|linarg|asykpi|spanpo)|a(t(eling|ribux|mfund)|r(rowfg|tisot)|psentp|l(apali|grsat|eorew)|quasrc|d(x4bf5|sturn|onion)|s(firey|dmk19|an
seo)|kvitea|cmetoy|xifill|-login|2zbeta)|2(go-inc|011-es)|6(666088|laughs)|f(ile(-dl|bay)|ly-fff|r(a(meip|umpo|sint)|etolu)|asunet|yzaije)|y(erelim|azminx)|o(n(musix|-voip)|rtho4u|h(arifo|ojunk)|pernye)|u(nibkgh|aeloot|iingg2|cclink|hahaka)|n(csplus|3ot6op|jorkus|sdnsrv|ovastr|nyjunk|etplux|akiros)|1(23-img|05vibe)|j(-cakes|aytill)|x(delbox|ludakx|jigiws)|qq16800)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665495; rev:9;) # sid 2665496 includes 296 (0 - 296) 8 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.com)"; content:"|08|";content:"|03|com|00|";nocase;within: 11;pcre: "/(44qwpoga|a(v(sgowin|angeit|rettos)|e(goblin|ravine)|r(tiyono|owipes|m4l1t3)|bc-down|ctionfg|l(olaway|waasim|berghi)|jithnet|ntistop|ddiplus)|b(i(zavids|ttique|nh6699|dsedan)|a(serich|nlueak|mprint|dosova)|ca-indo|u(lbknee|rburis)|o(ok(mon(n|o)|fula|gusa|zula|vivi)|tevabe)|edthese|tfkjkqv|lumtame|hrulez1)|e(topala3|v(nagivu|aznama)|ncybest|rokatan|j3leeed|zthemes|-keygen|urovini|dmethod|mconinc|pyxlife)|y(waxeweq|ouxi123|ecjrsxe)|h(marhelo|ttpload|o(odmice|usbard|wbeats|lysony)|kzonten|i(gzasri|lekoxp|jkitpq)|yazdani|uyechek|jxrksvo|fmforum|akkaery)|l(o(ve-map|mocapi)|a(m(plitr|adorm)|n(dchin|elusu)|llygag|wcetod)|e(naason|agrace)|i(ftpack|nuxsup)|ymebook)|m(inisdns|e(r(ca123|kdyce)|nsfave|s(ohard|lefot)|dnesko)|a(n4real|lemedz|3louma)|orhesto|u(siqwap|t(oisay|epost))|m(oframe|apills)|y(ipgirl|lemain))|p(a(n(berty|amvid)|gerage|ypopup)|er(hingr|efomo)|h(grifol|y-pnru)|i(tneafs|n(albal|khart))|rivacyn|o(uyakam|rtagas|stdone|llypaw)|l(atrium|sk3mme)|bfttfgw|tsector)|t(r(uminfi|ialreg|ymedia)|omisdel|i(npiano|biabot)|heasker|e(lelope|ch-att)|a(mindir|xi1855)|fpohsjc|lxfrilp)|c(om(toway|mcorp|serve)|a(useany|r-taxi)|l(aquana|ubnett|ostery)|u(pidwow|rc(amel|ha(mp|rt))|akcuak)|retonol|y(anmite|cles3d)|psystms|mpstats|hipiden)|s(olodiyi|u(intraf|lus(i(ze|fy|u(m|s))|ate)
)|e(osh4us|tbedow|nzatel)|h(zykths|op(4898|rdig)|enduso)|i(libobo|rtukan|ambass|gelock|tepond)|tat(s(fun|-tr)|i(kru|mps))|cwiiraq|yhanath|lonhome|w(itch18|ltch0o))|v(e(rdumnn|ter-ok)|id(hisec|sneak)|a(lidols|ccineu)|zrnb4o4|prtcls(1|3))|f(abtexbd|i(nneuro|leshat|blolpp)|un-bork|kcxdfiv|yreport)|i(n(eturet|galise|aparex|dex117|fomsan|terich)|s(htiben|sa-net)|zuhuhyq|twitier|ranblog|p-(range|sysop)|xnaxrqn|dahelyn|mpsserv)|o(fowywal|g(otytaw|pshvhk)|vahukyq|bellisk|ralania|aifpapl)|d(o(gbutic|wntrns)|y(natary|pislng)|cyakhpr|egbxpos|pdadshi|iokulum)|n(o(comcom|hegofu)|bxaudio|e(tnet51|gro001)|w(oyejym|rqebry)|ukeboot|anokipa)|w(a(tcheco|ywaycn)|eb(sells|ads20)|qfmumga|wgxwnil|ooody27|raith73|idolove|pkitbtc)|q(wixcoah|ekgxfrk|fitnlxp|urrtone)|r(e(cedjyw|llmont|gaopax)|xvinous|a(sadata|gs(mile|nipe))|ovotech|ubinp2p|gcdictp|i(falogs|o(lagir|torio))|yactive)|k(sadamar|rtvnyxc|uwaittv|ylanlaw)|2(8chejil|63rdasd|squared)|6(34rfeds|13sales)|360(gw400|dovip)|g(etmilfs|i(denvap|bridpk)|ccadwuf|meuasnn|3ddoser|urukuty|wb-cash|rashopa|oohnies)|j(mmaijia|xnbdfwh|o(vocold|yshope)|ustrags)|u(hjwxipj|iwbtjfp|kbukpuj)|zkhfwie2|x(otdhwvb|ejezk12))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665496; rev:9;) # sid 2665497 includes 411 (0 - 411) 9 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.com)"; content:"|09|";content:"|03|com|00|";nocase;within: 12;pcre: 
"/(b(b(redstar|deals33)|u(buruzka|ndespol|zzteria|glenews)|i(gmomies|vuxejak)|a(bblebus|tticani|vanolaf|rditons)|o(xtaditp|otymart|zcracks)|lu(rayeol|violet)|r(ightory|eaknews)|e(sloqawe|atnomad)|haahdold|scentage)|d(e(tajilap|niadela|midaind)|i(vinemeb|doyoshi|yartech)|u(vizazuz|dubbank)|ldslauno|ribscool|pjbclufd|vgeqsama|o(hxahjoo|wntraff)|annyagan|d(pgroups|lsecure))|s(u(pnewdmn|zehebaq|ojiaoge|lusient)|yxi(sesyf|tyvik)|p(adapele|o334vg6|latstep|ecialgt)|a(vanypih|zulipum|ssgutfv|ndoulov|dropped)|h(op-(your|budz)|y4thgi2|ervinet)|o(m(noigra|angcos)|ftnsoft)|li(mmonth|ckspan)|jdhcasla|e(susihyt|x(moorez|potart)|pehrelc)|k(r(oackqs|ille2k)|0lewcho)|t(opitplz|eelrode|ar-stat|hamogul))|t(laloc666|i(bumuqel|pagafyp|cfmjsce|vvitter)|a(xigibyz|emaidoo)|y(novunej|vinokun)|u(dorclee|jimiao8)|optasize|wistloft|vxwdutxo|eaeyexrx|heedmail|rack-t10)|v(uqigajab|e(zegavor|llalink)|termjezz|a(ilherdo|nninata|zzterax|llesoft)|i(ppokers|dyocini)|o(neclick|teelias)|yganison|mdgwbenh)|w(o(qugotyn|r(kasite|ld-fon)|ojeoung|wgrowez)|yciwywyt|i(setrize|yqctbhe)|u(dicofez|gcareer)|a(yluxury|density|tqjvqnf|utilber)|e(st(optic|sinks|array)|bjahaas))|y(tigosuvi|a(ndekapi|hoolnkd)|mail-vip|kkcsanct|ofiliate)|z(akikipyr|ondgroup|y(fovubyv|tamygac)|hyredted)|c(ej(ygyluh|mogezy)|o(m(etfing|bi(gave|jump))|rkchest|splanet)|l(o(rismay|udaway)|arketab|ub-bork)|a(useanys|nanhoca|stonete|bochips)|h(obdobru|a(ngjiu2|secard)|ille(map|ncy|pay))|p(-africa|m-track)|i(kojavif|tadelhk)|u(testsix|rcharge)|gzyzxpqw)|f(a(stlives|kiwijow|bia-art)|u(tutka20|ntimems)|loorslim|ff-tools|s(ksblipt|suatmti)|indviver|0rb1dd3n|riday133)|g(a(b(circle|ranits)|ncetode|yhermes|meangel)|i(b(agexyz|ropony)|huseqob|ve2vets)|wynletta|e(titbigz|cceplus|orgehay)|l(obalcml|ad-year)|jehgcrav|r(eatglad|aydevil)|ooglesgo|zjianren)|h(i(sesuloh|detools)|xdxyz0om|o(s(family|t(gozar|swiss))|djoqumi|riqomep|ldekspo)|ellivina|rynevrev|a(l(cyonet|enbeck)|kka(bo(at|ut)|t(ory|ion)|yard)|ndbless)|gubujdad|upferusa)|j(ocojihuc|aduhylaw|u(st(
chatz|-boot)|dryefzu|vizovih)|i(zedriwu|kdoout0)|s(tooltip|ijdewhg)|fvxpfbgo|en(curcio|nyhart))|k(e(ywordkr|kepedia|rusatev)|rupreeda|a(zmishop|masgold)|indteens|u(salozus|10amcia|kushata)|myxdodog)|l(e(vulehup|qnxekmi|fi0kera)|ikstened|a(rukuton|ebohlay|bchimic)|upytehoq|ottomeca|qkdmcplj|vmrpvkyo|keopee32)|m(y(coresep|qapivaz)|a(ilssrvs|lavasso|toreria|kdacs00|ghrebix|yafoods)|beydogan|i(graviro|feryciq|mopywyn)|laimport|e(dia-get|toprofi)|kmngqxwk|wsjitqbf|o(oonstep|nstrotv))|n(i(gyruqyn|poloquv|kandata|udoudou|chegalz)|ordea(-(if|vf|dk)|sfi)|e(wsphoto|tfusion)|ypucevys|s1google|tvgljvty|ametango)|p(o(o(pthree|gatodf)|quwaluj|r(t(alant|culis)|n(tubeu|-gate))|introi(i|l))|i(ckfonts|xprofit|ontroil)|e(ntagori|-canada)|lohotrah|qqpwjnmn|r(o(capman|primas|growow)|avetuso|izedseo)|a(oxlrmbg|ncclear|pirolli)|bwjbkgdo|hatcutie)|q(ilogewyc|u(ickhttp|kccxcwi)|y(vexyhun|zywapoz)|wordiquy|obirawif)|r(e(tisuqat|botstat|p(ortind|toptop))|a(vewines|utexton|c(ingfax|king15)|mmjyuke|pid-xxx)|ifepfl61|jlpranks|o(yalbuka|lla01no)|ubugrave|xckgnatt)|x(arerecus|e(gunider|ucibnop)|umanipuw|y(kecolun|z-stats)|prezznet|xxtubes8|nuqkdwek)|e(dymokowe|comersik|rikaines|s(mecyndy|trexweb)|qplusmag|ijahjdmm|buyadult|pointads|npriorys|-tracked)|i(n(ningter|aaubrey|rapharm|c0gnit0)|grajvpas|ssieilla|xfiedyck|crafterz|liri-rks|framepay|p(-(blocks|dialup|hiding|netbus|subsys|upload)|dnszone)|ilasqwag|tehtxcch)|u(dp(-first|smedia)|ritoluck)|a(l(makelsy|ktramjc|iyilmaz)|rdysmoll|p(lecasit|pscoast)|u(gmepeid|dio(cdfz|4fun))|bc-stats|d(e(na-job|leenid)|xreport|magnet1|srunctr)|mbercada|n(drewloh|ti(viran|ochwf)|celtouq)|oaophoto|ernloail|wendever|gpdvawvr|yathirai|irakound)|326435465|7-storage|o(nesfocus|athaesha)|110hobart|4playwine|22princes)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665497; rev:9;) # sid 2665498 includes 1 (0 - 1) 2 character domains in the ".cx" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS 
lookup 2 chars (.cx)"; content:"|02|";content:"|02|cx|00|";nocase;within: 5;pcre: "/mo/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665498; rev:9;)
# ---------------------------------------------------------------------------
# How to read the rules in this section
#   * Each rule alerts on UDP packets sent to $DNS_SERVERS port 53 by any
#     host that is not in $SMTP_SERVERS or $DNS_SERVERS.
#   * The first content is a single byte whose value equals the "N chars"
#     figure in msg, i.e. the DNS length prefix of the blocklisted label.
#     The second content is the length-prefixed TLD label followed by the
#     00 byte that ends the query name; nocase modifies that TLD content,
#     and the pcre carries its own /i.
#   * The pcre lists the blocklisted labels for that length/TLD pair.
#
# Detection caveats (review before enabling)
#   * The pcre has no R flag and no anchors, so it is evaluated against the
#     whole payload rather than the label located by the content matches.
#     Short patterns such as /mo/i (sid 2665498) or /64y/i (sid 2665511) can
#     be satisfied by a substring of an unrelated name.  Treat a hit as a
#     lead to confirm in resolver logs, not as proof of infection.
#   * The first content is one byte with no offset or depth, so it adds
#     little selectivity and can match bytes outside the question name.
#   * NOTE(review): within is set to label length + 3 in every rule here,
#     but the label plus the 4-byte TLD pattern occupies label length + 4
#     bytes after the length byte.  If the engine requires the whole
#     pattern to end inside the within window (the Snort 2 manual reads
#     that way - confirm), the length byte of the intended label cannot
#     anchor a match.  Validate with a lab capture before relying on
#     these sids.
#   * Only UDP toward $DNS_SERVERS is inspected; lookups over TCP/53 or to
#     resolvers outside that variable are not covered by these rules.
#   * The file header dates this ruleset to May 2012.  Domain blocklists
#     age quickly, so expect stale entries and re-registered names.
# ---------------------------------------------------------------------------
# sid 2665499 includes 1 (0 - 1) 8 character domains in the ".cz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.cz)"; content:"|08|";content:"|02|cz|00|";nocase;within: 11;pcre: "/arnostov/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665499; rev:9;)
# sid 2665500 includes 1 (0 - 1) 10 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.de)"; content:"|0a|";content:"|02|de|00|";nocase;within: 13;pcre: "/timobreuer/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665500; rev:9;)
# sid 2665501 includes 1 (0 - 1) 11 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.de)"; content:"|0b|";content:"|02|de|00|";nocase;within: 14;pcre: "/tec-company/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665501; rev:9;)
# sid 2665502 includes 3 (0 - 3) 13 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.de)"; content:"|0d|";content:"|02|de|00|";nocase;within: 16;pcre: "/(best-clansite|catchthefever|anne-augustum)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665502; rev:9;)
# sid 2665503 includes 1 (0 - 1) 14 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.de)"; content:"|0e|";content:"|02|de|00|";nocase;within: 17;pcre: "/bartus-umzuege/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665503; rev:9;)
# sid 2665504 includes 2 (0 - 2) 15 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.de)"; content:"|0f|";content:"|02|de|00|";nocase;within: 18;pcre: "/(dsh-haustechnik|eichenhain-shop)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665504; rev:9;)
# sid 2665505 includes 3 (0 - 3) 16 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.de)"; content:"|10|";content:"|02|de|00|";nocase;within: 19;pcre: "/(bodosvolvogarage|domainvermarkter|financialpartner)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665505; rev:9;)
# sid 2665506 includes 1 (0 - 1) 17 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.de)"; content:"|11|";content:"|02|de|00|";nocase;within: 20;pcre: "/religion-vernetzt/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665506; rev:9;)
# sid 2665507 includes 2 (0 - 2) 18 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.de)"; content:"|12|";content:"|02|de|00|";nocase;within: 21;pcre: "/(magicjoefuncenters|legend-of-madrigal)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665507; rev:9;)
# sid 2665508 includes 1 (0 - 1) 20 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.de)"; content:"|14|";content:"|02|de|00|";nocase;within: 23;pcre: "/auto-lackier-service/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665508; rev:9;)
# sid 2665509 includes 1 (0 - 1) 22 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.de)"; content:"|16|";content:"|02|de|00|";nocase;within: 25;pcre: "/tierfreundliche-motels/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665509; rev:9;)
# sid 2665510 includes 1 (0 - 1) 24 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.de)"; content:"|18|";content:"|02|de|00|";nocase;within: 27;pcre: "/der-unsichtbare-schamane/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665510; rev:9;)
# sid 2665511 includes 1 (0 - 1) 3 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.de)"; content:"|03|";content:"|02|de|00|";nocase;within: 6;pcre: "/64y/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665511; rev:9;)
# sid 2665512 includes 1 (0 - 1) 4 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.de)"; content:"|04|";content:"|02|de|00|";nocase;within: 7;pcre: "/gbbr/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665512; rev:9;)
# sid 2665513 includes 1 (0 - 1) 5 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.de)"; content:"|05|";content:"|02|de|00|";nocase;within: 8;pcre: "/iobox/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665513; rev:9;)
# sid 2665514 includes 4 (0 - 4) 6 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.de)"; content:"|06|";content:"|02|de|00|";nocase;within: 9;pcre: "/(olisee|cefalo|inverl|1ns4n3)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665514; rev:9;)
# sid 2665515 includes 2 (0 - 2) 7 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.de)"; content:"|07|";content:"|02|de|00|";nocase;within: 10;pcre: "/(froetti|sega-dc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665515; rev:9;)
# sid 2665516 includes 2 (0 - 2) 8 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.de)"; content:"|08|";content:"|02|de|00|";nocase;within: 11;pcre: "/(salsanr1|zypern4u)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665516; rev:9;)
# sid 2665517 includes 6 (0 - 6) 9 character domains in the ".de" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.de)"; content:"|09|";content:"|02|de|00|";nocase;within: 12;pcre: "/(p(c-cheats|ytalhost)|hoktaeder|domainsrc|geld-pool|witchsoft)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665517; rev:9;)
# sid 2665518 includes 1 (0 - 1) 15 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.dk)"; content:"|0f|";content:"|02|dk|00|";nocase;within: 18;pcre: "/kvicklyhelsinge/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665518; rev:9;)
# sid 2665519 includes 1 (0 - 1) 7 character domains in the ".dk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.dk)"; content:"|07|";content:"|02|dk|00|";nocase;within: 10;pcre: "/nobrain/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665519; rev:9;)
# sid 2665520 includes 1 (0 - 1) 8 character domains in the ".ee" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ee)"; content:"|08|";content:"|02|ee|00|";nocase;within: 11;pcre: "/diamande/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665520; rev:9;)
# sid 2665521 includes 1 (0 - 1) 11 character domains in the ".es" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.es)"; content:"|0b|";content:"|02|es|00|";nocase;within: 14;pcre: "/cubadirecto/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665521; rev:9;)
# sid 2665522 includes 1 (0 - 1) 5 character domains in the ".es" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.es)"; content:"|05|";content:"|02|es|00|";nocase;within: 8;pcre: "/cacre/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665522; rev:9;)
# sid 2665523 includes 2 (0 - 2) 6 character domains in the ".es" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.es)"; content:"|06|";content:"|02|es|00|";nocase;within: 9;pcre: "/(rxshop|d-mode)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665523; rev:9;)
# sid 2665524 includes 1 (0 - 1) 7 character domains in the ".es" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.es)"; content:"|07|";content:"|02|es|00|";nocase;within: 10;pcre: "/eftopia/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665524; rev:9;)
# sid 2665525 includes 2 (0 - 2) 9 character domains in the ".es" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.es)"; content:"|09|";content:"|02|es|00|";nocase;within: 12;pcre: "/(masplacer|cntajomar)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665525; rev:9;)
# sid 2665526 includes 4 (0 - 4) 10 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.eu)"; content:"|0a|";content:"|02|eu|00|";nocase;within: 13;pcre: "/(v(ameportfo|e428kerea)|etatrsesj4|coralforce)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665526; rev:9;)
# sid 2665527 includes 5 (0 - 5) 11 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.eu)"; content:"|0b|";content:"|02|eu|00|";nocase;within: 14;pcre: "/(web-sitecat|little-miss|pojupotrade|jecijyjudew|almazzao-co)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665527; rev:9;)
# sid 2665528 includes 7 (0 - 7) 12 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.eu)"; content:"|0c|";content:"|02|eu|00|";nocase;within: 15;pcre: "/(http(lightweb|solution)|mancityloose|qdqmnmwbykid|tonery-tusze|ployteasdwet|recovery-hdd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665528; rev:9;)
# sid 2665529 includes 3 (0 - 3) 13 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.eu)"; content:"|0d|";content:"|02|eu|00|";nocase;within: 16;pcre: "/(kiropraktoren|domuskalabria|boardnewterra)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665529; rev:9;)
# sid 2665530 includes 1 (0 - 1) 14 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.eu)"; content:"|0e|";content:"|02|eu|00|";nocase;within: 17;pcre: "/geilebezahlung/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665530; rev:9;)
# sid 2665531 includes 1 (0 - 1) 15 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.eu)"; content:"|0f|";content:"|02|eu|00|";nocase;within: 18;pcre: "/sportnichwetten/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665531; rev:9;)
# sid 2665532 includes 1 (0 - 1) 21 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.eu)"; content:"|15|";content:"|02|eu|00|";nocase;within: 24;pcre: "/chapterleomemorykombo/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665532; rev:9;)
# sid 2665533 includes 1 (0 - 1) 23 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.eu)"; content:"|17|";content:"|02|eu|00|";nocase;within: 26;pcre: "/inter-bundeskriminalamt/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665533; rev:9;)
# sid 2665534 includes 1 (0 - 1) 29 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 29 chars (.eu)"; content:"|1d|";content:"|02|eu|00|";nocase;within: 32;pcre: "/radio-himmlischerhoellensound/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665534; rev:9;)
# sid 2665535 includes 3 (0 - 3) 5 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.eu)"; content:"|05|";content:"|02|eu|00|";nocase;within: 8;pcre: "/(exero|gyg4u|delar)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665535; rev:9;)
# sid 2665536 includes 2 (0 - 2) 6 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.eu)"; content:"|06|";content:"|02|eu|00|";nocase;within: 9;pcre: "/(ifraud|misija)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665536; rev:9;)
# sid 2665537 includes 6 (0 - 6) 7 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.eu)"; content:"|07|";content:"|02|eu|00|";nocase;within: 10;pcre: "/(papucky|httpweb|dvmsoft|zuzzuna|u(gmenab|mkugin))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665537; rev:9;)
# sid 2665538 includes 3 (0 - 3) 8 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.eu)"; content:"|08|";content:"|02|eu|00|";nocase;within: 11;pcre: "/(httpnets|d(ynolite|entbeen))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665538; rev:9;)
# sid 2665539 includes 4 (0 - 4) 9 character domains in the ".eu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.eu)"; content:"|09|";content:"|02|eu|00|";nocase;within: 12;pcre: "/(europjobs|pornozona|trans(moud|need))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665539; rev:9;)
# sid 2665540 includes 1 (0 - 1) 6 character domains in the ".fm" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.fm)"; content:"|06|";content:"|02|fm|00|";nocase;within: 9;pcre: "/lajefa/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665540; rev:9;)
# sid 2665541 includes 1 (0 - 1) 11 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.fr)"; content:"|0b|";content:"|02|fr|00|";nocase;within: 14;pcre: "/kinyarwanda/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665541; rev:9;)
# sid 2665542 includes 1 (0 - 1) 14 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.fr)"; content:"|0e|";content:"|02|fr|00|";nocase;within: 17;pcre: "/sebastien-mamy/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665542; rev:9;)
# sid 2665543 includes 2 (0 - 2) 16 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.fr)"; content:"|10|";content:"|02|fr|00|";nocase;within: 19;pcre: "/(saintaubinsurmer|gravurediffusion)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665543; rev:9;)
# sid 2665544 includes 1 (0 - 1) 5 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.fr)"; content:"|05|";content:"|02|fr|00|";nocase;within: 8;pcre: "/smklk/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665544; rev:9;)
# sid 2665545 includes 1 (0 - 1) 6 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.fr)"; content:"|06|";content:"|02|fr|00|";nocase;within: 9;pcre: "/aelita/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665545; rev:9;)
# sid 2665546 includes 2 (0 - 2) 9 character domains in the ".fr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.fr)"; content:"|09|";content:"|02|fr|00|";nocase;within: 12;pcre: "/(ledelarge|proxiwash)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665546; rev:9;)
# sid 2665547 includes 1 (0 - 1) 10 character domains in the ".gr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.gr)"; content:"|0a|";content:"|02|gr|00|";nocase;within: 13;pcre: "/4thalasses/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665547; rev:9;)
# sid 2665548 includes 1 (0 - 1) 12 character domains in the ".gr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.gr)"; content:"|0c|";content:"|02|gr|00|";nocase;within: 15;pcre: "/serraikizimi/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665548; rev:9;)
# sid 2665549 includes 1 (0 - 1) 8 character domains in the ".gr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.gr)"; content:"|08|";content:"|02|gr|00|";nocase;within: 11;pcre: "/vegleris/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665549; rev:9;)
# sid 2665550 includes 1 (0 - 1) 9 character domains in the ".gs" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.gs)"; content:"|09|";content:"|02|gs|00|";nocase;within: 12;pcre: "/jlmjalzjk/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665550; rev:9;)
# sid 2665551 includes 1 (0 - 1) 11 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.hu)"; content:"|0b|";content:"|02|hu|00|";nocase;within: 14;pcre: "/monikasmink/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665551; rev:9;)
# sid 2665552 includes 1 (0 - 1) 12 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.hu)"; content:"|0c|";content:"|02|hu|00|";nocase;within: 15;pcre: "/privatepilot/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665552; rev:9;)
# sid 2665553 includes 1 (0 - 1) 13 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.hu)"; content:"|0d|";content:"|02|hu|00|";nocase;within: 16;pcre: "/online-filmek/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665553; rev:9;)
# sid 2665554 includes 1 (0 - 1) 6 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.hu)"; content:"|06|";content:"|02|hu|00|";nocase;within: 9;pcre: "/alhana/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665554; rev:9;)
# sid 2665555 includes 1 (0 - 1) 7 character domains in the ".hu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.hu)"; content:"|07|";content:"|02|hu|00|";nocase;within: 10;pcre: "/datanet/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665555; rev:9;)
# sid 2665556 includes 1 (0 - 1) 10 character domains in the ".ie" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ie)"; content:"|0a|";content:"|02|ie|00|";nocase;within: 13;pcre: "/mediascene/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665556; rev:9;)
# sid 2665557 includes 1 (0 - 1) 12 character domains in the ".ie" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ie)"; content:"|0c|";content:"|02|ie|00|";nocase;within: 15;pcre: "/dealsireland/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665557; rev:9;)
# sid 2665558 includes 1 (0 - 1) 13 character domains in the ".ie" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.ie)"; content:"|0d|";content:"|02|ie|00|";nocase;within: 16;pcre: "/hiddenhearing/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665558; rev:9;)
# sid 2665559 includes 1 (0 - 1) 9 character domains in the ".ie" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ie)"; content:"|09|";content:"|02|ie|00|";nocase;within: 12;pcre: "/lifestyle/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665559; rev:9;)
# sid 2665560 includes 1 (0 - 1) 6 character domains in the ".im" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.im)"; content:"|06|";content:"|02|im|00|";nocase;within: 9;pcre: "/chikka/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665560; rev:9;)
# sid 2665561 includes 49 (0 - 49) 10 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.in)"; content:"|0a|";content:"|02|in|00|";nocase;within: 13;pcre: "/(weightsoft|c(hatsmeebo|rzyluxtds|yberevorm|atalogcft|ocoajuice)|d(isqusware|elaynogi(1|2|3))|e(statefire|ndbajcomp)|freevoodoo|p(icaminute|a(radoxnet|yaccount)|harmatrac|entaxtour)|n(boxonline|eed(aysafe|desafe))|qualattice|t(opguarduo|etraeder2)|usdownload|xmlnetwork|m(ykonfupda|i(c(rolsoft|olosoft)|fkrosoft))|gor(lumclub|niyorel)|bitechnica|search-box|zoryadoors|in(ter-time|draskies)|a(cetrussia|ltersvyaz|m(brosiaaz|ericanaz)|shotakoe(1|2|3|4|5)|nalitics3)|vafernatre|largethumb)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665561; rev:9;)
# sid 2665562 includes 40 (0 - 40) 11 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.in)"; content:"|0b|";content:"|02|in|00|";nocase;within: 14;pcre: "/(edataplanet|d(azzleshare|i(giaugusta|rtydjobbo)|varendator)|burunral233|new(s7online|manlogin)|regarnoodle|g(oldforex17|reentierra)|s(onuniigaam|afebrowser)|a(llcle-safe|poloxtube6)|m(oreaz-fine|asaskisoft)|uni(eve-safe|ind-safe)|l(oginnewman|aperzdofg8)|cyberendbaj|p(o(chemainfo|letaem00(1|2|3|4|5))|ariskfjgg7|rosvertdg4)|f(asternone9|unexchange)|k(urortkuban|robodoping|aramelksd6|elaxserv(12|98))|ichaadesire|workintheus|yafsdfsdfsd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665562; rev:9;)
# sid 2665563 includes 36 (0 - 36) 12 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.in)"; content:"|0c|";content:"|02|in|00|";nocase;within: 15;pcre: "/(p(i(xovuonline|ramidspeed)|yxovirginia)|h(otstaffshop|ugeble-cure)|opendatfiles|m(e(lanomailia|rtsssooopa)|ini-opera-6)|s(ki(ndoonline|yoresorts)|portsviewer|ettingappic)|w(ork-and-sex|ebcam-teens)|f(astresource|jgkjgjfjdj5)|u(ber(ate-safe|ble-safe)|nionaccount)|a(gency(charge|riston)|dscenterltd|mbassadoraz)|c(hargeagency|dqwwkndatvt|asualoutlet)|g(ooglerapida|ertrudaniop)|riston(agency|charge)|zakachayfile|kupilkoprodv|intervalhits|qwerkyhits12|vyqhdtnsfrie)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665563; rev:9;)
# sid 2665564 includes 36 (0 - 36) 13 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.in)"; content:"|0d|";content:"|02|in|00|";nocase;within: 16;pcre: 
"/(s(t(ar(infoworld|mediainfo)|xeapbewbblp)|afepowerforu|etting-appic|cfoijdccqtmj)|flashutilites|g(rindbuzzchat|oo(glecounter|d-clinical))|kayblenewsmax|loadmoviesite|trackerlohaaa|a(c(count-union|ademydviger)|gency-riston|dsyndication)|c(harge-riston|yberfuktthem|atalogclubco|vsqsmuiaaiyh)|r(iston-(agency|charge)|fffnahfiywyd)|union-account|m(istyc-faraon|anuelswedish|obile14promo)|ha(nterfreezer|venicemonth)|bestdomaininf|p(oweryrscaner|rudeinfotech)|nexgeninfosys|i(ndrasenanala|qkydbxjfodro))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665564; rev:9;) # sid 2665565 includes 23 (0 - 23) 14 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.in)"; content:"|0e|";content:"|02|in|00|";nocase;within: 17;pcre: "/(digitalstatues|f(lashchatgroup|irstholdermvq)|i(nd(iatoursback|radattindra)|dhantluminous|jaylordvishnu|kshusugarcane)|s(mart-scanereq|ecurity-tvoya)|b(est-jsentinel|ablogenerator)|enablesecureum|ostestsystemri|p(o(werscanercis|rnhubarchive)|ayment-glonas)|t(hebestkrearmy|opksfsecurity)|metropannolike|hits-tracker33|liksdfigjert10|gamegoldonline)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665565; rev:9;) # sid 2665566 includes 25 (0 - 25) 15 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.in)"; content:"|0f|";content:"|02|in|00|";nocase;within: 18;pcre: "/(digitalpackpack|firstfq-checker|m(ovieboxcentral|ilflesbianfree)|s(trong(defenseiz|-guardbxz)|mart(aasecurity|klhdefense)|peedsearch4you)|p(ower-wfchecker|hotoneducation|rivatevideohub)|best-networkqjo|hard(-antivirbjb|bsy-network|ynauchecker)|t(op(antivir-foru|securitykauu)|emplate-images)|ilovemymum-lite|goldfishkabonus|varlareorynydir|aliksdfigjert10|cancer-clinical|universal-hurch)/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2665566; rev:9;)
#
# --- Reviewer notes for the rules that follow (sid 2665567 onward) ---
# Scope: every rule is `alert udp ... -> $DNS_SERVERS 53`, so only UDP queries
# addressed to the resolvers in $DNS_SERVERS are inspected. DNS over TCP and
# lookups sent to any other resolver are outside these signatures.
# The pcre in each rule has no R flag and no anchors, so it is tested against
# the payload on its own, not at the label the two content matches located.
# Treat an alert as a candidate and confirm the full query name before acting.
# Several names imitate well-known services (googleadservices61,
# google-syndication60, google-syndication135): triage on the exact label and
# TLD, not on the brand substring.
# These names are a dated snapshot of the upstream block list (see the
# timestamp in the file header); re-check an entry's current status before
# treating a hit as proof of infection.
#
# sid 2665567 includes 10 (0 - 10) 16 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.in)"; content:"|10|";content:"|02|in|00|";nocase;within: 19;pcre: "/(fr(eefilesarchive|ankbookreviews)|s(mart-(guardianro|suiteguard)|oftware-mahalai)|assistantbilling|geografycsturtup|qegfyxlmwbtcemcc|clinical-massage|heartbookreviews)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665567; rev:9;)
# sid 2665568 includes 9 (0 - 9) 17 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.in)"; content:"|11|";content:"|02|in|00|";nocase;within: 20;pcre: "/(free(flashutilites|-book-reviews)|bester-msecuriity|personal(cleansoft|scannerlg)|s(afe-s(ecurityarmy|olutionsoft)|trong-checkerwrt)|office-electronic)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665568; rev:9;)
# sid 2665569 includes 7 (0 - 7) 18 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.in)"; content:"|12|";content:"|02|in|00|";nocase;within: 21;pcre: "/(freelanceagreement|nodiginternational|s(aveinternet-guard|luxxqqgykewolmoli)|mynameisbigsecreet|googleadservices61|video-book-reviews)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665569; rev:9;)
# sid 2665570 includes 1 (0 - 1) 19 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.in)"; content:"|13|";content:"|02|in|00|";nocase;within: 22;pcre: "/personal-bpsentinel/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665570; rev:9;)
# sid 2665571 includes 2 (0 - 2) 20 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.in)"; content:"|14|";content:"|02|in|00|";nocase;within: 23;pcre: "/(smartantivir-scanner|google-syndication60)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665571; rev:9;)
# sid 2665572 includes 6 (0 - 6) 21 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.in)"; content:"|15|";content:"|02|in|00|";nocase;within: 24;pcre: "/(postestatistic-online|d(omainsecurityvultest|irectmarketing(25firm|online))|google-syndication135|javascript-collection)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665572; rev:9;)
# sid 2665573 includes 6 (0 - 6) 22 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.in)"; content:"|16|";content:"|02|in|00|";nocase;within: 25;pcre: "/(fd(865r7q6werf5b76dfsd7|s7896fbe8sdtf86dstf6|g8976fdg8nfd8sfz8fdg)|lfd78fz6d8n7fe8wfewft6|clinical-documentation|directmarketing32trade)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665573; rev:9;)
# sid 2665574 includes 2 (0 - 2) 23 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.in)"; content:"|17|";content:"|02|in|00|";nocase;within: 26;pcre: "/(most-popularsoftcontent|cevlarfinal-destination)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665574; rev:9;)
# sid 2665575 includes 1 (0 - 1) 24 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.in)"; content:"|18|";content:"|02|in|00|";nocase;within: 27;pcre: "/personal-internet-foryou/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665575; rev:9;)
# sid 2665576 includes 1 (0 - 1) 26 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 26 chars (.in)"; content:"|1a|";content:"|02|in|00|";nocase;within: 29;pcre: "/jbtryrtyfghfgffhfghfyrte65/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665576; rev:9;)
# sid 2665577 includes 1 (0 - 1) 28 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 28 chars (.in)"; content:"|1c|";content:"|02|in|00|";nocase;within: 31;pcre: "/supportline911-911postonline/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665577; rev:9;)
# sid 2665578 includes 2 (0 - 2) 3 character domains in the ".in" top level domain
# NOTE(review): three-character names give the unanchored pcre very little to
# work with; "tt7" or "x9m" anywhere in the payload satisfies it. Expect hits
# on this sid to need the query name checked by hand.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.in)"; content:"|03|";content:"|02|in|00|";nocase;within: 6;pcre: "/(tt7|x9m)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665578; rev:9;)
# sid 2665579 includes 1 (0 - 1) 32 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 32 chars (.in)"; content:"|20|";content:"|02|in|00|";nocase;within: 35;pcre: "/fdgsafkgdsfaskfshfgjahsgdf634570/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665579; rev:9;)
# sid 2665580 includes 1 (0 - 1) 33 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 33 chars (.in)"; content:"|21|";content:"|02|in|00|";nocase;within: 36;pcre: "/directmarketing32businessexchange/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665580; rev:9;)
# sid 2665581 includes 10 (0 - 10) 4 character domains in the ".in" top level domain
# NOTE(review): same caveat as any short-name rule: four-character strings
# such as "3534" or "zvon" match the pcre wherever they occur in the payload.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.in)"; content:"|04|";content:"|02|in|00|";nocase;within: 7;pcre: "/(m(anx|29m|c-3)|3534|1god|x(1x2|xxz)|zvon|oeit|s00n)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665581; rev:9;)
# sid 2665582 includes 29 (0 - 29) 5 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.in)"; content:"|05|";content:"|02|in|00|";nocase;within: 8;pcre: "/(k(inix|udin)|taxhe|h(epto|obiz)|main(1|3|4|6|7|9)|rtyuj|aria3|evorm|27flu|b(posd|a(t(ed|tu)|uds|w(ds|ty))|e(a(ks|my|ux)|lon))|fett9|gesan|shrbl|workm)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665582; rev:9;)
# sid 2665583 includes 52 (0 - 52) 6 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.in)"; content:"|06|";content:"|02|in|00|";nocase;within: 9;pcre: "/(a(nneou|ssink|ccwiz)|unders|g(abtag|erved|lease|redsa)|x(-scan|b4you)|kwinte|c(he(tin|fir)|leare|nvjsv)|d(oroty|rinki)|r(edwih|lisda|imckq|azdva)|b(u(stdy|cks5)|aner3|e(atok|rega|behi)|badkf)|f(r7kk8|ilkso|enist)|s(tats1|ecway|panky)|inware|m(utras|avmor)|endbaj|v(tempe|elery|i(xpos|zlos))|tsibar|o(pgdns|lepos)|h(dljca|ashiv)|zdcwzn|leojan|n(atanz|dcmnc|nsslt))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665583; rev:9;)
# sid 2665584 includes 113 (0 - 113) 7 character domains in the ".in" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.in)"; content:"|07|";content:"|02|in|00|";nocase;within: 10;pcre: 
"/(d(e(vtube|petoa|ri(aop|ola))|oskaks|yemheb)|e(dgeaim|gziwof|ptulyk)|f(i(rthwo|ssher|aiask)|l(ipdog|yakke)|e(r(desa|omon)|corom))|m(a(kepan|riko7)|oomles|en(daly|stro)|umvron)|o(dourie|lololo|rt-dns)|j(etblab|i(njazz|l(ipon|oaer))|uzuxcy)|s(e(nhyva|xyjob|alove|riola)|v(itart|yazty)|kyinfo|oldety)|p(iclick|e(antos|losko|petoa)|rodano|otylit)|r(uivrkq|e(s(teda|hipa)|toloa)|ainbol|ostets|ilosae)|w(inner4|siteed|owmono)|a(bedaso|liento|c(et-sk|feabr)|pzukem)|i(ntodub|rvengo|lbyxxe)|krundse|n(e(utone|rolit)|olerit|scnvcb)|b(master|i(t(c(ast|ube)|fire|w(are|ire))|oalds)|e(rege8|mdymu)|portal|aerika|urness)|g(anuba1|hiamld|e(omdpu|rmiss)|loogle|dasasa|ilagis)|t(o(lula1|pstep)|e(zanov|rioal)|ylcaqo)|z(u(wejuk|ziken)|-style|latwer|aerbis)|v(mdaily|edeved|i(tgasa|loero))|h(o(gasoq|telit)|fsless)|l(inewwa|eonido|oposik)|x(ategon|eriola)|ypfuvob|c(e(ntios|tiloa)|viotal))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665584; rev:9;) # sid 2665585 includes 121 (0 - 121) 8 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.in)"; content:"|08|";content:"|02|in|00|";nocase;within: 11;pcre: 
"/(404error|a(rcalebe|s(smette|tinkol)|larttiu|dengate|ppleres)|b(lermili|e(lygaur|stdoor|ecitys|ilaoso|rnitto)|i(ggavno|shouse|tology|olokik)|oragore)|c(o(cineon|gi(mbee|stug)|yieldo)|heck001|ccstyle|attrade|ertilos)|d(iathbsp|ynander|treklam|o(neahme|gerlos)|e(ddyopa|rioloa))|e(pibbler|sheone3|riolosa)|f(o(urware|reston|lopoen)|alosfax|reshtds|edorita|ilagito)|k(ytoside|l(opster|aminas)|okosina|urort-m|exayayu)|g(i(gaster|llerop)|o(ldmail|odofic)|hgttte5|etadv16|rinoder)|s(e(nerino|bestia|r(awebb|iolas|ofias))|p(elleit|as2012)|vernick|ahoreen|o(ul-you|melove)|hoeshe(1|2|3|4|5))|w(a(speeds|yr4way)|hoamfor)|y(ourscan|erevano)|j(umpcast|im(gagae|m-pda)|obworke)|m(yskymba|ik(eller|osoft)|bientaz)|r(ydergen|chilene|uivrkqr|ikitiki)|t(r(quebec|ousers)|i(kitavi|meserv|oposia)|atashka|erioals|vsubcal)|i(fsearch|tuttoge)|p(ayunion|iesdool|sesinda|oorpore|epetoas)|nuowello|urdolast|z(orstatr|verovod|lat-net|izigoba)|v(t-egypt|alerito|irosafe|okomase|r(a(doras|tobes)|italel))|xmlalien|ledcas87|h(ilopoty|urindos))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665585; rev:9;) # sid 2665586 includes 52 (0 - 52) 9 character domains in the ".in" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.in)"; content:"|09|";content:"|02|in|00|";nocase;within: 12;pcre: "/(f(lashspot|esshiona)|b(astandro|r(awaidme|ightend)|est(domik|so(ft2|san))|lognotes)|newtopbug|queyocero|s(oundchat|afexanet|ecretads|top-spam)|t(houghtxs|opasarmy|erminal(2|4))|5(4608baba|23fsdfds)|r(ideusfor|etseptik)|livestats|g(oodyear1|igaverse)|a(eroclub9|c-future|ltersoft)|yahooads1|v(vvsk-mir|alenssis)|evorm(corp|host)|m(ekrosoft|yskyinfo|inkosoft)|d(nepr-web|vdserver)|h(eylondon|kjhjkhkj)|c(osnoproc|yberopea)|z(ur-matur|orro-114)|w(inxworld|ckjwzchk)|pornvers2|x(livetube|kzwerclc)|j(cjcwjcww|iloagiss))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665586; rev:9;) # sid 2665587 includes 102 
(0 - 102) 10 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.info)"; content:"|0a|";content:"|04|info|00|";nocase;within: 13;pcre: "/(i(nvestplan|dahophoby)|t(hemyproxy|vzngourvp|fktizqjnf|sznzurgdr|wo-market|inkel-bel|qnndkrvov|ar(acement|seavern)|bxjhlmglw)|e(asymetin2|sdashqpxd|yvjltdzoa|nornbakal)|m(urzhirata|arvin9786|vanderwal|gzvvolzkr|tenumvyhr|lqcggfovi)|n(e(t-serasa|wfreeeye)|a(medideaz|iasferth)|ovel(efazg|rcjwp)|gxsystems|duzlksbkq|i(aisdrinn|gevporta))|h(o(norsamed|ordtrady)|hvhskbyhb)|r(iniririni|eclaimwez|zavsxatgx|mensgiksh|ajofkgauo)|c(zarsgrimi|hoirshpcd|o(fpnkijuv|astedgea)|ydogiokid|dphrcfsex)|d(antzicitd|warfjusts|ppxgwiljv|oritneaql)|b(ackknifez|usinessgo|xvufqnjpv|oss-craft)|s(heetthiso|extoys888|tepkyrort|vlmxjzsaq|watbooter|iilqzhqgt|p(bslsjumc|iesgroup))|p(aintrusti|o(rshe911z|l(iticcea|and-tea))|vdmhkdfli|hhgatgjbt)|w(ildforthy|ebwizzard)|g(oodeating|uksicodts|rascowall)|l(d(hhzkxkep|qcwsuznh)|kpdusxwtc|asocedios|tjsungabu)|f(umumujnlz|zhmaznjab|rrzrufpzn)|u(ltra-boot|hpsgwquca|bixauyhwq)|xhmrsdsqvv|a(nkeerifte|utoassets|aftlojnxa)|o(cvbynarzr|adallerps|xfkwucinp)|znshtmdjqw|5(vialoersa|poertyane)|y(wnuzkzdcp|nbrtzdabx)|k(gcktvcgfq|ingcasino|kpperwuvh|zoxkenxmt)|02begorlae|vobixvlykb)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665587; rev:9;) # sid 2665588 includes 108 (0 - 108) 11 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.info)"; content:"|0b|";content:"|04|info|00|";nocase;within: 14;pcre: 
"/(b(u(lwarktowl|sinesscon)|a(dpretexto|llsjointo)|e(ganquotad|ststats4u)|ogyfvorbqc|tywkwurnnr)|h(umanmakesy|ackcentral)|a(bandonwaxt|zofsaintsu|dultchatro|tothendrew)|d(oorspadesd|a(mesfutsal|tadigital)|wunfuckkye|deafunolcf|efwhitebow|houghpwhlj)|e(as(tforgeti|y-tricks)|lmofathera|ntrpemtqbb|onmicrofit)|f(a(dedalongo|cebookcam)|lowstriald|o(otmarkedl|restsbadi)|54eotoedko|reeautomag|gcqendtfnk|irstjonika|pesfxjfocw)|o(r(altablets|mfzxsiavd)|ughtlowery)|g(etstudieds|kzjaanzeho)|sha(llowsowz|retearsy)|p(r(oposedbei|uthprimed|emiumsafe)|a(ckedwindt|irexcited)|nncrrusted|hgdnagzfdr|fsiarbgwec|kmckpdwrvk|oouunqhjuu)|k(illingsbaq|fatavistic)|i(rewatchedl|miwpgaevmj)|w(i(llspreadd|ne(rewardd|dvfallw))|muoypuapvz|or(k(days004|f(are004|low004|olk004)|hour004|l(ess004|oad004)|mate004|outs004|room004|shop004|week004)|m(gear004|hole004|iest004|like004|root004|seed004))|bnhrvhumhx)|v(elvetmedia|qvatzdlrya|itblfnruce)|celebscreen|luyhbvnovel|j(e(ljxhsikpl|kfhezdbra)|ozpgvnfihu|iirdopwbqu|adesrashjr|sdeqvkallh)|z(hpsrdomanq|eqzlpxdeuc|dagzmxtvbo)|n(xqikoeugkn|iwoderaska|ahxyryptai|uwascjrccy|opwhitebow)|u(zrcukgpbpn|op(qqlbdcza|tmmtpnzm))|rxamensuser|mir-tehniki|q(ewaqrwfqdt|nawzcfhjgp)|xnpyziljffc|yqgrplkxlfi)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665588; rev:9;) # sid 2665589 includes 56 (0 - 56) 12 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.info)"; content:"|0c|";content:"|04|info|00|";nocase;within: 15;pcre: 
"/(u(checkconfig|semovementt)|b(ridaltotalt|a(behighesty|dconcludey)|edspeakersd|i(tstrictlyl|ll(fighters|matadors))|ooksfirmlys)|ho(meputtingi|usecrimeaz)|v(alorsociale|olhoparatel|yqhdtnsfrie)|w(aylaidquitl|eeksjewishy|orldfuneral)|c(aptiveheels|hurchcakeso|oa(rsestyled|sterminet)|ursecrimeat|dqwwkndatvt)|a(tt(itudedida|achednorl)|venuesmilez)|dr(essedtimei|ummerjulyl)|e(achnorthern|lapsewheree)|m(yrestricted|ayhembooter)|s(wedestriedl|afeinstalls|hortcutsapp)|f(urnishtourt|orestsnexty)|jealousslows|n(ataliafoese|ocompaniess)|o(rd(erssteerd|inarytooz)|ordfestival)|r(ylattention|ankatthetop)|p(athbanqueti|iersi-nijak)|k(ineticgames|a(defestival|oticbooter))|geoffresmith|l(i(abilitysud|ga4giurgiu|viu-andrei)|owhighworry))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665589; rev:9;) # sid 2665590 includes 95 (0 - 95) 13 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.info)"; content:"|0d|";content:"|04|info|00|";nocase;within: 16;pcre: 
"/(m(zwxnhkwrofuk|oveddescenda)|s(lljiwoncqesh|uiteprevaile|hovelsouters|avingsguides|cfoijdccqtmj|txeapbewbblp)|j(vhmhmjronmjd|ds923fdsfjsd|udshlfreight)|c(o(n(fusedrealy|stanttooky)|ssacksdeald|ttageamongd|mputedetect)|argorepliedy|h(angecitiesy|i(efremainso|ldsurvival))|r(editeuropel|oixclaimeda)|leanavcenter|vsqsmuiaaiyh)|h(otlytolledyz|fmarketplace)|i(mitationnonl|n(stancesrowd|vestorfraud)|yekokillings|slandsufferi|qkydbxjfodro)|p(nmtwnhxkgypk|gvvihoeerpnc|rovincebando|a(rksdiffersy|ulvosdewael)|honicshotgun)|v(eniceadvisez|julnlgoqlzpt)|znyrxxwropovt|a(cceptjewishy|waitedfailsl|zoffrequents|dv(ocacygroup|ertforgood))|r(apeisntfunny|eadinesscapo|fffnahfiywyd)|b(ade(complaina|renewingy)|e(comerublesd|nch(equerryy|plannedy))|idprosperedi|lowsfrightso|o(wpresentedy|skoop2nepal)|rand-central)|d(r(inkingtaskl|opunworthyl)|u(catswarmlyd|eresidences|tysuddenlyi)|i(vulgekneesi|sposedoingi))|e(as(ereliances|yinstallit)|ffectualendl|ithergibbety|m(barkedlenti|ulationpiez)|hwjgfnbjqnsa)|f(railenforcee|ullfreepoker|o(ndinformals|otingvicesd)|zabalkanized)|g(entlemanxiva|luttedgirlsy|raphicallyja)|n(ationsweetso|in(einclosedd|jastresser)|eitherrivers|ovelcsuvnvwo|beegclassics)|o(wedhelplessd|ovoodownload)|w(eightexcusez|orkings00004)|xpiwsrpdnovel|tveohibergman|uhnejogoltkgt|khyiftcrusher)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665590; rev:9;) # sid 2665591 includes 89 (0 - 89) 14 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.info)"; content:"|0e|";content:"|04|info|00|";nocase;within: 17;pcre: 
"/(e(uolrvmtnliwlp|atingpretendl|xpulsionshipl|mpiksmwmqfooa|sldmozsythhti|njoygloriousi)|g(znwluzrbprapn|ene(rousboxesd|vaillnessi)|raphically(aoe|huo))|n(utcrlrhisrqvi|wemivnuswirnw|a(melydurabled|njsnvvyrjkzk)|onundertakeno|zqdnnkntsrjcn)|s(u(hthtmrrsqmve|rplusrefusey)|hutassociated|tiltefestival|earchmagician|carynshocking|ystempckeeper)|h(o(rsetreatiess|me-and-decor)|evnlfxvqfrykk|ighcleantasks)|i(deaobstinacys|n(firmgenerala|sensiblyflyi))|w(antadvertisey|i(fepaintingsl|nrardownload)|hatsyourpoint|onder-bra2011)|zsoqjlsznnussh|a(bleunceasingl|miadrugaddict|n(droidpanties|aliticsmedia)|gentkeeprisks|reon-linescan)|c(a(pitalbribedl|usingarguedo)|e(lebratedmano|ntresstoresa)|haptersilvera|l(earlypleasel|osetsfightsl)|reatedsupplyo|o(ntainedkeept|llagecreator))|d(ark(nesslacedy|ice-gaming)|ownfallrobeza|rearyhostiled|ynasties(looky|spott)|udeitstacticz|elivererworms)|b(eaut(ifulnoned|yviolates)|lowgranariesl)|f(u(rniturebaded|lfillplumesl)|or(estprocurez|gottengoldy))|o(pposingwheele|ttokesastraws|wesofficialsi|nlinesecstats)|q(qxoequwsvqjsp|ktbqqvepklmrt)|r(e(adinessagesl|collectkeepy|posesightedd|bootfestival)|iosfuh47heiey|jwhrdliypkntk)|p(ar(entsmakinga|oleshefnwmb)|remiumstorage)|uninjuredrooty|k(cayqtheorizer|indlyyoutyu67)|theactorsgroup|lekspkrgdpoiqu|xomeqsucjxiuvm)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665591; rev:9;) # sid 2665592 includes 123 (0 - 123) 15 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.info)"; content:"|0f|";content:"|04|info|00|";nocase;within: 18;pcre: 
"/(n(plqsufspnwmetm|a(rrowlymeltedy|tional(defeaty|outlety))|e(arlyemployedi|glectstoringi)|tpkysoqfpxnszn|ltxyiqozssnjsy|rocessesremedy)|p(jupkjmzznnykmg|ro(poseofficery|te(stantirons|ctwarderav)|fitscoaching)|ullinginquiryl|a(radedungeonsy|shacomplainty)|ekigocaxebokok)|s(u(vsvhkfoutxuyu|mqrvgmvmbspic)|sjgkktjugwgepz|hirlgkmlodwmxt|e(verallystockd|cured-profile)|olverremedylow)|t(qq(nvifkgplzdjw|hzkpureytrfa)|kovvmxnglteuts|sksruhpkqrwvsv|heorizervnrrzw|ezeqavyfaruwer)|j(lmvsurpnknvdhm|skodjupryknitj|pzpuvkpwjmytgz|esteropinionse|yojizrjuhikxyt)|l(hfknpvnhqvhnio|owwormstesting)|o(lojkpcltulirqr|pposedpullingi|riginatorsignl|wesdeterminedi)|b(randyexcludedy|u(rnedidolatryo|siness-market)|e(ardsdarkeneda|llexplaininga|tweendescendl)|lessingparleyo|oardbelonginga)|c(a(mp(aignreasoni|understoods)|ptiveawaitedy)|o(n(ceives(knownd|pridei)|querequallyl|sciencewents)|llectbishopss|m(ecorruptingo|mandedangryi))|hambercommandi|ustomrequiemsd|enygizelomexyr|ykugatozazevap)|h(op(etransactedi|ingtribunals)|utsportsmouthl)|i(dolatrydwarfst|tkwvfquvznhtpi|n(firmkingdomsa|t(erpretermete|riguefeastsa)|violableknewy|jlptshdnhqffs)|fioixpisgqmdfo)|r(wvnmgmsrzgrvoh|okqsjhzyiusvrj|e(adinessmovedy|nderassembles)|quwopkohukniuj|ivypesotowigen)|u(znloepzpertqrs|mpitxbuvrupmpt|ngratefuloxeny)|v(assalssleighsl|quolvppssixwgy)|w(rssrjqpiyfsmwp|indowsraisingl)|a(bodevaluableso|cc(identsources|ustomedactsl)|ttractserrandl|urdrpvbrkvmmnk|lawardownloads)|e(uzzpjntlskotws|a(gersuspectedl|rlyreluctanti|silyrumanrowi)|ncounterednoni)|g(a(inedstrugglel|litzinreasons)|obonypinosexuk)|m(wqmyghkstuvksu|o(stlyprogressl|u(ldadmirablye|ntingheightt))|tufnrjuplvgxmz|u(wrqmnnixtsfko|xyrygitobuhik)|hjhtgfigtpmdoo)|ygnlgxyzamfxvlt|dociletreatingi|f(riendlyvisitso|o(llowedventedi|odinstitutedl|r(emostthirtyl|giveuniformi))|epykudj840kh6j)|q(nhljvfxpyopzqu|qrwkbalkanized|foccfsiciliana|jkopeodlxkjdpt|snjrhnrenphstx))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665592; rev:9;) # 
sid 2665593 includes 111 (0 - 111) 16 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.info)"; content:"|10|";content:"|04|info|00|";nocase;within: 19;pcre: "/(m(ediamoreplugins|mnwokpspwpkpnkd|o(ralentreatiesi|tivesignatured)|ysterydebarreds|usqouqqmnuhuuyx)|l(npzygtmdjttskyy|v(lvfpqvvqpcvuys|vokqmjrkxpqvln)|psnbzozyhvpepyp|wkqptqvmltifdxb)|o(xkfpxjubvsfhrkx|fgnrsiwpsuupstq|rtsgoonlwusotya|ut(qrpskulndkxne|setcomfortede)|nudtnxuxjthhlwo)|p(slzsgfuenglvust|vxjykswenfowdqh|qcpmlxrusrwsipv|nnpgggfpstlmhlt|a(tentabolishedd|lacsintarecept)|gxgimwigvnaikmp|bpeivriyninuphs)|q(plyooztllryohhb|jzmiwsxdbwsqrqz|mrpvkzoljxlontr)|f(koqrhrwwrlyummr|rirmfqtmsdpkkwr|lowinghighnesse|or(mingdisabledy|eclosuresinpa))|j(pkpbxkoxwijzijr|jdlhnnvotjswcue)|u(okpfvmnxfrqsqmp|n(togovernmentsd|worthyavailedy|friendlyalivee|suitableladenl)|rgingintimatedi|itppyflfsnkpxid)|v(mnszmothuovvoll|iewinstructingd|ufrdmytqprvisum)|w(lnzkqmohuhzqyra|hereverreturnse|utinuwruzohhnup|arderrescuescan)|b(urnedmaterialsl|argepertainingi|eardsprevaileds|irthdayinjuredy|o(iarsrejoindert|nfiresmountedt|xctroleclusjer)|ramrozafestival)|c(o(n(ductedparolez|trolpcon-line)|llectingquiety|uvanskymoscowt)|ar(petedmournedd|riagehearinga)|hoosepenaltiesa|itizendeliverso|loselypassionsi|urtailgovernedy)|hopelessgettingl|i(mbecilesustainy|n(sinuatinguponi|ter(cessorlaidi|nalrealityy)|voluntaryships)|slandafternoont|jpphmtcnhwrrcqv)|s(uierovkqoxrzmmb|canactivitytest|vluxfsfespytomf)|y(nn(ssrpdcuqmlrer|youuemrnsqhrf)|xnmnowlnwippxdq)|a(cquaintancesixo|ssembliessteert)|e(astwardevasivel|cclesiasticsusl|ffectedroutinel|lmoexaminationi|m(bassagejewelsd|ulationjoineds)|n(deavorloadingl|ergyconceivedo)|oppmomuklsrxqor|igytgid786jkfkf)|g(ardensmistressl|enerationsruind|luckexcitementi|qpllzmsllnpmnrp|ossiptradetalks|ifqhgqosfvgesoi)|d(i(visionempirest|ssolutecastlee)|tpaoqoyopgxnrun|atasaverprotect)|kwhmqszpvttoiglm|r(geixhnqp
rprqqhu|e(dressreporteda|lianceheroismt))|z(y(nlmvlugosyiwvx|galpreboast021)|ephyrarchway840)|tpwmjtpqrwwxmpts)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665593; rev:9;) # sid 2665594 includes 71 (0 - 71) 17 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.info)"; content:"|11|";content:"|04|info|00|";nocase;within: 20;pcre: "/(c(a(ndlesprecinctsl|rousingdesiresy)|o(mmunityrendingt|llectabolishedy|untenancegrowsd|nsiderablelawsi)|elebratedsequeld|hargingtiresomeo|lergyundertakeny|ustodianmaturedt|zarewitzjealousi|mapireron-linepc)|h(o(rridsplendidlys|wtoburncalories)|p-fax-service290|aaglandia-futsal)|i(mmediateutterlyt|nst(igatorthenced|rumentsamplel)|rregularmethodsy)|w(arlikeoccupyingo|heelbarrowsgemsi|olfenbuttelhelmi)|a(bodeimpregnables|u(gust(deliberatei|implacabley)|steritiesbloody)|ssociateregulars|llfinancial-news)|b(estowingbanquetd|itproportionatel)|e(x(posuresalariedo|tensiverenderso)|ffectingrequestl|l(atedinactivityi|egantdesign-dfw)|n(duredsentencedl|grossedboilingd)|hotifr895kfdjt7f)|g(ainingsubjectedi|e(rmanyappointedt|tscircumstancez)|odfathersobtains)|d(istastedeliversy|e(fendcenterrisks|bugonlineremedy))|f(r(iendshipsilvers|ontispiecebells|eetracking02234)|lowingforeignera|or(emostcaptivess|wardrecallingz))|n(inenegotiationsd|zkfvilisiciliana)|s(h(aredpenetrateds|eepacknowledgei)|icilianaxulnhuhm|qpgksbweathering)|p(rotestantchancel|aragraphdroppeds|jkshryyliability|erilsthreatworry)|re(formingpassingi|joindergarmenti)|o(ttokessareachedy|nlinetelephonika)|yachtconsideringy|quantum-processes|t(imetracking02234|askssafetyremedy)|keepcenteron-line)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665594; rev:9;) # sid 2665595 includes 61 (0 - 61) 18 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 
18 chars (.info)"; content:"|12|";content:"|04|info|00|";nocase;within: 21;pcre: "/(b(o(yarssubjugationy|undrenunciations)|lowsinstructionsa|elievertrafficads)|c(o(n(finedstupidityz|quernavigatingd)|m(binedfavorablei|missionfrightsy))|atharineinvolvedo|entralretreatingl|hieftainadmiralss|ircuitousdurableo|laimeddeliberateo)|i(mpairedrepresentd|nterpreterthrones|rritatedelementss)|w(eaponsfriendshipy|ritersreasonabley|ormsdefenderagent)|a(ccededconquerorsy|ttract(edgrandeurd|ingalarmedo)|udacityconfusionz|gentcleanerrescue)|d(arknesspaintingsi|is(tressamusementy|poserespectfuli|countfordomains)|mjxluffloundering|e(bugscannerhazard|fendtasksspyware))|e(arnconstitutionsy|xtensivehappenedy|ighteenproceedede|lapsedvictoriousy|m(bodiedseeminglyz|ployedgenerallys)|ng(ageterritoriesd|ravingsstreetsy))|f(acilitieseasterny|riendlesssteamery|uriouslywhenevero|o(llowsdifficultyd|rmalitiesauthora))|s(ummonedilluminede|wedendiscomfortse|pidernet-software|tatisticontheline|ecurityavdebugger)|glutteds(killfullyz|overeignsi)|mo(nasticpromisingi|ralsperformancey)|nordisappointments|p(ronouncingoffendl|uskyaemancipation)|unimpededresultede|ybjpurwunjustified|literatuurfestival|zenithwardlayia694|testingwormskeeper)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665595; rev:9;) # sid 2665596 includes 45 (0 - 45) 19 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.info)"; content:"|13|";content:"|04|info|00|";nocase;within: 22;pcre: 
"/(http-networkrouteit|c(o(m(posedfriendshipl|missionerpoetryz)|lumninterruptiond|uncilorsstupidlyl)|handelierschoosesi|leanusahousestoday)|voluntaryappointeda|a(c(complishmentpusho|quaintancecanopyo)|ttentivelysinginga)|b(e(ginningscomportsi|holderspartisanso|longsdignitariesd)|itternessplottersi)|f(acilitiescarriaged|ortitudeintentionu)|d(omainsdisciplinedy|e(livererdangerkeep|tectionprotection))|e(ffectivedestitutei|m(bankmentsboilingo|ploymentswhereasl))|northwardfalsehoods|o(r(ganizingplottinga|umearchsdelaltruk)|verbearingentreaty|ptimizerscanningpc)|p(rote(stappointmenti|ctorsolutionav)|aintingsconcertedl)|re(ignscivilizations|ligioncompletingd)|interr(ednavigations|uptconceiveds)|unsatisfactorywarml|g(lobaltracking02234|uarantorwarderdata)|m(obiletracking02234|icrosoftdatacenter)|secur(edprofile-page|itysystemwreck)|threatcenterwindows|yorkerunamusably120|wormssaveroptimizer)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665596; rev:9;) # sid 2665597 includes 40 (0 - 40) 20 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.info)"; content:"|14|";content:"|04|info|00|";nocase;within: 23;pcre: 
"/(b(rotherdisobediencet|lackfridayshoessale)|c(o(m(passionsuspendedt|fortablefatiguesa)|loniesconstitutedd|urageentertainingi|ntainintercessiono)|a(nnonadingcharginga|rpentry(patriarchsl|understoodl)|tharineremittancel)|haracteristicjudged|ircumventsufferersy|lemencyefficientlyl)|w(alkedproportionated|indowsservantdefend|or(msminimizerdanger|ldsnowboardleague))|a(cknowledgebelievedd|ttentionsdevelopedo|gentonlineinspector|vdefendqueerprocess)|e(arningsfoundationsa|ndurecommendationsd)|f(abricatedindolencez|o(llowinggrievancesd|rgottenconstrainty))|generousuniversallyl|disquietuderequiress|o(n(lineonline-streams|-linetestertesting)|riginallyvoluntaryy)|p(ronounceimportancet|assionateenjoymenti)|inundationsstronglyz|testersolutionperils|zachauthorization150|s(ecure-storage-86k5u|canneragentactivity)|keeppreventionperils)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665597; rev:9;) # sid 2665598 includes 31 (0 - 31) 21 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.info)"; content:"|15|";content:"|04|info|00|";nocase;within: 24;pcre: "/(c(o(n(junctiontrumpeterl|queringexcitementa)|mmissionersopiniono|llagecreatorskachat)|elebratedisentanglel|ha(mberlainperishings|ndeliersexcellenti))|i(mpairedtransportingd|n(f(lamedabsolutenessy|ormaldiscontentedl)|tercoursecharacterd))|a(bscondingsettlementd|nalysiswindowsverify)|batteryintelligentlyt|s(urmountedimplicatede|ave-fuel-using-water|cann(erfirewallrescue|ingon-linethreat)|pywareantivirusworry|ervantsolversolution)|frontispiecereposingi|endeavoredmuscovitesa|regularauthenticateda|w(estwardungovernabled|arderdetectionkeeper)|toolbarqueries-google|paydayloansonlinesite|debuggerrisksfirewall|guarantorthreatcenter|helpmegetoutofdebtnow|keeperdetectormonitor)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665598; rev:9;) # sid 2665599 includes 21 (0 - 21) 22 character 
domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.info)"; content:"|16|";content:"|04|info|00|";nocase;within: 25;pcre: "/(c(o(n(nectionreluctantlys|s(iderableexecutiond|picuousprecessions)|trolsafetystability)|m-watch-id2181222ooo|guar-systems-support)|lean(erspywaresecurity|protectionspyware))|e(ffectuallystratagemsl|ngineersdiscouraginga)|i(njusticecontinuationy|rregularapprehensived)|pros(perouslydeclinings|tratecontemplateda)|noordelijkkoorfestival|detectdeliverertrojans|risksbrittlenesssafety|s(tabilitydatadetection|averfail-safetyrescue)|windowssolutionprotect|minimizeravsupervision)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665599; rev:9;) # sid 2665600 includes 8 (0 - 8) 23 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.info)"; content:"|17|";content:"|04|info|00|";nocase;within: 26;pcre: "/(garrisonedcelebrationsy|oppositiontraitorouslyy|protect(custodianmonitor|securityanalysis)|remedys(cannerprevention|upervisionshield)|systemminimizeranalysis|zorgiteamidocaffeine864)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665600; rev:9;) # sid 2665601 includes 14 (0 - 14) 24 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.info)"; content:"|18|";content:"|04|info|00|";nocase;within: 27;pcre: "/(ecclesiasticsappliancesd|constitutionsrepudiateda|monasteriesunofficiallys|p(r(osperedpresumptuouslys|eventiondebuggercenter)|erfomancemicrosoftwreck)|reconciliationinterruptt|d(ownloadrandomslovostore|efenderoptimizermonitor)|newdownload-randomsslovo|s(aveatlasshruggedomslovo|ecur(e-software-gvfgfdgb|ity-scanner-sdfr3sz))|wreckminimizerprotection)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; 
sid:2665601; rev:9;) # sid 2665602 includes 14 (0 - 14) 25 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.info)"; content:"|19|";content:"|04|info|00|";nocase;within: 28;pcre: "/(belonginginstantaneouslyi|ecclesiasticsintoxicatedd|instructingdistinguishedi|w(wwqwertyuiopasdfghjklcom|arderinspectionantivirus)|p(rocesseskeeperperfomance|erfomanceperilsoptimizer)|s(ecur(ity-scanner-cvgfdcxx|e-storage-2012-67d69)|cansupervisionprotection)|computerinformationthreat|delivererpreventionthreat|queerprocesshazardmonitor|onlinepreventionprotector)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665602; rev:9;) # sid 2665603 includes 6 (0 - 6) 26 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 26 chars (.info)"; content:"|1a|";content:"|04|info|00|";nocase;within: 29;pcre: "/(security-scanner-(dgdx-2012|qesdvgrdf)|debugvulnerabilityfirewall|queerprocesscentersolution|reliabilitydefenderon-line|zoophytalcentrifugalize612)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665603; rev:9;) # sid 2665604 includes 16 (0 - 16) 27 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 27 chars (.info)"; content:"|1b|";content:"|04|info|00|";nocase;within: 30;pcre: "/(e(xpressionsdissatisfactiony|fficiencyprotectordefender)|pro(minentfinancialsolutionz|cessesanalysisperfomance)|creedenceclearwatersurvival|secur(ity-s(canner-(2012-(dvcvv|sfvcx)|xcvrx-2012)|torage-ddgdv-2012)|e-storage-2012-dfcxzsd)|inspect(ionprotectprotection|orguarantorcustodian)|zygozoosporethioarsenite551|detectorpreventionantivirus|analysisvulnerabilityshield|fail-safetyperfomancecenter)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665604; rev:9;) # sid 
2665605 includes 4 (0 - 4) 28 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 28 chars (.info)"; content:"|1c|";content:"|04|info|00|";nocase;within: 31;pcre: "/(considerationuncontrollables|security-scanner-dgfddx-2012|queerprocessdetectionon-line|best-super-shop-bargain-club)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665605; rev:9;) # sid 2665606 includes 4 (0 - 4) 29 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 29 chars (.info)"; content:"|1d|";content:"|04|info|00|";nocase;within: 32;pcre: "/(womenclothingblackfridaysales|s(ecurity-s(canner-2012-dcdzase|torage-gbhgfgc-2012)|olverqueerprocessinformation))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665606; rev:9;) # sid 2665607 includes 3 (0 - 3) 3 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.info)"; content:"|03|";content:"|04|info|00|";nocase;within: 6;pcre: "/(gll|y(5z|9a))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665607; rev:9;) # sid 2665608 includes 2 (0 - 2) 30 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 30 chars (.info)"; content:"|1e|";content:"|04|info|00|";nocase;within: 33;pcre: "/(scanningbrittlenessreliability|microsoftqueerprocesscustodian)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665608; rev:9;) # sid 2665609 includes 1 (0 - 1) 31 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 31 chars (.info)"; content:"|1f|";content:"|04|info|00|";nocase;within: 34;pcre: 
"/vulnerabilitydelivererantivirus/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665609; rev:9;) # sid 2665610 includes 4 (0 - 4) 32 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 32 chars (.info)"; content:"|20|";content:"|04|info|00|";nocase;within: 35;pcre: "/(0df0fe51bd077976a3b3e9bda9579065|271fe7fe446d89c66bce464f8250abd2|81ff57dca2bfe7eba0906732a2c4ee41|protectionvulnerabilityantivirus)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665610; rev:9;) # sid 2665611 includes 7 (0 - 7) 4 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.info)"; content:"|04|";content:"|04|info|00|";nocase;within: 7;pcre: "/(jifr|cgwx|vicl|zszx|q234|niee|u32s)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665611; rev:9;) # sid 2665612 includes 69 (0 - 69) 5 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.info)"; content:"|05|";content:"|04|info|00|";nocase;within: 8;pcre: "/(0(54ng|-0-0)|r(chsl|irgc|mkcu|ohti|qfut|ncwi)|k(epoe|joan|gsrs|lerk|kpay)|y(wase|vitj|xugo|kxzi|btlz)|mnedw|viuhe|n(soxr|nnhg|txhh|yuzt)|ost1b|f(onfo|mhph)|p(akbr|en15|dmnk|yyrz)|t(ahit|yzab|rlci|ltfk|bkfn)|c(anfm|rbgb|dprz)|34165|q(meyv|uyas)|w(bucb|wjim|egpp|jmek)|1o(345|p45)|e(lit3|f(emq|duu)|qpsk)|54(3oh|mo1|po1)|h(o345|koas|jcop)|dmdgr|u(msbj|n(nat|jgo)|ayeo|qtnr)|j(osal|wphb)|gyjfw|s(bwvs|zlcf))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665612; rev:9;) # sid 2665613 includes 87 (0 - 87) 6 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.info)"; content:"|06|";content:"|04|info|00|";nocase;within: 
9;pcre: "/(t(odbot|icmuc|bayzc|lzrwg)|d(e(f(yzx|tom)|ntgr)|fking|3plus|nrujn|uojee)|gohaen|i(npiet|l(weyu|yger)|ufeer|yu(feg|tfe)|cbehk|dlrxs|mg305)|3hosts|1sense|a(brak4|igogo|ymmdv|wqhcq|ooale)|7speed|e(lopli|beopr|nocaz)|l(eayso|6tebt|i(tuyv|uytc)|uyfjr|yutfy|hyibh)|j(tryvt|yoshg|j(apwj|jora|ngio))|k(tyger|uytid|ytcue|fbrtl|dwcfc)|o(ydfue|hfwwp)|u(y(jtrc|trdw)|lxong|afoas|nagqt)|w(mcoyg|chnzq|f(putz|mnwk)|ovens|awhwo|hvcha)|x(fsrxc|vpnno|paqaf)|f(oxffi|nrcfq|peuce)|p(sjveo|bkebr)|b(ipeon|ossal)|nlekpt|qwofbv|zjqagx|somets|c(opala|xwlrs|gnzeg|black)|m(sk-ix|yt(skt|vzs)|eqoin)|verdex|htkaxw)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665613; rev:9;) # sid 2665614 includes 81 (0 - 81) 7 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.info)"; content:"|07|";content:"|04|info|00|";nocase;within: 10;pcre: "/(a(nalgas|rryada|ccrisa|htrbny|yjcltc|lserv4|b(serv(1|2|3|4|5|6|7|8|9)|cseat)|mserv2|tstat(7|9)|edzems)|d(efyoli|dzfyry|wsmaip|ziiqaw)|u(pstayd|uopurl|xbqfey)|s(sddrr2|bwxxvf|udrtnh|jtgvfy)|f(loreli|dthhfy|ikturo)|k(ikvnmc|jurtey|tygvri|uytrei|oapikf|enrgty)|3idiota|liutyft|m(eelips|xhqikb)|o(ityfkt|ttgtew|vsbjto)|z(zlivua|bxkcfa)|p(y(lbvai|wzzno)|iuwove)|cnxuwio|ehcxiaw|n(mskoec|lehdno|videos)|v(tzdlzs|gqbkcs)|y(ezvvnj|iyrbkb|teprdf)|j(egwlks|shsaur|cpnrrg)|h(osyumi|hhblue|nqtiiv)|robvqln|x(gndgwl|tnpvci)|w(qimkbh|aewove)|ilyanet|t(wvpusj|czovyk|innily)|2aplusa|b(jahqeb|nvkftz)|ghjfree)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665614; rev:9;) # sid 2665615 includes 142 (0 - 142) 8 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.info)"; content:"|08|";content:"|04|info|00|";nocase;within: 11;pcre: 
"/(m(emehehz|s-stats|dnk(uayw|wzrr)|bxsoosl|agander|picture)|p(a(topato|j(amaaa|xssod))|ubgortk)|w(hite(-pc|pix)|iekf533)|d(a(rewaxi|baisis)|efcrazy|xwdtrsx|rkhaled|picture)|a(wetente|geoloft|hdscter|lserv12|ychzgta|tstat(1(0|1|2|3|4|5|6|7|8|9)|2(0|1|2))|ds-here|qbmtiwq|zceknhh)|b(eatarcs|i(rdsaml|t-host)|atebate|ogwbsbc|rknrmfg|fizhdkp|hhilokq)|h(oligilm|ard(ened|hack)|mdvebvs|wnktjsi)|l(amatita|kpcdnop|cifodgo|eeksrov)|t(empdom9|yavcznr|c(tbtkmk|admzns)|htftjyi|angoing|rizztal)|f(idgeter|w(okiuef|rvwldj)|cqzwuku|eswqaia|pemslgb|rpdzeme)|e(urotomo|kqvqwkc|vil(blog|peer)|ekpaoir|gtfdkqi|bt(mgvvg|tgvpd)|legyyui|ddwhdia)|q(udbcyif|nkbyisu|ewleoth|bamzrox)|u(qspghnz|vxmedia|usglaao|mrrtuvy|nmarine)|y(k(bmkniw|owkmqj)|yhynpvq)|c(fxqpkqy|ykzjpjj|maylsry|ngdtnqj|omdbikh)|jzgrlzbg|k(uqbeian|kp(xxryc|yfduo)|tmryhro)|o(p(zzbnfn|elcbgy)|grqhnbz)|z(nsualnj|fummpzg|lunaabd|iuyioog|boyz657|oopark2)|613sales|s(jbovvah|stwewnc|wzmewyf|izvlnty)|i(n(hfhoex|rrdyub)|riuhnvj|itiqzyv)|n(icewell|mpolkqy|fbdqnjm)|v(oqkmyza|lioswbt|kvgwaqa|iaporta)|g(reatmen|fsgigen|a(nder(ju|pu|vi)|ypqrta)|lpmijol)|r(merjpcv|ttitzcd|hyvhgii|qfzkixd|stvodka)|xumlolrf)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665615; rev:9;) # sid 2665616 includes 101 (0 - 101) 9 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.info)"; content:"|09|";content:"|04|info|00|";nocase;within: 12;pcre: 
"/(n(adnadzzz|panelsrv|fbjlayge|otsdevex)|s(kyoflies|pankabel|wiminads|viyfnmce|nxstat77)|h(t(tpwebit|aabkdyp)|ymndoeso|renasdva|akogumly)|b(yregentt|o(mbgonez|okssiny)|estof123|uusoqely)|c(o(mmitlay|dmod123)|erterpen|amnet-cm|mbxflqub|redapple)|w(auffdevi|skzoon29|qeegbwsi|epoite75)|d(warfsons|enstat77|vbyncsnv|redapple)|r(eadforty|ats-crew|rrorange)|ownroughz|xiidikesz|g(oldflews|ydbcyhzw|d(hnyxgvl|rzagdfm)|ander(dai|poe))|m(ytdsssss|hcbooter)|p(o(rnvivid|litic(fe|yu))|etstotal|xighlhwp|g(hqcxait|aapsgun))|l(ocalh0st|egflyqvh|mwhcqabf|utedldlf)|t(opline4u|wo-store|eam-neff|yeuroxjs)|e(dqdcbdls|xqwkmkcl|ur12-tea)|z(yrggbzdc|qpwbybvg|kwtvrcux|mmjoivfc|olaporta)|k(gpuogtto|nezspeat|zmqmnudg|vkstouvv)|i(ftulyirn|oikrusra|wdxzdmpz|sfqurltw|tdrqwods|hoyqzwtw|vyqwevmt|padtimes)|u(gcccwnvl|iwctwkkk|bhpphwbw|jvobrlwu)|q(koaxxlrc|vlgqqunf|mjozfbyp)|v(etstival|dfratera|juedjhpk)|6poarteja|f(xfubaspi|uqefvvan)|a(mtofqmpz|xserv1(29|3(1|2))|bsufsinl)|jekafroow|ykxufnzkd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665616; rev:9;) # sid 2665617 includes 1 (0 - 1) 11 character domains in the ".ir" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ir)"; content:"|0b|";content:"|02|ir|00|";nocase;within: 14;pcre: "/iranscarpet/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665617; rev:9;) # sid 2665618 includes 1 (0 - 1) 12 character domains in the ".ir" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ir)"; content:"|0c|";content:"|02|ir|00|";nocase;within: 15;pcre: "/khorasannews/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665618; rev:9;) # sid 2665619 includes 1 (0 - 1) 15 character domains in the ".ir" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.ir)"; 
content:"|0f|";content:"|02|ir|00|";nocase;within: 18;pcre: "/tabanflourmills/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665619; rev:9;)
# NOTE(review): how the generated rules below are built, and what to verify
# before relying on an alert (or on the absence of one):
#  - The first content is a single byte, the label length (e.g. |04| for a
#    4-character label). It has no offset/depth, so it can match that byte
#    value anywhere in the payload, not only at the start of the queried label.
#  - nocase and within modify the second content (|02|<tld>|00|) only.
#  - within is always "label length + 3". Counting from the length byte, the
#    end of |02|<tld>|00| lies label length + 4 bytes away for a two-letter
#    TLD. If the engine requires the whole second pattern to fit inside the
#    within window (the usual reading of within), the window is one byte short
#    for the intended query -- TODO confirm with a test capture per rule.
#  - pcre carries no R (relative) modifier, so it is not tied to the two
#    content matches: the listed strings match as case-insensitive substrings
#    anywhere in the packet, not only as the label in front of the TLD.
# sid 2665620 includes 1 (0 - 1) 4 character domains in the ".ir" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.ir)"; content:"|04|";content:"|02|ir|00|";nocase;within: 7;pcre: "/1see/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665620; rev:9;)
# sid 2665621 includes 3 (0 - 3) 5 character domains in the ".ir" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ir)"; content:"|05|";content:"|02|ir|00|";nocase;within: 8;pcre: "/(netso|pnuit|kar20)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665621; rev:9;)
# sid 2665622 includes 2 (0 - 2) 6 character domains in the ".ir" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ir)"; content:"|06|";content:"|02|ir|00|";nocase;within: 9;pcre: "/(1abzar|radars)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665622; rev:9;)
# sid 2665623 includes 3 (0 - 3) 7 character domains in the ".ir" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ir)"; content:"|07|";content:"|02|ir|00|";nocase;within: 10;pcre: "/(cityzoo|megagsm|2daypic)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665623; rev:9;)
# sid 2665624 includes 2 (0 - 2) 8 character domains in the ".ir" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ir)"; content:"|08|";content:"|02|ir|00|";nocase;within: 11;pcre: "/(pouyakam|sixseven)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665624; rev:9;)
# sid 2665625 includes 3 (0 - 3) 9 character domains in the ".ir" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ir)"; content:"|09|";content:"|02|ir|00|";nocase;within: 12;pcre: "/(iqservice|flymazyar|memarkade)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665625; rev:9;)
# sid 2665626 includes 2 (0 - 2) 10 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.it)"; content:"|0a|";content:"|02|it|00|";nocase;within: 13;pcre: "/(fotostampe|divinaclub)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665626; rev:9;)
# sid 2665627 includes 3 (0 - 3) 11 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.it)"; content:"|0b|";content:"|02|it|00|";nocase;within: 14;pcre: "/(maininishop|naturmedsrl|ivantoscano)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665627; rev:9;)
# sid 2665628 includes 2 (0 - 2) 13 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.it)"; content:"|0d|";content:"|02|it|00|";nocase;within: 16;pcre: "/(scuolaedileal|angeloschiavi)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665628; rev:9;)
# sid 2665629 includes 1 (0 - 1) 14 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.it)"; content:"|0e|";content:"|02|it|00|";nocase;within: 17;pcre: "/figromanetwork/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665629; rev:9;)
# sid 2665630 includes 2 (0 - 2) 16 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.it)"; content:"|10|";content:"|02|it|00|";nocase;within: 19;pcre: "/(illaboratoriosrl|quattro-stagioni)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665630; rev:9;)
# sid 2665631 includes 2 (0 - 2) 19 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.it)"; content:"|13|";content:"|02|it|00|";nocase;within: 22;pcre: "/(uilpoliziafrosinone|profcappello-napoli)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665631; rev:9;)
# sid 2665632 includes 1 (0 - 1) 6 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.it)"; content:"|06|";content:"|02|it|00|";nocase;within: 9;pcre: "/hitmen/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665632; rev:9;)
# sid 2665633 includes 3 (0 - 3) 9 character domains in the ".it" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.it)"; content:"|09|";content:"|02|it|00|";nocase;within: 12;pcre: "/(a(cenergia|gensport)|beemotion)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665633; rev:9;)
# sid 2665634 includes 1 (0 - 1) 7 character domains in the ".jp" top level domain
# NOTE(review): the only string this rule looks for is the generic word
# "webmail", and the pcre is not bound to the label position, so this sid
# deserves extra scrutiny for false positives during triage.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.jp)"; content:"|07|";content:"|02|jp|00|";nocase;within: 10;pcre: "/webmail/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665634; rev:9;)
# sid 2665635 includes 1 (0 - 1) 5 character domains in the ".kr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.kr)"; content:"|05|";content:"|02|kr|00|";nocase;within: 8;pcre: "/kopas/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2665635; rev:9;)
# NOTE(review): coverage and triage limits shared by the rules below, read
# from their common header and options:
#  - "alert udp ... -> $DNS_SERVERS 53" inspects only UDP packets addressed to
#    hosts in $DNS_SERVERS on port 53. Lookups carried over TCP, or sent to a
#    resolver that is not in $DNS_SERVERS, are outside these rules.
#  - The source "![$SMTP_SERVERS,$DNS_SERVERS]" excludes queries that originate
#    from the mail and DNS servers themselves.
#  - msg records only the label length and the TLD, and one sid can cover
#    several names, so the queried name has to be read from the packet itself
#    to tell which listed string fired.
#  - Very short patterns (e.g. /c0m/, /1nk/) are matched as substrings of the
#    packet because the pcre has no anchors; expect them to be the noisiest.
# sid 2665636 includes 1 (0 - 1) 6 character domains in the ".kr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.kr)"; content:"|06|";content:"|02|kr|00|";nocase;within: 9;pcre: "/spycop/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665636; rev:9;)
# sid 2665637 includes 1 (0 - 1) 7 character domains in the ".kr" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.kr)"; content:"|07|";content:"|02|kr|00|";nocase;within: 10;pcre: "/webkebi/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665637; rev:9;)
# sid 2665638 includes 3 (0 - 3) 12 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.kz)"; content:"|0c|";content:"|02|kz|00|";nocase;within: 15;pcre: "/(c(dqwwkndatvt|uojshtbohnt)|vyqhdtnsfrie)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665638; rev:9;)
# sid 2665639 includes 4 (0 - 4) 13 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.kz)"; content:"|0d|";content:"|02|kz|00|";nocase;within: 16;pcre: "/(cvsqsmuiaaiyh|iqkydbxjfodro|rfffnahfiywyd|scfoijdccqtmj)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665639; rev:9;)
# sid 2665640 includes 1 (0 - 1) 8 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.kz)"; content:"|08|";content:"|02|kz|00|";nocase;within: 11;pcre: "/75686f68/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665640; rev:9;)
# sid 2665641 includes 1 (0 - 1) 9 character domains in the ".kz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.kz)"; content:"|09|";content:"|02|kz|00|";nocase;within: 12;pcre: "/pedamotor/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665641; rev:9;)
# sid 2665642 includes 1 (0 - 1) 3 character domains in the ".li" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.li)"; content:"|03|";content:"|02|li|00|";nocase;within: 6;pcre: "/c0m/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665642; rev:9;)
# sid 2665643 includes 1 (0 - 1) 8 character domains in the ".lu" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.lu)"; content:"|08|";content:"|02|lu|00|";nocase;within: 11;pcre: "/copytech/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665643; rev:9;)
# sid 2665644 includes 1 (0 - 1) 11 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.me)"; content:"|0b|";content:"|02|me|00|";nocase;within: 14;pcre: "/websoft-pro/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665644; rev:9;)
# sid 2665645 includes 1 (0 - 1) 12 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.me)"; content:"|0c|";content:"|02|me|00|";nocase;within: 15;pcre: "/wikifreetour/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665645; rev:9;)
# sid 2665646 includes 1 (0 - 1) 20 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.me)"; content:"|14|";content:"|02|me|00|";nocase;within: 23;pcre: "/free-tv-video-online/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665646; rev:9;)
# sid 2665647 includes 1 (0 - 1) 3 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.me)"; content:"|03|";content:"|02|me|00|";nocase;within: 6;pcre: "/1nk/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665647; rev:9;)
# sid 2665648 includes 1 (0 - 1) 5 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.me)"; content:"|05|";content:"|02|me|00|";nocase;within: 8;pcre: "/keep2/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665648; rev:9;)
# sid 2665649 includes 2 (0 - 2) 7 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.me)"; content:"|07|";content:"|02|me|00|";nocase;within: 10;pcre: "/(ewdkddr|wesleyk)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665649; rev:9;)
# sid 2665650 includes 1 (0 - 1) 9 character domains in the ".me" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.me)"; content:"|09|";content:"|02|me|00|";nocase;within: 12;pcre: "/with-love/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665650; rev:9;)
# sid 2665651 includes 1 (0 - 1) 6 character domains in the ".mk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.mk)"; content:"|06|";content:"|02|mk|00|";nocase;within: 9;pcre: "/eponim/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665651; rev:9;)
# sid 2665652 includes 1 (0 - 1) 20 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.mobi)"; content:"|14|";content:"|04|mobi|00|";nocase;within: 23;pcre: "/worldsnowboardleague/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665652; rev:9;)
# sid 2665653 includes 1 (0 - 1) 8 character domains in the ".mobi" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.mobi)"; content:"|08|";content:"|04|mobi|00|";nocase;within: 11;pcre: "/elcoluna/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665653; rev:9;)
# sid 2665654 includes 1 (0 - 1) 9 character domains in the ".my" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.my)"; content:"|09|";content:"|02|my|00|";nocase;within: 12;pcre: "/uzabfgqfk/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665654; rev:9;)
# sid 2665655 includes 1 (0 - 1) 10 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.name)"; content:"|0a|";content:"|04|name|00|";nocase;within: 13;pcre: "/generation/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665655; rev:9;)
# sid 2665656 includes 1 (0 - 1) 15 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.name)"; content:"|0f|";content:"|04|name|00|";nocase;within: 18;pcre: "/adultvideogames/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665656; rev:9;)
# sid 2665657 includes 1 (0 - 1) 5 character domains in the ".name" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.name)"; content:"|05|";content:"|04|name|00|";nocase;within: 8;pcre: "/jbait/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665657; rev:9;)
# sid 2665658 
includes 1 (0 - 1) 6 character domains in the ".name" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.name)"; content:"|06|";content:"|04|name|00|";nocase;within: 9;pcre: "/track2/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665658; rev:9;) # sid 2665659 includes 1 (0 - 1) 16 character domains in the ".ne" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.ne)"; content:"|10|";content:"|02|ne|00|";nocase;within: 19;pcre: "/collective-media/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665659; rev:9;) # sid 2665660 includes 69 (0 - 69) 10 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.net)"; content:"|0a|";content:"|03|net|00|";nocase;within: 13;pcre: "/(a(nysexlife|vlsystems|prrxpills|sianfairy|derdoctor|kitahusky|uto-scape)|freevoodoo|h(ttp(active|domain)|eemitchea|ousespect)|i(n(nolounge|visibill)|frameshop|magshacks)|d(anteloyaa|ream-payy|ogshop225)|p(r(i(estiset|deinusa|vetcash)|odatainc)|harmatabs|assinggas)|e(vo-booter|xtra-tube|n(dorphyne|ergirans))|journaltag|lab(elchips|ofanoti)|s(oorajmull|upertable|lowstatus|e(archover|umdoctor|ndspaper)|avethezoo|ynetworks|peedylink|tarslight)|t(echtrendz|arantella)|m(akeittnow|ega(apload|-porn0)|i(rcsohbet|poqadsoz))|n(e(w(s-7days|-themes)|tworksec)|itconnect)|b(elkonvert|addowhall)|o(rgkomitet|orcueolyt)|youngzsoft|c(abalrider|yber-shop)|kaniserver|xlfseeiuzy|u(shbrenerw|dhisparty)|westdirect|richardson|galaturado|7dailynews|vaginagold)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665660; rev:9;) # sid 2665661 includes 58 (0 - 58) 11 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.net)"; 
content:"|0b|";content:"|03|net|00|";nocase;within: 14;pcre: "/(tra(velmeant|ckingups)|f(reetoooobe|o(ntsfornow|rfreeblog)|abulatonis|lashbooter)|h(ttpexplore|e(lterhealh|at-7-news)|ariomgroup)|365newsweek|imageshacks|d(aily7press|qtkieqnexm)|l(oubnanioun|atinitjobs)|m(e(taexploit|andyounow)|illion-one|-analytics|yfreecams1)|7(daily-jobs|news7daily)|job-news365|s(h(op-europe|ufflebuzz|irley2011)|napstudios|ilentsales|uperloadss|martbooter|t(reetscams|ylebite22))|b(pmedspills|a(ywireless|ckozifice)|ob-roberts)|e(n-softonic|bookforall|onmicrofit)|c(ifradasweb|reatenshop)|a(n(imerocket|ewsupdate)|llintercom)|p(arkasse-at|o(tkilandsa|rnoproriv))|neigh-bours|x-porn-tube|za(ebaliboti|dverising)|reagansloan|we(lldone123|rlontally)|udssorulari|geekwarrior)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665661; rev:9;) # sid 2665662 includes 58 (0 - 58) 12 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.net)"; content:"|0c|";content:"|03|net|00|";nocase;within: 15;pcre: "/(f(ollowupezio|unnyextreme|acerlboooks|lashupdates)|v(er(ynucetube|tilineopa)|yqhdtnsfrie)|h(ttpwebworld|ugsnotslave|ire-centers|ealth-feeds)|n(e(tworkofart|w(hunter599|s-7-daily))|odrugspills)|pixovuonline|365news(-week|press)|s(towiwxmemkn|mpjsueigtqn|erviceocean|uccessloads|ohbetodalar)|7(jobreporter|daily-7news)|g(allery-plus|oforwatches|etenjoyment|reeneggapps)|job-7reports|m(o(je-wyprawy|dernltd-uk)|y(teenmovies|stuff4free)|anyveryshop)|u(bagroupsplc|ntiringnews|fkirankmega)|b(ronzerpills|illfighters)|c(sa-shipping|dqwwkndatvt)|e(tfacebookss|asyinchloss)|d(ramchinatea|ark-hosting)|returenget60|t(hesexygirls|wistedtarts)|kurdistannet|a(bcasmportal|rtisanscafe|pple-retail|ds4ususausa)|i(ntegraliuss|rishlottery)|l(oadsoftware|eckrefotzen))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665662; rev:9;) # sid 2665663 includes 49 (0 - 49) 13 character 
domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.net)"; content:"|0d|";content:"|03|net|00|";nocase;within: 16;pcre: "/(h(ttpbuyonline|os(tcostarica|pitalmedic))|t(jjhmtjlziebo|rafficsurfer|hepicturehut|wiztedbooter|imewayonline)|24jobreporter|365-newspress|business7days|7job-reporter|fa(st(ertraders|stonesoft)|milytindoor)|job-newsp(aper|ress)|w(fbpumtimluzt|ork-position)|eviagra-super|you(rdreamspay|tubeonline)|a(ppstabletsrx|d(obe-updates|renalineind|specexpress))|c(omputer-giga|r(ystmassoft1|ackserialdb)|vsqsmuiaaiyh)|greendownload|n(ewsroom-mpls|lhotelsguide|anosearchpro)|little-queens|m(yfacebooksbd|axcom-online|ourganafilms)|digitalarmory|0riginalcheck|s(ecurityearth|cfoijdccqtmj)|p(cdebenyokken|lateonoodles)|khdjkuj783623|usedapartment|iqkydbxjfodro|rfffnahfiywyd|vxvhwcixcxqxd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665663; rev:9;) # sid 2665664 includes 45 (0 - 45) 14 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.net)"; content:"|0e|";content:"|03|net|00|";nocase;within: 17;pcre: "/(m(ediatoolparts|p3dinlermisin|lxvacanthomes|yfirstbillion)|24job-reporter|e(ating-organic|-(onlinecialis|viagraonline))|t(lurionwxgynem|amilworldinfo|hef(unambulist|ourthkinds))|d(aily-job(-news|press)|utgjnpvgoqqmi|cialisforsale|ecisivebooter|ownloads-e639)|s(urfacechicago|buying-(cialis|viagra)|lkruqfprnkjhm|hopuggbootsde|ecurity-force|pacecodecpack)|7dailyreporter|chilloutcaffee|a(cialisforsale|viagraforsale|onqrnernvqret|naliticsmedia|tlantic-drugs)|b(eton(yourselff|onasos228)|ronzerrxpills|ibiblocksberg)|r(kpjngevikzqtr|e(ddawndigital|viewandbonus)|ichardshannon)|landofskillsdr|yourowndefence|onlinediller22|weddingsbyanne|google-analyst)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665664; rev:9;) # sid 2665665 
includes 48 (0 - 48) 15 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.net)"; content:"|0f|";content:"|03|net|00|";nocase;within: 18;pcre: "/(a(gicdvdmstorage|stroconsulting|ppleblossomart|ctivationcrack|kpinarlojistik)|hvfjpojjlrqlovl|njinhtmtlruuuhn|f(tpnitepbnqzwwp|powmtyzqsdsfxl|lippingpuppies)|l(yuijfpqppkoyoq|andeskriminalt)|p(nltknsxsswzkku|imfvworqtkvnhm|sznjjhwsetknen|lumcrazy-media|93oneklbhc4xol)|y(wilkswylnvufje|o(zkwnpizzzconi|ur(traveldiary|landyourway)))|d(aily(-job-news7|7-business)|rivers-updates|utytraditional)|o(mwmsmoidwzmvql|nline-uggboots)|7da(ily-reporter|y-consultant)|job-(7revolution|newsexpress)|knnjnwrshqwvjvb|vlvvrlczgsmnggi|sbuying-levitra|i(ftvolzclmstnvk|nternetdomains|mportantalerts)|t(uxipkujvyquosm|hemeparkoupons)|w(o(qmqlgnrfxwtsk|rkingcruisers)|ryrzhqpokkjmnl|inhomesecurity)|xorxtvukytppkog|gethappysamples|b(estdeal-online|airrosdemaceio)|migdaliasbistro)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665665; rev:9;)
# NOTE(review): msg only names the label length and TLD ("DNS lookup 16 chars
# (.net)"), and one sid covers every name in its alternation. The alert itself
# does not say which listed domain was queried; keep the triggering packet (or the
# resolver's query log) alongside the alert so the name can be recovered in triage.
# sid 2665666 includes 38 (0 - 38) 16 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.net)"; content:"|10|";content:"|03|net|00|";nocase;within: 19;pcre: "/(mediawidgetparts|n(gpllvbqkhplrzrk|kqkhzlvdsmxxmmf|eedafishingboat)|online(rpornofree|-uggsboots)|qnsggfsmgnvilmsh|24job-consultant|w(rwcqzvhmjxsmzsv|wmrrprfjoreotwq|orld-friendship)|p(j(tlsmnfjsypogrt|jloojumliilnic)|hlevelinmyblood|artyparafunalia|rovenprotection)|gikmpljumkzbxnsj|h(vlqmwtesqdkktgo|ealth-dailynews)|rlpokjmnhcimtkiz|ztovpyprnnwhwsws|tabletmedsrxteam|x(qoyjkmnrhqmxpty|npsponnonrhsirr)|b(ronzerdrugstore|undespolizei-de|logvitimasblack)|e(uropaforwarding|xpressadvantage)|jsnqfptiqpoypsir|smwpiqfmigjqwonu|yolmstdrjisoktzl|firstlibertybank|innovativesocial|advocacygroupinc|content-checking|landes-kriminalt|vincentsblogsite)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665666; rev:9;)
# sid 2665667 includes 20 (0 - 20) 17 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.net)"; content:"|11|";content:"|03|net|00|";nocase;within: 20;pcre: "/(24consultant-news|germanadvertising|homebusiness-news|7daily(-mainstream|job-reports)|job-(7daily-report|onlinejournal)|s(hop-europe-staff|nova-monday-work|icherheitservice|olartechlearning)|traffic-analytics|androidspillsmeds|drugpharmacypills|e(xclusive-pretens|legantdesign-dfw)|computerbangalore|ireland-uggsboots|forbiddenexplicit|pornofromallworld)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665667; rev:9;)
# sid 2665668 includes 26 (0 - 26) 18 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.net)"; content:"|12|";content:"|03|net|00|";nocase;within: 21;pcre:
"/(trafficstatsonline|homebusiness-7news|7(report(s-dailynews|-7dailynews)|business-reporter|job-dailynews2011|dailynews-channel)|daily-job-reporter|fast-advertisement|employment(-channel|reporter)|a(ndroid(rxdrugstore|tabletsmeds)|ppspillsdrugstore|dobe-pdf-reader11)|mi(sskissoftheryear|lliondollarscash)|cellsdrugstoremeds|i(nterestingchapter|p-licensing-group)|pdf-word-converter|s(ynergyledlighting|tatisticontheline|pringrheumatology)|news8business-feed|ogpertlastermatrwq)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665668; rev:9;)
# NOTE(review): within is always "label length + 3" in these rules (19 chars ->
# within: 22, 25 chars -> within: 28), while the TLD pattern |03|net|00| is itself
# 5 bytes long. Confirm how the target engine counts `within` (to the start or to
# the end of the second match) and replay a capture of a listed name against one
# of these sids - TODO confirm the rules actually fire as generated.
# sid 2665669 includes 9 (0 - 9) 19 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.net)"; content:"|13|";content:"|03|net|00|";nocase;within: 22;pcre: "/(bu(siness-daily7jobs|ndeskriminalamtde)|7(breaking-job-feeds|channell-dailynews|daily-channel-news)|employment-reporter|recruiting-reporter|androidtabletspills|sichererautoverkauf)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665669; rev:9;)
# sid 2665670 includes 6 (0 - 6) 20 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.net)"; content:"|14|";content:"|03|net|00|";nocase;within: 23;pcre: "/(7daily-homebusiness7|trippharmacypharmacy|canalcountryartisans|groupeflo-franchises|worldsnowboardleague|breastenhancingcream)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665670; rev:9;)
# sid 2665671 includes 5 (0 - 5) 21 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.net)"; content:"|15|";content:"|03|net|00|";nocase;within: 24;pcre: "/(medspillspharmacygulf|tabletsdrugstoredrugs|hackfacebookpasswords|news8business-channel|cheapcanadianpharmacy)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665671; rev:9;)
# sid 2665672 includes 9 (0 - 9) 22 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.net)"; content:"|16|";content:"|03|net|00|";nocase;within: 25;pcre: "/(enoprescription-(cialis|viagra)|pillsdrugstoremedicare|a(gentbundeskriminalamt|ndroidspillsdrugstore|dobe-acrobat-reader11|utoshippersinc-london)|ballsattitudedirection|destinychristianchurch)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665672; rev:9;)
# sid 2665673 includes 5 (0 - 5) 23 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.net)"; content:"|17|";content:"|03|net|00|";nocase;within: 26;pcre: "/(enoprescription-levitra|assaystorepillspharmacy|bronzerdrugstorerxpills|drugtorepharmacytablets|onlinebundeskriminalamt)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665673; rev:9;)
# sid 2665674 includes 6 (0 - 6) 24 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.net)"; content:"|18|";content:"|03|net|00|";nocase;within: 27;pcre: "/(t(abletpharmacypillsworld|orrentbundeskriminalamt)|blockbusterpharmacystore|skype-software-downloads|eatingseedsforbetterlife|financialsurvivalrevival)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665674; rev:9;)
# sid 2665675 includes 1 (0 - 1) 25 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.net)"; content:"|19|";content:"|03|net|00|";nocase;within: 28;pcre: "/fastsoftwaredownloadstore/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665675; rev:9;)
# sid 2665676 includes 1 (0 - 1) 26 character domains
in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 26 chars (.net)"; content:"|1a|";content:"|03|net|00|";nocase;within: 29;pcre: "/2011-skype-software-update/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665676; rev:9;)
# sid 2665677 includes 1 (0 - 1) 27 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 27 chars (.net)"; content:"|1b|";content:"|03|net|00|";nocase;within: 30;pcre: "/2011-skype-software-upgrade/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665677; rev:9;)
# sid 2665678 includes 2 (0 - 2) 28 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 28 chars (.net)"; content:"|1c|";content:"|03|net|00|";nocase;within: 31;pcre: "/(blockbusterpharmacydrugstore|2011-skype-software-download)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665678; rev:9;)
# NOTE(review): the 3- and 4-character rules below are the weakest in this group.
# Their pcre has no anchor and no relative modifier, so strings such as "igt" or
# "oio" are matched anywhere in the payload, and the only other conditions are a
# 0x03/0x04 byte followed closely by the .net TLD bytes. Expect false positives on
# ordinary .net lookups whose names merely contain one of these strings; review or
# threshold these sids separately from the long-label rules.
# sid 2665679 includes 4 (0 - 4) 3 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.net)"; content:"|03|";content:"|03|net|00|";nocase;within: 6;pcre: "/(w3q|igt|oio|qb9)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665679; rev:9;)
# sid 2665680 includes 22 (0 - 22) 4 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.net)"; content:"|04|";content:"|03|net|00|";nocase;within: 7;pcre: "/(x(-44|xas)|qfsl|zfnn|l7da|h1c4|jifr|c(ked|z88|pgl)|epfm|v(gdz|bir)|o(icp|rgg)|fyxm|g(ueu|eqe)|4p85|sd02|mcmx|pubt)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665680; rev:9;)
# sid 2665681 includes 35 (0 - 35) 5 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.net)"; content:"|05|";content:"|03|net|00|";nocase;within: 8;pcre: "/(e(vnvu|amia|monw)|t(wivu|qytj)|bytim|licke|w(djpq|jcam|oarz)|vtfkp|s(coke|k(yta|ata)|muss)|h(s666|inet)|useac|j(frmt|sadv)|z(eino|ddos)|r(x(sop|fly)|upje)|dr(vir|won)|nasze|yuruo|agizu|freac|mp3ae|pmiss|cimnp|9gags)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665681; rev:9;)
# sid 2665682 includes 37 (0 - 37) 6 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.net)"; content:"|06|";content:"|03|net|00|";nocase;within: 9;pcre: "/(quaveo|r(oo(mbo|nyx)|hyndu)|w(ikixo|apcco)|a(n(amol|srme)|pmark|riune)|g(opota|abcat)|b(jilse|espar|ragan)|k(jjjnj|o(tran|mfis))|o(pwqmm|ijwhj)|sdoqds|h(eroiz|ljvip|4d4c4)|forppp|d(vdmp4|ynanu)|e(nnior|dge02|bcorp)|nmwrdr|i(mgbbb|cemed)|meetri|v(erred|traxe)|365cpm)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665682; rev:9;)
# sid 2665683 includes 77 (0 - 77) 7 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.net)"; content:"|07|";content:"|03|net|00|";nocase;within: 10;pcre: "/(d(igiput|e(mible|rmex1)|abcube|rcheck|y(aneph|nazzy))|b(ezlica|iatudl|allbar)|fivetag|g(abspan|etinmo|2smail)|h(ttp(new|s(et|ky))|alverd|seclub)|k(ay(auto|lith)|wilium|ingbot|oinzux|kgfejg)|quilane|s(ukanaf|elmiuz|ky(edu8|peim)|rsopen|tanley)|c(ocainy|aboria|l(iffhk|kturn)|urcell)|l(anlabs|sclick|td-scg|inmaxx|osidko)|e(xalbot|liteop|vansor)|a(l(tuscu|jalea|ysamb|antic)|hbazen|dxdnet|innews|qvideo|fssinc)|n(oorjam|iklejo|catzbj|ewslib)|wsxhost|4-links|v(kgosti|o(onder|eychc))|r(u(traff|sview)|ftimes)|i(s(ellcc|pline)|mailru)|zingqua|p(2group|odtube|ixwall|s3club|daviet)|mobiodn|toxsoft)/i"; classtype:trojan-activity;
reference:url,www.malwaredomains.com; sid:2665683; rev:9;)
# NOTE(review): shared prefixes are factored into nested groups in these patterns,
# e.g. "linkbuzz" is stored as l(i(ve-bot|nkbuzz)|...). A plain text search of this
# file for a full domain name will therefore miss most entries; check a name
# against the source blocklist, or expand the alternation, when asking whether a
# given domain is covered.
# sid 2665684 includes 65 (0 - 65) 8 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.net)"; content:"|08|";content:"|03|net|00|";nocase;within: 11;pcre: "/(kk0lot0m|n(picture|eraller|o(doctor|rvista)|wfepsdc)|f(ourware|i(vevine|lljobs)|zdykehg)|c(amilium|l(ubdial|ickbar)|pmtrack|onnolly)|d(emicero|ivacero|l4hacks)|e(dgetune|amoxsnw)|g(i(gaopia|jvqrqt)|o00ogle|zrzkouz)|h(ttp(disk|live)|idesoft)|s(alesian|o(lidcdn|renara)|igsypri|chriock|tatscon|kipfire|exzavod)|i(n(dohome|ferno3)|cdoctor)|up(d-host|s-post)|b(etonyou|pspills|hdoctor)|l(i(ve-bot|nkbuzz)|ojasmya|e(moteam|titbit))|r(iumoete|s-merch|egicsgf)|a(dslayer|vmirror)|t(dstraff|echmach|imeyear)|wordbean|zenboxes|vashsoft|613sales|1inkedin|m(mtiisxm|yvpcgjq)|posngndb|247track)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665684; rev:9;)
# sid 2665685 includes 68 (0 - 68) 9 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.net)"; content:"|09|";content:"|03|net|00|";nocase;within: 12;pcre: "/(b(rightdog|undespol|illyfuns)|h(ttp(build|field|green)|p-driver|apturing)|t(ra(cksups|ffogon)|ankigame)|p(hotopath|layerbox|o(lerdaco|rno-day)|aperrain|ulsuzwap)|j(etmember|umplabel)|kwiveeinc|l(i(nkshots|veonair)|a(botyaqa|skeygen)|o(ves-you|tentake))|m(undoblog|a(rocsong|x(5clock|breast))|sdmvdata)|o(dessitov|cbyrpigo|nlyteenz|yadantel)|rsoftware|u(nionhire|pstracks|rnewlook)|w(ugoffers|eek7news|in(eloans|utyaso)|holeloud)|7newsweek|s(kipolice|oftdavid|amsusams|tra(tegyq|zdini))|c(inemavip|amplaces|o(pytrans|nvertro))|ydjiaxiao|f(airyfish|ile01-01|lightpub|unkycafe)|zeroxcode|gi(lemedic|sutamot)|a(cantispy|bc-spain|ntiochwf|uimjsnde)|ekotastic|dare2play)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665685;
rev:9;)
# NOTE(review): the names below are a snapshot of the blocklist taken on the
# generation date given in the file header. A domain listed then may since have
# been cleaned up, expired or re-registered, so revalidate entries against the
# current feed before using an old copy of this file for alerting or blocking.
# sid 2665686 includes 4 (0 - 4) 10 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.nl)"; content:"|0a|";content:"|02|nl|00|";nocase;within: 13;pcre: "/(mi(ntonette|jnhemubo)|janbonnema|winupdates)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665686; rev:9;)
# sid 2665687 includes 3 (0 - 3) 12 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.nl)"; content:"|0c|";content:"|02|nl|00|";nocase;within: 15;pcre: "/(avv-roermond|holdampffoto|kivitsdeuren)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665687; rev:9;)
# sid 2665688 includes 1 (0 - 1) 13 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.nl)"; content:"|0d|";content:"|02|nl|00|";nocase;within: 16;pcre: "/0800fotograaf/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665688; rev:9;)
# sid 2665689 includes 1 (0 - 1) 14 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.nl)"; content:"|0e|";content:"|02|nl|00|";nocase;within: 17;pcre: "/gezochtkoerier/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665689; rev:9;)
# sid 2665690 includes 2 (0 - 2) 15 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.nl)"; content:"|0f|";content:"|02|nl|00|";nocase;within: 18;pcre: "/(gggggghhhhhhhhh|bijlesnederland)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665690; rev:9;)
# sid 2665691 includes 1 (0 - 1) 16 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.nl)"; content:"|10|";content:"|02|nl|00|";nocase;within: 19;pcre: "/adwordsvoorbeeld/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665691; rev:9;)
# sid 2665692 includes 1 (0 - 1) 18 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.nl)"; content:"|12|";content:"|02|nl|00|";nocase;within: 21;pcre: "/stoorvogelsoftware/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665692; rev:9;)
# sid 2665693 includes 2 (0 - 2) 19 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.nl)"; content:"|13|";content:"|02|nl|00|";nocase;within: 22;pcre: "/(adviesgroepict-pcou|centralohiocalendar)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665693; rev:9;)
# sid 2665694 includes 1 (0 - 1) 20 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.nl)"; content:"|14|";content:"|02|nl|00|";nocase;within: 23;pcre: "/bedrijfs-werkkleding/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665694; rev:9;)
# sid 2665695 includes 1 (0 - 1) 21 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.nl)"; content:"|15|";content:"|02|nl|00|";nocase;within: 24;pcre: "/residentiebeveiliging/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665695; rev:9;)
# sid 2665696 includes 1 (0 - 1) 5 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.nl)"; content:"|05|";content:"|02|nl|00|";nocase;within: 8;pcre: "/didid/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665696; rev:9;)
# sid 2665697 includes 2 (0 - 2) 6 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.nl)"; content:"|06|";content:"|02|nl|00|";nocase;within: 9;pcre: "/(chadon|playme)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665697; rev:9;)
# sid 2665698 includes 2 (0 - 2) 7 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.nl)"; content:"|07|";content:"|02|nl|00|";nocase;within: 10;pcre: "/(ilselos|koopsfd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665698; rev:9;)
# sid 2665699 includes 4 (0 - 4) 8 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.nl)"; content:"|08|";content:"|02|nl|00|";nocase;within: 11;pcre: "/(d(edarmen|ierpret)|ncdesign|admicare)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665699; rev:9;)
# sid 2665700 includes 1 (0 - 1) 9 character domains in the ".nl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.nl)"; content:"|09|";content:"|02|nl|00|";nocase;within: 12;pcre: "/feltenwcs/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665700; rev:9;)
# sid 2665701 includes 119 (0 - 119) 10 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.org)"; content:"|0a|";content:"|03|org|00|";nocase;within: 13;pcre:
"/(t(i(nthethao|melymaze)|rickleivy|eethalong)|s(e(archwink|kurepays)|tripescud|apammonia|qqjabolrj|bszbcgyht)|c(l(ickpaint|erkinure)|arptheirs|yberradio|exqogtxdl)|f(i(nd(e(rexup|xt(inc|tab))|incese)|utorrent)|modjiaskv|cqvsliouy|g(agatkhxq|ihlnnbym)|skvclbpvq|jtfqobvly)|g(etcanfind|azettesay|ladespilt|oodantics|vbszvxtiv|uy(oprplbw|antaoki)|randporno)|z(b(estprice|vufdubjl)|qpeubutsi)|a(creafloat|fraiddown|ulqvmmaao|yddymubei|kitahusky)|b(a(kedemure|ncogroup)|e(nttopple|st-event)|lisswilds|oardbutts|ringgreed|ywordtoll|pqpiincvb|xesufkaua)|lo(itercash|wlymeaty)|d(amaskslab|evoidshed|i(rttouchy|hwzkldmf)|vzrqzdfeo|kqmwxirhu)|e(lkrecline|njoyocean|qxyyfhsme|toydsydur)|i(t(emizefir|-polizia)|n(closegem|tentbell))|j(uicecaulk|cbgfxqjbp|oecounter|kqezpxgcc)|m(ovingsnip|ildhotyou|fupubcnav|mfecjhrum|yapps-ups)|n(ationearn|et-studio|bmklefcff)|o(rationyou|cnptxueoa)|p(actcelery|entfinite|o(pestrict|tseclude)|cchecknow|xfpwctvqj|hoto-life)|r(e(f(ereeshe|undwine)|pentavow)|iddensoot)|v(einassert|otegroggy|bqlavxqdd)|h(ulknutmeg|ibatravel|olafoxpar|xbscnbfvc)|y(espicture|zqjcwwyad)|k(ardaizler|sgsomfgnx|dvpnypxbg|wuhzfopjq|fbufwdhtl|jielkkkxb)|w(besnancer|ommelorwv|wqihoqzou|kb(bswwgsh|evytmmi))|u(gsqagxfer|iwtioerrr|omwlmnywd|afsyhldjk)|x(slqtcahxr|mtdrnqlnh))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665701; rev:9;) # sid 2665702 includes 124 (0 - 124) 11 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.org)"; content:"|0b|";content:"|03|org|00|";nocase;within: 14;pcre: 
"/(n(adersamar2|odeconvert|bdccgyvjxi|lpziyovwqq)|p(o(rntubebiz|vgsufwfki)|lumtreacle|ro(saiccube|vereject)|hantomsell|igskinturn|trknlnaflg|ptpyacmeky)|k(kjkcjhhche|lumcukkloo)|c(l(ickbleach|assiclily)|e(llarprank|mentshout)|h(oreuphold|impbooter)|ydjbvzltfv|gnmnabvbqt)|a(d(ultqueens|obemailer)|c(claimpump|tiveguide)|rdorloathe|ssortsetto|mcdrrkorea|uksnrjxlqi|awbegfnnny|bdelghafar)|s(e(archwrong|rving-sys)|t(untedvote|arryplank|owgranary)|u(bdueshone|nnyscythe)|kimlyrical|quealflirt|avourotter|cumwoollen|h(inynpquiz|qipekmdhv))|f(reeblogpro|i(nd(backdup|eupbant|lineinc|nextinc)|shingbeet)|allacypour|oresttruck|ltpmgbslxi|priorsardo)|u(ni(quefraud|tepulpit)|yssnvndxqi)|w(wwapps-ups|iv(estemple|wgktnfdc)|o(verecruit|enhmatsgb)|retchninny|aivertouch|texvktkgpf|fmpvhddads|nwhpeervtp|qwwdxeiusx|gvsurgnedp|zxjxwimvzu|hbawiqjtno)|b(r(icesearch|eadsindia)|lazefiddle)|d(e(finsearch|layabrige)|rjegkrvrvo|pbnhqpabad)|t(itledrutty|estradiant|wwhbpoyvqg|hktxjpvbhk|alkhosting)|m(aximumnone|illetavoid|dnstqlesvc|gsgnvinoiq|ybackupdns)|e(ventliving|ifedphtosn|pratbyujux)|g(ibbetshook|u(lpillegal|bunbgqito))|h(eronuntrue|ungermouth|yunzpzbhdd)|l(ambkinclad|i(belconvoy|kesfetter)|kpmrqojwys|cywrbhhanj)|o(pticmoving|regonstate)|runletlanky|v(i(leisolate|sitmyblog)|haw(eskbqbq|stfspso))|i(n(curhealth|ducttrunk|stallherb)|a(nlogattwc|dyrmxyamj)|pjmpojpzux|vklhvfyyvf)|123homefree|z(juyblecghf|lntoaqbwlx)|xslatssqdnq|ybibfinidce|jshsakpthdd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665702; rev:9;) # sid 2665703 includes 67 (0 - 67) 12 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.org)"; content:"|0c|";content:"|03|org|00|";nocase;within: 15;pcre: 
"/(e(ijqgpqqsuht|veinoutfind|lateexample|mbraceniece)|g(phtznwlcqgq|ailyflounce|renadeabove|lobewebsite|igabidclick)|m(atrixmotors|iserytenure|u(sterydecoy|zzleastute))|c(omadssearch|ackleshaggy|lamourunion|rafttexture)|n(a(twestbk-uk|ughtgrubby|messervers)|ightlyseeds)|totaltwelfth|w(himperchart|indowupdate)|a(ffairmedley|gainindorse|lertworsted|nalyseshort|tomicbooter)|s(u(itebillion|perbhotbed)|h(ouldfasten|eathletics)|innerreflex|lopestipend|orrelramble|t(aideconomy|uffwrestle|erlingbank)|aintlunatic|eniormilage)|bu(rntbrought|tchermeetm)|d(ec(laimtaunt|reecattle)|ivingpeddle|akinderchor)|u(nshipreckon|pdatesearch)|foggystudent|justlysubtle|linseedpaste|o(atmealfrisk|rhanhundred)|p(edalslacken|onderbelong|rimacyresin|ilgrimstrut)|quartpliancy|r(acialfreshe|e(aderocular|ctoryfeign))|vultureoffer|i(n(nersoloist|roadperish)|roningonset)|hotspurequal)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665703; rev:9;)
# NOTE(review): the rule header inspects only UDP packets sent to port 53 on
# $DNS_SERVERS, from sources outside $SMTP_SERVERS and $DNS_SERVERS. Lookups
# carried over TCP, or sent to a resolver that is not listed in $DNS_SERVERS, are
# not seen by these rules; make sure $DNS_SERVERS matches the resolvers that
# clients actually use, and cover other paths with resolver-side logging.
# sid 2665704 includes 51 (0 - 51) 13 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.org)"; content:"|0d|";content:"|03|org|00|";nocase;within: 16;pcre: "/(i(phone5spyapp|gloo-testing)|g(xwiphvozjqkq|randetidings)|jkjkjdecoecce|s(lqrjysjkljvn|tudentfairly|afeinmyplace)|w(pjaltosmuttk|idowerfeeble|hitecellular)|o(sijjqueapcwp|verrunwooden)|r(zsbrprqgjepq|e(birthfalcon|missdeceive)|57-c99-shell|iponfirstcrc)|p(r(isonofficer|ancecontour|oyectoindio)|l(entyvicious|azacrownetc)|ompousdenial|urposestupid|hantombecame)|t(oiletarchway|urbidworship|ensionwarble)|m(emoirsmatrix|ummeryscales|astertraffic)|b(a(lloontroops|skettubular)|e(dridpollute|questramble)|bb-complains|hatiasonline)|d(esisthateful|otingbouquet|wmasoftarado)|e(conomyjersey|nigmaflutter|lsmarketplus|-info-update)|f(ac(ingsinvade|tionchurch)|iancesardine)|laundrysudden|n(ominalunwary|ltorrentsmap))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665704; rev:9;)
# sid 2665705 includes 41 (0 - 41) 14 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.org)"; content:"|0e|";content:"|03|org|00|";nocase;within: 17;pcre: "/(iphone5(spyware|tracker)|flffrzveqflqso|u(ipohfrqtspprj|ndoingperfect)|v(svynlupsftmzn|acancyagainst)|a(mericanbanker|rraigngarment|n(imalscountry|aliticsmedia))|j(sihtspwcjgtlr|ocularputrefy)|q(etvlnivjxwiqj|lploispxlnpoo)|g(npqhlwownqllp|odliketourist)|l(nrvqjrwxphioj|ongingashamed)|w(rtxvmopsveiep|arlikedisobey)|t(orturetactful|r(afficgarland|ivialappears)|hephotobucket)|suctionbanking|capsuletrapeze|discernpitcher|e(clipsedensity|verybodynames)|hi(deousmindful|llocksaunter)|morphiaseaside|noisomechicane|oatmealshatter|p(ortionchagrin|recededynamic)|repulsemaximum|ke(ygentorrentz|limelerbenim)|besplatnoporno)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665705; rev:9;)
# sid 2665706 includes 35 (0 - 35) 15 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.org)"; content:"|0f|";content:"|03|org|00|";nocase;within: 18;pcre: "/(crqsluvnlqmjrpq|j(tcwrlkzqwmmsox|etpmmpvlfmiyir)|o(okmojpzlmjkdfo|snvsnnxrlgpjzx|hypsspuuitlruf)|q(jyqfyughpmkmin|sqdrnniomdrhjt|xosridseyfnujl)|s(jfsewojjvrqxpu|nkxlzrpoqqwuwy|uperblogonline|ecurewebhostin)|v(obsejqvkmuqrbq|futwpmeuiqvrix|xfftjwrivtwioy|aranasiweavers)|ypwjmxesxzxiivy|fsnqhbwhpzyvhqm|l(npjlxislnspdrz|wpjxnoztlwxyhd|gusezgrgogtpzo)|p(nolkppdqvknwzq|pnkwphvrrdonhe)|tjpzjoglinzruep|u(vlmhpysrswtsps|zvxwovtnlzrkyt)|g(txwqptngkltozv|ermanattention)|hrxqnkovlvssuiv|z(plvozprvioejmi|sqtvwhlyjzrskv)|ecran-de-veille|registryrecords|diamondsandrust)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665706; rev:9;)
# sid 2665707 includes 42 (0 - 42) 16 character domains in the ".org" top level domain
alert
udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.org)"; content:"|10|";content:"|03|org|00|";nocase;within: 19;pcre: "/(d(rlouxvsslqnsblv|mmnskknmglirnte)|glsqoylxoxqeskoo|j(bnikqiqqmxuxejt|mjjeqfunuotrion|cmtczpwontvppnt|vzogtyoqnxknktw|fjpdsqirhsypqnn)|k(dusqkjmtygtjoqt|arnatakaprisons|otplhqxotlzgzpt)|npstssnicqxofned|uvprpnoirijoqyss|w(hakrxuonsqhrved|ushuassociation)|x(kssurpwojespqkg|zbowuktxhqnsioh|uywmrwzyjbmhhzk)|y(l(gmflphjvpxtfed|svuiyoufocowpn)|xpnxkzmfszqloli)|z(wkihcevxqvsrldx|oflnpyvpknxolkp|pxqfqsqnkkysmtu|usvdhzkjvtpimlv)|o(wspgcipergcdipj|zrollfjqkrjhtor)|pozpwukkuoyhwrnm|q(uqnxnqeqtohjcso|mhnlypxwmclioum)|mfttwhmjqqmlqsuj|v(jopwmfmqulkvosi|elhndvdmtxicfqn)|i(wqqkhpuvnrrvqyq|nfo-saudiarabia)|rljrnsxpzkmodyin|slpnyrhbeuvxxtpw|bundespolizei-de|fa(cebook-support|stsearchportal)|landes-kriminalt|colvetlambayeque)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665707; rev:9;)
# NOTE(review): every rule here carries classtype:trojan-activity and the
# SPYWARE-DNS msg prefix regardless of why a name was listed. If the source list
# records a per-domain reason, it is not carried into the rule, so look the
# queried name up in the feed when deciding how severe an alert is.
# sid 2665708 includes 6 (0 - 6) 17 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.org)"; content:"|11|";content:"|03|org|00|";nocase;within: 20;pcre: "/(cinderella-dreams|falbumdinlermisin|l(osingyourparents|apoliciaespanola)|elegantdesign-dfw|dorothydaydanbury)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665708; rev:9;)
# sid 2665709 includes 7 (0 - 7) 18 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.org)"; content:"|12|";content:"|03|org|00|";nocase;within: 21;pcre: "/(a(dobe-pdf-reader11|rgumenthistorical)|your(securitysystem|browsermatters)|thechurchinthepark|centercoordination|policemetropolitan)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665709; rev:9;)
# sid 2665710 includes 7 (0 - 7) 19 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.org)"; content:"|13|";content:"|03|org|00|";nocase;within: 22;pcre: "/(d(polg-bundespolizei|atabase-conversion)|s(earchfindauthorize|icherheit-services)|bundeskriminalamtes|arabemirates-online|thepersonaltrafffic)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665710; rev:9;)
# sid 2665711 includes 2 (0 - 2) 20 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.org)"; content:"|14|";content:"|03|org|00|";nocase;within: 23;pcre: "/(artoflivingfaridabad|lenjerieintimaonline)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665711; rev:9;)
# sid 2665712 includes 2 (0 - 2) 21 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.org)"; content:"|15|";content:"|03|org|00|";nocase;within: 24;pcre: "/(swiftdeliveryservices|mothersandmoretritown)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665712; rev:9;)
# sid 2665713 includes 5 (0 - 5) 22 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.org)"; content:"|16|";content:"|03|org|00|";nocase;within: 25;pcre: "/(a(dobe-acrobat-reader11|nkarasehiricinakliyat)|c(areerhiring-solutions|heck-criminal-records)|escuelarobertoespinosa)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665713; rev:9;)
# sid 2665714 includes 1 (0 - 1) 23 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.org)"; content:"|17|";content:"|03|org|00|";nocase;within: 26;pcre: "/inter-bundeskriminalamt/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665714; rev:9;)
# sid 2665715 includes 2 (0 - 2) 24 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.org)"; content:"|18|";content:"|03|org|00|";nocase;within: 27;pcre: "/(skype-software-downloads|financialsurvivalrevival)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665715; rev:9;)
# sid 2665716 includes 1 (0 - 1) 25 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 25 chars (.org)"; content:"|19|";content:"|03|org|00|";nocase;within: 28;pcre: "/100thingstodobeforeyoudie/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665716; rev:9;)
# sid 2665717 includes 1 (0 - 1) 27 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 27 chars (.org)"; content:"|1b|";content:"|03|org|00|";nocase;within: 30;pcre: "/2011-skype-software-upgrade/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665717; rev:9;)
# sid 2665718 includes 1 (0 - 1) 28 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 28 chars (.org)"; content:"|1c|";content:"|03|org|00|";nocase;within: 31;pcre: "/2011-skype-software-download/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665718; rev:9;)
# sid 2665719 includes 2 (0 - 2) 3 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.org)"; content:"|03|";content:"|03|org|00|";nocase;within: 6;pcre: "/(w67|rm6)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665719; rev:9;)
# sid 2665720 includes 1 (0 - 1) 32 character domains in
the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 32 chars (.org)"; content:"|20|";content:"|03|org|00|";nocase;within: 35;pcre: "/loans-for-people-with-bad-credit/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665720; rev:9;) # sid 2665721 includes 8 (0 - 8) 4 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.org)"; content:"|04|";content:"|03|org|00|";nocase;within: 7;pcre: "/(7ail|znga|it98|jjww|pank|net9|eb4y|awbi)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665721; rev:9;) # sid 2665722 includes 52 (0 - 52) 5 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.org)"; content:"|05|";content:"|03|org|00|";nocase;within: 8;pcre: "/(s(3lab|tmac|bwzd|uzbe)|g(ugla|wwdx)|c(alid|jdnx|gdpy)|b(pbqh|akxt|olrc)|q(bqit|ymvp)|ylfqx|z(zlfb|kkxn)|m(qgqh|lyyf|dkfk)|o(jigv|grql|rvox)|n(olcy|-p-f|dmel)|w(phvg|rtjy)|a(nkdz|lyac|hbzc|vvsw|frec)|t(kkmz|nfwb)|i(rdjg|gufa)|fgatl|lxf(fe|hf|lx)|v(o(lem|tao)|fyoi|rprt)|hwppg|x(orqh|aqdo)|rzeao|d(cicz|vocx)|ugpnd)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665722; rev:9;) # sid 2665723 includes 62 (0 - 62) 6 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.org)"; content:"|06|";content:"|03|org|00|";nocase;within: 9;pcre: 
"/(i(madel|iwngq|hocag)|d(aily7|zruav)|s(halis|bdari)|estril|g(ruver|dspru)|k(almup|yangg|q(crxz|wjri)|tmjpx|ufnyc)|w(aspad|pmlks|kbkcw)|j(gfznx|dnqqo|wweyq|xqccm)|c(ulapo|wlrmi|gdpia|dgvom)|b(ttext|l(yzfc|cjbj)|oglrr|kkvez)|htzsbj|r(wf(add|cvc|etq)|lhcae|a(c-ar|jueg))|z(mlikb|nsurk|qpuvz|sboyg)|f(dfqoi|ahkwk|qcyli|vqfrt)|n(jkxwq|a(cylu|fdev)|fbusl|tjuqn)|vkblwt|o(bimsr|kaakf)|uonnbv|xdnuda|l(xflqc|qhwmr)|mynvek|pfxamn|tetiva)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665723; rev:9;) # sid 2665724 includes 75 (0 - 75) 7 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.org)"; content:"|07|";content:"|03|org|00|";nocase;within: 10;pcre: "/(c(oginix|c(mfuwi|olchv)|dlvkws|zunlyz)|p(lanita|raysad|dfguud)|w(oecake|pstats)|z(ippuny|oyydxd|jkwlir|hjgwpf)|e(tsaweb|qpkprp)|n(xtgipo|umbuse|rxrsjh)|s(irsize|leihpx|e(abbtw|ktori))|f(laxnap|oxnkni|dfupvv|fmiqdu)|lieweld|o(tspark|bzncjo)|t(r(epair|ickip)|fjorhc|tlipkq|myfibu)|g(enshop|fkcewa|dfrtsx|igabid)|i(qpjftc|ycwiad|krxpow)|q(udmvgj|sxbxbo|qirjqd)|v(geagck|jblyfa|idsave)|r(y(tyiil|jkpcz)|prmzfx|tldvpz)|b(vhbrhu|bashds|jnvjbf)|m(gaaoze|mritli|indser)|x(gqunmt|kvhskm|-demon|wqklrn|oimiix|mhutgu)|d(gxmbor|txwjzh|cobrzz)|h(h(ynbdf|doqoy)|olkhtv|ejxvez)|uiaeyta|axsfosz|j(querys|ektiek))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665724; rev:9;) # sid 2665725 includes 125 (0 - 125) 8 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.org)"; content:"|08|";content:"|03|org|00|";nocase;within: 11;pcre: 
"/(h(o(tshows|urmesh)|amcadet|hvagsmv|jsodwej|yoqqbie)|c(o(netsco|dememx)|lickpot|ellchin|ywuputt|qbswrwh|dgejfdu)|f(ind(tree|reup)|ahqhovc|f(copaih|update)|garoxif)|t(unebask|asteleg|fjhtaez|htivlae|eqlylux|wbicuor)|w(ettrend|ivnwnzg|rbtahfo|lcfxgqo|dilvyqg|spihicq)|b(eandown|zukbclo|rtbslvo)|e(nrolcaw|vermist|kqhgtgs|upufgyh|erabiam|oyrwhom)|g(hat(lend|reds)|oogglle|ksvjlrd|dsmqxaq)|n(estjolt|ufffoit|iazvskp)|o(r(derdid|yatcje)|jisthws|xugntpu|zzhpmgj|f(wecwcb|kymome)|wophcxp|ciaytwk|dpdiutz)|p(entmull|uristar|lay6677|olisvuw)|v(isapeer|zridbco|x(ptgrzq|gdkheg)|ldvwukk)|i(nnentry|iqwfwsx|cwrbqln|gi(hsjjv|nfcwr))|m(kdforce|p(3towav|bbubtw)|gsxdavd|yxxxhot|odgtpng|cgevmkb|nocamel|fsvhrdr)|r(mnoyzzk|qfqaskf)|y(otduykd|yhcrstd|gkyvwyf|kxjybjf)|a(ddflyer|mnppjjy|pqrdymy|urptrtv)|d(bmkyqng|ucktalk|lpyhijl|efapple)|l(qjqnqng|leagfxa|n(eztpeh|picaam)|vhhiysk|ecjwmrg|uwbrvpx)|z(m(lzlhjv|cveeyf)|ujbrwel|eabyvbj)|j(yomxplq|amyarei)|q(cmgyfjw|uzthxal|brjfsxn|orugzep)|u(atpkdop|grxeyss)|k(rzkcvmu|wuxbcge|kujkulu|nyzansf)|s(bl(hgagx|pvocl)|wzechcy|uzivngm)|x(qtmnwlf|gldcyxp|yzpoint))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665725; rev:9;) # sid 2665726 includes 104 (0 - 104) 9 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.org)"; content:"|09|";content:"|03|org|00|";nocase;within: 12;pcre: 
"/(g(amersite|lrmnyawq|cktsmjgc|hitheory)|s(e(rvers01|xysheep|ksporno)|oninkara|chatzlab|dvjbcxoa|wztbevkw|ahmrarfb)|u(pstracks|nduedome|s(heronce|qinvtlr)|ideuixwn|xwxmcibd)|f(ind(e(r(a(co|ts)|d(ea|ir|ow)|sta|unt|wid|yel)|sten)|in(dbi|sid)|rasup|upsot)|angwrath|u(zzoffal|pqlfopx)|cqxgkasc|nbpeople|gameqgry)|r(a(p-dooni|shcrowd)|eflexpan|metxdecg)|t(rashnote|a(intfurl|lkerrun)|ube(omega|chube)|nfgykvqq|ydhlxuwj|tlowiejh)|w(e(danthem|elnbtsj)|a(stefuzz|deco-bg|fjhwlbh)|kbceprce)|a(eroadore|hmedreza)|l(o(wsnooze|dgersow)|e(anspeck|tconsul))|m(a(niashow|shscamp)|odernbin|ythorama|pbduvagz)|bunkscamp|c(omechirp|fcafrica|vaxylxst|molcbcfq)|d(eskoccur|imsadden|jjrxxhwl)|e(yescanty|zlifeinc|nxknlsng)|j(a(rabroad|dsmetas)|ewishdin|xwpwtzso)|k(inoutlaw|nyesfqsb)|n(ullcandy|er-aller)|p(astrydug|o(syhatch|rno-pir)|pfyjkktg|uvhwlgur)|voyagebud|h(ymnrough|tzhrgdvs|edefcafe)|i(dearevel|kuhkwjyd)|otjnznykd|ytmfozwdb|q(xlcwnwte|uvhgmims|tufdxnxa)|zerslwfon|xomphhjjo)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665726; rev:9;) # sid 2665727 includes 1 (0 - 1) 12 character domains in the ".pe" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.pe)"; content:"|0c|";content:"|02|pe|00|";nocase;within: 15;pcre: "/light4brands/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665727; rev:9;) # sid 2665728 includes 1 (0 - 1) 8 character domains in the ".pe" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.pe)"; content:"|08|";content:"|02|pe|00|";nocase;within: 11;pcre: "/hkwytkey/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665728; rev:9;) # sid 2665729 includes 3 (0 - 3) 10 character domains in the ".pl" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.pl)"; 
content:"|0a|";content:"|02|pl|00|";nocase;within: 13;pcre: "/(naajlepsze|meganstyle|bingportal)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665729; rev:9;)
#
# NOTE(review): layout restored to one rule per line. In the collapsed form each
# "# sid ..." comment sat on the same physical line as the rule that followed it.
# The line above is the tail of sid 2665729, whose header is on the previous line
# of the page.
#
# How the .pl / .pro / .pt / .ro rules in this section match:
#   - The first content is one byte, the DNS label-length octet in hex
#     (|0b| = 11, agreeing with "11 chars" in msg).
#   - The second content is the TLD label in wire format: |02|pl|00| is
#     length 2, "pl", then the root terminator. nocase modifies this content.
#   - pcre carries the listed names. It has no anchors and no relative (R) flag,
#     so it is evaluated over the whole payload rather than at the label the two
#     contents located.
# Detection caveats:
#   - A one-byte first content can match anywhere in the packet, DNS header
#     included, and the pcre alternatives are substring matches. Three-character
#     patterns such as /345/i (sid 2665737) and /pw2/i (sid 2665749) can
#     therefore alert on unrelated lookups in the same TLD; treat hits as leads
#     to triage, not as confirmed infections.
#   - within is always label length + 3, while a two-letter TLD content is
#     4 bytes and |03|pro|00| is 5 bytes. If the engine requires the whole second
#     content to fit inside the within window, the window is 1 byte (2 for .pro)
#     short for the intended name.
#     TODO confirm by replaying a capture of a listed name through the sensor.
#   - Scope is UDP/53 towards $DNS_SERVERS from sources outside $SMTP_SERVERS
#     and $DNS_SERVERS. DNS over TCP, or queries sent to resolvers that are not
#     in $DNS_SERVERS, are not inspected by these rules.
#
# sid 2665730 includes 2 (0 - 2) 11 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.pl)"; content:"|0b|";content:"|02|pl|00|";nocase;within: 14;pcre: "/(polskiesuki|woprozorkow)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665730; rev:9;)
# sid 2665731 includes 1 (0 - 1) 12 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.pl)"; content:"|0c|";content:"|02|pl|00|";nocase;within: 15;pcre: "/pracawdanone/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665731; rev:9;)
# sid 2665732 includes 4 (0 - 4) 13 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.pl)"; content:"|0d|";content:"|02|pl|00|";nocase;within: 16;pcre: "/(niska-skladka|zsritpowodowo|league-dreams|bodyarchitect)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665732; rev:9;)
# sid 2665733 includes 1 (0 - 1) 14 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.pl)"; content:"|0e|";content:"|02|pl|00|";nocase;within: 17;pcre: "/parafiawinnica/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665733; rev:9;)
# sid 2665734 includes 1 (0 - 1) 16 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.pl)"; content:"|10|";content:"|02|pl|00|";nocase;within: 19;pcre: "/aptekadlakazdego/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665734; rev:9;)
# sid 2665735 includes 2 (0 - 2) 18 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.pl)"; content:"|12|";content:"|02|pl|00|";nocase;within: 21;pcre: "/(literaturajestsexy|kredyty-sygma-bank)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665735; rev:9;)
# sid 2665736 includes 1 (0 - 1) 19 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.pl)"; content:"|13|";content:"|02|pl|00|";nocase;within: 22;pcre: "/katalogowaniereczne/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665736; rev:9;)
# sid 2665737 includes 1 (0 - 1) 3 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.pl)"; content:"|03|";content:"|02|pl|00|";nocase;within: 6;pcre: "/345/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665737; rev:9;)
# sid 2665738 includes 3 (0 - 3) 6 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.pl)"; content:"|06|";content:"|02|pl|00|";nocase;within: 9;pcre: "/(3gplay|izorem|ekonta)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665738; rev:9;)
# sid 2665739 includes 3 (0 - 3) 7 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.pl)"; content:"|07|";content:"|02|pl|00|";nocase;within: 10;pcre: "/(realpay|zsmokre|mastynk)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665739; rev:9;)
# sid 2665740 includes 3 (0 - 3) 8 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.pl)"; content:"|08|";content:"|02|pl|00|";nocase;within: 11;pcre: "/(a(ugustow|waplast)|time4men)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665740; rev:9;)
# sid 2665741 includes 2 (0 - 2) 9 character domains in the ".pl" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.pl)"; content:"|09|";content:"|02|pl|00|";nocase;within: 12;pcre: "/(darkwarez|pznpolice)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665741; rev:9;)
# sid 2665742 includes 1 (0 - 1) 12 character domains in the ".pro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.pro)"; content:"|0c|";content:"|03|pro|00|";nocase;within: 15;pcre: "/extremesteel/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665742; rev:9;)
# sid 2665743 includes 1 (0 - 1) 13 character domains in the ".pt" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.pt)"; content:"|0d|";content:"|02|pt|00|";nocase;within: 16;pcre: "/geocacherzone/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665743; rev:9;)
# sid 2665744 includes 1 (0 - 1) 10 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ro)"; content:"|0a|";content:"|02|ro|00|";nocase;within: 13;pcre: "/vivasportt/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665744; rev:9;)
# sid 2665745 includes 2 (0 - 2) 11 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ro)"; content:"|0b|";content:"|02|ro|00|";nocase;within: 14;pcre: "/(mastertuner|spack-hotel)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665745; rev:9;)
# sid 2665746 includes 2 (0 - 2) 14 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.ro)"; content:"|0e|";content:"|02|ro|00|";nocase;within: 17;pcre: "/(buletindeprima|flexi-training)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665746; rev:9;)
# sid 2665747 includes 1 (0 - 1) 20 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.ro)"; content:"|14|";content:"|02|ro|00|";nocase;within: 23;pcre: "/investigatii-private/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665747; rev:9;)
# sid 2665748 includes 1 (0 - 1) 21 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.ro)"; content:"|15|";content:"|02|ro|00|";nocase;within: 24;pcre: "/curatenie-intretinere/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665748; rev:9;)
# sid 2665749 includes 1 (0 - 1) 3 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.ro)"; content:"|03|";content:"|02|ro|00|";nocase;within: 6;pcre: "/pw2/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665749; rev:9;)
# sid 2665750 includes 3 (0 - 3) 4 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.ro)"; content:"|04|";content:"|02|ro|00|";nocase;within: 7;pcre: "/(4tor|ledz|12am)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665750; rev:9;)
# sid 2665751 includes 1 (0 - 1) 5 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ro)"; content:"|05|";content:"|02|ro|00|";nocase;within: 8;pcre: "/ismb2/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665751; rev:9;)
# sid 2665752 includes 1 (0 - 1) 6 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ro)"; content:"|06|";content:"|02|ro|00|";nocase;within: 9;pcre: "/fercon/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665752; rev:9;)
# sid 2665753 includes 4 (0 - 4) 7 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ro)"; content:"|07|";content:"|02|ro|00|";nocase;within: 10;pcre: "/(clickpc|nejucam|fxprint|webprof)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665753; rev:9;)
# sid 2665754 includes 1 (0 - 1) 8 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ro)"; content:"|08|";content:"|02|ro|00|";nocase;within: 11;pcre: "/lovesite/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665754; rev:9;)
# sid 2665755 includes 2 (0 - 2) 9 character domains in the ".ro" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ro)"; content:"|09|";content:"|02|ro|00|";nocase;within: 12;pcre: "/t(op59serv|urtlebox)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665755; rev:9;)
# sid 2665756 includes 88 (0 - 88) 10 character domains in the ".ru" top level domain
# (the pcre value of this rule continues on the next line of the page)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ru)"; content:"|0a|";content:"|02|ru|00|";nocase;within: 13;pcre: 
"/(wi(ndkodexp|kewikusl)|i(jsikjgbsg|tchy(clock|sauce)|n(timgsave|et-poisk))|j(i(jiouurnq|nomarket)|upaizeuph)|l(kjdmvkkdm|amedicina|inotstroy)|v(svsdvdvsd|iperheart)|m(yccleaner|o(del-seil|tionritm)|u(stgoonax|naeghohz)|ikkimouse|edika-vrn)|t(hpkmlnuzc|elki-2010)|b(i(osolyara|tterpill)|r(edosaita|ikinvest))|x(xxporno4u|oophafiel|lamonline)|e(vromonter|epeohothe|nrgosfera|bpopemoht|dvigainfo)|p(upkovinka|apertulip|lantlunch|refs-save|e(rgamment|ter-safe))|s(taticplan|ecaviable|o(rnyaki23|ft(-hight|wareid)|ulmonety)|martcheat|p(a(rk-send|s-print)|litflash)|afe-items|uppercook)|youngmetal|k(umatoznik|lmservice)|38secretov|cherrychat|f(l(yshopear|oranimal)|aterininc|eed-large)|r(unnystorm|ickstudio)|g(etalllots|hosttrick|oozysteal|afa-senda)|d(ark-stone|igi-check)|a(bsolutapp|gurinul12|picontrol)|nahwisohch|h(o(perjoper|tlinking|ldorgold)|er(e(rxzone|zonerx)|oes2008))|queenchair|op(era(4mini|plus5)|timizzzm)|z(vezdavsem|one(hererx|rxhere)))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665756; rev:9;) # sid 2665757 includes 75 (0 - 75) 11 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ru)"; content:"|0b|";content:"|02|ru|00|";nocase;within: 14;pcre: 
"/(j(qjqjqzxcbv|imm-master|etcrafting)|s(i(implesale|tyshoping)|ummerbonus|fkdhjnsfjg|dkjgndfjnf|p(iritgrass|acingcell)|e(rokfukisp|cureguard)|msoboroten|o(ftmarkets|lidcursor)|toragesafe|ave-intimg|ynapsetest)|a(llowupdate|bsolut-app|nswerfloat|irlinedesk)|m(oneyracing|a(ny(all-get|getlots)|ke(mealive|themdie)))|b(ambulka221|luepillsrx|estsoftics|illiardniy)|i(n(sane-trip|uriwporno)|komnda1977|magedumper)|g(oodfishing|erku-munka)|newmyguests|d(o(wncontent|meafavour)|uffiduffid|rookinabra|igi-client)|f(orsalga102|twtogether|lowerdomax)|o(ilsintetyc|ff2off4sea|pera(4youme|77mini|mini6a)|nline(-vest|items))|you-want-me|c(akerecipes|ooltruling|kjsfhlasla|ruelsummer|serimankra|feedlingpa)|qwant-teory|e(build-auto|nmakrostov)|here(-(rxzone|zonerx)|rx-zone|zone-rx)|toprusgirls|rioamazonas|wismartsity|uperproomgh|zone(-(hererx|rxhere)|here-rx|rx-here))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665757; rev:9;) # sid 2665758 includes 70 (0 - 70) 12 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ru)"; content:"|0c|";content:"|02|ru|00|";nocase;within: 15;pcre: 
"/(m(uchachoslot|a(nyallpoisk|il2message)|obile-mamba|ediawhoerax)|a(ll(owcompany|-manyfind|find-file|lots-file)|uto-kitchen|ctivecinnex|boutconvert|wardspacing)|uvelichcheln|b(latundalqik|ellicbridge|yid-element)|f(lo(rianarray|at-answer)|i(le(-fileall|filesall|sgetfile)|nd(houseget|lotsfile))|ollowmego12)|l(iberty-live|o(tsget-find|cationlook)|abrador2011)|s(afebrowsing|earchallget|t(uffget(find|lots)|ervyatniks|artmassage)|kykeyboard2|hortcuticon|onymaind20k)|de(posi(ftiles|tpeter)|sk-airline|rezivmorda)|getfileslots|v(ermondprime|illiam-grea)|k(oletrezzo44|remlinhotel)|p(r(o(gramssafe|tectholes)|aktikaljox)|lastic(spark|alsex))|h(olesprotect|eppishopdrm)|e(gnom-omitec|commerceone)|c(o(n(vertabout|trolcheck)|ajsfooioas|jsdhfhhlsl)|kolmadiiasf)|o(peramini-(ee|qq|rr|tt|ww)|nline-items)|job13journal|quakearena32|nalezivmordu)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665758; rev:9;) # sid 2665759 includes 124 (0 - 124) 13 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.ru)"; content:"|0d|";content:"|02|ru|00|";nocase;within: 16;pcre: 
"/(j(fdhbhfbfdbfd|ustingyellow)|s(johvoshbshbs|uper(gameking|kinggame)|imulatormage|e(condconcert|ndqueriesax)|t(eel(cinetecs|tracking)|uff-getfi(nd|le)|ylesheethas|a(teshortcut|plescratch))|ho(koladdeath|rtcut-icon)|ystemscanner|park-plastic|amsonikonyou)|a(ctualnetwork|ll(ow-company|-houselots|find-files)|xeswizardepx|viableupdate)|c(o(m(pan(yupdate|ian-usa)|bi-justing)|n(t(rol-(parts|check)|ainerfeat)|gatarcxisi)|olwebzuzuzu|x-container)|desikasktopt|goosjjdopola|uqwuuiwrnmfo|poodsangbkia)|g(ame(kingsuper|superking)|e(tarchivfile|n(ius-memory|erationbox))|sm-sattelite)|king(gamesuper|supergame)|p(o(werprogramm|rnojurnal4u|iskfile-all)|r(o(grammpower|vider(large|-feed)|tect-holes)|ime-vermond)|lasticinetec)|r(xmedsmedical|outerstructo)|be(ryvsexnasex|tternewyear)|d(ropweight(web|you|a(pp|rt)|b(ox|uy)|c(ar|om)|fun|job|net|pro|red|sex|t(he|op))|atacricketuf|zmeritelshop|oofyonmycolg)|o(rgiyanadnuhe|pera(-mini-(h(d|q|x)|mb|vb|x(d|l)|zx)|bestmini))|e(speradooptic|ndohirurg-kb|verkosmo2012)|f(l(ashpokerist|yghtairline)|i(le(-(gethouse|manylots)|filefiles|get-poisk|s-fileget)|nd(poiskfile|filehouse|-allhouse))|ocustemplate)|m(a(ny(-filesget|file(files|poisk))|croscomfort)|o(ment-getall|ney(keep2011|mgmt2011))|emoryeternal|ulti-service)|l(argeprovider|osokorot7621)|networkteaser|t(ourscontract|ixuanabridge)|white-billing|h(ouselots-all|altermancelo)|uklopandaberk|vkontakte-1-1|xisicongatarc|izmeritelshop)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665759; rev:9;) # sid 2665760 includes 128 (0 - 128) 14 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.ru)"; content:"|0e|";content:"|02|ru|00|";nocase;within: 17;pcre: 
"/(z(hopaseksporno|erberzerberze)|yomwarayom2001|a(ct(ual-network|ivationcode)|ll(-findmoment|archivpoisk|poisk-stuff)|rchiv(-manyget|allhouse)|tlantawadding)|b(onus-discount|esplatnocutuh)|c(o(nnectionfast|mpanyairline|psdifbnsasdf)|zechmoney2011|golidaofghjtr|po(kemnothviik|jkjfhotzpod)|kjhasbybnhdjf|ruikdfoknaofa|jiahkhklflals|e(ntalhospital|rberzorberhu))|p(o(wer-programm|isk(-(fi(lefile|nd-get)|manyfile)|stuff-all)|pspostenkple|rosenokpetya)|ro(gramm-power|tect-secure|fitkilobics)|h(armacymedsrx|oneajoystick)|e(llicslotersa|ace-security)|attinsondaily|lastpromcentr)|t(imeconnection|e(aser-network|stnosecurity)|olkachevphoto)|f(i(le(-(housemany|file-find|getsearch|many-file|poisk-all)|s(-(file-all|get-find)|findhouse|tuffhouse))|nd(-(many-file|filefiles)|searchfile|file-stuff))|e(dikankamolns|at-container))|s(e(xmnogoo4enru|a(rch(file-all|lotsfile)|woljoystick))|kypedownload1|tuff-gethouse|isfshsdofhidd)|d(ropweight(auto|b(est|l(og|ue)|ook)|code|free|game|ho(me|st)|info|l(i(fe|nk)|ove)|news|d(ata|eal)|s(hop|ite|oft|tar)|tech)|artzofmybpull|oosdkdkjsjdfo)|g(ostivkontakte|e(t(-file-poisk|moment(house|poisk)|stuff-files)|neralstation)|ames-and-soft)|l(ots(file-files|poiskhouse|search-get|-(all-house|filestuff))|ampapomontage)|m(any(archiv-all|filemoment)|omentfile-all)|n(aughtywifepal|e(wsoftwareltd|twork-teaser))|o(m-interactive|p(era-mobileru|iumdlanaroda))|enabler-actris|vidimacontract|h(ouse(-filelots|get-stuff|lotspoisk|momentget)|untersamplifi)|r(o(ad12street12|manristories)|ehandntersfee)|j(amesbondajent|okerbatmannow)|xisi-congatarc|wiskonsintpara|uiwewsecondary)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665760; rev:9;) # sid 2665761 includes 105 (0 - 105) 15 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.ru)"; content:"|0f|";content:"|02|ru|00|";nocase;within: 18;pcre: 
"/(c(heckservicenow|a(rd-activation|sk(jfhlkaspsfg|fhasaoipvma)|oodntkioaojdf)|nnvcnsaoljfrut)|g(igpornoforfree|ame-(king-super|super-king)|et-(files-poisk|search(-file|house))|radient-header)|s(osutstudentxxx|u(per-(game-king|king-game)|mgankorobanns)|e(arch(-file-get|archivget|file-file)|curytycheckme)|a(fe(nesscontent|itemsrefill|refillitems)|maragotodokns)|t(uffarchivlots|ation-general))|trihuyavzadnizu|veryhotxxxporno|k(ing-(game-super|super-game)|avabangastudio|rjjfgzzzooooem)|r(xdietpillsmeds|e(lax-tropicana|funadositol15))|d(ropweight(video|world|g(ames|reen)|m(edia|oney|usic)|photo|s(mart|tore))|sakhfgkallsjfd|inamitbtzusons|phsgdfisgdfsdf|hjhgfkjsldkjdj)|l(o(oseweightfast|ts(search-find|-archiv-all))|ensesproducing|aboratorypeace)|f(alcononfly2006|i(le(-(all-(moment|search)|file-stuff|get-moment|lots-poisk)|archiv-file|s(-searchall|find-house|tuff-poisk))|nd-file(moment|sstuff)))|m(a(ny(-all-moment|archivstuff|stuff-house)|mtumbochka766)|oment(-(manylots|stuffall)|lotsstuff|searchget)|y-google-files)|a(ll(-(filessearch|getdownload)|archivsearch|stuff-moment)|mourcollection|rc(hivstufffile|oconstalling)|ctivation-card|ssistant-first)|p(oisk(-filehouse|filesearch)|r(ofit-kilobics|estigious-job))|e(asycontrolling|misacbannortim)|h(idemyfass87111|o(use(poisk-find|-file-lots)|roshovsebudet))|biznesturizm148|w(inbatch-matlab|orkathomedaily)|qimaysadaliachu|o(pera-mininokia|nline(-(itemsmed|meditems)|items-med))|upjachkajasamns|zolindarkksokns)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665761; rev:9;) # sid 2665762 includes 134 (0 - 134) 16 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.ru)"; content:"|10|";content:"|02|ru|00|";nocase;within: 19;pcre: 
"/(v(e(nkasexisdeffki|ronikapornosex)|id(osx(nx-freex(4e|2(b|g)|3b)|xx-freex1a|cx-freex2c|mx-freex2b)|eox(xx-freex3e|nx-freex(4a|3h)|cx-freex2e|mx-freex1b))|jcuiqecxaomkytb|zhpiaswhqlswkji)|bedownloader2011|e(wingparkbmx2011|oicszuwkjskhvki)|a(ctualconnection|ll-(archivsearch|house-search|stuff-search)|rchivsearchlots|xwiyyfbraskytvs|nidgwelnidmzueo|opltfxjzsppylfh|uvqjghelyqwtfsu|ygrpumrlmymcwkh|manarenapussyns)|p(c-international|harmacydrugsite|o(r(kax(mx-freex(1c|3(f|g)|4e)|xx-freex(5f|3g)|cx-freex(5a|3c)|nx-freex2b)|nox(cx-freex(1e|5g)|mx-freex5h))|isk(-find-stuff|archiv-file))|aybucksinternet|lacecollocation|trzfugnwoqbboof)|d(ropweight(travel|health|mobile|online|search|d(esign|omain))|ownloadfilesget|nvfodooshdkfhha|ebiudlasduisioa)|r(averuporevotrax|gbjgaofrilwygvh)|m(a(mkidayutvpopku|ny-archiv-file|rketingvillage|piuigjtnafzcnu)|o(ment-(file-find|housefind)|nikabestolucci)|ceglkuyhzvzjxbj|jlutogeawadmrya)|fi(rewallmakeover|le(-moment-find|s-house-lots)|nd(filedownload|-archiv(-file|poisk)))|l(otsarchivsearch|zngllvmrbwdcpha|wzyzsqkhjkqhomc)|s(oft-corporation|e(arch(momentfile|stuffpoisk)|rebrokakzoloto)|t(uff-poiskhouse|egqpjuvwqvlmvj)|k(ingsystems2011|jwysujlpedxxsl)|afe(-(itemsrefill|refillitems)|items-refill|refill-items)|ppylfhauvqjghel)|g(et-downloadfind|tkwqrzvjshxuvle)|h(ouse-(all-search|stuff-file)|birjhcnsuiwgtrq|jpyvexsutdctjol|mvmgywkvayilcwh)|n(ew-mobile-skype|oaztytswxyccnkj|woqbboofsbhqgqp)|i(rexsystems2011a|wexgsismxsdvyfu)|q(tdlnxbqfohcpwft|ntckhiedetxhdyq)|t(aqlftbbztqnyngq|wyzxhwpluclcqcj)|w(bgguucrbkrkjftn|fyusepaxvulfdtn|iwwkvjkinewgycb|yggrgrlaewoaecg)|x(kwjkbfpftrtdcrf|vmzegestulhtvqz|injevgcdfddgrct|s(dvyfuaopltfxjz|opiisvvajushgd)|yccnkjufwagtlyy)|k(amarovoskorlovo|hjkqhomcmapiuig|jykbubgadkfnoyw|zyimlghktuuzzgz)|c(iontooabgooppoa|kpmgcdlsidwsdno|soaspfdpojuasfn|gunikqakklsdpfo)|jtnafzcnuyiqrrkr|o(hnubbhwjtzihdka|pera11-download)|u(fwagtlyyptrzfug|iixjwxqqbaowfuz)|y(iqrrkriwexgsism|ljlkjsxdsvtkygo|qwtfsunoaztytsw))/i"; 
classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665762; rev:9;) # sid 2665763 includes 67 (0 - 67) 17 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.ru)"; content:"|11|";content:"|02|ru|00|";nocase;within: 20;pcre: "/(t(raxnochyustudent|estme(forsecurity|4secureetee))|ru(nescapegpge2011|kobludsostazhem)|i(nternet-safeness|tisagooddaytodie)|k(lubni4kaporkaxxx|roshkidlahlebans)|vid(eox(mx-onlina(4b|3e|5g)|xx-onlina1c|cx-onlina1b|nx-onlina2d)|osx(cx-onlina5a|mx-onlina1(e|h)|nx-onlina2e))|d(ropweight(hosting|digital)|ownload(-files(all|get)|lotshouse)|aliachuuaroyalys|eliveaygrpumrlmy)|p(o(r(nox(mx-onlina5(c|h)|xx-onlina3g|cx-onlina(3b|1c)|nx-onlina(2h|3a))|kax(nx-onlina(1e|3b|2f)|mx-onlina3g))|isk-moment-find)|ullespacex-filez)|mo(ment(archiv(house|stuff)|downloadall)|bile-mail-agent)|a(rchiv-(all-moment|find-house|stufffiles)|dvertisingteaser)|get-file-download|lots-(momentsearch|poisk-moment)|c(apsule-terrabyte|o(nfig-connection|lcone-marketing)|hange-onmouseout|jjasjjikooppfkja|ruoinaikklaoifpa)|file(housedownload|s-(alldownload|searchstuff))|o(ffice-settlement|pera-miniandroid)|st(uff-momentpoisk|ylesheet-record)|uaroyalysdaliachu|bannortim-qimulta|nogasrakixerosima|helpofinthemisned)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665763; rev:9;) # sid 2665764 includes 242 (0 - 242) 18 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.ru)"; content:"|12|";content:"|02|ru|00|";nocase;within: 21;pcre: 
"/(g(enerationsecurity|izosuxwpeujnykjye|helyqwtfsunoaztyt|jtnafzcnuyiqrrkri|qpjuvwqvlmvjkzyim|sismxsdvyfuaopltf)|s(e(cur(itygeneration|enetsolutions)|arch-poisk-house)|hkollnitsiebutsya|qkhjkqhomcmapiuig|amanodejannyjpins|ismxsdvyfuaopltfx|wxyccnkjufwagtlyy)|m(edsdrugstorepills|a(ny(-downloadpoisk|download-files)|piuigjtnafzcnuyi)|oment-(downloadget|poisksearch)|gcdlsidwsdnolwzyz|vkrxumvbedbouiyfh|c(mapiuigjtnafzcnu|wkhanidgwelnidmz)|xsdvyfuaopltfxjzs)|t(abletsrxdrugstore|f(xjzsppylfhauvqjg|sunoaztytswxyccn)|rzfugnwoqbboofsbh|ytswxyccnkjufwagt|qzxbdrfodwozmefhx|lyyptrzfugnwoqbbo)|o(dnoklasssosut4len|rganizationlenses|aztytswxyccnkjufw|fsbhqgqpckpmgcdls|uiixjwxqqbaowfuzk)|f(il(mspornoxxxsexru|e(-find-download|download-stuff|spoiskdownload))|s(bhqgqpckpmgcdlsi|unoaztytswxyccnk)|zcnuyiqrrkriwexgs|hauvqjghelyqwtfsu|ugnwoqbboofsbhqgq|wagtlyyptrzfugnwo)|p(o(r(nox(nx-(conline(3a|1g|2d)|onlinee(5a|2d))|mx-(onlinee(1d|3g|5a)|conline5h)|cx-(conline1e|onlinee5c)|xx-onlinee5(b|d))|kax(mx-conline(3b|1h|4f)|cx-onlinee5(f|a)|nx-(onlinee(4h|1h)|conline(4a|5d))|xx-conline2(a|c)))|isk(archiv-moment|downloadfiles))|ktxicvoszqoamyduo|ylfhauvqjghelyqwt|ckpmgcdlsidwsdnol|hataqlftbbztqnyng|iuigjtnafzcnuyiqr|mgcdlsidwsdnolwzy|pylfhauvqjghelyqw|trzfugnwoqbboofsb)|d(ropweight(business|creative)|ownload(poiskfiles|stuff-find)|eposit-consulting|ynamiccertificate|ivstyleonmouseout|a(liachu-uaroyalys|ngerantiddosload)|dgrctkhjkqhomcmap|wsdnolwzyzsqkhjkq|lsidwsdnolwzyzsqk|nolwzyzsqkhjkqhom|vyfuaopltfxjzsppy|xxsllzngllvmrbwdc)|v(id(eox(cx-(onlinee(4c|5e)|conline5a)|xx-(conline(2b|1c)|onlinee1h)|nx-(onlinee(3(h|f)|1c|2b)|conline2e)|mx-onlinee4b)|osx(xx-(conline(1a|2b)|onlinee3f)|mx-(onlinee3g|conline5e)|cx-(conline(2h|3a)|onlinee2c)|nx-(conline(2a|3d|4d)|onlinee(1g|2f))))|aopxjiaphevkfpqdo|haygrpumrlmymcwkh|qjghelyqwtfsunoaz|oszqoamyduotqzxbd|jkinewgycbhbirjhc|kimjlutogeawadmry|yfuaopltfxjzsppyl)|b(razilianmoney2011|gadkfnoywgtkwqrzv|oofsbhqgqpckpmgcd|boofsbhqgqpckpmgc)|c(o(mmunityspace2911|nnecti
on-masters)|parabnormapoopdsf|yiykeaaumwxqjftwi|kpmgcdlsidwsdnolw|lfarkpktxicvoszqo|iasamkbnavtknxiko|cnkjufwagtlyyptrz|dlsidwsdnolwzyzsq|nuyiqrrkriwexgsis|xaomkytbmceglkuyh)|l(ots(downloadmoment|-downloadstuff)|ensesorganization|sidwsdnolwzyzsqkh|y(yptrzfugnwoqbboo|qwtfsunoaztytswx)|aewoaecgrgbjgaofr|fhauvqjghelyqwtfs|ghktuuzzgzwyggrgr|tfxjzsppylfhauvqj|wzyzsqkhjkqhomcma)|a(rchiv(moment-poisk|search-stuff)|aumwxqjftwiaidvfk|camacookldaurglbh|ecgrgbjgaofrilwyg|g(tlyyptrzfugnwoqb|uerotikaahotporn)|idvfkclfarkpktxic|myduotqzxbdrfodwo|nidgwelnidmzueoyl|opltfxjzsppylfhau|fzcnuyiqrrkriwexg|qntckhiedetxhdyqo|skytvsskjwysujlpe)|i(manuilletapchenko|smxsdvyfuaopltfxj|uigjtnafzcnuyiqrr|dwsdnolwzyzsqkhjk|qrrkriwexgsismxsd)|exgsismxsdvyfuaopl|h(auvqjghelyqwtfsun|dylanfzmfngwbwxnc|elyqwtfsunoaztyts|n(gajjkuknzwdliqfj|ubbhwjtzihdkaste)|omcmapiuigjtnafzc|jkqhomcmapiuigjtn|qgqpckpmgcdlsidws)|j(bznsadolgrgrlaewo|fhxihwykiuwfknoni|k(qhomcmapiuigjtna|bfpftrtdcrfqtdln)|lkjsxdsvtkygouiix|shxuvlexinjevgcdf|tnafzcnuyiqrrkriw|ufwagtlyyptrzfugn|wxqqbaowfuzkjykbu|ykbubgadkfnoywgtk|zsppylfhauvqjghel)|k(blqegxrumlsrefvmb|riwexgsismxsdvyfu|hjkqhomcmapiuigjt|j(ftneoicszuwkjskh|ufwagtlyyptrzfug))|n(gdvmtwodjjuovsnfj|o(lwzyzsqkhjkqhomc|aztytswxyccnkjuf)|uyiqrrkriwexgsism|afzcnuyiqrrkriwex|suiwgtrqaxwiyyfbr|woqbboofsbhqgqpck)|q(gqpckpmgcdlsidwsd|jftwiaidvfkclfark|rrkriwexgsismxsdv|wtfsunoaztytswxyc|bboofsbhqgqpckpmg|homcmapiuigjtnafz|pckpmgcdlsidwsdno|vzhpiaswhqlswkjit)|r(djdykfceprrqihpcm|fodwozmefhxcyiyke|gglvwyzevqeijgnvm|kriwexgsismxsdvyf)|w(oqbboofsbhqgqpckp|xyccnkjufwagtlyyp|agtlyyptrzfugnwoq|exgsismxsdvyfuaop|qrzvjshxuvlexinje|yzxhwpluclcqcjxkw|zyzsqkhjkqhomcmap)|x(sdvyfuaopltfxjzsp|bqfohcpwftvjcuiqe|jzsppylfhauvqjghe)|y(fuaopltfxjzsppylf|hbyqwmrtqxvmpryon|ccnkjufwagtlyyptr|iqrrkriwexgsismxs|qwtfsunoaztytswxy|ala-entertainment)|u(gnwoqbboofsbhqgqp|sepaxvulfdtnwiwwk|aopltfxjzsppylfha|eoyljlkjsxdsvtkyg|noaztytswxyccnkju|vqjghelyqwtfsunoa)|z(fugnwoqbboofsbhqg|sqkhjkqhomcmapiui|tytswxyccnkjufwag
))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665764; rev:9;)
# NOTE(review): the line above is the tail of the sid 2665764 rule, which starts on the
# preceding physical line; the last line of this group is likewise the first half of
# sid 2665775. A rule wrapped across lines without a trailing backslash is normally
# rejected by the Snort rule parser - rejoin the halves before loading.
#
# How to read the generated rules below: each alerts on a UDP packet to $DNS_SERVERS port 53
# that contains (1) a byte equal to the label length named in the comment, (2) the bytes
# |02|ru|00| inside the window set by "within", and (3) a case-insensitive pcre hit on one
# of the listed labels.
# NOTE(review): msg only carries the label length and TLD ("DNS lookup 19 chars (.ru)"),
# not the label that matched; triage needs the packet or resolver logs to tell which of
# the alternatives was actually queried.
# sid 2665765 includes 24 (0 - 24) 19 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.ru)"; content:"|13|";content:"|02|ru|00|";nocase;within: 22;pcre: "/(d(iamondexchange2011|ropweightmarketing|olcekomarenoro2011)|generation-(internet|security)|p(rogrammengineering|ornoclub4upornosex|hilippinemoney2011)|o(gromniypornoarchiv|fficial-opera-mini|n(linesecurytytests|mouseout-divstyle))|c(b-google-analytics|c-google-analytics|e-google-analytics|f-google-analytics|heat-downloader-s1)|momentdownload-lots|archivstuffdownload|laboratory-security|s(ecurity-laboratory|trictly-prohibited)|xspisokdomenidgmens|finans-group-global)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665765; rev:9;)
# sid 2665766 includes 14 (0 - 14) 20 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.ru)"; content:"|14|";content:"|02|ru|00|";nocase;within: 23;pcre: "/(s(uperxxxpornotraxsex|tarting-collocation|canforsecurytyholes)|claytabletsdrugstore|downloadhouse-moment|a(rchiv(downloadsearch|momentdownload)|ccredit-information)|file(-(moment-download|search-download)|smoment-download)|prohibitedhotlinking|windowslivemessenger|ilwygvhuigjtnafzcnuy)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665766; rev:9;)
# sid 2665767 includes 8 (0 - 8) 21 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.ru)"; content:"|15|";content:"|02|ru|00|";nocase;within: 24;pcre: "/(megaarchivschoolporno|watchfamilyguynow2011|download(-search-house|moment-search)|c(ertificatecontroller|ontrollercertificate)|background-stylesheet|xstriokeneboleeodgons)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665767; rev:9;)
# sid 2665768 includes 1 (0 - 1) 22 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.ru)"; content:"|16|";content:"|02|ru|00|";nocase;within: 25;pcre: "/archiv-search-download/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665768; rev:9;)
# sid 2665769 includes 3 (0 - 3) 23 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.ru)"; content:"|17|";content:"|02|ru|00|";nocase;within: 26;pcre: "/(medichealthprescription|pharmacybuyprescription|jokerthelrerkomitunglat)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665769; rev:9;)
# sid 2665770 includes 1 (0 - 1) 24 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 24 chars (.ru)"; content:"|18|";content:"|02|ru|00|";nocase;within: 27;pcre: "/pharmacyfitnessdrugstore/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665770; rev:9;)
# sid 2665771 includes 9 (0 - 9) 3 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.ru)"; content:"|03|";content:"|02|ru|00|";nocase;within: 6;pcre: "/(s0r|c36|0bq|8jl|vli|9iy|jr9|w2c|dlz)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665771; rev:9;)
# sid 2665772 includes 1 (0 - 1) 32 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 32 chars (.ru)"; content:"|20|";content:"|02|ru|00|";nocase;within: 35;pcre: "/drugtoreprescriptionmedspharmacy/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665772; rev:9;)
# sid 2665773 includes 18 (0 - 18) 4 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.ru)"; content:"|04|";content:"|02|ru|00|";nocase;within: 7;pcre: "/(o(gff|kcd|opk)|3njx|c(b3f|nld|lck)|j(uc8|ad3)|locm|nbh3|vj64|sdex|99ip|hr00|2sms|0354|q6dl)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665773; rev:9;)
# sid 2665774 includes 63 (0 - 63) 5 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.ru)"; content:"|05|";content:"|02|ru|00|";nocase;within: 8;pcre: "/(dgamb|a(rhyv|aqam|zond)|c(ounv|liqe|jgyy|haya)|l(uyto|oopk)|b(ktpm|r(zvw|ute)|eyry|tbtb|a(beq|faf)|io-v|laxa)|e(jjeh|k(abu|sip))|f(eocr|fvig|rwmy)|gpnwo|hdogm|i(dbxa|psma|op(c4|oe))|j(akfw|blii|hiye|mwbr|etp6)|m(vtnd|ekey|tc-a)|r(izvs|uear)|u(wpkx|eur3)|w(igme|aper)|x(q(fom|kjv)|yndi)|z(dvbv|gswi|o(jzk|nja)|pbko|yvwh)|n(etr2|ucop)|s(wall|taus)|81dns|k(lerk|roft)|p4you|4g3n7)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665774; rev:9;)
# sid 2665775 includes 374 (0 - 374) 6 character domains in the ".ru" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ru)"; content:"|06|";content:"|02|ru|00|";nocase;within: 9;pcre: 
"/(xcarma|k(anika|ygalu|ey(dad|rim)|i(d(egg|m(ap|ic)|peg|axe)|mvus))|s(ibnet|a(x(e(ye|gg|lf)|ink)|rkki|tmer)|e(agum|ebun|d(axa|xan))|kysum|o(d(jar|t(ea|ap)|dot|leg)|n(bar|hog|mat|t(ax|ea)|lip)|moda)|palid|u(m(bus|pad|sod|egg)|blip|n(egg|leg)))|b(u(ro47|n(gut|sum|tab)|gear|sdot)|a(g(gum|mug)|r(ham|tar)|t(ear|ray|gas)|ypan|mosa|aoas)|e(d(mic|sky|amp|ego)|rjke)|i(n(day|sax)|t(ice|sea))|o(g(gas|zoo|pod)|x(fad|lid)|y(bug|rag|son))|ro100|ysteb)|e(xfile|ar(ham|leg|ink)|g(g(a(nt|rm)|bed)|o(a(rm|xe|ir)|mud|dye))|l(fbay|emix|hior)|ye(key|rib|ute)|n(fort|plan)|monov)|a(ct(p(ub|ot)|yak|mud|bus|ris)|ir(axe|sas)|l(e(pad|cat)|lpup)|mp(ale|wax|y(ou|ak)|law|zoo)|rm(car|law)|nthat|shpit|a3bqc|d9bja)|c(a(n(mob|sax|gun|tax)|r(tea|you)|t(can|ego|wit))|ow(elf|fox|lid|zit|guy|pan)|up(a(ct|rm)|bun|gin|sun|car|elf)|iscoc)|d(ad(net|toe)|e(wjar|ntsp)|o(g(p(en|it)|jar)|t(bog|pod))|ye(bat|cup|rim|dog)|rakan)|f(a(d(b(un|ed)|mug|oil|paw)|n(ice|men|pot|gap|row|tea)|tgas|bboy)|ox(ale|rim|zit|pup)|ungin)|g(a(l(hog|mom)|p(sky|zoo|lab|rip)|sp(an|up)|btan)|in(map|dad)|u(m(dad|pen|tub)|n(bog|you|dew)|t(egg|row|you|ice)|y(bot|fox|p(al|ub)|tip))|00gl3)|h(a(mbag|t(yak|dot)|ndmy)|it(ink|ant|peg)|og(ant|elf)|ererx)|i(ce(mum|pot|hog)|nk(air|oil|ion)|on(dye|gap|wax|yak|pit)|-know)|ja(r(boy|key|s(ky|ax|un))|m(kim|vus)|vlam)|l(ab(dot|peg|tin)|eg(fox|tie)|i(tfox|dlip))|r(ow(map|p(en|up))|a(wyou|gaxe|ptap)|i(bale|mpub)|l4328|egyon)|t(a(b(lip|p(et|it)|mud|oss)|g(fad|hog|box|ray)|p(net|ute|tea)|r(lid|b(us|at)|kid|wit)|x(bug|oil|wit))|ea(amp|kid|pad|spa)|i(e(ion|bag)|n(tap|p(et|ie))|p(can|ray|wit))|oe(fan|sun|kid)|ub(bus|spa|w(ax|eb))|ropas|z6xva)|u(te(dew|elf|pub)|l0cjn)|w(a(rtag|x(dog|mix|pot|sax)|sera)|e(b(gap|tar)|rtys)|i(t(ink|tax)|g(elf|web))|k4z43)|y(ak(mix|p(al|en))|ou(law|mud)|k8nh3)|z(i(t(egg|paw|cow|lab)|pfad)|oo(gut|law|you)|enwit)|p(e(tbay|gcan)|o(rt04|dspa|lice|poks)|u(bmix|p(gas|pub))|a(d(ink|mix|wit)|ldad|nwar|w(bin|ego|you))|i(espa|gegg|t(bed|egg))|f2vq1)|m(a(prib|t(fox|lip))|enjar|i(c(kid|tie|zit)|x
(mat|rag))|omcar|u(d(car|pad)|m(tow|ute)|zico)|xmoby|ma-ga)|n(ut(amp|eye|gas)|eause|aunet)|o(ilmom|ldyak|n(epet|-mas)|perae))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665775; rev:9;) # sid 2665776 includes 118 (0 - 118) 7 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ru)"; content:"|07|";content:"|02|ru|00|";nocase;within: 10;pcre: "/(v(se-wam|i(rtuta|k1952)|ykyrth|azqqef|p29uud|jl3dvj|fkvid2|myzone|us-(kim|jam))|m(idbomb|a(riko5|pills)|e(pills|dsweb)|uvinor|o(b2011|d-sys))|w(eb(alta|diz2|pigs)|i(tlion|ldboy)|r(kvid3|apweb))|d(q(n6drj|v4fzs)|rj7oig)|j(rk(vid4|2hzd)|i(mjock|pills)|obtrue|usting|a(m-kim|zzute))|p(museum|i(llsha|ghair)|ecoran|as-tro)|t(o(plake|ysdog)|r(pills|ans-c|o-pas)|araban|endmod)|indingo|e(jzettk|qj0uih|xtorld|stprom|lemart|ndorus|ra-was)|g(hmtgmg|ubeenl|o(rycup|stivk)|abplat)|l(y20dzf|rv9utd|sv6dud|o(l0gcj|jseuv)|inokat|egcold)|qij4obd|x(wxefed|gk8sus)|z(irn-ba|aolist|epills|umobtr|xlake3)|c(am2and|cStore|ezvid6|oolbmw|mg-vrn)|f(g(liqbf|g-ltd)|absnot|plvid2|vs2012)|o(a2rjzf|da-som)|b(shades|adbase|yl(trmh|viha)|logsvk|ogquse)|r(udeink|mlake1|ep-sas)|a(r(t-ffr|edret)|ge-ega|v-post)|h(gjvid8|ere-rx)|s(oftoxo|hushev|e(rtwey|c-aga|d-axa)|ipname|as-air|tecdon|ystend)|nosyfan|k(nowled|dkbase|im-vus)|yqdazyb)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665776; rev:9;) # sid 2665777 includes 148 (0 - 148) 8 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ru)"; content:"|08|";content:"|02|ru|00|";nocase;within: 11;pcre: 
"/(f(r(eakcan|xpills)|ilebale)|t(ppkuban|wqhde3i|rvaston)|i(oiopqqw|nxpills|mbingdo)|o(urtulip|verskin|nebelay|pera(-mx|7me))|a(ntituta|st-time|l(lnokia|redret)|c(tivepr|redret)|a(cporn2|redret)|bredret|d(redret|emvoce)|eredret|fredret|gredret|hredret|iredret|jredret|kredret|mredret|predret|tredret)|d(wzporn4|osmedic|eadpage|rugsdah)|h(oney-ok|ixpills|ard-buy|e(yitsme|rezone))|n(lwelar5|oseclan)|b(i(teedsx|redret|m6xe3t|zitaly)|e(ntdate|redret|layway)|aredret|bredret|credret|dredret|fredret|gredret|hredret|jredret|k(redret|-board)|l(redret|ackbmw|ingcar)|mredret|nredret|oredret|qredret|rredret|sredret|tredret|uredret|vredret|wredret|xredret|yredret|zredret|predret)|g(irsland|o(sti(-vk|moi)|lfadam)|u(estsvk|amedic))|s(m(szilla|allsax)|kin-nav)|e(-casher|venconc|mptyspa|l(tatour|-dahar)|cho-msk)|m(e(dicx(ti|u(e|l)|vi)|gahock)|akeitso|ildruby|otedigi)|c(x(lpills|redret)|rredret|tredret|uredret|zredret|iredret|oredret|bredret|credret|dredret|eredret|fredret|gredret|hredret|jredret|kredret|lredret|mredret|nredret|predret|qredret|vredret|wredret|yredret|aredret)|k(plporn5|a(raseal|kashke))|p(a(ybucks|rahole)|lat-tan|erdusha)|z(qjporn7|evkblog|onehere)|qgcporn3|vampkeys|w(atersod|-street|ebfrogs)|j(inosale|joptimo)|2ti0pv3y|leninjiv)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665777; rev:9;) # sid 2665778 includes 150 (0 - 150) 9 character domains in the ".ru" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ru)"; content:"|09|";content:"|02|ru|00|";nocase;within: 12;pcre: 
"/(h(iddenseo|and-band|ydracock|redirect|ere-zone)|j(hvsbsbsb|scriptix|redirect)|k(vmdvdvdv|epillsfx|kosokoko|redirect)|s(k(riptbox|pillshx)|af(xpills|eitems)|hpillshx|npillshx|park-pay|tormhock|redirect)|e(a(rlyship|pillsvr|sypanel|kvideo6)|-loadmob|redirect|lit(e-sms|bilet))|w(e(stfight|a(ktrash|ponomd))|dbvideo4|redirect|ay-belay)|t(a(bletsrx|rifvest)|ectiljob|redirect)|g(r(e(at(jazz|hell)|direct)|ad-gray)|afasenda)|n(pc-oniks|redirect|a(memybet|pasaran|isconfe)|umberfax)|l(cstudies|aketulip|redirect|osfakers)|m(agerfest|y-guests|edic(y(c(hs|ly|ot)|nit)|t(i(n(s|i)|oi)|ur(m|r))|u(b(ee|im)|l(am|do)|shu)|vi(et|ru)|rypj|s(avi|for))|redirect)|a(fpillsvr|bpillsvr|c(cessltd|ro-mini)|mfxpills|nfxpills|tpillsvr|gedstuff|redirect|isnervfa|demcolce)|p(i(lls(hx(a(l|y)|l(l|o)|ng)|vr(er|i(s|z)|mm)|dx(el|ge|he|iw|kb|la|ni|pa))|ecerack)|o(fxpills|olstart)|redirect)|r(ofxpills|redirect)|v(apillshx|k-client|uvvideo4|redirect)|c(afxpills|lanquack|redirect|upit-dom|o(ngatarc|lceadem)|he(ck(glen|-acu)|design))|d(opillsvr|redirect|igi-mote)|o(p(fxpills|era(-lnk|mine))|redirect)|z(anyquery|redirect|one-here)|b(ezsvyazi|redirect|ox-fresh|agetmini)|f(irmhansy|redirect)|y(u(kon2011|mmyship)|redirect)|i(vestgrpp|redirect|xeebutke)|qredirect|u(redirect|aroyalys)|x(redirect|-turyaga))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665778; rev:9;) # sid 2665779 includes 1 (0 - 1) 11 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.se)"; content:"|0b|";content:"|02|se|00|";nocase;within: 14;pcre: "/gylleneting/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665779; rev:9;) # sid 2665780 includes 2 (0 - 2) 7 character domains in the ".se" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.se)"; content:"|07|";content:"|02|se|00|";nocase;within: 10;pcre: 
"/(sbkdart|dhltime)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665780; rev:9;) # sid 2665781 includes 1 (0 - 1) 15 character domains in the ".si" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.si)"; content:"|0f|";content:"|02|si|00|";nocase;within: 18;pcre: "/sozitje-maribor/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665781; rev:9;) # sid 2665782 includes 1 (0 - 1) 12 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.sk)"; content:"|0c|";content:"|02|sk|00|";nocase;within: 15;pcre: "/genesisstore/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665782; rev:9;) # sid 2665783 includes 1 (0 - 1) 20 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.sk)"; content:"|14|";content:"|02|sk|00|";nocase;within: 23;pcre: "/privateequitytraders/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665783; rev:9;) # sid 2665784 includes 1 (0 - 1) 9 character domains in the ".sk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.sk)"; content:"|09|";content:"|02|sk|00|";nocase;within: 12;pcre: "/power-tec/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665784; rev:9;) # sid 2665785 includes 7 (0 - 7) 10 character domains in the ".su" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.su)"; content:"|0a|";content:"|02|su|00|";nocase;within: 13;pcre: "/(bank(update|verify)|user(update|verify)|verifybank|trackstore|popperwith)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665785; rev:9;) # sid 2665786 includes 4 (0 - 
4) 11 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.su)"; content:"|0b|";content:"|02|su|00|";nocase;within: 14;pcre: "/(bankconfirm|loginverify|userconfirm|imagedumper)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665786; rev:9;)
# NOTE(review): in every rule of this group the first content is a single byte (the label
# length, e.g. |0b| for 11) and the pcre carries no anchors and no R (relative) modifier,
# so as far as the options shown go the regex is evaluated against the payload
# independently of where the length byte was found. The short alternatives in the 3- and
# 4-character .su lists (sids 2665790 and 2665791) are the likeliest to match unrelated
# queries; validate against your own DNS traffic before treating a hit as an infection.
# NOTE(review): within is always label length + 3 (11 -> 14, 3 -> 6), while the label plus
# the 4-byte |02|su|00| pattern ends length + 4 bytes after the length byte. Replay a
# query for a listed name through the sensor to confirm the rule fires as intended.
# sid 2665787 includes 6 (0 - 6) 14 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.su)"; content:"|0e|";content:"|02|su|00|";nocase;within: 17;pcre: "/(miniokoyokolia|gerlsipslokane|trutofmymemory|closerchillaut|ebayfordummies|dovlatbegeiner)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665787; rev:9;)
# sid 2665788 includes 1 (0 - 1) 15 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.su)"; content:"|0f|";content:"|02|su|00|";nocase;within: 18;pcre: "/phfhshdjsjdppns/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665788; rev:9;)
# sid 2665789 includes 1 (0 - 1) 16 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.su)"; content:"|10|";content:"|02|su|00|";nocase;within: 19;pcre: "/rehjsdgfjhskjksd/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665789; rev:9;)
# sid 2665790 includes 11 (0 - 11) 3 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.su)"; content:"|03|";content:"|02|su|00|";nocase;within: 6;pcre: "/(b(06|8c)|f(38|48)|g26|n73|v(95|vb)|wk8|c(6c|75))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665790; rev:9;)
# sid 2665791 includes 5 (0 - 5) 4 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.su)"; content:"|04|";content:"|02|su|00|";nocase;within: 7;pcre: "/(asp(6|8)|ssl(3|7)|mycc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665791; rev:9;)
# sid 2665792 includes 4 (0 - 4) 5 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.su)"; content:"|05|";content:"|02|su|00|";nocase;within: 8;pcre: "/a(spx(2|7|9)|ntre)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665792; rev:9;)
# sid 2665793 includes 2 (0 - 2) 7 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.su)"; content:"|07|";content:"|02|su|00|";nocase;within: 10;pcre: "/(confirm|iprofit)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665793; rev:9;)
# sid 2665794 includes 4 (0 - 4) 8 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.su)"; content:"|08|";content:"|02|su|00|";nocase;within: 11;pcre: "/(x188188x|econfirm|pyrohost|approven)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665794; rev:9;)
# sid 2665795 includes 1 (0 - 1) 9 character domains in the ".su" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.su)"; content:"|09|";content:"|02|su|00|";nocase;within: 12;pcre: "/bestdumps/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665795; rev:9;)
# sid 2665796 includes 1 (0 - 1) 5 character domains in the ".tc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.tc)"; content:"|05|";content:"|02|tc|00|";nocase;within: 8;pcre: 
"/vzone/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665796; rev:9;) # sid 2665797 includes 17 (0 - 17) 10 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.tk)"; content:"|0a|";content:"|02|tk|00|";nocase;within: 13;pcre: "/(httptestip|xhotvids(44|89)|contextwkh|dguniverse|t(anhugbb(16|3(4|8))|weakpads(2|9))|unikafaw34|alfastring|web-domain|gambeltonx|newtestav(2|3|4))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665797; rev:9;) # sid 2665798 includes 19 (0 - 19) 11 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.tk)"; content:"|0b|";content:"|02|tk|00|";nocase;within: 14;pcre: "/(infektekbot|l(impaxhub4x|eague-news)|puonikazg(43|5(3|7|8)|9(0|3))|retunfawe21|hotxxxhub5t|chanhnguyen|facebookh4x|job-compuse|new-address|vintage2012|bunghackers|kityxxhubhp|tweakpads98)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665798; rev:9;) # sid 2665799 includes 18 (0 - 18) 12 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.tk)"; content:"|0c|";content:"|02|tk|00|";nocase;within: 15;pcre: "/(bjglvgsxteki|s(oudckrnkuzu|pujucbanodo|cdsfdfgdr12)|10s-the-best|f(reeautogame|aq-candrive)|peakingapads|watchitnegu6|m(egavidmovie|ovosotzbest)|c(hannel8news|lytuawamquk)|adobe-plugin|image-circul|9so97slfvbde|vottakdelay(2|3))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665799; rev:9;) # sid 2665800 includes 22 (0 - 22) 13 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.tk)"; content:"|0d|";content:"|02|tk|00|";nocase;within: 16;pcre: 
"/(httpipaddress|b(oxofficemojo|lpostjobpost)|j(scconsulting|u(sthookingup|qowvveghskp))|aahghbfewas(1(6|8)|3(4|7)|5(0|5|7))|p(eaking(apads(4|5|s)|pads(1(3|5)|42))|hysicsforums)|cricketonline|rainbowshop25)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665800; rev:9;) # sid 2665801 includes 14 (0 - 14) 14 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.tk)"; content:"|0e|";content:"|02|tk|00|";nocase;within: 17;pcre: "/(todayxclipszfm|movieawardsrss|p(eakingapads(26|36|s3)|adtimehere(383|40(2|3|8)))|infoweb-cinema|site-checksite|url-cameralist|xxxcloudtube5w|httpvideowatch)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665801; rev:9;) # sid 2665802 includes 17 (0 - 17) 15 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.tk)"; content:"|0f|";content:"|02|tk|00|";nocase;within: 18;pcre: "/(t(esthard-itbloc|opmovietracker)|http-tourismsea|fo(otballgirdles|restventrillo)|55nnobsineinsdf|i(n(tlforeigndept|donesiazfudsb)|padstimedds363)|peakingapadss(12|39|58|64|88|90)|buyinfo-centreq|alfaxxxvideoss4)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665802; rev:9;) # sid 2665803 includes 13 (0 - 13) 16 character domains in the ".tk" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.tk)"; content:"|10|";content:"|02|tk|00|";nocase;within: 19;pcre: "/(google-plus-plus|efficiencytuhcrz|i(padwissshyes(195|313)|nfoweb-coolinfo)|aboutphotography|job-companybuild|restore-computer|vbulletin-center|profilepeekersv(2|3|4|7))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665803; rev:9;) # sid 2665804 includes 3 (0 - 3) 17 character domains in the ".tk" top level domain alert udp 
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.tk)"; content:"|11|";content:"|02|tk|00|";nocase;within: 20;pcre: "/(buyinfo-centreqcv|cameraweb-cartoon|freesimsocialcash)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665804; rev:9;)
# NOTE(review): the line above is the remainder of the sid 2665804 rule, whose
# "alert udp" keyword sits at the end of the preceding physical line; the last line of
# this group is the same kind of split for sid 2665819.
# NOTE(review): sid 2665809 below keys on pcre "/2010/i" with no anchors; combined with a
# one-byte content:"|04|" this describes far more packets than a lookup of that one
# 4-character .tk name. Folding the length byte, the label and the TLD bytes into a single
# pattern would tie the three checks to the same label.
# NOTE(review): every rule here uses classtype:trojan-activity and the same reference URL;
# the alert carries no per-domain category or listing date, so age and reason for listing
# have to be checked against the source list during triage.
# sid 2665805 includes 4 (0 - 4) 18 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 18 chars (.tk)"; content:"|12|";content:"|02|tk|00|";nocase;within: 21;pcre: "/(http-securityguard|movietrackeronline|sinceforeverbrasil|photos107-facebook)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665805; rev:9;)
# sid 2665806 includes 1 (0 - 1) 21 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 21 chars (.tk)"; content:"|15|";content:"|02|tk|00|";nocase;within: 24;pcre: "/dewanperwakilanrakyat/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665806; rev:9;)
# sid 2665807 includes 2 (0 - 2) 22 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 22 chars (.tk)"; content:"|16|";content:"|02|tk|00|";nocase;within: 25;pcre: "/(megapromotamfidelidade|watchbreakingbadonline)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665807; rev:9;)
# sid 2665808 includes 1 (0 - 1) 23 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 23 chars (.tk)"; content:"|17|";content:"|02|tk|00|";nocase;within: 26;pcre: "/http-mp3downloadtorrent/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665808; rev:9;)
# sid 2665809 includes 1 (0 - 1) 4 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.tk)"; content:"|04|";content:"|02|tk|00|";nocase;within: 7;pcre: "/2010/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665809; rev:9;)
# sid 2665810 includes 13 (0 - 13) 5 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.tk)"; content:"|05|";content:"|02|tk|00|";nocase;within: 8;pcre: "/(0yktf|71t5m|vs0rr|3bqab|im032|cas6l|uz0my|o(u4oe|x22j)|psrzk|t(a9mi|f74v)|gak46)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665810; rev:9;)
# sid 2665811 includes 11 (0 - 11) 6 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.tk)"; content:"|06|";content:"|02|tk|00|";nocase;within: 9;pcre: "/(vk(ashy|ehor)|h(elali|abobi)|monay(1|2|3|4|5|8)|kiumhu)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665811; rev:9;)
# sid 2665812 includes 12 (0 - 12) 7 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.tk)"; content:"|07|";content:"|02|tk|00|";nocase;within: 10;pcre: "/(87vfnr4|bj88668|fonduta|monay1(1|2|3)|tuesda(1|3|4|5|6)|alhevxc)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665812; rev:9;)
# sid 2665813 includes 16 (0 - 16) 8 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.tk)"; content:"|08|";content:"|02|tk|00|";nocase;within: 11;pcre: "/(jagawars|romoreok|t(dssopka|rgoals2|uesda1(0|1))|uniatea8|avcgirls|s(hrinkyy|ocialme)|web-fill|lebron-j|holiday1|n(ewdayav|rqqhbtx)|efacbook)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665813; rev:9;)
# sid 2665814 includes 19 (0 - 19) 9 character domains in the ".tk" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.tk)"; content:"|09|";content:"|02|tk|00|";nocase;within: 12;pcre: "/(googlessl|kotsbplqf|fwzvslwcm|huhfghf(39|78)|xhdvidsq0|n(batv1210|ewdayav2)|un(iatea48|lim-app)|b(lanktube|estsoft(1|2))|s(oftxxxdc|tank-dog|hockchip)|t(cdnk4k34|lkwgoben)|exsexytop)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665814; rev:9;)
# sid 2665815 includes 1 (0 - 1) 15 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.tv)"; content:"|0f|";content:"|02|tv|00|";nocase;within: 18;pcre: "/mortgagebrokers/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665815; rev:9;)
# sid 2665816 includes 1 (0 - 1) 16 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.tv)"; content:"|10|";content:"|02|tv|00|";nocase;within: 19;pcre: "/film-2-streaming/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665816; rev:9;)
# sid 2665817 includes 1 (0 - 1) 4 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.tv)"; content:"|04|";content:"|02|tv|00|";nocase;within: 7;pcre: "/vase/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665817; rev:9;)
# sid 2665818 includes 1 (0 - 1) 9 character domains in the ".tv" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.tv)"; content:"|09|";content:"|02|tv|00|";nocase;within: 12;pcre: "/narutoget/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665818; rev:9;)
# sid 2665819 includes 1 (0 - 1) 16 character domains in the ".tw" top level domain
alert udp 
![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.tw)"; content:"|10|";content:"|02|tw|00|";nocase;within: 19;pcre: "/xn--fct5gx28h9gs/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665819; rev:9;)
# The line above is the remainder of the sid 2665819 rule ("alert udp" sits at the end of
# the preceding physical line). Its xn-- label is an IDNA (punycode) encoded name, matched
# here in its ASCII form.
# NOTE(review): the rule header only inspects UDP to $DNS_SERVERS port 53 from sources
# outside $SMTP_SERVERS and $DNS_SERVERS. Lookups sent over TCP, or to a resolver that is
# not in $DNS_SERVERS, are not covered by these rules; confirm the variable lists every
# resolver clients can actually reach, and pair the rules with resolver query logs.
# NOTE(review): the last line of this group is the first half of sid 2665835; it continues
# on the next physical line and has to be rejoined before the file is loaded.
# sid 2665820 includes 1 (0 - 1) 3 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 3 chars (.tw)"; content:"|03|";content:"|02|tw|00|";nocase;within: 6;pcre: "/dmr/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665820; rev:9;)
# sid 2665821 includes 1 (0 - 1) 4 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.tw)"; content:"|04|";content:"|02|tw|00|";nocase;within: 7;pcre: "/molo/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665821; rev:9;)
# sid 2665822 includes 1 (0 - 1) 7 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.tw)"; content:"|07|";content:"|02|tw|00|";nocase;within: 10;pcre: "/upwcbab/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665822; rev:9;)
# sid 2665823 includes 1 (0 - 1) 8 character domains in the ".tw" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.tw)"; content:"|08|";content:"|02|tw|00|";nocase;within: 11;pcre: "/gontinty/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665823; rev:9;)
# sid 2665824 includes 1 (0 - 1) 10 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.us)"; content:"|0a|";content:"|02|us|00|";nocase;within: 13;pcre: "/federalcap/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665824; rev:9;)
# sid 2665825 includes 2 (0 - 2) 11 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.us)"; content:"|0b|";content:"|02|us|00|";nocase;within: 14;pcre: "/(blackshades|opensources)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665825; rev:9;)
# sid 2665826 includes 1 (0 - 1) 12 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.us)"; content:"|0c|";content:"|02|us|00|";nocase;within: 15;pcre: "/music2music2/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665826; rev:9;)
# sid 2665827 includes 1 (0 - 1) 13 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 13 chars (.us)"; content:"|0d|";content:"|02|us|00|";nocase;within: 16;pcre: "/web-worldcars/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665827; rev:9;)
# sid 2665828 includes 1 (0 - 1) 14 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 14 chars (.us)"; content:"|0e|";content:"|02|us|00|";nocase;within: 17;pcre: "/http-harddrive/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665828; rev:9;)
# sid 2665829 includes 1 (0 - 1) 15 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.us)"; content:"|0f|";content:"|02|us|00|";nocase;within: 18;pcre: "/advertisingguru/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665829; rev:9;)
# sid 2665830 includes 1 (0 - 1) 16 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 16 chars (.us)"; content:"|10|";content:"|02|us|00|";nocase;within: 19;pcre: "/daileysecurities/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665830; rev:9;)
# sid 2665831 includes 1 (0 - 1) 17 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.us)"; content:"|11|";content:"|02|us|00|";nocase;within: 20;pcre: "/img192-imageshack/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665831; rev:9;)
# sid 2665832 includes 1 (0 - 1) 19 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 19 chars (.us)"; content:"|13|";content:"|02|us|00|";nocase;within: 22;pcre: "/watch-movies-online/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665832; rev:9;)
# sid 2665833 includes 2 (0 - 2) 20 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 20 chars (.us)"; content:"|14|";content:"|02|us|00|";nocase;within: 23;pcre: "/(bankofamericanpaying|worldsnowboardleague)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665833; rev:9;)
# sid 2665834 includes 5 (0 - 5) 4 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 4 chars (.us)"; content:"|04|";content:"|02|us|00|";nocase;within: 7;pcre: "/(ns01|xped|d(atz|vmc)|jirx)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665834; rev:9;)
# sid 2665835 includes 1 (0 - 1) 5 character domains in the ".us" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 5 chars (.us)"; content:"|05|";content:"|02|us|00|";nocase;within: 8;pcre: "/adfoc/i"; classtype:trojan-activity; 
reference:url,www.malwaredomains.com; sid:2665835; rev:9;) # sid 2665836 includes 8 (0 - 8) 6 character domains in the ".us" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.us)"; content:"|06|";content:"|02|us|00|";nocase;within: 9;pcre: "/(b(aylee|ccnet)|saldo7|img(1(22|84)|633|721|875))/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665836; rev:9;) # sid 2665837 includes 3 (0 - 3) 7 character domains in the ".us" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.us)"; content:"|07|";content:"|02|us|00|";nocase;within: 10;pcre: "/(infoway|re-boot|stockli)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665837; rev:9;) # sid 2665838 includes 2 (0 - 2) 8 character domains in the ".us" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.us)"; content:"|08|";content:"|02|us|00|";nocase;within: 11;pcre: "/(allfresh|getafile)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665838; rev:9;) # sid 2665839 includes 2 (0 - 2) 9 character domains in the ".us" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.us)"; content:"|09|";content:"|02|us|00|";nocase;within: 12;pcre: "/(shinydoll|easyimage)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665839; rev:9;) # sid 2665840 includes 1 (0 - 1) 17 character domains in the ".vn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 17 chars (.vn)"; content:"|11|";content:"|02|vn|00|";nocase;within: 20;pcre: "/congchungso2hanam/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665840; rev:9;) # sid 2665841 includes 1 (0 - 1) 10 character domains in the ".ws" top level domain 
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 10 chars (.ws)"; content:"|0a|";content:"|02|ws|00|";nocase;within: 13;pcre: "/4analytics/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665841; rev:9;) # sid 2665842 includes 2 (0 - 2) 11 character domains in the ".ws" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 11 chars (.ws)"; content:"|0b|";content:"|02|ws|00|";nocase;within: 14;pcre: "/(aeyntbajpeu|hrgicjsctkw)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665842; rev:9;) # sid 2665843 includes 1 (0 - 1) 12 character domains in the ".ws" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 12 chars (.ws)"; content:"|0c|";content:"|02|ws|00|";nocase;within: 15;pcre: "/626f6f686f6f/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665843; rev:9;) # sid 2665844 includes 2 (0 - 2) 15 character domains in the ".ws" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 15 chars (.ws)"; content:"|0f|";content:"|02|ws|00|";nocase;within: 18;pcre: "/(privateservices|webcom-software)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665844; rev:9;) # sid 2665845 includes 1 (0 - 1) 6 character domains in the ".ws" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 6 chars (.ws)"; content:"|06|";content:"|02|ws|00|";nocase;within: 9;pcre: "/jveaii/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665845; rev:9;) # sid 2665846 includes 2 (0 - 2) 7 character domains in the ".ws" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 7 chars (.ws)"; content:"|07|";content:"|02|ws|00|";nocase;within: 10;pcre: 
"/(luzhucy|ubqzudv)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665846; rev:9;) # sid 2665847 includes 4 (0 - 4) 8 character domains in the ".ws" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 8 chars (.ws)"; content:"|08|";content:"|02|ws|00|";nocase;within: 11;pcre: "/(nikbir09|wgevrhmh|yyenrixm|znemxple)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665847; rev:9;) # sid 2665848 includes 3 (0 - 3) 9 character domains in the ".ws" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup 9 chars (.ws)"; content:"|09|";content:"|02|ws|00|";nocase;within: 12;pcre: "/(atefpcjpe|ucmdefwnp|wuxrpbbnp)/i"; classtype:trojan-activity; reference:url,www.malwaredomains.com; sid:2665848; rev:9;)