The problem started when I tried to close an advertisement for 888Poker. A dialogue box appeared asking me if I wanted to leave the page or cancel. I tried to avoid signaling a user event by Force Quitting Safari. When I reopened Safari it was slow loading. The Google search box would not work. I went to google.ca and the page had a different banner than usual. Also the results didn't automatically change as you added new keywords.
Since then everything seems to work ok except this persistent cookie with all of the content that goes with it.
Here is some of what I found inside the cookie....
/****************************************************************************************
********************************** Legit rules ******************************************
****************************************************************************************/
rule RULE_LONG_SIZE
{
condition: exec(H_LONG_SIZE);
actions: mark("LEGIT", 0);
metadata: priority = 10;
}
rule RULE_COSOI
{
condition: match("\.|%2e", HTML::Url, REGEX_INSENSITIVE);
actions: none;
metadata: none;
}
metarule RULE_COSOIUS
{
condition: RULE_COSOI == false;
actions: mark("LEGIT", 0);
metadata: priority = 1000;
}
rule RULE_URL_WITH_HTTPS
{
condition: match("^https://", HTML::Url, REGEX_INSENSITIVE);
actions: mark("LEGIT", 0);
metadata: priority = 5000;
}
rule RULE_LEGIT_HTTPS_ALN
{
condition: exec(H_PROTOCOL_IS_HTTPS);
actions: mark("LEGIT", 0);
metadata: priority = 5000;
}
rule RULE_VIEW_SOURCE_LEGIT_ALN
{
condition: match("^view-source:", HTML::Url, REGEX_INSENSITIVE);
actions: mark("LEGIT", 0);
metadata: priority = 5000;
}
rule RULE_URL_IS_HTTP
{
condition: exec(H_PROTOCOL_IS_HTTP);
actions: none;
metadata: none;
}
/* URLs temporarily put on legit, until the release is out in which we can see the names of the Fuzzy and Summary signatures that hit */
rule WHITE_LIST_TEMPORAR_ALN
{
condition: match("^zarahome\.com/|^scarlet\.be/|^res://ieframe\.dll/|^mybookface\.net/|^about:blank|^icsdelivery\.com/|^fuckbookhacked\.com|^posta\.amis\.net/|^spartoo\.co\.uk/|^whatsup\.ca/|^127\.0\.0\.1(:[0-9]{0,4})?/|^localhost/phpmyadmin|^javascript:|^vodacommessaging\.co\.za|^hyves\.nl|^sunrise\.ch", HTML::Url, REGEX);
actions: mark("LEGIT", 0);
metadata: priority = 9000;
}
/* LEGIT rule added for important sites to guard against the situation in which the WhiteList fails (is not initialized) */
rule WHITE_LIST_IMPORTANT_SITES_ALN
{
condition: match("^((login\.)?facebook\.com|twitter\.com|(offer\.|my\.)?ebay\.de|((edit|login)\.)?yahoo\.com|caf\.fr|chase\.com|bankofamerica\.com|(ib\.)?absa\.co\.za|schwab\.com|google\.com)/", HTML::Url, REGEX_INSENSITIVE);
actions: mark("LEGIT", 0);
metadata: priority = 9000;
}
rule RULE_BITDEFENDER_IP_LEGIT_ALN
{
condition: match("^91.199.104.43/", HTML::Url, REGEX);
actions: mark("LEGIT", 0);
metadata: priority = 5000;
}
/****************************************************************************************
********************************** Forgery rules ****************************************
****************************************************************************************/
rule RULE_FORGERY_INPUT
{
condition: match("<input.{1,250}type=[\"' ]?password[\"' ]", HTML::Body, REGEX_INSENSITIVE, RAW);
actions: mark("FORGERY", 1000);
metadata: priority = 500;
}
/*rule RULE_FORGERY_PASS_ALL
{
condition: match("a", HTML::Body, REGEX_INSENSITIVE, RAW);
actions: mark("FORGERY", 1000);
metadata: priority = 500;
}
*/
rule RULE_FORGERY_BANK1
{
condition: match("BRD|BCR|Raiffeisen|Digipass|Money Manager|Bank of America|Digital Banking|PayPal|eBay|NationalCity|Intesa|HSBC|Bancorp Inc|Bancpost|Volksbank|Millennium|Online[ -]Banking|PIN:|Credit Europe Bank|Internal Revenue Service|Kennwort|Amazon|revenue|as_team|seb bank", HTML::Body, REGEX_INSENSITIVE, DECODED);
actions: mark("FORGERY", 1000);
metadata: priority = 500;
}
rule RULE_FORGERY_BANK2
There are hundreds of lines like this...
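The rule text pasted above follows a simple syntax: each rule applies a regular expression to HTML::Url or HTML::Body and, on a hit, marks the page LEGIT or FORGERY with a priority. As an added example (not code from the original post or from any product), here is a small Python evaluator for the match()/mark() subset of that syntax; the rule subset, the sample page and the assumption that the highest priority wins are constructed for the illustration.

```python
import re
from collections import namedtuple

# Constructed subset of the pasted rule text (same syntax, three rules, one shortened).
RULES_TEXT = r'''
rule RULE_URL_WITH_HTTPS
{
condition: match("^https://", HTML::Url, REGEX_INSENSITIVE);
actions: mark("LEGIT", 0);
metadata: priority = 5000;
}
rule RULE_FORGERY_INPUT
{
condition: match("<input.{1,250}type=[\"' ]?password[\"' ]", HTML::Body, REGEX_INSENSITIVE, RAW);
actions: mark("FORGERY", 1000);
metadata: priority = 500;
}
rule RULE_FORGERY_BANK1
{
condition: match("Bank of America|PayPal|Online[ -]Banking", HTML::Body, REGEX_INSENSITIVE, DECODED);
actions: mark("FORGERY", 1000);
metadata: priority = 500;
}
'''

Rule = namedtuple("Rule", "name pattern field mark priority")

# Parses only match()/mark() rules with a numeric priority; exec() and "none" rules are skipped.
RULE_RE = re.compile(
    r'rule\s+(\w+)\s*\{\s*condition:\s*match\("((?:[^"\\]|\\.)*)",\s*HTML::(Url|Body)'
    r'((?:,\s*\w+)*)\);\s*actions:\s*mark\("(\w+)",\s*\d+\);\s*metadata:\s*priority\s*=\s*(\d+);\s*\}',
    re.S)

def parse_rules(text):
    rules = []
    for name, pat, field, flags, mark, prio in RULE_RE.findall(text):
        re_flags = re.I if "REGEX_INSENSITIVE" in flags else 0  # REGEX_INSENSITIVE -> case-insensitive
        rules.append(Rule(name, re.compile(pat, re_flags), field, mark, int(prio)))
    return rules

def evaluate(rules, url, body):
    """Return (verdict, names of rules that fired). Assumption: the highest priority wins."""
    hits = [r for r in rules if r.pattern.search(url if r.field == "Url" else body)]
    if not hits:
        return "UNKNOWN", []
    best = max(hits, key=lambda r: r.priority)
    return best.mark, [r.name for r in hits]
```

With the sample rules, a plain-http page containing a password field and a bank name is marked FORGERY, while the same page served over https is marked LEGIT because RULE_URL_WITH_HTTPS carries the higher priority.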