[Emerging-Sigs] SEO Exploit Kit Sigs

Eoin Miller eoin.miller at trojanedbinaries.com
Fri Oct 1 11:00:45 EDT 2010


  As the SEO kit keeps changing quite frequently, here are new sigs to 
see people hitting it and how they are being exploited:

# Landing page: matched in the server's response to the client.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID DRIVEBY SEO Exploit Kit - Landing Page"; content:"<div id=\"obj\"></div><div id=\"pdf\"></div><div id=\"hcp\">"; classtype:bad-unknown; sid:5600164; rev:1;)
# Post-exploit callbacks: http_uri only inspects client requests, so these run from $HOME_NET to the web server.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - client exploited by Java"; content:".php?exp=JavaROX"; http_uri; classtype:bad-unknown; sid:5600165; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - client exploited by SMB"; content:".php?exp=SMB"; http_uri; classtype:bad-unknown; sid:5600166; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - client exploited by Acrobat"; content:".php?exp=PDF"; http_uri; classtype:bad-unknown; sid:5600167; rev:1;)

Tons of people have been hitting this drive-by recently as it appears 
that adshuffle was redirecting people from MSN sites for the last week 
or so.

-- Eoin
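
A retro-hunt for the same callback URIs in web proxy logs, as an added example that is not part of the original post. The log layout (timestamp, client IP, method, URL, status), the hostnames and every sample line are constructed; the match is case-sensitive substring matching, like a Snort content match without nocase.

```python
import re
from collections import defaultdict

# Values of the "exp" parameter used by the three callback rules above,
# mapped to the exploit named in each rule's msg field.
VECTORS = {"JavaROX": "Java", "SMB": "SMB", "PDF": "Acrobat"}
CALLBACK = re.compile(r"\.php\?exp=(JavaROX|SMB|PDF)")

# Constructed sample proxy log: timestamp client_ip method url status
SAMPLE_LOG = """\
2010-10-01T10:02:11 10.0.0.21 GET http://kit.example/index.php 200
2010-10-01T10:02:14 10.0.0.21 GET http://kit.example/l.php?exp=JavaROX 200
2010-10-01T10:05:40 10.0.0.37 GET http://kit.example/l.php?exp=PDF 200
2010-10-01T10:06:02 10.0.0.37 GET http://news.example/story.php?expand=1 200
2010-10-01T10:07:19 10.0.0.21 GET http://kit.example/l.php?exp=JavaROX 200
2010-10-01T10:09:55 10.0.0.44 GET http://other.example/a.php?EXP=SMB 200
malformed line
"""


def find_callbacks(lines):
    """Return {client_ip: {vector: first_seen_timestamp}} for callback requests."""
    hits = defaultdict(dict)
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed records instead of failing the hunt
        ts, client, _method, url = fields[:4]
        match = CALLBACK.search(url)
        if match:
            # Keep only the first sighting per client and vector.
            hits[client].setdefault(VECTORS[match.group(1)], ts)
    return dict(hits)


if __name__ == "__main__":
    found = find_callbacks(SAMPLE_LOG.splitlines())
    for client, vectors in sorted(found.items()):
        for vector, ts in vectors.items():
            print(f"{client} exploited via {vector}, first seen {ts}")
```
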

