[Emerging-Sigs] Eleonore Drive By's and the Redirection To Them

Joel Esler jesler at sourcefire.com
Tue Oct 5 14:14:56 EDT 2010


On the second rule... why two content matches? Can they be one big one?

On Tue, Oct 5, 2010 at 1:15 PM, Eoin Miller <
eoin.miller at trojanedbinaries.com> wrote:

> We are using the following signatures to determine if a client system has
> hit the redirection network and been driven to an Eleonore drive-by kit (I am
> pretty sure that is the type, but not 100%. Either way they are bad news):
>
> First the client will send a URI to a server which will serve up the
> redirect:
>
> /in.cgi?2
> /in.cgi?5
> /in.cgi?11
>
> Sig used to identify these requests (could probably use some PCRE to cut
> down on some of the false positives, something looking for 1-2 digits and
> then the end of the string, I'll play with modifying it more when I have
> some time):
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID MALVERTISING redirect to exploit kit - /in.cgi?"; flow:established,to_server; content:"/in.cgi?"; http_uri; depth:8; classtype:bad-unknown; sid:5600154; rev:1;)
>
> The response to this request will contain a Set-Cookie value in the header
> that will be like the following:
> SL_2_0000=_0_
> SL_5_0000=_0_
> SL_11_0000=_0_
>
> Sig used to identify these requests (no FP's so far):
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID MALVERTISING redirect to eleonore exploit kit"; flow:established,to_client; content:"SL_"; http_cookie; content:"_0000="; classtype:bad-unknown; sid:5600171; rev:1;)
>
> Example response content causing this alert:
>
> HTTP/1.1 302 Found
> Connection: Keep-Alive
> Content-Length: 200
> Content-Type: text/html
> Date: Mon, 04 Oct 2010 23:23:10 GMT
> Keep-Alive: timeout=1, max=100
> Location: hXXp://85.234.191.210/a/gzknczas.php
> Server: Apache/2
> Set-Cookie: SL_2_0000=_7_; domain=one.riverrunpropertyvalue.com; path=/; expires=Tue, 05-Oct-2010 23:23:10 GMT
> Vary: Accept-Encoding,User-Agent
>
> <html>
> <head>
> <meta http-equiv="REFRESH" content="1; URL='hXXp://85.234.191.210/a/gzknczas.php'">
> </head>
> <body>
> document moved <a href="hXXp://85.234.191.210/a/gzknczas.php">here</a>
> </body>
> </html>
>
>
> The response also includes a redirect to the actual drive-by kit. Once the
> user is driven to that kit and downloads the landing page, this signature
> (which is very small and simple, but very accurate without any FP's over the
> past few days) will fire:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID DRIVEBY Eleonore - landing page"; flow:established,to_client; content:"+\"JAVASMB()\;\"\;"; classtype:bad-unknown; sid:5600170; rev:1;)
>
> -- Eoin
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>


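The three-stage chain Eoin describes (request to the redirector, Set-Cookie in the 302, marker on the landing page), as an added example that is not code from the post or from Emerging Threats. It implements the tightening he mentions for the first rule (one or two digits, then end of string) and ties the two loose content matches of the second rule into one anchored expression so the channel number can be cross-checked between the URI and the cookie. The Snort pcre in the comment is my own rewrite, not the posted rule; the sample request, response and landing-page fragment are constructed, modelled on the response shown above.

```python
import re
from typing import Optional

# Stage 1: the request to the redirector. The posted rule keys on "/in.cgi?"
# at the start of the URI; this adds the suggested narrowing (1-2 digits, then
# end of string). My own Snort-side equivalent, not the posted rule:
#   content:"/in.cgi?"; http_uri; depth:8; pcre:"/^\/in\.cgi\?\d{1,2}$/U";
REDIRECT_URI_RE = re.compile(r"^/in\.cgi\?(\d{1,2})$")

# Stage 2: the redirector's response sets SL_<channel>_0000=_<state>_.
# One anchored expression stands in for the two separate content matches and
# recovers the channel number so it can be compared with stage 1.
SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*SL_(\d{1,2})_0000=_(\d+)_", re.I | re.M)
LOCATION_RE = re.compile(r"^Location:\s*(\S+)", re.I | re.M)

# Stage 3: the landing-page marker from the posted rule with Snort's
# backslash escapes removed, i.e. the literal bytes +"JAVASMB();";
LANDING_MARKER = b'+"JAVASMB();";'


def classify_request(request_line: str) -> Optional[int]:
    """Return the channel number for 'GET /in.cgi?<1-2 digits> HTTP/1.x', else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    m = REDIRECT_URI_RE.match(parts[1])
    return int(m.group(1)) if m else None


def parse_redirect_response(raw: bytes) -> Optional[dict]:
    """Return channel, state and Location if the response sets the SL_ cookie, else None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    text = head.decode("latin-1")
    m = SET_COOKIE_RE.search(text)
    if not m:
        return None
    loc = LOCATION_RE.search(text)
    return {
        "channel": int(m.group(1)),
        "state": int(m.group(2)),
        "location": loc.group(1) if loc else None,
    }


def is_landing_page(body: bytes) -> bool:
    """Stage 3: the Eleonore landing-page marker is present in the body."""
    return LANDING_MARKER in body


def assess_exchange(request_line: str, raw_response: bytes) -> str:
    """Combine stages 1 and 2 for one request/response pair into a verdict."""
    channel = classify_request(request_line)
    cookie = parse_redirect_response(raw_response)
    if channel is not None and cookie is not None and cookie["channel"] == channel:
        return "redirect-to-kit"   # URI and cookie agree on the channel number
    if cookie is not None:
        return "cookie-only"       # cookie seen without the matching URI: inspect
    if channel is not None:
        return "uri-only"          # /in.cgi?N without the cookie: probably benign
    return "clean"


# Constructed sample traffic, modelled on the posted 302 (defanged URL kept as-is).
SAMPLE_REQUEST = "GET /in.cgi?2 HTTP/1.1"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Location: hXXp://85.234.191.210/a/gzknczas.php\r\n"
    b"Set-Cookie: SL_2_0000=_7_; domain=one.riverrunpropertyvalue.com; path=/; "
    b"expires=Tue, 05-Oct-2010 23:23:10 GMT\r\n"
    b"\r\n"
    b"<html><body>document moved</body></html>"
)
SAMPLE_LANDING_BODY = b'<script>var s="";s=s+"JAVASMB();";</script>'

if __name__ == "__main__":
    print(assess_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE))   # redirect-to-kit
    print(classify_request("GET /in.cgi?123 HTTP/1.1"))      # None (three digits)
    print(is_landing_page(SAMPLE_LANDING_BODY))               # True
```

Run it as a script to see the three verdicts, or feed real request lines and raw response bytes from a capture into assess_exchange. The cross-check of the channel number between the URI and the cookie is what buys precision over matching "SL_" and "_0000=" independently; a response that sets the cookie without the matching /in.cgi?N request is still reported, as "cookie-only", so nothing the original rule caught is dropped.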