[Emerging-Sigs] bredolab drive by sigs

Matthew Jonkman jonkman at emergingthreatspro.com
Sat Oct 9 13:30:50 EDT 2010


Posted, but the first one (applet1.html) is too ripe for falses. But I've got the others posted, thanks Eoin!

Matt


On Oct 8, 2010, at 5:30 PM, Eoin Miller wrote:

>  These have been very consistent for the bredolab drive by kits:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY bredolab - client requesting java exploit"; flow:established,to_server; content:"/Applet1.html"; depth:13; http_uri; classtype:bad-unknown; sid:5600173; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY bredolab - client requesting pdf exploit"; flow:established,to_server; content:"/Notes1.pdf"; depth:11; http_uri; classtype:bad-unknown; sid:5600174; rev:1;)
> 
> This one never seems to have made it to the list. It detects the 
> bredolab drive-by landing pages initially coming back, which then causes 
> the client to query for jquery.jxx:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID DRIVEBY bredolab - landing page"; flow:established,to_client; content:"Server: nginx"; http_header; content:"<div style=\"visibility: hidden\;\"><"; depth:120; classtype:bad-unknown; sid:5600089; rev:1;)
> 
> Been seeing some hilarious GETs from exploited clients as well, check 
> this one out:
> 
> GET /1.pdf?reader_version=8.102&exn=CVE-2009-0927 HTTP/1.1
> Accept: */*
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1)
> Host: rocks.chargecardsystemsholdings.com:8080
> Connection: Keep-Alive
> Cookie: pid=1
> 
> 
> Maybe something like:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY bredolab - client exploited by acrobat"; flow:established,to_server; content:"?reader_version="; http_uri; content:"&exn=CVE-"; http_uri; classtype:trojan-activity; sid:5600175; rev:1;)
> 
> -- Eoin
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
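Added example (not part of the original thread and not Emerging Threats or Snort code): a plain-Python re-implementation of the matching semantics of the four rules quoted above, run over constructed HTTP messages so you can see exactly what each one does and does not fire on. The first request is the GET quoted in the post; every other message, and every host name other than that one, is made up for illustration. It mirrors three Snort details that matter here: `depth:N` requires the whole pattern to sit inside the first N bytes of the buffer, so `content:"/Applet1.html"; depth:13; http_uri` is a prefix match on the URI (which is also why the same file name on any unrelated site fires it); two `http_uri` contents without `distance`/`within` are unordered; and a content with no buffer modifier is searched against the raw payload from byte 0, so `depth:120` on the landing-page rule counts the response headers too.

```python
"""Plain-Python mirror of the bredolab drive-by rules' matching semantics.

Added example, not Emerging Threats or Snort code. It is not a Snort
replacement; it only shows what each quoted rule does and does not match.
"""

APPLET_SID, PDF_SID, LANDING_SID, EXPLOITED_SID = 5600173, 5600174, 5600089, 5600175


def split_http(msg: bytes):
    """Split a raw HTTP message into (start line, header lines, body)."""
    head, _, body = msg.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def http_uri(request: bytes) -> bytes:
    """Snort's http_uri buffer: the request-target from the request line."""
    start, _, _ = split_http(request)
    parts = start.split(b" ")
    return parts[1] if len(parts) >= 3 else b""


def content_depth(buf: bytes, pattern: bytes, depth: int) -> bool:
    """content:"pattern"; depth:N;  the whole pattern must lie within buf[:N]."""
    return buf.find(pattern, 0, depth) != -1


def match_request(request: bytes) -> list:
    """Apply the client -> server rules (sids 5600173, 5600174, 5600175)."""
    uri = http_uri(request)
    sids = []
    # content:"/Applet1.html"; depth:13; http_uri;  pattern is 13 bytes long,
    # so depth:13 turns this into a prefix match on the URI.
    if content_depth(uri, b"/Applet1.html", 13):
        sids.append(APPLET_SID)
    if content_depth(uri, b"/Notes1.pdf", 11):
        sids.append(PDF_SID)
    # Two http_uri contents with no distance/within: both must appear, any order.
    if b"?reader_version=" in uri and b"&exn=CVE-" in uri:
        sids.append(EXPLOITED_SID)
    return sids


def match_response(response: bytes) -> list:
    """Apply the server -> client rule (sid 5600089)."""
    _, headers, _ = split_http(response)
    sids = []
    # content:"Server: nginx"; http_header;  searched in the header block only.
    server_nginx = b"Server: nginx" in b"\r\n".join(headers)
    # content:"<div style=\"visibility: hidden\;\"><"; depth:120;  no buffer
    # modifier, so Snort searches the raw payload from byte 0. The div must end
    # inside the first 120 bytes, status line and headers included; a response
    # with long headers pushes the body past that window and the rule misses.
    hidden_div = content_depth(response, b'<div style="visibility: hidden;"><', 120)
    if server_nginx and hidden_div:
        sids.append(LANDING_SID)
    return sids


# Constructed samples. EXPLOITED is the request quoted in the post (trimmed to
# the headers that matter); the other messages and hosts are made up.
EXPLOITED = (b"GET /1.pdf?reader_version=8.102&exn=CVE-2009-0927 HTTP/1.1\r\n"
             b"Host: rocks.chargecardsystemsholdings.com:8080\r\n\r\n")
APPLET = b"GET /Applet1.html HTTP/1.1\r\nHost: kit.example.invalid\r\n\r\n"
PDF = b"GET /Notes1.pdf HTTP/1.1\r\nHost: kit.example.invalid\r\n\r\n"
# Same file name on an unrelated intranet site: identical 13-byte prefix, so
# 5600173 fires here too. This is the false-positive exposure of that rule.
BENIGN_APPLET = b"GET /Applet1.html?lang=en HTTP/1.1\r\nHost: intranet.example.invalid\r\n\r\n"
# Same file one directory down: the pattern starts at offset 4, outside depth:13.
NESTED = b"GET /kit/Applet1.html HTTP/1.1\r\nHost: kit.example.invalid\r\n\r\n"
LANDING = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
           b'<html><body><div style="visibility: hidden;"><applet></applet></div>')
# Identical body, but 100 bytes of extra header push the div past byte 120.
LANDING_LONG_HDRS = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Pad: " + b"a" * 100 +
                     b"\r\n\r\n" b'<div style="visibility: hidden;"><')


if __name__ == "__main__":
    for name, msg in [("EXPLOITED", EXPLOITED), ("APPLET", APPLET), ("PDF", PDF),
                      ("BENIGN_APPLET", BENIGN_APPLET), ("NESTED", NESTED)]:
        print(f"{name:14s} -> {match_request(msg)}")
    for name, msg in [("LANDING", LANDING), ("LANDING_LONG_HDRS", LANDING_LONG_HDRS)]:
        print(f"{name:18s} -> {match_response(msg)}")
```

Run as a script it prints which sids each sample trips. The two pairs worth studying are APPLET versus BENIGN_APPLET (same prefix, so the rule cannot tell the kit from a legitimate site hosting a file of that name) and LANDING versus LANDING_LONG_HDRS (the 120-byte window is measured from the start of the response, not the body).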




