[Emerging-Sigs] Proposed Signature for Blackhole Exploit Landing malicious applet

Nathan nathan at packetmail.net
Mon Oct 3 10:13:59 EDT 2011


On Mon, 03 Oct 2011 15:07:59 +0100 Chris Wakelin <c.d.wakelin at reading.ac.uk>
wrote:

> Looking at the actual exploit kit, they're including the Java and PDF
> exploits but not the Flash or HCP exploits (whatever HCP is?) at the moment.

It's the Help Control Protocol, another pseudo-protocol used by Win32,
'hcp://'.  There were a few vulnerabilities out for it, and it looks like the
exploit kits are leveraging it.  From what I recall, I do have one up there for
HCP in less than Media Player 10.0... I believe I wrote 2013077, so it may need
some updating if the URI has changed.

http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx

emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; pcre:"/hcp_asx\.php\?f=\d+$/U"; classtype:trojan-activity; sid:2013077; rev:1;)

emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; classtype:bad-unknown; sid:2013548; rev:1;)

emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; classtype:bad-unknown; sid:2013549; rev:1;)

Thanks,
Nathan
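The following is an added example, not part of the message above or of the Emerging Threats rule set. It re-implements the http_uri content plus pcre checks of the three rules quoted in the message as a small Python matcher and runs them over constructed HTTP request lines, so you can see what the rules do and do not fire on: the `\d+$` anchors mean a URI with extra query parameters or a non-numeric `f=` value does not match, and the `/U` flag means the match runs against the normalized URI, so a percent-encoded path still matches. The `normalize_uri` function is a simplified stand-in for Snort's http_inspect normalization (it only percent-decodes, collapses slashes and removes dot segments); `flow:established,to_server` is not modelled. All request lines are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# http_uri content (fast-pattern prefilter) and pcre from the three rules
# quoted in the message, keyed by sid. The regexes are the rules' pcre
# bodies without the /U modifier, which is handled by normalize_uri().
RULES = {
    2013077: ("/hcp_asx.php?f=", re.compile(r"/hcp_asx\.php\?f=\d+$")),
    2013548: ("/pch.php?f=", re.compile(r"/pch\.php\?f=\d+$")),
    2013549: ("/hcp_vbs.php?f=", re.compile(r"/hcp_vbs\.php\?f=\d+&d=\d+$")),
}


def normalize_uri(raw_uri):
    """Assumption: a simplified approximation of the normalized URI buffer that
    http_uri and pcre /U match against. Real http_inspect does more (IIS
    unicode, double decoding, etc.); this version percent-decodes, collapses
    repeated slashes and resolves '.' and '..' path segments."""
    path, sep, query = unquote(raw_uri).partition("?")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue          # collapse '//' and '/./'
        if seg == "..":
            if segments:
                segments.pop()  # resolve '/../'
            continue
        segments.append(seg)
    return "/" + "/".join(segments) + sep + query


def match_rules(request_line):
    """Return the sorted list of sids whose content and pcre both match the
    request URI of a single HTTP request line such as 'GET /x HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    uri = normalize_uri(parts[1])
    hits = []
    for sid, (content, pcre) in RULES.items():
        # content: is a literal substring match; pcre: must also match
        if content in uri and pcre.search(uri):
            hits.append(sid)
    return sorted(hits)


# Constructed request lines: landing-page style hits, near misses, and an
# encoded path that only matches because of URI normalization.
SAMPLE_REQUESTS = [
    "GET /hcp_asx.php?f=17 HTTP/1.1",
    "GET /pch.php?f=3 HTTP/1.1",
    "GET /hcp_vbs.php?f=3&d=1 HTTP/1.1",
    "GET /hcp_vbs.php?f=3 HTTP/1.1",          # missing &d=, no hit
    "GET /hcp_asx.php?f=17&e=1 HTTP/1.1",      # trailing $ anchor, no hit
    "GET /hcp_asx.php?f=abc HTTP/1.1",         # \d+ requires digits, no hit
    "GET /kit/../%68cp_asx.php?f=17 HTTP/1.1", # matches after normalization
]


def run_samples():
    """Evaluate every constructed request and return {request_line: [sids]}."""
    return {req: match_rules(req) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, sids in run_samples().items():
        print(f"{req:45s} -> {sids or 'no alert'}")
```

Running the block prints one line per sample request with the sids that would alert. Because each rule's pcre is anchored with `$`, any extra query parameter appended by a later kit revision is enough to defeat it; the `http_uri` content match alone would still hit, which is worth keeping in mind when deciding how tightly to anchor the pcre.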
