[Emerging-Sigs] Proposed Signature for Blackhole Exploit Landing malicious applet

Chris Wakelin c.d.wakelin at reading.ac.uk
Wed Oct 5 14:29:09 EDT 2011

On 05/10/11 18:44, Nick Randolph wrote:
>> New version of the blackhole landing page today. I tried to clean up some
>> of the extra whitespace at the bottom so this isn't an exact copy of what it
>> looks like.
>> hxxp://1oneok.ce.ms/main.php?page=64a30cd969b37792

Yes, looks the same as a couple of mine. It looks like the worms.jar
rule (sid 2013700) should spot it.

Best Wishes,

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094

More information about the Emerging-sigs mailing list