[Emerging-Sigs] Blackhole HCP sig

harry.tuttle harry.tuttle at zoho.com
Sun Oct 9 20:07:22 EDT 2011


URI structure du jour.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server; content:"/pch2.php?c="; http_uri; pcre:"/pch2\.php\?c=\d+$/U"; classtype:bad-unknown; sid:nnnnnnn; rev:1;)

Currently live example:
hxxp://signal.paycheckinaction.com/content/pch2.php?c=9

Serving up a Fake AV which in turn hits 2010382.

Regards,
Harry
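An added check, not part of Harry's post, that applies the rule's two URI conditions (the content match and the pcre) to constructed sample URIs in Python. It keeps the pcre both as it appears in the archived mail (backslashes stripped) and in its escaped form, to show that the unescaped version would not fire on the live URI quoted above.

```python
import re

# Rule options from the post. The content match is the fast-pattern string;
# the pcre is applied to the same normalized URI buffer (Snort 'U' modifier).
CONTENT = "/pch2.php?c="
PCRE_AS_ARCHIVED = r"/pch2.php?c=d+$"     # as rendered in the list archive
PCRE_INTENDED = r"/pch2\.php\?c=\d+$"     # escaped '.', '?', and \d

# Constructed sample URIs; the first mirrors the path of the live example.
SAMPLE_URIS = [
    "/content/pch2.php?c=9",        # numeric c parameter, should alert
    "/content/pch2.php?c=1234",     # numeric c parameter, should alert
    "/content/pch2.php?c=abc",      # non-numeric c, should not alert
    "/content/pch2.php?c=9&x=1",    # trailing parameter, '$' anchor fails
    "/content/pch2.php?c=",         # empty c, \d+ requires a digit
]


def matches_rule(uri: str, pcre: str) -> bool:
    """Emulate the rule: content substring first, then the pcre on the URI."""
    if CONTENT not in uri:
        return False
    return re.search(pcre, uri) is not None


def alerting_uris(uris, pcre: str):
    """Return the URIs from `uris` that would trigger the rule with `pcre`."""
    return [u for u in uris if matches_rule(u, pcre)]


if __name__ == "__main__":
    for label, pcre in (("archived", PCRE_AS_ARCHIVED), ("intended", PCRE_INTENDED)):
        print(label, alerting_uris(SAMPLE_URIS, pcre))
```

With the archived pcre the literal "?" in the URI is never matched (the unescaped "?" only makes the preceding "p" optional), so none of the samples alert; the escaped form alerts on exactly the two numeric ones.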


