[Emerging-Sigs] Another unknown exploit kit

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Oct 13 10:27:08 EDT 2011


Any reason why these didn't make it into the ruleset? I'm getting lots
of hits on the student network (plus one FP for the landing page on the
campus network - someone visiting "www.ebay.co.uk/?site=3" for some reason).

Best Wishes,
Chris

On 09/10/11 16:25, Chris Wakelin wrote:
> I've now had a good go at analysing this kit. So far it's only been seen
> on two (adjacent) IP addresses, so I guess it's not for sale, but
> perhaps for rent :)
> 
> Anyway first some signatures - I've nicknamed the kit "Saturn" as that's
> the name of the octal Java exploit class file:
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit
> Kit possible landing page"; flow:established,to_server;
> content:"/?site="; depth:7; http_uri; pcre:"/\/\?site=[0-9]{1,2}$/U";
> classtype:bad-unknown; sid:xxxx; rev:1;)
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit
> Kit binary download request"; flow:established,to_server;
> content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?";
> http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U";
> classtype:trojan-activity; sid:xxxx; rev:1;)
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit
> Kit probable Java exploit request"; flow:established,to_server;
> content:"/dl/apache.php"; depth:14; http_uri; classtype:trojan-activity;
> sid:xxxx; rev:1;)
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit
> Kit probable Java MIDI exploit request"; flow:established,to_server;
> content:"/dl/jsm.php"; depth:14; http_uri; classtype:trojan-activity;
> sid:xxxx; rev:1;)
> 


-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
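An added example, not part of the original post or the ET ruleset: a small offline harness that re-implements the URI conditions of the four quoted "RDG Saturn" rules in Python and runs them over constructed proxy-log requests, including the www.ebay.co.uk/?site=3 false positive mentioned above. It models only the http_uri content/depth checks and the pcre /U condition; the flow state and the HTTP transaction are assumed to already be satisfied. The hostnames under kit.invalid and the sample URIs are constructed for illustration.

```python
"""Re-implementation of the four quoted Saturn URI checks for offline testing.

Example code added to the archived thread; not the poster's or the
ruleset's own code. Models only content/depth on http_uri plus pcre /U.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class UriRule:
    name: str
    # (needle, depth) pairs; every needle is matched against the normalized
    # URI (http_uri). depth=None means "anywhere in the buffer".
    contents: Tuple[Tuple[str, Optional[int]], ...]
    pcre: Optional[re.Pattern]

    def matches(self, uri: str) -> bool:
        # Snort/Suricata depth:N restricts the search to the first N bytes of
        # the buffer, so a 7-byte content with depth:7 must sit at offset 0.
        for needle, depth in self.contents:
            haystack = uri if depth is None else uri[:depth]
            if needle not in haystack:
                return False
        return self.pcre is None or self.pcre.search(uri) is not None


# Transcribed from the quoted rules (depth values kept exactly as posted;
# the jsm.php rule uses depth:14 for an 11-byte content, so it may start
# anywhere in the first 3 bytes).
RULES = [
    UriRule("RDG Saturn Exploit Kit possible landing page",
            (("/?site=", 7),),
            re.compile(r"/\?site=[0-9]{1,2}$")),
    UriRule("RDG Saturn Exploit Kit binary download request",
            (("/dl/", 4), (".php?", None)),
            re.compile(r"/dl/\w{1,4}\.php\?[0-9]$")),
    UriRule("RDG Saturn Exploit Kit probable Java exploit request",
            (("/dl/apache.php", 14),), None),
    UriRule("RDG Saturn Exploit Kit probable Java MIDI exploit request",
            (("/dl/jsm.php", 14),), None),
]

# Constructed sample: (host, uri) pairs as they might appear in a proxy log.
SAMPLE_REQUESTS = [
    ("www.ebay.co.uk", "/?site=3"),            # the false positive from the mail
    ("kit.invalid", "/?site=12"),              # hypothetical landing page
    ("kit.invalid", "/dl/ab.php?1"),           # hypothetical payload fetch
    ("kit.invalid", "/dl/apache.php"),         # Java exploit request shape
    ("kit.invalid", "/dl/jsm.php"),            # Java MIDI exploit request shape
    ("www.example.com", "/index.php?site=3"),  # "/?site=" not within depth 7
    ("kit.invalid", "/dl/toolong.php?1"),      # \w{1,4} rejects a 7-char name
    ("kit.invalid", "/dl/ab.php?12"),          # only a single trailing digit
]


def evaluate(requests):
    """Return {(host, uri): [names of rules that fire]} for each request."""
    return {(h, u): [r.name for r in RULES if r.matches(u)] for h, u in requests}


if __name__ == "__main__":
    for (host, uri), hits in evaluate(SAMPLE_REQUESTS).items():
        print(f"{host}{uri:<22} -> {hits or '-'}")
```

Running it shows why the landing-page signature is the one that trips on legitimate traffic: its only distinguishing content is a root-path request with a one- or two-digit site parameter, which any ordinary site can produce, whereas the three /dl/ rules need the kit's path structure and do not fire on the other sample URIs.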

