[Emerging-Sigs] Blackhole exploit kit updates

harry.tuttle harry.tuttle at zoho.com
Thu Oct 13 12:56:19 EDT 2011

Hi, Chris.

I struggle with how to keep up with all the variations too. It seems like the only way is to have overlap so that as one element changes, hopefully something else will hit. At some point I guess this leads to ruleset bloat though.

Would a simple 'content:".php?f="' with 'pcre:"/\.php\?f=\d{1,2}$/"' be a horribly performing rule do you think? That would seem to catch a lot of the various exploit pages used in the blackhole kit; not sure if it would false or not. If it does false, use it to set a flowbit and then trigger an alert on something in the file coming down (%PDF, MZ, etc.). Not sure if that's the right answer - just thinking out loud.

I'm having some luck this week with this one, which often hits other sigs but not always. I'm sure it will only be temporary though.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Combination of script elements often seen in Blackhole exploit kit"; flow:established,to_client; content:"String.fromCharCode"; nocase; content:"document.createTextNode"; nocase; content:"replaceData"; nocase; content:"setCharAt"; nocase; classtype:attempted-user; sid:nnnnnnn; rev:1;)


---- On Thu, 13 Oct 2011 07:23:34 -0700 Chris Wakelin  wrote ---- 

>Looking at emerging-current_events.rules: 
>alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 
>Java/PDF Exploit kit from /Home/games/ initial landing"; 
>flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; 
>classtype:trojan-activity; sid:2013025; rev:2;) 
>alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 
>Java/PDF Exploit kit initial landing"; flow:established,to_server; 
>content:"/2fdp.php?f="; http_uri; classtype:trojan-activity; 
>sid:2013027; rev:3;) 
>Looks like 2013025 is covered by 2013027. Perhaps we should rename it 
>"Blackhole Exploit kit PDF/Javascript Exploit #2" (it uses obfuscated 
>Javascript, not Java and seems to target Acrobat <= 9.3) 
>We also have "1fdp.php?f=" (same thing for Acrobat < 8) 
>and in the last couple of days new variants: 
>"2ddfp.php?f="/"1ddfp.php?f=" and (once) "2dfp.php?f="/"1dfp.php?f=". 
>Is it better to have these as separate rules or to use a PCRE? I'm 
>guessing the former as there's precious little for a "content:" match. 
>alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 
>Blackhole landing page with malicious Java applet"; 
>flow:established,from_server; content:"<applet 
>code=|27|buildService.MapYandex.class|27|"; content:".jar"; 
>content:""; classtype:bad-unknown; sid:2013553; rev:2;) 
>alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 
>Blackhole landing page with malicious Java applet"; 
>flow:established,from_server; content:"<applet"; content:"code="; 
>content:".jar"; content:"e00oMDD"; content:""; 
>classtype:bad-unknown; sid:2013700; rev:2;) 
>We're still matching 2013700, but I think 2013553 might be redundant 
>(the ".class" varies a lot). In any case, they shouldn't have the same 
>(BTW "worms.jar" seems to have been replaced by "rabbit.jar" and 
>"field.jar" in the last couple of days.) 
>I've seen quite a bit of:- 
>s17.eu.tf/2jzgte.php (2011-10-07) 
>s16.net.tf/2jzgte.php (2011-10-10) 
>s06.au.tc/2jzgte.php (2011-10-10) 
>s13.it.tc/2jzgte.php (2011-10-11) 
>s07.pro.tc/2jzgte.php (2011-10-11) 
>s11.at.tc/2jzgte.php (2011-10-13) 
>(no query string). It might be worth a sig for "/2jzgte.php", though I 
>suspect this is just one user of the exploit kit. 
>The Javascript obfuscation has changed to things like 
>> s='73_84_72_90_82_74_83 ... 21_13_14_32'.split('_'); 
>> function setCharAt(str,q,index) { 
>> return String.fromCharCode(1*str[index] + 27); 
>> } 
>(the "_" could be other characters of course, I've also seen ":"). I 
>think while 2013700 still matches, we probably don't need to write a new 
>sig for this. 
>Best Wishes, 
>Christopher Wakelin, c.d.wakelin at reading.ac.uk 
>IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908 
>Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094 
>Emerging-sigs mailing list 
>Emerging-sigs at emergingthreats.net 
>Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com 
>The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current! 
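Added example (not from either message above): a small Python sketch of the two ideas in this thread, written here to try them on sample data rather than in a live sensor. The first function emulates the proposed 'content:".php?f="' pre-filter followed by 'pcre:"/\.php\?f=\d{1,2}$/"' against a URI string, the way Snort would apply them to the http_uri buffer, so you can see which of the landing-page URIs from the thread it hits and what a plausible false positive looks like. The second reverses the quoted setCharAt obfuscation (split on a separator, add 27, fromCharCode); the seven leading numbers quoted above decode to "documen" with that offset, which is a useful sanity check that the +27 is the real key and not a decoy. The query-string values, the "index.php?f=1" false-positive candidate and the "_"/":" separator choices are constructed for the example; only the URI stems and the number fragments come from the thread.

```python
import re

# The content match and PCRE from the proposal above. Snort would apply both to
# the normalized URI buffer (http_uri); here we apply them to a plain string.
CONTENT = ".php?f="
PCRE = re.compile(r"\.php\?f=\d{1,2}$")


def uri_hits(uri: str) -> bool:
    """Emulate content:".php?f=" followed by pcre:"/\\.php\\?f=\\d{1,2}$/".

    The cheap substring test runs first so only URIs that contain the literal
    pay for the regex, which mirrors how Snort orders the two options.
    """
    if CONTENT not in uri:
        return False
    return PCRE.search(uri) is not None


def triage(uris):
    """Return the URIs from an iterable that the content+pcre pair would flag."""
    return [u for u in uris if uri_hits(u)]


def decode_charcode_string(blob: str, sep: str = "_", offset: int = 27) -> str:
    """Reverse the obfuscation quoted in the thread.

    The page's JavaScript does String.fromCharCode(1*str[index] + 27) over a
    separator-joined list of numbers; this does the same in one pass. The
    separator is a parameter because the thread notes "_" and ":" both occur.
    """
    return "".join(chr(int(tok) + offset) for tok in blob.split(sep))


# Constructed sample URIs: stems 2fdp/2ddfp/2jzgte are from the thread, the
# query-string values and the index.php/view.php lines are made up here.
SAMPLE_URIS = [
    "/Home/games/2fdp.php?f=15",   # landing page, hits
    "/2ddfp.php?f=7",              # new variant stem, still hits
    "/2jzgte.php",                 # no query string, misses (needs its own sig)
    "/index.php?f=1",              # benign-looking CMS URI, hits: false-positive risk
    "/view.php?f=123",             # three digits, misses because of \d{1,2}$
    "/2fdp.php?f=1&x=2",           # extra parameter, misses because of the $ anchor
]

# Number fragments quoted in the thread, with the "_" separator shown there and
# the ":" separator mentioned as an alternative.
OBFUSCATED_PREFIX = "73_84_72_90_82_74_83"
OBFUSCATED_TAIL = "21:13:14:32"


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{'HIT ' if uri_hits(uri) else 'miss'}  {uri}")
    print("flagged:", triage(SAMPLE_URIS))
    print("prefix decodes to:", decode_charcode_string(OBFUSCATED_PREFIX))
    print("tail decodes to:  ", decode_charcode_string(OBFUSCATED_TAIL, sep=":"))
```

The index.php line is the point of the flowbit suggestion: the URI pattern alone is broad enough to fire on ordinary sites, so setting a flowbit here and alerting only when the response carries a %PDF or MZ header keeps the cheap match without paying for it in false positives. The \d{1,2}$ anchor also means any kit variant that appends a second parameter slips past, which is the kind of overlap the first paragraph above is talking about.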
