[Emerging-Sigs] Blackhole exploit kit updates

evejou girl at techn0ev3.net
Thu Oct 13 13:03:52 EDT 2011


I've deployed those sigs as well (a similar variant to your createTextNode,
and the .php?f=\d+$ one) -- and have actually had pretty good catches with
them. With the URL one, the $ in the pcre has been key to reducing FPs...
although I don't rely on it for similar URLs like the "w.php?f=&e=" ...

A sig I've been using for the BlackHole script combo (rather specific, but
at least no false negatives so far) has been:

alert tcp $EXTERNAL_NET any -> $HOME_NET any
(msg:"Obfuscation.Method.C.Javascript"; content:"createTextNode";
content:"replaceData"; distance:0; content:"eval|28|"; distance:0; sid:xxx;
rev:1;)



-alice
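To make the matching semantics behind these two rules concrete, here is an added example (not code from the thread or from Emerging Threats) that emulates them in Python. It shows why the chained `distance:0` in the three-content rule is stricter than Harry's unordered four-token rule, and why the `$` in the URI pcre keeps `?f=` URLs with extra parameters from firing. The page bodies and URIs are constructed samples, not captures.

```python
import re

# Constructed sample of a Blackhole-style landing page body (not a real capture):
# it contains the script-element combination the thread's rules key on.
SAMPLE_BODY = (
    "<script>s='73_84_72'.split('_');"
    "function setCharAt(str,q,index){return String.fromCharCode(1*str[index]+27);}"
    "var t=document.createTextNode('');t.replaceData(0,0,s);"
    "eval(t.data);</script>"
)
# Constructed benign page: has the same three tokens, but not in rule order.
BENIGN_BODY = "eval(x); el.replaceData(0,1,'a'); document.createTextNode('b');"

def ordered_match(body, contents, nocase=False):
    """Emulate chained 'content:...; distance:0;' matches: each pattern must
    start at or after the end of the previous match."""
    hay = body.lower() if nocase else body
    pos = 0
    for c in contents:
        needle = c.lower() if nocase else c
        idx = hay.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True

def unordered_match(body, contents, nocase=True):
    """Emulate independent content matches (no distance modifier): order is
    irrelevant, every pattern just has to be present somewhere."""
    hay = body.lower() if nocase else body
    return all((c.lower() if nocase else c) in hay for c in contents)

# Alice's rule: createTextNode -> replaceData -> eval( in that order.
# |28| in the Snort rule is the hex byte for "(", so the last needle is "eval(".
ALICE = ["createTextNode", "replaceData", "eval("]
# Harry's rule: four tokens with nocase and no distance constraint.
HARRY = ["String.fromCharCode", "document.createTextNode", "replaceData", "setCharAt"]

# Harry's proposed URI pcre; the trailing $ is what stops "w.php?f=3&e=1" matching.
URI_RE = re.compile(r"\.php\?f=\d{1,2}$")

def uri_hits(uri):
    """True when the request URI ends in .php?f=<one or two digits>."""
    return bool(URI_RE.search(uri))
```

Run against the samples, the ordered rule rejects `BENIGN_BODY` while the unordered check on the same three tokens would accept it; that difference is the false-positive margin `distance:0` buys.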


On Thu, Oct 13, 2011 at 12:56 PM, harry.tuttle <harry.tuttle at zoho.com> wrote:

> Hi, Chris.
>
> I struggle with how to keep up with all the variations too. It seems like
> the only way is to have overlap so that as one element changes, hopefully
> something else will hit. At some point I guess this leads to ruleset bloat
> though.
>
> Would a simple 'content:".php?f="' with 'pcre:"/\.php\?f=\d{1,2}$/"' be a
> horribly performing rule do you think? That would seem to catch a lot of the
> various exploit pages used in the blackhole kit; not sure if it would false
> or not. If it does false, use it to set a flowbit and then trigger an alert
> on something in the file coming down (%PDF, MZ, etc.). Not sure if that's
> the right answer - just thinking out loud.
>
> I'm having some luck this week with this one, which often hits other sigs
> but not always. I'm sure it will only be temporary though.
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
> CURRENT_EVENTS Combination of script elements often seen in Blackhole
> exploit kit"; flow:established,to_client; content:"String.fromCharCode";
> nocase; content:"document.createTextNode"; nocase; content:"replaceData";
> nocase; content:"setCharAt"; nocase; classtype:attempted-user; sid:nnnnnnn;
> rev:1;)
>
> Regards,
> Harry
>
>
> ---- On Thu, 13 Oct 2011 07:23:34 -0700 Chris Wakelin  wrote ----
>
> >Looking at emerging-current_events.rules:
> >
> >alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
> >Java/PDF Exploit kit from /Home/games/ initial landing";
> >flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri;
> >classtype:trojan-activity; sid:2013025; rev:2;)
> >alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
> >Java/PDF Exploit kit initial landing"; flow:established,to_server;
> >content:"/2fdp.php?f="; http_uri; classtype:trojan-activity;
> >sid:2013027; rev:3;)
> >
> >Looks like 2013025 is covered by 2013027. Perhaps we should rename it
> >"Blackhole Exploit kit PDF/Javascript Exploit #2" (it uses obfuscated
> >Javascript, not Java and seems to target Acrobat <= 9.3)
> >
> >We also have "1fdp.php?f=" (same thing for Acrobat < 8)
> >
> >and in the last couple of days new variants:
> >
> >"2ddfp.php?f="/"1ddfp.php?f=" and (once) "2dfp.php?f="/"1dfp.php?f=".
> >
> >Is it better to have these as separate rules or to use a PCRE? I'm
> >guessing the former as there's precious little for a "content:" match.
> >
> >Next,
> >
> >alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> >Blackhole landing page with malicious Java applet";
> >flow:established,from_server; content:"<applet
> >code=|27|buildService.MapYandex.class|27|"; content:".jar";
> >content:""; classtype:bad-unknown; sid:2013553; rev:2;)
> >alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> >Blackhole landing page with malicious Java applet";
> >flow:established,from_server; content:"<applet"; content:"code=";
> >content:".jar"; content:"e00oMDD"; content:"";
> >classtype:bad-unknown; sid:2013700; rev:2;)
> >
> >We're still matching 2013700, but I think 2013553 might be redundant
> >(the ".class" varies a lot). In any case, they shouldn't have the same
> >description!
> >
> >(BTW "worms.jar" seems to have been replaced by "rabbit.jar" and
> >"field.jar" in the last couple of days.)
> >
> >I've seen quite a bit of:-
> >
> >s17.eu.tf/2jzgte.php (2011-10-07)
> >s16.net.tf/2jzgte.php (2011-10-10)
> >s06.au.tc/2jzgte.php (2011-10-10)
> >s13.it.tc/2jzgte.php (2011-10-11)
> >s07.pro.tc/2jzgte.php (2011-10-11)
> >s11.at.tc/2jzgte.php (2011-10-13)
> >
> >(no query string). It might be worth a sig for "/2jzgte.php", though I
> >suspect this is just one user of the exploit kit.
> >
> >The Javascript obfuscation has changed to things like
> >
> >> s='73_84_72_90_82_74_83 ... 21_13_14_32'.split('_');
> >> function setCharAt(str,q,index) {
> >> return String.fromCharCode(1*str[index] + 27);
> >> }
> >
> >(the "_" could be other characters of course, I've also seen ":"). I
> >think while 2013700 still matches, we probably don't need to write a new
> >sig for this.
> >
> >Best Wishes,
> >Chris
> >
> >--
> >--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> >Christopher Wakelin, c.d.wakelin at reading.ac.uk
> >IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
> >Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
> >_______________________________________________
> >Emerging-sigs mailing list
> >Emerging-sigs at emergingthreats.net
> >http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >Support Emerging Threats! Subscribe to Emerging Threats Pro
> >http://www.emergingthreatspro.com
> >The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> >Current!
> >
>



-- 
---
girl at techn0ev3.net

As long as there is life, there is hope.