[Emerging-Sigs] Another unknown exploit kit

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Oct 13 17:42:39 EDT 2011

No reason, only that we're behind a bit. Catching up today!

Thanks Chris. These are going through QA as we speak.

Uhh… wait. FP hits coming out of QA. Let me look deeper, but the /?site= may be a problem. eBay rover… some other things…

I think rules 2 and 3 here are ok. But on the first one, anything weird in the headers we could add?


On Oct 13, 2011, at 10:27 AM, Chris Wakelin wrote:

> Any reason why these didn't make it into the ruleset? I'm getting lots
> of hits on the student network (plus one FP for the landing page on the
> campus network - someone visiting "www.ebay.co.uk/?site=3" for some reason).
> Best Wishes,
> Chris
> On 09/10/11 16:25, Chris Wakelin wrote:
>> I've now had a good go at analysing this kit. So far it's only been seen
>> on two (adjacent) IP addresses, so I guess it's not for sale, but
>> perhaps for rent :)
>> Anyway first some signatures - I've nicknamed the kit "Saturn" as that's
>> the name of the octal Java exploit class file:
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit Kit possible landing page"; flow:established,to_server; content:"/?site="; depth:7; http_uri; pcre:"/\/\?site=[0-9]{1,2}$/U"; classtype:bad-unknown; sid:xxxx; rev:1;)
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; classtype:trojan-activity; sid:xxxx; rev:1;)
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit Kit probable Java exploit request"; flow:established,to_server; content:"/dl/apache.php"; depth:14; http_uri; classtype:trojan-activity; sid:xxxx; rev:1;)
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:11; http_uri; classtype:trojan-activity; sid:xxxx; rev:1;)
> -- 
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
> Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
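As an added example (not code from this thread, from Chris, or from Emerging Threats), here is a small Python model of the URI checks in the four Saturn signatures above: each content match with its depth, plus the pcre where the rule has one, run over a handful of constructed request URIs that include the benign "www.ebay.co.uk/?site=3" landing-page false positive Chris reported. It also compares the jsm.php rule with depth:14 against an 11-byte content (which lets the path sit up to three bytes into the URI) with a copy anchored by depth:11. The hostnames other than eBay, the sample URIs and the tightened rule copy are assumptions for illustration, not observed kit traffic.

```python
import re

# Transcription of the URI checks from the four "RDG Saturn" signatures
# (added example, not the thread's own tooling). Each rule is
# (name, [(content, depth), ...], optional pcre). A content with depth:N must
# sit entirely within the first N bytes of the URI, so depth == len(content)
# pins it to offset 0; depth None means "anywhere in the URI".
RULES = [
    ("possible landing page",
     [("/?site=", 7)], re.compile(r"/\?site=[0-9]{1,2}$")),
    ("binary download request",
     [("/dl/", 4), (".php?", None)], re.compile(r"/dl/\w{1,4}\.php\?[0-9]$")),
    ("probable Java exploit request",
     [("/dl/apache.php", 14)], None),
    # depth:14 against an 11-byte content: the path may also start at
    # offsets 1..3, which is the looseness match_rules() exposes below.
    ("probable Java MIDI exploit request",
     [("/dl/jsm.php", 14)], None),
]

# Same rules with the MIDI rule's depth set to its content length (assumption:
# the intent, as in the apache.php rule, is to anchor the path at offset 0).
TIGHTENED_RULES = [
    (name, [(c, 11) if c == "/dl/jsm.php" else (c, d) for c, d in contents], pcre)
    for name, contents, pcre in RULES
]


def content_matches(uri, needle, depth):
    """Emulate content + depth: the pattern must fit inside uri[:depth]."""
    window = uri if depth is None else uri[:depth]
    return needle in window


def match_rules(uri, rules=RULES):
    """Return the names of every rule whose content and pcre checks pass for this URI."""
    hits = []
    for name, contents, pcre in rules:
        if all(content_matches(uri, c, d) for c, d in contents) and (
            pcre is None or pcre.search(uri)
        ):
            hits.append(name)
    return hits


# Constructed request log (host, uri); not captured traffic. The first line is
# the benign eBay URI from the thread; the rest are shaped like the kit's paths.
SAMPLE_REQUESTS = [
    ("www.ebay.co.uk", "/?site=3"),
    ("www.ebay.co.uk", "/?site=123"),
    ("example.invalid", "/dl/apache.php"),
    ("example.invalid", "/dl/jsm.php"),
    ("example.invalid", "/dl/ab.php?1"),
    ("example.invalid", "/x/dl/jsm.php"),
]


def triage(requests, rules=RULES):
    """Run every request through the rules; return [(host, uri, hits)] for those that alert."""
    out = []
    for host, uri in requests:
        hits = match_rules(uri, rules)
        if hits:
            out.append((host, uri, hits))
    return out


if __name__ == "__main__":
    for host, uri, hits in triage(SAMPLE_REQUESTS):
        print(f"{host}{uri}: {', '.join(hits)}")
```

Running it shows why the first rule is hard to keep clean: "/?site=3" is exactly the seven-byte content at offset 0 followed by one digit, so the eBay URI is an unavoidable hit on URI content alone, which is what the request for an additional header constraint is about. The download rules are narrower, and the last two asserts in the usage above make the depth point concrete: "/x/dl/jsm.php" alerts with depth:14 but not with depth:11.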
