[Emerging-Sigs] Another unknown exploit kit

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Oct 13 18:20:58 EDT 2011


On 13/10/2011 22:42, Matthew Jonkman wrote:
> No reason, only that we're behind a bit. Catching up today!
>
> Thanks Chris. These are going through QA as we speak.
>
> uhh… wait. FP hits coming out of qa. Let me look deeper, but the
> /?site= may be a problem. Ebay rover… some other things…
>
> I think rules 2 and 3 here are ok. But on the first one, anything
> weird in the headers we could add?

Alas no, though all the domains have been "<porn-sounding-name>.in", 
e.g. today was "sobigclits.in", so we could match ".in" in http_header, 
perhaps with a PCRE to make sure it's "Host:" (is there a better way to 
match the Host header?)

The JavaScript obfuscation has been pretty constant though, so we could 
have a (more expensive) sig on the contents of the page.

The other two sigs look good for matching the bad stuff for now, until 
they change the names. The downloads are hitting sig 2009897 (exe sent 
as "html") too and possibly Eoin's vulnerable Java download sig (though 
it doesn't seem to work for me at the moment).

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
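As an added worked example (not from Chris's message and not an Emerging Threats rule), the following Python harness emulates the two checks discussed above over constructed HTTP samples: a bare `content:".in"; http_header;` test versus a PCRE anchored on the Host header, and an "exe sent as html" check (text/html Content-Type with an MZ body). The regexes and the Snort-style pcre line in the comments are this example's own suggestion; every request and response below is made up, apart from the domain name quoted in the message.

```python
import re

# --- Request side: does the Host header end in ".in"? ---------------------

def naive_dot_in_match(request: bytes) -> bool:
    """Emulates `content:".in"; http_header;` - any ".in" anywhere in the
    request headers fires, including ".info", ".index" or a Referer line."""
    headers = request.split(b"\r\n\r\n", 1)[0]
    return b".in" in headers


# Equivalent Snort-style rule option (assumed form, not from the thread):
#   pcre:"/^Host:[ \t]*[^\r\n]*\.in(?::\d+)?[ \t]*\r?$/Hmi";
# H = search the normalised http_header buffer, m = ^/$ per line,
# i = case-insensitive header name.  An optional :port is allowed.
HOST_IN_RE = re.compile(rb"^Host:[ \t]*[^\r\n]*\.in(?::\d+)?[ \t]*\r?$", re.M | re.I)

def host_ends_in_dot_in(request: bytes) -> bool:
    """True only when the Host header value itself ends in ".in"."""
    headers = request.split(b"\r\n\r\n", 1)[0]
    return HOST_IN_RE.search(headers) is not None


# --- Response side: executable served with an HTML Content-Type -------------

CONTENT_TYPE_RE = re.compile(rb"^Content-Type:[ \t]*([^\r\n;]+)", re.M | re.I)
EXE_MAGIC = b"MZ"  # DOS/PE header, first two bytes of a Windows executable

def exe_served_as_html(response: bytes) -> bool:
    """True when the server claims text/html but the body starts with "MZ"."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return False  # no header/body boundary seen yet
    m = CONTENT_TYPE_RE.search(head)
    if m is None or m.group(1).strip().lower() != b"text/html":
        return False
    return body.startswith(EXE_MAGIC)


# --- Constructed samples (not captured traffic) -----------------------------

SAMPLE_REQUESTS = {
    # landing page of the kit, domain taken from the message
    "kit_landing": b"GET /?site=12345 HTTP/1.1\r\nHost: sobigclits.in\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "kit_landing_port": b"GET /?site=1 HTTP/1.1\r\nHost: sobigclits.in:8080\r\n\r\n",
    # benign traffic that a bare ".in" content match would flag
    "info_tld": b"GET /?site=1 HTTP/1.1\r\nHost: www.example.info\r\n\r\n",
    "other_header": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nReferer: http://example.in/\r\n\r\n",
    "plain": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

SAMPLE_RESPONSES = {
    "exe_as_html": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 4\r\n\r\nMZ\x90\x00",
    "real_html": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>",
    "exe_as_exe": b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00",
}


def evaluate_requests(requests=SAMPLE_REQUESTS):
    """Return {name: (naive_hit, host_hit)} so the two checks can be compared."""
    return {name: (naive_dot_in_match(r), host_ends_in_dot_in(r))
            for name, r in requests.items()}


if __name__ == "__main__":
    print("request           naive  host-anchored")
    for name, (naive, anchored) in evaluate_requests().items():
        print(f"{name:<17} {str(naive):<6} {anchored}")
    print()
    for name, resp in SAMPLE_RESPONSES.items():
        print(f"{name:<17} exe-as-html={exe_served_as_html(resp)}")
```

Running it shows the point of anchoring on the header: the bare ".in" check fires on `www.example.info` and on a `.in` Referer, while the Host-anchored regex only fires on the two kit requests (with or without a port). The response check is a plain-text stand-in for the behaviour described for sig 2009897 and would need the usual flowbits/port constraints in a real rule.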