[Emerging-Sigs] possible FPs for ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request : 2013666
nathan at packetmail.net
Mon Oct 17 21:43:52 EDT 2011
On 10/17/11 17:52, Russell Fulton wrote:
> Just started seeing quite a few of hits on this rule like this:
> GET /main.php?page=d2baefb3a79c2f71 HTTP/1.1
> Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
> Referer: http://tpnads.com/iframe/jscode.php?zoneid=115&size=760x120&source=nz-shop
> Accept-Language: en-NZ
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E; Zune 4.7)
> Accept-Encoding: gzip, deflate
> Connection: Keep-Alive
> Host: wiekf533.info
> All to the same IP :
> bluebottle:test rful011$ host wiekf533.info
> wiekf533.info has address 22.214.171.124
> In the past when I have had hits on this rule and checked the source (local) IP I have invariably found alerts for java exploits -- there are none for this site. I have now idea what the site is but in the last 24 hours I had just over a 100 IPs trigger this alert.
Hi Russell, this is indeed a Blackhole Exploit kit landing, in action. I would
block this host accordingly; this is not a false positive.
'126.96.36.199/19AS12695' out of Moscow Russia doesn't have a history of being so
nice. This is malvertising with Blackhole landing.
More information about the Emerging-sigs