[Emerging-Sigs] Necessary proposed addition to BlackHole landing URI structure

Nathan nathan at packetmail.net
Wed Oct 19 12:58:52 EDT 2011


Just like ?page=, there is a new URI variant.  2013700 "ET CURRENT_EVENTS
Blackhole landing page with malicious Java applet" fired for the server
response landing.

The Referer: there may be something valuable there in a signature from
iframe.php with a static string length, but I don't have enough samples.  Perhaps
others can chime in.

#Proposed, in the spirit of other similar ones like 2013666
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request";
flow:established,to_server; content:".php?doit"; http_uri;
pcre:"/\.php\?doit[a-z0-9]*=[a-f0-9]{16}$/U"; classtype:trojan-activity;
sid:x; rev:1;)

11:49:51.843097 IP RFC_1918.3588 > 176.58.89.225.80
GET /main.php?doitriht=9d595a6d7d579357 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/xaml+xml,
application/x-ms-xbap, application/x-ms-application, */*
Referer:
http://bidonionis.orge.pl/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: trueis.in
Connection: Keep-Alive

Thanks,
Nathan
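Added here as a quick check, not part of Nathan's post: a small Python harness that re-implements the content and pcre conditions of the proposed rule outside Snort, runs them over the captured request line plus a few request lines constructed here to probe the edge cases (trailing parameter, upper-case hex, the older ?page= form), and measures the iframe.php id length in the captured Referer so others can compare their samples.

```python
import re

# Sample data. CAPTURED_REQUEST and CAPTURED_REFERER are taken from the post;
# the VARIANTS list is constructed here to exercise the rule's edge cases.
CAPTURED_REQUEST = "GET /main.php?doitriht=9d595a6d7d579357 HTTP/1.1"
CAPTURED_REFERER = "http://bidonionis.orge.pl/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34"
VARIANTS = [
    "GET /index.php?doit=0123456789abcdef HTTP/1.1",          # empty [a-z0-9]* part
    "GET /main.php?doitriht=9d595a6d7d579357&x=1 HTTP/1.1",   # trailing parameter, $ fails
    "GET /main.php?doitriht=9D595A6D7D579357 HTTP/1.1",       # upper-case hex, rule has no /i
    "GET /main.php?page=9d595a6d7d579357 HTTP/1.1",           # the older ?page= variant
]

# The two conditions of the proposed rule, re-implemented outside Snort:
# content:".php?doit"; http_uri;  and  pcre:"/\.php\?doit[a-z0-9]*=[a-f0-9]{16}$/U"
CONTENT = ".php?doit"
PCRE = re.compile(r"\.php\?doit[a-z0-9]*=[a-f0-9]{16}$")  # no re.I: the pcre has no /i flag

def request_uri(request_line):
    """Return the URI of an HTTP request line ('GET /x HTTP/1.1' -> '/x')."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1]

def rule_matches(request_line):
    """True when both the content match and the pcre hold on the request URI."""
    uri = request_uri(request_line)
    if CONTENT not in uri:       # cheap content match first, as the engine would
        return False
    return PCRE.search(uri) is not None

def referer_id_length(referer):
    """Length of the id= value in an iframe.php Referer, or -1 if absent.
    Lets you check whether the id length is static across samples."""
    m = re.search(r"/iframe\.php\?id=([^&\s]+)", referer)
    return len(m.group(1)) if m else -1

if __name__ == "__main__":
    for line in [CAPTURED_REQUEST] + VARIANTS:
        print("%-5s %s" % (rule_matches(line), line))
    print("Referer id length:", referer_id_length(CAPTURED_REFERER))
```

Note that the pcre is case-sensitive and anchored with $, so a hex value in upper case or a request with a parameter appended after the token will not fire.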


