[Emerging-Sigs] Blackhole exploit kit updates

Chris Wakelin c.d.wakelin at reading.ac.uk
Wed Oct 19 13:10:07 EDT 2011


Definitely need 1ddfp.php and 2ddfp.php (not seen anything else in the
last few days). These are working well for us:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Blackhole
Acrobat 8/9.3 PDF exploit download request #2";
flow:established,to_server; content:"/2ddfp.php?f="; http_uri;
classtype:trojan-activity; sid:xxxx; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Blackhole
Acrobat 1-7 PDF exploit download request #2";
flow:established,to_server; content:"/1ddfp.php?f="; http_uri;
classtype:trojan-activity; sid:xxxx; rev:1;)

As for the new Javascript, I got nicely confused by
"s='73b84b72b90b82b74b83 ..." until I noticed it ended with
"'.split('b');" - so no, it's not hex :)

Best Wishes,
Chris

On 13/10/11 15:23, Chris Wakelin wrote:
> Looking at emerging-current_events.rules:
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
> Java/PDF Exploit kit from /Home/games/ initial landing";
> flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri;
> classtype:trojan-activity; sid:2013025; rev:2;)
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
> Java/PDF Exploit kit initial landing"; flow:established,to_server;
> content:"/2fdp.php?f="; http_uri; classtype:trojan-activity;
> sid:2013027; rev:3;)
> 
> Looks like 2013025 is covered by 2013027. Perhaps we should rename it
> "Blackhole Exploit kit PDF/Javascript Exploit #2" (it uses obfuscated
> Javascript, not Java and seems to target Acrobat <= 9.3)
> 
> We also have "1fdp.php?f=" (same thing for Acrobat < 8)
> 
> and in the last couple of days new variants:
> 
> "2ddfp.php?f="/"1ddfp.php?f=" and (once) "2dfp.php?f="/"1dfp.php?f=".
> 
> Is it better to have these as separate rules or to use a PCRE? I'm
> guessing the former as there's precious little for a "content:" match.
> 
> Next,
> 
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> Blackhole landing page with malicious Java applet";
> flow:established,from_server; content:"<applet
> code=|27|buildService.MapYandex.class|27|"; content:".jar";
> content:"</applet>"; classtype:bad-unknown; sid:2013553; rev:2;)
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> Blackhole landing page with malicious Java applet";
> flow:established,from_server; content:"<applet"; content:"code=";
> content:".jar"; content:"e00oMDD"; content:"</applet>";
> classtype:bad-unknown; sid:2013700; rev:2;)
> 
> We're still matching 2013700, but I think 2013553 might be redundant
> (the ".class" varies a lot). In any case, they shouldn't have the same
> description!
> 
> (BTW "worms.jar" seems to have been replaced by "rabbit.jar" and
> "field.jar" in the last couple of days.)
> 
> I've seen quite a bit of:-
> 
> s17.eu.tf/2jzgte.php (2011-10-07)
> s16.net.tf/2jzgte.php (2011-10-10)
> s06.au.tc/2jzgte.php (2011-10-10)
> s13.it.tc/2jzgte.php (2011-10-11)
> s13.it.tc/2jzgte.php (2011-10-11)
> s07.pro.tc/2jzgte.php (2011-10-11)
> s11.at.tc/2jzgte.php (2011-10-13)
> 
> (no query string). It might be worth a sig for "/2jzgte.php", though I
> suspect this is just one user of the exploit kit.
> 
> The Javascript obfuscation has changed to things like
> 
>> s='73_84_72_90_82_74_83 ... 21_13_14_32'.split('_');
>> function setCharAt(str,q,index) {
>>         return String.fromCharCode(1*str[index] + 27);
>> }
> 
> (the "_" could be other characters of course, I've also seen ":"). I
> think while 2013700 still matches, we probably don't need to write a new
> sig for this.
> 
> Best Wishes,
> Chris
> 


-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
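Added example, not part of Chris's messages or of the ET ruleset: it checks the "separate rules or one PCRE" question from the quoted message by running the six URI fragments listed in the thread (2fdp/1fdp, 2ddfp/1ddfp, 2dfp/1dfp) through both approaches, and it computes the longest literal the six variants share, which is the best `content:` prefilter a single PCRE rule could carry. The regular expression is written for this example and is not an ET signature; the sample URIs are constructed, not captured traffic.

```javascript
// Added example: per-variant content matches versus one regex, plus the
// longest shared literal. Assumes the six URI fragments quoted in the thread
// are the complete set; the regex below is this example's, not an ET rule.

// One Snort "content:" match per variant, exactly as quoted in the thread.
const VARIANT_CONTENTS = [
  '/2fdp.php?f=', '/1fdp.php?f=',
  '/2ddfp.php?f=', '/1ddfp.php?f=',
  '/2dfp.php?f=', '/1dfp.php?f=',
];

// A single PCRE-style expression for the same six variants: a leading
// 1 or 2 (the thread's Acrobat <8 / 8-9.3 split), then "fdp", "dfp" or
// "ddfp", then the query key. It requires the leading slash so the name
// must start a path segment.
const VARIANT_PCRE = /\/[12](?:fdp|d{1,2}fp)\.php\?f=/;

function matchesByContent(uri) {
  return VARIANT_CONTENTS.some((c) => uri.includes(c));
}

function matchesByPcre(uri) {
  return VARIANT_PCRE.test(uri);
}

// Longest substring present in every variant: the only literal a
// combined PCRE rule could use as its fast-pattern prefilter.
function longestCommonLiteral(strings) {
  const shortest = strings.reduce((a, b) => (b.length < a.length ? b : a));
  for (let len = shortest.length; len > 0; len--) {
    for (let i = 0; i + len <= shortest.length; i++) {
      const cand = shortest.slice(i, i + len);
      if (strings.every((s) => s.includes(cand))) return cand;
    }
  }
  return '';
}

// Constructed request URIs (placeholders, not observed traffic).
const SAMPLE_URIS = [
  '/Home/games/2fdp.php?f=12', // the path sid:2013025 / 2013027 look for
  '/2ddfp.php?f=3',            // variant from the 19 Oct rules
  '/1dfp.php?f=1',             // variant seen once, per the thread
  '/2jzgte.php',               // different landing path, no query string
  '/index.php?f=2fdp.php',     // name present, but not as a request path
  '/x/12fdp.php?f=9',          // not one of the six variants
];

// Run both approaches over a list of URIs and report where they disagree.
function compareApproaches(uris) {
  return uris.map((uri) => {
    const content = matchesByContent(uri);
    const pcre = matchesByPcre(uri);
    return { uri, content, pcre, agree: content === pcre };
  });
}

for (const row of compareApproaches(SAMPLE_URIS)) {
  console.log(`${row.uri.padEnd(28)} content=${row.content} pcre=${row.pcre}`);
}
console.log(`shared literal: "${longestCommonLiteral(VARIANT_CONTENTS)}"`);
```

The shared literal comes out as `p.php?f=`, eight characters that say nothing specific about the kit, which is the "precious little for a content: match" the quoted message anticipates: a combined PCRE rule would have to be evaluated against nearly every PHP request with an `f=` parameter, whereas each per-variant rule gets a distinctive 12- or 13-byte fast pattern.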
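Added example, not from Chris's messages or from the kit's own script: a decoder for the obfuscation quoted above, where the script splits a string of decimal numbers on a separator character and rebuilds each character with `String.fromCharCode(1*str[index] + 27)`. The decoder recovers the separator from the string itself, so it works for the `'_'`, `':'` and `'b'` variants the thread mentions. The extractor assumes the variable is named `s` as in both quoted snippets; the script body it is run on here is constructed around the fragment in the 19 Oct message.

```javascript
// Added example: decode the "split(sep) + fromCharCode(n + 27)" scheme.
// Assumes the assignment is of the form s='...'.split('x') as quoted in
// the thread; the sample script is constructed, not a captured page.

// Head and tail of the encoded string exactly as quoted (the "..." in the
// original means only these two fragments of the payload are known).
const HEAD = '73_84_72_90_82_74_83';
const TAIL = '21_13_14_32';
const OFFSET = 27; // the "+ 27" inside setCharAt()

// The separator is whatever non-digit character sits between the numbers.
function detectSeparator(encoded) {
  const m = encoded.match(/[^0-9]/);
  return m ? m[0] : null;
}

// Decode one encoded string. Returns null if it does not fit the scheme
// (no separator at all, or a token that is not a decimal number).
function decodeSplitObfuscation(encoded, offset = OFFSET) {
  const sep = detectSeparator(encoded);
  if (sep === null) return null;
  let out = '';
  for (const token of encoded.split(sep)) {
    if (!/^[0-9]+$/.test(token)) return null;
    out += String.fromCharCode(Number(token) + offset); // 1*str[index] + 27
  }
  return out;
}

// Pull the s='...'.split('x') assignment out of a script body so the
// decoder can be pointed at a captured landing page. Returns the encoded
// string and the separator the script itself declares.
function extractEncodedString(script) {
  const m = script.match(
    /s=['"]([0-9]+(?:[^0-9'"][0-9]+)*)['"]\.split\(['"](.)['"]\)/
  );
  return m ? { encoded: m[1], separator: m[2] } : null;
}

// Constructed script modelled on the 19 Oct snippet (separator 'b').
const SAMPLE_SCRIPT =
  "var x=1;s='73b84b72b90b82b74b83'.split('b');" +
  'function setCharAt(str,q,index){return String.fromCharCode(1*str[index]+27);}';

// Decode a whole script body: find the assignment, then decode it. The
// declared separator must agree with the one found in the data.
function decodeScript(script) {
  const found = extractEncodedString(script);
  if (!found) return null;
  if (detectSeparator(found.encoded) !== found.separator) return null;
  return decodeSplitObfuscation(found.encoded);
}

console.log('head decodes to:', decodeSplitObfuscation(HEAD));
console.log('tail decodes to:', decodeSplitObfuscation(TAIL));
console.log('sample script  :', decodeScript(SAMPLE_SCRIPT));
```

On the fragments quoted in the thread the head decodes to `documen` and the tail to `0();`, which is what a script beginning with `document` and ending in a function call would produce; that is also a quick way to confirm the `+ 27` offset is the right one before spending time on the rest of a sample.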

