[Emerging-Sigs] Blackhole exploit kit updates

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Oct 20 12:55:50 EDT 2011


Got these posted, thanks Chris!

Matt


On Oct 19, 2011, at 1:10 PM, Chris Wakelin wrote:

> Definitely need 1ddfp.php and 2ddfp.php (not seen anything else in the
> last few days). These are working well for us:
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Blackhole
> Acrobat 8/9.3 PDF exploit download request #2";
> flow:established,to_server; content:"/2ddfp.php?f="; http_uri;
> classtype:trojan-activity; sid:xxxx; rev:1;)
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Blackhole
> Acrobat 1-7 PDF exploit download request #2";
> flow:established,to_server; content:"/1ddfp.php?f="; http_uri;
> classtype:trojan-activity; sid:xxxx; rev:1;)
> 
> As for the new Javascript, I got nicely confused by
> "s='73b84b72b90b82b74b83 ..." until I noticed it ended with
> "'.split('b');" - so no, it's not hex :)
> 
> Best Wishes,
> Chris
> 
> On 13/10/11 15:23, Chris Wakelin wrote:
>> Looking at emerging-current_events.rules:
>> 
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
>> Java/PDF Exploit kit from /Home/games/ initial landing";
>> flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri;
>> classtype:trojan-activity; sid:2013025; rev:2;)
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
>> Java/PDF Exploit kit initial landing"; flow:established,to_server;
>> content:"/2fdp.php?f="; http_uri; classtype:trojan-activity;
>> sid:2013027; rev:3;)
>> 
>> Looks like 2013025 is covered by 2013027. Perhaps we should rename it
>> "Blackhole Exploit kit PDF/Javascript Exploit #2" (it uses obfuscated
>> Javascript, not Java and seems to target Acrobat <= 9.3)
>> 
>> We also have "1fdp.php?f=" (same thing for Acrobat < 8)
>> 
>> and in the last couple of days new variants:
>> 
>> "2ddfp.php?f="/"1ddfp.php?f=" and (once) "2dfp.php?f="/"1dfp.php?f=".
>> 
>> Is it better to have these as separate rules or to use a PCRE? I'm
>> guessing the former as there's precious little for a "content:" match.
>> 
>> Next,
>> 
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
>> Blackhole landing page with malicious Java applet";
>> flow:established,from_server; content:"<applet
>> code=|27|buildService.MapYandex.class|27|"; content:".jar";
>> content:"</applet>"; classtype:bad-unknown; sid:2013553; rev:2;)
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
>> Blackhole landing page with malicious Java applet";
>> flow:established,from_server; content:"<applet"; content:"code=";
>> content:".jar"; content:"e00oMDD"; content:"</applet>";
>> classtype:bad-unknown; sid:2013700; rev:2;)
>> 
>> We're still matching 2013700, but I think 2013553 might be redundant
>> (the ".class" varies a lot). In any case, they shouldn't have the same
>> description!
>> 
>> (BTW "worms.jar" seems to have been replaced by "rabbit.jar" and
>> "field.jar" in the last couple of days.)
>> 
>> I've seen quite a bit of:-
>> 
>> s17.eu.tf/2jzgte.php (2011-10-07)
>> s16.net.tf/2jzgte.php (2011-10-10)
>> s06.au.tc/2jzgte.php (2011-10-10)
>> s13.it.tc/2jzgte.php (2011-10-11)
>> s13.it.tc/2jzgte.php (2011-10-11)
>> s07.pro.tc/2jzgte.php (2011-10-11)
>> s11.at.tc/2jzgte.php (2011-10-13)
>> 
>> (no query string). It might be worth a sig for "/2jzgte.php", though I
>> suspect this is just one user of the exploit kit.
>> 
>> The Javascript obfuscation has changed to things like
>> 
>>> s='73_84_72_90_82_74_83 ... 21_13_14_32'.split('_');
>>> function setCharAt(str,q,index) {
>>>        return String.fromCharCode(1*str[index] + 27);
>>> }
>> 
>> (the "_" could be other characters of course, I've also seen ":"). I
>> think while 2013700 still matches, we probably don't need to write a new
>> sig for this.
>> 
>> Best Wishes,
>> Chris
>> 
> 
> 
> -- 
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
> Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
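Added example (not part of the thread, not Emerging Threats or Chris's code): a small decoder for the split()-array obfuscation quoted above, written from the defender's side so an analyst can recover the landing-page script from the numeric string instead of eyeballing it. It assumes only the layout shown in the quote: a string of decimal numbers joined by some separator (the thread notes '_', ':' and 'b'), a `.split('X')` call, and `String.fromCharCode(1*str[index] + 27)`. The separator and the offset are read out of the script text rather than hard-coded; the sample script it is run on is constructed here, with `encodeForSample` being a helper to build that sample, not something the kit does.

```javascript
// Extract the encoded string and its separator from  s='...'.split('X');
function extractEncoded(script) {
  const m = /=\s*'([^']*)'\s*\.split\('([^']+)'\)/.exec(script);
  if (!m) return null;
  return { encoded: m[1], separator: m[2] };
}

// Extract the additive offset from  String.fromCharCode(1*str[index] + 27)
// (handles "- N" as well, in case a variant subtracts instead of adds).
function extractOffset(script) {
  const m = /fromCharCode\(\s*1\s*\*\s*\w+\[\w+\]\s*([+-])\s*(\d+)\s*\)/.exec(script);
  if (!m) return null;
  return m[1] === '-' ? -Number(m[2]) : Number(m[2]);
}

// Reverse the obfuscation: split on the separator, add the offset, map to chars.
function decodeSplitArray(encoded, separator, offset) {
  return encoded
    .split(separator)
    .filter(tok => tok.length > 0)          // tolerate a trailing separator
    .map(tok => String.fromCharCode(Number(tok) + offset))
    .join('');
}

// Convenience wrapper: pull everything out of the script text and decode it.
// Returns null when the pattern is not present, so callers can fall through
// to other decoders rather than misreport.
function deobfuscate(script) {
  const enc = extractEncoded(script);
  const offset = extractOffset(script);
  if (!enc || offset === null) return null;
  return decodeSplitArray(enc.encoded, enc.separator, offset);
}

// --- constructed sample input (this helper builds test data; it is not part of the kit) ---
function encodeForSample(text, separator, offset) {
  return text.split('').map(c => c.charCodeAt(0) - offset).join(separator);
}

// A script in the same shape as the quoted one, using the 'b' separator that
// made the string look like hex at first glance.
const SAMPLE_SCRIPT =
  "s='" + encodeForSample("document.write('hi');", 'b', 27) + "'.split('b');\n" +
  "function setCharAt(str,q,index) {\n" +
  "       return String.fromCharCode(1*str[index] + 27);\n" +
  "}\n";

// The fragment quoted in the thread decodes to the start of "document".
const THREAD_FRAGMENT = '73_84_72_90_82_74_83';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(deobfuscate(SAMPLE_SCRIPT));
  console.log(decodeSplitArray(THREAD_FRAGMENT, '_', 27));
}
```

Running it prints the recovered `document.write('hi');` from the constructed sample, and `documen` from the fragment Chris quoted, which is why the 'b'-separated string is not hex: every token is a decimal character code minus 27.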


