[Emerging-Sigs] Blackhole exploit kit updates

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Oct 20 12:56:47 EDT 2011


Is this still doing well for you, evejou?

Running it through QA here, ought to be interesting!

Matt


On Oct 13, 2011, at 1:03 PM, evejou wrote:

> I've deployed those sigs as well (a similar variant to your createTextNode, and the .php?f=\d+$ one) -- and have actually had pretty good catches with them. With the URL one, the $ in the pcre has been key to reducing FPs... although I don't rely on it for similar URLs like the "w.php?f=&e=" ...
> 
> A sig I've been using for the BlackHole script combo (rather specific, but at least no false negatives so far) has been:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Obfuscation.Method.C.Javascript"; content:"createTextNode"; content:"replaceData"; distance:0; content:"eval|28|"; distance:0; sid:xxx; rev:1;)
> 
> 
> 
> -alice
> 
> 
> On Thu, Oct 13, 2011 at 12:56 PM, harry.tuttle <harry.tuttle at zoho.com> wrote:
> Hi, Chris.
> 
> I struggle with how to keep up with all the variations too. It seems like the only way is to have overlap so that as one element changes, hopefully something else will hit. At some point I guess this leads to ruleset bloat though.
> 
> Would a simple 'content:".php?f="' with 'pcre:"/\.php\?f=\d{1,2}$/"' be a horribly performing rule do you think? That would seem to catch a lot of the various exploit pages used in the blackhole kit; not sure if it would false or not. If it does false, use it to set a flowbit and then trigger an alert on something in the file coming down (%PDF, MZ, etc.). Not sure if that's the right answer - just thinking out loud.
> 
> I'm having some luck this week with this one, which often hits other sigs but not always. I'm sure it will only be temporary though.
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Combination of script elements often seen in Blackhole exploit kit"; flow:established,to_client; content:"String.fromCharCode"; nocase; content:"document.createTextNode"; nocase; content:"replaceData"; nocase; content:"setCharAt"; nocase; classtype:attempted-user; sid:nnnnnnn; rev:1;)
> 
> Regards,
> Harry
> 
> 
> ---- On Thu, 13 Oct 2011 07:23:34 -0700 Chris Wakelin wrote ----
> 
> >Looking at emerging-current_events.rules:
> >
> >alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013025; rev:2;)
> >alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit initial landing"; flow:established,to_server; content:"/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013027; rev:3;)
> >
> >Looks like 2013025 is covered by 2013027. Perhaps we should rename it
> >"Blackhole Exploit kit PDF/Javascript Exploit #2" (it uses obfuscated
> >Javascript, not Java and seems to target Acrobat <= 9.3)
> >
> >We also have "1fdp.php?f=" (same thing for Acrobat < 8)
> >
> >and in the last couple of days new variants:
> >
> >"2ddfp.php?f="/"1ddfp.php?f=" and (once) "2dfp.php?f="/"1dfp.php?f=".
> >
> >Is it better to have these as separate rules or to use a PCRE? I'm
> >guessing the former as there's precious little for a "content:" match.
> >
> >Next,
> >
> >alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; content:"<applet code=|27|buildService.MapYandex.class|27|"; content:".jar"; content:""; classtype:bad-unknown; sid:2013553; rev:2;)
> >alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; content:"<applet"; content:"code="; content:".jar"; content:"e00oMDD"; content:""; classtype:bad-unknown; sid:2013700; rev:2;)
> >
> >We're still matching 2013700, but I think 2013553 might be redundant
> >(the ".class" varies a lot). In any case, they shouldn't have the same
> >description!
> >
> >(BTW "worms.jar" seems to have been replaced by "rabbit.jar" and
> >"field.jar" in the last couple of days.)
> >
> >I've seen quite a bit of:-
> >
> >s17.eu.tf/2jzgte.php (2011-10-07)
> >s16.net.tf/2jzgte.php (2011-10-10)
> >s06.au.tc/2jzgte.php (2011-10-10)
> >s13.it.tc/2jzgte.php (2011-10-11)
> >s13.it.tc/2jzgte.php (2011-10-11)
> >s07.pro.tc/2jzgte.php (2011-10-11)
> >s11.at.tc/2jzgte.php (2011-10-13)
> >
> >(no query string). It might be worth a sig for "/2jzgte.php", though I
> >suspect this is just one user of the exploit kit.
> >
> >The Javascript obfuscation has changed to things like
> >
> >> s='73_84_72_90_82_74_83 ... 21_13_14_32'.split('_');
> >> function setCharAt(str,q,index) {
> >> return String.fromCharCode(1*str[index] + 27);
> >> }
> >
> >(the "_" could be other characters of course, I've also seen ":"). I
> >think while 2013700 still matches, we probably don't need to write a new
> >sig for this.
> >
> >Best Wishes,
> >Chris
> >
> >--
> >--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> >Christopher Wakelin, c.d.wakelin at reading.ac.uk
> >IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
> >Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
> >_______________________________________________
> >Emerging-sigs mailing list
> >Emerging-sigs at emergingthreats.net
> >http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> >The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
> >
> 
> 
> 
> 
> -- 
> ---
> girl at techn0ev3.net
> 
> Finché c'è vita, c'è speranza.
> As long as there is life, there is hope. 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
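The "split + String.fromCharCode(1*str[index] + 27)" loader Chris quotes is simple enough to decode without executing it, which is also why the content matches in this thread keep firing while the visible string changes. The following is an added example written for this page, not code from the thread or from Emerging Threats. The offset 27 and the '_' separator are the values visible in the quoted snippet; under that offset the leading numbers of the quoted fragment spell the start of "document". Support for other separators follows Chris's note that the '_' varies (he also saw ':'); the plaintext used for the round trip is constructed, not a real payload.

```javascript
// Added example (not from the thread): reproduce and decode the
// "split-then-fromCharCode(n + 27)" obfuscation quoted by Chris Wakelin.

// Encode plaintext the way that loader expects: each character becomes
// (charCode - offset), joined with the separator.
function encodeCharcodeList(plain, offset = 27, sep = '_') {
  const parts = [];
  for (const ch of plain) {
    const code = ch.charCodeAt(0) - offset;
    // Printable ASCII starts at 32, so with offset 27 nothing goes negative;
    // refuse anything that would, rather than emit an undecodable entry.
    if (code < 0) throw new Error('cannot encode char below offset: ' + JSON.stringify(ch));
    parts.push(String(code));
  }
  return parts.join(sep);
}

// The separator is whatever non-digit sits between the numbers. Guessing it
// instead of hard-coding '_' is what keeps the decoder working across the
// variants Chris mentions ('_' and ':' are both assumed to be just separators).
function guessSeparator(encoded) {
  const m = encoded.match(/[^0-9]/);
  return m ? m[0] : null;
}

// Decode by applying setCharAt()'s String.fromCharCode(1*str[index] + 27) to
// every entry. Number(chunk) replaces the original's "1*str[index]" coercion.
// A chunk that is not purely numeric (the "..." elision in the quoted sample,
// or trailing junk) ends the decode instead of producing garbage characters.
function decodeCharcodeList(encoded, offset = 27, sep = guessSeparator(encoded)) {
  if (sep === null) throw new Error('no separator found in encoded string');
  let out = '';
  for (const chunk of encoded.split(sep)) {
    if (!/^\d+$/.test(chunk)) break;
    out += String.fromCharCode(Number(chunk) + offset);
  }
  return out;
}

// Leading numbers of the fragment quoted in Chris's mail. With offset 27 they
// decode to the start of "document", which is why String.fromCharCode and
// setCharAt remain usable anchors while the encoded string itself looks random.
const QUOTED_PREFIX = '73_84_72_90_82_74_83';

// Constructed plaintext (not a real payload) for the round-trip demo with ':'.
const SAMPLE_PLAIN = 'document.write("constructed sample");';

function demo() {
  return {
    quotedPrefix: decodeCharcodeList(QUOTED_PREFIX),
    roundTrip: decodeCharcodeList(encodeCharcodeList(SAMPLE_PLAIN, 27, ':')),
  };
}

console.log(demo());
```

Running the block prints the decoded prefix and the round-tripped sample. The decoder stops at the first non-numeric chunk on purpose: feeding it the quoted line with its "..." elision yields only the recoverable leading characters rather than a string with junk in the middle.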
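The thread discusses three detection ideas in prose: Harry's anchored URI pcre (`/\.php\?f=\d{1,2}$/`) next to a bare `content:".php?f="`, with evejou's note that the `$` is what keeps "w.php?f=&e=" style URLs from firing; the content/distance:0 chain in evejou's rule versus the unordered nocase set in Harry's; and Harry's suggestion to set a flowbit on the URI and only alert when the downloaded file starts with %PDF or MZ. The following is an added example written for this page, not a rule from the thread or from Emerging Threats, that emulates those three mechanisms in plain JavaScript and runs them over constructed sample traffic. The emulation of Snort semantics (independent content matches unless `distance` makes them relative; `distance:0` meaning the next match starts at or after the end of the previous one) is stated as my reading; the event shapes, URIs and bodies are constructed, not captured.

```javascript
// Added example (not from the thread): emulate the URI pcre, the content
// chain and the flowbit correlation discussed above, over constructed input.

// Part 1: URI checks. The '$' anchor means "f=" must be followed by one or two
// digits and then nothing, so "w.php?f=&e=" and long numeric values do not match.
const LANDING_URI_ANCHORED = /\.php\?f=\d{1,2}$/;
const LANDING_URI_LOOSE = /\.php\?f=/;            // the bare content match

function matchesLandingUri(uri) { return LANDING_URI_ANCHORED.test(uri); }
function matchesLandingUriLoose(uri) { return LANDING_URI_LOOSE.test(uri); }

// Part 2a: content chain with distance:0. Each token must start at or after the
// end of the previous match; case-sensitive, like content without nocase.
function matchesOrderedChain(body, tokens) {
  let pos = 0;
  for (const t of tokens) {
    const i = body.indexOf(t, pos);
    if (i < 0) return false;
    pos = i + t.length;
  }
  return true;
}

// Part 2b: independent nocase content matches; order does not matter.
function matchesAllNocase(body, tokens) {
  const lower = body.toLowerCase();
  return tokens.every((t) => lower.includes(t.toLowerCase()));
}

const EVEJOU_CHAIN = ['createTextNode', 'replaceData', 'eval('];   // eval|28| is "eval("
const HARRY_SET = ['String.fromCharCode', 'document.createTextNode', 'replaceData', 'setCharAt'];

// Part 3: flowbit-style correlation. Events are processed in order; a request
// whose URI matches sets the bit for its flow, and a later response in that
// flow whose body begins with a PDF or PE magic raises the alert.
function correlate(events) {
  const flowbits = new Set();
  const alerts = [];
  for (const ev of events) {
    if (ev.uri !== undefined) {
      if (matchesLandingUri(ev.uri)) flowbits.add(ev.flow);
    } else if (ev.body !== undefined && flowbits.has(ev.flow)) {
      const kind = ev.body.startsWith('%PDF') ? 'pdf'
                 : ev.body.startsWith('MZ') ? 'pe' : null;
      if (kind) alerts.push({ flow: ev.flow, kind });
    }
  }
  return alerts;
}

// Constructed sample traffic (not a capture). Flow A is landing page then PDF;
// B is the "w.php?f=&e=" shape evejou excludes; C returns a PE but never
// requested a landing page, so the flowbit is what keeps it quiet.
const SAMPLE_EVENTS = [
  { flow: 'A', uri: '/Home/games/2fdp.php?f=17' },
  { flow: 'A', body: '%PDF-1.6 constructed' },
  { flow: 'B', uri: '/w.php?f=&e=2' },
  { flow: 'B', body: '<html>constructed</html>' },
  { flow: 'C', uri: '/download.php?id=9' },
  { flow: 'C', body: 'MZ constructed' },
];

// Constructed script body carrying the token pattern from the quoted obfuscation.
const SAMPLE_SCRIPT =
  'var s="73_84".split("_");function setCharAt(str,q,index){return String.fromCharCode(1*str[index]+27);}' +
  'var t=document.createTextNode("");t.replaceData(0,0,"");eval(t.data);';

console.log(correlate(SAMPLE_EVENTS));
console.log(matchesOrderedChain(SAMPLE_SCRIPT, EVEJOU_CHAIN), matchesAllNocase(SAMPLE_SCRIPT, HARRY_SET));
```

The loose and anchored URI checks differ only on the `$`, yet the loose one also fires on the "w.php?f=&e=" URL and on any multi-digit value, which is the FP reduction evejou describes. The correlation step shows why Harry's flowbit idea is attractive: the same PE magic in flow C produces nothing because no landing-page request preceded it.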


