[Emerging-Sigs] Styx EK

n0cturnal n0cturnal.infosec at gmail.com
Wed Dec 26 22:13:35 HAST 2012


Greetings ET,

I hope everyone had a great holiday. I'm not sure if we are covered on this
or not, but below are some proposed signatures for Styx EK. Please forgive
me as I am still new at this rule-writing thing. Any feedback would be
appreciated. Thanks.


Landing -
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Landing Page"; flow:established,to_server; content:"/getmyfile.exe?o=1&h="; http_uri; pcre:"/\/[a-zA-Z0-9]{150,}/U"; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; reference:url,malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html; classtype:trojan-activity; sid:xxxxxxx; rev:1;)

PDF -
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx PDF Exploit"; flow:established,to_server; content:".pdf"; http_uri; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.pdf$/U"; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; reference:url,malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html; classtype:trojan-activity; sid:x; rev:1;)

JAR -
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Java Exploit Recent Jar"; flow:established,to_server; content:"Java/"; http_header; content:".jar"; http_uri; nocase; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.jar$/U"; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; reference:url,malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html; classtype:trojan-activity; sid:x; rev:1;)

Payload -
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Payload Request"; flow:established,to_server; content:"/getmyfile.exe?o=1&h="; http_uri; pcre:"/\/[a-zA-Z0-9]{150,}/U"; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; reference:url,malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html; classtype:trojan-activity; sid:x; rev:1;)



References: http://www.malwaresigs.com/2012/12/19/styx-exploit-kit/
http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html


Regards,
-n0ct
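An added example, not part of the original post, that re-expresses the URI and header checks of the four proposed rules in Python and runs them over constructed request samples, so the patterns can be exercised offline before submission. The results surface two things worth a second look: the Landing and Payload rules as posted carry identical content and pcre, so both fire on the same request, and the Jar rule's ".jar" content is nocase while its pcre is not. It assumes the pcre carries the /U modifier (only the request URI is searched) and that http_header content is checked against the raw header lines.

```python
import re

# The pcre strings are copied from the posted rules; the /U modifier is
# emulated by searching only the request URI (assumption, see lead-in).
RULES = [
    {"msg": "Styx Landing Page", "uri_content": "/getmyfile.exe?o=1&h=",
     "nocase": False, "pcre": re.compile(r"\/[a-zA-Z0-9]{150,}")},
    {"msg": "Styx PDF Exploit", "uri_content": ".pdf", "nocase": False,
     "pcre": re.compile(r"\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.pdf$")},
    {"msg": "Styx Java Exploit Recent Jar", "uri_content": ".jar", "nocase": True,
     "header_content": "Java/",
     "pcre": re.compile(r"\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.jar$")},
    {"msg": "Styx Payload Request", "uri_content": "/getmyfile.exe?o=1&h=",
     "nocase": False, "pcre": re.compile(r"\/[a-zA-Z0-9]{150,}")},
]

def matching_rules(uri, headers):
    """Return the msg of every rule whose content and pcre checks all pass."""
    # http_header content is checked against the reassembled 'Name: value'
    # lines, which is the buffer the engine inspects.
    raw_headers = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    hits = []
    for rule in RULES:
        hay, needle = uri, rule["uri_content"]
        if rule["nocase"]:  # content ... nocase; the pcre stays case-sensitive
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            continue
        if rule.get("header_content", "") not in raw_headers:
            continue
        if not rule["pcre"].search(uri):
            continue
        hits.append(rule["msg"])
    return hits

# Constructed request samples (not captured traffic) in the shapes the rules expect.
UA_JAVA = "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_31"
UA_PLAIN = "Mozilla/5.0"
SAMPLES = {
    "landing": ("/" + "a" * 160 + "/getmyfile.exe?o=1&h=" + "b" * 32, {"User-Agent": UA_PLAIN}),
    "pdf": ("/" + "c" * 78 + "/abcd.pdf", {"User-Agent": UA_PLAIN}),
    "jar": ("/" + "d" * 80 + "/abcdef.jar", {"User-Agent": UA_JAVA}),
    "jar_upper": ("/" + "d" * 80 + "/abcdef.JAR", {"User-Agent": UA_JAVA}),  # content hits, pcre misses
    "benign": ("/index.html", {"User-Agent": UA_PLAIN}),
}

if __name__ == "__main__":
    for name, (uri, hdrs) in SAMPLES.items():
        print(f"{name:9s} -> {matching_rules(uri, hdrs)}")
```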