[Emerging-Sigs] New Drive By Kit Detection Sigs

Eoin Miller eoin.miller at trojanedbinaries.com
Wed Jul 14 15:11:17 EDT 2010

Wrote the following sigs to detect the new drive by kits that have been leveraged by some malvertisers:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALVERTISING drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:8; content:"<html><head></head><body>Loading...<div id=\"page\" style=\"display: none\">"; classtype:bad-unknown; sid:5600063; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALVERTISING drive by kit encountered - bmb cookie"; flow:established,to_client; content:"HTTP/1"; depth:8; content:"Set-Cookie: bmb="; classtype:bad-unknown; sid:5600064; rev:1;)

Above based on:
HTTP/1.1 200 OK
Connection: close
Content-Disposition: inline; filename=index.html
Content-Length: 11537
Content-Type: text/html
Date: Wed, 14 Jul 2010 17:59:18 GMT
Server: nginx/0.6.32
Set-Cookie: bmb=1279130358; expires=Wed, 21-Jul-2010 17:59:18 GMT; 
path=/; domain=resolvenews.in
X-Powered-By: PHP/5.3.2-0.dotdeb.2

<html><head></head><body>Loading...<div id="page" style="display: 
none">ZnVuY3Rpb 24g Z2V0UGx1Z 2l u cygp IHsNC iAgIC A NCiAgI CB2 
YXIgeSA9ICcnOw0KICAg IHRyeSB 7D QogICAgICAgIHkgKz0 gJ2FwcE5hbWU 6 
JyArIG5hdmlnYXRvc i5 h cHBOYW1l ICsgIlx0IjsNCi Ag ICAgICAgeSArP S 
AnYXBwVm Vyc2lvbjonICsgbmF2a WdhdG9yLm FwcFZlcnNpb24gKyAiXHQiO w0KICAgIC 
AgICB5ICs9ICd1c2Vy QWdlbnQ6 Jy Ar IG5hd m l nYXRvci 51c2VyQWdlbnQgKy Ai

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALVERTISING drive by kit collecting browser info"; flow:established,to_server; uricontent:"/plugins.php?p=appName"; classtype:bad-unknown; sid:5600065; rev:1;)

Based on:
Accept: */* Referer:
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: resolvenews.in
Cookie: bmb=1279130358

Not really sure if the second one is necessary as the first and second 
signatures fire on the same packet. Probably some good stuff for 

-- Eoin
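Added example (not part of Eoin's post or the Emerging Threats ruleset): a small Python check that mirrors the content, depth and uricontent conditions of the three rules above and runs them over constructed HTTP messages. The response is assembled from the headers and body fragment quoted in the post; the request line for the /plugins.php hit is an assumption, since the captured request headers omit it. Running it shows the point raised in the post: the single captured response satisfies both sid 5600063 and sid 5600064.

```python
"""Toy re-implementation of the three Snort rules from the post.

This is not Snort; it is a plain byte-pattern matcher that applies each
rule's content/depth/uricontent conditions to a raw HTTP message so the
overlap between the two to_client rules can be seen directly.
"""

# Each rule: direction, ordered content checks as (pattern, depth or None),
# and an optional URI pattern (uricontent) for request-side rules.
RULES = [
    {"sid": 5600063, "dir": "to_client", "uri": None,
     "content": [(b"HTTP/1", 8),
                 (b'<html><head></head><body>Loading...<div id="page" style="display: none">', None)]},
    {"sid": 5600064, "dir": "to_client", "uri": None,
     "content": [(b"HTTP/1", 8), (b"Set-Cookie: bmb=", None)]},
    {"sid": 5600065, "dir": "to_server", "uri": b"/plugins.php?p=appName",
     "content": []},
]


def request_uri(raw):
    """Return the URI from an HTTP request line, or None if there is no request line."""
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2 or not parts[0].isalpha():
        return None
    return parts[1]


def content_matches(raw, pattern, depth):
    """Snort-style content match: depth limits the search to the first N bytes."""
    window = raw if depth is None else raw[:depth]
    return pattern in window


def match_rules(direction, raw):
    """Return the sids of every rule whose direction and patterns match raw."""
    hits = []
    for rule in RULES:
        if rule["dir"] != direction:
            continue
        if rule["uri"] is not None:
            uri = request_uri(raw)
            if uri is None or rule["uri"] not in uri:
                continue
        if all(content_matches(raw, p, d) for p, d in rule["content"]):
            hits.append(rule["sid"])
    return hits


# Constructed from the response headers and body fragment quoted in the post.
KIT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: nginx/0.6.32\r\n"
    b"Set-Cookie: bmb=1279130358; expires=Wed, 21-Jul-2010 17:59:18 GMT; path=/; domain=resolvenews.in\r\n"
    b"\r\n"
    b'<html><head></head><body>Loading...<div id="page" style="display: none">ZnVuY3Rpb24g'
)

# Constructed benign response for comparison.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc; path=/\r\n"
    b"\r\n"
    b"<html><body>Loading...</body></html>"
)

# Assumed request line (the post shows only the headers), plus the quoted headers.
KIT_REQUEST = (
    b"GET /plugins.php?p=appName HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n"
    b"Host: resolvenews.in\r\n"
    b"Cookie: bmb=1279130358\r\n"
    b"\r\n"
)

BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    print("kit response   :", match_rules("to_client", KIT_RESPONSE))
    print("benign response:", match_rules("to_client", BENIGN_RESPONSE))
    print("kit request    :", match_rules("to_server", KIT_REQUEST))
    print("benign request :", match_rules("to_server", BENIGN_REQUEST))
```

The depth:8 on "HTTP/1" is reproduced by slicing the message to its first eight bytes before searching, which is what keeps the status-line anchor cheap; the body pattern and the Set-Cookie pattern are searched over the whole message, as the rules do.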
