[Emerging-Sigs] New Drive By Kit Detection Sigs

Eoin Miller eoin.miller at trojanedbinaries.com
Wed Jul 14 15:11:17 EDT 2010


  Wrote the following sigs to detect the new drive-by kits that have 
been leveraged by some malvertisers:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALVERTISING drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:8; content:"<html><head></head><body>Loading...<div id=\"page\" style=\"display: none\">"; classtype:bad-unknown; sid:5600063; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALVERTISING drive by kit encountered - bmb cookie"; flow:established,to_client; content:"HTTP/1"; depth:8; content:"Set-Cookie: bmb="; classtype:bad-unknown; sid:5600064; rev:1;)

Above based on:
=======================================
HTTP/1.1 200 OK
Connection: close
Content-Disposition: inline; filename=index.html
Content-Length: 11537
Content-Type: text/html
Date: Wed, 14 Jul 2010 17:59:18 GMT
Server: nginx/0.6.32
Set-Cookie: bmb=1279130358; expires=Wed, 21-Jul-2010 17:59:18 GMT; path=/; domain=resolvenews.in
X-Powered-By: PHP/5.3.2-0.dotdeb.2

<html><head></head><body>Loading...<div id="page" style="display: none">ZnVuY3Rpb 24g Z2V0UGx1Z 2l u cygp IHsNC iAgIC A NCiAgI CB2 
YXIgeSA9ICcnOw0KICAg IHRyeSB 7D QogICAgICAgIHkgKz0 gJ2FwcE5hbWU 6 
JyArIG5hdmlnYXRvc i5 h cHBOYW1l ICsgIlx0IjsNCi Ag ICAgICAgeSArP S 
AnYXBwVm Vyc2lvbjonICsgbmF2a WdhdG9yLm FwcFZlcnNpb24gKyAiXHQiO w0KICAgIC 
AgICB5ICs9ICd1c2Vy QWdlbnQ6 Jy Ar IG5hd m l nYXRvci 51c2VyQWdlbnQgKy Ai
=======================================



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALVERTISING drive by kit collecting browser info"; flow:established,to_server; uricontent:"/plugins.php?p=appName"; classtype:bad-unknown; sid:5600065; rev:1;)

Based on:
=======================================
GET /plugins.php?p=appName:Microsoft%20Internet%20Explorer%09appVersion:4.0%20(compatible;%20MSIE%208.0;%20Windows%20NT%205.1;%20Trident/4.0)%09userAgent:Mozilla/4.0%20(compatible;%20MSIE%208.0;%20Windows%20NT%205.1;%20Trident/4.0)%09 HTTP/1.1
Accept: */*
Referer: hXXp://resolvenews_._in/x/?src=sftmaster2&id=av5&o=o
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: resolvenews.in
Connection: Keep-Alive
Cookie: bmb=1279130358
=======================================



Not really sure if the second one is necessary as the first and second 
signatures fire on the same packet. Probably some good stuff for 
CURRENT_EVENTS.

-- Eoin
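
Added example, not part of Eoin's post or of the ET ruleset: the three signatures above re-expressed as Python checks, run over HTTP messages built from the captures in the post, plus a decoder for the whitespace-padded base64 in the hidden div. Decoding it shows that the landing page carries a getPlugins() script which concatenates navigator.appName, appVersion and userAgent with tabs, which is exactly the tab-separated string the third signature sees in /plugins.php?p=. Assumptions, also marked in the code: the closing tags after the blob (the post's capture is truncated mid-script), a Content-Length recomputed for the shortened body, and a few response/request headers left out for space.

```python
# Added example, not code from the post or from the ET ruleset: the three
# signatures as Python checks, plus a decoder for the kit's hidden payload.
import base64
import re
from urllib.parse import unquote, urlsplit

# Base64 blob exactly as captured in the post, spaces included: the kit
# sprinkles whitespace through it, and the capture stops mid-script.
HIDDEN_BLOB = (
    "ZnVuY3Rpb 24g Z2V0UGx1Z 2l u cygp IHsNC iAgIC A NCiAgI CB2 "
    "YXIgeSA9ICcnOw0KICAg IHRyeSB 7D QogICAgICAgIHkgKz0 gJ2FwcE5hbWU 6 "
    "JyArIG5hdmlnYXRvc i5 h cHBOYW1l ICsgIlx0IjsNCi Ag ICAgICAgeSArP S "
    "AnYXBwVm Vyc2lvbjonICsgbmF2a WdhdG9yLm FwcFZlcnNpb24gKyAiXHQiO w0KICAgIC "
    "AgICB5ICs9ICd1c2Vy QWdlbnQ6 Jy Ar IG5hd m l nYXRvci 51c2VyQWdlbnQgKy Ai"
)
LOADING_MARKER = b'<html><head></head><body>Loading...<div id="page" style="display: none">'
DIV_RE = re.compile(rb'<div id="page" style="display: none">(.*?)(?:</div>|$)', re.S)
# Constructed landing page and response: the post's marker, headers and blob,
# plus an assumed tail (the capture is truncated) and a recomputed length.
LANDING_BODY = LOADING_MARKER + HIDDEN_BLOB.encode("ascii") + b"</div></body></html>"
SAMPLE_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Connection: close",
    b"Content-Length: %d" % len(LANDING_BODY),
    b"Content-Type: text/html",
    b"Set-Cookie: bmb=1279130358; expires=Wed, 21-Jul-2010 17:59:18 GMT; "
    b"path=/; domain=resolvenews.in",
    b"",
    LANDING_BODY,
])
# Constructed request: the fingerprint GET from the post, Referer kept defanged.
SAMPLE_REQUEST = b"\r\n".join([
    b"GET /plugins.php?p=appName:Microsoft%20Internet%20Explorer%09appVersion:"
    b"4.0%20(compatible;%20MSIE%208.0;%20Windows%20NT%205.1;%20Trident/4.0)%09"
    b"userAgent:Mozilla/4.0%20(compatible;%20MSIE%208.0;%20Windows%20NT%205.1;"
    b"%20Trident/4.0)%09 HTTP/1.1",
    b"Accept: */*",
    b"Referer: hXXp://resolvenews_._in/x/?src=sftmaster2&id=av5&o=o",
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    b"Host: resolvenews.in",
    b"Connection: Keep-Alive",
    b"Cookie: bmb=1279130358",
    b"",
    b"",
])

def split_http(raw):
    """Split one HTTP message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return lines[0], headers, body

def match_response(raw):
    """Mirror of sids 5600063 and 5600064; both fire on the same response."""
    status_line, headers, body = split_http(raw)
    hits = []
    if not status_line.startswith("HTTP/1"):      # content:"HTTP/1"; depth:8
        return hits
    if LOADING_MARKER in body:                    # content: is a substring match
        hits.append("drive by kit encountered - Loading...")
    if any(n == "set-cookie" and v.startswith("bmb=") for n, v in headers):
        hits.append("drive by kit encountered - bmb cookie")
    return hits

def match_request(raw):
    """Mirror of sid 5600065; uricontent: is a substring match on the URI."""
    parts = split_http(raw)[0].split(" ")
    if len(parts) < 2 or "/plugins.php?p=appName" not in parts[1]:
        return []
    return ["drive by kit collecting browser info"]

def decode_hidden_payload(raw):
    """Strip the whitespace out of the hidden div and base64-decode it."""
    m = DIV_RE.search(split_http(raw)[2])
    if not m:
        return ""
    blob = re.sub(rb"\s+", b"", m.group(1))
    # A truncated capture can end mid-quantum: cut back to whole quanta
    # rather than pad, which would raise for a dangling single character.
    blob = blob[: len(blob) - len(blob) % 4]
    return base64.b64decode(blob).decode("utf-8", errors="replace")

def parse_plugin_report(raw):
    """Turn the p= parameter of the fingerprint GET into {field: value}."""
    parts = split_http(raw)[0].split(" ")
    url = urlsplit(parts[1]) if len(parts) > 1 else None
    if url is None or url.path != "/plugins.php":
        return {}
    for pair in url.query.split("&"):
        name, _, value = pair.partition("=")
        if name == "p":                           # %09-separated key:value items
            items = [i.partition(":") for i in unquote(value).split("\t") if i]
            return {k: v for k, _, v in items}
    return {}

if __name__ == "__main__":
    print(match_response(SAMPLE_RESPONSE), match_request(SAMPLE_REQUEST))
    print(decode_hidden_payload(SAMPLE_RESPONSE))
    print(parse_plugin_report(SAMPLE_REQUEST))
```

Run it directly to print the matches, the decoded script and the parsed fingerprint. Both to_client checks fire on the same response, as Eoin notes. The body marker and the URI are matched as substrings to mirror Snort's content/uricontent semantics; the cookie check looks at the parsed Set-Cookie header, which is slightly stricter than content:"Set-Cookie: bmb=" (that rule would also match the same string appearing in a body).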


