[Emerging-Sigs] DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign

Nathan nathan at packetmail.net
Wed Oct 2 09:46:18 HADT 2013


DotkaChef EK campaign deployment across multiple compromised sites.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign"; flow:established,to_server; content:".js?cp="; http_uri; classtype:trojan-activity; sid:x; rev:1;)

Since 09/01+ these are our landings.

SELECT url FROM webwasher_full
WHERE day >= '2013-09-01'
  AND http_status <> '407'
  AND url LIKE '%.js?cp=%'
  AND url RLIKE 'http:\\/\\/[^\\x2f]+\\/[A-F0-9]{8}\\.js\\?cp=[^&]+$'
ORDER BY dest_ip, date_time;


But wait, there's more!  Through regression testing we've validated that the
PCRE character class needs to be [a-fA-F0-9]{8}, not just [A-F0-9]{8}.  More
importantly, we've shown that PCRE isn't needed at all and simply blocking URIs
with ".js?cp=" is sufficient for victory without FPs in our demographic.
Miscreants 0, Good Guys +1.

SELECT date_time, client_ip, user_name, command, http_status, block_reason,
       url_body_size, dest_ip, url, url_referrer
FROM webwasher_full
WHERE day >= '2013-09-01'
  AND http_status <> '407'
  AND url LIKE '%.js?cp=%'
ORDER BY dest_ip, date_time;


Cheers,
Nathan
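As an added illustration (not part of Nathan's post), the three checks discussed above run over constructed proxy-log URLs: the uppercase-only class from the first query, the corrected [a-fA-F0-9]{8} class, and the plain ".js?cp=" content match from the rule. Hostnames under .example are placeholders, and the regexes run in Python's case-sensitive engine, which is what the PCRE point depends on.

```python
import re

# Constructed sample proxy-log URLs (not from the post's lists); the post's
# "hxxp" defanging is reverted to "http" so the patterns apply as written.
SAMPLE_URLS = [
    "http://ek-host-a.example/00EC5937.js?cp=forum.victim.example",  # uppercase hex name
    "http://ek-host-b.example/1afb143a.js?cp=ads.victim.example",    # lowercase hex name
    "http://ek-host-b.example/1afb143a.js?cp=ads.victim.example",    # same landing, repeat hit
    "http://ek-host-b.example/efdc16db.js?cp=openx.victim.example",
    "http://cdn.example/jquery.min.js?cp=1",                         # ".js?cp=" but no 8-hex name
    "http://cdn.example/static/app.js?v=3",                          # no "cp=" at all
]

# Class as written in the post's first query, in a case-sensitive engine
# such as PCRE: uppercase hex only.
STRICT_RE = re.compile(r"^http://[^/]+/[A-F0-9]{8}\.js\?cp=[^&]+$")
# The class the post settles on after regression testing.
FIXED_RE = re.compile(r"^http://[^/]+/[a-fA-F0-9]{8}\.js\?cp=[^&]+$")

def matches_strict(url: str) -> bool:
    return STRICT_RE.match(url) is not None

def matches_fixed(url: str) -> bool:
    return FIXED_RE.match(url) is not None

def matches_substring(url: str) -> bool:
    # Equivalent of the rule's content:".js?cp="; http_uri; (case-sensitive)
    return ".js?cp=" in url

def hit_counts(urls):
    """Number of log lines each of the three checks would flag."""
    return {
        "strict_regex": sum(matches_strict(u) for u in urls),
        "fixed_regex": sum(matches_fixed(u) for u in urls),
        "substring": sum(matches_substring(u) for u in urls),
    }

def landing_pairs(urls):
    """Unique (EK host, compromised 'cp=' site) pairs from lines the fixed
    regex accepts; repeated hits on one landing collapse to one pair."""
    pairs = set()
    for u in urls:
        if FIXED_RE.match(u):
            pairs.add((u.split("/")[2], u.split("?cp=", 1)[1]))
    return sorted(pairs)
```

The substring check flags one more line than the corrected regex (the jquery.min.js?cp=1 sample), which is the kind of hit to review when judging whether the content-only rule stays FP-free in your own traffic.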


