[Snort-sigs] Proposed Signature for Laik Exploit Kit hostile PDF

Community Proposed lists at ...3397...
Tue Feb 21 12:04:12 EST 2012


Seen with hostile Laik landing, this should be very usable.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"COMMUNITY WEB-CLIENT Hostile PDF associated with Laik Exploit Kit"; \
    flow:established,from_server; file_data; \
    content:"/Creator (bub lob) /CreationDate (D:20110405234628)>>"; fast_pattern:only; \
    content:"|0d 0a|%PDF-1.6|0d 0a|"; \
    classtype:trojan-activity; sid:x; rev:1;)

07:50:10.006934 IP 31.184.192.35.80 > a.b.c.d.z: . 1:1261(1260) ack 572 win 55
        0x0000:  4500 0514 0ce9 4000 3106 8081 1fb8 c023  E.....@.1......#
        0x0010:  0ad7 ccc7 0050 0662 84ea 8112 ad99 a242  .....P.b.......B
        0x0020:  5010 0037 0a3d 0000 4854 5450 2f31 2e31  P..7.=..HTTP/1.1
        0x0030:  2032 3030 204f 4b0d 0a44 6174 653a 2054  .200.OK..Date:.T
        0x0040:  7565 2c20 3134 2046 6562 2032 3031 3220  ue,.14.Feb.2012.
        0x0050:  3133 3a35 303a 3536 2047 4d54 0d0a 5365  13:50:56.GMT..Se
        0x0060:  7276 6572 3a20 4170 6163 6865 2f32 2e32  rver:.Apache/2.2
        0x0070:  2e33 2028 4365 6e74 4f53 290d 0a58 2d50  .3.(CentOS)..X-P
        0x0080:  6f77 6572 6564 2d42 793a 2050 4850 2f35  owered-By:.PHP/5
        0x0090:  2e33 2e38 0d0a 4163 6365 7074 2d52 616e  .3.8..Accept-Ran
        0x00a0:  6765 733a 2062 7974 6573 0d0a 436f 6e74  ges:.bytes..Cont
        0x00b0:  656e 742d 4c65 6e67 7468 3a20 3531 3339  ent-Length:.5139
        0x00c0:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
        0x00d0:  6974 696f 6e3a 2069 6e6c 696e 653b 2066  ition:.inline;.f
        0x00e0:  696c 656e 616d 653d 3937 3130 2e70 6466  ilename=9710.pdf
        0x00f0:  0d0a 436f 6e6e 6563 7469 6f6e 3a20 636c  ..Connection:.cl
        0x0100:  6f73 650d 0a43 6f6e 7465 6e74 2d54 7970  ose..Content-Typ
        0x0110:  653a 2061 7070 6c69 6361 7469 6f6e 2f70  e:.application/p
        0x0120:  6466 0d0a 0d0a 2550 4446 2d31 2e36 0d0a  df....%PDF-1.6..
        0x0130:  25e2 e3cf d30d 0a31 3920 3020 6f62 6a0d  %......19.0.obj.
        0x0140:  0a3c 3c2f 4669 6c74 6572 2f46 6c61 7465  .<</Filter/Flate
        0x0150:  4465 636f 6465 202f 4c65 6e67 7468 2032  Decode./Length.2
        0x0160:  343e 3e0d 0a73 7472 6561 6d0d 0a78 9c8d  4>>..stream..x..
        0x0170:  58db 6edc 3678 9c8d 58db 6edc 3678 9c8d  X.n.6x..X.n.6x..
        0x0180:  58db 6edc 360d 0a65 6e64 7374 7265 616d  X.n.6..endstream
        0x0190:  0d0a 656e 646f 626a 0d0a 3120 3020 6f62  ..endobj..1.0.ob
        0x01a0:  6a0d 0a3c 3c2f 5479 7065 2f50 6167 6520  j..<</Type/Page.
        0x01b0:  2f50 6172 656e 7420 3520 3020 5220 2f52  /Parent.5.0.R./R
        0x01c0:  6573 6f75 7263 6573 2031 3220 3020 5220  esources.12.0.R.
        0x01d0:  2f4d 6564 6961 426f 7820 5b30 2030 2035  /MediaBox.[0.0.5
        0x01e0:  3935 2038 3432 5d20 2f43 6f6e 7465 6e74  95.842]./Content
        0x01f0:  7320 3139 2030 2052 202f 526f 7461 7465  s.19.0.R./Rotate
        0x0200:  2030 3e3e 0d0a 656e 646f 626a 0d0a 3520  .0>>..endobj..5.
        0x0210:  3020 6f62 6a20 0d0a 3c3c 2f43 6f75 6e74  0.obj...<</Count
        0x0220:  2032 202f 4b69 6473 205b 3120 3020 525d  .2./Kids.[1.0.R]
        0x0230:  202f 5479 7065 2f50 6167 6573 3e3e 0d0a  ./Type/Pages>>..
        0x0240:  656e 646f 626a 0d0a 3620 3020 6f62 6a0d  endobj..6.0.obj.
        0x0250:  0a3c 3c2f 5479 7065 2f46 6f6e 7420 2f53  .<</Type/Font./S
        0x0260:  7562 7479 7065 2f54 7970 6531 202f 4261  ubtype/Type1./Ba
        0x0270:  7365 466f 6e74 2f54 696d 6573 2d52 6f6d  seFont/Times-Rom
        0x0280:  616e 202f 4e61 6d65 2f46 3120 2f45 6e63  an./Name/F1./Enc
        0x0290:  6f64 696e 672f 5769 6e41 6e73 6945 6e63  oding/WinAnsiEnc
        0x02a0:  6f64 696e 673e 3e0d 0a65 6e64 6f62 6a0d  oding>>..endobj.
        0x02b0:  0a31 3220 3020 6f62 6a0d 0a3c 3c2f 5072  .12.0.obj..<</Pr
        0x02c0:  6f63 5365 7420 5b2f 5850 4446 202f 5465  ocSet.[/XPDF./Te
        0x02d0:  7874 202f 496d 6167 6542 202f 496d 6167  xt./ImageB./Imag
        0x02e0:  6543 202f 496d 6167 6549 5d20 2f46 6f6e  eC./ImageI]./Fon
        0x02f0:  7420 3c3c 2f46 3120 3620 3020 523e 3e20  t.<</F1.6.0.R>>.
        0x0300:  2f58 4f62 6a65 6374 203c 3c3e 3e3e 3e0d  /XObject.<<>>>>.
        0x0310:  0a65 6e64 6f62 6a0d 0a39 2030 206f 626a  .endobj..9.0.obj
        0x0320:  203c 3c2f 5469 746c 6520 2028 7661 2920  .<</Title..(va).
        0x0330:  2f53 7562 6a65 6374 2028 6576 2920 2f41  /Subject.(ev)./A
        0x0340:  7574 686f 7220 2879 7670 2064 6576 6f29  uthor.(yvp.devo)
        0x0350:  202f 4372 6561 746f 7220 2862 7562 206c  ./Creator.(bub.l
        0x0360:  6f62 2920 2f43 7265 6174 696f 6e44 6174  ob)./CreationDat
        0x0370:  6520 2844 3a32 3031 3130 3430 3532 3334  e.(D:20110405234
        0x0380:  3632 3829 3e3e 0d0a 656e 646f 626a 0d0a  628)>>..endobj..
        0x0390:  3239 2030 206f 626a 0d0a 3c3c 2f54 7970  29.0.obj..<</Typ
        0x03a0:  652f 456d 6265 6464 6564 4669 6c65 202f  e/EmbeddedFile./
        0x03b0:  4669 6c74 6572 2f46 6c61 7465 4465 636f  Filter/FlateDeco
        0x03c0:  6465 202f 4c65 6e67 7468 2031 3332 3e3e  de./Length.132>>
        0x03d0:  0d0a 7374 7265 616d 0d0a 789c b3b1 afc8  ..stream..x.....
        0x03e0:  cd51 284b 2d2a cecc cfb3 5532 d433 5052  .Q(K-*....U2.3PR
        0x03f0:  48cd 4bce 4fc9 cc4b b755 0d0a 656e 6473  H.K.O..K.U..ends
        0x0400:  7472 6561 6d0d 0a65 6e64 6f62 6a0d 0a38  tream..endobj..8
        0x0410:  2030 206f 626a 2020 0d0a 3c3c 2f46 696c  .0.obj....<</Fil
        0x0420:  7465 7220 2f46 6c61 7465 4465 636f 6465  ter./FlateDecode
        0x0430:  2020 2f4c 656e 6774 6820 3331 3836 3e3e  ../Length.3186>>
        0x0440:  0d0a 7374 7265 616d 0d0a 789c ed9d e96f  ..stream..x....o
        {SNIPPED BY NATHAN}
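As an added example (not part of the post or of Snort itself), the Python script below decodes the rule's two content strings into bytes and evaluates them against a constructed HTTP response modelled on the capture above, once in the file_data buffer (the body after the blank line that ends the headers) and once against the raw payload. file_data begins at the first body byte, so the leading |0d 0a| in the second content is only satisfied when a CRLF precedes %PDF inside the body itself; running both views side by side makes that visible.

```python
def snort_content_to_bytes(spec: str) -> bytes:
    """Convert a Snort content string such as '|0d 0a|%PDF-1.6|0d 0a|'
    into raw bytes: text outside pipes is literal, hex inside pipes is decoded."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:  # odd segments sit between a pair of pipes -> hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

# Both content matches from the proposed rule, verbatim.
RULE_CONTENTS = [
    "/Creator (bub lob) /CreationDate (D:20110405234628)>>",
    "|0d 0a|%PDF-1.6|0d 0a|",
]

# Constructed HTTP response modelled on the capture in the post
# (headers abbreviated, body reduced to the PDF header and the Info dictionary).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.3 (CentOS)\r\n"
    b"Content-Disposition: inline; filename=9710.pdf\r\n"
    b"Content-Type: application/pdf\r\n"
    b"\r\n"
    b"%PDF-1.6\r\n%\xe2\xe3\xcf\xd3\r\n"
    b"9 0 obj <</Title  (va) /Subject (ev) /Author (yvp devo) "
    b"/Creator (bub lob) /CreationDate (D:20110405234628)>>\r\nendobj\r\n"
)

def file_data(response: bytes) -> bytes:
    """Approximate Snort's file_data buffer for an uncompressed, unchunked
    HTTP response: everything after the blank line that ends the headers."""
    _headers, sep, body = response.partition(b"\r\n\r\n")
    return body if sep else b""

def evaluate_contents(buffer: bytes, contents=RULE_CONTENTS) -> dict:
    """Return {content spec: matched?}. Matches are unordered, as in the rule,
    which uses no distance/within modifiers; content is case-sensitive."""
    return {spec: snort_content_to_bytes(spec) in buffer for spec in contents}

def rule_fires(buffer: bytes) -> bool:
    """Every content in the rule must match somewhere in the buffer."""
    return all(evaluate_contents(buffer).values())

if __name__ == "__main__":
    for name, buf in (("file_data", file_data(SAMPLE_RESPONSE)),
                      ("raw payload", SAMPLE_RESPONSE)):
        print(name, evaluate_contents(buf), "fires:", rule_fires(buf))
```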