[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"

Community Proposed lists at ...3397...
Wed Feb 29 12:39:51 EST 2012


Below is a proposed signature to detect the try{ catch()} approaches used by
the Blackhole exploit kits which to date share a commonality with the
attachment to "catch(qq".  Looking at all of my PCAP samples these match
nicely, perform well, and have not been prone to false positives.

This is also doing very well in detecting new Blackhole initial landings and
the various, near daily, changing permutations of the string
splitting/building methods.  I am seeing a large presence of legitimate sites
which have been compromised now delivering Blackhole.  Some of these are k12
US education/school sites.

21438 can be retired in place of the proposed above.  Joel, existing PCAPs for
Blackhole landings should suffice for validation of the above, if more are
needed, please let me know.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY
SPECIFIC-THREATS High Probability Blackhole Landing with specific catch qq
structure"; flow:established,from_server; content:")|3b|}catch(qq";
fast_pattern:only; classtype:trojan-activity; sid:x; rev:1;)

I know there is a VRT standard for writing these, please respond to me after
transforming the rule for compliance so that future submissions can adhere to
this standard.  The reference from 21438 can be used here.

Thanks,
Nathan
