[Snort-sigs] Proposed Signature - SPECIFIC-THREATS Blackhole landing page with specific structure

yew chuan Ong yewchuan_23 at ...144...
Thu Jul 12 02:11:25 EDT 2012


Hi,

Found out that this blackhole landing page is not detectable by Snort. [http://urlquery.net/report.php?id=87943]

I guess there are some specific keywords (highlighted in red) which we can use to create a signature for this.

Proposed Signature:
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Blackhole landing page with specific structure - dshsd catch"; flow:to_client,established; content:"dshsdfh"; content:"}catch(dshsd)"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:xxx; classtype:attempted-user; sid:xxx; rev:1;)

The script is detected by 3 AVs as malicious. [https://www.virustotal.com/file/59f21a240c419b270f1bbde55dce09ed4e4d2f228310be7a1701caa2a326fbe4/analysis/]

Maybe we can put the result from VirusTotal as reference.

0100  0d 0a 3c 68 74 6d 6c 3e  3c 62 6f 64 79 3e 0d 0a   ..<html> <body>..
0110  3c 73 63 72 69 70 74 3e  72 3d 66 75 6e 63 74 69   <script> r=functi
0120  6f 6e 28 29 7b 74 72 79  7b 71 3d 70 72 6f 74 6f   on(){try {q=proto
0130  74 79 70 65 5e 32 3b 7d  63 61 74 63 68 28 71 29   type^2;} catch(q)
0140  7b 7a 3d 32 3b 7d 6d 64  3d 22 61 22 3b 0d 0a 73   {z=2;}md ="a";..s
0150  3d 22 22 3b 0d 0a 77 3d  32 3b 0d 0a 66 6f 72 28   ="";..w= 2;..for(
0160  6b 3d 61 2e 6c 65 6e 67  74 68 2d 31 3b 6b 3e 3d   k=a.leng th-1;k>=
0170  30 3b 6b 2d 2d 29 7b 0d  0a 09 69 66 28 77 69 6e   0;k--){. ..if(win
0180  64 6f 77 2e 64 6f 63 75  6d 65 6e 74 29 74 72 79   dow.docu ment)try
0190  7b 64 73 68 73 64 66 68  2e 61 70 70 65 6e 64 43   {dshsdfh .appendC
01a0  68 69 6c 64 28 22 31 32  22 2b 64 73 68 73 64 66   hild("12 "+dshsdf
01b0  68 29 3b 7d 63 61 74 63  68 28 64 73 68 73 64 29   h);}catc h(dshsd)
01c0  7b 0d 0a 09 09 76 3d 61  5b 6b 5d 3b 0d 0a 09 09   {....v=a [k];....
01d0  6e 3d 61 2e 6c 65 6e 67  74 68 2d 6b 2d 31 3b 0d   n=a.leng th-k-1;.
01e0  0a 09 09 6e 3d 6e 2d 4d  61 74 68 2e 66 6c 6f 6f   ...n=n-M ath.floo
01f0  72 28 6e 2f 77 29 2a 77  3b 0d 0a 09 09 7a 3d 76   r(n/w)*w ;....z=v
0200  2a 28 6e 2b 31 29 3b 0d  0a 09 09 73 3d 73 2b 53   *(n+1);. ...s=s+S
0210  74 72 69 6e 67 2e 66 72  6f 6d 43 68 61 72 43 6f   tring.fr omCharCo

Kindly advise and share your opinions.

Attached is the malicious script and the pcap file.



Regards
Yew Chuan