[Snort-sigs] Proposed Signature - SPECIFIC-THREATS Blackhole landing page with specific structure

Nick Randolph drandolph at ...435...
Thu Jul 12 10:01:12 EDT 2012


Thanks for the pcap. It triggered 21492 and 21646 when I ran it.
I can't say how urlquery.net has Snort configured or if they have those
rules enabled.


On Thu, Jul 12, 2012 at 2:11 AM, yew chuan Ong <yewchuan_23 at ...144...>wrote:

> Hi,
>
> Found out that this blackhole landing page is not detectable by Snort.
> [http://urlquery.net/report.php?id=87943]
>
> I guess there are some specific keywords (highlighted with red) which we
> can use to create a signature for this.
>
> Proposed Signature:
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"SPECIFIC-THREATS Blackhole landing page with specific structure -
> dshsd catch"; flow:to_client,established; content:"dshsdfh";
> content:"}catch(dshsd)"; metadata:policy balanced-ips drop, policy
> security-ips drop, service http; reference:xxx; classtype:attempted-user;
> sid:xxx; rev:1;)
>
> The script is detected by 3 AVs as malicious.
> [https://www.virustotal.com/file/59f21a240c419b270f1bbde55dce09ed4e4d2f228310be7a1701caa2a326fbe4/analysis/]
>
> Maybe we can put the result from VirusTotal as reference.
>
> 0100  0d 0a 3c 68 74 6d 6c 3e  3c 62 6f 64 79 3e 0d 0a   ..<html> <body>..
> 0110  3c 73 63 72 69 70 74 3e  72 3d 66 75 6e 63 74 69   <script> r=functi
> 0120  6f 6e 28 29 7b 74 72 79  7b 71 3d 70 72 6f 74 6f   on(){try {q=proto
> 0130  74 79 70 65 5e 32 3b 7d  63 61 74 63 68 28 71 29   type^2;} catch(q)
> 0140  7b 7a 3d 32 3b 7d 6d 64  3d 22 61 22 3b 0d 0a 73   {z=2;}md ="a";..s
> 0150  3d 22 22 3b 0d 0a 77 3d  32 3b 0d 0a 66 6f 72 28   ="";..w= 2;..for(
> 0160  6b 3d 61 2e 6c 65 6e 67  74 68 2d 31 3b 6b 3e 3d   k=a.leng th-1;k>=
> 0170  30 3b 6b 2d 2d 29 7b 0d  0a 09 69 66 28 77 69 6e   0;k--){. ..if(win
> 0180  64 6f 77 2e 64 6f 63 75  6d 65 6e 74 29 74 72 79   dow.docu ment)try
> 0190  7b 64 73 68 73 64 66 68  2e 61 70 70 65 6e 64 43   {dshsdfh .appendC
> 01a0  68 69 6c 64 28 22 31 32  22 2b 64 73 68 73 64 66   hild("12 "+dshsdf
> 01b0  68 29 3b 7d 63 61 74 63  68 28 64 73 68 73 64 29   h);}catc h(dshsd)
> 01c0  7b 0d 0a 09 09 76 3d 61  5b 6b 5d 3b 0d 0a 09 09   {....v=a [k];....
> 01d0  6e 3d 61 2e 6c 65 6e 67  74 68 2d 6b 2d 31 3b 0d   n=a.leng th-k-1;.
> 01e0  0a 09 09 6e 3d 6e 2d 4d  61 74 68 2e 66 6c 6f 6f   ...n=n-M ath.floo
> 01f0  72 28 6e 2f 77 29 2a 77  3b 0d 0a 09 09 7a 3d 76   r(n/w)*w ;....z=v
> 0200  2a 28 6e 2b 31 29 3b 0d  0a 09 09 73 3d 73 2b 53   *(n+1);. ...s=s+S
> 0210  74 72 69 6e 67 2e 66 72  6f 6d 43 68 61 72 43 6f   tring.fr omCharCo
>
> Kindly advise and share your opinions.
>
> Attached is the malicious script and the pcap file.
>
>
>
> Regards
> Yew Chuan
>
>
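To check the proposed rule's two content matches against the bytes shown in the dump, here is an added Python example (not part of the thread or of Snort): it rebuilds the payload from the quoted hex-dump lines and emulates plain Snort content matches without relative modifiers, reporting the offset of each hit. The dump excerpt is copied from the post above; the function names are my own.

```python
import re

# Hex-dump lines copied from the quoted post (offsets 0x0190-0x01b0), with the
# mailing-list ">" quote prefix left in place so the parser has to strip it.
DUMP = """\
> 0190  7b 64 73 68 73 64 66 68  2e 61 70 70 65 6e 64 43   {dshsdfh .appendC
> 01a0  68 69 6c 64 28 22 31 32  22 2b 64 73 68 73 64 66   hild("12 "+dshsdf
> 01b0  68 29 3b 7d 63 61 74 63  68 28 64 73 68 73 64 29   h);}catc h(dshsd)
"""

# offset, then exactly 16 hex byte pairs; the trailing ASCII column is ignored
LINE_RE = re.compile(r"^(?:>\s*)?([0-9a-f]{4})\s+((?:[0-9a-f]{2}\s+){16})", re.I)

# The two content matches from the proposed signature, in rule order.
CONTENTS = [b"dshsdfh", b"}catch(dshsd)"]


def parse_hexdump(text: str) -> bytes:
    """Rebuild payload bytes from offset/hex/ASCII dump lines, rejecting gaps."""
    chunks = []
    expected = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, prose, or the ">" separators
        offset = int(m.group(1), 16)
        if expected is not None and offset != expected:
            raise ValueError(f"gap in dump at offset {offset:#06x}")
        data = bytes.fromhex(m.group(2))  # fromhex ignores the spaces
        chunks.append(data)
        expected = offset + len(data)
    return b"".join(chunks)


def rule_contents_match(payload: bytes, contents=CONTENTS):
    """Emulate Snort content matches that carry no distance/within/offset:
    every pattern must occur somewhere in the payload, independent of the
    others. Returns the match offsets in rule order, or None if one is missing."""
    offsets = []
    for pat in contents:
        idx = payload.find(pat)
        if idx < 0:
            return None
        offsets.append(idx)
    return offsets


if __name__ == "__main__":
    payload = parse_hexdump(DUMP)
    print(f"{len(payload)} bytes reassembled; hits at {rule_contents_match(payload)}")
```

Both strings are found in the reassembled bytes, while a payload that carries only one of them (a benign page with its own try/catch, say) returns None, which is the point of requiring both content matches.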