[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch qq"

Joel Esler jesler at ...435...
Wed Mar 7 11:01:23 EST 2012


Thanks Nathan,

We'll take a look at this.


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Mar 7, 2012, at 10:55 AM, Community Proposed wrote:

> Please see the below for a variant of the catch(qq hostile blackhole exploit
> kit initial landing.  VRT -- PCAP en-route.
> 
> Note 'origin community' in metadata, uncertain how the nomenclature for this
> will be.  Not sure if 'origin vrt' and 'origin community' are what you had in
> mind.
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"SPECIFIC-THREATS Blackhole landing page with specific structure -
> prototype catch qq"; flow:to_client,established; file_data; content:")try{";
> content:"prototype}catch(qq"; distance:0; metadata:policy balanced-ips drop,
> policy security-ips drop, service http, origin community;
> reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx;
> classtype:attempted-user; sid:x; rev:1;)
> 
> PCAP ASCII Snippet:
> 
> 0x0470:  6d65 2e35 2e37 2e30 223e 3c2f 6f62 6a65  me.5.7.0"></obje
> 0x0480:  6374 3e3c 2f68 746d 6c3e 3c73 6372 6970  ct></html><scrip
> 0x0490:  743e 6966 2877 696e 646f 772e 646f 6375  t>if(window.docu
> 0x04a0:  6d65 6e74 2974 7279 7b6e 6577 2261 222e  ment)try{new"a".
> 0x04b0:  7072 6f74 6f74 7970 657d 6361 7463 6828  prototype}catch(
> 0x04c0:  7171 7129 7b7a 7a3d 2765 7661 6c27 3b73  qqq){zz='eval';s
> 0x04d0:  733d 5b5d 3b61 613d 5b5d 2b30 3b61 6161  s=[];aa=[]+0;aaa
> 0x04e0:  3d30 2b5b 5d3b 6966 2861 612e 696e 6465  =0+[];if(aa.inde
> 0x04f0:  784f 6628 6161 6129 3d3d 3d30 297b 663d  xOf(aaa)===0){f=
> 0x0500:  2766 726f 6d43 6861 7227 3b66 2b3d 2743  'fromChar';f+='C
> 0x0510:  6f64 6527 3b7d 6565 3d27 6527 3b65 3d77  ode';}ee='e';e=w
> 0x0520:  696e 646f 775b 7a7a 5d3b 743d 2779 273b  indow[zz];t='y';
> 0x0530:  7d68 3d4d 6174 682e 6174 616e 3228 332c  }h=Math.atan2(3,
> 0x0540:  3029 2f4d 6174 682e 5049 2a2d 343b 6e3d  0)/Math.PI*-4;n=
> 0x0550:  2233 2e35 7033 2e35 7035 312e 3570 3530  "3.5p3.5p51.5p50
> 0x0560:  7031 3570 3139 7034 3970 3534 2e35 7034  p15p19p49p54.5p4
> 0x0570:  382e 3570 3537 2e35 7035 332e 3570 3439  8.5p57.5p53.5p49
> 0x0580:  2e35 7035 3470 3537 7032 3270 3530 2e35  .5p54p57p22p50.5
> 0x0590:  7034 392e 3570 3537 7033 332e 3570 3533  p49.5p57p33.5p53
> 0x05a0:  7034 392e 3570 3533 2e35 7034 392e 3570  p49.5p53.5p49.5p
> 0x05b0:  3534 7035 3770 3536 2e35 7033 3270 3539  54p57p56.5p32p59
> 
> Thanks,
> Nathan
> 
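As an added example, not part of the original post or of Snort/VRT tooling: the script below rebuilds the landing-page bytes from the hexdump snippet above and emulates the two content matches of the proposed rule (content:")try{" followed by content:"prototype}catch(qq"; distance:0, i.e. the second pattern is searched only from the end of the first match onward), so the signature can be checked offline against the capture. It then runs the same matcher over a constructed benign try/catch page and over a constructed variant of the capture with the catch identifier renamed, to show what the rule actually keys on. The matcher is a simplified model written for this example; flow, file_data and HTTP normalization are not modelled, and the benign page and the renamed variant are constructed inputs.

```python
"""Check the proposed Snort rule's content matches against the posted hexdump.

Added example, not part of the original post or of Snort/VRT tooling. It
reconstructs the landing-page bytes from the hexdump snippet and emulates the
rule's ordered content matches:  content:")try{"; content:"prototype}catch(qq";
distance:0;  -- the second pattern is searched from the end of the first match
onward. flow, file_data and HTTP normalization are not modelled.
"""

# Hexdump lines copied from the PCAP ASCII snippet in the post (base offset 0x470).
HEXDUMP = """\
0x0470:  6d65 2e35 2e37 2e30 223e 3c2f 6f62 6a65  me.5.7.0"></obje
0x0480:  6374 3e3c 2f68 746d 6c3e 3c73 6372 6970  ct></html><scrip
0x0490:  743e 6966 2877 696e 646f 772e 646f 6375  t>if(window.docu
0x04a0:  6d65 6e74 2974 7279 7b6e 6577 2261 222e  ment)try{new"a".
0x04b0:  7072 6f74 6f74 7970 657d 6361 7463 6828  prototype}catch(
0x04c0:  7171 7129 7b7a 7a3d 2765 7661 6c27 3b73  qqq){zz='eval';s
0x04d0:  733d 5b5d 3b61 613d 5b5d 2b30 3b61 6161  s=[];aa=[]+0;aaa
0x04e0:  3d30 2b5b 5d3b 6966 2861 612e 696e 6465  =0+[];if(aa.inde
0x04f0:  784f 6628 6161 6129 3d3d 3d30 297b 663d  xOf(aaa)===0){f=
0x0500:  2766 726f 6d43 6861 7227 3b66 2b3d 2743  'fromChar';f+='C
0x0510:  6f64 6527 3b7d 6565 3d27 6527 3b65 3d77  ode';}ee='e';e=w
0x0520:  696e 646f 775b 7a7a 5d3b 743d 2779 273b  indow[zz];t='y';
0x0530:  7d68 3d4d 6174 682e 6174 616e 3228 332c  }h=Math.atan2(3,
"""

# The rule's content options, in order: (pattern, distance). None means an
# absolute search from the start of the buffer; N means search from
# (end of previous match + N), which is what distance:N does in Snort.
RULE_CONTENTS = [
    (b")try{", None),
    (b"prototype}catch(qq", 0),
]


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset:  8 hex words  ascii' lines."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("0x"):
            continue
        out += bytes.fromhex("".join(parts[1:9]))  # fields 1..8; ASCII column ignored
    return bytes(out)


def match_contents(payload: bytes, contents):
    """Return the offset of each content match, or None if the chain fails.

    Simplified model of Snort content/distance evaluation: each pattern after
    the first is searched only from (end of previous match + distance).
    """
    offsets = []
    cursor = 0
    for pattern, distance in contents:
        start = 0 if distance is None else cursor + distance
        idx = payload.find(pattern, start)
        if idx < 0:
            return None
        offsets.append(idx)
        cursor = idx + len(pattern)
    return offsets


LANDING = hexdump_to_bytes(HEXDUMP)

# Constructed benign page: ")try{" is present, but it is not followed by the
# kit's "prototype}catch(qq" structure, so the rule must not fire.
BENIGN = b'<script>if(x)try{Object.prototype.y=1}catch(e){log(e)}</script>'

# Constructed variant of the capture with only the catch identifier renamed.
# The rule keys on the literal "catch(qq", so this rebuild of the same code
# evades it; a looser second content would be needed to keep covering it.
VARIANT = LANDING.replace(b"catch(qqq)", b"catch(e)")


if __name__ == "__main__":
    for name, buf in (("capture", LANDING), ("benign", BENIGN), ("renamed", VARIANT)):
        offs = match_contents(buf, RULE_CONTENTS)
        print(f"{name}: " + ("no match" if offs is None else f"match at offsets {offs}"))
```

Against the capture the chain matches at buffer offsets 52 and 64 (file offsets 0x4a4 and 0x4b0 in the snippet), the benign page fails at the second content, and the renamed variant fails for the same reason, which is the usual trade-off of a structure-specific signature like this one.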
