[Snort-sigs] Proposed Signatures - Blackhole Exploit Kit

Community Proposed lists at ...3397...
Tue Mar 13 13:09:40 EDT 2012


The Blackhole PDFs are consistent in structure and "fluff", and I've had
very good luck in identifying commonalities in the PDF structures used
by the Blackhole Exploit Kit.

One of these commonalities is the presence of "qwe123" in the PDFs.
This has been present for some time now, if not multiple months.  Joel,
let me know if you need PCAPs for this; I believe you'll find it in most
of yours already.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"COMMUNITY SPECIFIC-THREATS qwe123 PDF"; flow:to_client,established; file_data; content:"%PDF-1.6"; content:"|20 28|qwe123"; fast_pattern:only; classtype:trojan-activity; sid:436520771; rev:1;)

Additionally, I'm using this signature as an alternative to 21492 rev 5.  I'm
having some false positives with SID 21492 rev 5, so much so that I've had to
disable it :(  It may be better to revert to rev 3-4, where we're just catching
"catch(qq", and use the below as well:

# classtype added for consistency with the PDF rule above (the original proposal omitted it)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"COMMUNITY SPECIFIC-THREATS Blackhole Landing with prototype catch"; flow:to_client,established; file_data; content:"if(window.document)try{new|20|"; content:".prototype}catch("; distance:0; fast_pattern; classtype:trojan-activity; sid:436520770; rev:1;)

Joel, let me know if you need PCAPs.  I highly recommend 436520770 and
reverting 21492 rev 5.

Thanks,
Nathan
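A small harness, added here and not part of Nathan's post, that emulates the content/distance matching of the two proposed rules against constructed sample buffers, so the signatures can be sanity-checked before loading them into a sensor. It assumes Snort 2.x content semantics (an unmodified content matches anywhere in the buffer, distance:0 anchors the next content at or after the end of the previous match) and ignores the flow and file_data preprocessing.

```python
"""Emulate the content/distance semantics of the two proposed Snort rules.

Assumption (added example, not the poster's code): Snort 2.x content matching,
where a content without modifiers matches anywhere and `distance:0` makes the
next content start at or after the end of the previous match. `|hh hh|` hex
escapes are decoded as in Snort rule syntax.
"""


def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string (with |hh hh| hex escapes) into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd-numbered parts sit between pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def rule_matches(buf: bytes, contents) -> bool:
    """contents: list of (pattern, relative); relative=True mirrors distance:0."""
    cursor = 0
    for pattern, relative in contents:
        needle = decode_content(pattern)
        start = cursor if relative else 0  # non-relative contents search from offset 0
        idx = buf.find(needle, start)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


# The two rules from the post, expressed as ordered content sequences.
QWE123_PDF = [("%PDF-1.6", False), ("|20 28|qwe123", False)]
LANDING_CATCH = [("if(window.document)try{new|20|", False), (".prototype}catch(", True)]

# Constructed sample buffers (not real captures); the "_MISS" ones show the
# cases the rules deliberately do not fire on.
PDF_HIT = b"%PDF-1.6\n1 0 obj\n<< /S /JavaScript /JS (qwe123) >>\nendobj"
PDF_MISS = b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS (qwe123) >>\nendobj"
LANDING_HIT = b"<script>if(window.document)try{new Object().prototype}catch(e){}</script>"
# same tokens, wrong order: distance:0 keeps the second content from matching
LANDING_MISS = b"<script>.prototype}catch(e){} if(window.document)try{new X}</script>"

if __name__ == "__main__":
    for name, buf, rule in [("pdf hit", PDF_HIT, QWE123_PDF), ("pdf miss", PDF_MISS, QWE123_PDF),
                            ("landing hit", LANDING_HIT, LANDING_CATCH),
                            ("landing miss", LANDING_MISS, LANDING_CATCH)]:
        print(f"{name}: {rule_matches(buf, rule)}")
```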
