[Snort-sigs] Proposed Signatures - Blackhole Exploit Kit

Joel Esler jesler at ...435...
Tue Mar 13 16:46:01 EDT 2012

Do you have a pcap for the first one?

We have a second one in testing right now that will replace 21492 and is
similar to your second one.


On Tue, Mar 13, 2012 at 1:09 PM, Community Proposed <lists at ...3397...>wrote:

> The Blackhole PDFs are consistent in structure and "fluff", I've had
> very good luck in identifying commonalities in the PDF structures used
> by the Blackhole Exploit Kit.
> One of these commonalities is the presence of "qwe123" in the PDFs.
> This has been present for some time now, if not multiple months.  Joel,
> let me know if you need PCAPs for this, I believe you'll find it in most
> of yours already.
> SPECIFIC-THREATS qwe123 PDF"; flow:to_client,established; file_data;
> content:"%PDF-1.6"; content:"|20 28|qwe123"; fast_pattern:only;
> classtype:trojan-activity; sid:436520771; rev:1;)
> Additionally, I'm using this signature as an alternative to 21492 rev 5.
>  I'm
> having some false positives with SID 21492 rev 5, so much so I've had to
> disable it :(  It may be better to revert to rev 3-4 where we're just
> catching
> "catch(qq" and using the below as well:
> SPECIFIC-THREATS Blackhole Landing with prototype catch";
> flow:to_client,established; file_data;
> content:"if(window.document)try{new|20|"; content:".prototype}catch(";
> distance:0; fast_pattern; sid:436520770; rev:1;)
> Joel, let me know if you need PCAPs.  I highly recommend 436520770 and
> reverting 21492 rev 5.
> Thanks,
> Nathan

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120313/7fd323f5/attachment.html>

More information about the Snort-sigs mailing list