[Snort-sigs] Unknown EK

Community Proposed lists at ...3397...
Tue Jul 2 18:42:12 EDT 2013


Unknown malvertising EK campaign isolated with 205.185.158.219 and
205.185.158.220, which pDNS shows pointed only to piksmedia.com and
clearmetric.net respectively.  The PCRE produces a few benign false positives;
considering the cost/risk, the PCRE is worth it.  Might be able to get away with
some proxy blocks on this one.  Popular hosts such as BBC are being used.

Global Hosts identified:
*.piksmedia.com
*.clearmetric.net
205.185.158.219
205.185.158.220

Global URLs identified:
*/app.jar
*/cm2.jar

RegEx:
regex((?-i)http:\/\/[^\x2f]+\/[a-z]{1,6}\d?\/[a-f0-9]{8,10}\.htm$)
  Unknown EK initial landing and stage-1

Validation, as well as hits, after expansion and contraction of search criteria
for this campaign:

select date_time, http_status, media_type, url_body_size, dest_ip, url,
       url_referrer, user_agent
from webwasher_full
where day >= '2013-06-01'
  and http_status <> '407'
  and (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$'
       or url like '%/app.jar'
       or url like '%/cm2.jar'
       or dest_ip like '205.185.158.219'
       or dest_ip like '205.185.158.220');

{See attached Unknown_EK.tsv please note HTTP Referers and UAs}

PCRE Validation
select date_time, http_status, media_type, url_body_size, dest_ip, url,
       url_referrer, user_agent
from webwasher_full
where day >= '2013-06-01'
  and http_status <> '407'
  and (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$');

{See attached PCRE_Validation.tsv please note HTTP Referers and UAs}

Looking at the PCAP {see attached} this signature may be good to match the
payload, but these signatures are untested and I am coming off a long day and
my eyes are shot.  They may need some TLC:

# "PK" is the zip/jar magic; depth:2 anchors it at the start of the file_data
# buffer (depth:0 is not accepted by Snort, the minimum is 1)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
Unknown Malvertising Exploit Kit Hostile Jar pipe.class";
flow:established,from_server;
file_data; content:"PK"; depth:2;
content:"|00|pipe.class"; fast_pattern; distance:0;
content:"|00|inc.class"; distance:0;
content:"|00|fdp.class"; distance:0;
classtype:trojan-activity; sid:x; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
Unknown Malvertising Exploit Kit stage-1 redirect";
flow:established,from_server;
content:"<html><body><script>|0a|var "; fast_pattern;
content:"document.createElement("; within:80;
content:".setAttribute(|22|archive|22|, "; within:65;
content:".setAttribute(|22|codebase|22|, "; within:65;
content:".setAttribute(|22|id|22|, "; within:65;
content:".setAttribute(|22|code|22|, "; within:65;
content:"|22|)|3b 0a|document.body.appendChild("; within:65;
content:"</script>|0a|</body>|0a|</html>|0a 0a|";
classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
Unknown Malvertising Exploit Kit Hostile Jar app.jar";
flow:established,to_server; 
content:"/app.jar"; http_uri; 
content:") Java/"; http_header; 
classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
Unknown Malvertising Exploit Kit Hostile Jar cm2.jar";
flow:established,to_server; 
content:"/cm2.jar"; http_uri; 
content:") Java/"; http_header; 
classtype:trojan-activity; sid:x; rev:1;)

Cheers,
Nathan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: UnknownEK_Inet.pcap
Type: application/octet-stream
Size: 99812 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130702/6e986a11/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PCRE_Validation.tsv
Type: text/tab-separated-values
Size: 18571 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130702/6e986a11/attachment.tsv>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Unknown_EK.tsv
Type: text/tab-separated-values
Size: 23953 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130702/6e986a11/attachment-0001.tsv>
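The validation queries above run against a proxy log table; the same triage can be done offline on an exported TSV. The following is an added example (not from the post or from the Snort project) that applies the posted landing-page PCRE, the two jar URLs, the two IPs, and the two wildcard domains to constructed webwasher-style rows in the column order of the query, drops 407 rows as the SQL does, and, for jar requests, also records whether the client was the Java plugin (the ") Java/" User-Agent fragment rules 3 and 4 key on). All hostnames, IPs other than the two in the post, timestamps and byte counts in SAMPLE_LOG are constructed; the uppercase ABCDEF1234.htm row is there to show that the (?-i) case-sensitive PCRE does not match it.

```python
import re
from urllib.parse import urlsplit

# Posted PCRE: (?-i) == case-sensitive, which is Python's default; [^\x2f] == [^/]
LANDING_RE = re.compile(r'http://[^/]+/[a-z]{1,6}\d?/[a-f0-9]{8,10}\.htm$')
JAR_SUFFIXES = ('/app.jar', '/cm2.jar')
HOSTILE_IPS = {'205.185.158.219', '205.185.158.220'}
HOSTILE_DOMAINS = ('piksmedia.com', 'clearmetric.net')   # *.piksmedia.com, *.clearmetric.net

# Column order of the webwasher_full select in the post
FIELDS = ('date_time', 'http_status', 'media_type', 'url_body_size',
          'dest_ip', 'url', 'url_referrer', 'user_agent')

# Constructed sample rows (not from the attached TSVs); tab-separated, one request per line
SAMPLE_LOG = (
    "2013-06-28 10:01:02\t200\ttext/html\t1321\t203.0.113.10\thttp://ads.example.net/ad/3f9a1c2e0b.htm\thttp://news.example.com/story\tMozilla/5.0 (Windows NT 6.1) Firefox/21.0\n"
    "2013-06-28 10:01:03\t200\tapplication/java-archive\t41207\t205.185.158.219\thttp://ads.example.net/ad/app.jar\thttp://ads.example.net/ad/3f9a1c2e0b.htm\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_21\n"
    "2013-06-28 10:01:03\t407\ttext/html\t0\t205.185.158.220\thttp://cm.example.net/x/cm2.jar\t-\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_21\n"
    "2013-06-28 10:02:15\t200\ttext/html\t8820\t203.0.113.77\thttp://www.example.org/news/ABCDEF1234.htm\t-\tMozilla/5.0 (Windows NT 6.1) Firefox/21.0\n"
    "2013-06-28 10:02:40\t200\timage/png\t3100\t203.0.113.77\thttp://www.example.org/img/logo.png\thttp://www.example.org/\tMozilla/5.0 (Windows NT 6.1) Firefox/21.0\n"
    "2013-06-28 10:03:01\t200\ttext/html\t640\t203.0.113.40\thttp://static.piksmedia.com/t/index.html\thttp://news.example.com/\tMozilla/5.0 (Windows NT 6.1) Firefox/21.0\n"
)


def host_matches(host, domain):
    """True for the domain itself and any subdomain (the '*.' in the posted host list)."""
    return host == domain or host.endswith('.' + domain)


def classify(row):
    """Return the indicator names a single proxy-log row trips (empty list = no hit)."""
    reasons = []
    if row['http_status'] == '407':
        # Proxy-auth challenge: the client never reached the origin. The SQL excludes these too.
        return reasons
    url = row['url']
    host = (urlsplit(url).hostname or '').lower()
    if LANDING_RE.search(url):
        reasons.append('landing_pcre')
    if url.endswith(JAR_SUFFIXES):
        reasons.append('hostile_jar_url')
        # Rules 3 and 4 additionally require the Java plugin's UA, e.g. "(Windows 7 6.1) Java/1.7.0_21"
        if ') Java/' in row['user_agent']:
            reasons.append('java_client')
    if row['dest_ip'] in HOSTILE_IPS:
        reasons.append('hostile_ip')
    if any(host_matches(host, d) for d in HOSTILE_DOMAINS):
        reasons.append('hostile_host')
    return reasons


def parse_tsv(text):
    """Parse tab-separated rows in FIELDS order into dicts; blank and '#' lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        cols = line.split('\t')
        if len(cols) != len(FIELDS):
            raise ValueError('expected %d columns, got %d: %r' % (len(FIELDS), len(cols), line))
        rows.append(dict(zip(FIELDS, cols)))
    return rows


def scan(text):
    """Return [(url, reasons)] for every row that trips at least one indicator."""
    hits = []
    for row in parse_tsv(text):
        reasons = classify(row)
        if reasons:
            hits.append((row['url'], reasons))
    return hits


if __name__ == '__main__':
    for url, reasons in scan(SAMPLE_LOG):
        print('%-50s %s' % (url, ', '.join(reasons)))
```

Hits print with every indicator a row tripped, so a row that only matches the PCRE (the first sample line) can be eyeballed against its referrer and UA before deciding whether it is one of the benign false positives the post mentions, while a row that matches the jar URL, the IP and the Java UA together is as strong as the Snort rules would make it.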

