[Snort-sigs] Unknown EK

Joel Esler jesler at ...435...
Tue Jul 2 19:31:11 EDT 2013


Nathan,

Okay, these look good for the most part, I took these and cleaned them up to fit into the VRT ruleset, but one error on the first one that will definitely keep it from functioning is the content match for “PK”.  You have a depth:0;

I am sure you meant depth:2;.  But in the rule I am committing, I’m not putting a depth, doesn’t look like we need it really.

Also, in the second rule, the colon after the second content match is a semicolon, probably just a typo.

Anyway, http://urlquery.net/report.php?id=3480890 I think shows what you are trying to find. 

sid(rev) msg:
27085(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"
27086(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit stage-1 redirect"
27087(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar app.jar"
27088(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"

Thanks Nathan.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Jul 2, 2013, at 6:42 PM, Community Proposed <lists at ...3397...> wrote:

> Unknown malvertising EK campaign isolated with 205.185.158.219 and
> 205.185.158.220 which pDNS shows pointed only to piksmedia.com and
> clearmetric.net respectively.  The PCRE produces a few benign false positives,
> considering the cost/risk the PCRE is worth it.  Might be able to get away with
> some proxy blocks on this one.  Popular hosts such as BBC are being used.
> 
> Global Hosts identified:
> *.piksmedia.com
> *.clearmetric.net
> 205.185.158.219
> 205.185.158.220
> 
> Global URLs identified:
> */app.jar
> */cm2.jar
> 
> RegEx:
> regex((?-i)http:\/\/[^\x2f]+\/[a-z]{1,6}\d?\/[a-f0-9]{8,10}\.htm$)  Unknown EK
> initial landing and stage-1
> 
> Validation, as well as hits, after expansion and contraction of search criteria
> for this campaign :
> 
> select date_time, http_status, media_type, url_body_size, dest_ip, url,
> url_referrer, user_agent
> from webwasher_full where day>='2013-06-01' and http_status <> '407' and
> (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$' or url
> like '%/app.jar' or url like '%/cm2.jar' or dest_ip like '205.185.158.219' or
> dest_ip like '205.185.158.220');
> 
> {See attached Unknown_EK.tsv please note HTTP Referers and UAs}
> 
> PCRE Validation
> select date_time, http_status, media_type, url_body_size, dest_ip, url,
> url_referrer, user_agent
> from webwasher_full where day>='2013-06-01' and http_status <> '407' and
> (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$');
> 
> {See attached PCRE_Validation.tsv please note HTTP Referers and UAs}
> 
> Looking at the PCAP {see attached} this signature may be good to match the
> payload, but these signatures are untested and I am coming off a long day and
> my eyes are shot.  They may need some TLC:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit Hostile Jar pipe.class";
> flow:established,from_server; 
> file_data; content:"PK"; depth:0; 
> content:"|00|pipe.class"; fast_pattern; distance:0; 
> content:"|00|inc.class"; distance:0; 
> content:"|00|fdp.class"; distance:0; 
> classtype:trojan-activity; sid:x; rev:1;)
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit stage-1 redirect";
> flow:established,from_server; 
> content:"<html><body><script>|0a|var "; fast_pattern; 
> content;"document.createElement("; within:80; 
> content:".setAttribute(|22|archive|22|, "; within:65; 
> content:".setAttribute(|22|codebase|22|, "; within:65; 
> content:".setAttribute(|22|id|22|, "; within:65; 
> content:".setAttribute(|22|code|22|, "; within:65; 
> content:"|22|)|3b 0a|document.body.appendChild("; within:65; 
> content:"</script>|0a|</body>|0a|</html>|0a 0a|"; 
> classtype:trojan-activity; sid:x; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit Hostile Jar app.jar";
> flow:established,to_server; 
> content:"/app.jar"; http_uri; 
> content:") Java/"; http_header; 
> classtype:trojan-activity; sid:x; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit Hostile Jar cm2.jar";
> flow:established,to_server; 
> content:"/cm2.jar"; http_uri; 
> content:") Java/"; http_header; 
> classtype:trojan-activity; sid:x; rev:1;)
> 
> Cheers,
> Nathan
> <UnknownEK_Inet.pcap><PCRE_Validation.tsv><Unknown_EK.tsv>
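As an added illustration (not code from either message, nor Snort's own implementation), the following Python models the content/depth/distance/within semantics the first rule relies on and runs them over a constructed in-memory JAR carrying the three class names, showing why the posted `depth:0` never loads while `depth:2` matches the zip header. The JAR builder, the simplified matcher and the `|hex|` content parser are assumptions of this example.

```python
import io
import zipfile

CLASSES = ("pipe.class", "inc.class", "fdp.class")  # names from the posted rule

def build_sample_jar() -> bytes:
    """Constructed in-memory JAR (zip) carrying those class names; not the thread's PCAP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in CLASSES:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

def parse_content(text: str) -> bytes:
    """Snort content string such as '|00|pipe.class' -> bytes (|..| groups are hex)."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def match_chain(payload: bytes, chain: list) -> bool:
    """Evaluate chained content matches honouring depth, distance and within."""
    cursor = 0  # end of the previous match; relative modifiers count from here
    for i, opt in enumerate(chain):
        pat = parse_content(opt["content"])
        if i == 0:
            depth = opt.get("depth")
            if depth is not None and (depth < 1 or depth < len(pat)):
                # Snort rejects a depth of 0 or shorter than the pattern: the rule never loads
                raise ValueError(f"depth {depth} invalid for {pat!r}")
            start, window = 0, payload[:depth] if depth else payload
        else:
            start = cursor + opt.get("distance", 0)
            within = opt.get("within")
            window = payload[start:start + within] if within else payload[start:]
        pos = window.find(pat)
        if pos < 0:
            return False
        cursor = start + pos + len(pat)
    return True

TAIL = [{"content": f"|00|{c}", "distance": 0} for c in CLASSES]
POSTED = [{"content": "PK", "depth": 0}] + TAIL     # as posted: fails to load
CORRECTED = [{"content": "PK", "depth": 2}] + TAIL  # what was meant: "PK" in first 2 bytes

def evaluate(payload: bytes, chain: list):
    # True/False on match, or the load-time error text for an invalid rule
    try:
        return match_chain(payload, chain)
    except ValueError as e:
        return str(e)
```

The `|00|` preceding each class name matches the zero high byte of the local file header's extra-field length, which is why the chained `distance:0` matches walk the zip entries in order.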
