[Snort-sigs] Unknown EK

Joel Esler jesler at ...435...
Tue Jul 9 15:46:30 EDT 2013


Nathan,

FYI -- We couldn't publish the /app.jar or /cm2.jar rules.  We had a bunch
of falses as soon as we tested them.


On Tue, Jul 2, 2013 at 6:42 PM, Community Proposed <lists at ...3397...> wrote:

> Unknown malvertising EK campaign isolated with 205.185.158.219 and
> 205.185.158.220, which pDNS shows pointed only to piksmedia.com and
> clearmetric.net respectively.  The PCRE produces a few benign false
> positives; considering the cost/risk, the PCRE is worth it.  Might be able
> to get away with some proxy blocks on this one.  Popular hosts such as BBC
> are being used.
>
> Global Hosts identified:
> *.piksmedia.com
> *.clearmetric.net
> 205.185.158.219
> 205.185.158.220
>
> Global URLs identified:
> */app.jar
> */cm2.jar
>
> RegEx (Unknown EK initial landing and stage-1):
> regex((?-i)http:\/\/[^\x2f]+\/[a-z]{1,6}\d?\/[a-f0-9]{8,10}\.htm$)
>
> Validation, as well as hits, after expansion and contraction of search
> criteria for this campaign:
>
> select date_time, http_status, media_type, url_body_size, dest_ip, url,
>        url_referrer, user_agent
> from webwasher_full
> where day>='2013-06-01' and http_status <> '407' and
>       (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$'
>        or url like '%/app.jar' or url like '%/cm2.jar'
>        or dest_ip like '205.185.158.219' or dest_ip like '205.185.158.220');
>
> {See attached Unknown_EK.tsv please note HTTP Referers and UAs}
>
> PCRE Validation
> select date_time, http_status, media_type, url_body_size, dest_ip, url,
>        url_referrer, user_agent
> from webwasher_full
> where day>='2013-06-01' and http_status <> '407' and
>       (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$');
>
> {See attached PCRE_Validation.tsv please note HTTP Referers and UAs}
>
> Looking at the PCAP {see attached}, this signature may be good to match the
> payload, but these signatures are untested and I am coming off a long day
> and my eyes are shot.  They may need some TLC:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit Hostile Jar pipe.class";
> flow:established,from_server;
> file_data; content:"PK"; depth:2;
> content:"|00|pipe.class"; fast_pattern; distance:0;
> content:"|00|inc.class"; distance:0;
> content:"|00|fdp.class"; distance:0;
> classtype:trojan-activity; sid:x; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit stage-1 redirect";
> flow:established,from_server;
> content:"<html><body><script>|0a|var "; fast_pattern;
> content:"document.createElement("; within:80;
> content:".setAttribute(|22|archive|22|, "; within:65;
> content:".setAttribute(|22|codebase|22|, "; within:65;
> content:".setAttribute(|22|id|22|, "; within:65;
> content:".setAttribute(|22|code|22|, "; within:65;
> content:"|22|)|3b 0a|document.body.appendChild("; within:65;
> content:"</script>|0a|</body>|0a|</html>|0a 0a|";
> classtype:trojan-activity; sid:x; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit Hostile Jar app.jar";
> flow:established,to_server;
> content:"/app.jar"; http_uri;
> content:") Java/"; http_header;
> classtype:trojan-activity; sid:x; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit Hostile Jar cm2.jar";
> flow:established,to_server;
> content:"/cm2.jar"; http_uri;
> content:") Java/"; http_header;
> classtype:trojan-activity; sid:x; rev:1;)
>
> Cheers,
> Nathan
>



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
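The landing-page regex and the jar-plus-Java-UA logic from Nathan's post, applied to a few constructed proxy records. This is an added example, not code from the thread or from the attached TSVs; every URL and user agent below is made up, and the `.test` hostnames are placeholders.

```python
import re
from urllib.parse import urlsplit

# Landing-page regex from the post. (?-i) in the original means case-sensitive,
# which is Python's default; the pattern is anchored at the end of the URL.
LANDING_RE = re.compile(r"http://[^\x2f]+/[a-z]{1,6}\d?/[a-f0-9]{8,10}\.htm$")

# Request-side logic mirroring the app.jar / cm2.jar rules: the URI ends with
# the jar name AND the header block carries a Java plug-in user agent (") Java/").
JAR_NAMES = ("/app.jar", "/cm2.jar")


def matches_landing(url: str) -> bool:
    """True when the full URL matches the stage-1 landing regex."""
    return LANDING_RE.search(url) is not None


def matches_hostile_jar(uri_path: str, user_agent: str) -> bool:
    """True when both content checks of the jar rules would fire."""
    return uri_path.endswith(JAR_NAMES) and ") Java/" in user_agent


# Constructed sample proxy records: (url, user_agent). Not real traffic.
SAMPLE_LOG = [
    ("http://ads.example-cdn.test/st3/0a1b2c3d4e.htm", "Mozilla/5.0 (Windows NT 6.1) Gecko"),
    ("http://news.example.test/world/2013/story.htm", "Mozilla/5.0 (Windows NT 6.1) Gecko"),
    ("http://ads.example-cdn.test/cm2.jar", "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"),
    ("http://intranet.example.test/app.jar", "Mozilla/5.0 (Windows NT 6.1) Gecko"),  # browser, not the Java plug-in
    ("http://legit.example.test/docs/deadbeef.htm", "Mozilla/5.0 (Windows NT 6.1) Gecko"),  # benign hex-named page
]


def triage(records):
    """Return (url, [reasons]) for every record that trips at least one check."""
    hits = []
    for url, ua in records:
        reasons = []
        if matches_landing(url):
            reasons.append("landing-regex")
        if matches_hostile_jar(urlsplit(url).path, ua):
            reasons.append("hostile-jar")
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_LOG):
        print(f"{url}\t{','.join(reasons)}")
```

The last record is the kind of benign hex-named page that produces the false positives the post mentions, and the fourth shows that a plain `/app.jar` fetch from a browser does not satisfy the Java user-agent check.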