[Snort-sigs] Rawin EK

Community Proposed lists at ...3397...
Thu Jun 20 16:55:03 EDT 2013


New EK, not sure what to call it.  I didn't get jars with
proliferateheritage.biz; PCAP attached.  templatedrivenswift.info was on
217.23.8.15; now it's moved to 8.8.4.4

hxxp://templatedrivenswift.info/rawin.php?b=0F0598&v=1.6.0.41
hxxp://templatedrivenswift.info/sigwer.jar
hxxp://templatedrivenswift.info/dubspace.jar

Clearly leaking Java Version and not sure about the 0F0598 stuff.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
Unknown Version-targeted Java Rawin Exploit Kit"; flow:established,to_server;
content:".php?b="; http_uri; fast_pattern; content:"&v="; http_uri; distance:0;
pcre:"/\.php\?b=[A-F0-9]+&v=[0-9]\.[0-9]\.[0-9]\.[0-9]+$/U";
classtype:trojan-activity; sid:x; rev:1;)

Hive Validation:
select date_time, url, dest_ip from webwasher_full where day>='2013-06-01' and
url rlike '\\.php\\?b=[A-F0-9]+&v=[0-9]\\.[0-9]\\.[0-9]\\.[0-9]+$'
[20/Jun/2013:11:21:22 -0600]   
hxxp://templatedrivenswift.info/rawin.php?b=0F0598&v=1.6.0.41    217.23.8.15
[06/Jun/2013:11:08:22 -0600]   
hxxp://proliferateheritage.biz/rawin.php?b=0F0598&v=1.7.0.7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rawinfixed.pcap
Type: application/octet-stream
Size: 220695 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130620/c4eb7d90/attachment.obj>
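The same URI pattern as a Python check over log lines in the layout of the Hive output above, added here as an example that is not part of the original post or the Snort rule set. The regex is the rule's pcre transcribed; the first two sample lines reuse the post's hosts and URLs, while the third line, its host, and the 203.0.113.x addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Transcription of the rule's pcre. Snort's /U modifier matches against the
# normalized HTTP URI, so here it is applied to the path+query of each URL.
# Note the character class is case-sensitive: only upper-case hex in b= matches.
RAWIN_URI_RE = re.compile(r"\.php\?b=([A-F0-9]+)&v=([0-9]\.[0-9]\.[0-9]\.[0-9]+)$")

# Parses one proxy log line: [timestamp]   hxxp://host/uri    dest_ip
# (URLs are kept defanged with hxxp as in the post).
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+hxxp://(?P<host>[^/\s]+)(?P<uri>\S*)")


@dataclass
class Hit:
    timestamp: str
    host: str
    b_param: str
    java_version: str


# Constructed sample log: two lines mirroring the post's Hive results and one
# benign lookalike (lower-case b=, short v=) that must not fire.
SAMPLE_LOG = """\
[20/Jun/2013:11:21:22 -0600]   hxxp://templatedrivenswift.info/rawin.php?b=0F0598&v=1.6.0.41    217.23.8.15
[06/Jun/2013:11:08:22 -0600]   hxxp://proliferateheritage.biz/rawin.php?b=0F0598&v=1.7.0.7    203.0.113.9
[06/Jun/2013:11:09:00 -0600]   hxxp://updates.example.test/check.php?b=abc&v=1.7    203.0.113.10
"""


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per line whose URI matches the rule's pcre."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = RAWIN_URI_RE.search(m.group("uri"))
        if u:
            hits.append(Hit(m.group("ts"), m.group("host"), u.group(1), u.group(2)))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.timestamp}  {h.host}  b={h.b_param}  java={h.java_version}")
```

Running it reports the two rawin.php requests with the leaked Java versions 1.6.0.41 and 1.7.0.7 and ignores the lookalike; the lower-case test below shows that a b= value in lower-case hex would slip past the pattern as written.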