[Snort-sigs] Rawin EK

Joel Esler jesler at ...435...
Thu Jun 20 19:02:33 EDT 2013


Nathan,

Thanks, this is how I added it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:".php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:1;)


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jun 20, 2013, at 4:55 PM, Community Proposed <lists at ...3397...> wrote:

> New EK, not sure what to call it.  I didn't get jars with
> proliferateheritage.biz, PCAP attached.  templatedrivenswift.info was on
> 217.23.8.15 now it's moved to 8.8.4.4
> 
> hxxp://templatedrivenswift.info/rawin.php?b=0F0598&v=1.6.0.41
> hxxp://templatedrivenswift.info/sigwer.jar
> hxxp://templatedrivenswift.info/dubspace.jar
> 
> Clearly leaking Java Version and not sure about the 0F0598 stuff.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY Unknown Version-targeted Java Rawin Exploit Kit"; flow:established,to_server; content:".php?b="; http_uri; fast_pattern; content:"&v="; http_uri; distance:0; pcre:"/\.php\?b=[A-F0-9]+&v=[0-9]\.[0-9]\.[0-9]\.[0-9]+$/U"; classtype:trojan-activity; sid:x; rev:1;)
> 
> Hive Validation:
> select date_time, url, dest_ip from webwasher_full where day>='2013-06-01' and
> url rlike '\\.php\\?b=[A-F0-9]+&v=[0-9]\\.[0-9]\\.[0-9]\\.[0-9]+$'
> [20/Jun/2013:11:21:22 -0600]   hxxp://templatedrivenswift.info/rawin.php?b=0F0598&v=1.6.0.41    217.23.8.15
> [06/Jun/2013:11:08:22 -0600]   hxxp://proliferateheritage.biz/rawin.php?b=0F0598&v=1.7.0.7
> <rawinfixed.pcap>
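As an added illustration (not code from this thread, from the community submitter or from Sourcefire), the Python below applies both rules' content chain and PCRE to the URI part of proxy-log lines shaped like the Hive output quoted above, so the difference between the anchored community pattern and the "&v=1." VRT pattern can be seen on real and made-up lines. The log lines, the example.test host and the 203.0.113.x addresses are constructed; it assumes the /U pcre is evaluated against path plus query.

```python
import re
from urllib.parse import urlsplit

# Each rule as (content 1, content 2, pcre), taken from the two rules in the thread.
# Snort evaluates the pcre only after the content matches succeed; /U means the
# pattern is applied to the normalized HTTP URI buffer (path plus query string).
RULES = {
    "community": (".php?b=", "&v=",
                  re.compile(r"\.php\?b=[A-F0-9]+&v=[0-9]\.[0-9]\.[0-9]\.[0-9]+$")),
    "vrt-26985": (".php?b=", "&v=1.",
                  re.compile(r"\.php\?b=[A-F0-9]+&v=1\.")),
}

# Constructed sample lines in the "[timestamp] url dest_ip" shape of the Hive output
# above: the first two reproduce the thread's hits, the rest are made up to show misses.
SAMPLE_LOG = """\
[20/Jun/2013:11:21:22 -0600] hxxp://templatedrivenswift.info/rawin.php?b=0F0598&v=1.6.0.41 217.23.8.15
[06/Jun/2013:11:08:22 -0600] hxxp://proliferateheritage.biz/rawin.php?b=0F0598&v=1.7.0.7 217.23.8.15
[20/Jun/2013:12:00:01 -0600] hxxp://example.test/index.php?b=abc&v=1.6 203.0.113.10
[20/Jun/2013:12:05:09 -0600] hxxp://example.test/rawin.php?b=0F0598&v=1.7.0.7&x=1 203.0.113.10
[20/Jun/2013:12:07:30 -0600] hxxp://example.test/rawin.php?b=0F0598&v=2.0.0.1 203.0.113.10
"""
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<url>\S+)\s+(?P<ip>\S+)$")

def uri_of(url: str) -> str:
    """Path plus query: the buffer that http_uri and pcre /U inspect."""
    parts = urlsplit(url.replace("hxxp://", "http://", 1))   # refang first
    return parts.path + ("?" + parts.query if parts.query else "")

def rule_hits(uri: str) -> list[str]:
    """Names of the rules whose content chain and pcre all match the URI."""
    hits = []
    for name, (first, second, pcre) in RULES.items():
        pos = uri.find(first)
        # distance:0 means the second content must start at or after the first match
        if pos < 0 or uri.find(second, pos + len(first)) < 0:
            continue
        if pcre.search(uri):
            hits.append(name)
    return hits

def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Run both rules over every well-formed log line; returns (ts, dest_ip, hits)."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:   # silently skip lines not in the expected shape
            results.append((m["ts"], m["ip"], rule_hits(uri_of(m["url"]))))
    return results
```

Calling `scan(SAMPLE_LOG)` shows the fourth line (extra `&x=1` parameter) only trips the unanchored VRT rule, while the fifth (`v=2.0.0.1`) only trips the community rule, since the VRT version is restricted to Java 1.x.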
