Snort mailing list archives

Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch qq"


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 7 Mar 2012 11:01:23 -0500

Thanks Nathan,

We'll take a look at this.


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Mar 7, 2012, at 10:55 AM, Community Proposed wrote:

Please see the below for a variant of the catch(qq hostile blackhole exploit
kit initial landing.  VRT -- PCAP en-route.

Note 'origin community' in metadata, uncertain how the nomenclature for this
will be.  Not sure if 'origin vrt' and 'origin community' are what you had in
mind.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any \
(msg:"SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch qq"; \
flow:to_client,established; file_data; content:")try{"; \
content:"prototype}catch(qq"; distance:0; \
metadata:policy balanced-ips drop, policy security-ips drop, service http, origin community; \
reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; \
classtype:attempted-user; sid:x; rev:1;)

PCAP ASCII Snippet:

0x0470:  6d65 2e35 2e37 2e30 223e 3c2f 6f62 6a65  me.5.7.0"></obje
0x0480:  6374 3e3c 2f68 746d 6c3e 3c73 6372 6970  ct></html><scrip
0x0490:  743e 6966 2877 696e 646f 772e 646f 6375  t>if(window.docu
0x04a0:  6d65 6e74 2974 7279 7b6e 6577 2261 222e  ment)try{new"a".
0x04b0:  7072 6f74 6f74 7970 657d 6361 7463 6828  prototype}catch(
0x04c0:  7171 7129 7b7a 7a3d 2765 7661 6c27 3b73  qqq){zz='eval';s
0x04d0:  733d 5b5d 3b61 613d 5b5d 2b30 3b61 6161  s=[];aa=[]+0;aaa
0x04e0:  3d30 2b5b 5d3b 6966 2861 612e 696e 6465  =0+[];if(aa.inde
0x04f0:  784f 6628 6161 6129 3d3d 3d30 297b 663d  xOf(aaa)===0){f=
0x0500:  2766 726f 6d43 6861 7227 3b66 2b3d 2743  'fromChar';f+='C
0x0510:  6f64 6527 3b7d 6565 3d27 6527 3b65 3d77  ode';}ee='e';e=w
0x0520:  696e 646f 775b 7a7a 5d3b 743d 2779 273b  indow[zz];t='y';
0x0530:  7d68 3d4d 6174 682e 6174 616e 3228 332c  }h=Math.atan2(3,
0x0540:  3029 2f4d 6174 682e 5049 2a2d 343b 6e3d  0)/Math.PI*-4;n=
0x0550:  2233 2e35 7033 2e35 7035 312e 3570 3530  "3.5p3.5p51.5p50
0x0560:  7031 3570 3139 7034 3970 3534 2e35 7034  p15p19p49p54.5p4
0x0570:  382e 3570 3537 2e35 7035 332e 3570 3439  8.5p57.5p53.5p49
0x0580:  2e35 7035 3470 3537 7032 3270 3530 2e35  .5p54p57p22p50.5
0x0590:  7034 392e 3570 3537 7033 332e 3570 3533  p49.5p57p33.5p53
0x05a0:  7034 392e 3570 3533 2e35 7034 392e 3570  p49.5p53.5p49.5p
0x05b0:  3534 7035 3770 3536 2e35 7033 3270 3539  54p57p56.5p32p59

Thanks,
Nathan
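As an added worked example (not part of Nathan's post or the VRT rule set), the following Python reconstructs the response body from the quoted hex dump and emulates the rule's two ordered content matches (the second with distance:0), so the proposed signature can be checked offline against the sample. The function names are my own and the dump lines are copied from the snippet above.

```python
import re

# Constructed sample: the five hex-dump lines from the quoted PCAP snippet that
# carry the bytes the proposed rule looks for (offsets kept as in the post).
LANDING_PAGE_DUMP = """\
0x0480:  6374 3e3c 2f68 746d 6c3e 3c73 6372 6970  ct></html><scrip
0x0490:  743e 6966 2877 696e 646f 772e 646f 6375  t>if(window.docu
0x04a0:  6d65 6e74 2974 7279 7b6e 6577 2261 222e  ment)try{new"a".
0x04b0:  7072 6f74 6f74 7970 657d 6361 7463 6828  prototype}catch(
0x04c0:  7171 7129 7b7a 7a3d 2765 7661 6c27 3b73  qqq){zz='eval';s
"""

# The two content matches from the proposed rule, in rule order.
RULE_CONTENTS = [b")try{", b"prototype}catch(qq"]

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{4}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -X style lines ('0x0480:  6374 3e3c ...  ascii') into bytes.
    Only the first eight 4-hex-digit groups after the offset are consumed, so
    the trailing ASCII column is not mistaken for data."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        for group in line.split(":", 1)[1].split()[:8]:
            if not HEX_GROUP.match(group):
                break
            out += bytes.fromhex(group)
    return bytes(out)


def content_chain_matches(buffer: bytes, contents: list) -> bool:
    """Emulate Snort's ordered content matching for this rule: the first
    content may appear anywhere in the file_data buffer; each later one
    carries distance:0, so it must begin at or after the previous match ends."""
    cursor = 0
    for pattern in contents:
        hit = buffer.find(pattern, cursor)
        if hit < 0:
            return False
        cursor = hit + len(pattern)
    return True


def rule_fires(dump: str) -> bool:
    """True when the reassembled response body in the dump satisfies the rule."""
    return content_chain_matches(hexdump_to_bytes(dump), RULE_CONTENTS)


if __name__ == "__main__":
    print("match" if rule_fires(LANDING_PAGE_DUMP) else "no match")
```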



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org