Snort mailing list archives
Re: Unknown EK
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 2 Jul 2013 19:31:11 -0400
Nathan,

Okay, these look good for the most part. I took these and cleaned them up to fit into the VRT ruleset, but one error on the first one that will definitely keep it from functioning is the content match for "PK". You have a depth:0; I am sure you meant depth:2;. But in the rule I am committing, I'm not putting a depth; it doesn't look like we need it really.

Also, in the second rule, the colon after the second content match is a semicolon, probably just a typo.

Anyway, http://urlquery.net/report.php?id=3480890 I think shows what you are trying to find.

sid(rev) msg:
27085(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"
27086(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit stage-1 redirect"
27087(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar app.jar"
27088(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"

Thanks Nathan.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jul 2, 2013, at 6:42 PM, Community Proposed <lists () packetmail net> wrote:
Unknown malvertising EK campaign isolated with 205.185.158.219 and 205.185.158.220, which pDNS shows pointed only to piksmedia.com and clearmetric.net respectively. The PCRE produces a few benign false positives; considering the cost/risk, the PCRE is worth it. Might be able to get away with some proxy blocks on this one. Popular hosts such as BBC are being used.

Global Hosts identified:
*.piksmedia.com
*.clearmetric.net
205.185.158.219
205.185.158.220

Global URLs identified:
*/app.jar
*/cm2.jar

RegEx:
regex((?-i)http:\/\/[^\x2f]+\/[a-z]{1,6}\d?\/[a-f0-9]{8,10}\.htm$)

Unknown EK initial landing and stage-1 Validation, as well as hits, after expansion and contraction of search criteria for this campaign:

select date_time, http_status, media_type, url_body_size, dest_ip, url, url_referrer, user_agent
from webwasher_full
where day>='2013-06-01'
  and http_status <> '407'
  and (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$'
       or url like '%/app.jar'
       or url like '%/cm2.jar'
       or dest_ip like '205.185.158.219'
       or dest_ip like '205.185.158.220');

{See attached Unknown_EK.tsv, please note HTTP Referers and UAs}

PCRE Validation:

select date_time, http_status, media_type, url_body_size, dest_ip, url, url_referrer, user_agent
from webwasher_full
where day>='2013-06-01'
  and http_status <> '407'
  and (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$');

{See attached PCRE_Validation.tsv, please note HTTP Referers and UAs}

Looking at the PCAP {see attached}, this signature may be good to match the payload, but these signatures are untested and I am coming off a long day and my eyes are shot.
They may need some TLC:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; depth:0; content:"|00|pipe.class"; fast_pattern; distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class"; distance:0; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY Unknown Malvertising Exploit Kit stage-1 redirect"; flow:established,from_server; content:"<html><body><script>|0a|var "; fast_pattern; content;"document.createElement("; within:80; content:".setAttribute(|22|archive|22|, "; within:65; content:".setAttribute(|22|codebase|22|, "; within:65; content:".setAttribute(|22|id|22|, "; within:65; content:".setAttribute(|22|code|22|, "; within:65; content:"|22|)|3b 0a|document.body.appendChild("; within:65; content:"</script>|0a|</body>|0a|</html>|0a 0a|"; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY Unknown Malvertising Exploit Kit Hostile Jar app.jar"; flow:established,to_server; content:"/app.jar"; http_uri; content:") Java/"; http_header; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:established,to_server; content:"/cm2.jar"; http_uri; content:") Java/"; http_header; classtype:trojan-activity; sid:x; rev:1;)

Cheers,
Nathan

<UnknownEK_Inet.pcap><PCRE_Validation.tsv><Unknown_EK.tsv>
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
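The following is an added example, not code from either message in this thread and not part of the VRT ruleset. It replays the two detection ideas from Nathan's post in Python so they can be tried offline: the proxy-log hunt (the posted landing-page regex plus the */app.jar, */cm2.jar paths and the two hostile IPs, applied the way the posted Hive query applies them to webwasher_full, with 407 responses skipped), and the content chain of the proposed "Hostile Jar pipe.class" rule, emulated against a jar built in memory. Assumptions: the proxy records and the *.example.* hosts are constructed for the example; the jar contents are fake; the leading (?-i) is dropped from the regex because Python's re is case-sensitive by default and rejects a bare (?-i) at the start of a pattern; and the rule emulation uses the depth:2 semantics Joel refers to, not a Snort engine.

```python
"""Added example, not code from the Snort-sigs thread or the VRT ruleset.

  1. Proxy-log hunt: the posted landing-page regex, the */app.jar and
     */cm2.jar paths and the two hostile IPs are applied to constructed
     proxy records the way the posted query applies them to webwasher_full
     (HTTP 407 proxy-auth challenges are skipped).
  2. The content chain of the proposed "Hostile Jar pipe.class" rule
     ("PK" at the start of the body, then |00|pipe.class, |00|inc.class,
     |00|fdp.class, each after the previous match) is emulated against a
     jar built in memory with zipfile.

Every record, *.example.* host and jar below is constructed for the example.
"""
import io
import re
import zipfile

# The posted regex without its leading (?-i): Python's re is case-sensitive
# by default and rejects a bare (?-i) at the start of a pattern.
LANDING_RE = re.compile(r"http:\/\/[^\x2f]+\/[a-z]{1,6}\d?\/[a-f0-9]{8,10}\.htm$")

HOSTILE_IPS = {"205.185.158.219", "205.185.158.220"}   # from the post
JAR_SUFFIXES = ("/app.jar", "/cm2.jar")                 # */app.jar, */cm2.jar

# Constructed proxy-log records (hypothetical hosts except the two from the post).
SAMPLE_RECORDS = [
    {"http_status": "200", "dest_ip": "203.0.113.10",    "url": "http://ad.example.net/abc1/0123abcd.htm"},
    {"http_status": "407", "dest_ip": "203.0.113.10",    "url": "http://ad.example.net/abc1/0123abcd.htm"},
    {"http_status": "200", "dest_ip": "205.185.158.219", "url": "http://piksmedia.com/xyz/app.jar"},
    {"http_status": "200", "dest_ip": "205.185.158.220", "url": "http://clearmetric.net/q/index.php"},
    {"http_status": "200", "dest_ip": "198.51.100.5",    "url": "http://www.example.com/news/2013/01234567.htm"},
    {"http_status": "200", "dest_ip": "198.51.100.5",    "url": "http://cdn.example.org/static/deadbeef.htm"},
]


def classify(rec):
    """Return the indicators a record trips, in the order the posted query lists them.

    An empty list means the record is clean.  407 responses are dropped up
    front, as in the query: a proxy-auth challenge is not a completed fetch.
    """
    if rec["http_status"] == "407":
        return []
    hits = []
    if LANDING_RE.search(rec["url"]):
        hits.append("landing_regex")
    for suffix in JAR_SUFFIXES:
        if rec["url"].endswith(suffix):
            hits.append(suffix[1:])
    if rec["dest_ip"] in HOSTILE_IPS:
        hits.append("dest_ip")
    return hits


def hunt(records):
    """(url, indicators) for every record that trips at least one indicator."""
    out = []
    for rec in records:
        hits = classify(rec)
        if hits:
            out.append((rec["url"], hits))
    return out


def build_jar(class_names):
    """Build a minimal jar (zip) in memory containing the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in class_names:
            # Fake class body: the Java class-file magic plus filler.
            zf.writestr(name, b"\xca\xfe\xba\xbe" + bytes(16))
    return buf.getvalue()


def pipe_rule_matches(body):
    """Emulate the content chain of the proposed pipe.class rule on an HTTP body.

    "PK" is required at offset 0 (what depth:2 on the first match expresses);
    each "|00|<name>" must then occur after the end of the previous match
    (distance:0).  The 0x00 is the high byte of the 16-bit extra-field length
    that precedes the name in a zip local file header, and of the 32-bit
    local-header offset that precedes it in the central directory, so it is
    0x00 in any ordinary jar.  Because the central directory repeats every
    name, the chain also fires on some jars whose entries are not stored in
    pipe/inc/fdp order (see the reordered case in the demo below).
    """
    if not body.startswith(b"PK"):
        return False
    pos = 2
    for needle in (b"\x00pipe.class", b"\x00inc.class", b"\x00fdp.class"):
        idx = body.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


if __name__ == "__main__":
    for url, hits in hunt(SAMPLE_RECORDS):
        print(f"{','.join(hits):22} {url}")
    print("ordered jar    :", pipe_rule_matches(build_jar(["pipe.class", "inc.class", "fdp.class"])))
    print("reordered jar  :", pipe_rule_matches(build_jar(["inc.class", "pipe.class", "fdp.class"])))
    print("reversed jar   :", pipe_rule_matches(build_jar(["fdp.class", "inc.class", "pipe.class"])))
    print("missing fdp    :", pipe_rule_matches(build_jar(["pipe.class", "inc.class"])))
```

The cdn.example.org record is the kind of benign hit the post warns about: any six-letter directory followed by an eight-character hex file name satisfies the regex, which is why the dest_ip and jar-path indicators are kept alongside it in the query. The jar emulation also shows why Joel's depth fix matters: with "PK" unanchored the first content would match a "PK" anywhere in the body, so the depth (or, as in the committed rule, simply the file_data buffer plus the class-name chain) is what ties the match to a zip container.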
Current thread:
- Unknown EK Community Proposed (Jul 02)
- Re: Unknown EK Joel Esler (Jul 02)
- Re: Unknown EK lists () packetmail net (Jul 02)
- Re: Unknown EK Joel Esler (Jul 09)
- Re: Unknown EK lists () packetmail net (Jul 09)
- Re: Unknown EK Joel Esler (Jul 02)