Snort mailing list archives

Re: Unknown EK


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 2 Jul 2013 19:31:11 -0400

Nathan,

Okay, these look good for the most part, I took these and cleaned them up to fit into the VRT ruleset, but one error on 
the first one that will definitely keep it from functioning is the content match for “PK”.  You have a depth:0;

I am sure you meant depth:2;.  But in the rule I am committing, I’m not putting a depth, doesn’t look like we need it 
really.

Also, in the second rule, the colon after the second content match is a semicolon, probably just a typo.

Anyway, http://urlquery.net/report.php?id=3480890 I think shows what you are trying to find. 

sid(rev) msg:
27085(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"
27086(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit stage-1 redirect"
27087(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar app.jar"
27088(1) "EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"

Thanks Nathan.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
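
The two problems Joel names (a `depth:0;` on the "PK" match, and `content;` typed where `content:` was meant) are both things a few lines of option parsing will catch before a rule ever reaches Snort. The following linter is an added example, not VRT or Sourcefire code and not part of this thread: it splits a Snort 2 option section into `name:value;` pairs, reports options it cannot parse, and flags a non-positive `depth`, a `depth` shorter than the content pattern it limits, a `content` with no value, and a placeholder `sid`. The two rules embedded in it are copies of the first two rules quoted below; `RULE1_FIXED` assumes the `depth:2;` Joel says was intended and the sid 27085 he assigned.

```python
"""Minimal linter for the option section of Snort 2 rules (added example).

Checks: unparseable option text, `content;` with no value, `depth` that is
not >= 1 (Snort's documented minimum, so the rule does not load), `depth`
shorter than its own pattern (can never match), and non-numeric `sid`.
"""
import re

# One option: name, optional ':' value, terminating ';'.  A value is either
# a double-quoted string (backslash escapes allowed) or bare text up to ';'.
OPTION_RE = re.compile(
    r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;'
)


def parse_options(body):
    """Return (options, errors); options is a list of (name, value or None)."""
    options, errors, pos = [], [], 0
    while body[pos:].strip():
        m = OPTION_RE.match(body, pos)
        if m is None:
            # resynchronise at the next ';' so the remaining options are still checked
            end = body.find(";", pos)
            end = len(body) if end == -1 else end + 1
            errors.append("unparseable option text %r" % body[pos:end].strip())
            pos = end
            continue
        options.append((m.group(1), m.group(2)))
        pos = m.end()
    return options, errors


def pattern_length(value):
    """Byte length of a content pattern such as "|00|pipe.class": runs between
    '|' are hex bytes (one byte per pair); backslash escapes are not handled."""
    total = 0
    for i, seg in enumerate(value.strip('"').split("|")):
        total += len(seg.split()) if i % 2 else len(seg)
    return total


def lint_rule(rule):
    """Return a list of findings for one rule; an empty list means clean."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        return ["rule has no (...) option section"]
    options, findings = parse_options(rule[start + 1:end])
    last_content = None
    for name, value in options:
        if name == "content":
            if value is None:
                findings.append("content has no value: 'content;' written where 'content:' was meant")
            last_content = value
        elif name == "depth":
            depth = int(value) if value is not None and value.strip().isdigit() else None
            if depth is None or depth < 1:
                findings.append("depth:%s is not a positive integer; the rule will not load" % value)
            elif last_content and depth < pattern_length(last_content):
                findings.append("depth:%d is shorter than its %d-byte pattern and can never match"
                                % (depth, pattern_length(last_content)))
        elif name == "sid" and not (value or "").strip().isdigit():
            findings.append("sid:%s is a placeholder, not a number" % value)
    return findings


# The first two rules as posted in the thread (sid:x placeholders included).
RULE1_AS_POSTED = '''alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
Unknown Malvertising Exploit Kit Hostile Jar pipe.class";
flow:established,from_server;
file_data; content:"PK"; depth:0;
content:"|00|pipe.class"; fast_pattern; distance:0;
content:"|00|inc.class"; distance:0;
content:"|00|fdp.class"; distance:0;
classtype:trojan-activity; sid:x; rev:1;)'''

RULE2_AS_POSTED = '''alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
Unknown Malvertising Exploit Kit stage-1 redirect";
flow:established,from_server;
content:"<html><body><script>|0a|var "; fast_pattern;
content;"document.createElement("; within:80;
content:".setAttribute(|22|archive|22|, "; within:65;
content:".setAttribute(|22|codebase|22|, "; within:65;
content:".setAttribute(|22|id|22|, "; within:65;
content:".setAttribute(|22|code|22|, "; within:65;
content:"|22|)|3b 0a|document.body.appendChild("; within:65;
content:"</script>|0a|</body>|0a|</html>|0a 0a|";
classtype:trojan-activity; sid:x; rev:1;)'''

# Assumed corrected form: the depth Joel says was meant and the sid he assigned.
RULE1_FIXED = RULE1_AS_POSTED.replace("depth:0;", "depth:2;").replace("sid:x;", "sid:27085;")

if __name__ == "__main__":
    for label, rule in (("rule 1", RULE1_AS_POSTED), ("rule 2", RULE2_AS_POSTED),
                        ("rule 1 fixed", RULE1_FIXED)):
        print(label, lint_rule(rule) or ["clean"])
```

Running it prints the `depth:0` and `sid:x` findings for the first rule, the missing-value finding plus the dangling `"document.createElement(";` fragment for the second, and `clean` for the corrected first rule. The depth-versus-pattern check is why `depth:2` is the natural value for a two-byte `"PK"` at offset 0, and also why Joel can drop the depth entirely: `file_data` already positions the match at the start of the served file.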


On Jul 2, 2013, at 6:42 PM, Community Proposed <lists () packetmail net> wrote:

Unknown malvertising EK campaign isolated with 205.185.158.219 and
205.185.158.220 which pDNS shows pointed only to piksmedia.com and
clearmetric.net respectively.  The PCRE produces a few benign false positives,
considering the cost/risk the PCRE is worth it.  Might be able to get away with
some proxy blocks on this one.  Popular hosts such as BBC are being used.

Global Hosts identified:
*.piksmedia.com
*.clearmetric.net
205.185.158.219
205.185.158.220

Global URLs identified:
*/app.jar
*/cm2.jar

RegEx:
regex((?-i)http:\/\/[^\x2f]+\/[a-z]{1,6}\d?\/[a-f0-9]{8,10}\.htm$)  Unknown EK
initial landing and stage-1

Validation, as well as hits, after expansion and contraction of search criteria
for this campaign :

select date_time, http_status, media_type, url_body_size, dest_ip, url,
url_referrer, user_agent
from webwasher_full where day>='2013-06-01' and http_status <> '407' and
(url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$' or url
like '%/app.jar' or url like '%/cm2.jar' or dest_ip like '205.185.158.219' or
dest_ip like '205.185.158.220');

{See attached Unknown_EK.tsv please note HTTP Referers and UAs}

PCRE Validation
select date_time, http_status, media_type, url_body_size, dest_ip, url,
url_referrer, user_agent
from webwasher_full where day>='2013-06-01' and http_status <> '407' and
(url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$');

{See attached PCRE_Validation.tsv please note HTTP Referers and UAs}

Looking at the PCAP {see attached} this signature may be good to match the
payload, but these signatures are untested and I am coming off a long day and
my eyes are shot.  They may need some TLC:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
Unknown Malvertising Exploit Kit Hostile Jar pipe.class";
flow:established,from_server; 
file_data; content:"PK"; depth:0; 
content:"|00|pipe.class"; fast_pattern; distance:0; 
content:"|00|inc.class"; distance:0; 
content:"|00|fdp.class"; distance:0; 
classtype:trojan-activity; sid:x; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
Unknown Malvertising Exploit Kit stage-1 redirect";
flow:established,from_server; 
content:"<html><body><script>|0a|var "; fast_pattern; 
content;"document.createElement("; within:80; 
content:".setAttribute(|22|archive|22|, "; within:65; 
content:".setAttribute(|22|codebase|22|, "; within:65; 
content:".setAttribute(|22|id|22|, "; within:65; 
content:".setAttribute(|22|code|22|, "; within:65; 
content:"|22|)|3b 0a|document.body.appendChild("; within:65; 
content:"</script>|0a|</body>|0a|</html>|0a 0a|"; 
classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
Unknown Malvertising Exploit Kit Hostile Jar app.jar";
flow:established,to_server; 
content:"/app.jar"; http_uri; 
content:") Java/"; http_header; 
classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
Unknown Malvertising Exploit Kit Hostile Jar cm2.jar";
flow:established,to_server; 
content:"/cm2.jar"; http_uri; 
content:") Java/"; http_header; 
classtype:trojan-activity; sid:x; rev:1;)

Cheers,
Nathan
<UnknownEK_Inet.pcap><PCRE_Validation.tsv><Unknown_EK.tsv>
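
Nathan's webwasher query combines four search terms: the landing-page regex, the two jar paths and the two destination IPs, with 407 proxy-auth rows excluded. The following is an added example, not the original poster's code or data: it re-runs that logic offline over a constructed tab-separated log (RFC 5737 addresses for the benign destinations, the page's two IPs and hostnames for the campaign rows, invented paths that fit the pattern, and a Java plug-in style User-Agent), and adds the `") Java/"` header term from the two to_server rules so a browser fetching some `app.jar` can be told apart from the Java plug-in fetching it. The regex is the `{8,10}` form from the post; note the SQL version uses `{8}`.

```python
"""Offline replay of the thread's search terms over a constructed proxy log.
Added example; the log lines and UA string are constructed, not real data."""
import re

# Nathan's PCRE: case-sensitive, end-anchored only (as posted).
LANDING_RE = re.compile(r"http://[^/]+/[a-z]{1,6}\d?/[a-f0-9]{8,10}\.htm$")
HOSTILE_JAR_SUFFIXES = ("/app.jar", "/cm2.jar")   # url like '%/app.jar' ...
EK_DEST_IPS = {"205.185.158.219", "205.185.158.220"}

# Constructed sample log, same columns as the post's select minus
# media_type/url_body_size.  Row 2 is a 407 challenge the query skips;
# row 5 is the kind of benign false positive Nathan mentions; row 6 is a
# browser (not the Java plug-in) fetching an unrelated app.jar.
SAMPLE_LOG = """\
date_time\thttp_status\tdest_ip\turl\turl_referrer\tuser_agent
2013-07-02 10:01:03\t200\t192.0.2.10\thttp://example.org/news/2013/07/02/story.htm\t-\tMozilla/5.0 (Windows NT 6.1) Firefox/22.0
2013-07-02 10:01:09\t407\t205.185.158.219\thttp://piksmedia.com/ab3/4f2e9c1d0a.htm\thttp://example.org/news/2013/07/02/story.htm\tMozilla/5.0 (Windows NT 6.1) Firefox/22.0
2013-07-02 10:01:10\t200\t205.185.158.219\thttp://piksmedia.com/ab3/4f2e9c1d0a.htm\thttp://example.org/news/2013/07/02/story.htm\tMozilla/5.0 (Windows NT 6.1) Firefox/22.0
2013-07-02 10:01:12\t200\t205.185.158.220\thttp://clearmetric.net/q/app.jar\t-\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_21
2013-07-02 10:02:40\t200\t192.0.2.44\thttp://example.com/docs2/0123456789.htm\t-\tMozilla/5.0 (Windows NT 6.1) Firefox/22.0
2013-07-02 10:03:00\t200\t192.0.2.50\thttp://example.net/lib/app.jar\t-\tMozilla/5.0 (Windows NT 6.1) Firefox/22.0
"""


def parse_log(text):
    """Header-driven TSV parse; returns one dict per row."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def classify(rec):
    """Tags one record with the search terms it satisfies (empty set = no hit)."""
    tags = set()
    if rec["http_status"] == "407":          # http_status <> '407'
        return tags
    url = rec["url"]
    if LANDING_RE.search(url):
        tags.add("landing")
    if url.endswith(HOSTILE_JAR_SUFFIXES):
        tags.add("hostile-jar")
        # The to_server rules also require ") Java/" in a header: applet
        # jars are fetched by the Java plug-in, whose UA carries that string.
        if ") Java/" in rec["user_agent"]:
            tags.add("java-client")
    if rec["dest_ip"] in EK_DEST_IPS:
        tags.add("ek-ip")
    return tags


def find_hits(text):
    """(date_time, url, sorted tags) for every record that satisfies a term."""
    hits = []
    for rec in parse_log(text):
        tags = classify(rec)
        if tags:
            hits.append((rec["date_time"], rec["url"], sorted(tags)))
    return hits


if __name__ == "__main__":
    for when, url, tags in find_hits(SAMPLE_LOG):
        print(when, ",".join(tags), url)
```

Four rows come back: the landing page (landing + ek-ip), the jar download (ek-ip + hostile-jar + java-client), the benign `.htm` that happens to fit the regex (landing only), and the browser's jar fetch (hostile-jar only). Rows that carry only a single weak term are the ones to look at by referrer and UA, which is the same triage the attached TSVs invite.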

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

