Snort mailing list archives

Malicious scriptlets
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 16 May 2013 11:16:32 -0600

So I've now seen two of these so far.  Compromised site gets a bonus 
file...a .sct scriptlet file.  These files had the initial header of the 
Sizzle CSS Engine:


  * Sizzle CSS Selector Engine - v0.9.3
  *  Copyright 2009, The Dojo Foundation
  *  Released under the MIT, BSD, and GPL Licenses.
  *  More information: http://sizzlejs.com/

but then goes on with the below (spaces added):

<s c r i p t l e t><implements 

the shortened goo.gl link points to bls.pw/ which apparently is 
"missing" an index.* page (hat tip to ET for detecting the .pw domain 
jazz).  The response is just as icky (snippets):

<t i t l e>404 Not Found</title>
.<h1>Not Found</h1>
.<p>The requested URL / was not found on this server.</p>
.<p>Additionally, a 404 Not Found error was encountered while trying to 
use an ErrorDocument to handle the request.</p>
.<!--[if gt IE 7]>
.<s c r i p t type="text/javascript">
.setTimeout('new Image().src="//goo.gl/9yBTe"',2500);

The shortened links are currently serving up nasty jar files:


Sig below should catch the response from the compromised server:

# Rule header below is assumed; the original post gave only the rule options.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
(msg:"INDICATOR-COMPROMISED Scriptlet file with iframe redirect"; \
flow:from_server,established; file_data; content:"<scriptlet"; \
content:"url="; content:"iframe"; metadata:policy balanced-ips drop, \
policy security-ips drop, service http; metadata:ruleset community; \
classtype:trojan-activity; sid:10000060; rev:1;)

Anything to help make the sig better would be much appreciated.
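As an added example (not part of James Lay's post), a small Python check that emulates the signature's three content tests over constructed HTTP response bodies, the way Snort would evaluate them against the file_data buffer. The sample bodies and the matches_sig function are constructed here; the nocase flag shows the effect of adding Snort's nocase modifier, which the posted rule does not use.

```python
# Constructed sample response bodies (not captures from the post).
# The scriptlet body mimics the structure described in the post: a Sizzle
# header comment followed by a <scriptlet> block that writes an iframe.
SCRIPTLET_BODY = (
    "/*\n * Sizzle CSS Selector Engine - v0.9.3\n */\n"
    "<scriptlet><implements type=\"Behavior\" id=\"b\">\n"
    "<script language=\"JScript\">\n"
    "  // constructed placeholder; not a real payload\n"
    "  var url=\"http://example.invalid/\";\n"
    "  document.write('<iframe src=\"' + url + '\"></iframe>');\n"
    "</script></implements></scriptlet>\n"
)
# A benign page that contains an iframe but no scriptlet.
BENIGN_BODY = "<html><body><iframe src=\"/video\"></iframe></body></html>"
# Same scriptlet with the opening tag upper-cased; MSHTML treats the tag
# name case-insensitively, but a plain Snort content match does not.
MIXED_CASE_BODY = SCRIPTLET_BODY.replace("<scriptlet>", "<SCRIPTLET>")

# The three literal contents from the posted rule, in rule order.
RULE_CONTENTS = ("<scriptlet", "url=", "iframe")


def matches_sig(body: str, nocase: bool = False) -> bool:
    """Emulate the rule's content checks against a response body.

    None of the rule's contents carry distance/within/offset/depth, so
    each pattern is searched independently over the whole buffer and
    the rule fires only when all three are present.  nocase=True
    emulates adding the ``nocase`` modifier to every content keyword.
    """
    hay = body.lower() if nocase else body
    for pat in RULE_CONTENTS:
        needle = pat.lower() if nocase else pat
        if needle not in hay:
            return False
    return True


if __name__ == "__main__":
    for name, body in (("scriptlet", SCRIPTLET_BODY),
                       ("benign", BENIGN_BODY),
                       ("mixed-case", MIXED_CASE_BODY)):
        print(f"{name:11s} exact={matches_sig(body)} "
              f"nocase={matches_sig(body, nocase=True)}")
```

The mixed-case body is missed by the exact-match version, which is why nocase on the content keywords is a reasonable hardening of the posted rule.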

Snort-sigs mailing list
Snort-sigs () lists sourceforge net