Snort mailing list archives
Re: Proposed Signature - SPECIFIC-THREATS Blackhole landing page with specific structure
From: Nick Randolph <drandolph () sourcefire com>
Date: Thu, 12 Jul 2012 10:01:12 -0400
Thanks for the pcap. It triggered 21492 and 21646 when I ran it. I can't say how urlquery.net has Snort configured or if they have those rules enabled.

On Thu, Jul 12, 2012 at 2:11 AM, yew chuan Ong <yewchuan_23 () yahoo com> wrote:
Hi,

Found out that this blackhole landing page is not detectable by Snort. [ http://urlquery.net/report.php?id=87943 ] I guess there are some specific keywords (highlighted with red) which we can use to create a signature for this.

Proposed Signature:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Blackhole landing page with specific structure - dshsd catch"; flow:to_client,established; content:"dshsdfh"; content:"}catch(dshsd)"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:xxx; classtype:attempted-user; sid:xxx; rev:1;)

The script is detected by 3 AVs as malicious. [ https://www.virustotal.com/file/59f21a240c419b270f1bbde55dce09ed4e4d2f228310be7a1701caa2a326fbe4/analysis/ ] Maybe we can put the result from VirusTotal as reference.

0100  0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 0d 0a  ..<html> <body>..
0110  3c 73 63 72 69 70 74 3e 72 3d 66 75 6e 63 74 69  <script> r=functi
0120  6f 6e 28 29 7b 74 72 79 7b 71 3d 70 72 6f 74 6f  on(){try {q=proto
0130  74 79 70 65 5e 32 3b 7d 63 61 74 63 68 28 71 29  type^2;} catch(q)
0140  7b 7a 3d 32 3b 7d 6d 64 3d 22 61 22 3b 0d 0a 73  {z=2;}md ="a";..s
0150  3d 22 22 3b 0d 0a 77 3d 32 3b 0d 0a 66 6f 72 28  ="";..w= 2;..for(
0160  6b 3d 61 2e 6c 65 6e 67 74 68 2d 31 3b 6b 3e 3d  k=a.leng th-1;k>=
0170  30 3b 6b 2d 2d 29 7b 0d 0a 09 69 66 28 77 69 6e  0;k--){. ..if(win
0180  64 6f 77 2e 64 6f 63 75 6d 65 6e 74 29 74 72 79  dow.docu ment)try
0190  7b 64 73 68 73 64 66 68 2e 61 70 70 65 6e 64 43  {dshsdfh .appendC
01a0  68 69 6c 64 28 22 31 32 22 2b 64 73 68 73 64 66  hild("12 "+dshsdf
01b0  68 29 3b 7d 63 61 74 63 68 28 64 73 68 73 64 29  h);}catc h(dshsd)
01c0  7b 0d 0a 09 09 76 3d 61 5b 6b 5d 3b 0d 0a 09 09  {....v=a [k];....
01d0  6e 3d 61 2e 6c 65 6e 67 74 68 2d 6b 2d 31 3b 0d  n=a.leng th-k-1;.
01e0  0a 09 09 6e 3d 6e 2d 4d 61 74 68 2e 66 6c 6f 6f  ...n=n-M ath.floo
01f0  72 28 6e 2f 77 29 2a 77 3b 0d 0a 09 09 7a 3d 76  r(n/w)*w ;....z=v
0200  2a 28 6e 2b 31 29 3b 0d 0a 09 09 73 3d 73 2b 53  *(n+1);. ...s=s+S
0210  74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f  tring.fr omCharCo

Kindly advise and share your opinions. Attached is the malicious script and the pcap file.

Regards
Yew Chuan

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
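As an added example (not code from the thread, from Sourcefire or from the Snort project), the following script shows what a rule writer can do before posting a signature like the one above: parse the quoted hex dump back into the response bytes and emulate the two content: checks of the proposed rule against them. It assumes the dump rows exactly as quoted in Yew Chuan's mail (re-split one row per line; the ASCII column is ignored) and a simplified Snort content model: plain and |hex| literals only, no offset/depth/distance/within/nocase modifiers, each pattern an absolute case-sensitive search, and every pattern required for the rule to fire. The parser refuses a non-contiguous dump, since a match spanning a gap in the capture would prove nothing.

```python
import re

# Constructed sample: the hex dump rows quoted in the mail (offsets 0x0100-0x021f
# of the HTTP response body), one row per line. Only the offset and the hex byte
# columns are parsed; the trailing ASCII column is ignored.
HEXDUMP = """\
0100  0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 0d 0a  ..<html> <body>..
0110  3c 73 63 72 69 70 74 3e 72 3d 66 75 6e 63 74 69  <script> r=functi
0120  6f 6e 28 29 7b 74 72 79 7b 71 3d 70 72 6f 74 6f  on(){try {q=proto
0130  74 79 70 65 5e 32 3b 7d 63 61 74 63 68 28 71 29  type^2;} catch(q)
0140  7b 7a 3d 32 3b 7d 6d 64 3d 22 61 22 3b 0d 0a 73  {z=2;}md ="a";..s
0150  3d 22 22 3b 0d 0a 77 3d 32 3b 0d 0a 66 6f 72 28  ="";..w= 2;..for(
0160  6b 3d 61 2e 6c 65 6e 67 74 68 2d 31 3b 6b 3e 3d  k=a.leng th-1;k>=
0170  30 3b 6b 2d 2d 29 7b 0d 0a 09 69 66 28 77 69 6e  0;k--){. ..if(win
0180  64 6f 77 2e 64 6f 63 75 6d 65 6e 74 29 74 72 79  dow.docu ment)try
0190  7b 64 73 68 73 64 66 68 2e 61 70 70 65 6e 64 43  {dshsdfh .appendC
01a0  68 69 6c 64 28 22 31 32 22 2b 64 73 68 73 64 66  hild("12 "+dshsdf
01b0  68 29 3b 7d 63 61 74 63 68 28 64 73 68 73 64 29  h);}catc h(dshsd)
01c0  7b 0d 0a 09 09 76 3d 61 5b 6b 5d 3b 0d 0a 09 09  {....v=a [k];....
01d0  6e 3d 61 2e 6c 65 6e 67 74 68 2d 6b 2d 31 3b 0d  n=a.leng th-k-1;.
01e0  0a 09 09 6e 3d 6e 2d 4d 61 74 68 2e 66 6c 6f 6f  ...n=n-M ath.floo
01f0  72 28 6e 2f 77 29 2a 77 3b 0d 0a 09 09 7a 3d 76  r(n/w)*w ;....z=v
0200  2a 28 6e 2b 31 29 3b 0d 0a 09 09 73 3d 73 2b 53  *(n+1);. ...s=s+S
0210  74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f  tring.fr omCharCo
"""

# The signature proposed in the thread, copied verbatim (reference/sid keep the
# author's xxx placeholders).
PROPOSED_RULE = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
    '(msg:"SPECIFIC-THREATS Blackhole landing page with specific structure - dshsd catch"; '
    'flow:to_client,established; content:"dshsdfh"; content:"}catch(dshsd)"; '
    'metadata:policy balanced-ips drop, policy security-ips drop, service http; '
    'reference:xxx; classtype:attempted-user; sid:xxx; rev:1;)'
)

# One dump row: an offset, then up to 16 whole two-digit hex tokens.
ROW_RE = re.compile(r"^\s*([0-9a-fA-F]{4,8})((?:\s+[0-9a-fA-F]{2}(?=\s|$)){1,16})")
# A content:"..." option; the quoted text may contain backslash escapes.
CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"\s*;')


def parse_hexdump(text):
    """Return (base_offset, payload) for a contiguous run of dump rows.

    A gap between rows means the capture is incomplete, so it is rejected
    rather than silently concatenated.
    """
    payload = bytearray()
    base = expected = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        row = bytes.fromhex(m.group(2))  # fromhex skips the separating whitespace
        if base is None:
            base = offset
        elif offset != expected:
            raise ValueError(f"dump not contiguous at {offset:#06x}, expected {expected:#06x}")
        payload += row
        expected = offset + len(row)
    if base is None:
        raise ValueError("no hex dump rows found")
    return base, bytes(payload)


def snort_literal(pattern):
    """Decode a content: pattern: text outside |...| is literal, inside is hex.
    Backslash escapes are not handled in this simplified model."""
    if "\\" in pattern:
        raise NotImplementedError("backslash escapes are outside this example's scope")
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def rule_contents(rule):
    """All content: patterns of a rule, in rule order, as byte strings."""
    return [snort_literal(p) for p in CONTENT_RE.findall(rule)]


def matches_rule(payload, rule):
    """Emulate the content checks of a rule with no positional modifiers:
    each pattern is an absolute, case-sensitive substring search over the
    reassembled payload, and every pattern must be found for the rule to fire."""
    patterns = rule_contents(rule)
    return bool(patterns) and all(p in payload for p in patterns)


def match_offsets(payload, rule, base=0):
    """Map each content: pattern to the dump offset of its first occurrence;
    patterns that do not occur are left out."""
    return {p: base + payload.find(p) for p in rule_contents(rule) if p in payload}


if __name__ == "__main__":
    base, payload = parse_hexdump(HEXDUMP)
    print(f"{len(payload)} bytes parsed, starting at offset {base:#06x}")
    print("rule fires:", matches_rule(payload, PROPOSED_RULE))
    for pat, off in match_offsets(payload, PROPOSED_RULE, base).items():
        print(f"  {pat!r} first seen at {off:#06x}")
```

Against the 288 bytes quoted in the thread both patterns hit, "dshsdfh" at 0x0191 and "}catch(dshsd)" at 0x01b3, so the rule would fire on this capture under the simplified model. Two things the emulation deliberately leaves out: real Snort searches the stream-reassembled buffer that flow:to_client,established asks for, so a pattern split across TCP segments still matches there, and it picks one content as the fast pattern for the multi-pattern matcher, which affects performance but not the verdict.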