Re: Unknown EK

[Joel Esler <jesler () sourcefire com>]

Nathan,

FYI -- We couldn't publish the /app.jar or /cm2.jar rules.  We had a bunch
of falses as soon as we tested them.


On Tue, Jul 2, 2013 at 6:42 PM, Community Proposed <lists () packetmail net>wrote:

> Unknown malvertising EK campaign isolated with 205.185.158.219 and
> 205.185.158.220 which pDNS shows pointed only to piksmedia.com and
> clearmetric.net respectively.  The PCRE produces a few benign false
> positives,
> considering the cost/risk the PCRE is worth it.  Might be able to get away
> with
> some proxy blocks on this one.  Popular hosts such as BBC are being used.
>
> Global Hosts identified:
> *.piksmedia.com
> *.clearmetric.net
> 205.185.158.219
> 205.185.158.220
>
> Global URLs identified:
> */app.jar
> */cm2.jar
>
> RegEx:
> regex((?-i)http:\/\/[^\x2f]+\/[a-z]{1,6}\d?\/[a-f0-9]{8,10}\.htm$)
>  Unknown EK
> initial landing and stage-1
>
> Validation, as well as hits, after expansion and contraction of search
> criteria
> for this campaign :
>
> select date_time, http_status, media_type, url_body_size, dest_ip, url,
> url_referrer, user_agent
> from webwasher_full where day>='2013-06-01' and http_status <> '407' and
> (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$' or
> url
> like '%/app.jar' or url like '%/cm2.jar' or dest_ip like '205.185.158.219'
> or
> dest_ip like '205.185.158.220');
>
> {See attached Unknown_EK.tsv please note HTTP Referers and UAs}
>
> PCRE Validation
> select date_time, http_status, media_type, url_body_size, dest_ip, url,
> url_referrer, user_agent
> from webwasher_full where day>='2013-06-01' and http_status <> '407' and
> (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$');
>
> {See attached PCRE_Validation.tsv please note HTTP Referers and UAs}
>
> Looking at the PCAP {see attached} this signature may be good to match the
> payload, but these signatures are untested and I am coming off a long day
> and
> my eyes are shot.  They may need some TLC:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit Hostile Jar pipe.class";
> flow:established,from_server;
> file_data; content:"PK"; depth:0;
> content:"|00|pipe.class"; fast_pattern; distance:0;
> content:"|00|inc.class"; distance:0;
> content:"|00|fdp.class"; distance:0;
> classtype:trojan-activity; sid:x; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit stage-1 redirect";
> flow:established,from_server;
> content:"<html><body><script>|0a|var "; fast_pattern;
> content;"document.createElement("; within:80;
> content:".setAttribute(|22|archive|22|, "; within:65;
> content:".setAttribute(|22|codebase|22|, "; within:65;
> content:".setAttribute(|22|id|22|, "; within:65;
> content:".setAttribute(|22|code|22|, "; within:65;
> content:"|22|)|3b 0a|document.body.appendChild("; within:65;
> content:"</script>|0a|</body>|0a|</html>|0a 0a|";
> classtype:trojan-activity; sid:x; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit Hostile Jar app.jar";
> flow:established,to_server;
> content:"/app.jar"; http_uri;
> content:") Java/"; http_header;
> classtype:trojan-activity; sid:x; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
> Unknown Malvertising Exploit Kit Hostile Jar cm2.jar";
> flow:established,to_server;
> content:"/cm2.jar"; http_uri;
> content:") Java/"; http_header;
> classtype:trojan-activity; sid:x; rev:1;)
>
> Cheers,
> Nathan



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!