Snort mailing list archives
Re: Unknown EK
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 9 Jul 2013 15:46:30 -0400
Nathan, FYI -- We couldn't publish the /app.jar or /cm2.jar rules. We had a bunch of falses as soon as we tested them.

On Tue, Jul 2, 2013 at 6:42 PM, Community Proposed <lists () packetmail net> wrote:
Unknown malvertising EK campaign isolated with 205.185.158.219 and 205.185.158.220, which pDNS shows pointed only to piksmedia.com and clearmetric.net respectively. The PCRE produces a few benign false positives; considering the cost/risk, the PCRE is worth it. Might be able to get away with some proxy blocks on this one. Popular hosts such as BBC are being used.

Global Hosts identified:
*.piksmedia.com
*.clearmetric.net
205.185.158.219
205.185.158.220

Global URLs identified:
*/app.jar
*/cm2.jar

RegEx:
regex((?-i)http:\/\/[^\x2f]+\/[a-z]{1,6}\d?\/[a-f0-9]{8,10}\.htm$)

Unknown EK initial landing and stage-1 Validation, as well as hits, after expansion and contraction of search criteria for this campaign:

select date_time, http_status, media_type, url_body_size, dest_ip, url, url_referrer, user_agent
from webwasher_full
where day>='2013-06-01' and http_status <> '407'
and (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$'
  or url like '%/app.jar' or url like '%/cm2.jar'
  or dest_ip like '205.185.158.219' or dest_ip like '205.185.158.220');

{See attached Unknown_EK.tsv please note HTTP Referers and UAs}

PCRE Validation:

select date_time, http_status, media_type, url_body_size, dest_ip, url, url_referrer, user_agent
from webwasher_full
where day>='2013-06-01' and http_status <> '407'
and (url rlike 'http:\\/\\/[^\\x2f]+\\/[a-z]{1,6}\\d?\\/[a-f0-9]{8}\\.htm$');

{See attached PCRE_Validation.tsv please note HTTP Referers and UAs}

Looking at the PCAP {see attached} this signature may be good to match the payload, but these signatures are untested and I am coming off a long day and my eyes are shot. They may need some TLC:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; depth:0; content:"|00|pipe.class"; fast_pattern; distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class"; distance:0; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY Unknown Malvertising Exploit Kit stage-1 redirect"; flow:established,from_server; content:"<html><body><script>|0a|var "; fast_pattern; content:"document.createElement("; within:80; content:".setAttribute(|22|archive|22|, "; within:65; content:".setAttribute(|22|codebase|22|, "; within:65; content:".setAttribute(|22|id|22|, "; within:65; content:".setAttribute(|22|code|22|, "; within:65; content:"|22|)|3b 0a|document.body.appendChild("; within:65; content:"</script>|0a|</body>|0a|</html>|0a 0a|"; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY Unknown Malvertising Exploit Kit Hostile Jar app.jar"; flow:established,to_server; content:"/app.jar"; http_uri; content:") Java/"; http_header; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:established,to_server; content:"/cm2.jar"; http_uri; content:") Java/"; http_header; classtype:trojan-activity; sid:x; rev:1;)

Cheers,
Nathan
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
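Nathan's hunt criteria (the landing-page PCRE, the two jar URIs and the two campaign IPs, with 407 proxy challenges excluded) applied to constructed proxy log lines, as an added Python example that is not code from the post or from Sourcefire. The tab-separated column layout, the function names and the sample lines are assumptions; the fourth sample line shows the kind of benign URL the PCRE also matches, which is the false-positive cost the post mentions.

```python
import re
from dataclasses import dataclass

# Landing-page pattern from the post's "RegEx:" line (case-sensitive, {8,10} hex chars).
LANDING_RE = re.compile(r"http://[^/]+/[a-z]{1,6}\d?/[a-f0-9]{8,10}\.htm$")
JAR_SUFFIXES = ("/app.jar", "/cm2.jar")                  # stage-2 jar names from the post
CAMPAIGN_IPS = {"205.185.158.219", "205.185.158.220"}    # campaign IPs from the post

# Constructed sample log lines, tab-separated: dest_ip, url, referrer, user_agent, http_status.
# This layout is an assumption for the example, not the poster's webwasher_full schema.
SAMPLE_LOG = [
    "205.185.158.219\thttp://ads.piksmedia.com/cm/3f9a0c7d1e.htm\thttp://www.bbc.co.uk/news\tMozilla/5.0\t200",
    "205.185.158.220\thttp://cdn.clearmetric.net/x1/cm2.jar\thttp://ads.piksmedia.com/cm/3f9a0c7d1e.htm\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_21\t200",
    "203.0.113.5\thttp://example.com/docs/guide.htm\t-\tMozilla/5.0\t200",
    "198.51.100.7\thttp://example.org/abc1/deadbeef.htm\t-\tMozilla/5.0\t200",   # benign, but matches the PCRE
    "205.185.158.219\thttp://ads.piksmedia.com/cm/3f9a0c7d1e.htm\t-\tMozilla/5.0\t407",  # proxy auth challenge
]


@dataclass
class ProxyRecord:
    dest_ip: str
    url: str
    referrer: str
    user_agent: str
    http_status: str


def parse_tsv_line(line: str) -> ProxyRecord:
    """Split one constructed TSV proxy line into a record (assumed column order)."""
    dest_ip, url, referrer, ua, status = line.rstrip("\n").split("\t")
    return ProxyRecord(dest_ip, url, referrer, ua, status)


def classify(rec: ProxyRecord) -> list:
    """Return the hunt criteria the record matches, mirroring the WHERE clause of the posted query."""
    hits = []
    if rec.http_status == "407":          # excluded, as in the query (http_status <> '407')
        return hits
    if LANDING_RE.search(rec.url):
        hits.append("landing_pcre")
    if rec.url.endswith(JAR_SUFFIXES):
        hits.append("hostile_jar_uri")
    if rec.dest_ip in CAMPAIGN_IPS:
        hits.append("campaign_ip")
    return hits


def hunt(lines) -> list:
    """Return (url, referrer, criteria) for every line that matches at least one criterion."""
    results = []
    for rec in map(parse_tsv_line, lines):
        hits = classify(rec)
        if hits:
            results.append((rec.url, rec.referrer, hits))
    return results
```

Reviewing the referrer and User-Agent of each hit, as the post asks, is what separates the campaign traffic (ad network referrer, Java UA on the jar fetch) from a benign page that merely matches the PCRE.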
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!