Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"

[Community Proposed <lists () packetmail net>]

Below is a proposed signature to detect the try{ catch()} approaches used by
the Blackhole exploit kits which to date share a commonality with the
attachment to "catch(qq".  Looking at all of my PCAP samples these match
nicely, perform well, and have not been prone to false positives.

This is also doing very well in detecting new Blackhole initial landings and
the various, near daily, changing permutations of the string
splitting/building methods.  I am seeing a large presence of legitimate sites
which have been compromised now delivering Blackhole.  Some of these are k12
US education/school sites.

21438 can be retired in place of the proposed above.  Joel, existing PCAPs for
Blackhole landings should suffice for validation of the above, if more are
needed, please let me know.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY
SPECIFIC-THREATS High Probability Blackhole Landing with specific catch qq
structure"; flow:established,from_server; content:")|3b|}catch(qq";
fast_pattern:only; classtype:trojan-activity; sid:x; rev:1;)

I know there is a VRT standard for writing these, please respond to me after
transforming the rule for compliance so that future submissions can adhere to
this standard.  The reference from 21438 can be used here.

Thanks,
Nathan


------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!