Snort mailing list archives
Re: Rawin EK
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 20 Jun 2013 19:02:33 -0400
Nathan,

Thanks, this is how I added it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:".php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:1;)

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jun 20, 2013, at 4:55 PM, Community Proposed <lists () packetmail net> wrote:
New EK, not sure what to call it. I didn't get jars with proliferateheritage.biz, PCAP attached.

templatedrivenswift.info was on 217.23.8.15, now it's moved to 8.8.4.4

hxxp://templatedrivenswift.info/rawin.php?b=0F0598&v=1.6.0.41
hxxp://templatedrivenswift.info/sigwer.jar
hxxp://templatedrivenswift.info/dubspace.jar

Clearly leaking Java version and not sure about the 0F0598 stuff.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY Unknown Version-targeted Java Rawin Exploit Kit"; flow:established,to_server; content:".php?b="; http_uri; fast_pattern; content:"&v="; http_uri; distance:0; pcre:"/\.php\?b=[A-F0-9]+&v=[0-9]\.[0-9]\.[0-9]\.[0-9]+$/U"; classtype:trojan-activity; sid:x; rev:1;)

Hive Validation:

select date_time, url, dest_ip from webwasher_full where day>='2013-06-01' and url rlike '\\.php\\?b=[A-F0-9]+&v=[0-9]\\.[0-9]\\.[0-9]\\.[0-9]+$'

[20/Jun/2013:11:21:22 -0600] hxxp://templatedrivenswift.info/rawin.php?b=0F0598&v=1.6.0.41 217.23.8.15
[06/Jun/2013:11:08:22 -0600] hxxp://proliferateheritage.biz/rawin.php?b=0F0598&v=1.7.0.7

<rawinfixed.pcap>
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
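The two PCREs in this thread accept different things: the rule as added (sid 26985) pins the version to "1." and leaves the end of the URI open, while the community proposal accepts any single-digit major version but anchors the version at the end of the URI with "$". As an added example, not code from either poster or from Snort, the following Python runs both patterns over proxy-log lines in the same "[timestamp] url dest_ip" shape as the Hive output above. The first two URIs are the ones reported in the thread; the dest IP on the second line, the sigwer.jar fetch, the example.test lines, and the variants with an extra query parameter, a lowercase b= token and a non-1.x version are constructed to probe the regexes and are not observed traffic.

```python
import re

# PCRE from the rule as added (sid 26985): uppercase-hex b= token and a Java 1.x version.
VRT_RULE_RE = re.compile(r"\.php\?b=[A-F0-9]+&v=1\.")

# PCRE from the community proposal: four-part numeric version, anchored at the end of the URI.
COMMUNITY_RULE_RE = re.compile(r"\.php\?b=[A-F0-9]+&v=[0-9]\.[0-9]\.[0-9]\.[0-9]+$")

# Pulls the version string out of the v= parameter regardless of which pattern fired.
VERSION_RE = re.compile(r"[?&]v=([0-9]+(?:\.[0-9]+)*)")

# Log line shape modelled on the Hive output in the thread: [timestamp] url [dest_ip]
LOG_LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<url>\S+)(?:\s+(?P<dest_ip>\S+))?$")

# Constructed sample log. The first two URIs are the ones reported in the thread; the
# dest_ip on the second line and every other line are made up to exercise the regexes.
SAMPLE_LOG = """\
[20/Jun/2013:11:21:22 -0600] hxxp://templatedrivenswift.info/rawin.php?b=0F0598&v=1.6.0.41 217.23.8.15
[06/Jun/2013:11:08:22 -0600] hxxp://proliferateheritage.biz/rawin.php?b=0F0598&v=1.7.0.7 217.23.8.15
[20/Jun/2013:11:21:23 -0600] hxxp://templatedrivenswift.info/sigwer.jar 217.23.8.15
[20/Jun/2013:12:00:00 -0600] hxxp://example.test/rawin.php?b=0F0598&v=1.7.0.7&x=1 192.0.2.10
[20/Jun/2013:12:05:00 -0600] hxxp://example.test/index.php?b=abc&v=1.7.0.7 192.0.2.11
[20/Jun/2013:12:10:00 -0600] hxxp://example.test/rawin.php?b=0F0598&v=2.0.0.1 192.0.2.12
"""


def request_uri(url):
    """Return the path-plus-query part of a URL (defanged hxxp:// included).

    Snort's /U pcre modifier matches the normalized URI buffer, i.e. what follows
    the host, so the patterns are applied to that part rather than the full URL.
    """
    rest = url.split("://", 1)[-1]
    slash = rest.find("/")
    return rest[slash:] if slash >= 0 else "/"


def classify(uri):
    """Evaluate both thread PCREs against one request URI and extract the Java version."""
    m = VERSION_RE.search(uri)
    return {
        "vrt": VRT_RULE_RE.search(uri) is not None,
        "community": COMMUNITY_RULE_RE.search(uri) is not None,
        "java_version": m.group(1) if m else None,
    }


def scan_log(text):
    """Run both patterns over every parseable log line; return the lines either one matched."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        verdict = classify(request_uri(m["url"]))
        if verdict["vrt"] or verdict["community"]:
            hits.append({"ts": m["ts"], "url": m["url"], "dest_ip": m["dest_ip"], **verdict})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["url"]} vrt={h["vrt"]} community={h["community"]} java={h["java_version"]}')
```

On the constructed lines, the two observed URIs fire both patterns. The "&x=1" variant fires only the sid 26985 pattern, because the community PCRE's "$" requires the version to end the URI; the "v=2.0.0.1" variant fires only the community pattern, because "&v=1\." hard-codes Java 1.x. Neither PCRE carries the "i" flag, so the lowercase "b=abc" line matches nothing; whether the kit ever varies that token is not something the thread establishes, so treat those variants as regex coverage checks, not as observed kit behaviour.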
Current thread:
- Rawin EK Community Proposed (Jun 20)
- Re: Rawin EK Joel Esler (Jun 20)
- Re: Rawin EK lists () packetmail net (Jun 21)
- Re: Rawin EK Joel Esler (Jun 21)
- Re: Rawin EK lists () packetmail net (Jun 21)
- Re: Rawin EK Joel Esler (Jun 20)