alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Best Pack Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?e="; http_uri; content:"&o="; http_uri; content:"&b="; http_uri; content:"&id="; http_uri; pcre:"/\.php\?e=\d+&o=\w+&b=\w+&id=[0-9a-f]{32}$/U"; reference:url,www.kahusecurity.com/2011/best-pack/; classtype:bad-unknown; sid:2013489; rev:3; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

Added 2017-08-07 21:06:48 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Best Pack Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?e="; http_uri; content:"&o="; http_uri; content:"&b="; http_uri; content:"&id="; http_uri; pcre:"/\.php\?e=\d+&o=\w+&b=\w+&id=[0-9a-f]{32}$/U"; reference:url,www.kahusecurity.com/2011/best-pack/; classtype:bad-unknown; sid:2013489; rev:1;)

Added 2011-10-12 19:36:58 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Best Pack Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?e="; http_uri; content:"&o="; http_uri; content:"&b="; http_uri; content:"&id="; http_uri; pcre:"/\.php\?e=\d+&o=\w+&b=\w+&id=[0-9a-f]{32}$/U"; classtype:bad-unknown; reference:url,www.kahusecurity.com/2011/best-pack/; sid:2013489; rev:1;)

Added 2011-08-31 10:23:42 UTC

Sample request URI from public threat data:

/kntrn334e/load.php?e=6&o=3&b=4&id=a2a31c494b7562f436bde17eb7e23522

This rule is intended to capture the point that an exploited host has issued a request for the binary load from the kit, although the request URI format is actually duplicated by at least one other script in the kit to serve the PDF payload during the exploit run:

/lpdf.php?e=5&o=3&b=3&id=583a0ea533dfce29c138f5d0a461f764

The rule could be modified to match /load.php explicitly, but it's been reported that over time the script names have been variable among versions of the kit.

-- DarrenSpruell - 02 Sep 2011
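To make the overlap concrete, the following is an added example (not part of the original note or of the ET ruleset) that emulates the rule's matching logic in plain Python: every `content` keyword must be present in the request URI, and the `pcre` must then match. It does not reproduce Suricata/Snort URI normalization, and the `/load.php`-anchored variant is a hypothetical tightening of the pcre, written here only to show what the note says it would do. The sample URIs are constructed: the two quoted above plus three negatives.

```python
import re

# Keywords from sid:2013489: four http_uri content matches and the pcre (the /U
# modifier means "match on the normalized URI", which is simply the string here).
CONTENT_MATCHES = (".php?e=", "&o=", "&b=", "&id=")
PCRE = re.compile(r"\.php\?e=\d+&o=\w+&b=\w+&id=[0-9a-f]{32}$")

# Hypothetical tightened variant (not an ET rule): anchor on the load.php script name.
PCRE_LOAD_ONLY = re.compile(r"/load\.php\?e=\d+&o=\w+&b=\w+&id=[0-9a-f]{32}$")

# Constructed sample request URIs.
SAMPLE_URIS = [
    # binary load request from the note: should fire
    "/kntrn334e/load.php?e=6&o=3&b=4&id=a2a31c494b7562f436bde17eb7e23522",
    # PDF payload request from the note: same URI shape, also fires
    "/lpdf.php?e=5&o=3&b=3&id=583a0ea533dfce29c138f5d0a461f764",
    # only 31 hex digits in id: pcre requires exactly 32 at end of URI
    "/load.php?e=6&o=3&b=4&id=a2a31c494b7562f436bde17eb7e2352",
    # uppercase hex: neither the content matches nor the pcre use nocase/i
    "/load.php?e=6&o=3&b=4&id=A2A31C494B7562F436BDE17EB7E23522",
    # missing &id= content keyword entirely
    "/index.php?e=1&o=2&b=3",
]


def rule_matches(uri, pcre=PCRE):
    """Emulate the rule: all content keywords present (case-sensitive, any
    order) and the pcre matching against the URI."""
    if not all(keyword in uri for keyword in CONTENT_MATCHES):
        return False
    return pcre.search(uri) is not None


def evaluate(uris=SAMPLE_URIS):
    """Return {uri: (matches_original_rule, matches_load_only_variant)}."""
    return {uri: (rule_matches(uri), rule_matches(uri, PCRE_LOAD_ONLY)) for uri in uris}


if __name__ == "__main__":
    for uri, (orig, tightened) in evaluate().items():
        print(f"{uri}\n  sid:2013489 -> {orig}   /load.php-only variant -> {tightened}")
```

Running it shows both the `load.php` and the `lpdf.php` URIs firing the original rule, while the `/load.php`-anchored variant fires only on the first; the negatives illustrate that the fixed-length lowercase `[0-9a-f]{32}$` tail and the case-sensitive keywords are what keep the rule narrow.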


Topic revision: r2 - 2011-09-02 - DarrenSpruell