#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Received - catch and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_27, malware_family Blackhole, updated_at 2016_07_01;)

Added 2017-08-07 21:08:27 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Landing Page Received - catch and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:2;)

Added 2012-06-28 23:30:32 UTC

Many false positives on things like GET http://www.npr.org/templates/reg/newsletter-bucket.php?slice=Sell&guid=500981bff1c42 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20100101 Firefox/14.0.1

Context for the string "}catch(" is:

0x02E0: 2F 78 2D 6D 34 61 3B 22 29 7C 7C 61 2E 63 61 6E  /x-m4a;")||a.can
0x02F0: 50 6C 61 79 54 79 70 65 28 22 61 75 64 69 6F 2F  PlayType("audio/
0x0300: 61 61 63 3B 22 29 29 2E 72 65 70 6C 61 63 65 28  aac;")).replace(
0x0310: 2F 5E 6E 6F 24 2F 2C 22 22 29 7D 63 61 74 63 68  /^no$/,"")}catch
0x0320: 28 64 29 7B 7D 72 65 74 75 72 6E 20 63 7D 2C 73  (d){}return c},s
0x0330: 2E 6C 6F 63 61 6C 73 74 6F 72 61 67 65 3D 66 75  .localstorage=fu
0x0340: 6E 63 74 69 6F 6E 28 29 7B 74 72 79 7B 72 65 74  nction(){try{ret

-- RichGraves - 20 Aug 2012
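The false positive reported above follows directly from how the rev:2 rule is built: `flowbits:isset` only requires that the `ET.http.driveby.blackhole.uri` bit was set earlier on the same TCP flow, and `content:"}catch("` is a plain substring match with no offset, depth or distance. Flowbits persist for the life of the flow and nothing on this page unsets the bit, so on a keep-alive HTTP/1.1 connection every later response on that connection is inspected with the bit already set, and `}catch(` appears in almost any minified JavaScript with try/catch feature detection (the hex dump above is a typical example). The following simulation is an added example, not Emerging Threats code and not a Suricata/Snort implementation; the setter rule for the flowbit is not on this page, so the caller simply declares when it matched, and the HTTP bodies are constructed (the script text is modelled on the hex dump, not captured traffic).

```python
"""Simulate the flowbit-gated content match of ET sid:2014976 rev:2.

Added example, not code from Emerging Threats. Models only the two
conditions the rule text shows: flowbits:isset and content:"}catch(".
"""
from dataclasses import dataclass, field

FLOWBIT = "ET.http.driveby.blackhole.uri"
CONTENT = b"}catch("


@dataclass
class Flow:
    """One TCP flow as the IDS tracks it; flowbits live for the flow's lifetime."""
    bits: set = field(default_factory=set)


def uri_rule_matched(flow: Flow) -> None:
    """Models the setter rule for the flowbit firing on a client request.

    Its URI pattern is not on this page, so the caller decides when it matched
    (assumption made for the simulation).
    """
    flow.bits.add(FLOWBIT)


def sid_2014976(flow: Flow, response_body: bytes) -> bool:
    """Detection of sid:2014976 rev:2 on a to_client payload:
    the flowbit must be set and the literal bytes }catch( must occur anywhere."""
    return FLOWBIT in flow.bits and CONTENT in response_body


def count_catch(body: bytes) -> int:
    """How many times the rule's content string occurs in a body."""
    return body.count(CONTENT)


# Constructed sample: an ordinary minified feature-detection script of the kind
# the 2012-08-20 comment quotes. Not captured traffic.
LEGIT_MINIFIED_JS = (
    b'(function(){var s={};s.audio=function(){var c=!1;try{'
    b'var a=document.createElement("audio");c=!!a.canPlayType;'
    b'c&&(c=new Boolean(c),c.ogg=a.canPlayType(\'audio/ogg; codecs="vorbis"\')'
    b'.replace(/^no$/,""),c.m4a=(a.canPlayType("audio/x-m4a;")||'
    b'a.canPlayType("audio/aac;")).replace(/^no$/,""))}catch(d){}return c},'
    b's.localstorage=function(){try{return!!localStorage.getItem}catch(e){return!1}};'
    b'window.s=s})();'
)


def simulate_keepalive_connection() -> list:
    """Two HTTP exchanges on ONE persistent connection; returns the alert
    decision for each response in order."""
    flow = Flow()
    results = []
    # Exchange 1: the request trips the URI rule; the response body is plain HTML
    # with no }catch( in it, so rev:2 does not fire yet.
    uri_rule_matched(flow)
    results.append(sid_2014976(flow, b"<html><body>nothing to see</body></html>"))
    # Exchange 2: same flow, a legitimate script. The flowbit is still set
    # (no rule unsets it), so the first }catch( in this body raises the alert.
    results.append(sid_2014976(flow, LEGIT_MINIFIED_JS))
    return results


def simulate_separate_connection() -> bool:
    """The same legitimate script fetched on a fresh flow where the URI rule
    never matched: the isset check fails and nothing fires."""
    return sid_2014976(Flow(), LEGIT_MINIFIED_JS)


if __name__ == "__main__":
    print("keep-alive connection, per response:", simulate_keepalive_connection())
    print("separate connection:", simulate_separate_connection())
    print("occurrences of }catch( in the legit script:", count_catch(LEGIT_MINIFIED_JS))
```

The two simulations isolate the cause of the noise: the content check is sound as a gate only if the flowbit is tightly scoped, and in the keep-alive case it is not. Practitioners tuning a rule of this shape usually look at the setter rule first (how specific its URI pattern is, whether it should be unset once the landing page has been seen) rather than at the `}catch(` string, since that string cannot be made selective on its own.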


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Landing Page Received - }catch( and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:1;)

Added 2012-06-26 21:37:35 UTC


Topic revision: r2 - 2012-08-20 - RichGraves
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats