Tuesday, March 24, 2015

Angler exploit kit False Positive

So I saw this alert
EXPLOIT-KIT Angler exploit kit outbound URL structure (1:31046)

Which was triggered by this Snort rule
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:>70; content:"= HTTP/"; fast_pattern:only; content:"User-Agent"; http_header; content:"="; http_uri; pcre:"/^\/[-\w]{70,78}==?$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar; metadata:service http; classtype:trojan-activity; sid:31046; rev:3; )

Which was caused by this request
GET /aHR0cDovL2Nkbi5pbmNsaW1nLmNvbS9hZmZpbGlhdGUvZ2V0LW15LXF1b3Rlcy1iYWRnZS5wbmc= HTTP/1.1
Host: mail03.perfectmatchjobs.com

So I plugged this URL into VirusTotal, Web of Trust, urlQuery, URLVoid, etc. and found no findings
(162.222.37.38) hxxp://mail03.perfectmatchjobs.com/aHR0cDovL2Nkbi5pbmNsaW1nLmNvbS9hZmZpbGlhdGUvZ2V0LW15LXF1b3Rlcy1iYWRnZS5wbmc=

But every time I see random text with an '=' sign at the end I think of Base64 encoding, so I run that through Notepad++ Base64 decoding

And I end up with this URL
(54.230.99.38) hxxp://cdn.inclimg.com/affiliate/get-my-quotes-badge.png

Which is exactly what shows up when I view it in urlQuery

Which happens to just be an image or advertisement.

So I think this Snort alert was a false positive. This is some kind of paid advertising or something and the developers are just encoding or hiding the URL to prevent monitoring tools from seeing or detecting the hidden redirect that is occurring.
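
The triage steps above as a script (an added example, not part of the original post): it applies the URI conditions of sid 31046 to a request path and, on a match, tries to Base64-decode the path and report the embedded URL. The names triage_uri, defang, PAGE_PATH and OPAQUE_PATH are assumptions of this example, and OPAQUE_PATH is a constructed sample.

```python
import base64
import re
from urllib.parse import urlsplit

# Same expression as the pcre option of sid 31046, applied to the URI path.
RULE_PCRE = re.compile(r"^/[-\w]{70,78}==?$", re.ASCII)

# Request path from the alert discussed in the post.
PAGE_PATH = "/aHR0cDovL2Nkbi5pbmNsaW1nLmNvbS9hZmZpbGlhdGUvZ2V0LW15LXF1b3Rlcy1iYWRnZS5wbmc="
# Constructed sample: has the rule's shape but does not decode to text.
OPAQUE_PATH = "/" + "_" * 71 + "="


def defang(url):
    """Rewrite the scheme so the URL is not clickable in a ticket."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def triage_uri(path):
    """Check a path against the rule shape, then try to read it as Base64."""
    result = {"matches_rule": False, "decoded": None, "decoded_host": None}
    # urilen:>70 plus the pcre are the URI conditions of the rule.
    if len(path) <= 70 or not RULE_PCRE.match(path):
        return result
    result["matches_rule"] = True
    try:
        # [-\w] also admits the URL-safe alphabet, so decode with that variant.
        text = base64.urlsafe_b64decode(path[1:]).decode("ascii")
        parts = urlsplit(text)
    except ValueError:  # bad padding, non-ASCII bytes, or malformed URL
        return result
    if not text.isprintable():
        return result
    result["decoded"] = text
    if parts.scheme in ("http", "https") and parts.hostname:
        result["decoded_host"] = parts.hostname
    return result


if __name__ == "__main__":
    for sample in (PAGE_PATH, OPAQUE_PATH, "/index.html"):
        r = triage_uri(sample)
        shown = defang(r["decoded"]) if r["decoded"] else None
        print(r["matches_rule"], r["decoded_host"], shown)
```

A path that matches the rule but leaves decoded empty did not yield a readable URL, so it still needs the usual reputation and pcap review.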

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
