EXPLOIT-KIT Angler exploit kit outbound URL structure (1:31046)
Which triggered by this snort rule
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:>70; content:"= HTTP/"; fast_pattern:only; content:"User-Agent"; http_header; content:"="; http_uri; pcre:"/^\/[-\w]{70,78}==?$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar; metadata:service http; classtype:trojan-activity; sid:31046; rev:3; )
Which was caused by this request
GET /aHR0cDovL2Nkbi5pbmNsaW1nLmNvbS9hZmZpbGlhdGUvZ2V0LW15LXF1b3Rlcy1iYWRnZS5wbmc= HTTP/1.1
Host: mail03.perfectmatchjobs.com
So I plugged this url into virustotal, web of trust, urlquery, urlvoid, etc. and found no findings
(162.222.37.38) hxxp://mail03.perfectmatchjobs.com/aHR0cDovL2Nkbi5pbmNsaW1nLmNvbS9hZmZpbGlhdGUvZ2V0LW15LXF1b3Rlcy1iYWRnZS5wbmc=
But everytime I see random text with an '=' sign at the end I think of Base64 encoding, so I run that through notepad++ Base64 decoding
And I end up with this url
(54.230.99.38) hxxp://cdn.inclimg.com/affiliate/get-my-quotes-badge.png
Which is exactly what shows up when I view it in url query
Which happens to just be an image or advertisement.
So I think this snort alert was a false positive. This is some kind of paid advertising or something and the developers are just encoding or hiding the url to prevent monitoring tools from seeing or detecting the hidden redirect that is occurring.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
No comments:
Post a Comment