Monday, December 26, 2016

1:41035 1:41084 EXPLOIT-KIT Sundown Exploit Kit redirection attempt

I previously wrote about documentation-less Snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these exploit kit alerts didn't include documentation.

(1:41035) EXPLOIT-KIT Sundown Exploit Kit redirection attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sundown Exploit Kit redirection attempt"; flow:established,to_server; content:"/noone.php"; depth:10; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41035; rev:1; )

(1:41084) EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected"; flow:to_client,established; file_data; content:"|22|script|22|"; nocase; content:"|22|createE|22|"; within:50; nocase; content:"|22|lement|22|"; within:20; nocase; content:"|22|type|22|"; within:50; nocase; content:"|22|text/j|22|"; within:50; nocase; content:"|22|avascript|22|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:41084; rev:1; )


If I had to guess I think it's related to the Sundown Exploit Kit or something similar which stated.

Per the article, it is composed of a couple of parts: a landing page and an exploit page with a payload. This landing page then probes the user's system to determine if they are potentially vulnerable and then delivers an exploit page with a malicious payload.
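To make the two rules above easier to read, here is an added example (not part of the original post or of the Snort rule set) that approximates their content matching in Python. Function names and the sample bodies are constructed for illustration, and the caller is assumed to pass the normalized URI and the decoded response body.

```python
# Added example: approximates the content matching of sids 41035 and 41084.
# Function and sample names are hypothetical; samples are constructed.

URI_PATTERN = b"/noone.php"  # sid 41035: content; depth:10; http_uri

# sid 41084: (content, within). None = search anywhere in file_data.
CHAIN_41084 = [
    (b'"script"', None), (b'"createE"', 50), (b'"lement"', 20),
    (b'"type"', 50), (b'"text/j"', 50), (b'"avascript"', 50),
]

def match_41035(uri: bytes) -> bool:
    """Case-sensitive; the 10-byte pattern must sit in the first 10 URI bytes."""
    return URI_PATTERN in uri[:10]

def _chain(data: bytes, chain, cursor: int) -> bool:
    """Match contents in order, retrying later occurrences on failure."""
    if not chain:
        return True
    (pattern, within), rest = chain[0], chain[1:]
    pattern = pattern.lower()
    # within:N means the whole pattern must end within N bytes of the cursor.
    end = len(data) if within is None else min(len(data), cursor + within)
    pos = data.find(pattern, cursor, end)
    while pos != -1:
        if _chain(data, rest, pos + len(pattern)):
            return True
        pos = data.find(pattern, pos + 1, end)
    return False

def match_41084(body: bytes) -> bool:
    """nocase on every content, so compare lowercased bytes."""
    return _chain(body.lower(), CHAIN_41084, 0)

# Constructed samples
SPLIT = b'<script>var p=["SCRIPT","createE","lement","type","text/j","avascript"];</script>'
NORMAL = b'<script>var s=document.createElement("script");s.type="text/javascript";</script>'
FAR = b'["script",' + b" " * 60 + b'"createE","lement","type","text/j","avascript"]'

if __name__ == "__main__":
    for name, body in (("SPLIT", SPLIT), ("NORMAL", NORMAL), ("FAR", FAR)):
        print(name, match_41084(body))
    for uri in (b"/noone.php?id=1", b"/a/noone.php", b"/NoOne.php"):
        print(uri, match_41035(uri))
```

The NORMAL sample shows why 41084 keys on quoted fragments: an ordinary `createElement("script")` call never contains `"createE"` as its own string literal, so only pages that split the identifiers into pieces match.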

More about neonprimetime


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
