[Dshield] Mpack Snort Sigs?

Paul Melson pmelson at gmail.com
Wed Jun 20 15:05:40 GMT 2007


After reading Vicente's paper on MPack, I realized that we have seen some
exploits that have been obfuscated in the same manner as MPack uses.  It led
me to write this signature last night.  I don't like it since it would be
trivial to rename the JavaScript function name to anything that's not a reserved
word, but since it's out there now, it doesn't hurt to use it.

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL Possible obfuscated JavaScript dropper MPack"; content:"<script>"; nocase; content:"unescape"; nocase; content:"|64462827|"; classtype:trojan-activity; sid:9000130; rev:1;)

The content:"|64462827|" directive is looking for the string "dF('" which
indicates the beginning of the function where the obfuscated exploit/dropper
lives.  Feel free to use it if you like.

PaulM
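To make the rule's three content matches concrete, here is an added Python mock of Snort's content/nocase evaluation run over the rule above and over constructed sample page bodies. It is not Snort and not Paul's code; it ignores fast-pattern selection, stream reassembly and HTTP decoding, and only shows which payloads the three contents would and would not match, including the trivial function rename Paul points out.

```python
import re

# Paul's rule, joined onto one line so its content options can be parsed here.
MPACK_RULE = (
    'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL Possible obfuscated '
    'JavaScript dropper MPack"; content:"<script>"; nocase; content:"unescape"; '
    'nocase; content:"|64462827|"; classtype:trojan-activity; sid:9000130; rev:1;)'
)

def decode_content(pattern):
    """Snort content string -> raw bytes: |..| runs are hex, the rest is literal."""
    out = bytearray()
    for piece in re.split(r"(\|[0-9A-Fa-f ]+\|)", pattern):
        if piece.startswith("|") and piece.endswith("|"):
            out += bytes.fromhex(piece[1:-1])
        else:
            out += piece.encode("latin-1")
    return bytes(out)

def parse_contents(rule):
    """[(bytes, nocase)] per content: option; a nocase modifier binds to the
    content option immediately before it (so |64462827| stays case-sensitive)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for opt in (o.strip() for o in body.split(";")):
        if opt.startswith("content:"):
            contents.append([decode_content(opt[len("content:"):].strip('"')), False])
        elif opt == "nocase" and contents:
            contents[-1][1] = True
    return [tuple(c) for c in contents]

def rule_matches(rule, payload):
    """True when every content is present; this rule has no distance/within
    constraints, so the order of the matches in the payload does not matter."""
    for pat, nocase in parse_contents(rule):
        hay, needle = (payload.lower(), pat.lower()) if nocase else (payload, pat)
        if needle not in hay:
            return False
    return True

# Constructed sample response bodies for this example, not real MPack output.
OBFUSCATED = (b"<SCRIPT>function dF(s){document.write(unescape(s));}"
              b"dF('%3Cscript%3E')</SCRIPT>")
RENAMED = OBFUSCATED.replace(b"dF(", b"qZ(")   # the trivial rename Paul warns about
BENIGN = b"<script>var q = unescape('%41%42');</script>"

if __name__ == "__main__":
    for name, body in [("obfuscated", OBFUSCATED), ("renamed", RENAMED), ("benign", BENIGN)]:
        print(name, rule_matches(MPACK_RULE, body))
```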


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of brian.varine at us.army.mil
Sent: Tuesday, June 19, 2007 2:26 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Mpack Snort Sigs?


Thanks. We've seen what appears to be Mpack type traffic but wanted to cover
all the bases. The stuff we've seen is pretty noisy and even lists the
exploit it's downloading.

Brian
----- Original Message -----
From: Paul Melson <pmelson at gmail.com>
Date: Tuesday, June 19, 2007 14:03
Subject: Re: [Dshield] Mpack Snort Sigs?
To: 'General DShield Discussion List' <list at lists.dshield.org>

> > There was a pretty good write up in today's handlers diary about Mpack. Has
> > anyone written good Snort sigs for this exploit? So far we've put one in to
> > flag any downloads of o7.php, any other successful sigs?
> 
> If I understand correctly, Mpack uses multiple existing exploits.  I did a
> brief check against the Panda blog entry on Mpack, and all of the exploits
> listed (QuickTime, Firefox, IE, etc.) were accounted for in the current VRT
> subscription rules or Bleeding Snort rules.
> 
> PaulM
> 
> 
> _________________________________________
> SANSFIRE 2007 July 25-August 2 in Washington, DC.  56 courses, SANS 
> top instructors, and a great tools and solutions expo. Register today!
> http://www.sans.org/info/4651 (brochure code ISC)
> 