A typical "drive-by" download consists of a victim visiting, or being redirected to, an attacker-controlled web page that serves obfuscated or encrypted script for the browser to execute.
The following Snort IDS signature attempts to detect that obfuscated script in the server's response:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL Malicious script"; flow:established,from_server; content:"("; pcre:"/(\x27|\x22)[\w/@=+%!\\-]{500}/iR"; sid:1000;)
The rule only inspects established connections flowing from a web server ($HTTP_PORTS) back into the monitored network. The content option first requires a literal opening parenthesis; the pcre option, because of its R modifier, then continues from the end of that match and fires on a single quote (\x27) or double quote (\x22) followed by 500 consecutive characters from the class [\w/@=+%!\\-], i.e. letters, digits, underscore, slash, @, =, +, %, !, backslash and hyphen. That is the shape of a call such as eval(unescape("%75%6e...")) or document.write(atob("SGVs...")) whose argument is one long percent-encoded or base64 blob with no spaces, periods or semicolons in it. The 500 threshold is what keeps ordinary string literals from matching, but any long base64 or hex literal inside a legitimate script (an embedded image, a session token) will fire it too, so expect to tune that number for your environment. Two housekeeping notes: sid values below 1,000,000 are reserved for the rules shipped with Snort, so a local rule should use a sid of 1,000,000 or higher and carry a rev; and the rule only sees what the HTTP preprocessor hands it, so a gzip-compressed response will not match unless it is decompressed before inspection.
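To see what the PCRE actually matches, and where it misses or over-fires, here is an added Python harness (not part of the original post, and not Snort code) that emulates the rule's content-then-pcre logic with Python's re module on a handful of constructed HTTP response bodies. The sample payloads are made up for illustration, not captured toolkit output, and the function snort_rule_matches is a simplification: real Snort evaluates the rule against the reassembled, preprocessor-normalized stream rather than a raw byte string.

```python
import re

# Snort's pcre option (PCRE library) is emulated with Python's re module on
# bytes. For this pattern the semantics are the same: \w is ASCII-only on
# bytes, and \x27 / \x22 are the single and double quote. The trailing /iR
# flags map to re.IGNORECASE and to "search from the end of the previous
# content match".
PCRE = re.compile(rb"(\x27|\x22)[\w/@=+%!\\-]{500}", re.IGNORECASE)
CONTENT = b"("


def snort_rule_matches(payload: bytes) -> bool:
    """Approximate the rule's detection logic over one server->client payload.

    Snort first requires the literal "(" somewhere in the payload (content:"(")
    and then, because of the R modifier, evaluates the PCRE starting at the end
    of that match. Searching from the first "(" is sufficient here: any later
    "(" lies inside that same search window.
    """
    idx = payload.find(CONTENT)
    if idx == -1:
        return False
    return PCRE.search(payload, idx + len(CONTENT)) is not None


# Constructed sample payloads (not real toolkit output): each is the body of an
# HTTP response a browser would receive.
SAMPLES = {
    # Percent-encoded script handed to eval(unescape(...)): 200 * "%6A" = 600 chars.
    "unescape_blob": b'<script>eval(unescape("' + b"%6A" * 200 + b'"));</script>',
    # Base64 blob handed to atob(): 150 * "QUJD" = 600 chars.
    "atob_blob": b"<script>document.write(atob('" + b"QUJD" * 150 + b"'));</script>",
    # Exactly 499 in-class characters after the quote: just under the threshold.
    "just_under_threshold": b'<script>f("' + b"x" * 499 + b'");</script>',
    # Exactly 500: the minimum run that fires.
    "at_threshold": b'<script>f("' + b"x" * 500 + b'");</script>',
    # Long base64 in a data: URI. The ":" right after "data breaks the run, so
    # the rule stays quiet even though the blob itself is 600 class characters.
    "data_uri_image": b'<img onload="init()" src="data:image/png;base64,' + b"QUJD" * 150 + b'">',
    # Ordinary page with short literals: no match.
    "benign": b'<html><script>init("menu"); var s = "hello world";</script></html>',
    # Legitimate script carrying one long hex token: a false positive the rule
    # produces as written, which is why the 500 threshold needs tuning.
    "long_token_fp": b'<script>setToken("' + b"a1b2c3d4" * 70 + b'");</script>',
    # No "(" at all: the content match fails before the PCRE is even tried.
    "no_paren": b'<p>"' + b"x" * 600 + b'"</p>',
}


def run_samples() -> dict:
    """Return {sample name: rule fired?} for every constructed payload."""
    return {name: snort_rule_matches(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{'ALERT' if fired else '     '} {name}")
```

The two threshold samples show that the rule is a plain run-length test: 499 in-class bytes after the quote is silent, 500 fires. The data: URI sample shows why the class matters as much as the count: a single out-of-class byte immediately after the quote ends the run, which is also why a blob padded with spaces or periods would slip past this signature.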
This signature has been successfully tested against pages generated by the following exploit toolkits:
- Icepack
- Mpack (all variations: regular, obfuscated, and XOR encrypted)
- Firepack 0.18
- Neosploit (various builds of version 1 and 2)
Comments, suggestions, criticism, and optimizations regarding the signature are welcomed.
2 comments:
What does [\w/@=+%!\\-]{ do here?
Read the source Luke: PCRE.org