TippingPoint DVLabs recently posted a good analysis of the Blackhole exploit kit and its success rates. Get any group of people together and ask "how many of you have helped someone who had a Fake Antivirus program installed" and you'll get a quick sense of how big the problem is.
The DVLabs post says people using TippingPoint IPS should be well protected against this exploit kit. However, many of the filters that provide that protection are not enabled by default and/or are not 100% effective against the kit:
- CVE-2010-1885: filter 9899 (B/N). The DVLabs post has a typo and lists it as 9989.
- CVE-2010-1423: filters 9697 (see below) and 9698 (B/N)
- CVE-2010-0886: filter 9697, Web Launch Command Injection (B/N)
- CVE-2010-0842: filter 9651, MixerSequencer (Disabled)
- CVE-2010-0840: filter 10985 (Block/Notify)
- CVE-2009-1671: filter 10919, Java Deployment Toolkit ActiveX (Disabled)
- CVE-2009-0927: filter 6255, Suspicious Javascript (Disabled)
- CVE-2008-2992: filter 6833, util.printf call (Disabled)
- CVE-2007-5659: filter 6435, Compressed Javascript (Disabled); filter 6436 (Block/Notify)
- CVE-2006-0003: filter 4244 (Recommended: Disabled)
TippingPoint seems to write filters targeting the vulnerability rather than the specific instance of the exploit. Even with all of the Java filters turned on, vulnerable JRE versions will still be exploited in the recommended configuration. It's very difficult to write an IDS rule that detects a malicious .jar or .class file while still letting legitimate applications work.
Currently, I use the following two Snort rules to detect Blackhole sites and then use TippingPoint RepDV to block the site. The actual exploit sites move IP addresses fairly quickly, and I don't believe they show up in the RepDV feeds quickly enough.
```
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Blackhole Exploit Pack landing"; flow:established,to_server; content:".php?f="; http_uri; fast_pattern; content:".php?tp="; http_header; pcre:"/\.php\?f=\d+$/U"; classtype:bad-unknown; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; sid:2012688; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Blackhole Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?f="; nocase; http_uri; content:"&e="; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; nocase; http_header; content:"Host|3a|"; nocase; http_header; distance:0; pcre:"/\.php\?f=\d+&e=\d+$/U"; classtype:bad-unknown; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; sid:2012169; rev:6;)
```
In the traffic matched by rule 2012169, you'll see the JRE version used to download the exploit. If that version is less than 1.6.0.24, you can assume the exploit was successful and start investigating. Converting these rules into a CSW (Custom Shield Writer filter) would be useful, or DVLabs could implement something similar. I'd love to see TippingPoint provide timely coverage for exploit kits as well as post-infection indicators for the popular malware.
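As an added example that is not part of the original post, the triage described above in Python: it applies the URI test from rule 2012169 (plus the header checks) to a few constructed request records, reads the JRE version out of a Java User-Agent, and flags clients below the 1.6.0.24 cutoff. The sample requests, the host example.invalid, and the verdict labels are assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample request records (not captured traffic): URI plus headers.
SAMPLE_REQUESTS = [
    {"uri": "/index.php?f=17&e=2",
     "headers": {"User-Agent": "Java/1.6.0_20", "Host": "example.invalid"}},
    {"uri": "/index.php?f=17&e=2",
     "headers": {"User-Agent": "Java/1.6.0_26", "Host": "example.invalid"}},
    {"uri": "/index.php?f=17&e=2",
     "headers": {"User-Agent": "Java/1.6.0_20", "Host": "example.invalid",
                 "Referer": "http://example.invalid/"}},
    # Landing-page shape only (no &e=), so the binary-load rule does not fire.
    {"uri": "/index.php?f=9",
     "headers": {"User-Agent": "Java/1.6.0_20", "Host": "example.invalid"}},
]

# URI pattern from the pcre of ET rule 2012169: ".php?f=<n>&e=<n>" at end of URI.
BINARY_LOAD_RE = re.compile(r"\.php\?f=\d+&e=\d+$")
# Java's HTTP client sends a User-Agent such as "Java/1.6.0_24"; capture the numbers.
JAVA_UA_RE = re.compile(r"^Java/(\d+)\.(\d+)\.(\d+)_(\d+)")
# Cutoff from the post: JRE versions below 1.6.0.24 are assumed to have been exploited.
PATCHED_JRE = (1, 6, 0, 24)


def parse_jre_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, micro, update) for a Java User-Agent, else None."""
    m = JAVA_UA_RE.match(user_agent)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(request: dict) -> str:
    """Verdict for one request: 'ignore', 'review' or 'likely-infected'."""
    headers = request["headers"]
    # Mirror rule 2012169: URI shape, no Referer, User-Agent and Host present.
    if not BINARY_LOAD_RE.search(request["uri"]):
        return "ignore"
    if "Referer" in headers or "User-Agent" not in headers or "Host" not in headers:
        return "ignore"
    version = parse_jre_version(headers["User-Agent"])
    if version is None:
        return "review"  # non-Java client fetched the binary; still worth a look
    # Tuple comparison handles update numbers correctly (1.6.0_20 < 1.6.0_24).
    return "likely-infected" if version < PATCHED_JRE else "review"


def triage(requests: list) -> list:
    """Return the verdict for every request, in input order."""
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(f"{verdict:16} {req['uri']}  UA={req['headers'].get('User-Agent')}")
```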