
List:       emerging-sigs
Subject:    [Emerging-Sigs] signature for phoenix exploit kit - administrative page being accessed
From:       eoin.miller () trojanedbinaries ! com (Eoin Miller)
Date:       2010-07-29 22:30:16
Message-ID: 4C5200F8.70306 () trojanedbinaries ! com

  This would probably help out some managed hosting providers detect and 
remove phoenix exploit kits from their nets if they are so inclined:

alert tcp any $HTTP_PORTS -> any any (msg:"EID DRIVEBY phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:bad-unknown; sid:99999999; rev:1;)

I know I used any for the source/destination addresses, but if you limit 
to $HOME_NET or $EXTERNAL_NET here, then you can only fire if you are 
hosting or if a client is accessing it on an external network. You may 
want to know if either happens, or maybe create two signatures? One 
for if you are hosting it and another for if your clients are accessing it.


Based on:
==========================================================================
0000  3c 68 74 6d 6c 3e 3c 68  65 61 64 3e 3c 73 74 79 <html><h ead><sty
0010  6c 65 20 74 79 70 65 3d  27 74 65 78 74 2f 63 73   le type= 'text/cs
0020  73 27 3e 62 6f 64 79 2c  20 74 64 20 7b 66 6f 6e   s'>body,  td {fon
****  ***************************** SNIP *********************************
0250  30 30 30 7d 3c 2f 73 74  79 6c 65 3e 3c 74 69 74   000}</st yle><tit
0260  6c 65 3e 50 68 6f 65 6e  69 78 20 45 78 70 6c 6f   le>Phoen ix Explo
0270  69 74 27 73 20 4b 69 74  20 2d 20 4c 6f 67 20 49   it's Kit  - Log I
0280  6e 3c 2f 74 69 74 6c 65  3e 3c 2f 68 65 61 64 3e   n</title ></head>
==========================================================================


Bunch of examples here if anyone else is interested in doing a bit of 
research:
http://www.malwaredomainlist.com/mdl.php?search=control+panel+of+Phoenix+exploit+kit&colsearch=All&quantity=50



-- Eoin
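As an added illustration (not part of Eoin's post), a Python check that mirrors the rule's logic: it decodes the tail of the hex dump above back into bytes to confirm the content string is byte-exact, then applies the to_client direction and raw content match and labels a hit as the "hosting" or "client-access" case the post suggests splitting into two signatures. HOME_NET, HTTP_PORTS and the sample addresses are assumptions.

```python
import ipaddress
import re

# Exact bytes the posted Snort rule matches; a content match without
# nocase is case-sensitive and applied to the raw server response.
PHOENIX_TITLE = b"<title>Phoenix Exploit's Kit - Log In</title>"

# Assumed stand-ins for Snort's $HOME_NET and $HTTP_PORTS variables.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
HTTP_PORTS = {80, 8080}

# Tail of the hex dump from the post (offset 0x250 onward, after the snip).
DUMP_TAIL = """\
0250  30 30 30 7d 3c 2f 73 74  79 6c 65 3e 3c 74 69 74   000}</st yle><tit
0260  6c 65 3e 50 68 6f 65 6e  69 78 20 45 78 70 6c 6f   le>Phoen ix Explo
0270  69 74 27 73 20 4b 69 74  20 2d 20 4c 6f 67 20 49   it's Kit  - Log I
0280  6e 3c 2f 74 69 74 6c 65  3e 3c 2f 68 65 61 64 3e   n</title ></head>
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from offset/hex/ascii dump lines (ascii column ignored)."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2}\s+){1,16})", line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def classify(src_ip, src_port, dst_ip, dst_port, payload: bytes):
    """Return None if the rule would not fire, else which case the hit is:
    'hosting' (server in $HOME_NET), 'client-access' (local client fetching
    the panel externally) or 'transit' (neither side local; only any/any sees it)."""
    if src_port not in HTTP_PORTS:    # $HTTP_PORTS as source == to_client
        return None
    if PHOENIX_TITLE not in payload:  # raw, case-sensitive content match
        return None
    if in_home_net(src_ip):
        return "hosting"
    if in_home_net(dst_ip):
        return "client-access"
    return "transit"


# Constructed sample response: minimal headers plus the bytes from the dump.
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n" + hexdump_to_bytes(DUMP_TAIL)
```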

