Thursday, February 23, 2012

A FABULOUS policy rule

Lots of people in the security space are familiar with the blog of Brian Krebs, a former Washington Post network security writer and one of a tiny number of IT security journalists who actually gets it. If you're not following him on Twitter (@briankrebs), you should be.

Especially after today's awesome tweet:

"Don't look now (seriously, don't unless you're ninja) but Twilight author Stephanie Meyer's site appears 2b serving up Crimepack Exploit kit"

I was just lucky enough to notice this tweet within moments of it being sent out. As someone who hates sparkly vampires, I immediately went out and did a wget of the site in question, and pulled down an awesome PCAP. Besides having bad 90s-era HTML, the site was indeed infected with a bad case of the Crimepack Exploit Kit, as Mr. Krebs had noted.

While the VRT is busy adding more exploit kit rules - and please, if you have good intel on any of them, email us at research <at> sourcefire <dot> com - I figured I'd run it through the rule set to see if we had it covered. We did - SID 21039, which looks for a common form of JavaScript obfuscation, took care of matters. We'll be following up with a more detailed analysis of the exploit kit itself, to see if we can add more aggressive rules that even the most conservative CSO types feel comfortable running.
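To give a feel for what a rule of this kind is looking at, here is an added example (not VRT code, and not the logic of SID 21039, whose actual content is not reproduced here) that scans a fetched page for one common exploit-kit obfuscation idiom: a script body that is mostly %xx escapes, typically handed straight to eval() through unescape(). The sample HTML is constructed and decodes to a harmless alert(); the pattern, the threshold and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample page (not the real site's content): a benign alert()
# wrapped in the eval(unescape("%xx...")) idiom, next to an ordinary script.
SAMPLE_HTML = """<html><body>
<script>eval(unescape("%61%6c%65%72%74%28%27%68%69%27%29"));</script>
<script>document.write("<p>plain page text</p>");</script>
</body></html>"""

# Hypothetical detection pattern (assumption, not a real Snort rule):
# eval() fed directly by unescape()/decodeURIComponent() of a string literal
# made of at least eight consecutive %xx escapes.
OBFUSCATION_RE = re.compile(
    r'eval\s*\(\s*(?:unescape|decodeURIComponent)\s*\(\s*'
    r'(["\'])((?:%[0-9a-fA-F]{2}){8,})\1\s*\)',
    re.IGNORECASE,
)

# Pull out <script> bodies so density is measured on code, not on page markup.
SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)


def percent_escape_density(script_body):
    """Fraction of a script body occupied by %xx escape sequences."""
    if not script_body:
        return 0.0
    escaped = sum(len(m) for m in re.findall(r'%[0-9a-fA-F]{2}', script_body))
    return escaped / len(script_body)


def scan_page(html, density_threshold=0.5):
    """Return one finding per suspicious script block in the page.

    A block is flagged when it contains the eval(unescape("...")) idiom or
    when %xx escapes make up at least density_threshold of its body.  The
    decoded payload is included so an analyst can see what would have run.
    """
    findings = []
    for index, body in enumerate(SCRIPT_RE.findall(html)):
        density = percent_escape_density(body)
        direct = OBFUSCATION_RE.search(body)
        if direct or density >= density_threshold:
            findings.append({
                "script_index": index,
                "escape_density": round(density, 2),
                "eval_unescape": bool(direct),
                "decoded": unquote(direct.group(2)) if direct else None,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML):
        print(finding)
```

Density alone catches variants that rename or wrap eval(); the direct pattern gives a low-false-positive hit when the idiom is used verbatim. Either signal on its own would be noisy in production, which is the trade-off the post describes between aggressive rules and ones a conservative shop is willing to run.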

In the meantime, pay attention as you're browsing the Internet - you never know what sort of evil awaits you, even in the lamest of its corners.
