Styx Exploit Kit

Here are some HTTP-level signatures for detecting Styx Exploit Kit traffic, one per stage of the infection chain.

Gates

HTTP Request Method = GET
Regex HTTP URI for \/[a-zA-Z0-9]{40,90}$

See examples of Styx Exploit Kit Gates on UrlQuery.net

Plugin Detect

HTTP Request Method = GET
HTTP URI = */pdfx.html
Can also regex the HTTP URI for \/[a-zA-Z0-9]{40,90}\/pdfx\.html$

See examples of Styx Exploit Kit PluginDetect on UrlQuery.net

JAR

HTTP Request Method = GET
HTTP Content-Type (response) = application/x-java-archive
HTTP URI ends with *.jar
Regex HTTP URI for \/[a-zA-Z0-9]{40,90}\/[a-zA-Z0-9]{4,10}\.jar$

See examples of Styx Exploit Kit JARs on UrlQuery.net

PDF

HTTP Request Method = GET
HTTP URI ends with *.pdf
Regex HTTP URI for \/[a-zA-Z0-9]{40,90}\/[a-zA-Z0-9]{4,10}\.pdf$

See examples of Styx Exploit Kit PDFs on UrlQuery.net

EOT

HTTP Request Method = GET
HTTP URI ends with *.eot
Regex HTTP URI for \/[a-zA-Z0-9]{40,90}\/[a-zA-Z0-9]{4,10}\.eot$

Reference: http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html

EXE

HTTP Request Method = GET
HTTP Content-Type (response) = application/octet-stream*
HTTP URI ends with &h=*
Regex HTTP URI for \/[a-zA-Z0-9]{150,}\/

See examples of Styx Exploit Kit EXEs on UrlQuery.net

Cookie Detection

HTTP Request Method = GET
Cookie = PHPSESSID=*
Regex the cookie for PHPSESSID=[0-9]{64}$
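The signatures above as one consolidated checker, added here as an example; it is not code from the original page. It compiles each of the page's patterns (with the dot in the file names escaped and the end anchor written out), applies them to the URI path with the query string stripped, and assumes the Content-Type used by the JAR and EXE rules is taken from the response to the GET. The sample transactions, the long alphanumeric tokens and the helper names match_styx and scan are constructed for this example.

```python
import re
from typing import List, Optional

# The page's URI patterns, keyed by stage. Applied to the URI path only
# (query string stripped), with file-name dots escaped and a trailing anchor.
SIGNATURES = {
    "gate":         re.compile(r"/[a-zA-Z0-9]{40,90}$"),
    "plugindetect": re.compile(r"/[a-zA-Z0-9]{40,90}/pdfx\.html$"),
    "jar":          re.compile(r"/[a-zA-Z0-9]{40,90}/[a-zA-Z0-9]{4,10}\.jar$"),
    "pdf":          re.compile(r"/[a-zA-Z0-9]{40,90}/[a-zA-Z0-9]{4,10}\.pdf$"),
    "eot":          re.compile(r"/[a-zA-Z0-9]{40,90}/[a-zA-Z0-9]{4,10}\.eot$"),
}
EXE_PATH_RE = re.compile(r"/[a-zA-Z0-9]{150,}/")   # EXE: 150+ char directory
EXE_QUERY_RE = re.compile(r"&h=[^&]*$")            # EXE: URI ends with &h=*
COOKIE_RE = re.compile(r"PHPSESSID=[0-9]{64}$")    # 64-digit numeric session id


def match_styx(method: str, uri: str, content_type: Optional[str] = None,
               cookie: Optional[str] = None) -> List[str]:
    """Return the names of every Styx signature one transaction matches.

    content_type is the Content-Type of the *response* to this GET (the JAR
    and EXE signatures need it); cookie is the request's Cookie header.
    """
    hits: List[str] = []
    if method.upper() != "GET":          # every signature is GET-only
        return hits
    path, _, query = uri.partition("?")
    ctype = (content_type or "").lower()

    for name, rx in SIGNATURES.items():
        if rx.search(path):
            # The JAR signature additionally requires the archive Content-Type.
            if name == "jar" and ctype != "application/x-java-archive":
                continue
            hits.append(name)

    # EXE: octet-stream response, 150+ char directory, trailing h= parameter.
    if (ctype.startswith("application/octet-stream")
            and EXE_PATH_RE.search(path)
            and EXE_QUERY_RE.search(query)):
        hits.append("exe")

    # Cookie signature is independent of the URI; check each cookie pair.
    if cookie:
        for part in cookie.split(";"):
            if COOKIE_RE.search(part.strip()):
                hits.append("cookie")
                break
    return hits


def scan(log):
    """Run every (method, uri, response content-type, cookie) record through
    the signatures and return only the transactions that produced hits."""
    results = []
    for method, uri, ctype, cookie in log:
        hits = match_styx(method, uri, ctype, cookie)
        if hits:
            results.append((uri, hits))
    return results


# Constructed sample transactions (not captured traffic). The long tokens are
# built from a repeated alphabet so their lengths are easy to verify.
TOKEN_60 = ("abcdef0123456789" * 4)[:60]      # 60 alnum chars: gate / directory
TOKEN_160 = ("ZyXwVu9876543210" * 10)[:160]   # 160 alnum chars: EXE directory

SAMPLE_LOG = [
    # (method, uri, response Content-Type, request Cookie)
    ("GET", f"/{TOKEN_60}", "text/html", None),
    ("GET", f"/{TOKEN_60}/pdfx.html", "text/html", None),
    ("GET", f"/{TOKEN_60}/kDJe.jar", "application/x-java-archive", None),
    ("GET", f"/{TOKEN_60}/kDJe.jar", "text/html", None),        # wrong type: no hit
    ("GET", f"/{TOKEN_60}/rXqz1.pdf", "application/pdf", None),
    ("GET", f"/{TOKEN_60}/font1.eot", "application/vnd.ms-fontobject", None),
    ("GET", f"/{TOKEN_160}/?a=1&h=2", "application/octet-stream",
     "PHPSESSID=" + "7" * 64),                                    # EXE + cookie
    ("POST", f"/{TOKEN_60}", "text/html", None),                  # wrong method
    ("GET", "/index.html", "text/html", "PHPSESSID=a1b2c3d4e5f6"),  # benign
]

if __name__ == "__main__":
    for uri, hits in scan(SAMPLE_LOG):
        print(f"{', '.join(hits):20s} {uri[:48]}...")
```

Two things worth keeping in mind when turning this into an IDS rule: the gate and PluginDetect patterns overlap on the directory token, so order the rules so the more specific file-name match fires first, and the JAR and EXE checks need the response Content-Type, which means they only work where request and response can be correlated (a proxy log or a flow-aware sensor), not on request-only data.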
