Cool Exploit Kit v2 Variant

@Set_Abominae pointed out that there seems to be another variant of cool going around that won’t get caught in the existing sig. It was noticed in @kafeine’s writeup about the jre7u10 0day.

This variant looks to be using dynamic domains, some examples of which can be seen at @Set_Abominae’s paste. It’s also using a “/read/” tag instead of “/news/”.

HTTP Request Method = GET
HTTP URI contains /read/ or /news/
Regex HTTP URI for ^http:\/\/[a-z0-9]{10,}\.[a-z0-9.\-]{6,}\/(read|news)\/

This may give some FPs but will catch both variants.

You can tune out a lot of FPs by also regexing for the file extension with “\.[a-zA-Z]{3,4}$”.
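As an added example (not from the original post), the signature above expressed as detection logic and run over a few constructed proxy-log lines; the hostnames are invented placeholders, not real indicators, and the log format (METHOD URL per line) is an assumption.

```python
import re

# URI regex from the post: a long alphanumeric host label, a dotted suffix,
# then a /read/ or /news/ path segment.
URI_PATTERN = re.compile(r"^http:\/\/[a-z0-9]{10,}\.[a-z0-9.\-]{6,}\/(read|news)\/")
# Optional FP tuning from the post: require a 3-4 letter file extension.
EXT_PATTERN = re.compile(r"\.[a-zA-Z]{3,4}$")


def matches_cool_ek(url, require_extension=False):
    """True when the URL matches the Cool EK v2 signature described above."""
    if not URI_PATTERN.match(url):
        return False
    if require_extension and not EXT_PATTERN.search(url):
        return False
    return True


# Constructed sample log (hostnames are placeholders, not real IoCs).
SAMPLE_LOG = """\
GET http://abcdefghij12.example-dyn.net/read/12345.jar
GET http://abcdefghij12.example-dyn.net/news/q.html
GET http://abcdefghij12.example-dyn.net/read/landing
GET http://short.example.org/news/page.html
POST http://abcdefghij12.example-dyn.net/read/12345.jar
GET http://www.example.com/index.html
"""


def scan_log(log_text, require_extension=False):
    """Apply the signature to each 'METHOD URL' line; return the matching URLs."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        method, url = parts
        if method != "GET":  # the signature is scoped to GET requests
            continue
        if matches_cool_ek(url, require_extension):
            hits.append(url)
    return hits


if __name__ == "__main__":
    print("without extension check:", scan_log(SAMPLE_LOG))
    print("with extension check:   ", scan_log(SAMPLE_LOG, require_extension=True))
```

The third sample line (no file extension) is the kind of hit the extension regex tunes out; the short-host and POST lines never match.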

