BEK 2.1.0 URI Pattern Changes

New URI patterns in the latest BEK 2.1.0…

@Kafeine has written about it here > http://malware.dontneedcoffee.com/2013/06/blackhole-exploit-kit-goes-210-shows.html

BEK2 JNLP

HTTP Method = GET
HTTP URI contains *.php?jnlp=*
User-Agent = JNLP*
Regex HTTP URI for \.php\?jnlp=[a-f0-9]{10}

See examples of BEK2 JNLP on UrlQuery.net

BEK2 JAR

Pretty much the same as before…

HTTP Method = GET
HTTP Content Type = application/java-archive
Regex HTTP URI for \.php\?[a-zA-Z]+=[a-zA-Z]+&[a-zA-Z]+=[a-zA-Z]+$

BEK2 SWF

…haven’t seen often enough yet to make a reliable regex…

BEK 2.1.0 EXE

These are still using the same classic filenames – about.exe, calc.exe, info.exe, readme.exe

HTTP Method = GET
HTTP User Agent contains *Java/1.*
HTTP Content Type = application/x-msdownload
Regex HTTP URI for \.php\?[A-Za-z]f=[0-9]{10}&[A-Za-z]e=[0-9]{20}&[A-Z]=[0-9]{2}
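The JNLP, JAR and EXE rule sets above each combine a method check, a header check (User-Agent or response Content-Type) and a URI regex. The Python below is an added example, not code from the original post, that encodes those three rule sets as data and runs them over a few constructed proxy-log records; the record field names (method, uri, user_agent, content_type), the sample paths and the User-Agent strings are assumptions made for the illustration and are not taken from real traffic.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class Rule:
    """One BEK 2.1.0 signature: all non-None conditions must hold."""
    name: str
    method: str
    uri_regex: "re.Pattern[str]"
    user_agent_glob: Optional[str] = None   # shell-style glob, e.g. "JNLP*"
    content_type: Optional[str] = None      # exact response Content-Type


# The three rule sets from the post, transcribed verbatim (regexes unchanged).
RULES = [
    Rule(
        name="BEK2 JNLP",
        method="GET",
        uri_regex=re.compile(r"\.php\?jnlp=[a-f0-9]{10}"),
        user_agent_glob="JNLP*",
    ),
    Rule(
        name="BEK2 JAR",
        method="GET",
        uri_regex=re.compile(r"\.php\?[a-zA-Z]+=[a-zA-Z]+&[a-zA-Z]+=[a-zA-Z]+$"),
        content_type="application/java-archive",
    ),
    Rule(
        name="BEK 2.1.0 EXE",
        method="GET",
        uri_regex=re.compile(
            r"\.php\?[A-Za-z]f=[0-9]{10}&[A-Za-z]e=[0-9]{20}&[A-Z]=[0-9]{2}"
        ),
        user_agent_glob="*Java/1.*",
        content_type="application/x-msdownload",
    ),
]


def matches(rule: Rule, rec: dict) -> bool:
    """Return True only when every condition of the rule holds for the record."""
    if rec.get("method") != rule.method:
        return False
    if rule.user_agent_glob is not None and not fnmatchcase(
        rec.get("user_agent", ""), rule.user_agent_glob
    ):
        return False
    if rule.content_type is not None and rec.get("content_type") != rule.content_type:
        return False
    # re.search, not re.match: the pattern anchors on ".php?" wherever it occurs.
    return rule.uri_regex.search(rec.get("uri", "")) is not None


def classify(rec: dict) -> List[str]:
    """Names of all rules that fire for one proxy-log record."""
    return [r.name for r in RULES if matches(r, rec)]


# Constructed records (hypothetical paths and User-Agent strings, not real traffic).
SAMPLE_RECORDS = [
    {   # JNLP fetch: Java Web Start style UA plus 10-hex-char jnlp parameter
        "method": "GET", "uri": "/kit/page.php?jnlp=3f9a0b2c1d",
        "user_agent": "JNLP/6.0 javaws/1.7.0_21", "content_type": "application/x-java-jnlp-file",
    },
    {   # JAR fetch: two alphabetic key=value pairs, JAR content type
        "method": "GET", "uri": "/kit/page.php?abcd=efgh&ijkl=mnop",
        "user_agent": "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21",
        "content_type": "application/java-archive",
    },
    {   # EXE fetch: ?xf=<10 digits>&xe=<20 digits>&X=<2 digits>, served as x-msdownload
        "method": "GET", "uri": "/kit/page.php?af=1234567890&be=12345678901234567890&C=12",
        "user_agent": "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21",
        "content_type": "application/x-msdownload",
    },
    {   # Benign: URI alone satisfies the JAR regex, but Content-Type is text/html
        "method": "GET", "uri": "/index.php?page=home&lang=en",
        "user_agent": "Mozilla/5.0", "content_type": "text/html",
    },
    {   # Wrong method: same JNLP URI and UA, but POST instead of GET
        "method": "POST", "uri": "/kit/page.php?jnlp=3f9a0b2c1d",
        "user_agent": "JNLP/6.0 javaws/1.7.0_21", "content_type": "text/html",
    },
]


if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, rec["method"], rec["uri"], "->", classify(rec) or "no match")
```

The fourth record is the reason the header conditions matter: an ordinary `index.php?page=home&lang=en` request satisfies the JAR URI regex on its own, and only the Content-Type check keeps the rule from firing. Apply each rule set as the conjunction of all its conditions rather than deploying the regex by itself.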
