Slight changes to STYX URI

*Update* 24.10.2013 —

These are some static path fragments you can use for detection:

*/pdfx.html
*/flsh.html
*/fnts.html
*/jovf.html
*/jorg.html
*/jvvn.html
*/retn.html
*/jply.html
*/iexp.html

See more examples of STYX EK exploits on UrlQuery.net.

STYX EK has made some slight modifications to its URI obfuscation.

OLD:

/J2XPld0gMrg08M2J0MEBq0eX1m0NbRP0ricH0MZRK00RHW0UKjV0yAad03Ude14DiA0WOeP10CbU0GUur0Eo8D11YEU0KMWz0qVhx0xfO60Atj10XSPh17UCQ08ufB0YXUe0qxzZ12zIb0iWPJ0quFR0xwck0SxyU0IA9g0Elow09oES0xEd30cJJO0JY2l0W0IH0gzRe0WNa00PI2j1769W0ulO40hjiY09p6J0fk4l0CiHw13qbQ0LHoZ/KXbhhYJ.jar

NEW:

/TXB/zMC0/MnOs0ZJbE0_8aXu_0xee4/0aB-5t08L_Me0t_Cs-X0RqUB0/Xzpw04-Sb110n960_RkiQ_0VZWL0IF_HS0X8y_90RY_th09_wGN01OB_H0qC-Ls06QTK02-K9j0/64CC0B-u6i0mi/Sj0M_dkA0-X5lX0_PDMF-08Gz_y0ikHK0H/9VC0/kKCc0LcO_E0vxbI_0pgu_J1/8h6v0QuE_00-Ncmf-03xB_Q0weTh1_5qgG0_zNm9_0Mj-gA0v-Hvh0b1_YA109c_50YQ_kR/RYlzer.jar

STYX EK JAR

HTTP Method = GET
Content-type = application/x-java-archive
User-Agent = *Java/1.*
Regex HTTP URI for \/[a-zA-Z0-9-\/_]{200,}\.jar(\.pack\.gz)?$

STYX EK EXE

HTTP Method = GET
Content-type = NULL (Meaning it’s absent)
User-Agent = *Java/1.*
Regex HTTP URI for \/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+&h=[0-9]+$
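The JAR and EXE rules above, plus the static landing-page paths, applied to a handful of HTTP flow records. This is an added example, not code from the original post; the flow-record layout (method, uri, user_agent, content_type) and the sample flows are constructed, while the two regexes and the NEW JAR path are taken from the post unchanged.

```python
import re
from fnmatch import fnmatchcase

# Static landing/exploit page names from the post (matched as a path suffix).
STATIC_PATHS = ("/pdfx.html", "/flsh.html", "/fnts.html", "/jovf.html", "/jorg.html",
                "/jvvn.html", "/retn.html", "/jply.html", "/iexp.html")
# The two URI regexes from the post, used unchanged.
JAR_URI = re.compile(r"\/[a-zA-Z0-9-\/_]{200,}\.jar(\.pack\.gz)?$")
EXE_URI = re.compile(r"\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+&h=[0-9]+$")

# The "NEW" JAR path quoted in the post, split across lines only for readability.
NEW_JAR_URI = ("/TXB/zMC0/MnOs0ZJbE0_8aXu_0xee4/0aB-5t08L_Me0t_Cs-X0RqUB0"
               "/Xzpw04-Sb110n960_RkiQ_0VZWL0IF_HS0X8y_90RY_th09_wGN01OB_H0qC-Ls06QTK02-K9j0"
               "/64CC0B-u6i0mi/Sj0M_dkA0-X5lX0_PDMF-08Gz_y0ikHK0H/9VC0/kKCc0LcO_E0vxbI_0pgu_J1"
               "/8h6v0QuE_00-Ncmf-03xB_Q0weTh1_5qgG0_zNm9_0Mj-gA0v-Hvh0b1_YA109c_50YQ_kR/RYlzer.jar")

# Constructed flow records: request method, URI, request User-Agent, response Content-Type.
JAVA_UA = "Java/1.7.0_21"
SAMPLE_FLOWS = [
    {"method": "GET", "uri": NEW_JAR_URI, "user_agent": JAVA_UA, "content_type": "application/x-java-archive"},
    {"method": "GET", "uri": "/a1B2c3.exe?kXq=9Zt&h=1382620800", "user_agent": JAVA_UA, "content_type": None},
    {"method": "GET", "uri": "/gate/pdfx.html", "user_agent": "Mozilla/5.0", "content_type": "text/html"},
    {"method": "GET", "uri": "/lib/short.jar", "user_agent": JAVA_UA, "content_type": "application/x-java-archive"},
    {"method": "GET", "uri": "/a1B2c3.exe?kXq=9Zt&h=1", "user_agent": "Mozilla/5.0", "content_type": None},
]

def classify(flow):
    """Return a label for one flow, or None when no STYX rule matches."""
    uri = flow["uri"]
    if any(uri.endswith(p) for p in STATIC_PATHS):
        return "styx-landing"
    # The JAR and EXE stages are fetched by the Java plugin, so require its UA.
    if flow["method"] != "GET" or not fnmatchcase(flow.get("user_agent") or "", "Java/1.*"):
        return None
    if flow.get("content_type") == "application/x-java-archive" and JAR_URI.search(uri):
        return "styx-jar"
    if flow.get("content_type") is None and EXE_URI.search(uri):  # Content-type absent
        return "styx-exe"
    return None

def scan(flows):
    """Return (uri, label) pairs for every flow that triggers a rule."""
    hits = []
    for flow in flows:
        label = classify(flow)
        if label:
            hits.append((flow["uri"], label))
    return hits
```

The short JAR request and the browser-originated EXE request are left unlabelled, which is what the 200-character floor and the Java User-Agent condition are there for.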
