I recently noticed that the URL length for the Styx Exploit Kit had suddenly changed: where the URLs used to be 40-90 characters long, they now run to as many as 257 characters.
After a lot of investigation a pattern emerged.
Here is a screenshot of a number of Styx URLs lined up one after another (picked from various places, but mostly from UrlQuery).
It is not easy to see a pattern just yet, but if I colour every 1 and 0 blue, the pattern suddenly appears.
As you can see, in every URL the 7th letter is a 0 or a 1, and after that every 5th letter is also a 0 or a 1.
So the new pattern for the landing page is:
.*/[a-zA-Z0-9]{6,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1).*
This will not produce many false positives, and if it does you can append another [a-zA-Z0-9]{4,}(0|1) group to the pattern.
Styx uses the same pattern for its Java, PDF and EOT exploits (correct me if I am wrong):
Jar pattern:
.*/[a-zA-Z0-9]{6,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1).*\.jar$
Pdf pattern:
.*/[a-zA-Z0-9]{6,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1).*\.pdf$
EOT pattern:
.*/[a-zA-Z0-9]{6,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1).*\.eot$
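Added example, not code from the post: a Python script that runs the four patterns above over constructed sample URLs (made-up hostnames and paths, not real indicators) next to a stricter positional check of the 7th-then-every-5th observation. It also shows that the regex is looser than the description, since [a-zA-Z0-9] includes 0 and 1 and the quantifiers are open-ended, so a URL whose digits are shifted by a character still matches.

```python
import re

# The landing-page pattern exactly as given in the post; the Jar/PDF/EOT
# patterns are the same expression with an extension anchor appended.
STYX_LANDING = re.compile(
    r".*/[a-zA-Z0-9]{6,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)"
    r"[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1).*"
)
STYX_FILE = {ext: re.compile(STYX_LANDING.pattern + r"\." + ext + "$")
             for ext in ("jar", "pdf", "eot")}


def classify(url: str) -> list:
    """Names of the post's patterns that match: 'landing' plus any of jar/pdf/eot."""
    hits = ["landing"] if STYX_LANDING.match(url) else []
    hits += [ext for ext, rx in STYX_FILE.items() if rx.match(url)]
    return hits


def last_segment(url: str) -> str:
    """Final path component, with scheme, host, query and fragment removed."""
    path = url.split("://", 1)[-1].split("?", 1)[0].split("#", 1)[0]
    return path.rsplit("/", 1)[-1]


def strict_styx(url: str, groups: int = 5) -> bool:
    """Positional form of the observation: in the last path segment the 7th
    character is 0 or 1 and so is every 5th character after it, checked for
    `groups` positions (five, like the regex). Unlike the regex, extra letters
    in between are not allowed to shift those positions."""
    seg = last_segment(url).rsplit(".", 1)[0]        # drop .jar/.pdf/.eot
    if not re.fullmatch(r"[a-zA-Z0-9]+", seg):
        return False
    positions = range(6, 6 + 5 * groups, 5)          # 0-based: 6, 11, 16, 21, 26
    return len(seg) > positions[-1] and all(seg[i] in "01" for i in positions)


# Constructed URLs for this example only; they are not real Styx indicators.
SAMPLES = [
    "http://styx.example.test/abcdef0ghij1klmn0opqr1stuv0wxyz",
    "http://styx.example.test/abcdef0ghij1klmn0opqr1stuv0wxyz.jar",
    # 0/1 at the 8th character, not the 7th: the regex still matches because
    # [a-zA-Z0-9]{6,} absorbs the extra letter; the strict check does not.
    "http://cdn.example.test/abcdefg0hijklm1nopqr0stuvw1xyzab0c.pdf",
    "http://www.example.test/index.html",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url}\n  regex: {classify(url) or '-'}  strict: {strict_styx(url)}")
```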
Happy Styx hunting and dissecting.
Other Styx references:
http://malforsec.blogspot.no/2013/04/styx-exploit-kit-analysis-building.html
http://www.malwaresigs.com/?s=Styx
http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html
http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html