Rule Category

EXPLOIT-KIT -- Snort has alerted on traffic that is typical of known exploit kits. Exploit kits are pre-packaged sets of code and malware geared toward finding and taking advantage of common browser vulnerabilities. They are Javascript code that provides an entry point to a system to initiate the next state. Snort's rules look for known exploit kit nomenclature, information sent back exposing sensitive infrastructure, attempts to reach a certain file, etc. Rules try to identify the exact kit being used based on actor-group patterns, such as favored target website, malware types, and code similarities.

Alert Message

EXPLOIT-KIT Blackholev2 exploit kit landing page detected

Rule Explanation

This event is generated when a victim reaches the landing page of the Blackholev2 exploit kit. Impact: Exposure to a malicious web site, which could result in loss of integrity. Details: All exploit kits deliver their malicious payload by way of what is known as a landing page, which typically contains heavily obfuscated JavaScript that automates the process of delivering a sequence of attacks against the victim. This signature detects characteristics typical of the Blackholev2 exploit kit's landing page. Ease of Attack: Simple. The Blackholev2 is commercially available software with technical support.

What To Look For

No information provided

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos

Rule Groups

No rule groups

CVE

None

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None