SID 1-28614

Rule Category

EXPLOIT-KIT -- Snort has alerted on traffic that is typical of known exploit kits. Exploit kits are pre-packaged sets of code and malware geared toward finding and taking advantage of common browser vulnerabilities. They are Javascript code that provides an entry point to a system to initiate the next state. Snort's rules look for known exploit kit nomenclature, information sent back exposing sensitive infrastructure, attempts to reach a certain file, etc. Rules try to identify the exact kit being used based on actor-group patterns, such as favored target website, malware types, and code similarities.

Alert Message

EXPLOIT-KIT Angler exploit kit landing page

Rule Explanation

This event is generated when the Angler exploit kit landing page has been detected Impact: A Network Trojan was detected Details: Ease of Attack:

What To Look For

No information provided

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

CVE-2013-0074 CVE-2013-0634 CVE-2013-3896

Additional Links

malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html

Rule Vulnerability

CVE Additional Information

CVE-2013-0074

Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."

Details
Severity	HIGH	Base Score	9.3
Impact Score	10.0	Exploit Score	8.6
Confidentiality Impact	COMPLETE	Integrity Impact	COMPLETE
Availability Impact	COMPLETE	Access Vector
Authentication	NONE	Ease of Access

CVE-2013-0634

Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted SWF content, as exploited in the wild in February 2013.

Details
Severity	HIGH	Base Score	9.3
Impact Score	10.0	Exploit Score	8.6
Confidentiality Impact	COMPLETE	Integrity Impact	COMPLETE
Availability Impact	COMPLETE	Access Vector
Authentication	NONE	Ease of Access

CVE-2013-3896

Microsoft Silverlight 5 before 5.1.20913.0 does not properly validate pointers during access to Silverlight elements, which allows remote attackers to obtain sensitive information via a crafted Silverlight application, aka "Silverlight Vulnerability."

Details
Severity	MEDIUM	Base Score	4.3
Impact Score	2.9	Exploit Score	8.6
Confidentiality Impact	PARTIAL	Integrity Impact	NONE
Availability Impact	NONE	Access Vector
Authentication	NONE	Ease of Access