Monday, January 23, 2006

Snort sigs for latest Java Malware

Here are some Snort signatures to detect a couple of recent pieces of Java malware. In particular, the Sun Java vulnerability being actively exploited is the "Sun Java Plugin Arbitrary Package Access Vulnerability".

The signatures detect two different variants of this exploit. The most significant is "Java runtime.exec() call": its hex content decodes to the class-file constant-pool bytes "Runtime;" (the tail of a method descriptor such as ()Ljava/lang/Runtime;) immediately followed by a CONSTANT_Utf8 entry of length 4 reading "exec", which is the footprint of an applet that calls Runtime.getRuntime().exec(). An unsigned applet has no legitimate reason to carry that call, since the default SecurityManager refuses it, so an untrusted applet containing it is expecting to escape the sandbox. Two caveats apply: all five rules are plain content matches on the HTTP response, so a class delivered inside a JAR (where it is deflate-compressed) or in a gzip-encoded response will not match unless something decompresses it first, and the runtime.exec() rule additionally depends on the two constant-pool entries being adjacent, which is a compiler layout detail rather than a property of the exploit. The rules are given without sid: values; assign local ones before loading them into Snort.

alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"Java runtime.exec() call"; flow:from_server,established; content:"|52 75 6e 74 69 6d 65 3b 01 00 04 65 78 65 63 01 00|"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Java private function call sun.misc.unsafe"; flow:from_server,established; content:"sun/misc/Unsafe"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Java field reflector call java.lang.reflect.field"; flow:from_server,established; content:"java/lang/reflect/Field"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Javascript unsafe applet call"; flow:from_server,established; content:"sun.misc.Unsafe"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Javascript Securitymanager class applet call"; flow:from_server,established; content:"java.lang.SecurityManager"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; rev:1;)


These signatures trigger when either of my two test exploits (run at your own risk) is executed on a vulnerable machine (JRE 1.4.2_05 or prior). If executed on a patched JRE, the JavaScript signatures will trigger.

Variant #1 (http://38.112.88.68/ads/) - http://www.opensecnet.com/testsploit.htm
snort: [1:0:1] Java field reflector call java.lang.reflect.Method [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 64.62.148.141:80 -> 172.16.30.130:1103

snort: [1:0:1] Java SecurityManager manipulation [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 64.62.148.141:80 -> 172.16.30.130:1103

snort: [1:0:1] Java field reflector call java.lang.reflect.Method [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 64.62.148.141:80 -> 172.16.30.130:1107

snort: [1:0:1] Java SecurityManager manipulation [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 64.62.148.141:80 -> 172.16.30.130:1107

snort: [1:0:1] Java runtime.exec() call [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 64.62.148.141:80 -> 172.16.30.130:1108

Variant #2 (a.k.a fullchain.net) - http://www.opensecnet.com/test2sploit.htm

snort: [1:0:1] Javascript unsafe applet call [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 64.62.148.141:80 -> 172.16.30.130:1112

snort: [1:0:1] Java field reflector call java.lang.reflect.field [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 64.62.148.141:80 -> 172.16.30.130:1114

snort: [1:0:1] Java runtime.exec() call [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 64.62.148.141:80 -> 172.16.30.130:1114

snort: [1:0:1] Java private function call sun.misc.unsafe [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 64.62.148.141:80 -> 172.16.30.130:1114

snort: [1:0:1] Java field reflector call java.lang.reflect.field [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 64.62.148.141:80 -> 172.16.30.130:1114
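To show what the class-level rules above actually key on, here is an added example (my own code, not part of the original post or of either test exploit). It applies the same substring checks Snort's content: keyword makes, then does the job properly by walking the class file's constant pool, so the Runtime.exec indicator no longer depends on the order in which the compiler laid out the pool entries. The sample class bytes and the JAR are constructed inline for the demonstration; the class name Dropper and its pool contents are invented.

```python
"""Offline version of the Java class-file checks made by the Snort rules above.
Added example; SAMPLE_CLASS / REORDERED_CLASS / the JAR are constructed here."""
import io
import struct
import zipfile

# Hex content of the "Java runtime.exec() call" rule: "Runtime;" then a
# CONSTANT_Utf8 (tag 0x01, length 0x0004) reading "exec", then the tag and
# high length byte of whatever Utf8 entry follows.
RUNTIME_EXEC_CONTENT = bytes.fromhex("52756e74696d653b010004657865630100")

# Class-file internal names matched by the other three class-level rules.
SUSPICIOUS_NAMES = (b"sun/misc/Unsafe", b"java/lang/reflect/Field",
                    b"java/lang/SecurityManager")


def snort_content_match(payload: bytes) -> list:
    """Plain substring matching, which is all Snort's content: keyword does."""
    hits = []
    if RUNTIME_EXEC_CONTENT in payload:
        hits.append("Java runtime.exec() call")
    hits.extend(n.decode() for n in SUSPICIOUS_NAMES if n in payload)
    return hits


def constant_pool_utf8(class_bytes: bytes) -> list:
    """Walk a .class constant pool and return every CONSTANT_Utf8 value."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos, index, values = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        if tag == 1:                                  # Utf8: tag, u2 length, bytes
            length = struct.unpack(">H", class_bytes[pos + 1:pos + 3])[0]
            values.append(class_bytes[pos + 3:pos + 3 + length])
            pos += 3 + length
        elif tag in (7, 8, 16, 19, 20):               # Class, String, MethodType, Module, Package
            pos += 3
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):    # Integer, Float, *ref, NameAndType, (Invoke)Dynamic
            pos += 5
        elif tag in (5, 6):                           # Long, Double: 8 bytes and two pool slots
            pos += 9
            index += 1
        elif tag == 15:                               # MethodHandle
            pos += 4
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        index += 1
    return values


def classify(class_bytes: bytes) -> list:
    """Same indicators as the rules, independent of constant-pool ordering."""
    names = constant_pool_utf8(class_bytes)
    findings = []
    if b"java/lang/Runtime" in names and b"exec" in names:
        findings.append("Runtime.exec")
    findings.extend(n.decode() for n in SUSPICIOUS_NAMES if n in names)
    return findings


def build_class(utf8_values) -> bytes:
    """Constructed minimal class: Utf8-only pool plus one Class entry, no methods."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(v)) + v for v in utf8_values)
    pool += b"\x07\x00\x01"                           # CONSTANT_Class -> entry 1
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 49)   # class version 49 (Java 5)
    # access_flags, this_class, super_class, then empty interface/field/method/attribute tables
    tail = struct.pack(">7H", 0x0021, len(utf8_values) + 1, 0, 0, 0, 0, 0)
    return header + struct.pack(">H", len(utf8_values) + 2) + pool + tail


def jar_wrap(class_bytes: bytes, name: str = "Dropper.class") -> bytes:
    """Package the class as an applet JAR would: deflate-compressed inside a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(name, class_bytes)
    return buf.getvalue()


def scan_jar(jar_bytes: bytes) -> dict:
    """Inflate each .class member and classify it; a wire content match never sees these bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {n: classify(jar.read(n)) for n in jar.namelist() if n.endswith(".class")}


# Constructed sample pool, ordered so the rule's hex string lines up exactly.
POOL = [b"Dropper", b"java/lang/Object", b"<init>", b"()V", b"Code",
        b"java/lang/Runtime", b"getRuntime", b"()Ljava/lang/Runtime;", b"exec",
        b"(Ljava/lang/String;)Ljava/lang/Process;", b"sun/misc/Unsafe",
        b"java/lang/reflect/Field", b"java/lang/SecurityManager"]
SAMPLE_CLASS = build_class(POOL)

# Same entries with "exec" moved ahead of the descriptor: the hex rule no
# longer matches although the class is just as dangerous.
REORDERED = POOL[:8] + POOL[9:]
REORDERED.insert(6, b"exec")
REORDERED_CLASS = build_class(REORDERED)

if __name__ == "__main__":
    print("content match, sample   :", snort_content_match(SAMPLE_CLASS))
    print("content match, reordered:", snort_content_match(REORDERED_CLASS))
    print("pool parse,    reordered:", classify(REORDERED_CLASS))
    print("content match, JAR      :", snort_content_match(jar_wrap(SAMPLE_CLASS)))
    print("pool parse,    JAR      :", scan_jar(jar_wrap(SAMPLE_CLASS)))
```

The two failure modes are the ones a practitioner hits in the field: the reordered class slips past the byte-exact runtime.exec() rule while the pool walk still flags it, and once the class is inside a deflated JAR none of the content matches fire on the wire, so the class has to be extracted (from a proxy cache or a file carve) and inspected offline.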
