Versions (2)
Version DetailsCurrent
Rev: 3 • May 5, 2014, 12:00 PMET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 05 2014
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 05 2014"; flow:from_server,established; http.header; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; content:"|0d 0a|X-Powered-By|3a 20|PHP"; file.data; content:"|ef bb bf 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}\r\n<script>(?:var [a-zA-Z0-9]{1,20}\x3b){1,20}[a-zA-Z0-9]{1,20}\s*?=/R"; classtype:exploit-kit; sid:2018451; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, malware_family Nuclear, confidence High, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_04_29;)
May 5, 2014, 12:00 PM
Apr 29, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-exploit_kit.rules