ET EXPLOIT_KIT Possible Underminer EK Landing
Source: et/open
Created: July 26, 2018
Updated: April 22, 2024
Classification: exploit-kit
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Underminer EK Landing"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip|0d 0a|"; content:"X-UA-Compatible|3a 20|IE=9|3b 20|IE=8|3b 20|IE=7|0d 0a|"; file.data; content:"style=|22|width|3a|1px|3b|height|3a|1px|22|"; nocase; content:"position|3a 20|absolute|3b 20|left|3a 20|-"; nocase; content:"px|3b 20|width|3a 20|1px|3b 20|height|3a 20|1px|3b 22|"; within:40; content:"<!--[if lte IE 6]>"; nocase; distance:0; fast_pattern; content:"if(!!window.ActiveXObject && typeof("; nocase; distance:0; content:"<!--[if gte IE 7]>"; nocase; distance:0; content:"if(!!window.ActiveXObject && typeof("; nocase; distance:0; pcre:"/^[^\r\n]+\s*\)\s*\!==\s*[\x22\x27]undefined[\x22\x27]\s*\)\{\s+var\s+(?P<var>[A-Za-z0-9]{1,25})\s*=\s*[^\.]+\.getElementById\s*\([\x22\x2][^\x22\x27]+[\x22\x27]\s*\)\s*\x3b\s+(?P=var)\s*\.\s*elements\[[\x22\x27][^\x22\x27]+[\x22\x27]\]\.value\s*=\s*[0-9]{1,15}\s*\;/Rsi"; content:"src="; nocase; distance:0; pcre:"/^\s*[\x22\x27][^\r\n]+\/[a-z0-9]{20,40}\.js[\x22\x27]\s*>\s*<\/script>\s*<\/body>/Rs"; classtype:exploit-kit; sid:2025916; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, performance_impact Significant, confidence Medium, signature_severity Major, tag Underminer_EK, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_22;)
Metadata
affected product: Web_Browsers
attack target: Client_Endpoint
created at: 2018_07_26
deployment: Perimeter
performance impact: Significant
confidence: Medium
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2024_04_22