Recent Microsoft Vulnerability Exploited in the Wild - Vulnerabilities & Exploits - STN Peer-to-Peer Discussion Forums

It describes the detection characteristics for the MS08-053 exploit!!!

This e2 attack toolkit is a system that appends its first-stage encrypted block to an otherwise legitimate web page to begin its attack. It is detected by existing IPS signatures as HTTP Malicious Toolkit Variant Activity. This first stage will then redirect the user to either an intermediary redirector, or directly to the attack page. In either case, the result is the same: the user will eventually arrive at the e2 attack page. The e2 encryptor is much like later versions of Mpack, in that an encrypted block is fed to a two-key decoder. By this, I do not mean that it is using a public key variant, but rather a decoder that takes the following form:


String.fromCharCode(key2 ^ (key1 ^ encodedString.charCodeAt(i)))

(Where key2 and key1 vary.)

https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&message.id=169#M169
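
The two-key form quoted above reduces to a single effective key, because key2 ^ (key1 ^ c) equals (key1 ^ key2) ^ c. As an added example (not code from the original post or from the toolkit), the following JavaScript decodes a block of that form and recovers the effective key from a known-plaintext crib, which is how an analyst can deobfuscate a captured block without knowing either key. The function names, the single-byte key range and the sample data are assumptions constructed for illustration.

```javascript
// Added example for analysts; not code from the quoted post or the toolkit.

// Decoder in the form quoted above: key2 ^ (key1 ^ charCode).
function decodeTwoKey(encodedString, key1, key2) {
  let out = "";
  for (let i = 0; i < encodedString.length; i++) {
    out += String.fromCharCode(key2 ^ (key1 ^ encodedString.charCodeAt(i)));
  }
  return out;
}

// XOR is associative, so the two keys collapse to one effective key.
function effectiveKey(key1, key2) {
  return key1 ^ key2;
}

// Known-plaintext recovery: try every candidate effective key and keep
// those whose output contains the crib (a string expected in the decoded
// script). Assumption: keys are single bytes (0..255).
function recoverEffectiveKey(encodedString, crib) {
  const hits = [];
  for (let k = 0; k < 256; k++) {
    if (decodeTwoKey(encodedString, k, 0).includes(crib)) {
      hits.push(k);
    }
  }
  return hits;
}

// Constructed sample: a harmless string encoded with two arbitrary keys.
// XOR is its own inverse, so the decoder also serves as the encoder here.
const SAMPLE_PLAIN = 'document.write("<p>constructed sample</p>");';
const SAMPLE_KEY1 = 0x5a;
const SAMPLE_KEY2 = 0x21;
const SAMPLE_ENCODED = decodeTwoKey(SAMPLE_PLAIN, SAMPLE_KEY1, SAMPLE_KEY2);

// Recover the key using only the encoded block and a likely crib.
const SAMPLE_HITS = recoverEffectiveKey(SAMPLE_ENCODED, "document.write");
console.log("effective key candidates:", SAMPLE_HITS);
console.log("decoded:", decodeTwoKey(SAMPLE_ENCODED, SAMPLE_HITS[0], 0));
```

Because only key1 ^ key2 matters, varying the two keys independently gives at most 256 distinct encodings under the single-byte assumption, so a decoder-shape signature or a crib search covers every key pair.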
