Monday, October 22, 2012

Blackhole 2.0 Binary Get Request

Written by Frank Angiolelli, CISSP

I am still focused on Blackhole 2.0. In my last article here, I examined the URL pattern. The regex in that article is good at detecting the entry points and the exploit as it occurs, but not the binary get request; matching that produced too many false positives for sites like Facebook (credit for the teamwork to ). Today I focused on getting the pattern for the binary get request.

This is an ongoing series where my intel will be posted as I get it. Feedback to me on twitter @fknsec. Also, check out #malwaremustdie on twitter.


Blackhole 2.0 Entry Point/PDF/PK Pattern
Content type/MIME type: application/pdf

\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}$

Blackhole 2.0 Binary Get Request Pattern
Content type/MIME type: application/x-msdownload

\.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$



Blackhole 2.0 - All About the PDF

Screen Cap 1: Adobe Reader uninstalled, still prompts for PDF.

So far, I have only observed instances where a get request for the root php file is made, which contains an applet archive; the second request's response is a PDF download, followed by a PK jar file, followed by the binary get request. This is so predictable that when I removed Adobe Reader from my lab, the website still requested that I download the PDF and asked me where to save it (see Screen Cap 1).

Screen Cap 2: This sample really, really wanted me to log into Bank of America.

As a side note, one of the malware samples was an impatient password stealer that actually launched IE and took me to the legitimate Bank of New York web page (see Screen Cap 2).

Once the PDF is downloaded and executed, the system requests one or a series of PK files which java executes.

Trying to Stop the Exploit (and failing miserably)

I tried a series of moves to stop the exploit; all but one of them failed, and the remaining one was inconclusive.

  • Disabling JavaScript in Adobe Reader - failed to stop the exploit.
  • Configured "Security Enhanced" to prevent any PDF from accessing the internet - failed to stop the exploit.
  • Removed Adobe Reader - the website prompted me to save the PDF (see second screen cap).
  • Installed Foxit Reader with "Security Enhancements" enabled - failed to stop the exploit.
  • Configured DEP for all Windows programs - inconclusive. I saw a binary get request, and the malware downloaded and showed up in the task manager, but then it disappeared. I need more data on this before I can speak further on it.

Interestingly enough, in a majority of the cases I reviewed, the actual malware launched was install_0_msi.exe followed by a KB<random number>.exe, presumably a Pony downloader followed by a Zeus-family payload.

Screen Cap 3: Look at the task manager: Java and AcroRd32.exe. The AcroRd32.exe process is processor intensive when it opens, and nothing shows on the screen to indicate that Adobe launched.

Screen Cap 4: Adobe and Foxit Readers' security settings do not stop this attack. In my lab, disabling Java does not affect it, and neither does restricting PDF access to the internet.



Characteristics of the Blackhole 2.0 Binary Get Request:

First off, check out this article posted by Rise on malwarereports.blogspot.com. Rise decodes the parameter values in the jar file to understand how Blackhole passes the URL.

The Get Request:
  • The regex for the URL string is \.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$
  • The get requests are all performed by the user agent "Java"; in these cases it was update 29.
  • The get requests contain no referrer (but the PDF requests do).
The Response:
  • Server: nginx - be wary, this could easily be changed.
  • Content-Type: application/x-msdownload
  • Cache-Control: must-revalidate, post-check=0, pre-check=0 (I would not rely on this one)
  • Content-Disposition: attachment; filename="..." - the file name was one of three possibilities I observed:
    • readme.exe
    • info.exe
    • about.exe
  • Content-Transfer-Encoding: binary
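As an added example (not code from the original post), here are the request and response characteristics above turned into a small Python classifier. The embedded sample exchange is the post's first capture, retyped and trimmed to the headers the code inspects, and the indicator names are my own.

```python
import re

# Added example, not from the original post: apply the binary get request
# characteristics listed above to one captured request/response pair.
BINARY_GET_RE = re.compile(  # the URI regex given in the post
    r"\.php\?\w\w=[a-f0-9]{10}&\w\w=[a-f0-9]{20}&\w=[0-9]{2}&\w\w=\w&\w\w=\w$"
)
PAYLOAD_NAMES = {"readme.exe", "info.exe", "about.exe"}
# Constructed sample: the post's first exchange, trimmed to the headers used.
SAMPLE_REQUEST = """GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m HTTP/1.1
User-Agent: Java/1.6.0_29
Host: sonatanamore.ru:8080
"""
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
"""

def parse_message(raw):
    """(start line, header multimap): names lower-cased, repeats kept as lists."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def indicators(request, response):
    """Post's indicators found in one exchange, strongest first. Server and
    Cache-Control are skipped because the post says they are easily changed."""
    req_line, req_h = parse_message(request)
    _, resp_h = parse_message(response)
    method, _, rest = req_line.partition(" ")
    uri = rest.rsplit(" HTTP/", 1)[0]  # drop the protocol version
    hits = []
    if method == "GET" and BINARY_GET_RE.search(uri):
        hits.append("uri-pattern")
    if "application/x-msdownload" in resp_h.get("content-type", []):
        hits.append("x-msdownload")
    if any(ua.startswith("Java/") for ua in req_h.get("user-agent", [])):
        hits.append("java-user-agent")
    if "referer" not in req_h:  # the binary gets carry no referrer
        hits.append("no-referer")
    for cd in resp_h.get("content-disposition", []):
        m = re.search(r'filename="([^"]+)"', cd)
        if m and m.group(1).lower() in PAYLOAD_NAMES:
            hits.append("payload-filename")
    return hits
```

Treat the URI pattern together with the x-msdownload body as the strong pair and the remaining indicators as corroboration, since the response headers are under the server operator's control.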



URLs (Binary get request only)

/forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m
/links/observe_resources-film.php?gf=050934030b&fe=0a050304380b37370a36&c=02&pr=n&od=v
/links/keyboard_aid_feeds.php?mf=050934030b&ue=0506050a0b0934070b06&h=02&jx=b&tj=k
/links/around_film.php?rf=050934030b&le=08040534050337333736&x=02&qb=o&zt=h
/forum/links/column.php?ff=050934030b&we=3307093738070736060b&q=02&jn=p&ep=g
/detects/signOn_go.php?ef=050934030b&me=0b350707040802093705&k=02&hz=k&kb=d
/links/calls_already_stopping.php?qf=050934030b&ue=0b36340b353507360208&p=02&kp=c&lr=p


Examples:

Example 1:

GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m HTTP/1.1
User-Agent: Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 07 Oct 2012 05:09:02 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 07 Oct 2012 12:42:41 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 92160
Example 2:

GET /links/observe_resources-film.php?gf=050934030b&fe=0a050304380b37370a36&c=02&pr=n&od=v HTTP/1.1
User-Agent: Java/1.6.0_29
Host: corandomotorider.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive 

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Sat, 20 Oct 2012 23:17:50 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
Content-Length: 444494
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Pragma: public
Expires: Sat, 20 Oct 2012 23:17:50 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"  
Content-Transfer-Encoding: binary 
Example 3:

GET /links/keyboard_aid_feeds.php?mf=050934030b&ue=0506050a0b0934070b06&h=02&jx=b&tj=k HTTP/1.1
User-Agent: Java/1.6.0_29
Host: postpozic.8x.biz
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive 

HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sat, 20 Oct 2012 23:24:20 GMT
Content-Type: application/x-msdownload
Content-Length: 368640
Connection: keep-alive
Pragma: public
Expires: Sat, 20 Oct 2012 23:23:24 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Transfer-Encoding: binary


Example 4:

GET /links/around_film.php?rf=050934030b&le=08040534050337333736&x=02&qb=o&zt=h HTTP/1.1
User-Agent: Java/1.6.0_29
Host: 94.23.43.55
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 21 Oct 2012 00:31:48 GMT
Content-Type: application/x-msdownload
Content-Length: 73326
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.2
Pragma: public
Expires: Sun, 21 Oct 2012 00:31:48 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary

Example 5:

GET /forum/links/column.php?ff=050934030b&we=3307093738070736060b&q=02&jn=p&ep=g HTTP/1.1
User-Agent: Java/1.6.0_29
Host: secondhand4u.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 21 Oct 2012 00:54:11 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 21 Oct 2012 00:52:37 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 87040

Conclusion

In conclusion, I hope that you can use this information to combat this exploit kit. As always, I welcome suggestions, feedback and teamwork. 

Possible Snort rules (I'm still testing these). Each rule is a single line.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; depth:3; content:"User-Agent: Java/1.6"; content:!"Referer"; pcre:"/\.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$/U"; classtype:successful-user; sid:98800058; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Blackhole 2.0 binary download"; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Content-Type: application/x-msdownload"; content:"Content-Disposition: attachment|3b| filename="; distance:0; content:"Content-Transfer-Encoding: binary"; distance:0; nocase; pcre:"/filename\=\"(readme\.exe|info\.exe|about\.exe)\"/smi"; classtype:successful-user; sid:98800059; rev:1;)



Shout out to @malwaremustdie and the #malwaremustdie team.

