Sunday, October 30, 2011

NeoSploit Exposed

Wewt! Darryl Kahu Security is the Man! This has been the case for a very very long time when it comes to Deobfuscation and Exploit Kits but I'm stoked to have read that someone other than myself has called NeoSploit out. If I haven't already I will credit him with naming the kit I've been trying to document (with questionable success) months and months ago.

Now as I'm trying to get things balanced at work I will be possibly pushing a little more on researching this kit as I can. That being said, I don't promise anything amazing or special due to my lack of knowledge and experience at poking at these things.

My current thought on this is that there may be a pattern in the URI paths used by the kit; I'm not sure how to break those down. However, there is definitely a reused pattern in the URL structure.

Case in point: A google search for "osnp91icm" (pointed out here by @kahusecurity) yields a few domains that are absolutely related to the kit.

Domains:
warlikedisobey.org/osnp91icm/?5
numbuse.org /osnp91icm/?
scatterrider.org/osnp91icm/?5
lowmustard.org/osnp91icm/?

Here is what I found looking for the same URL pattern:
http hoeobserve.org /osnp91icm/ ?5
http torpidtawny.org /osnp91icm/ ?5
http oxastir.org /osnp91icm/ ?5
http lowmustard.org /osnp91icm/ ?5
http arrivesmear.org /osnp91icm/ ?5


Same kit, different domains.

Frustratingly for me, the hard part is cracking the huge TLDs of com/org/net when it comes to these kits; the less frequented TLDs are easier to monitor for this interaction. Keying off Java interaction is pretty much a sure bet because the prey is so common; now the question is which versions of Java survive these attacks.


It's good to be back.


-Paul
@demon117

Sunday, August 28, 2011

"Neosploit" - Where'd it go?!

I still have rocks to turn over to try and find live sites for this pack, but I haven't seen anything since roughly early to mid July.

Did these guys just disappear? No, definitely not. However, I must drum up some activity to find out more about this threat and how to catch more of it.

I know that Cinemablend was compromised for the majority of May and June, has anyone seen other sites I can poke at?

Thanks!
Paul
@demon117

Sunday, July 31, 2011

"NeoSploit" Research

I'm working on finding more about NeoSploit in past research from various sources and seeing how it correlates to what I've found and other more advanced researchers have found.

Major sources for research from the past have been:


FireEye - http://blog.fireeye.com/research/2010/06/neosploit_notes.html
M86 - http://labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit/
RSA - http://blogs.rsa.com/rsafarl/the-end-of-neosploit/

It looks like NeoSploit was pronounced dead, yet from the original versions there still seems to be some activity on the web. I've read a bit about it (not a source of knowledge by any means) from the sites (not just the links) above.

Sources for my current research:

Zscaler -
It appears that one of the Security Researchers for Zscaler, in their India office, has been interacting with this pack.

Emerging Threats -
ET has had a signature to catch the URI query activity since late June. SID 2013094 has been revised a few times to catch this. Thanks for sharing what you guys have seen and helped others to catch this stuff.

I will be sending out a request on twitter to try to collaborate more on this, using the SID as a linker, as well as requesting collaboration directly from the contributors on the ET list.

A possible clue/key to better correlation on what is going on with the pack: I've been working on this blog for a few weeks and trying to find patterns in these interactions. Something struck me as very interesting when I checked the stats page of the blog and saw that a Google search for the keyword "ea0gux4t" showed up.

I actually stumbled on this when I started the blog but didn't put enough attention towards it. Now looking back I see that was an interesting way of getting matches and seeing what the responses send... I still don't have a way of looking at the requests.

The subdirectory is fixed length and definitely seems to be a point of relation between various installs of the kit on domains.

I'm stuck right now though, the majority of my notes/research is on a box that lost a NIC in the storm last week. I'll get that up and running again so I can get more information out here.

-Paul
@demon117

Monday, July 25, 2011

"NeoSploit" URI patterns - Work In Progress

I'm digging through my samples, as well as looking for more, to collect at least as many variations as I can glean. Here is some of what I have so far:

/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04
/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03
/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
/9s1hjngl/?3319fe7979403dfa5f5a5302545e05080a0204095d5155090807555f5600070803
/9s1hjngl/?684928607837bcf753405102000304010f090109090c54000d0c505f025d060106
/9s1hjngl/?0cabed07c1e4ebae5a021359575f0206095254525e5052070b5705045501000600
/9s1hjngl/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001
/9s1hjngl/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001
/9s1hjngl/?684928607837bcf753405102000304010f090109090c54000d0c505f025d060106
/9s1hjngl/?0cabed07c1e4ebae5a021359575f0206095254525e5052070b5705045501000600
/9s1hjngl/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001
/9s1hjngl/?3e51deaa21de322f5911580a565e53500a5400015f510351085151575400515003
/9s1hjngl/?3319fe7979403dfa5f5a5302545e05080a0204095d5155090807555f5600070803
/9s1hjngl/?7125bd83de0bc5cb4446540e505f0a020e00070559505a030c0556535201080207
/ea0gux4t/?76d8457b84d3cfc25d420903050e005001075003005707590353555c57010657
/ea0gux4t/?555aac175e4e5b1b4642535a505806050304015a5501010c0150040502570002
/ea0gux4t/?12e7d21c6be350c85b53170c550906510703510c505001580557545307060056
/t6ryfisw/?356c4ffd1392a5f159544458075d5f53010d0d5756565d5057530457005305
/t6ryfisw/?2a19647f0b318cd941165702050f0e5100590a0d54040c525607030d020154
/t6ryfisw/?0200123d400de24c554a550b02090a53020a0b045302085054540204050750
/t6ryfisw/?013a3faa400de24c5549565a005d58560209085551565a5554570155075302
/t6ryfisw/?013a3faa400de24c5549565a005d58560209085551565a5554570155075302
/t6ryfisw/?165ab5c3f61d85b25b42585a510e5a04030e0e550005580755500755560000

URI Queries:
/?3319fe7979403dfa5f5a5302545e05080a0204095d5155090807555f5600070803
/?684928607837bcf753405102000304010f090109090c54000d0c505f025d060106;1;1
/?0cabed07c1e4ebae5a021359575f0206095254525e5052070b5705045501000600
/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001;1;8
/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001;1;8;1
/?684928607837bcf753405102000304010f090109090c54000d0c505f025d060106;1;1
/?0cabed07c1e4ebae5a021359575f0206095254525e5052070b5705045501000600
/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001;1;8
/?3e51deaa21de322f5911580a565e53500a5400015f510351085151575400515003
/?3319fe7979403dfa5f5a5302545e05080a0204095d5155090807555f5600070803
/?7125bd83de0bc5cb4446540e505f0a020e00070559505a030c0556535201080207
/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8
/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
/?76d8457b84d3cfc25d420903050e005001075003005707590353555c57010657
/?555aac175e4e5b1b4642535a505806050304015a5501010c0150040502570002
/?12e7d21c6be350c85b53170c550906510703510c505001580557545307060056

Variant:
/?356c4ffd1392a5f159544458075d5f53010d0d5756565d5057530457005305
/?2a19647f0b318cd941165702050f0e5100590a0d54040c525607030d020154
/?0200123d400de24c554a550b02090a53020a0b045302085054540204050750;1;8
/?013a3faa400de24c5549565a005d58560209085551565a5554570155075302;1;1
/?013a3faa400de24c5549565a005d58560209085551565a5554570155075302;1;1;1
/?165ab5c3f61d85b25b42585a510e5a04030e0e550005580755500755560000

Will be updating this as I go and find more, and will post more content and context as well.

"NeoSploit" #2

Here is the interaction from the first post; for part 2 I'm adding my analysis and further information about the interaction. (Thanks for your patience with my scattered writing attempts.) Additionally, it was pointed out that the request/response has been jumbled together in this data. I'm in the process of finding a compromised site and bouncing it off a Windows VM that will hopefully yield much more information, including the exploits/payloads delivered (Thanks Darren).

200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 272:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 384:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 384:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 text/plain 281:8036 GET hxxp://91.226.78.47/shrgr.class
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 363:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:871884 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 352:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8

Here goes my analysis:

First page coming from the compromised referer:
200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/

Redirect to landing page:
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw

Landing page used to determine plugins and vulnerabilities:
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3

**Note how the responses for these three are text/html versus below**

First exploit served:
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03

Success, and Payload download: (look at the size)
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Success? Payload download: (look at the size)(unknown why this is a duplicate)
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Interesting Additional download after payload: (denied here)
302 188:2391 GET hxxp://91.226.78.47/shrgr.class

Second exploit served:
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Success, Payload download: (look at the size)
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Success, Payload download: (undetermined why this is a duplicate)
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Repeat of a seemingly Additional download: (denied again)
302 338:2643 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly Additional download: (denied again)
302 272:2528 GET hxxp://91.226.78.47/shrgr.class

Third exploit served:
200 application/octet-stream 384:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Fourth exploit served:
200 application/octet-stream 384:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Success on Additional download
200 text/plain 281:8036 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly Additional download: (denied again)
302 188:2391 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly Additional download: (denied again)
302 338:2643 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly Additional download: (denied again)
302 363:2528 GET hxxp://91.226.78.47/shrgr.class

Third exploit served (again):
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Fourth exploit served (again):
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Third exploit served (again):
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Success, Payload download: (undetermined why this is a duplicate)
200 application/octet-stream 449:871884 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Unknown what this transaction is:
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Third Exploit attempt:
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Success, Payload download:
200 application/octet-stream 352:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8

These are my assumptions of the transactions, however as I said before I am working on finding a live site to test out in a honeyclient/VM situation.
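To make the triage above repeatable, here is an added example (my code, not the post's) that parses log lines in the format used in these posts, flags the kit URI shape described in the "URI patterns" post (a fixed-length lowercase subdirectory, then "/?" with either a short digit or a long even-length hex blob and optional ";n" fields), and tags each request with the stage it most likely represents. The sample lines are copied from the capture above plus one constructed benign line; the tag names, the 100 KB payload threshold and the 8-to-9-character subdirectory range are my assumptions drawn from the samples on this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Line shape used in the posts: "<status> [<content-type>] <out>:<in> GET <url>".
# The content type is absent on the 302 lines for shrgr.class, so it is optional.
LOG_RE = re.compile(
    r"^(?P<status>\d{3})\s+(?:(?P<ctype>[\w.+-]+/[\w.+-]+)\s+)?"
    r"(?P<out>\d+):(?P<in>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)
# Kit path: 8-char subdirectories in the July samples, 9 chars for "osnp91icm".
KIT_PATH_RE = re.compile(r"^/[a-z0-9]{8,9}/$")
# Kit query: a 1-2 digit landing-page query ("?3", "?5") or 62..66 hex chars
# (31..33 byte pairs) optionally followed by ";n" fields such as ";1;8".
KIT_QUERY_RE = re.compile(
    r"^(?P<hex>(?:[0-9a-f]{2}){31,33})(?P<flags>(?:;\d+)*)$|^(?P<short>\d{1,2})$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Lines from the post's capture (defanged "hxxp"), plus a constructed benign line.
SAMPLE_LOG = """\
200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 text/html 310:8120 GET hxxp://www.example.com/news/today.html
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    url = urlsplit(d["url"].replace("hxxp://", "http://", 1))  # undo defanging
    d.update(status=int(d["status"]), bytes_in=int(d["in"]),
             host=url.hostname or "", path=url.path, query=url.query)
    return d


def classify(e):
    """Tag a parsed request with the stage it most likely represents."""
    kit_query = KIT_QUERY_RE.match(e["query"]) if KIT_PATH_RE.match(e["path"]) else None
    if kit_query and kit_query.group("short"):
        return "kit-landing"                      # "/5cm1zrkq/?3" style
    if kit_query:
        ctype = e["ctype"] or ""
        if e["status"] == 200 and "shockwave-flash" in ctype:
            return "kit-exploit-flash"            # first exploit in the capture
        if e["status"] == 200 and e["bytes_in"] > 100_000:
            return "kit-payload"                  # the ~950 KB octet-stream fetches
        if e["status"] == 200 and ctype == "application/octet-stream":
            return "kit-exploit-other"            # the ~4 KB octet-stream fetches
        return "kit-request"                      # 302s and anything else on the kit path
    if e["path"].endswith(".class") and IPV4_RE.match(e["host"]):
        return "java-class-from-ip"               # shrgr.class pulled from a bare IP
    return "other"


def triage(log_text):
    """Return [(tag, url), ...] for each parsable line plus per-tag counts."""
    tagged = [(classify(e), e["url"]) for e in map(parse_line, log_text.splitlines()) if e]
    return tagged, Counter(tag for tag, _ in tagged)


if __name__ == "__main__":
    for tag, url in triage(SAMPLE_LOG)[0]:
        print(f"{tag:20} {url}")
```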

More to come, hopefully with even more data next time.

If you've seen interaction like this please contact me, I'd like to combine forces on this and dig into it deeper and understand what the pack is and who is running it, what it's serving up.

Thanks again!

Paul
@demon117 (twitter)

Saturday, July 16, 2011

"NeoSploit" #1

This is the first post of observation of and research into what I think is a newer version of the notorious NeoSploit exploit kit/pack.

First off, many thanks and appreciation to Darren who has mentored me at work and helped with the tracking and understanding of this and other packs. Thanks to Daryl at @kahusecurity for an excellent blog and detailed write-ups that one day I hope to approach. Thanks also to the Emerging Threats community on producing a signature to catch this pack and all of the other great contributions they have too!

My introduction to this Exploit Pack occurred after a system showed up being served what I believed was a second malicious payload via Java directly from an IP rather than a domain. Digging through the interaction I found evidence of a pack I have never seen before which had flown undetected "under the radar" and thus the hunt began. Looking at the interaction with the kit I quickly realised why it came undetected, the majority of the process was obfuscated from the domain name to the URI query.


Below is an example with information such as the HTTP status code, content type, and bytes (out/in), plus the URL structure.

200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 272:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 384:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 384:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 text/plain 281:8036 GET hxxp://91.226.78.47/shrgr.class
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 363:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:871884 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 352:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8

I will be adding further analysis/assumptions as "NeoSploit" #2.

Please check back here and as I add more posts, and as I asked on twitter please comment and provide feedback and information if you've seen this pack before!

-Paul @demon117

*DISCLAIMER* These are malicious sites, they may still be active and if so are Extremely dangerous. I have tried to make it so the links will not work, but still handle with care! If you visit them it's on your own accord and not mine. */DISCLAIMER*

The Beginning

Greetings,

Fellow researchers, readers, and anyone who has stumbled upon my writing: this is my first crack at a serious contribution to the security community, so let us see how it goes. Given my newness in the community and the unrefined nature of my research and posts, I felt it was safer to build a blog on blogspot/blogger until I get some practice. Then I'll move it to one of my domains, which will hopefully allow me to increase what I can contribute.

My name is Paul, I go by demon117 (Twitter @demon117) for various reasons, all of which are harmless unless we're gaming ;).

Thank you for visiting feel free to leave comments and feedback.

-Demon117