Sunday, October 30, 2011

NeoSploit Exposed

Wewt! Darryl of Kahu Security is the man! This has been the case for a very, very long time when it comes to deobfuscation and exploit kits, but I'm stoked to have read that someone other than myself has called NeoSploit out. If I haven't already, I will credit him with naming the kit I've been trying to document (with questionable success) for months and months.

Now that I'm trying to get things balanced at work, I will possibly push a little harder on researching this kit as I can. That being said, I don't promise anything amazing or special, due to my lack of knowledge and experience in poking at these things.

My current thought is that there may be a pattern in the URI paths used by the kit, though I'm not sure how to break those down. There is, however, definitely a reused pattern in the URL structure.

Case in point: a Google search for "osnp91icm" (pointed out here by @kahusecurity) yields a few domains that are absolutely related to the kit.

Domains:
warlikedisobey.org/osnp91icm/?5
numbuse.org /osnp91icm/?
scatterrider.org/osnp91icm/?5
lowmustard.org/osnp91icm/?

Here is what I found looking for the same URL pattern:
http hoeobserve.org /osnp91icm/ ?5
http torpidtawny.org /osnp91icm/ ?5
http oxastir.org /osnp91icm/ ?5
http lowmustard.org /osnp91icm/ ?5
http arrivesmear.org /osnp91icm/ ?5


Same kit, different domains.

Frustratingly for me, the hard part is cracking the huge TLDs (com/org/net) when it comes to these kits; the less-frequented TLDs make the interaction easier to monitor. Keying off of Java interaction is pretty much a sure bet because the prey is so common; now the question is which versions of Java survive these attacks.
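As an added example (not code from the original post or from Kahu Security), here is one way to turn the two observations above, the reused `/osnp91icm/?<digit>` URL structure and the idea of keying off Java requests, into something you can run over proxy logs. It refangs the URLs exactly as they are defanged on this page, clusters hosts by URI path, and then scans constructed proxy log lines for the same landing-page shape, recording the JRE version when the request carried a `Java/x.y.z_nn` user-agent. The log line format, the `KNOWN_DIRS` set, the `example.org`/`example.net` hosts and all of the sample log lines are assumptions made for the example; only the `osnp91icm` directory and the nine domains come from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The directory name seen in every URL on this page. Add others as they are observed
# (assumption: the kit reuses a fixed directory name per campaign).
KNOWN_DIRS = {"osnp91icm"}

# The URLs exactly as they are defanged on this page (spaces inserted so they do not render as links).
DEFANGED_URLS = [
    "warlikedisobey.org/osnp91icm/?5",
    "numbuse.org /osnp91icm/?",
    "scatterrider.org/osnp91icm/?5",
    "lowmustard.org/osnp91icm/?",
    "http hoeobserve.org /osnp91icm/ ?5",
    "http torpidtawny.org /osnp91icm/ ?5",
    "http oxastir.org /osnp91icm/ ?5",
    "http lowmustard.org /osnp91icm/ ?5",
    "http arrivesmear.org /osnp91icm/ ?5",
]


def refang(defanged: str) -> str:
    """Undo the page's defanging: drop the inserted spaces and restore a scheme.

    A leading bare 'http' or 'https' token is taken as the scheme; otherwise
    http:// is assumed.
    """
    parts = defanged.split()
    scheme = "http"
    if parts and parts[0] in ("http", "https"):
        scheme = parts.pop(0)
    joined = "".join(parts)
    if "://" not in joined:
        joined = f"{scheme}://{joined}"
    return joined


def is_kit_landing(url: str, known_dirs=KNOWN_DIRS) -> bool:
    """True when the URL has the shape host/<known dir>/?<optional digits>."""
    u = urlsplit(url)
    m = re.fullmatch(r"/([A-Za-z0-9]+)/", u.path)
    if not m or m.group(1) not in known_dirs:
        return False
    # The query on this page is either empty ("?") or a single small number ("?5").
    return re.fullmatch(r"\d*", u.query) is not None


def group_by_path(defanged_urls):
    """Cluster hosts that share a URI path, which is the reused pattern the post points at."""
    groups = defaultdict(set)
    for raw in defanged_urls:
        u = urlsplit(refang(raw))
        groups[u.path].add(u.netloc.lower())
    return {path: sorted(hosts) for path, hosts in groups.items()}


# Constructed proxy log lines in an assumed format:
#   <epoch> <client ip> "<METHOD> <url>" <status> "<user-agent>"
# The Java user-agents stand in for what a JRE sends when it fetches the applet/JAR
# itself, which is the "Java interaction" the post suggests keying on.
SAMPLE_LOG = """\
1319932800 10.0.0.12 "GET http://lowmustard.org/osnp91icm/?5" 200 "Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0"
1319932803 10.0.0.12 "GET http://lowmustard.org/osnp91icm/?5" 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_22"
1319932805 10.0.0.44 "GET http://example.org/news/?5" 200 "Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0"
1319932810 10.0.0.51 "GET http://arrivesmear.org/osnp91icm/?" 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26"
1319932812 10.0.0.51 "GET http://example.net/osnp91icm2/?5" 200 "Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\d+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
JAVA_UA = re.compile(r"\bJava/(\d+\.\d+\.\d+(?:_\d+)?)")


def find_kit_hits(log_text: str, known_dirs=KNOWN_DIRS):
    """Return one record per log line whose URL matches the kit's landing-page shape.

    Each record carries the client, the host and, when the request came from the
    JRE rather than the browser, the Java version parsed out of the user-agent.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_kit_landing(m["url"], known_dirs):
            continue
        jv = JAVA_UA.search(m["ua"])
        hits.append({
            "ts": int(m["ts"]),
            "client": m["client"],
            "host": urlsplit(m["url"]).netloc.lower(),
            "java": jv.group(1) if jv else None,
        })
    return hits


if __name__ == "__main__":
    for path, hosts in group_by_path(DEFANGED_URLS).items():
        print(f"{path}: {len(hosts)} hosts -> {', '.join(hosts)}")
    for hit in find_kit_hits(SAMPLE_LOG):
        print(hit)
```

The host/JRE-version pairs that `find_kit_hits` returns are the raw material for the question the post ends on: correlate the landing-page hits that came back with a `Java/` user-agent against which clients later showed signs of compromise, and you get a list of which Java versions did and did not survive. Near-miss paths such as `/osnp91icm2/` are deliberately rejected so that the match stays on the exact directory names you have actually observed.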


It's good to be back.


-Paul
@demon117