Monday, April 2, 2012

New NeoSploit Research

Had a ton of fun digging into new encounters with the NeoSploit kit over the last two days and have discovered a bit of change from the initial encounters in the last year. It boggles my mind that it's been a year since we saw it start to show up and almost a year since I tried to get serious about tracking it. I was serious, but it was and continues to be difficult.

Over the last week I have been refining my queries to dig through the logs for the specific URI patterns, in particular the Load URI request and what I assume is the Post-Load URI request (the confirmation that the payload was delivered). The query is now solid enough to push my searches farther back in time and amass a larger data set than I currently have.

My hope is that the more data these searches yield, the better and more refined the signatures crafted from them can be. In the last year I have been tracking patterns and what I could determine of the behavior of both the kit and the traffic direction techniques it used. In that time there have been changes, and there are probably changes now that I haven't seen. This kit is brutally effective and extremely obfuscated in its tactics.

Observations from previous posts and the interactions recently are:

1. The redirection method has changed: previously a strange string/URI query, now a third-party site that a compromised site references to insert an iframe leading to the landing page.

2. No longer seeing the strange http://[IPaddress]/random.class file in the interaction process.

3. (unvalidated) The same exploit appears to be pushed multiple times prior to the Load URI request. This may not be a new thing either, but it is interesting.

4. Found a variant with a 9-character alphanumeric subdirectory in the URI path; originally I assumed there was only an 8-character path.
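To show what the log queries described above can look like in practice, here is an added example (my own illustration, not the post's actual queries or signatures). It assumes a hypothetical "timestamp client-ip method url status" proxy log layout and a constructed sample log; the only structural trait it keys on is the one noted in observation 4, a single 8- or 9-character alphanumeric subdirectory directly under the host root. The host names, file names and the letters-plus-digits heuristic are placeholders and assumptions, not the kit's real pattern. Matching requests are grouped per client, host and subdirectory so that repeated requests for the same URI within one visit (observation 3) stand out, and so that ordinary sites that happen to use an 8-character directory name (the `assets12` line) can be reviewed and excluded when tuning.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic). The layout is the
# hypothetical "timestamp client-ip method url status" format assumed here;
# hosts and file names are placeholders.
SAMPLE_LOG = """\
2012-04-01T10:00:01 10.0.0.5 GET http://compromised.example/index.html 200
2012-04-01T10:00:02 10.0.0.5 GET http://redirector.example/inject.js 200
2012-04-01T10:00:03 10.0.0.5 GET http://landing.example/aB3dE7gH/index.php 200
2012-04-01T10:00:04 10.0.0.5 GET http://landing.example/aB3dE7gH/load.php?e=1 200
2012-04-01T10:00:05 10.0.0.5 GET http://landing.example/aB3dE7gH/load.php?e=1 200
2012-04-01T10:00:06 10.0.0.5 GET http://landing.example/aB3dE7gH/done.php 200
2012-04-01T10:00:07 10.0.0.6 GET http://landing.example/Zx9Qw2Lm4/index.php 200
2012-04-01T10:00:08 10.0.0.6 GET http://landing.example/Zx9Qw2Lm4/done.php 200
2012-04-01T10:00:09 10.0.0.7 GET http://www.example.test/images/logo.png 200
2012-04-01T10:00:10 10.0.0.7 GET http://cdn.example/assets12/app.js 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Assumed shape of the landing-page path: one subdirectory of 8 or 9
# alphanumeric characters directly under the host root (both lengths were
# observed). This is an illustration, not the kit's actual URI pattern.
SUBDIR_RE = re.compile(r"^/(?P<subdir>[A-Za-z0-9]{8,9})/(?P<rest>[^/]*)$")


def parse_line(line):
    """Parse one log line into a dict with host/path/query split out, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def candidate_subdir(path):
    """Return the subdirectory name if the path fits the assumed structure, else None."""
    m = SUBDIR_RE.match(path)
    if not m:
        return None
    sub = m.group("subdir")
    # Heuristic (assumption): random-looking names mix letters and digits, so a
    # purely alphabetic or purely numeric segment is skipped to cut noise.
    if sub.isalpha() or sub.isdigit():
        return None
    return sub


def find_candidates(log_text):
    """Group matching requests by (client, host, subdir), in log order, so each
    landing-page visit can be reviewed as a sequence rather than isolated hits."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sub = candidate_subdir(rec["path"])
        if sub is None:
            continue
        uri = rec["path"] + ("?" + rec["query"] if rec["query"] else "")
        sessions[(rec["client"], rec["host"], sub)].append(uri)
    return dict(sessions)


def summarize(sessions):
    """One row per session: subdir length, request count, and any URI that was
    requested more than once within the same visit."""
    rows = []
    for (client, host, sub), uris in sorted(sessions.items()):
        repeated = sorted({u for u in uris if uris.count(u) > 1})
        rows.append({"client": client, "host": host, "subdir": sub,
                     "subdir_len": len(sub), "requests": len(uris),
                     "repeated": repeated})
    return rows


if __name__ == "__main__":
    for row in summarize(find_candidates(SAMPLE_LOG)):
        print(row)
```

Run against a real proxy or web log, the grouping step is what makes the output reviewable: a session with several requests under one random-looking subdirectory, including a repeated URI, is worth a closer look, while a single hit under a name like `assets12` is the kind of structural false positive that the letters-and-digits heuristic alone cannot remove and that a tuned signature would need additional context to exclude.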

I need to collect my notes from the last year, combine all of the request URI structures in one file for analysis, and consolidate those notes into a more coherent understanding so I can communicate my findings.

After digging through a small data set we were able to piece together 3 test signatures for Snort to track the Exploit URI, Load URI request, and Post-Load URI request. Running these for the next few months will hopefully provide much more granular content around the requests so the signatures can be tuned and shared with the community.

Happy hunting!

-Paul
@demon117