Showing posts with label Exploit Pack.

Tuesday, September 11, 2012

NeoSploit serving two exploits

While tracking NeoSploit it has been interesting to see behavioral changes in the kit, from variations in the landing page to the sequence in which the kit delivers exploits to victims.

NeoSploit, unlike the Blackhole kit, will serve up the exploit multiple times to the victim before the compromise occurs. Why does this happen? I have no idea, but I hope to find out in the future.

Generally I see NeoSploit serve up a single exploit 3-5 times. That behavior has changed recently with the addition of the new Java 0-day (written up by Daryl at Kahu Security): now the kit appears to serve two exploits, each served multiple times to the victim. Columns in the log below are timestamp, HTTP status, content type, bytes out:in (request:response), method and URL (defanged).

2012-09-10T19:36:13  200  text/html                 513:7947    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?2
2012-09-10T19:36:18  200  application/octet-stream  373:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:18  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:19  200  application/octet-stream  330:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:19  200  application/octet-stream  330:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:33  200  application/octet-stream  373:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:33  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:34  200  application/octet-stream  373:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:34  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:35  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:36  200  application/octet-stream  298:161052  GET  hxxp://minigamesobihais[.]org/gf3ztv8/?2826a54d96e538d05740570d530e0c53020c040d5557045f0708065355040052;1;1
2012-09-10T19:36:37  200  text/html                 300:226     GET  hxxp://minigamesobihais[.]org/gf3ztv8/?2826a54d96e538d05740570d530e0c53020c040d5557045f0708065355040052;1;1;1

I was able to grab the exploits from this interaction and run them through VirusTotal.

First up:

659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105

1/42 detections
AhnLab-V3: Java/Cve-2012-1723

An older but still extremely effective Java exploit (CVE-2012-1723).

Second up:
4e466b7c405c14f15606420d04590f540451020d020007580155005302530355

5faee8c1d7a9b0e5e6ea52720a958794
3/41 detections
Kaspersky: HEUR:Exploit.Java.CVE-2012-4681.gen

And here we have the Java 0-day (CVE-2012-4681).

As for the payload, the file served at the end of the chain (the ;1;1 load request, 161052 bytes) was Medfos:

2/41 detections
Fortinet: W32/Medfos.ALI!tr

Traffic generated by Medfos after infection looked like this (the URL is truncated here because of formatting problems):
http://IP/file/id=BwBwAAEAOuxqCQEFABcAAABWAAAAAAAAAAAAAACMDA...

Always interesting to see what shows up after a successful encounter.

Reading Daryl's write-up again: he goes into the deobfuscation and tears through the kit, which is awesome. If you're in security and not following him on Twitter (@kahusecurity) or reading his blog, you need to do it NOW! (Seriously now!)

It would be interesting to see if there is a way, like Emerging Threats has done with the Blackhole kit, to build a signature off the landing page request (the /?<digit> query) rather than the later stages.

Granted, the way we've been attacking it is by building rules off the exploit delivery URI, load URI, and post-load URI patterns.

Exploit sig:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CURRENT_EVENTS Neosploit Exploit URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}$/U"; classtype:attempted-user; reference:url,www.google.com; sid:*******; rev:2; )

Load URI sig:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CURRENT_EVENTS Neosploit Load URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}\;\d+\;\d+$/U"; classtype:attempted-user; reference:url,www.google.com; sid:*****; rev:2; )

Post-load URI sig:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CURRENT_EVENTS Neosploit Post-Load URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}\;\d+\;\d+\;\d+$/U"; classtype:attempted-user; reference:url,www.google.com; sid:******; rev:2; )

Again, these are experimental rules. Notes for anyone testing them: the reference:url value is a placeholder and the SIDs are masked, so fill in local values before loading. All three PCREs use the /U modifier (normalized URI buffer) and anchor on the end of the URI, so they key on query structure alone: a leading digit followed by 50-68 hex characters, then zero, two or three ;digits fields for the exploit, load and post-load requests respectively. Any site that happens to put a bare hex token of that shape in its query string will match the exploit rule, so expect to tune it.

More on NeoSploit as I can find it.

-Paul
@demon117

Sunday, August 12, 2012

The "2 hit" kit

I dub this unknown kit/pack the "2hit kit", and here is why.

The kit is extremely "simple" looking: there are two interactions with the malicious domain, one that serves up an exploit and then one that serves the payload.

Example:
evildomain[.]info/0516 (exploit)
evildomain[.]info/07893 (payload)

Could it be that simple?

No. However, I haven't been able to find and document the missing link in the malicious traffic. My assumption is that a compromised site (possibly an outdated/exploited WordPress install or something along those lines) serves up malicious JavaScript that leads to the victim system's JRE connecting to the malicious domain.

Unfortunately this has been evading me, so these are unconfirmed assumptions.

I will be editing this or adding another post with a theoretical Snort signature for this kit.

My RegEx logic (Splunk, with proxy logs):

uri_path="/0*" user_agent=*java* | regex uri_path="^/0\d{3,4}$"

Currently the logic for the signature will be based around catching the Java/1. user-agent string in the header, then moving into the regex for the number. There is much work to be done on it.
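The same two-part logic (JRE user-agent plus the /0 + 3-4 digit path) as an added example that is not part of the original post, taking it one step further than the Splunk search by pairing the exploit fetch with the payload fetch that follows it from the same client to the same host. The field names (_time, src, dest_host, uri_path, user_agent, bytes_in) and the key="value" record layout are assumptions about a proxy index, and the records are constructed for the example; only the regex and the "Java/1." marker come from the post.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Field names and the key="value" layout are assumptions about the proxy index;
# the records below are constructed for this example, not real traffic.
SAMPLE_LOG = r'''
_time="2012-08-12T14:02:10" src="10.1.2.3" dest_host="evildomain.info" uri_path="/0516" user_agent="Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_26" bytes_in="4870"
_time="2012-08-12T14:02:12" src="10.1.2.3" dest_host="evildomain.info" uri_path="/07893" user_agent="Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_26" bytes_in="151040"
_time="2012-08-12T14:05:40" src="10.1.2.9" dest_host="www.example.com" uri_path="/0516" user_agent="Mozilla/5.0 (Windows NT 6.1) Firefox/14.0" bytes_in="2200"
_time="2012-08-12T14:06:01" src="10.1.2.7" dest_host="javadl.example.net" uri_path="/update/1.6.0_33" user_agent="Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_26" bytes_in="120"
_time="2012-08-12T15:10:00" src="10.1.2.5" dest_host="otherbad.info" uri_path="/0912" user_agent="Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_05" bytes_in="5100"
'''

KV = re.compile(r'(\w+)="([^"]*)"')
TWO_HIT_PATH = re.compile(r"^/0\d{3,4}$")  # the post's Splunk regex: /0 then 3-4 digits
JAVA_UA = re.compile(r"Java/1\.")           # JRE user-agent marker the post keys on


@dataclass
class Hit:
    time: datetime
    src: str
    host: str
    path: str
    bytes_in: int


def parse_records(text: str) -> Iterator[Dict[str, str]]:
    """Turn key="value" lines into dicts; blank lines are skipped."""
    for line in text.strip().splitlines():
        fields = dict(KV.findall(line))
        if fields:
            yield fields


def java_numeric_hits(records) -> List[Hit]:
    """Keep only requests that match both halves of the post's logic:
    a Java/1. user agent AND a /0ddd or /0dddd path. Sorted by time."""
    hits = []
    for r in records:
        if TWO_HIT_PATH.match(r["uri_path"]) and JAVA_UA.search(r["user_agent"]):
            hits.append(Hit(datetime.fromisoformat(r["_time"]), r["src"],
                            r["dest_host"], r["uri_path"], int(r["bytes_in"])))
    return sorted(hits, key=lambda h: h.time)


def pair_two_hit(hits: List[Hit], window: timedelta = timedelta(seconds=120)
                 ) -> List[Tuple[str, str, str, str]]:
    """Pair an exploit fetch with the different-path fetch that follows it from
    the same client to the same host within `window`. Each hit pairs at most once;
    a lone numeric hit (no second request) is left unpaired."""
    pairs: List[Tuple[str, str, str, str]] = []
    pending: Dict[Tuple[str, str], Hit] = {}
    for h in hits:
        key = (h.src, h.host)
        prev = pending.get(key)
        if prev and h.path != prev.path and h.time - prev.time <= window:
            pairs.append((h.src, h.host, prev.path, h.path))
            del pending[key]
        else:
            pending[key] = h
    return pairs


if __name__ == "__main__":
    found = java_numeric_hits(parse_records(SAMPLE_LOG))
    for p in pair_two_hit(found):
        print("2hit candidate: src=%s host=%s exploit=%s payload=%s" % p)
```

The browser request to /0516 and the JRE update check with a non-numeric path both drop out at the filter stage, and the single hit against otherbad.info is reported by nothing, which is the point of pairing: one numeric Java fetch is noise, two in a row to the same host is the kit's shape.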

There is much data to sift through and sites to poke at when I have the chance.

Until I have more.

-Demon

@demon117

NeoSploit is not dead

In April/May we realized that it had been a year since we first encountered NeoSploit, and what a ride it has been since then, mostly spent figuring out how to lock in a signature for the kit.

Up until just recently (1-1.5 months ago) this was the most advanced kit I had seen, granted I've never seen anything around the install of the kit or its mechanics beyond the URI patterns. From a regular expression standpoint the pattern is a bit of a beast, but there are ways to match it.

This kit has definitely not faded away; it's out there, maybe not as prevalent as Blackhole, but it is striking from the shadows.

Looking back, I referred to the rules we created to try and catch this kit but never got into them (at least I don't think I went deep into them on here).

Here are the rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Neosploit Exploit URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}$/U"; classtype:attempted-user; reference:url,www.google.com; sid:1000021; rev:2; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Neosploit Load URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}\;\d+\;\d+$/U"; classtype:attempted-user; reference:url,www.google.com; sid:1000022; rev:2; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Neosploit Post-Load URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}\;\d+\;\d+\;\d+$/U"; classtype:attempted-user; reference:url,www.google.com; sid:1000023; rev:2; )

These rules have been crafted to catch what we've seen for a while; however, for some unknown reason we've had little success actually catching the kit. From a visibility standpoint I hope it is the rule...

Regardless, what has been observed looks like this:

Landing page (no rule for this yet):
/?<digit>

Exploits (served multiple times, mainly 3):
/?<digit><hex, variable length, 50-68 characters>

Load request (malware payload):
/?<digit><hex, 50-68 characters>;<digit(s)>;<digit(s)>

Post-load confirmation:
/?<digit><hex, 50-68 characters>;<digit(s)>;<digit(s)>;<digit, generally a 1>

The landing page is fairly sizeable and full of obfuscated JavaScript.
The exploits we've seen are all Java related and are around 5 KB.
The payload is roughly 100-300 KB in size.

Please let me know if you've seen any activity like this, have more information regarding this kit, or just want to compare notes.

I know researchers have seen it, but it seems like no one is talking about it other than quick spurts.

Thanks!

-Demon

@demon117 (on twitter)
paul.sec117@gmail[.]com for email

Monday, April 2, 2012

New NeoSploit Research

Had a ton of fun digging into new encounters with the NeoSploit kit over the last two days, and have discovered a bit of change from the initial encounters over the last year. It boggles my mind that it's been a year since we saw it start to show up, and almost a year since I tried to get serious about tracking it. I was serious, but it was and continues to be difficult.

Over the last week I have been refining my queries to dig through the logs looking for the specific URI patterns, specifically the Load URI request and what I assume is the Post-Load URI request, or confirmation that the payload was delivered. The query has proven solid enough now to push my searches farther back in time and amass a larger data set than I currently have.

My hope is that the more data these searches yield, the better and more refined the signatures crafted from them can be. Over the last year I have been tracking patterns and what I could determine of the behavior of both the kit and the traffic-direction techniques it uses. In that time there have been changes, and there are probably changes now that I haven't seen. This kit is brutally effective and its tactics are extremely obfuscated.

Observations from previous posts and the interactions recently are:

1. Changed the redirection means: previously a strange string/URI query, now a third-party site that seems to be referenced by a compromised site to insert an iframe leading to the landing page.

2. No longer seeing the strange http://[IPaddress]/random.class file in the interaction process.

3. (unvalidated) The same exploit appears to be pushed multiple times prior to the Load URI request. This may not be a new thing either, but it is interesting.

4. Found a variant with a 9-character alphanumeric subdirectory in the URI path; originally I assumed there was just an 8-character path.

I need to collect my notes from the last year and combine all of the request URI structures in a file to do analysis on, as well as consolidate my notes for a more coherent understanding and a better ability to communicate my findings.

After digging through a small data set we were able to piece together three test signatures for Snort to track the Exploit URI, Load URI request, and Post-Load URI request. Running these for the next few months will hopefully provide much more granular data around the requests so the signatures can be tuned and shared with the community.

Happy hunting!

-Paul
@demon117


Monday, February 6, 2012

A "Gotcha!" moment, literally

Researching what appears to be a malicious injection, I wanted to poke at the bad site, piz[dot]de[dot]tf. Obviously this seems malicious to me, and I have still not identified where the injection is (I need to pull the .css files etc. from the cafecoronado page).

(This is related to the Sutra TDS. Thanks to Darren for the help on identifying the threat.)

I tried to wget in.cgi?2 at the above-mentioned domain and here is the output:

$ wget hxxp://piz.de.tf/in.cgi?2
--2012-02-06 10:42:54--  hxxp://piz.de.tf/in.cgi?2
Resolving piz.de.tf (piz.de.tf)... 31.184.192.6
Connecting to piz.de.tf (piz.de.tf)|31.184.192.6|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: hxxp://188.72.213.185/c/bot.js [following]
--2012-02-06 10:42:55--  hxxp://188.72.213.185/c/bot.js
Connecting to 188.72.213.185:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `bot.js'

    [ <=>                                  ] 7           --.-K/s   in 0s

2012-02-06 10:42:55 (273 KB/s) - `bot.js' saved [7]

$ cat bot.js
GOTCHA!$

Yes, I was found, and I have laughed a few times at this response. A TDS such as Sutra sorts visitors on request details like the User-Agent and Referer before deciding what to serve, so a bare wget request is easy to single out.

Pretty funny stuff.

-Paul
@demon117

Sunday, January 29, 2012

The Blackhole Pack

Blackhole: of all the packs that I've seen, it has to be this one that we see the most.

The other day, watching a redirect chain that was blocked, I decided to research the part of the chain the unsuspecting user was protected from. The landing page was a mess, obfuscated and gnarly to say the least, so I decided to run it through Wepawet to see what it could do to work through the obfuscation.

Wepawet came through wonderfully and yielded the following report:

Doublediet[dot]com Report
(http://wepawet.iseclab.org/view.php?hash=4bb5c0ea61443185406fa062237525bc&type=js)

It's awesome to see the mechanics from start to finish, down to detecting the shellcode and payload.

Thanks to the Wepawet folks for an awesome tool and making it easy to read.

I am working on getting more time to play with the packs we see, and will hopefully be refining my means of pulling data and getting better at it.

-Paul
@demon117

Sunday, August 28, 2011

"Neosploit" - Where'd it go?!

I still have rocks to turn over to try and find live sites for this pack, but I haven't seen anything since roughly early to mid July.

Did these guys just disappear? No, definitely not. However, I must drum up some activity to find out more about this threat and how to catch more of it.

I know that Cinemablend was compromised for the majority of May and June; has anyone seen other sites I can poke at?

Thanks!
Paul
@demon117

Sunday, July 31, 2011

"NeoSploit" Research

I'm working on finding more about NeoSploit in past research from various sources and seeing how it correlates to what I've found and what other, more advanced researchers have found.

Major sources of past research have been:

FireEye - http://blog.fireeye.com/research/2010/06/neosploit_notes.html
M86 - http://labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit/
RSA - http://blogs.rsa.com/rsafarl/the-end-of-neosploit/

It looks like NeoSploit was pronounced dead, yet there still seems to be some activity on the web from the original versions. I've read a bit about it (I'm not a source of knowledge by any means) from the sites (not just the links) above.

Sources for my current research:

Zscaler - It appears that one of the security researchers for Zscaler, in their India office, has been interacting with this pack.

Emerging Threats - ET has had a signature to catch the URI query activity since late June. SID 2013094 has been revised a few times to catch this. Thanks for sharing what you guys have seen and helping others to catch this stuff.

I will be sending out a request on Twitter to try to collaborate more on this, using the SID as a linker, as well as requesting collaboration directly from the contributors on the ET list.

A possible clue/key to better correlation on what is going on with the pack: I've been working on this blog for a few weeks and trying to find patterns in these interactions. Something struck me as very interesting when I checked the stats page of the blog and saw that a Google search for the keyword "ea0gux4t" showed up.

I actually stumbled on this when I started the blog but didn't pay enough attention to it. Looking back now, I see that was an interesting way of getting matches and seeing what the responses send... I still don't have a way of looking at the requests.

The subdirectory is fixed length and definitely seems to be a point of relation between various installs of the kit on different domains.

I'm stuck right now, though; the majority of my notes/research is on a box that lost a NIC in the storm last week. I'll get that up and running again so I can get more information out here.

-Paul
@demon117

Monday, July 25, 2011

"NeoSploit" URI patterns - Work In Progress

I'm digging through my samples, as well as looking for more, to collect as many variations as I can glean. Here is some of what I have so far:

/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04
/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03
/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
/9s1hjngl/?3319fe7979403dfa5f5a5302545e05080a0204095d5155090807555f5600070803
/9s1hjngl/?684928607837bcf753405102000304010f090109090c54000d0c505f025d060106
/9s1hjngl/?0cabed07c1e4ebae5a021359575f0206095254525e5052070b5705045501000600
/9s1hjngl/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001
/9s1hjngl/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001
/9s1hjngl/?684928607837bcf753405102000304010f090109090c54000d0c505f025d060106
/9s1hjngl/?0cabed07c1e4ebae5a021359575f0206095254525e5052070b5705045501000600
/9s1hjngl/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001
/9s1hjngl/?3e51deaa21de322f5911580a565e53500a5400015f510351085151575400515003
/9s1hjngl/?3319fe7979403dfa5f5a5302545e05080a0204095d5155090807555f5600070803
/9s1hjngl/?7125bd83de0bc5cb4446540e505f0a020e00070559505a030c0556535201080207
/ea0gux4t/?76d8457b84d3cfc25d420903050e005001075003005707590353555c57010657
/ea0gux4t/?555aac175e4e5b1b4642535a505806050304015a5501010c0150040502570002
/ea0gux4t/?12e7d21c6be350c85b53170c550906510703510c505001580557545307060056
/t6ryfisw/?356c4ffd1392a5f159544458075d5f53010d0d5756565d5057530457005305
/t6ryfisw/?2a19647f0b318cd941165702050f0e5100590a0d54040c525607030d020154
/t6ryfisw/?0200123d400de24c554a550b02090a53020a0b045302085054540204050750
/t6ryfisw/?013a3faa400de24c5549565a005d58560209085551565a5554570155075302
/t6ryfisw/?013a3faa400de24c5549565a005d58560209085551565a5554570155075302
/t6ryfisw/?165ab5c3f61d85b25b42585a510e5a04030e0e550005580755500755560000

URI Queries:
/?3319fe7979403dfa5f5a5302545e05080a0204095d5155090807555f5600070803
/?684928607837bcf753405102000304010f090109090c54000d0c505f025d060106;1;1
/?0cabed07c1e4ebae5a021359575f0206095254525e5052070b5705045501000600
/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001;1;8
/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001;1;8;1
/?684928607837bcf753405102000304010f090109090c54000d0c505f025d060106;1;1
/?0cabed07c1e4ebae5a021359575f0206095254525e5052070b5705045501000600
/?1d1fb22a7837bcf7541c545d5009005008550456590650510a5055005257025001;1;8
/?3e51deaa21de322f5911580a565e53500a5400015f510351085151575400515003
/?3319fe7979403dfa5f5a5302545e05080a0204095d5155090807555f5600070803
/?7125bd83de0bc5cb4446540e505f0a020e00070559505a030c0556535201080207
/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8
/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
/?76d8457b84d3cfc25d420903050e005001075003005707590353555c57010657
/?555aac175e4e5b1b4642535a505806050304015a5501010c0150040502570002
/?12e7d21c6be350c85b53170c550906510703510c505001580557545307060056

Variant (shorter query):
/?356c4ffd1392a5f159544458075d5f53010d0d5756565d5057530457005305
/?2a19647f0b318cd941165702050f0e5100590a0d54040c525607030d020154
/?0200123d400de24c554a550b02090a53020a0b045302085054540204050750;1;8
/?013a3faa400de24c5549565a005d58560209085551565a5554570155075302;1;1
/?013a3faa400de24c5549565a005d58560209085551565a5554570155075302;1;1;1
/?165ab5c3f61d85b25b42585a510e5a04030e0e550005580755500755560000

Will be updating this as I go and find more, and will post more content and context as well.

"NeoSploit" #2

Here is the interaction from the first post; for part 2 I'm adding my analysis and further information about the interaction. (Thanks for your patience with my scattered writing attempts.) Additionally, it was pointed out that the requests/responses have been jumbled together in this data. I'm in the process of finding a compromised site and bouncing it off a Windows VM that will hopefully yield much more information, including the exploits/payloads delivered (thanks Darren).

200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 272:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 384:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 384:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 text/plain 281:8036 GET hxxp://91.226.78.47/shrgr.class
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 363:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:871884 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 352:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8

Here goes my analysis:

First page, coming from the compromised referer:
200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/

Redirect to landing page:
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw

Landing page, used to determine plugins and vulnerabilities:
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3

**Note how the responses for these three are text/html versus those below**

First exploit served:
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03

Success, and Payload download: (look at the size)
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Success? Payload download: (look at the size) (unknown why this is a duplicate)
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Interesting Additional download after payload: (denied here)
302 188:2391 GET hxxp://91.226.78.47/shrgr.class

Second exploit served:
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Success, Payload download: (look at the size)
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Success, Payload download: (undetermined why this is a duplicate)
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Repeat of a seemingly Additional download: (denied again)
302 338:2643 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly Additional download: (denied again)
302 272:2528 GET hxxp://91.226.78.47/shrgr.class

Third exploit served:
200 application/octet-stream 384:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Fourth exploit served:
200 application/octet-stream 384:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Success on Additional download
200 text/plain 281:8036 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly Additional download: (denied again)
302 188:2391 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly Additional download: (denied again)
302 338:2643 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly Additional download: (denied again)
302 363:2528 GET hxxp://91.226.78.47/shrgr.class

Third exploit served (again):
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Fourth exploit served (again):
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Third exploit served (again):
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Success, Payload download: (undetermined why this is a duplicate)
200 application/octet-stream 449:871884 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Unknown what this transaction is:
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Third Exploit attempt:
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Success, Payload download:
200 application/octet-stream 352:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8

These are my assumptions about the transactions; however, as I said before, I am working on finding a live site to test out in a honeyclient/VM situation.
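The stage logic that the three Snort rules and the URI pattern summary in "NeoSploit is not dead" encode, and that the walk-through above applies by hand, as an added example that is not part of any of the original posts: a small parser for the proxy-log layout used on this page (optional timestamp, status, optional content type, bytes out:in, method, URL) that classifies each request as landing, exploit, load or post-load by the query shape alone, counts how many times each exploit query was served, and records the load sizes. The two sample logs are copied from the captures on this page (defanged); the stage names and the 50-68 hex range are the author's, everything else is mine.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Stage patterns built from the URI structure described in the posts:
# landing "/?digit", exploit "/?digit+hex", load "...;d;d", post-load "...;d;d;d".
# The 50-68 hex range mirrors the author's Snort PCREs.
HEX = r"\d[0-9a-f]{50,68}"
STAGES = [
    ("post-load", re.compile(rf"^/\?{HEX};\d+;\d+;\d+$")),
    ("load", re.compile(rf"^/\?{HEX};\d+;\d+$")),
    ("exploit", re.compile(rf"^/\?{HEX}$")),
    ("landing", re.compile(r"^/\?\d$")),
]
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T")

# Lines copied from the September 2012 capture earlier on this page (defanged).
SEPT_2012 = """
2012-09-10T19:36:13  200  text/html                 513:7947    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?2
2012-09-10T19:36:18  200  application/octet-stream  373:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:18  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:19  200  application/octet-stream  330:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:19  200  application/octet-stream  330:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:33  200  application/octet-stream  373:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:33  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:34  200  application/octet-stream  373:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:34  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:35  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:36  200  application/octet-stream  298:161052  GET  hxxp://minigamesobihais[.]org/gf3ztv8/?2826a54d96e538d05740570d530e0c53020c040d5557045f0708065355040052;1;1
2012-09-10T19:36:37  200  text/html                 300:226     GET  hxxp://minigamesobihais[.]org/gf3ztv8/?2826a54d96e538d05740570d530e0c53020c040d5557045f0708065355040052;1;1;1
"""

# A subset of the July 2011 capture above: no timestamp, content type optional.
JULY_2011 = """
200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 352:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8
"""


def classify(tail: str) -> str:
    """Map the final '/?...' component of a request to a NeoSploit stage."""
    for name, pattern in STAGES:
        if pattern.match(tail):
            return name
    return "other"


def parse_line(line: str) -> Optional[Dict]:
    """Parse '[timestamp] status [content-type] out:in GET url' (both layouts
    used on this page). Returns None for lines that do not fit."""
    tokens = line.split()
    if "GET" not in tokens:
        return None
    if TIMESTAMP.match(tokens[0]):
        tokens = tokens[1:]
    gi = tokens.index("GET")
    out_bytes, in_bytes = (int(x) for x in tokens[gi - 1].split(":"))
    hostpath = re.sub(r"^[a-z]+://", "", tokens[gi + 1], flags=re.I)
    host, _, rest = hostpath.partition("/")
    head, _, last = ("/" + rest).rpartition("/")
    tail = "/" + last  # final component, e.g. "/?2" or "/?<hex>;1;1"
    query = tail[2:].split(";")[0] if tail.startswith("/?") else ""
    return {
        "status": int(tokens[0]),
        "ctype": tokens[1] if gi > 2 else None,
        "out": out_bytes,
        "in": in_bytes,
        "host": host,
        "dir": head.lstrip("/"),  # kit subdirectory, e.g. "gf3ztv8"
        "query": query,           # the hex token, without any ;d;d suffix
        "stage": classify(tail),
    }


def summarize(log: str) -> Dict:
    """Count stages, how many times each exploit query was served, the load
    (payload) response sizes, the subdirectories used, and whether the chain
    reached the post-load confirmation."""
    recs = [r for r in map(parse_line, log.strip().splitlines()) if r]
    stages = Counter(r["stage"] for r in recs)
    serves = Counter(r["query"] for r in recs if r["stage"] == "exploit")
    return {
        "stages": dict(stages),
        "exploit_serves": dict(serves),
        "payload_bytes": [r["in"] for r in recs if r["stage"] == "load"],
        "dirs": sorted({r["dir"] for r in recs if r["stage"] != "other"}),
        "complete": stages["post-load"] > 0,
    }


if __name__ == "__main__":
    for name, log in (("2012-09", SEPT_2012), ("2011-07", JULY_2011)):
        print(name, summarize(log))
```

On the September 2012 capture this reports one landing request, nine exploit fetches split 4/5 between the two queries, one 161052-byte load and one post-load confirmation; on the July 2011 subset it reports two different load requests (both 952128 bytes) and no post-load confirmation, and the shrgr.class and redirect-chain requests fall out as "other" because they carry no /?<digit><hex> query at all.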

More to come, hopefully with even more data next time.

If you've seen interaction like this please contact me; I'd like to combine forces on this and dig into it deeper, to understand what the pack is, who is running it, and what it's serving up.

Thanks again!

Paul
@demon117 (twitter)

Saturday, July 16, 2011

"NeoSploit" #1

This is the first post of observation of and research into what I think is a newer version of the notorious NeoSploit exploit kit/pack.

First off, many thanks and appreciation to Darren, who has mentored me at work and helped with the tracking and understanding of this and other packs. Thanks to Daryl at @kahusecurity for an excellent blog and detailed write-ups that one day I hope to approach. Thanks also to the Emerging Threats community for producing a signature to catch this pack, and for all of the other great contributions they make too!

My introduction to this exploit pack occurred after a system showed up being served what I believed was a second malicious payload via Java, directly from an IP rather than a domain. Digging through the interaction I found evidence of a pack I had never seen before, which had flown undetected "under the radar", and thus the hunt began. Looking at the interaction with the kit I quickly realised why it went undetected: the majority of the process was obfuscated, from the domain name to the URI query.


Below is an example with information like the HTTP status code, content type, and bytes (out:in) plus the URL structure.

200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 272:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 384:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 384:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 text/plain 281:8036 GET hxxp://91.226.78.47/shrgr.class
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 363:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:871884 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 352:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8

I will be adding further analysis/assumptions as "NeoSploit" #2.

Please check back here as I add more posts, and, as I asked on Twitter, please comment and provide feedback and information if you've seen this pack before!

-Paul @demon117

*DISCLAIMER* These are malicious sites, they may still be active and if so are Extremely dangerous. I have tried to make it so the links will not work, but still handle with care! If you visit them it's on your own accord and not mine. */DISCLAIMER*