Sunday, January 29, 2012

The Blackhole Pack

Blackhole: of all the packs I've seen, this is the one we see the most.

The other day, while watching a redirect chain that had been blocked, I decided to research the part of the chain the unsuspecting user was protected from. The landing page was a mess, obfuscated and gnarly to say the least, so I decided to run it through Wepawet to see whether it could work through the obfuscation.

Wepawet came through wonderfully and yielded the following report:


Doublediet[dot]com Report
(http://wepawet.iseclab.org/view.php?hash=4bb5c0ea61443185406fa062237525bc&type=js)

It's awesome to see the mechanics from start to finish, down to detecting the shellcode and payload.

Thanks to the Wepawet folks for an awesome tool and making it easy to read.

I am working on getting more time to play with the packs we see, and will hopefully be refining how I pull data and getting better at it.

-Paul
@demon117

Sunday, January 8, 2012

.info: home to badness

Greetings,
It has been a while since I gave this blog some attention; work has shifted to provide more research time, which will directly benefit my information gathering and my ability to share the findings.

First off, I've seen a massive uptick in Black Hole kit activity, and NeoSploit is back on the radar after we lost visibility for a bit (most likely it was us, not them, taking a break). Another pack has emerged as well that I can't identify, but it uses some interesting attempted obfuscation. It's not as blatant as Black Hole, but nowhere near as wickedly obfuscated as NeoSploit.

Getting to the title: the .info TLD is definitely home to BH and NeoSploit. Black Hole's payload/compromise is pretty easy to identify, as the binary payload download has been locked in very tight by the Emerging Threats signature. I will edit this with one of the strings, as it is completely escaping me right now. NeoSploit is never easy, at least not for me. I need to poke at the patterns again to see if there is a way to build a content match rather than going solely off of regex. This "new" pack that sits between BH and NeoSploit seems to share some of the common exploit names with BH; something I've seen regularly is the com, edu, net, org Java bits being passed. Why does it do this? I have no idea, but it does pass them.

If you have proxy logs available and can build content around them, I recommend looking for a User-Agent containing Java going to the ".info" TLD. There are more TLDs than this that are absolutely suspicious, and there is rarely a good reason for anyone to be playing with Java over there; I will find that list of suspicious TLDs that have been high fidelity when seeing Java talk to them and drop it in here too.
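As an added example of that proxy-log hunt (my code, not something from the original post), here is a small Python script that flags requests whose User-Agent contains "Java" and whose destination host ends in a suspicious TLD. The tab-separated log format and the log lines themselves are constructed for the example, not real traffic; the suspect TLD set defaults to just "info", since that is the only one the post names, and it can be widened as a parameter once the list is known. Hosts that are bare IPs or have no TLD are skipped rather than matched.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic). One request per line,
# tab-separated fields: timestamp, client IP, method, URL, status, User-Agent.
SAMPLE_LOG = """\
2012-01-08T10:01:02Z\t10.1.2.3\tGET\thttp://www.example.com/index.html\t200\tMozilla/5.0 (Windows NT 6.1) Firefox/9.0
2012-01-08T10:01:05Z\t10.1.2.3\tGET\thttp://update.example.info/patch.exe\t200\tMozilla/5.0 (Windows NT 6.1) Firefox/9.0
2012-01-08T10:01:07Z\t10.1.2.4\tGET\thttp://cdn.example.info:8080/q.php?f=2\t200\tMozilla/4.0 (Windows 7 6.1) Java/1.6.0_26
2012-01-08T10:01:09Z\t10.1.2.4\tGET\thttp://javadl-esd.sun.com/update/1.6.0/map-1.6.0.xml\t200\tJava/1.6.0_26
2012-01-08T10:01:11Z\t10.1.2.5\tGET\thttp://203.0.113.7/x.jar\t200\tMozilla/4.0 (Windows XP 5.1) Java/1.6.0_20
"""

# Only ".info" is named in the post; extend this set as the list grows.
SUSPECT_TLDS = frozenset({"info"})
# "Java" as a whole word, so "Java/1.6.0_26" matches but unrelated words do not.
JAVA_UA = re.compile(r"\bJava\b", re.IGNORECASE)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Request:
    ts: str
    client: str
    method: str
    url: str
    status: str
    ua: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one tab-separated log line; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    return Request(*parts)


def tld_of(host: str) -> Optional[str]:
    """Return the last DNS label of a host, or None for IPs / single-label names."""
    host = host.split(":")[0].rstrip(".").lower()   # drop port and trailing dot
    if not host or IPV4.match(host):
        return None
    labels = host.split(".")
    return labels[-1] if len(labels) > 1 else None


def is_suspect(req: Request, tlds=SUSPECT_TLDS) -> bool:
    """True when a Java User-Agent talks to a host in one of the suspect TLDs."""
    host = urlsplit(req.url).hostname or ""   # hostname is lowercased, port removed
    return bool(JAVA_UA.search(req.ua)) and tld_of(host) in tlds


def hunt(log_text: str, tlds=SUSPECT_TLDS) -> List[Request]:
    """Run the rule over a whole log and return the matching requests."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req and is_suspect(req, tlds):
            hits.append(req)
    return hits


if __name__ == "__main__":
    for r in hunt(SAMPLE_LOG):
        print(f"{r.ts} {r.client} -> {r.url} [{r.ua}]")
```

Keying the rule on the destination TLD rather than on the Java User-Agent alone is what keeps the noise down: the Java update check to a sun.com host in the sample is legitimate Java traffic and is left alone, while the same client's Java request to a .info host is surfaced.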

Here's to more hunting and at least blocking the bad guys.

-Paul
@demon117