Showing posts with label attack. Show all posts
Showing posts with label attack. Show all posts

Tuesday, September 11, 2012

NeoSploit serving two exploits

While tracking NeoSploit it has been interesting to see behavioral changes in the kit, from varying the landing page or the sequence of how the kit delivers victims to the exploit.

NeoSploit, unlike the Blackhole kit, will serve up the exploit multiple times to the victim before the compromise occurs. Why does this happen? I have no idea, but in the future will hopefully find out.

Generally I see NeoSploit serve up a single exploit 3-5 times, this behavior has been adapted recently with addition of the new Java 0-day (referenced here by Daryl at Kahu Security). Now it looks like the kit is serving up two exploits, both served up multiple times to the victim.

2012-09-10T19:36:13  200  text/html                 513:7947    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?2
2012-09-10T19:36:18  200  application/octet-stream  373:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:18  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:19  200  application/octet-stream  330:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:19  200  application/octet-stream  330:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:33  200  application/octet-stream  373:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:33  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:34  200  application/octet-stream  373:3757    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105
2012-09-10T19:36:34  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:35  200  application/octet-stream  373:6623    GET  hxxp://minigamesobihais[.]org/gf3ztv8/?4e466b7c405c14f15606420d04590f540451020d020007580155005302530355
2012-09-10T19:36:36  200  application/octet-stream  298:161052  GET  hxxp://minigamesobihais[.]org/gf3ztv8/?2826a54d96e538d05740570d530e0c53020c040d5557045f0708065355040052;1;1
2012-09-10T19:36:37  200  text/html                 300:226     GET  hxxp://minigamesobihais[.]org/gf3ztv8/?2826a54d96e538d05740570d530e0c53020c040d5557045f0708065355040052;1;1;1

I was able to grab the exploits from this interaction and run them through Virus Total.

First up:

659fdb537a47b1d90651585d56590d0406010f5d5000050803050d0350530105

1/42 detections
AhnLab-V3  with Java/Cve-2012-1723

Older but extremely effective java exploit.

Second up:
4e466b7c405c14f15606420d04590f540451020d020007580155005302530355

5faee8c1d7a9b0e5e6ea52720a958794
3/41 detections
Kaspersky HEUR:Exploit.Java.CVE-2012-4681.gen

And here we have the the Java 0-day.

As for the payload, we saw this medfos served up at the end.

2/41 detections
Fortinet W32/Medfos.ALI!tr

Traffic generated by Medfos looked like this: http://IP
/file/id=BwBwAAEAOuxqCQEFABcAAABWAAAAAAAAAAAAAACMDA... (truncated due to bad bad formatting)

Always interesting to see what shows up after a successful encounter.

Reading Daryl's writeup again, he goes into the deobfuscation and tears through the kit, which is awesome. If you're not following him on twitter (@kahusecurity) or reading his blog and you're in security, you need to do it NOW! (Seriously now!)

It would be interesting to see if there is a way, like Emerging Threats has done with the Blackhole kit, to build a sig off the number of landing page. 

Granted the way we've been attacking it is building a rule off of exploit delivery URI, load URI, and post-load URI patterns.

Exploit sig:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CURRENT_EVENTS Neosploit Exploit URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}$/U"; classtype:attempted-user; reference:url,www.google.com; sid:*******; rev:2; )

Load URI sig:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CURRENT_EVENTS Neosploit Load URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}\;\d+\;\d+$/U"; classtype:attempted-user; reference:url,www.google.com; sid:*****; rev:2; )

 Post-load URI sig:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CURRENT_EVENTS Neosploit Post-Load URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}\;\d+\;\d+\;\d+$/U"; classtype:attempted-user; reference:url,www.google.com; sid:******; rev:2; )

Again, these are experimental rules.

More on NeoSploit as I can find it.

-Paul
@demon117
Posted by at No comments:
Labels: , , , , , , , , , , , , , , ,

Sunday, August 12, 2012

The "2 hit" kit

I dub this unknown kit/pack as the "2hit kit" and here is why.

The kit is extremely "simple" looking, there are two interactions with the malicious domain that serve up an exploit and then a payload.

Example:
evildomain[.]info/0516 (exploit)
evildomain[.]info/07893 (payload)

Could it be that simple?

No, however I haven't been able to find and document the missing link in the malicious traffic. My assumption of the traffic is a compromised site (possibly outdated/exploited wordpress or something along those lines) serving up the malicious JavaScript that leads to the victims system's JRE connecting to the malicious domain.

Unfortunately this has been evading me so these are my unconfirmed assumptions.

I will be editing this or adding another post with a theoretical Snort signature for this kit.

My RegEx logic: (Splunk with proxy logs)

uri_path="/0*" user_agent=*java* | regex uri_path="^/0\d{3,4}$"

Currently the logic for the signature will be based around catching the Java/1. user agent string in the header, moving into the regex for the number. There is much work to be done on it.

There is much data to sift through and sites to plug at when I have the chance.

Until I have more.

-Demon

@demon117
Posted by at No comments:
Labels: , , , , , , , , , , , , ,

Monday, February 6, 2012

A "Gotcha!" moment, literally

Researching what appears to be a malicious injection I wanted to poke at the bad site - piz[dot]de[dot]tf . Obviously, this seems malicious to me and I have still not identified where the injection is at (I need to pull .css files .etc from the cafecoronado page).

(This is related to the Sutra TDS. Thanks to Darren for the help on identifying the threat.)

I tried to wget the in.cgi?2  at the above mentioned domain and here is the output:



$ wget hxxp://piz.de.tf/in.cgi?2
--2012-02-06 10:42:54--  hxxp://piz.de.tf/in.cgi?2
Resolving piz.de.tf (piz.de.tf)... 31.184.192.6
Connecting to piz.de.tf (piz.de.tf)|31.184.192.6|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: hxxp://188.72.213.185/c/bot.js [following]
--2012-02-06 10:42:55--  hxxp://188.72.213.185/c/bot.js
Connecting to 188.72.213.185:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `bot.js'

    [ <=>                                                                                                                    ] 7           --.-K/s   in 0s     

2012-02-06 10:42:55 (273 KB/s) - `bot.js' saved [7]
                                                                                                                                                
$ cat bot.js                                                                                                                                                   
GOTCHA!$

Yes, I was found and have laughed a few times at this response.

Pretty funny stuff.

-Paul
@demon117
Posted by at 2 comments:
Labels: , , , , , , , , ,
Subscribe to: Comments (Atom)