Monthly Archives: November 2012

Pharmacy Spam

Annoying.

HTTP Request Method = GET

HTTP URI Fields:

*/images/chcm/*
*/images/mcp/*
*/images/lrx/*
*/images/cnp/*
*/images/cfp/*
*/award_apha.gif
*/award_visa.gif
*/d_canadapost.jpg
*/healthcarer.jpg
*/d_fedex.jpg
*/?cid=o1b

Unknown Exploit Kit (Gate Exploit Kit)

Haven’t seen this written about. Not sure if this is around anymore.

HTTP Request Method = GET
HTTP URI = */gate.php?*

regex URI for “\?[a-z]=\d{6,7}$”

bigdeal777.com/gate.php?f=971235
googlecounter.in/gate.php?f=860184
unclesammm.com/gate.php?f=871942
zalupka.in/gate/gate.php?f=651722
zumobtr.ru/gate.php?f=1042091

SofosFO Exploit Kit

Community name; I don't know the official name.

HTTP Request Method = GET
HTTP Domain = *.org

regex URI for “^[a-z-.]{50,}”

Example Chain:

hxxp://birthplace-admissions.sutter-iyeyeibokfuvhhqqaaeslsralphdput.org/apologistsrichardson.html > GATE
hxxp://birthplace-admissions.sutter-iyeyeibokfuvhhqqaaeslsralphdput.org/507ecc12c05d802048047bf2/1,6,0,31/9,3,0,0 > Plugin Enum?
hxxp://birthplace-admissions.sutter-iyeyeibokfuvhhqqaaeslsralphdput.org/507ecc1bc05d802048047d66/30491834/onsero.pdf > PDF
hxxp://birthplace-admissions.sutter-iyeyeibokfuvhhqqaaeslsralphdput.org/507ecc1bc05d802048047d66/396340842/171347709 > EXE

Example Domains:

ceymmmfhnhxf.takefilms-wyz-pez-dvt.org
fgqrrohdzlo.insertstringnmookrm-lsx.org
kpfgbiycifowo.freevip-bvg-nxnv-iacb.org
ldisvingc.panel-lines-krvo-arumylc.org
leeqispspvv.middle-white-kcetdkbub.org
hails-tokeniazsvwfi.sutter-iyeyeibokfuvhhqqaaeslsralphdput.org
nglvuhfox.orangevideodobfdxf-khds.org
nkuvloxgbpix.cat-email-ceepgm-mfm.org
orebpgfcnebo.juice-elite-yqtplorywub.org
ovlnzqaum.juice-elite-yqtplorywub.org
oxhyyenqbvrap.catonline-witt-imzw-piuz.org
birthplace-admissions.sutter-iyeyeibokfuvhhqqaaeslsralphdput.org

Finding Zeus Infected Hosts

Here are a few tricks for finding crimeware hosts on your network.

Zeus in DNS or Proxy Logs:

Look for Domain = *.biz

and regex for “^[a-zA-Z0-9]{30,}\.biz$”

Infected hosts will have lots of lookups to many domains. Utilizing .biz speeds up your search as that TLD is seen less often on most networks than .com or .net.

Zeus Constant Traffic to Google:

HTTP URI = google.com/webhp OR www.google.com.sg

and regex on the URI field for “^(www\.)?google\.com(\.sg)?\/webhp$”

Investigate hosts that match this query more than 50 times in a 24 hour period.
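The two Zeus searches above, applied to log data, as an added example (not code from the original post). It assumes simple space-separated DNS and proxy log lines of the form `<timestamp> <client_ip> <name-or-url>`; the sample lines are constructed, and the "at least 2 distinct .biz domains" cut-off for the DNS search is an assumption, since the post only says "lots of lookups". The Google search keeps the post's threshold of more than 50 hits inside any 24-hour window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# The two Zeus heuristics from the text.
ZEUS_BIZ_RE = re.compile(r"^[a-zA-Z0-9]{30,}\.biz$")
GOOGLE_WEBHP_RE = re.compile(r"^(www\.)?google\.com(\.sg)?\/webhp$")

# Constructed DNS log: "<timestamp> <client_ip> <queried_name>" (not real traffic).
DNS_LOG = """\
2012-11-05T08:00:01 10.0.0.7 www.example.com
2012-11-05T08:00:02 10.0.0.7 k3j2h4g5f6d7s8a9p0o1i2u3y4t5r6e7w8.biz
2012-11-05T08:00:03 10.0.0.7 q9w8e7r6t5y4u3i2o1p0a9s8d7f6g5h4j3k2.biz
2012-11-05T08:00:04 10.0.0.7 z1x2c3v4b5n6m7a8s9d0f1g2h3j4k5l6q7w8e9.biz
2012-11-05T08:00:05 10.0.0.9 shop.biz
2012-11-05T08:00:06 10.0.0.9 mail.example.net
"""

# Constructed proxy log: "<timestamp> <client_ip> <url>". Host 10.0.0.7 hits
# google.com/webhp 51 times in 50 minutes; 10.0.0.9 only twice.
PROXY_LOG = "\n".join(
    ["2012-11-05T08:%02d:00 10.0.0.7 http://www.google.com/webhp" % i for i in range(51)]
    + [
        "2012-11-05T09:00:00 10.0.0.9 http://www.google.com.sg/webhp",
        "2012-11-05T09:01:00 10.0.0.9 http://google.com/webhp",
        "2012-11-05T09:02:00 10.0.0.9 http://www.google.com/search?q=webhp",
    ]
)


def zeus_biz_suspects(log_text, min_domains=2):
    """Clients that looked up at least `min_domains` distinct 30+ character .biz
    names. The threshold is an assumption; the text only says 'lots of lookups'."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, name = line.split()
        if ZEUS_BIZ_RE.match(name):
            per_client[client].add(name)
    return {c: len(names) for c, names in per_client.items() if len(names) >= min_domains}


def google_webhp_suspects(log_text, threshold=50, window=timedelta(hours=24)):
    """Clients with more than `threshold` google webhp hits inside any `window`.
    The regex is applied to host+path with the query string dropped, because
    its '$' anchor would otherwise reject any URI that carries a query."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split()
        parts = urlsplit(url)
        if GOOGLE_WEBHP_RE.match(parts.netloc + parts.path):
            hits[client].append(datetime.fromisoformat(ts))
    suspects = {}
    for client, times in hits.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            suspects[client] = best
    return suspects


if __name__ == "__main__":
    print("DGA-style .biz lookups:", zeus_biz_suspects(DNS_LOG))
    print("google/webhp beacons:", google_webhp_suspects(PROXY_LOG))
```

The sliding window matters: a host that beacons steadily will cross 50 hits in well under 24 hours, while a calendar-day bucket can split a burst across midnight and miss it.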

Finding Malicious Redirectors

Below are some URI fields you can search for; they are commonly used when redirecting to exploit kits.

*&ab_iframe=*
*&tds-sid=*
*/go.php?sid=*
*/got.php?sid=*
*/in.cgi?*
*/linko02.php*
*/in.php*
*/index.php?go=1
*.in/?site=*
*/i.php?go=1
*/r.php?l=http*
*/404.php?go=1
*/?go=1
*/?go=2
*/vc.php?go=2
*/ep/links/moving.php
*/track.php?c00*
*.cgi?8
*/sword/in.cgi?*

This is also useful:

HTTP Request Type = GET
HTTP Status Code = 302
HTTP URI = *.cgi?*

and regex on the HTTP URI for “\.cgi\?\d+?$”
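Both redirector searches above run over proxy log lines, as an added example that is not part of the original post. The wildcard list is turned into one regex by a small converter of its own rather than `fnmatch`, because `fnmatch` treats `?` as a single-character wildcard and these patterns need it to be the literal query-string delimiter. Log format (`<client> <method> <status> <url>`) and the sample lines are constructed.

```python
import re

# URI fragments from the text, in the wildcard form the text uses.
REDIRECT_URI_GLOBS = [
    "*&ab_iframe=*", "*&tds-sid=*", "*/go.php?sid=*", "*/got.php?sid=*",
    "*/in.cgi?*", "*/linko02.php*", "*/in.php*", "*/index.php?go=1",
    "*.in/?site=*", "*/i.php?go=1", "*/r.php?l=http*", "*/404.php?go=1",
    "*/?go=1", "*/?go=2", "*/vc.php?go=2", "*/ep/links/moving.php",
    "*/track.php?c00*", "*.cgi?8", "*/sword/in.cgi?*",
]


def glob_to_regex(glob):
    """Only '*' is a wildcard in these patterns. fnmatch.translate() is avoided
    on purpose: it treats '?' as a single-character wildcard, so 'go.php?sid='
    would also match 'go.phpXsid='."""
    return "^" + ".*".join(re.escape(part) for part in glob.split("*")) + "$"


REDIRECT_RE = re.compile("|".join("(?:%s)" % glob_to_regex(g) for g in REDIRECT_URI_GLOBS))
CGI_302_RE = re.compile(r"\.cgi\?\d+?$")

# Constructed proxy log: "<client> <method> <status> <url>" (not real traffic).
PROXY_LOG = """\
10.0.0.7 GET 302 http://tds.example.invalid/in.cgi?8
10.0.0.7 GET 200 http://cdn.example.invalid/go.php?sid=12
10.0.0.8 GET 200 http://www.example.invalid/index.php?go=1
10.0.0.8 GET 302 http://www.example.invalid/foo.cgi?13
10.0.0.9 GET 200 http://www.example.invalid/search.php?q=go.php
10.0.0.9 GET 302 http://www.example.invalid/app.cgi?page=1
"""


def redirect_rules(method, status, url):
    """Names of the redirector rules a single request matches."""
    rules = []
    if REDIRECT_RE.search(url):
        rules.append("uri-list")
    # Second rule from the text: GET, status 302, URI ending in .cgi?<digits>.
    if method == "GET" and status == "302" and CGI_302_RE.search(url):
        rules.append("cgi-302")
    return tuple(rules)


def find_redirects(log_text):
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, status, url = line.split()
        rules = redirect_rules(method, status, url)
        if rules:
            hits.append((client, url, rules))
    return hits


if __name__ == "__main__":
    for client, url, rules in find_redirects(PROXY_LOG):
        print(client, ",".join(rules), url)
```

Note how `app.cgi?page=1` is not flagged even though it is a 302 to a `.cgi?` URI: the regex requires digits directly after the `?`, which is what separates the TDS-style redirectors from ordinary CGI scripts.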

Nuclear Exploit Pack Signatures

Gates

HTTP METHOD = GET
Content Type = text/html
HTTP URI = */t/*
Regex URI for “\/t\/[a-f0-9]{32}$”

See Examples on UrlQuery.net

OR

HTTP METHOD = GET
Content Type = text/html
Regex HTTP URI for “:[0-9]+\/[a-f0-9]{32}\.html”

See Examples on UrlQuery.net

JAR / PDF Payloads

HTTP METHOD = GET
Content Type = text/html
HTTP URI = *.jar OR *.pdf
Regex URI for “[a-f0-9]{32}\/[0-9]+?\/[a-f0-9]{32}\.(jar|pdf)$”

Examples:

hxxp://ravishigha.in/images/13d5ae8ab5e9f8592c67331c9e3c96bb/670158000/7f60f2b6166f381b44ef142744cd6271.jar
hxxp://travislowq.in/images/8e80dbc58fedbb3b16c41238ad27e67c/670145520/0f76f34ead3bbe76f0bc54af1f01b960.jar
hxxp://travismedz.in/images/de432476f233d162af3bbfff70e5cc6e/670205130/4d21668e2b5d171b4358bd3914444b74.jar
hxxp://travislowq.in/images/8e80dbc58fedbb3b16c41238ad27e67c/670145520/0f76f34ead3bbe76f0bc54af1f01b960.pdf
hxxp://ravishigha.in/images/13d5ae8ab5e9f8592c67331c9e3c96bb/670158000/7f60f2b6166f381b44ef142744cd6271.pdf

Executables

HTTP METHOD = GET
Content Type = application/octet-stream
Regex URI for “\/[0-9]+?\/[a-f0-9]{32}\/[a-f0-9]{32}\/[0-9](\/[0-9])?$”

Examples:

hxxp://ravishigha.in/f/670159140/39d2b0c5605315cff8a6b187b9850e8e/13d5ae8ab5e9f8592c67331c9e3c96bb/3/2
hxxp://ravishigha.in/f/670159140/39d2b0c5605315cff8a6b187b9850e8e/13d5ae8ab5e9f8592c67331c9e3c96bb/3
hxxp://ravishigha.in/f/670158000/7f60f2b6166f381b44ef142744cd6271/13d5ae8ab5e9f8592c67331c9e3c96bb/3/2
hxxp://ravishigha.in/f/670158000/7f60f2b6166f381b44ef142744cd6271/13d5ae8ab5e9f8592c67331c9e3c96bb/3
hxxp://travislowq.in/f/670145520/0f76f34ead3bbe76f0bc54af1f01b960/8e80dbc58fedbb3b16c41238ad27e67c/6
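The three Nuclear signatures (gates, JAR/PDF payloads, executables) combined into a per-client stage classifier, as an added example that is not from the original post. Each regex is paired with the method and content-type precondition the post lists next to it, and the stages seen per client are kept in order so a full gate → payload → exe sequence stands out from a single gate hit. The `ravishigha.in` URLs are the post's own examples (hxxp written as http); the gate hosts, the `0123…` token and the log format are constructed.

```python
import re
from collections import defaultdict

# Nuclear signatures from the text, keyed by stage.
GATE_T_RE = re.compile(r"\/t\/[a-f0-9]{32}$")
GATE_PORT_RE = re.compile(r":[0-9]+\/[a-f0-9]{32}\.html")
PAYLOAD_RE = re.compile(r"[a-f0-9]{32}\/[0-9]+?\/[a-f0-9]{32}\.(jar|pdf)$")
EXE_RE = re.compile(r"\/[0-9]+?\/[a-f0-9]{32}\/[a-f0-9]{32}\/[0-9](\/[0-9])?$")


def nuclear_stage(method, content_type, url):
    """Return 'gate', 'payload', 'exe' or None for one request, applying the
    method / content-type preconditions the text pairs with each regex."""
    if method != "GET":
        return None
    if content_type == "text/html":
        if GATE_T_RE.search(url) or GATE_PORT_RE.search(url):
            return "gate"
        if PAYLOAD_RE.search(url):
            return "payload"
    elif content_type == "application/octet-stream" and EXE_RE.search(url):
        return "exe"
    return None


# Constructed proxy log: "<client> <method> <content_type> <url>". The ravishigha.in
# URLs are the text's own examples (hxxp written as http); the gate hosts and the
# 0123... token are made up.
PROXY_LOG = """\
10.0.0.7 GET text/html http://gate.example.invalid/t/0123456789abcdef0123456789abcdef
10.0.0.7 GET text/html http://ravishigha.in/images/13d5ae8ab5e9f8592c67331c9e3c96bb/670158000/7f60f2b6166f381b44ef142744cd6271.jar
10.0.0.7 GET application/octet-stream http://ravishigha.in/f/670158000/7f60f2b6166f381b44ef142744cd6271/13d5ae8ab5e9f8592c67331c9e3c96bb/3/2
10.0.0.8 GET text/html http://gate.example.invalid:8080/0123456789abcdef0123456789abcdef.html
10.0.0.9 GET text/html http://www.example.invalid/t/readme
10.0.0.9 GET application/octet-stream http://www.example.invalid/f/1/setup.exe
"""


def nuclear_chains(log_text):
    """Stages seen per client, in log order."""
    chains = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, ctype, url = line.split()
        stage = nuclear_stage(method, ctype, url)
        if stage:
            chains[client].append(stage)
    return dict(chains)


def full_chain_clients(log_text):
    """Clients that reached all three stages, i.e. most likely got the dropper."""
    return sorted(c for c, stages in nuclear_chains(log_text).items()
                  if {"gate", "payload", "exe"} <= set(stages))


if __name__ == "__main__":
    print(nuclear_chains(PROXY_LOG))
    print("full chain:", full_chain_clients(PROXY_LOG))
```

A client that only shows a gate hit was probably served the landing page and nothing else (blocked plugin, wrong browser); the ones with an `exe` stage are the hosts to pull for forensics first.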

BEK 2 Payloads – Old

BEK2 used to use a 64-character hex field in its payload requests. Not seen lately.

HTTP Request Method = GET
HTTP URI = *.php?*

Regex URI for “\/[a-z0-9-_]+?\.php\?[a-z]+?=[0-9a-f]{64}&[a-z]+?=[0-9a-f]+?&”

Examples:

hxxp://epistlepu.info/links/busy-tasks-lacking.php?sbzpklj=050b040b0633090a04040904093508350b34060b0306030b070436360b383606&xvlubip=0a0005000300040a0b&fcqqb=03000900020009&xvljbpt=03030006000602040004080
hxxp://hiofuries.info/links/busy-tasks-lacking.php?kycis=0909073437030237070609050735020208063437330605073708023836380235&ujmnbn=0b000500020002&taltiudw=02000200020002&suo=030300060006020400040807
hxxp://wacookery.info/links/busy-tasks-lacking.php?fsbsreh=363402043406330b0835063807033506070b3636053603070a34043404050b38&tzhnrg=3d&ngo=333605330b3407083405&krvaiarm=0a0005000200040a02
hxxp://yaocookery.info/links/came_broadcasting_taking-various.php?gjbrvk=3736070804350b0b05063707330b04343609383436353508330705020b090802&wplctb=363c&mwesp=zjzqro&ncegre=vlefxsgu

BEK Mail Redirectors

This is a long lived URI format utilized in BEK1 and 2 emails.

HTTP Request Method = GET
HTTP URI = */js.js OR */index.html

Regex for

“http:\/\/[a-z-.]+?\/[A-Za-z0-9]{6,8}\/(index\.html|js\.js)$” NOT “\/([A-Z]{6,8}|[0-9]{6,8}|[a-z0-9]{6,8}|[a-zA-Z]{6,8})\/”

This will produce some false positives, but it is very useful.

See Examples on UrlQuery.net

BEK 2.0 Payloads – 2

This is an older URI format that is not seen as much lately.

HTTP Request Method = GET
HTTP URI = *.php?*

Regex URI for “\/[a-z0-9-_]+?\.php\?[a-z]{4,7}=[0-9]{10}&[a-z]{5,7}=[a-f0-9]{2,4}”

Examples:

hxxp://69.194.192.203/links/lies_deliberate.php?xuuorn=3736070804&ocrtq=3d&pfxwcdv=03370302073706343433&hinlzz=0a000300050002
hxxp://owner.muzafferkocer.com/watches/temporarily-directory_capable-displayed.php?aclklf=3736070804&smvgbd=4a&tfsyviv=02033506330804020307&zwrz=0302000300020002
hxxp://old.bestseopractices.info/watches/temporarily-directory_capable-displayed.php?smhirjt=3736070804&bbzylqr=44&cwrpqejm=02033506330804020307&ugtolj=0302000300020002
hxxp://209.59.223.163/links/deep_recover-result.php?ecnwz=0505360903&scxtzc=48&hmoxmn=05330b360a3333350307&rgf=0a0005000300040a0b
hxxp://209.59.223.163/links/deep_recover-result.php?vcoqe=0503333538&tycznaj=4a&iyp=05330b360a3333350307&hsupim=030200030005000405
hxxp://needle.sewingmachineaccessoriess.info/watches/temporarily-directory_capable-displayed.php?gojw=3408020603&kpfldle=33&yrnfqes=02033506330804020307&dgsuhapp=02000200020002
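The three BEK rules on this page (the old 64-hex payload format, the mail redirector with its NOT clause, and the 2.0 format above) as one small rule table, added here as an example and not taken from the original post. The point is the mail redirector: it is a match regex AND a veto regex, so a URL is only reported when the first hits and the second does not. The first two sample URLs are the post's own examples (hxxp written as http); the `mail.example.invalid` URLs and the cheap pre-checks are constructed.

```python
import re

# (rule name, cheap URI precondition, include regex, exclude regex) from the text.
BEK_RULES = [
    ("BEK2-old", lambda u: ".php?" in u,
     re.compile(r"\/[a-z0-9-_]+?\.php\?[a-z]+?=[0-9a-f]{64}&[a-z]+?=[0-9a-f]+?&"),
     None),
    ("BEK2.0-2", lambda u: ".php?" in u,
     re.compile(r"\/[a-z0-9-_]+?\.php\?[a-z]{4,7}=[0-9]{10}&[a-z]{5,7}=[a-f0-9]{2,4}"),
     None),
    ("BEK-mail", lambda u: u.endswith(("/js.js", "/index.html")),
     re.compile(r"http:\/\/[a-z-.]+?\/[A-Za-z0-9]{6,8}\/(index\.html|js\.js)$"),
     re.compile(r"\/([A-Z]{6,8}|[0-9]{6,8}|[a-z0-9]{6,8}|[a-zA-Z]{6,8})\/")),
]


def bek_rules_matching(url):
    """Names of the BEK rules a URL matches, honouring each rule's NOT clause."""
    names = []
    for name, precheck, include, exclude in BEK_RULES:
        if not precheck(url) or not include.search(url):
            continue
        # "NOT" clause: a hit on the exclusion regex vetoes the match.
        if exclude is not None and exclude.search(url):
            continue
        names.append(name)
    return names


SAMPLE_URLS = [
    # The text's own BEK examples (hxxp written as http).
    "http://epistlepu.info/links/busy-tasks-lacking.php?sbzpklj=050b040b0633090a04040904093508350b34060b0306030b070436360b383606&xvlubip=0a0005000300040a0b&fcqqb=03000900020009&xvljbpt=03030006000602040004080",
    "http://69.194.192.203/links/lies_deliberate.php?xuuorn=3736070804&ocrtq=3d&pfxwcdv=03370302073706343433&hinlzz=0a000300050002",
    # Constructed mail-redirector URLs on a reserved host name.
    "http://mail.example.invalid/Ab12Cd/index.html",  # mixed case + digit: kept
    "http://mail.example.invalid/abcdef/index.html",  # all lower-case: vetoed by NOT
    "http://mail.example.invalid/123456/js.js",       # all digits: vetoed
    "http://mail.example.invalid/ABCDEFGH/js.js",     # all upper-case: vetoed
]


def scan_urls(urls):
    """(url, rule names) for every URL that matches at least one rule."""
    return [(u, tuple(bek_rules_matching(u))) for u in urls if bek_rules_matching(u)]


if __name__ == "__main__":
    for url, names in scan_urls(SAMPLE_URLS):
        print(",".join(names), url)
```

Read together, the four alternatives in the veto regex leave only directory names that contain at least one upper-case letter and at least one digit; that is what keeps the mail rule's false-positive rate tolerable on ordinary `/<word>/index.html` paths.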

Sweet Orange (SO) Cookie Filter

SO uses a predictable cookie field in the exploit requests.

HTTP Request Method = GET
Content Type = application/*java-archive OR Content Type = application/pdf

Regex cookie field for “^\w{5}=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$”

Examples:

hxxp://dro4.trochoi.biz/aPkMt > Malicious SO PDF Payload
hxxp://niqozi.pro:8284/QWdSGB > Malicious SO Payload
hxxp://aiydedzxu.dnset.com/1241 > Malicious SO JAR Payload

This may produce some false positives. There are also text/html files with this cookie field on them that are SO related. Filtering for these will dramatically increase your FP rate.
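The SO cookie filter applied to request records, as an added example that is not code from the original post. One practical detail: the cookie regex is anchored with `^` and `$`, so it has to be run against each cookie separately rather than against the whole `Cookie` header, otherwise a request that also carries a session cookie would never match. The `text/html` case is deliberately left out, as the post advises. The record layout and all sample values are constructed.

```python
import re

SO_COOKIE_RE = re.compile(
    r"^\w{5}=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$")
# "application/*java-archive OR application/pdf" from the text, as one regex.
SO_CTYPE_RE = re.compile(r"^(application/.*java-archive|application/pdf)$")


def so_cookie_hits(method, content_type, cookie_header):
    """Names of cookies in the request's Cookie header that match the SO
    pattern, or [] when the method / content-type preconditions fail. The
    header is split into individual cookies first: with its ^ and $ anchors
    the regex would never match a header carrying several cookies."""
    if method != "GET" or not SO_CTYPE_RE.match(content_type):
        return []
    names = []
    for cookie in cookie_header.split(";"):
        cookie = cookie.strip()
        if SO_COOKIE_RE.match(cookie):
            names.append(cookie.split("=", 1)[0])
    return names


# Constructed request records: (client, method, response content type, Cookie header).
REQUESTS = [
    ("10.0.0.7", "GET", "application/java-archive",
     "abcde=0123abcd-1234-abcd-1234-0123456789ab"),
    ("10.0.0.7", "GET", "application/x-java-archive",
     "sessid=deadbeef; qwert=00000000-0000-0000-0000-000000000000"),
    # text/html also occurs with this cookie per the text, but is left out
    # of the filter to keep the false-positive rate down.
    ("10.0.0.8", "GET", "text/html",
     "abcde=0123abcd-1234-abcd-1234-0123456789ab"),
    ("10.0.0.9", "GET", "application/pdf",
     "PHPSESSID=0123abcd1234abcd1234"),
    ("10.0.0.9", "POST", "application/pdf",
     "abcde=0123abcd-1234-abcd-1234-0123456789ab"),
]


def scan_requests(records):
    """(client, cookie name) for every SO-style cookie seen on a matching request."""
    return [(client, name)
            for client, method, ctype, cookie in records
            for name in so_cookie_hits(method, ctype, cookie)]


if __name__ == "__main__":
    for client, name in scan_requests(REQUESTS):
        print(client, name)
```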