Monthly Archives: December 2012

RogueAV (.BKM) Post-Compromise Traffic

This RogueAV traffic originates after a machine has been infected.

HTTP Request Method = GET
HTTP URI Fields = “*/api/test” OR “*/api/ping?stage=*” OR “*/html/viruslist/?uid=*” OR “*/content/scc”

Reference: http://about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au

Example: https://www.virustotal.com/file/91a07dda97e9ca7d414360cabd4a907bf3bc9945e36fd7ccfb2202c0cdad45f9/analysis/1356968033/

Sweet Orange v2

I love this kit.

SO v2 Gates (will have FPs)

HTTP Request Method = GET
HTTP URI contains ".php?"
Regex HTTP URI for \/[a-z]+?\.php\?([a-z_]+?=[0-9]{2,5}&){3,}[a-z_]+?=[0-9]{2,5}$

Thanks to @Set_Abominae for helping to keep this updated!

Examples:

/mysqladmin/online/finance/shows.php?thumbs=378&speakers=100&soft=39&pipermail=621&training=757&index=536
/roman/photo/servlet.php?serial=195&misc=395&config=56&join=698&promos=262&cialis=253&vendor=161
/svc/command/entry.php?journals=135&documents=522&sales=56&mature=960&linux=714

SO v2 JARs

HTTP Request Method = GET
Content Type = application/x-java-archive
HTTP URI != *.jar
Regex HTTP URI for \/[a-zA-Z]{5,10}$

Examples:

/roman/photo/urbjuPS
/roman/photo/DkTUKYm
/mysqladmin/online/finance/imHoXAej
/mysqladmin/online/finance/BqHCJUak

SO v2 PDFs

HTTP Request Method = GET
Content Type = application/pdf
HTTP URI != *.pdf
Regex HTTP URI for \/[a-zA-Z]{5,10}$ and NOT \/[a-z]{5,10}$

Examples:

/mysqladmin/online/finance/WGFhK
/roman/photo/fHICO

SO v2 EXEs

HTTP Request Method = GET
HTTP URI contains “.php?”
Content Type = application/octet-stream
Regex HTTP URI for \/[a-z]+?\.php\?([a-z_]+?=[0-9]{1,3}&){3,}[a-z_]+?=[0-9]{1,3}$

Examples:

/demos.php?nav_m=234&book=4&issue=546&fedora=171&play=634&stats=576&entry=168&warez=644&apply=472&access=263
/visits.php?index=605&left=456&special=4&audit=38&paper=171&stats=256&thumb=62&files=316&demos=538&rfid=791
/keygen.php?radio=242&special=4&paper=151&talks=248
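To check the four Sweet Orange v2 rules above against traffic in one place, here is an added Python example (my code, not from the post or from the kit's authors). It transcribes the gate, JAR, PDF and EXE signatures, applies them to a constructed list of proxy records, and includes one ordinary .php request with four numeric parameters to show the kind of false positive the gate rule produces. The EXE regex here allows an underscore in parameter names so that the nav_m example is matched; all sample records are constructed.

```python
import re

# Sweet Orange v2 signatures transcribed from the write-up above.
# The EXE key class allows "_" so that the page's own "nav_m=234" example matches.
GATE_RE = re.compile(r"/[a-z]+?\.php\?([a-z_]+?=[0-9]{2,5}&){3,}[a-z_]+?=[0-9]{2,5}$")
EXE_RE = re.compile(r"/[a-z]+?\.php\?([a-z_]+?=[0-9]{1,3}&){3,}[a-z_]+?=[0-9]{1,3}$")
NAME_RE = re.compile(r"/[a-zA-Z]{5,10}$")   # random-looking final path segment
LOWER_RE = re.compile(r"/[a-z]{5,10}$")     # all-lowercase exclusion used by the PDF rule


def classify(uri, content_type):
    """Return the SO v2 stage a request looks like ("gate", "jar", "pdf", "exe") or None."""
    ct = (content_type or "").lower()
    if ct.startswith("application/octet-stream") and ".php?" in uri and EXE_RE.search(uri):
        return "exe"
    if ct == "application/x-java-archive" and not uri.endswith(".jar") and NAME_RE.search(uri):
        return "jar"
    if (ct == "application/pdf" and not uri.endswith(".pdf")
            and NAME_RE.search(uri) and not LOWER_RE.search(uri)):
        return "pdf"
    if ".php?" in uri and GATE_RE.search(uri):
        return "gate"   # loosest rule of the four: expect false positives
    return None


# Constructed sample of (method, uri, content_type) proxy records.
SAMPLE = [
    ("GET", "/mysqladmin/online/finance/shows.php?thumbs=378&speakers=100&soft=39&pipermail=621&training=757&index=536", "text/html"),
    ("GET", "/roman/photo/urbjuPS", "application/x-java-archive"),
    ("GET", "/mysqladmin/online/finance/WGFhK", "application/pdf"),
    ("GET", "/demos.php?nav_m=234&book=4&issue=546&fedora=171&play=634&stats=576&entry=168&warez=644&apply=472&access=263", "application/octet-stream"),
    # Ordinary traffic that still trips the gate rule: four numeric params on a .php page.
    ("GET", "/shop/list.php?page=12&sort=10&limit=25&offset=100", "text/html"),
    # A real .jar download: right content type, but the URI ends in .jar.
    ("GET", "/static/vendor.jar", "application/x-java-archive"),
    # Wrong method: the rules only cover GET.
    ("POST", "/roman/photo/DkTUKYm", "application/x-java-archive"),
]


def scan(records):
    """Apply the SO v2 rules to GET records and return (uri, stage) hits in log order."""
    hits = []
    for method, uri, ctype in records:
        if method != "GET":
            continue
        stage = classify(uri, ctype)
        if stage:
            hits.append((uri, stage))
    return hits


if __name__ == "__main__":
    for uri, stage in scan(SAMPLE):
        print(f"{stage:5} {uri}")
```

The content-type checks are what keep the JAR and PDF rules tight: the same five-to-ten-letter path also appears in plenty of harmless URLs, so a hit only counts when the server claims to be returning a Java archive or a PDF from a URI that does not end in the matching extension.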

Reference: http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html

Cool Exploit Kit v2

*There is an updated version of this query*

Thanks to @Set_Abominae for pointing this out.

Per @kafeine’s blog post, Cool EK updated.

HTTP Request Method = GET
HTTP URI contains “/news/”
Regex HTTP URI for ^http:\/\/[a-f0-9]{13}\.

See examples of Cool Exploit Kit v2 on UrlQuery.net

Neosploit Redirectors

These are redirecting to neosploit/fiesta.

1) www.dreamincode.net/forums/topic/100672-how-to-get-all-ip-addresses-of-a-systems-connected-to-a-lan/ > Compromised Site
2) meleyomiho.longmusic.com/s406ezzwryav12/4e7302eaa7dc50f5769349bc18584ceb/ > DYN REDIR
3) meleyomiho.longmusic.com/hfbd8ppo/?4 > NEO GATE

1) www.dreamincode.net/forums/topic/256685-sending-a-message-to-multiple-clients/ > Compromised Site
2) qudixev.longmusic.com/2evr0hzwkxlarrx3/4e73527aa7dc50f53669349bc18c84ceb/ > DYN REDIR
3) qudixev.longmusic.com/hfbd8ppo/?4 > NEO GATE

More Examples:

budplix.changeip.name/omoslvzcvnwjnljqf/4e73014aa7dc50f6369349bc18884ceb/
cejapavqze.longmusic.com/cbz7yezbvuotg/517dd3bd75bb1f24fca169919bcf7ddf/
cothvu.changeip.name/llwstbzxwmika34/4e73014aa7dc96f0769349bc18884ceb/
denepsfol.changeip.name/yqvpnszxwaz0rkuh/fa4d85395479a005de13a117d67b10c1/
fjlide.longmusic.com/ipddy7zthhob3yds/54adcdea94611ad546a79d12229cdba6/
gevqeoq.longmusic.com/kkbjezulwaen/4e73014aa7dc50f0769378bc18884ceb/
gofozcawo.changeip.name/fcvekvzxw0wqhn/54adcdea9731134546a79d12229cdba6/
joduegqeh.changeip.name/bqdjr2zjypg7j/4e73014aa7dc50f0569349bc18884ceb/

You can regex logs for HTTP URI of:

^http:\/\/[a-z]{6,10}\.(hopto\.org|changeip\.name|longmusic\.com|ftpserver\.biz|dns04\.com|myvnc\.com|servehttp\.com|sytes\.net)\/[a-z0-9]{10,17}\/[a-f0-9]{32}\/$

See examples of Neosploit Redirectors on UrlQuery.net
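Added Python example (mine, not from the post) that runs the Neosploit redirector regex above over a constructed list of log entries. Two details it handles: the regex is anchored on ^http://, so host+path entries logged without a scheme get one prepended, and an https:// entry will not match at all. It also tallies which dynamic DNS parent each hit sits under, which is the natural pivot for blocking. The redirector URLs are the ones listed in the post; the three non-matching entries are constructed from the chain shown above.

```python
import re
from collections import Counter

# Regex from the post above; it is anchored on the scheme, so it expects a full URL.
NEO_REDIR_RE = re.compile(
    r"^http:\/\/[a-z]{6,10}\.(hopto\.org|changeip\.name|longmusic\.com|ftpserver\.biz"
    r"|dns04\.com|myvnc\.com|servehttp\.com|sytes\.net)\/[a-z0-9]{10,17}\/[a-f0-9]{32}\/$"
)


def normalize(entry):
    """Some proxies log host+path with no scheme; prepend one so the ^http:// anchor can hold."""
    return entry if "://" in entry else "http://" + entry


def neosploit_redirect(entry):
    """Return (host, dynamic DNS parent) for a matching redirector URL, else None."""
    url = normalize(entry)
    m = NEO_REDIR_RE.match(url)
    if not m:
        return None
    return url.split("/")[2], m.group(1)


# Constructed log sample: redirector URLs listed in the post plus three entries that must not match.
SAMPLE = [
    "meleyomiho.longmusic.com/s406ezzwryav12/4e7302eaa7dc50f5769349bc18584ceb/",
    "budplix.changeip.name/omoslvzcvnwjnljqf/4e73014aa7dc50f6369349bc18884ceb/",
    "cejapavqze.longmusic.com/cbz7yezbvuotg/517dd3bd75bb1f24fca169919bcf7ddf/",
    "cothvu.changeip.name/llwstbzxwmika34/4e73014aa7dc96f0769349bc18884ceb/",
    "denepsfol.changeip.name/yqvpnszxwaz0rkuh/fa4d85395479a005de13a117d67b10c1/",
    "fjlide.longmusic.com/ipddy7zthhob3yds/54adcdea94611ad546a79d12229cdba6/",
    "gevqeoq.longmusic.com/kkbjezulwaen/4e73014aa7dc50f0769378bc18884ceb/",
    "gofozcawo.changeip.name/fcvekvzxw0wqhn/54adcdea9731134546a79d12229cdba6/",
    "joduegqeh.changeip.name/bqdjr2zjypg7j/4e73014aa7dc50f0569349bc18884ceb/",
    # The compromised site that starts the chain: different domain, does not match.
    "www.dreamincode.net/forums/topic/100672-how-to-get-all-ip-addresses-of-a-systems-connected-to-a-lan/",
    # The gate that follows the redirector: no 32-hex path segment, does not match.
    "meleyomiho.longmusic.com/hfbd8ppo/?4",
    # Same host and path over https: the regex is http-only, so this is missed.
    "https://budplix.changeip.name/omoslvzcvnwjnljqf/4e73014aa7dc50f6369349bc18884ceb/",
]


def scan(entries):
    """Return the matching hosts and a tally of the dynamic DNS parents they sit under."""
    hosts, parents = [], Counter()
    for entry in entries:
        hit = neosploit_redirect(entry)
        if hit:
            hosts.append(hit[0])
            parents[hit[1]] += 1
    return hosts, parents


if __name__ == "__main__":
    hosts, parents = scan(SAMPLE)
    print(len(hosts), "redirector hits;", dict(parents))
```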

Crimeboss Exploit Kit

Gates

HTTP Request Method = GET
URI strings:
*/0day.php
*/cb.php
*.php?action=jv&h=*
*/rebots.php*

Stats

HTTP Request Method = GET
URI strings:
*/index.php?setup=d*
*/index.php?action=stats_*

Payloads

HTTP Request Method = GET
URI strings:
*/phedex/*
*/jex/*
*/cbx/*
*/pka1.jar – */pka7.jar
*/xul1.jar
*/javab.jar?r=*
*/java7.jar?r=*
*/rh.exe
*/amor1.jar
*/jmx.jar?r=*
*/jmx.jar
*/jhan.jar?r=*
*/m11.jar

See examples of Crimeboss Exploit Kit Gates on UrlQuery.net

Thanks to @malforsec for helping to keep this updated!
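The Crimeboss strings above are wildcard patterns, not regexes. The Python below (an added example, not from the post) turns them into anchored regexes treating only * as a wildcard, which matters because ? appears literally in several of them and would be a single-character wildcard under fnmatch. The pka1.jar to pka7.jar range is expanded explicitly. The sample URIs are constructed.

```python
import re

# URI strings from the Crimeboss write-up above. Only "*" is a wildcard here; "?" is a
# literal query-string separator, so fnmatch (where "?" and "[" are special) is avoided.
SIGNATURES = {
    "gate": ["*/0day.php", "*/cb.php", "*.php?action=jv&h=*", "*/rebots.php*"],
    "stats": ["*/index.php?setup=d*", "*/index.php?action=stats_*"],
    "payload": [f"*/pka{n}.jar" for n in range(1, 8)] + [
        "*/phedex/*", "*/jex/*", "*/cbx/*", "*/xul1.jar", "*/javab.jar?r=*",
        "*/java7.jar?r=*", "*/rh.exe", "*/amor1.jar", "*/jmx.jar?r=*",
        "*/jmx.jar", "*/jhan.jar?r=*", "*/m11.jar",
    ],
}


def glob_to_regex(pattern):
    """Translate a '*'-only wildcard string into an anchored regex; everything else is literal."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


COMPILED = {
    stage: [re.compile(glob_to_regex(p)) for p in patterns]
    for stage, patterns in SIGNATURES.items()
}


def classify(uri):
    """Return the Crimeboss stage ("gate", "stats", "payload") a URI matches, or None."""
    for stage, regexes in COMPILED.items():
        if any(r.match(uri) for r in regexes):
            return stage
    return None


# Constructed request URIs: hits for each stage plus near misses.
SAMPLE = [
    "/kit/0day.php",
    "/kit/page.php?action=jv&h=8f3a",
    "/index.php?setup=d1",
    "/cbx/load",
    "/pka5.jar",
    "/pka9.jar",        # outside the pka1..pka7 range
    "/javab.jar",       # the javab string requires the ?r= query
    "/0day.php.bak",    # anchored pattern: trailing text breaks the match
    "/about.php",
]


def scan(uris):
    """Count Crimeboss stages across a list of request URIs."""
    counts = {"gate": 0, "stats": 0, "payload": 0}
    for uri in uris:
        stage = classify(uri)
        if stage:
            counts[stage] += 1
    return counts


if __name__ == "__main__":
    print(scan(SAMPLE))
```

Because the translated regex is anchored at both ends, a pattern such as */0day.php matches /0day.php and /kit/0day.php but not /0day.php.bak; that is the usual semantics of proxy URI strings and is worth preserving when you port them into a regex engine.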

Unknown Exploit Kit (a036719)

Please message me via twitter if you know a name for this exploit kit.

Example Exploit Chain

mp3musparade.com/ > Compromised Site
052x.de.ms/in.php?s=1 > Redir
sjkwoyusi.sendsmtp.com/a036719
sjkwoyusi.sendsmtp.com/031336kyt/sivw7295301.html?a036719
sjkwoyusi.sendsmtp.com/01891404/lwq92536?a036719
sjkwoyusi.sendsmtp.com/01891404/omn67 > JAR
sjkwoyusi.sendsmtp.com/01891404/929220175 > PDF
sjkwoyusi.sendsmtp.com/01891404/Ini.class
sjkwoyusi.sendsmtp.com/01891404/Ini/class.class
sjkwoyusi.sendsmtp.com/01891404/967261005 (content-type is image/jpeg) > ZBOT EXE

HTTP Request Method = GET
HTTP URI contains a036719 or a2ca0dfa or /01891404/ or /omn67

Has been seen utilizing dynamic domains “jungleheart.com”, “sendsmtp.com”, and “itemdb.com”.

See examples of a036719 on UrlQuery.net

See examples of /01891404/ on UrlQuery.net

FakeAV/Locker Delivered via Email

This one is a link in an email which downloads a zip requiring the user to extract and run it.

Links:

HTTP Request Method = GET
HTTP URI contains *?php=receipt OR *.php?receipt=* OR *.php?info=* OR *.php?get_receipt=* OR *.php?receipt_print=* OR *.php?print_receipt=* OR *.php?receiptid=*
Regex HTTP URI for (\.php\?(info|(get_|print_)?receipt|receipt_print|receiptid)=([a-z0-9]{2,}_[0-9]{3,}|[0-9]{6,})|\?php=receipt)

See examples of FakeAV/Locker Delivered via Email on UrlQuery.net

Extracted file will be something like PostalReceipt.exe

30/45 on VT

If installed, you can locate post-compromise traffic with this:

HTTP Method = GET
Regex HTTP URI for (\d\d?\d?\.){3}\d\d?\d?\/[A-F0-9]{80,}$
HTTP Dest Port = 8080 or 60000 or 6667
HTTP User Agent = Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

You can also look for dll.crp which is indicative of Kuluoz.B

HTTP Method = GET
HTTP Dest Port = 8080
HTTP URI = */get/*.dll.crp
Regex HTTP URI for \/get\/[a-z0-9]+\.dll\.crp$
Content-type = application/octet-stream
HTTP User Agent = Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Thanks to @Set_Abominae for helping to keep this updated!
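Both post-compromise signatures above combine several fields (method, destination port, user agent, content type, URI regex), so here is an added Python example (mine, not from the post) that evaluates them as complete rules over a constructed tab-separated proxy log. The IP/hex regex is applied to host plus path, with the port checked as its own field; that reflects an assumption about how the proxy logs the URI, since the regex leaves no room for a :8080 between the IP and the slash. Hosts, paths and the log format are constructed.

```python
import csv
import io
import re

# Regexes and field values from the write-up above.
BEACON_URI_RE = re.compile(r"(\d\d?\d?\.){3}\d\d?\d?\/[A-F0-9]{80,}$")
KULUOZ_URI_RE = re.compile(r"\/get\/[a-z0-9]+\.dll\.crp$")
BEACON_PORTS = {8080, 60000, 6667}
MALWARE_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

# Constructed tab-separated proxy log: method, host, port, path, content_type, user_agent.
HEX96 = "A1B2C3D4E5F6" * 8   # 96 upper-case hex characters (constructed)
OCTET = "application/octet-stream"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
SAMPLE_LOG = "\n".join([
    "\t".join(["GET", "203.0.113.7", "8080", "/" + HEX96, OCTET, MALWARE_UA]),
    "\t".join(["GET", "203.0.113.7", "8080", "/get/k9x2.dll.crp", OCTET, MALWARE_UA]),
    "\t".join(["GET", "203.0.113.7", "443", "/" + HEX96, OCTET, MALWARE_UA]),        # wrong port
    "\t".join(["GET", "203.0.113.7", "8080", "/" + HEX96[:24], OCTET, MALWARE_UA]),  # hex too short
    "\t".join(["GET", "cdn.example.net", "80", "/" + HEX96, OCTET, BROWSER_UA]),     # hostname, real UA
])
FIELDS = ["method", "host", "port", "path", "content_type", "user_agent"]


def parse_log(text):
    """Parse the tab-separated log into dicts; the port becomes an int."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def is_beacon(rec):
    """FakeAV/Locker post-compromise check-in: IP host, long upper-case hex path, odd port, bogus UA."""
    return (rec["method"] == "GET"
            and rec["port"] in BEACON_PORTS
            and rec["user_agent"] == MALWARE_UA
            and BEACON_URI_RE.search(rec["host"] + rec["path"]) is not None)


def is_kuluoz(rec):
    """Kuluoz.B module fetch: /get/<name>.dll.crp on 8080 as octet-stream with the same UA."""
    return (rec["method"] == "GET"
            and rec["port"] == 8080
            and rec["content_type"] == OCTET
            and rec["user_agent"] == MALWARE_UA
            and KULUOZ_URI_RE.search(rec["path"]) is not None)


def scan(text):
    """Return (rule, host) alerts for every record that satisfies a rule."""
    alerts = []
    for rec in parse_log(text):
        if is_beacon(rec):
            alerts.append(("fakeav-beacon", rec["host"]))
        if is_kuluoz(rec):
            alerts.append(("kuluoz-dll", rec["host"]))
    return alerts


if __name__ == "__main__":
    for rule, host in scan(SAMPLE_LOG):
        print(rule, host)
```

The user agent is the strongest single field here: "Windows NT 9.0" is not a version any real browser reports, so a UA match alone is worth a look even when the URI rule does not fire.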

Styx Exploit Kit

Here are some signatures for detecting Styx Exploit Kit.

Gates

HTTP Request Method = GET
Regex HTTP URI for \/[a-zA-Z0-9]{40,90}$

See examples of Styx Exploit Kit Gates on UrlQuery.net

Plugin Detect

HTTP Request Method = GET
HTTP URI = */pdfx.html
Can also Regex HTTP URI for \/[a-zA-Z0-9]{40,90}\/pdfx\.html

See examples of Styx Exploit Kit PluginDetect on UrlQuery.net

JAR

HTTP Request Method = GET
HTTP Content-Type = application/x-java-archive
HTTP URI ends with *.jar
Regex HTTP URI for \/[a-zA-Z0-9]{40,90}\/[a-zA-Z0-9]{4,10}\.jar$

See examples of Styx Exploit Kit JARs on UrlQuery.net

PDF

HTTP Request Method = GET
HTTP URI ends with *.pdf
Regex HTTP URI for \/[a-zA-Z0-9]{40,90}\/[a-zA-Z0-9]{4,10}\.pdf$

See examples of Styx Exploit Kit PDFs on UrlQuery.net

EOT

HTTP Request Method = GET
HTTP URI ends with *.eot
Regex HTTP URI for \/[a-zA-Z0-9]{40,90}\/[a-zA-Z0-9]{4,10}\.eot$

Reference: http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html

EXE

HTTP Request Method = GET
HTTP Content-Type = application/octet-stream*
HTTP URI ends with &h=*
Regex HTTP URI for \/[a-zA-Z0-9]{150,}\/

See examples of Styx Exploit Kit EXEs on UrlQuery.net

Cookie Detection

HTTP Request Method = GET
Cookie = PHPSESSID=*
Regex the cookie for PHPSESSID=[0-9]{64}$
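An added Python example (mine, not from the post) that goes one step beyond per-request matching: it classifies each request with the Styx regexes above, then groups requests by client and flags a client only when a gate hit is followed by an exploit file (jar, pdf or eot) and then an EXE fetch, with the PHPSESSID cookie check reported alongside. The log records, client addresses and tokens are constructed; the dot in pdfx.html is escaped.

```python
import re

# Styx stage regexes from the write-up above (the dot in pdfx.html is escaped here).
TOKEN = r"\/[a-zA-Z0-9]{40,90}"
GATE_RE = re.compile(TOKEN + r"$")
PLUGIN_RE = re.compile(TOKEN + r"\/pdfx\.html")
JAR_RE = re.compile(TOKEN + r"\/[a-zA-Z0-9]{4,10}\.jar$")
PDF_RE = re.compile(TOKEN + r"\/[a-zA-Z0-9]{4,10}\.pdf$")
EOT_RE = re.compile(TOKEN + r"\/[a-zA-Z0-9]{4,10}\.eot$")
EXE_RE = re.compile(r"\/[a-zA-Z0-9]{150,}\/")
H_PARAM_RE = re.compile(r"&h=[^&]*$")          # "HTTP URI ends with &h=*"
COOKIE_RE = re.compile(r"PHPSESSID=[0-9]{64}$")
EXPLOIT_STAGES = {"jar", "pdf", "eot"}


def classify(uri, content_type=""):
    """Return the Styx stage a single request matches, or None."""
    if EXE_RE.search(uri) and H_PARAM_RE.search(uri) and content_type.startswith("application/octet-stream"):
        return "exe"
    if PLUGIN_RE.search(uri):
        return "plugindetect"
    if JAR_RE.search(uri) and content_type == "application/x-java-archive":
        return "jar"
    if PDF_RE.search(uri):
        return "pdf"
    if EOT_RE.search(uri):
        return "eot"
    if GATE_RE.search(uri):
        return "gate"
    return None


def is_styx_chain(stages):
    """True when a gate hit is followed by an exploit file and then an EXE, in that order."""
    if "gate" not in stages:
        return False
    after_gate = stages[stages.index("gate") + 1:]
    exploit_at = next((i for i, s in enumerate(after_gate) if s in EXPLOIT_STAGES), None)
    if exploit_at is None:
        return False
    return "exe" in after_gate[exploit_at + 1:]


def styx_sessions(log):
    """log: iterable of (client, ts, uri, content_type, cookie).
    Returns {client: (ordered stages, chain seen, Styx cookie seen)}."""
    by_client = {}
    for client, ts, uri, ctype, cookie in log:
        by_client.setdefault(client, []).append((ts, uri, ctype, cookie))
    out = {}
    for client, recs in by_client.items():
        recs.sort()   # chronological order by timestamp
        stages = [s for s in (classify(u, c) for _, u, c, _ in recs) if s]
        cookie_seen = any(COOKIE_RE.search(ck) for _, _, _, ck in recs)
        out[client] = (stages, is_styx_chain(stages), cookie_seen)
    return out


# Constructed sample: a full Styx chain from 10.0.0.5 and a lone gate-looking hit from 10.0.0.9.
TOK64 = "a1B2" * 16           # 64-character gate token (constructed)
TOK162 = "x9Y" * 54           # 162-character EXE token (constructed)
SESS = "PHPSESSID=" + "7" * 64
SAMPLE_LOG = [
    ("10.0.0.5", 1, "/" + TOK64, "text/html", ""),
    ("10.0.0.5", 2, "/" + TOK64 + "/pdfx.html", "text/html", SESS),
    ("10.0.0.5", 3, "/" + TOK64 + "/abcd.jar", "application/x-java-archive", SESS),
    ("10.0.0.5", 4, "/" + TOK162 + "/?a=1&h=9", "application/octet-stream", SESS),
    ("10.0.0.9", 1, "/" + TOK64, "text/html", ""),
    ("10.0.0.9", 2, "/assets/app.js", "application/javascript", ""),
]


if __name__ == "__main__":
    for client, (stages, chain, cookie) in styx_sessions(SAMPLE_LOG).items():
        print(client, stages, "chain" if chain else "no chain", "cookie" if cookie else "no cookie")
```

A 40-to-90 character alphanumeric path on its own is a weak signal (CDN and tracking URLs look like that too), which is why the chain check waits for the later stages before raising anything; the lone gate-looking request from 10.0.0.9 stays an observation rather than an alert.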

ProPack Exploit Kit

Reference: http://malware.dontneedcoffee.com/2012/11/meet-propack-exploit-pack.html

Gates / JAR Payloads

HTTP Method = GET
HTTP URI ends with *.php
Regex HTTP URI for \/build2?\/

JARs will have a content type of text/html

PDF Payloads

HTTP Method = GET
HTTP URI ends with *.pdf
Regex HTTP URI for \/build2?\/

EXE Payloads

HTTP Method = GET
Regex HTTP URI for \/build2?\/ and \.php\?[a-z]=[0-9]&[a-z]=[0-9]$

See Examples of ProPack on UrlQuery.net

Some Popular RogueAV Redirectors

These have been pretty popular lately; they currently redirect to RogueAV infections.

HTTP Request Method = GET
Regex HTTP URI for \/vd\/[0-9]{1,3};

See examples of RogueAV /vd/ Redirectors on UrlQuery.net

HTTP Request Method = GET
Regex HTTP URI for promo_opt=[0-9]$

See examples of RogueAV Promo Redirectors on UrlQuery.net

HTTP Request Method = GET
HTTP URI contains /api/urls/ OR /api/stats/install/

See examples of RogueAV /api/ Redirectors on UrlQuery.net