Monthly Archives: January 2013

Black Dragon BEK2 Variant

This BEK2 variant seems to use some static gate strings, each of which directs to a different payload.

/black_dragon.php
/98y7y432ufh49gj23sldkkqowpsskfnv.php
/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
/209tuj2dsljdglsgjwrigslgkjskga.php
/984y3fh8u3hfu3jcihei.php

It appears to use the /closest/ tag, but has used /only/ in the past. Everything else is standard BEK2 so it’s likely picked up by existing rules and sigs.

Example:

/closest/209tuj2dsljdglsgjwrigslgkjskga.php > GATE/PluginDetect
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?jazk=1l:33:1j:33:2j&esbr=35&htqgq=30:33:1m:1n:1h:33:30:1o:30:1h&leynl=1n:1d:1g:1d:1h:1d:1f > PDF
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?opliqayu=rbehzty&lntgr=dyvs > JAR
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?lbxpw=1l:33:1j:33:2w&ftq=30:33:1n:1m:1h:33:30:1o:30:2h&jcglbzm=1i&ykwdj=jhx&jgmzjsm=ijbnvlc > EXE from PDF
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?lf=1l:33:1j:33:2w&le=10:33:1n:1m:1h:33:30:1o:20:1h&c=1f&kv=s&vd=t > EXE from JAR

See examples of Black Dragon BEK2 on UrlQuery.net

G01pack Exploit Kit Variant

Don’t know if this is an update, or a different campaign, or whatnot…but it’s different than it used to be.

Tricky to acquire. Almost exclusive to malvertising.

DynDns Domains being used:

*.dyndns.org
*.dyndns.info
*.dyndns-at-home.com
*.dyndns.tv
*.dyndns-web.com
*.dyndns.biz
*.dyndns-ip.com
*.homeip.net
*.homelinux.com
*.mine.nu
*.blogsite.org
*.homedns.org
*.homeftp.net
*.blogdns.com
*.webhop.org
*.is-lost.org
*.is-a-musician.com
*.is-a-hunter.com
*.is-a-designer.com
*.is-into-anime.com
*.homeunix.com
*.saves-the-whales.com
*.does-it.net
*.is-an-accountant.com
*.selfip.info
*.dnsdojo.net
*.is-a-geek.com
*.doesntexist.com
*.dynalias.com
*.servegame.org

– I’m sure there are more *.is-* domains; you can look for more with a regex on the domain: “\.is(\-[a-z]+){1,}\.[a-z]+”

Regex for identifying fields:

\/(forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners|view|ads|delivery|paints|audit|css|accounts|internet|tweet|posts)\/

GATES

http://eiscalla.saves-the-whales.com/news/
http://fordnosize.is-an-accountant.com/finance/
http://noinoldun.does-it.net/news/
http://kzzjump.homedns.org/look/

MALJAR

http://talkydao.is-an-accountant.com/finance/s98w4.gif
http://mefb2bri.is-a-hunter.com/finance/syypj.gif
http://uscodedb.is-a-musician.com/finance/ja2pi.gif
http://sizecownwhen.dnsdojo.net/ads/t8wcpk.jpg
http://oracle.com-Critical-Security-Update-JRE_1.7.u17-Windows-Install-Request-From.hiynet .is-a-geek.net/ads/9hlkii92.file
http://sun.com-oracle-security-fix-jdk_1.7.u17-win32-install-request-from-bcwhensi.is-a-soxfan .org/ads/ag9ntac6nc35.applet

HTTP Request Method = GET
Content-type = application/java-archive
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.(gif|jpg|file|applet)$

MALJAR Variant

http://sizecownwhen.dnsdojo.net/ads/llctsudjeyhtsf.png
http://mefb2bri.is-a-hunter.com/ads/5p92jsuhencus8.png
http://uscodedb.is-a-musician.com/ads/28kdujeuhsgyeh.png

HTTP Request Method = GET
HTTP Content-type = text/html*
HTTP URI ends with .png
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.png$

MALJAR Variant 2

http://java.com-oracle-update-runtime.7u23-win32.install-prefix.netsizekocode.is-a-geek.net/ads/h7n6i3w.control

HTTP Request Method = GET
HTTP Content-type = application/java-archive
HTTP URI ends with .control
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.control$

EXEs

http://lewhenfold. is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F&site=33676207&login=50&

HTTP Request Method = GET
Content-type = application/octet-stream
Regex HTTP URI for “\/(forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners|view|ads|delivery|paints|audit|css|accounts|internet|tweet|posts)\/[a-z0-9]{5,14}\.php”

See more examples of g01Pack Exploit Kit on UrlQuery.net
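As an added example (not code from the post), the g01pack indicators above folded into one Python classifier: a dynamic-DNS host check using the post's *.is-* regex plus some of the listed suffixes, the directory regex, and the MALJAR (all three variants) and EXE object-name patterns. The Java User-Agent string and the request list are constructed from the URLs quoted above with the defanging spaces removed.

```python
import re
from urllib.parse import urlsplit

# Directory names observed as the first path segment of g01pack URLs (from the post's regex).
FIELDS = ("forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|"
          "banners|view|ads|delivery|paints|audit|css|accounts|internet|tweet|posts")
FIELD_RE = re.compile(r"^/(%s)/" % FIELDS)

# The post's suggestion for spotting further *.is-* dynamic-DNS families, anchored to the host end.
IS_FAMILY_RE = re.compile(r"\.is(-[a-z]+){1,}\.[a-z]+$")
# A few of the other DynDNS suffixes listed in the post (add the remaining ones in production).
DYNDNS_SUFFIXES = (".dyndns.org", ".dnsdojo.net", ".does-it.net", ".homedns.org", ".saves-the-whales.com")

# Object names from the MALJAR rules (gif/jpg/file/applet, png and control variants) and the EXE rule.
JAR_OBJ_RE = re.compile(r"^[a-z0-9]{4,14}\.(gif|jpg|file|applet|png|control)$")
EXE_OBJ_RE = re.compile(r"^[a-z0-9]{5,14}\.php$")


def classify(url, user_agent=""):
    """Label one request against the post's g01pack indicators.

    Returns "gate", "maljar", "exe", "dyndns-field" (dynamic-DNS host with a known
    directory but an unrecognised object) or "other".
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not (host.endswith(DYNDNS_SUFFIXES) or IS_FAMILY_RE.search(host)):
        return "other"
    m = FIELD_RE.match(parts.path)
    if not m:
        return "other"
    obj = parts.path[m.end():]          # whatever follows "/<field>/"
    if obj == "":
        return "gate"
    if JAR_OBJ_RE.match(obj) and "Java/1." in user_agent:
        return "maljar"                 # the MALJAR rules also require a Java/1.* User-Agent
    if EXE_OBJ_RE.match(obj):
        return "exe"
    return "dyndns-field"


# Constructed sample requests built from URLs quoted in the post; the Java UA string is assumed.
JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10"
SAMPLES = [
    ("http://eiscalla.saves-the-whales.com/news/", "Mozilla/5.0"),
    ("http://talkydao.is-an-accountant.com/finance/s98w4.gif", JAVA_UA),
    ("http://sizecownwhen.dnsdojo.net/ads/llctsudjeyhtsf.png", JAVA_UA),
    ("http://lewhenfold.is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F&site=33676207&login=50&", "Mozilla/5.0"),
    ("http://www.speedtest.net/", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for url, ua in SAMPLES:
        print(classify(url, ua), url)
```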

— Notes

This activity seems to be focused in the 31.193.195.0/24 subnet.

@c_APT_ure reported that g01pack is also active within the past few days at 216.246.98.88-90, and posted a paste of current domains.

Reference: http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/18443

Thanks to @Set_Abominae for helping to keep this updated!

AnonJDB / JDB Exploit Kit

This appears to be an older kit as @Xylibox posted on this back in July of last year. @Unixfreakjp did a nice infection writeup on it recently.

GATE

HTTP Request Method = GET
HTTP URI contains /inf.php?id=
Regex HTTP URI for “\/inf\.php\?id=[a-f0-9]{32}$”

Social Engineering (Update Adobe / DL EXE)

HTTP Request Method = GET
HTTP URI contains /lib/adobe.php?id=
Regex HTTP URI for “\/lib\/adobe\.php\?id=[a-f0-9]{32}$”

Java Exploit

HTTP Request Method = GET
HTTP URI contains /data.php?id=
User-Agent contains “Java”
Regex HTTP URI for “\/data\.php\?id=[a-f0-9]{32}$”

See Examples of AnonJDB on UrlQuery.net

Reference: http://www.xylibox.com/2012/07/anonjdb.html
http://malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html
http://blog.webroot.com/2012/01/17/inside-anonjdb-a-java-based-malware-distribution-platforms-for-drive-by-downloads/
http://www.youtube.com/watch?v=1LXtB3nTPeQ > AnonJDB Setup Video

Speedtest.net serving malvertising to g01pack Exploit Kit

You can see a paste of the main page here. The malicious code begins at line 166.

Cleaned up JS code is here.

This also highlights some changes in the g01pack exploit chain; I’ll post more about it after researching further.

Exploit Chain:

http://www.speedtest.net
http://lewhenfold.is-a-designer.com/finance/
http://lewhenfold.is-a-designer.com/finance/sw4qr.gif (application/java-archive)
http://lewhenfold.is-a-designer.com/finance/rlwra.gif (application/java-archive)
http://lewhenfold.is-a-designer.com/finance/qyjkj.php
http://lewhenfold.is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F&site=33676207&login=50& (Encoded EXE > 0x7e) > application/octet-stream

Trojan.Gatak Post-Compromise

HTTP Method = POST
Content-type = image/png
Regex HTTP URI for “\/[a-z]{4,8}\/[a-z]{3,10}\?[a-z_]{3,9}=[0-9]{2,8}&[a-z]{6,9}=[a-zA-Z0-9_*]{30,}$”

Content-type is *usually* “image/png”, but not always in my testing.

Examples:

famous.famoustattoos.net/booking/read?page=120&ylozseub=ZJRWYZFTYdqbPn*V22pQtQnJ25FsE6ucGAyeRJBo
popa.morgatory.com/sound/cat?n=18&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx
bog.judaicabyjosh.com/insight/flourence?banner_id=386514&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx
famous.famoustattoos.net/booking/read?page=120&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx
igg.niksonic.com/booking/read?page=120&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx
surio.cubicksplace.com/sound/cat?n=18&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx
inc.kevinmilligangallery.com/insight/flourencebanner_id=386514&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx

Reference: Symantec – Trojan.Gatak

BEK2 Variant 4

GATE

HTTP Request Method = GET
HTTP URI contains */index.php?*
Regex HTTP URI for “^http:\/\/[a-f0-9]{16}\.[a-z0-9-.]+?\/index\.php\?[a-z]=[a-zA-Z0-9]{150,}(={1,2})?$”

Deob Stuff / Build iframe / Plugindetect

HTTP Request Method = GET
HTTP URI = */sort.php OR */info/last/index.php
Regex HTTP URI for “^http:\/\/[0-9a-f]{25,65}\.”

See examples of /info/last/index.php on UrlQuery.net
See examples of /sort.php on UrlQuery.net

JAR

HTTP Request Method = GET
HTTP URI contains */info/last/index.php*
Content-type = application/java-archive
Regex HTTP URI for “\.php\?[a-z]{3,8}=[a-z]{3,8}&[a-z]{3,8}=[a-z]{3,8}$”

OR

HTTP Request Method = GET
HTTP URI contains */info/finance/*.jar
Content-type = application/java-archive

PDF

HTTP Request Method = GET
HTTP URI contains */info/last/index.php*
Content-type = application/pdf
Regex HTTP URI for “([1-3][a-z0-9]:){9}[1-3][a-z0-9]” (nine colon-terminated pairs followed by a final pair, as in the ten-element parameters seen in the PDF requests)

EXE *Currently works for all BEK2 variants that I’m aware of*

HTTP Request Method = GET
HTTP URI contains *.php?*
Content-type = application/x-msdownload
Regex HTTP URI for “([1-3][a-z0-9]:){9}[1-3][a-z0-9]”

EXIT/TIMEOUT REDIR

HTTP Request Method = GET
HTTP URI contains */exit.php*
Regex for “^http:\/\/[0-9a-f]{25,65}\.”

Example Chain:

hxxp://345bd0d9d7a281cf.akafi .net/index.php?o=anM9MSZrZ3l1dHJmZj1neXZkJnRpbWU9MTMwMTI5MTUyMy02NDc4ODcyNzYmc3JjPTI0JnN1cmw9d3d3LmxpbmhhcXVlbnRlLmNvbSZzcG9ydD04MCZrZXk9RTg2NDdFMDYmc3VyaT0vbGluaGFxdWVudGVibG9nLmpz > Gate / build urls
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/sort.php > Write iframe / deob urls in base 64
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php > Plugin Detect
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php?zqqwgarw=nib&sndecry=qqub > JAR
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php?njks=1l:33:1j:33:2w&ogb=3h&ebkh=1l:32:1j:2v:33:2v:1h:1h:1i:1n&rtg=1n:1d:1g:1d:1h:1d:1f > PDF
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/exit.php?x=24&t=onunload > Send victim elsewhere
hxxp://www.freemilfpassport.com/?t=113244,1,99,0 > Popover pr0n
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php?auivnl=1l:33:1j:33:2w&lak=1l:32:1j:2v:33:2v:1h:1h:1i:1n&udkdh=1i&xozzwtj=psf&pmemeyb=smemh > EXE (Java)
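As an added example (not the post's own code), the BEK2 Variant 4 rules above transcribed into a small Python matcher and run over a constructed request log modelled on the example chain. The example.net domain, the hex host label and the content types are assumptions taken from the rule definitions; the PDF/EXE pattern is written with the colon inside the repeated group, `([1-3][a-z0-9]:){9}[1-3][a-z0-9]`, which is what the ten-element parameters in the chain actually need.

```python
import re
from fnmatch import fnmatchcase

# Colon-delimited parameter group used by the PDF and EXE requests: nine "pair:" segments
# followed by a closing pair, e.g. 1l:32:1j:2v:33:2v:1h:1h:1i:1n.
COLON_GROUP = r"([1-3][a-z0-9]:){9}[1-3][a-z0-9]"

# (name, method, content-type glob, URI globs, URI regex), transcribed from the Variant 4 rules.
RULES = [
    ("gate", "GET", "*", ("*/index.php?*",),
     r"^http://[a-f0-9]{16}\.[a-z0-9.-]+?/index\.php\?[a-z]=[a-zA-Z0-9]{150,}(={1,2})?$"),
    ("deob/plugindetect", "GET", "*", ("*/sort.php", "*/info/last/index.php"), r"^http://[0-9a-f]{25,65}\."),
    ("jar", "GET", "application/java-archive", ("*/info/last/index.php*",),
     r"\.php\?[a-z]{3,8}=[a-z]{3,8}&[a-z]{3,8}=[a-z]{3,8}$"),
    ("pdf", "GET", "application/pdf", ("*/info/last/index.php*",), COLON_GROUP),
    ("exe", "GET", "application/x-msdownload", ("*.php?*",), COLON_GROUP),
    ("exit-redir", "GET", "*", ("*/exit.php*",), r"^http://[0-9a-f]{25,65}\."),
]
COMPILED = [(n, m, ct, globs, re.compile(rx)) for n, m, ct, globs, rx in RULES]


def match_rules(method, content_type, uri):
    """Names of every rule whose method, content-type, URI glob and URI regex all fit one request."""
    return [n for n, m, ct, globs, rx in COMPILED
            if method == m
            and fnmatchcase(content_type, ct)
            and any(fnmatchcase(uri, g) for g in globs)   # glob '?' matches any one char, '?' included
            and rx.search(uri)]


def misplaced_colon_fires(uri):
    """Sanity check: with the colon outside the group, ':{9}' demands nine consecutive colons."""
    return re.search(r"([1-3][a-z0-9]):{9}[1-3][a-z0-9]", uri) is not None


# Constructed request log: query strings as in the chain above, host label and domain made up.
LONG = "0123456789abcdef" * 3 + ".example.net"   # 48-hex-char label, inside the 25-65 range
REQUESTS = [
    ("GET", "text/html", "http://0123456789abcdef.example.net/index.php?o=" + "A" * 160),
    ("GET", "text/html", f"http://{LONG}/sort.php"),
    ("GET", "application/java-archive", f"http://{LONG}/info/last/index.php?zqqwgarw=nib&sndecry=qqub"),
    ("GET", "application/pdf", f"http://{LONG}/info/last/index.php?njks=1l:33:1j:33:2w&ogb=3h"
     "&ebkh=1l:32:1j:2v:33:2v:1h:1h:1i:1n&rtg=1n:1d:1g:1d:1h:1d:1f"),
    ("GET", "text/html", f"http://{LONG}/exit.php?x=24&t=onunload"),
    ("GET", "application/x-msdownload", f"http://{LONG}/info/last/index.php?auivnl=1l:33:1j:33:2w"
     "&lak=1l:32:1j:2v:33:2v:1h:1h:1i:1n&udkdh=1i&xozzwtj=psf&pmemeyb=smemh"),
]

if __name__ == "__main__":
    for method, ctype, uri in REQUESTS:
        print(match_rules(method, ctype, uri), uri[:70])
```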

Spammed Facebook Links Lead to Reveton

Traffic chain:

ctlp.co/phm (shortened link – 302)
schnitzelfvideop.tk/84ae.html (frame to load next link)
zvlks.gormless.org/208.html?qbzsyl (page with html encoded links to download exe)
208.131.138.217/imagedl11.php (exe – application/force-download)
208.131.138.218/imagedl11.php (exe – application/force-download)

An example page can be found here. The links are just HTML entity encoded and decode to the exe links.

See more examples on UrlQuery.net

The resulting exe will match the filename regex below.

(Me|You|Iam)(Funny|Naked|Nice|Sexy|Whore|Lol)(PIC|TIFF|PNG|GIF|BMP|JPEG)\.exe$

Many comments about this can be found on mywot.

Unpacked EXE on VT
Packed EXE on VT

BEK2 :8080 Redirectors

These redirectors, reached from mass phishing, send victims to the BEK variant that uses :8080.

HTTP Request Method = GET
Regex HTTP URI for “\.htm\?[A-Z0-9]{3,}=[A-Z0-9]{5,}$”

eg.

http://kazanhospital .ru/osc.htm?TZPJ6=D3DVRRBQ5OUJLV85WPG
http://danadala .ru:8080/forum/links/column.php

http://www.borgometeo .it/mail.htm?FO0IGS=8OP4BWSO
http://bunakaranka .ru:8080/forum/links/column.php

http://wt.ktus.ttct.edu .tw/sites/default/files/upload.htm?v203=3dr1g9rfkk
http://moneymakergrow .ru:8080/forum/links/column.php

http://www.gcpvail .com/modules/mail.htm?vp9y3=1ybzz81887575rrcki
http://bunakaranka.ru:8080/forum/links/column.php

See examples of BEK2 :8080 Redirectors on UrlQuery.net

Vobfus Post-Infection Indicator

A classic, but still very active.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fVobfus

HTTP Request Method = GET
Regex HTTP URI for :443\/[a-zA-Z]+\?[a-z]$

See examples of Vobfus Post-Infection Indicator on UrlQuery.net

Shiz Backdoor Post-Compromise Traffic

HTTP Request Method = POST
HTTP URI ends with */login.php
UA = Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Can also regex the URI for [a-z]{11}\.eu\/login\.php$ if needed

References:
https://www.virustotal.com/file/b5ad005039657e495e81f1bf97d3e95ec3988041412e4c4c9d760bc231d00a03/analysis/
https://www.virustotal.com/file/317ec507071772a6806da420bc69b5f81f2eebf8a3915e03c18b658b75edef29/analysis/
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Shiz-L/detailed-analysis.aspx