Monthly Archives: February 2013

Slight changes in Crimeboss URI’s

Main information on Crimeboss can be found here.

Chain looked like this…

http:// www.theowlmag .com/album-reviews/album-review-open-by-rhye/ >> Compromised Site
http:// bebicasal. com.ar/update/ajax.php >> continue if java enabled
http:// bebicasal .com.ar//update/ajax.php?action=jv&h=1534720865 >> 302
http:// derneuntekontinent. de/cgi/index.php?x=s >> continue if java enabled
http:// derneuntekontinent .de/cgi/index.php?x=s&gmllaid=754933428&no=0 >> GATE
http:// derneuntekontinent. de/cgi/index.php?action=stats_access
http:// derneuntekontinent .de/cgi/index.php?action=stats_javaon
http:// www.backstop.org .uk/.te/amor1.jar >> 2012-4681
http:// www.backstop .org.uk/.te/jhan.jar?r=284466 >> 2013-0422
http:// www.backstop.org .uk/.te/jmx.jar?r=1061858 >> 2013-0422
http:// broodenzoets .nl/plugin/Plugin.cpl > EXE
http:// zelinares .com .br/x4.gif > EXE
http:// derneuntekontinent .de/cgi/index.php?action=stats_loaded&k=j
http:// fotoprimavera.com .br/Site/js/tabs/mago/05/Instal.jpg > EXE
http:// fotoprimavera .com .br/Site/js/tabs/mago/civic/Instal.xml

The exe’s are particularly interesting as they aren’t encoded, but have faked names along with content types. They’re downloaded by Java tho, so the user agent is there.

This should be pretty easy to see with snort and may catch some other things too… > user_agent = *Mozilla*Java/1.* > look for MZ / MZP header

Without it you’ll have a fair amount of FPs, fun stuff.

Probable ZBOT Post-Compromise Activity

Found these in a very noisy redkit attack…not totally sure that it’s ZBOT. Corrections welcome…

POST naurg. com/xhobdogfz.db
POST naurg. com/fjgmzzllvqoycbsustahfwbsuytqzhtidcjihpgvtu.rtf
POST naurg. com/issrxrdzlpofezkwhmuhymmorkplnc.7z
POST naurg. com/ixzygseaenf.log
POST ronavo .com/npjvncroe.log
POST ronavo .com/lwtirttzxoevcaztzylqbou.7z
POST ronavo .com/kaaaaaabnqayupqau.rar
POST ronavo .com/bzmqvwtwbrejgqibfkgmjirjcpwoclitfdshtsmftyuhvtwbdsqrkvgpnozym.php3

HTTP Method = POST
Content-Type = “application/x-www-form-urlencoded”
Regex HTTP URI for ^http:\/\/[a-zA-Z0-9-.]+\/[a-z]+\.(db|pif|log|rar|tpl|7z|rtf|tiff|php3|doc|pl|cgi)$

http://kargid. org/c.htm?uvZA8kUIv7AwOZCMqkqhwl7jDZUOEtWFwErdgRUr
http://joshuagsilverman .com/q.htm?tVgNliikvKhhITo2QcV1ooZ6QICtS8
http://homedecorreviews. com/g.htm?Eyl5gRHaELSinXQ9fvb8k3XUOfoOTq
http://heritageclothingcompany .com/w.htm?OomDwn2fWkkW598iEtR5afe
http://solomaquetas. com/l.htm?ZQjpwNPWV1o94aEFkSdd1vYt1ZjKWC4zOr
http://gorgeoregon. com/w.htm?f9QAXSZ4vUh6qvt43YOaauWiEfSqvZKlDjI
http://compstar .us/k.htm?oyQWBuciU6G3qqIu73gpbnxia7m2m8A8baezO51
http://canadabook .ca/y.htm?qELp27uE4QF76X65tsSEitdFC63ymvKqICc16

HTTP Method = GET
Content-Type = “application/octet-stream”
User-Agent = “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
Regex HTTP URI for \/[a-z]\.htm\?

Regex HTTP URI for ^[a-zA-Z0-9:/.?-_]{57,64}$ > they all seem to be 57-64 char right now…

Sport*.cd.am – Sibhost

More info in Sibhost post.

HTTP Method = GET
HTTP domain = sport*.cd.am (was previously sport*.c0m.li)

Common strings

404.php
yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn

Examples

sportoffergroup.cd.am/yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn
sportberserk.cd.am/yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn
sportkivsyak.cd.am/yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn
sportoslo.cd.am/yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn
sportmine1.cd.am/yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn.pdf
sportforyou.cd.am/yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn

Some more examples on UrlQuery.net

CritxPack adds CVE-2012-4792

Appears that CritXPack has incorporated CVE-2012-4792

http://cadb63dffd6e4223aa0e472b.dnsdojo.net/f310113b/torenso/in.php?jquery=default
http://cadb63dffd6e4223aa0e472b.dnsdojo.net/f310113b/torenso/js/rdps.js
http://cadb63dffd6e4223aa0e472b.dnsdojo.net/f310113b/torenso/i8.php?jquery=%64%65%66%61%75%6c%74& (default) > CVE-2012-4792

Paste of deob’d i8.php…
Compare to CoolEK CVE-2012-4792 from @kafeine

Updated indicators in CritXPack Post Here.

Slight change to Facebook malware

This is a slight change to this post.

null

http://heartbeat.scoundrelly .eu/load/dlimage4.php?9618

You can also catch this if its coming directly from facebook (main distibution method) with something like this:

HTTP Method = GET
HTTP Referer = http://www.facebook.com/
Content-type = application/force-download

Locker Post Compromise Traffic

Very Noisy Malware.

HTTP Request Method = GET
Content-type = application/octet-stream
HTTP URI ends with *.php OR *.html
Regex HTTP URI for “\/[a-z-_]{70,}\.(php|html)$” OR “\/([a-z]+(\-|_)){5,}(\-|_)?\.(php|html)$”

Examples:

http://dbtnw.ru/oa-hjyq-ybtisddnxojg-tskorpvqvrdg_ksauqkddxxrcelpaehsdceal-alla-ousu-mrwfqs-xjytcnxignohzh-qt.php
http://wvrxe.su/cgcgcgcg-cgcg_cgcgwp-ezpl-htqu-oaysvpuxoncu_vtpt-wiko-jxus-ixwgjuykxsvi_nehtxjlldgcbdmbadukseb-.php
http://dbtnw.ru/cu-opvkdgksbafvsu-oayhrn-dwmr-yejz-nlxtxyfrrcawrtez-jwfr-yvtecotumsdn-vait-dify-pipt-narpjkduuq.php
http://wvrxe.su/dhxsdknq-zajpfcgtvyzv_cegonl-eljv-mpph-kqsy-mxfyiprakylgop_fzgo_ohlxprrtxiyn-hcgb-nhbtiqfrcosh.php

http://proimagecreativeservices.com/forums/vkwqahirbdwviurviuujvsgusnsgazrxryqf-xtorlp-htxadiamwi-plgc-plspnnlwenogdkyxtm_dklbsncxny.html
http://proimagecreativeservices.com/news/kwnnjrwsjspvefgz_gkig_qqsl-jruu-rrjrhioprrbp-qvkvfqhuwjdkcpzk-ylwk-mtnc-afzfbfksynfl_xtwqaq-el.html

http://unknownbringing.asia/news/bheyvibfiqfzcjynvnvyqclidgtskfdhsnpi-ysjkqzllys-nwfz_tfrpqkxovpdf-gtjzkbjhptdaxtjlwflzcu-.html

Tiltedkilt.com redirecting to Fiesta

*First thought neosploit…turns out fiesta.*

This compromise only redirects visitors coming from a search engine.

http://sitecheck.sucuri.net/results/tiltedkilt.com

http://www.tiltedkilt.com/menu/ (come from search engine like google/bing)

Paste of redirecting JS

http://flownacme.info/showads.php?2&seoref=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3Dtilted%2520kilt%2520menu%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0CC8QFjAA%26url%3Dhttp%253A%252F%252Fwww.tiltedkilt.com%252Fmenu%252F%26ei%3DA3ARUdGgIem1ygGewoHoBw%26usg%3DAFQjCNE5woagSo26HJaev5A8eSwYUJWQ7w%26bvm%3Dbv.41934586%2Cd.aWM&HTTP_REFERER=http%3A%2F%2Fwww.tiltedkilt.com%2Fmenu%2F > Redirect

http://bitsawalli.www1.biz/w4bm607/counter.php?id=2
http://bitsawalli.www1.biz/w4bm607/?2
http://bitsawalli.www1.biz/w4bm607/?0ae2960a13391f965c0807090b0d015809525e065b060b55095700020d5252 > PDF
http://bitsawalli.www1.biz/w4bm607/?02c3ea533044d71d52511508575a040a0901580707510e0709040603510557 > JAR (application/x-java-archive)
http://bitsawalli.www1.biz/w4bm607/?40f2f7e2da7d541555420709540c540b0d035d0604075e060d060302525307 > JAR (application/x-java-archive)
http://bitsawalli.www1.biz/w4bm607/?05a155a358a6daa4554d040a070e500a09065a0557055a0709030401015107;1;3 > EXE from PDF (application/octet-stream)
http://bitsawalli.www1.biz/w4bm607/?4a53229d5fcb1ebd511950080009085d0d520e07500202500d57500306565b;1;1 > EXE from JAR (application/octet-stream)
http://bitsawalli.www1.biz/w4bm607/?4a53229d5fcb1ebd511950080009085d0d520e07500202500d57500306565b;1;1;1 > empty > DL confirm
http://bitsawalli.www1.biz/w4bm607/?5ff3f9fb5fcb1ebd501e03085402575b0c555d0704095d560c500303525d04;1;2 > EXE from JAR (application/octet-stream)
http://bitsawalli.www1.biz/w4bm607/?5ff3f9fb5fcb1ebd501e03085402575b0c555d0704095d560c500303525d04;1;2;1 > empty > DL confirm
http://bitsawalli.www1.biz/w4bm607/?05a155a358a6daa4554d040a070e500a09065a0557055a0709030401015107;1;3;1 > empty > DL confirm

Nothing new here, low AV detection, payload looks like locker.

Updated NeoSploit Post with more indicators.

Finding Zeus/Zbot in your DNS logs

Regex your DNS logs with this to find hosts that are compromised.

^[a-z]{30,}\.biz

eg.

sdfiehfdkhfuwekjdsfoisdfhjehddfeers.biz
kfdijfkjeifjfgasufdkjfsdukwejkfhiushdf.biz
tqwehgnbzxctfdsowkjdhsfldgjkhmnlskhfsiu.biz

You’ll likely see some DGA style domain lookups for other top level domains as well. .biz has less false positives.