Monthly Archives: March 2013

Neutrino Exploit Kit

http://jung. demonised .org/lotobs?fgtxowblk=4238735 > Landing (Paste)
http://jung. demonised .org/scripts/js/plugin_detector.js
http://jung. demonised .org/cwk78d7ro > Applet Serialization (Paste)
http://jung. demonised .org/ewogqfbibxd?hggitdbt=515245e3aaa2cbaa2a00002b (application/java-archive)
http://jung. demonised .org/java/lang/ClassBeanInfo.class
http://jung. demonised .org/java/lang/ObjectBeanInfo.class
http://jung. demonised .org/java/lang/ObjectCustomizer.class
http://jung. demonised .org/java/lang/ClassCustomizer.class
http://jung. demonised .org/pdjunyijv?hfmtd=515245e3aaa2cbaa2a00002b (application/octet-stream) > Encoded EXE

Neutrino JAR

HTTP Method = GET
Content-type = application/java-archive
Regex HTTP URI for =[a-f0-9]{24}$

Neutrino EXE

HTTP Method = GET
Content-type = application/octet-stream
User-Agent = *Java/1.*
Regex HTTP URI for =[a-f0-9]{24}$

Neutrino JAR 2

HTTP Method = GET
Content-Type = application/java-archive
Regex HTTP URI for \/[A-Za-z0-9]{50,}(==?)?$

Neutrino EXE 2

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/[A-Za-z0-9]{50,}(==?)?$

Reference: http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

CritXPack Changes URI Encoding

Thanks to @Set_Abominae for sharing this!

CritXPack seems to be using a new encoding for params and/or received a slight build update. (220213 – Feb 22 2013)

Current Exploit Chain –

/a220213k/btxqfuta/index.php?id=1234512345
/a220213k/btxqfuta/js/js.js
/a220213k/btxqfuta/gate.php?ver=gpwpPEgpwP:E:p:g.c.Eg:Egc1E81wgp:Epg18Epg18&p=8.0.0.456&j=1.6.0.26&f=10.0.42.4
/a220213k/btxqfuta/j16.php?i=Egc1E81wg1 > JAR
/a220213k/btxqfuta/load.php?e=E&ip=gpwpPEggwP > EXE

(index.php) Encoded Landing / Decoded Landing
(js.js) Encoded PluginDetect / Decoded PluginDetect
(gate.php) Encoded Gate / Decoded Gate

This will alter the existing signatures for CritXPack.

CritXPack Landing

HTTP Method = GET
HTTP URI contains /index.php?id=
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]\/

CritXPack PluginDetect

HTTP Method = GET
HTTP URI ends with /js/js.js
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]\/

CritXPack PluginDetect Response

HTTP Method = GET
HTTP URI contains /gate.php?ver=
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]\/

CritXPack JAR

HTTP Method = GET
HTTP URI contains /j15.php?i= OR /j16.php?i= OR /j17.php?i=
Content-type = application/java-archive
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]\/

CritXPack EXE

HTTP Request Method = GET
HTTP URI contains "*/load.php?e=*"
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]\/
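As an added example (my own code, not from the post or the kit), here is a small Python helper that pulls the /[a-z][0-9]{6}[a-z]/ token out of a CritXPack URI, reads its six digits as DDMMYY the way the post reads 220213 as Feb 22 2013, sorts each request into the landing / PluginDetect / gate / JAR / EXE stage using the signatures above, and groups requests sharing a token into one chain. The sample URIs are the chain listed above plus one constructed benign request; the guess that the gate's p, j and f parameters carry plugin versions is mine, not something the post states.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Path token from the post's regex \/[a-z][0-9]{6}[a-z]\/ ; the post reads the
# six digits of a220213k as a build date (Feb 22 2013), i.e. DDMMYY.
BUILD_TOKEN_RE = re.compile(r"/([a-z])([0-9]{6})([a-z])/")

# Stage markers taken from the CritXPack signatures in the post, checked in order.
STAGES = [
    ("landing", re.compile(r"/index\.php\?id=")),
    ("plugindetect", re.compile(r"/js/js\.js$")),
    ("gate", re.compile(r"/gate\.php\?ver=")),
    ("jar", re.compile(r"/j1[567]\.php\?i=")),
    ("exe", re.compile(r"/load\.php\?e=")),
]

# Constructed from the chain listed in the post (hostname omitted as in the post),
# plus one benign-looking request that carries no build token.
SAMPLE_URIS = [
    "/a220213k/btxqfuta/index.php?id=1234512345",
    "/a220213k/btxqfuta/js/js.js",
    "/a220213k/btxqfuta/gate.php?ver=gpwpPEgpwP:E:p:g.c.Eg:Egc1E81wgp:Epg18Epg18&p=8.0.0.456&j=1.6.0.26&f=10.0.42.4",
    "/a220213k/btxqfuta/j16.php?i=Egc1E81wg1",
    "/a220213k/btxqfuta/load.php?e=E&ip=gpwpPEggwP",
    "/blog/index.php?id=42",  # constructed benign request, no token
]


def parse_build_token(uri):
    """Return (token, build_date) for a URI carrying the /[a-z][0-9]{6}[a-z]/ token.

    build_date is None when the six digits do not read as a DDMMYY date; the
    post's regex still fires on them, so the token is kept either way.
    """
    m = BUILD_TOKEN_RE.search(uri)
    if not m:
        return None
    try:
        build_date = datetime.strptime(m.group(2), "%d%m%y").date()
    except ValueError:
        build_date = None
    return m.group(0).strip("/"), build_date


def stage_of(uri):
    """Name the kit stage a URI belongs to, or None if no signature applies."""
    for name, rx in STAGES:
        if rx.search(uri):
            return name
    return None


def parse_gate(uri):
    """Split the gate.php query string into its parameters.

    Assumption (not stated in the post): p, j and f carry plugin versions
    reported by the PluginDetect script; they are returned as-is for triage.
    """
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}


def reconstruct_chains(uris):
    """Group signature hits by build token so one victim's chain reads as a unit."""
    chains = {}
    for uri in uris:
        tok = parse_build_token(uri)
        stage = stage_of(uri)
        if tok is None or stage is None:
            continue
        token, build_date = tok
        entry = chains.setdefault(
            token, {"build_date": build_date.isoformat() if build_date else None, "stages": []}
        )
        entry["stages"].append(stage)
        if stage == "gate":
            entry["gate_params"] = parse_gate(uri)
    return chains


if __name__ == "__main__":
    for token, chain in reconstruct_chains(SAMPLE_URIS).items():
        print(token, chain)
```

Run against a day of proxy logs, the token groups every stage a host pulled from the same build, and the date tells you whether a new build is circulating before you see the next change in URI encoding.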

Popads Exploit Kit

Some stuff that has been useful for catching Popads.

Thanks to @kafeine for catching my silly naming error. 🙂

Example chain

*omitting domain for space, see previous post.*

/?bbf49b029fa11db901403d06a520eee8=g15
/35ddf971291d6ba1603daebd2e8f3677.eot (application/vnd.ms-fontobject)
/ceb5ac44146f822b47742aa2869f28f6/3b7414f89c83e64318605265a5419f52.swf (application/x-shockwave-flash)
/ceb5ac44146f822b47742aa2869f28f6/bd89ae7dee57f92f50f785a6bfe5e597.jar (application/x-java-archive)
/45ce50c8f996cae6327f4525b96db70d/043bd8b18c03c98152fa76b39180342a.jar (application/x-java-archive)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ClassBeanInfo.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ObjectBeanInfo.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ObjectCustomizer.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ClassCustomizer.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/0 > (text/html) > Encoded EXE
/ceb5ac44146f822b47742aa2869f28f6/1 > 404
/ceb5ac44146f822b47742aa2869f28f6/2 > 404
/ceb5ac44146f822b47742aa2869f28f6/3 > 404
/ceb5ac44146f822b47742aa2869f28f6/4 > (text/html) > Encoded EXE

PopadsEK Gate Regex

\/\?[a-f0-9]{32}=[a-z0-9]{2,3}(&[a-f0-9]{32}=[a-z0-9-_.]+)?$

PopadsEK .jnlp

HTTP Method = GET
Regex HTTP URI for \/[a-f0-9]{32}\.jnlp$

PopadsEK EOT

HTTP Method = GET
Content-type = application/vnd.ms-fontobject
Regex HTTP URI for \/[a-f0-9]{32}\.eot$

PopadsEK SWF

HTTP Method = GET
Content-type = application/x-shockwave-flash
Regex HTTP URI for \/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$

PopadsEK JAR

HTTP Method = GET
Content-type = application/x-java-archive
Regex HTTP URI for \/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$

PopadsEK CVE-2013-0431 Class files

HTTP Method = GET
Content-type = text/html
Regex HTTP URI for \/[a-f0-9]{32}\/java\/lang\/[a-zA-Z]+\.class$

PopadsEK EXEs from JAR

HTTP Method = GET
User-agent = *Java/1.*
Content-type = text/html
Regex HTTP URI for \/[a-f0-9]{32}\/[0-4]$

Has been dropping ZeroAccess and Urausy.

Interesting Subdomain Technique – Popads Exploit Kit

Popads is using some interesting domains lately…

tech.net.microsoft.windows.update.system.release.vukzy.1targetdayanalize.info
tech.net.microsoft.windows.update.system.release.sg.1zitargoh.info
tech.net.microsoft.windows.update.system.release.jxtbc.1zitargoh.info
tech.net.microsoft.windows.update.system.release.gxsha.1zitargoh.info
tech.net.microsoft.windows.update.system.release.fp.12targetdayanalize.info
tech.net.microsoft.windows.update.system.release.bv.12targetdayanalize.info
tech.net.microsoft.windows.update.system.release.aldmd.1tickersonball.info

critical.microsoft.windows.software.update.patch.tu.7personalidoffuskerts.info
critical.microsoft.windows.software.update.patch.jdkwv.7personalidoffuskerts.info

emergency.microsoft.security.software.update.patch.oqska.1yebatek.info
emergency.microsoft.security.software.update.patch.nv.1yebatek.info

Looks like six keywords (tech.net counts as one), then a random 2-5 character label, then the domain.

Easy to find in DNS logs.

Domain = *.info
Query contains
emergency OR critical OR microsoft OR security OR software OR update OR patch OR system OR release OR tech.net OR windows

— Update 4/16 —

Still at it, slightly different.

net.tech.windows.internet.7c23a7f1d978eaac81d9d3049f22a59c.wfyjp.4qastorb.info
net.tech.windows.internet.92181dc1ad75243ace8a1aee4cfa74be.gimi.12qastorb.info

Still easy to find in DNS logs.

Domain = *.info
Query contains
emergency OR critical OR microsoft OR security OR software OR update OR patch OR system OR release OR tech.net OR windows OR net.tech

Can also regex part of the domain for [a-f0-9]{32}\.[a-z]{3,6}\.[0-9]+[a-z]+\.info$

— Update 4/17 —

Still easy to find in DNS logs. LOL 🙂

Domain = *.info
Query contains
emergency OR critical OR microsoft OR security OR software OR update OR patch OR system OR release OR tech.net OR windows OR net.tech OR internet OR explorer
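Here is an added example (my own code, not from the post) that turns the DNS rules above into something you can run over a log: the keyword OR-list from the 4/17 update restricted to *.info, plus the 32-hex-label regex from the 4/16 update, which catches the newer variant even when it uses fewer of the keywords. The log lines are constructed (the real names are the ones listed in the post, the rest are filler), and the "timestamp client qname" layout is an assumption about the log format.

```python
import re

# Keyword list from the 4/17 update. "tech.net" and "net.tech" span two labels,
# so matching is done on the whole query name, as the post's "contains" rule does.
KEYWORDS = [
    "emergency", "critical", "microsoft", "security", "software", "update",
    "patch", "system", "release", "tech.net", "windows", "net.tech",
    "internet", "explorer",
]

# Structural regex from the 4/16 update: 32 hex chars, a 3-6 letter label,
# a digits+letters label, then .info.
HEX_LABEL_RE = re.compile(r"[a-f0-9]{32}\.[a-z]{3,6}\.[0-9]+[a-z]+\.info$")

# Constructed DNS log: "<timestamp> <client> <qname>". Lines 1 and 2 use names
# from the post; 3-5 are filler to show what the rules do not fire on.
DNS_LOG = [
    "2013-04-17T10:01:02 10.0.0.5 tech.net.microsoft.windows.update.system.release.vukzy.1targetdayanalize.info",
    "2013-04-17T10:01:05 10.0.0.5 net.tech.windows.internet.7c23a7f1d978eaac81d9d3049f22a59c.wfyjp.4qastorb.info",
    "2013-04-17T10:02:10 10.0.0.7 windowsupdate.microsoft.com",
    "2013-04-17T10:02:11 10.0.0.7 community.patch.info",
    "2013-04-17T10:02:12 10.0.0.9 www.example.org",
]


def normalize(qname):
    """Lower-case and strip a trailing dot so comparisons are stable."""
    return qname.lower().rstrip(".")


def keyword_hits(qname):
    """Every keyword from the post's list that appears in the query name."""
    q = normalize(qname)
    return [k for k in KEYWORDS if k in q]


def matches_keyword_rule(qname):
    """The post's rule: Domain = *.info AND query contains any keyword."""
    q = normalize(qname)
    return q.endswith(".info") and bool(keyword_hits(q))


def matches_hex_rule(qname):
    """The post's 4/16 regex on the tail of the query name."""
    return HEX_LABEL_RE.search(normalize(qname)) is not None


def classify_dns_log(lines):
    """Return (qname, rule, keyword_count) for every line a rule fires on.

    The hex rule is tried first because it is the more specific of the two;
    the keyword count is carried along so an analyst can rank hits.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        qname = parts[2]
        count = len(keyword_hits(qname))
        if matches_hex_rule(qname):
            hits.append((normalize(qname), "hex-label", count))
        elif matches_keyword_rule(qname):
            hits.append((normalize(qname), "keyword", count))
    return hits


if __name__ == "__main__":
    for qname, rule, count in classify_dns_log(DNS_LOG):
        print(f"{rule:10} keywords={count} {qname}")
```

The keyword count is worth keeping: the kit's names hit six keywords while an ordinary .info name that happens to contain "patch" hits one, so a threshold on the count separates the two without touching the post's rule.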

Cool Exploit Kit /world/ Variant

This tag isn't new for CEK, but it has become increasingly popular over the past few weeks.

You can match the URI with this regex for the various payloads (pdf, jar, swf, etc.):

\/world\/([a-z]+(-|_)){1,}[a-z]+\.[a-z]{3,4}$

The EXE is easy enough to find with the rule below. I have seen it with many variations, all numeric filenames with a .jpg extension…

HTTP Method = GET
HTTP URI contains /world/
Content-Type = application/x-msdownload

See more examples of the Cool Exploit Kit /world/ variant on UrlQuery.net

Slight changes in RedKit URI

Finally seeing some changes/customization in RedKit payloads, a departure from the static files.

vivianmastrangelo.com/atnf.htm
vivianmastrangelo.com/pqo.jar
vivianmastrangelo.com/11.html > encoded (application/octet-stream)

chelscore.com/wtpp.html
chelscore.com/jce.jar
chelscore.com/55.html > encoded (application/octet-stream)

JAR

HTTP Method = GET
Content-Type = application/java-archive
Regex HTTP URI for \/[a-z0-9]{3}\.jar$

Confirmed by @node5 and @xanda on Twitter.

EXE

HTTP Method = GET
Content-Type = application/octet-stream
HTTP Destination = *.html
User-Agent = *Java/1.*

Regex HTTP URI for \/[0-9]{2}\.html$ <-- Optional

CVE-2013-0431 Class Requests

These seem to be artifacts of the exploit and show up in multiple exploit kits.

Much like com.class / net.class / edu.class / org.class were a while back.

HTTP Request Method = GET
HTTP URI = */java/lang/*.class
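The HTTP signatures in this archive (Neutrino, PopadsEK, the Cool EK /world/ variant, RedKit, and the CVE-2013-0431 class requests just above) all share one shape: method, content-type, optional User-Agent glob, and a URI substring, glob or regex. As an added example (my own code, not from the post or any of the kits), here is one small matcher that holds those rules as data, with the regexes and globs copied verbatim from the sections above, run over constructed proxy-log records built from the URIs the post lists plus a few filler requests. The User-Agent strings and the two /world/ filenames are constructed.

```python
import fnmatch
import re

# One entry per "HTTP Method / Content-type / User-Agent / URI" block in the post.
# All of them are GET; '*' globs are the post's own notation; regexes are verbatim.
RULES = [
    {"name": "Neutrino JAR", "content_type": "application/java-archive",
     "uri_regex": r"=[a-f0-9]{24}$"},
    {"name": "Neutrino EXE", "content_type": "application/octet-stream",
     "user_agent": "*Java/1.*", "uri_regex": r"=[a-f0-9]{24}$"},
    {"name": "Neutrino JAR 2", "content_type": "application/java-archive",
     "uri_regex": r"\/[A-Za-z0-9]{50,}(==?)?$"},
    {"name": "PopadsEK JAR", "content_type": "application/x-java-archive",
     "uri_regex": r"\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$"},
    {"name": "PopadsEK CVE-2013-0431 Class files", "content_type": "text/html",
     "uri_regex": r"\/[a-f0-9]{32}\/java\/lang\/[a-zA-Z]+\.class$"},
    {"name": "PopadsEK EXEs from JAR", "content_type": "text/html",
     "user_agent": "*Java/1.*", "uri_regex": r"\/[a-f0-9]{32}\/[0-4]$"},
    {"name": "Cool EK /world/ payload",
     "uri_regex": r"\/world\/([a-z]+(-|_)){1,}[a-z]+\.[a-z]{3,4}$"},
    {"name": "Cool EK /world/ EXE", "uri_contains": "/world/",
     "content_type": "application/x-msdownload"},
    {"name": "RedKit JAR", "content_type": "application/java-archive",
     "uri_regex": r"\/[a-z0-9]{3}\.jar$"},
    {"name": "RedKit EXE", "content_type": "application/octet-stream",
     "user_agent": "*Java/1.*", "uri_regex": r"\/[0-9]{2}\.html$"},
    {"name": "CVE-2013-0431 Class Requests", "uri_glob": "*/java/lang/*.class"},
]

# Constructed User-Agent strings: a browser and the Java runtime's own client.
UA_BROWSER = "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
UA_JAVA = "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26"

# Constructed records (method, uri, response content-type, user-agent). The URIs
# are the ones listed in the post except the two /world/ names and the fillers.
SAMPLE_REQUESTS = [
    ("GET", "/ewogqfbibxd?hggitdbt=515245e3aaa2cbaa2a00002b", "application/java-archive", UA_BROWSER),
    ("GET", "/pdjunyijv?hfmtd=515245e3aaa2cbaa2a00002b", "application/octet-stream", UA_JAVA),
    ("GET", "/ceb5ac44146f822b47742aa2869f28f6/bd89ae7dee57f92f50f785a6bfe5e597.jar",
     "application/x-java-archive", UA_BROWSER),
    ("GET", "/ceb5ac44146f822b47742aa2869f28f6/java/lang/ClassBeanInfo.class", "text/html", UA_JAVA),
    ("GET", "/ceb5ac44146f822b47742aa2869f28f6/0", "text/html", UA_JAVA),
    ("GET", "/world/alpha-beta.jar", "application/java-archive", UA_BROWSER),  # constructed
    ("GET", "/world/1234567.jpg", "application/x-msdownload", UA_JAVA),        # constructed
    ("GET", "/pqo.jar", "application/java-archive", UA_BROWSER),
    ("GET", "/11.html", "application/octet-stream", UA_JAVA),
    ("GET", "/index.html", "text/html", UA_BROWSER),                            # filler
    ("POST", "/11.html", "application/octet-stream", UA_JAVA),                   # wrong method
]


def matches(rule, method, uri, content_type, user_agent):
    """True when every condition the rule carries holds for this request."""
    if method != rule.get("method", "GET"):
        return False
    if "content_type" in rule and not fnmatch.fnmatchcase(content_type, rule["content_type"]):
        return False
    if "user_agent" in rule and not fnmatch.fnmatchcase(user_agent, rule["user_agent"]):
        return False
    if "uri_contains" in rule and rule["uri_contains"] not in uri:
        return False
    if "uri_glob" in rule and not fnmatch.fnmatchcase(uri, rule["uri_glob"]):
        return False
    if "uri_regex" in rule and not re.search(rule["uri_regex"], uri):
        return False
    return True


def classify(method, uri, content_type, user_agent):
    """Names of every rule that fires, in RULES order (a request may hit several)."""
    return [r["name"] for r in RULES if matches(r, method, uri, content_type, user_agent)]


def scan(requests):
    """(uri, hits) for each request that tripped at least one rule."""
    out = []
    for method, uri, content_type, user_agent in requests:
        hits = classify(method, uri, content_type, user_agent)
        if hits:
            out.append((uri, hits))
    return out


if __name__ == "__main__":
    for uri, hits in scan(SAMPLE_REQUESTS):
        print(uri, "->", ", ".join(hits))
```

Note that the class-file request trips both the PopadsEK-specific rule and the generic */java/lang/*.class one, which is the point of the last section: the generic rule keeps firing when a new kit reuses the same exploit.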