Popads Exploit Kit

Some stuff that has been useful for catching Popads.

Thanks to @kafeine for catching my silly naming error. 🙂

Example chain

*omitting domain for space, see previous post.*

/?bbf49b029fa11db901403d06a520eee8=g15
/35ddf971291d6ba1603daebd2e8f3677.eot (application/vnd.ms-fontobject)
/ceb5ac44146f822b47742aa2869f28f6/3b7414f89c83e64318605265a5419f52.swf (application/x-shockwave-flash)
/ceb5ac44146f822b47742aa2869f28f6/bd89ae7dee57f92f50f785a6bfe5e597.jar (application/x-java-archive)
/45ce50c8f996cae6327f4525b96db70d/043bd8b18c03c98152fa76b39180342a.jar (application/x-java-archive)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ClassBeanInfo.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ObjectBeanInfo.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ObjectCustomizer.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ClassCustomizer.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/0 > (text/html) > Encoded EXE
/ceb5ac44146f822b47742aa2869f28f6/1 > 404
/ceb5ac44146f822b47742aa2869f28f6/2 > 404
/ceb5ac44146f822b47742aa2869f28f6/3 > 404
/ceb5ac44146f822b47742aa2869f28f6/4 > (text/html) > Encoded EXE

PopadsEK Gate Regex

\/\?[a-f0-9]{32}=[a-z0-9]{2,3}(&[a-f0-9]{32}=[a-z0-9-_.]+)?$

PopadsEK .jnlp

HTTP Method = GET
Regex HTTP URI for \/[a-f0-9]{32}\.jnlp$

PopadsEK EOT

HTTP Method = GET
Content-type = application/vnd.ms-fontobject
Regex HTTP URI for \/[a-f0-9]{32}\.eot$

PopadsEK SWF

HTTP Method = GET
Content-type = application/x-shockwave-flash
Regex HTTP URI for \/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$

PopadsEK JAR

HTTP Method = GET
Content-type = application/x-java-archive
Regex HTTP URI for \/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$

PopadsEK CVE-2013-0431 Class files

HTTP Method = GET
Content-type = text/html
Regex HTTP URI for \/[a-f0-9]{32}\/java\/lang\/[a-zA-Z]+\.class$

PopadsEK EXEs from JAR

HTTP Method = GET
User-agent = *Java/1.*
Content-type = text/html
Regex HTTP URI for \/[a-f0-9]{32}\/[0-4]$
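As an added example (not code from the post), here are the gate regex and the six request rules above turned into a small Python classifier and run over a constructed proxy-log excerpt modelled on the example chain. The regexes, HTTP methods, content types and the `*Java/1.*` user-agent glob are copied verbatim from the post; the pipe-delimited log format, the status codes, the user-agent strings and the final benign `/static/...swf` line are assumptions made up for this example.

```python
"""Run the PopadsEK request rules from the post over constructed proxy-log lines."""
import re
from fnmatch import fnmatchcase

# Rule table: (name, method or None, content-type or None, user-agent glob or None, URI regex).
# Regexes, methods, content types and the UA glob are the post's own; the tuple
# layout and the request field names used below are this example's assumptions.
RULES = [
    ("PopadsEK Gate", None, None, None,
     r"\/\?[a-f0-9]{32}=[a-z0-9]{2,3}(&[a-f0-9]{32}=[a-z0-9-_.]+)?$"),
    ("PopadsEK .jnlp", "GET", None, None, r"\/[a-f0-9]{32}\.jnlp$"),
    ("PopadsEK EOT", "GET", "application/vnd.ms-fontobject", None,
     r"\/[a-f0-9]{32}\.eot$"),
    ("PopadsEK SWF", "GET", "application/x-shockwave-flash", None,
     r"\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$"),
    ("PopadsEK JAR", "GET", "application/x-java-archive", None,
     r"\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$"),
    ("PopadsEK CVE-2013-0431 Class files", "GET", "text/html", None,
     r"\/[a-f0-9]{32}\/java\/lang\/[a-zA-Z]+\.class$"),
    ("PopadsEK EXEs from JAR", "GET", "text/html", "*Java/1.*",
     r"\/[a-f0-9]{32}\/[0-4]$"),
]
COMPILED = [(n, m, c, u, re.compile(rx)) for n, m, c, u, rx in RULES]


def base_content_type(value):
    """'text/html; charset=utf-8' -> 'text/html' (rules compare the bare media type)."""
    return value.split(";", 1)[0].strip().lower()


def match_rules(req):
    """Return the names of every rule the request satisfies.

    req is a dict with method, uri, content_type (response header) and user_agent.
    A request may hit more than one rule, so all hits are returned in table order.
    """
    hits = []
    for name, method, ctype, ua_glob, rx in COMPILED:
        if method is not None and req["method"] != method:
            continue
        if ctype is not None and base_content_type(req["content_type"]) != ctype:
            continue
        if ua_glob is not None and not fnmatchcase(req["user_agent"], ua_glob):
            continue
        if rx.search(req["uri"]):
            hits.append(name)
    return hits


# Constructed log in a made-up pipe-delimited format:
#   method|uri|status|response content-type|request user-agent
# URIs and content types follow the chain in the post; the status codes, the
# user-agent strings and the last (benign) line are invented for the example,
# and the 404 line carries no content type because the post shows none for it.
SAMPLE_LOG = """\
GET|/?bbf49b029fa11db901403d06a520eee8=g15|200|text/html|Mozilla/5.0 (Windows NT 6.1; rv:20.0)
GET|/35ddf971291d6ba1603daebd2e8f3677.eot|200|application/vnd.ms-fontobject|Mozilla/5.0 (Windows NT 6.1; rv:20.0)
GET|/ceb5ac44146f822b47742aa2869f28f6/3b7414f89c83e64318605265a5419f52.swf|200|application/x-shockwave-flash|Mozilla/5.0 (Windows NT 6.1; rv:20.0)
GET|/ceb5ac44146f822b47742aa2869f28f6/bd89ae7dee57f92f50f785a6bfe5e597.jar|200|application/x-java-archive|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_17
GET|/ceb5ac44146f822b47742aa2869f28f6/java/lang/ClassBeanInfo.class|200|text/html|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_17
GET|/ceb5ac44146f822b47742aa2869f28f6/0|200|text/html; charset=utf-8|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_17
GET|/ceb5ac44146f822b47742aa2869f28f6/1|404||Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_17
GET|/static/3b7414f89c83e64318605265a5419f52.swf|200|application/x-shockwave-flash|Mozilla/5.0 (Windows NT 6.1; rv:20.0)
"""


def parse_log(text):
    """Parse the pipe-delimited sample format into request dicts."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, uri, status, ctype, ua = line.split("|", 4)
        reqs.append({"method": method, "uri": uri, "status": int(status),
                     "content_type": ctype, "user_agent": ua})
    return reqs


def scan(text):
    """Map each URI in the log to the rule names it triggered (empty list = no hit)."""
    return [(r["uri"], match_rules(r)) for r in parse_log(text)]


if __name__ == "__main__":
    for uri, hits in scan(SAMPLE_LOG):
        print(f"{uri:75} {', '.join(hits) or '-'}")
```

Two details worth noting when porting these rules to real tooling: the content-type comparison strips any `; charset=...` suffix first, since proxies log the full header value, and none of the rules key on the response status, so the `/1`-`/3` 404s in the chain would also fire the "EXEs from JAR" rule if the error page comes back as `text/html` to a Java client; add a status filter if your log source has one.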

Has been dropping ZeroAccess and Urausy.
