Monthly Archives: April 2013

Popads loading up java exploits with “.jnlp” file

Popads seems to be using a .jnlp file to make its actions seem more legitimate to the end user.

Paste of .jnlp file

What’s a JNLP file?

When loaded, this gives a nice little animated popover…while the malicious stuff is happening in the background. This is used to bypass the security warning that was introduced in JRE7u11.

There may be a misconfig on this as it created a very large number of instances of java. 🙂

Popads post updated with this “jnlp” info.

Ref: http://security-obscurity.blogspot.no/2013/04/the-latest-java-exploit-with-security.html

SofosFO EXE Payload Evasion Techniques

SofosFO is being sneaky in a cool and interesting way.

Example Chain:

http://incurable.fulfillingrgdohavingdhiv.biz/chanting_shallow.php > Landing/PD
http://incurable.fulfillingrgdohavingdhiv.biz/6oqgDDwQ4GmiEDQmqqir4DZpD/9d20ZKQ7QeQe/loads.php5 > Calls JAR
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/353810494/misspelled.pdf > Mal PDF
http://incurable.fulfillingrgdohavingdhiv.biz/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500 > EXE from PDF
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/example.jar > Mal JAR
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/0256000045/1369364 > EXE from JAR

Looks like usual SofosFO activity until we look at the packets…

EXE from JAR

GET /qboqgDDwQwGmiEDQmqqir4DZmm/0256000045/1369364 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: application/java-archive
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: inline; filename="triumphs.jar"

This is an encoded exe, with a modified content type and filename. Also notice the user agent.

Signature:

HTTP Method = GET
User-Agent = *Java/1.*
Content-Type = application/java-archive
Regex HTTP URI for \/[0-9]{8,11}\/[0-9]{6,8}$

EXE from PDF

GET /ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500 HTTP/1.1
User-Agent: http://incurable.fulfillingrgdohavingdhiv.biz/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500
Host: incurable.fulfillingrgdohavingdhiv.biz

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: application/pdf
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: inline; filename="nozzles.jar"

This is also an encoded executable from the Adobe exploit. Notice the user agent, content type, and inline filename.

Signature:

HTTP Method = GET
User-Agent = http://*
Content-Type = application/pdf
Regex HTTP URI for \/[0-9]{8,11}\/[0-9]{6,8}$
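An added example, not code from the post, that encodes the two SofosFO signatures above in the same field format the page uses (method, User-Agent glob, exact Content-Type, URI regex) and runs them over constructed proxy records. The record field names and the benign third record are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Each signature mirrors the fields used in the post: method, a glob on the
# User-Agent, an exact Content-Type and a regex over the request URI.
SOFOSFO_SIGS = {
    "SofosFO EXE from JAR": {
        "method": "GET",
        "ua_glob": "*Java/1.*",
        "content_type": "application/java-archive",
        "uri_re": re.compile(r"/[0-9]{8,11}/[0-9]{6,8}$"),
    },
    "SofosFO EXE from PDF": {
        "method": "GET",
        "ua_glob": "http://*",
        "content_type": "application/pdf",
        "uri_re": re.compile(r"/[0-9]{8,11}/[0-9]{6,8}$"),
    },
}

def matches(sig, txn):
    """True when every field of the signature matches the transaction."""
    return (txn["method"] == sig["method"]
            and fnmatchcase(txn["ua"], sig["ua_glob"])
            and txn["content_type"].split(";")[0].strip() == sig["content_type"]
            and sig["uri_re"].search(txn["uri"]) is not None)

def classify(txn):
    """Return the names of all signatures that fire on one transaction."""
    return [name for name, sig in SOFOSFO_SIGS.items() if matches(sig, txn)]

# Constructed proxy records modelled on the captures in the post; the third
# is a benign JAR download that shares the Java User-Agent but not the URI shape.
SAMPLE_TXNS = [
    {"method": "GET", "uri": "/qboqgDDwQwGmiEDQmqqir4DZmm/0256000045/1369364",
     "ua": "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10",
     "content_type": "application/java-archive"},
    {"method": "GET", "uri": "/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500",
     "ua": "http://incurable.fulfillingrgdohavingdhiv.biz/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500",
     "content_type": "application/pdf"},
    {"method": "GET", "uri": "/maven2/org/example/lib/1.2.3/lib-1.2.3.jar",
     "ua": "Java/1.7.0_10", "content_type": "application/java-archive"},
]

if __name__ == "__main__":
    for txn in SAMPLE_TXNS:
        print(txn["uri"], "->", classify(txn) or "no match")
```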

Dropping large (800k+) RogueAV files currently.

Detecting TDSS Variants

These have caught some TDSS infected hosts lately.

HTTP Method = GET
Regex HTTP URI for \/[a-z]\/[0-9]{4}\/[0-9]{1,4}\/[0-9]{13}_[0-9]{13,14}\/([0-9]+\/)?$

Examples:

espeak911.com/s/1097/5005/1348834772843_32880252672854/11/
runrunfaster.com/s/1500/0/1361145743122_5741195516747/11/
novemberrainx.com/c/1600/0/1354942684608_34784241188532/
wewillrocknow.com/s/1306/0/1369426784608_34784241188532/11/

HTTP Method = GET
Regex HTTP URI for \/j\/js[1-9]$

Examples:

woohoowoo.com/j/js9
woohoowoo.com/j/js8
woohoowoo.com/j/js4
woohoowoo.com/j/js3
woohoowoo.com/j/js2
woohoowoo.com/j/js1
woohoowoo.com/j/js7
woohoowoo.com/j/js6
woohoowoo.com/j/js5

You can also look for these, though they may produce many FPs.

HTTP Method = GET
Regex HTTP URI for \/(x|z|d)\/$

paspartux.com/x/
crossmatchx.com/x/
85.195.92.11/x/
novemberrainx.com/z/
oleolex98.com/x/
yawszaw89.com/x/

Known Malicious Domains:


References:

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YVC/detailed-analysis.aspx
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~TDSS-IY/detailed-analysis.aspx
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~TDSS-IX/detailed-analysis.aspx
http://www.pchelpforum.com/xf/threads/espeak911-colexity777-37-220-36-44-malicious-url-sites.141526/page-5 (solved w/ TDSSKiller)

Current Event Redirectors to Redkit

Have been seeing these a lot recently in conjunction with recent events…

HTTP Method = GET
HTTP URI ends with */news.html OR */boston.html OR */texas.html
Regex HTTP Request for ^http:\/\/(\d\d?\d?\.){3}\d\d?\d?\/(news|texas|boston)\.html$

See examples of this on UrlQuery.net

Sakura Exploit Kit

Some things that have been useful in catching Sakura lately.

Landing – hq5jj.grantsfork12schools.net:88/forum/he.php
PDF – hq5jj.grantsfork12schools.net:88/forum/late_between.php (application/pdf)
JAR – hq5jj.grantsfork12schools.net:88/forum/late_between.php (application/x-java-archive)
EXE – hq5jj.grantsfork12schools.net:88/forum/8632.htm (application/octet-stream) – likely from pdf

Landing

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/ OR /pages/ OR /docs/ OR /blog/ OR /wiki/
Regex HTTP URI for :((8|9)[0-9]|443|9090)\/(forum|articles|pages?|docs|blog|wiki)\/[a-z_-]+\.php$

PDF

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/ OR /pages/ OR /docs/ OR /blog/ OR /wiki/
Content type = application/pdf
Regex HTTP URI for :((8|9)[0-9]|443|9090)\/(forum|articles|pages?|docs|wiki)\/[a-z_-]+\.php$

JAR

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/ OR /docs/ OR /pages/ OR /blog/ OR /wiki/
Content type = application/x-java-archive
Regex HTTP URI for :((8|9)[0-9]|443|9090)\/(forum|articles|pages?|docs|wiki)\/[a-z_-]+\.php$

EXE

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/ OR /pages/ OR /docs/ OR /blog/ OR /wiki/
Content type = application/octet-stream
Regex HTTP URI for :((8|9)[0-9]|443|9090)\/(forum|articles|pages?|docs|blog|wiki)\/

See more examples of Sakura Exploit Kit on URLquery.net

Thanks to @Set_Abominae for helping to keep this up to date!

Cool Exploit Kit Variant Executable

Have been seeing CEK being used without /world/ or /news/ or /read/…etc.

EXE Payload

HTTP Method = GET
User-agent = *Java/1.*
Content-type = application/x-msdownload
Regex HTTP URI for \.txt\?[a-z]=[0-9]+$

Slight update to Neutrino Payloads

Slight change…also noticed by @Set_Abominae > http://pastebin.com/SFypQ0Q1

Neutrino JAR

HTTP Method = GET
Content-Type = application/java-archive
Regex HTTP URI for \/[A-Za-z0-9]{50,}(==?)?$

Neutrino EXE

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/[A-Za-z0-9]{50,}(==?)?$

Will have some FPs like globo.com, avast.com, etc.

Slight changes in g01pack

1) hiynet. is-a-geek.net/ads/ > Landing
2) oracle.com-Critical-Security-Update-JRE_1.7.u17-Windows-Install-Request-From.hiynet .is-a-geek.net/ads/9hlkii92.file > JAR (application/x-java-archive)
3) hiynet. is-a-geek.net/ads/lp9459f5.php?a=41&bulkily=3d747&i=44903301&bo=40232&priors=n&x=%2F&trismic=V& > XOR’d EXE (application/octet-stream)

Only change here is the jar file. Previous post on g01pack has been updated.

Clickfraud traffic from infected hosts

Check for this on your network to find infected hosts performing clickfraud.

HTTP Method = GET
HTTP Destination contains *=/?l=eyJhYyI6* (That's a lowercase "L")
Regex HTTP URI for \/[0-9]{8,9}\/[A-Za-z0-9]{7}=\/\?l=[A-Za-z0-9]{300,}(==?)?$

You can base64-decode the long field at the end to see some additional info about the activity.

Seeing this in hosts that have been compromised with Neutrino lately.
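An added example, not from the post, that applies the clickfraud URI regex above and then base64-decodes the l= parameter as the post suggests. The prefix eyJhYyI6 decodes to `{"ac":`, so the value is parsed as JSON; the payload, its keys and the beacon URI are constructed for the example, not captured traffic.

```python
import base64
import json
import re

# URI shape from the post: numeric directory, 7-char token ending in "=",
# then a 300+ char base64 value in the l= query parameter.
CLICKFRAUD_URI_RE = re.compile(
    r"/[0-9]{8,9}/[A-Za-z0-9]{7}=/\?l=[A-Za-z0-9]{300,}(==?)?$")

def is_clickfraud_beacon(uri):
    """True when the request URI matches the post's regex signature."""
    return CLICKFRAUD_URI_RE.search(uri) is not None

def decode_l_param(uri):
    """Base64-decode the l= value and parse it as JSON; None if it is not."""
    m = re.search(r"[?&]l=([^&]*)", uri)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)        # restore padding stripped in transit
    try:
        return json.loads(base64.b64decode(blob, validate=True))
    except ValueError:                     # bad base64 or not JSON
        return None

# Constructed payload, not a real capture. ASCII JSON that avoids ">", "?"
# and "~" base64-encodes to [A-Za-z0-9] plus "=" padding only, which is why
# the regex above can restrict the l= value to that character class.
SAMPLE_PAYLOAD = {
    "ac": "click",
    "campaign": "constructed-example-0001",
    "targets": ["http://ad%d.example.invalid/landing/%d" % (i, i) for i in range(8)],
}

def build_sample_uri(payload=SAMPLE_PAYLOAD):
    """Build a beacon URI in the observed shape from a payload dict."""
    blob = base64.b64encode(json.dumps(payload).encode("ascii")).decode("ascii")
    return "/123456789/AbCdEf1=/?l=" + blob

if __name__ == "__main__":
    uri = build_sample_uri()
    print("flagged:", is_clickfraud_beacon(uri))
    print("decoded:", decode_l_param(uri))
```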

EXEs downloaded by STYX loader

Noticed some easy sigs for EXEs being downloaded by STYX loader.

RogueAV, ZA, and Zbot…

HTTP Method = GET
User-Agent = Mozilla/4.0
Content-type = application/octet-stream

Also Infostealer.gift

HTTP Method = POST
User-Agent = Mozilla/4.0
Content-type = application/x-www-form-urlencoded