Monthly Archives: May 2013

Topic Exploit Kit

This is a community name for a long-standing exploit kit that I see from time to time.

Example Chain:

http://abhorrible.org/index.php?r=e28501f > GATE
http://uowroth.wha.la/viewforum.php?b=c25cbf6&ref=fjeldogfritid.dk > PLUGINDETECT
http://uowroth.wha.la/profile.php?exp=byte&b=c25cbf6&k=0846a8a8d7a5373b69ef814bc47b4f1 > JAR
http://uowroth.wha.la/profile.php?exp=lib&b=c25cbf6&k=0846a8a8d7a5373b69ef814bc47b4f1&host=uowroth.wha.la > PDF
http://uowroth.wha.la/y41gr.php?exp=byte&b=c25cbf6&k=0846a8a8d7a5373b69ef814bc47b4f1 > EXE

I have seen the following tags for different exploits:

exp=byte
exp=lib
exp=atom
exp=rhino

@Set_Abominae noticed a recent example chain exploiting CVE-2013-2423 and posted it on pastebin > http://pastebin.com/zeUecnqr

Flimkit Exploit Kit

**Thanks to @node5 and @EKwatcher**

This is known to EmergingThreats as ‘FlimKit’.

This originated from an ‘8gcf744Waxolp752.php’ traffic redirector and flagads.net’s ‘popunder’ advertising service.

onbackups.biz/ (Iframe)
rugocsv.pl/ameron (Paste of CVE-2013-2423 Contents)
rugocsv.pl/a59a312c49082.zip (MALJAR 2423)
rugocsv.pl/9f8705012b5f0.zip (404)
rugocsv.pl/eqquutgc/lfwumjmg.class (404)
rugocsv.pl/eqquutgc/lfwumjmg/class.class (404)
rugocsv.pl/cba6a7ca3e3f789a POST (application/octet-stream)

That's an interesting way to get a rogueav/locker payload.

HTTP Method = POST
Content-type = application/octet-stream
Regex HTTP URI for \/[a-f0-9]{16}$
Content Length > 800k (Optional)

Flimkit Gates:

*/veenuews
*/shupolak
*/ameron
*/shoerton
*/juicokahe
*/erolikos
*/rukaleta
*/fpcelokas

This is a list of all the IPs I could find hosting Flimkit > http://pastebin.com/xpTvn4L1

The *.pl domains are all being “tasted”.

Reference:

http://doc.emergingthreats.net/bin/view/Main/2016869
http://doc.emergingthreats.net/bin/view/Main/2016840
http://doc.emergingthreats.net/bin/view/Main/2016839

Slight change in RedKit URI

As noticed by @Set_Abominae and @kafeine, RedKit has made a slight modification to its URI.

The HTML, JAR and JNLP names now look to be four characters; the EXE remains two digits.

Redkit JNLP

HTTP Method = GET
HTTP URI ends with *.jnlp
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jnlp$

RedKit JAR

HTTP Method = GET
HTTP URI ends with *.jar
Content-type = application/java-archive
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jar$

*Is this change related to the Sophos article? Hmm… :)*

BEK Utilizing JNLP files

Looks like multiple variants of BEK have integrated the use of JNLP files as well.

@secobscurity has a very nice write-up of how JNLP bypasses the security warning that was introduced with JRE 7u11.

Paste of the JNLP landing:

d.wholink.pw/raise/words-printers.php?jnlp=b3bd7b747e,07116a753d (text/html)
d.wholink.pw/raise/words-printers.php?rtg=cnavm&qznsq=ttczm (application/java-archive)

BEK JNLP File

HTTP Method = GET
HTTP URI contains *.php?jnlp=*
User-Agent = JNLP*
Regex HTTP URI for \.php\?jnlp=[a-f0-9]{10}(,[a-f0-9]{10})?$

See more examples of BEK JNLP files on UrlQuery.net
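As an added example (not code from the original posts), the detection criteria quoted above for the Flimkit payload POST, the four-character RedKit JNLP/JAR URIs and the BEK JNLP landing, together with the exp= tags of the Topic EK chain, are turned into one small Python classifier and run over constructed proxy-log records. The regexes are the ones given in the posts (the RedKit character class is written with the hyphen last, which is the same set of characters); the record fields, the header values, the body sizes and the RedKit host redkit-host.example are assumptions made for this example, since the posts give no RedKit hostname.

```python
"""Classify proxy-log HTTP requests against the exploit-kit URI patterns
quoted on this page (Topic EK, Flimkit, RedKit, BEK/JNLP).

Added example: the regexes are the ones from the posts; the record layout
and the sample requests below are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Flimkit payload retrieval: POST, application/octet-stream, path of 16 hex chars.
FLIMKIT_PAYLOAD_PATH = re.compile(r"/[a-f0-9]{16}$")
FLIMKIT_MIN_BODY = 800 * 1024          # the post's optional "Content Length > 800k"

# RedKit after the May 2013 change: four alphanumerics, then .jnlp / .jar.
# Same class as the post's [a-z0-9A-Z-.], hyphen placed last so no engine
# can read it as a range.
REDKIT_JNLP = re.compile(r"^http://[a-zA-Z0-9.-]+/[a-zA-Z0-9]{4}\.jnlp$")
REDKIT_JAR = re.compile(r"^http://[a-zA-Z0-9.-]+/[a-zA-Z0-9]{4}\.jar$")

# BEK JNLP landing: .php?jnlp=<10 hex>[,<10 hex>], fetched by javaws (User-Agent JNLP/...).
BEK_JNLP = re.compile(r"\.php\?jnlp=[a-f0-9]{10}(,[a-f0-9]{10})?$")

# Topic EK exploit selector values listed on the page.
TOPIC_EXP_TAGS = {"byte", "lib", "atom", "rhino"}


def classify(req):
    """Return the (kit, stage) labels that one request record matches.

    req is a dict with keys method, url, content_type, content_length,
    user_agent (an assumed log layout); an empty list means no pattern matched.
    """
    hits = []
    method = req["method"].upper()
    url = req["url"]
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    # Topic EK: exp=<tag> together with the b= and k= parameters of the chain.
    exp = query.get("exp", [""])[0]
    if exp in TOPIC_EXP_TAGS and "b" in query and "k" in query:
        hits.append(("Topic", "exploit request exp=%s" % exp))

    # Flimkit: the POST that fetches the rogueav/locker payload; the size check
    # is the optional part of the signature, so it only strengthens the label.
    if (method == "POST"
            and req.get("content_type", "").startswith("application/octet-stream")
            and FLIMKIT_PAYLOAD_PATH.search(parts.path)):
        big = req.get("content_length", 0) > FLIMKIT_MIN_BODY
        hits.append(("Flimkit", "payload POST" + (" (>800k)" if big else "")))

    # RedKit: 4-character .jnlp, and 4-character .jar served as java-archive.
    # The content-type check matters: any 4-character .jar at a web root would
    # otherwise match.
    if method == "GET" and REDKIT_JNLP.match(url):
        hits.append(("RedKit", "jnlp"))
    if (method == "GET" and REDKIT_JAR.match(url)
            and req.get("content_type", "") == "application/java-archive"):
        hits.append(("RedKit", "jar"))

    # BEK: the JNLP landing, requested by Java Web Start itself (UA "JNLP...").
    if (method == "GET" and BEK_JNLP.search(url)
            and req.get("user_agent", "").startswith("JNLP")):
        hits.append(("BEK", "jnlp landing"))

    return hits


def scan(records):
    """Map each request URL to its labels, dropping records that match nothing."""
    out = {}
    for req in records:
        hits = classify(req)
        if hits:
            out[req["url"]] = hits
    return out


# Constructed sample log: URIs from the posts above, an assumed RedKit host and
# one benign request; headers and sizes are invented for the example.
SAMPLE_REQUESTS = [
    {"method": "GET", "content_type": "application/java-archive", "content_length": 9000,
     "user_agent": "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_17",
     "url": "http://uowroth.wha.la/profile.php?exp=byte&b=c25cbf6&k=0846a8a8d7a5373b69ef814bc47b4f1"},
    {"method": "POST", "content_type": "application/octet-stream", "content_length": 950000,
     "user_agent": "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_17",
     "url": "http://rugocsv.pl/cba6a7ca3e3f789a"},
    {"method": "GET", "content_type": "application/x-java-jnlp-file", "content_length": 700,
     "user_agent": "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/20.0",
     "url": "http://redkit-host.example/x9Qz.jnlp"},
    {"method": "GET", "content_type": "application/java-archive", "content_length": 30000,
     "user_agent": "JNLP/6.0 javaws/1.7.0_17 (b02) Java/1.7.0_17",
     "url": "http://redkit-host.example/x9Qz.jar"},
    {"method": "GET", "content_type": "text/html", "content_length": 1500,
     "user_agent": "JNLP/6.0 javaws/1.7.0_17 (b02) Java/1.7.0_17",
     "url": "http://d.wholink.pw/raise/words-printers.php?jnlp=b3bd7b747e,07116a753d"},
    {"method": "GET", "content_type": "text/html", "content_length": 5000,
     "user_agent": "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/20.0",
     "url": "http://www.example.com/index.html"},
]

if __name__ == "__main__":
    for url, hits in scan(SAMPLE_REQUESTS).items():
        print(url, "->", ", ".join("%s %s" % h for h in hits))
```

The Flimkit size threshold and the RedKit content-type are kept as separate conditions on purpose: the post marks the 800k check as optional, and the four-character .jar pattern on its own is broad enough that the application/java-archive check is what keeps the RedKit label from firing on ordinary applets.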