Monthly Archives: June 2013

BEK 2.1.0 URI Pattern Changes

New URI patterns in the latest BEK 2.1.0…

@Kafeine has written about it here > http://malware.dontneedcoffee.com/2013/06/blackhole-exploit-kit-goes-210-shows.html

BEK2 JNLP

HTTP Method = GET
HTTP URI contains *.php?jnlp=*
User-Agent = JNLP*
Regex HTTP URI for \.php\?jnlp=[a-f0-9]{10}

See examples of BEK2 JNLP on UrlQuery.net

BEK2 JAR

Pretty much the same as before…

HTTP Method = GET
HTTP Content Type = application/java-archive
Regex HTTP URI for \.php\?[a-zA-Z]+=[a-zA-Z]+&[a-zA-Z]+=[a-zA-Z]+$

BEK2 SWF

…haven’t seen often enough yet to make a reliable regex…

BEK 2.1.0 EXE

These are still using the same classic filenames – about.exe, calc.exe, info.exe, readme.exe

HTTP Method = GET
HTTP User Agent contains *Java/1.*
HTTP Content Type = application/x-msdownload
Regex HTTP URI for \.php\?[A-Za-z]f=[0-9]{10}&[A-Za-z]e=[0-9]{20}&[A-Z]=[0-9]{2}

Dotcachef Exploit Kit

— Update 6/27 —

The users of this exploit kit have dropped the \/\.cache\/ and replaced it with \/[a-f0-9]{10}\/

They have also changed the f= parameter: where the requests used f=site.jar and f=atom.jar, both now appear as f=s

Lots of examples of the changes are on UrlQuery.net

Props to EKwatcher for noticing this…

Example Chain:

http://www.environmentalleader.com/2013/06/10/cintas-eco-apparel-diverts-17-million-plastic-bottles-from-landfill/app.jnlp > Compromised via Malvertising
http://www.googlecodehosting.net/openx/js/zone_functions.js?cp=166 > REDIR
http://www.megabit.nl/gallery/docs/g1package/images/.cache/?f=site.jar&k=8791629774058014&h=bcf52e8e32f17f53 > JAR
http://www.megabit.nl/gallery/docs/g1package/images/.cache/?f=sm_main.mp3&k=8791629774058025&h=bcf52e8e32f17f53 (application/octet-stream) > Unencoded EXE – ZA

Looking for “/.cache/?f=” in the URI gives pretty solid results.

See examples of Unknown Exploit Kit on UrlQuery.net

More examples and info can be found on Basemont.com

Slight change in Flashpack URI

— Update 8.10 —

These have changed yet again…

The date tags now look like:

/work300713/
/120713/
/060713/
/040713/
/210613/
/200613/
/150613/

Some of the exploits include:

*/rhino.php*
*/javadb.php*
*/javabyte.php*
*/msie8.php*
*/msie6.php*
*/cgenericelement.php*

Has been active on 192.95.53.232, 192.95.46.244, and 192.95.46.245 the past few days.

See examples of Flashpack URI on Urlquery.net

Flashpack has made some changes…

Examples:

http://792bd051d38cbe978ad8aea2.is-a-libertarian.com/flashpack/ba0306utred/output.php?hash=I3QxI1lZU0E1I3MjOTE5RDkjI3M1OVk5UzlZcjVzIyM5MTkxREQ5WURZc1kjMXJBJkQjREE=
http://792bd051d38cbe978ad8aea2.is-a-libertarian.com/flashpack/ba0306utred/js/deployJava.js

http://lapachka.info/flashpack/krik0906uytre/rotat.php?hash=312e362e302e33393a392e352e352e303a31312e372e3730302e3232343a31333731303332323935
http://lapachka.info/flashpack/krik0906uytre/rotat.php?hash=312e362e302e33393a31312e302e332e33373a31312e372e3730302e3230323a31333731313039373637
http://lapachka.info/flashpack/krik0906uytre/rotat.php?hash=312e362e302e33373a31312e302e302e303a31312e372e3730302e3230323a31333731303730373435
http://lapachka.info/flashpack/ba0306utred/rotat.php?hash=312e372e302e31313a382e322e342e3236383a31312e372e3730302e3230323a31333731323234363234

hex decodes to…

1.7.0.11:8.2.4.268:11.7.700.202:1371224624

which is just…

Java_Version:Reader_Version:Flash_Version:ID_Probably (the last field, 1371224624, sits in the Unix-time range and works out to 14 June 2013 UTC, so it is probably a per-request ID or timestamp)
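As an added example (my code, not from the original post or the kit), here is a small Python decoder for the rotat.php hash field. It hex-decodes the parameter, checks that the result has the four-field Java:Reader:Flash:ID layout described above, and renders the trailing 10-digit value as a UTC date so you can see it lands in mid-June 2013; whether the kit means it as a timestamp is not something the post confirms. The regex, function names and the handling of odd-length or non-text payloads are my assumptions; the sample URIs are the four rotat.php URLs quoted above.

```python
import binascii
import re
from datetime import datetime, timezone

# Only the hex form seen on rotat.php is handled here; output.php carries a
# base64-looking hash that the post does not decode, so it is left alone.
ROTAT_HASH_RE = re.compile(r"/rotat\.php\?hash=([0-9a-fA-F]+)$")


def decode_rotat_hash(uri):
    """Decode a Flashpack rotat.php hash into its plugin-version fields.

    Returns a dict with java/reader/flash/id keys, or None when the URI is
    not a rotat.php call, the hash is not even-length hex, or the decoded
    text is not four colon-separated numeric fields (the post's layout).
    """
    m = ROTAT_HASH_RE.search(uri)
    if not m:
        return None
    try:
        text = binascii.unhexlify(m.group(1)).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None  # odd-length hex or non-text bytes: not this encoding
    parts = text.split(":")
    if len(parts) != 4 or not all(re.fullmatch(r"[0-9.]+", p) for p in parts):
        return None
    java, reader, flash, ident = parts
    info = {"java": java, "reader": reader, "flash": flash, "id": ident}
    # The last field in the post's samples is a 10-digit number; read as Unix
    # time it falls in mid-June 2013, when these URLs were seen. That is an
    # observation for the analyst, not a confirmed meaning of the field.
    if re.fullmatch(r"[0-9]{10}", ident):
        ts = datetime.fromtimestamp(int(ident), tz=timezone.utc)
        info["id_as_utc"] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return info


# The four rotat.php URLs quoted in the post.
SAMPLE_URIS = [
    "http://lapachka.info/flashpack/krik0906uytre/rotat.php?hash="
    "312e362e302e33393a392e352e352e303a31312e372e3730302e3232343a31333731303332323935",
    "http://lapachka.info/flashpack/krik0906uytre/rotat.php?hash="
    "312e362e302e33393a31312e302e332e33373a31312e372e3730302e3230323a31333731313039373637",
    "http://lapachka.info/flashpack/krik0906uytre/rotat.php?hash="
    "312e362e302e33373a31312e302e302e303a31312e372e3730302e3230323a31333731303730373435",
    "http://lapachka.info/flashpack/ba0306utred/rotat.php?hash="
    "312e372e302e31313a382e322e342e3236383a31312e372e3730302e3230323a31333731323234363234",
]


def decode_all(uris):
    """Decode every URI in the list; undecodable entries come back as None."""
    return [decode_rotat_hash(u) for u in uris]


if __name__ == "__main__":
    for uri, info in zip(SAMPLE_URIS, decode_all(SAMPLE_URIS)):
        print(uri.split("/")[-2], info)
```

Run against a proxy log, the decoded Java and Flash versions tell you which plugin the kit was about to target for each victim, which is more useful for triage than the raw hash.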

Looking for these phrases in your logs should find some good things:

/rotat.php?hash=
/output.php?hash=
/flashpack/

A decent regex should be \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/[a-z]+\.php\?hash=[A-Za-z0-9=]{60,}$

Have seen activity recently on the following IPs

62.76.179.182
109.236.81.142
62.76.176.67

Thanks to @Set_Abominae for continuing to check up on these!

FlashPack Exploit Kit (SafePack)

This is a renaming of SafePack / CritX and @Kafeine has added details to his SafePack post here > http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html

What I found interesting was that the old tag used to be something like \/[a-z][0-9]{6}[a-z]\/ that looked like it contained a date.

/a220213k/ > 22 02 13

Now it's a bit different:

/bods2903bue/ > 29 03
/ab1905kloq/ > 19 05
/arok2905yer/ > 29 05
/aaz0406rrtw/ > 04 06

We can update some sigs as follows.

FlashPack Landing

HTTP Method = GET
HTTP URI contains /index.php?id=
Regex HTTP URI for \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/

FlashPack PluginDetect

HTTP Method = GET
HTTP URI ends with /js/js.js
Regex HTTP URI for \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/

FlashPack PluginDetect Response

HTTP Method = GET
HTTP URI contains /gate.php?ver=
Regex HTTP URI for \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/

FlashPack JAR

HTTP Method = GET
HTTP URI contains /j15.php?i= OR /j16.php?i= OR /j17.php?i= OR /j07.php?i= OR /j161.php?i=
Content-type = application/java-archive
Regex HTTP URI for \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/

FlashPack EXE

HTTP Method = GET
HTTP URI contains */load.php?e=*
Content-type = application/octet-stream
Regex HTTP URI for \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/
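Pulling the signatures on this page together, here is an added Python example (mine, not the post's) that encodes the BEK 2.1.0, Dotcachef and FlashPack rules above in the same field-by-field form the post uses (method, URI contains, URI ends with, User-Agent, Content-Type, URI regex) and runs them over constructed request records. Two additions of my own, marked in the code: the Dotcachef rule accepts both the old /.cache/ directory and the 6/27 /[a-f0-9]{10}/ replacement and also requires the k= and h= parameters seen in the example chain, and the FlashPack rules reject a tag whose four digits are not a real day and month, which the bare regex does not check. The sample requests and user-agent strings are modelled on URIs in the post, not captured traffic.

```python
import re
from datetime import datetime

# Tag in the current FlashPack URIs; the four digits read as DDMM.
TAG = r"/[a-z]{2,5}([0-9]{4})[a-z]{2,5}/"

# Fields mirror the post's sig format: URI substrings (any of), URI suffix,
# User-Agent prefix/substring, response Content-Type and a URI regex.
SIGS = [
    {"name": "BEK2 JNLP", "ua_prefix": "JNLP",
     "uri_re": r"\.php\?jnlp=[a-f0-9]{10}"},
    {"name": "BEK2 JAR", "ctype": "application/java-archive",
     "uri_re": r"\.php\?[a-zA-Z]+=[a-zA-Z]+&[a-zA-Z]+=[a-zA-Z]+$"},
    {"name": "BEK 2.1.0 EXE", "ua_contains": "Java/1.",
     "ctype": "application/x-msdownload",
     "uri_re": r"\.php\?[A-Za-z]f=[0-9]{10}&[A-Za-z]e=[0-9]{20}&[A-Z]=[0-9]{2}"},
    # My regex, built from the example chain: old /.cache/ or the 6/27
    # /[a-f0-9]{10}/ directory, followed by the f=, k= and h= parameters.
    {"name": "Dotcachef",
     "uri_re": r"/(\.cache|[a-f0-9]{10})/\?f=[^&]+&k=[0-9]+&h=[a-f0-9]+"},
    {"name": "Flashpack rotat/output", "tag_date": True,
     "uri_re": TAG + r"[a-z]+\.php\?hash=[A-Za-z0-9=]{60,}$"},
    {"name": "FlashPack Landing", "contains": ["/index.php?id="],
     "uri_re": TAG, "tag_date": True},
    {"name": "FlashPack PluginDetect", "endswith": "/js/js.js",
     "uri_re": TAG, "tag_date": True},
    {"name": "FlashPack PluginDetect Response", "contains": ["/gate.php?ver="],
     "uri_re": TAG, "tag_date": True},
    {"name": "FlashPack JAR", "ctype": "application/java-archive",
     "contains": ["/j15.php?i=", "/j16.php?i=", "/j17.php?i=",
                  "/j07.php?i=", "/j161.php?i="],
     "uri_re": TAG, "tag_date": True},
    {"name": "FlashPack EXE", "contains": ["/load.php?e="],
     "ctype": "application/octet-stream", "uri_re": TAG, "tag_date": True},
]


def tag_date(uri):
    """(day, month) from the FlashPack tag, or None if the digits are not a
    real DDMM. My tightening: the regex alone also accepts /abcd9999xyz/."""
    m = re.search(TAG, uri)
    if not m:
        return None
    try:  # 2012 is a leap year, so a 2902 tag is still accepted
        d = datetime.strptime(m.group(1) + "2012", "%d%m%Y")
    except ValueError:
        return None
    return (d.day, d.month)


def match_request(req):
    """Names of every signature a request record satisfies (all sigs are GET)."""
    if req["method"] != "GET":
        return []
    uri, ua, ctype = req["uri"], req.get("ua", ""), req.get("ctype")
    hits = []
    for sig in SIGS:
        if "contains" in sig and not any(s in uri for s in sig["contains"]):
            continue
        if "endswith" in sig and not uri.endswith(sig["endswith"]):
            continue
        if "ua_prefix" in sig and not ua.startswith(sig["ua_prefix"]):
            continue
        if "ua_contains" in sig and sig["ua_contains"] not in ua:
            continue
        if "ctype" in sig and ctype != sig["ctype"]:
            continue
        if not re.search(sig["uri_re"], uri):
            continue
        if sig.get("tag_date") and tag_date(uri) is None:
            continue
        hits.append(sig["name"])
    return hits


JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"  # typical Java client UA
# Constructed request records modelled on URIs quoted in the post.
SAMPLE_REQUESTS = [
    {"method": "GET", "uri": "/news.php?jnlp=0a1b2c3d4e", "ua": "JNLP/6.0 javaws/1.7.0_21"},
    {"method": "GET", "uri": "/files.php?af=1234567890&be=12345678901234567890&C=12",
     "ua": JAVA_UA, "ctype": "application/x-msdownload"},
    {"method": "GET", "uri": "/gallery/docs/g1package/images/.cache/"
     "?f=site.jar&k=8791629774058014&h=bcf52e8e32f17f53",
     "ua": JAVA_UA, "ctype": "application/java-archive"},
    {"method": "GET", "uri": "/gallery/images/0123456789/"
     "?f=s&k=8791629774058025&h=bcf52e8e32f17f53",
     "ua": JAVA_UA, "ctype": "application/octet-stream"},
    {"method": "GET", "uri": "/flashpack/ba0306utred/rotat.php?hash="
     "312e372e302e31313a382e322e342e3236383a31312e372e3730302e3230323a31333731323234363234"},
    {"method": "GET", "uri": "/arok2905yer/index.php?id=1"},
    {"method": "GET", "uri": "/arok2905yer/j17.php?i=2", "ctype": "application/java-archive"},
    # Tag-shaped, but 45 13 is no day/month: the regex alone would fire here
    {"method": "GET", "uri": "/arok4513yer/index.php?id=1"},
]


def scan(requests):
    """Map each URI to the signature names it fires (empty list = clean)."""
    return {r["uri"]: match_request(r) for r in requests}


if __name__ == "__main__":
    for uri, hits in scan(SAMPLE_REQUESTS).items():
        print(hits or ["-"], uri[:60])
```

Keeping the Content-Type and User-Agent conditions in the rule, rather than matching on the URI regex alone, is what keeps the BEK JAR and EXE rules from firing on every two-parameter PHP request, so a proxy log that lacks response headers needs the regex-only rules reviewed by hand.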