Monthly Archives: July 2013

Malvertising on Youtube.com redirects to EKs

— Update 8/1

This seems to lead to more EKs than just Sweet Orange (SO).

Redirects to EK Redirector from Youtube.com

HTTP Method = GET
HTTP Referer = http://www.youtube.com/*
Regex HTTP URI for ^http://[a-zA-Z0-9-.]+\/[a-z]+\/$

Examples:

top. lossa .be /pro/
zxroll. doniz .nl /stats/
purchasing. nookid .nl /stats/

Redirects to Sweet Orange EK from Youtube.com

Have seen a lot of this in the past week.

All domains are dynamic dns domains.

eg.

*.is-a-lawyer.com
*.servehalflife.com
*.no-ip.org
…many others

HTTP Method = GET
HTTP Referer = http://www.youtube.com/*
Regex HTTP URI for \.php\?[a-z]+=[0-9]+$

This also appears to have modified the URI of the EXE request in this case.

The last field is a longer number.

/trans.php?title=567&intl=672&licensing=4&bugs=147&warez=171&entry=730&game=270&mapa=189&asia=8&cart=807088360

A regex like this works:

\/[a-z]+?\.php\?([a-z]+?=[0-9]{1,3}&){4,}[a-z]+?=[0-9]+$

Sweet Orange IP Addresses

Example URIs

/administratie/guest/cnstats/releases.php?subject=92
/zip/releases.php?subject=92
/imode/webalizer/releases.php?subject=93
/panel/results/message.php?adclick=192
/gcc/mysql-admin/chat/releases.php?subject=93
/picture_library/releases.php?subject=92
/power_user/lite/message.php?adclick=192
/musics/fedora.php?read=58
/ccp14admin/gallery/loginflat/fedora.php?read=58
/haddan_files/releases.php?subject=92
/foren/test/webapp.php?display=64
/navSiteAdmin/gp/priv8/classes.php?plugins=127
/hpwebjetadmin/webmasters/classes.php?plugins=127
/engine/ftps/classes.php?plugins=128
/admincp/webapp.php?display=64
/bigadmin/webapp.php?display=64

Slight changes to STYX URI

*Update* 24.10.2013 —

These are some static fields you can use to detect:

*/pdfx.html
*/flsh.html
*/fnts.html
*/jovf.html
*/jorg.html
*/jvvn.html
*/retn.html
*/jply.html
*/iexp.html

See more examples of STYX EK exploits on UrlQuery.net

STYX EK has made some slight modifications to its URI obfuscation.

OLD:

/J2XPld0gMrg08M2J0MEBq0eX1m0NbRP0ricH0MZRK00RHW0UKjV0yAad03Ude14DiA0WOeP10CbU0GUur0Eo8D11YEU0KMWz0qVhx0xfO60Atj10XSPh17UCQ08ufB0YXUe0qxzZ12zIb0iWPJ0quFR0xwck0SxyU0IA9g0Elow09oES0xEd30cJJO0JY2l0W0IH0gzRe0WNa00PI2j1769W0ulO40hjiY09p6J0fk4l0CiHw13qbQ0LHoZ/KXbhhYJ.jar

NEW:

/TXB/zMC0/MnOs0ZJbE0_8aXu_0xee4/0aB-5t08L_Me0t_Cs-X0RqUB0/Xzpw04-Sb110n960_RkiQ_0VZWL0IF_HS0X8y_90RY_th09_wGN01OB_H0qC-Ls06QTK02-K9j0/64CC0B-u6i0mi/Sj0M_dkA0-X5lX0_PDMF-08Gz_y0ikHK0H/9VC0/kKCc0LcO_E0vxbI_0pgu_J1/8h6v0QuE_00-Ncmf-03xB_Q0weTh1_5qgG0_zNm9_0Mj-gA0v-Hvh0b1_YA109c_50YQ_kR/RYlzer.jar

STYX EK JAR

HTTP Method = GET
Content-type = application/x-java-archive
User-Agent = *Java/1.*
Regex HTTP URI for \/[a-zA-Z0-9-\/_]{200,}\.jar(\.pack\.gz)?$

STYX EK EXE

HTTP Method = GET
Content-type = NULL (Meaning it’s absent)
User-Agent = *Java/1.*
Regex HTTP URI for \/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+&h=[0-9]+$

Private Exploit Pack

@Kafeine has a complete writeup here. > http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html

This is very similar in URI structure to something found by @Set_Abominae. > http://pastebin.com/5LMq56bA

Chain:

/blog/post.php?name=lB5Uenr4V&id=57216084&page=730
/blog/js/PluginDetect.js
/blog/xwncgmxctx.php?x=3547129&id=57216084
/blog/xwncgmxctx.php?x=5512027&id=57216084 > JAR
/blog/com.class
/blog/net.class
/blog/org.class
/blog/edu.class
/blog/icakinsoef.php?x=5512027&id=57216084 > EXE

Private Exploit Pack JAR

HTTP Method = GET
User Agent = *Java/1.*
Content-Type = application/x-java-archive
Regex HTTP URI for \.php\?[a-z]+=[0-9]+&[a-z]+=[0-9]+$

Private Exploit Pack EXE

HTTP Method = GET
User Agent = *Java/1.*
Content-Type = application/octet-stream
Regex HTTP URI for \.php\?[a-z]+=[0-9]+&[a-z]+=[0-9]+$
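To run these signatures over proxy logs, here is an added example (my code, not from the original post) that puts the YouTube redirector, Sweet Orange, STYX and Private Exploit Pack rules above into one table and evaluates constructed log records against it. The record layout, the placeholder hosts and the Java User-Agent string are assumptions; hyphens have been moved to the end of the character classes so they read as literals in every regex engine.

```python
import re
from urllib.parse import urlsplit
# Rules transcribed from the notes above (all HTTP GET): name, referer regex, User-Agent
# regex (None = any), response Content-Type (None = any, "" = absent), "url"/"path", URI regex.
YT, JAVA = r"^http://www\.youtube\.com/", r"Java/1\."
PEP = r"\.php\?[a-z]+=[0-9]+&[a-z]+=[0-9]+$"
RULES = [
    ("YouTube->EK redirector", YT, None, None, "url", r"^http://[a-zA-Z0-9.-]+/[a-z]+/$"),
    ("Sweet Orange landing", YT, None, None, "path", r"\.php\?[a-z]+=[0-9]+$"),
    ("Sweet Orange EXE", None, None, None, "path", r"/[a-z]+?\.php\?([a-z]+?=[0-9]{1,3}&){4,}[a-z]+?=[0-9]+$"),
    ("STYX JAR", None, JAVA, "application/x-java-archive", "path", r"/[a-zA-Z0-9/_-]{200,}\.jar(\.pack\.gz)?$"),
    ("STYX EXE", None, JAVA, "", "path", r"/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+&h=[0-9]+$"),
    ("PEP JAR", None, JAVA, "application/x-java-archive", "path", PEP),
    ("PEP EXE", None, JAVA, "application/octet-stream", "path", PEP),
]

def match_rules(rec):
    """Names of every rule a proxy-log record satisfies. Assumed record layout:
    dict with method, url, referer, user_agent, content_type (the response's)."""
    if rec["method"] != "GET":  # every rule above is for GET requests
        return []
    p = urlsplit(rec["url"])
    path = p.path + ("?" + p.query if p.query else "")
    hits = []
    for name, ref, ua, ctype, target, uri in RULES:
        if ref and not re.search(ref, rec.get("referer") or ""):
            continue
        if ua and not re.search(ua, rec.get("user_agent") or ""):
            continue
        if ctype is not None and (rec.get("content_type") or "") != ctype:
            continue
        if re.search(uri, rec["url"] if target == "url" else path):
            hits.append(name)
    return hits

def rec(url, referer=None, ua="Mozilla/5.0", ctype="text/html"):
    return {"method": "GET", "url": url, "referer": referer, "user_agent": ua, "content_type": ctype}
JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"  # constructed Java client UA
SAMPLE_LOG = [  # constructed records: placeholder hosts, paths taken from the notes above
    rec("http://redir.example/stats/", referer="http://www.youtube.com/watch?v=x"),
    rec("http://h1.example/zip/releases.php?subject=92", referer="http://www.youtube.com/"),
    rec("http://h1.example/trans.php?title=567&intl=672&licensing=4&bugs=147&warez=171"
        "&entry=730&game=270&mapa=189&asia=8&cart=807088360", ua=JAVA_UA, ctype=None),
    rec("http://h2.example/" + "aZ9_-" * 45 + "/x.jar", ua=JAVA_UA, ctype="application/x-java-archive"),
    rec("http://h2.example/abc.exe?k=v1&h=42", ua=JAVA_UA, ctype=None),
    rec("http://h3.example/blog/icakinsoef.php?x=5512027&id=57216084", ua=JAVA_UA, ctype="application/octet-stream"),
    rec("http://www.example.com/index.php?id=5", referer="http://www.example.com/"),  # benign: not from YouTube
]
```

The last record shows why the referer and User-Agent conditions matter: `index.php?id=5` matches the Sweet Orange landing regex on its own but is not flagged without the YouTube referer.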

Whose port is it anyway?

Here’s a small listing of some kits and what tcp ports they have been using lately. Consider them to be a snapshot of the past 30 days as these are likely to change.

Neutrino EK

:8000/andhbdthgqofr?qdirmw=5283539
:8000/agqfhdo?qlpqjbjvlmud=8201532
:8000/atmjrsds?qgtkrdmghtro=403906

Cool/Styx

@Kafeine has a great in-depth look at this activity at http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html

:754/grateful_partly-panic.html
:754/dissipate-favourite_timing_breath.jar
:754/tshirt_spot.htm

Sakura EK

:38/mark-two_learn.php
:38/weather-begin.php

:443/pages/see.php
:443/pages/its.php
:443/pages/see.php

:52/against.php
:52/produce.php
:52/gone.php

:90/docs/sky.php
:90/docs/space.php

:9090/nothing.php
:9090/nothing.php

:96/docs/at.php
:96/docs/land.php

Sweet Orange EK

:6091/full/contrib/foodsites.php?amazon=82
:6091/profiles/foodsites.php?amazon=82
:6091/bbadmin/acct_login/clickheat/foodsites.php?amazon=82

:3811/vadmind/install.php?virus=221&demos=82&changes=745&pages=379&bugs=798&mapa=203
:3811/stores/competition/ladder/tramadol.php?plugins=33&promos=246&about_us=135&email=499&chapters=82&vote=336&export=225
:3811/upload/loginflat/partners.php?navbar=350&faculty=613&ports=82&training=627&generic=975&experts=19&giftsjob=865

:7149/ajax/internal/campaign.php?readme=454&story=384&voip=831&fonts=82&top_left=610

Glazunov EK

:8080/4856827694/8385.zip
:8080/3819449304/8.zip
:8080/3335683362/2295.zip

Sibhost EK

:85/ipy2nCAsCEymbrnYg0TC2V6lVgn4
:85/I26mpxrs5r0L8XLTyxJXIAHI6J1XyPtjEpLY1.zip

Recent Fiesta EK Tags

This is just a listing of popular Fiesta EK tags that have been seen recently.