Monthly Archives: September 2013

Turning Vendor Blog Posts Into Actionable Intelligence (re: Solarbot)

When I see blog posts like these, they make my day. Thanks ESET/Avast!

http://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/
https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/

The actionable data from them (IMO) is below:

Filename = *www.facebook.com.exe

HTTP Method = POST
Content-type = application/x-www-form-urlencoded
Content-length < 100
HTTP URI (not domain) = \/[a-z]+\/$
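The four network indicators above, applied to a raw HTTP request as one rule. This is an added example, not code from the post or from ESET/Avast; the two sample requests are constructed (the /solbrwq/ path on dabakhost.be is the VT-listed one from below, the POST body is made up), and the filename indicator is a host-side check that this network rule does not cover.

```python
import re

# Solarbot check-in rule from the post: POST, form-urlencoded, body under
# 100 bytes, and a URI of the form /<lowercase word>/ (no query string).
URI_RE = re.compile(r"\/[a-z]+\/$")


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def is_solarbot_checkin(raw):
    """True when all four network indicators from the post hold."""
    method, uri, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    # Trust the declared length; fall back to the real body size if absent.
    length = int(headers.get("content-length", len(body)))
    return (method == "POST"
            and ctype.startswith("application/x-www-form-urlencoded")
            and length < 100
            and URI_RE.search(uri) is not None)


# Constructed sample requests (not captures from the ESET/Avast writeups).
# /solbrwq/ on dabakhost.be is the VT-listed path below; the body is made up.
CHECKIN = ("POST /solbrwq/ HTTP/1.1\r\n"
           "Host: dabakhost.be\r\n"
           "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n"
           "Content-Length: 42\r\n\r\n"
           "v=1&u=EXAMPLE&h=0123456789abcdef0123456789")

# Same method, content type and URI shape, but a normal-sized login form:
# the Content-Length bound is what keeps this from firing.
LOGIN = ("POST /login/ HTTP/1.1\r\n"
         "Host: www.example.com\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n"
         "Content-Length: 180\r\n\r\n" + "a" * 180)

if __name__ == "__main__":
    print("check-in:", is_solarbot_checkin(CHECKIN))  # True
    print("login:", is_solarbot_checkin(LOGIN))        # False
```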

We can use great sites like VirusTotal, UrlQuery, Malwr.com, CleanMX, Malc0de.com, and some simple Google-fu to build more intelligence around the indicators that were given.

You can then turn around and use this in your environment to detect compromised machines.

dabakhost.be – 81.177.180.60

From VT

2013-08-28 04:15:56 http://dabakhost.be/solbrwq/
2013-08-09 22:40:17 http://dabakhost.be/Loader.exe

From UrlQuery

2013-08-09 04:29:35 http://dabakhost.be/Loader.exe [Russian Federation] 81.177.180.60

From CleanMX

http://privathosting.be/Solar.exe

terra-araucania.cl – 69.73.130.24

From VT

2013-08-28 12:16:00 http://terra-araucania.cl/
2013-08-28 03:57:10 http://terra-araucania.cl/solar/

xyz25.com – 92.243.18.120, 92.243.1.61

From VT

2013-08-16 13:17:33 http://xyz25.com/

From UrlQuery

2013-09-17 15:21:12 http://www.xyz25.com/mf2cqb60hvpg/j12515f1e3xelm6/Image_024-WWW.FACEBOOK.COM.exe
[France] 92.243.1.61

From Malwr.com

1. https://malwr.com/analysis/NjQ0N2YzNTMwMGNkNDJkMTg5ZGI5MjJiMTAyYmYyN2Q/
2. https://malwr.com/analysis/ZjUwZjZiOGJlZTk5NDgyNmE1MmFmM2JjNDAwZDBiODg/
3. https://malwr.com/analysis/MTlmMmQ0YjliNzM0NGQ5MmI4MGI4ZjkzMWVjYjUxNTI/

Some additional activity is seen in Report #2 that may or may not be related…

http://upload.tehran98.com/upme/uploads/91e26a25c62c3cd91.png – 144.76.94.237

GET /upme/uploads/91e26a25c62c3cd91.png HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Host: upload.tehran98.com
Connection: Keep-Alive

http://zxc.ao2r9k.com/l1I.php – 95.142.171.14

GET /l1I.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36
Host: zxc.ao2r9k.com
Cache-Control: no-cache

The User-Agent differs from the one in either of the writeups, which suggests the binary probably isn’t using a static UA.

yandafia.com – 85.25.208.82, 85.25.23.154, 93.190.141.106

From VT

2013-09-19 13:36:43 http://yandafia.com/456.exe
2013-08-31 14:23:37 http://yandafia.com/wp-admin/css/css/css/csx/
2013-07-29 15:00:54 http://yandafia.com/450.exe
2013-07-20 20:08:27 http://yandafia.com/order.php
2013-07-11 01:49:29 http://yandafia.com/

elzbthfntr.com – 37.139.3.132

From VT

2013-08-04 37.139.3.132

alfadente.com.br – 200.234.196.75

From VT

2013-09-26 14:27:10 http://alfadente.com.br/
2013-08-07 03:28:59 http://alfadente.com.br/Image.Skype.29.07.2013.exe
2013-08-04 03:35:25 http://alfadente.com.br/s.exe
2013-08-03 12:29:25 http://alfadente.com.br/i.exe

cmeef.info – 93.174.94.64, 178.238.237.110

From VT

2013-09-26 14:14:29 http://cmeef.info/e6ct/index.php
2013-09-05 15:16:41 http://cmeef.info/
2013-09-05 14:01:06 http://cmeef.info/e6ct/

From there you can pivot on the IPs to find more domains and start building IOCs for use in your network. Network analysis is iterative.

Detecting BEK via URI Parameters

This might only be interesting to me, but recently BEK has shifted from encoding like this:

.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A

To something nasty like this:

.php?r7!7K3620M97Xk=wd8e89wbw7&-89a2*_-8h*=8a8bwb8cwwwe8b8ew9w8&Ua3_--8O5u=ww&-5a*1!91=37A42!8!1*I&7!O7PE*N=4Rd*!9mb4

That looks somewhat like a nightmare, but what hasn’t changed is the number of parameters in the URI.

Old EXE URI…

1. Pf=
2. 6435663034&Ne=
3. 33613638373066373138&N=
4. 30&vi=
5. a&KB=
6. A

New EXE URI…

1. r7!7K3620M97Xk=
2. wd8e89wbw7&-89a2*_-8h*=
3. 8a8bwb8cwwwe8b8ew9w8&Ua3_--8O5u=
4. ww&-5a*1!91=
5. 37A42!8!1*I&7!O7PE*N=
6. 4Rd*!9mb4

In looking at this further, it appears that landings have 0 params, JARs have 3 params, PDFs have 5 params, and EXEs have 6 params.

Examples of Variants: (Scroll down on the urlquery link and expand the red JS execution)

/ngen/controlling/ BEK – http://urlquery.net/report.php?id=5463246
/closest/ BEK – http://urlquery.net/report.php?id=5885689

BEK JAR *Most Reliable*

HTTP Method = GET
HTTP URI = *.php?*
User-Agent = *Java/1.*
Content-type = application/x-java-archive
Regex HTTP URI = \.php\?([^=]+=){2}[^=]+$

BEK EXE *May FP*

HTTP Method = GET
User-Agent = *Java/1.*
Regex HTTP URI = \.php\?([^=]+=){5}[^=]+$
Regex HTTP URI != \/[a-z]+\.php (optional, to cut down FPs)
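The piece counting and both URI rules above, in code. Added example, not from the post: the query strings are the post's old and new EXE URIs, while the q7.php filename, the JAR query and the landing path are constructed. Note that "params" here are counted the way the post counts them, by splitting the query on "=", so five key=value pairs give six pieces, matching the {5} in the EXE regex.

```python
import re
from urllib.parse import urlsplit

# Piece counts as the post counts them: split the query on "=" and count
# the pieces, so the 5 key=value pairs in the EXE URIs give 6 pieces.
PIECES_TO_KIND = {0: "landing", 3: "jar", 5: "pdf", 6: "exe"}

# The post's URI regexes, applied to the request path+query.
JAR_RE = re.compile(r"\.php\?([^=]+=){2}[^=]+$")
EXE_RE = re.compile(r"\.php\?([^=]+=){5}[^=]+$")
EXE_FP_RE = re.compile(r"\/[a-z]+\.php")  # the post's optional FP exclusion


def query_pieces(uri):
    """Return the '='-separated pieces of the query string ([] if none)."""
    query = urlsplit(uri).query
    return query.split("=") if query else []


def classify_bek(uri):
    """Map a BEK-style URI to landing/jar/pdf/exe by piece count, else None."""
    return PIECES_TO_KIND.get(len(query_pieces(uri)))


def match_bek_rules(uri, user_agent, content_type=""):
    """Apply the post's JAR and EXE rules to one GET request's fields."""
    if not user_agent.startswith("Java/1."):
        return None
    if JAR_RE.search(uri) and content_type == "application/x-java-archive":
        return "jar"
    if EXE_RE.search(uri) and not EXE_FP_RE.search(uri):
        return "exe"
    return None


# Query strings are the post's old and new EXE examples; the q7.php filename,
# the JAR query and the landing path are constructed for this example.
OLD_EXE = "/q7.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A"
NEW_EXE = ("/q7.php?r7!7K3620M97Xk=wd8e89wbw7&-89a2*_-8h*=8a8bwb8cwwwe8b8ew9w8"
           "&Ua3_--8O5u=ww&-5a*1!91=37A42!8!1*I&7!O7PE*N=4Rd*!9mb4")
JAR = "/q7.php?a1b2c3=9f8e&Kx9=77"
LANDING = "/closest/"

if __name__ == "__main__":
    for uri in (LANDING, JAR, OLD_EXE, NEW_EXE):
        print(len(query_pieces(uri)), classify_bek(uri), uri[:40])
```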

HTML Ransomware (Browlock)

F-Secure has good writeups w/ pics.

Domains


Recent IPs

193.169.87.14
195.20.141.61
91.220.131.56
91.220.131.106
91.220.131.193
91.220.131.108

Regex

URI:
\/\?flow_id[0-9&=]+\/case_id=[0-9]+$

Domains:
\.id[0-9]{9}\-[0-9]{10}\.[a-z][0-9]{4}\.com$

Sakura EK on waw.pl domains

I’ve noticed Sakura active on the waw.pl root domain.

As @kafeine notes, this is a TDS in front of a particular instance of Sakura.

Examples

adscarl.liabufa.waw.pl/?joke=9
a6johns.omegdia.waw.pl/?joke=9
a2publi.foscidir.waw.pl/?joke=9
99calva.lofnala.waw.pl/?foll=2
7bqjis.triptenlu.waw.pl/?foll=2

Tags seen include joke, poke, moon, foll, good, hera, key, etc.

IPs

50.7.177.254 (fdcservers nl)
50.7.177.253 (fdcservers nl)
50.7.178.13 (fdcservers nl)
85.17.122.119 (leaseweb nl)

Regex for TDS domains

^[a-z0-9]{6,7}\.[a-z]+\.waw\.pl$

Alternate Regex for TDS URI

\.waw\.pl\/\?[a-z]+=[0-9]+?$
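The Browlock domain/URI regexes and the two Sakura TDS regexes above, run as one ruleset over proxy log lines. Added example, not from either post: the log format and the log lines are constructed (the Browlock-shaped hostname uses made-up id and x1234 values; the a6johns.omegdia.waw.pl entry is from the examples above), and the third line shows a hostname that fails the Sakura host regex but is still caught by the URI regex.

```python
import re

# Regexes exactly as given in the Browlock and Sakura posts. "host" rules run
# against the hostname, "url" rules against the full URL (the Sakura URI regex
# needs the .waw.pl suffix; the Browlock one is $-anchored, so the full URL is fine).
RULES = [
    ("browlock", "url", re.compile(r"\/\?flow_id[0-9&=]+\/case_id=[0-9]+$")),
    ("browlock", "host", re.compile(r"\.id[0-9]{9}\-[0-9]{10}\.[a-z][0-9]{4}\.com$")),
    ("sakura-tds", "host", re.compile(r"^[a-z0-9]{6,7}\.[a-z]+\.waw\.pl$")),
    ("sakura-tds", "url", re.compile(r"\.waw\.pl\/\?[a-z]+=[0-9]+?$")),
]

# Constructed proxy log format: "<timestamp> <client> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def split_url(url):
    """Return (host, url) for an http(s) URL; None if it does not look like one."""
    if "://" not in url:
        return None
    host = url.split("://", 1)[1].split("/", 1)[0].lower()
    return host, url


def scan(lines):
    """Return {url: sorted families} for every log line that hits a rule."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or split_url(m.group("url")) is None:
            continue
        host, url = split_url(m.group("url"))
        families = {fam for fam, field, rx in RULES
                    if rx.search(host if field == "host" else url)}
        if families:
            hits[url] = sorted(families)
    return hits


# Constructed log lines: one Browlock-shaped host (id/x1234 values made up),
# two Sakura hits (the second fails the host regex but not the URI regex),
# and one benign request.
SAMPLE_LOG = [
    "2013-09-20T10:01:02Z 10.0.0.5 GET http://police.example.id123456789-1234567890.x1234.com/?flow_id=1234/case_id=567890",
    "2013-09-20T10:02:15Z 10.0.0.7 GET http://a6johns.omegdia.waw.pl/?joke=9",
    "2013-09-20T10:02:40Z 10.0.0.7 GET http://toolong12.omegdia.waw.pl/?foll=2",
    "2013-09-20T10:03:01Z 10.0.0.9 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    for url, fams in scan(SAMPLE_LOG).items():
        print(",".join(fams), url)
```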