Turning Vendor Blog Posts Into Actionable Intelligence (re: Solarbot)

When I see blog posts like these, they make my day. Thanks ESET/Avast!

The actionable data from them (IMO) is the below:

Filename = *

HTTP Method = POST
Content-type = application/x-www-form-urlencoded
Content-length < 100
HTTP URI (not domain) = \/[a-z]+\/$
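As an added example (not code from the original post), here is the rule above expressed as a small Python matcher and run over a few constructed HTTP request heads; the host names and the sample requests are made up for the demonstration:

```python
import re
from dataclasses import dataclass, field

# The four conditions from the post: a small form-encoded POST to a URI that
# ends in /<lowercase word>/ (the URI regex is the post's own).
URI_RE = re.compile(r"/[a-z]+/$")
CTYPE = "application/x-www-form-urlencoded"
MAX_LEN = 100

@dataclass
class Request:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)

def parse_request(raw: str) -> Request:
    """Parse a raw HTTP request head (request line plus headers) into a Request."""
    lines = raw.strip().splitlines()
    method, uri, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, uri, headers)

def is_solarbot_checkin(req: Request) -> bool:
    """True only when all four conditions from the post hold for this request."""
    ctype = req.headers.get("content-type", "").split(";")[0].strip().lower()
    try:
        clen = int(req.headers.get("content-length", ""))
    except ValueError:          # missing or non-numeric length cannot satisfy "< 100"
        return False
    return (req.method == "POST" and ctype == CTYPE
            and clen < MAX_LEN and URI_RE.search(req.uri) is not None)

# Constructed request heads (hypothetical hosts; not captures from the post).
SAMPLES = {
    "checkin":  "POST /forum/ HTTP/1.1\r\nHost: c2.example.test\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n",
    "login":    "POST /login.php HTTP/1.1\r\nHost: www.example.test\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n",
    "big_post": "POST /data/ HTTP/1.1\r\nHost: www.example.test\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 2048\r\n",
    "get":      "GET /data/ HTTP/1.1\r\nHost: www.example.test\r\n",
}

def classify_samples() -> dict:
    """Map each sample name to whether it trips the Solarbot rule."""
    return {name: is_solarbot_checkin(parse_request(raw)) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:9s} -> {'ALERT' if hit else 'ok'}")
```

Only the first sample trips all four conditions; a normal login form POST fails on the URI, a large POST fails on the length, and a GET fails on the method and the missing Content-Length.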

We’re able to use great sites like VirusTotal, UrlQuery, CleanMX, and some simple google-fu to build more intelligence around the indicators that were given.

You can then turn around and use this in your environment to detect compromised machines.


Some additional activity is seen in Report #2 that may or may not be related…

GET /upme/uploads/91e26a25c62c3cd91.png HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Connection: Keep-Alive

GET /l1I.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36
Cache-Control: no-cache

The UA is different than in either of the writeups, which shows us that the binary probably isn’t using a static UA.

From there you can pivot from the IPs to more domains and start building IOCs for use in your network. Network analysis is iterative.

Detecting BEK via URI Parameters

This might only be interesting to me, but recently BEK has shifted from encoding like this:


To something nasty like this:


That looks somewhat like a nightmare, but what hasn’t changed is the number of parameters in the URI.


1. Pf=
2. 6435663034&Ne=
3. 33613638373066373138&N=
4. 30&vi=
5. a&KB=
6. A


1. r7!7K3620M97Xk=
2. wd8e89wbw7&-89a2*_-8h*=
3. 8a8bwb8cwwwe8b8ew9w8&Ua3_–8O5u=
4. ww&-5a*1!91=
5. 37A42!8!1*I&7!O7PE*N=
6. 4Rd*!9mb4

Looking at this further, it appears that landings have 0 params, JARs have 3, PDFs have 5, and EXEs have 6 (counting the ‘=’-separated pieces as in the lists above).

Examples of Variants: (Scroll down on the urlquery link and expand the red JS execution)

/ngen/controlling/ BEK
/closest/ BEK

BEK JAR *Most Reliable*

HTTP Method = GET
HTTP URI = *.php?*
User-Agent = *Java/1.*
Content-type = application/x-java-archive
Regex HTTP URI = \.php\?([^=]+=){2}[^=]+$


HTTP Method = GET
User-Agent = *Java/1.*
Regex HTTP URI = \.php\?([^=]+=){5}[^=]+$
Regex HTTP URI != \/[a-z]+\.php (optional, to cut down FPs)
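As an added example (not code from the original post), the param counting from the numbered lists and the JAR/EXE URI rules above in Python. The two EXE query strings are the post’s own, re-joined from its lists; the path and script name in front of them, the JAR sample and the User-Agent are constructed placeholders:

```python
import re

# Regexes quoted in the post. "Params" are counted the way the post's numbered
# lists do: the query string split on '=', so five '=' signs make six params.
JAR_URI_RE = re.compile(r"\.php\?([^=]+=){2}[^=]+$")   # 3 params -> JAR
EXE_URI_RE = re.compile(r"\.php\?([^=]+=){5}[^=]+$")   # 6 params -> EXE
SHORT_PHP_RE = re.compile(r"/[a-z]+\.php")             # optional FP filter
JAVA_UA_RE = re.compile(r"Java/1\.")
JAR_CTYPE = "application/x-java-archive"

BY_COUNT = {0: "landing", 3: "jar", 5: "pdf", 6: "exe"}

def param_count(uri: str) -> int:
    """Number of '='-separated pieces in the query string (0 if there is none)."""
    _, sep, query = uri.partition("?")
    return len(query.split("=")) if sep and query else 0

def classify_by_count(uri: str) -> str:
    return BY_COUNT.get(param_count(uri), "unknown")

def matches_jar_rule(uri: str, user_agent: str, content_type: str) -> bool:
    return (JAVA_UA_RE.search(user_agent) is not None
            and content_type == JAR_CTYPE
            and JAR_URI_RE.search(uri) is not None)

def matches_exe_rule(uri: str, user_agent: str, drop_short_php: bool = True) -> bool:
    # drop_short_php applies the post's optional "!= \/[a-z]+\.php" filter
    if drop_short_php and SHORT_PHP_RE.search(uri):
        return False
    return JAVA_UA_RE.search(user_agent) is not None and EXE_URI_RE.search(uri) is not None

# Constructed path/script name; query strings are the post's two EXE examples
# (the '–' in the second one is kept exactly as it appears in the post).
OLD_STYLE = "/ngen/controlling/4f8a2c.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A"
NEW_STYLE = ("/ngen/controlling/4f8a2c.php?r7!7K3620M97Xk=wd8e89wbw7&-89a2*_-8h*="
             "8a8bwb8cwwwe8b8ew9w8&Ua3_–8O5u=ww&-5a*1!91=37A42!8!1*I&7!O7PE*N=4Rd*!9mb4")
JAR_SAMPLE = "/closest/4f8a2c.php?a=1&b=2"                 # constructed, 3 params
JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_25"     # constructed

if __name__ == "__main__":
    for uri in (OLD_STYLE, NEW_STYLE, JAR_SAMPLE, "/ngen/controlling/"):
        print(param_count(uri), classify_by_count(uri), uri[:40])
```

Both the old and the new-style EXE URIs come out at 6 params and match the `{5}` regex, while the 3-param JAR URI matches only the `{2}` regex, which is the point the post makes about the obfuscation change.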

HTML Ransomware (Browlock)

F-Secure has good writeups w/ pics.

Sakura EK on waw .pl domains

I have noticed Sakura active on the root domain.

As @kafeine notes, this is a TDS in front of a particular instance of Sakura.


adscarl.liabufa.waw. pl/?joke=9
a6johns.omegdia.waw .pl/?joke=9
a2publi.foscidir.waw. pl/?joke=9
99calva.lofnala.waw .pl/?foll=2
7bqjis.triptenlu.waw. pl/?foll=2

Tags seen include joke, poke, moon, foll, good, hera, key, etc.

IPs: three hosted at fdcservers (NL), one at leaseweb (NL).

Regex for TDS domains


Alternate Regex for TDS URI