Detecting BEK via URI Parameters

This might only be interesting to me, but recently BEK has shifted from encoding like this:

.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A

To something nasty like this:

.php?r7!7K3620M97Xk=wd8e89wbw7&-89a2*_-8h*=8a8bwb8cwwwe8b8ew9w8&Ua3_--8O5u=ww&-5a*1!91=37A42!8!1*I&7!O7PE*N=4Rd*!9mb4

That looks somewhat like a nightmare, but what hasn’t changed is the number of parameters in the URI.

Old EXE URI…

1. Pf=
2. 6435663034&Ne=
3. 33613638373066373138&N=
4. 30&vi=
5. a&KB=
6. A

New EXE URI…

1. r7!7K3620M97Xk=
2. wd8e89wbw7&-89a2*_-8h*=
3. 8a8bwb8cwwwe8b8ew9w8&Ua3_--8O5u=
4. ww&-5a*1!91=
5. 37A42!8!1*I&7!O7PE*N=
6. 4Rd*!9mb4

In looking at this further, it appears that landings have 0 params, JARs have 3 params, PDFs have 5 params, and EXEs have 6 params.

Examples of Variants: (Scroll down on the urlquery link and expand the red JS execution)

/ngen/controlling/ BEK – http://urlquery.net/report.php?id=5463246
/closest/ BEK – http://urlquery.net/report.php?id=5885689

BEK JAR *Most Reliable*

HTTP Method = GET
HTTP URI = *.php?*
User-Agent = *Java/1.*
Content-type = application/x-java-archive
Regex HTTP URI = \.php\?([^=]+=){2}[^=]+$

BEK EXE *May FP*

HTTP Method = GET
User-Agent = *Java/1.*
Regex HTTP URI = \.php\?([^=]+=){5}[^=]+$
Regex HTTP URI != \/[a-z]+\.php (optional, to cut down FPs)
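The two rules above, plus the parameter-count heuristic, turned into a small checker. This is an added example, not code from the post. It reads the post's "params" the way the numbered lists do (pieces of the query string when split on "="), treats the Content-type field as the transaction's Content-Type, and uses constructed log entries; the PDF count is only mapped, since the post gives no regex for it.

```python
import re

# Signatures as written in the post. Each "name=value" pair contributes one
# "=", so {2} means three "="-separated pieces (the post's "3 params") and
# {5} means six pieces (the post's "6 params").
BEK_JAR_URI = re.compile(r"\.php\?([^=]+=){2}[^=]+$")
BEK_EXE_URI = re.compile(r"\.php\?([^=]+=){5}[^=]+$")
# The post's optional FP filter: a plain lowercase script name like /index.php.
PLAIN_PHP_NAME = re.compile(r"/[a-z]+\.php")
# Piece counts the post reports per payload type (no PDF regex is given).
PIECES_TO_PAYLOAD = {0: "landing", 3: "jar", 5: "pdf", 6: "exe"}

def count_pieces(uri):
    """Count the query string's pieces when split on '=', the way the post's
    numbered lists do. No query string at all counts as 0."""
    _, sep, query = uri.partition("?")
    return query.count("=") + 1 if sep and query else 0

def classify_by_pieces(uri):
    """Payload type the post associates with the URI's piece count, or None."""
    return PIECES_TO_PAYLOAD.get(count_pieces(uri))

def match_bek(method, uri, user_agent, content_type=None, drop_plain_names=False):
    """Apply the post's JAR and EXE rules to one transaction; returns 'jar',
    'exe' or None. drop_plain_names switches on the optional EXE filter."""
    if method != "GET" or "Java/1." not in user_agent or ".php?" not in uri:
        return None
    if BEK_JAR_URI.search(uri) and content_type == "application/x-java-archive":
        return "jar"
    if BEK_EXE_URI.search(uri) and not (drop_plain_names and PLAIN_PHP_NAME.search(uri)):
        return "exe"
    return None

# Constructed sample transactions (method, URI, User-Agent, Content-Type);
# the first two reuse the post's URI shapes, the third is a benign look-alike.
SAMPLE_LOG = [
    ("GET", "/ngen/controlling/f7b2.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A",
     "Java/1.7.0_07", None),
    ("GET", "/closest/q.php?r7!7K=wd8e&-89a2=8a8bwb8c", "Java/1.6.0_31",
     "application/x-java-archive"),
    ("GET", "/index.php?id=1&page=2&sort=3&dir=4&lang=5", "Java/1.7.0_07", None),
    ("GET", "/closest/", "Mozilla/5.0", "text/html"),
]

def scan(log=SAMPLE_LOG, drop_plain_names=False):
    """Verdict for every transaction in the log, in order."""
    return [match_bek(m, u, ua, ct, drop_plain_names) for m, u, ua, ct in log]
```

The third entry shows why the `!= /[a-z]+.php` filter exists: a six-piece query on a plain script name fires the EXE regex until the filter is switched on.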
