HTML Ransomware (Browlock)

F-Secure has good writeups w/ pics.

Domains

http://polizei. de.id418617766-7663 816001.h2558 .com/
http://polizia- penitenziaria.it.id 560639580-7614024630.h2558 .com/
http://fbi.gov. id503845846-4250343 921.e3485 .com/
http://europol. europe.eu.id4571150 76-3952336761.h2558 .com/
http://europol. europe.eu.france.id 939452574-6333297494.s1523 .com/
http://politie. nl.id710883125-2999 810328.v2783 .com/
http://afp.gov. au.id242687187-1661 635308.z3476 .com/
http://police.h u.id134465522-91392 26962.e6751 .com/
http://policia. es.id130353034-4831 771390.k5741 .com/
http://rcmp.gc. ca.id768819119-3487 405861.z3476 .com/
http://polizei. gv.at.id912354877-1 044451441.e2456 .com/
http://police.g ovt.nz.id657546456- 3999456674.e9635 .com/
http://polisen. se.id537054689-8785 274190.i6468 .com/
http://politi.n o.id549630431-46653 99949.e8679 .com
http://polfed-f edpol.be.id32168266 1-5528465056.z3476 .com/
http://policja. pl.id906759031-7211 363077.p8569 .com/
http://cyberpol ice.lt.id252161139- 4927948242 .q3754.com
http://cybercri meunit.gr.id2521611 39-4927948242.q3754 .com
http://astynomi a.gr.id252161139-49 27948242.q3754 .com
http://asp.gov. al.id252161139-4927 948242.q3754 .com
http://egm.gov. tr.id186914923-5094 277828.o4854 .com
http://fia.gov. pk.id252161139-4927 948242.q3754 .com/
http://poliisi. no.id252161139-4927 948242.q3754 .com/
http://nr3c.gov .pk.id252161139-492 7948242.q3754 .com/
http://npa.go.j p.id423342221-90402 40625.h6785 .com/
http://npb.gov. pk.id252161139-4927 948242.q3754 .com/
http://mchs.gov .ru.id252161139-492 7948242.q3754 .com/
http://logregla .is.id252161139-492 7948242.q3754 .com/
http://mvr.bg.i d252161139-49279482 42.q3754 .com/
http://politiar omana.ro.id25216113 9-4927948242.q3754 .com/
http://police.i s.id252161139-49279 48242.q3754 .com/
http://rusipa.r u.id252161139-49279 48242.q3754 .com/
http://police.g ov.mt.id252161139-4 927948242.q3754 .com/
http://policija .hr.id252161139-492 7948242.q3754 .com/
http://mvdrf.ru .id252161139-492794 8242.q3754 .com/

Recent IPs

193.169.87.14
195.20.141.61
91.220.131.56
91.220.131.106
91.220.131.193
91.220.131.108

Regex

URI:
\/\?flow_id[0-9&=]+\/case_id=[0-9]+$

Domains:
\.id[0-9]{9}\-[0-9]{10}\.[a-z][0-9]{4}\.com$

Sakura EK on waw .pl domains

Have noticed Sakura active on waw.pl root domain.

As @kafeine notes, this is a TDS in front of a particular instance of Sakura.

Examples

adscarl.liabufa.waw. pl/?joke=9
a6johns.omegdia.waw .pl/?joke=9
a2publi.foscidir.waw. pl/?joke=9
99calva.lofnala.waw .pl/?foll=2
7bqjis.triptenlu.waw. pl/?foll=2

Tags seen include joke, poke, moon, foll, good, hera, key, etc.

IPs

50.7.177.254 (fdcservers nl)
50.7.177.253 (fdcservers nl)
50.7.178.13 (fdcservers nl)
85.17.122.119 (leaseweb nl)

Regex for TDS domains

^[a-z0-9]{6,7}\.[a-z]+\.waw\.pl$

Alternate Regex for TDS URI

\.waw\.pl\/\?[a-z]+=[0-9]+?$
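As an added example (my own code, not part of these notes), here is a small Python checker that applies the Browlock host and URI regexes from the HTML Ransomware section and the Sakura waw.pl TDS domain and URI regexes from this section to constructed proxy-log lines. The capture groups added to the Browlock host regex, and every host, id and client address in the sample log, are my own constructions, not indicators from the listings.

```python
import re

# Browlock host pattern from the Domains regex above; capture groups are added here (not in
# the original) so the impersonated agency label, the victim id pair and the node label can
# be pulled out for reporting.
BROWLOCK_HOST = re.compile(
    r"^(?P<agency>[a-z0-9.-]+?)\.id(?P<id1>[0-9]{9})-(?P<id2>[0-9]{10})"
    r"\.(?P<node>[a-z][0-9]{4})\.com$"
)
# Browlock lock-page URI pattern from the URI regex above.
BROWLOCK_URI = re.compile(r"/\?flow_id[0-9&=]+/case_id=[0-9]+$")

# Sakura TDS patterns: the domain regex and the alternate URI regex above. The URI regex keys
# on the ".waw.pl/?" boundary, so it is applied to host + URI here.
SAKURA_HOST = re.compile(r"^[a-z0-9]{6,7}\.[a-z]+\.waw\.pl$")
SAKURA_URI = re.compile(r"\.waw\.pl/\?(?P<tag>[a-z]+)=[0-9]+$")

# Constructed sample proxy log, one "<time> <client> <host> <uri>" record per line. Hosts,
# ids and addresses are made up for this example and are not indicators from the listings.
SAMPLE_LOG = """\
2013-08-01T10:00:01 10.0.0.5 polizei.example.id123456789-1234567890.h2558.com /?flow_id=123456/case_id=654321
2013-08-01T10:00:02 10.0.0.5 www.example.org /index.html
2013-08-01T10:00:03 10.0.0.7 x7qwe12.lorbanu.waw.pl /?joke=9
2013-08-01T10:00:04 10.0.0.7 shop.waw.pl /?joke=9
2013-08-01T10:00:05 10.0.0.9 fbi.example.id987654321-0987654321.e3485.com /landing.html
"""


def classify(host, uri):
    """Return (family, detail) when host/uri hit one of the signatures, else None."""
    m = BROWLOCK_HOST.match(host)
    if m:
        # A host match alone flags the infrastructure; the URI regex confirms the lock page.
        kind = "landing" if BROWLOCK_URI.search(uri) else "host-only"
        return ("browlock",
                f"{kind} impersonating {m['agency']} id={m['id1']}-{m['id2']} node={m['node']}")
    if SAKURA_HOST.match(host):
        m = SAKURA_URI.search(host + uri)
        return ("sakura-tds", f"tag={m['tag']}" if m else "tag=?")
    return None


def scan_log(text):
    """Apply classify() to every log line; returns (client, host, family, detail) tuples."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _time, client, host, uri = line.split()
        verdict = classify(host.lower(), uri)
        if verdict:
            hits.append((client, host, *verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The Browlock host regex alone is enough to flag the infrastructure, so the URI regex is used only to separate the lock page itself from other requests to the same host; the Sakura domain regex rejects the four-letter `shop.waw.pl` host because the TDS labels are six or seven characters.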

30 days of Neutrino Domains/IPs

This is just a quick sum of Neutrino utilization on port 8000 in the past 30 days.

IPs Utilized:

178.175.140.197
62.113.243.251
46.37.184.57
46.37.167.131
37.139.20.190
37.139.13.5
178.32.72.132
94.249.196.115
37.139.2.46

Root dyndns domains utilized:

barrel-of-knowledge.info
blogdns.net
blogsite.org
dnsalias.com
dnsalias.net
dnsdojo.org
doesntexist.com
dynalias.com
dynalias.net
dyndns-at-work.com
dyndns-free.com
dyndns-mail.com
dyndns-office.com
dyndns-remote.com
dyndns-server.com
dyndns.biz
dyndns.info
dyndns.org
dyndns.ws
from-mn.com
from-mo.com
from-nh.com
from-sc.com
game-host.org
game-server.cc
go.dyndns.org
gotdns.com
gotdns.org
ham-radio-op.net
homedns.org
homelinux.com
homelinux.net
homelinux.org
homeunix.com
is-a-doctor.com
is-a-geek.com
is-a-geek.net
is-a-hard-worker.com
is-a-nurse.com
is-a-rockstar.com
is-a-soxfan.org
is-a-student.com
is-a-teacher.com
is-into-games.com
isa-geek.net
isa-hockeynut.com
likes-pie.com
merseine.nu
mine.nu
mypets.ws
office-on-the.net
selfip.biz
selfip.info
servegame.org
webhop.org

PDNS from Virustotal:

2013-07-14 fohespwhsxdeoevgupi.isa-geek.net
2013-07-15 evmyxyowcggqnnqub.gotdns.com
2013-07-27 ucxscsdordjwmjftomqxw.dnsdojo.org
2013-07-29 bfdxurkbhmksnqnfvurt.mine.nu
2013-07-29 cuvrbrygnunjuqcsu.dyndns-free.com
2013-07-29 huydsxfmbmdvdsekxcrs.dyndns-free.com
2013-07-29 jqurrdpjldv.mine.nu
2013-07-29 kemepjknmqlrgqeewmkeq.mine.nu
2013-07-29 lhybcjigicwiyucj.mine.nu
2013-07-29 lyixmpofgpko.mine.nu
2013-07-29 mmipspcgixgmc.mine.nu
2013-07-29 qbpvjjlrkmlfbtmty.mine.nu
2013-07-30 djikdstrjtnpixp.mine.nu
2013-07-30 dqxjtiuctrvhd.home.dyndns.org
2013-07-30 imxkurddgimms.mine.nu
2013-07-30 ipcxsgvgpbvhtlkpqbug.mine.nu
2013-07-30 itringjhlkol.mine.nu
2013-07-30 klxyfhxcmrnynoflofvf.home.dyndns.org
2013-07-30 lyofjykhvgomhnfnj.mine.nu
2013-07-30 oncpytncsfchbujgjno.mine.nu
2013-07-31 bxwqvjgbmqk.dyndns.info
2013-07-31 opvqxlpedljgfrlmx.dyndns.info
2013-08-02 loovimhryji.doesntexist.com
2013-08-02 slqvfsisiec.doesntexist.com
2013-08-03 chvfdfpcnnlsq.from-mo.com
2013-08-03 dpdcwybxyemvmbvtqx.game-server.cc
2013-08-03 idlehljfrtyreubvccpyv.dnsdojo.org
2013-08-04 yquyhcmxnqfcvtcmifio.blogdns.net
2013-08-05 epbwiktxkjqfhjdbmhc.dyndns.biz
2013-08-05 ffekmnfjpkwgfubbkdjle.dyndns-mail.com
2013-08-05 fhnvreuudrurwtvvysyt.dyndns.biz
2013-08-05 gxwwncvhctfvjgvihms.dyndns-mail.com
2013-08-05 herqlqxdywyofyfy.dyndns.biz
2013-08-06 cgejxoygmcmijnkft.is-a-geek.net
2013-08-06 crudulitynhdmvfs.homedns.org
2013-08-06 eduhcxsjtcwxod.dyndns-office.com
2013-08-06 gexfrfhebmws.homedns.org
2013-08-06 hvjcwgbljvd.dyndns-office.com
2013-08-06 ijrvgifrtpuiyjqyyv.dyndns-office.com
2013-08-07 dknendudbxibkucs.selfip.biz
2013-08-07 evohqrhpyib.selfip.biz
2013-08-07 icccbicuyogpdggkngmld.from-nh.com
2013-08-07 ijuyfvuetwmw.from-nh.com
2013-08-09 cuscusramd.com
2013-08-13 heeiyhqmrpmen.homeunix.com
2013-08-15 btovvdqbpuswlvtqdns.dynalias.com
2013-08-15 buuyutwvijnxtlwnicsr.dynalias.com
2013-08-15 cqbrtyemqcnlvmgq.dynalias.com
2013-08-15 dqhwsqrnrykki.dynalias.com
2013-08-15 dvfhsdisfpnnpofiv.dynalias.com
2013-08-15 emusioqsklknxdxfbxym.dynalias.com
2013-08-15 eyldiklxipeypwevmmhlg.dynalias.com
2013-08-15 fjljyopdxmsq.dynalias.com
2013-08-15 ginxixipxfg.dynalias.com
2013-08-15 sbrrneojcgycxy.dnsalias.net
2013-08-15 ymucnychdhfleq.dnsalias.net
2013-08-16 nchewvcysgctcql.barrel-of-knowledge.info
2013-08-17 efdtwohdpghivooom.homelinux.org
2013-08-17 inmetr.lorenzobenitez.net
2013-08-17 mdhfsvtuugt.homelinux.org
2013-08-17 ncuguymmxjblqn.dynalias.net
2013-08-19 cxrpvisjujpnl.homelinux.com
2013-08-19 dnocgbovhyt.homelinux.com
2013-08-19 fekmsvcyqysuuvfib.homelinux.com
2013-08-19 fuejneifgblstxommvh.homelinux.com
2013-08-19 klrjkhvtosxkspyg.barrel-of-knowledge.info
2013-08-19 qckerkeimucyljuo.homelinux.com
2013-08-19 qxpgeyvuwfcggo.homelinux.com
2013-08-19 sulueddcpxwuitdq.homelinux.com
2013-08-20 cjqpjhcpjfuchobnhr.dnsalias.com
2013-08-20 dqicecyvjtjpjiykrug.dnsalias.com
2013-08-20 drnfohqeolpydms.is-a-nurse.com
2013-08-20 fgedcdyrsegf.is-a-nurse.com
2013-08-20 fjkvhkjoljjnyqpesoyci.dnsalias.com
2013-08-20 tjskrndtdvq.homelinux.net
2013-08-21 eudokkqrbmljhfwuof.game-host.org
2013-08-21 fliytctmdbwypfbbxesxx.game-host.org
2013-08-21 teuewjlbdkowylouuoj.game-host.org
2013-08-24 fhdgicbhdvplyogeiqjj.dyndns.org
2013-08-24 kigqmdtobip.dyndns.org
2013-08-24 kxulhtoscru.dyndns.org
2013-08-25 bscxwytnylwpmg.homelinux.com
2013-08-25 fowsnxpeqlkfqb.homelinux.com
2013-08-25 hfcvvosrcdbwcubib.homelinux.com
2013-08-25 mhikmpnxbvqsvgofq.homelinux.com
2013-08-25 nslerbqfcmvvcpiglny.dynalias.com
2013-08-26 nxxesqogrmykpswvhvd.homelinux.com
2013-08-28 bkskrdrumuovejhdi.dyndns-at-work.com
2013-08-28 bmmhkoxpxjxugje.is-a-soxfan.org
2013-08-28 ebqcqwwnqdxugsidfie.is-a-soxfan.org
2013-08-28 eekbvlmjprrkmfkioxnf.is-a-soxfan.org
2013-08-28 fmcxfcvvvyhyfvkootc.is-a-soxfan.org
2013-08-28 frjbwbstkvbf.is-a-soxfan.org
2013-08-28 gpwmwmdbkyenkfkvrsl.is-a-soxfan.org
2013-08-28 guitxfefsmerbedsou.dyndns-at-work.com
2013-08-28 hpicefgmmjudoqkioomt.dyndns-at-work.com
2013-08-28 ihncgxdrgjkiwvlje.is-a-soxfan.org
2013-08-28 imvrmbgvfqrvjeguydkf.is-a-soxfan.org
2013-08-28 kmlrjwxurxw.is-a-soxfan.org
2013-08-28 knrvgbsevkdtx.is-a-soxfan.org
2013-08-28 luvpgefeqkwwyuk.is-a-soxfan.org
2013-08-28 lwfitrywqudkdgpl.is-a-soxfan.org
2013-08-28 mcwcjsmhvytpr.is-a-soxfan.org
2013-08-28 ocrlypitodq.dyndns-at-work.com
2013-08-28 pepqmdouhnioxivbms.dyndns-at-work.com
2013-08-28 pgxfmikqgve.dyndns-at-work.com
2013-08-28 rjkdwiugxuyuqbgb.dyndns-at-work.com
2013-08-29 ckohptxxrsrrggbv.is-a-geek.com
2013-08-29 fugmdxtqrphsqudljpnpo.dyndns.biz
2013-08-29 gvngnqmugpie.dyndns.biz
2013-08-29 hrxcnctoqjytmgbghg.dyndns.biz
2013-08-29 jgtbxmrersblueoyfybv.is-a-geek.com
2013-08-29 liyxebxqedytoudln.dyndns.biz
2013-08-29 lviwrnnbrjvhbiuteo.dyndns.biz
2013-08-29 mtpydkeclcpgcplq.dyndns.biz
2013-08-29 mwubtblyibnbi.dyndns.biz
2013-08-29 pbcoktomdgyjpxvbdqqo.dyndns.biz
2013-08-29 starttestnow.biz
2013-08-29 vstbogybquycfffrj.is-a-geek.com

Malvertising on Youtube.com redirects to EKs

— Update 8/1

This seems to be more EKs than just SO.

Redirects to EK Redirector from Youtube.com

HTTP Method = GET
HTTP Referer = http://www.youtube.com/*
Regex HTTP URI for "^http://[a-zA-Z0-9-.]+\/[a-z]+\/$"

Examples:

top. lossa .be /pro/
zxroll. doniz .nl /stats/
purchasing. nookid .nl /stats/

Redirects to Sweet Orange EK from Youtube.com

Have seen a lot of this in the past week.

All domains are dynamic dns domains.

eg.

*.is-a-lawyer.com
*.servehalflife.com
*.no-ip.org
…many others

HTTP Method = GET
HTTP Referer = http://www.youtube.com/*
Regex HTTP URI for "\.php\?[a-z]+=[0-9]+$"

This also appears to have modified the URI of the EXE request in this case.

The last field is a longer number.

/trans.php?title=567&intl=672&licensing=4&bugs=147&warez=171&entry=730&game=270&mapa=189&asia=8&cart=807088360

A regex like this works:

\/[a-z]+?\.php\?([a-z]+?=[0-9]{1,3}&){4,}[a-z]+?=[0-9]+$
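As an added example (my own code, not from these notes), the Python below applies the three patterns from this section: the youtube.com referer plus bare `/word/` URL regex for the redirector, the single-parameter `.php?` regex for the Sweet Orange landing/JAR request, and the multi-parameter EXE regex. It also restates the EXE regex as a query-string parse, which generalises it: parameter names, order and count above the minimum no longer matter, only the shape (several 1-3 digit values followed by one long value). The redirector URL and referer are constructed; the two Sweet Orange URIs are the ones quoted in this section.

```python
import re
from fnmatch import fnmatchcase

# Redirector from youtube.com: referer wildcard and full-URL regex from the section above.
YT_REFERER = "http://www.youtube.com/*"
REDIRECTOR_URL = re.compile(r"^http://[a-zA-Z0-9-.]+/[a-z]+/$")

# Sweet Orange landing/JAR request URI regex and the longer EXE request URI regex above.
SO_JAR_URI = re.compile(r"\.php\?[a-z]+=[0-9]+$")
SO_EXE_URI = re.compile(r"/[a-z]+?\.php\?([a-z]+?=[0-9]{1,3}&){4,}[a-z]+?=[0-9]+$")

# URIs quoted in this section (EXE) and in the Example URIs list (landing).
EXE_URI = ("/trans.php?title=567&intl=672&licensing=4&bugs=147&warez=171&entry=730"
           "&game=270&mapa=189&asia=8&cart=807088360")
JAR_URI = "/zip/releases.php?subject=92"


def youtube_redirector(url, referer):
    """True for a request with a youtube.com referer whose URL is a bare '/word/' path."""
    return fnmatchcase(referer or "", YT_REFERER) and REDIRECTOR_URL.search(url) is not None


def sweet_orange_stage(uri):
    """'exe' for the many-parameter EXE URI, 'landing' for the single-parameter URI, else None.
    The EXE regex is tested first because the landing regex can never match a URI with '&'."""
    if SO_EXE_URI.search(uri):
        return "exe"
    if SO_JAR_URI.search(uri):
        return "landing"
    return None


def exe_shape(uri, min_short=4, min_last_digits=6):
    """Parse-based restatement of the EXE regex: a .php path whose query is all alpha=digits
    pairs, with at least `min_short` values of 1-3 digits before a final long numeric value.
    Thresholds are my own choice; the regex above fixes them at 4 and 'more than 3'."""
    path, sep, query = uri.partition("?")
    if not sep or not path.endswith(".php"):
        return False
    pairs = [p.split("=", 1) for p in query.split("&")]
    if any(len(p) != 2 or not p[0].isalpha() or not p[1].isdigit() for p in pairs):
        return False
    *head, (_, last_value) = pairs
    short = sum(1 for _, v in head if len(v) <= 3)
    return short >= min_short and len(last_value) >= min_last_digits


if __name__ == "__main__":
    print(sweet_orange_stage(EXE_URI), exe_shape(EXE_URI))
    print(sweet_orange_stage(JAR_URI), exe_shape(JAR_URI))
    print(youtube_redirector("http://stats.example.nl/stats/", "http://www.youtube.com/watch?v=x"))
```

The parse-based check is the one to prefer when the kit shuffles or renames parameters, since the regex encodes only the one ordering seen so far.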

Sweet Orange IP Addresses

64.187.226.228
64.187.226.231
64.187.226.232
93.190.45.225
38.126.174.31
204.45.200.235
204.45.200.236
195.3.147.126
195.3.147.152
217.23.138.42
217.23.138.31

Example URIs

/administratie/guest/cnstats/releases.php?subject=92
/zip/releases.php?subject=92
/imode/webalizer/releases.php?subject=93
/panel/results/message.php?adclick=192
/gcc/mysql-admin/chat/releases.php?subject=93
/picture_library/releases.php?subject=92
/power_user/lite/message.php?adclick=192
/musics/fedora.php?read=58
/ccp14admin/gallery/loginflat/fedora.php?read=58
/haddan_files/releases.php?subject=92
/foren/test/webapp.php?display=64
/navSiteAdmin/gp/priv8/classes.php?plugins=127
/hpwebjetadmin/webmasters/classes.php?plugins=127
/engine/ftps/classes.php?plugins=128
/admincp/webapp.php?display=64
/bigadmin/webapp.php?display=64

Slight changes to STYX URI

*Update* 24.10.2013 —

These are some static fields you can use to detect:

*/pdfx.html
*/flsh.html
*/fnts.html
*/jovf.html
*/jorg.html
*/jvvn.html
*/retn.html
*/jply.html
*/iexp.html

See more examples of STYX EK exploits on UrlQuery.net

STYX EK has made some slight modifications to its URI obfuscation.

OLD:

/J2XPld0gMrg08M2J0MEBq0eX1m0NbRP0ricH0MZRK00RHW0UKjV0yAad03Ude14DiA0WOeP10CbU0GUur0Eo8D11YEU0KMWz0qVhx0xfO60Atj10XSPh17UCQ08ufB0YXUe0qxzZ12zIb0iWPJ0quFR0xwck0SxyU0IA9g0Elow09oES0xEd30cJJO0JY2l0W0IH0gzRe0WNa00PI2j1769W0ulO40hjiY09p6J0fk4l0CiHw13qbQ0LHoZ/KXbhhYJ.jar

NEW:

/TXB/zMC0/MnOs0ZJbE0_8aXu_0xee4/0aB-5t08L_Me0t_Cs-X0RqUB0/Xzpw04-Sb110n960_RkiQ_0VZWL0IF_HS0X8y_90RY_th09_wGN01OB_H0qC-Ls06QTK02-K9j0/64CC0B-u6i0mi/Sj0M_dkA0-X5lX0_PDMF-08Gz_y0ikHK0H/9VC0/kKCc0LcO_E0vxbI_0pgu_J1/8h6v0QuE_00-Ncmf-03xB_Q0weTh1_5qgG0_zNm9_0Mj-gA0v-Hvh0b1_YA109c_50YQ_kR/RYlzer.jar

STYX EK JAR

HTTP Method = GET
Content-type = application/x-java-archive
User-Agent = *Java/1.*
Regex HTTP URI for \/[a-zA-Z0-9-\/_]{200,}\.jar(\.pack\.gz)?$

STYX EK EXE

HTTP Method = GET
Content-type = NULL (Meaning it’s absent)
User-Agent = *Java/1.*
Regex HTTP URI for \/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+&h=[0-9]+$

Private Exploit Pack

@Kafeine has a complete writeup here. > http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html

This is very similar in URI structure to something found by @Set_Abominae. > http://pastebin.com/5LMq56bA

Chain:

/blog/post.php?name=lB5Uenr4V&id=57216084&page=730
/blog/js/PluginDetect.js
/blog/xwncgmxctx.php?x=3547129&id=57216084
/blog/xwncgmxctx.php?x=5512027&id=57216084 > JAR
/blog/com.class
/blog/net.class
/blog/org.class
/blog/edu.class
/blog/icakinsoef.php?x=5512027&id=57216084 > EXE

Private Exploit Pack JAR

HTTP Method = GET
User Agent = *Java/1.*
Content-Type = application/x-java-archive
Regex HTTP URI for \.php\?[a-z]+=[0-9]+&[a-z]+=[0-9]+$

Private Exploit Pack EXE

HTTP Method = GET
User Agent = *Java/1.*
Content-Type = application/octet-stream
Regex HTTP URI for \.php\?[a-z]+=[0-9]+&[a-z]+=[0-9]+$

Whose port is it anyway?

Here’s a small listing of some kits and what tcp ports they have been using lately. Consider them to be a snapshot of the past 30 days as these are likely to change.

Neutrino EK

:8000/andhbdthgqofr?qdirmw=5283539
:8000/agqfhdo?qlpqjbjvlmud=8201532
:8000/atmjrsds?qgtkrdmghtro=403906

Cool/Styx

@Kafeine has a great in-depth look at this activity at http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html

:754/grateful_partly-panic.html
:754/dissipate-favourite_timing_breath.jar
:754/tshirt_spot.htm

Sakura EK

:38/mark-two_learn.php
:38/weather-begin.php

:443/pages/see.php
:443/pages/its.php
:443/pages/see.php

:52/against.php
:52/produce.php
:52/gone.php

:90/docs/sky.php
:90/docs/space.php

:9090/nothing.php
:9090/nothing.php

:96/docs/at.php
:96/docs/land.php

Sweet Orange EK

:6091/full/contrib/foodsites.php?amazon=82
:6091/profiles/foodsites.php?amazon=82
:6091/bbadmin/acct_login/clickheat/foodsites.php?amazon=82

:3811/vadmind/install.php?virus=221&demos=82&changes=745&pages=379&bugs=798&mapa=203
:3811/stores/competition/ladder/tramadol.php?plugins=33&promos=246&about_us=135&email=499&chapters=82&vote=336&export=225
:3811/upload/loginflat/partners.php?navbar=350&faculty=613&ports=82&training=627&generic=975&experts=19&giftsjob=865

:7149/ajax/internal/campaign.php?readme=454&story=384&voip=831&fonts=82&top_left=610

Glazunov EK

:8080/4856827694/8385.zip
:8080/3819449304/8.zip
:8080/3335683362/2295.zip

Sibhost EK

:85/ipy2nCAsCEymbrnYg0TC2V6lVgn4
:85/I26mpxrs5r0L8XLTyxJXIAHI6J1XyPtjEpLY1.zip

Recent Fiesta EK Tags

This is just a listing of popular Fiesta EK tags that have been seen recently.

/0m68r7a/
/180yxim/
/3yifquk/
/4esi8v6/
/4rp3yc1/
/523r0gm/
/68vk0et/
/6pk1f2o/
/6rvz74c/
/6xtmw2a/
/avm3tcn/
/h2p8zt5/
/hb9cx5u/
/hczajmb/
/l9iok5h/
/lyagf8w/
/nf8c4hv/
/ni9xkjf/
/o8x792z/
/uhtbk6g/
/w4bm607/
/zds0u5x/

BEK 2.1.0 URI Pattern Changes

New URI patterns in the latest BEK 2.1.0…

@Kafeine has written about it here > http://malware.dontneedcoffee.com/2013/06/blackhole-exploit-kit-goes-210-shows.html

BEK2 JNLP

HTTP Method = GET
HTTP URI contains *.php?jnlp=*
User-Agent = JNLP*
Regex HTTP URI for \.php\?jnlp=[a-f0-9]{10}

See examples of BEK2 JNLP on UrlQuery.net

BEK2 JAR

Pretty much the same as before…

HTTP Method = GET
HTTP Content Type = application/java-archive
Regex HTTP URI for \.php\?[a-zA-Z]+=[a-zA-Z]+&[a-zA-Z]+=[a-zA-Z]+$

BEK2 SWF

…haven’t seen often enough yet to make a reliable regex…

BEK 2.1.0 EXE

These are still using the same classic filenames – about.exe, calc.exe, info.exe, readme.exe

HTTP Method = GET
HTTP User Agent contains *Java/1.*
HTTP Content Type = application/x-msdownload
Regex HTTP URI for \.php\?[A-Za-z]f=[0-9]{10}&[A-Za-z]e=[0-9]{20}&[A-Z]=[0-9]{2}

Dotcachef Exploit Kit

— Update 6/27 —

The users of this exploit kit have dropped the \/\.cache\/ and replaced it with \/[a-f0-9]{10}\/

They have also changed f=site.jar and f=atom.jar to f=s and f=s

Lots of examples of the changes are on UrlQuery.net

Props to EKwatcher for noticing this…

Example Chain:

http://www.environmentalleader.com/2013/06/10/cintas-eco-apparel-diverts-17-million-plastic-bottles-from-landfill/app.jnlp > Compromised via Malvertising
http://www.googlecodehosting.net/openx/js/zone_functions.js?cp=166 > REDIR
http://www.megabit.nl/gallery/docs/g1package/images/.cache/?f=site.jar&k=8791629774058014&h=bcf52e8e32f17f53 > JAR
http://www.megabit.nl/gallery/docs/g1package/images/.cache/?f=sm_main.mp3&k=8791629774058025&h=bcf52e8e32f17f53 (application/octet-stream) > Unencoded EXE – ZA

Looking for “/.cache/?f=” in the URI gives pretty solid results.
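The STYX, Private Exploit Pack, BEK2 and Dotcachef sections all describe detections in the same shape: an HTTP method, a User-Agent wildcard, a Content-Type (or its absence) and a URI regex. As an added example (my own code, not from these notes), the Python below encodes those rules as data and runs them over constructed request records. The Dotcachef regex is my own combination of the old `/.cache/` and new `/[a-f0-9]{10}/` forms described above; the sample URIs, user agents and the `JAVA_UA` string are constructed, except the PEP EXE URI, which is taken from the chain in that section.

```python
import re
from fnmatch import fnmatchcase

# Rules transcribed from the STYX, Private Exploit Pack, BEK2 and Dotcachef sections above.
# A missing key means "don't care"; ctype "NULL" means the header must be absent, as the
# STYX EXE entry specifies.
RULES = [
    ("STYX EK JAR", dict(method="GET", ua="*Java/1.*", ctype="application/x-java-archive",
                         uri=r"/[a-zA-Z0-9/_-]{200,}\.jar(\.pack\.gz)?$")),
    ("STYX EK EXE", dict(method="GET", ua="*Java/1.*", ctype="NULL",
                         uri=r"/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+&h=[0-9]+$")),
    ("PEP JAR", dict(method="GET", ua="*Java/1.*", ctype="application/x-java-archive",
                     uri=r"\.php\?[a-z]+=[0-9]+&[a-z]+=[0-9]+$")),
    ("PEP EXE", dict(method="GET", ua="*Java/1.*", ctype="application/octet-stream",
                     uri=r"\.php\?[a-z]+=[0-9]+&[a-z]+=[0-9]+$")),
    ("BEK2 JNLP", dict(method="GET", ua="JNLP*", uri=r"\.php\?jnlp=[a-f0-9]{10}")),
    ("BEK2 JAR", dict(method="GET", ctype="application/java-archive",
                      uri=r"\.php\?[a-zA-Z]+=[a-zA-Z]+&[a-zA-Z]+=[a-zA-Z]+$")),
    ("BEK 2.1.0 EXE", dict(method="GET", ua="*Java/1.*", ctype="application/x-msdownload",
                           uri=r"\.php\?[A-Za-z]f=[0-9]{10}&[A-Za-z]e=[0-9]{20}&[A-Z]=[0-9]{2}")),
    # My own regex covering both the old "/.cache/" and the new "/[a-f0-9]{10}/" directory.
    ("Dotcachef", dict(method="GET",
                       uri=r"/(\.cache|[a-f0-9]{10})/\?f=[a-z0-9_.]+&k=[0-9]+&h=[a-f0-9]+$")),
]


def rule_matches(rule, req):
    """req: dict with method, uri, ua (request User-Agent) and ctype (response Content-Type
    or None when the header is absent)."""
    if "method" in rule and req.get("method") != rule["method"]:
        return False
    if "ua" in rule and not fnmatchcase(req.get("ua") or "", rule["ua"]):
        return False
    if "ctype" in rule:
        ctype = req.get("ctype")
        if rule["ctype"] == "NULL":
            if ctype is not None:
                return False
        elif ctype != rule["ctype"]:
            return False
    return re.search(rule["uri"], req["uri"]) is not None


def classify_request(req):
    """Names of every rule the request satisfies (normally zero or one)."""
    return [name for name, rule in RULES if rule_matches(rule, req)]


# Constructed sample requests. JAVA_UA is a made-up Java user agent string.
JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"
SAMPLES = {
    "styx_jar": dict(method="GET", ua=JAVA_UA, ctype="application/x-java-archive",
                     uri="/" + "/".join(["aB3x_9-z"] * 30) + "/abcd.jar"),
    "styx_exe": dict(method="GET", ua=JAVA_UA, ctype=None, uri="/qwe123.exe?a1b=Zx9&h=1234"),
    "pep_exe": dict(method="GET", ua=JAVA_UA, ctype="application/octet-stream",
                    uri="/blog/icakinsoef.php?x=5512027&id=57216084"),
    "bek2_jnlp": dict(method="GET", ua="JNLP/1.7.0", ctype=None,
                      uri="/closest/y.php?jnlp=0123456789"),
    "bek2_exe": dict(method="GET", ua=JAVA_UA, ctype="application/x-msdownload",
                     uri="/closest/about.php?af=1234567890&be=12345678901234567890&Z=12"),
    "dotcachef_new": dict(method="GET", ua=JAVA_UA, ctype="application/octet-stream",
                          uri="/images/0a1b2c3d4e/?f=s&k=1234567890123456&h=0123456789abcdef"),
    "benign": dict(method="GET", ua="Mozilla/5.0", ctype="text/html", uri="/index.php?page=home"),
}


def classify_samples():
    return {name: classify_request(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} {verdict}")
```

The PEP JAR and PEP EXE rules share one URI regex and differ only in Content-Type, and the STYX EXE rule requires the header to be absent, so the Content-Type condition has to be enforced rather than treated as optional or the two stages of a chain collapse into one alert.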

See examples of Unknown Exploit Kit on UrlQuery.net

More examples and info can be found on Basemont.com