Shiz Backdoor Post-Compromise Traffic

HTTP Request Method = POST
HTTP URI ends with */login.php
UA = Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
If needed, also regex the full URL (host plus path) for [a-z]{11}\.eu\/login\.php$, i.e. an eleven-letter domain label directly under .eu. Pair it with the UA above; */login.php on its own is far too common to alert on.

References:
https://www.virustotal.com/file/b5ad005039657e495e81f1bf97d3e95ec3988041412e4c4c9d760bc231d00a03/analysis/
https://www.virustotal.com/file/317ec507071772a6806da420bc69b5f81f2eebf8a3915e03c18b658b75edef29/analysis/
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Shiz-L/detailed-analysis.aspx

“Shrift” BEK2 EOT Exploit

It looks like the Embedded OpenType (EOT) font exploit has been incorporated into some Blackhole Exploit Kit 2 (BEK2) variants.

HTTP Request Method = GET
HTTP URI = */shrift.php

Examples:

http://secondtestinggo .com/ngen/shrift.php
http://refresher2013 .com/ngen/shrift.php
http://winupdatingservice .org/ngen/shrift.php
http://sterringpolira .net/ngen/shrift.php
http://rodeoshowingglow .com/ngen/shrift.php
http://mondaynighttotheclub .net/ngen/shrift.php
http://freeitunescards .org/ngen/shrift.php
http://contextipdating .com/ngen/shrift.php
http://obamabloopers .net/ngen/shrift.php
http://waitwhileloading .com/ngen/shrift.php
http://wipinginsideasat .com/ngen/shrift.php
http://world-armageddon .org/ngen/shrift.php
http://thingingmon .com/ngen/shrift.php
http://newageconsultingservice .com/ngen/shrift.php
http://merchantsgerta .org/ngen/shrift.php
http://prachristmas .com/ngen/shrift.php
http://financialsuccesssa .net/ngen/shrift.php
http://taxsolutionsukay .com/ngen/shrift.php
http://svntestingsat .com/ngen/shrift.php
http://domanderstand .com/ngen/shrift.php

https://www.virustotal.com/file/196c3e10bc46e2b70ef5f9798e41ced89a3a81080310fa299147c18466587033/analysis/

See further examples of the BEK2 EOT exploit on UrlQuery.net

CVE-2012-4792 Exploit Utilized in “Wateringhole” Style Attacks

Search your proxy logs for these strings over the past few weeks. Infected hosts will likely begin C2 callbacks to dynamic DNS domains shortly after exploitation, so pair this search with the dynamic domain monitoring described further down.

HTTP Request Method = GET
URI Strings:

*/xsainfo.jpg
*/today.swf
*/Grumgog.swf
*/DOITYOUR02.html
*/DOITYOUR01.txt
*/mt.html
*/javamt.html
*/AppletHigh.jar
*/AppletLow.jar
*/green.swf

Reference: http://eromang.zataz.com/2013/01/15/watering-hole-campaign-use-latest-java-and-ie-vulnerabilities/

Pony / Zbot / Zeus / Fareit – Bad User-Agent

Look for this UA on your network. It shows up on both GETs and POSTs, and no current browser sends an MSIE 5.0 / Windows 98 string, so any hit deserves a look:

Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

References:
https://www.virustotal.com/file/e5248139d085b176997c2f044287d9d13c995cf5e2c375b232a9d49344008f53/analysis/
https://www.virustotal.com/file/8d0fdff40102d391be01552bd88ec18c4fcd583fb41d1442880ece098af8fe80/analysis/
https://www.virustotal.com/file/135a86c0f3480b313bff740c6cb8c30ca0a19075ad59c8e034066ffb6ee2a440/analysis/
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Fareit

Xtreme RAT

HTTP Request Method = GET
HTTP URI = *.functions
Regex HTTP URI for \/[0-9]+\.functions$ (a purely numeric filename, very often 1234567890, requested from a dynamic DNS host on a non-standard port, as in the examples below)

Examples:

mrhacking .no-ip.info:81/1234567890.functions
almofatch .no-in.info:81/1234567890.functions
netera .no-ip.org:920/123.functions
aln3imi00100 .zapto.org:81/123321.functions
hackk-hackk .no-ip.biz:81/440526.functions
cinamarcina .no-ip.biz:100/1234567890.functions
reveng1 .no-ip.biz:81/1234567890.functions
aymn161 .no-ip.org:81/1234567890.functions
amin1111 .no-ip.org:93/1234567890.functions
cagatay3162 .zapto.org:81/1234567890.functions
ers .zapto.org:93/1234567890.functions
amgad .no-ip.biz:8181/1234567890.functions
mrxm511 .no-ip.org:82/1234567890.functions
hac.zapto .org:1177/1234567890.functions
mahmodemos .no-ip.org:81/1234567890.functions
176.241.85 .6:1723/1234567890.functions
starnight2012 .tzo.net:53156/1234567890.functions
jv123 .no-ip.org:82/104566.functions
77.64.70 .82:22280/1234567890.functions
kirkukboy .no-ip.biz:9999/1234567890.functions
sosososo .no-ip.biz:288/1234567890.functions
hack4ps .no-ip.info:92/1234567890.functions
sa123re .no-ip.org:82/1234567890.functions
khalil02 .no-ip.biz:81/1234567890.functions
wail .no-ip.biz:81/1234567890.functions

See examples of Xtreme RAT on UrlQuery.net

Reference: (PDF) http://www.matasano.com/research/PEST-CONTROL.pdf

Autorun Post-Infection Indicators

Indicators for various autorun-spreading malware families such as Virut and Sality.

HTTP Request Method = GET
HTTP URI strings:

/spm/s_task.php?id=
/spm/s_alive.php?id=
/spm/s_get_host.php?ver=

Example: https://www.virustotal.com/file/deb834ac55eae1cb224983370ce85792119fb186f4e1a6b916abf5041267614c/analysis/

HTTP Request Method = GET
Regex HTTP URI for "\?[a-f0-9]{5,}=[0-9]{6,}$" (an image-looking path followed by a query string of a hex key and a numeric value, as in the examples below)

Examples:

asps.co.in/logo.gif?1b8e8=677232
allahabadyellowpages.net/logo.gif?17cd2=389960
earnestbiz.com/img/logof.gif?1b595=784147
4-educationtech.com/s.jpg?154c3=697880
noray.com.mx/images/xs.jpg?15744=439380

See examples on UrlQuery.net

Bicololo Post-Infection Indicator

@unixfreakjp had a great writeup a few days ago concerning a WordPress compromise that downloaded Bicololo.

We can detect this on the network as below:

HTTP Request Method = GET
HTTP URI contains /stats/tuk/

Examples:

https://www.virustotal.com/file/e4106edcbe7a0284d16bfbf59d140d5f7687173a4dc9dcfac1d82d2e43d00c1b/analysis/
https://www.virustotal.com/file/2b55bcfffd33bd4272369edbf28a603c95dd6a948157996ac83e4bcbaf847617/analysis/

Reference: http://malwaremustdie.blogspot.com/2013/01/double-hit-pc-trojan-w32vbs-bicololo.html
Reference: http://www.nod32.it/threat-center/encyclopedia1.php?id=2834

BEK2 Executables

This will detect multiple BEK2 executables across multiple variants.

HTTP Request Method = GET
Content Type = “application/x-msdownload”
HTTP URI = *.php?*
Regex HTTP URI for "([1-3][a-z0-9]:){9}[1-3][a-z0-9]" (ten colon-separated two-character tokens in the query string)
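The indicators above (Shiz, the Pony/Zbot User-Agent, Xtreme RAT, the autorun check-ins, Bicololo and the BEK2 executable pattern) are all request-side conditions on method, User-Agent, URL and Content-Type, so one small rule table can carry all of them over a proxy log. The following is an added Python example, not code from the original post: the tab-separated log format, the sample lines and the hostnames in them are constructed for the example, and the Shiz regex has been anchored to the host so it cannot match the tail of a longer label.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# User-Agent strings from the indicators above.
SHIZ_UA = ("Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; "
           ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)")
PONY_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
IE8_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"

# Constructed proxy-log format for this example (not the post's): one request per line,
# tab-separated: timestamp, client_ip, method, url, status, content_type, user_agent.
# Hostnames are made up except for the Xtreme RAT example copied from the list above.
SAMPLE_LOG = "\n".join([
    "2013-01-20T10:01:02Z\t10.0.0.5\tPOST\thttp://kfjdhslwoep.eu/login.php\t200\ttext/html\t" + SHIZ_UA,
    "2013-01-20T10:01:05Z\t10.0.0.7\tGET\thttp://www.example.test/index.html\t200\ttext/html\t"
    "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0",
    "2013-01-20T10:02:11Z\t10.0.0.9\tGET\thttp://mrhacking.no-ip.info:81/1234567890.functions\t200\ttext/plain\t" + IE8_UA,
    "2013-01-20T10:03:40Z\t10.0.0.5\tGET\thttp://www.example.test/images/logo.gif?1b8e8=677232\t200\timage/gif\t" + IE8_UA,
    "2013-01-20T10:04:01Z\t10.0.0.7\tPOST\thttp://www.example.test/gate.php\t200\ttext/html\t" + PONY_UA,
    "2013-01-20T10:05:22Z\t10.0.0.9\tGET\thttp://www.example.test/f.php?jf=1f:2v:1k:2v:1k:1i:1g:30:2v:1g&e=1"
    "\t200\tapplication/x-msdownload\t" + IE8_UA,
])


@dataclass(frozen=True)
class Rule:
    name: str
    methods: Tuple[str, ...] = ()        # () = any method
    user_agent: Optional[str] = None     # exact User-Agent string
    url_regex: Optional[str] = None      # searched against the full URL
    content_type: Optional[str] = None   # media type with parameters stripped


RULES = [
    # UA plus a POST to /login.php on an eleven-letter .eu label (regex anchored to the host here)
    Rule("Shiz backdoor C2", ("POST",), SHIZ_UA, r"^http://[a-z]{11}\.eu/login\.php$"),
    Rule("Pony/Zbot/Fareit bad UA", ("GET", "POST"), PONY_UA),
    Rule("Xtreme RAT check-in", ("GET",), None, r"/[0-9]+\.functions$"),
    Rule("Autorun (Virut/Sality) /spm/ tasking", ("GET",), None,
         r"/spm/s_(task|alive|get_host)\.php\?(id|ver)="),
    Rule("Autorun (Virut/Sality) image beacon", ("GET",), None, r"\?[a-f0-9]{5,}=[0-9]{6,}$"),
    Rule("Bicololo stats", ("GET",), None, r"/stats/tuk/"),
    # executable served from a .php URL whose query carries ten colon-separated tokens
    Rule("BEK2 executable", ("GET",), None,
         r"\.php\?.*([1-3][a-z0-9]:){9}[1-3][a-z0-9]", "application/x-msdownload"),
]


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line; malformed lines are skipped, not fatal."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        return None
    ts, client, method, url, status, ctype, ua = parts
    return {"ts": ts, "client": client, "method": method.upper(), "url": url,
            "status": status, "content_type": ctype.split(";")[0].strip().lower(), "ua": ua}


def matches(rule: Rule, req: dict) -> bool:
    """Every condition the rule sets must hold; unset conditions are ignored."""
    if rule.methods and req["method"] not in rule.methods:
        return False
    if rule.user_agent is not None and req["ua"] != rule.user_agent:
        return False
    if rule.content_type is not None and req["content_type"] != rule.content_type:
        return False
    if rule.url_regex is not None and not re.search(rule.url_regex, req["url"]):
        return False
    return True


def scan(log_text: str, rules=RULES) -> List[Tuple[str, str, str]]:
    """Return (rule name, client ip, url) for every request that satisfies a rule."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for rule in rules:
            if matches(rule, req):
                hits.append((rule.name, req["client"], req["url"]))
    return hits


if __name__ == "__main__":
    for name, client, url in scan(SAMPLE_LOG):
        print(f"{client}\t{name}\t{url}")
```

The rule for the generic /login.php POST only fires together with the Shiz User-Agent, and the BEK2 rule only fires when the proxy logged an application/x-msdownload response; dropping either condition turns these into noise generators on any sizeable network.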

Dynamic Domain Monitoring

If you’re not watching the dynamic dns domain traffic on your network, you’re missing things.

Even if your web filtering/proxy solution is blocking them, you still need to watch for the attempts: a blocked C2 request still tells you which internal host is infected.

Compromised hosts will often use them as C2.

Depending on the size of your network, you may need to do some heavy tuning, but trust me, it's worth it.

MalwareDomains.com list of Dynamic Domains

Just put the domains in a CSV and run it against your proxy logs and DNS logs every 24 hours. Be a hero.
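One way to run such a list against proxy and DNS logs, as an added Python example that is not from the original post. The CSV excerpt, the allowlist entry and the log records below are constructed for the example (the provider suffixes are the ones that appear in the Xtreme RAT examples above). The point it adds to the prose is the matching itself: compare on label boundaries, so that look-alike domains and the provider's own website do not fire, and roll hits up per client so the daily review is one line per infected host rather than one alert per request.

```python
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the downloaded suffix list (domain in the first column);
# the real list is far longer.
SUFFIX_CSV = """\
# dynamic DNS providers (constructed excerpt)
no-ip.org,no-ip
no-ip.biz,no-ip
no-ip.info,no-ip
zapto.org,no-ip
tzo.net,tzo
"""

# Tuning: hosts you have vetted (a made-up corporate VPN endpoint on a dynamic DNS name).
ALLOWLIST = {"vpn.example-corp.zapto.org"}


def load_suffixes(csv_text: str) -> Set[str]:
    """Read the first CSV column, ignoring blank lines and # comments."""
    suffixes = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith("#"):
            continue
        suffixes.add(row[0].strip().lower().rstrip("."))
    return suffixes


def dyndns_suffix(host: str, suffixes: Set[str]) -> Optional[str]:
    """Return the provider suffix the host sits under, matching on label boundaries only.

    A plain endswith() would also flag look-alikes such as legit-no-ip.org, and matching
    the provider apex itself (no-ip.org) would flag people browsing the provider's site,
    so only true subdomains count."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return None


def host_of(field: str) -> str:
    """Accept either a proxy-log URL or a bare DNS query name; drop any port."""
    if "://" in field:
        return (urlsplit(field).hostname or "").lower()
    return field.split(":")[0].lower()


def scan(records: Iterable[Tuple[str, str]], suffixes: Set[str],
         allowlist: Set[str] = frozenset()) -> Dict[str, Counter]:
    """records: (client_ip, url_or_queried_name). Returns {client: Counter(host)}."""
    hits: Dict[str, Counter] = defaultdict(Counter)
    for client, field in records:
        host = host_of(field)
        if not host or host in allowlist:
            continue
        if dyndns_suffix(host, suffixes):
            hits[client][host] += 1
    return dict(hits)


# Constructed proxy/DNS records: (client ip, URL or queried name).
SAMPLE_RECORDS = [
    ("10.0.0.9", "http://mrhacking.no-ip.info:81/1234567890.functions"),  # proxy line
    ("10.0.0.9", "mrhacking.no-ip.info"),                                  # DNS query
    ("10.0.0.9", "starnight2012.tzo.net"),
    ("10.0.0.5", "no-ip.org"),            # provider apex: not a customer host
    ("10.0.0.5", "legit-no-ip.org"),      # look-alike: must not match
    ("10.0.0.5", "http://www.example.test/"),
    ("10.0.0.7", "vpn.example-corp.zapto.org"),  # allowlisted after tuning
]

if __name__ == "__main__":
    for client, hosts in scan(SAMPLE_RECORDS, load_suffixes(SUFFIX_CSV), ALLOWLIST).items():
        for host, n in hosts.most_common():
            print(f"{client}\t{host}\t{n}")
```

Feed it the proxy URL column and the DNS query-name column from the last 24 hours; the allowlist is where the tuning the post mentions ends up, and it should hold full hostnames you have actually looked at, never whole provider suffixes.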

SofosFO Exploit Kit Changes

This is an update to the previous post here. The kit now includes the CVE-2013-0422 JRE 7u10 0day.

JS

HTTP Request Method = GET
Domain = *.org
Regex = ^http:\/\/[a-z-.]{16,}\.org\/[a-zA-Z0-9]{24,}\/Qm[a-zA-Z0-9]+\/[a-z]+\.js$

JAR

HTTP Request Method = GET
Domain = *.org
Content-Type = application/java-archive
Regex = ^http:\/\/[a-z-.]{16,}\.org\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.jar$

PDF

HTTP Request Method = GET
Domain = *.org
Content-Type = application/pdf
Regex = ^http:\/\/[a-z-.]{16,}\.org\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.pdf$

EXE (Encoded)

HTTP Request Method = GET
Domain = *.org
Content-Type = application/octet-stream
Regex = ^http:\/\/[a-z-.]{16,}\.org\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[0-9]{7,10}$

If not done already, Snort users could probably do something interesting with this: the EXE is served as "application/octet-stream" but, because it is encoded, the response body does not start with a proper MZ header.

Examples:

hxxp://legroom.fixedxxnunprofitablerx .org/w230hFGGpYmYWDmhwGKhDxFGWIGY/QmWmlmDEwPmQmlml/packets.js
hxxp://legroom.fixedxxnunprofitablerx .org/0hxtxhFGGpYhGWDmhwGKhDxFGYFIY/243024699/implemented.jar
hxxp://legroom.fixedxxnunprofitablerx .org/0hxtxhFGGpYhGWDmhwGKhDxFGYFIY/333205651/produce.pdf
hxxp://legroom.fixedxxnunprofitablerx .org/0hxtxhFGGpYhGWDmhwGKhDxFGYFIY/243024699/92637253

hxxp://privilege-kindly.tpmyanointedpkga .org/ykdhFAIDYKwYDmhmGIhCQFNAmhG/QmWmlmDEwPmQmlml/misrepresentations.js
hxxp://privilege-kindly.tpmyanointedpkga .org/lxqq9mwdhFAIDYDQYDmhmGIhCQFNAmQp/276082143/firefight.jar
hxxp://privilege-kindly.tpmyanointedpkga .org/lxnq9mwdhFAIDYDQYDmhmGIhCQFNAmQp/354999135/centralized.pdf
hxxp://privilege-kindly.tpmyanointedpkga .org/lxnq9mwdhFAIDYDQYDmhmGIhCQFNAmQp/354999135/53627863

hxxp://ycqqabsentee.pointingmlpitifulcco .org/1a3bbgflhFAwIIWpQpwGmAGwhgFgApmy/QmWmlmxwPmEmlml/specifies.js
hxxp://ycqqabsentee.pointingmlpitifulcco .org/z9zu1cyhFAwIIWyQpwGmAGwhgFgApDD/384335740/english.pdf
hxxp://ycqqabsentee.pointingmlpitifulcco .org/5ye727dmhFAwIIWyQpwGmAGwhgFgApDD/344272683/570646680

hxxp://ecological.crossroadsxqc .org/bshFAIGAYYYDmhmGIhGQFpfwAK/QmxmlmQlwlmQmEml/misrepresentations.js
hxxp://ecological.crossroadsxqc .org/53d3gahFAIGAYNYDmhmGIhGQFpfwIg/356959135/centralized.pdf
hxxp://ecological.crossroadsxqc .org/9xhFAIGAYNYDmhmGIhGQFpfwIg/394501877/2983062
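Putting the four SofosFO URL patterns and the octet-stream-without-MZ observation together, as an added Python example that is not code from the original post. The regexes are the ones listed above (PCRE slash escapes dropped for Python); the sample responses, their bodies and the hostnames in them are constructed, and the example URLs from the list above are only used with hxxp restored to http. The body check is deliberately tied to the kit URL shape: a binary Content-Type with no MZ header describes every archive and installer on the network, so on its own it is a Snort rule you would tune forever.

```python
import re
from typing import Dict, List, Optional

# The four stage patterns from the post, keyed by stage.
SOFOSFO_STAGES = {
    "js":  re.compile(r"^http://[a-z-.]{16,}\.org/[a-zA-Z0-9]{24,}/Qm[a-zA-Z0-9]+/[a-z]+\.js$"),
    "jar": re.compile(r"^http://[a-z-.]{16,}\.org/[a-zA-Z0-9]{24,}/[0-9]{9,10}/[a-z]+\.jar$"),
    "pdf": re.compile(r"^http://[a-z-.]{16,}\.org/[a-zA-Z0-9]{24,}/[0-9]{9,10}/[a-z]+\.pdf$"),
    "exe": re.compile(r"^http://[a-z-.]{16,}\.org/[a-zA-Z0-9]{24,}/[0-9]{9,10}/[0-9]{7,10}$"),
}

# Content-Types under which the kits above hand out executables.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}


def sofosfo_stage(url: str) -> Optional[str]:
    """Which SofosFO stage, if any, a URL looks like."""
    for stage, pattern in SOFOSFO_STAGES.items():
        if pattern.match(url):
            return stage
    return None


def media_type(headers: Dict[str, str]) -> str:
    """Case-insensitive Content-Type lookup with parameters (charset etc.) stripped."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";")[0].strip().lower()
    return ""


def classify_response(url: str, headers: Dict[str, str], body: bytes) -> str:
    """Verdict for one HTTP response given its URL, headers and leading body bytes.

    pe-executable   - body starts with MZ, whatever Content-Type claims
    encoded-payload - binary type, no MZ, and the URL fits the SofosFO EXE stage
    opaque-binary   - binary type, no MZ, nothing else suspicious (archives, updates, ...)
    other           - not served as a binary type at all
    """
    ctype = media_type(headers)
    if body[:2] == b"MZ":
        return "pe-executable"
    if ctype in BINARY_TYPES:
        if sofosfo_stage(url) == "exe":
            return "encoded-payload"
        return "opaque-binary"
    return "other"


# Constructed responses: hostnames are made up; the path shapes follow the examples above.
SAMPLES = [
    ("http://marble.constructedsampledomain.org/0hxtxhFGGpYhGWDmhwGKhDxFGYFIY/243024699/92637253",
     {"Content-Type": "application/octet-stream"}, bytes([0x7a, 0x11, 0x3c, 0x09, 0xe1])),
    ("http://www.example.test/f.php?jf=1f:2v:1k:2v:1k:1i:1g:30:2v:1g&e=1",
     {"content-type": "application/x-msdownload"}, b"MZ\x90\x00\x03\x00\x00\x00"),
    ("http://downloads.example.test/tool.tar.gz",
     {"Content-Type": "application/octet-stream"}, b"\x1f\x8b\x08\x00"),
    ("http://www.example.test/index.html",
     {"Content-Type": "text/html; charset=utf-8"}, b"<!DOCTYPE html>"),
]


def classify_all(samples=SAMPLES) -> List[str]:
    return [classify_response(url, headers, body) for url, headers, body in samples]


if __name__ == "__main__":
    for (url, _, _), verdict in zip(SAMPLES, classify_all()):
        print(f"{verdict:16} {url}")
```

Where a proxy keeps only headers and not bodies, sofosfo_stage() alone still orders the JS, JAR/PDF and EXE requests from one client into the kit's sequence, which is usually enough to tell an exploit attempt from a successful one.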