[Emerging-Sigs] Another unknown exploit kit

Chris Wakelin c.d.wakelin at reading.ac.uk
Sun Oct 9 11:25:56 EDT 2011


I've now had a good go at analysing this kit. So far it's only been seen
on two (adjacent) IP addresses, so I guess it's not for sale, but
perhaps for rent :)

Anyway first some signatures - I've nicknamed the kit "Saturn" as that's
the name of the octal Java exploit class file:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit Kit possible landing page"; flow:established,to_server; content:"/?site="; depth:7; http_uri; pcre:"/\/\?site=[0-9]{1,2}$/U"; classtype:bad-unknown; sid:xxxx; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; classtype:trojan-activity; sid:xxxx; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit Kit probable Java exploit request"; flow:established,to_server; content:"/dl/apache.php"; depth:14; http_uri; classtype:trojan-activity; sid:xxxx; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:14; http_uri; classtype:trojan-activity; sid:xxxx; rev:1;)

Analysis:

Landing page (/?site=NN) uses obfuscated Javascript that contains
(currently) three Java exploits:

1) Octal exploit for Java < 1.6.0_24 downloads
kipoldddr at 1844204081/saturn.class that contains obfuscated Java which
downloads from <ip number>/dl/dl.php?0

This should match existing signature sid:2012609 "Java Exploit Attempt
Request for .class from octal host" (can we get rid of the "Phoenix" in
the descriptions for these sigs, they're used by other kits too!)

2) Java exploit JAR file from /dl/apache.php, containing obfuscated Java
that transliterates the parameter in the landing page into a URL
"/dl/dl.php?1" that is then downloaded (I think the query-string,
similarly to the e= parameter in the Blackhole kit, says which exploit
worked)

3) Java exploit JAR file from /dl/jsm.php, more obfuscated Java, which
downloads a data file from /dl/jsm_text.php that then gets loaded into
the Java MIDI sequencer (presumably an exploit). However, I can't see
how this generates a download URL.

The DNS name changes frequently, but the kit doesn't seem to check
you're using the right name (so all of these could be "109.236.82.49" at
the moment). This weekend at least, all the executable downloads have
been the same (Anubis analysis at
http://anubis.iseclab.org/?action=result&task_id=1880b963ea606fbd4c10e8aca0ae06149&format=html
and VirusTotal at
http://www.virustotal.com/file-scan/report.html?id=2af6edf358cfcd29592f82ac80a6ae7bf757a72d17a7fb4c0af0d0e3f244eee2-1318031515)

Best Wishes,
Chris

On 27/09/2011 23:21, Martin Holste wrote:
> Yep, went looking and got a hit on that.  After the MZ served by
> /dl/ex.php?1, the last loader will be to /dl/ex.php?3, it's serving a
> 404 right now.

...

>>> 09/26/2011-22:35:24.725371 boobfactorthumblogger.info [**] /?site=28 [**] Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.1; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) [**] http://ad.yieldmanager.com/iframe3?iaREAIKnFACym6sAAAAAABILKgAAAAAAAgA8AAYAAAAAAP8AAAACFyTkNQAAAAAAsTspAAAAAAA8FzcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgGw0AAAAAAAIAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAMWOwk1Ye80.pHA9Ctej8D-.MjNjpq3WP5qZmZmZmfk.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB.B0eBmtTJCrqc8N5YXMIgT87owoVrYmMVYuy9AAAAAA==,http%3A%2F%2Ftag.admeld.com%2Fclick%2F6c88770f-38c4-4770-8d10-00833d04f3e6%2F1317072921%3Fredirect%3D%24,http%3A%2F%2Fadx.theglobalweb.com%2Fdelivery%2Fcx%2Flb5%3Fux%3D1%26g%3D232,B%3D10%26Z%3D728x90%26_salt%3D724386989%26r%3D0%26s%3D1353602,6ff16780-e887-11e0-8158-3c4a92df7f5a,1317072921743 [**] GET [**] HTTP/1.1 [**] 200 [**] 7903 bytes [**] 193.61.xxx.xxx:8783 -> 109.236.82.48:80
>>> 09/26/2011-22:35:28.378678 boobfactorthumblogger.info [**] /dl/jsm.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 2576 bytes [**] 193.61.xxx.xxx:13223 -> 109.236.82.48:80
>>> 09/26/2011-22:35:28.389958 1844204080 [**] /saturn.class [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 8085 bytes [**] 193.61.xxx.xxx:31699 -> 109.236.82.48:80
>>> 09/26/2011-22:35:28.437842 boobfactorthumblogger.info [**] /dl/apache.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 18428 bytes [**] 193.61.xxx.xxx:31056 -> 109.236.82.48:80
>>> 09/26/2011-22:35:29.187594 109.236.82.48 [**] /dl/dl.php?4 [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 412847 bytes [**] 193.61.xxx.xxx:17176 -> 109.236.82.48:80
>>> 09/26/2011-22:35:29.373055 boobfactorthumblogger.info [**] /dl/jsm_text.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 522 bytes [**] 193.61.xxx.xxx:24363 -> 109.236.82.48:80
>>
>> The only sig that hit was the "octal Java" one.

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
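Added example (my own code, not Chris's and not from the Emerging Threats rule set): a small Python scanner that applies the URI logic of the four Saturn rules posted above to log lines in the same "[**]"-separated layout as the excerpts quoted in the thread, and normalises the decimal/octal host spellings that the "octal host" discussion is about. The log lines below are constructed: hostnames and addresses are invented (documentation ranges), and 3325256709 is simply the decimal form of 198.51.100.5. The numeric-host ".class" check is my approximation of the idea behind sid:2012609, not that rule's actual logic; content/depth handling follows Snort's semantics (a content with a depth must end within the first `depth` bytes).

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample log in the same "[**]"-separated layout as the excerpts
# quoted in the thread. Hostnames and addresses are invented; 3325256709 is
# the decimal integer form of 198.51.100.5.
SAMPLE_LOG = """\
09/26/2011-22:35:24.725371 landing.example.invalid [**] /?site=28 [**] Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1) [**] http://ad.example.invalid/iframe [**] GET [**] HTTP/1.1 [**] 200 [**] 7903 bytes [**] 192.0.2.10:8783 -> 198.51.100.5:80
09/26/2011-22:35:28.378678 landing.example.invalid [**] /dl/jsm.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 2576 bytes [**] 192.0.2.10:13223 -> 198.51.100.5:80
09/26/2011-22:35:28.389958 3325256709 [**] /saturn.class [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 8085 bytes [**] 192.0.2.10:31699 -> 198.51.100.5:80
09/26/2011-22:35:28.437842 landing.example.invalid [**] /dl/apache.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 18428 bytes [**] 192.0.2.10:31056 -> 198.51.100.5:80
09/26/2011-22:35:29.187594 198.51.100.5 [**] /dl/dl.php?4 [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 412847 bytes [**] 192.0.2.10:17176 -> 198.51.100.5:80
09/26/2011-22:35:29.373055 landing.example.invalid [**] /dl/jsm_text.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 522 bytes [**] 192.0.2.10:24363 -> 198.51.100.5:80
09/26/2011-22:36:01.000000 www.example.invalid [**] /index.html [**] Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1) [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 1200 bytes [**] 192.0.2.10:24400 -> 198.51.100.7:80
"""

Request = namedtuple("Request", "timestamp host uri user_agent referer")


def parse_line(line):
    """Split one '[**]'-delimited line into a Request; None if it does not fit."""
    fields = line.rstrip("\n").split(" [**] ")
    if len(fields) < 4:
        return None
    ts_host = fields[0].split(" ", 1)  # "timestamp host" share the first field
    if len(ts_host) != 2:
        return None
    return Request(ts_host[0], ts_host[1], fields[1], fields[2], fields[3])


# URI-only restatement of the four rules posted above: (msg, [(content, depth)], pcre).
# A content with a depth must end within the first `depth` bytes of the URI;
# a content without depth may appear anywhere; the pcre is applied to the whole URI.
SATURN_RULES = [
    ("RDG Saturn Exploit Kit possible landing page",
     [("/?site=", 7)], re.compile(r"/\?site=[0-9]{1,2}$")),
    ("RDG Saturn Exploit Kit binary download request",
     [("/dl/", 4), (".php?", None)], re.compile(r"/dl/\w{1,4}\.php\?[0-9]$")),
    ("RDG Saturn Exploit Kit probable Java exploit request",
     [("/dl/apache.php", 14)], None),
    ("RDG Saturn Exploit Kit probable Java MIDI exploit request",
     [("/dl/jsm.php", 14)], None),
]


def content_within_depth(haystack, content, depth):
    """Snort-style content match: found, and (if depth given) ending within depth bytes."""
    pos = haystack.find(content)
    if pos < 0:
        return False
    return depth is None or pos + len(content) <= depth


def rule_matches(uri, contents, pcre):
    """All content matches must hold, then the optional pcre must hit somewhere in the URI."""
    if not all(content_within_depth(uri, c, d) for c, d in contents):
        return False
    return pcre is None or pcre.search(uri) is not None


def normalize_host(host):
    """Turn numeric host spellings Java resolves without DNS (a single decimal
    integer, or dotted octets where a leading zero means octal) into a dotted
    quad; anything else comes back unchanged. My approximation of the "octal
    host" idea, not the logic of the ET rule itself."""
    if host.isdigit():
        value = int(host)
        return str(ipaddress.IPv4Address(value)) if value < 2 ** 32 else host
    parts = host.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        try:
            octets = [int(p, 8) if len(p) > 1 and p[0] == "0" else int(p) for p in parts]
        except ValueError:  # e.g. "09" is not valid octal
            return host
        if all(0 <= o <= 255 for o in octets):
            return ".".join(str(o) for o in octets)
    return host


def scan_log(text):
    """Return a list of {msg, host, uri} hits, in log order, over all parseable lines."""
    hits = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        host = normalize_host(req.host)
        # A .class fetched from a host written as a bare number is the behaviour
        # the "octal host" discussion describes; report it with the real IP.
        if req.uri.endswith(".class") and host != req.host:
            hits.append({"msg": "Java .class request from numeric (decimal/octal) host",
                         "host": host, "uri": req.uri})
        for msg, contents, pcre in SATURN_RULES:
            if rule_matches(req.uri, contents, pcre):
                hits.append({"msg": msg, "host": host, "uri": req.uri})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['host']:<24} {hit['uri']:<20} {hit['msg']}")
```

Run against the constructed sample it reports five hits (landing page, jsm.php, the .class fetch from the numeric host rewritten to its dotted form, apache.php and the dl.php?N payload request) and nothing for jsm_text.php or the benign page, which mirrors how the rules above would behave on the sequence quoted from Martin's log. The depth handling is worth noting: with depth:14 the jsm.php content tolerates up to three leading bytes of slack, so a stray prefix would still match.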