[Emerging-Sigs] Another unknown exploit kit

Martin Holste mcholste at gmail.com
Sun Oct 9 12:48:21 EDT 2011


Great intel, thanks.  Any pattern to the payloads it's serving, or is
it your usual pay-per-install grab bag?

On Sun, Oct 9, 2011 at 10:25 AM, Chris Wakelin
<c.d.wakelin at reading.ac.uk> wrote:
> I've now had a good go at analysing this kit. So far it's only been seen
> on two (adjacent) IP addresses, so I guess it's not for sale, but
> perhaps for rent :)
>
> Anyway, first some signatures - I've nicknamed the kit "Saturn" as that's
> the name of the octal Java exploit class file:
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit
> Kit possible landing page"; flow:established,to_server;
> content:"/?site="; depth:7; http_uri; pcre:"/\/\?site=[0-9]{1,2}$/U";
> classtype:bad-unknown; sid:xxxx; rev:1;)
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit
> Kit binary download request"; flow:established,to_server;
> content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?";
> http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U";
> classtype:trojan-activity; sid:xxxx; rev:1;)
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit
> Kit probable Java exploit request"; flow:established,to_server;
> content:"/dl/apache.php"; depth:14; http_uri; classtype:trojan-activity;
> sid:xxxx; rev:1;)
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"RDG Saturn Exploit
> Kit probable Java MIDI exploit request"; flow:established,to_server;
> content:"/dl/jsm.php"; depth:14; http_uri; classtype:trojan-activity;
> sid:xxxx; rev:1;)
>
> Analysis:
>
> Landing page (/?site=NN) uses obfuscated JavaScript that contains
> (currently) three Java exploits:
>
> 1) Octal exploit for Java < 1.6.0_24 downloads
> kipoldddr@1844204081/saturn.class that contains obfuscated Java which
> downloads from <ip number>/dl/dl.php?0
>
> This should match existing signature sid:2012609 "Java Exploit Attempt
> Request for .class from octal host" (can we get rid of the "Phoenix" in
> the descriptions for these sigs, they're used by other kits too!)
>
> 2) Java exploit JAR file from /dl/apache.php, containing obfuscated Java
> that transliterates the parameter in the landing page into a URL
> "/dl/dl.php?1" that is then downloaded (I think the query-string,
> similarly to the e= parameter in the Blackhole kit, says which exploit
> worked)
>
> 3) Java exploit JAR file from /dl/jsm.php, more obfuscated Java, which
> downloads a data file from /dl/jsm_text.php that then gets loaded into
> the Java MIDI sequencer (presumably an exploit). However, I can't see
> how this generates a download URL.
>
> The DNS name changes frequently, but the kit doesn't seem to check
> you're using the right name (so all of these could be "109.236.82.49" at
> the moment). This weekend at least, all the executable downloads have
> been the same (Anubis analysis at
> http://anubis.iseclab.org/?action=result&task_id=1880b963ea606fbd4c10e8aca0ae06149&format=html
> and VirusTotal at
> http://www.virustotal.com/file-scan/report.html?id=2af6edf358cfcd29592f82ac80a6ae7bf757a72d17a7fb4c0af0d0e3f244eee2-1318031515)
>
> Best Wishes,
> Chris
>
> On 27/09/2011 23:21, Martin Holste wrote:
>> Yep, went looking and got a hit on that.  After the MZ served by
>> /dl/ex.php?1, the last loader will be to /dl/ex.php?3; it's serving a
>> 404 right now.
>
> ...
>
>>>> 09/26/2011-22:35:24.725371 boobfactorthumblogger.info [**] /?site=28 [**] Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.1; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) [**] http://ad.yieldmanager.com/iframe3?iaREAIKnFACym6sAAAAAABILKgAAAAAAAgA8AAYAAAAAAP8AAAACFyTkNQAAAAAAsTspAAAAAAA8FzcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgGw0AAAAAAAIAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAMWOwk1Ye80.pHA9Ctej8D-.MjNjpq3WP5qZmZmZmfk.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB.B0eBmtTJCrqc8N5YXMIgT87owoVrYmMVYuy9AAAAAA==,http%3A%2F%2Ftag.admeld.com%2Fclick%2F6c88770f-38c4-4770-8d10-00833d04f3e6%2F1317072921%3Fredirect%3D%24,http%3A%2F%2Fadx.theglobalweb.com%2Fdelivery%2Fcx%2Flb5%3Fux%3D1%26g%3D232,B%3D10%26Z%3D728x90%26_salt%3D724386989%26r%3D0%26s%3D1353602,6ff16780-e887-11e0-8158-3c4a92df7f5a,1317072921743 [**] GET [**] HTTP/1.1 [**] 200 [**] 7903 bytes [**] 193.61.xxx.xxx:8783 -> 109.236.82.48:80
>>>> 09/26/2011-22:35:28.378678 boobfactorthumblogger.info [**] /dl/jsm.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 2576 bytes [**] 193.61.xxx.xxx:13223 -> 109.236.82.48:80
>>>> 09/26/2011-22:35:28.389958 1844204080 [**] /saturn.class [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 8085 bytes [**] 193.61.xxx.xxx:31699 -> 109.236.82.48:80
>>>> 09/26/2011-22:35:28.437842 boobfactorthumblogger.info [**] /dl/apache.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 18428 bytes [**] 193.61.xxx.xxx:31056 -> 109.236.82.48:80
>>>> 09/26/2011-22:35:29.187594 109.236.82.48 [**] /dl/dl.php?4 [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 412847 bytes [**] 193.61.xxx.xxx:17176 -> 109.236.82.48:80
>>>> 09/26/2011-22:35:29.373055 boobfactorthumblogger.info [**] /dl/jsm_text.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 522 bytes [**] 193.61.xxx.xxx:24363 -> 109.236.82.48:80
>>>
>>> The only sig that hit was the "octal Java" one.
>
> --
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
> Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
>

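As an added example (not part of the thread), a small Python scanner that applies the URI patterns from Chris's four Saturn rules plus the numeric-host .class check (the sid:2012609 case) to constructed log lines in the same "[**]" format quoted above, and decodes the dword host 1844204081 to 109.236.82.49; the referer and client IP values in the sample are placeholders, and the two content+depth rules are approximated as URI prefix matches.

```python
import re
import ipaddress

# Constructed sample in the "[**]"-delimited log format quoted in the thread;
# referers are replaced by a placeholder and client IPs are masked.
SAMPLE_LOG = """\
09/26/2011-22:35:24.725371 boobfactorthumblogger.info [**] /?site=28 [**] Mozilla/4.0 (compatible; MSIE 8.0) [**] http://ad.example.invalid/iframe3 [**] GET [**] HTTP/1.1 [**] 200 [**] 7903 bytes [**] 193.61.xxx.xxx:8783 -> 109.236.82.48:80
09/26/2011-22:35:28.378678 boobfactorthumblogger.info [**] /dl/jsm.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 2576 bytes [**] 193.61.xxx.xxx:13223 -> 109.236.82.48:80
09/26/2011-22:35:28.389958 1844204080 [**] /saturn.class [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 8085 bytes [**] 193.61.xxx.xxx:31699 -> 109.236.82.48:80
09/26/2011-22:35:28.437842 boobfactorthumblogger.info [**] /dl/apache.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 18428 bytes [**] 193.61.xxx.xxx:31056 -> 109.236.82.48:80
09/26/2011-22:35:29.187594 109.236.82.48 [**] /dl/dl.php?4 [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 412847 bytes [**] 193.61.xxx.xxx:17176 -> 109.236.82.48:80
09/26/2011-22:35:29.373055 boobfactorthumblogger.info [**] /dl/jsm_text.php [**] Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 522 bytes [**] 193.61.xxx.xxx:24363 -> 109.236.82.48:80
"""

# URI patterns taken from the four Saturn rules (pcre /U forms; the two plain
# content+depth rules are approximated as a URI prefix match).
SATURN_SIGS = {
    "landing page": re.compile(r"^/\?site=[0-9]{1,2}$"),
    "binary download request": re.compile(r"^/dl/\w{1,4}\.php\?[0-9]$"),
    "Java exploit request": re.compile(r"^/dl/apache\.php"),
    "Java MIDI exploit request": re.compile(r"^/dl/jsm\.php"),
}

def parse_line(line):
    """Split one log line into the fields the rules care about."""
    fields = [f.strip() for f in line.split("[**]")]
    ts, host = fields[0].split(" ", 1)
    return {"time": ts, "host": host, "uri": fields[1], "ua": fields[2],
            "status": fields[6], "flow": fields[8]}

def decode_numeric_host(host):
    """A Host sent as one 32-bit integer (the 'octal host' trick, e.g.
    1844204081) is a dotted quad in another notation; return it, else None."""
    if not host.isdigit() or int(host) > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(int(host)))

def classify(entry):
    """Names of the Saturn rules this request would trigger."""
    hits = [name for name, rx in SATURN_SIGS.items() if rx.search(entry["uri"])]
    quad = decode_numeric_host(entry["host"])
    if quad and entry["uri"].endswith(".class"):  # the sid:2012609 case
        hits.append("class from numeric host (%s)" % quad)
    return hits

def scan_log(text):
    """(uri, hits) per line: which steps of the chain the rules cover and
    which (here /dl/jsm_text.php) pass with no match at all."""
    return [(e["uri"], classify(e))
            for e in map(parse_line, text.strip().splitlines())]
```

Running scan_log over the sample shows every request in the chain except the /dl/jsm_text.php data fetch is covered by at least one rule, which is the gap to keep in mind when only the octal-host signature fires.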
