[Emerging-Sigs] Another unknown exploit kit

Chris Wakelin c.d.wakelin at reading.ac.uk
Mon Oct 10 19:21:06 EDT 2011

On 09/10/2011 23:44, Chris Wakelin wrote:
> On 09/10/2011 17:48, Martin Holste wrote:
>> Great intel, thanks.  Any pattern to the payloads it's serving, or is
>> it your usual pay-per-install grab bag?
> This weekend, it's the same payload, it seems, but I bet they're getting
> paid for it!

Same payload today, though the IP address has changed again (still in
the same /21 netblock, belonging to "Worldstream" in the Netherlands,
who appear to own a /20).

>> On Sun, Oct 9, 2011 at 10:25 AM, Chris Wakelin
>> <c.d.wakelin at reading.ac.uk> wrote:
>>> 3) Java exploit JAR file from /dl/jsm.php, more obfuscated Java, which
>>> downloads a data file from /dl/jsm_text.php that then gets loaded into
>>> the Java MIDI sequencer (presumably an exploit). However, I can't see
>>> how this generates a download URL.
> Looking into this, it appears to be an exploit for CVE-2010-0842.
> Googling has found an analysis of something very similar at
> http://www.inreverse.net/?p=1610 (the Java listed is almost line for
> line the same as in the "shena.class" and "kiwiw.class" files in the
> jsm.php JAR and the downloaded file starts the same way for the first
> 140 bytes or so).
> I'm not very experienced at finding and deciphering shellcode, but I'm
> guessing the download URL is encoded somewhere in the file. The file
> varies by a few bytes between the different downloads I have. I'll let
> you know if I manage to decipher it!

I did :) It's a 4-byte XOR and gives whatever you feed it in the Host
header + URI with /dl.php?0 at the end. (the apache.php exploit gives
the same dl.php?1 and the octal saturn.class exploit gives IP address +
URI with dl.php?4)

It looks like there's some coverage of the MIDI exploit in sigs
2013484/5 (again called "Phoenix Java MIDI Exploit", though it's not
just the Phoenix kit!) though they won't match a JAR like this one. Can
we match JAR (=zip) file content listings?

Best Wishes,

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094

More information about the Emerging-sigs mailing list