[Emerging-Sigs] More Sigs: Proposed Signature - "ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download Request After Successful Exploitation, Folder in URI is same as initial landing - Sep 04 2012"

Chris Wakelin c.d.wakelin at reading.ac.uk
Wed Sep 5 17:05:42 EDT 2012


I've seen a couple of these today from three domains but the same IP

qaxgckzkn.changeip.name /8TJOgPCGPDDgHPxdF0epfp9V72hv7M9p 91.229.210.195
kwaecuns.changeip.name /8TJOgPCGPDDgHPxdF0epfp9V72hv7M9p 91.229.210.195
fknnfx.changeip.name /8TJOgPCGPDDgHPxdF0epfp9V72hv7M9p 91.229.210.195

This is actually the same IP as I saw months ago, and I named the kit
"Sibhost" after the whois record. I didn't have any sigs good enough to
contribute though.

The Java exploit was also called "pqvjdujfllkwl.jar" with MD5
90f46bc531c24124478a6034a2b8ec6a

I decoded the applet parameters and the routine (but not the key) is
identical to a "Glazunov" compromise I also saw today. In both cases you
need to add a "1" to the end to get the payload URL, which is, of
course, predictable in this case.

My method (in case anybody else finds it useful!) is pretty much

1) unzip the .jar
2) use "jad" to decompile the class files
3) grep "0xff" *.jad to find the one containing the key (256 integers)
4) paste the key into my decoder (copied and reimplemented in perl,
attached)

Best Wishes,
Chris

On 05/09/12 21:49, Nathan wrote:
> Chris - Thanks for all your input on this one, just had another landing, seeing
> some really odd things out of justdied.com that very much smells like
> fast-flux.  These child domains are only up for an hour or so after initial
> landing, if even that long.
> 
> Thus far I've seen these URI structures, and initial vector of landing appears
> to be SEO based on HTTP referer.
> 
> I'm seeing 302's with the '404.php and class.class'
> 
> #Yesterday
> hxxp://funsvkh.justdied.com/PJeHubmUDaovPDRCJxGMEzlYXdvvppcg
> hxxp://funsvkh.justdied.com/pqvjdujfllkwl.jar
> hxxp://funsvkh.justdied.com/PJeHubmUDaovPDRCJxGMEzlYXdvvppcg?s=1
> 
> #Today
> hxxp://xmqgnsjd.justdied.com/PJeHubmUDaovPDRCJxGMEzlYXdvvppcg
> hxxp://xmqgnsjd.justdied.com/pqvjdujfllkwl.jar
> hxxp://xmqgnsjd.justdied.com/yausvrgpatcskwbas/404.php
> hxxp://xmqgnsjd.justdied.com/yausvrgpatcskwbas/uyabdmvgswv/class.class
> hxxp://xmqgnsjd.justdied.com/yausvrgpatcskwbas/uyabdmvgswv.class
> hxxp://xmqgnsjd.justdied.com/yausvrgpatcskwbas/uyabdmvgswv/404.php
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
> Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05
> 2012"; flow:established,to_server; content:".justdied.com|0d 0a|"; http_header;
> classtype:trojan-activity; sid:x; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
> Unknown Java Exploit Kit with fast-flux like behavior static initial landing -
> Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri;
> classtype:trojan-activity; sid:x; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
> Unknown Java Exploit Kit with fast-flux like behavior hostile java archive -
> SEP 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar";
> http_uri; classtype:trojan-activity; sid:x; rev:1;)
> 


-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
-------------- next part --------------
A non-text attachment was scrubbed...
Name: decoder-glaz.pl
Type: application/x-perl
Size: 1654 bytes
Desc: not available
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20120905/925392e1/attachment.bin>
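Nathan's three static content matches and the stateful check the proposed sig's title describes (a payload request from the same client whose URI sits in the same folder as the initial landing, with "1" appended as Chris notes, or "?s=1" as in Nathan's capture), emulated over constructed request records. This is an added example, not code from this thread or from the attached decoder; the client IPs and the changeip.name follow-up request are constructed.

```python
"""Toy emulation of the thread's detection logic over constructed HTTP request logs."""
import re
from collections import defaultdict

# Static matches transcribed from Nathan's rules (http_header / http_uri buffers).
HOST_MATCH = ".justdied.com"        # content:".justdied.com|0d 0a|"; http_header
LANDING_MATCH = "/PJeHubmUD"        # content:"/PJeHubmUD"; http_uri
JAR_MATCH = "pqvjdujfllkwl.jar"     # content:"pqvjdujfllkwl.jar"; http_uri

# Landing URI shape in both Chris's and Nathan's samples: one long alnum segment (32 chars there).
LANDING_RE = re.compile(r"^/[A-Za-z0-9]{24,}$")

def match_static(host, uri):
    """Names of the stateless rules a single request would fire."""
    hits = []
    header_buf = f"Host: {host}\r\n"   # only the Host line of the header buffer is modelled
    if HOST_MATCH + "\r\n" in header_buf:
        hits.append("hostile FQDN")
    if LANDING_MATCH in uri:
        hits.append("static initial landing")
    if JAR_MATCH in uri:
        hits.append("hostile java archive")
    return hits

def correlate(requests):
    """Stateful check: a landing URI seen from (client, host), then a later request
    to landing + '1' or landing?s=1 from the same pair, is flagged as a payload fetch."""
    landings = defaultdict(set)     # (client, host) -> landing paths seen
    alerts = []
    for client, host, uri in requests:
        path, _, query = uri.partition("?")
        key = (client, host)
        for landing in landings.get(key, ()):
            if path == landing + "1" or (path == landing and query == "s=1"):
                alerts.append((client, host, uri))
                break
        if not query and LANDING_RE.match(path):
            landings[key].add(path)
    return alerts

# Constructed request log: hostnames/URIs from the thread, client IPs made up.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "xmqgnsjd.justdied.com", "/PJeHubmUDaovPDRCJxGMEzlYXdvvppcg"),
    ("10.0.0.5", "xmqgnsjd.justdied.com", "/pqvjdujfllkwl.jar"),
    ("10.0.0.5", "xmqgnsjd.justdied.com", "/PJeHubmUDaovPDRCJxGMEzlYXdvvppcg?s=1"),
    ("10.0.0.7", "qaxgckzkn.changeip.name", "/8TJOgPCGPDDgHPxdF0epfp9V72hv7M9p"),
    ("10.0.0.7", "qaxgckzkn.changeip.name", "/8TJOgPCGPDDgHPxdF0epfp9V72hv7M9p1"),  # constructed
    ("10.0.0.9", "example.org", "/index.html"),
]

if __name__ == "__main__":
    for client, host, uri in SAMPLE_REQUESTS:
        print(client, host, uri, match_static(host, uri))
    print("correlated:", correlate(SAMPLE_REQUESTS))
```

The static rules miss the changeip.name host entirely, which is what the correlation check is for.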

