2012-09-13 - Study
Fast look at an infection by a Blackhole Exploit Kit 2.0
Bet there is a new logo... but I don't have it.
If you didn't know that Blackhole Exploit Kit has been rewritten as version 2.0, take a look at this post.
All files here: http://kafeine.minus.com/mbkP1Nl0bC
Goal of this post: show what an infection via the new version of Blackhole looks like.
Forget main.php?page=0123456789abcdef and its variants; that's (almost) over now.
I may update later with other vulnerability paths or other information related to 2.0.
Video of the infection described below in 1. Useless, but I like visual things. I did not wait for Live Security Platinum to pop up because I did not know whether the payload had a GUI.
1 - Here is the complete Fiddler trace for a CVE-2012-4681 infection path:
200 http://46.249.37.118 /links/differently-trace.php --> a464b3414a32203b10cf89e84b884609 (Anubis report)
200 http://46.249.37.118 /links/differently-trace.php?zexl=36070905070437020234050505343634353405060636060a330902340a033505&lgyzvu=4833&evwi=nfsl&izcjjjxl=ycvrg --> d7f16e839aa3b0ec02c5d798ee184a5a (VT report)
Seems to be the same Jar that we found at the same time on Blackhole instances that were not yet updated.
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/getJavaInfo.jar
200 http://46.249.37.118 /links/differently-trace.php?zexl=36070905070437020234050505343634353405060636060a330902340a033505&lgyzvu=4833&evwi=nfsl&izcjjjxl=ycvrg --> d7f16e839aa3b0ec02c5d798ee184a5a (yes, same... (?))
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/A.class
404 http://46.249.37.118 /links/A/class.class
200 http://46.249.37.118 /links/differently-trace.php?xwwrf=36070905070437020234050505343634353405060636060a330902340a033505&fvjmvlke=03090708363335340408&vene=02&fch=lsm&wka=sxi --> a4ee53b38e3a8a1fdd720cb035d9873f User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06
404 http://46.249.37.118 /links/differently-trace.php?gceol=36070905070437020234050505343634353405060636060a330902340a033505&plq=45&lqhsb=03090708363335340408&sfemv=02000200020002
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/A.class
404 http://46.249.37.118 /links/A/class.class
404 http://46.249.37.118 /links/A.class
404 http://46.249.37.118 /links/A/class.class
Files are available here: http://minus.com/lCoPbeqIs8DLr
Fiddler session is here: http://minus.com/lbjapThXMLSl6K
The payload, just for those who wonder. Out of the scope of this post.
2 - One more CVE-2012-4681 infection:
200 http://level.liborscam.info /links/tune-spreads-action.php --> a1f3cca2be43825b25ec39cd10082083 (Wepawet report showing the PluginDetect pointed out by Websense and Aleksandr Matrosov)
200 http://level.liborscam.info /links/tune-spreads-action.php?ivpnaza=3306380338020a0b0b02360609350608350409050334350933080a3505063308&oxn=3533&kqztigi=kkwxmuax&zuc=uvvibjqq --> 6a3757841ff61752fd24cbb84f67418c (VT report)
302 http://level.liborscam.info /links/getJavaInfo.jar
200 http://level.liborscam.info /links/tune-spreads-action.php?ivpnaza=3306380338020a0b0b02360609350608350409050334350933080a3505063308&oxn=3533&kqztigi=kkwxmuax&zuc=uvvibjqq --> 6a3757841ff61752fd24cbb84f67418c (same)
302 http://level.liborscam.info /links/getJavaInfo.jar
200 http://level.liborscam.info /links/tune-spreads-action.php?uxytgf=3306380338020a0b0b02360609350608350409050334350933080a3505063308&abnczdde=06090a3708050a063402&jvfagfn=02&pusr=uwelha&tibqqyl=rpfarbmb --> 18fb6c377458e52559b6044aed21b3f1 (VT report; must be Reveton ransomware, because we can see an IP of the RP owned by our squatter from AS57999) User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06
302 http://level.liborscam.info /links/A.class
302 http://level.liborscam.info /links/A.class
Files are available here: http://minus.com/lbyzmpVJY34jSE
Fiddler session is here: http://minus.com/lwwbnnmDejV7C
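As an added defender-side example (not code from the original post), a small Python classifier that walks Fiddler-style trace lines like those in traces 1 and 2 and tags each request as the landing page, one of the Java double-check probes (getJavaInfo.jar / A.class), the Jar delivery carrying the long hex token, or the payload GET identified by the JVM's own Java/1.x User-Agent. The sample lines are constructed after trace 1, and the 60-hex-character threshold for the token is my assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Added example, not from the original post: classify Fiddler-style trace lines into BH EK 2.0 stages.
HEX_TOKEN = re.compile(r"^[0-9a-f]{60,}$")               # 64-hex "session" value in the .php queries (threshold assumed)
JAVA_UA = re.compile(r"\bJava/1\.[0-9]+\.[0-9]_[0-9]+")  # JVM fetching the payload, e.g. Java/1.7.0_06
LINE = re.compile(r"^(\d{3})\s+(\S+)\s+(\S+)(?:\s+User-Agent:\s*(.*))?$")

# Constructed sample modelled on trace 1 (host and path split by a space, as in the post).
SAMPLE = """
200 http://46.249.37.118 /links/differently-trace.php
200 http://46.249.37.118 /links/differently-trace.php?zexl=36070905070437020234050505343634353405060636060a330902340a033505&lgyzvu=4833&evwi=nfsl&izcjjjxl=ycvrg
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/A.class
200 http://46.249.37.118 /links/differently-trace.php?xwwrf=36070905070437020234050505343634353405060636060a330902340a033505&fvjmvlke=03090708363335340408&vene=02&fch=lsm&wka=sxi User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06
"""

def parse_line(line):
    """Split one trace line into status, host, path, query params and optional User-Agent."""
    m = LINE.match(line.strip())
    if not m:
        return None
    status, host, path, ua = m.groups()
    parts = urlsplit(host + path)
    return {"status": int(status), "host": parts.netloc, "path": parts.path,
            "params": dict(parse_qsl(parts.query, keep_blank_values=True)), "ua": ua or ""}

def classify(req):
    """Map one request to a kit stage, or None if it does not fit the pattern."""
    name = req["path"].rsplit("/", 1)[-1]
    if name in ("getJavaInfo.jar", "A.class", "class.class"):
        return "probe"      # Java / plugin double-check; 404 or 302 in both traces
    if not req["path"].endswith(".php"):
        return None
    if not req["params"]:
        return "landing"    # bare landing page (PluginDetect)
    if any(HEX_TOKEN.match(v) for v in req["params"].values()):
        # Same .php with the hex token: Jar delivery, or the payload once the JVM's own UA shows up.
        return "payload" if JAVA_UA.search(req["ua"]) else "exploit"
    return None

def detect_chain(trace):
    """Group stages per host and flag hosts showing the full landing -> exploit -> payload chain."""
    hosts = {}
    for line in trace.strip().splitlines():
        req = parse_line(line)
        stage = classify(req) if req else None
        if stage:
            hosts.setdefault(req["host"], set()).add(stage)
    return {h: {"stages": sorted(s), "chain": {"landing", "exploit", "payload"} <= s}
            for h, s in hosts.items()}
```

Running `detect_chain(SAMPLE)` reports the 46.249.37.118 host with all four stages and `chain` set to True; a host that only shows the landing and probes (a visitor the kit declined to exploit) is not flagged.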
Note: where I got hit, I was served a combo: Redkit + BH EK 2.0, and ended up with Karagny, Zeus? (config: http://91.238.82.95:80[/]_cp/gate.php) and Reveton. Looks like one traffer is selling to two different clients.
Double strike: BH EK 2.0 + Redkit EK
</edit2>
<edit3>
3 - MDAC infection:
GET http://delivery.trafficbroker.com /rd.php?http://212.59.118.144/links/middle_granting.php
200 OK (text/html)
GET http://212.59.118.144 /links/middle_granting.php
200 OK (text/html)
GET http://java.sun.com/update/1.6.0/jinstall-6u60-windows-i586.cab
301 Moved Permanently to http://javadl-esd.sun.com/update/1.6.0/jinstall-6u60-windows-i586.cab
GET http://javadl-esd.sun.com/update/1.6.0/jinstall-6u60-windows-i586.cab
404 Not Found (text/html)
POST http://activex.microsoft.com /objects/ocget.dll
404 Not Found (text/html)
POST http://codecs.microsoft.com /isapi/ocget.dll
404 Not Found (text/html)
POST http://activex.microsoft.com /objects/ocget.dll
404 Not Found (text/html)
GET http://212.59.118.144 /links/middle_granting.php?rzy=37060a0933&qebtfeoy=39&arowcw=06090a3708050a063402&qxlhwqt=02000200020002
200 OK (application/pdf) <-- eedfd.pdf 43497a7060d68bd1ef5add8276858c0e
GET http://212.59.118.144 /links/middle_granting.php?bjg=37060a0933&lsry=06090a3708050a063402&vedpt=04&cljdwo=cxlcbbox&aeh=wtorw
POST http://codecs.microsoft.com /isapi/ocget.dll
404 Not Found (text/html)
</edit3>
> Yes, Tor exit nodes are skipped.
> Yes, a double hit from the same IP won't trigger the landing twice (502 error - 0).
Is BH EK 2.0 exploiting CVE-2012-1535, which affects Flash 11.3.300.270 and earlier? Paunch never mentioned it. Please, anyone, comment if I'm wrong. This thread of Blackhole, at least, was not using it.
One useless video showing a computer vulnerable only (...as far as we know) to CVE-2012-1535 running fine through this thread of that BH EK.
Edit: 13/09/12 - 08:03am - Added remark regarding PluginDetect after the Websense post.
Edit 2: Removed the remark regarding PluginDetect; after Aleksandr Matrosov's tweet, it's indeed part of the BH EK 2.0 double check (the first landing in Fiddler trace 1).
Edit 3: Added infection path: MDAC.
Edit 4: Added User-Agent information on the final payload GET.
Note: I have tried infections triggering CVE-2012-0507 (Atomic, on JRE 1.6u30) and CVE-2012-1723 (JRE 1.6u32). Both "successful".
User-Agent: Java/1.6.0_30 on final payload GET
User-Agent: Java/1.6.0_32 on final payload GET