2012-12-18 - Evolution

Big update for Cool EK

Yesterday (2012-12-18) around 13h GMT I was not the only one (o/ Ekse) to noticed that something was happening on the Cool EK Front. (At least the one owned by the group pushing Reveton).
Landings in /r/ were replying with a "502 bad gateway"
Landings in /t/ were replying with a "ERROR 404 CONTENT"

Few hours later Malekal spotted the new landings.

So let's take a look at that.

Landing page filed with random data
The landing is now feed with random data.
In really small at beginning I saw for instance :
<div class='Minister'>curse: changing =)</div>
<div class='Shortly'>pass: vehicle =)</div>
<div class='neglect'>Reflection: NORTH =)</div>

The Plugin detect is not easy to read...lot of stuff.
After fast cleaning still need some time to read it. ( see for instance : http://pastebin.com/7xxj25KR )

Cool EK Landing after some cleaning

Sun Java :

Java ?

CVE-2012-4681 - CVE-2012-5076 :

GET http://50cf96399f208.transumancia .com/news/privileged.asp
200 OK (text/html) b3eb3375487191d20e6ad4854bb3d22b

GET http://50cf96399f208.transumancia .com/news/HEADMASTER-SUSPICIOUS.EOT
200 OK (text/html)
778ce2bf0593b021865df133ddbf2c1f (32bits)
062be3ecbdd356381126528ff131c391 (64bits)

GET http://50cf96399f208.transumancia .com/news/opinion-toss.jar
200 OK (application/java-archive)  77b464ae2e64efce193911191e31ab7f

GET http://50cf96399f208.transumancia .com/news/opinion-toss.exe
200 OK (application/x-msdownload) (out of scope...Reveton : 924bd8a4dbac809d1b139a2be6492fc1 )

CVE-2012-4681 Positive Path

CVE-2012-5076 Positive Path
CVE-2012-5076  in the opinion-toss jar

CVE-2012-0507 :

GET http://50cf96399f208.transumancia .com/news/privileged.asp
200 OK (text/html)

GET http://50cf96399f208.transumancia .com/news/HEADMASTER-SUSPICIOUS.EOT
200 OK (text/html)

GET http://50cf96399f208.transumancia .com/news/opinion-toss.jar
200 OK (application/java-archive) a1df4db82e9cf9c54a070332586c0877

GET http://50cf96399f208.transumancia.com/news/opinion-toss.exe
200 OK (application/x-msdownload)

CVE-2012-0507 Positive Path

CVE-2012-1723 :

GET http://frequent.dwyane-wade .org/news/opinion-toss.jar
200 OK (application/java-archive)  98a777ce628d7f7cf34ec4699119d815

CVE-2012-1723 Positive Path
CVE-2012-1723 in a 3rd opinion-toss jar

Adobe Reader : 

Adobe Reader ? for you BLESS1 or president2

GET http://50cf9f4e59a7d.triptoromania .com/news/DEFY/BLESS1.PDF (new PDF)
200 OK (application/pdf)  8e1bf290252776a94f48c6e6d4d6a6e5 (wepawet escaped)

GET http://50cfc981724ac.weareone-group .es/news/president2.pdf  (Old PDF at least CVE-2009-0927)
200 OK (application/pdf)  141dfa2439a3ce71c73fa4f691ed8216 (wepawet win)

Shell code revealed by Wepawet in president2.pdf

GET http://50cfd1b9790e9.weareone-group .eu/news/opinion-toss4.exe
200 OK (application/x-msdownload) d54d18c803869e631a7d0e6d5fb32512 (Reveton)

Adobe Flash Player

diamond2 flash call
Tried with Flash Player (CVE-2011-0611 ) seems safe (CVE-2011-2110 (?) seems safe. safe....

So had to use magic powder (so not 100% sure of the result, in fact have the feeling it's not ok) to :

GET http://50cfe21f5124a.appartamentogenova .net/news/said/diamond2.swf?info=02e67fbb3b74fa5a767eba652bd9088b98214cdf58f3ecfc585cc4a4e3c90da1f298befd5ab4c6faadfad5f25ca2d9c74866dbcc3650d5e9cf48b05f2328faa1f40b8588f16db1
200 OK (text/html) c57414b2160d4139f1334a4533dc2da1

GET http://50cfe21f5124a.appartamentogenova .net/news/GRAVEL/STANDING3.SWF?info=02e67fbb3b74fa5a767eba652bd9088b98214cdf58f3ecfc585cc4a4e3c90da1f298befd5ab4c6faadfad5f25ca2d9c74866dbcc3650d5e9cf48b05f2328faa1f40b8588f16db1
200 OK (text/html)  96affff5b127372d761e91b312a53fa1

<edit2 19/12/12 12:30>
The shellcode is : http://pastebin.com/raw.php?i=2NJ3YHKG
Running it with Pylibemu on this you'll get an amazing result (hat tip to Angelo and Markus working hard to make our days easier)
ShellCode Analysis with Pylibemu
Txt here : http://pastebin.com/raw.php?i=UuWmz2vR

As usual to be safe here...just update your Java/Flash/Adobe Reader and Windows

One last word about Reveton. As you may have seen by Trend Micro, in United States Reveton is showing a new design.
I really hope they will make a step backward cause this one is going too far...pushing a really disturbing image to the face of anyone in front of the screen at infection time.
Reveton last US Design.

The "pseudo" treaty between antivirus vendor and Police
explaining how you got that screen.

Files :  http://goo.gl/JvbDg Public Password (usual password for infected stuff)

<edit1 18/12/12 - 19h> Fixed CVE-2012-0507 (not 0506). Thx @eromang.</edit1>
More about Cool EK ?
Cool Exploit Kit Remove Support of Java CVE-2012-1723 - 2012-12-02 - Eromang - Eric Romang Blog
Cool-er Than Blackhole? - 2012-11-16 - Timo Hirvonen - F-Secure
Cool EK : "Hello my friend..." CVE-2012-5076 - 2012-11-09
Cool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09

More about Reveton ?
Reveton can speak now ! - 2012-11-23
Reveton += HU, LV, SK, SI, TR (!), RO - So spreading accross Europe with 6 new Design 2012-10-29
Reveton Autumn Collection += AU,CZ, IE, NO & 17 new design - 2012-10-12
Kernel Mode Thread