Seen in the wild: Updated Exploit Kits

In early March, after one of our network sensors flagged an incident at one of our customers, we noticed some traffic going to a rather suspicious .biz domain. When looking into the details of this domain, we found it to be registered to a guy named “Lukas Vask”.

Image

When doing a reverse whois on just the email address, we found that Mister Vask owns 88 domains, 3 ‘.com’, 1 ‘.net’, 70 other gTLD’s and 14 ccTLD’s.
When reviewing the same data some days later we found that he bought another 78 domains.

A small sample list of unique domains used:

hxxp://www.goothewebcomwert.biz
hxxp://www.tenofityrocla.biz
hxxp://www.turkglobvan.in
hxxp://www.myfirstsitemanme.com
hxxp://www.globin-fo-stat.info
hxxp://www.globinfodetails.info
hxxp://www.findservicenuclear.org
hxxp://www.pubbotstatistic.com
hxxp://www.botupdatestatistic.com
hxxp://www.currentlocalburn5.biz
hxxp://www.currentlocalburn.biz

Alongside the above unique domains seen, we noticed a simple type of domain obfuscation. Using a combination of 3 to 5 words from the english dictionary with both the .org and .biz TLD’s are registered. Afterwards a letter is added to the end of the domains, which are just ascending letters of the alphabet and again the .org and .biz are also registered.

A small example list of the used words:
longdrivetoair
hitoryyoutohorm
takeafreemyw

We’ve seen the following being used in the wild:

hxxp://www.hitoryyoutohorm.biz
hxxp://www.hitoryyoutohorm.org
hxxp://www.hitoryyoutohormb.biz
hxxp://www.hitoryyoutohormb.org
hxxp://www.hitoryyoutohormc.biz
hxxp://www.hitoryyoutohormc.org
hxxp://www.hitoryyoutohormf.biz
hxxp://www.hitoryyoutohormf.org
hxxp://www.hitoryyoutohormg.biz
hxxp://www.hitoryyoutohormg.org
hxxp://www.hitoryyoutohormh.biz
hxxp://www.hitoryyoutohormh.org
hxxp://www.hitoryyoutohormk.org
hxxp://www.hitoryyoutohorml.biz
hxxp://www.hitoryyoutohorml.org

hxxp://www.takeafreemyw.biz
hxxp://www.takeafreemyw.org
hxxp://www.takeafreemywb.biz
hxxp://www.takeafreemywb.org

These pages are serving the Nice Pack exploit kit at this time.

Nice Pack Exploit Kit

Previous listings of the Nice Pack exploit kit have used Javascript with the old fashioned try and catch methods which are easily detected by IDS systems. For the new landing page of Nice Pack the creators took some time in figuring out how to sail free from the IDS detection by using even more obfuscated Javascript with no clear usage of known functions. Using a combination of these randomly named variables and functions makes these landing pages harder to detect.

Sample landing page:
Image

Deobfuscated it looks like this:
Image

The NicePack uses a combination of Adobe PDF and Java exploits to drop its malware.
The Java exploit targets CVE-2012-1723. The Adobe PDF exploit could not be determined as it seems the exploit kit is missing files, a 404 is returned when the malicious PDF should be served.

One way of determining if you’re dealing with a NicePack exploit kit domain is by doing a HTTP request on port 443, in the response you get will included a little hint.
Image

Checksums malicious files NicePack:
3cf648103d7d9ed4185494979af10b2c https://www.virustotal.com/en/file/5e283a5ef0213d9c920e644fb74b2de96420926fda86f80b9cf192e7514e5555/analysis/1362477992/

Sweet Orange Exploit Kit

While taking a look at Mister Vask, we found another type of domain obfuscation used to spread the Sweet Orange exploit kit.
This DGA works similar to the alphabet one but in this case adds an asceding number at the end, we’ve seen the following being used:

hxxp://www.currentlocalburn5.biz
hxxp://www.currentlocalburn.biz

The new URL syntax of Sweet Orange looks like this as seen in the wild:

/mambots/feedback/dog/questions.php?alert=477&oracle=79&courses=813&christmas=961&photos=653&talks=538
/software/careers.php?sony=228&hardcore=79&groupsn=685&contrib=277&featured=750

Older versions of the Sweet Orange exploit kit used shorter links for the landing page.

The landing page in this version of Sweet Orange:
Image

The deobfuscated script part:

sweetorange_landingpage_deobfuscated

This part embeds the malicious PDF file located at ‘./tUaZFs’. The PDF targets CVE-2010-0188.The above attempts to exploit java vulnerbilities by loading malicious JAR files which target specific Java versions.The Java archives we’ve seen target CVE-2012-1723 and CVE-2013-0431 .

While most exploit kits check Java and Adobe versions to determine the most suitable way to drop their malware, this one attempts everything anyway and discards any version checking.
The bruteforce approach it seems.

Checksums malicious files SweetOrange:
6292f68f7deb3d7bb946096b9ecd8f45 https://www.virustotal.com/en/file/62a0a8ca7c9c92e06314cdd01c75048addf455972d8e6cea98b1050c7667f6ab/analysis/1362477648/
b4a044835a6a1464c556042db484b977 https://www.virustotal.com/en/file/499e42c9869f3e5a87478afe6a5c17978eeaefde9530cca6b73e315d2d740304/analysis/1362477660/
7a7ce94c19fcc47e20068e3f51971b52 https://www.virustotal.com/en/file/93e54881d92c38bb8876c7cd8af0da83051ec469f6dd5119a2a3f40696852501/analysis/1362477670/

Conclusion

Getting back to the WHOIS information, it seems the domains for both exploit kits are being registered with the same credentials. Either a fake account or stolen identity is being used by multiple people or the same guys are behind SweetOrange and NicePack.. who knows.

Yonathan Klijnsma & Barry Weymes

Writeup on nbc.com distributing Citadel malware

Every now and then, an incident occurs in the SOC (Security Operation Center) that really captures everyone involved’s imagination. NBC’s websites getting hacked, is just one case, in point. Image

At 16:43 CET, this afternoon we noticed that the NBC.com website links to the redkit exploit kit that is spreading Citadel malware, targeting US financials institutions. This version of Citadel is only recognizable by 3 out of the 46 antivirus programs on virustotal.com.

https://www.virustotal.com/en/file/96deefbe5034d826b2fe4796c32104badaa6c8df768da1059827ccac6ef2f9d8/analysis/1361464137/

It has been shown before (with Dutch news site nu.nl, for example, along with the recent incidents at the New York Times and Wall Street Journal), targeting media and news websites can vastly improve an attacker’s chances of success. Users presume these large organizations websites to be free from malware. If an attacker can gain access to these web servers, they can use them to distribute malware to every visitor of that web server.

Image

The flow of the attack looks like this:

An iframe (on nbc.com) loads a webpage that tries to download and execute a malicious JAR file as well as a malicious PDF.

hxxp://finesseindia.com/332.jar & hxxp://finesseindia.com/987.pdf

Many more different URLs have been used in the coming hours after the first sign of the attack was detected.

The Citadel malware distributed is configured to manipulate traffic to and from the banking sites of the following banks amongst others:

  • Wells Fargo
  • USAA
  • Citibank
  • Bank of America
  • TD Ameritrade
  • Suntrust
  • Navy Federal Credit Union
  • Citizensbank Online
  • Fifth Third Bank
  • PNC
  • Chase
  • Schwab
  • American Express

The malware was no longer served at 21:28 CET.

This isn’t the first time a major website is compromised and starts spreading malware, and we don’t presume its the last. Be wary.

Barry Weymes et al.

Credit to Yonathan Klijnsma and Lennart Haagsma for discovery.

Oracle getting serious about Java

Recently, Oracle released new a version of Java with a difference. Java/1.7.0_13 is the latest version. Its increased the default security from ‘Medium’ to ‘High’, which restricts execution of unsigned applets. It also introduced a new warning to people executing Java code which checks if Java is using the latest version. You might notice the process jusched.exe running on your Windows PC to do this check. The conclusion here is that Oracle is getting serious about keeping its users up to date.

JavaOne

The above notice will give the users three choices: Update, Block or Continue. ‘Update’ will stop the execution and bring the user to the Java website to download the latest and safest version. ‘Block’ will not allow Java from being executed now and in future. By pressing ‘Block’ the user  Pressing ‘Later’ button the java code will be executed.

JavaTwo

Why this updating matters? It matters because these days the majority of machines exploited are because of Java vulnerabilities. Exploit kits used to deliver a malicious payload to a victims computer are the form of a jar file (Java Archive). This usually happens when the victim visits a compromised website or opens a malicious email. A typical exploit kit has some malicious JavaScript that will test for vulnerable Java versions (amongst other things). Once the script has found the vulnerable version, it will automatically try to execute a malicious jar file to gain control of the machine. Some examples of successful exploitation that we have seen at the SOC recently:

  • hxxp://nika16.nazwa.pl/332.jar Java/1.6.0_14
  • hxxp://stp.softupcheck.info/28ce4a88eed0ccb186520e43a867c384/1359543705/9ojy9x.app  Java/1.6.0_20
  • hxxp://kh.jimmywalkermusic.com /WtfWQjU.jar Java/1.6.0_37
  • hxxp://www1.v4xm7g02agdn0.undo.it/mkbrifd.jar Java/1.6.0_38
  • hxxp://uvyesn.dyndns-at-home.com/funds/1z9a02laoa15yy1591g5.jar Java/1.7.0_06

Blackhole_2.0.1_succesful_exploitation_distribution

Above shows part of a web interface for a botnet that has over 17500 successfully exploited systems using this blackhole exploit kit, we can see that over 78% of the systems was compromised by a Java exploit. This percentage is common and similar in other exploit kits, showing that Java continues to be the most commonly attacked application.

It would seem that users, don’t update software regularly and this is why the recent move by Oracle is important. Hopefully, this will stop the bad guys (continuously) taking advantage of that fact.

In the wild, we have seen the all types of old Java virtual machines getting compromised, anyone with these versions are obviously vulnerable. It is highly recommended that you either disable/uninstall Java or if you must use it make sure it is always up to date. Oracle’s increased focus on security stems from the need for better security in the software we use everyday, if this doesn’t happen maybe users and organisations will simply not accept it because it is too risky to have installed anymore.

Barry Weymes et al, Security Analyst at the Fox-IT Security Operations Center.