Friday, November 22, 2013

I'm calling this Goon Exploit Kit, for now

We started seeing this exploit kit in our systems on November 21st.  It has some similarities to Redkit and the Dotcache exploit kit.

Cookiebomb redirection to:

192.168.0.58 1044 173.237.187.203 80 GET 173.237.187.203 /cnt.php?id=786629 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

173.237.187.203 80 192.168.0.58 1044 301 text/html

Which bounces you over to:

Landing:
192.168.0.58 1046 192.185.32.90 80 GET vinnypedulla.com /2013/11/11/21/2013/downloader.php?page_seed=xhtml Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

192.185.32.90 80 192.168.0.58 1046 200 text/html

This is the JNLP (Java Web Start) bypass, served as an XML file.  Note that the User-Agent has switched from the browser to the Java client itself (Java/1.6.0_16), which also tells the kit exactly which Java version it is dealing with.
192.168.0.58 1048 192.185.32.90 80 GET vinnypedulla.com /5/201311/browser.xml Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16

192.185.32.90 80 192.168.0.58 1048 200 text/xml

CVE-2012-0507 (the Java AtomicReferenceArray type-confusion bug; the Java/1.6.0_16 client seen here is well behind the 6u31 fix):
192.168.0.58 1048 192.185.32.90 80 GET application/x-java-archive vinnypedulla.com /5/201311/browser.jar Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16

192.185.32.90 80 192.168.0.58 1048 200 application/java-archive

Payload (served under an .mp3 name and fetched by the JVM, not the browser):
192.168.0.58 1049 192.185.32.90 80 GET vinnypedulla.com /5/201311/014146.mp3 Java/1.6.0_16

192.185.32.90 80 192.168.0.58 1049 404 text/html

At the time of this investigation, the payload 404'ed.
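The request sequence above (Java-UA fetch of an XML/JNLP file, then a JAR from the same host, then a media-named file) is distinctive enough to hunt for in proxy or flow logs.  The following is an added example written for this post, not code from the original author or from any vendor product.  It assumes the space-separated record layout quoted above (source IP, source port, destination IP, destination port, method, optional Accept type, host, URI, User-Agent); the sample lines embedded in it are constructed to mirror the capture in the post, plus one benign line.

```python
"""Flag a JNLP -> JAR -> disguised-payload chain in proxy/flow logs.

Added example, not from the original post. The log layout is assumed to be
the space-separated one quoted in the post:
  src sport dst dport METHOD [accept-type] host uri user-agent...
The sample lines below are constructed to mirror the post's capture.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the request lines quoted in the post,
# with one unrelated Firefox request added as a negative case.
SAMPLE_LOG = """\
192.168.0.58 1044 173.237.187.203 80 GET 173.237.187.203 /cnt.php?id=786629 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
192.168.0.58 1046 192.185.32.90 80 GET vinnypedulla.com /2013/11/11/21/2013/downloader.php?page_seed=xhtml Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
192.168.0.58 1048 192.185.32.90 80 GET vinnypedulla.com /5/201311/browser.xml Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16
192.168.0.58 1048 192.185.32.90 80 GET application/x-java-archive vinnypedulla.com /5/201311/browser.jar Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16
192.168.0.58 1049 192.185.32.90 80 GET vinnypedulla.com /5/201311/014146.mp3 Java/1.6.0_16
10.0.0.7 2001 93.184.216.34 80 GET example.com /index.html Mozilla/5.0 (Windows NT 6.1) Firefox/25.0
"""

JAVA_UA = re.compile(r"\bJava/\d")
# Extensions a JVM has no business fetching right after a JAR: the kit hides
# its executable payload behind a media-looking name (014146.mp3 in the post).
MEDIA_EXT = (".mp3", ".gif", ".jpg", ".png", ".txt")


def parse_request(line):
    """Split one request record. The URI is the first token after the method
    that begins with '/'; the host is the token before it and everything
    after it is the User-Agent. Returns None for lines that do not fit."""
    tokens = line.split()
    if len(tokens) < 7:
        return None
    uri_idx = next((i for i, t in enumerate(tokens[5:], start=5)
                    if t.startswith("/")), None)
    if uri_idx is None or uri_idx < 6:
        return None
    return {
        "client": tokens[0],
        "server": tokens[2],
        "method": tokens[4],
        "host": tokens[uri_idx - 1],
        "uri": tokens[uri_idx],
        "path": tokens[uri_idx].split("?", 1)[0].lower(),
        "ua": " ".join(tokens[uri_idx + 1:]),
    }


def find_java_chains(log_text):
    """Return one finding per client whose Java/ requests show
    .xml/.jnlp -> .jar -> media-named file against the same host, in order.
    JNLP + JAR alone is reported; the payload fetch is recorded when seen."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_request(line)
        if rec and JAVA_UA.search(rec["ua"]):
            per_client[rec["client"]].append(rec)

    findings = []
    for client, reqs in per_client.items():
        stage, host, hits = 0, None, []   # 1: JNLP/XML, 2: JAR, 3: payload
        for r in reqs:
            if stage == 0 and r["path"].endswith((".jnlp", ".xml")):
                stage, host, hits = 1, r["host"], [r["uri"]]
            elif stage == 1 and r["host"] == host and r["path"].endswith(".jar"):
                stage, hits = 2, hits + [r["uri"]]
            elif stage == 2 and r["host"] == host and r["path"].endswith(MEDIA_EXT):
                stage, hits = 3, hits + [r["uri"]]
                break
        if stage >= 2:
            findings.append({"client": client, "host": host, "uris": hits,
                             "payload_seen": stage == 3})
    return findings


if __name__ == "__main__":
    for finding in find_java_chains(SAMPLE_LOG):
        print(finding)
```

Keying on the User-Agent is deliberate: a JVM that fetches an XML file and a JAR and then something named .mp3 from one host is the exploit chain regardless of what the URL paths look like, which matters because the post's later update notes the path structure is dynamic.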

I'll update this blog post as more information becomes available.

Update:  After further research, it appears the URL structure used to download the JNLP and JAR files is dynamic in some way.  However, we are now seeing this exploit kit drop an XOR'd binary of ZeroAccess.  Please ensure you have VRT rule 26524 enabled, as that will detect the JWS bypass section of this exploit kit.  If in IPS mode, it should stop this kit from working.
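When the dropped payload is captured (the .mp3 request above, once it stops returning 404), the first analyst step is to get the executable back out of the XOR'd blob.  The post does not say how the kit keys the XOR, so the added example below assumes a single repeating key byte and recovers it by checking every candidate against structure a PE file must have anyway: the MZ DOS header and the PE signature at the e_lfanew offset (0x3C).  This is example code written for this post, not the kit's decoder or anything from the original author; the sample "payload" is a constructed header, not malware.

```python
"""Recover a single-byte-XOR'd PE from a downloaded blob.

Added example, not code from the original post. The post reports an XOR'd
ZeroAccess binary but not the key scheme; a single-byte repeating key is
assumed here. Validation uses the 'MZ' DOS header and the 'PE\\0\\0'
signature at the e_lfanew offset (header offset 0x3C), which every PE
carries regardless of how it was encoded.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def looks_like_pe(data):
    """True when data has an MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return (0x40 <= e_lfanew <= len(data) - 4
            and data[e_lfanew:e_lfanew + 4] == PE_SIG)


def xor_bytes(data, key):
    """XOR every byte with a one-byte key (XOR is its own inverse, so the
    same call both encodes and decodes)."""
    return bytes(b ^ key for b in data)


def recover_xor_pe(blob):
    """Try all 256 single-byte keys and return (key, plaintext) for the first
    one that yields a structurally valid PE header, or None if none does.
    Only a key that maps blob[0] to 'M' can pass, so the match is unique."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def build_fake_pe():
    """Constructed stand-in for a dropped executable: a minimal DOS header
    whose e_lfanew points at a PE signature. Not a real binary."""
    header = bytearray(0x80)
    header[0:2] = MZ
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> 0x40
    header[0x40:0x44] = PE_SIG
    header[0x50:0x62] = b"constructed sample"    # filler, 18 bytes
    return bytes(header)


if __name__ == "__main__":
    # What the kit would hand back under the .mp3 name, assuming key 0x5A.
    served = xor_bytes(build_fake_pe(), 0x5A)
    print(recover_xor_pe(served))
```

If the brute force returns nothing, the assumption is wrong rather than the sample clean: a multi-byte key, or junk prepended before the header, needs a known-plaintext approach (the DOS stub text "This program cannot be run in DOS mode" is the usual anchor) rather than this 256-key sweep.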

Update-2: Added some clarification around the Cookiebomb bump.  Detected 60 installs of this yesterday.

2 comments:

  1. Any ideas of how to clean this out of a website (wordpress)?

  2. It's simple to remove the code from your site. The harder part is figuring out how they got in to put the code there in the first place.
