Thursday, June 12, 2014

The never ending Exploit Kit shift - Bleeding Life

Recently we've been able to observe several shifts in exploit kit techniques, so I thought it would be good to share the IOC information for the exploit kits so that administrators and network defenders can take a look at their devices and logs to remediate on their networks.

Bleeding Life

Bleeding life, traditionally, was not one of the more subtle exploit kits.

In the past, the exploit kit would attempt to get the exploits through fairly obvious URI methods.  For example:


The URI would be explicit about which vulnerability the kit was going to download and run on the client.  However, as of the beginning of of May, subtlety increased slightly, as we've seen a shift in this technique.  The jar and swf files are now named much simpler.  So, for example:


The vulnerabilities have been updated to more modern exploits as well.  (I'll detail the hashes and vulnerabilities here in a second.)

The landing page appears to have shifted format in URI as well.  For example:

"/load_module.php?user=", in which the variable issued to user is either "n1, 1, 2, or 11"  or for those of you that speak regular expression: user=(n1|11?|2)

Now for some hashes:

nu.swf, 1.swf, and 2.swf, these appears to be a single hash:
4788CCA43F06752BD6D52978CBF8058FA4A3AEB76BC5242EE83DA4223EC2DE13 -- CVE-2013-0634

n3.swf, however, is a different hash:
8A5EDD1E23DB8054E6B7B76193A70EDC7C0924320F4D26AB963AA53CEA35AB90 -- CVE-2014-0515

1.jar appears to be several hashes:
3C3172A47915FE77EF1F2D38CCB5C786D30F13D8C5161FD0F2411C3B0459A036 -- CVE-2011-3544
C35A5AA55C911F1F1CFF733E0F422C0DE316CFFAF3B285ABA57A4CFDB7188341 -- CVE-2012-1723
4525F4FE895D887AE354CE6221BAD424690503DAFEBC87A43CF54092FAA9CBE8 -- CVE-2012-1723
C1806E59BAE8CD3A320FB249223852D25DD62299844CF045D5AF4AE1DF0452AF -- CVE-2012-1723
C43DBBADD79F2C50F67BFC265825FBAC3887F6840B1DBB2E2556148F597D80C7 -- CVE-2013-2465
7F04E3B43FA259984AEE7CF9FBE83A2C0994FB321D650E5B9FDFDFB11435F05E -- CVE-2013-2465

2.jar appears to be a single hash: 
C9450462F9A58C2C854E93FF8A6782C7AF677653097347F20DD679939EA19B5A -- CVE-2013-2465

The hostnames where this exploit kit has been hosted in the past 30 days (that we've seen) are the following:

With the following as "Referers":


However, the point that I find the most interesting about this exploit kit are the exploits that are shared with at least one other exploit kit.

The following hashes, for example, are shared between Bleeding Life and the Nuclear exploit kit:

The fact that so many exploits are shared between the two, in my mind, draws a connection.  I don't know if it's a connection in the same way that Cool and Blackhole were related (written by the same person), but I find it interesting.

All these hashes are detected and prevented with both ClamAV and FireAMP, and Sourcefire IPS/Snort's detection will ship in the form of SIDs:


This blog was made possible by contributions and assistance from Emmanuel Tacheau from our Cisco TRAC team.

1 comment:

  1. The reason for the kit sharing exploits with other kits (and using CVEs past 2011) is that Rob was not the author of any variants past 2011. Version 2 wound up being released open source on so any variants of bleeding life using exploits past 2011 are not authored by Rob. I have the latest un-released version which was bleeding life 3 and I gave that to xylitol for him to analyze and him alone. Just figured I'd shed some light on to the reasons for this.


Post a Comment