Recently we've observed several shifts in exploit kit techniques, so I thought it would be good to share IOC information for these kits so that administrators and network defenders can check their devices and logs and remediate on their networks.

Bleeding Life

Bleeding Life, traditionally, has not been one of the more subtle exploit kits.

In the past, the kit fetched its exploits through fairly obvious URIs.  For example:

"/load_module.php?e=Adobe-2010-2884"

"/load_module.php?e=Java-2010-3552"

"/modules/helpers/Java-2010-0842.jar"

The URI was explicit about which vulnerability the kit was going to download and run on the client.  However, as of the beginning of May, subtlety has increased slightly, as we've seen a shift in this technique.  The jar and swf files now carry much simpler names.  So, for example:

"/modules/2.swf"

"/modules/1.swf"

"/modules/nu.swf"
"/modules/n3.swf"

"/modules/1.jar"

The vulnerabilities have been updated to more modern exploits as well.  (I'll detail the hashes and vulnerabilities in a moment.)

The landing-page URI appears to have shifted format as well.  For example:

"/load_module.php?user=", where the value given to user is one of "n1", "1", "2" or "11", or, for those of you who speak regular expression: user=(n1|11?|2)

Now for some hashes:

nu.swf, 1.swf, and 2.swf all share a single hash:

4788CCA43F06752BD6D52978CBF8058FA4A3AEB76BC5242EE83DA4223EC2DE13 -- CVE-2013-0634


n3.swf, however, has a different hash:

8A5EDD1E23DB8054E6B7B76193A70EDC7C0924320F4D26AB963AA53CEA35AB90 -- CVE-2014-0515


1.jar appears under several hashes:

3C3172A47915FE77EF1F2D38CCB5C786D30F13D8C5161FD0F2411C3B0459A036 -- CVE-2011-3544

C35A5AA55C911F1F1CFF733E0F422C0DE316CFFAF3B285ABA57A4CFDB7188341 -- CVE-2012-1723

4525F4FE895D887AE354CE6221BAD424690503DAFEBC87A43CF54092FAA9CBE8 -- CVE-2012-1723

C1806E59BAE8CD3A320FB249223852D25DD62299844CF045D5AF4AE1DF0452AF -- CVE-2012-1723

C43DBBADD79F2C50F67BFC265825FBAC3887F6840B1DBB2E2556148F597D80C7 -- CVE-2013-2465
7F04E3B43FA259984AEE7CF9FBE83A2C0994FB321D650E5B9FDFDFB11435F05E -- CVE-2013-2465

2.jar appears to be a single hash:

C9450462F9A58C2C854E93FF8A6782C7AF677653097347F20DD679939EA19B5A -- CVE-2013-2465

The hostnames where this exploit kit has been hosted in the past 30 days (that we've seen) are the following:
www.rouleta.org
tsp-team.com
www.air-bilet.ru
www.cook-n-eat.net
www.preotech.ru

With the following as "Referers":
www.vz.ru
tvzvezda.ru
www.westernbeef.com
paranormal-news.ru
rollen.ru
www.insur-info.ru
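To turn the URI shift described above and the hashes, hostnames and referers listed here into something that can be run over proxy logs, here is an added example matcher (my own code, not part of the original post or a Cisco/Sourcefire tool).  It encodes the old explicit-exploit URIs, the new /modules/N.swf and N.jar names, the user=(n1|11?|2) landing page, and the IOC lists above, and runs them over a few constructed, tab-separated log records (timestamp, client, host, URI, referer); the log format and the sample lines are assumptions for the sake of the example.

```python
"""Bleeding Life IOC matcher over constructed proxy-log records (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Hostnames and referers listed in the post.
HOSTS = {"www.rouleta.org", "tsp-team.com", "www.air-bilet.ru",
         "www.cook-n-eat.net", "www.preotech.ru"}
REFERERS = {"www.vz.ru", "tvzvezda.ru", "www.westernbeef.com",
            "paranormal-news.ru", "rollen.ru", "www.insur-info.ru"}

# SHA-256 of each delivered .swf/.jar, mapped to the CVE it targets (from the post).
HASHES = {
    "4788CCA43F06752BD6D52978CBF8058FA4A3AEB76BC5242EE83DA4223EC2DE13": "CVE-2013-0634",
    "8A5EDD1E23DB8054E6B7B76193A70EDC7C0924320F4D26AB963AA53CEA35AB90": "CVE-2014-0515",
    "3C3172A47915FE77EF1F2D38CCB5C786D30F13D8C5161FD0F2411C3B0459A036": "CVE-2011-3544",
    "C35A5AA55C911F1F1CFF733E0F422C0DE316CFFAF3B285ABA57A4CFDB7188341": "CVE-2012-1723",
    "4525F4FE895D887AE354CE6221BAD424690503DAFEBC87A43CF54092FAA9CBE8": "CVE-2012-1723",
    "C1806E59BAE8CD3A320FB249223852D25DD62299844CF045D5AF4AE1DF0452AF": "CVE-2012-1723",
    "C43DBBADD79F2C50F67BFC265825FBAC3887F6840B1DBB2E2556148F597D80C7": "CVE-2013-2465",
    "7F04E3B43FA259984AEE7CF9FBE83A2C0994FB321D650E5B9FDFDFB11435F05E": "CVE-2013-2465",
    "C9450462F9A58C2C854E93FF8A6782C7AF677653097347F20DD679939EA19B5A": "CVE-2013-2465",
}

# Current landing page: /load_module.php?user=(n1|11?|2)
LANDING_USERS = {"n1", "1", "11", "2"}
# Legacy style named the exploit outright: ?e=Adobe-2010-2884, /modules/helpers/Java-2010-0842.jar
LEGACY_NAME = re.compile(r"^(?:Adobe|Java)-\d{4}-\d{4}$")
LEGACY_JAR = re.compile(r"^/modules/helpers/(?:Adobe|Java)-\d{4}-\d{4}\.jar$")
# Current payload names: /modules/{1,2,nu,n3}.swf and /modules/{1,2}.jar
PAYLOAD = re.compile(r"^/modules/(?:(?:nu|n3|1|2)\.swf|[12]\.jar)$")


def classify_uri(uri):
    """Return which Bleeding Life URI pattern a request matches, or None."""
    parts = urlsplit(uri)
    path, qs = parts.path, parse_qs(parts.query)
    if path == "/load_module.php":
        if qs.get("user", [""])[0] in LANDING_USERS:
            return "landing"
        if LEGACY_NAME.match(qs.get("e", [""])[0]):
            return "legacy-exploit"
        return None
    if PAYLOAD.match(path):
        return "payload"
    if LEGACY_JAR.match(path):
        return "legacy-payload"
    return None


def classify_request(host, uri, referer=""):
    """Collect every indicator a single request hits: host, URI pattern, referer."""
    hits = []
    if host in HOSTS:
        hits.append("known-host")
    pattern = classify_uri(uri)
    if pattern:
        hits.append("uri:" + pattern)
    ref_host = urlsplit(referer).hostname if referer else None
    if ref_host in REFERERS:
        hits.append("known-referer")
    return hits


def lookup_hash(sha256):
    """Map the SHA-256 (any case) of a fetched .swf/.jar to its CVE, or None."""
    return HASHES.get(sha256.upper())


def scan_log(lines):
    """Parse tab-separated 'timestamp client host uri referer' records; '-' means no referer."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, host, uri, referer = line.rstrip("\n").split("\t")
        hits = classify_request(host, uri, "" if referer == "-" else referer)
        if hits:
            alerts.append((ts, client, host, uri, hits))
    return alerts


# Constructed sample records (not real traffic): a landing hit, the follow-on
# payload fetch, a benign request, and a legacy-style URI on an unlisted host.
SAMPLE_LOG = [
    "2014-05-12T10:01:02Z\t10.0.0.5\twww.rouleta.org\t/load_module.php?user=n1\thttp://www.vz.ru/news/",
    "2014-05-12T10:01:04Z\t10.0.0.5\twww.rouleta.org\t/modules/n3.swf\thttp://www.rouleta.org/load_module.php?user=n1",
    "2014-05-12T10:02:30Z\t10.0.0.7\texample.org\t/modules/index.html\t-",
    "2014-05-12T10:03:11Z\t10.0.0.9\tsome.host.example\t/load_module.php?e=Java-2010-3552\t-",
]

if __name__ == "__main__":
    for ts, client, host, uri, hits in scan_log(SAMPLE_LOG):
        print(ts, client, host + uri, ", ".join(hits))
    print(lookup_hash("8a5edd1e23db8054e6b7b76193a70edc7c0924320f4d26ab963aa53cea35ab90"))
```

The URI patterns are deliberately anchored to the exact names seen so far; /modules/N.swf is generic enough that a looser regex would fire on legitimate sites, so treat a URI-only hit as a lead and the host, referer or file hash as the confirmation.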

Sharing

However, the point I find most interesting about this exploit kit is the set of exploits it shares with at least one other exploit kit.

The following hashes, for example, are shared between Bleeding Life and the Nuclear exploit kit:
4788CCA43F06752BD6D52978CBF8058FA4A3AEB76BC5242EE83DA4223EC2DE13
7F04E3B43FA259984AEE7CF9FBE83A2C0994FB321D650E5B9FDFDFB11435F05E
C35A5AA55C911F1F1CFF733E0F422C0DE316CFFAF3B285ABA57A4CFDB7188341
4525F4FE895D887AE354CE6221BAD424690503DAFEBC87A43CF54092FAA9CBE8
C43DBBADD79F2C50F67BFC265825FBAC3887F6840B1DBB2E2556148F597D80C7
The fact that so many exploits are shared between the two draws, in my mind, a connection.  I don't know if it's a connection in the same way that Cool and Blackhole were related (written by the same person), but I find it interesting.

All of these hashes are detected and blocked by both ClamAV and FireAMP, and Sourcefire IPS/Snort detection will ship in the form of SIDs:

31229-31232

This blog was made possible by contributions and assistance from Emmanuel Tacheau from our Cisco TRAC team.