Pinpointing Malicious Redirects

Cybercriminals are constantly thinking up new ways to redirect unsuspecting visitors to their drive-by landing page. The guys over at Sucuri often find really interesting redirects that they’ve come up with.

What I have been doing lately is documenting these redirection methods so that I can program Pinpoint to look for these methods when it analyzes webpages. I believe it’s useful to identify these methods so that you can tell if it’s an Infinity EK (aka RedKit, GoonKit), ramayana EK (aka DotkaChef), DarkLeech, or another type of website infection.

Here’s what I collected so far. Some of these methods are deprecated, browser-specific, or won’t work unless the browser is in compatibility mode but I’ve captured them anyway (btw, these two sites were very helpful).

Meta Refresh
<meta http-equiv="location" content="url=http://www.google.com" />
<meta http-equiv="refresh" content="0;url=http://www.google.com" />

Javascript Redirect
document.domain="http://www.google.com";
document.location="http://www.google.com";
document.location.href="http://www.google.com";
document.URL="http://www.google.com";
location="http://www.google.com";
location.assign("http://www.google.com");
location.host="http://www.google.com";
location.hostname="http://www.google.com";
location.href="http://www.google.com";
location.reload("http://www.google.com");
location.reload="http://www.google.com";
location.replace("http://www.google.com");
self.location="http://www.google.com";
top.location="http://www.google.com";
top.location.href="http://www.google.com";
window.location="http://www.google.com";
window.location.assign("http://www.google.com");
window.location.href="http://www.google.com";
window.location.replace("http://www.google.com");
window.navigate("http://www.google.com");
window.open("http://www.google.com");
window.showModalDialog("http://www.google.com");
window.showModelessDialog("http://www.google.com");

CSS
<div style="width:expression(document.location("http://www.google.com"))">hello</div>
<style>body{width:ex/**/pression(document.location("http://www.google.com"));}</style>
<style>body{background-image:url(javascript:document.location="http://www.google.com");}</style>

OnError
<img src="missing.jpg" onerror=document.location="http://www.google.com";>

Other
By setting the data URI’s type to Javascript, the browser decodes and executes the base64-encoded script:

<script src="data:text/javascript;base64,dG9wLmxvY2F0aW9uPSJodHRwOi8vd3d3Lmdvb2dsZS5jb20iOw=="></script>

You don’t actually need to define the data type, as this works too:

<script src="data:;base64,dG9wLmxvY2F0aW9uPSJodHRwOi8vd3d3Lmdvb2dsZS5jb20iOw=="></script>

Same thing here, except the data type is set to HTML:

<object data="data:text/html;base64,PHNjcmlwdD50b3AubG9jYXRpb249Imh0dHA6Ly93d3cuZ29vZ2xlLmNvbSI7PC9zY3JpcHQ+">

If the redirect content is saved in an external file, it is read and executed with this:

<object data="redir.htm" type="text/html">
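As an added example (my own code, not part of Pinpoint or this post), here is a small Python triage scanner that flags the redirect methods catalogued above. It strips CSS comments before matching so the ex/**/pression trick is caught, and it decodes base64 data: URIs and rescans the result so a redirect hidden in a data: script or object is reported too; the signature names are my own.

```python
import base64
import re

# Signatures for the redirect methods catalogued above. Matching is
# case-insensitive, and CSS comments are stripped first so the
# ex/**/pression trick does not evade the check.
PATTERNS = {
    "meta-refresh": r'<meta[^>]*http-equiv\s*=\s*["\']?(?:refresh|location)',
    "js-location": r'\b(?:window|top|self|parent|document)?\.?location'
                   r'(?:\.(?:href|assign|replace|reload|host|hostname))?\s*[=(]',
    "js-document-url": r'\bdocument\.URL\s*=',
    "js-window-call": r'\bwindow\.(?:navigate|open|showModalDialog|showModelessDialog)\s*\(',
    "css-expression": r'\bexpression\s*\(',
    "css-javascript-url": r'\burl\s*\(\s*["\']?\s*javascript:',
    "onerror-handler": r'\bonerror\s*=',
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in PATTERNS.items()}
CSS_COMMENT = re.compile(r'/\*.*?\*/', re.S)
DATA_URI = re.compile(r'data:([^;,"\'\s]*)(;base64)?,([^"\'\s>]+)', re.I)


def scan(content, depth=0, max_depth=3):
    """Return (label, snippet) findings for every redirect signature in
    content. base64 data: URIs are decoded and scanned recursively, so a
    redirect hidden inside <script src="data:..."> is still reported."""
    findings = []
    text = CSS_COMMENT.sub("", content)
    for label, rx in COMPILED.items():
        for m in rx.finditer(text):
            start = max(0, m.start() - 10)
            findings.append((label, text[start:m.end() + 30].strip()))
    for m in DATA_URI.finditer(text):
        mime, is_b64, payload = m.group(1) or "(none)", m.group(2), m.group(3)
        findings.append(("data-uri", f"mime={mime} base64={bool(is_b64)}"))
        if is_b64 and depth < max_depth:
            try:
                decoded = base64.b64decode(payload, validate=True).decode("latin-1")
            except ValueError:
                continue  # not valid base64; leave it for manual review
            # Tag nested hits so the analyst can tell a redirect in the
            # page itself from one tucked inside a data: URI.
            findings.extend((f"{lbl}@data-uri", snip)
                            for lbl, snip in scan(decoded, depth + 1, max_depth))
    return findings


def labels(content):
    """Distinct signature labels found in content."""
    return {label for label, _ in scan(content)}
```

Run scan() over saved page source (or the external scripts a page pulls in) and review each snippet; a js-location@data-uri hit is the data: URI case shown above.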

In this redirect example, the name of the file holds the key. The script reads in the filename and after subtracting 5 from the decimal equivalent of the characters, converts it to “google.com” which you are redirected to.

[Screenshot: 2014-02-08_01]

I saw a similar example in the wild awhile back. In this script, I assigned colors of various parts of the webpage but those are actually decimal values of the redirect script.

[Screenshot: 2014-02-08_02]

First, let me show you what the webpage looks like. I just searched for random images on Google and put them on the webpage.

[Screenshot: 2014-02-08_03]

Now have a look at the source code and you can see what I’m using the images for. The script grabs the width and height of each photo and converts these decimal values to text which is the redirect script. This one took a lot of patience since I had to resize each picture to the decimal values I needed without overly distorting the images.

[Screenshot: 2014-02-08_04]

For this redirect I use the obfuscation method found in live examples and combine it with the technique above. The logo.png’s width and height were also resized to the decimal values I needed and then referenced by the script. This value is the key (multiplier) that converts the “x-y coordinates” at the top into the redirect script.

[Screenshot: 2014-02-08_05]

Here, I embed a secret value at the end of a PNG graphic file. I use VBScript to extract the bytes I needed which are converted into the redirect script.

[Screenshot: 2014-02-08_06]

Here’s the shot of the data I added to the graphic file using a hex editor.

[Screenshot: 2014-02-08_07]

Here’s a crude method to extract data from a photo, convert the bits into text then eval the result. This works on older versions of IE. The code, Binary Ajax, from this site can be used to make this work on newer versions.

[Screenshot: 2014-02-08_08]

To make this, I just grabbed a random image from Google:

[Screenshot: 2014-02-08_09]

Then I added the hex equivalent of the redirect script in the “Authors” field.

[Screenshot: 2014-02-08_10]

The bytes are extracted with the help of VBScript. The Javascript portion converts the hex to ASCII and evaluates it. And like the rest, you end up on google.com.

Besides detecting these methods (or at least capturing the main parts and writing them out to the cleaned-up output file for your review), the latest version of Pinpoint includes several new features and bug fixes:

  • Removed log option since that should always be enabled
  • Added stats to log file (multiple calls will be counted each time)
  • Included the HTTP request to the raw log file
  • Ability to add to the header (use ^p to insert CRLF)
  • Finds links on a webpage up to five levels deep
  • Ability to access webpages when a port is specified (e.g. example.com:8080)
  • Ability to make a GET or POST on the initial request
  • Unescapes links before making a request to them

Here’s a live example of Pinpoint doing its thing. (If you want to see more examples, you can read this introductory post.)

[Screenshot: 2014-02-08_11]

You can see an iframe tag with a strange-looking URL in the above pic. Viewing the log file reveals that this file has a high “entropy” value of 86.35% and is referenced on the main page.

[Screenshot: 2014-02-08_12]

The file called “pinpoint_clean.txt” is a cleaned-up version of the webpages that only shows key elements. Here you can see the malicious iframe tag.

[Screenshot: 2014-02-08_13]

You can download Pinpoint here.

Posted in Exploit Packs, Malscript, Tools

Revelo Updated

I’ve been noticing obfuscated Javascript using a function that returns the deobfuscated result more and more lately so I added a new method to catch this.

[Screenshot: 2014-02-06_01]

Here’s an obfuscated script. It’s not that difficult but it does look intimidating!

[Screenshot: 2014-02-06_02]

First I loaded the script and made sure that the “<script></script>” tags are present. This is important to Revelo because it uses this exact string as a marker to add content before or after the opening or closing script tag.

Next, I click on the “Highlight Decryption Clues” button. This gives you hints to look for in the script — functions, variable accumulators, and now returns. What this shows is that the variable “IBq” is accumulating a result. (This is the only accumulator in the entire script.) The result is then returned to the calling function.

[Screenshot: 2014-02-06_03]

Just choose the new method called “Intercept Return and Variable” and paste in the actual return statement “return(IBq)”. You need to paste the “return” keyword too because there are other combinations.

[Screenshot: 2014-02-06_04]

Click on the “Execute” button and go to the Results tab to get the deobfuscated text. (Note: the results contain escaped characters, but it is essentially deobfuscated.)

[Screenshot: 2014-02-06_05]

The other change is that I updated the JSBeautify script with the latest version from jsbeautifier.org.

You can find Revelo here.

Posted in Malscript, Tools

Box.php Fraud Kit

I’ve been researching that fake Adobe Flash update and Neutrino EK redirect that other fine researchers have been writing about:

blog.spiderlabs.com/2014/01/beware-bats-hide-in-your-jquery-.html
blog.sucuri.net/2014/01/website-mesh-networks-distributing-malware.html
www.f-secure.com/weblog/archives/00002659.html
blog.malwarebytes.org/online-security/2014/01/neutrino-delivers-fake-flash-malware-hosted-on-skydrive/

I don’t want to duplicate too much of what they have already covered but here’s what I’ve discovered so far…

Compromised websites have this script injected in HTML pages or external Javascript files (see SpiderLabs’ blog):

[Screenshot: 2014-01-30_01]

Here are some other examples:


After a few moments, the visiting website shows a frame offering an Adobe Flash Player update.

[Screenshot: 2014-01-30_02]

Clicking on the link leads to a malicious executable being downloaded. I’m not sure how successful this fraud campaign is, but it looks pretty convincing to untrained users.

The landing page of that injected script sets up the fake Adobe Flash Player update frame then calls an external HTML file. You can see the reference to “b.html” in the HTML page below.

[Screenshot: 2014-01-30_03]

Sometime in mid-January, the landing page was updated to include a call to the Neutrino Exploit Kit. Now it seems to be redirecting to the Nuclear Exploit Kit.

[Screenshot: 2014-01-30_04]

Going back to the fake update, here’s a portion of the “b.html” page. The “skydrive.live.com” link is where the malware resides.

[Screenshot: 2014-01-30_05]

After checking numerous sites for additional clues, I was lucky to find an open FTP server so I could download the files behind this campaign.

[Screenshot: 2014-01-30_06]

The HTML files are different pages that try to convince users to download VLC Player, VIO Player, to disable AdBlock, or to enable Javascript.

[Screenshot: 2014-01-30_07]

There are three PHP files. In the “b.html” file, there’s an AJAX call to “checker.php”. This PHP file grabs the visitor’s IP, presumably for banning repeat visitors and/or to check if it belongs to security companies or sandboxes.

[Screenshot: 2014-01-30_08]

The second file, “okaybox.php”, looks like this:

[Screenshot: 2014-01-30_09]

After deobfuscating this, the script turns out to be WSO Shell with weird comments embedded in the script used as fillers.

[Screenshot: 2014-01-30_10]

Interestingly, the individual(s) behind this “kit” often use a PHP shell with a filename that starts with a four-letter dictionary word followed by “box.php” (e.g. agedbox.php, lonebox.php, pastbox.php, ripebox.php, etc.).

The third PHP file is what the compromised website redirects the users to and looks like this. The script has three parts. The top part has a “cfg” variable. The second part has an array of base64 strings. The third part is the main code that references the array.

[Screenshot: 2014-01-30_11]

You can use Converter’s Array Search/Replace function to deobfuscate this far enough to see what it’s doing, but not necessarily to run it (unless you fix the variables by adding quotes where applicable).

[Screenshot: 2014-01-30_12]

What this script basically does is decrypt the “cfg” variable, make a request to some site and pass information about the user and server to it, then take some action depending on the results.

[Screenshot: 2014-01-30_13]

You can fix up the code so you can decrypt the “cfg” variable manually. Cool!

[Screenshot: 2014-01-30_14]

Now we can mimic the script and see what happens. I constructed the URL based on the code (don’t visit this link if you don’t know what you’re doing!):

hxxp://109.202.108 .4/mantds/egiybka.php?dom=http://www.somesite .com/&ref=http://www.othersite .com/&ip=10.10.10 .10&prox=no&agent=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

[Screenshot: 2014-01-30_15]

This is the same landing page we got at the very top of this article except the iframe source now references our fake site.

Posted in Exploit Packs, Malscript

Sneaky Redirect to Exploit Kit

While I was testing a Pinpoint update, I found a sneaky method to redirect unsuspecting users to Neutrino EK. This one was interesting to me so I thought I would document it here.

Here’s the website I visited…looks suspicious already:

[Screenshot: 2014-01-12_01]

There was a reference to an external Javascript file:

[Screenshot: 2014-01-12_02]

The file is obfuscated Javascript, which is a red flag:

[Screenshot: 2014-01-12_03]

I found the malicious redirect, or so I thought…

[Screenshot: 2014-01-12_04]

Long story short, this led nowhere. Going back to the main page, there is a call to a Flash file at the bottom.

[Screenshot: 2014-01-12_05]

Reviewing the ActionScript reveals something interesting. It reads in a PNG file called “gray-bg.png”, extracts every other character, then evals it.

[Screenshot: 2014-01-12_06]

The “PNG” file is not a graphic file but a renamed text file.

[Screenshot: 2014-01-12_07]

I used Converter to extract one character every two positions and got this:

[Screenshot: 2014-01-12_08]

The URL leads to the Neutrino landing page.

Posted in Exploit Packs, Malscript

Exploit Delivery Networks

Exploit packs are normally set up on a hacker-controlled server. Compromised websites or malicious email links lead unsuspecting users to the drive-by landing page on the server. While this keeps the main control panel, renter’s panel, crypter, statistics, etc., all in one place, it’s vulnerable to a take-down, resulting in a major disruption and a loss of statistical data, among other things.

We might be seeing the beginning of a new trend where distributed, self-contained exploit packs are installed on multiple compromised websites. A back-end server pushes out updates to and retrieves statistics from these websites. Take-downs of these compromised websites hosting the exploit packs don’t cause a major disruption anymore. The hackers just compromise other websites and quickly build it back up.

This is basically a content delivery network but for exploits — an “Exploit Delivery Network”, if you will. RedKit is a prime example (you can read about it here). Another exploit pack was recently revealed which operates in a similar manner.

Special thanks to a colleague of mine who provided me with intel and permission to write about this. Also thanks to a forum administrator who provided me with the files after his site was compromised.

Ramayana Exploit Pack
The “DotkaChef” exploit pack was discovered several months ago. Its real name is ramayana. Recently, the cybercriminals behind ramayana targeted numerous forums running vulnerable versions of IP.Board (read more here). After successfully exploiting the website, a folder is created with the self-contained exploit pack copied to it.

[Screenshot: 2014-01-09_01]

The PHP script verifies that the incoming URL contains the correct parameters and values; otherwise you won’t get infected. This prevents researchers from trying to analyze the pack. Here’s an example exploit chain related to ramayana:

website/panel/js/fe0e2feefe/?=MDct5ibpFWbf12c8lzM1ATN4YDM1UDMwkzM89SZmVWZmJTZwUmZvMnavwWZuFGcvUGdpNnYld3LvoDc0RHa8NnZ
website/panel/js/fe0e2feefe/?f=a&k=3900550685053931
website/panel/js/fe0e2feefe/?f=s&k=3900550685053919
website/panel/js/fe0e2feefe/?f=sm_main.mp3&k=3900550685053942

Here’s the part of the script that sends the exploit over. There are two Java exploits used — atom.jar (CVE-2013-2423) and byte.jar (CVE-2013-1493).

[Screenshot: 2014-01-09_02]

The Java applets and their related payloads are the four other files you see in the folder screenshot above. Those files are base64-encoded and are decoded upon delivery.

[Screenshot: 2014-01-09_03]

A stats file is also created which contains the key parameter from the URL and a status code.

[Screenshot: 2014-01-09_04]

The PHP script defines the values of the status code:

[Screenshot: 2014-01-09_05]

The backend system that controls the exploit pack nodes runs Python. It does a health check, builds the exploit pack files, pushes out updates, and other things. And of course there is a dashboard with a statistics panel which is fed by a stat-harvesting script. This appears to be an important measure of an exploit pack’s success and therefore part of most control panels.

Summary
“RedKit” and ramayana may represent a new class of exploit packs and an evolutionary improvement over their peers. Their exploitation methods remain the same, but the delivery system uniquely leverages compromised websites to host disposable components of the exploit pack in order to maximize resiliency, protect their backend systems, and ultimately ensure the longevity of their criminal operations. Time will tell if Exploit Delivery Networks become the new norm, but it’s something to keep a close eye on nonetheless.

Posted in Exploit Packs