SimpleTDS as part of RedKit Exploit Kit

2012.09.04

Another Malware Distribution System, SimpleTDS (the name comes from URLQuery), appeared on the horizon this morning.

As I found out in the end, it was part (integrated or attached, in this case) of the known RedKit EK; thanks to @kafeine's blog post “CVE-2012-4681 – Redkit Exploit Kit – I want Porche Turbo”.

Disclaimer: All links provided lead to lists of malicious or potentially malicious resources. Do not click on any link or run any file without proper knowledge, a prepared environment and trained skills.

Well, it was a morning… :)

This time, it was something that I got from one of my clients:

hxxp://routinehabit.com

“It's clearly malicious,” he said, “I see the IDS going crazy…”

Well, let’s see..

GET hxxp://routinehabit.com

bla-bla…

Definitely, something is going on!

Going there:

GET hxxp://173.0.59. 219/i.php

Ok, here we have a reply. Looks like a Gateway service? After a few tests: the same reply for multiple requests and different browsers. Ok, so far all plain and simple :)

Going next step:

Host: brunobigg.su

IP: 188.190.126.77

GET hxxp://brunobigg.su/t/go.php?sid=1

Another 302 redirect? Same server, but a different page..

Testing a few times – same reply, not depending on any changes.

GET hxxp://brunobigg.su/t/other_traff.php 

Ok, got another 302! :) Wait! In the previous case we saw some tricks; let's check for them.
Another 3 GETs – 302 to the same page.

Ok, since there is no rotation, let’s see where we are redirected:

Host: circolo3.avitis.it,

IP: 178.79.135.231

Other variants:

174.36.1.34 – palabramielnicaragua.org

108.174.144.103 – peloplumapesca.com

and more :)

Going next:

GET hxxp://circolo3.avitis.it/37884697.html

Hooray! Got reply 200! )

Let’s see payload:

It contains 2 different .jar files:

and a PDF :)

Details of the jar files you can see at @kafeine's blog post; the sample I got is only the first one:

Virustotal: [1/42] https://www.virustotal.com/file/3392b09c5e038dcc51f81bdf23e55fa35376445c112bed34263debb677b90fc7/analysis/

and PDF file:

Virustotal: [1/42] https://www.virustotal.com/file/558088e576b25fba51542ff3c2a1c2e73b3c81080c5599b78ea9e0dd74de284c/analysis/1346766067/

Ok. What about exploits for browsers other than Internet Explorer?

Again, but with a different User-Agent:

GET hxxp://circolo3.avitis.it/37884697.html

Reply: 404! What? How? Already dead? After 3 minutes?

Or…. Step back:

GET hxxp://brunobigg.su/t/other_traff.php

Got a 302 redirect to… hxxp://circolo3.avitis.it/63574697.html << the target page changed!

GET the new page – and the same file names on the attack page:

98765.pdf

88770.jar

33256.jar

So, here is the first anti-forensic measure so far:

HTML pages rotate, to prevent multiple requests over any useful amount of time. This does not depend on the IP or the number of requests, but on a specific amount of time. On the other side, the exploit file names stay the same. It is a flaw in the anti-forensics, but good for us :)

Well, after half an hour I returned to the tests, and GET hxxp://brunobigg.su/t/other_traff.php returned a completely different address:

hxxp://mwyt.co.uk/35304697.html

On the previous domain, hxxp://circolo3.avitis.it, all HTML pages and malicious exploit files were removed; the attack server moved.

Aha, another anti-forensic measure:

The MDS rotates prepared domains, presumably on a fixed time basis, and cleans up the old domain. I can guess that the malware owners create a chain of prepared domains that the Gateway system uses one after another, and on each domain the same Gateway system rotates different HTML pages.

Important note: the filenames of the malicious files remain the same over all monitored domains... Weird, no? Why so?

And here we arrive at the third anti-forensic trick in the current MDS: all rotated domains are actually live web hosts, local businesses, small companies, etc. So, the MDS uses hacked web servers to spread malware:

As I see it, the algorithm of the MDS is:

a. A web server with low security is hacked, and a shell is uploaded to provide an API for the MDS

b. Malicious files, including HTML pages, are uploaded from the source server

c. The MDS transfers the malware spreading role to the next prepared server in the list, starting at the first HTML page

d. The MDS rotates the HTML pages, removing already used ones

e. When the HTML pages run out, the MDS cleans up its files from the current server and transfers the malware spreading role to a new server >> GOTO c

This algorithm was worked out after multiple tests on this web threat. But if you can add something, contact me, please.

Well, IMHO it is a more budget version of anti-forensics: no new domains required, no User-Agent\IP logging used.

Conclusions:

At SimpleTDS (MDS), a (possible) part of RedKit EK, the following anti-forensic features were detected:

1. Domain rotation, based on time

2. HTML page rotation, also switching based on time.

3. Domains\web servers involved in spreading malware are victims of previous hacks, turned into malware spreading hosts

4. The MDS cleans up the hacked host (at least the added HTML pages and malicious files) at the end of its usage.

5. The malware page provides 3(!) different payloads, 2 for Java and another for PDF.

The major flaw in this system is the unchanged names of the malicious files, but since the malware domains are hacked hosts, I assume only limited functionality is available to the MDS owners, and that requires the use of static file names.
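The static payload names noted above (and the "good for us" flaw after the first page rotation) are exactly what a defender can key on. The following is an added example, not code from the post or from any tool it mentions: a small proxy-log analyzer that flags the TDS redirect, the rotating 8-digit landing page and the fixed .jar/.pdf names, and lists the hosts that served those names so newly rotated compromised hosts surface even after the HTML name has changed. The log format, client addresses and the routinehabit.com status are constructed; hosts and paths are the ones the post names.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log sample, "client method url status". Hosts and paths are
# those named in the post; client addresses and the first status are made up.
SAMPLE_LOG = """\
10.0.0.5 GET http://routinehabit.com/ 200
10.0.0.5 GET http://brunobigg.su/t/go.php?sid=1 302
10.0.0.5 GET http://brunobigg.su/t/other_traff.php 302
10.0.0.5 GET http://circolo3.avitis.it/37884697.html 200
10.0.0.5 GET http://circolo3.avitis.it/88770.jar 200
10.0.0.5 GET http://circolo3.avitis.it/98765.pdf 200
10.0.0.7 GET http://mwyt.co.uk/35304697.html 200
10.0.0.7 GET http://mwyt.co.uk/33256.jar 200
10.0.0.9 GET http://example.org/docs/report.pdf 200
"""

# The post's point: landing pages (8-digit .html) and hosts rotate, but the
# payload names stay fixed, so the fixed names are what the detector keys on.
KNOWN_PAYLOADS = {"98765.pdf", "88770.jar", "33256.jar"}
LANDING_RE = re.compile(r"^/\d{8}\.html$")
PAYLOAD_RE = re.compile(r"^/\d{5}\.(?:jar|pdf)$")
TDS_RE = re.compile(r"^/t/(?:go|other_traff)\.php$")

def parse_line(line):
    client, _method, url, status = line.split()
    u = urlsplit(url)
    return {"client": client, "host": u.hostname, "path": u.path, "status": int(status)}

def analyze(log_text):
    """Return (indicators per client, hosts that served a known payload name)."""
    hits = defaultdict(set)
    payload_hosts = set()
    for line in filter(str.strip, log_text.splitlines()):
        r = parse_line(line)
        if TDS_RE.match(r["path"]) and r["status"] == 302:
            hits[r["client"]].add("tds_redirect")
        if LANDING_RE.match(r["path"]):
            hits[r["client"]].add("numeric_landing_page")
        if r["path"].lstrip("/") in KNOWN_PAYLOADS:
            hits[r["client"]].add("known_payload_name")
            payload_hosts.add(r["host"])  # candidate newly rotated compromised host
        elif PAYLOAD_RE.match(r["path"]):
            hits[r["client"]].add("payload_name_pattern")
    return dict(hits), payload_hosts

if __name__ == "__main__":
    clients, hosts = analyze(SAMPLE_LOG)
    print(sorted(clients.items()), sorted(hosts))
```

Clients with no hit are absent from the first mapping; the second set is the list to feed back into blocking or into the next round of monitoring when the chain moves again.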

So, this is it.

I changed the way of posting requests\replies; this way it looks better. But I will appreciate feedback on how you prefer it :)

That’s all

cheers!

D.L.

4 comments

  1. Hello,

    Nice post, thanks much!
    It would be interesting to see the .htaccess file from such sites.
    My first attempt to get the above mentioned payload ended up with a redirect to google.com.
    Checking from different IPs gave the desired data though – which suggests blocking of certain IPs is used.

    Cheers

    MimoJP, 05/09/2012
  2. Thx, MimoJP!
    It actually is interesting to see the internal config, but legally problematic to break in to the malicious hosts, even if they spread malware and are vulnerable to public exploits :)
    In fact, for now chain is partially dead, so it possible You get 302 to Google,
    Or You blocked by list of IP’s of known malware hunting companies, they also available for sale.
    Regards
    D.L.

    Denis, 05/09/2012
  3. > Or You blocked by list of IP’s of known malware hunting companies, they also available for sale.

    Oh for sale? I don’t know how much data that is and for what price but –> since the beginning of 2012 I collected such lists (from phish-kits or backdoored sites) and put the data into a sqlite db. Currently 1812 entries of IPs/ranges – for free :D

    MimoJP, 05/09/2012
  4. 2MimoJP
    Well, good for You. But why are You surprised – on the underground market, if You wish to pay, You’ll always find someone who will sell You anything, even stuff that is available for free. :)

    Denis, 07/09/2012
