Another Malware Distribution System, SimpleTDS (named after URLQuery), appeared at horizon today morning.
As I found at the end – it was part (integrated or attached in this case) of known RedKit EK – thx to @kafeine blog post “CVE-2012-4681 – Redkit Exploit Kit – I want Porche Turbo”
Disclamer: All links provided lead to lists of malicious or potentially malicious resources. Do not click there on any link, or don’t run any file, without proper knowledge, env prepared and skills trained.
Well, it was a morning…
This time, it was something that I got from one of my clients:
“It clearly malicious,” – he said, “I see IDS going crazy… “
Well, let’s see..
Definitely, something is going on!
GET hxxp://173.0.59. 219/i.php
Ok, here we have reply. Looks like Gateway service? After few tests – same reply for multiple requests, different browsers. Ok, until now all plain and simple
Going next step:
Another 302 redirect? Same server, but other page..
Testing few times – same reply, not depend on any changes.
Ok, got another 302! Wait! From previous case we saw some tricks, lets check them?
Another 3 gets – 302 to same page.
Ok, since there is no rotation – let’s see where we redirected
22.214.171.124 – palabramielnicaragua.org
126.96.36.199 – peloplumapesca.com
Hooray! Got reply 200! )
Let’s see payload:
It contain 2 different .jar files:
and a PDF
Jar files details You can see at @kafeine blog post, sample I got is only first one:
Virustotal: [1/42] https://www.virustotal.com/file/3392b09c5e038dcc51f81bdf23e55fa35376445c112bed34263debb677b90fc7/analysis/
and PDF file:
Virustotal: [1/42] https://www.virustotal.com/file/558088e576b25fba51542ff3c2a1c2e73b3c81080c5599b78ea9e0dd74de284c/analysis/1346766067/
Ok. What about exploits for other than Internet Explorer
Again, but with different agent:
Reply: 404! What? How? Already died? 3 minutes?
Or…. Step back:
Got 302 redirect to… hxxp://circolo3.avitis.it/63574697.html << target page changed!
GET new page – and same file names in attack page:
So – there is first anti-forensic until now
Html pages rotate, to prevent multiple requests during any valuable amount of time. Not depend on IP or number of requests, but based on specific amount of time. From the other side – exploit names stay the same. It is a flaw in anti-forensic, but good for us
Well, after half an hour I return to tests, and GET hxxp://brunobigg.su/t/other_traff.php return completely different address:
On previous domain hxxp://circolo3.avitis.it all HTML pages and malicious exploit files removed, attack server moved.
Aha, another anti-forensic:
MDS rotate prepared domains, presumably once in the specific amount of time basis, clean up old domain. I can guess, that malware-owners create chain of prepared domains, that Gateway system use one after another, on each domain same Gateway system rotate different HTML pages.
Important note, that filenames of malicious files remain the same over all monitored domains... Weird, no… Why so?
And here we arrive to third anti-forensic trick in current MDS - all rotated domains – actually alive web-hosts, local businesses, small companies, etc. So, MDS use hacked web-servers to spread malware:
As I see algorithm of MDS work:
a. Webserver with low security hacked, shell uploaded to provide API for MDS
b. Malicious files uploaded from source server, include html pages
c. MDS transfer malware spreading role to next prepared server in list, at first HTML page
d. MDS rotate HTML pages, remove already used ones
e. At the end of HTML pages, MDS clean-up files from current server and transfer malware spreading role to new server >> GOTO c
This algorithm cleaned-up after multiple tests on this web-threat. But if You can add something – contact me, please.
Well, it IMHO more budget version of anti-forensics – no new domains required, no User-Agent\IP logging used.
At SimpleTDS(MDS) – (possible) part of RedKit EK, following anti-forensic features detected:
1. Domain rotation – based on time
2. HTML pages rotation, switching based on time too.
3. Domains\web-server involved in apreading malware – victims of previous hacks, that turned into malware spreading hosts
4. MDS clean-up hacked host (at least from added HTML pages and malicious files) at the end of usage.
5. Malware page provide 3(!) different payload, 2 for Java and another for PDF.
Major flaw in this system is non-changed names for malicious files, but since malware domains are hacked, I assume only limited functional available to MDS owners, and that’s require to use static file names.
So, this is it.
I changd the way of posting requests\replies, this way it looks better. But will appreciate feedback – how You prefer:)