Refreshing EK Hunting Technique (Enrichment) via TTP

Happy new year!

It has been a while since the last update.

Today I’ve saw an update in malware-traffic-analysis on RIG EK. Nothing new, but i asked myself if my old hunting technique is still relevant today, since i left EK hunting ‘industry’ 1 year++ ago. So i wrote a simple script to perform a quick check:

xanda:tmp xanda$ ./loop.sh 109.234.36.0
109.234.36.133
109.234.36.210
DONE!

I’ve found 2 IPs; 109.234.36.133 (currently serving RIG, mentioned in malware-traffic-analysis blog) and 109.234.36.210. 109.234.36.210 is not yet serving anything malicious, but my prediction, it will be serving RIG EK in/within the next 7 days.

Some tips on this fingerprinting technique:

1. Based on the initial IP found, look for the IP range assigned to the same ASN, in this case 109.234.36.0/24
2. Identify the HTTP header response from the known bad IP, and use it to fingerprint the rest.
3. Based from my experience, 1 batch of EK server setup will have similar (or almost similar) HTTP header response, and some EK will use 1 subnet for 1 batch (but not necessarily)
4. EK server will always (mostly) be dedicated. If you found historical pDNS record on that IP, verify (with dig/nslookup) for the current IP resolved by the domain(s). For example; 109.234.36.210 has 3 historical pDNS record, but at the moment, 1 of the domain has expired, and another 2 domains are now pointing to different IP(s).
5. This method will only works if the “scanned” hosts are alive at that particular moment

Hope it helps. Happy hunting

RedKit Patterns – Additional Info to @fknsec Writeup

It’s been a while since the last time I logged in into my WordPress. I’ve jumped on BlueCoat System‘s bandwagon (and left MyCERT earlier), so I’ve to spent some time to make myself familiar with this new environment and job 🙂

Last week, @fknsec, in his blog, wrote a very good article about RedKit Exploit Kit. But here I would like to add few more interesting facts on the RedKit patterns

1. @fknsec did mention about “/hmiq.htm” in his blog, but from my observation, beside Porche and Ferari, the RedKit author also like the letter H. The naming convention for the HTML file will always start from H and ended with .htm (everything in small case). So a working regex for this pattern world be:

   /\/h(m|f)[a-z]{2}\.htm$/

   /\/h(m|f)[a-z]{2}\.htm$/

   ** updated on 14 Feb 2013 **
   Look like this portion is no longer valid at the moment. You can replace it with:

   /\/[a-z]{4}\.html?$/

   /\/[a-z]{4}\.html?$/

2. 887.jar and 332.jar is quite unique to RedKit. Go hunt them!

   /\/(887|332)\.jar$/

   /\/(887|332)\.jar$/

3. Same goes to 987.pdf

   /\/987.pdf$/

   /\/987.pdf$/

4. c.htm as mentioned by @fknsec can be in 1 char (letter) file name (in small case), or it can also be in 2 digit (number) and ended with .htm.

   /\/([a-z]{1}|\d{2})\.htm$/

   /\/([a-z]{1}|\d{2})\.htm$/

5. Unlike BlackHole and Cool exploit kit, RedKit will usually be hosted on compromised websites and not having his own special subdomain. Most of the time, RedKit files will be in the main directory of a website/domain

   eg: google.com/332.jar

   eg: google.com/332.jar

6. From my observation, among the famous tricks to lure victim to RedKit are:
   • Redirector script planted in jquery JS file
   • Redirector in “Domain to sell” placeholder

I think that’s all for today. I don’t know when is the next time to update my blog, since will keep my self busy in these coming weeks, with my first baby is going to execute /h(is|er)/ first version of “Hello World” script in near soon.

Till then, stay safe everyone & happy hunting!

Reference:

1. http://fortknoxnetworks.blogspot.com/2012/12/exploit-medfos-url-detection-with-drop.html
2. http://malware.dontneedcoffee.com/2012/08/cve-2012-4681-redkit-exploit-kit-i-want.html