Detecting counter.php – The BlackHole Redirector

Posted: April 5th, 2013 | Filed under: IT Related

Have you ever come across the following line of code injected into your website (or one you visited)?

If I understand it correctly, it is the BlackHole Exploit Kit redirector.

The pattern of this injected “counter.php” script is always the same, so system administrators and webmasters can use the following YARA rule for detection:

rule counterPHPredirectBHEK
{
	meta:
		author = "adnan.shukor@gmail.com"
		description = "Detection rule to detect compromised page injected with invisible counter.php redirector"
		ref = "http://blog.xanda.org/2013/04/05/detecting-counter-php-the-blackhole-redirector"
		cve = "NA"
		version = "1"
		impact = 4
		hide = false
	strings:
		$counterPHP = /\<iframe\ src\=\"https?\:\/\/[a-zA-Z0-9\-\.]{4,260}\/counter\.php\"\ style\=\"visibility\:\ hidden\;\ position\:\ absolute\;\ left\:\ 0px\;\ top\:\ 0px\"\ width\=\"10\"\ height\=\"10\"\/\>$/
	condition:
		all of them
}

Thanks

P/S: MyYaraSIG guys, my MacBook is not able to boot right now; I will commit to the repo later.


RedKit Redirector Injected into Legitimate JavaScript Code

Posted: February 15th, 2013 | Filed under: IT Related

Hi,

Nothing special or interesting, just sharing some (old) info on this topic.

I read Sophos’s blog post yesterday on “Malware injected into legitimate JavaScript code on legitimate websites” and it seemed like familiar stuff to me. I was also asked in the comment section of the “RedKit Patterns – Additional Info to @fknsec Writeup” entry about something related to this issue, so let’s just blog about it.

I’ve performed a quick search in URLquery and managed to get these samples:

  • hxxp://www.nedakitap.com/js/jquery[dot]js
  • hxxp://www.nedakitap.com/js/jquery.carouFredSel-5.5.0-packed[dot]js

You may find more samples there. The point is that no specific version of jQuery is targeted (as asked in the comment section): in order to modify the jQuery file, the attacker needs to have compromised the CMS/server in the first place, and jQuery is not a CMS 🙂. However, the jQuery version lets you estimate the ‘age’ of the CMS and when it was last updated. Mostly they are old (meaning the CMS is not kept up to date).

Viewing the content of the modified JavaScript file (in this example, jQuery), you can see the additional code on line 1 (line 2 is empty), line 3, the second-last line and the last line of the file. The pattern is always the same.

When the JavaScript file is loaded, the injected script runs and writes an (almost) invisible iframe that redirects the victim to another compromised website hosting the RedKit exploit kit. Most of the time, the host with the compromised JS also has the RedKit files on it, waiting to be called by a compromised JS on another website.

Other characteristics that help you identify the injected code are these keywords:

  • iframe
  • name=Twitter
  • scrolling=auto
  • frameborder=no
  • align=center
  • height=2
  • width=2
  • a .htm or .html file in the web root directory with a 4-character name, sometimes with a query variable ‘h’, ‘i’ or ‘j’ **scroll below to see the update on 7 Mar**

Let’s pull this together into a simple regex:

document\.write\('<iframe\ name=Twitter\ scrolling=auto\ frameborder=no\ align=center\ height=2\ width=2\ src=http:\/\/[\w\.\-]{4,}\/[a-z]{4}\.html?(\?[hij]=\d{7})?><\/iframe>'\);

Once you have four hits, you know it is the RedKit redirector.

Yes, you can adapt it as a YARA signature as well 🙂

That’s all from me for now.

Thanks and stay safe

** Updated on 16 Feb **
According to Sucuri, this is a family of TDS (traffic direction system).

** Updated on 7 Mar **
Found a new pattern that uses PHP. A quick YARA rule would be:

rule iframeRedKit
{
	meta:
		author = "adnan.shukor@gmail.com"
		description = "Detection rule to detect compromised page injected with invisible iframe of Redkit redirector"
		ref = "http://blog.xanda.org/2013/02/15/redkit-redirector-injected-into-legitimate-javascript-code/"
		cve = "NA"
		version = "1.2"
		impact = 4
		hide = false
	strings:
		$iRedKit_1 = /name\=['"]?Twitter['"]?/
		$iRedKit_2 = /scrolling\=['"]?auto['"]?/
		$iRedKit_3 = /frameborder\=['"]?no['"]?/
		$iRedKit_4 = /align\=['"]?center['"]?/
		$iRedKit_5 = /height\=['"]?2['"]?/
		$iRedKit_6 = /width\=['"]?2['"]?/
		$iRedKit_7 = /src\=['"]?http:\/\/[\w\.\-]{4,}\/(([a-z]{4}\.html?(\?[hij]=\d{7})?)|([a-z]{4,}\.php\?[a-z]{4,}\=[a-f0-9]{16}))['"]?/
	condition:
		all of them
}
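As an added example that is not part of either post above, here is a Python port of both detections run over constructed samples: the BlackHole “counter.php” hidden iframe from the counterPHPredirectBHEK rule, and the RedKit document.write() iframe in both its .htm/.html and later .php forms (attribute values bare or quoted, as in the iframeRedKit rule). Unlike the YARA rule, the counter.php pattern here is not anchored to the end of the data, so the tag is found wherever it was injected. The host names, file names and sample page/script bodies are made up.

```python
import re

# Pattern 1: the BlackHole "counter.php" hidden iframe from the counterPHPredirectBHEK
# rule, without the trailing "$" anchor so the tag is found wherever it was injected.
COUNTER_PHP = re.compile(
    r'<iframe src="(?P<url>https?://[a-zA-Z0-9\-.]{4,260}/counter\.php)" '
    r'style="visibility: hidden; position: absolute; left: 0px; top: 0px" '
    r'width="10" height="10"/>'
)

# Pattern 2: the RedKit document.write() iframe. Attribute values may be bare or quoted
# (Q is replaced by an optional quote), and the landing URL is either the 4-letter
# .htm/.html page with an optional ?h=/?i=/?j= counter or the later .php?name=<16 hex> form.
_Q = "['\"]?"
REDKIT = re.compile(
    (r"document\.write\(Q<iframe\s+name=QTwitterQ\s+scrolling=QautoQ\s+frameborder=QnoQ\s+"
     r"align=QcenterQ\s+height=Q2Q\s+width=Q2Q\s+src=Q(?P<url>http://[\w.\-]{4,}/"
     r"(?:[a-z]{4}\.html?(?:\?[hij]=\d{7})?|[a-z]{4,}\.php\?[a-z]{4,}=[a-f0-9]{16}))Q\s*>"
     ).replace("Q", _Q)
)

PATTERNS = (("bhek-counter.php", COUNTER_PHP), ("redkit", REDKIT))


def scan(text):
    """Return (family, line_number, redirect_url) for every injected iframe in `text`.

    Line numbers matter for the RedKit case: the injection sits on lines 1 and 3 and on
    the last two lines of the modified JavaScript file.
    """
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for family, pattern in PATTERNS:
            for match in pattern.finditer(line):
                hits.append((family, number, match.group("url")))
    return hits


# Constructed samples (made-up hosts, not captured from a real site).
SAMPLE_HTML = "\n".join([
    "<html><head><title>Example</title></head><body>",
    "<p>Legitimate page content.</p>",
    '<iframe src="http://redirector.example/counter.php" style="visibility: hidden; '
    'position: absolute; left: 0px; top: 0px" width="10" height="10"/>',
    "</body></html>",
])

SAMPLE_JS = "\n".join([
    "document.write('<iframe name=Twitter scrolling=auto frameborder=no align=center "
    "height=2 width=2 src=http://compromised.example/abcd.htm?h=1234567></iframe>');",
    "",
    "/* legitimate library body, trimmed */",
    "(function(a,b){var c=a.document;})(window);",
    "document.write(\"<iframe name='Twitter' scrolling='auto' frameborder='no' "
    "align='center' height='2' width='2' "
    "src='http://compromised.example/qwerty.php?asdf=0123456789abcdef'></iframe>\");",
])

if __name__ == "__main__":
    for sample in (SAMPLE_HTML, SAMPLE_JS):
        for family, number, url in scan(sample):
            print("%-17s line %d -> %s" % (family, number, url))
```

Run it against a directory of .js and .html files pulled from a site backup and the `url` group gives you the redirect target to pivot on; the per-line matching keeps the attribute order of the original regex, so a reordered or re-encoded injection needs the looser per-attribute strings of the YARA rule.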

Yara Detection for Java Applet JMX Remote Code Execution (CVE-2013-0422)

Posted: January 12th, 2013 | Filed under: IT Related

Hi

It’s a bit too late for me to write this, but at least CVE-2013-0422 is no longer a secret, and yes, I can share a YARA rule for it.

Anyway, thanks to @kafeine for the disclosure and thanks to Immunity for a very good write-up.

So here you go:

rule CVE_2013_0422
{
        meta:
                description = "Java Applet JMX Remote Code Execution"
                cve = "CVE-2013-0422"
                ref = "http://pastebin.com/JVedyrCe"
                author = "adnan.shukor@gmail.com"
                date = "12-Jan-2013"
                version = "1"
                impact = 4
                hide = false
        strings:
                $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword
                $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword
                $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword
                $0422_4 = "findClass" fullword
                $0422_5 = "publicLookup" fullword
                $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword 
        condition:
                (all of ($0422_*)) or (all of them)
}
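Two practical points about running this rule, shown in an added Python example that is not the blog’s code. First, YARA matches raw bytes, and JAR entries are normally DEFLATE-compressed, so the rule only fires on extracted .class files (or on a scanner that unpacks the archive first); the example inflates each class and reads the strings out of its constant pool, which is where the class names, method names and string literals the rule looks for live. Second, the condition `(all of ($0422_*)) or (all of them)` is equivalent to `all of ($0422_*)`, because the second branch implies the first, so `$class` never changes the verdict; the example reports it separately. The sample JAR is constructed in the block and carries only the rule’s marker strings, no exploit code.

```python
import io
import re
import struct
import zipfile

# The strings of the CVE_2013_0422 rule above.
RULE_STRINGS = (
    "com/sun/jmx/mbeanserver/JmxMBeanServer",
    "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder",
    "com/sun/jmx/mbeanserver/MBeanInstantiator",
    "findClass",
    "publicLookup",
)
CLASS_PATTERN = r"sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)"

# Byte size of the fixed-width constant-pool entries (JVM spec, section 4.4);
# CONSTANT_Utf8 (tag 1) is variable-length and handled separately.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_utf8(data):
    """Return the CONSTANT_Utf8 strings of one .class file, in pool order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    pos, index, out = 10, 1, []
    while index < count:
        tag = data[pos]
        if tag == 1:
            length = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            out.append(data[pos + 3:pos + 3 + length].decode("utf-8", "replace"))
            pos += 3 + length
        elif tag in _FIXED:
            pos += 1 + _FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        index += 2 if tag in (5, 6) else 1   # Long and Double take two pool slots
    return out


def _fullword(pattern, entries):
    """YARA-style fullword test: no letter or digit directly before or after the match."""
    regex = re.compile(r"(?<![A-Za-z0-9])(?:%s)(?![A-Za-z0-9])" % pattern)
    return any(regex.search(entry) for entry in entries)


def evaluate_rule(entries):
    """Apply the rule's condition to one class's Utf8 constants."""
    all_0422 = all(_fullword(re.escape(s), entries) for s in RULE_STRINGS)
    klass = _fullword(CLASS_PATTERN, entries)
    # "(all of ($0422_*)) or (all of them)": the second branch implies the first,
    # so $class never changes the verdict; it is reported on its own instead.
    return {"match": all_0422 or (all_0422 and klass), "all_0422": all_0422, "class": klass}


def scan_jar(jar_bytes):
    """Inflate each .class entry of a JAR and evaluate the rule on it.

    JAR entries are normally DEFLATE-compressed, so a byte scan of the .jar file
    itself would not see these strings; they only appear after extraction.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                report[name] = evaluate_rule(constant_pool_utf8(jar.read(name)))
    return report


def _build_class(utf8_entries):
    """Constructed class-file prefix: header plus a constant pool holding the given
    strings, one CONSTANT_Class and one CONSTANT_Long (so both entry kinds are parsed).
    It is not a loadable class and carries no code."""
    pool = b""
    for text in utf8_entries:
        encoded = text.encode("utf-8")
        pool += b"\x01" + struct.pack(">H", len(encoded)) + encoded
    pool += b"\x07" + struct.pack(">H", 1)   # CONSTANT_Class -> #1
    pool += b"\x05" + struct.pack(">Q", 0)   # CONSTANT_Long, occupies two slots
    count = len(utf8_entries) + 1 + 2 + 1    # constant_pool_count is slots + 1
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, count) + pool


def build_sample_jar():
    """Constructed sample JAR: one class carrying only the rule's marker strings
    (no exploit code), one benign class."""
    suspect = _build_class(list(RULE_STRINGS) + ["sun.org.mozilla.javascript.internal.Context"])
    benign = _build_class(["java/lang/Object", "main", "([Ljava/lang/String;)V"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("Suspect.class", suspect)
        jar.writestr("Hello.class", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_jar(build_sample_jar()).items():
        print(name, verdict)
```

The same unpack-then-scan step applies to any YARA rule aimed at applet code: point the rule at the extracted classes, or let a wrapper like this one inflate the archive and feed each entry to the rule.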

Kindly leave a comment if you find ways to improve this rule. Obfuscation? Yeah, of course it can be used to bypass this rule as well 😉

Thanks

P/S: MyYaraSIG members should have received this rule/update earlier today. Just git pull, everyone 🙂


RedKit Patterns – Additional Info to @fknsec Writeup

Posted: December 12th, 2012 | Filed under: IT Related

It’s been a while since I last logged into my WordPress. I’ve jumped on Blue Coat Systems’ bandwagon (and left MyCERT earlier), so I’ve had to spend some time getting familiar with the new environment and job 🙂

Last week @fknsec wrote a very good article on his blog about the RedKit Exploit Kit. Here I would like to add a few more interesting facts about RedKit patterns:

  1. @fknsec mentioned “/hmiq.htm” in his blog, but from my observation, besides Porsche and Ferrari, the RedKit author also likes the letter H. The HTML file name always starts with h and ends with .htm (all lower case). So a working regex for this pattern would be:
    /\/h(m|f)[a-z]{2}\.htm$/

    ** updated on 14 Feb 2013 **
    Looks like this portion is no longer valid at the moment. You can replace it with:

    /\/[a-z]{4}\.html?$/
  2. 887.jar and 332.jar are quite unique to RedKit. Go hunt them!
    /\/(887|332)\.jar$/
  3. Same goes for 987.pdf
    /\/987\.pdf$/
  4. c.htm, as mentioned by @fknsec, can be a one-character (lower-case letter) file name, or a two-digit number, ending in .htm.
    /\/([a-z]{1}|\d{2})\.htm$/
  5. Unlike the BlackHole and Cool exploit kits, RedKit is usually hosted on compromised websites and does not have its own special subdomain. Most of the time, the RedKit files are in the main directory of the website/domain
    eg: google.com/332.jar
  6. From my observation, among the popular tricks used to lure victims to RedKit are:
    • Redirector script planted in jquery JS file
    • Redirector in “Domain to sell” placeholder
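Pulling the patterns above into a small hunting script, as an added example that is not from this post or from @fknsec’s write-up: it classifies URL paths with the updated regexes (the Feb 2013 replacement for the landing page, 887/332.jar, 987.pdf and the one-letter or two-digit .htm) and groups hits per client in a constructed proxy log. The ‘files in the web root’ observation from point 5 is used to separate a RedKit landing page from a legitimate four-letter .htm deeper in a site. Hosts, clients and log lines are made up.

```python
import re
from urllib.parse import urlsplit

# Path patterns from the list above, with the Feb 2013 replacement for the landing page.
PATTERNS = (
    ("landing page", re.compile(r"/[a-z]{4}\.html?$")),
    ("java exploit", re.compile(r"/(887|332)\.jar$")),
    ("pdf exploit", re.compile(r"/987\.pdf$")),
    ("payload page", re.compile(r"/([a-z]|\d{2})\.htm$")),
)


def classify_url(url):
    """Return (label, in_web_root) when the URL path matches a RedKit pattern, else None.

    in_web_root encodes the observation that RedKit files sit in the site's top-level
    directory; a matching name deeper in the tree is a weaker signal.
    """
    path = urlsplit(url).path
    for label, pattern in PATTERNS:
        if pattern.search(path):
            return label, path.count("/") == 1
    return None


def hunt(log_text):
    """Group hits per client from 'timestamp client url' proxy log lines, so a landing
    page followed by 887/332.jar or 987.pdf from the same client stands out."""
    hits = {}
    for line in log_text.splitlines():
        timestamp, client, url = line.split(" ", 2)
        result = classify_url(url)
        if result is not None:
            hits.setdefault(client, []).append((timestamp, url, result[0], result[1]))
    return hits


# Constructed proxy log (made-up hosts and clients), not real traffic.
SAMPLE_LOG = """\
2012-12-12T10:01:02 10.0.0.5 http://example-shop.test/js/jquery.js
2012-12-12T10:01:03 10.0.0.5 http://compromised-site.test/qwer.htm?h=1234567
2012-12-12T10:01:04 10.0.0.5 http://compromised-site.test/332.jar
2012-12-12T10:01:05 10.0.0.5 http://compromised-site.test/987.pdf
2012-12-12T10:01:06 10.0.0.5 http://compromised-site.test/c.htm
2012-12-12T10:01:07 10.0.0.9 http://example-shop.test/static/help.htm
"""

if __name__ == "__main__":
    for client, events in hunt(SAMPLE_LOG).items():
        print(client)
        for timestamp, url, label, in_root in events:
            print("  %s  %-14s root=%-5s %s" % (timestamp, label, in_root, url))
```

The four-letter landing regex on its own is noisy (any /help.htm matches); what makes the 10.0.0.5 sequence convincing is the landing page followed within seconds by 332.jar and 987.pdf from the same root directory, which is the chain worth alerting on.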

I think that’s all for today. I don’t know when I will next update my blog, since I will be keeping myself busy in the coming weeks, with my first baby about to execute /h(is|er)/ first version of a “Hello World” script soon.

Till then, stay safe everyone & happy hunting!

Reference:

  1. http://fortknoxnetworks.blogspot.com/2012/12/exploit-medfos-url-detection-with-drop.html
  2. http://malware.dontneedcoffee.com/2012/08/cve-2012-4681-redkit-exploit-kit-i-want.html

URL in IP Formats which are Supported by Browsers

Posted: October 20th, 2012 | Filed under: IT Related

I’m not sure about the terms used in the title, but what I’m trying to say is..

It’s not over yet. Find out more at:

  1. https://hackvertor.co.uk/hvurl/3x
  2. http://www.pc-help.org/obscure.htm

Please leave your comment with additional awesome example πŸ™‚
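The notations the two links above cover (decimal dword, hex, octal, shortened dotted forms, and a decoy `user@` prefix in front of the real host) can be normalised before a URL is checked against a blocklist. The following is an added example, not part of the post; it follows the IPv4 host parsing that browsers implement (as later written down in the WHATWG URL Standard’s IPv4 parser), and the sample URLs are made up.

```python
import re
import ipaddress
from urllib.parse import urlsplit, urlunsplit

_DIGITS = {10: r"[0-9]+", 16: r"[0-9a-fA-F]+", 8: r"[0-7]+"}


def _ipv4_number(part):
    """Parse one dotted component: 0x.. is hex, a leading 0 means octal, else decimal."""
    radix = 10
    if len(part) >= 2 and part[:2].lower() == "0x":
        part, radix = part[2:], 16
    elif len(part) >= 2 and part[0] == "0":
        part, radix = part[1:], 8
    if part == "":
        return 0                      # "0x" and "0" both mean zero
    if not re.fullmatch(_DIGITS[radix], part):
        return None
    return int(part, radix)


def normalize_ipv4_host(host):
    """Return dotted-decimal form if `host` is an IPv4 address in any browser-accepted
    notation (dword, hex, octal, 1 to 4 components, trailing dot), else None."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()
    if len(parts) > 4:
        return None
    numbers = []
    for part in parts:
        number = _ipv4_number(part)
        if number is None:
            return None               # not numeric: a domain name, not an address
        numbers.append(number)
    if any(n > 255 for n in numbers[:-1]):
        return None
    if numbers[-1] >= 256 ** (5 - len(numbers)):
        return None                   # the last component fills the remaining bytes
    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n * 256 ** (3 - i)
    return str(ipaddress.IPv4Address(value))


def normalize_url(url):
    """Rewrite the host of `url` to dotted decimal when it is an obscured IPv4 address.
    Anything before '@' is userinfo, which browsers ignore for the destination, so a
    decoy like http://www.bank.example@2130706433/ resolves to the address after '@'."""
    parts = urlsplit(url)
    canonical = normalize_ipv4_host(parts.hostname or "")
    if canonical is None:
        return url
    netloc = canonical if parts.port is None else "%s:%d" % (canonical, parts.port)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


# Constructed examples; the first six all name the same loopback address.
SAMPLES = [
    "http://2130706433/",                          # decimal dword
    "http://0x7f000001/",                          # hex dword
    "http://0177.0.0.1/",                          # octal first component
    "http://127.1/",                               # two components: last one fills 3 bytes
    "http://0x7f.0.0.1/",                          # mixed
    "http://www.bank.example@0x7f000001/login",    # decoy userinfo
    "http://127.0.0.256/",                         # out of range: left unchanged
    "http://example.com/",                         # hostname: left unchanged
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-45s -> %s" % (sample, normalize_url(sample)))
```

Match blocklists and proxy logs on the normalised form, never on the literal host string; an address can be written in dozens of equivalent ways, and a string filter on `127.0.0.1` misses every one of them.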