SANS ISC: InfoSec Handlers Diary Blog
Threatglass has pcap files with exploit kit activity

Published: 2015-03-10
Last Updated: 2015-03-10 18:13:07 UTC
by Brad Duncan (Version: 1)
4 comment(s)

Threatglass is one way to find up-to-date examples of exploit kit traffic. Not all of it is exploit kit traffic, but all of it represents some sort of malicious activity. Threatglass doesn't explain what type of traffic you're looking at in the pcaps the site provides. Let's look at a page from last week, Thursday, March 5th 2015 [1]. This one is exploit kit activity. In the image below, you'll find a link to the packet capture in the lower right-hand corner of the window:

Download the pcap and open it in Wireshark. Use http.request as the display filter, and make sure you're showing the host name in the column display. We quickly find some unusual traffic, which I know from personal experience is the Nuclear Exploit Kit.

For most exploit kits, the pattern of traffic is: Landing page --> Exploit (Java, Flash, Silverlight, IE, etc.) --> Malware payload if the exploit is successful

Let's look at this example by following a few TCP streams in the pcap.  First, we have the landing page:

Next, the exploit kit sends a Flash exploit to the victim host:


When the Flash exploit works, a malware payload is sent.  Currently, Nuclear Exploit Kit obfuscates the malware payload with an ASCII string.  In this case, the binary was XOR-ed with the ASCII string: VhBFALHxyw

Using a Python script, I was able to XOR the payload with that ASCII string again, and I got the original malicious executable:
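As an added example (not the diary's own script), here is how that de-XOR step can be done: the payload carved from the pcap is XOR-ed byte by byte with the repeating ASCII key, and the result is only accepted if it carries a valid MZ/PE header. It assumes the key is applied as a plain repeating XOR starting at the first byte of the payload; the PE bytes it builds for self-testing are a constructed stand-in, not the Tofsee sample.

```python
#!/usr/bin/env python3
# Added example: de-XOR a Nuclear EK payload with its repeating ASCII key.
# The PE bytes built below are a constructed stand-in, not the diary's Tofsee sample.
import struct
import sys
from itertools import cycle

KEY = b"VhBFALHxyw"  # key the diary reports for this capture


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the repeating key; the same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Check for the 'MZ' magic and an e_lfanew that points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ header, e_lfanew=0x40, PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def deobfuscate(blob: bytes, key: bytes = KEY) -> bytes:
    """Decode and refuse to return anything that does not look like a PE."""
    decoded = xor_with_key(blob, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded data is not a PE: wrong key or not a PE payload")
    return decoded


if __name__ == "__main__":
    # usage: deobfuscate.py <payload_from_pcap.bin> <output.exe> [ascii_key]
    key = sys.argv[3].encode() if len(sys.argv) > 3 else KEY
    with open(sys.argv[1], "rb") as f:
        exe = deobfuscate(f.read(), key)
    with open(sys.argv[2], "wb") as f:
        f.write(exe)
    print(f"wrote {len(exe)} bytes to {sys.argv[2]}; MZ/PE header verified")
```

Export the payload from Wireshark (Follow TCP Stream, save the response body as raw) before running the script; the header check catches a wrong key or a non-PE payload instead of silently writing garbage.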

The VirusTotal results indicate the malware is a Tofsee variant - https://www.virustotal.com/en/file/7659b2be203a34b7491c7101c0275b9e20e8d801d236817a5285c2e63e0ad0e5/analysis/

If you want a sample of the deobfuscated payload, you can get it from malwr.com at: https://malwr.com/analysis/N2U3NDUwMjQ5MWViNGZkNWFlMTBkMjkxMzExZGQxNTM/

If you have the time, review some of the other entries on Threatglass to figure out which ones are exploit kit activity and which ones are other activity, like fake Flash installer pop-up windows. This is one of many resources online that aspiring analysts can use to build their skills.

---

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://threatglass.com/malicious_urls/geospotrima-com

Keywords: exploit kit