Sad
Thursday, December 20, 2012
Tuesday, December 4, 2012
Blackhole Exploit Kit Observations
Hey all,
I've been doing a bit of research and have found some interesting correlations with the BEK. First off, I'll be looking at three separate incidents:
Oct 22 2012 - Microsoft Support spoofed emails
Oct 23 2012 - LinkedIn spoofed emails
Dec 4 2012 - US Airways spoofed emails
The method of infection is pretty much the same and well documented: click the link, your Flash/Reader/Java versions are checked, then exploited. After that, usually Zeus or Cridex is installed and your machine starts talking to their C&C servers. It's this point that I'm looking at. There are some variances, but the general flow seems to be:
Exploited java creates:
C:\Documents and Settings\username\wgsdgsdgdsgsd.exe
Internet Explorer creates:
C:\DOCUME~1\username\LOCALS~1\Temp\wpbt0.dll
wpbt0.dll creates (and starts) a secondary downloaded executable file
or
wgsdgsdgdsgsd.exe creates (and starts) a secondary downloaded executable file, usually a KB00random#s.exe
File C:\Documents and Settings\username\Application Data\94B3EB7A and Registry Key HKCU\Software\Microsoft\Windows NT\S94B3EB7A are created. This entry is what I believe to be the list of banks and sites used to steal your data, and it has some interesting bits:
File C:\Documents and Settings\jlay\Local Settings\Temporary Internet Files\Content.IE5\<random>\AjX0[1].txt is created. I believe this file is encrypted and that portions of it are sent to the C&C server:
I suspect this file contains information about your machine, user info, etc. In two cases this file was close to 100 kB; in the last case it was over 440 kB!
For reboot survival, key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB00729045.exe is created.
Lastly, wgsdgsdgdsgsd.exe and wpbt0.dll create a couple of .bat files that attempt to delete a few files:
C:\Documents and Settings\username\Local Settings\Temp\exp3.tmp.bat
C:\Documents and Settings\username\Local Settings\Temp\exp1.tmp.bat
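As an added example (not code from the original post), here is a small host-artifact checker that turns the file and registry observations above into detection logic and runs it over a constructed Process Monitor-style CSV export. The CSV layout (Time, Process Name, Operation, Path), the event lines and the "two or more distinct indicators" threshold are my assumptions; the paths and key names being matched are the ones listed in the post.

```python
import csv
import io
import re

# Constructed sample events in an assumed Process Monitor-style CSV layout.
# The first eight rows mirror the infection chain described in the post;
# the last two are benign activity that must not be flagged.
SAMPLE_EVENTS = r"""Time,Process Name,Operation,Path
10:01:02,java.exe,WriteFile,C:\Documents and Settings\jlay\wgsdgsdgdsgsd.exe
10:01:03,iexplore.exe,WriteFile,C:\DOCUME~1\jlay\LOCALS~1\Temp\wpbt0.dll
10:01:05,wgsdgsdgdsgsd.exe,Process Create,C:\Documents and Settings\jlay\KB00729045.exe
10:01:06,KB00729045.exe,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB00729045.exe
10:01:06,KB00729045.exe,WriteFile,C:\Documents and Settings\jlay\Application Data\94B3EB7A
10:01:07,KB00729045.exe,RegSetValue,HKCU\Software\Microsoft\Windows NT\S94B3EB7A
10:01:08,iexplore.exe,WriteFile,C:\Documents and Settings\jlay\Local Settings\Temporary Internet Files\Content.IE5\K1ZXQ9A3\AjX0[1].txt
10:01:09,wgsdgsdgdsgsd.exe,WriteFile,C:\Documents and Settings\jlay\Local Settings\Temp\exp3.tmp.bat
10:02:00,explorer.exe,WriteFile,C:\Documents and Settings\jlay\My Documents\report.docx
10:02:30,winword.exe,RegSetValue,HKCU\Software\Microsoft\Office\12.0\Word\Options
"""

# (indicator name, required process or None, case-insensitive path regex).
# The random parts of the post's artifacts (KB00 digits, the 8-hex-char
# name, the Content.IE5 folder, the exp<n> counter) are generalised.
INDICATORS = [
    ("java.exe drops an executable into the profile root", "java.exe",
     r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+\.exe$"),
    ("wpbt0.dll written to the user Temp directory", None,
     r"\\temp\\wpbt0\.dll$"),
    ("KB00<digits>.exe executable on disk", None,
     r"^[a-z]:\\.*\\kb00\d+\.exe$"),
    ("Run key value named KB00<digits>.exe (reboot persistence)", None,
     r"^hkcu\\software\\microsoft\\windows\\currentversion\\run\\kb00\d+\.exe$"),
    ("8-hex-character file under Application Data", None,
     r"\\application data\\[0-9a-f]{8}$"),
    ("Windows NT\\S<8 hex> registry key", None,
     r"\\windows nt\\s[0-9a-f]{8}$"),
    ("AjX0[n].txt in Temporary Internet Files", None,
     r"\\content\.ie5\\[^\\]+\\ajx0\[\d+\]\.txt$"),
    ("exp<n>.tmp.bat cleanup batch file in Temp", None,
     r"\\temp\\exp\d+\.tmp\.bat$"),
]
COMPILED = [(name, proc, re.compile(rx, re.IGNORECASE))
            for name, proc, rx in INDICATORS]


def scan_events(csv_text):
    """Return one hit dict per (event, indicator) match."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc, path = row["Process Name"], row["Path"]
        for name, proc_req, rx in COMPILED:
            # Some indicators only make sense for a specific source process
            if proc_req and proc.lower() != proc_req:
                continue
            if rx.search(path):
                hits.append({"time": row["Time"], "process": proc,
                             "operation": row["Operation"], "path": path,
                             "indicator": name})
    return hits


def chain_verdict(hits, threshold=2):
    """Flag a host when at least `threshold` distinct indicators fired.

    A single artifact (e.g. one oddly named .exe) is weak evidence; several
    stages of the chain appearing together is what makes it convincing.
    """
    names = sorted({h["indicator"] for h in hits})
    return len(names) >= threshold, names


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['time']} {h['process']:<20} {h['indicator']}")
        print(f"    {h['operation']}: {h['path']}")
    flagged, names = chain_verdict(found)
    print(f"\nflagged={flagged} distinct_indicators={len(names)}")
```

The regexes deliberately anchor the KB00 file match to a drive-letter path so that the Run key entry, which also ends in KB00<digits>.exe, is counted only once as the persistence indicator; in a real export you would feed the same function the full CSV rather than the constructed sample.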
Things I need to do:
Create a snort rule
Figure out how to decrypt the AjX0 files
Thanks.