Yesterday (2012-12-18) around 13h GMT I was not the only one (o/ Ekse) to notice that something was happening on the Cool EK front (at least the one owned by the group pushing Reveton).
Landings in /r/ were replying with a "502 bad gateway"
Landings in /t/ were replying with a "ERROR 404 CONTENT"
A few hours later Malekal spotted the new landings.
So let's take a look at that.
[Image: Landing page filled with random data]
In really small text at the beginning I saw, for instance:
<div class='Minister'>curse: changing =)</div>
<div class='Shortly'>pass: vehicle =)</div>
<div class='neglect'>Reflection: NORTH =)</div>
The plugin detection code is not easy to read... lots of stuff.
Even after a quick cleanup it still takes some time to read (see for instance: http://pastebin.com/7xxj25KR ).
[Image: Cool EK landing after some cleaning]
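The padding divs quoted above all follow one shape: a random single-word class name and a "Word: word =)" body. As an added example (not the kit's code nor the author's cleaning script), here is the kind of regex pass an analyst can run first so that only the plugin-detection script is left to read; the landing fragment is constructed to mirror the page.

```python
import re

# Constructed fragment mirroring the padding divs quoted on this page
# (random class name, "word: word =)" body) interleaved with the script
# an analyst actually wants to look at. The script content is a placeholder.
SAMPLE_LANDING = """<html><body>
<div class='Minister'>curse: changing =)</div>
<script>var p = navigator.plugins;</script>
<div class='Shortly'>pass: vehicle =)</div>
<div class='neglect'>Reflection: NORTH =)</div>
<script>if (p.length) { detect(p); }</script>
</body></html>"""

# One padding div: single-word class, "Word: word =)" body, nothing else inside.
# Anchoring on the "=)" trailer keeps real divs (no such trailer) untouched.
PADDING_DIV = re.compile(
    r"<div class=['\"][A-Za-z]+['\"]>\s*[A-Za-z]+:\s*[A-Za-z]+\s*=\)\s*</div>\s*")


def count_padding(html):
    """How many noise divs the page carries (useful as a quick fingerprint)."""
    return len(PADDING_DIV.findall(html))


def strip_padding(html):
    """Remove the noise divs and return the remaining markup."""
    return PADDING_DIV.sub("", html)


if __name__ == "__main__":
    print(count_padding(SAMPLE_LANDING), "padding divs removed")
    print(strip_padding(SAMPLE_LANDING))
```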
Sun Java :
[Image: Java ?]
CVE-2012-4681 - CVE-2012-5076 :
GET http://50cf96399f208.transumancia .com/news/privileged.asp
200 OK (text/html) b3eb3375487191d20e6ad4854bb3d22b
GET http://50cf96399f208.transumancia .com/news/HEADMASTER-SUSPICIOUS.EOT
200 OK (text/html)
778ce2bf0593b021865df133ddbf2c1f (32bits)
062be3ecbdd356381126528ff131c391 (64bits)
GET http://50cf96399f208.transumancia .com/news/opinion-toss.jar
200 OK (application/java-archive) 77b464ae2e64efce193911191e31ab7f
GET http://50cf96399f208.transumancia .com/news/opinion-toss.exe
200 OK (application/x-msdownload) (out of scope...Reveton : 924bd8a4dbac809d1b139a2be6492fc1 )
[Image: CVE-2012-4681 positive path]
[Image: CVE-2012-5076 positive path]
[Image: CVE-2012-5076 in the opinion-toss jar]
CVE-2012-0507 :
GET http://50cf96399f208.transumancia .com/news/privileged.asp
200 OK (text/html)
GET http://50cf96399f208.transumancia .com/news/HEADMASTER-SUSPICIOUS.EOT
200 OK (text/html)
GET http://50cf96399f208.transumancia .com/news/opinion-toss.jar
200 OK (application/java-archive) a1df4db82e9cf9c54a070332586c0877
GET http://50cf96399f208.transumancia.com/news/opinion-toss.exe
200 OK (application/x-msdownload)
[Image: CVE-2012-0507 positive path]
CVE-2012-1723 :
GET http://frequent.dwyane-wade .org/news/opinion-toss.jar
200 OK (application/java-archive) 98a777ce628d7f7cf34ec4699119d815
[Image: CVE-2012-1723 positive path]
[Image: CVE-2012-1723 in a 3rd opinion-toss jar]
Adobe Reader :
[Image: Adobe Reader ? for you BLESS1 or president2]
GET http://50cf9f4e59a7d.triptoromania .com/news/DEFY/BLESS1.PDF (new PDF)
200 OK (application/pdf) 8e1bf290252776a94f48c6e6d4d6a6e5 (wepawet escaped)
GET http://50cfc981724ac.weareone-group .es/news/president2.pdf (Old PDF at least CVE-2009-0927)
200 OK (application/pdf) 141dfa2439a3ce71c73fa4f691ed8216 (wepawet win)
[Image: Shellcode revealed by Wepawet in president2.pdf]
GET http://50cfd1b9790e9.weareone-group .eu/news/opinion-toss4.exe
200 OK (application/x-msdownload) d54d18c803869e631a7d0e6d5fb32512 (Reveton)
Adobe Flash Player :
[Image: diamond2 flash call]
10.2.153.1 (CVE-2011-0611) seems safe
10.3.181.22 (CVE-2011-2110 ?) seems safe.
11.2.202.233 safe....
So I had to use some magic powder (so I'm not 100% sure of the result; in fact I have the feeling it's not OK) to get:
GET http://50cfe21f5124a.appartamentogenova .net/news/said/diamond2.swf?info=02e67fbb3b74fa5a767eba652bd9088b98214cdf58f3ecfc585cc4a4e3c90da1f298befd5ab4c6faadfad5f25ca2d9c74866dbcc3650d5e9cf48b05f2328faa1f40b8588f16db1
200 OK (text/html) c57414b2160d4139f1334a4533dc2da1
GET http://50cfe21f5124a.appartamentogenova .net/news/GRAVEL/STANDING3.SWF?info=02e67fbb3b74fa5a767eba652bd9088b98214cdf58f3ecfc585cc4a4e3c90da1f298befd5ab4c6faadfad5f25ca2d9c74866dbcc3650d5e9cf48b05f2328faa1f40b8588f16db1
200 OK (text/html) 96affff5b127372d761e91b312a53fa1
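Looking back over all the request sequences above, three things stand out and are cheap to alert on: the leftmost host label is 13 hex characters, binary payloads (.EOT, .SWF) come back as text/html, and a .jar is followed by a same-named .exe from the same host. As an added example (not from the original post), here is that detection logic run over constructed proxy log lines that mirror the page's requests; hostnames are example.com placeholders with the page's hex-label pattern kept.

```python
import re
from urllib.parse import urlparse

# Constructed log lines ("METHOD URL STATUS CONTENT-TYPE") mirroring the
# request sequences on this page. Hosts are placeholders; the last line is
# a benign font fetch so the rules have something to leave alone.
SAMPLE_LOG = """\
GET http://50cf96399f208.example.com/news/privileged.asp 200 text/html
GET http://50cf96399f208.example.com/news/HEADMASTER-SUSPICIOUS.EOT 200 text/html
GET http://50cf96399f208.example.com/news/opinion-toss.jar 200 application/java-archive
GET http://50cf96399f208.example.com/news/opinion-toss.exe 200 application/x-msdownload
GET http://50cfe21f5124a.example.com/news/said/diamond2.swf?info=02e67fbb 200 text/html
GET http://www.example.com/fonts/font.eot 200 application/vnd.ms-fontobject
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{13}$")  # e.g. 50cf96399f208 as seen on the page
BINARY_EXT = {".jar", ".eot", ".swf", ".pdf", ".exe"}  # never legitimately text/html


def parse_line(line):
    method, url, status, ctype = line.split()
    p = urlparse(url)
    return {"host": p.hostname, "path": p.path, "ctype": ctype}


def ext_of(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def scan(log):
    """Return (rule, host, path) hits for the three patterns described above."""
    hits, flagged_hosts, seen_jars = [], set(), set()
    for line in log.splitlines():
        r = parse_line(line)
        base = r["path"].rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
        if HEX_LABEL.match(r["host"].split(".")[0]) and r["host"] not in flagged_hosts:
            flagged_hosts.add(r["host"])  # report each hex-labelled host once
            hits.append(("hex-subdomain", r["host"], r["path"]))
        if ext_of(r["path"]) in BINARY_EXT and r["ctype"] == "text/html":
            hits.append(("type-mismatch", r["host"], r["path"]))
        if r["ctype"] == "application/java-archive":
            seen_jars.add((r["host"], base))
        elif r["ctype"] == "application/x-msdownload" and (r["host"], base) in seen_jars:
            hits.append(("jar-then-exe", r["host"], r["path"]))  # exploit jar, then payload
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```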
[Image: getShellCode]
<edit2 19/12/12 12:30>
The shellcode is : http://pastebin.com/raw.php?i=2NJ3YHKG
Running Thug locally on it you'll get an amazing result (hat tip to Angelo and Markus, who work hard to make our days easier).
Shellcode analysis via Thug (txt) here: http://pastebin.com/raw.php?i=UuWmz2vR
</edit2>
As usual, to be safe here... just update your Java, Flash, Adobe Reader and Windows.
One last word about Reveton. As you may have seen from Trend Micro, in the United States Reveton is showing a new design.
I really hope they will take a step backward, because this one is going too far... pushing a really disturbing image into the face of anyone in front of the screen at infection time.
[Image: Reveton's latest US design]
[Image: The "pseudo" treaty between antivirus vendors and the police explaining how you got that screen]
Files: http://dl.dropbox.com/u/106864056/CoolEK%202.zip (public password: the usual password for infected stuff)
<edit1 18/12/12 - 19h> Fixed CVE-2012-0507 (not 0506). Thx @eromang.</edit1>
More about Cool EK ?
Cool Exploit Kit Remove Support of Java CVE-2012-1723 - 2012-12-02 - Eromang - Eric Romang Blog
Cool-er Than Blackhole? - 2012-11-16 - Timo Hirvonen - F-Secure
Cool EK : "Hello my friend..." CVE-2012-5076 - 2012-11-09
Cool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09
More about Reveton ?
Reveton can speak now ! - 2012-11-23
Reveton += HU, LV, SK, SI, TR (!), RO - So spreading across Europe with 6 new Design - 2012-10-29
Reveton Autumn Collection += AU,CZ, IE, NO & 17 new design - 2012-10-12
Kernel Mode Thread