2013-09-28 - ADS FROM DELIVERY.GLOBALCDNNODE.COM LEAD TO BLACKHOLE EK

PCAP AND MALWARE:


NOTES:

Starting on Sunday, 22 Sep 2013, I've seen several blackhole-style Snort events at work with the same URL from delivery.globalcdnnode.com.  Here's an example:

GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hxxp://www.santabanta.com/jokes/universal-jokes/?page=9
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; MS-RTC LM 8)
Accept-Encoding: gzip, deflate
Host: delivery.globalcdnnode.com
Connection: Keep-Alive


DETAILS

These have all been the result of ad traffic.  In the example above, the HTTP GET request to delivery.globalcdnnode.com actually came from ad.turn.com as shown in the image below:

Based on what I've seen in my other investigations, there may have been other ad-related domains in this chain of events between the original referer, www.santabanta.com, and the HTTP GET request to ad.turn.com.
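The point above (the Referer header on the landing-page request still names www.santabanta.com even though the request was actually triggered by ad.turn.com) is the reason a redirect chain pulled from a pcap should not be rebuilt from Referer headers alone. The example below is added here and is not code from the original post: it walks the HTTP transactions backwards, preferring a preceding 3xx response whose Location matches the request over a Referer match. The transactions are constructed from the hosts named in this post; the ad.turn.com path, the 302 status, the timestamps and the Referer on the JAR request are assumptions.

```python
# Added example, not part of the original post: rebuild the redirect chain
# behind an exploit-kit landing page from HTTP transactions extracted from a
# pcap. Sample transactions are constructed from hosts named in the post;
# the ad.turn.com path, the 302 and the timestamps are assumptions.
from dataclasses import dataclass
from typing import List, Optional

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class HttpTxn:
    ts: float                        # seconds relative to the first request
    host: str
    path: str
    referer: Optional[str]
    status: int                      # response status code
    location: Optional[str] = None   # response Location header, if any

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"


LANDING = "/7f01baa99716452bda5bba0572c58be9/afr-zone.php"
PUBLISHER = "http://www.santabanta.com/jokes/universal-jokes/?page=9"

# Constructed sample: publisher page, ad server (placeholder path, assumed 302),
# Blackhole landing page, the follow-on exploit request, the payload download.
TXNS: List[HttpTxn] = [
    HttpTxn(0.0, "www.santabanta.com", "/jokes/universal-jokes/?page=9", None, 200),
    HttpTxn(0.4, "ad.turn.com", "/ad/placeholder", PUBLISHER, 302,
            "http://delivery.globalcdnnode.com" + LANDING),
    # Referer still names the publisher: a 302 does not rewrite it.
    HttpTxn(0.6, "delivery.globalcdnnode.com", LANDING, PUBLISHER, 200),
    HttpTxn(1.1, "delivery.globalcdnnode.com",
            LANDING + "?4WC2937*H*=-5J*S!e&w_fM7RoG=(!x-4_al-_",
            "http://delivery.globalcdnnode.com" + LANDING, 200),
    HttpTxn(2.0, "main-firewalls.com", "/6.exe", None, 200),
]


def predecessor(txn: HttpTxn, history: List[HttpTxn],
                follow_redirects: bool = True) -> Optional[HttpTxn]:
    """Most recent earlier transaction that led to `txn`, or None."""
    earlier = [t for t in history if t.ts < txn.ts]
    if follow_redirects:
        # A 3xx whose Location is exactly this URL beats any Referer match.
        for prev in reversed(earlier):
            if prev.status in REDIRECT_CODES and prev.location == txn.url:
                return prev
    if txn.referer:
        for prev in reversed(earlier):
            if prev.url == txn.referer:
                return prev
    return None


def chain_hosts(txn: HttpTxn, history: List[HttpTxn],
                follow_redirects: bool = True) -> List[str]:
    """Hosts in the chain that ends at `txn`, earliest first."""
    chain = [txn]
    cur = txn
    while True:
        prev = predecessor(cur, history, follow_redirects)
        if prev is None or prev in chain:   # stop at the origin or on a loop
            break
        chain.append(prev)
        cur = prev
    return [t.host for t in reversed(chain)]


if __name__ == "__main__":
    landing = TXNS[2]
    print("referer only :", " -> ".join(chain_hosts(landing, TXNS, False)))
    print("with redirects:", " -> ".join(chain_hosts(landing, TXNS, True)))
    print("payload       :", " -> ".join(chain_hosts(TXNS[4], TXNS)))
```

With Referer matching only, ad.turn.com drops out of the chain; with redirect matching it is recovered. The payload download from main-firewalls.com has neither a Referer nor a redirect pointing at it, which is typical for a download started by an exploit rather than the browser, so it has to be tied to the landing page by timing and host rather than by headers.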

Here's what I've seen for the same URL at delivery.globalcdnnode.com/7f01baa99716452bda5bba0572c58be9/afr-zone.php

In each case, delivery.globalcdnnode.com has resolved to a different IP address:

Interestingly enough, the domain was registered on 2013-09-22, the same day we first started seeing blackhole-type events from this domain at work.  Here's some of the whois information for globalcdnnode.com:

Registrant's name: Alexey Prokopenko
Organization: home
City: Ubileine
Country: Ukraine
Email: Alex1978a@bigmir.net
Created: 2013-09-22 11:30:05
Updated: 2013-09-22
Expires: 2014-09-22

Let's fire up a vulnerable Windows host and see what Security Onion finds when we visit the URL.  In this case the payload is ransomware (from the Nymaim family, based on one of the Snort events).  If you try this on your own, your results may vary.  Links to the malware and a PCAP of this particular infection are in the "Final Notes" section at the end of this blog entry.


Ah, this particular scam again...

SNORT EVENTS

The following events were triggered on a bare-metal Windows 7 64-bit SP1 install with Java 6 Update 25 and Adobe Reader 10.0.0, monitored by a default configuration of Security Onion:

INFECTION TRAFFIC

Here are the significant domains/IP addresses involved in the initial infection:

Here are the significant domains/IP addresses for the callback traffic after the machine was infected:

Chain of events to the initial infection of Trojan downloader:

Callback for the ransomware:

Callback activity after the machine was infected with the ransomware:

INFECTION TRAFFIC DETAILS

GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php
IP address: 66.84.17.101 port 80
domain name: delivery.globalcdnnode.com

Sguil event:

Screenshot of traffic:


GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?4WC2937*H*=-5J*S!e&w_fM7RoG=(!x-4_al-_
IP address: 66.84.17.101 port 80
domain name: delivery.globalcdnnode.com

Sguil events:

Screenshot of traffic:


GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?m*ml1v*6x0f1)84=8dwe8dw78e&4G-!2**=w88c8dw6wdw7wbwbwd8c&R!778K*Ks6-=ww&6N!J813_**j=fvM78KV&8D0h-L!-B4_8_5*=!**a*R3l7
IP address: 66.84.17.101 port 80
domain name: delivery.globalcdnnode.com

Sguil events:

Screenshot of traffic:


GET /6.exe
IP address: 74.204.171.69 port 80
domain name: main-firewalls.com

Sguil events:

Screenshot of traffic:


GET /1.exe?c=13
IP address: 74.204.171.69 port 80
domain name: main-firewalls.com

Sguil events: none

Screenshot of traffic:


POST /36414/j481261/index.php
IP address: 69.88.46.245 port 80
domain name: none

Sguil event:

Screenshot of traffic:


POST /RnRfoI?YUhsYiJvWiQQphCTe=yGdUDvFgWwOKYiQh&EIGnkbNDGP=oiIFegxpmXVrKb
IP address: 81.139.129.74 port 35618
domain name: none

Sguil events: none

Screenshot of traffic:


POST /nH2zhg?HeeaFwGMpGc=tvQjVADernTbdM&JBbvwDSelGrELo=CQTwxlErbjFLtygd
IP address: 125.20.14.222 port 80
domain name: instotsvin.ru

Sguil event:

Screenshot of traffic:


The rest of the callback traffic follows the same pattern as the previous three entries:

125.20.14.222 port 80 - instotsvin.ru - POST /yPbXq46qd?cAYNLlfcMtSqcTc=INCsYcaxqHcilM&OhKLsrlBTMRkxbUM=xqerjUpaivxmoxp&jbRmaMpInTUhm=SbInVGmSheRLO
76.114.253.25 port 35618 - no domain name - POST /Gx292jk?emrLgequbgauCvA=CpCBAVIecbqQa
120.146.252.247 port 35618 - no domain name - POST /VEm2lt6uo?KyNHXjXkIulOTa=BEwwexgfNJHVOB&tTuWKKBcLtPvTBK=XmoNdIVCHUukl
120.146.252.247 port 35618 - no domain name - POST /EvCdwW?xtfrjayLopxYYFd=JmGVCYxPgrBhcH
120.146.252.247 port 35618 - no domain name - POST /x3JPge5ys?RJfkMMykmHVVh=xaLQnTpyAiXMoP&ToDmeJEJxYWmtXF
120.146.252.247 port 35618 - no domain name - POST /DvZ5os6hk?utwRQAHDykohxjJ=MONfcSiTxDJmF
120.146.252.247 port 35618 - no domain name - POST /lsqEf7?churVvcxrarcMllNj=kpifyKNGDbA&jxDjcwFOdNTUc=AhKoiYaMkjui
120.146.252.247 port 35618 - no domain name - POST /TeHavW8vV?nTvVlcNjPpXnh=HspQwHYfMhrnaqWB&WuOEkYPKhYgn=AeidFNJUHgxqWF&CDBbEwMiOjG
71.233.228.250 port 35618 - no domain name - POST /pHxXeF?GxGCLIJVkxNj=eFoiPCMswbDQm&UvGGLaqLxiPK=ThhRgNCNcxfo&RBLNGuQMhELo=GNkhpSGCtUIdI
71.233.228.250 port 35618 - no domain name - POST /2JRW2kn?PjdrlmmRKeTvDQj=ykqghJKSCVoeQh&PajPXuFurlglORRRP
50.63.52.53 port 35618 - no domain name - POST /0X2d7ri?UPMudvhCAqKjvH=DbYCEdVkgmWpi&WSDQisxyrINIVnin=fvwCRQSspxvPCmBlI&LyMslMCNdSGp
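The requests above fall into three recognisable groups: the exploit-kit URLs with a 32-hex-character directory, the .exe downloads, and the POSTs with a short random path and random alphabetic query keys going mostly to bare IPs on port 35618. The following script is an added example and not code from the original post: it parses lines in the "IP port N - domain - METHOD /uri" format used in this post, classifies each request, and pulls out the distinct callback endpoints. The sample lines are the requests listed in this post; the URL patterns are derived from this single infection and are assumptions, not published Blackhole or Nymaim signatures.

```python
# Added example, not part of the original post: classify the requests from
# this infection and list the callback endpoints. Sample lines are the
# requests named in the post, written in the post's own line format. The
# URL regexes are assumptions derived from this one infection.
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_LINES = """\
66.84.17.101 port 80 - delivery.globalcdnnode.com - GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php
66.84.17.101 port 80 - delivery.globalcdnnode.com - GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?4WC2937*H*=-5J*S!e&w_fM7RoG=(!x-4_al-_
74.204.171.69 port 80 - main-firewalls.com - GET /6.exe
74.204.171.69 port 80 - main-firewalls.com - GET /1.exe?c=13
69.88.46.245 port 80 - no domain name - POST /36414/j481261/index.php
81.139.129.74 port 35618 - no domain name - POST /RnRfoI?YUhsYiJvWiQQphCTe=yGdUDvFgWwOKYiQh&EIGnkbNDGP=oiIFegxpmXVrKb
125.20.14.222 port 80 - instotsvin.ru - POST /nH2zhg?HeeaFwGMpGc=tvQjVADernTbdM&JBbvwDSelGrELo=CQTwxlErbjFLtygd
120.146.252.247 port 35618 - no domain name - POST /VEm2lt6uo?KyNHXjXkIulOTa=BEwwexgfNJHVOB&tTuWKKBcLtPvTBK=XmoNdIVCHUukl
71.233.228.250 port 35618 - no domain name - POST /pHxXeF?GxGCLIJVkxNj=eFoiPCMswbDQm&UvGGLaqLxiPK=ThhRgNCNcxfo&RBLNGuQMhELo=GNkhpSGCtUIdI
50.63.52.53 port 35618 - no domain name - POST /0X2d7ri?UPMudvhCAqKjvH=DbYCEdVkgmWpi&WSDQisxyrINIVnin=fvwCRQSspxvPCmBlI&LyMslMCNdSGp
"""

LINE_RE = re.compile(r"^(\S+) port (\d+) - (.+?) - (GET|POST) (\S+)$")
# Landing/exploit URL shape seen in this infection: 32 hex chars, then a .php name.
EK_URL_RE = re.compile(r"^/[0-9a-f]{32}/[A-Za-z0-9_-]+\.php$")
# Callback shape seen in this infection: 6-9 char alphanumeric path, alphabetic keys.
RANDOM_PATH_RE = re.compile(r"^/[A-Za-z0-9]{6,9}$")
ALPHA_KEY_RE = re.compile(r"^[A-Za-z]+$")


@dataclass(frozen=True)
class Request:
    ip: str
    port: int
    domain: Optional[str]   # None when the post says "no domain name"
    method: str
    uri: str


def parse_lines(text: str) -> List[Request]:
    reqs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip anything not in the expected format
        ip, port, domain, method, uri = m.groups()
        reqs.append(Request(ip, int(port),
                            None if domain == "no domain name" else domain,
                            method, uri))
    return reqs


def classify(req: Request) -> str:
    path, _, query = req.uri.partition("?")
    if req.method == "GET" and EK_URL_RE.match(path):
        return "ek-landing-or-exploit"
    if req.method == "GET" and path.lower().endswith(".exe"):
        return "payload-download"
    if req.method == "POST" and RANDOM_PATH_RE.match(path) and query:
        keys = [pair.split("=", 1)[0] for pair in query.split("&")]
        if all(ALPHA_KEY_RE.match(k) for k in keys):
            return "random-post-callback"
    return "other-post" if req.method == "POST" else "other"


def summarize(reqs: List[Request]) -> Tuple[Counter, list, int]:
    """Return (class counts, distinct callback endpoints, bare-IP endpoint count)."""
    counts = Counter(classify(r) for r in reqs)
    callbacks = [r for r in reqs if classify(r) == "random-post-callback"]
    endpoints = sorted({(r.ip, r.port, r.domain) for r in callbacks},
                       key=lambda e: (e[0], e[1]))
    bare_ip = sum(1 for e in endpoints if e[2] is None)
    return counts, endpoints, bare_ip


if __name__ == "__main__":
    counts, endpoints, bare = summarize(parse_lines(SAMPLE_LINES))
    for label, n in sorted(counts.items()):
        print(f"{n:2d}  {label}")
    print("callback endpoints:")
    for ip, port, domain in endpoints:
        print(f"  {ip}:{port}  {domain or '(no domain name)'}")
    print(f"{bare} of {len(endpoints)} callback endpoints are bare IPs")
```

The index.php POST to 69.88.46.245 deliberately lands in "other-post": it does not match the random-path shape, and on this page it sits in the downloader's chain rather than with the ransomware callbacks, so it is worth keeping separate when writing indicators.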

PRELIMINARY MALWARE ANALYSIS

Java exploit from 66.84.17.101 (delivery.globalcdnnode.com):

https://www.virustotal.com/en/file/bd7c0f52fd7d7e9b20ab9e8f13ac114243a4f09433f484f8fbc3b51c7c44650d/analysis/1380435320/

File name:  java-archive-from-delivery.globalcdnnode.com.jar
File size:  28.7 KB ( 29404 bytes )
MD5:  d49275523cae83a5e7639bb22604dd86
Detection ratio:  5 / 47

Malicious executable from 66.84.17.101 (delivery.globalcdnnode.com):

https://www.virustotal.com/en/file/5fbcce025624741d66f092f6c322cce15a73a467b0042f07becd1957c4bd1b69/analysis/1380436024/

File name:  malicious-executable-from-delivery.globalcdnnode.com.exe
File size:  123.0 KB ( 125952 bytes )
MD5:  9b75da764b0fa639b18548d52255689b
Detection ratio:  20 / 48

Malicious executable from 74.204.171.69 (main-firewalls.com):

https://www.virustotal.com/en/file/a8caf61ef1dac3a91269c76b98db41530afccbaba81c28d6b2981bbcc8c7d55d/analysis/1380436034/

File name:  malicious-executable-from-main-firewalls.com.exe
File size:  157.5 KB ( 161280 bytes )
MD5:  c8edabf40c6cf341916c75f4cea153ca
Detection ratio:  15 / 48

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
