2013-12-09 - WHITEHOLE EXPLOIT KIT

ASSOCIATED FILE:


NOTES:

Reports about the Whitehole exploit kit started appearing in early February 2013:

I hadn't noticed anything on this specific exploit, until I ran across an example this past week.  I've identified this traffic as Whitehole from two signature matches from the Emerging Threats signature set on Security Onion.

Let's look at the traffic from a vulnerable host...


SNORT EVENTS

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

INITIAL INFECTION CHAIN


INITIAL PATH TO INFECTION

IP address: 23.218.156.83 port 80
domain name: www.kffl.com
HTTP request: GET /gnews.php?id=884107-mlb-jeff-francoeur-had-lasik-surgery

Screenshot of traffic:


IP address: 23.218.156.83 port 80
domain name: www.kffl.com
HTTP request: GET /includes/scripts.js

Screenshot of traffic:


IP address: 88.198.0.59 port 80
domain name: xn--80ahbafij2anccd2q.xn--p1ai
HTTP request: GET /web/1.php

Screenshot of traffic:

And the infection traffic from the Whitehole domain starts from there.  Normally, I'd comb through this and present a bit more information; however, I haven't had time lately, so I've created this blog entry as is.  I've provided the PCAP for anyone who wants to review it more and see all of the traffic on an infection from a suspected Whitehole exploit.  The PCAP shows a Java exploit and two malicious binaries passed to the vulnerable host, and it was infected.
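As an added example (not part of the original post or the PCAP), here is a small triage script that rebuilds the redirect chain above from proxy-log lines and decodes the punycode landing domain so an analyst sees the actual Cyrillic name.  The log format, timestamps, client IP and referer values are constructed for the example; only the three URLs come from the post.

```python
from urllib.parse import urlsplit

# Constructed sample lines modelled on the three requests in this post:
# timestamp, client, method, URL, referer ("-" when none). Referers are assumed.
SAMPLE_LOG = """\
2013-12-09T14:01:03 10.0.0.5 GET http://www.kffl.com/gnews.php?id=884107-mlb-jeff-francoeur-had-lasik-surgery -
2013-12-09T14:01:04 10.0.0.5 GET http://www.kffl.com/includes/scripts.js http://www.kffl.com/gnews.php?id=884107-mlb-jeff-francoeur-had-lasik-surgery
2013-12-09T14:01:05 10.0.0.5 GET http://xn--80ahbafij2anccd2q.xn--p1ai/web/1.php http://www.kffl.com/gnews.php?id=884107-mlb-jeff-francoeur-had-lasik-surgery
"""

def parse_log(text):
    """Parse whitespace-separated log lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, url, referer = parts
        entries.append({"ts": ts, "client": client, "method": method, "url": url,
                        "host": urlsplit(url).hostname or "",
                        "referer": None if referer == "-" else referer})
    return entries

def display_host(host):
    """Unicode form of an IDN (xn--) host for analyst display; ASCII hosts are returned unchanged.
    Hosts that fail the IDNA round-trip check are also returned unchanged rather than guessed."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host

def chain_hops(entries):
    """Return (from_host, to_host, url) for each request whose referer is on a different host.
    Such cross-site hops are where a compromised page hands the browser to the landing site."""
    hops = []
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["referer"] is None:
            continue
        src = urlsplit(e["referer"]).hostname or ""
        if src != e["host"]:
            hops.append((src, e["host"], e["url"]))
    return hops

def describe_hops(entries):
    """Human-readable lines, one per cross-site hop, with the landing host decoded."""
    return ["%s -> %s (%s) via %s" % (src, dst, display_host(dst), url)
            for src, dst, url in chain_hops(entries)]

if __name__ == "__main__":
    for line in describe_hops(parse_log(SAMPLE_LOG)):
        print(line)
```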


FINAL NOTES

Once again, here is the associated file:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
