2014-04-15 - FUN WITH GOON/INFINITY EK

ASSOCIATED FILES:

 

POKING AT INFINITY

Lately, if you want to see what's happening with Goon/Infinity EK, just Google inurl:zyso.cgi and see what URLs come up.  These URLs normally end in zyso.cgi?18 but I've been able to get redirects to exploit kits starting from zyso.cgi?3 up to zyso.cgi?20.  It's usually Goon/Infinity EK, but I've also seen Nuclear EK and Angler EK from these redirects.  Today, it was Goon/Infinity.

For the ones that work, you can try these zyso.cgi URLs repeatedly, and you'll still generate exploit traffic.  Unfortunately, you won't always get an EXE payload.  In today's example, I didn't get any EXE payloads.

So far, this has been a reliable way to track changes in the exploits used by Goon/Infinity EK.  Since exploit kit patterns change over time, I expect this will change at some point.

I tried three different configurations on vulnerable VMs to see how the exploit kit would respond.  After that, I tried all three again and recorded them in the same PCAP.  Here's what I found...

 

VM configuration: Windows 7 SP1 32-bit, IE 8, Java 6 update 25, Flash player 11.9.900.117, Silverlight 5.0.61118.0

Along with a Silverlight exploit, this one sent a Flash file.  The first HTTP GET request to the EK returns what looks like a CVE-2013-2551 MSIE exploit.

 

VM configuration: Windows 7 SP1 64-bit, IE 10, Java 7 update 13, Flash player 12.0.0.38, Silverlight 5.0.10411.0

Along with the Silverlight exploit, this one sent two Flash files for the CVE-2014-0322 MSIE exploit.  This traffic is similar to Kafeine's blog entry on CVE-2014-0322.

 

VM configuration: Windows 7 SP1 64-bit, IE 10, Java 7 update 17

Why didn't I get any Java in the previous two examples?  I removed Silverlight and Flash, then tried the EK with Java 6 update 22, but I didn't get a Java exploit.  I tried it again with Java 7 update 13, but still had no luck.  I finally tried Java 7 update 17 and got a Java exploit.
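Since the zyso.cgi?N redirector described at the top of this post is the constant across these runs, one defensive use of it is a quick proxy-log check: flag any client that hit a zyso.cgi?N URL and list the SWF/XAP/JAR files that client pulled shortly afterwards.  This is an added example, not part of the original post or its PCAPs; the log format, the hostnames and the one-minute window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (NOT from the original PCAP):
# <timestamp> <client> <method> <url> <content-type>
SAMPLE_LOG = """\
2014-04-15T01:50:02Z 10.0.0.5 GET http://compromised-site.invalid/cgi-bin/zyso.cgi?18 text/html
2014-04-15T01:50:04Z 10.0.0.5 GET http://ek-landing.invalid/index.php?x=1 text/html
2014-04-15T01:50:06Z 10.0.0.5 GET http://ek-landing.invalid/a.swf application/x-shockwave-flash
2014-04-15T01:50:09Z 10.0.0.5 GET http://ek-landing.invalid/b.xap application/x-silverlight-app
2014-04-15T01:51:00Z 10.0.0.9 GET http://news.invalid/story.html text/html
2014-04-15T01:51:12Z 10.0.0.9 GET http://cdn.invalid/player.swf application/x-shockwave-flash
2014-04-15T02:10:00Z 10.0.0.7 GET http://other-site.invalid/zyso.cgi?3 text/html
"""

# The post observed redirects from zyso.cgi?3 up to zyso.cgi?20; match any numeric id.
REDIRECTOR_RE = re.compile(r"/zyso\.cgi\?(\d+)(?:$|[&#])")
# File types served by the EK in the post: Flash (.swf), Silverlight (.xap), Java (.jar).
EXPLOIT_EXT = (".swf", ".xap", ".jar")
WINDOW = timedelta(seconds=60)  # assumed: redirect-to-exploit gap worth correlating

def parse_line(line):
    """Split one assumed-format log line into (timestamp, client, url, content_type)."""
    ts, client, _method, url, ctype = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url, ctype

def find_ek_chains(log_text):
    """Return {client: {"redirector": url, "id": N, "seen": ts, "payloads": [urls]}}
    for every client that requested a zyso.cgi?N URL.  "payloads" lists SWF/XAP/JAR
    fetched by that client within WINDOW of the redirector hit (empty when the
    redirector did not lead anywhere, which the post notes happens too)."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    chains = {}
    for ts, client, url, _ctype in events:
        m = REDIRECTOR_RE.search(url)
        if m:  # new redirector hit: start (or restart) a chain for this client
            chains[client] = {"redirector": url, "id": int(m.group(1)),
                              "seen": ts, "payloads": []}
            continue
        chain = chains.get(client)
        if chain and ts - chain["seen"] <= WINDOW and url.lower().endswith(EXPLOIT_EXT):
            chain["payloads"].append(url)
    return chains

if __name__ == "__main__":
    for client, chain in find_ek_chains(SAMPLE_LOG).items():
        print(client, "zyso.cgi?%d" % chain["id"], "->", chain["payloads"] or "no exploit files")
```

Clients with no zyso.cgi request (10.0.0.9 above) are ignored even when they fetch a .swf, and, as the post itself warns, the zyso.cgi pattern is tied to this campaign and will stop being useful when it changes.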

 

The exploit kit domains/IP addresses change periodically--at least once every hour (possibly quicker).  Here's an example from the hour before:

Here's an example from the hour after:

 

Now that we've seen the traffic, let's look at the exploit files...

 

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT   (modified: 2014-04-13)

File name:  2014-04-15-Goon-EK-silverlight-exploit.xap
File size:  12.9 KB ( 13235 bytes )
MD5 hash:  8d0b218210ee44839e4fb9156bb389c8
Detection ratio:  1 / 50
First submission:  2014-04-15 01:54:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/867ed8cb13098e13e0b3c5b1e03674adde8828c717abb252dcb0e61aed633a9e/analysis/

 

JAVA EXPLOIT   (modified: 2014-04-14)

File name:  2014-04-15-Goon-EK-java-exploit.jar
File size:  10.4 KB ( 10677 bytes )
MD5 hash:  740a58275de43d380d9d52a24fa8bee2
Detection ratio:  5 / 51
First submission:  2014-04-15 01:54:48 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ee5b8e6dc9b5ef1d045ef901c24f14efe717d24bd9819cfec81852e05e13bdd3/analysis/

 

FLASH FILE SEEN IN THE IE 8 AND IE 10 TRAFFIC

File name:  2014-04-15-Goon-EK-flash-file-01.swf
File size:  5.9 KB ( 6074 bytes )
MD5 hash:  f11d8adf8547e3855bdf4b4115a2e88b
Detection ratio:  0 / 51
First submission:  2014-04-14 23:33:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dfe5d53175f57281fcccd2e0a847d9fbf8f2be711b12a4dd8f678c5469d09a01/analysis/

 

SECOND FLASH FILE SEEN IN THE IE 10 TRAFFIC

File name:  2014-04-15-Goon-EK-flash-file-02.swf
File size:  5.7 KB ( 5861 bytes )
MD5 hash:  2795f08722a062b32f6c4957dc51f49f
Detection ratio:  0 / 51
First submission:  2014-04-15 01:55:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b264e645c5ebe7080789e32e15ea813676eed7aacca7936225fd11f0e45a6be6/analysis/

 

SNORT EVENTS

SOME OF THE SNORT EVENTS SEEN FOR THIS TRAFFIC (from Sguil on Security Onion)

 

SOME SCREENSHOTS FROM THE TRAFFIC


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
