2013-09-28 - ADS FROM DELIVERY.GLOBALCDNNODE.COM LEAD TO BLACKHOLE EK
PCAP AND MALWARE:
- ZIP of the PCAP: 2013-09-28-Blackhole-EK-traffic.pcap.zip
- ZIP file of the malware: 2013-09-28-Blackhole-EK-malware.zip
NOTES:
Starting on Sunday, 22 Sep 2013, I've seen several blackhole-style Snort events at work with the same URL from delivery.globalcdnnode.com. Here's an example:
GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap,
application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hxxp://www.santabanta.com/jokes/universal-jokes/?page=9
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727;
.NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; MS-RTC LM 8)
Accept-Encoding: gzip, deflate
Host: delivery.globalcdnnode.com
Connection: Keep-Alive
DETAILS
These have all been the result of ad traffic. In the example above, the HTTP GET request to delivery.globalcdnnode.com actually came from ad.turn.com as shown in the image below:
Based on what I've seen from my other investigations, there may have been some ad-related domains in this chain of events after the original referer of www.santabanta.com before it got to the HTTP GET request to ad.turn.com
Here's what I've seen for the same URL at delivery.globalcdnnode.com/7f01baa99716452bda5bba0572c58be9/afr-zone.php
- 2013-09-22 15:04 GMT - Original referer: www.ndtv.com
- 2013-09-23 07:59 GMT - Original referer: eenadu.net/news/newsitem.aspx?item=politics&no=1
- 2013-09-23 11:37 GMT - Original referer: slashdot.org/?source=autorefresh
- 2013-09-23 18:48 GMT - Original referer: imgur.com/gallery/A85PxGv
- 2013-09-24 02:36 GMT - Original referer: www.wowhead.com/skill=165
- 2013-09-25 17:38 GMT - Original referer: www.santabanta.com/jokes/universal-jokes/?page=9
- 2013-09-27 06:42 GMT - Original referer: googleads.g.doubleclick.net/pagead/ads?[long string of characters]
In each case, delivery.globalcdnnode.com has resolved to a different IP address:
- 2013-09-22 15:04 GMT - delivery.globalcdnnode.com at: 184.168.31.24
- 2013-09-23 07:59 GMT - delivery.globalcdnnode.com at: 174.37.224.248
- 2013-09-23 11:37 GMT - delivery.globalcdnnode.com at: 64.15.147.211
- 2013-09-23 18:48 GMT - delivery.globalcdnnode.com at: 69.20.86.232
- 2013-09-24 02:36 GMT - delivery.globalcdnnode.com at: 208.43.248.29
- 2013-09-25 17:38 GMT - delivery.globalcdnnode.com at: 69.64.74.102
- 2013-09-27 06:42 GMT - delivery.golbalcdnnode.com at: 174.36.216.226
Interestingly enough, the domain was registered as of 2013-09-22, which is the date we first started seeing blackhole-type events from this domain at work. Here's some of the whois information for the domain globalcdnnode.com :
Registrant's name: Alexey Prokopenko
Organization: home
City: Ubileine
Country: Ukraine
Email: Alex1978a@bigmir.net
Created: 2013-09-22 11:30:05
Updated: 2013-09-22
Expires: 2014-09-22
Lets fire up a vulnerable Windows host and see what Security Onion finds on it when we visit the URL. In this case it's ransomware (from the Nymaim family based on one of the Snort events). If you try this on your own, your results may vary. Links to the malware and a PCAP of this particular infection are in the "Final Notes" section at the end of this blog entry.
Ah, this particular scam again...
SNORT EVENTS
The following events were triggered on a bare metal Windows 7 64-bit SP 1 install with Java 6 update 25 and Adobe Reader 10.0.0 being monitored by a default configuration of Security Onion:
- 00:36:47 GMT - 192.168.1.106 port 49158 - 66.84.17.101 port 80 - ET CURRENT_EVENTS Possible BHEK Landing URI Format
- 00:36:56 GMT - 192.168.1.106 port 49160 - 66.84.17.101 port 80 - ET POLICY Vulnerable Java Version 1.6.x Detected
- 00:36:56 GMT - 192.168.1.106 port 49160 - 66.84.17.101 port 80 - ET CURRENT_EVENTS Possible Blackhole EK Jar Download URI Struct
- 00:36:56 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49160 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- 00:36:56 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49160 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 00:36:57 GMT - 192.168.1.106 port 49161 - 66.84.17.101 port 80 - ET CURRENT_EVENTS BlackHole EK Payload Download Sep 11 2013
- 00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET POLICY PE EXE or DLL Windows file download
- 00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET INFO EXE - Served Attached HTTP
- 00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET INFO Packed Executable Download
- 00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe
- 00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET POLICY Java EXE Downloal
- 00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby
- 00:36:58 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- 00:37:10 GMT - 192.168.1.106 port 49162 - 74.204.171.69 port 80 - ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS
- 00:37:10 GMT - 192.168.1.106 port 49162 - 74.204.171.69 port 80 - ET TROJAN Fareit/Pony Downloader Checkin 3
- 00:37:10 GMT - 192.168.1.106 port 49162 - 74.204.171.69 port 80 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
- 00:37:10 GMT - 192.168.1.106 port 49162 - 74.204.171.69 port 80 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
- 00:37:10 GMT - 74.204.171.69 port 80 - 192.168.1.106 port 49162 - ET POLICY PE EXE or DLL Windows file download
- 00:37:10 GMT - 74.204.171.69 port 80 - 192.168.1.106 port 49162 - ET INFO Packed Executable Download
- 00:37:16 GMT - 192.168.1.106 port 49164 - 69.88.46.245 port 80 - PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
- 00:40:10 GMT - 192.168.1.106 port 49174 - 125.20.14.222 port 80 - ET TROJAN W32/Nymaim Checkin (2)
INFECTION TRAFFIC
Here are the significant domains/IP addresses involved in the initial infection:
- 66.84.17.101 port 80 - delivery.golbalcdnnode.com - hosts blackhole-style exploit page, delivers the java exploit, and provides the first malicious executable--a Trojan downloader. Some IDS events label the exploit page as a Darkleech exploit.
- 74.204.171.69 port 80 - main-firewalls.com - the first callback domain that provides the second malicious executable--the ransomware. It tried for another piece of malware but got a 404 Not Found error.
Here are the significant domains/IP addresses for the callback traffic after the machine was infected:
- 69.88.46.245 port 35987 - no domain name - IP address for an Internet service provider (ISP) in the US at Hagerstown, Maryland: Antietam Cable Television
- 81.139.129.74 port 35618 - no domain name - IP address for another ISP in the UK: London BT Public Internet Service
- 125.20.14.222 port 80 - instotsvin.ru - Russian domain name hosted on an IP address in India
- 76.114.253.25 port 35618 - no domain name - IP address for another ISP in the US: Comcast Cable Communications (for Dale city, VA)
- 120.146.252.247 port 35618 - no domain name - IP address for another ISP in the US: Comcast Cable Communications (for Boston, MA)
- 50.63.52.53 port 35618 - no domain name - IP address for another ISP in the US: GoDaddy.com (e-bourne.com uses this IP address.)
Chain of events to the initial infection of Trojan downloader:
- 19:36:47 GMT - 192.168.1.106 port 49158 - 66.84.17.101 port 80 - delivery.globalcdnnode.com - GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php
- 19:36:51 GMT - 192.168.1.106 port 49159 - 66.84.17.101 port 80 - delivery.globalcdnnode.com - GET /favicon.ico
- 19:36:56 GMT - 192.168.1.106 port 49160 - 66.84.17.101 port 80 - delivery.globalcdnnode.com - GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?4WC2937*H*=-5J*S!e&w_fM7RoG=(!x-4_al-_
- 19:36:57 GMT - 192.168.1.106 port 49161 - 66.84.17.101 port 80 - delivery.globalcdnnode.com - GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?m*ml1v*6x0f1)84=8dwe8dw78e&4G-!2**=w88c8dw6wdw7wbwbwd8c&R!778K*Ks6-=ww&6N!J813_**j=fvM78KV&8D0h-L!-B4_8_5*=!**a*R3l7
Callback for the ransomware:
- 19:37:10 GMT - 192.168.1.106 port 49162 - 74.204.171.69 port 80 - main-firewalls.com - GET /6.exe
- 19:37:11 GMT - 192.168.1.106 port 49163 - 74.204.171.69 port 80 - main-firewalls.com - GET /1.exe?c=13
Callback activity after the machine was infected with the ransomware:
- 19:37:16 GMT - 192.168.1.106 port 49164 - 69.88.46.245 port 35987 - no domain name - POST /36414/j481261/index.php
- 19:39:26 GMT - 192.168.1.106 port 49171 - 81.139.129.74 port 35618 - no domain name - POST /RnRfoI?YUhsYiJvWiQQphCTe=yGdUDvFgWwOKYiQh&EIGnkbNDGP=oiIFegxpmXVrKb
- 19:40:10 GMT - 192.168.1.106 port 49174 - 125.20.14.222 port 80 - instotsvin.ru - POST /nH2zhg?HeeaFwGMpGc=tvQjVADernTbdM&JBbvwDSelGrELo=CQTwxlErbjFLtygd
- 19:40:15 GMT - 192.168.1.106 port 49175 - 125.20.14.222 port 80 - instotsvin.ru - POST /yPbXq46qd?cAYNLlfcMtSqcTc=INCsYcaxqHcilM&OhKLsrlBTMRkxbUM=xqerjUpaivxmoxp&jbRmaMpInTUhm=SbInVGmSheRLO
- 19:40:15 GMT - 192.168.1.106 port 49176 - 76.114.253.25 port 35618 - no domain name - POST /Gx292jk?emrLgequbgauCvA=CpCBAVIecbqQa
- 19:40:16 GMT - 192.168.1.106 port 49177 - 120.146.252.247 port 35618 - no domain name - POST /VEm2lt6uo?KyNHXjXkIulOTa=BEwwexgfNJHVOB&tTuWKKBcLtPvTBK=XmoNdIVCHUukl
- 19:40:17 GMT - 192.168.1.106 port 49178 - 120.146.252.247 port 35618 - no domain name - POST /EvCdwW?xtfrjayLopxYYFd=JmGVCYxPgrBhcH
- 19:40:20 GMT - 192.168.1.106 port 49179 - 120.146.252.247 port 35618 - no domain name - POST /x3JPge5ys?RJfkMMykmHVVh=xaLQnTpyAiXMoP&ToDmeJEJxYWmtXF
- 19:40:21 GMT - 192.168.1.106 port 49180 - 120.146.252.247 port 35618 - no domain name - POST /x3JPge5ys?RJfkMMykmHVVh=xaLQnTpyAiXMoP&ToDmeJEJxYWmtXF
- 19:40:31 GMT - 192.168.1.106 port 49181 - 120.146.252.247 port 35618 - no domain name - POST /DvZ5os6hk?utwRQAHDykohxjJ=MONfcSiTxDJmF
- 19:40:59 GMT - 192.168.1.106 port 49182 - 120.146.252.247 port 35618 - no domain name - POST /lsqEf7?churVvcxrarcMllNj=kpifyKNGDbA&jxDjcwFOdNTUc=AhKoiYaMkjui
- 19:41:03 GMT - 192.168.1.106 port 49183 - 120.146.252.247 port 35618 - no domain name - POST /TeHavW8vV?nTvVlcNjPpXnh=HspQwHYfMhrnaqWB&WuOEkYPKhYgn=AeidFNJUHgxqWF&CDBbEwMiOjG
- 19:41:21 GMT - 192.168.1.106 port 49184 - 71.233.228.250 port 35618 - no domain name - POST /pHxXeF?GxGCLIJVkxNj=eFoiPCMswbDQm&UvGGLaqLxiPK=ThhRgNCNcxfo&RBLNGuQMhELo=GNkhpSGCtUIdI
- 19:41:22 GMT - 192.168.1.106 port 49185 - 71.233.228.250 port 35618 - no domain name - POST /2JRW2kn?PjdrlmmRKeTvDQj=ykqghJKSCVoeQh&PajPXuFurlglORRRP
- 19:41:22 GMT - 192.168.1.106 port 49186 - 50.63.52.53 port 35618 - no domain name - POST /0X2d7ri?UPMudvhCAqKjvH=DbYCEdVkgmWpi&WSDQisxyrINIVnin=fvwCRQSspxvPCmBlI&LyMslMCNdSGp
INFECTION TRAFFIC DETAILS
GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php
IP address: 66.84.17.101 port 80
domain name: delivery.globalcdnnode.com
Sguil event:
- ET CURRENT_EVENTS Possible BHEK Landing URI Format
Screenshot of traffic:
GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?4WC2937*H*=-5J*S!e&w_fM7RoG=(!x-4_al-_
IP address: 66.84.17.101 port 80
domain name: delivery.globalcdnnode.com
Sguil events:
- ET POLICY Vulnerable Java Version 1.6.x Detected
- ET CURRENT_EVENTS Possible Blackhole EK Jar Download URI Struct
- ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- ET INFO JAVA - Java Archive Download By Vulnerable Client
Screenshot of traffic:
GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?m*ml1v*6x0f1)84=8dwe8dw78e&4G-!2**=w88c8dw6wdw7wbwbwd8c&R!778K*Ks6-=ww&6N!J813_**j=fvM78KV&8D0h-L!-B4_8_5*=!**a*R3l7
IP address: 66.84.17.101 port 80
domain name: delivery.globalcdnnode.com
Sguil events:
- ET CURRENT_EVENTS BlackHole EK Payload Download Sep 11 2013
- ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe
- ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- ET POLICY PE EXE or DLL Windows file download
- ET INFO EXE - Served Attached HTTP
- ET INFO Packed Executable Download
- ET POLICY Java EXE Download
- ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby
Screenshot of traffic:
GET /6.exe
IP address: 74.204.171.69 port 80
domain name: main-firewalls.com
Sguil events:
- ET TROJAN Fareit/Pony Downloader Checkin 3
- ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS
- ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
- ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
- ET POLICY PE EXE or DLL Windows file download
- ET INFO Packed Executable Download
Screenshot of traffic:
GET /1.exe?c=13
IP address: 74.204.171.69 port 80
domain name: main-firewalls.com
Sguil events: none
Screenshot of traffic:
POST /36414/j481261/index.php
IP address: 69.88.46.245 port 80
domain name: none
Sguil event:
- PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Screenshot of traffic:
POST /RnRfoI?YUhsYiJvWiQQphCTe=yGdUDvFgWwOKYiQh&EIGnkbNDGP=oiIFegxpmXVrKb
IP address: 81.139.129.74 port 35618
domain name: none
Sguil events: none
Screenshot of traffic:
POST /nH2zhg?HeeaFwGMpGc=tvQjVADernTbdM&JBbvwDSelGrELo=CQTwxlErbjFLtygd
IP address: 125.20.14.222 port 80
domain name: instotsvin.ru
Sguil event:
- ET TROJAN W32/Nymaim Checkin (2)
Screenshot of traffic:
The rest of the callback traffic is the same as the previous 3 entries:
125.20.14.222 port 80 - instotsvin.ru - POST /yPbXq46qd?cAYNLlfcMtSqcTc=INCsYcaxqHcilM&OhKLsrlBTMRkxbUM=xqerjUpaivxmoxp&jbRmaMpInTUhm=SbInVGmSheRLO
76.114.253.25 port 35618 - no domain name - POST /Gx292jk?emrLgequbgauCvA=CpCBAVIecbqQa
120.146.252.247 port 35618 - no domain name - POST /VEm2lt6uo?KyNHXjXkIulOTa=BEwwexgfNJHVOB&tTuWKKBcLtPvTBK=XmoNdIVCHUukl
120.146.252.247 port 35618 - no domain name - POST /EvCdwW?xtfrjayLopxYYFd=JmGVCYxPgrBhcH
120.146.252.247 port 35618 - no domain name - POST /x3JPge5ys?RJfkMMykmHVVh=xaLQnTpyAiXMoP&ToDmeJEJxYWmtXF
120.146.252.247 port 35618 - no domain name - POST /DvZ5os6hk?utwRQAHDykohxjJ=MONfcSiTxDJmF
120.146.252.247 port 35618 - no domain name - POST /lsqEf7?churVvcxrarcMllNj=kpifyKNGDbA&jxDjcwFOdNTUc=AhKoiYaMkjui
120.146.252.247 port 35618 - no domain name - POST /TeHavW8vV?nTvVlcNjPpXnh=HspQwHYfMhrnaqWB&WuOEkYPKhYgn=AeidFNJUHgxqWF&CDBbEwMiOjG
71.233.228.250 port 35618 - no domain name - POST /pHxXeF?GxGCLIJVkxNj=eFoiPCMswbDQm&UvGGLaqLxiPK=ThhRgNCNcxfo&RBLNGuQMhELo=GNkhpSGCtUIdI
71.233.228.250 port 35618 - no domain name - POST /2JRW2kn?PjdrlmmRKeTvDQj=ykqghJKSCVoeQh&PajPXuFurlglORRRP
50.63.52.53 port 35618 - no domain name - POST /0X2d7ri?UPMudvhCAqKjvH=DbYCEdVkgmWpi&WSDQisxyrINIVnin=fvwCRQSspxvPCmBlI&LyMslMCNdSGp
PRELIMINARY MALWARE ANALYSIS
Java exploit from 66.84.17.101 (delivery.golbalcdnnode.com):
https://www.virustotal.com/en/file/bd7c0f52fd7d7e9b20ab9e8f13ac114243a4f09433f484f8fbc3b51c7c44650d/analysis/1380435320/
File name: java-archive-from-delivery.globalcdnnode.com.jar
File size: 28.7 KB ( 29404 bytes )
MD5: d49275523cae83a5e7639bb22604dd86
Detection ratio: 5 / 47
Malicious executable from 66.84.17.101 (delivery.golbalcdnnode.com):
https://www.virustotal.com/en/file/5fbcce025624741d66f092f6c322cce15a73a467b0042f07becd1957c4bd1b69/analysis/1380436024/
File name: malicious-executable-from-delivery.globalcdnnode.com.exe
File size: 123.0 KB ( 125952 bytes )
MD5: 9b75da764b0fa639b18548d52255689b
Detection ratio: 20 / 48
Malicious executable from 74.204.171.69 (main-firewalls.com):
https://www.virustotal.com/en/file/a8caf61ef1dac3a91269c76b98db41530afccbaba81c28d6b2981bbcc8c7d55d/analysis/1380436034/
File name: malicious-executable-from-main-firewalls.com.exe
File size: 157.5 KB ( 161280 bytes )
MD5: c8edabf40c6cf341916c75f4cea153ca
Detection ratio: 15 / 48
FINAL NOTES
Once again, here are the associated files:
- ZIP of the PCAP: 2013-09-28-Blackhole-EK-traffic.pcap.zip
- ZIP file of the malware: 2013-09-28-Blackhole-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
`Click here to return to the main page.