Monday, October 17, 2011

BlackHole BEP + HP Scanner Infections

We have recently seen a heavy run of spam posing as notifications from an HP scanner, each message carrying a link that has nothing to do with HP. The campaign is a plain traffic-generation scheme: send a huge volume of email across the internet and rely on a fraction of recipients clicking through. Harvesting email addresses is no obstacle for the people behind it; it is a walk in the park. The HP scan email looks like the screenshot below.

The part of this campaign worth a closer look is its use of Java exploits served through the BlackHole exploit pack (BEP).
The link in the email takes the victim to hxxp://finance-motor.info/main.php, which redirects to the malicious landing page at hxxp://ahredret.ru/main.php. The second domain is registered under .ru; its WHOIS record at the time of analysis reads as follows:
domain: AHREDRET.RU
nserver: dns1.naunet.ru.
nserver: dns2.naunet.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
e-mail: mxx3@yandex.ru
registrar: NAUNET-REG-RIPN
created: 2011.10.06
paid-till: 2012.10.06
source: TCI

Last updated on 2011.10.17 20:35:46 MSK/MSD
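The redirect chain described above can be recorded without rendering anything the landing page serves. The script below is an added example and is not code from the original post: it walks a chain of HTTP redirects, stops on loops or runaway hops, and pulls applet archive references out of the final page so the JAR can be fetched separately for offline inspection. Because it has to run offline, a constructed in-memory response table stands in for the network; the two hostnames are the ones in the post, but the 302 response, the applet tag on the landing page and the archive name are assumptions about what a BlackHole landing page looks like.

```python
"""Walk an HTTP redirect chain and extract applet archive references.

Added example, not code from the original post. FAKE_RESPONSES is a
constructed stand-in for the network so the script runs offline; a real
run would swap in a fetcher that talks to the kit from a sandboxed host.
"""
import re
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the network: URL -> (status, headers, body).
# Mirrors the chain in the post: finance-motor.info/main.php -> ahredret.ru/main.php.
# The landing-page body and archive name "field.jar" are assumptions.
FAKE_RESPONSES = {
    "http://finance-motor.info/main.php": (
        302, {"Location": "http://ahredret.ru/main.php"}, b""),
    "http://ahredret.ru/main.php": (
        200, {"Content-Type": "text/html"},
        b'<html><body><applet archive="field.jar" code="Field.class" '
        b'width=1 height=1></applet></body></html>'),
}

REDIRECT_CODES = (301, 302, 303, 307, 308)
APPLET_RE = re.compile(r'<applet[^>]*\barchive\s*=\s*["\']?([^"\'\s>]+)', re.I)


def fake_fetch(url):
    """Look the URL up in the constructed table; anything else is a 404."""
    return FAKE_RESPONSES.get(url, (404, {}, b""))


def follow_chain(url, fetch=fake_fetch, max_hops=10):
    """Return ([(url, status), ...], final_body).

    Location headers are resolved relative to the redirecting URL. A revisited
    URL or more than max_hops hops raises instead of spinning, which matters
    when a kit bounces a suspected analyst around indefinitely.
    """
    hops, seen, body = [], set(), b""
    while len(hops) < max_hops:
        if url in seen:
            raise RuntimeError("redirect loop at " + url)
        seen.add(url)
        status, headers, body = fetch(url)
        hops.append((url, status))
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        break
    else:
        raise RuntimeError("more than %d hops" % max_hops)
    return hops, body


def find_applets(body, base_url):
    """Pull <applet archive=...> references out of a page and resolve them
    against the page URL, so each JAR can be downloaded for offline analysis."""
    text = body.decode("latin-1", "replace")
    return [urljoin(base_url, ref) for ref in APPLET_RE.findall(text)]


def analyze(start_url, fetch=fake_fetch):
    """Summarise the chain: every hop, the hosts involved, and the JARs referenced."""
    hops, body = follow_chain(start_url, fetch)
    final_url = hops[-1][0]
    return {
        "hops": hops,
        "hosts": [urlparse(u).hostname for u, _ in hops],
        "jars": find_applets(body, final_url),
    }


if __name__ == "__main__":
    result = analyze("http://finance-motor.info/main.php")
    for u, status in result["hops"]:
        print(status, u)
    print("archives referenced:", result["jars"])
```

Swapping `fake_fetch` for a real fetcher is the only change needed for a live run; keep the client headers (User-Agent, Referer) looking like a real browser, since kits of this kind serve nothing to a request that does not look like a victim.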


The record shows the domain was created on 2011.10.06, eleven days before this post, which fits a freshly set up infection host rather than a compromised long-lived one. A service scan of the host finds two open ports: 80, where nginx fronts the BlackHole BEP, and 22, which the operators use for administration:

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 bb:d1:ae:ea:db:46:97:2a:09:ca:38:cc:50:47:9c:24 (DSA)
|_1024 39:1d:f5:8c:fa:ad:9c:02:a0:bf:db:9d:2a:24:73:bb (RSA)
80/tcp open http nginx


The next step was to submit the URL to Wepawet, but, as expected, the server did not play along with an automated scanner; the result is shown below.


Wepawet's automated request/response and detection module got nothing useful out of the server, which is typical of kits that check the visiting client before serving anything. That leaves manual analysis in a sandbox. We configured the sandbox as a generic, unremarkable client so the kit would treat it as a real victim and serve its full payload, and after working through the landing page by hand we were served the exploit prototype shown below.


The served archive, field.jar, contains the following Java class files:



We have analysed this family of Java exploit before; BlackHole leans on it heavily, and Java remains the delivery mechanism of choice in these campaigns.
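Before any of the classes in an archive like field.jar are opened in a decompiler, it is worth inventorying the JAR statically: entry names, sizes, hashes for sharing with other analysts, and the class file major version, which bounds the JRE versions the exploit can even load on. The script below is an added example, not code from the original post or from SecNiche; the JAR it inspects is constructed in memory (class bodies that carry only the class file header, a placeholder class name, and a manifest), so it runs offline, and pointing `inventory_jar()` at the bytes of a real sample is the only change needed to use it.

```python
"""Inventory a JAR statically: entries, hashes, manifest, class file versions.

Added example, not code from the original post. build_sample_jar() is a
constructed stand-in for field.jar; the class names and manifest it contains
are assumptions, not the contents of the real sample.
"""
import hashlib
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE
# Class file major version -> JDK that emits it. A real sample's version
# tells you which JREs can load the exploit at all.
MAJOR_TO_JDK = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6", 51: "7"}


def fake_class(major, filler=b""):
    """Constructed class file: magic, minor version 0, the given major, padding."""
    return struct.pack(">IHH", CLASS_MAGIC, 0, major) + filler


def build_sample_jar():
    """Constructed JAR standing in for field.jar: a manifest, a class, a nested
    class, a non-class resource, and one entry whose .class name lies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nCreated-By: 1.6.0 (Sun)\r\n\r\n")
        z.writestr("Field.class", fake_class(50, b"\x00" * 64))   # placeholder name
        z.writestr("Field$1.class", fake_class(50, b"\x00" * 16))
        z.writestr("data.bin", b"\xde\xad\xbe\xef")
        z.writestr("Stub.class", b"not a class file at all")      # bad magic
    return buf.getvalue()


def manifest(jar_bytes):
    """Return the main manifest section as a dict, or {} if there is none."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        if "META-INF/MANIFEST.MF" not in z.namelist():
            return {}
        lines = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines()
    return dict(line.split(": ", 1) for line in lines if ": " in line)


def inventory_jar(jar_bytes):
    """One record per entry: name, size, sha256; for .class entries also the
    major version and matching JDK, or bad_magic when the header is missing
    (kits routinely pad or obfuscate payloads under a .class name)."""
    records = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for info in z.infolist():
            blob = z.read(info)
            rec = {
                "name": info.filename,
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
            }
            if info.filename.endswith(".class"):
                if len(blob) >= 8 and struct.unpack(">I", blob[:4])[0] == CLASS_MAGIC:
                    _minor, major = struct.unpack(">HH", blob[4:8])
                    rec["major"] = major
                    rec["jdk"] = MAJOR_TO_JDK.get(major, "unknown")
                else:
                    rec["bad_magic"] = True
            records.append(rec)
    return records


if __name__ == "__main__":
    jar = build_sample_jar()
    print("manifest:", manifest(jar))
    for rec in inventory_jar(jar):
        print(rec)
```

Nothing here executes any bytecode, so the script is safe to run on the analysis host itself; the decompiler step that follows should still be done inside the sandbox.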

Fetch the code - http://www.secniche.org/sample_exploits/hp_scan_exploit.rar

Enjoy!