Sunday, August 12, 2012

NeoSploit is not dead

In April/May we realized that it had been a year since we first encountered NeoSploit, and what a ride it has been since then, mostly spent figuring out how to lock in a signature for the kit.

Until just recently (the last 1-1.5 months) this was the most advanced kit I had seen, with the caveat that I have never seen anything around the install of the kit or its mechanics beyond the URI patterns. From a regular-expression standpoint the pattern is a bit of a beast, but there are ways to match it.

This kit has definitely not faded away. It is out there, maybe not as prevalent as Blackhole, but it is striking from the shadows.

Looking back, I referred to the rules we created to try to catch this kit but never got into them (at least I don't think I ever went into them in depth here).

Here are the rules (Snort syntax; the reference:url fields are placeholders):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Neosploit Exploit URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}$/U"; classtype:attempted-user; reference:url,www.google.com; sid:1000021; rev:2; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Neosploit Load URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}\;\d+\;\d+$/U"; classtype:attempted-user; reference:url,www.google.com; sid:1000022; rev:2; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Neosploit Post-Load URI Request (by bare query parameter pattern)"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; pcre:"/\/\?\d[0-9a-f]{50,68}\;\d+\;\d+\;\d+$/U"; classtype:attempted-user; reference:url,www.google.com; sid:1000023; rev:2; )

These rules were crafted to catch what we have seen for a while; however, for some unknown reason we have had little success actually catching the kit with them. From a visibility standpoint I hope it is the rule that is at fault...

Regardless, what has been observed looks like this (each URI is the bare query string immediately after the slash; angle brackets mark the variable parts):

Landing page (no rule for this yet):
/?<digit>

Exploits (served up multiple times, mainly 3):
/?<digit><hex string, 50-68 characters>

Load request (malware payload):
/?<digit><hex string, 50-68 characters>;<digits>;<digits>

Post-load confirmation:
/?<digit><hex string, 50-68 characters>;<digits>;<digits>;<digit, generally a 1>

The landing page is fairly sizeable and full of obfuscated JavaScript.
The exploits we have seen are all Java related and are around 5 KB.
The payload is roughly 100-300 KB in size.
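To show how the three Snort pcre patterns above and the observed URI stages behave on real-looking request data, here is an added Python example (mine, not code from the post or from the kit). It transcribes the three pcre expressions plus the landing-page shape, classifies each request URI, and then correlates stages per client/host pair so that a single client walking landing > exploit > load > post-load stands out, while a bare /?digit on its own (far too generic to alert on, which is why the post has no rule for it) is ignored. The proxy-log line format, the host names and the hex token are all constructed assumptions for the example; the per-client stage correlation is my design, not something the rules do.

```python
import re
from collections import defaultdict

# Stage patterns transcribed from the three Snort pcre options above, plus the
# landing-page shape the post describes but has no rule for.  ^ and $ stand in
# for the http_uri buffer match with the trailing "$".  Matching is
# case-sensitive, as in the rules ([0-9a-f], no /i flag).
STAGE_PATTERNS = [
    ("post-load", re.compile(r"^/\?\d[0-9a-f]{50,68};\d+;\d+;\d+$")),
    ("load",      re.compile(r"^/\?\d[0-9a-f]{50,68};\d+;\d+$")),
    ("exploit",   re.compile(r"^/\?\d[0-9a-f]{50,68}$")),
    ("landing",   re.compile(r"^/\?\d$")),
]
STAGE_ORDER = {"landing": 0, "exploit": 1, "load": 2, "post-load": 3}

# Hypothetical proxy-log line shape assumed for this example:
#   <src_ip> <dst_host> "<METHOD> <uri> HTTP/1.x"
LOG_LINE = re.compile(
    r'^(\S+)\s+(\S+)\s+"(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/1\.[01]"$'
)

# Constructed sample data (not captured traffic).  HEX is a 56-character
# placeholder inside the observed 50-68 range, not a real kit token.
HEX = "4f9e1a7c" * 7
SAMPLE_LOG = [
    '10.0.0.5 evil.example "GET /?7 HTTP/1.1"',                 # landing
    f'10.0.0.5 evil.example "GET /?7{HEX} HTTP/1.1"',           # exploit
    f'10.0.0.5 evil.example "GET /?7{HEX} HTTP/1.1"',           # exploit (served again)
    f'10.0.0.5 evil.example "GET /?7{HEX};2;1 HTTP/1.1"',       # load
    f'10.0.0.5 evil.example "GET /?7{HEX};2;1;1 HTTP/1.1"',     # post-load
    '10.0.0.9 shop.example "GET /?1 HTTP/1.1"',                 # benign /?digit alone
    f'10.0.0.9 shop.example "GET /search?q={HEX} HTTP/1.1"',    # long hex, not the bare form
    "garbage line that is not a request",
]


def classify_uri(uri):
    """Return the NeoSploit stage a request URI matches, or None."""
    for stage, pattern in STAGE_PATTERNS:
        if pattern.match(uri):
            return stage
    return None


def parse_log(lines):
    """Yield (src, host, uri, stage) for each well-formed log line; skip the rest."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        uri = m.group("uri")
        yield m.group(1), m.group(2), uri, classify_uri(uri)


def find_chains(events, min_stages=2):
    """Group classified events by (client, host) and report pairs where the
    client progressed through at least min_stages distinct stages.
    A pair that only ever hit /?digit is dropped: that shape is too generic
    on its own and only becomes interesting once a later stage follows."""
    seen = defaultdict(set)
    for src, host, _uri, stage in events:
        if stage:
            seen[(src, host)].add(stage)
    chains = {}
    for key, stages in seen.items():
        if stages == {"landing"} or len(stages) < min_stages:
            continue
        chains[key] = sorted(stages, key=STAGE_ORDER.__getitem__)
    return chains


def main():
    events = list(parse_log(SAMPLE_LOG))
    for src, host, uri, stage in events:
        print(f"{stage or '-':9} {src} -> {host} {uri[:28]}")
    for (src, host), stages in find_chains(events).items():
        print(f"chain: {src} -> {host}: {' > '.join(stages)}")


if __name__ == "__main__":
    main()
```

Running it prints one classified line per request and a single chain for 10.0.0.5 against evil.example; the 10.0.0.9 traffic produces no chain even though it contains both a /?digit request and a long hex string, because neither is the bare query form the rules key on. The 49- and 69-character boundaries fall outside the {50,68} quantifier exactly as they do in the Snort rules, so if the kit ever shifts its token length the pcre bounds are the first thing to revisit.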

Please let me know if you've seen any activity like this, have more information regarding this kit, or just want to compare notes.

I know researchers have seen it, but it seems like no one is talking about it other than in quick spurts.

Thanks!

-Demon

@demon117 (on twitter)
paul.sec117@gmail[.]com for email
