Exploit kits (EKs) are used by criminals to infect unsuspecting users while they are browsing the web. EKs are hosted on servers specifically dedicated to the EK.

How are users' computers directed to an EK? It often happens through compromised websites. Threat actors compromise legitimate websites, and pages from these compromised servers have injected script that connects the user's computer to an EK server.

Shown above: Compromised (legitimate) website -- EK server.

Threat actors often use another server as a gate between the compromised website and the EK server. I often call it a redirect because it redirects traffic from a compromised website to the EK.

Shown above: Compromised website -- Gate -- EK.

The gate is most often another compromised website. Less often, the gate is a dedicated server established by the threat actor.

Shown above: Compromised website -- First gate -- Second gate -- EK.

All of this is transparent to the unsuspecting user. Fortunately, many security professionals study EK traffic. Specific trends are quickly identified, security professionals share the data, and automated detection is usually available within a day or two.

Threat actors know this. Criminals occasionally change tactics in how they direct traffic from compromised websites to their EK servers. For example, earlier this week I noticed a change by an actor using Rig EK. On Monday 2015-11-16, this threat actor was using a distinct gate path. By Wednesday 2015-11-18, the gate patterns had distinctly changed.

Chain of events

On Monday 2015-11-16, this actor was using two gates between the compromised website and Rig EK. The first gate was a Pastebin page that returned text generating another gate URL.
Shown above: Flow chart for this threat actor on Monday 2015-11-16.

On Wednesday 2015-11-18, the same actor had switched to a single gate.

Shown above: Flow chart for the same threat actor on Wednesday 2015-11-18.
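One practical way to recover a chain like the ones in the two flow charts from a capture is to walk the HTTP Referer headers backwards from the EK request. The script below is an added example, not code from the diary or from any tool it mentions; the request records and hostnames are constructed placeholders, and a gate that never becomes a Referer itself (such as the Pastebin page, whose returned text only builds the next URL) shows up as a sibling request rather than in the walked chain.

```python
"""Rebuild the compromised site -> gate -> EK request chain from Referer
headers. Added example: the request records below are constructed, not taken
from the diary's pcaps, and every hostname is a placeholder."""
from urllib.parse import urlparse

# Constructed HTTP request records, roughly what a Wireshark HTTP filter shows:
# (order, Host header, request path, Referer header). Placeholder hosts only.
SAMPLE_REQUESTS = [
    (1, "www.compromised-site.example", "/index.html", ""),
    (2, "www.compromised-site.example", "/js/menu.js", "http://www.compromised-site.example/index.html"),
    (3, "paste-site.example", "/raw/abcd", "http://www.compromised-site.example/index.html"),
    (4, "second-gate.example", "/go.php?id=7", "http://www.compromised-site.example/index.html"),
    (5, "ads.unrelated.example", "/ad.js", "http://www.compromised-site.example/index.html"),
    (6, "ek-landing.example", "/?id=1234", "http://second-gate.example/go.php?id=7"),
    (7, "ek-landing.example", "/payload.php", "http://ek-landing.example/?id=1234"),
]


def url_of(host, path):
    return "http://" + host + path


def referer_index(requests):
    """Map each requested URL to the Referer it was fetched with."""
    return {url_of(h, p): ref for _, h, p, ref in requests}


def walk_chain(requests, final_url):
    """Follow Referer headers backwards from final_url until a request with no
    Referer is reached. Returns the chain in forward (chronological) order."""
    index = referer_index(requests)
    chain = [final_url]
    seen = {final_url}
    current = final_url
    while index.get(current):
        current = index[current]
        if current in seen:          # guard against a Referer loop
            break
        seen.add(current)
        chain.append(current)
    chain.reverse()
    return chain


def describe_chain(chain):
    """Split a chain into compromised site, gate(s) and EK at host level: the
    first host is the page the user visited, the last is the EK, and anything
    in between is a gate. Consecutive URLs on one host count once."""
    hosts = []
    for h in (urlparse(u).hostname for u in chain):
        if not hosts or hosts[-1] != h:
            hosts.append(h)
    return {"compromised_site": hosts[0], "gates": hosts[1:-1], "ek": hosts[-1]}


def siblings_of(requests, referer_url):
    """Hosts requested with the given Referer. A first gate whose response only
    builds the next URL appears here, next to the page's legitimate resources."""
    return sorted({h for _, h, _, ref in requests if ref == referer_url})


if __name__ == "__main__":
    chain = walk_chain(SAMPLE_REQUESTS, "http://ek-landing.example/payload.php")
    print(describe_chain(chain))
    print(siblings_of(SAMPLE_REQUESTS, chain[0]))
```

The Referer walk only works where browsers actually send the header; requests made with it stripped (or gates that redirect with a 302, where the next Referer is the original page rather than the gate) need the timing view that Wireshark gives, which is why the siblings list is worth looking at alongside the chain.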

...And You Will Know Us by the Malware We Spread

I intercepted Rig EK traffic on two different days. The first group of Rig EK intercepts came from Monday 2015-11-16. The second group came from Wednesday 2015-11-18. Although I could not identify this actor, the traffic represents the same criminal group. I'm basing my assessment on the malware payload. Each payload exhibited the same behavior on both occasions. The malware copied itself somewhere under the user's AppData\Roaming directory and updated the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key for persistence.
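The persistence pattern just described (a Run value that launches something from AppData\Roaming) is easy to triage on a host from the output of reg query. The script below is an added example, not tooling from the diary; the registry output it parses is constructed, and the value names and paths in it are placeholders rather than indicators from these infections.

```python
"""Flag HKCU Run entries that launch a program from AppData\\Roaming, the
persistence pattern described above. Added example, not the diary's own
tooling; the 'reg query' output below is constructed with placeholder names."""
import re

# Constructed output in the shape of:
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# Value names and paths are placeholders, not indicators from the diary.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Roaming\Updater\updater.exe
    Vendor      REG_SZ    "C:\Program Files\Vendor\tray.exe"
    sysmon      REG_EXPAND_SZ    %APPDATA%\sys\sysmon.exe -q
"""

# One value line: leading whitespace, name, REG_* type, data. Assumes value
# names without embedded spaces (names with spaces would need a stricter split).
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_run_values(text):
    """Parse 'reg query' output into (name, type, data) tuples."""
    values = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values.append(m.groups())
    return values


def launches_from_roaming(data):
    """True if the command's image path sits under AppData\\Roaming, whether
    spelled out or reached through %APPDATA% (which expands to that folder)."""
    d = data.lower().replace("/", "\\")
    return "\\appdata\\roaming\\" in d or d.lstrip('"').startswith("%appdata%\\")


def suspicious_run_entries(text):
    """Run values worth a closer look: (name, command) pairs that start a
    program from the user's roaming profile instead of an install directory."""
    return [(name, data) for name, _, data in parse_run_values(text)
            if launches_from_roaming(data)]


if __name__ == "__main__":
    for name, command in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"{name}: {command}")
```

Treat a hit as a lead rather than a verdict: some legitimate per-user installers also place their executables under AppData\Roaming, so the next step is to hash the flagged image and compare it against what the EK dropped, which is what the post-infection traffic in the pcaps lets you confirm.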

Traffic from Monday 2015-11-16

Below are images for three examples of Rig EK from Monday 2015-11-16 filtered in Wireshark. You'll find the compromised legitimate website, followed by the first gate using Pastebin, followed by the second gate on lachinampa.com.mx. Rig EK was using the domains day.boatstuffforsale.com or help.bobsrvclub.com.

This pattern was somewhat unusual, because the script pointing to the gates was written backwards.

One of the above images (the second example) shows an additional Pastebin gate URL using HTTPS. What did the Pastebin URLs return? More backwards script pointing to a URL at the second gate.

Shown above: More backwards script returned by the Pastebin gate.

Shown above: Malicious script returned from the second gate at lachinampa.com.mx.
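Backwards script of the kind shown in these images defeats a plain grep for the gate hostname, but it is simple to spot: reverse every quoted string literal in the page and see whether the result suddenly contains a script or iframe tag or a URL. The detector below is an added example, not the diary's tooling; the page and gate response it runs on are constructed fixtures with placeholder hostnames, built by reversing a known tag so the expected result is unambiguous. It works on any text, so it can be run over the .js files of a site as well as its .html pages.

```python
"""Find injected script that is stored backwards and reversed at run time, and
pull the gate URLs out of it. Added example for the 'backwards script' seen
above; the HTML below is a constructed fixture with placeholder hostnames."""
import re

# Forward form of an injected tag; reversed below to build the fixture.
# Placeholder hostname, not a gate from the diary.
INJECTED_TAG = '<script src="http://first-gate.example/gate.js"></script>'

# Constructed page: a reversed string literal that the inline script flips
# back and writes into the document, next to the site's own legitimate script.
SAMPLE_HTML = (
    "<html><body><h1>Welcome</h1>\n"
    "<script>var s='" + INJECTED_TAG[::-1] + "';"
    "document.write(s.split('').reverse().join(''));</script>\n"
    '<script src="/js/menu.js"></script>\n'
    "</body></html>\n"
)

# Constructed gate response of the plain kind: a small iframe pointing onward.
SAMPLE_GATE_RESPONSE = (
    '<html><body><iframe src="http://ek-landing.example/?id=1234" '
    'width="1" height="1"></iframe></body></html>'
)

STRING_LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1).)*?)\1""", re.S)
MARKUP = re.compile(r"<(?:script|iframe)\b[^>]*>", re.I)
URL = re.compile(r"https?://[^\s'\"<>]+", re.I)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def find_reversed_injections(text):
    """Reverse every quoted string literal and report the ones that only make
    sense backwards: the reversed text holds a script/iframe tag or a URL while
    the literal as written holds neither. Each hit carries the decoded text and
    the URLs found in it."""
    hits = []
    for m in STRING_LITERAL.finditer(text):
        literal = m.group(2)
        if MARKUP.search(literal) or URL.search(literal):
            continue                     # readable forwards: not this trick
        decoded = literal[::-1]
        if MARKUP.search(decoded) or URL.search(decoded):
            hits.append({"decoded": decoded, "urls": URL.findall(decoded)})
    return hits


def iframe_targets(text):
    """Destinations of iframes in a gate response, i.e. where the gate sends
    the browser next."""
    return IFRAME_SRC.findall(text)


if __name__ == "__main__":
    for hit in find_reversed_injections(SAMPLE_HTML):
        print("reversed injection ->", hit["urls"])
    print("gate iframe ->", iframe_targets(SAMPLE_GATE_RESPONSE))
```

The literal-level check is deliberately narrow: it only fires when a string is unreadable forwards and readable backwards, so a legitimate script that keeps a URL in a normal string does not trigger it. Other encodings (hex escapes, base64, character-code arrays) need their own decoders in front of the same markup and URL tests.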

The traffic was recognizable as Rig EK. I used tcpreplay on one of the 2015-11-16 pcaps in Security Onion and found alerts for Rig EK and the Chthonic Trojan.

Shown above: Significant events from traffic on Monday 2015-11-16 using the Emerging Threats Pro signature set.

Traffic from Wednesday 2015-11-18

I saw Rig EK and the same post-infection traffic after viewing more compromised websites on Wednesday 2015-11-18. You'll find the compromised legitimate website, followed by a single gate. Rig EK was using the domains ftg.askgreatquestions.com, ghf.askmoregetmore.com, or erf.closelikeapro.com. Post-infection traffic was seen using the domain alohajotracks.com, just like we saw before on Monday.

In the above image, script pointing to a gate at esparpool.com was injected into every .html and .js file from the compromised website. The gate was sent multiple times, and it makes for a much messier pcap.

Below is an example of the gate traffic seen on Wednesday 2015-11-18. In the image, you'll find the gate URL from fundacioncentrodeculturaandaluza.es returned an iframe pointing to Rig EK.

Final words

I've seen a wide variety of paths from compromised websites to an EK server, so this isn't a comprehensive review of the topic. This is just one example. Hopefully, this diary provides a good example of how criminal groups can change their tactics when directing traffic to an EK.

Pcaps and malware samples used in this diary are available here.

Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Messages sent today to Telegram users explaining what the service had done to block ISIS propaganda channels.

In the wake of revelations that groups affiliated with the Islamic State were using the Telegram messaging service to communicate and spread propaganda materials, the nonprofit organization running the service announced that it had moved to block terror-related content from being spread through its servers.

"We were disturbed to learn that Telegram's public channels were being used by ISIS to spread their propaganda," a Telegram spokesperson posted in the service's Telegram News channel. "We are carefully reviewing all reports sent to us at [email protected] and are taking appropriate action to block such channels. As a result, this week alone we blocked 78 ISIS-related channels across 12 languages." The channels were identified and blocked in part because of abuse reports filed by Telegram users.

Channels allow Telegram users to subscribe to broadcast content published through a permanent URL and allow the channel publisher to reach an unlimited number of users. While the channels are connected to a specific profile by the service, the user can post content—including files, images, and messages—anonymously from a mobile device or PC.



ChannelLife NZ

InfoSec finalists announced for awards at Te Papa
Scoop.co.nz (press release)
In a nod to the health and vitality of New Zealand's information security (InfoSec) industry, a stellar line up of finalists have been announced for the 2015 iSANZ Awards. The iSANZ Awards are New Zealand's only dedicated Awards that recognise and ...
New Zealand information security awards finalists named - ChannelLife NZ

Oracle Java SE CVE-2015-4732 Remote Security Vulnerability
Oracle Java SE CVE-2015-2601 Remote Security Vulnerability
Oracle Java SE CVE-2015-4843 Remote Security Vulnerability

We do have a *very* experimental client script to submit logs from PFSense firewalls. Supporting these popular and capable open source firewalls is somewhat challenging. First of all, PFSense is based on BSD, not Linux like most other open source firewall distributions. As a result, our standard Linux clients will not work. The BSD packet filter code uses a different log format. To make things more interesting, PFSense uses a round-robin log file: log lines are continuously removed and added to keep just the last x lines.

I managed to put together a quick test. Feedback would be very helpful while I am learning how to turn this into a proper PFSense package.

Since there is no simple package to install right now, you need to install and configure the script manually. The script is written in PHP and heavily leverages existing PHP libraries that are included in PFSense.

The script sends logs to DShield via e-mail. You need to have Notifications configured. The script will just use the e-mail server settings from your notification configuration.

Please see:


for the script. Additional instructions are included at the top. Please check back regularly for updates.

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The Register

Mixing ERP and production systems: Oil industry at risk, say infosec bods
The Register
Black Hat Europe Hackers might be able to bridge the gap between supposedly air-gapped systems in oil and gas production by pivoting from enterprise planning onto production systems. Vulnerabilities and insecure installations in SAP business software ...

GAITHERSBURG, Md. — The National Institute of Standards and Technology (NIST) has announced the winners of the Reference Data Challenge, the agency's first-ever app development competition. The contest was intended to spur the development ...
RCE and SQL injection via CSRF in Horde Groupware
Adobe Premiere Clip v1.1.1 iOS - (cid:x) Filter Bypass & Persistent Software Vulnerability
[security bulletin] HPSBGN03521 rev.1 - HP Operations Orchestration Central, Cross-Site Request Forgery (CSRF)