Thursday, September 29, 2011

Neat little find - Network forensics

Overview
This post may seem trivial, pointless, and indicative of a security noob, but the other day I was perusing some network traffic between a Windows DC and a client and found some interesting traffic. As I later discovered, what I found is standard traffic from a Windows domain controller, but since it was the first time I had seen it, I was intrigued. It began with me looking at some larger-than-usual ICMP traffic.

The Pcap
When I first saw the pcap, it looked rather normal. Then I noticed the 'Length' of some of the ICMP replies and wondered why they were so big.

So I popped into a couple of the big ICMP reply packets and instantly saw a JPEG magic number in the hex dump: "JFIF", aka 0x4a464946.
I started to think, "what the heck is this?" The best way to figure that out was to carve the image right out of the pcap and see what it was.

Doing this was super easy. There are a lot of programs that can carve files out of pcaps for you automatically, but this file was so small that I just did it manually. First I copied the bytes as a hex stream.
Once I had the hex stream, I moseyed on over to Malzilla, since it has a handy "Hex to File" converter that decodes a hex stream straight to a file.

Once that completes it saves the file as "hexfile.bin", so I just changed the extension to .jpg and presto...wait...wtf?
Yeah. That's the image all right. Anyway, a quick Google search for that behavior between a client and an MS domain controller showed that I had discovered standard DC operation. It's basically their method for slow link detection; if you were unaware of it, like me, you can read about it on Microsoft's site.

So call me a noob if you must. I thought it was a neat find.

Wilkes-Barre PA Site owned

The Gist
Wilkes-Barre PA's official site has fallen victim to an injected Blackhole exploit kit redirect that uses the Twitter trends API to generate different domains. Some may already know the little town of Wilkes-Barre for its delicious and super cheap college beer called "Lionshead", brewed by Lions Brewery. It's 8:30am, and I could go for a refreshing Lionshead right now. Mmmm.
The Injected JS
The site looks innocent enough, but behind the scenes there's some bad JS ready to own you.
When checking the source code, there are script tags sourcing a JavaScript file named 'PopBox.js'. It is within this JavaScript file that the injected redirect is located.

When you check the PopBox.js file, it is immediately apparent that there is some obfuscated code down at the bottom. I uploaded the full obfuscated JS to pastebin.


The first layer is easy enough to de-obfuscate: I just replaced eval() with document.write().


Layer 2 is also easy enough to de-obfuscate. Same story, just document.write()'d.


3 layers of obfuscation already. What in the hell. Just from the look of layer 3, you can basically guess that it's char codes separated by some gibberish. All I really did was comment out one statement in the "trim()" function that was called, and I got all the char codes.
Char codes are the easiest to handle. Just a simple document.write(String.fromCharCode(blahblah)); and presto, I have layer 5.

Layer 5 uses the same obfuscation technique as layer 1. Simply replacing eval() with document.write(), I FINALLY got the 'basically de-obfuscated' code. It still has randomized variable names and all that jazz, but you can essentially see what it's doing in plain sight. It's using the Twitter trends API information to construct different domains, which is rather cool.
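Here is the same layer-peeling done as a script, as an added example that is not the author's code and not the real PopBox.js payload: instead of swapping eval() for document.write() in a browser, it pattern-matches the wrapper, decodes it without executing anything, and repeats until nothing recognizable is left. It understands two wrapper shapes, eval(unescape("%..")) and String.fromCharCode(...) with the numbers separated by junk (the layer-3 trick described above); that is an assumption made for the example, and any other wrapper would need its own peeler. It also greps the final layer for quoted URLs of the /index.php?tp= or /forum.php?tp= shape the post mentions at the end, since that is a handy indicator when triaging a page. The sample input is constructed inline.

```python
import re
from urllib.parse import quote, unquote

# Two wrapper shapes the peeler understands. Assumption for this example: the real
# PopBox.js layers (on the author's pastebin) may use other wrappers.
EVAL_UNESCAPE = re.compile(r"""eval\(\s*unescape\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.S)
FROM_CHARCODE = re.compile(r"String\.fromCharCode\(([^)]*)\)", re.S)
# Landing URL shape the post notes at the end ("/index.php?tp=xxxx", "/forum.php?tp=xxxx")
TP_URL = re.compile(r"""['"](https?://[^'"]+\.php\?tp=[^'"]*)['"]""")


def peel_unescape(js: str):
    """eval(unescape("%64%6f...")) -> the decoded inner script, or None if no such wrapper.

    Python's unquote matches JS unescape() for the %XX ASCII case seen in these layers.
    """
    m = EVAL_UNESCAPE.search(js)
    return unquote(m.group(2)) if m else None


def peel_charcode(js: str):
    """String.fromCharCode(...) whose numbers are separated by arbitrary junk -> text."""
    m = FROM_CHARCODE.search(js)
    if not m:
        return None
    return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))


def peel_layers(js: str, max_layers: int = 10):
    """Strip wrappers until none match; returns [input, layer1, layer2, ...]."""
    layers = [js]
    for _ in range(max_layers):
        for peel in (peel_unescape, peel_charcode):
            inner = peel(layers[-1])
            if inner is not None:
                layers.append(inner)
                break
        else:
            break            # no known wrapper left: this is the innermost layer
    return layers


def redirect_targets(js: str):
    """Quoted URLs of the /index.php?tp= or /forum.php?tp= shape in a decoded layer."""
    return TP_URL.findall(js)


# --- constructed sample (not the real PopBox.js payload) ------------------
FINAL = "window.location = 'http://redirect.example.invalid/index.php?tp=xxxx';"


def build_sample() -> str:
    """Wrap FINAL in a charcode layer with gibberish separators, then in eval(unescape())."""
    codes = "zq".join(str(ord(c)) for c in FINAL)
    charcode_layer = f"document.write(String.fromCharCode({codes}));"
    return 'eval(unescape("' + quote(charcode_layer, safe="") + '"));'


if __name__ == "__main__":
    layers = peel_layers(build_sample())
    for depth, layer in enumerate(layers):
        print(f"layer {depth}: {layer[:70]}{'...' if len(layer) > 70 else ''}")
    print("redirects:", redirect_targets(layers[-1]))
```

Decoding statically beats document.write() for triage because nothing from the page runs: a layer that does more than re-wrap itself (one that also fires the redirect, say) cannot go off while you are reading it, and the list of intermediate layers is a ready-made record for the write-up.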


Here's what it looks like all formatted and pretty:


I've found a couple of instances of this type of injection before, but I never really felt like doing a write-up on it since others already have. I figured I'd do the write-up on this one because it was a Wilkes-Barre gov't site, and I was in the mood for Lionshead beer. In the end it turned out to be yet another Blackhole exploit injection that was redirecting to RogueAVs/FakeAVs.

Check out a pretty decent write-up about the same type of injection on the Websense blog: sophisticated-injection-abuse-twitter-trend-service

My question is, if these people are willing to obfuscate 5 layers deep, why the hell don't more people who use BH change the formatting of the redirecting URLs so they're not all "/index.php?tp=xxxx" or "/forum.php?tp=xxxx"?