Thursday, April 12, 2012

Special Delivery -- Phoenix Exploit Kit

You would think that spam masquerading as a delivery company would be getting a little long in the tooth, but that isn't the case.  Last week the winner was "DHL Attention 846698", which looks something like this:


Good day!
 

Dear Consumer , Recipient's address is wrong

PLEASE FILL IN ATTACHED FILE WITH RIGHT ADDRESS AND RESEND TO YOUR PERSONAL MANAGER

With Best Wishes , DHL .com Customer Services


A nice present in the form of a zip file named "DHL-N-35385784.zip" came along with the email.  It contained an HTML file which, in my case, was named "DHL_Letter_N88324.htm".  This had 4 blocks of pretty standard obfuscated code that, when clicked, sent you off to a Phoenix exploit kit sitting on a static IP address (no DNS name) on port 8080.

The exploit kit had a multi-capability PDF document that would exploit PDF readers with different exploits depending on what they were vulnerable to.  In the case of the DVMTK (Damn Vulnerable Malware Testing Kit, or less glamorously, some Windows XP box with an old version of IE and PDF reader), it also hit the Windows Help and Support Center vulnerability (CVE-2010-1885).

Snort pretty much let loose on this visit, with 8 total alerts targeting the specifics in the exploit kit's PDF delivery and the four different malware samples that were downloaded as a result of visiting this site.  The exploit kit and PDF rules are on by default.  However, the executable download rules, SIDs 15306 and 11192, both need to be activated manually.  Regardless of the exploit kit we've seen, these are the SIDs that always fire.  So if you can turn them on in your environment, we strongly recommend you do.
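One way to switch on the two SIDs named above in a local rules file, as an added example that is not code from the original post. It assumes disabled rules are rule lines commented out with `#`; the function name and the sample rules are constructed for illustration, and the rule bodies are placeholders, not the real rule text.

```python
import re

# SIDs the post says must be activated manually.
WANTED_SIDS = {15306, 11192}

# A rule line, optionally commented out, carrying a "sid:<n>;" option.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?'
    r'(?P<rule>(?:alert|log|pass|drop|reject|sdrop)\b.*\bsid\s*:\s*(?P<sid>\d+)\s*;.*)$'
)

def enable_sids(rules_text, wanted=WANTED_SIDS):
    """Uncomment rules whose SID is in `wanted`.

    Returns (new_text, report); report maps each wanted SID to
    'enabled', 'already on' or 'not found'.
    """
    report = {sid: "not found" for sid in wanted}
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and int(m.group("sid")) in wanted:
            sid = int(m.group("sid"))
            if m.group("off"):
                line = m.group("rule")      # drop the leading '#'
                report[sid] = "enabled"
            else:
                report[sid] = "already on"
        out.append(line)                    # every other line is untouched
    return "\n".join(out) + "\n", report

# Constructed sample input: placeholder rule bodies, real SIDs from the post.
SAMPLE_RULES = """\
# Constructed sample; rule bodies are placeholders, not the real rule text.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PLACEHOLDER executable download A"; sid:15306; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PLACEHOLDER executable download B"; sid:11192; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER unrelated rule"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER unrelated disabled rule"; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    new_text, report = enable_sids(SAMPLE_RULES)
    for sid, status in sorted(report.items()):
        print(sid, status)
    print(new_text, end="")
```

A "not found" result means the SID is not in that file at all, so the rule set itself needs checking. If a rule-update tool manages the files, make the change in that tool's enable list so the next update does not undo it.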

So, we would hope that user education would take care of this, but it will probably be quite a while before that will be the case.  In the meantime, keep your patches, your AV and your IDSes updated, along with any other custom in-house solutions you have.