alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Exploit Attempt Often to Install Monkif"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/frame.php?pl=Win32"; nocase; http_uri; classtype:trojan-activity; sid:2012506; rev:5;)

Added 2012-03-19 23:39:11 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Exploit Attempt Often to Install Monkif"; flow:established,to_server; content:"GET"; http_method; content:"/frame.php?pl=Win32"; nocase; http_uri; classtype:trojan-activity; sid:2012506; rev:4;)

Added 2011-10-12 19:34:31 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Exploit Attempt Often to Install Monkif"; flow:established,to_server; content:"GET"; http_method; content:"/frame.php?pl=Win32"; nocase; http_uri; classtype:trojan-activity; sid:2012506; rev:4;)

Added 2011-04-07 21:14:45 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Exploit Attempt Often to Install Monkif"; flow:established,to_server; content:"GET"; http_method; content:"/frame.php?pl=Win32"; nocase; http_uri; classtype:trojan-activity; sid:2012506; rev:4;)

Added 2011-04-07 14:49:28 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monkif Initial Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/frame.php?pl=Win32"; nocase; http_uri; classtype:trojan-activity; sid:2012506; rev:3;)

Added 2011-04-06 17:38:09 UTC

Background from Darren Spruell:

I'm certain that /somedir/frame.php?pl=Win32 is tied to an exploit pack
although I don't know which. The association with Monkif is due to
Monkif being served as the binary payload. We saw early iterations of
this campaign at least as far back as 2/23/11.

Earlier notes:

2011-02-23  22:16:57  (200)  text/html;%20charset=UTF-8  649:755
GET  [U]  hxxp://64.27.25.227/sl1/
2011-02-23  22:16:57  (200)  text/html;%20charset=UTF-8  699:350
GET  [U]  hxxp://64.27.25.227/sl1/frame.php?pl=Win32
2011-02-23  22:17:01  (200)  application/java-archive    390:5887
GET  [U]  hxxp://64.27.25.227/sl1/2.php
2011-02-23  22:17:02  (200)  application/java-archive    347:5887
GET  [U]  hxxp://64.27.25.227/sl1/2.php
2011-02-23  22:17:04  (200)  application/octet-stream    356:30999
GET  [U]  hxxp://64.27.25.227/sl1/404.htm
2011-02-23  22:40:19  (200)  text/html;%20charset=UTF-8  764:755
GET  [U]  hxxp://64.27.25.227/sl1/
2011-02-23  22:40:19  (200)  text/html;%20charset=UTF-8  779:350
GET  [U]  hxxp://64.27.25.227/sl1/frame.php?pl=Win32
2011-02-23  22:40:25  (200)  application/java-archive    347:251
GET  [U]  hxxp://64.27.25.227/sl1/2.php
2011-02-23  22:40:25  (200)  application/octet-stream    315:2895
GET  [U]  hxxp://64.27.25.227/sl1/pim.class

/sl1/2.php returns a JAR archive with encoded class files. The script
returns 0 bytes to "nonvulnerable" user-agent strings but the JAR to
vulnerable (verified with 1.6.0_17).

pim.class looks to be purposed with detecting JVM versions, I'm supposing.

404.php looks to be a binary download but I was unable to collect the
file at time of analysis.

-----
Obfuscation by RetroGuard Lite - Academic / Not-For-Profit License -
www.retrologic.com
  inflating: aa.class
  inflating: pim.class
  inflating: a.class
  inflating: d.class
  inflating: c.class
  inflating: b.class
  inflating: META-INF/MANIFEST.MF
-----

In several cases Referer headers showed udmserve.net.

hxxp://udmserve.net/udm/img.fetch?sid=3117;tid=2;ev=1;dt=1;
hxxp://udmserve.net/udm/img.fetch?sid=3312;tid=2;ev=1;dt=1;

In one case Monkif C&C was observed afterward.

hxxp://www.adheadies.com:80/photo/crxc.php?bqgwl=517557%3C5x6445=7x640%3Cx4x4x515x1x0x6x5x5772=712x5772=716x

hxxp://88.80.7.152:80/photo/nsxggggg.php?gggg=517557%3C5x6445=7x640%3Cx4x4x515x0x%3Cx6x5x5772=712x5772=716x

www. adheadies.com.      23243   IN      A       88.80.7.152

-- MattJonkman - 07 Apr 2011
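As an added example (not part of the original notes or of the ET rule set), the following Python models the content checks of sid 2012506 against constructed HTTP request lines, showing what the `nocase` added to the `http_method` content in rev 5 changes relative to rev 4. It assumes the `flow:established,to_server` check and the `$HOME_NET`/`$EXTERNAL_NET`/`$HTTP_PORTS` variables are already satisfied; the sample requests and hostnames are constructed, not captures.

```python
"""Emulate the payload checks of ET sid 2012506 (rev 4 vs rev 5).

Modelled: content:"GET"; http_method; (rev 5 adds nocase) and
content:"/frame.php?pl=Win32"; nocase; http_uri;. Flow state and the
network variables are assumed satisfied and are not modelled.
"""
from __future__ import annotations

# Constructed sample requests (not captures); the Host values are placeholders.
REQ_MATCH = b"GET /sl1/frame.php?pl=Win32 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
REQ_MIXED_CASE = b"GET /SL1/Frame.PHP?PL=WIN32 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
REQ_LOWER_METHOD = b"get /sl1/frame.php?pl=Win32 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
REQ_OTHER = b"GET /sl1/2.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
REQ_POST = b"POST /sl1/frame.php?pl=Win32 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def parse_request_line(raw: bytes) -> tuple[str, str]:
    """Return (method, uri) from the request line of a raw HTTP/1.x request."""
    first_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {first_line!r}")
    return parts[0], parts[1]


def matches_sid_2012506(raw: bytes, rev: int = 5) -> bool:
    """True if the request satisfies the rule's content checks for the given revision."""
    method, uri = parse_request_line(raw)
    # content:"GET"; http_method;  -- case-sensitive in rev 4, nocase in rev 5
    method_hit = method.upper() == "GET" if rev >= 5 else method == "GET"
    # content:"/frame.php?pl=Win32"; nocase; http_uri;  -- case-insensitive substring of the URI
    uri_hit = "/frame.php?pl=win32" in uri.lower()
    return method_hit and uri_hit


def scan(requests: list[bytes], rev: int = 5) -> list[str]:
    """Return the request lines that would fire the rule, for log review."""
    return [r.split(b"\r\n", 1)[0].decode("latin-1")
            for r in requests if matches_sid_2012506(r, rev)]


if __name__ == "__main__":
    samples = [REQ_MATCH, REQ_MIXED_CASE, REQ_LOWER_METHOD, REQ_OTHER, REQ_POST]
    for rev in (4, 5):
        print(f"rev {rev}:", scan(samples, rev))
```

A real engine only evaluates these buffers once its HTTP parser has recognised the request and normalised the URI, so this emulation is for reasoning about the rule's coverage, not a substitute for testing it in Suricata or Snort.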


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monkif Initial Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/frame.php?pl=Win32"; nocase; http_uri; classtype:trojan-activity; sid:2012506; rev:1;)

Added 2011-03-15 14:23:02 UTC


Topic revision: r2 - 2011-04-07 - MattJonkman