Karn!v0r3x v1.0 Exploit Kit
There is a new exploit kit in the wild, this time named Karn!v0r3x v1.0:
![Karn!v0r3x v1.0 [Inicio]- Malandrines(dot)n3t Image](http://blog.novirusthanks.org/wp-content/uploads/2012/01/Karnv0r3x-v1.0-Inicio-Malandrines.n3t_1325855141161.png)
HTML code of the login page:
<html>
<head>
<title>Karn!v0r3x v1.0 [Inicio]| Malandrines .n3t</title>
<script language="JavaScript" src="files/fallt.js"></script>
<style>
body{background:black;color:yellow;}
#karnivora{
margin:80px auto;
background:url('files/karni.jpg');
width:500px;
height:375px;
border:1px solid red;
-moz-border-radius:5px;
border-radius:5px;
color:black;font-size:20px;font-weight:bold;
}
form{float:right;}
ol{list-style:none;margin:0px;padding:0px;}
input{background:#2F2F2F;color:yellow;}
</style>
</head>
<body>
<div id='karnivora'>
<form action='' method='post'>
<ol>
<li>
<label>Username:</label><br/>
<input type='text' name='user' size='20' />
</li>
<li>
<label>Password:</label> <br/>
<input type='password' name='pass' size='20' />
</li>
<li><input type='submit' value='Enter'/></li>
</ol>
</form>
<div style='margin-top:354px;margin-left:10px;'>
Karn!v0r3x v1.0 | Malandrines .n3t [2011]
</div>
</div>
</body>
</html>
Traffic captured while attempting some logins:
POST /imagenes_noticias/ HTTP/1.1
Host: alertas .gob.mx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: hxxp://www.alertas .gob.mx/imagenes_noticias/
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

user=username&pass=password
Screenshots of the contents of some directories:
hxxp://www.alertas .gob.mx/imagenes_noticias/files/

hxxp://www.alertas .gob.mx/imagenes_noticias/files/os/

The file net4.exe appears to be the legitimate .NET Framework 4.0 installer:
File: net4_exe
Size: 889416 bytes
MD5 Hash: 53406E9988306CBD4537677C5336ABA4
SHA1 Hash: 06BECADB92A5FCCA2529C0B93687C2A0C6D0D610
SHA256 Hash: FA1AFFF978325F8818CE3A559D67A58297D9154674DE7FD8EB03656D93104425
SHA384 Hash: FAA596D827BB04DAD53CFB921047BA07916BA78754EBDF00A5DF1BEE69594512DDD9E5F6F1C76D6B82EE3576E4CDA40F
SHA512 Hash: 4F89DA81B5A3800AA16FF33CC4A42DBB17D4C698A5E2983B88C32738DECB57E3088A1DA444AD0EC0D745C3C6B6B8B9B86D3F19909142F9E51F513748C0274A99
The executable is located at:
hxxp://www.alertas .gob.mx/imagenes_noticias/files/net4.exe
If we query the bot.php file as follows:
hxxp://www.alertas .gob.mx/imagenes_noticias/bot.php?b=sites
we get a list of websites (page titles?), as seen in this image:

Most probably the banking trojan distributed with this exploit kit watches the window titles of running web browsers; when a title matches one of these entries it starts capturing the details of the banking transaction in order to steal the account credentials.
List of known paths related to this exploit kit:
/index.php
/bot.php?b=sites
/bot.php?b=save
/bot.php?b=show
/bot.php?b=id
/bot.php?b=savesites
/files/
/files/os/
/files/capturas/
/files/downloads/
/files/geoip.dat
/files/geoip.inc
/files/karni.jpg
/files/paises/
/files/net4.exe
The infected machine checks in with the C&C server like this, reporting the Windows version, the computer name and the user name:
/bot.php?b=save&windows=Microsoft%20Windows%20NT%205.1.2600%20Service%20Pack%203&pcname=PCNAME&userna=UserName
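The paths and the check-in request above are the indicators a defender would hunt for in web-server or proxy logs. The Python script below is an added example written for this post, not code from the original article or from the kit itself: it parses a few constructed Apache-style access-log lines (the log format, timestamps and client IPs are assumptions), flags requests for the bot.php actions and files/ artifacts listed above, and decodes the windows/pcname/userna fields of a b=save check-in. /index.php is deliberately not treated as an indicator on its own because it is far too generic to match.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Artifacts listed in the post, relative to the kit's install directory.
KIT_FILES = {"geoip.dat", "geoip.inc", "karni.jpg", "net4.exe"}
KIT_DIRS = {"os", "capturas", "downloads", "paises"}
BOT_ACTIONS = {"sites", "save", "show", "id", "savesites"}
# Parameters sent by an infected host on a b=save check-in.
CHECKIN_PARAMS = {"windows", "pcname", "userna"}

# Apache combined-style access log (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (hypothetical hosts and timestamps).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jan/2012:10:01:02 +0000] "GET /imagenes_noticias/bot.php?b=save&windows=Microsoft%20Windows%20NT%205.1.2600%20Service%20Pack%203&pcname=PCNAME&userna=UserName HTTP/1.1" 200 12
10.0.0.6 - - [07/Jan/2012:10:01:09 +0000] "GET /imagenes_noticias/files/net4.exe HTTP/1.1" 200 889416
10.0.0.7 - - [07/Jan/2012:10:02:00 +0000] "GET /imagenes_noticias/bot.php?b=sites HTTP/1.1" 200 5120
10.0.0.8 - - [07/Jan/2012:10:03:00 +0000] "GET /news/index.php?page=2 HTTP/1.1" 200 2048
10.0.0.9 - - [07/Jan/2012:10:04:00 +0000] "GET /blog/bot.php?b=delete HTTP/1.1" 404 300
"""


def classify(url):
    """Return (verdict, details) for one request URL.

    verdict is one of: checkin, bot_action, kit_file, kit_dir, none.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query)          # percent-decodes values for us
    segs = [s for s in parts.path.split("/") if s]

    # Any bot.php anywhere in the path is checked for the known actions.
    if segs and segs[-1] == "bot.php":
        action = qs.get("b", [None])[0]
        if action == "save" and CHECKIN_PARAMS <= set(qs):
            return "checkin", {
                "windows": qs["windows"][0],
                "pcname": qs["pcname"][0],
                "userna": qs["userna"][0],
            }
        if action in BOT_ACTIONS:
            return "bot_action", {"action": action}
        return "none", {}

    # /files/<name> or /files/<dir>/ directly under the kit directory.
    if "files" in segs:
        i = segs.index("files")
        if len(segs) == i + 2:
            last = segs[-1]
            if last in KIT_FILES:
                return "kit_file", {"name": last}
            if last in KIT_DIRS and parts.path.endswith("/"):
                return "kit_dir", {"name": last}
    return "none", {}


def scan_log(text):
    """Parse access-log text and return a list of hits with client IP and details."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip lines that are not in the expected format
        verdict, details = classify(m.group("url"))
        if verdict != "none":
            hits.append({"ip": m.group("ip"), "verdict": verdict, **details})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against real logs, the checkin verdict is the strongest signal: the windows/pcname/userna triple identifies the reporting host, and the decoded OS string can be matched against asset inventory to find the infected machine. Requests for the files/ artifacts are weaker on their own (an analyst fetching net4.exe produces the same line), so they are best used to confirm a host that also hit bot.php.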
More details about this exploit kit can be found here (in Spanish):
Nuevo Botnet Contra Mexico: Karn!v0r3x (New Botnet Against Mexico: Karn!v0r3x)