Popads Exploit Kit


Popads loading up java exploits with “.jnlp” file


Popads seems to be using a .jnlp file to make its actions seem more legitimate to the end user.

Paste of .jnlp file

What’s a JNLP file?

When loaded, the JNLP shows a nice little animated popover while the malicious stuff runs in the background. The point of the launch file is to get past the security prompt that was introduced in JRE 7u11.

There may be a misconfiguration here, as it spawned a very large number of java instances. 🙂

Popads post updated with this “jnlp” info.

Ref: http://security-obscurity.blogspot.no/2013/04/the-latest-java-exploit-with-security.html
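The paste itself is not reproduced here, so as an added example (not code from the original post) here is the kind of triage parser a responder would run over a JNLP pulled from a proxy cache. It extracts the fields that matter (codebase, launch href, jar hrefs, main class, permission request) and applies the 32-hex naming seen in the Popads URIs plus a vendor-versus-codebase sanity check. The two JNLP documents, the hostnames and the hashes in them are constructed for the example; the assumption that the jar referenced by the launch file follows the same 32-hex/32-hex naming as the applet jars is mine.

```python
# Added example: triage a JNLP launch file. Sample documents below are
# CONSTRUCTED (hostnames, hashes and titles are made up); the only inputs
# taken from the posts are the 32-hex URI naming patterns.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# URI naming reported in the Popads posts: 32-hex .jnlp, 32-hex/32-hex .jar
HEX32_JNLP = re.compile(r"/[a-f0-9]{32}\.jnlp$")
HEX32_JAR = re.compile(r"/[a-f0-9]{32}/[a-f0-9]{32}\.jar$")

# Vendor strings a lure is likely to borrow, mapped to the domain that should
# actually be serving them (assumption used only for the mismatch check).
VENDOR_DOMAINS = {"oracle": "oracle.com", "microsoft": "microsoft.com", "adobe": "adobe.com"}

# Constructed sample mimicking the Popads stage: fake vendor, all-permissions, 32-hex names.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://example.invalid/" href="0123456789abcdef0123456789abcdef.jnlp">
  <information><title>Java Update</title><vendor>Oracle</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.7+"/>
    <jar href="fedcba9876543210fedcba9876543210/00112233445566778899aabbccddeeff.jar" main="true"/>
  </resources>
  <application-desc main-class="Main"/>
</jnlp>"""

# Constructed benign sample: vendor matches codebase, sandboxed, ordinary names.
BENIGN_JNLP = """<jnlp spec="1.0+" codebase="https://www.oracle.com/app/" href="app.jnlp">
  <information><title>Demo App</title><vendor>Oracle</vendor></information>
  <resources><j2se version="1.7+"/><jar href="lib/app.jar" main="true"/></resources>
  <application-desc main-class="demo.Main"/>
</jnlp>"""


def parse_jnlp(text):
    """Pull the triage-relevant fields out of a JNLP document."""
    root = ET.fromstring(text)
    codebase = root.get("codebase", "")
    desc = root.find("application-desc")
    if desc is None:
        desc = root.find("applet-desc")
    return {
        "codebase": codebase,
        "href": urljoin(codebase, root.get("href", "")),
        "title": (root.findtext("information/title") or "").strip(),
        "vendor": (root.findtext("information/vendor") or "").strip(),
        "all_permissions": root.find("security/all-permissions") is not None,
        "jars": [urljoin(codebase, j.get("href", "")) for j in root.iter("jar")],
        "main_class": desc.get("main-class") if desc is not None else None,
    }


def jnlp_indicators(info):
    """Reasons this launch file looks like the Popads stage rather than a real app."""
    hits = []
    if HEX32_JNLP.search(info["href"]):
        hits.append("launch file name is 32-hex (Popads naming)")
    if any(HEX32_JAR.search(j) for j in info["jars"]):
        hits.append("jar path is 32-hex/32-hex (Popads naming)")
    if info["all_permissions"]:
        hits.append("requests all-permissions")
    host = (urlparse(info["codebase"]).hostname or "").lower()
    vendor = info["vendor"].lower()
    for key, dom in VENDOR_DOMAINS.items():
        if key in vendor and not (host == dom or host.endswith("." + dom)):
            hits.append(f"vendor claims {key} but codebase host is {host}")
    return hits


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_JNLP), ("benign", BENIGN_JNLP)):
        print(label, jnlp_indicators(parse_jnlp(doc)))
```

The vendor check is a heuristic, not a rule: a legitimately mirrored app can fail it, and a lure can simply leave the vendor blank. The naming and all-permissions hits are the ones worth alerting on.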

Popads Exploit Kit


Some stuff that has been useful for catching Popads.

Thanks to @kafeine for catching my silly naming error. 🙂

Example chain

*omitting domain for space, see previous post.*

/?bbf49b029fa11db901403d06a520eee8=g15
/35ddf971291d6ba1603daebd2e8f3677.eot (application/vnd.ms-fontobject)
/ceb5ac44146f822b47742aa2869f28f6/3b7414f89c83e64318605265a5419f52.swf (application/x-shockwave-flash)
/ceb5ac44146f822b47742aa2869f28f6/bd89ae7dee57f92f50f785a6bfe5e597.jar (application/x-java-archive)
/45ce50c8f996cae6327f4525b96db70d/043bd8b18c03c98152fa76b39180342a.jar (application/x-java-archive)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ClassBeanInfo.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ObjectBeanInfo.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ObjectCustomizer.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/java/lang/ClassCustomizer.class (text/html)
/ceb5ac44146f822b47742aa2869f28f6/0 > (text/html) > Encoded EXE
/ceb5ac44146f822b47742aa2869f28f6/1 > 404
/ceb5ac44146f822b47742aa2869f28f6/2 > 404
/ceb5ac44146f822b47742aa2869f28f6/3 > 404
/ceb5ac44146f822b47742aa2869f28f6/4 > (text/html) > Encoded EXE

PopadsEK Gate Regex

\/\?[a-f0-9]{32}=[a-z0-9]{2,3}(&[a-f0-9]{32}=[a-z0-9_.-]+)?$

PopadsEK .jnlp

HTTP Method = GET
Regex HTTP URI for \/[a-f0-9]{32}\.jnlp$

PopadsEK EOT

HTTP Method = GET
Content-type = application/vnd.ms-fontobject
Regex HTTP URI for \/[a-f0-9]{32}\.eot$

PopadsEK SWF

HTTP Method = GET
Content-type = application/x-shockwave-flash
Regex HTTP URI for \/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$

PopadsEK JAR

HTTP Method = GET
Content-type = application/x-java-archive
Regex HTTP URI for \/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$

PopadsEK CVE-2013-0431 Class files

HTTP Method = GET
Content-type = text/html
Regex HTTP URI for \/[a-f0-9]{32}\/java\/lang\/[a-zA-Z]+\.class$

PopadsEK EXEs from JAR

HTTP Method = GET
User-agent = *Java/1.*
Content-type = text/html
Regex HTTP URI for \/[a-f0-9]{32}\/[0-4]$

Has been dropping ZeroAccess and Urausy.

Interesting Subdomain Technique – Popads Exploit Kit


Popads is using some interesting domains lately…

tech.net.microsoft.windows.update.system.release.vukzy.1targetdayanalize.info
tech.net.microsoft.windows.update.system.release.sg.1zitargoh.info
tech.net.microsoft.windows.update.system.release.jxtbc.1zitargoh.info
tech.net.microsoft.windows.update.system.release.gxsha.1zitargoh.info
tech.net.microsoft.windows.update.system.release.fp.12targetdayanalize.info
tech.net.microsoft.windows.update.system.release.bv.12targetdayanalize.info
tech.net.microsoft.windows.update.system.release.aldmd.1tickersonball.info

critical.microsoft.windows.software.update.patch.tu.7personalidoffuskerts.info
critical.microsoft.windows.software.update.patch.jdkwv.7personalidoffuskerts.info

emergency.microsoft.security.software.update.patch.oqska.1yebatek.info
emergency.microsoft.security.software.update.patch.nv.1yebatek.info

Pattern: six keyword labels (tech.net counts as one), then a random 2-5 character label, then the registered domain (a digit prefix plus a random word under .info).

Easy to find in DNS logs.

Domain = *.info
Query contains
emergency OR critical OR microsoft OR security OR software OR update OR patch OR system OR release OR tech.net OR windows

— Update 4/16 —

Still at it, slightly different

net.tech.windows.internet.7c23a7f1d978eaac81d9d3049f22a59c.wfyjp.4qastorb.info
net.tech.windows.internet.92181dc1ad75243ace8a1aee4cfa74be.gimi.12qastorb.info

Still easy to find in DNS logs.

Domain = *.info
Query contains
emergency OR critical OR microsoft OR security OR software OR update OR patch OR system OR release OR tech.net OR windows OR net.tech

Can also regex part of the domain for [a-f0-9]{32}\.[a-z]{3,6}\.[0-9]+[a-z]+\.info$

— Update 4/17 —

Still easy to find in DNS logs. LOL 🙂

Domain = *.info
Query contains
emergency OR critical OR microsoft OR security OR software OR update OR patch OR system OR release OR tech.net OR windows OR net.tech OR internet OR explorer
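As an added example (not code from the original posts), the two DNS checks above run over some resolver log lines, with a structural check alongside them. The structural check is my generalisation of the "six keywords, 2-5 character random label, then the domain" observation: it accepts any run of four or more keyword labels, optionally followed by a 32-hex label, so it covers both the original and the 4/16 form. The log line format (timestamp, client, query type, query name) and the client addresses are assumptions; the query names are the ones listed in the posts plus constructed benign noise.

```python
# Added example: Popads subdomain detection over constructed DNS log lines.
import re

# Keyword list as it stood after the 4/17 update.
KEYWORDS = ("emergency", "critical", "microsoft", "security", "software",
            "update", "patch", "system", "release", "tech.net", "windows",
            "net.tech", "internet", "explorer")

# The post's regex for the 4/16 variant.
HEX_VARIANT = re.compile(r"[a-f0-9]{32}\.[a-z]{3,6}\.[0-9]+[a-z]+\.info$")

# Structural check (generalised): >=4 keyword labels [+ 32-hex label],
# a 2-5 char random label, a digit-prefixed registered domain, ".info".
KEYWORD_LABELS = {"emergency", "critical", "microsoft", "security", "software",
                  "update", "patch", "system", "release", "tech", "net",
                  "windows", "internet", "explorer"}
RANDOM_LABEL = re.compile(r"[a-z]{2,5}")
REGISTERED = re.compile(r"[0-9]+[a-z]+")
HEX32 = re.compile(r"[a-f0-9]{32}")

# Constructed log: "timestamp client qtype qname"; qnames 1-3 are from the posts.
SAMPLE_LOG = [
    "2013-04-16T10:00:01 10.0.0.5 A tech.net.microsoft.windows.update.system.release.vukzy.1targetdayanalize.info",
    "2013-04-16T10:00:02 10.0.0.5 A emergency.microsoft.security.software.update.patch.nv.1yebatek.info",
    "2013-04-16T10:00:03 10.0.0.7 A net.tech.windows.internet.7c23a7f1d978eaac81d9d3049f22a59c.wfyjp.4qastorb.info",
    "2013-04-16T10:00:04 10.0.0.9 A update.example.info",
    "2013-04-16T10:00:05 10.0.0.9 A www.microsoft.com",
    "2013-04-16T10:00:06 10.0.0.9 A cdn.example.net",
]


def keyword_hit(qname):
    """The post's first-pass search: any keyword inside a *.info query."""
    q = qname.lower().rstrip(".")
    return q.endswith(".info") and any(k in q for k in KEYWORDS)


def structural_hit(qname):
    """Label-by-label check of the observed layout (see lead-in for scope)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 7 or labels[-1] != "info":
        return False
    registered, rnd, prefix = labels[-2], labels[-3], labels[:-3]
    if not (REGISTERED.fullmatch(registered) and RANDOM_LABEL.fullmatch(rnd)):
        return False
    if prefix and HEX32.fullmatch(prefix[-1]):   # 4/16 variant carries a hex label
        prefix = prefix[:-1]
    return len(prefix) >= 4 and all(l in KEYWORD_LABELS for l in prefix)


def classify(qname):
    """Which checks fire for one query name, in a fixed order."""
    reasons = []
    if keyword_hit(qname):
        reasons.append("keyword")
    if HEX_VARIANT.search(qname.lower()):
        reasons.append("hex-variant")
    if structural_hit(qname):
        reasons.append("structure")
    return reasons


def scan(lines):
    """(client, qname, reasons) for every log line that trips at least one check."""
    hits = []
    for line in lines:
        _ts, client, _qtype, qname = line.split()
        reasons = classify(qname)
        if reasons:
            hits.append((client, qname, reasons))
    return hits


if __name__ == "__main__":
    for client, qname, reasons in scan(SAMPLE_LOG):
        print(client, qname, reasons)
```

The keyword search alone is noisy: update.example.info trips it on the word "update" while failing the structural check, which is why the layout check is worth keeping next to the quick keyword query.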

Unknown Exploit Kit (32Char Hex)


This looks like NeoSploit to me. Any confirmation or assistance would be much appreciated. (Likely Popads)

Chain:

http://www.indiandefence.com/forums/indian-defence-industry/2775-bel-developing-software-defined-radio.html Compromised site (the redirect only fires with a Google referrer)
http://gfxet.18flibosters.com/?5d60e92b8cd6d36f921cde3682194dbd=15&397b4250de951041c69eaab0f0cb979a=indiandefence.com
http://gfxet.18flibosters.com/130dd10026f2bdd30eec146d70112a6f.eot > EOT font exploit (the Duqu TrueType font bug, CVE-2011-3402)
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/82fc47de539aa72b0283bbef826abce2.jar > malicious JAR
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/0 > XOR-encoded EXEs, served as text/html
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/1
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/2
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/3
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/4

Sigs:

HTTP Request Method = GET

Gate: \/\?[a-f0-9]{32}=[0-9]+&[a-f0-9]{32}=
See More Examples on UrlQuery.net
EOT: \/[a-f0-9]{32}\.eot$
JAR: \/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$
See More Examples on UrlQuery.net
EXEs: \/[a-f0-9]{32}\/[0-9]$
See More Examples on UrlQuery.net

Drops ZeroAccess (the UDP P2P variant).

Post Compromise ZA Indicators:

POST /CallBack/SomeScripts/mgsNewPeer.php HTTP/1.0
POST /CallBack/SomeScripts/mgsGetMGList.php HTTP/1.0
POST /CallBack/SomeScripts/update34.php HTTP/1.0

Sigs:

HTTP Request Method = POST
HTTP Uri = */CallBack/SomeScripts/*
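As an added example (not code from the original posts), here is a small signature engine that applies the HTTP-stage rules from both the "Popads Exploit Kit" sig list and the sigs in this post (gate, JNLP, EOT, SWF, JAR, class files, EXE fetch, ZeroAccess callback) to proxy log records and rebuilds the per-client chain. The pipe-separated record format, the client addresses, the "example.invalid" host standing in for the omitted Popads domain, and the callback host are assumptions; the URIs are the ones listed in the two chains above.

```python
# Added example: Popads/32Char-hex HTTP signatures over constructed proxy records.
import re
from collections import OrderedDict


def sig(name, uri, method="GET", ctype=None, ua=None):
    """One rule: method, URI regex, optional response content-type and UA regex."""
    return {"name": name, "method": method, "uri": re.compile(uri),
            "ctype": ctype, "ua": re.compile(ua) if ua else None}


SIGNATURES = [
    sig("gate", r"/\?[a-f0-9]{32}=[a-z0-9]{2,3}(&[a-f0-9]{32}=[a-z0-9_.-]+)?$"),
    sig("gate", r"/\?[a-f0-9]{32}=[0-9]+&[a-f0-9]{32}="),
    sig("jnlp", r"/[a-f0-9]{32}\.jnlp$"),
    sig("eot", r"/[a-f0-9]{32}\.eot$", ctype="application/vnd.ms-fontobject"),
    sig("swf", r"/[a-f0-9]{32}/[a-f0-9]{32}\.swf$", ctype="application/x-shockwave-flash"),
    sig("jar", r"/[a-f0-9]{32}/[a-f0-9]{32}\.jar$", ctype="application/x-java-archive"),
    sig("class", r"/[a-f0-9]{32}/java/lang/[a-zA-Z]+\.class$", ctype="text/html"),
    sig("exe", r"/[a-f0-9]{32}/[0-9]$", ctype="text/html", ua=r"^Java/1\."),
    sig("za_callback", r"^/CallBack/SomeScripts/", method="POST"),
]

# Constructed records: client|method|host|uri|response content-type|user-agent
BROWSER, JAVA = "Mozilla/5.0 (Windows NT 6.1)", "Java/1.7.0_10"
SAMPLE_LOG = [
    # Popads chain from the earlier post (domain omitted there, stand-in host here)
    f"10.0.0.5|GET|example.invalid|/?bbf49b029fa11db901403d06a520eee8=g15|text/html|{BROWSER}",
    f"10.0.0.5|GET|example.invalid|/35ddf971291d6ba1603daebd2e8f3677.eot|application/vnd.ms-fontobject|{BROWSER}",
    f"10.0.0.5|GET|example.invalid|/ceb5ac44146f822b47742aa2869f28f6/3b7414f89c83e64318605265a5419f52.swf|application/x-shockwave-flash|{BROWSER}",
    f"10.0.0.5|GET|example.invalid|/ceb5ac44146f822b47742aa2869f28f6/bd89ae7dee57f92f50f785a6bfe5e597.jar|application/x-java-archive|{JAVA}",
    f"10.0.0.5|GET|example.invalid|/45ce50c8f996cae6327f4525b96db70d/043bd8b18c03c98152fa76b39180342a.jar|application/x-java-archive|{JAVA}",
    f"10.0.0.5|GET|example.invalid|/ceb5ac44146f822b47742aa2869f28f6/java/lang/ClassBeanInfo.class|text/html|{JAVA}",
    f"10.0.0.5|GET|example.invalid|/ceb5ac44146f822b47742aa2869f28f6/java/lang/ObjectBeanInfo.class|text/html|{JAVA}",
    f"10.0.0.5|GET|example.invalid|/ceb5ac44146f822b47742aa2869f28f6/java/lang/ObjectCustomizer.class|text/html|{JAVA}",
    f"10.0.0.5|GET|example.invalid|/ceb5ac44146f822b47742aa2869f28f6/java/lang/ClassCustomizer.class|text/html|{JAVA}",
    f"10.0.0.5|GET|example.invalid|/ceb5ac44146f822b47742aa2869f28f6/0|text/html|{JAVA}",
    f"10.0.0.5|GET|example.invalid|/ceb5ac44146f822b47742aa2869f28f6/4|text/html|{JAVA}",
    # 32Char-hex chain from this post, then the ZeroAccess callbacks (callback host assumed)
    f"10.0.0.9|GET|gfxet.18flibosters.com|/?5d60e92b8cd6d36f921cde3682194dbd=15&397b4250de951041c69eaab0f0cb979a=indiandefence.com|text/html|{BROWSER}",
    f"10.0.0.9|GET|gfxet.18flibosters.com|/130dd10026f2bdd30eec146d70112a6f.eot|application/vnd.ms-fontobject|{BROWSER}",
    f"10.0.0.9|GET|gfxet.18flibosters.com|/a824e75bc82d7dc0318ee725baa39201/82fc47de539aa72b0283bbef826abce2.jar|application/x-java-archive|{JAVA}",
    f"10.0.0.9|GET|gfxet.18flibosters.com|/a824e75bc82d7dc0318ee725baa39201/0|text/html|{JAVA}",
    f"10.0.0.9|POST|za-peer.invalid|/CallBack/SomeScripts/mgsNewPeer.php|text/html|{BROWSER}",
    f"10.0.0.9|POST|za-peer.invalid|/CallBack/SomeScripts/mgsGetMGList.php|text/html|{BROWSER}",
    # benign noise: an ordinary web font must not trip the EOT rule
    f"10.0.0.20|GET|www.example.invalid|/index.html|text/html|{BROWSER}",
    f"10.0.0.20|GET|www.example.invalid|/fonts/open-sans.eot|application/vnd.ms-fontobject|{BROWSER}",
]


def parse_record(line):
    client, method, host, uri, ctype, ua = line.split("|", 5)
    return {"client": client, "method": method, "host": host, "uri": uri, "ctype": ctype, "ua": ua}


def match_signatures(rec):
    """Names of all rules the record satisfies (deduplicated, rule order)."""
    hits = []
    for s in SIGNATURES:
        if s["method"] != rec["method"] or (s["ctype"] and s["ctype"] != rec["ctype"]):
            continue
        if s["ua"] and not s["ua"].search(rec["ua"]):
            continue
        if s["uri"].search(rec["uri"]) and s["name"] not in hits:
            hits.append(s["name"])
    return hits


def reconstruct_chains(lines):
    """client -> ordered [(stage, host, uri)] for every record that hit a rule."""
    chains = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        for name in match_signatures(rec):
            chains.setdefault(rec["client"], []).append((name, rec["host"], rec["uri"]))
    return chains


def infected_clients(lines):
    """Clients whose chain reached the payload fetch or are already calling back."""
    return [c for c, stages in reconstruct_chains(lines).items()
            if any(stage in ("exe", "za_callback") for stage, _h, _u in stages)]


if __name__ == "__main__":
    for client, stages in reconstruct_chains(SAMPLE_LOG).items():
        print(client, [s[0] for s in stages])
    print("infected:", infected_clients(SAMPLE_LOG))
```

The EXE rule keys on the Java user-agent and the /0-/4 shape, not on the response status, so the 404s seen for /1-/3 in the first chain would also fire it; that is the rule as written in the posts, and it is the right behaviour for chain reconstruction since the request itself proves the JAR ran.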