During daily data mining activities, we observe continual outbreaks of many exploit kits (EK) such as RIG EK. Logs are monitored and analyzed to come up with new protections, which are eventually deployed in the Zscaler cloud. The dynamic nature of EK’s landing page code, presents a constant challenge in providing generic detections. We need to take a look at various aspects of EK’s such as URLs/Domains/IP’s to come up with a generic detection guidance. In this regard, log analysis plays an important role.
Sept 4th EK URLs: 
In this blog we'll take a look logs from last week (8/28/2014 - 9/5/2014), observed for RIG EK.
 |
| RIG EK Traffic (%) |
The above chart illustrates the traffic trend of RIG EK over the past week. There was a significant spike noted on Sept. 4th.
Sept 4th Domains/IP:
| Domains | IP |
| eir.alexandrajarup[.]com | 194.58.101[.]24 |
| eir.alexandrajarup[.]com | 194.58.101[.]24 |
| uiue.nuiausqas[.]com | 194.58.101[.]24 |
| iow.alanmccaig[.]com | 191.101.14[.]125 |
| ods.alankellygang[.]com | 191.101.14[.]125 |
| uew.alankellygang[.]com | 191.101.14[.]125 |
| soi.alankellygang[.]com | 191.101.14[.]125 |
| eur.alankellygang[.]com | 191.101.14[.]125 |
| sod.alankellygang[.]com | 191.101.14[.]125 |
| soa.alankellygang[.]com | 191.101.14[.]125 |
| lol.alankellygang[.]com | 191.101.14[.]125 |
Sept 4th EK URLs:
Sept 4th common URL pattern:
[.]com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg
RIG EK landing page content:
 |
| RIG EK Landing Page |
Code analysis of the landing page shown above is not discussed here. For a full code analysis, please take a look at our blog post from last month. In that blog, we tried to come up with a generic de-obfuscation technique that helps to de-obfuscate the EKs such as RIG and Fiesta.
Let's now take look at the overall traffic distribution by IP for the last week (8/28/2014 - 9/5/2014).
 |
| Traffic distribution by EK IP's |
| Traffic was observed from 13 unique IP addresses. IP '191.101.14[.]125', was seen to be spreading the EK's in large volumes. We also observed many IP addresses falling into three subnets. 194.58.101[.]XXX 191.101.13[.]XXX 191.101.14[.]XXX We recommend blocking the aforementioned IP's. Subnet level blocks can also be used but we have to be bit cautious when doing so as legitimate sites may also be hosted in the same range. The following world map illustrates the geographical distribution of the EK IP's which have been observed. As noted, most activity is emanating from Russia.
|
No geo-location information was available for IP's falling into '191.101.XX.XX' subnet.
Below is the full list of domains and IP's seen for the previous week.
| Domains | IP |
| tue.allthatsin[.]com | 178.132.203[.]113 |
| qie.allthatsin[.]com | 178.132.203[.]113 |
| dfu.aloliskincare[.]com | 194.58.101[.]38 |
| uer.alistairnunes[.]com | 194.58.101[.]31 |
| eir.alexandrajarup[.]com | 194.58.101[.]24 |
| oweuryt.account-ltunes[.]com | 191.101.13[.]139 |
| teyruyt.a[.]commodationinsauze[.]com | 191.101.13[.]139 |
| weorioi.a[.]commodationinsauze[.]com | 191.101.13[.]139 |
| owiery.wikusbotha[.]com | 191.101.13[.]140 |
| nuaysuq.planeimpressions[.]com | 5.31.72[.]115 |
| suyfdys.online-moneymakingsystem[.]com | 5.31.72[.]115 |
| iuiweyr.online-moneymakingsystem[.]com | 5.31.72[.]115 |
| oweiru.laughterisgoodmedicine[.]com | 5.31.72[.]115 |
| woiero.laughterisgoodmedicine[.]com | 5.31.72[.]115 |
| aosidoa.kensymicek[.]com | 191.101.13[.]202 |
| sdfusug.kensymicek[.]com | 191.101.13[.]202 |
| qwieuu.kensymicek[.]com | 191.101.13[.]202 |
| iuasid.kensymicek[.]com | 191.101.13[.]202 |
| odigoud.helny[.]com | 191.101.13[.]202 |
| qoiweur.helny[.]com | 191.101.13[.]202 |
| miiuis.helny[.]com | 191.101.13[.]202 |
| oeriouh.francisssmith[.]com | 191.101.13[.]202 |
| dciugi.francisssmith[.]com | 191.101.13[.]202 |
| gdofigu.forgottenapples[.]com | 191.101.13[.]201 |
| miqwue.boxsteravatar[.]com | 191.101.13[.]200 |
| popoqwe.dukeanddiva[.]com | 191.101.13[.]201 |
| mbivuc.click2maps[.]com | 191.101.13[.]201 |
| oiqwour.click2maps[.]com | 191.101.13[.]201 |
| mbivuc.click2maps[.]com | 191.101.13[.]201 |
| oiqwour.click2maps[.]com | 191.101.13[.]201 |
| oiaosdu.bluffswebdesign[.]com | 191.101.13[.]201 |
| dwieru.bluffswebdesign[.]com | 191.101.13[.]201 |
| nuasiud.amiramatthews[.]com | 191.101.13[.]200 |
| miuggid.748tmp[.]com | 191.101.13[.]200 |
| owierowu.748tmp[.]com | 191.101.13[.]200 |
| eoitoe.boxsteravatar[.]com | 191.101.13[.]200 |
| miqwue.boxsteravatar[.]com | 191.101.13[.]200 |
| wueriq.boxsteravatar[.]com | 191.101.13[.]200 |
| naduq.00tim[.]com | 191.101.13[.]198 |
| miasud.bigredshed.org[.]uk | 191.101.13[.]198 |
| qiuwer.121sky[.]com | 191.101.13[.]198 |
| digudyfg.belucent.co[.]uk | 191.101.13[.]196 |
| woiero.beauchamplondon.co[.]uk | 191.101.13[.]196 |
| eir.alexandrajarup[.]com | 194.58.101[.]24 |
| uiue.nuiausqas[.]com | 194.58.101[.]24 |
| iow.alanmccaig[.]com | 191.101.14[.]125 |
| ods.alankellygang[.]com | 191.101.14[.]125 |
| uew.alankellygang[.]com | 191.101.14[.]125 |
| soi.alankellygang[.]com | 191.101.14[.]125 |
| eur.alankellygang[.]com | 191.101.14[.]125 |
| sod.alankellygang[.]com | 191.101.14[.]125 |
| soa.alankellygang[.]com | 191.101.14[.]125 |
| lol.alankellygang[.]com | 191.101.14[.]125 |
| kick.alankellygang[.]com | 191.101.14[.]125 |
| sdifu.alanhalldriving[.]com | 191.101.14[.]125 |
| pqqie.alanhalldriving[.]com | 191.101.14[.]125 |
| weoriuwyt.alanhalldriving[.]com | 191.101.14[.]125 |
| oigydfg.alanhalldriving[.]com | 191.101.14[.]125 |
| oiweyr.alanhalldriving[.]com | 191.101.14[.]125 |
| fgydy.ajrobertsconsulting[.]com | 191.101.14[.]125 |
| husaus.ajrobertsconsulting[.]com | 191.101.14[.]125 |
| super.affogatomoments[.]com | 191.101.13[.]139 |
| iuweryw.activity-partners[.]com | 191.101.13[.]139 |
| weorioi.a[.]commodationinsauze[.]com | 191.101.13[.]139 |
| owiery.wikusbotha[.]com | 191.101.13[.]140 |
| oiqwour.click2maps[.]com | 191.101.13[.]201 |
| oiaosdu.bluffswebdesign[.]com | 191.101.13[.]201 |
| dwieru.bluffswebdesign[.]com | 191.101.13[.]201 |
| owierowu.748tmp[.]com | 191.101.13[.]200 |
| eoitoe.boxsteravatar[.]com | 191.101.13[.]200 |
| miqwue.boxsteravatar[.]com | 191.101.13[.]200 |
| qiuwer.121sky[.]com | 191.101.13[.]198 |
The above trend shows a continuous outbreak of RIG EK in the wild. Data mining logs for such activity provides us with a sense of the trends being followed by the attackers. We will keep on sharing such information via blogs/scrapbook posts.
Stay tuned!
Pradeep
