torsdag 20. juni 2013

StyX Exploit Kit - A pattern emerges

I recently noticed that the URL length for the StyX Exploit Kit had suddenly changed from 40-90 characters to go to as long as 257 in length.

After a lot of investigation a pattern suddenly emerged before my eyes.
Here is a screenshoot of a lot of StyX urls lined up after each other (picked from various places, but mostly from UrlQuery).


It is not easy to see a pattern just yet, but if I color the value 1 and 0 with blue, the pattern suddenly appears.

As you can see in every url the 7th letter is 0 or 1, and after this every 5th is either 0 or 1.
So the  new pattern for the landing page is:

.*/[a-zA-Z0-9]{6,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1).*

URLQuery

This will not produce a lot of FP and if it does you could add another 4 letters + 0or1 in the pattern.
Styx uses the same pattern for Java,PDF and EOT exploits (correct me if I am wrong)

Jar pattern:
.*/[a-zA-Z0-9]{6,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1).*\.jar$
URLQuery

Pdf pattern:
.*/[a-zA-Z0-9]{6,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1).*\.pdf$
URLQuery

EOT pattern:
.*/[a-zA-Z0-9]{6,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1)[a-zA-Z0-9]{4,}(0|1).*\.eot$
URLQuery

Happy Styx hunting and dissecting.

Other Styx References:
http://malforsec.blogspot.no/2013/04/styx-exploit-kit-analysis-building.html
 http://www.malwaresigs.com/?s=Styx
http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html
http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html