In this paper we present a historical overview of malicious network activity that we have been observing since 2011 and that can be roughly categorized as Lurk. This activity mainly involved compromises of high-profile sites, which were then used as watering holes to compromise a targeted audience. We review the targets compromised over time, the techniques and activities used by the Lurk group, the associated indicators, and the evolution of the group's capabilities.
What is Lurk? We define Lurk as a set of loosely associated activities which, at the beginning, had a very distinct characteristic: they often served a non-persistent payload that probed the target of interest before deciding whether any additional payload needed to be served. Hence the name "Lurk". The nature of the malicious activity was very similar to other for-profit criminal activity. The group compromised a number of high-profile websites and injected them with code redirecting to Lurk endpoints, which in turn decided whether to serve malicious content (i.e. exploit kit code) or simply send a redirect to a third-party website such as google.com.
Several techniques were observed being used by the group to minimize the chance of campaign detection. Serving malicious content only to limited IP ranges of interest is a technique also frequently used by other exploit kit operators. However, this particular group also utilized other methods, such as:
Lurk continued to use a very distinct URL pattern in its activities, which could be easily detected even with traditional IDS systems such as Snort (all of the connections were plain-text HTTP).
Examples of signature patterns:
animal42bury.com 188.165.136.148 80 POST http://animal42bury.com/search?hl=us&source=hp&q=23724032&aq=f&aqi=&aql=&oq= text/plain 200
robotic17e.com 188.165.136.43 80 GET http://robotic17e.com/search?hl=us&source=hp&q=57468&aq=f&aqi=&aql=&oq=57468 text/html 200
animal42bury.com 188.165.136.148 80 POST http://animal42bury.com/search?hl=us&source=hp&q=1000000000553788&aq=f&aqi=&aql=&oq= text/html 200
animal42bury.com 188.165.136.148 80 POST http://animal42bury.com/search?hl=us&source=hp&q=1000000000553788&aq=f&aqi=&aql=&oq= text/html 200
GET;http://concisesteve.info/ISOQ;HTTP/1.1 64.79.67.220 concisesteve.info 200 235 677 http://www.3dnews.ru/news/640065
GET;http://concisesteve.info/ISOQ;HTTP/1.1 64.79.67.220 concisesteve.info 200 58435 688 http://www.vesti.ru/doc.html?id=1001992
GET;http://mgsinterviews.biz/ISOQ;HTTP/1.1 64.79.67.220 mgsinterviews.biz 200 58236 703 http://234x120.adv.vz.ru/cgi-bin/iframe/vz?24562&options=N
GET;http://mgsinterviews.biz/ISOQ;HTTP/1.1 64.79.67.220 mgsinterviews.biz 200 58217 688 http://www.tks.ru/reviews/2013/01/25/01
In [72]:
# preamble
# load libraries and set plot parameters
import numpy as np
from prettytable import PrettyTable as pt
import matplotlib.pyplot as plt
%matplotlib inline
from IPython.display import set_matplotlib_formats
set_matplotlib_formats('pdf', 'png')
plt.rcParams['savefig.dpi'] = 75
plt.rcParams['figure.autolayout'] = False
plt.rcParams['figure.figsize'] = 10, 6
plt.rcParams['axes.labelsize'] = 18
plt.rcParams['axes.titlesize'] = 20
plt.rcParams['font.size'] = 16
plt.rcParams['lines.linewidth'] = 2.0
plt.rcParams['lines.markersize'] = 8
plt.rcParams['legend.fontsize'] = 14
plt.rcParams['text.usetex'] = True
plt.rcParams['font.family'] = "serif"
plt.rcParams['font.serif'] = "cm"
# raw string: a plain "\u..." is an invalid unicode escape in Python 3, and a comma in the
# LaTeX preamble would be typeset as text before \begin{document} and fail
plt.rcParams['text.latex.preamble'] = r"\usepackage{subdepth} \usepackage{type1cm}"
Based on our estimate, the Lurk group has been active since at least 2011. We started collecting related artifacts in early 2012, when their network pattern became more or less distinctive, and continued until the series of arrests of group members, when other parties started publicly disclosing related information.
In May 2012 we observed what we call Version 3, and in August (8-6-12) Version 4, of the bodyless activity. Here is an example of the serving URLs.
http://braingameser.info/2T4T;HTTP/1.1 207.182.136.146 braingameser.info 200 58062 604 referenced by http://www.3dnews.ru/news (mime text/html)
http://braingameser.info/02T4Tdq;HTTP/1.1 207.182.136.146 braingameser.info 200 6020 423 http://braingameser.info/2T4T (mime: text/html)
http://braingameser.info/02T4Tjq;HTTP/1.1 207.182.136.146 braingameser.info 200 19797 300 Mozilla/4.0;(Windows;7;6.1);Java/1.6.0_31 fetching mime: application/3dr
http://braingameser.info/12T4Tjq;HTTP/1.1 207.182.136.146 braingameser.info 200 98712 259 Java/1.6.0_31 - - application/octet-stream
POST http://scum36organ.com/search?hl=us%26source=hp%26q=1211826176%26aq=f%26aqi=%26aql=%26oq= 5.10.68.31 scum36organ.com 200 251 7118 130 text/html
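As an added example, not code from the original notebook, the following Python matches both Lurk URL shapes shown on this page (the fixed `/search?hl=us&source=hp&q=...` query skeleton and the bodyless `[0|1]<token>{dq|jq|dl}` paths) over constructed records laid out like the proxy lines above, and reconstructs which stage of the serving chain each (host, token) pair reached. The stage names and the per-record sizes are assumptions; the hosts and tokens come from the page.

```python
import re
from collections import defaultdict

# Constructed sample records in the page's "METHOD;URL;HTTP/1.1 ip host status ..." layout (sizes illustrative)
SAMPLE_LOG = """\
GET;http://braingameser.info/2T4T;HTTP/1.1 207.182.136.146 braingameser.info 200 58062 604 text/html
GET;http://braingameser.info/02T4Tjq;HTTP/1.1 207.182.136.146 braingameser.info 200 19797 300 application/java-archive
GET;http://braingameser.info/12T4Tjq;HTTP/1.1 207.182.136.146 braingameser.info 200 98712 259 application/octet-stream
GET;http://sedratewa.info/1ISOQjq;HTTP/1.1 208.110.73.74 sedratewa.info 407 187 4135 -
GET;http://robotic17e.com/search?hl=us&source=hp&q=36154&aq=f&aqi=&aql=&oq=36154;HTTP/1.1 188.165.136.43 robotic17e.com 200 484 340303 text/html
"""

# Google-lookalike query string: fixed parameter skeleton around a numeric q=
SEARCH_RE = re.compile(r"^/search\?hl=us&source=hp&q=(\d+)&aq=f&aqi=&aql=&oq=\d*$")
# Bodyless token path: optional stage digit, 4-char token, optional suffix (dq/jq in 2012-2013, dl in 2014)
TOKEN_RE = re.compile(r"^/([01]?)([A-Z0-9]{4})(dq|jq|dl)?$")
STAGE = {"": "landing", "0": "exploit", "1": "payload"}  # assumed names: 0*jq was a jar, 1*jq a binary

def parse_line(line):
    """Split one record into host, path, status and the trailing MIME field."""
    head, _ip, host, status, *rest = line.split()
    _method, url, _proto = head.split(";")
    return {"host": host, "path": url.split(host, 1)[1],
            "status": status, "mime": rest[-1] if rest else "-"}

def classify(path):
    """Return (family, token, stage) for a Lurk-shaped path, else None."""
    m = SEARCH_RE.match(path)
    if m:
        return ("search", m.group(1), "beacon")
    m = TOKEN_RE.match(path)
    return ("bodyless", m.group(2), STAGE[m.group(1)]) if m else None

def reconstruct(log_text):
    """All hits plus, per (host, token), the stages seen with status and MIME."""
    hits, chains = [], defaultdict(dict)
    for rec in map(parse_line, log_text.splitlines()):
        c = classify(rec["path"])
        if c is None:
            continue
        family, token, stage = c
        hits.append((rec["host"], family, token, stage))
        if family == "bodyless":
            chains[(rec["host"], token)][stage] = (rec["status"], rec["mime"])
    return hits, dict(chains)

def payload_delivered(chains):
    """Chains whose payload stage completed: HTTP 200 with an octet-stream body."""
    return sorted(k for k, st in chains.items()
                  if st.get("payload") == ("200", "application/octet-stream"))
```

A chain that only reached a 407 (proxy authentication required) on the payload stage, like the sedratewa.info sample, is reported as seen but not as delivered.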
In [73]:
from IPython.display import Image
Image(filename='images/Advert.PNG', width=500)
Out[73]:
In [95]:
Image(filename='images/adfox.png', width=500)
Out[95]:
In [76]:
Image(filename='images/Div.PNG', width=500)
Out[76]:
In [77]:
Image(filename='images/tks_bodyless_aug_27_2013_fiddler.PNG',width=500)
Out[77]:
28.01.2013 15:15 - mgsinterviews.biz 64.79.67.220 80 GET http://mgsinterviews.biz/0ISOQjq application/java-archive 200 TCP 668 21460
28.01.2013 15:15 - mgsinterviews.biz 64.79.67.220 80 GET http://mgsinterviews.biz/1ISOQjq application/octet-stream 200 TCP 597 123280
28.01.2013 15:15 http://234x120.adv.vz.ru/cgi-bin/iframe/vz?44122&options=N mgsinterviews.biz 64.79.67.220 80 GET http://mgsinterviews.biz/ISOQ text/html 200 TCP 629 58214
2013-01-28 15:16:29.033 http://234x120.adv.vz.ru/cgi-bin/iframe/vz?96815&options=N mgsinterviews.biz 64.79.67.220 80 GET http://mgsinterviews.biz/ISOQ text/html 200 TCP 592 194
28.01.2013 15:19 http://234x120.adv.vz.ru/cgi-bin/iframe/vz?76056&options=N mgsinterviews.biz 64.79.67.220 80 GET http://mgsinterviews.biz/ISOQ text/html 200 TCP 325 194
28.01.2013 15:24 http://234x120.adv.vz.ru/cgi-bin/iframe/echomsk?111 mgsinterviews.biz 64.79.67.220 80 GET http://mgsinterviews.biz/ISOQ text/html 200 TCP 680 194
28.01.2013 15:33 http://234x120.adv.vz.ru/cgi-bin/iframe/echomsk?111 mgsinterviews.biz 64.79.67.220 80 GET http://mgsinterviews.biz/ISOQ text/html 200 TCP 318 194
2013-01-28 15:40:10.020 http://234x120.adv.vz.ru/cgi-bin/iframe/vz?25730&options=N mgsinterviews.biz 64.79.67.220 80 GET http://mgsinterviews.biz/ISOQ text/html 200 TCP 1095 194
28.01.2013 15:50 http://234x120.adv.vz.ru/cgi-bin/iframe/echomsk?111 mgsinterviews.biz 64.79.67.220 80 GET http://mgsinterviews.biz/ISOQ text/html 200 TCP 338 194
In January 2013 the Lurk group was observed serving content through a national TV website (vesti.ru) known to have over one million unique visitors per day, producing an enormous number of potential victims. Here are some examples of Lurk activity in proxy logs:
22.01.2013 16:33 http://www.vesti.ru/m/doc.html?id=1011083&cid=520 cetapetrar.info 64.79.67.220 80 GET http://cetapetrar.info/ISOQ
22.01.2013 16:49 http://www.vesti.ru/doc.html?id=1011907 cetapetrar.info 64.79.67.220 80 GET http://cetapetrar.info/ISOQ
2013-01-22 16:50:20.070 http://www.vesti.ru/doc.html?id=1008251&cid=7 cetapetrar.info 64.79.67.220 80 GET http://cetapetrar.info/ISOQ
22.01.2013 17:09 http://www.vesti.ru/doc.html?id=1011900 cetapetrar.info 64.79.67.220 80 GET http://cetapetrar.info/ISOQ
On 28-01-2013 we identified a new IP address associated with the Lurk group: 208.110.73.74
Example of associated activities:
GET;http://sedratewa.info/ISOQ;HTTP/1.1 208.110.73.74 sedratewa.info 200 871 332 152 706 http://www.3dnews.ru/games/640700/ Mozilla/4.0; - 0 text/html
GET;http://sedratewa.info/0ISOQjq;HTTP/1.1 208.110.73.74 sedratewa.info 200 566 21575 21413 401 - Mozilla/4.0;(Windows;7;6.1);Java/1.6.0_21 - 0 application/java-archive
GET;http://sedratewa.info/1ISOQjq;HTTP/1.1 208.110.73.74 sedratewa.info 407 187 4135 0 0 - Java/1.6.0_21 - 0 -
GET;http://sedratewa.info/1ISOQjq;HTTP/1.1 208.110.73.74 sedratewa.info 407 287 4194 0 0 - Java/1.6.0_21 - 0 -
GET;http://sedratewa.info/1ISOQjq;HTTP/1.1 208.110.73.74 sedratewa.info 200 459 119279 119137 244 - Java/1.6.0_21 - 0 application/octet-stream
GET;http://robotic17e.com/search?hl=us&source=hp&q=36154&aq=f&aqi=&aql=&oq=36154;HTTP/1.1 188.165.136.43 robotic17e.com 200 484 340303 340156 269 - - - 0 text/html
POST;http://animal42bury.com/search?hl=us&source=hp&q=1000000000555827&aq=f&aqi=&aql=&oq=;HTTP/1.1 188.165.136.148 animal42bury.com 200 267 315 197 322 - - - 0 text/html
In [96]:
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
%matplotlib inline
# proxy log export of Lurk-related requests, one row per request
lurk01 = pd.read_csv("lurk_aug17_2013.csv", parse_dates=['log_time'])
lurk01.rename(columns={'bytes_sent': 'bytesSent'}, inplace=True)
#lurk01.head()
In [79]:
lurk01.describe()
Out[79]:
In [97]:
#lurk01['bytesSent'].describe()
In [81]:
# keep only the columns needed for the per-referrer breakdown
lurk01d = lurk01[['log_time', 'referrerd_server', 'dest_host', 'dest_host_ip', 'uri', 'bytesSent']]
lurk01d.head()
Out[81]:
In [82]:
# one group per referring (compromised) site
lurk01d_group = lurk01d.groupby('referrerd_server')
lurk01d_group.size()
Out[82]:
In [87]:
# sum only the byte counter; summing the datetime and string columns fails on newer pandas
lurk01d_total = lurk01d_group['bytesSent'].sum()
lurk01d_total.head()
Out[87]:
In [84]:
# bytes served per referring site
lurk01d_plot = lurk01d_total.plot(kind='bar')
2014 was significant in Lurk's history, with a number of high-profile intermediate victims being repeatedly compromised by the group.
24.02.2014 15:48 meow://ad.3dnews.ru/www/delivery/afr.php?resize=1&zoneid=171&cb=INSERT_RANDOM_NUMBER_HERE panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html 407 4155 508 HTTP Mon, 24 Feb 2014 11:48:45 GMT
24.02.2014 15:48 meow://ad.3dnews.ru/www/delivery/afr.php?resize=1&zoneid=171&cb=INSERT_RANDOM_NUMBER_HERE panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html 407 4220 592 HTTP Mon, 24 Feb 2014 11:48:45 GMT
24.02.2014 15:48 - panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html text/html 404 813 984 HTTP Mon, 24 Feb 2014 11:48:46 GMT
24.02.2014 15:48 - panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html text/html 404 813 508 HTTP Mon, 24 Feb 2014 11:48:47 GMT
24.02.2014 15:48 - panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html text/html 404 813 508 HTTP Mon, 24 Feb 2014 11:48:52 GMT
24.02.2014 15:49 meow://ad.3dnews.ru/www/delivery/afr.php?resize=1&zoneid=171&cb=INSERT_RANDOM_NUMBER_HERE panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html 407 4155 508 HTTP Mon, 24 Feb 2014 11:49:33 GMT
24.02.2014 15:49 meow://ad.3dnews.ru/www/delivery/afr.php?resize=1&zoneid=171&cb=INSERT_RANDOM_NUMBER_HERE panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html 407 4220 592 HTTP Mon, 24 Feb 2014 11:49:33 GMT
24.02.2014 15:49 - panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html text/html 404 813 984 HTTP Mon, 24 Feb 2014 11:49:34 GMT
24.02.2014 15:49 meow://ad.3dnews.ru/www/delivery/afr.php?resize=1&zoneid=171&cb=INSERT_RANDOM_NUMBER_HERE panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html 407 4155 508 HTTP Mon, 24 Feb 2014 11:49:57 GMT
24.02.2014 15:49 meow://ad.3dnews.ru/www/delivery/afr.php?resize=1&zoneid=171&cb=INSERT_RANDOM_NUMBER_HERE panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html 407 4220 592 HTTP Mon, 24 Feb 2014 11:49:57 GMT
24.02.2014 15:49 - panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html text/html 404 813 984 HTTP Mon, 24 Feb 2014 11:49:57 GMT
24.02.2014 15:55 - panachediminished.info 69.64.91.24 80 GET meow://panachediminished.info/indexm.html text/html 404 813 672 HTTP Mon, 24 Feb 2014 11:55:34 GMT
30.05.2014 16:40 meow://www.myconnectionserver.com/support/tutorials/v90/iisreverseproxy/index.html www.visualware.com 74.200.64.138 80 GET meow://www.visualware.com/indexm.html 407 4143 429 HTTP Fri, 30 May 2014 12:40:24 GMT
30.05.2014 16:40 meow://www.myconnectionserver.com/support/tutorials/v90/iisreverseproxy/index.html www.visualware.com 74.200.64.138 80 GET meow://www.visualware.com/indexm.html 407 4208 513 HTTP Fri, 30 May 2014 12:40:24 GMT
30.05.2014 16:40 - www.visualware.com 74.200.64.138 80 GET meow://www.visualware.com/indexm.html text/html 200 7274 693 HTTP Fri, 30 May 2014 12:40:25 GMT
3dnews.ru (TBD: show cool stats)
2015/03/16 15:22:16 Dst IP/Port: 5.135.242.172:80 (FRA) [AS16276 OVH SAS] {RIPE}
GET /indexm.html HTTP/1.1
Host: asop2kcn-o3jus.howperaforjo.in
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Referer: http://www.3dnews.ru/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Mon, 16 Mar 2015 12:22:14 GMT
Content-Type: text/html
Connection: close
Location: http://google.com

2015/03/20 14:47:33 Dst IP/Port: 5.135.242.172:80 (FRA) [AS16276 OVH SAS] {RIPE}
GET /indexm.html HTTP/1.1
Host: sdkl3458jd.osdl4op34xnwe-dk3.in
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Referer: http://w6.tks.ru/adserver/www/delivery/afr.php?zoneid=14
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Mar 2015 11:47:31 GMT
Landing: indexm.html
//askd29-as72hhoip[.]poweji093fbad.in/indexm.html
//askd29-as72hhoip[.]poweji093fbad.in/0MSKMdl
//askd29-as72hhoip[.]poweji093fbad.in/cljlkzaaukinh.html
188.165.229.195 (angler)
... https://www.virustotal.com/en/file/d947e1ad59d4dfeaa6872a6bda701e67d40a265f711f74984aa286a59daf1373/analysis/1418902222/ File name: 0MSKMdl Detection ratio: 9 / 52 Analysis date: 2014-12-18 11:30:22 UTC ( 2 minutes ago )
..
12/15/2014 13:55 GET meow://moapisytra.poweji093fbad.in/indexm.html 188.165.229.195 moapisytra.poweji093fbad.in 403 444 meow://www.rbc[.]ua/rus/news/economic/v-kabmine-podgotovili-proekt-gosbyudzheta-2015-s-defitsitom-15122014123500
12/16/2014 11:48 GET meow://pwoyquy-saswu0.jomlakisow.in/indexm.html 5.196.251.171 pwoyquy-saswu0.jomlakisow.in 403 688 meow://www.rbcua[.]com/rus/bank-v-ekaterinburge-nachal-prodavat-evro-po-100-rubley-16122014090500
12/16/2014 13:41 GET meow://opqwejmfsd34.nxpoitrawebo.in/indexm.html 5.196.251.171 opqwejmfsd34.nxpoitrawebo.in 403 612 meow://www.utro[.]ua/
12/17/2014 14:08 GET meow://pwoyquy-saswu0.jomlakisow.in/indexm.html 5.196.251.171 pwoyquy-saswu0.jomlakisow.in 403 645 meow://www.novostimira.com[.]ua/news_10670.html
...
Active compromise of financial institutions by the Lurk group led to a series of investigations by Group-IB and Kaspersky Lab, leading to the arrest of some group members. There were multiple publications on 'Lurk' this year. Here are a few of them: