Re: Java script exploit

[Andreas Beck <becka-list-bugtraq () bedatec de>]

gandalf () digital net wrote:
> Greetings and Salutations:
> I just receieved this exploit, 

It is none, as others already have mentioned.

I suppose you got it from one of the various "you received a postcard"
mailings going round.


It is basically a trampoline that will lead to a series of webservers
that have been compromised which will redirect to each other (typically
2 or 3 steps) using frames, iframes or similar javascripts (they use the
same basic en-/decoder, as far as I have seen).


The last step, however (which is probably what triggered a trap on your
system) is a piece of HTML that is using 3 or 4 different exploits 
to try to download and execute a variant of Haxdoor.

The first two are trying to use ActiveX together with .chm bugs (not
sure, if I should count them as two), the next utilizes some JavaApplet
called " SandBoxEscape.class", while the fourth tries to exploit
http://www.securiteam.com/windowsntfocus/6B00L2KEKW.html

The binary that should have been downloaded was identified by
virusscan.jotti.org as being 
- Bitdefender BehavesLike:Trojan.WinlogonHook (probable variant), 
- NOD32 a variant of Win32/Haxdoor
- VBA32 Trojan-Downloader.Agent.84 (probable variant).


Note, that only three of about a dozen Scanners installed on jotti
identify the malware, as it seems to be modified.


I have given a short description of what I've seen there in the german
newsgroup de.comp.security.virus with MID
slrndv299i.sp1.becka-news-nospam-2006-02 () xeon mcs acs uni-duesseldorf de


> Subject: You have received a postcard!   Id: 7963

Ah. Good guess.


Kind regards,

Andreas Beck

-- 
Andreas Beck
http://www.bedatec.de/