[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20060219180044.GB11863@acs.uni-duesseldorf.de>
Date: Sun, 19 Feb 2006 19:00:44 +0100
From: Andreas Beck <becka-list-bugtraq@...atec.de>
To: bugtraq@...urityfocus.com
Subject: Re: Java script exploit
gandalf@...ital.net wrote:
> Greetings and Salutations:
> I just receieved this exploit,
It is none, as others already have mentioned.
I suppose you got it from one of the various "you received a postcard"
mailings going round.
It is basically a trampoline that will lead to a series of webservers
that have been compromised which will redirect to each other (typically
2 or 3 steps) using frames, iframes or similar javascripts (they use the
same basic en-/decoder, as far as I have seen).
The last step, however (which is probably what triggered a trap on your
system) is a piece of HTML that is using 3 or 4 different exploits
to try to download and execute a variant of Haxdoor.
The first two are trying to use ActiveX together with .chm bugs (not
sure, if I should count them as two), the next utilizes some JavaApplet
called " SandBoxEscape.class", while the fourth tries to exploit
http://www.securiteam.com/windowsntfocus/6B00L2KEKW.html
The binary that should have been downloaded was identified by
virusscan.jotti.org as being
- Bitdefender BehavesLike:Trojan.WinlogonHook (probable variant),
- NOD32 a variant of Win32/Haxdoor
- VBA32 Trojan-Downloader.Agent.84 (probable variant).
Note, that only three of about a dozen Scanners installed on jotti
identify the malware, as it seems to be modified.
I have given a short description of what I've seen there in the german
newsgroup de.comp.security.virus with MID
slrndv299i.sp1.becka-news-nospam-2006-02@...n.mcs.acs.uni-duesseldorf.de
> Subject: You have received a postcard! Id: 7963
Ah. Good guess.
Kind regards,
Andreas Beck
--
Andreas Beck
http://www.bedatec.de/
Powered by blists - more mailing lists