lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sun, 19 Feb 2006 19:00:44 +0100
From: Andreas Beck <becka-list-bugtraq@...atec.de>
To: bugtraq@...urityfocus.com
Subject: Re: Java script exploit


gandalf@...ital.net wrote:
> Greetings and Salutations:
> I just receieved this exploit, 

It is none, as others already have mentioned.

I suppose you got it from one of the various "you received a postcard"
mailings going round.


It is basically a trampoline that will lead to a series of webservers
that have been compromised which will redirect to each other (typically
2 or 3 steps) using frames, iframes or similar javascripts (they use the
same basic en-/decoder, as far as I have seen).


The last step, however (which is probably what triggered a trap on your
system) is a piece of HTML that is using 3 or 4 different exploits 
to try to download and execute a variant of Haxdoor.

The first two are trying to use ActiveX together with .chm bugs (not
sure, if I should count them as two), the next utilizes some JavaApplet
called " SandBoxEscape.class", while the fourth tries to exploit
http://www.securiteam.com/windowsntfocus/6B00L2KEKW.html

The binary that should have been downloaded was identified by
virusscan.jotti.org as being 
- Bitdefender BehavesLike:Trojan.WinlogonHook (probable variant), 
- NOD32 a variant of Win32/Haxdoor
- VBA32 Trojan-Downloader.Agent.84 (probable variant).


Note, that only three of about a dozen Scanners installed on jotti
identify the malware, as it seems to be modified.


I have given a short description of what I've seen there in the german
newsgroup de.comp.security.virus with MID
slrndv299i.sp1.becka-news-nospam-2006-02@...n.mcs.acs.uni-duesseldorf.de


> Subject: You have received a postcard!   Id: 7963

Ah. Good guess.


Kind regards,

Andreas Beck

-- 
Andreas Beck
http://www.bedatec.de/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ