Last Updated: 2008-03-07 15:15:52 UTC
by Mark Hofman (Version: 1)
One of the things I love about being a handler, other than the red shirt, is that pretty much every day I learn something new. Thanks to our readers and through cooperation with various groups around the planet we get to see some interesting stuff.
Last week Jeremy sent a link and a few files for us to have a closer look at. The link was being injected (using SQL Injection) into a site and if successful would have resulted in a world of pain for anyone visiting the compromised site afterwards. After a quick check it was obvious that nasty things would happen, the final result was a file which had a detect rate of 2/32 on VT, other files had similar detect rates.
When looking at malicious things there are a number of ways to look at it. The code junkies will look at the code and analyse it, follow it through and throw debuggers at the final executable. Net heads may execute (on a VM or sacrificial system) a file or visit a link and see where the packets take them. I probably would have done the latter if a couple of hours previously I had not seriously trashed my playpen, looking at the code was my only option. Glad I did.
The first script sets a cookie, it generates a random number used to select the exploit path to follow although only two paths are available. Depending on the result it pulls in an iframe, either a html file or a js file.
Following the html stream , the next page also sets a cookie and attempts a number of exploits, MS06014, MS07004, MS06067, MS06057 Real player exploit or storm player exploit are the ones so far. Each is attempted. If the preceding exploit did not work the next exploit is attempted. Once the final exploit is attempted a counter is set on a stats site.
The JS stream similarly also tries a number of vulnerabilities including MS07-055, telnet, file transfer, file injection and a real player attack. A number of vbscripts are used in this stream, reversed, possibly to try and evade scanning tools. At the end of this stream another counter was set on a stats site.
There were a few interesting things in the scripts such as the setting of the cookies and the multiple attack streams. Interestingly the exploits are all relatively old, but obviously still worth the effort. The files that are eventually downloaded are typical downloaders grabbing additional files, but I’m still going through them. There is still more to find.
Only a few sites seem to have been compromised with this code, so far. Attempts to shut down the hosting sites so far have not been successful. I may be able to publish more info at a later date and provide some code samples.