Author Topic: gornial.com  (Read 3308 times)


July 30, 2009, 08:35:27 pm

Shawn Jefferson

Found this today:

gornial.com hosting lots of obfuscated JS and exploit code.

From packet captures to that address:
Code:
GET / HTTP/1.1
Accept: */*
Referer: http://ad.yieldmanager.com/iframe3?B4VeAEN1CAD.RikAAAAAAM5-CwAAAAAAAAAIAAYAAAAAAAoABQAFCWAxDQAAAAAA.ogEAAAAAADYXBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAQgQAAAAAAAIAAwAAAAAAqdkDrcCQpT-p2QOtwJClPw3gLZCg-LE.DeAtkKD4sT-kcD0K16PAP6RwPQrXo8A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcWOtGlaW6BtCCB58.M-PnfY2nMusp7AxtDIVSAAAAAA==,,http://adstreams.org/www/delivery/afr.php?refresh=60&zoneid=11&cb=insert_random_number_here&loc=http%3a%2f%2fwww.onlineradiostations.com%2fradio-stations%2fcanada%2fnewfoundland%2fst-johns%2fcksj-101.1-easy-liste
Accept-Language: en-ca
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: gornial.com
Connection: Keep-Alive

GET /nic/vo.png HTTP/1.1
Accept: */*
Referer: http://gornial.com/
Accept-Language: en-ca
UA-CPU: x86
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 28 Jul 2009 18:19:17 GMT
If-None-Match: "166402d-1477-46fc81bc6d340"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: gornial.com
Connection: Keep-Alive

GET /nic/java.html HTTP/1.1
Accept: */*
Referer: http://gornial.com/
Accept-Language: en-ca
UA-CPU: x86
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 01 Jul 2009 01:25:00 GMT
If-None-Match: "1664083-35-46d9acab39300"-gzip
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: gornial.com
Connection: Keep-Alive

Is the referrer in the first GET request the way the user got to the final malware landing page (the gornial.com page?)

I haven't fully decoded it all, but it looks like the obfuscated code at the index page is attempting a few IE exploits at least; there is a malicious PDF, and I believe also a JRE exploit (my AV system picked up on this).  I decoded one of the exploits, ran the shellcode through Malzilla, found the XOR code of 0x21 and the URL of

Code:
http://gornial.com/nic/utt.php

which is installb.com

Virustotal (7% coverage!):
http://www.virustotal.com/analisis/3231c6fa83cb5636d00537fa9eace4e77106bcea20b2a6eecfe42749737b3245-1248985717

CWSandbox:
http://www.cwsandbox.org/?page=report&analysisid=619412&password=ejgaldyfwc

Edit: This braviax.exe seems to be pretty old though...

July 30, 2009, 09:56:00 pm
Reply #1

MysteryFCM

Quote
Is the referrer in the first GET request the way the user got to the final malware landing page (the gornial.com page?)

It is indeed.

This particular one is the following;

Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/972890.mspx

Quote
CVE-2009-1095

Integer overflow in unpack200 in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via a JAR file with crafted Pack200 headers.

http://www.securityfocus.com/bid/34240/exploit
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net