Author Topic: Wepawet detection in exploit kit  (Read 5662 times)


December 31, 2009, 07:17:34 pm

SysAdMini

I came across an exploit kit CRiMEPACK v2.1.5
http://www.malwaredomainlist.com/mdl.php?search=tk-tk.tk

at

Code:
tk-tk.tk/forum/


The following piece of code is interesting.
It checks document.location.href for "cs.ucsb.edu" and doesn't output exploit code if it finds this string.
I guess this should prevent analysis by Wepawet.



Quote
function KhOP13()
 {
   var a8teTR = document;                                      // alias for document
   var lnNEBq = "c"+"s"+"."+"u"+"c"+"s"+"b"+"."+"e"+"d"+"u";   // "cs.ucsb.edu", split up to defeat simple string matching
   var qyVmC8 = a8teTR.location.href;                          // URL the page was loaded from
   var vohdWr = qyVmC8.search(lnNEBq);                         // -1 unless the URL contains cs.ucsb.edu
   if(vohdWr != -1)
   {
     return 0;                                                 // on the Wepawet host: stay silent
   }
   else
   {
     return 1;                                                 // anywhere else: proceed
   }
 }
 if(KhOP13())
 {
   jfg1Wk.write(                                               // truncated in the post; this is where the exploit code is written out


Ruining the bad guy's day
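An added example, not code from the post or from the exploit kit: a small static heuristic in Node.js that reverses the evasion described above. It folds split string literals (`"c"+"s"+"."+...`) back into one constant and then flags any substring test of the page URL (`location.href`, possibly through an alias of `document`) against a string constant, reporting the domain the kit is looking for. It assumes the `var name = ...;` declaration style seen in the snippet and only follows one level of aliasing. The sample input is the quoted function copied from the post, minus the truncated `write()` call; the benign control string is constructed for the example.

```javascript
'use strict';

// One JS string literal, either quote style, escapes allowed.
const LIT = '(?:"(?:[^"\\\\]|\\\\.)*"|\'(?:[^\'\\\\]|\\\\.)*\')';
const IDENT = '[A-Za-z_$][\\w$]*';

// Drop the surrounding quotes and undo escaped quotes inside the literal.
function unquote(lit) {
  return lit.slice(1, -1).replace(/\\(['"])/g, '$1');
}

// Fold runs of concatenated literals: "c"+"s"+"."+"u" -> "cs.u".
// The folded value is re-emitted as a double-quoted literal.
function foldStringConcat(src) {
  const run = new RegExp(`${LIT}(?:\\s*\\+\\s*${LIT})+`, 'g');
  return src.replace(run, (m) =>
    JSON.stringify(m.match(new RegExp(LIT, 'g')).map(unquote).join('')));
}

// Report substring tests of the page URL against string constants: the
// pattern CRiMEPACK uses to stay silent when loaded from cs.ucsb.edu.
// Returns [{ variable, method, needle }] for every match found.
function findLocationChecks(src) {
  const folded = foldStringConcat(src);
  const decl = (rhs) =>
    new RegExp(`\\b(?:var|let|const)\\s+(${IDENT})\\s*=\\s*${rhs}\\s*;`, 'g');
  const escapeRe = (s) => s.replace(/\$/g, '\\$');

  // Aliases of document, e.g. `var a8teTR = document;`
  const docNames = ['document'];
  for (const m of folded.matchAll(decl('document'))) docNames.push(m[1]);

  // Variables holding the URL: `var q = a8teTR.location.href;` or `location.href`
  const hrefVars = new Set();
  const docAlt = docNames.map(escapeRe).join('|');
  for (const m of folded.matchAll(decl(`(?:(?:${docAlt})\\.)?location\\.href`))) {
    hrefVars.add(m[1]);
  }

  // String constants, already folded: `var n = "cs.ucsb.edu";`
  const strVars = new Map();
  for (const m of folded.matchAll(decl(`(${LIT})`))) strVars.set(m[1], unquote(m[2]));

  // href.search(x) / href.indexOf(x) / href.match(x) / href.includes(x)
  const call = new RegExp(
    `\\b(${IDENT})\\.(search|indexOf|match|includes)\\s*\\(\\s*(${IDENT}|${LIT})\\s*\\)`, 'g');
  const findings = [];
  for (const m of folded.matchAll(call)) {
    const [, recv, method, arg] = m;
    if (!hrefVars.has(recv)) continue;
    const needle = /^["']/.test(arg) ? unquote(arg) : strVars.get(arg);
    if (needle !== undefined) findings.push({ variable: recv, method, needle });
  }
  return findings;
}

// Sample input copied from the post (the truncated write() call left out).
const SAMPLE = `
function KhOP13()
 {
   var a8teTR = document;
   var lnNEBq = "c"+"s"+"."+"u"+"c"+"s"+"b"+"."+"e"+"d"+"u";
   var qyVmC8 = a8teTR.location.href;
   var vohdWr = qyVmC8.search(lnNEBq);
   if(vohdWr != -1) { return 0; } else { return 1; }
 }
`;

// Constructed benign control: reads the URL but never compares it to a constant.
const BENIGN = 'var u = document.location.href; console.log(u);';

console.log(findLocationChecks(SAMPLE));
console.log(findLocationChecks(BENIGN));
```

The practical lesson for a sandbox operator is the same one the kit exploits: the analysis environment's hostname must not leak into `location.href` (or `referrer`, `User-Agent` and similar), so fetch the page under a neutral hostname, and when a check like this is found, execute both branches so the silenced payload is still captured.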

December 31, 2009, 09:28:30 pm
Reply #1

MysteryFCM

Interestingly, x.php points to the following, which is spitting a 404 at me?

Code:
tk-tk.tk/forum/get.php?eid=aY6jCWUjWdoC9gP8t&id=A56B8841DE8A5EFBE133B535AE892DA5
I've notified Marco @ UCSB of this particular issue (with a ref to this thread).

y.php points to a .class that doesn't seem to exist. Grabbed the .jar though, which has a ref to:

Code:
http://213.239.206.118/load.mp3
/edit

Interestingly, the .mp3 file returns a 404 for me too :(
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

January 06, 2010, 09:49:24 pm
Reply #2

MysteryFCM

I meant to mention, dot.tk got back to me about this and informed me they've shut down the offending .tk domain :)