« previous next »
Pages: [1]   Go Down

Author Topic: gornial.com  (Read 3607 times)

0 Members and 1 Guest are viewing this topic.

July 30, 2009, 08:35:27 pm
Read 3607 times

Shawn Jefferson

  • Newbie
  • Offline
  • *
  • 8
gornial.com
Found this today:

gornial.com hosting lots of obfuscated JS and exploit code.

From packet captures to that address:
Code: [Select]
GET / HTTP/1.1
Accept: */*
Referer: http://ad.yieldmanager.com/iframe3?B4VeAEN1CAD.RikAAAAAAM5-CwAAAAAAAAAIAAYAAAAAAAoABQAFCWAxDQAAAAAA.ogEAAAAAADYXBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAQgQAAAAAAAIAAwAAAAAAqdkDrcCQpT-p2QOtwJClPw3gLZCg-LE.DeAtkKD4sT-kcD0K16PAP6RwPQrXo8A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcWOtGlaW6BtCCB58.M-PnfY2nMusp7AxtDIVSAAAAAA==,,http://adstreams.org/www/delivery/afr.php?refresh=60&zoneid=11&cb=insert_random_number_here&loc=http%3a%2f%2fwww.onlineradiostations.com%2fradio-stations%2fcanada%2fnewfoundland%2fst-johns%2fcksj-101.1-easy-liste
Accept-Language: en-ca
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: gornial.com
Connection: Keep-Alive

GET /nic/vo.png HTTP/1.1
Accept: */*
Referer: http://gornial.com/
Accept-Language: en-ca
UA-CPU: x86
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 28 Jul 2009 18:19:17 GMT
If-None-Match: "166402d-1477-46fc81bc6d340"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: gornial.com
Connection: Keep-Alive

GET /nic/java.html HTTP/1.1
Accept: */*
Referer: http://gornial.com/
Accept-Language: en-ca
UA-CPU: x86
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 01 Jul 2009 01:25:00 GMT
If-None-Match: "1664083-35-46d9acab39300"-gzip
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: gornial.com
Connection: Keep-Alive

Is the referrer in the first GET request the way the user got to the final malware landing page (the gornial.com page?)

I haven't fully decoded it all, but it looks like the obfucated code at the index page is attempting a few IE exploits at least, there is a malicious PDF, and I believe also a JRE exploit (my AV system picked up on this).  I decoded one of the exploits, ran the shellcode through Malzilla, found the XOR code of 0x21 and the URL of

Code: [Select]
http://gornial.com/nic/utt.php

which is installb.com

Virustotal (7% coverage!):
http://www.virustotal.com/analisis/3231c6fa83cb5636d00537fa9eace4e77106bcea20b2a6eecfe42749737b3245-1248985717

CWSandbox:
http://www.cwsandbox.org/?page=report&analysisid=619412&password=ejgaldyfwc

Edit: This braviax.exe seems to be pretty old though...
Logged
July 30, 2009, 09:56:00 pm
Reply #1

MysteryFCM

  • Administrator
  • Hero Member
  • Offline
  • *****
  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Re: gornial.com
Quote from: Shawn Jefferson on July 30, 2009, 08:35:27 pm
Is the referrer in the first GET request the way the user got to the final malware landing page (the gornial.com page?)

It is indeed.

This particular one is the following;

Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/972890.mspx

Quote
CVE-2009-1095

Integer overflow in unpack200 in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via a JAR file with crafted Pack200 headers.

http://www.securityfocus.com/bid/34240/exploit
Logged
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
Pages: [1]   Go Up
« previous next »