Obfuscation: Creating something new but not really…

We just got a report from an external source about a particular URL that exhibits some strange behavior…


So I grabbed the URL and investigated what may have caused the ‘strange behavior’. As soon as I had a copy of the file that the URL points to, http://{blocked}.org/xpl/index.php, I checked its contents and found that it uses an iframe (an HTML tag) to redirect the browser to another page that hosts another strange-looking script.


I checked the contents of that script to see whether it had anything to do with the ‘strange behavior’, and it did indeed look pretty strange… Looking closely, I found some interesting keywords that prodded me to continue the analysis and unravel the mystery behind the ‘strange behavior’. The script is obfuscated but still gives away some clues about what it might do. See below for part of the obfuscated script, especially the words enclosed in a box.



At this point my intuition led me to conclude that this obfuscated code carries an embedded shellcode (because of the ‘unescape’ keyword followed by Unicode-escaped characters) that will download and execute a possibly malicious file on the affected system, fetched from the URL included in the script. Since there is a shellcode (a code snippet that must be injected into the address space of an intended process to execute successfully), there should also be a particular process/application that this shellcode targets. Then I noticed the “.wmv” string, a file type associated with Windows Media Player by default. To test my little theory I executed the script on my test (infection) machine, and there I saw a Windows Media Player object on the page being rendered in the browser.


Then, at the bottom of the obfuscated script, is a readable piece of JavaScript whose job is to clean up (de-obfuscate) the obfuscated code shown above. I modified that code slightly so that it stops executing as soon as the de-obfuscated code is produced, as shown below.



There it is! This tells only half of the story, though, and is somewhat misleading: the shellcode is already embedded in the script, held by the “spray” variable. The exact URL that the malicious shellcode will access is now clear as well. In the lower part of the de-obfuscated script I noticed an HTML tag that was given a very strange-looking value.
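The indicators noted above (the `unescape` call with `%u`-escaped characters, the array held in the “spray” variable, the “.wmv” string and the EMBED tag) can be checked for statically, without ever running the page. The following triage script is an added example and is not the code from the incident or from the analysis above; the `SAMPLE` page is constructed here for illustration.

```javascript
// Static triage of a suspected heap-spray page. Decodes unescape("%uXXXX") literals
// the way unescape() would, but never executes the script, and reports the
// indicators from the write-up: a run of 0x90 (NOP sled) in the decoded bytes,
// a spray loop filling an array, a ".wmv" reference and an EMBED tag.
// SAMPLE is constructed for this example; it is not the script from the incident.
const SAMPLE = `
var shell = unescape("%u9090%u9090%u9090%u9090%u4142%u4344");
var spray = new Array();
for (var i = 0; i < 200; i++) spray[i] = shell + shell;
document.write('<EMBED SRC="' + unescape("%u0041%u0041") + '.wmv">');
`;

// Each %uXXXX unit becomes two bytes, low byte first, which is how the
// spray lays the string out in memory.
function decodeUnicodeEscapes(literal) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})/g;
  let m;
  while ((m = re.exec(literal)) !== null) {
    const unit = parseInt(m[1], 16);
    bytes.push(unit & 0xff, unit >> 8);
  }
  return bytes;
}

// Longest consecutive run of 0x90 bytes (x86 NOP), the classic sled marker.
function longestNopRun(bytes) {
  let best = 0, run = 0;
  for (const b of bytes) {
    run = b === 0x90 ? run + 1 : 0;
    if (run > best) best = run;
  }
  return best;
}

function triage(source) {
  const findings = [];
  const litRe = /unescape\(\s*(['"])((?:%u[0-9a-fA-F]{4})+)\1\s*\)/g;
  const blobs = [];
  let m;
  while ((m = litRe.exec(source)) !== null) blobs.push(decodeUnicodeEscapes(m[2]));
  const nop = Math.max(0, ...blobs.map(longestNopRun));
  if (nop >= 4) findings.push(`NOP sled of ${nop} bytes inside an unescape() literal`);
  if (/for\s*\([^)]*\)\s*\w+\[\w+\]\s*=/.test(source)) findings.push("array-filling loop (heap spray pattern)");
  if (/\.wmv/i.test(source)) findings.push(".wmv reference (Windows Media Player plug-in)");
  if (/<embed/i.test(source)) findings.push("EMBED tag emitted from script");
  return { blobs: blobs.length, decodedBytes: blobs.reduce((n, b) => n + b.length, 0), findings };
}
console.log(triage(SAMPLE));
```

The thresholds and regular expressions are deliberately simple; they are meant as a first filter before manual de-obfuscation, not as a replacement for it.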



So I googled every keyword from the image above that looked like it might help, and not surprisingly I was directed to a popular website that publishes exploits for particular vulnerabilities, where I found similarities with one of the published exploits. Based on the behavior I observed in my testing and the sample exploit posted on the site, I confirmed that the ‘strange behavior’ was caused by a vulnerability exploited through the Windows Media Player Plugin EMBED Exploit (MS06-006).


Even though this is not a new vulnerability, there are still malicious actors trying to take advantage of this bug, as this incident shows. It underlines the importance of keeping both systems AND applications patched up to date to protect them from attacks like this one.


More information on MS06-006 can be found on Microsoft's website.


All malicious samples, together with the URLs related to this incident, are already being processed for inclusion in Trend solutions.