Following our earlier post on nasty network address ranges, ISC reader Tom wrote in with some interesting logs. His information ties a recent wave of Java exploits to several addresses in the same 91.204.48.0/22 netblock.

The latest exploits in this case start with a file called "new.htm", which contains code obfuscated with Unicode escapes of the form \u00XX. This is easy to unravel: the numbers are Unicode code points and can be turned back into plain ASCII characters with a Perl line like this:

cat new.htm | perl -pe 's/\\u00(..)/chr(hex($1))/ge'

The resulting file looks as follows:

<applet name="Java Update" code="Polat. class" archive="Hidden. jar" height="10" width="1">

Yes, the above is slightly modified... I tried to keep it plain enough that this diary can still be found via web search, but obfuscated enough to keep the less sophisticated anti-virus tools (like 90% of them) from triggering on this diary just because of the file name...

Nicely enough, we don't even have to use "jad" to decompile the Java class file: the "url" parameter passed to the applet is kinda telling all by itself. The good news is that "host.exe" already has pretty decent anti-virus coverage on VirusTotal. But... let's look at the Polat.class file anyway.
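The de-obfuscation step above, generalised, as an added example that is not part of the original diary: a Python script that reverses Java-style \uXXXX escapes for any code point (not only \u00XX), then pulls the applet's attributes and its param values out of the decoded HTML and flags the two things a triager would look for in a case like this, an applet sized to be invisible and a parameter that names a Windows executable. The sample HTML, the class and archive names, and the URL in it are constructed placeholders, not the values from the diary.

```python
import re

# Constructed sample in the style of the "new.htm" described above: a small applet
# whose tag is partly hidden behind Java-style \uXXXX escapes. Class name, archive
# name and URL are placeholders, not the values from the diary.
SAMPLE_HTM = (
    r'\u003c\u0061\u0070\u0070\u006c\u0065\u0074 name="Java Update" '
    r'\u0063\u006f\u0064\u0065\u003d"Example\u002e\u0063\u006c\u0061\u0073\u0073" '
    r'archive="Example\u002e\u006a\u0061\u0072" height="10" width="1">' "\n"
    r'<param name="\u0075\u0072\u006c" value="http://example.invalid/payload\u002e\u0065\u0078\u0065">' "\n"
    r'\u003c\u002f\u0061\u0070\u0070\u006c\u0065\u0074\u003e'
)

_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
_APPLET_TAG = re.compile(r"<applet\b([^>]*)>(.*?)</applet>", re.IGNORECASE | re.DOTALL)
_PARAM_TAG = re.compile(r"<param\b[^>]*>", re.IGNORECASE)
_ATTRIBUTE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
_WINDOWS_EXECUTABLE = re.compile(r"\.(exe|scr|dll|bat|cmd|msi)(\?|#|$)", re.IGNORECASE)


def decode_unicode_escapes(text: str) -> str:
    """Same idea as the Perl one-liner, but for any \\uXXXX code point, not only \\u00XX."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def extract_applets(html_text: str) -> list:
    """Return each <applet> as {'attrs': {...}, 'params': {...}} with attribute names lower-cased."""
    applets = []
    for tag in _APPLET_TAG.finditer(html_text):
        attrs = {k.lower(): v for k, v in _ATTRIBUTE.findall(tag.group(1))}
        params = {}
        for param in _PARAM_TAG.findall(tag.group(2)):
            fields = {k.lower(): v for k, v in _ATTRIBUTE.findall(param)}
            if "name" in fields:
                params[fields["name"]] = fields.get("value", "")
        applets.append({"attrs": attrs, "params": params})
    return applets


def triage_applet(applet: dict) -> list:
    """Flag the two tell-tale signs from the diary: a tag sized to be invisible, and a parameter naming an executable."""
    findings = []
    attrs, params = applet["attrs"], applet["params"]
    try:
        area = int(attrs.get("height", "0")) * int(attrs.get("width", "0"))
        if area <= 100:
            findings.append("applet is effectively invisible (height*width <= 100 px)")
    except ValueError:
        findings.append("applet has non-numeric height/width")
    for name, value in params.items():
        if _WINDOWS_EXECUTABLE.search(value):
            findings.append(f'param "{name}" points at a Windows executable: {value}')
    return findings


def analyze(raw_htm: str) -> list:
    """De-obfuscate, then extract and triage every applet; returns one dict per applet with its findings."""
    decoded = decode_unicode_escapes(raw_htm)
    results = []
    for applet in extract_applets(decoded):
        results.append({**applet, "findings": triage_applet(applet)})
    return results


if __name__ == "__main__":
    for report in analyze(SAMPLE_HTM):
        print("applet:", report["attrs"])
        print("params:", report["params"])
        for finding in report["findings"]:
            print("  !", finding)
```

Run it on a saved copy of a landing page rather than on the live site; the script never fetches anything, it only decodes and parses what it is given, so it is safe to point at quarantined samples.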
Huh? Download and run? Shouldn't the Java Sandbox prevent this? Sure. This "openConnection-and-run" method of drive-by download only works when it is paired with a Java exploit. Which is not the case here: the Java file is clean and doesn't contain an exploit for any recent vulnerability. So what gives? Well, let's try it out, and see what happens...
Daniel, ISC Handler, Dec 29th 2010
The malware from hxxp://benaguasil. net/host.exe [MD5: 08c1f238e6ec187aaece25f5ebbf666b] is documented @ ThreatExpert: http://threatexpert.com/report.aspx?md5=08c1f238e6ec187aaece25f5ebbf666b.
Anonymous, Dec 30th 2010