HighDots Forums  

Re: need analysis on downloaded javascript - security threat - threat.zip

JavaScript language (comp.lang.javascript)


#1
Spamless
Posts: n/a
Re: need analysis on downloaded javascript - security threat - threat.zip - 06-30-2007, 03:57 PM

On 2007-06-30, David McDivitt <david-del (AT) del-subjectivist (DOT) org> wrote:
Quote:
I received an email telling me to read a greeting card sent by a family
member. Upon going to the website, my firewall prompted me, saying the
program ~.exe wanted to access the internet (with a tilde). The program was
located at \windows\system32. Of course I said no, but I wondered how that
program got installed on my workstation. Since I'd already hit the site and
a second time wouldn't matter, I went back to copy the page source. Very
creative stuff!

I have attached a zip file containing files listed below. Please reply to
the newsgroup with any ideas you have, regarding what this code does, or
with results of any analysis you do.

If this is a new security threat, please forward details to appropriate
software companies and agencies. It is very hard trying to find a place to
report this type of thing, so this is my chosen method. Thanks


- email.txt - This is the saved email with headers. I blanked addresses.

- ~.exe.txt - This is the file placed at my \windows\system32 folder.

- pageOriginal.htm.txt - This is the original page source.

- pageEditedForCopy.htm.txt - This is where I edited the page to extract.

- extractedCode.txt - This is the extracted javascript

- snapshot01.jpg - Showing the info bar trying to install ActiveX.

- snapshot02.jpg - Screen snapshot showing IE was hung up.

The Javascript tries a few things. It tries the MD2C() exploits,
for various items which may have exploitable classID which will
allow xmlHTTP to get a file, use ADODB.Stream to save to a file
and WScript to run it. The file it tries to get is
http://24.174.218.7/file.php which (if the exploit works) is
saved to c:\sys.[random_string].exe and run
(var name = "c:\\sys"+GetRandString(4)+".exe"
ShellExecute(v[2], name, n)
where v[2] is a WScript.Shell)

If they do not work, overflow exploits are tried
("if (! MD2C() ) { startOverflow(0); }" is in the start() function)

These use the var a = unescape("%u4343%u4343%u0feb%u..." string.
In memory, javascript apparently stores text strings as unicode
(with byte swapping in machines with the right "endianness").
This part of the code creates a long string of do-nothing machine
language (b = getb(b,bSize)) and appends the "a" string (more code,
encoded as two byte unicode so it is the proper code in memory) and
creates an array consisting of copies of this very long string
(do nothing code followed by the payload, a). The trick then is to
start some other programme with bad data which when it ends or crashes
will use the overflowing data in the large array as its return code
and run it. There are the usual programmes tried. QuickTime, WinZip,
WebViewFolder.

To see the code as it is stored in memory, rather than the two byte
unicode text string that Javascript uses, split the pairs of bytes
(in the string "a") in each unicode character, swap those bytes and dehex.

Do that and you get binary code ending with the URL
http://24.174.218.7/file.php, again.


In short, it uses the usual MDAC and overflow exploits to get and run
http://24.174.218.7/file.php. Unpatched IE and other programmes
(e.g. quicktime) are subject to such exploits. I didn't see anything
new (but I did not check to see if all the classIDs in the array
in the function MD2C()
{BD96C556-65A3-11D0-983A-00C04FC29E30}
{BD96C556-65A3-11D0-983A-00C04FC29E36}
{AB9BCEDD-EC7E-47E1-9322-D4A210617116}
{0006F033-0000-0000-C000-000000000046}
{0006F03A-0000-0000-C000-000000000046}
{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}
{6414512B-B978-451D-A0D8-FCFDF33E833C}
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
{06723E09-F4C2-43c8-8358-09FCD1DB0766}
{639F725F-1B2D-4831-A9FD-874847682010}
{BA018599-1DB3-44f9-83B4-461454C84BF8}
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
{E8CCCDDF-CA28-496b-B050-6C07C962476B}
have patches)


That is currently not up and the javascript has surely changed.
24.174.218.7 is a residential RoadRunner user,
Address 24.174.218.7 maps to cpe-24-174-218-7.elp.res.rr.com
Checking cpe-24-174-218-7.elp.res.rr.com address 24.174.218.7
and is surely an infected machine. Other copies of the mail surely
send one on to other infected systems. This user may (probably has)
broken his connection and hopefully is cleaning and securing his
system.


The file that the file.php returns is probably a short downloader
for the actual malware.

Embedded in the exe you included one finds the text string,
"24.174.218.7/op.exe"


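The two manual steps in the analysis above, flagging the objects and class IDs the script relies on, and splitting and swapping the bytes of the unescape("%u...") string to read the download URL out of its memory image, can be scripted. The following is an added example and is not code from the thread or from either poster. The class IDs and object names it looks for are the ones quoted in the thread; the sample page and the %u blob are constructed for the demo, and the URL in them (example.invalid) is a placeholder, not the address discussed in the thread.

```python
"""Triage helpers for a page like the one analysed in the thread.

Added example, not code from the thread or its authors. It does two things
the thread does by hand: flag the objects and class IDs the script relies on
(XMLHTTP, ADODB.Stream, WScript.Shell, the MDAC class IDs from MD2C()), and
decode an unescape("%u....") string into the little-endian byte image it has
in memory so that embedded text such as a download URL can be read off.
SAMPLE_PAGE is constructed for the demo; the URL in it is a placeholder.
"""
import re
import struct
from typing import Dict, List

# Indicators quoted in the thread. The class-ID pattern covers the two
# BD96C556-... entries of the MD2C() array; the rest are the objects used
# to fetch a file, write it to disk and execute it.
INDICATORS = {
    "mdac_classid": re.compile(r"BD96C556-65A3-11D0-983A-00C04FC29E3[06]", re.I),
    "xmlhttp": re.compile(r"XMLHTTP", re.I),
    "adodb_stream": re.compile(r"ADODB\.Stream", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
    # an unescape() call whose argument is at least eight %uXXXX units
    "u_escape_blob": re.compile(r'unescape\(\s*"((?:%u[0-9A-Fa-f]{4}){8,})"\s*\)'),
}

def scan_indicators(src: str) -> Dict[str, int]:
    """Count hits per indicator in a page source."""
    return {name: len(rx.findall(src)) for name, rx in INDICATORS.items()}

# %uXXXX (one UTF-16 code unit) or %XX (one byte), as unescape() reads them.
ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def js_unescape_units(s: str) -> List[int]:
    """UTF-16 code units that JavaScript's unescape(s) would produce."""
    units, pos = [], 0
    while pos < len(s):
        m = ESCAPE_RE.match(s, pos)
        if m:
            units.append(int(m.group(1) or m.group(2), 16))
            pos = m.end()
        else:                       # any other character is kept as-is
            units.append(ord(s[pos]))
            pos += 1
    return units

def memory_image(s: str) -> bytes:
    """The string as it sits in memory: each unit little-endian, so %u4341
    becomes the bytes 41 43, i.e. 'AC' (the byte swap the thread describes)."""
    return b"".join(struct.pack("<H", u) for u in js_unescape_units(s))

def encode_u_escapes(data: bytes) -> str:
    """Inverse of memory_image, used here only to build the sample (odd length is NUL-padded)."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%04x" % struct.unpack_from("<H", data, i)[0]
                   for i in range(0, len(data), 2))

def leading_filler(data: bytes, word: bytes) -> int:
    """How many copies of a filler word (b'CC' for %u4343) open the buffer."""
    n = 0
    while data.startswith(word, n * len(word)):
        n += 1
    return n

def find_urls(data: bytes) -> List[str]:
    """ASCII URLs inside a decoded byte image."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[a-z]+://[\x21-\x7e]+", data)]

def extract_payload_urls(src: str) -> List[str]:
    """Decode every flagged unescape() blob in src and collect URLs from the byte images."""
    urls: List[str] = []
    for blob in INDICATORS["u_escape_blob"].findall(src):
        urls += find_urls(memory_image(blob))
    return urls

# Constructed sample page: eight %u4343 filler units followed by a placeholder URL.
SAMPLE_BLOB = "%u4343" * 8 + encode_u_escapes(b"http://example.invalid/file.php")
SAMPLE_PAGE = (
    '<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"></object>\n'
    '<script>\n'
    'var a = unescape("' + SAMPLE_BLOB + '");\n'
    'var x = new ActiveXObject("Microsoft.XMLHTTP");\n'
    'var s = new ActiveXObject("ADODB.Stream");\n'
    'var w = new ActiveXObject("WScript.Shell");\n'
    '</script>\n'
)

if __name__ == "__main__":
    print(scan_indicators(SAMPLE_PAGE))
    image = memory_image(SAMPLE_BLOB)
    print(leading_filler(image, b"CC"), "filler words, then", find_urls(image))
```

Run against a saved page source such as the pageOriginal.htm.txt mentioned in the thread, `scan_indicators` gives a quick count of the fetch/save/run objects and known class IDs, and `extract_payload_urls` recovers any URL sitting in a %u-encoded buffer without executing anything. The byte swap in `memory_image` is the whole point: %u4341 is the two bytes 41 43 in memory, which is why the URL only becomes readable after the swap.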
#2
David McDivitt
Posts: n/a
Re: need analysis on downloaded javascript - security threat - threat.zip - 06-30-2007, 04:16 PM

Thanks for that. I never get any viruses on my machine, and pay close
attention. I was surprised when the exe file was written, and was curious
whether this is a new technique. Not knowing to what extent my machine is
infected, I've been running free virus scanners from different sites to see
if anything's found, in addition to the one I subscribe to. Nothing has been
found yet, which really irks me. I was prompted to allow internet access for
the exe, otherwise it surely would have hooked up and downloaded more code.
I don't think anything is left on my machine, but if a new threat, it
wouldn't be detected.


Quote:
From: Spamless <Spamless (AT) Nil (DOT) nil
Date: 30 Jun 2007 19:57:39 GMT
Lines: 102

On 2007-06-30, David McDivitt <david-del (AT) del-subjectivist (DOT) org> wrote:
I received an email telling me to read a greeting card sent by a family
member. Upon going to the website, my firewall prompted me, saying the

The Javascript tries a few things. It tries the MD2C() exploits,
for various items which may have exploitable classID which will
allow xmlHTTP to get a file, use ADODB.Stream to save to a file
and WScript to run it. The file it tries to get is
--
dgm


Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.