Archive for December, 2008

www.wmpd.ru/style.js and www.mtno.ru/style.js
Posted in sql injection on December 19, 2008 by s3cu
style.js embeds an iframe pointing to http://79.135.168.18
The index.html page loaded in that iframe uses yet another obfuscation method.

vip.4s3w.cn/vip/I7.htm
Posted in sql injection on December 14, 2008 by s3cu
Another IE exploit, but this evasion technique is so cute, take a look:
IE 0-day exploit
Posted in sql injection on December 12, 2008 by s3cu
OK, so the vulnerability that was supposedly IE7-only also applies to other IE versions.
Check out Microsoft Security Advisory 961051 (CVE-2008-4844).
Other domains that are exploiting this vulnerability are listed at Shadowserver.
Notice that the shellcode of the 17gamo.com IE7 exploit is encrypted.

ie7 exploit encrypted shellcode

Disassembly of the shellcode shows that each byte is XORed with 21h.
To decrypt the shellcode, a simple Perl substitution can be applied to the %u-escaped Unicode string. Each %uXXYY escape is a little-endian UTF-16 code unit, so the second pair ($2) is the first byte in memory and is emitted first:
perl -pe 's/\%u(..)(..)/(chr(hex($2))^chr(hex(21))).(chr(hex($1))^chr(hex(21)))/ge' < encoded.txt > shellcode.bin
A hexdump of the decrypted shellcode shows where it will retrieve the malware:
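To show the same decoding end to end, here is an added Python example (not code from the post): it unescapes a %uXXYY string into memory order, applies the single-byte XOR, and, going one step beyond the post, recovers the key by brute force when no disassembly is at hand, using the scheme of the download URL as known plaintext. The sample shellcode string is constructed inside the script and is not the 17gamo.com payload; the URL in it is a placeholder.

```python
import re
from typing import Optional

# Constructed stand-in for the encrypted shellcode in the post (the real bytes are
# not reproduced): a few NOPs, a download URL and a null terminator, even length so
# it packs cleanly into %uXXYY pairs.
SAMPLE_PLAINTEXT = b"\x90" * 4 + b"http://example.invalid/1.exe" + b"\x00\x00"
SAMPLE_KEY = 0x21

ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; encrypting and decrypting are the same operation."""
    return bytes(b ^ key for b in data)


def to_unicode_escapes(data: bytes) -> str:
    """Encode bytes the way exploit pages do: %uXXYY, where YY is the first
    (low) byte in memory and XX the second, because unescape() produces
    little-endian UTF-16 code units."""
    if len(data) % 2:
        raise ValueError("need an even number of bytes for %u escapes")
    return "".join("%%u%02X%02X" % (data[i + 1], data[i]) for i in range(0, len(data), 2))


def from_unicode_escapes(escaped: str) -> bytes:
    """Inverse of to_unicode_escapes: swap each pair back into memory order."""
    out = bytearray()
    for hi, lo in ESCAPE_RE.findall(escaped):
        out.append(int(lo, 16))
        out.append(int(hi, 16))
    return bytes(out)


def decode_shellcode(escaped: str, key: int) -> bytes:
    """The post's Perl substitution in Python: unescape, then XOR every byte."""
    return xor_bytes(from_unicode_escapes(escaped), key)


def recover_key(escaped: str, marker: bytes = b"http://") -> Optional[int]:
    """Brute-force the single-byte key by requiring a known plaintext fragment
    (download shellcode almost always carries a URL) to appear after decoding."""
    raw = from_unicode_escapes(escaped)
    for key in range(256):
        if marker in xor_bytes(raw, key):
            return key
    return None


def extract_url(decoded: bytes) -> Optional[str]:
    """Pull the first printable URL out of decoded shellcode, what the hexdump shows."""
    m = URL_RE.search(decoded)
    return m.group(0).decode("ascii") if m else None


# The encrypted form as it would appear inside the exploit page's script.
SAMPLE_ESCAPED = to_unicode_escapes(xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY))

if __name__ == "__main__":
    print("encrypted:", SAMPLE_ESCAPED[:24], "...")
    key = recover_key(SAMPLE_ESCAPED)
    print("recovered key: 0x%02x" % key)
    print("download URL:", extract_url(decode_shellcode(SAMPLE_ESCAPED, key)))
```

The key search works because a single-byte XOR preserves byte alignment: only one key maps the ciphertext window back onto "http://", so a false hit is practically impossible on real payloads. For multi-byte or rolling keys the same idea still applies, but the search has to run per key position.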

17gamo.com/1.js
Posted in sql injection on December 10, 2008 by s3cu
A new SQL-injected URL.
1.js contains an iframe whose src is http://www.17gamo.com/co/index.htm
The index.htm page contains several exploits, one of which is the latest IE7 0-day.
The IE7 exploit is at www.17gamo.com/co/ie7.htm