Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Baby, baby!

Published: 2008-12-05
Last Updated: 2008-12-05 23:53:49 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

When Brad went to a web site in search of fluffy clothing for his toddler, little did he know that each web page of that baby site was booby trapped. The bottom of each page contained an obfuscated section framed by comments that claimed that the javascript code was for "Yahoo Counter".  Well, it wasn't.

What it did was download a heavily obfuscated Javascript, followed by a download of a PDF with embedded exploit code, followed by a download of an EXE. The EXE has almost no detection (Virustotal) at this time.

The analysis of this case was made a tiny bit more interesting than usual .. because the self defense mechanisms of the obfuscated JavaScript code were pretty good. Whoever wrote this thing probably read my ISC diary on how to patch SpiderMonkey to even untangle obnoxious Javascript. Because when I simply ran the code through my patched Spidermonkey, what I got was:

daniel@debian:~$ js i.js
File i.js Line 68 calls eval with the following parameter:
//Just f**k off...

The ** have been added, of course. Eventually, this protection fell as well though. If you want to make sure your users haven't been "had" likewise while shopping for baby clothes, check your logs for connections to 218.93.202. 61 and 78.110.175. 21 . Don't go there though, both sites are BAD.

Keywords: malware
0 comment(s)

Been updatin' your Flash player lately?

Published: 2008-12-05
Last Updated: 2008-12-05 00:30:36 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)


We received a couple of submissions from ISC readers that indicate that a new wave of rogue "Flash Player" updates is making the rounds. This latest version is pretty artfully done - the pages hosting this malware actually do contain a real flash movie that is not malicious and plays in a Youtube-like embedded frame. After the movie has been running for a couple seconds though, a pop-up opens that indicates that a "Flash Player Update is available". It all looks credibly enough like one of those usual auto-update pop-ups, but if you click OK, you get an EXE which isn't really a Flash player update of course.

So far, the URLs where the malware is coming from all seem to have in common that port 7777 is used. This is rare enough that trolling through your proxy logs for any of your users going to a URL containing :7777/dt might give you a better indication than your anti-virus. Because AV coverage (VirusTotal) is only slowly improving.

 

Keywords: adobe flash malware
0 comment(s)
Diary Archives