Not so funny.php

Published: 2007-04-08
Last Updated: 2007-04-08 16:29:01 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
With all the malware and exploit files around, I find it frequently hard to remember some specific attack. But when today while analyzing a suspicious site I came across an exploit which tried to download a binary called "funny.php", it sure felt enough like a glitch in the matrix to make me look back through my logs. And indeed, there's been another funny.php, from the same server in Malaysia, almost a month ago. And another, five days ago from a server in Germany. The EXEs the exploit tries to retrieve varies (of course) but the exploit pattern is always the same.

The first file, commonly included per IFRAME, contains a file part named "in.php?adv=1". This file contains an encoded blob of JavaScript, which is not reliably detected by AV (from the scanners I have at hand to verify, only Kaspersky, FSecure and McAfee seem to recognize it at all). Once manually decoded, AV detection improves somewhat, but is still leaky. The decoded blob reveals a bunch of "friendly" little code snippets:

1. Exploit-Byteverify (a quite wizened Java exploit)
2. An Exploit for MS06-014, with the code lifted almost in verbatim off the corresponding Metasploit Module
3. A copy of the MS06-057 WebViewFolderIcon.SetSlice exploit, artfully rendered to avoid detection

If either of these is successful, the exploit downloads and runs the mentioned "funny.php?adv=1" files, which invariably turn out to be Trojan Downloaders or worse. The funny.php thingies are apparently refreshed frequently enough to keep AV coverage low to nonexistent.

While the three exploits are not at all lethal on a well patched PC, the prevalence and endurance of these not-so-funny PHPs suggests that there are still far too many PCs out there that fall for this sort of attack. We have informed the two affected ISPs in Germany and Malaysia, lets see who has staff on duty on an Easter weekend...
0 comment(s)


Diary Archives