A Drive-by Download Threat?

Hi Guys,

I went into a site recently and got prompted by AVG that the site contains a link to an exploit site. I checked with AVG support and they also said that there is a piece of code which is malicious.

The code is as follows:



Can anyone decode what this means and what threat does it poses to users visiting the site?

Many Thanks in advance!



Note from LWM: This is what the above encoded text converts to when you decode it:



Note: avast! triggered just on the appearance of the text in the post. Avira also triggered when copying the text and pasting into a webpage form, like a search box. These are weak signature detections since as "text only" this is harmless. If you execute the Javascript of it though, (which you can not do in a vBulletin forum, therefore you must manipulate it yourself outside the forum to run it), then yes, you could infect yourself.

 

I'm not sure what it does but when I searched for it, I got an alert from Avira.
http://www.avira.com/en/threats/section/fulldetails/id_vir/4221/html_dldr.iframe.dp.html

I think maybe Avira was picking it up because of the copy/paste I did. I would advise anyone not to copy and paste the above code without the adequate protection and knowledge.

I'm still getting alerts so don't mess with this!

Edit: Here was the location of the file Avira detected.
C:\Sandbox\Owner\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\c3xl6613.default\formhistory.sqlite

 

What does the fact that Avast and Avira warn on these snippets have to do with these being "weak signature detections"?

You're talking about two completely unrelated things.

It's like on-access file scanning. Some AV's warn if you just open an infected EXE file (e.g. open the containing folder in Explorer), others only warn when you try to execute it. But the method of detection can be just arbitrary...


Cheers
Vlk

 

Seems that this threat is pretty threatening. I tested entering the site with NAV 2009 but it doesn't detect anything. I got my friends to enter the site as well with other AV and there isn't any prompt as well. If anyone wants the site, please PM me as this site is a commercial site.

I hope this will not affect the other users visiting the site. Any AVG users or out there willing to give this site a try? PM me.

Thanks.

 

In an effort to learn, could either set of the above scripts be inserted into a simple web page in an attempt to infect a user?

Are there any other ways a user can execute the script?

 

Unfortunately, this is all too easy, since these exploits are sold as packages on hacking sites. Here is an old one, which uses the exact same code except for the URL to connect to the hacker's server:

http://www.urs2.net/rsj/computing/tests/gpack

So, it is evident that this exploit code has been in circulation for a while. In the current Radio stations exploit, because the same code appears on all of the Watch pages suggests some type of code injection which targeted those specific pages on the server. The URL in the malicious javascript code no longer works.

So, you could put this code in a web page on your server and those who view it without proper protection would be exploited.

Note that because it is javascript code, that controlling javascript in the browser nullifies the attack.

----
rich

 

Thanks for the explanation and link Rmus. What you wrote was easy to understand .