Analysis of password-strength page at unwrongest website (split from password thread)

CloneRanger · Jul 31, 2010

Also used FF

Hope he gets it sorted soon.

Originally Posted by Sadeghi85 IE exploit?
Click to expand...

You're right to question, i've clarified this post

wat0114 · Jul 31, 2010

Well there's no need for people to merrily click away oblivious of the consequences.

Peter2150 · Jul 31, 2010

If I understood what Rmus showed it would also help explain why I saw nothing. I don't have any adobe products, including the reader on board.

Page42 · Jul 31, 2010

wat0114 said:

Hi Page42,
that directory is normal default in my neck of the woods on Win 7 x64.
Click to expand...

Thanks for the reply. I figured it was, but still thought it wise to check with others.

Page42 · Jul 31, 2010

Peter2150 said:

If I understood what Rmus showed it would also help explain why I saw nothing. I don't have any adobe products, including the reader on board.
Click to expand...

I don't have Adobe Reader either, but you know the warnings I have been getting. I think you seeing nothing is more a function of the malware being based on geoIP, as Vlk stated.

Peter2150 · Jul 31, 2010

Page42 said:

I don't have Adobe Reader either, but you know the warnings I have been getting. I think you seeing nothing is more a function of the malware being based on geoIP, as Vlk stated.
Click to expand...

You are probably right. I think this thread has been an eye opener, on many levels.

Page42 · Jul 31, 2010

Peter2150 said:

You are probably right. I think this thread has been an eye opener, on many levels.
Click to expand...

I agree. I know I have learned quite a bit, on many levels, as you noted.

Rmus · Aug 1, 2010

GTO_Jeff said:

I located 17 PHP pages with an obfuscated string:...

When I extracted the encoded string, this is what I got:...

You will see how each of the sites you are mentioning are selected. This is a very complex piece of code. It looks at the default search engine and modifies its response first to that. Then it appears to select a "color" based upon the browser that directs it to the .js file.
Click to expand...

While this seems very sophisticated, it's really just another plateau in the evolution of complex malware that began at least five years ago.

Back then, security analysts used the term "unicode" for obfuscating (disquising) the real code:

Hackers, Scammers Hide Malicious JavaScript On Web Sites
October 20, 2005 02:45 PM
http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=172302840

Attackers have sometimes created Byzantine paths between Web sites to further obscure their work, sending users from one site to another via IFRAME exploits and hidden JavaScript. Sites seen using the JS/Wonka routines include those that spoof search engine results, disable pop-up blockers, falsely claim that the PC is infected with spyware, and market spammed products such as fake pharmaceuticals, low-rate mortgages, pornography, and illegally-copied software.
Click to expand...

Here is an example from that time:

http://www.urs2.net/rsj/computing/tests/postcards/

One of the HTML files that is cached selects the exploit based on the version of Windows and the IE browser. The actual code:
Code:
// launching exploit which number is depends on Windows and IE versions
function Get_Win_Version(IE_vers)
   
     if (IE_vers.indexOf('Windows 95') != -1) return "95"
     else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
     else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
     else if (IE_vers.indexOf('Windows 98') != -1) return "98"
     else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
     else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
     else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
This is a forerunner of the Exploit Kit which serves up malware to exploit vulnerabilities in different browsers and other applications.

Postcards even checks for the presence of certain AV:
Code:
 if ((fNortonAV==0)&&(fMcAfee==0))
 { ExploitNumber=3; } 
     else
     { ExploitNumber=2; }
I mention a bit of history because it's easy to get caught up in the sensational aspects of remote code execution attacks and lose sight of the easy ways these attacks are thwarted from running their executable payloads.

I mentioned in a previous TDSS thread that for all of the sophistication of malware exploits, they still depend on the 2 tried and proven methods of attack. Marco of Prevx responds.

https://www.wilderssecurity.com/showthread.php?t=265297

Originally Posted by Rmus
I see that this sneaky trojan can be prevented by the usual methods one would employ against both the remote code execution exploit, and the social engineering exploit. For all of the sophistication of today's malware, the delivery mechanisms for the dropper haven't changed much!
........
Actually it's totally true

Marco
Click to expand...

So, no matter the sophistication of the code, it still has to get a malware executable onto the system.

----
rich

Log in or Sign up

Analysis of password-strength page at unwrongest website (split from password thread)

CloneRanger Registered Member

wat0114 Guest

Attached Files:

7-30-2010 11-15-18 PM.png

Peter2150 Global Moderator

Page42 Registered Member

Page42 Registered Member

Peter2150 Global Moderator

Page42 Registered Member

Rmus Exploit Analyst

Log in or Sign up

Analysis of password-strength page at unwrongest website (split from password thread)

CloneRanger Registered Member

wat0114 Guest

Attached Files:

7-30-2010 11-15-18 PM.png

Peter2150 Global Moderator

Page42 Registered Member

Page42 Registered Member

Peter2150 Global Moderator

Page42 Registered Member

Rmus Exploit Analyst

Useful Searches