Cross platform virus PoC

Discussion in 'malware problems & news' started by ronjor, Apr 7, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,324
    Location:
    Texas
    sans.org
     
  2. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    "Even today websites sending exploits to their visitors tend to detect what browser/platform the visitor is using and send a matching exploit to install some malware and earn their quarter for each confirmed installation."

    Example of a recent one, containing five exploits, searching for a machine with one or more vulnerabilities:

    ______________________________
    The script in the ie0601.htm file determines the Windows and IE browser versions and launches exploits accordingly: [some code removed]

    // launch the exploit whose number depends on the Windows and IE versions
    function Get_Win_Version(IE_vers)
    {
    // indexOf returns -1 when the substring is absent from the user-agent string
    if (IE_vers.indexOf('Windows 95') != -1) return "95"
    else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
    else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
    else if (IE_vers.indexOf('Windows 98') != -1) return "98"
    else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
    else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
    else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
    }

    For Example:

    case "2K":
    if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
    { ExploitNumber=1; }
    else // if JVM = 5.0.3810.0 or higher

    if ((fNortonAV==0)&&(fMcAfee==0))
    { ExploitNumber=3; }
    else
    { ExploitNumber=2; }
    ___________________________________________
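
For analysts triaging captured page scripts, the pattern in the excerpt above (enumerate Windows versions, check for antivirus products, then set a numeric selector) can be flagged statically. This is an added example, not part of the original post or the analysed script; the function name `triageScript`, the thresholds and both sample inputs are assumptions constructed for illustration.

```javascript
// Heuristic triage for the fingerprint-then-dispatch pattern (assumed thresholds).
// Windows version strings are the ones listed in the quoted script.
const OS_MARKERS = ['Windows 95', 'Windows NT 4', 'Win 9x 4.9', 'Windows 98',
                    'Windows NT 5.0', 'Windows NT 5.1', 'Windows NT 5.2'];
// Vendor names inferred from the quoted flag names fNortonAV and fMcAfee.
const AV_MARKERS = [/norton/i, /mcafee/i];

function triageScript(src) {
  // Pull out string literals; OS markers are matched against these only.
  const literals = [...src.matchAll(/(['"])((?:\\.|(?!\1).)*)\1/g)].map(m => m[2]);
  const osHits = OS_MARKERS.filter(m => literals.some(l => l.includes(m)));
  const avHits = AV_MARKERS.filter(re => re.test(src)).map(re => re.source);
  // A variable assigned two or more different integer constants looks like a selector.
  const assigned = new Map();
  for (const m of src.matchAll(/\b([A-Za-z_$][\w$]*)\s*=\s*(\d+)\s*;/g)) {
    if (!assigned.has(m[1])) assigned.set(m[1], new Set());
    assigned.get(m[1]).add(m[2]);
  }
  const selectors = [...assigned].filter(([, v]) => v.size >= 2).map(([k]) => k);
  // Flag only when OS enumeration is combined with AV checks or a selector.
  const suspicious = osHits.length >= 3 && (avHits.length > 0 || selectors.length > 0);
  return { osHits, avHits, selectors, suspicious };
}

// Constructed sample reusing identifiers from the excerpt; it carries no payload.
const SAMPLE_DISPATCH = `
function Get_Win_Version(ua) {
  if (ua.indexOf('Windows NT 5.0') != -1) return "2K";
  if (ua.indexOf('Windows NT 5.1') != -1) return "XP";
  if (ua.indexOf('Windows NT 5.2') != -1) return "2K3";
}
if ((fNortonAV == 0) && (fMcAfee == 0)) { ExploitNumber = 3; } else { ExploitNumber = 2; }
`;
// Constructed benign sample: a single version check for a layout workaround.
const SAMPLE_BENIGN =
  "if (navigator.userAgent.indexOf('Windows NT 5.1') != -1) { legacyFontSize = 12; }";

console.log(triageScript(SAMPLE_DISPATCH).suspicious, triageScript(SAMPLE_BENIGN).suspicious);
```

A hit is a reason to look closer, not a verdict: legitimate user-agent parsing libraries also enumerate OS versions.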
     