Cross platform virus PoC

Discussion in 'malware problems & news' started by ronjor, Apr 7, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    sans.org
     
  2. SSK

    SSK Registered Member

  3. Rmus

    Rmus Exploit Analyst

    "Even today websites sending exploits to their visitors tend to detect what browser/platform the visitor is using and send a matching exploit to install some malware and earn their quarter for each confirmed installation."

    Example of a recent one, containing five exploits, searching for a machine with one or more vulnerabilities:

    ______________________________
    The script in the ie0601.htm file determines the Windows and IE browser versions and launches exploits accordingly: [some code removed]

    // launching exploit which number is depends on Windows and IE versions
    function Get_Win_Version(IE_vers)
    {
    if (IE_vers.indexOf('Windows 95') != -1) return "95"
    else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
    else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
    else if (IE_vers.indexOf('Windows 98') != -1) return "98"
    else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
    else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
    else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
    }

    For Example:

    case "2K":
    if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
    { ExploitNumber=1; }
    else // if JVM = 5.0.3810.0 or higher

    if ((fNortonAV==0)&&(fMcAfee==0))
    { ExploitNumber=3; }
    else
    { ExploitNumber=2; }
    ___________________________________________
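
Added example, not part of the thread or of the analysed script: a static heuristic a defender could run over captured page scripts to flag the fingerprint-then-dispatch pattern in the excerpt above (OS version ladder, JVM build comparison, antivirus-presence branch, numbered payload selection). The signal names, weights, threshold and both sample scripts are assumptions constructed for illustration.

```javascript
'use strict';
// Signal names, weights and THRESHOLD are assumptions chosen for illustration.
const THRESHOLD = 6;
const countDistinct = (src, re) => new Set(src.match(re) || []).size;

const SIGNALS = [
  { name: 'os-version-ladder', weight: 3, // several OS version strings probed
    test: (s) => countDistinct(s, /Windows (?:95|98|NT \d(?:\.\d)?)|Win 9x 4\.9/g) >= 3 },
  { name: 'jvm-build-compare', weight: 2, // JVM version element compared to a number
    test: (s) => /JVM\w*\s*\[\d+\]\s*(?:[<>]=?|[!=]=)\s*\d+/i.test(s) },
  { name: 'av-presence-branch', weight: 3, // branch on an antivirus-detected flag
    test: (s) => /\b\w*(?:norton|mcafee)\w*\s*[!=]=\s*[01]\b/i.test(s) },
  { name: 'numbered-dispatch', weight: 2, // one of several numbered payloads chosen
    test: (s) => countDistinct(s, /\b\w*exploit\w*\s*=\s*\d+/gi) >= 2 },
];

// Returns the total weight, the names of the signals that fired, and a verdict.
function scoreScript(src) {
  const hits = SIGNALS.filter((sig) => sig.test(src));
  const score = hits.reduce((sum, sig) => sum + sig.weight, 0);
  return { score, hits: hits.map((h) => h.name), suspicious: score >= THRESHOLD };
}

// Constructed samples: one modelled on the excerpt quoted in the thread,
// one an ordinary compatibility check that should not be flagged.
const SAMPLE_DISPATCHER = `
if (IE_vers.indexOf('Windows 98') != -1) return "98";
else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K";
else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP";
else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3";
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810)) { ExploitNumber=1; }
else if ((fNortonAV==0)&&(fMcAfee==0)) { ExploitNumber=3; }
else { ExploitNumber=2; }`;

const SAMPLE_BENIGN = `
var ua = navigator.userAgent;
if (ua.indexOf('Windows NT 5.1') != -1) { document.body.className = 'xp'; }
else if (ua.indexOf('Windows 98') != -1) { document.body.className = 'legacy'; }`;

console.log(scoreScript(SAMPLE_DISPATCHER));
console.log(scoreScript(SAMPLE_BENIGN));
```

A single user-agent check scores nothing on its own; the verdict depends on several of the behaviours appearing together in one script.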
     