
Thread: Malware? - - Was: State of local self defense

  1. #11
    David H. Lipman Guest

    Re: Malware? - - Was: State of local self defense

    From: "FromTheRafters" <erratic@nomail.afraid.org>

    | G. Morgan wrote:
    |
    | I got a blob of obfuscated javascript. While analyzing it, I
    | accidentally closed the program and lost it all. Going back three more
    | times did not give me the obfuscated javascript anymore.
    |
    | The obfuscation looked very similar to some I have seen before that had
    | eventually led to a Fake-AV trojan.

    Yeah. I ran it again and that JS is playing Hide & Seek. I think it is
    recording IPs and checking User-Agent. I ran it again under a sandbox and
    although no malware or successful exploitation occurred (the box is full of
    exploitable software from IE6, to Adobe Reader 9 to Sun Java v5 update X),
    I did capture the following screen.

    http://multi-av.thespykiller.co.uk/dump0.jpeg

    It "IS" associated with Black Hole Exploit kit sites.

    http://blog.dynamoo.com/2011/12/malw...from-your.html
    http://urlquery.net/report.php?id=10700



    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp


  2. #12
    FromTheRafters Guest

    Re: Malware? - - Was: State of local self defense

    David H. Lipman wrote:
    > From: "FromTheRafters" <erratic@nomail.afraid.org>
    >
    > | G. Morgan wrote:
    > |
    > | I got a blob of obfuscated javascript. While analyzing it, I
    > | accidentally closed the program and lost it all. Going back three more
    > | times did not give me the obfuscated javascript anymore.
    > |
    > | The obfuscation looked very similar to some I have seen before that had
    > | eventually led to a Fake-AV trojan.
    >
    > Yeah. I ran it again and that JS is playing Hide & Seek. I think it is
    > recording IPs and checking User-Agent. I ran it again under a sandbox and
    > although no malware or successful exploitation occurred (the box is full
    > of exploitable software from IE6, to Adobe Reader 9 to Sun Java v5
    > update X), I did capture the following screen.
    >
    > http://multi-av.thespykiller.co.uk/dump0.jpeg
    >
    > It "IS" associated with Black Hole Exploit kit sites.
    >
    > http://blog.dynamoo.com/2011/12/malw...from-your.html
    > http://urlquery.net/report.php?id=10700
    >

    Do you know what this line does?

    <script type="text/javascript"> jQuery(document).ready( function() {
    jQuery("a.confirm").click( function() { if ( confirm( 'Are you sure?' )
    ) return true; else return false; }); });</script>



  3. #13
    David H. Lipman Guest

    Re: Malware? - - Was: State of local self defense

    From: "FromTheRafters" <erratic@nomail.afraid.org>


    | Do you know what this line does?
    |
    | <script type="text/javascript"> jQuery(document).ready( function() {
    | jQuery("a.confirm").click( function() { if ( confirm( 'Are you sure?' )
    | ) return true; else return false; }); });</script>
    |

    No. But it is a good question for Ant.

    This script "is" playing hard to get.
    http://multi-av.thespykiller.co.uk/Image2.jpg
    Now you see it, now you don't. It's funny how I didn't see it this AM. Saw
    it tonight and when I go back, it's gone again.

    I think I have to experiment with a Proxy.

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp


  4. #14
    FromTheRafters Guest

    Re: Malware? - - Was: State of local self defense

    David H. Lipman wrote:
    > From: "FromTheRafters" <erratic@nomail.afraid.org>
    >
    >
    > | Do you know what this line does?
    > |
    > | <script type="text/javascript"> jQuery(document).ready( function() {
    > | jQuery("a.confirm").click( function() { if ( confirm( 'Are you sure?' )
    > | ) return true; else return false; }); });</script>
    > |
    >
    > No. But it is a good question for Ant.
    >
    > This script "is" playing hard to get.
    > http://multi-av.thespykiller.co.uk/Image2.jpg
    > Now you see it, now you don't. It's funny how I didn't see it this AM.
    > Saw it tonight and when I go back, it's gone again.
    >
    > I think I have to experiment with a Proxy.
    >

    Yep, that's the booger. I simplified the decoder too much (missed out on
    the h=-1) then accidentally closed the editor.

  5. #15
    David H. Lipman Guest

    Re: Malware? - - Was: State of local self defense

    From: "FromTheRafters" <erratic@nomail.afraid.org>

    | David H. Lipman wrote:
    >> From: "FromTheRafters" <erratic@nomail.afraid.org>
    >>

    |>> Do you know what this line does?
    |>>
    |>> <script type="text/javascript"> jQuery(document).ready( function() {
    |>> jQuery("a.confirm").click( function() { if ( confirm( 'Are you sure?' )
    |>> ) return true; else return false; }); });</script>
    |>>
    >> No. But it is a good question for Ant.
    >>
    >> This script "is" playing hard to get.
    >> http://multi-av.thespykiller.co.uk/Image2.jpg
    >> Now you see it, now you don't. It's funny how I didn't see it this AM.
    >> Saw it tonight and when I go back, it's gone again.
    >>
    >> I think I have to experiment with a Proxy.
    >>

    | Yep, that's the booger. I simplified the decoder too much (missed out on
    | the h=-1) then accidentally closed the editor.

    I won't go into details in public but it looks like the server decides when
    and if to host that script.

    Drop me an email FTR and I'll explain.

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp


  6. #16
    Dustin Guest

    Re: Malware? - - Was: State of local self defense

    FromTheRafters <erratic@nomail.afraid.org> wrote in
    news:jfl95n$f9m$1@dont-email.me:

    > David H. Lipman wrote:
    >> From: "FromTheRafters" <erratic@nomail.afraid.org>
    >>
    >> | G. Morgan wrote:
    >> |
    >> | I got a blob of obfuscated javascript. While analyzing it, I
    >> | accidentally closed the program and lost it all. Going back three
    >> | more times did not give me the obfuscated javascript anymore.
    >> |
    >> | The obfuscation looked very similar to some I have seen before
    >> | that had eventually led to a Fake-AV trojan.
    >>
    >> Yeah. I ran it again and that JS is playing Hide & Seek. I think it
    >> is recording IPs and checking User-Agent. I ran it again under a
    >> sandbox and although no malware or successful exploitation occurred
    >> (the box is full of exploitable software from IE6, to Adobe Reader 9
    >> to Sun Java v5 update X), I did capture the following screen.
    >>
    >> http://multi-av.thespykiller.co.uk/dump0.jpeg
    >>
    >> It "IS" associated with Black Hole Exploit kit sites.
    >>
    >> http://blog.dynamoo.com/2011/12/malw...from-your.html
    >> http://urlquery.net/report.php?id=10700
    >>

    > Do you know what this line does?
    >
    > <script type="text/javascript"> jQuery(document).ready( function() {
    > jQuery("a.confirm").click( function() { if ( confirm( 'Are you sure?'
    > ) ) return true; else return false; }); });</script>
    >
    >


    If you try closing the page or going "back", it comes up and asks "Are
    you sure?" This is the routine heh, that does it.


    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts

  7. #17
    Dustin Guest

    Re: Malware? - - Was: State of local self defense

    Dustin <bughunter.dustin@gmail.com> wrote in
    news:Xns9FE4BD80B687CHHI2948AJD832@no:

    > FromTheRafters <erratic@nomail.afraid.org> wrote in
    > news:jfl95n$f9m$1@dont-email.me:
    >
    >> David H. Lipman wrote:
    >>> From: "FromTheRafters" <erratic@nomail.afraid.org>
    >>>
    >>> | G. Morgan wrote:
    >>> |
    >>> | I got a blob of obfuscated javascript. While analyzing it, I
    >>> | accidentally closed the program and lost it all. Going back three
    >>> | more times did not give me the obfuscated javascript anymore.
    >>> |
    >>> | The obfuscation looked very similar to some I have seen before
    >>> | that had eventually led to a Fake-AV trojan.
    >>>
    >>> Yeah. I ran it again and that JS is playing Hide & Seek. I think it
    >>> is recording IPs and checking User-Agent. I ran it again under a
    >>> sandbox and although no malware or successful exploitation occurred
    >>> (the box is full of exploitable software from IE6, to Adobe Reader 9
    >>> to Sun Java v5 update X), I did capture the following screen.
    >>>
    >>> http://multi-av.thespykiller.co.uk/dump0.jpeg
    >>>
    >>> It "IS" associated with Black Hole Exploit kit sites.
    >>>
    >>> http://blog.dynamoo.com/2011/12/malw...from-your.html
    >>> http://urlquery.net/report.php?id=10700
    >>>

    >> Do you know what this line does?
    >>
    >> <script type="text/javascript"> jQuery(document).ready( function() {
    >> jQuery("a.confirm").click( function() { if ( confirm( 'Are you sure?'
    >> ) ) return true; else return false; }); });</script>
    >>
    >>

    >
    > If you try closing the page or going "back", it comes up and asks "Are
    > you sure?" This is the routine heh, that does it.
    >
    >


    Not sure if something is missing, though. Javascript isn't my speciality.


    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts

  8. #18
    FromTheRafters Guest

    Re: Malware? - - Was: State of local self defense

    Dustin wrote:
    > Dustin<bughunter.dustin@gmail.com> wrote in
    > news:Xns9FE4BD80B687CHHI2948AJD832@no:
    >
    >> FromTheRafters<erratic@nomail.afraid.org> wrote in
    >> news:jfl95n$f9m$1@dont-email.me:
    >>
    >>> David H. Lipman wrote:
    >>>> From: "FromTheRafters"<erratic@nomail.afraid.org>
    >>>>
    >>>> | G. Morgan wrote:
    >>>> |
    >>>> | I got a blob of obfuscated javascript. While analyzing it, I
    >>>> | accidentally closed the program and lost it all. Going back three
    >>>> | more times did not give me the obfuscated javascript anymore.
    >>>> |
    >>>> | The obfuscation looked very similar to some I have seen before
    >>>> | that had eventually led to a Fake-AV trojan.
    >>>>
    >>>> Yeah. I ran it again and that JS is playing Hide & Seek. I think it
    >>>> is recording IPs and checking User-Agent. I ran it again under a
    >>>> sandbox and although no malware or successful exploitation occurred
    >>>> (the box is full of exploitable software from IE6, to Adobe Reader 9
    >>>> to Sun Java v5 update X), I did capture the following screen.
    >>>>
    >>>> http://multi-av.thespykiller.co.uk/dump0.jpeg
    >>>>
    >>>> It "IS" associated with Black Hole Exploit kit sites.
    >>>>
    >>>> http://blog.dynamoo.com/2011/12/malw...from-your.html
    >>>> http://urlquery.net/report.php?id=10700
    >>>>
    >>> Do you know what this line does?
    >>>
    >>> <script type="text/javascript"> jQuery(document).ready( function() {
    >>> jQuery("a.confirm").click( function() { if ( confirm( 'Are you sure?'
    >>> ) ) return true; else return false; }); });</script>
    >>>
    >>>

    >>
    >> If you try closing the page or going "back", it comes up and asks "Are
    >> you sure?" This is the routine heh, that does it.
    >>
    >>

    >
    > not sure if some is missing tho. Javascript isn't my speciality.


    I think jquery functions for javascript like a library file does for
    executables.
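What the one-liner asked about in #12 actually does, as an added example that is not code from any poster: it selects every `<a>` carrying the class `confirm` and runs `confirm('Are you sure?')` when such a link is clicked, cancelling the navigation only if the user picks Cancel, which is ordinary site UI code rather than the obfuscated script being hunted. It is rewritten here in plain JavaScript with a constructed stand-in for the DOM so it runs under Node; a prompt on closing the page or going "back" would come from a `beforeunload` handler, which this snippet does not install.

```javascript
// Added example: the jQuery one-liner from the thread without jQuery, run against
// a constructed stand-in for the DOM so its behaviour can be checked under Node.
// The original is equivalent to: for every <a class="confirm">, on click show
// confirm('Are you sure?') and cancel the navigation only if the user answers Cancel.

// Minimal stand-in for the part of the DOM the snippet touches (constructed).
function makeLink(href, className) {
  return { href, className, handlers: [] };
}

// What jQuery("a.confirm").click(fn) does: select <a> elements that carry the
// class "confirm" and register fn as their click handler. Other links are untouched.
function attachConfirm(links, confirmFn) {
  for (const a of links) {
    if (a.className.split(/\s+/).includes('confirm')) {
      a.handlers.push(() => confirmFn('Are you sure?'));
    }
  }
}

// Simulate a click: a handler that returns false cancels the default navigation
// (jQuery maps `return false` to preventDefault + stopPropagation).
// Returns the URL the browser would navigate to, or null if the click was cancelled.
function click(a) {
  for (const h of a.handlers) {
    if (h() === false) return null;
  }
  return a.href;
}

// Worked run: one guarded link, one ordinary link, and a stubbed confirm() that
// answers `answer` (true = OK, false = Cancel) and counts how often it was shown.
function demo(answer) {
  const guarded = makeLink('/delete/42', 'btn confirm');
  const plain = makeLink('/home', 'btn');
  let prompts = 0;
  attachConfirm([guarded, plain], () => { prompts++; return answer; });
  return {
    guardedResult: click(guarded), // '/delete/42' when confirmed, null when cancelled
    plainResult: click(plain),     // always '/home': no class "confirm", no prompt
    prompts,                       // 1: only the a.confirm link ever asks
  };
}
```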


  9. #19
    G. Morgan Guest

    Re: Malware? - - Was: State of local self defense

    David H. Lipman wrote:

    >>> I think I have to experiment with a Proxy.
    >>>

    >| Yep, that's the booger. I simplified the decoder too much (missed out on
    >| the h=-1) then accidentally closed the editor.
    >
    >I won't go into details in public but it looks like the server decides when
    >and if to host that script.
    >
    >Drop me an email FTR and I'll explain.



    Would you mind copying me on that? I'd be very interested in your
    findings.

    My email address is real.

