Avast WEBforum
Other => Viruses and worms => Topic started by: !Donovan on June 04, 2012, 07:18:24 PM
-
See: https://www.virustotal.com/url/3345047f0ac663c69820d597570befbd3feeffacb35136a4defc7d1a14c40363/analysis/
And: https://www.virustotal.com/file/79b3bcf5269b102fe38c4888350154bd1fdde9454afddc2ad2e062437f4842fe/analysis/1338828393/
Only McAfee detects this zero-day blackhole exploit. And maybe because of the obfuscation method it uses:
- Inside of the pre and b (bold) tag is an i (italic) tag with the id (identity) of "asd". This contains the malscript
- "e" is defined as a window eval (different from regular eval)
- All "," characters are removed from "asd"
- "s" is set as a new variable
- A loop of createElement is started, repeating until it matches the length of the revised "asd"
- When (if) the CPU returns the exploit error, it defines "s" as the following:
"a" (see above) multiplied by "k" (number when crash occurred) - (12 % [modulus (division remainder)] "k")
And from there, the eval reads "s".
info: DecodedGenericCLSID detected D27CDB6E-AE6D-11CF-96B8-444553540000 CA8A9780-280D-11CF-A24D-444553540000
malicious: Alert detected /alert CVE-2010-0249 MSIEUseAfterFree (CreateElement called 13555 times)
See: http://cwe.mitre.org/data/definitions/416.html
More antiviruses need to detect this.
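The obfuscation steps listed above (carrier text in an italic tag inside pre/b, an alias for window.eval, comma stripping, a createElement loop, and an eval of the rebuilt string) can be turned into simple co-occurrence heuristics for a landing-page scanner. The code below is an added example, not from the post or from any scanner mentioned in it; the sample page it scans is constructed to mirror the described layout with placeholder text and contains no exploit.

```python
import re

# Heuristics derived from the obfuscation steps described in the post above.
# Each entry: (name, compiled regex), matched against the raw HTML/JS text.
HEURISTICS = [
    ("italic_carrier_in_pre_b", re.compile(r"<pre[^>]*>\s*<b[^>]*>\s*<i\b[^>]*\bid=", re.I | re.S)),
    ("window_eval_alias",       re.compile(r"\b\w+\s*=\s*window\.eval\b")),
    ("comma_stripping",         re.compile(r"\.replace\(\s*/,/g\s*,")),
    ("createelement_loop",      re.compile(r"for\s*\([^)]*\)\s*\{[^}]*createElement\(", re.S)),
    ("eval_of_built_string",    re.compile(r"\b(?:e|eval)\(\s*s\s*\)")),
]

def match_heuristics(page_text):
    """Return the names of the heuristics that fire on the given page text."""
    return [name for name, rx in HEURISTICS if rx.search(page_text)]

def is_suspicious(page_text, threshold=3):
    """Flag only when several independent indicators co-occur; any one alone is noisy."""
    return len(match_heuristics(page_text)) >= threshold

# Constructed sample mimicking the layout described in the post (not the real landing
# page: the carrier text is a placeholder and the script only mirrors the decoding steps).
SAMPLE_LANDING = """<html><body>
<pre><b><i id="asd">7,2,0,9,1,4,a,b,c</i></b></pre>
<script>
var e = window.eval;
var a = document.getElementById("asd").innerHTML.replace(/,/g, "");
var s;
for (var k = 0; k < a.length; k++) { document.createElement("div"); }
e(s);
</script></body></html>"""

# Constructed benign page with ordinary markup and a harmless loop, to show the scanner stays quiet.
SAMPLE_BENIGN = """<html><body><pre><b>config:</b> ok</pre>
<script>var items = ["a","b"]; for (var i = 0; i < items.length; i++) { console.log(items[i]); }</script>
</body></html>"""

if __name__ == "__main__":
    for label, text in (("landing", SAMPLE_LANDING), ("benign", SAMPLE_BENIGN)):
        print(label, match_heuristics(text), "suspicious" if is_suspicious(text) else "clean")
```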
-
Well, it is very new... on VT
First seen by VirusTotal
2012-06-04 16:46:33 UTC ( 44 minutter ago )
-
This kind of CVE exploit comes from 2010.
-
Hi !Donovan & Pondus,
urlQuery alerts it: http://urlquery.net/report.php?id=63667 (not a lot of Blackhole that scanner lets slip by),
but the really good news here is that we are being protected by the avast Network Shield, which blocks the connection to -main.php?page=4e9648fa89b4c6cc
as URL:Mal immediately. So we are being protected, my friends,
polonus
-
Hi !Donovan and Pondus,
You have to be aware that a lot of old malware is being revamped and recycled to make the rounds again.
I see a lot of that going around lately. The detection patterns have left the memory of the older analysts and the young haven't met them yet, so it is as it is with fashion: "red polka dots" from 2007 now reappear as the latest trend for 2012. This goes even for the exploits being used again,
polonus
-
I am now thinking that once a zero-day threat becomes less common, the common antivirus removes definitions to save file space. :-\
-
Hi !Donovan,
It is not dramatic, but they have to make a selection to make it go round for the general user to be best protected.
So what to include and what to leave out? The shields will do the additional...
polonus
-
I assume you're right, Polonus. Too many definitions could slow things down.
It is nice that the netshield blocks the site. :)