347959 - Security problem, related to javascript

Status: RESOLVED INCOMPLETE

(Firefox :: Security, defect)

Description

[Faber]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

Fault in javascript security:
while searching for bus timetables on a site my antivirus alerted for a file called "ms.exe" dropped onto automatic startup folder.

Solutions i found: 
a. block the browser from opening "http://   js.gbeb.cc   /   advertizing   /" (I used the "hosts" file trick to prevent any browser from browsing that ****.)
b. turn javascript off.

Notes: I noticed that **** page has a script that's crypted but the string arguments.callee.toString().replace is in clear text. I think it somehow uses that function.




Reproducible: Always

Steps to Reproduce:
Steps: it's already explained in the "details" part.
Actual Results:  
a trojan ("ms.exe") is dropped to the startup folder I dunno what the exe can do but it's not good to have **** dropped to the startup folder.

Expected Results:  
Refuse the action ?

It may applies to other Fx versions and related software.


Please find a way to fix this. It's possible that many other sites are using such a way.

I dunno if this has been reported before, and say "sorry" from now for I'm to lazy to check out,but sincerely I don't have the time to do.

I hope this report can be helpful for someone.

Comment 1

[Bob Clary [:bc] (inactive)]

In order for this report to be useful we need to have enough information to reproduce the issue. 

What site were you browsing that did this? 
What anti-virus software do you have? 
When was the last time you updated Windows with security updates?
What plugins and extensions and their versions do you have installed? You can find plugins by typing about:plugins in the url bar and you can find the extensions installed in the Tools Extensions menu.

Comment 2

[Daniel Veditz [:dveditz]]

Attachment: de-fanged initial evil code (alerts instead of runs)

Comment 3

[Daniel Veditz [:dveditz]]

The initial evil sets some variables (is appName "Netscape" or not, is Java enabled, EXLogin='itother', etc.) and loads an iframe with abusecenter.org (DON'T LOAD). This is a newly registered domain (26-July-2006) that looks like a copy of the SpamCop abuse reporting form, but includes some more obfuscated code inline. This code uses basically the same decryptor as that above, but the decrypting key ('P') is different and it's passed different content:

<script type="text/javascript">
  // name="url_check" value="true"
  document.write('<input name="ref" id="ref" type="hidden" value="'+document.referrer+'">');
  function d(xC,P){if(!P){P='8TGDuz:;rl*L&^#dIMg+w|?7,@mtpb2Fi)-UvK0N5jyC/SE41VYRkZAJO(6q.f3=';}var e;var VT='';for(var I=0;I<xC.length;I+=arguments.callee.toString().replace(/\s/g,'').length-535){e=(P.indexOf(xC.charAt(I))&255)<<18|(P.indexOf(xC.charAt(I+1))&255)<<12|(P.indexOf(xC.charAt(I+2))&255)<<(arguments.callee.toString().replace(/\s/g,'').length-533)|P.indexOf(xC.charAt(I+3))&255;VT+=String.fromCharCode((e&16711680)>>16,(e&65280)>>8,e&255);}eval(VT.substring(0,VT.length-(arguments.callee.toString().replace(/\s/g,'').length-537)));}d('@:fUb?ZKtNIEbJljb:w5lRVjtNTZbGTE,?ZKdglZp0VF,A)K,A/-r:KvdglZp0VF,A)K,A/-r;M(p:wfr0)j@:MKt-rib0z/b?wfrNMYb?w-d-pj#Y8i');
</script>

This decrypts to an innocuous-looking document.write() of a hidden "url_check" field in the form.

Very suspicious, but nothing actually malicious. I wonder if they can tell I'm poking around and serve up alternate content?

Comment 4

[Daniel Veditz [:dveditz]]

SANS has an article on what appears to be a variant on this, perhaps an earlier version since the replace(/\s/g,'') in this version appears to get around the IE vs Firefox differences noted in the article.

http://isc.sans.org/diary.php?storyid=1519

Comment 5

[Daniel Veditz [:dveditz]]

I should mention that the page that loads the fake spamcop site "abusecenter.org" in an iframe also loads an image with parameters set by the first obfuscated code.

<img src=http://e1.extreme-dm.com/s10.g?login=itother&jv=y&j=y&srw=1400&srb=32&l=http%3A//somesite.tld>

even though you pass in information about things like whether Java is enabled ("jv=y") it doesn't seem to affect the content of the abusecenter.org site and I'm not seeing where the malware is coming from.

Comment 6

[Faber]

(In reply to comment #1)

What site were you browsing that did this? It's explained before.
What anti-virus software do you have? eWido
When was the last time you updated Windows with security updates? every day
What plugins and extensions and their versions do you have installed? You can
find plugins by typing about:plugins in the url bar and you can find the
extensions installed in the Tools Extensions menu.

Plugings: npnul32.dll NPSWF32.dll NPOFFICE.DLL (11.0.5510) npdrmv2.dll npdsplay.dll npwmsdrm.dll.

Comment 7

[Daniel Veditz [:dveditz]]

> What site were you browsing that did this? It's explained before.

js.gbeb.cc doesn't appear to contain bus timetables so it can't be the site you were browsing. Since the decrypted code doesn't appear to do anything bad (though it's very suspicious for how little it appears to do) there may be some key parameters passed in from the containing page that don't appear directly in the script you linked.

> Plugings: npnul32.dll NPSWF32.dll

What version of Flash?

Comment 8

[Daniel Veditz [:dveditz]]

What version of Windows Media Player are you running, do you have the Microsoft update to fix MS06-006? I saw another site with identical initial exploit format, with a different EXlogin and EXrsrv that eventually downloaded an attack using that flaw. But I never found that code in this case from this particular server when I tried to follow the trail so maybe this is using a different exploit.