obfuscated java script that result to drive-by download

This forum focuses on analyzing malware and any aspects of dealing with packer protections.
ansar313
Junior Member
Posts: 1
Joined: Sun May 26, 2013 1:54 am

obfuscated java script that result to drive-by download

Post by ansar313 »

I have been asked to analyze a website with suspicious activity such as drive-by download malware.

The source code of the page is this:

<iframe src="/ca172171ce451f92c398830a954d402b/q.php?vywnynlp= 30:1g:1g:1o:1i&fgmv=r&vvoujby=1i:31:32:1g:1n:1h:1l:1l:1n:31&kxt=1f:1d:1f:1d:1f:1d:1f"></iframe>
I can't understand the value of the attribute that is sent to q.php through the GET method

vywnynlp=30:1g:1g:1o:1i&fgmv=r&vvoujby=1i:31:32:1g:1n:1h:1l:1l:1n:31&kxt=1f:1d:1f:1d:1f:1d:1f
Please help me and tell me how I can decode the encrypted value.
Woodmann
Posts: 3605
Joined: Fri Jan 26, 2001 6:28 pm

Post by Woodmann »

You can't decode that.

Woodmann
Learn Or Die.
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

Woodmann's right. You can't.

However, what you have to understand here is that this website was probably built by a hacker to be able to download malware onto unsuspecting users. What this means is that HIS website is not really protected very hard. In fact, I'd reckon he would be focusing more on his drive-by malware download payload execution rather than HIS own website security.

So, what does all this mean?

What it means, son, is that you can use WGET (or any other OFFLINE DOWNLOADER), with the robots.txt set to OFF (wget specific only) and MIRROR the entire goddamned website! THEN, you can decrypt it and encrypt it and do whatever you want with it, because you will now have its 'source code', which HAS to be present to be able to decrypt this gunk.

Comprende? Let us know how it goes.

Have Phun

EDIT1: For some reason, the above looks like MAC addresses. Not sure, just a hunch.
EDIT2: The kxt= part got me looking and I kind of stumbled upon this link

http://www.ai.mit.edu/courses/6.863/doc/ktext.html
EDIT3: But the beauty is, if I put in

&kxt=1f:1d:1f:1d:1f:1d:1f
in Google, I get a LOT of hits - a few are also javascripts which are similar to this. After this, it's a matter of tracing to get the real meat-- Have Phun
Blame Microsoft, get l337 !!
R33N
Junior Member
Posts: 11
Joined: Wed Sep 23, 2009 6:27 pm

Blackhole Exploit Kit Delivery

Post by R33N »

ansar313 wrote:I have been asked to analyze a website with suspicious activity such as drive-by download malware.

The source code of the page is this:

<iframe src="/ca172171ce451f92c398830a954d402b/q.php?vywnynlp= 30:1g:1g:1o:1i&fgmv=r&vvoujby=1i:31:32:1g:1n:1h:1l:1l:1n:31&kxt=1f:1d:1f:1d:1f:1d:1f"></iframe>
I can't understand the value of the attribute that is sent to q.php through the GET method

vywnynlp=30:1g:1g:1o:1i&fgmv=r&vvoujby=1i:31:32:1g:1n:1h:1l:1l:1n:31&kxt=1f:1d:1f:1d:1f:1d:1f
Please help me and tell me how I can decode the encrypted value.
You are looking at one of many payloads delivered by a Blackhole landing page. It is common to see the q.php? with those parameters when an executable is being delivered. So if you have traffic logs you need to go back a bit and look for the landing page delivery (jar applets, pdf's, etc.). If this was part of a delivery to a system and you have an older version of Java or Flash I would look there first. The Java cache folder and the .idx files there are helpful.

Something to mention is that they have been delivering executables through jars for a while. What has changed is they are using the jars as a crypto layer on top of the delivery. This is starting to spread to many exploit kits out there.

Here are some starting points to identify deliveries for this kit if you are interested: http://urlquery.net/search.php?q=%2Fq.p ... 31&max=50; http://contagiodump.blogspot.com/2010/0 ... date.html; http://www.malwaresigs.com/category/exp ... gnatures/; and many more, just google Blackhole Exploit Kit.

Deliveries have ranged greatly on this kit. (Citadel, Zeus P2P, Zero Access, Rogue AV, etc.) Sometimes with a downloader in between like pony downloader.

If you are looking at traffic analysis or malware to reverse then you should not just be looking at that exploit kit but many others. Some that I commonly see are Cool, Styx, Sweet Orange, Redkit, to name a few of the larger ones.
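As an added example (not code from this thread or from any of the posters), the following Python script shows the log-review step R33N describes: it scans proxy-log lines for requests with the shape of the quoted payload URL (a q.php path whose query values are runs of short colon-separated base-36-looking tokens) and, for each hit, lists the same client's preceding requests as candidate landing pages to examine. The query string is the one quoted in the thread; the log format, host names, client addresses and timestamps are constructed assumptions. The MAC-address line illustrates Aimless's EDIT1 hunch: a single colon-separated value is not enough on its own to trip the rule.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample proxy log (assumed format): timestamp client method url status content-type.
# Host names and client addresses are placeholders; the q.php query string is the one from the thread.
SAMPLE_LOG = """\
2013-05-26T01:54:10Z 10.0.0.15 GET http://news.example.test/index.html 200 text/html
2013-05-26T01:54:12Z 10.0.0.15 GET http://cdn.example.test/ca172171ce451f92c398830a954d402b/q.php?vywnynlp=30:1g:1g:1o:1i&fgmv=r&vvoujby=1i:31:32:1g:1n:1h:1l:1l:1n:31&kxt=1f:1d:1f:1d:1f:1d:1f 200 application/octet-stream
2013-05-26T01:55:01Z 10.0.0.22 GET http://shop.example.test/q.php?id=42 200 text/html
2013-05-26T01:55:03Z 10.0.0.22 GET http://inventory.example.test/q.php?mac=00:1a:2b:3c:4d:5e 200 text/html
"""

# A query value made of at least two short base-36 tokens separated by colons, e.g. "30:1g:1g:1o:1i".
TOKEN_VALUE = re.compile(r"^[0-9a-z]{1,2}(?::[0-9a-z]{1,2})+$")

# How many such values a single request must carry before it is flagged.
MIN_TOKEN_VALUES = 2


def parse_line(line):
    """Split one constructed log line into its six whitespace-separated fields."""
    ts, client, method, url, status, ctype = line.split()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status, "ctype": ctype}


def looks_like_kit_payload_request(url):
    """True when the URL has a q.php path and several token-style query values."""
    parts = urlsplit(url)
    if not parts.path.endswith("/q.php"):
        return False
    # keep_blank_values so a parameter with an empty value still counts as present
    values = [v.strip() for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = sum(1 for v in values if TOKEN_VALUE.match(v))
    return hits >= MIN_TOKEN_VALUES


def find_payload_requests(log_text, lookback=3):
    """Return flagged requests, each with the client's last `lookback` earlier URLs.

    Those earlier URLs are the places to look for the landing page that
    delivered the applet/PDF, as the post above recommends.
    """
    history = defaultdict(list)  # client address -> earlier records, in order
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if looks_like_kit_payload_request(rec["url"]):
            findings.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "url": rec["url"],
                "content_type": rec["ctype"],
                "preceding": [r["url"] for r in history[rec["client"]][-lookback:]],
            })
        history[rec["client"]].append(rec)
    return findings


if __name__ == "__main__":
    for f in find_payload_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} payload request: {f['url']} ({f['content_type']})")
        for earlier in f["preceding"]:
            print(f"    candidate landing page: {earlier}")
```

The rule deliberately requires more than one token-style value: a lone value such as a MAC address or an IPv6 fragment has the same surface shape, so a single match is treated as noise. Tune `MIN_TOKEN_VALUES` and `lookback` to the logs you actually have, and treat a hit as a pointer to the preceding requests rather than as a verdict on its own.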