Note: Please don’t try it at home if you are not protected yet, because it contains:
Drive-by Downloads
A drive-by download is computer code that takes advantage of a software bug in a Web browser to make it do something that the attacker wants—such as run malicious code, crash the browser, or read data from the computer. Software bugs that are open to browser attacks are also known as vulnerabilities.
The problem is in server-generated messages (404 in this case); please look at the attached image. There are injected scripts (several copies of the identical one). The hidden iframe tag is located under the encryption; it points to a known malicious website.
You will have to remove all the scripts (shown in the image) and check the security of your server (passwords, vulnerabilities, etc.).
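A quick way to find what the post above describes in a server-generated error page, as an added example that is not from any poster in this thread: parse the HTML, flag iframes that are sized to zero or hidden by style, and spot inline scripts that are byte-identical copies of each other or lean on `unescape`/`eval`-style decoding. The 404 body below is constructed for the example (the host in it is a placeholder, not the site discussed here).

```python
import hashlib
from collections import Counter
from html.parser import HTMLParser

# Constructed sample: a 404 page with two identical injected scripts and a
# zero-sized iframe. Placeholder host, not the real one from the thread.
SAMPLE_404 = """<html><head><title>404 Not Found</title>
<script>var a=unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fmalicious.example%2F%22%3E');</script>
</head><body><h1>Not Found</h1>
<script>var a=unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fmalicious.example%2F%22%3E');</script>
<iframe src="http://malicious.example/index.php" width="0" height="0" style="display:none"></iframe>
<p>The requested URL was not found on this server.</p>
</body></html>"""

# Strings commonly used to hide an injected payload behind a decoding step.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "fromCharCode", "document.write(")


class InjectionScanner(HTMLParser):
    """Collects inline <script> bodies and <iframe> attributes from a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # text of each inline <script> block
        self.iframes = []      # attribute dict of each <iframe>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
        elif tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf).strip())
            self._in_script = False


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    return value.strip().lower().rstrip("px") in ("0", "1")


def is_hidden_iframe(attrs):
    """An iframe a visitor cannot see: zero-sized or hidden via inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan_html(html):
    """Return indicators of injected content found in the page."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    digests = Counter(hashlib.sha256(s.encode()).hexdigest() for s in parser.scripts)
    return {
        "script_count": len(parser.scripts),
        # identical scripts repeated in one page, as in the thread's screenshot
        "duplicate_script_hashes": [d for d, n in digests.items() if n > 1],
        "obfuscated_scripts": sum(
            1 for s in parser.scripts if any(m in s for m in OBFUSCATION_MARKERS)
        ),
        "hidden_iframes": [a.get("src", "") for a in parser.iframes if is_hidden_iframe(a)],
    }


if __name__ == "__main__":
    for key, value in scan_html(SAMPLE_404).items():
        print(f"{key}: {value}")
```

Run it against the saved response body of the error page (fetched from a sandbox, not a production browser); every hit under `hidden_iframes` or `duplicate_script_hashes` is a block to remove from the template, and the script hashes give you something stable to search the rest of the site for.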
I just went to check out that page; here’s what Microsoft Forefront Client Security had to say, almost immediately.
Virus: JS/Decdec.A. Risk level: Severe. Advice: Remove this program immediately.
Programs that may compromise your privacy or damage your computer were detected.
I let it run in a sandbox, then grabbed the malicious JS and de-obfuscated it. Here are the results:
hxxp://www.kotopes.cn/forum/image/index.php returned a 404 Not Found, but hxxp://www.kotopes.cn is still alive and well. It’s possible, too, that the 404 Not Found is an evasive maneuver.
You couldn’t be more right on that JAR. I just loaded it; for some reason (maybe NoScript interfered with it?), it loaded as text. One thing caught my eye immediately: “payload”. I’m going to download that and analyze it in a sandbox.
EDIT: wow, was that fast. I saved the JAR file, renamed it to a zip, and started extracting it; Microsoft Forefront Client Security immediately yelled about “Exploit:Java/CVE-2008-5353-B. Alert level: severe”, “Trojan:Java/Selace.B” and “Trojan:Java/Selace.A”.
WOW, is this blatant: the JAR contains three files, AppletX.class, LoaderX.class, and PayloadX.class. PayloadX.class triggered “Trojan:Java/Selace.B”, AppletX.class triggered “Exploit:Java/CVE-2008-5353-B”, and LoaderX.class triggered “Trojan:Java/Selace.A”.
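A triage pass over a suspicious JAR before anyone opens it in a decompiler, as an added example that is not from any poster in this thread: list the entries, hash each one for lookup against AV or threat-intel feeds, and confirm every `.class` entry actually starts with the standard class-file header (magic `0xCAFEBABE`, then minor and major version). The JAR here is built in memory with stub entries named after the three files the post reports; the bytes are constructed placeholders, not the real sample, and one entry deliberately lacks the magic so the check has something to flag.

```python
import hashlib
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE  # first four bytes of every standard .class file


def build_sample_jar():
    """Constructed stand-in for the JAR under discussion (stubs, not bytecode)."""
    buf = io.BytesIO()
    # magic (4 bytes), minor (2), major (2); major 50 is the Java 6 class format
    valid_header = struct.pack(">IHH", CLASS_MAGIC, 0, 50)
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("AppletX.class", valid_header + b"\x00" * 16)
        zf.writestr("LoaderX.class", valid_header + b"\x01" * 16)
        # deliberately malformed: claims to be a class but has no class-file magic
        zf.writestr("PayloadX.class", b"NOTACLASS" + b"\x00" * 16)
    return buf.getvalue()


def triage_jar(jar_bytes):
    """Inventory a JAR: name, size, SHA-256, and class-file header sanity per entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            entry = {
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_class": info.filename.endswith(".class"),
                "valid_class_header": False,
                "major_version": None,
            }
            if entry["is_class"] and len(data) >= 8:
                magic, _minor, major = struct.unpack(">IHH", data[:8])
                if magic == CLASS_MAGIC:
                    entry["valid_class_header"] = True
                    entry["major_version"] = major
            findings.append(entry)
    return findings


def suspicious_entries(findings):
    """Entries named .class that do not start like one; a standard decompiler
    will reject these, so they warrant a byte-level look instead."""
    return [f["name"] for f in findings if f["is_class"] and not f["valid_class_header"]]


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    for e in report:
        print(f"{e['name']:24} {e['size']:6d} {e['sha256'][:16]}... "
              f"class={e['is_class']} header_ok={e['valid_class_header']} "
              f"major={e['major_version']}")
    print("suspicious:", suspicious_entries(report))
```

Feed `triage_jar` the bytes of a real sample from inside an isolated VM; the per-entry hashes are what you submit to a scanner or search for in intel, and an entry that fails the header check is a reasonable first thing to look at when a decompiler refuses the file.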
Let’s see about decompiling these three bad boys and see what comes out.
Hmm, Mocha doesn’t like these for some reason. It’s telling me they “aren’t valid class files”; does anybody know why, or what else I could use to decompile these?
Just from looking at them in a text editor, it looks like AppletX.class contains an overflow attack of some kind; right after a reference to Java’s String object, I found this, followed by a StringToBytes call: