Stealthy JavaScript exploit

A JavaScript coming from an iframe banner advertisement offered me a closer look at what causes the Exploit Rogue Scanner Alert to pop up, but it didn’t scan the download file that was in the delivery package.

The script function attempted to load over 29,000 characters into a single JavaScript variable.
I know of many buffer issues and IE exploits but this one is new for me.

Example (cut by thousands):

var x304c1e = "60$100$98$84$120$72$75$32$75$118$72$115$61$34$75$115$79$75$47$77$119$97$119$100$98$
84$120$72$75$34$62$97$119$84$32$85$120$100$75$87$119$78$115$32$61$32$87$115$101$32$66$84$84$119$118$

Each time I refreshed the page the script changed but the length remained about the same or within a couple of hundred characters.

I’m guessing this is an IE Exploit.
Ok that is what the iframe was doing. But that wasn’t everything.

I noticed a file attempting to download on the third attempt.
After looking at the source code of the page the file download page was also changing and random.

Example:
Load 1:

var d_e4da416a = '2_2ee665.php'+'?af'+'fid=';

Load 2:

var d_e124e6ef = 'e_e124e6.php'

etc.

Now I see the Exploit script changing on every page load and the package delivery page changing.
That is smooth for the iframe advertiser because it’s impossible to report a site page when it’s only there for a second or two.

The page shown above (php) would offer an install.exe file that seemed to be clean, or AVG cleaned it out every time I attempted to download it.
It shows as a 1 MB exe file but comes up empty.

My Question:
Could one of the experts download the install.exe file and report what it is actually attempting to do?
Also the IP / URL might need to be added to a blacklist.

Here are the tech notes: (Please do not visit this site if you are not a virus expert. You must turn off all ActiveX and scripting options or use an API to pull the page source code.)

IP: 188.124.5.154 (Turkey)
File name: index.html

Within the source code of the index.html page you will find the .php page that is created at random on each page load.
It will attempt to download a file “install.exe”.
If you copy the php page (which will be X_XXXXX.php) before you refresh the page, you’ll find the page active on the server. After you refresh, the temporary page will be removed by the script.

I’m interested in what the install.exe has in mind because the delivery system is very good and almost stealthy.

Question:

  1. Is the install.exe a virus / malware / trojan or something bad that’s new?
    If it’s a joke, tell me anyway because I need a good laugh.

  2. Was the Exploit Rogue Scanner alert caused by the random download or the actual javascript 29,000+ characters in length? (From the index.html page or the random.php page?)

Thanks.
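To see what a string like the one quoted above actually carries without running it, here is an added Python decoder (my own example, not code from this post or from the site it describes). It pulls every `var name = "..."` assignment whose value is a `$`-separated list of decimal character codes, converts the codes to text, and reports the length and a preview for an analyst. The sample input is constructed from the fragment quoted in the post, with a closing quote and semicolon added; the variable name x304c1e comes from the post, the function names are mine.

```python
import re

# Constructed sample modelled on the fragment in the post above: a
# JavaScript assignment whose string value is a '$'-separated list of
# decimal character codes (the real one ran to 29,000+ characters).
SAMPLE_JS = (
    'var x304c1e = "60$100$98$84$120$72$75$32$75$118$72$115$61$34$75$115'
    '$79$75$47$77$119$97$119$100$98$84$120$72$75$34$62$97$119$84$32$85'
    '$120$100$75$87$119$78$115$32$61$32$87$115$101$32$66$84$84$119$118";'
)

# Matches: var <name> = "<digits and dollar signs>"
ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*"([\d$]+)"')

def extract_code_strings(js_text):
    """Return {variable_name: raw '$'-separated code list} for every
    assignment of a dollar-separated decimal string found in js_text."""
    return {name: raw for name, raw in ASSIGN_RE.findall(js_text)}

def decode_dollar_codes(raw):
    """Turn '60$100$98' into the characters those decimal codes denote.
    Non-numeric or out-of-range fields are rejected rather than guessed."""
    out = []
    for field in raw.split('$'):
        if not field.isdigit() or int(field) > 0x10FFFF:
            raise ValueError(f"unexpected field {field!r}")
        out.append(chr(int(field)))
    return ''.join(out)

def summarize(js_text):
    """Decode every matched variable and report its size and a preview,
    so the payload shape can be inspected without executing the script."""
    report = {}
    for name, raw in extract_code_strings(js_text).items():
        decoded = decode_dollar_codes(raw)
        report[name] = {
            "encoded_len": len(raw),
            "decoded_len": len(decoded),
            "looks_like_markup": decoded.lstrip().startswith('<'),
            "preview": decoded[:40],
        }
    return report

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_JS).items():
        print(name, info)
```

For the quoted fragment the decoded text begins with `<dbTxHK KvHs=`, which is tag-shaped but not readable JavaScript, so a second encoding layer sits behind this one and the decoder only strips the first.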

This is not just an IE exploit, it is a malicious rogue download site that ‘scans’ your PC…

It was actually quite funny to see it scan my linux VM with a windows appearance… ;D

Unfortunately, detection is pretty low: http://www.virustotal.com/analisis/9d901860d812ca24fc9c519eccad055e58c11e1e86308d78b69a02195dfcc421-1266944939

It looks to be part of Koobface.

I will send this to ALWIL also…

It is, however, detected by MBAM, and I imagine that the pro version will prevent the installation of this.

-Scott-

Also read this about ad-poisoning http://blog.avast.com/2010/02/18/ads-poisoning-–-jsprontexi/.

So there are lots of different issues related to ads.

This is where the web shield for the most part comes into its own, as it is generally good at detecting this obfuscated code. Unfortunately, the Firefox safe browsing feature blocks the site, and there is no way I would go play in that swamp using IE to see if the web shield would alert on the obfuscated JavaScript…