I stumbled upon a fake website that targets Skype users with the lure of vouchers or gift certificates. Below is the definition of Skype vouchers from Skype's own website:
Skype vouchers are electronic Skype Credit vouchers sold in various retail outlets. You don’t have to pay for the vouchers online and they make a great gift for family and friends so that you can keep in touch through Skype.
Vouchers are sometimes included with Skype accessories, or as part of a promotion.
Let's have a look at what is inside the fake page:
Figure 1: Source of the fake website
Figure 1 shows the misleading page title. You can also see a hidden iframe that pulls content from a different website.
Following that hidden iframe, we arrive at an obfuscated script.
Figure 2: Obfuscated script
Some variables are highlighted in Figure 2. When the script runs, these variables are assembled into a window.eval() call. Now let us modify the script so that our script emulator can capture the string passed to eval():
Figure 3: Modification part 1
Figure 3 shows that we need to remove some if-statements to make sure the script executes under the emulator. Notice that one of them checks the current year: the script does not run properly unless that check is satisfied. In addition, correct deobfuscation of the script depends on the integer value used in the year check. We will come back to this in a moment; for now, let's just deobfuscate the script.
Figure 4: Modification part 2
Figure 4 shows which variable ends up holding the eval() call. After the modifications, execute the script and dump the eval() argument. Figure 5 below shows the result.
Figure 5: Deobfuscated script code
Now you will see another set of hidden iframes that connect to yet another site, which in turn loads two malicious Java files:
Figure 6: Load Java applets
Sample 1: Java exploit
MD5 hash: d3f933524c85c96a76f7ffd516d335c0
VirusTotal scan result available here
Sample 2: Java exploit
MD5 hash: 58db6e6e25d9b8e4742f2ef9b43c3818
VirusTotal scan result available here
These Java files exploit the following vulnerability:
CVE-2011-3544 - Oracle Java Applet Rhino Script Engine Remote Code Execution
Going back to the date check and its value: Figure 7 shows the integer value changed from "012" to "011".
Figure 7: Integer value modification
Now, let's dump the result to a file.
Figure 8: Result of the wrong value
You can see in Figure 8 that the result is now just a run of unreadable characters: the decoding depends on the year value, so the wrong integer produces garbage instead of the second-stage script.
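To show the two analysis steps above in working code, here is an added example (not code from the original post or from the malicious page): a minimal script emulator that hands a constructed, year-keyed sample script a fake window whose eval() only records its argument. The sample's XOR key derivation, the example.invalid iframe it decodes to, and the function names are all assumptions made for this illustration; supplying "011" instead of "012" reproduces the unreadable output of Figure 8.

```javascript
// Added example, not code from the original post: a minimal "script emulator"
// that captures what a keyed script hands to window.eval() instead of running it.
// The obfuscated sample below is constructed; it decodes its payload with a key
// derived from the two-digit year (the "012" check on the page), so supplying
// the wrong year value yields unreadable bytes, as Figures 7 and 8 show.

const CORRECT_YEAR = 12; // the "012" the real script compares against
// Constructed second stage: a hidden iframe pointing at a reserved placeholder domain.
const STAGE = '<iframe src="http://example.invalid/" width="1" height="1"></iframe>';

// Key derivation the constructed sample uses: one XOR byte derived from the year.
function keyFromYear(yearValue) {
  return (yearValue * 0x9e) & 0xff; // 12 -> 0x68, 11 -> 0xca
}

// Analyst-side helper: produce the hex payload the constructed sample carries.
function encodePayload(plain, yearValue) {
  const k = keyFromYear(yearValue);
  return Array.from(plain, ch => (ch.charCodeAt(0) ^ k).toString(16).padStart(2, "0")).join("");
}

const PAYLOAD = encodePayload(STAGE, CORRECT_YEAR);

// The constructed "obfuscated" script. The real one reads the year from Date();
// here the value is a parameter so the emulator can supply "012" or "011".
function sampleScript(win, yearValue) {
  const k = keyFromYear(yearValue);
  let out = "";
  for (let i = 0; i < PAYLOAD.length; i += 2) {
    out += String.fromCharCode(parseInt(PAYLOAD.slice(i, i + 2), 16) ^ k);
  }
  win.eval(out); // the call the analyst wants to see, not execute
}

// Emulator: give the script a fake window whose eval() only records its argument.
function captureEval(yearValue) {
  const captured = [];
  sampleScript({ eval: s => captured.push(s) }, yearValue);
  return captured.join("\n");
}

// Readable script (the Figure 5 case) or "a bunch of non-readable strings" (Figure 8)?
function isReadable(stage) {
  return Array.from(stage).every(ch => {
    const c = ch.charCodeAt(0);
    return c >= 0x20 && c < 0x7f;
  });
}

console.log(isReadable(captureEval(12)) ? captureEval(12) : "unreadable output");
```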
Source:
malwaredomainlist
References:
Skype
VirusTotal
cve.mitre.org
SourceForge