Malicious Site containing SWF:CVE-2007-0071

Someone submitted this malicious link "http://jjxp22.cn/a/iqq.html" to me . It seems to be a pop-up or hidden link from some compromised sites.

After checking on the Page Source, i found an obfuscated Javascript (Shown below).



I de-obfuscated the Javascript and found that it uses Deconcept's SWFObject to embed malicious Shockwave Flash that compromise the Integer overflow vulnerbility in Adobe Flash Player 9.0.115.0 and earlier (CVE-2007-0071), which allows remote attackers to execute arbitrary code.

The malicious Flash files (6 of them, shown in the script below) will exploit the Flash player and download malicious executable files into the victim's system from various websites.



Sample Flash file info
###############

Filename: i16.swf
Size: 17897
MD5: 426969FD0D7324EE170D6F46BDB203B6
Virus Found: Bloodhound.Exploit.193 (Symantec)

On the VirusTotal website, 13 out of 39 AV detected it (Shown Below).



From the "Who-is" record, the IP (61.164.108.35) belongs to RuiAn Telecom (China).

Malicious Website: u-toys.com

This Website "www.u-toys.com" was forwarded to me by commandrine as an suspicious website. While accessing the website, there seems to be a JavaScript running. By checking on the page source (HTML code), there is a obfuscated JavaScript (shown below). It seems to be created by some JavaScript Obfuscator application that i am not able to de-obfuscated.



After doing some behaviour analysis on the Javascript, it seems to be exploiting on some Internet browser vulnerabilities. It manage to inject an executable files into the C:\ folder on older and unpatched browser. Newly patched browser do not seems to find any "injected" files. Below is the analysis on the executable file.

Analysis Report:
##############

Filename: b01kyk.exe
Size: 327680
MD5: 615A8484F113DA99D2C172A44C9E7D31
Virus found: Trojan:W32/Mebroot.gen!A (F-Secure)

On the VirusTotal website, 11 out of 38 AV detected it (Shown below). Well-known AV not detected (Symantec, McAfee).



Registry values added:
================
1> HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31 5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00

2> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31 5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\o01xlx.rkr: 0B 00 00 00 06 00 00 00 00 78 6B 45 46 D4 C9 01

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\b01kyk.exe: "b01kyk"

Registry values modified:
==================
1> HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000B

2> HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000C

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 0B 00 00 00 7F 00 00 00 70 D2 53 1A 46 D4 C9 01

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 0B 00 00 00 80 00 00 00 20 91 5F 45 46 D4 C9 01

5> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0B 00 00 00 D3 00 00 00 20 5B 70 1A 46 D4 C9 01

6> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0B 00 00 00 D4 00 00 00 00 78 6B 45 46 D4 C9 01

w01f advise: Always patched up your Internet browser and beware of suspicious scripts and pop-up running in the website.

Other reports on this site:
- Security Republic - Innocent???