
Moving Forward: An Official Site

Due to how limited the free WordPress hosting service is, I’ll be moving The WAR to http://thewar.co/.

The site should be fully functional in a few months!

~!Donovan

A few days ago, Polonus posted about the relationships between unknown html and xmlrpc.php malware. Recently, Essexboy, Polonus, and I had the opportunity to help out a website owner that was infected by his own site. Check out the avast! topic.

At first, the website appeared ok. However, with a search referral, I was shown a 302 (redirect) in the header.

HTTP/1.1 302 Moved Temporarily
Date: Thu, 28 Feb 2013 19:29:17 GMT
Server: Apache
Location: hXtp://fpert.qpoe.com/
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html

Also see: urlQuery Report & Sucuri Results

So then, I wondered, what was the root cause behind the redirect? At first, I thought it was an .htaccess redirect, but later, Polonus discovered that it was an xmlrpc.php redirect.
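As an added example (my code, not part of the original post or the avast! thread), here is a small Node.js script that parses raw HTTP response heads and flags the pattern above: a 3xx whose Location leaves the site's own host, present only when the request carries a search-engine referrer. Both response heads are constructed for the example; the referred one reproduces the 302 quoted above, and the site host example.com is an assumption.

```javascript
// Added example (not from the original post): flag a referrer-dependent
// redirect from raw HTTP response heads. The sample heads below are
// constructed; the "referred" one reproduces the 302 quoted in the post.

// Parse the head of a raw HTTP/1.x response into { status, headers }.
// Header names are lower-cased; repeated headers are joined with ", ".
function parseResponseHead(raw) {
  const head = raw.replace(/\r\n/g, "\n").split("\n\n")[0];
  const lines = head.split("\n").filter((l) => l.length > 0);
  const m = /^HTTP\/\d\.\d (\d{3})/.exec(lines[0] || "");
  if (!m) throw new Error("not an HTTP response head: " + lines[0]);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue; // tolerate a malformed line rather than aborting
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  }
  return { status: Number(m[1]), headers };
}

// Hostname of a Location value, accepting the defanged hXtp:// and hXXp://
// spellings used in write-ups; null when absent or not an absolute URL
// (a relative Location stays on the same host).
function locationHost(location) {
  if (!location) return null;
  const refanged = location.replace(/^h[xt]{2}p(s?):\/\//i, "http$1://");
  try {
    return new URL(refanged).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when the response is a 3xx whose Location points off the site's host.
function isOffSiteRedirect(head, siteHost) {
  if (head.status < 300 || head.status > 399) return false;
  const host = locationHost(head.headers["location"]);
  return host !== null && host !== siteHost.toLowerCase();
}

// Compare the same URL fetched without and with a search-engine Referer.
// An off-site redirect that appears only on the referred request is the
// cloaking behaviour described in the post.
function classify(directHead, referredHead, siteHost) {
  const direct = isOffSiteRedirect(parseResponseHead(directHead), siteHost);
  const referred = isOffSiteRedirect(parseResponseHead(referredHead), siteHost);
  if (referred && !direct) return "conditional-redirect";
  if (referred && direct) return "unconditional-redirect";
  if (direct) return "redirect-on-direct-only";
  return "clean";
}

// Constructed sample: what a direct visit to the (assumed) site returned.
const DIRECT = [
  "HTTP/1.1 200 OK",
  "Date: Thu, 28 Feb 2013 19:29:10 GMT",
  "Server: Apache",
  "Content-Type: text/html; charset=UTF-8",
].join("\r\n");

// The 302 quoted in the post, as returned to a request with a search referrer.
const REFERRED = [
  "HTTP/1.1 302 Moved Temporarily",
  "Date: Thu, 28 Feb 2013 19:29:17 GMT",
  "Server: Apache",
  "Location: hXtp://fpert.qpoe.com/",
  "Vary: Accept-Encoding,User-Agent",
  "Content-Encoding: gzip",
  "Content-Length: 20",
  "Connection: close",
  "Content-Type: text/html",
].join("\r\n");

console.log(classify(DIRECT, REFERRED, "example.com")); // conditional-redirect
```

To use it against a live site, capture the two heads with curl -s -D - -o /dev/null URL and curl -s -D - -o /dev/null -e 'https://www.google.com/' URL (the -e flag sets the Referer) and pass both strings to classify(). The quoted response also carries Vary: User-Agent, so if the referred request comes back clean, repeat it with a crawler User-Agent before concluding the site is not cloaking.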

Always keep your WordPress up-to-date,
~!Donovan

More xmlrpc.php malware

Recently, there have been a number of cases involving xmlrpc.php. It appears that these xmlrpc ‘exploits’ are caused by outdated versions of WordPress. Consider reading this RSI Diary post. Although it dates back to 2005, my friend Polonus is finding occurrences of this exploit in 2013.

Read more on the avast! forums,
~!Donovan

Can you guess what the following expression returns?

10000000000000000 === 10000000000000001

If you guessed true, you’re right! Consider the next example:

10000000000000000 === 10000000000000000.9

This expression also returns true! JavaScript has a single Number type, an IEEE 754 double-precision float, and 10000000000000001 cannot be represented in it exactly: the literal is rounded to the nearest representable value, 10000000000000000, before the comparison ever runs. Integers are only guaranteed exact up to 2^53 - 1 (9007199254740991, exposed as Number.MAX_SAFE_INTEGER); above that, 10000000000000001 is just one of the many missing JavaScript integers. Why are these integers missing, you might ask?

In IEEE floating point type numbers, the larger the number gets, the bigger the gap between numbers. It makes sense when you look at how the number is stored. — Paul²

Further testing reveals that many large integers are not present, and a comparison that depends on them can be manipulated under the strict-equality (===) operator.

[Image: JavaScript Integers Test]

By creating a conditional on “missing integers”, we can mislead whoever reads the code.

if(10000000000000000 !== 10000000000000001) {
    // the average person thinks this is executed
} else {
    // this is what’s really being executed: both literals round to the
    // same double, so !== is false
}

Check out some examples on jsFiddle.
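The added example below (mine, not code from the post or the jsFiddle) demonstrates the point in Node.js: it reads the spacing between adjacent doubles straight from the IEEE 754 bit pattern, tests whether a decimal integer string survives the round trip through Number, and shows two ways to write the comparison so the “missing integer” trick cannot fire: rejecting operands above Number.MAX_SAFE_INTEGER, or comparing as BigInt. Both of those APIs postdate the 2013 post.

```javascript
// Added example (not from the original post): why large integer literals
// collide under ===, how wide the gaps are, and two ways to compare safely.

// Next representable double above a positive finite x, read straight from
// the IEEE 754 bit pattern: incrementing the 64-bit integer moves to the
// adjacent double (the mantissa, then the exponent, carry naturally).
function nextUp(x) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, x);
  view.setBigUint64(0, view.getBigUint64(0) + 1n);
  return view.getFloat64(0);
}

// Spacing between adjacent doubles at magnitude x: the "gap" from the quote.
function gapAt(x) {
  return nextUp(x) - x;
}

// Does the decimal integer string s survive the round trip through Number?
// Number(s) rounds to the nearest double; BigInt recovers its exact value.
// s must be an integer string (BigInt rejects non-integral Numbers).
function isExactlyRepresentable(s) {
  return BigInt(Number(s)) === BigInt(s);
}

// The comparison the post plays with: both literals are rounded before ===.
function naiveEqual(a, b) {
  return a === b;
}

// Hardened form 1: refuse operands outside the exactly representable range.
function safeEqual(a, b) {
  if (!Number.isSafeInteger(a) || !Number.isSafeInteger(b)) {
    throw new RangeError("integer outside the safe range: " + a + " vs " + b);
  }
  return a === b;
}

// Hardened form 2: compare as BigInt from the digit strings, never as double.
function bigEqual(s, t) {
  return BigInt(s) === BigInt(t);
}

console.log(naiveEqual(10000000000000000, 10000000000000001)); // true
console.log(gapAt(10000000000000000));                          // 2
console.log(gapAt(1) === Number.EPSILON);                       // true
console.log(isExactlyRepresentable("10000000000000001"));       // false
console.log(bigEqual("10000000000000000", "10000000000000001")); // false
```

Note what the hardened forms can and cannot do: by the time any function receives the literal 10000000000000001 it has already become 10000000000000000, so safeEqual can only refuse to answer (it throws rather than returning true), while bigEqual recovers the distinction only because the values arrive as digit strings and never pass through a double.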

Thoughts?
~!Donovan

Further Reading:
http://blog.greweb.fr/2013/01/be-careful-with-js-numbers/¹
http://stackoverflow.com/a/10756881/1585455²

I was looking at some images on Google and was looking at this particular site when I noticed that there was an unusual URL request. I did some investigation and found out that the URL request was a malicious hXXp://hzebw.portrelay.com/jentrate.php

Please note that when I tried using automated analysis on the site, using the same referrers and different scanners, the return didn’t include a jentrate.php. You may also want to see the urlQuery results. Maybe there is a time limit between intervals? Or maybe it’s because I’m using a newer version of Firefox?

Basically, like any exploit, the cursor starts flashing and a PDF file is automatically downloaded without user verification. You can only guess what happens next: the downloaded file is immediately run. I didn’t want to fiddle with the outcome of running this PDF and terminated it upon execution, but if you want to check it out, the VirusTotal results and the download link are below.

Download the PDF (Password: infected): http://db.tt/GAcOjZhx
VirusTotal (6/45) as of 2013-01-24 01:32:17 UTC

Moving along, let’s look for more information about the jentrate.php. A search on Google reveals that this jentrate.php can be traced back to January 15th and 16th of 2013, so this is very new. Jsunpack results show us a somewhat familiar buffer overflow script. We also have analysis on Minotaur and a similar threat on urlQuery. Interesting, no?

Finally, I sent the malicious URL I encountered to urlQuery and was greeted with what I expected. A search on CleanMX reveals many entries for this site. Apparently the domain is also associated with a “jokevity.jar”. Have a look at the Wepawet scan.

For those who wish to dig deeper into the subject, I strongly encourage you,
~!Donovan
