Hostile Script Report
Published by: api-3832461 on Oct 18, 2008
Copyright:Attribution Non-commercial

10 May 06
IH&AA Supervisor


(U) Recently it appears that several websites were compromised and a hostile script inserted into the HTML source; follow-up investigation appears to indicate that the compromises in question may have occurred sometime in April 2006.


(U) In order to determine the nature of the threat and the vulnerability
associated with the hostile code, initial analysis of this threat was conducted in the
author's personal computer laboratory.

(U) The purpose of this report is twofold:
a. to convey information regarding the nature of this threat and the
associated vulnerability; and
b. to demonstrate any activity associated with the threat.

(U) After configuration of the laboratory environment was complete, the
internal/external IDS/Sniffer platforms were initialized. The following compromised
websites were then browsed to generate packet captures for the initial visit and a
period of 60 minutes thereafter:
a. creativemods.com (IP address;
b. modelmayhem.com (IP address;
c. sensuflex.com (IP address;
d. topwallpapers.com (IP address; and
e. pinupparadise.com (IP address;


(U) VMWare was utilized to emulate both patched and unpatched Windows XP/Windows 2000 platforms; the virtual machines were reinitialized after each visit in order to ensure that the results were unadulterated.


(U) Whilst loading the compromised webpage, a hostile script embedded in
the page's HTML source (refer to annex B) runs and attempts to install malware
designated "start.exe" from one of the following URIs (the URIs are purposely broken to
prevent accidental infection):

a. h t t p://dnv-counter.com/trf/start.exe; or
b. h t t p://us-counter.counter.com/trf/start.exe.

(U) In addition to downloading the malware in question, the hostile code also appears to incorporate a web counter facility; this is conceivably used by the entity responsible for the malware in order to record the number of compromised hosts.

(U) The following patch levels and operating systems were tested in the
course of this investigation; current patches appear to be effective in preventing
exploitation by the hostile script:
a. Windows XP SP2 unpatched - infected;
b. Windows XP SP2 patched to current patch level - no infection noted;
c. Windows 2000 SP 4 unpatched - infected; and
d. Windows 2000 SP 4 patched to current patch level - no infection noted.

(U) Various A/V implementations were utilized in an attempt to identify the
downloader/malware in question; the detection results and the respective A/V
implementations are as follows:
a. McAfee - PWS-JA;
b. Norton - Trojan.Download;
c. Symantec Corporate - Trojan.Anserin, Trojan.Download;
d. Avast Home Edition - Win32:Trojano-P; and
e. AVG Free - no detection.


(U) The script in question contained several obfuscated strings; obfuscation of
hostile code is a very common technique used to evade detection and hinder
analysis. All of the obfuscated and reconstituted strings found in the hostile script are
demonstrated in annex C.


(U) One of the reconstituted strings appeared to be a Class ID [1] (clsid)
designated "BD96C556-65A3-11D0-983A"; this clsid corresponds to the client-side
RDS.DataSpace [2] object.


(U) The hostile code appears to specifically address the RDS.DataSpace
object, which is deployed in Windows installations as an MDAC [3] component.
Considering this, the script clearly exploits the CVE-2006-0003 vulnerability [i]; the
patches associated with Microsoft Security Bulletin MS06-014 [ii], issued on 11 April
2006, address this vulnerability.
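As an added example (not the script from the report, nor any tooling of the organization), the following Python sketches a defender-side check for pages of the kind described above: it peels the string encodings commonly used to hide such code, then looks for the indicators the report names (the RDS.DataSpace clsid prefix, the RDS.DataSpace ProgID and the "/trf/start.exe" path). The sample page and its host name are constructed for the demonstration.

```python
import re
from html import unescape as html_unescape
from urllib.parse import unquote

# Indicators taken from the report: the CLSID prefix it reconstituted, the
# RDS.DataSpace ProgID and the downloader path "/trf/start.exe".
INDICATORS = {
    "rds_dataspace_clsid": re.compile(r"BD96C556-65A3-11D0-983A", re.I),
    "rds_dataspace_progid": re.compile(r"RDS\.DataSpace", re.I),
    "trf_start_exe": re.compile(r"/trf/start\.exe", re.I),
}

# Encodings peeled: String.fromCharCode(...), \xHH / \uHHHH escapes, escape()-style
# %HH (via unquote), HTML numeric entities, and "a" + "b" literal splits.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)", re.I)
JS_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
JS_UNI = re.compile(r"\\u([0-9a-fA-F]{4})")
CONCAT = re.compile(r"""["']\s*\+\s*["']""")

def deobfuscate(text: str, max_rounds: int = 5) -> str:
    """Apply each decoding step until the text stops changing (bounded)."""
    for _ in range(max_rounds):
        new = FROMCHARCODE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
            text)
        new = JS_HEX.sub(lambda m: chr(int(m.group(1), 16)), new)
        new = JS_UNI.sub(lambda m: chr(int(m.group(1), 16)), new)
        new = CONCAT.sub("", new)
        new = html_unescape(unquote(new))
        if new == text:
            break
        text = new
    return text

def scan_html(page: str) -> dict:
    """Return, per indicator, whether it appears once the page is decoded."""
    decoded = deobfuscate(page)
    return {name: bool(rx.search(decoded)) for name, rx in INDICATORS.items()}

# Constructed sample, not the script from the report: each indicator is hidden
# behind a different encoding layer; the host name is a placeholder.
SAMPLE_PAGE = (
    "<html><body><script>\n"
    'var cid = "BD96C556-" + "65A3-" + "11D0-983A";\n'
    'var pid = unescape("%52%44%53%2E%44%61%74%61%53%70%61%63%65");\n'
    'var path = "h\\x74tp://EXAMPLE.invalid" + '
    "String.fromCharCode(47,116,114,102,47,115,116,97,114,116,46,101,120,101);\n"
    "</script></body></html>\n"
)
BENIGN_PAGE = "<html><body><p>Nothing to see here.</p></body></html>\n"
```

A real script may use encodings or splitting tricks beyond these layers, so a negative result is not a clean bill; the check is meant to triage captured pages quickly, not to replace full analysis.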

(U) This exploit is a potential threat to the organization's network assets for
the following reasons:
a. this threat is widely deployed and requires no interaction from the
user beyond visiting a compromised website;
b. the organization's current patch level does not include the patches
associated with the MS06-014 vulnerability; and
c. although the current deployment of the organization's A/V suite will
detect the threat automatically, no further action (e.g. deletion/
quarantine) is taken as the default response is "leave alone".

(U) As a result of the conclusions reached from the analysis of this threat, the
following recommendations are hereby submitted for consideration:
a. an emergency push to implement the patch associated with the
MS06-014 vulnerability should be performed ASAP;
b. the default settings should be changed to allow for the quarantine of
potential threats; and
c. given the performance history of the current A/V implementation,
heuristic detection protection should be set at maximum vice the
current default level.

[1] A clsid ("Class ID") is a globally unique identifier that serves to identify a COM ("Component Object
Model") class object; COM is a Microsoft platform for software componentry that enables interprocess
communication and dynamic object creation in any programming language that supports the technology.
[2] RDS (Remote Data Services) is a set of programming interfaces from Microsoft that enables users to
update data on the Internet or intranets from their ActiveX-enabled browser.
[3] MDAC (Microsoft Data Access Components) is a package of database drivers from Microsoft used for
connecting client PCs to databases in servers.
