Defacing -> A Malicious Trifecta
02.12.2007 - 8:01 AM
A CRM & customer service site was recently compromised (it has since been cleaned up). The site was defaced by a group that goes by the name of "The Black Scorp!on Team". Unlike defacement attacks in the past, which simply replaced the main homepage of the site for political, hacktivist, or other reasons, this attack included two other pieces of code alongside the defacement scripts.
Defacement Screenshot: [image not preserved]
Within the HTML of the site there were two pieces of obfuscated JavaScript code. The first appeared to be using a cross-site scripting (XSS) vulnerability within Microsoft's MSN Arabian site. Although we do not have access to the server-side PHP code it uses, it looks like it is designed to steal cookies from MSN users and post them to a third-party site.
The XSS is loaded within an obfuscated IFRAME tag and looks like this:
XSS Encoded Screenshot: [image not preserved]
XSS Decoded Screenshot: [image not preserved]
The other piece of malicious code is a larger block of hidden JavaScript which decodes into exploit code for the Microsoft ADODB vulnerability. This vulnerability has been patched by Microsoft. If the user's machine is not patched for it, the shellcode runs locally and a file called "X.exe" is downloaded and run from the same site that is hosting the XSS code. X.exe is a Trojan horse backdoor which gives the attacker remote access to the machine.
Exploit Encoded Snippet: [image not preserved]
Exploit Decoded Snippet: [image not preserved]