New Storm...nothing new in exploit land
When a user is lured into visiting a Storm website, this is what he or she sees:
As with most Storm web pages, there is a "Click here" link used as a social engineering tactic to get the user to download and install the Storm binary manually.
What people don't see are the multiple obfuscated JavaScript exploits on the page, which will compromise the browser of any visitor whose machine hasn't been patched.
The page attempts several exploits, each with a different payload.
Once deobfuscated the page looks like this:
I did a quick analysis of one of the payloads, called from a function named "cf()".
From my analysis, the payload, if successful, does the following:
- Retrieves the system directory by calling GetSystemDirectoryA
- Deletes any existing file named ~.exe in that directory
- Downloads "file.php" from the same Storm IP that hosts the web page using URLDownloadToFile, saving it as ~.exe in the system32 directory
- Executes the downloaded file using WinExec
This is a fairly basic downloader payload: it uses a simple XOR encoding of the shellcode, and it resolves its imports through "ror 13, add" hashes of the API names so that the function names never appear as plaintext strings. All the exploits on the page look very similar to the MPack toolkit, but, like most exploits out there, a lot of the exploit code appears to have been ripped from various sources.
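To make those two obfuscation layers concrete, here is an added example (written for this edit, not code from the original post or from the Storm/MPack authors) of the two helpers an analyst reaches for when unpacking a downloader payload of this shape. `ror13_hash()` implements the hash the payload uses in place of import names, and `resolve_hash()` matches a constant lifted from the payload against a table of candidate API names; `recover_xor_key()` brute-forces a single-byte XOR key using a known-plaintext marker ("file.php") and `xor_decode()` recovers the strings. It assumes the hash is the common rotate-right-13-then-add loop over the ASCII name with no trailing NUL, that the XOR layer is a single repeated byte, and the "encrypted" blob is constructed inside the program rather than taken from the real sample.

```c
/*
 * Added example, not the post's code. Assumptions: ROR13-add hash with no
 * trailing NUL; single-byte XOR; the sample blob below is constructed here.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t ror32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* h = ror(h, 13) + c over each byte of the name: what the payload computes
 * while walking the export table instead of comparing plaintext names. */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = ror32(h, 13) + *p;
    return h;
}

/* Candidate imports: the four the analysed payload calls plus the usual
 * resolver helpers. A real lookup table would hold hundreds of names. */
static const char *const kApiNames[] = {
    "GetSystemDirectoryA", "DeleteFileA", "URLDownloadToFileA", "WinExec",
    "LoadLibraryA", "GetProcAddress", "ExitProcess",
};

/* Map a hash constant found in the payload back to an API name, or NULL. */
const char *resolve_hash(uint32_t h)
{
    for (size_t i = 0; i < sizeof kApiNames / sizeof kApiNames[0]; i++)
        if (ror13_hash(kApiNames[i]) == h)
            return kApiNames[i];
    return NULL;
}

/* Single-byte XOR; encoding and decoding are the same operation. */
void xor_decode(const uint8_t *in, size_t n, uint8_t key, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key;
}

/* Try every key byte; return the first whose decoding contains the marker,
 * or -1. The blob may contain NULs, so search with memcmp, not strstr. */
int recover_xor_key(const uint8_t *enc, size_t n, const char *marker)
{
    size_t mlen = strlen(marker);
    uint8_t *buf = malloc(n);
    int found = -1;
    if (!buf || mlen == 0 || mlen > n) { free(buf); return -1; }
    for (int key = 0; key < 256 && found < 0; key++) {
        xor_decode(enc, n, (uint8_t)key, buf);
        for (size_t i = 0; i + mlen <= n; i++)
            if (memcmp(buf + i, marker, mlen) == 0) { found = key; break; }
    }
    free(buf);
    return found;
}

/* Constructed sample (hypothetical): the two strings the downloader needs,
 * NUL-separated and XORed with 0x5A. */
#define SAMPLE_KEY 0x5A
static const char kPlain[] = "~.exe\0file.php"; /* 15 bytes incl. final NUL */
size_t build_sample(uint8_t *out, size_t cap)
{
    size_t n = sizeof kPlain;
    if (n > cap) return 0;
    xor_decode((const uint8_t *)kPlain, n, SAMPLE_KEY, out);
    return n;
}

int main(void)
{
    uint8_t enc[64], dec[64];
    size_t n = build_sample(enc, sizeof enc);
    int key = recover_xor_key(enc, n, "file.php");
    printf("recovered XOR key: 0x%02X\n", key);
    if (key >= 0) {
        xor_decode(enc, n, (uint8_t)key, dec);
        printf("strings: \"%s\" \"%s\"\n", (char *)dec,
               (char *)dec + strlen((char *)dec) + 1);
    }
    /* The constants an analyst would see in the payload's import resolver. */
    const char *used[] = { "GetSystemDirectoryA", "DeleteFileA",
                           "URLDownloadToFileA", "WinExec" };
    for (size_t i = 0; i < 4; i++) {
        uint32_t h = ror13_hash(used[i]);
        printf("0x%08X -> %s\n", h, resolve_hash(h));
    }
    return 0;
}
```

In practice the hash constants are pulled straight from the disassembled resolver loop and fed to `resolve_hash()` against a large name table; the known-plaintext trick works because a downloader of this kind always has to carry a filename or URL fragment somewhere in the decoded shellcode.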
References:
Security Research, Computer Laboratory, University of Cambridge - Analysis of the Storm script exploits
Know Your Enemy: Malicious Web Servers