How to decode Java code safely?


Gabriele Neukam

Hi all,


I received one of these infamous "you received a greeting card" mails,
and this time, the body is empty.

Below the HTML section (yes, *below*) is a snippet of Java code, which
is probably designed to exploit the Java loopholes which have already
been mentioned here.

What I'd like to know, is how to decipher the gibberish - it is
deliberately encrypted, to hide what it is about to do. Is there any
tool or site, that will decrypt and display the content? The URL where
the malign code is to be downloaded from, must be hidden in the
encrypted text...


Gabriele Neukam

(e-mail address removed)
 

Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gabriele said:
> Hi all,
>
>
> I received one of these infamous "you received a greeting card" mails,
> and this time, the body is empty.
>
> Below the HTML section (yes, *below*) is a snippet of Java code, which
> is probably designed to exploit the Java loopholes which have already
> been mentioned here.
>
> What I'd like to know, is how to decipher the gibberish - it is
> deliberately encrypted, to hide what it is about to do. Is there any
> tool or site, that will decrypt and display the content? The URL where
> the malign code is to be downloaded from, must be hidden in the
> encrypted text...

I don't suppose it pretended to come from (e-mail address removed)? If so I've had
one recently. I opened it in Outlook Express set up in "Internet Zone",
rather than the default "Restricted Zone" using Virtual PC. Don't do this
on your computer, whoever may read this :)

It downloaded a rootkit keylogger which NOD32 detected and chewed up. (Once
NOD32 was turned off) It did a rather crap job of rootkitting though
because "type" worked on one of the files, and the filing-system stealthing
hid so many files from view it was obvious something was amiss, before
running RootkitRevealer. As usual it hooked into winlogon and set itself to
run in safe mode.

Virus Total
_______________________________________________

Scan results
File: file.exe
Date: 02/10/2006 11:14:19 (CET)
- ----
AntiVir 6.33.0.81/20060210 found nothing
Avast 4.6.695.0/20060209 found nothing
AVG 718/20060210 found nothing
Avira 6.33.0.81/20060210 found nothing
BitDefender 7.2/20060210 found [BehavesLike:Trojan.WinlogonHook]
CAT-QuickHeal 8.00/20060210 found [(Suspicious) - DNAScan]
ClamAV devel-20060126/20060209 found nothing
DrWeb 4.33/20060210 found nothing
eTrust-InoculateIT 23.71.72/20060209 found [Win32/Haxdoor.Variant!Trojan]
eTrust-Vet 12.4.2074/20060210 found [Win32/Haxdoor!generic]
Ewido 3.5/20060210 found [Backdoor.Haxdoor.gh]
Fortinet 2.54.0.0/20060210 found [suspicious]
F-Prot 3.16c/20060209 found nothing
Ikarus 0.2.59.0/20060209 found [Backdoor.Win32.Haxdoor.GH]
Kaspersky 4.0.2.24/20060210 found [Backdoor.Win32.Haxdoor.gh]
McAfee 4693/20060209 found nothing
NOD32v2 1.1402/20060209 found [a variant of Win32/Haxdoor]
Norman 5.70.10/20060209 found [W32/Haxdoor.SA]
Panda 9.0.0.4/20060209 found nothing
Sophos 4.02.0/20060210 found [Troj/Haxdor-Gen]
Symantec 8.0/20060210 found nothing
TheHacker 5.9.4.094/20060210 found nothing
UNA 1.83/20060209 found [Backdoor.Haxdoor]
VBA32 3.10.5/20060209 found [suspected of Trojan-Downloader.Agent.84]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFD7Ld37uRVdtPsXDkRAitwAJ4wuHPqoPtpd/Oa6g7Si8j6eP8YXgCeIyNw
yWlhiORSxr4acRQpH3cyD4Q=
=pYWu
-----END PGP SIGNATURE-----
 

Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam said:
> It downloaded a rootkit keylogger which NOD32 detected and chewed up.

I forgot to mention that once the rootkit was installed, NOD32 still
detected it and removed it completely. </plug> :)

Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFD7MPn7uRVdtPsXDkRAiaLAJ0WC+FCLsMGeIu1/zN6+9nWSFvhrgCgmdrE
U8GYQf9S5DpNsO3horbFYuk=
=h0dN
-----END PGP SIGNATURE-----
 

Ant

Gabriele Neukam said:
> I received one of these infamous "you received a greeting card" mails,
> and this time, the body is empty.
>
> Below the HTML section (yes, *below*) is a snippet of Java code, which
> is probably designed to exploit the Java loopholes which have already
> been mentioned here.

If it's like some I've received from post[at]postcard.com, the script
(Javascript, not Java) is between the body tags within the html.

> What I'd like to know, is how to decipher the gibberish - it is
> deliberately encrypted, to hide what it is about to do. Is there any
> tool or site, that will decrypt and display the content?

It decodes itself with a custom-made function. You can tweak the
script by creating a html file for it, removing the quoted-printable
by replacing "=3D" with "=", and replacing the "document.write" with
an instruction to display the generated code in a textarea. You also
need to tidy up some other stuff.

Let me know if you want the details.

> The URL where the malign code is to be downloaded from, must be
> hidden in the encrypted text...

It creates an invisible iframe which links to several exploits.
Spamless has given a thorough description in nanae of what happens:

http://groups.google.com/group/news.admin.net-abuse.email/msg/fd8e19c1b2193a7d
 

Gabriele Neukam

On that special day, Ant, (e-mail address removed) said...
> > Below the HTML section (yes, *below*) is a snippet of Java code, which
> > is probably designed to exploit the Java loopholes which have already
> > been mentioned here.
>
> If it's like some I've received from post[at]postcard.com, the script
> (Javascript, not Java) is between the body tags within the html.

There are possibly *several* versions which have been sent to many
people.

Someone in Germany managed to decode the stuff, and reported:

<quote>
It's just a frameset that redirects to 64.71.167.15 / support /.

That page serves up another one of those things. Exactly the same
encoder (how boring).

It then goes on to www.asikral.com / clientscript /.

The trail ends there, because <TITLE>509 Bandwidth Limit Exceeded</TITLE>.
</quote>

Translated: It is a frameset that redirects to 64.71.167.15/support,
which contains more of the gibberish, which again leads to
www.asikral.com / clientscript, where the further content cannot be
fetched, as the bandwidth is already exceeded. Go figure.


Gabriele Neukam

(e-mail address removed)
 

Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gabriele said:
> Someone in Germany managed to decode the stuff, and reported:
>
> <quote>
> It's just a frameset that redirects to 64.71.167.15 / support /.
>
> That page serves up another one of those things. Exactly the same
> encoder (how boring).
>
> It then goes on to www.asikral.com / clientscript /.
>
> The trail ends there, because <TITLE>509 Bandwidth Limit Exceeded</TITLE>.
> </quote>
>
> Translated: It is a frameset that redirects to 64.71.167.15/support,
> which contains more of the gibberish, which again leads to
> www.asikral.com / clientscript, where the further content cannot be
> fetched, as the bandwidth is already exceeded. Go figure.

That's exactly where my copy of the email went for the malicious code (the
IP address and host name), which was not over its bandwidth at the time.

I also found it didn't work each time - I had to open the email four or
five times to get it to download enough for me to grab the malicious programs.

I have been reading the German threads, using the Google Language tools to
translate it :) The breakdown that was given there was what I experienced
to the letter, so I think it was the same email.

Cheers,


Adam.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFD7iNK7uRVdtPsXDkRAnYfAJ0ZsaRQU+N4WEuQoyM8UBMCJ/IlswCcDcJ3
IugDMyJ3UiD8Vew9WCW70F8=
=Jvyk
-----END PGP SIGNATURE-----
 

Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gabriele said:
> Hi all,
>
>
> I received one of these infamous "you received a greeting card" mails,
> and this time, the body is empty.
>
> Below the HTML section (yes, *below*) is a snippet of Java code, which
> is probably designed to exploit the Java loopholes which have already
> been mentioned here.

Had another one today, going to a different site. This one just killed OE
after opening up a JavaScript prompt with a long string of characters for
the title. Couldn't see that it managed to accomplish anything after
killing OE, it might do something different on Win9x/XP, I've only got
access to a Windows 2000 testbed.

Add smsapi.info to your blocking lists!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFD8Nb+7uRVdtPsXDkRAi9qAJ9qDAH1AW6ox2JjWAwZD+ZHiAkUiQCeItS1
vuk75UEVMc126tt4mOUizkM=
=xmmo
-----END PGP SIGNATURE-----
 

Ant

Gabriele Neukam said:
> On that special day, Ant, (e-mail address removed) said...
>
>
> This looks quite complicated. These many click commands mentioned in
> the posting, are they trying to make use of this exploit?
>
> http://www.securiteam.com/windowsntfocus/5MP0B0UHPA.html

That link talks about a drag-and-drop exploit relying on the
timing of a pop-up window, whereas Spamless is describing an html help
vulnerability (among several others) which also depends on persuading
the browser to run content in a more trusted security zone.

So, I don't think drag-and-drop is involved, but you never know, he
may have missed something.
 
