|
Those of you who have seen the "google-analytics" URL in your logs before might be tempted to assume (as I was) that google-counter[dot]com is just another incarnation of the same. I even at first discounted that my anti-virus complained about "obfuscated javascript", thinking that Google must have cooked up some really complicated Ajax mess again that misled my AV to a false positive.
But no. On a second look, the site tries to download an ANI cursor exploit. And wait - there is lots more IFRAMES. Ouch! This definitely ain't Google! z-014-1.php contains an obfuscated exploit for MS06-014 z-014-3.php contains another exploit for MS06-014 z-create-o.php contains the IE CreateObject exploit (as seen on Metasploit TV) z-cs-an.php is an obfuscated exploit for MS07-017 z-java1.php is an oldie, Java-ByteVerify exploit All of these try to download and run a file "down.exe" off the same site, which in turn downloads and runs a Browser Helper Object (BHO) off someplace else. The BHO is a key logger / banking trojan. We have decoded the configuration file that tells the trojan what to do - you can look at the file under http://handlers.sans.org/dwesemann/decoded-bho-helper.txt . Yes, lots of banks... Thanks to fellow handlers Lorna and Pedro for help with the analysis. Caution: The google-counter site is still live at the time of writing. Sink yourself at your own risk. |
Daniel 379 Posts ISC Handler May 30th 2007 |
| Thread locked Subscribe |
May 30th 2007 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!
