New Dropper/downloader

wikkard
edited May 2008 in Sample submission

My website database was hacked via sql injection (yes I know).


Injected js code pointing at: <link removed. See attachment>


The sample file is one of the subsequent downloaded files from this page.


This is a class of attack that virus scanners seem unable to detect because of the obfuscation of the COM CLSIDs. This code can probably be randomised/obfuscated in thousands of different ways, making it hard to use signature based detection.


Perhaps the AV scanners should incorporate a runtime scanner which can interpret JS and VBScript code; this would stop any virus/dropper/downloaders which use this technique, which is so simple it's not funny.


I've attached the ****** files which were undetected, but definitely are malicious. Password is infected.


Thanks

Attachment: killwow.zip

Attachment: js_link.txt

Comments

  • wikkard
    edited June 2008

    Don't you think it's a bit dangerous allowing public access to these virus samples? IMHO it would be safer to not let anyone see the sample but the person who submitted it.


    If I were a malicious hacker this would be a great place to get ideas/exploits from.


    Only people with mod access can download attachments from the malware section of this forum.


    That's a good thing..... :D


    I hadn't tried to download anything, the thought just occurred to me that this would be fertile ground for malware authors.

  • Don't you think it's a bit dangerous allowing public access to these virus samples? IMHO it would be safer to not let anyone see the sample but the person who submitted it.


    If I were a malicious hacker this would be a great place to get ideas/exploits from.


    Now that you know not everyone can download samples from here, please don't post links to infected sites in plain text. Just write them in a TXT file, and attach the file to your post. ;)


    Cris.

  • Any idea when someone will get a chance to look at this virus?


    There seems to be an automated tool out there which is attacking thousands of sites and inserting links to the site listed above.

  • The samples have been signed and should enter the database by tomorrow.


    However, all links from the attachments are dead, so nothing else could be downloaded.


    Cris.

  • Any chance you could add this SQL injection into the signatures? There seems to be an automated tool which is spreading the above virus/exploit via this SQL injection. You are probably familiar with it; basically it searches the master database for all text columns and inserts links to malicious JavaScript files. AFAIK this is the 3rd round of attacks, the only change is the download location.


    Attachment: SQLInjection.zip
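The mass injection described in the last post (find every text column, write a script reference into it) can be audited from the defender's side by walking the same columns. The following is an added example, not code from the thread or from the forum's own tools: a Python script that enumerates every text-typed column of a SQLite database, reports any cell containing an injected `<script src=...>` tag, and can strip those tags. The schema, rows and the domain `malicious.example` are constructed sample data.

```python
import re
import sqlite3

# An external script reference of the kind the injection tool writes into text cells.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)
# The whole injected <script ...></script> element, used for cleanup.
SCRIPT_ELEMENT = re.compile(r"<script[^>]*\bsrc\s*=[^>]*>\s*</script\s*>", re.IGNORECASE)

def find_injected_scripts(conn):
    """Return (table, column, rowid, script_url) for every injected script found
    in any text-affinity column (declared type containing CHAR, TEXT or CLOB, or untyped)."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')
                if c[2] == "" or any(t in c[2].upper() for t in ("CHAR", "TEXT", "CLOB"))]
        for col in cols:
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if isinstance(value, str):
                    for m in SCRIPT_SRC.finditer(value):
                        hits.append((table, col, rowid, m.group(1)))
    return hits

def strip_injected_scripts(conn):
    """Remove injected script elements from every affected cell; returns the number of cells changed."""
    changed = 0
    for table, col, rowid, _ in find_injected_scripts(conn):
        (value,) = conn.execute(f'SELECT "{col}" FROM "{table}" WHERE rowid=?', (rowid,)).fetchone()
        cleaned = SCRIPT_ELEMENT.sub("", value)
        if cleaned != value:
            conn.execute(f'UPDATE "{table}" SET "{col}"=? WHERE rowid=?', (cleaned, rowid))
            changed += 1
    conn.commit()
    return changed

def build_sample_db():
    """Constructed sample data: a tiny CMS schema with two tampered text cells."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT, views INTEGER);
        CREATE TABLE products (sku TEXT, descr TEXT);
        INSERT INTO pages VALUES (1, 'Home', '<p>Welcome</p>', 10);
        INSERT INTO pages VALUES (2, 'About', '<p>About us</p><script src=http://malicious.example/b.js></script>', 3);
        INSERT INTO products VALUES ('A1', 'Widget<script src="http://malicious.example/b.js"></script>');
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_injected_scripts(db):
        print("injected script in %s.%s rowid %s -> %s" % hit)
    print("cells cleaned:", strip_injected_scripts(db))
```

Against a real site the same walk runs over the production engine's catalogue views instead of `sqlite_master`/`PRAGMA table_info`, and the report step should be taken before any cleanup so the injected URLs are preserved for blocking and sample submission.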