Observations regarding recent Zhelatin.Gen (storm) e-mail


Virus Guy

I got one of those storm invitation e-mails yesterday (Halloween
theme, subject = "FW: To much fun").

The link is:

hxxp://69.144.141.75/

It tries to do some cross-site scripting, as well as run an active-x
control. This results in 2 temp files in my IE cache.

I sent those 2 files (one is 6.6 kb, the other 33.9 kb) to Virus
Total, and only 1 application flagged them - Webwasher-Gateway -
identified as JavaScript.CodeUnfolding.gen!High (suspicious).

The user-clickable payload in this case was dancer.exe (about 125 kb)
and it was identified by 19 out of 32 apps on VT (59% detection
rate). Most/all of the first-tier AV apps flagged it (but then again
this is probably after a good 24 hours of exposure).

What is probably not widely known is that all AV apps seem to not care
about the self-unpacking javascript files that come as part of the
experience. Why aren't they looking for those?

This makes Webwasher-Gateway look good.
 
Virus Guy said:
I got one of those storm invitation e-mails yesterday (Halloween
theme, subject = "FW: To much fun").

The link is:

hxxp://69.144.141.75/

It tries to do some cross-site scripting, as well as run an active-x
control. This results in 2 temp files in my IE cache.

If successful, it should be trying to install a low-level driver for
rootkit functionality, as well as an executable in your windows/system32
folder. BugHunter identifies some variants of this as Trojan.Peed; just so
you know.
I sent those 2 files (one is 6.6 kb, the other 33.9 kb) to Virus
Total, and only 1 application flagged them - Webwasher-Gateway -
identified as JavaScript.CodeUnfolding.gen!High (suspicious).

Due to the fact it wasn't successful, you're missing the primary ones.
The user-clickable payload in this case was dancer.exe (about 125 kb)
and it was identified by 19 out of 32 apps on VT (59% detection

Ah yes, a Peed variant... Would you mind sending it along?

What is probably not widely known is that all AV apps seem to not care
about the self-unpacking javascript files that come as part of the
experience. Why aren't they looking for those?

The javascript files alone can't do anything, they still require some
user intervention.

--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2d
Email.: (e-mail address removed)
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt
 
Virus said:
I got one of those storm invitation e-mails yesterday (Halloween
theme, subject = "FW: To much fun").

The link is:

hxxp://69.144.141.75/

It tries to do some cross-site scripting, as well as run an active-x
control. This results in 2 temp files in my IE cache.

I sent those 2 files (one is 6.6 kb, the other 33.9 kb) to Virus
Total, and only 1 application flagged them - Webwasher-Gateway -
identified as JavaScript.CodeUnfolding.gen!High (suspicious).

The user-clickable payload in this case was dancer.exe (about 125 kb)
and it was identified by 19 out of 32 apps on VT (59% detection
rate). Most/all of the first-tier AV apps flagged it (but then again
this is probably after a good 24 hours of exposure).

What is probably not widely known is that all AV apps seem to not care
about the self-unpacking javascript files that come as part of the
experience. Why aren't they looking for those?

it may simply be that virus total isn't using the av component that
searches for that sort of thing... mcafee, for example, has a dedicated
script scanner that installs as a proxy between the system and the ie
scripting engine so as to scan the scripts *after* passive obfuscation
(like null characters) have been stripped away by the process that sent
it to the scripting engine... that type of real-time scanning has some
significant advantages when dealing with malicious scripts on websites
(because obfuscation is trivial to perform but difficult to undo since
different browsers treat script differently) but doesn't lend itself to
virus total's mode of operation...
 
Dustin Cook said:
Virus Guy:

Obfuscated script is not always an indication of malware. Some sites
use it in an attempt to hide raw page content or to make their script
code harder to steal. Spammers sometimes use it to hide redirectors.
The javascript files alone can't do anything, they still require some
user intervention.

That depends on the user's configuration and how up-to-date their
browser is. Most of them try to inject and run code automatically via
vulnerabilities in ActiveX components or browser plugins.

The latest round of storm is using new and more obfuscated script and
contains two extra sploits in addition to the previous ones:

* AOL SuperBuddy ActiveX control (LinkSBIcons)

* NCTAudioFile2 ActiveX control (SetFormatLikeSample)

These were discovered in January and March this year and should now be
patched.
 
Virus said:
I got one of those storm invitation e-mails yesterday (Halloween
theme, subject = "FW: To much fun").

The link is:

hxxp://69.144.141.75/

Subject: Dancing Bones
Date: Thu, 8 Nov 2007 18:11:28 +0100

I know I know, you hate this stuff, but this was way to funny. Show it
to the kids. hxxp://201.239.219.197/
It tries to do some cross-site scripting, as well as run an active-x
control. This results in 2 temp files in my IE cache.
I sent those 2 files (one is 6.6 kb, the other 33.9 kb) to Virus
Total, and only 1 application flagged them - Webwasher-Gateway -
identified as JavaScript.CodeUnfolding.gen!High (suspicious).

The user-clickable payload in this case was dancer.exe (about 125 kb)
and it was identified by 19 out of 32 apps on VT (59% detection
rate). Most/all of the first-tier AV apps flagged it (but then again
this is probably after a good 24 hours of exposure).

What is probably not widely known is that all AV apps seem to not care
about the self-unpacking javascript files that come as part of the
experience. Why aren't they looking for those?

This makes Webwasher-Gateway look good.

I use a Linux machine, so I do not know what "Dancing Bones" does. I only found a
link to hxxp://201.239.219.197/dancer.exe (dancer.exe - infected by
Email-Worm.Win32.Zhelatin.ml, says the on-line Kaspersky scanner (send a file option)).

The scariest thing is that this page is still alive today and the virus is still
there. Where should pages with viruses be reported?
 