Weekly Review

This week BitDefender Research Labs stumbled across another JavaScript powered password stealer. Initially looking at the JS code, we discovered many similarities with Trojan.Exploit.SSX.


First of all, the JavaScript tries to exploit several
vulnerabilities in ActiveX controls such as Storm Player, Snapshot Viewer and
Real Player.

It does so by creating an invisible iframe in infected
websites, which points to http://jjj.[removed].com. That page
dynamically creates content which makes use of another Internet Explorer flaw
that permits a web application to change the security policy of the user. The
Shockwave Flash Player permission is set to “allowed control”, making it easier for other
code to execute.

It then detects the current browser, and if it’s not
Internet Explorer 7, it creates another iframe which serves the user other
infected web pages. If the browser is Internet Explorer 7, it creates
several other invisible iframes that lead to the pages containing the
exploit code for the applications mentioned above (the exploit for Real
Player will only work for versions older than

Finally, it will create one more invisible iframe that
will contain a link to a web page that contains a specially crafted XML
document that may allow remote-code execution.
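The injection pattern described above (an invisible iframe on a compromised page pointing at an off-site host, sometimes written out from script) can be checked for in captured page source. The following scanner is an added example written for this review, not code from the BitDefender analysis; the page host and the attacker host in the sample are constructed placeholders, and the sample HTML is constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a legitimate page with one static and one script-written
# invisible, off-site iframe. The attacker host is a placeholder, not the real one.
SAMPLE_HTML = """<html><body>
<iframe src="/ads/banner.html" width="300" height="250"></iframe>
<iframe src="http://jjj.attacker.invalid/" width="0" height="0"></iframe>
<script>document.write('<iframe src="http://jjj.attacker.invalid/x" style="display:none"></iframe>');</script>
</body></html>"""

# String-level scan: also sees iframes embedded in script strings, but not ones
# assembled by concatenation or decoded at runtime.
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTRIBUTE = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def parse_attrs(raw):
    """Attribute string -> dict; strips quotes and JS escape backslashes."""
    return {k.lower(): v.strip("\\\"'") for k, v in ATTRIBUTE.findall(raw)}

def invisibility_reasons(attrs):
    """List the indicators that make an iframe effectively invisible to the user."""
    reasons = []
    dims = [attrs.get(k, "").lower().rstrip("px") for k in ("width", "height")]
    if any(d in ("0", "1") for d in dims):
        reasons.append("zero/one-pixel frame")
    if HIDDEN_CSS.search(attrs.get("style", "")):
        reasons.append("hidden by CSS")
    return reasons

def find_hidden_offsite_iframes(html, page_host):
    """Return a finding for every iframe that is both invisible and off-site."""
    findings = []
    for m in IFRAME_TAG.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # relative src -> no host
        reasons = invisibility_reasons(attrs)
        if host and host != page_host.lower() and reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_hidden_offsite_iframes(SAMPLE_HTML, "victim.example"):
        print(finding)
```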

By tracking down the links inside the encrypted code, we
found that the downloaded application is saved in %temp% under the name
“hun.exe” and is detected by BitDefender as: Generic.PWS.Games.2.F6617AE5.

It is not known which games the payload targets;
however, the analysis has shown that it downloads another file named “wget.exe”,
downloads two lists (list.asp and list.txt) and drops “as01.exe” in %temp%.

As01.exe is a Trojan, part of an unknown botnet. It
probably isn’t very widely spread. BitDefender heuristics detect it as: Trojan.Generic.1363006.


Information in this article is available courtesy of:
Lutas Andrei Vlad