(screenshot from websense)
The exploit used is CVE-2012-0507 ("Java AtomicReferenceArray Type Violation Vulnerability") - which is exploitet using MetaSploit Framework (MSF).
As it can be seen, then the malware is hostet at hxxp://www.48groupclub.org/images/uploads/Image/sethc.exe (file backup).
By examining the file's certificate it becomes clear that this file is not the same as websense saw.
Some things seems odd.. like what's up with the "http://billgates-serve/CertEnroll/VeriSign Class 3 Code Signing 2011-2 CA.crl" ?!
I won't be analyzing the file (but if anyone do, then please post a comment with a link!). However by just looking at some strings in a hexeditor, it very much looks like origin of the file is China.
C:\Program Files\SogouPinyinUp.exeAnd Resource Hacker "confirms" this:
C:\windows\1.dll
QQGameDl.exe
C:\Program Files\1.exe
The website: 48groupclub.org
I've inspected the website 48groupclub.org, and well, I'm not impressed. It literally took me less than five minutes to hack the site - only using free online script kiddies tools... Point-click'n'access :(
What is wrong with the site? First I found a SQL Injection vulnerability. Then I extracted the username and plaintext password! And from here I could easy login.
I can't tell how the hackers managed to upload the sethc.exe file (I couldn't find any place to upload files), but the website contained lots of vulnerabilities, so any unintended upload-vulnerability wouldn't surprise me.
Another interesting vulnerability I found is the "backup feature", which is basically a world+dog-readable dump of the database. Now, opening the file in any standard program will create a popup asking for a password, but as shown here; Jet MDB security - under the hood then the file isn't actually encrypted, its just "protected" via Security through obscurity, which is very bad:
(NirSoft Access PassView 1.12)
I have contacted the site, but hasn't heard anything from them.
No comments:
Post a Comment
Feel free to write anything :-) Post posted as anonymous, is actually anonymous (i.e. I can't see your IP or anything)