Wednesday, December 19, 2007

CuteOverload.com Hosting RTSP Exploit (Storm?!)

It would appear that CuteOverload.com is currently having some malware issues.

At around 12:30 CST, a well-known security researcher and friend alerted me to an active RTSP exploit being served on CuteOverload.com.

After several refreshes in IE7, I finally got it to pop.



Using Paros Proxy, I looked into the highlighted JS file.





Clearly, this smells bad and looks to be malicious. So I went to decode as much of the JS as I could. In the process, I found many interesting (and evil) JavaScript code blocks.









Ummm, QuickTime files. Let's check out the QTL file.



Ouch, that isn't good at all. Let's look at the files a little closer.





So where is this exploit and the RTSP being hosted?? Good question. Let's look at DNS Tools.








But the real killer here...is this post from CuteOverload.com yesterday.



So they know that this stuff is hitting their users.
Perhaps inside a malicious ad (which is out of their direct control).

But with almost 1,400 sites linking back to them, they might want to find out about this ASAP.

Now that is a Cute Pwnage.

------------------------------------

UPDATE - As you can see from the photo above, it would appear that this JS file is full of multiple exploits, all rendered in JS - pretty nasty. Exploits include the VMLv2, SetSlice, QuickTime, GomManager, Windows Media Player, etc.

It would appear that this is some type of super exploit (most likely popped out of a malicious ad). In addition, most of the exploits point to the same hard-coded return address - 0x0c0c0c0c.

I believe this address contains the final heap slide & payload.



Here is the SetSlice and the final piece of code that starts all the functions and kicks off the payload.





Also, it would appear that a cookie is used to reduce repeat infections.



Looks like it might be a Storm variant of sorts. Not good.
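As an added illustration (not code from this post or from the site), here is a small Python scanner that scores a JavaScript sample for the indicators the update describes: the shared 0x0c0c0c0c heap slide, a spray loop, the RTSP/QuickTime lure, and the cookie used to limit repeat infections. The sample JS strings, the indicator regexes and the weights are all constructed for this example, not taken from the real file.

```python
import re

# Constructed sample in the shape the post describes (NOT the real
# CuteOverload payload): cookie gate, %u0c0c heap slide, QuickTime/RTSP lure.
SUSPICIOUS_JS = r'''
if (document.cookie.indexOf("seen=1") < 0) {
  var slide = unescape("%u0c0c%u0c0c");
  while (slide.length < 0x100000) slide += slide;
  var heap = new Array();
  for (var i = 0; i < 200; i++) heap[i] = slide;
  var qt = '<embed src="rtsp://placeholder.invalid/x.mov" type="video/quicktime">';
  document.cookie = "seen=1; expires=Thu, 01 Jan 2009 00:00:00 GMT";
}
'''

# Constructed benign script for comparison.
BENIGN_JS = r'''
var pics = ["kitten.jpg", "puppy.jpg"];
for (var i = 0; i < pics.length; i++) document.write('<img src="' + pics[i] + '">');
'''

# (name, regex, weight). Weights are an assumption for this example,
# not a published scoring scheme.
INDICATORS = [
    ("heap_slide_0c0c", re.compile(r'(?:%u0c0c){2,}|0x0c0c0c0c', re.I), 3),
    ("spray_doubling_loop",
     re.compile(r'while\s*\([^)]*\.length\s*<[^)]*\)\s*\w+\s*\+=\s*\w+', re.I), 3),
    ("rtsp_url", re.compile(r'rtsp://', re.I), 2),
    ("quicktime_embed", re.compile(r'video/quicktime|\.qtl\b', re.I), 1),
    ("cookie_gate", re.compile(r'document\.cookie', re.I), 1),
]


def scan(js: str) -> dict:
    """Return {indicator_name: hit_count} for every indicator found in js."""
    hits = {}
    for name, pattern, _weight in INDICATORS:
        n = len(pattern.findall(js))
        if n:
            hits[name] = n
    return hits


def score(js: str) -> int:
    """Sum the weight of each distinct indicator present (hit count does not multiply)."""
    weights = {name: w for name, _p, w in INDICATORS}
    return sum(weights[name] for name in scan(js))


def is_suspicious(js: str, threshold: int = 5) -> bool:
    """Flag the sample once its score reaches the (assumed) threshold."""
    return score(js) >= threshold
```

Any one indicator alone (a cookie check, an RTSP link) is common in clean pages; the point is that the combination the post observed scores well above the threshold while the benign script scores zero.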
