
Trojan.Exploit.JS.RealPlr.S


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.Exploit.JS.RealPlr.S.

Explanation :

This malicious JavaScript script merely adds new layers of encryption on top of the well known recent exploits already described for other malware, such as Exploit.SinaDloader.B, as we will see later on.

First, let's describe the protection layer the script uses. Essentially, it holds the encrypted string in a variable which, after decryption, is written into the HTML page with the "document.write" feature. Recovering the specific malicious JavaScript code takes three decoding steps, since the string is wrapped in a) Base64 encoding, b) the XXTEA encryption algorithm, and c) a conversion from UTF-8 to UTF-16.
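The three-step wrapper above can be unwound offline instead of letting the page's own `document.write` run it. The following is an added example written for this entry (it is not BitDefender's code and not the sample's own decoder); it runs under Node.js and assumes a layout the page does not state: little-endian 32-bit words, the original byte length kept in the last word, and a 128-bit key derived from a key string. The `wrapLayer` inverse, the key string and the inner stage are constructed here only so the example is self-contained.

```javascript
// Added example, not BitDefender's code: unwrapping a Base64 + XXTEA + UTF-8
// obfuscation layer of the kind described above, for offline analysis (Node.js).
// Assumptions (the sample's exact layout is not given on the page): little-endian
// 32-bit words, the original byte length stored in the last word, and a 128-bit
// key derived from a key string found in the script.

const DELTA = 0x9e3779b9;

// XXTEA (Corrected Block TEA) mixing function
function mx(sum, y, z, p, e, k) {
  return (((z >>> 5) ^ (y << 2)) + ((y >>> 3) ^ (z << 4))) ^
         ((sum ^ y) + (k[(p & 3) ^ e] ^ z));
}

// v: Uint32Array with at least 2 words, k: Uint32Array of 4 words; works in place
function xxteaEncrypt(v, k) {
  const n = v.length;
  let rounds = 6 + Math.floor(52 / n), sum = 0, z = v[n - 1], y, p;
  while (rounds-- > 0) {
    sum = (sum + DELTA) | 0;
    const e = (sum >>> 2) & 3;
    for (p = 0; p < n - 1; p++) { y = v[p + 1]; z = v[p] = (v[p] + mx(sum, y, z, p, e, k)) | 0; }
    y = v[0];
    z = v[n - 1] = (v[n - 1] + mx(sum, y, z, p, e, k)) | 0;
  }
  return v;
}

function xxteaDecrypt(v, k) {
  const n = v.length;
  let rounds = 6 + Math.floor(52 / n), sum = (rounds * DELTA) | 0, y = v[0], z, p;
  while (rounds-- > 0) {
    const e = (sum >>> 2) & 3;
    for (p = n - 1; p > 0; p--) { z = v[p - 1]; y = v[p] = (v[p] - mx(sum, y, z, p, e, k)) | 0; }
    z = v[n - 1];
    y = v[0] = (v[0] - mx(sum, y, z, p, e, k)) | 0;
    sum = (sum - DELTA) | 0;
  }
  return v;
}

// Pack bytes into little-endian words; optionally append the byte length as the last word
function bytesToWords(bytes, includeLength) {
  const words = new Uint32Array(((bytes.length + 3) >>> 2) + (includeLength ? 1 : 0));
  for (let i = 0; i < bytes.length; i++) words[i >>> 2] |= bytes[i] << ((i & 3) << 3);
  if (includeLength) words[words.length - 1] = bytes.length;
  return words;
}

// Unpack words to bytes; with includeLength, validate and honour the trailing length word
function wordsToBytes(words, includeLength) {
  let n = words.length << 2;
  if (includeLength) {
    const m = words[words.length - 1];
    // a wrong key or a corrupt blob almost always fails this plausibility check
    if (m < n - 7 || m > n - 4) throw new Error('length word out of range: wrong key or corrupt blob');
    n = m;
  }
  const bytes = new Uint8Array(n);
  for (let i = 0; i < n; i++) bytes[i] = (words[i >>> 2] >>> ((i & 3) << 3)) & 0xff;
  return bytes;
}

// Key string -> 128-bit key (truncated or zero-padded to 16 bytes)
function keyWords(keyString) {
  const kb = new Uint8Array(16);
  kb.set(new TextEncoder().encode(keyString).slice(0, 16));
  return bytesToWords(kb, false);
}

// The malicious script runs these three steps and hands the result to document.write;
// the analyst's version returns the decoded stage for inspection instead.
function unwrapLayer(b64, keyString) {
  const cipher = new Uint8Array(Buffer.from(b64, 'base64'));                       // a) Base64
  if (cipher.length < 8 || cipher.length % 4 !== 0) throw new Error('not a whole-word XXTEA blob');
  const words = xxteaDecrypt(bytesToWords(cipher, false), keyWords(keyString));     // b) XXTEA
  return new TextDecoder().decode(wordsToBytes(words, true));                        // c) UTF-8 -> UTF-16 string
}

// Inverse of unwrapLayer, used here only to construct a sample blob
function wrapLayer(script, keyString) {
  const words = xxteaEncrypt(bytesToWords(new TextEncoder().encode(script), true), keyWords(keyString));
  return Buffer.from(wordsToBytes(words, false)).toString('base64');
}

// Constructed, harmless stand-in for the real second stage
const INNER_STAGE = '<script>/* constructed stage 2 */ console.log("stage two");</script>';
const SAMPLE_KEY = 'constructed-key';
const SAMPLE_BLOB = wrapLayer(INNER_STAGE, SAMPLE_KEY);

console.log('blob:   ', SAMPLE_BLOB);
console.log('decoded:', unwrapLayer(SAMPLE_BLOB, SAMPLE_KEY));
```

In a real sample the Base64 blob, the key and the step order are all visible in the script itself, since the layer is obfuscation rather than protection against the reader; the point of a decoder like this is to obtain the second stage as text, which can then be matched against the exploit pages listed below without ever executing it.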

After decryption, different versions perform different actions. Since this encryption scheme is widespread on malicious sites, the actions listed below are taken from a version involved in the Trojan.Exploit.SSX infection campaign, which helps the user understand the effect of the malware on the affected computer.

The preferred delivery technique is still the "invisible iframe" attack.

* Creates two invisible iframes. The first points to an exploit for the Snapshot Viewer described here, and the second downloads SWF (Adobe Flash) files that are detected as Exploit.SWF.Gen.

* If the "User-Agent" is msie7 (Internet Explorer), it creates an invisible iframe pointing to [malicious_site].cn/a2/ms06014.htm, which uses the MS06-014 RDS.DataControl exploit in Microsoft Data Access Components and downloads a file detected as Trojan.Dropper.Replacer.A.

* Lianzhong chat room exploit (GLIEDown.IEDown.1) found in [malicious_site].cna2/GLWORLD.html (detected as Trojan.Exploit.JS.G), which downloads [malicious_site].cn/new/a4.css (Trojan.Dropper.Replacer.A).

* [malicious_site].cn/sina.htm (DownloadAndInstall exploit), which downloads [malicious_site].cn/down/sina.exe (heuristically detected as Generic.Malware.SYBdld.1FBF30D9).

* UUUpgrade ActiveX control module-update exploit (UUUPGRADE.UUUpgradeCtrl.1 component), which downloads [malicious_site].cn/UU.htm (unavailable at analysis time).

* Xunlei Thunder exploit (ActiveXObject DPClient.Vod) found in [malicious_site].cn/a2/Thunder.html, which downloads [malicious_site].cn/down/ko.css (detected as Trojan.Dropper.Replacer.A).

* RealPlayer exploit (IERPCtl.IERPCtl.1 component) for versions older than 6.0.14.552, which finally downloads [malicious_site].cn/down/ko.css (detected as Trojan.Dropper.Replacer.A).

* [malicious_site] is an umbrella term for websites hosting malware; the actual host differs and changes between samples.
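Every action in the list above starts with an iframe the user cannot see. A triage check that flags such iframes in captured page source, as an added example written for this entry (not BitDefender's tooling) and run under Node.js: the HTML below is constructed, with `example.invalid` standing in for [malicious_site], and the tag parsing is a deliberately simple regex over attribute text rather than a full HTML parser, which is an assumption of the example.

```javascript
// Added example, not from the BitDefender write-up: static triage of HTML source
// for iframes styled to be invisible, the delivery pattern described above.
// Parsing is a simple regex over the <iframe ...> tag attributes (an assumption of
// this example, not a full HTML parser); the input page is constructed below.

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// name, then optional ="dq" | 'sq' | unquoted value; a bare name is a boolean attribute
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Returns the reasons an iframe would not be visible to the user, or [] if it would
function hiddenReasons(attrs) {
  const reasons = [];
  const zero = (v) => v !== undefined && parseInt(v, 10) <= 0;
  if (zero(attrs.width) || zero(attrs.height)) reasons.push('zero-size');
  const style = (attrs.style || '').toLowerCase().replace(/\s+/g, '');
  if (/display:none/.test(style)) reasons.push('display:none');
  if (/visibility:hidden/.test(style)) reasons.push('visibility:hidden');
  if (/(width|height):0(px)?(;|$)/.test(style)) reasons.push('zero-size-css');
  if (/(left|top):-\d{3,}/.test(style)) reasons.push('off-screen');
  if (attrs.hidden !== undefined) reasons.push('hidden-attr');
  return reasons;
}

// Scan raw HTML and report every hidden iframe with its src and the reasons it was flagged
function findHiddenIframes(html) {
  const hits = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    const reasons = hiddenReasons(attrs);
    if (reasons.length) hits.push({ src: attrs.src || '', reasons });
  }
  return hits;
}

// Constructed sample page: two hidden frames in the style of the list above, one legitimate frame
const SAMPLE_HTML = `
<html><body>
<p>Constructed sample page for the detector.</p>
<iframe src="https://example.invalid/a2/ms06014.htm" width=0 height=0 frameborder="0"></iframe>
<iframe src="https://example.invalid/a2/Thunder.html" style="display: none"></iframe>
<iframe src="https://example.invalid/player" width="640" height="360"></iframe>
</body></html>`;

for (const hit of findHiddenIframes(SAMPLE_HTML)) {
  console.log(`hidden iframe -> ${hit.src} [${hit.reasons.join(', ')}]`);
}
```

The src values collected this way are what an analyst feeds into the decoder and detection pipeline; the user-agent check in the msie7 branch above is a reminder that a single fetch may not show every iframe, so captures taken with more than one User-Agent string should be scanned.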

Last update 21 November 2011
