With all the malware and exploit files around, I frequently find it hard to remember one specific attack. But today, while analyzing a suspicious site, I came across an exploit that tried to download a binary called "funny.php", and it sure felt enough like a glitch in the matrix to make me look back through my logs. And indeed, there had been another funny.php, from the same server in Malaysia, almost a month ago. And another, five days ago, from a server in Germany. The EXEs the exploit tries to retrieve vary (of course), but the exploit pattern is always the same.
1. Exploit-Byteverify (a quite wizened Java exploit)
2. An exploit for MS06-014, with the code lifted almost verbatim from the corresponding Metasploit module
3. A copy of the MS06-057 WebViewFolderIcon.SetSlice exploit, artfully rendered to avoid detection
If any of these is successful, the exploit downloads and runs the mentioned "funny.php?adv=1" files, which invariably turn out to be Trojan downloaders or worse. The funny.php thingies are apparently refreshed frequently enough to keep AV coverage low to nonexistent.
While the three exploits are not at all lethal on a well-patched PC, the prevalence and endurance of these not-so-funny PHPs suggests that there are still far too many PCs out there that fall for this sort of attack. We have informed the two affected ISPs in Germany and Malaysia; let's see who has staff on duty on an Easter weekend...
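The "look back through my logs" step above can be scripted: the stable part of this kit is the `funny.php?adv=1` download request, regardless of which EXE it fetches or which server hosts it. The sweep below is an added example, not code from the diary; the proxy log lines, hostnames and client IPs are constructed placeholders, not the Malaysian or German servers mentioned above.

```python
"""Sweep proxy logs for the recurring funny.php?adv=1 downloader request."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed Squid-style log lines: timestamp, client IP, method, URL.
# Hostnames (.invalid TLD) and IPs are placeholders, not real indicators.
SAMPLE_LOG = """\
2007-03-10 14:02:11 10.0.0.12 GET http://example-my.invalid/funny.php?adv=1
2007-03-10 14:02:13 10.0.0.12 GET http://example-my.invalid/load.exe
2007-04-03 09:17:44 10.0.0.40 GET http://example-de.invalid/funny.php?adv=1
2007-04-08 11:55:02 10.0.0.12 GET http://example-my.invalid/funny.php?adv=1
2007-04-08 12:00:00 10.0.0.77 GET http://example.org/funny.html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<client>\S+) "
    r"(?P<method>\S+) (?P<url>\S+)$"
)
# The path and query string are the stable part; host and EXE name change.
FUNNY_RE = re.compile(r"^https?://(?P<host>[^/]+)/funny\.php\?adv=1$", re.I)


def find_funny_hits(log_text):
    """Return (datetime, client, host) for every matching download request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the sweep
        u = FUNNY_RE.match(m["url"])
        if u:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            hits.append((ts, m["client"], u["host"].lower()))
    return hits


def summarize_by_host(hits):
    """Per serving host: hit count, first/last sighting, distinct victim clients."""
    by_host = defaultdict(list)
    for ts, client, host in hits:
        by_host[host].append((ts, client))
    return {
        host: {
            "count": len(entries),
            "first_seen": min(t for t, _ in entries),
            "last_seen": max(t for t, _ in entries),
            "clients": sorted({c for _, c in entries}),
        }
        for host, entries in by_host.items()
    }


if __name__ == "__main__":
    for host, info in summarize_by_host(find_funny_hits(SAMPLE_LOG)).items():
        print(f"{host}: {info['count']} hits, {info['first_seen']} .. "
              f"{info['last_seen']}, clients={info['clients']}")
```

Clients that appear more than once against the same host (as 10.0.0.12 does here) are the machines that keep falling for the kit and need patching for MS06-014 and MS06-057 first.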
Apr 8th 2007