InformAction Forums

Hi forum members,

Look at the following malcode analysis:
exploit
Here are the details I encountered:

1. Virus identified: JS-CVE-2009-1136-A[Expl] (which is an Exploit)
2. Web address: wXw.uyghurcongress.org/En/home.asp
3. Malicious file identified by Avast!: m2m.net84.net/cn/document.js

Mentioned site with this document.js is the malcode residing site: And this is:
Title:
HTTP Error 403 Forbidden
URL: hXtp://m2m.net84.net/cn
Redirects: 301 -> hXtp://m2m.net84.net/cn/
where I find the following: And this is at the crux of the malcode, because Description (packet storm's):
Anehta is a PHP/Javascript based platform to make cross site scripting and other web attacks easier.
Author: axis
Homepage: hXtp://code.google.com/p/anehta/
File Size: 5596731
Last Modified: Nov 25 17:46:32 2008
MD5 Checksum: 5316c6cb785caef595c58e80a97f4ce8
More info on this new XSS platform: http://archives.neohapsis.com/archives/ ... /0565.html
other redirect is to:
302 -> hXtp://error.000webhost.com/forbidden.html

Is NoScript protecting us against anehta driven exploits?

luntrus

First, when you visit uyghurcongress (presumably) JavaScript is not allowed, so the exploit is thwarted right there.
Second, even if you do Allow JavaScript on uyghurcongress, the exploit is still hosted on a foreign domain, so again the exploit is thwarted.

Third, the exploit page itself doesn't seem to be returning anything at the moment.
(I wonder if it might only do something if you're visiting from a .cn domain?)