Suspicious favicon detected by online Website Malware Scanner
Background
Online Website Malware Scanner has identified a suspicious favicon file on the scanned website. The detected sequence of executable instructions resembles a vulnerability exploit or shellcode.
Malicious action
A vulnerability exploit, or simply an exploit, is often used as a 'means of transportation' for malicious content such as viruses, backdoors, trojans and others. Although it requires a particular combination of software and security flaws in order to execute, when successful it opens unlimited compromising opportunities for the attacker.
Website malware scanner report
Submission date: Mon Apr 1 18:11:00 2013
Infected website's files: 1
Malware entry
Malware entry details.
Disassembly
- Scanning favicon.ico
- favicon.ico is suspicious.
- Detection offset: 0
- Payload disassembly:
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[EAX] (0x00000000),EAX (0x00000000)
- ADD DS:[EAX] (0x00000000),EAX (0x00000000)
- ADC DS:[EAX] (0x00000000),DL (0x00)
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[EAX] (0x00000000),EAX (0x00000000)
- AND DS:[EAX] (0x00000000),AL (0x00)
- PUSH 0x16000004
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[EAX] (0x00000000),CH (0x00)
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[EAX] (0x00000000),DL (0x00)
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[EAX] (0x00000000),AH (0x00)
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[ECX] (0x00000000),AL (0x00)
- ADD DS:[EAX] (0x00000000),AH (0x00)
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD AL (0x00),0x00
- ADD DS:[EDX] (0x00000000),DL (0x00)
- OR EAX (0x00000000),DS:[EAX] (0x00000000)
- ADD DS:[EDX] (0x00000000),DL (0x00)
- OR EAX (0x00000000),DS:[EAX] (0x00000000)
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[ECX] (0x00000000),AL (0x00)
- PUSH SS (0x0000)
- AND DS:[EBP + 0x6] (0x00000006),CH (0x00) ==random write instruction
- INC EBX (0x00000000)
- IMUL EAX (0x00000000),EDI (0x00000000),0xEB94550C
- CMOVPO EDX (0x00000000),DS:[ECX + 0x6C340DED] (0x6C340DED) ==random read instruction
- JCXZ 0x07 ==random read instruction
- ADD ECX (0x00000000),DS:[EDX] (0x00000000)
- POP SS (0x0000)
- SAHF
- ADD DS:[EAX] (0x00000000),AL (0x00)
- ADD DS:[EBX - 0x6D000000] (0x93000001),CL (0x00) ==random write instruction
- ADD EAX (0x00000000),DS:[EBX] (0x00000001) ==random read instruction
- ADD ESP (0x091FF633),DS:[EAX - 0x4EEBEBEC] (0xB2141414) ==random read instruction
- POP DS (0x0000)
- POP DS (0x0000)
- POP DS (0x0000)
- MOV BL (0x01),0x0C
- OR AL (0x00),0x0C
- JP 0x00
- ADD DS:[EAX] (0x0100000C),AL (0x0C) ==random write instruction suspicious memory writeinstruction
- INC EAX (0x0100000C)
- ADD DS:[EAX] (0x0100000D),AL (0x0D) suspicious memory write instruction
- ADD [0xD2B48C02] (0xD2B48C02),AH (0x00) ==random write instruction
- POP ES (0x0000)
- MOV AL (0x0D),0xF4
- DEC [EBP*0x4 + EAX] (0x010000F4)
- STD
- CALL DS:[EAX] (0x010000F4)
- CWDE
- STC
- CALL [0x16FFF186] (0x16FFF186)
- ADD DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000000F4),EAX (0x000000F4) ==random write instruction
- ADD DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000000F4),EAX (0x000000F4) ==random write instruction
- AND DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- PUSH 0x16000004
- ADD DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000000F4),CH (0x00) ==random write instruction
- ADD DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000000F4),DL (0x00) ==random write instruction
- ADD DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000000F4),AH (0x00) ==random write instruction
- ADD DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- ADD DS:[ECX] (0x00000000),AL (0xF4) suspicious memory write instruction
- ADD DS:[EAX] (0x000000F4),AH (0x00) ==random write instruction
- ADD DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000000F4),AL (0xF4) ==random write instruction suspicious memory writeinstruction
- ADD AL (0xF4),0x00
- ADD DS:[EDX] (0x00000000),DL (0x00)
- OR EAX (0x000000F4),DS:[EAX] (0x000000F4) ==random read instruction
- ADD DS:[EDX] (0x00000000),DL (0x00)
- OR EAX (0x000007FC),DS:[EAX] (0x000007FC) ==random read instruction
- ADD DS:[EAX] (0x000007FC),AL (0xFC) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000007FC),AL (0xFC) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000007FC),AL (0xFC) ==random write instruction suspicious memory writeinstruction
- ADD DS:[EAX] (0x000007FC),AL (0xFC) ==random write instruction suspicious memory writeinstruction
- ADD DS:[ECX] (0x00000000),AL (0xFC) suspicious memory write instruction
- PUSH SS (0x0000)
- AND DS:[EBP + 0x6] (0x00000006),CH (0x00) ==random write instruction
- INC EBX (0x0000000C)
- IMUL EAX (0x000007FC),EDI (0x00000000),0xEB94550C
- CMOVPO EDX (0x00000000),DS:[ECX + 0x6C340DED] (0x6C340DED) ==random read instruction
- JCXZ 0x07 ==random read instruction
- AAM 0xD4
- CALL EAX (0x00000000)
- LOCK ADD DS:[EAX] (0x00000000),EAX (0x00000000)
Investigation counters
- Investigation counters:
- REFERENCES_TO_PROCESS_INTERNALS 0
- REFERENCES_TO_PROCESS_IMPORTS 2
- REFERENCES_TO_PROCESS_EXPORTS 0
- CORRECTLY_PARSED_INSTRUCTIONS 100
- CORRECTLY_EXECUTED_INSTRUCTIONS 95
- UNRECOGNIZED_CALL_TARGETS 3
- UNDEFINED_DIRECT_CALLS 1
- UNRECOGNIZED_JUMP_TARGETS 0
- SYSTEM_CALLS_COUNT 0
- PROC_CALLS_INSIDE_INV_BUFFER 0
- JUMPS_INSIDE_INV_BUFFER 3
- JUMPS_TO_PROCESS_INTERNALS 0
- CALLS_TARGETED_IMPORTS_SECTION 3
- CALLS_TARGETED_EXPORTS_SECTION 0
- CORRECT_PROCEDURES_CALLS 0
- FAR_JUMPS_COUNT 0
- BUFFER_OUTSIDE_WRITES_COUNT 6
- BUFFER_INSIDE_WRITES_COUNT 0
- BUFFER_OUTSIDE_READS_COUNT 6
- BUFFER_INSIDE_READS_COUNT 0
- FULLY_INITIALIZED_INSTRUCTIONS 56
- CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS 3
- PROVIDED_ABSOLUTE_MEMORY_ADDRESSES 0
- INDIRECT_BUFFER_REFERENCES 2
- READS_FROM_PROCESS_STACK_MEMORY 5
- WRITES_TO_PROCESS_STACK_MEMORY 2
- EXECUTED_ARITHMETIC_INSTRUCTIONS 6
- EXECUTES_BITS_OPERATING_INSTRUCTIONS 0
- EIP_RETRIEVAL_INSTRUCTIONS 0
- IMMEDIATE_OPERANDS_INSTRUCTIONS 0
- MEMORY_MODIFYING_MATH_INSTRUCTIONS 0
- MAX_WRITTEN_MEMORY_BLOCK 0
Malware clean-up
If you suspect that your website has been infected by similar malware, please use Website Anti-malware Monitoring for remediation assessment.