
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #11
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    4chan.org Malware .gif files...

    FYI...

    - http://isc.sans.org/diary.html?storyid=5821
    Last Updated: 2009-02-07 21:51:03 UTC - "A Storm Center subscriber has just submitted malware embedded in .gif image files, downloaded from the image site 4chan.org. For the sake of expediency, and because this person did such a good write up, here is the analysis provided:

    "The *.gif files were found (on) the "random" board of the image board site 4chan. The files contain a large picture with instructions to save the file with a .jse extension and run it. The *.out files are the result of applying scrdec to the gifs to reveal the encoded script. It appears to:
    1) copy itself somewhere as 'sys.jse'
    2) add itself to a Run key in the registry
    3) a) fetch the index to 4chan's /b forum
       b) download the first image
       c) save it as 'j.jse'
       d) attempt to run 'j.jse'
    4) construct a POST request containing the image as payload
    5) upload itself as a new post on 4chan
    6) point an instance of IE at site it came from
    (3)-(6) are in an infinite loop."

    To the subscriber who did the legwork on this one, my thanx for the excellent work... will provide more data as it develops."

    Last edited by AplusWebMaster; 2009-02-08 at 01:17.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
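A detection sketch for the files described in the post above, added here as an example and not taken from the post or the ISC diary: it flags files that start with a GIF signature yet contain a Script Encoder block, the `#@~^` ... `^#~@` framing that scrdec decodes. The function names and the sample bytes are constructed for illustration, and the length/checksum field layout is the commonly documented one, assumed here.

```python
import base64
import re
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
# Encoded-script start marker: "#@~^" followed by a 6-char base64 length and "=="
START = re.compile(rb"#@~\^([A-Za-z0-9+/]{6}==)")
END = b"^#~@"


def find_encoded_script(data: bytes):
    """Return a finding dict if `data` is a GIF carrying an encoded-script block, else None."""
    if not data.startswith(GIF_MAGICS):
        return None
    m = START.search(data)
    if m is None:
        return None
    # Assumed layout: the length field is base64 of a 4-byte little-endian byte count.
    (declared,) = struct.unpack("<I", base64.b64decode(m.group(1)))
    end = data.find(END, m.end())
    return {
        "offset": m.start(),
        "declared_length": declared,
        "end_marker": end != -1,
        # body plus an 8-char checksum field should sit between header and end marker
        "length_consistent": end != -1 and end - m.end() == declared + 8,
    }


def make_sample(body: bytes) -> bytes:
    """Constructed input: GIF signature, 8 filler bytes, then a marker-framed block of filler."""
    length = base64.b64encode(struct.pack("<I", len(body)))
    checksum = b"AAAAAA=="  # placeholder checksum field, not a real checksum
    return (b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"
            + b"#@~^" + length + body + checksum + END)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hit = find_encoded_script(fh.read())
        print(path, hit or "no encoded-script marker")
```

A hit with `length_consistent` false still deserves a look, since the marker alone has no business inside an image file.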
