Thursday, October 3, 2013

JavaScript Injecting Invisible Spam

Malicious obfuscated JavaScript detected on scanned website injects spam invisible to site visitor



Background

Online Website Malware Scanner reported malicious JavaScript code in scanned web pages. Such malicious obfuscated JavaScript code is often used to inject malicious iframe(s) invisibly to website visitor and to download malware from remote distributor onto visitor's computer.

However, in this case it modifies the property of the html paragraph tag so that to hide its content from the eyes of the visitor while it remains visible for robots. This is likely the BlackHat SEO spam technique as per content and links nature. It can be assumed that this would work for drive-by-download and other malware attacks as well.

You can review BlackHat SEO example and spam SEO techniques using other method (hidden iframes) analysis in earlier posts.

Malicious action

Modifying HTML tags to make content invisible for website visitor is often used for spamming purposes and/or to distribute malware hosted on external web resources(websites).

Malware entry details

Beautified script:
  1. var rio833 = ["116", "127", "115", "133", "125", "117", "126", "132", "62", "119", "117", "132", "85", "124","117", "125", "117", "126", "132", "82", "137", "89", "116", "56", "50", "124", "125", "117", "126", "133", "66","64", "70", "50", "57", "62", "131", "132", "137", "124", "117", "62", "128", "127", "131", "121", "132", "121","127", "126", "48", "77", "48", "50", "113", "114", "131", "127", "124", "133", "132", "117", "50", "75", "116","127", "115", "133", "125", "117", "126", "132", "62", "119", "117", "132", "85", "124", "117", "125", "117","126", "132", "82", "137", "89", "116", "56", "50", "124", "125", "117", "126", "133", "66", "64", "70", "50","57", "62", "131", "132", "137", "124", "117", "62", "124", "117", "118", "132", "48", "77", "48", "61", "65","69", "64", "64", "75", "116", "127", "115", "133", "125", "117", "126", "132", "62", "119", "117", "132", "85","124", "117", "125", "117", "126", "132", "82", "137", "89", "116", "56", "50", "124", "125", "117", "126", "133","66", "64", "70", "50", "57", "62", "131", "132", "137", "124", "117", "62", "116", "121", "131", "128", "124","113", "137", "48", "77", "48", "50", "126", "127", "126", "117", "50", "75"];
  2. var kwv93 = "";
  3. var ecso014 = "";
  4. for (up420 = 0; up420 < rio833.length; up420++) {
  5.     ecso014 = rio833[up420] - 16;
  6.     kwv93 = kwv93 + String.fromCharCode(ecso014);
  7. }
  8. eval(kwv93);


Malicious payload


Decoded payload changes id="lmenu206" paragraph tag setting its display style to "none" and absolute left position to the very big value.
  1. document.getElementById("lmenu206").style.position = "absolute";
  2. document.getElementById("lmenu206").style.left = -1500;
  3. document.getElementById("lmenu206").style.display = "none";

Here is the actual content of this paragraph:
<p id="lmenu206"> Erol B眉y眉kbur莽 Kizilciklar oldu mu, <a href="http://bagdownlo1e.blogspot.com">Kizilciklar oldu mu</a>, Leman Ak莽atepe Kizilciklar oldu mu. Mahmoud El-Meliguy Hekayat hub, <a href="http://downloadc6n.blogspot.com/2009/08/movie-hekayat-hub.html">movie Hekayat hub</a>, Download A Love Story. Michelle Lynette Bush Gypsies, <a href="http://chiyarimo4e.blogspot.com/2009/08/movie-gypsies-tramps-thieves-2006.html">Download Gypsies</a>, Carla R. Ponzio Gypsies. ? <a href="http://best8biographie9.blogspot.com/2009/02/discovering-donald-ross-architect-and.html">Donald Ross: The Architect</a> <a href="http://biographi1info.blogspot.com/2009/02/inside-helmet-hard-knocks.html">Biography/Autobiography Inside the Helmet: Hard Knocks</a> Biography/Autobiography Mario, <a href="http://web3booksbio.blogspot.com/2009/02/mario-lemieux-best-there-ever-was.html">Lemieux: Best There Ever Was</a> , Sociology Masters Pr. </p>

Checked all domains referenced in this paragraph (see in bold above) on Google Safe Browsing and they were never listed as suspicious. All URLs are clean on VirusTotal as well.

When tried to access those URLs the Blogger says that there is nothing there. This technique to promote spam and other suspicious content is is widely used to infect WordPress based websites.

Malware clean-up

Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.