About three weeks ago, when looking for a hotel, I was surprised to get Windows Defender taking action, just by opening the start page of the hotel:
 |
| Windows Defender in action |
First disappointment. What I saw was this:
 |
| View Source - lots of includes |
 |
| suspicious code |
Ok, so we have some obfuscated JavaScript here. While there are automated de-obfuscators on the Internet readily available (like this one), let's do this manually. It's more fun anyway. I'm not afraid of any JavaScript running in my well sandboxed browser, even if it's IE, so why should this be something to block? I want to know the details. So let's start.
In order to do something with this, we have to disable Windows Defender. Even if we save this in a Notepad text file, Defender kicks in and deletes the file. In Windows 8, Defender is no longer in Control Panel Category View, it's hidden. You have to switch to the old Icon View in order to see it. Ok, let's disable Defender and let's start.
The first obvious thing here is that there's a lot of white space after the initial script tag. That's probably to hide itself, because on systems that show this source code in one line, the rest is invisible, scrolled out on the right. Ok, let's remove these spaces. Then there is a big string, with some strange codes in them. In order to understand what this does, I just removed the content of the string in order to see the rest of the code. So it looks like this:
 |
| obfuscated code |
 |
| nicely formatted obfuscated code |
- zz=3; ... if(zz)... → remove this, because it's always true
- dbshre=53; if(dbshre)... → remove this, because it's always true
- ss=(123)?String.fromCharCode:0; → replace this with ss=String.fromCharCode;
- asgq variable → rename it to code_1
- p=parseInt; ... p(...) → use directly parseInt(...)
- ss=String.fromCharCode; ... ss(...) → use directly String.fromCharCode(...)
- gdsgsdg variable → rename it to exc1, as it is an exception
- agdsg variable → rename it to exc2, as it is an exception
- vfvwe variable → rename it to flag, as it is set to 0 or 1
 |
| after first step of de-obfuscation |
- try{document.body} → the document.body is an object HTMLBodyElement. Applying the Bitwise AND Operator with a Number causes an invalid argument exception and will get catched by the catch(exc1){...} part. So leave away the entire first part. I assume this was written to confuse automated de-obfuscating tools.
- if(window.document) → remove this, because it's always true (twice in the code)
- try{document;}catch(exc2){flag=1;} → This is not doing anything. Not even throwing an exception. Remove the entire code part.
- flag=0; ... if(!flag)... → remove this, because it is always true
- e=eval; ... e(s); → use directly eval(s);
 |
| de-obfuscated JavaScript code |
We could simply replace the final eval(s); with an alert(s);, but that wouldn't be nicely formatted and not ready for copy and further examination. So let's use the string and do it manually.
I opened Notepad and replaced
- @ → 9
- !a! → !0a!
- !0d! → !0d!
- ! → space character
 |
| hex data for second stage code |
 |
| second stage code |
 |
| second stage code, formatted |
So finally we can start analyzing it. So we have three functions and a small code block. This code block runs right away and executes GetCookie. From the nice name they left in there we can assume it reads a cookie (which it does if you look at the code of GetCookie) and if the cookie is found, nothing else is done. If the cookie is not there, then the other function with the nice name SetCookie will be called. This simply stores a cookie. We don't need to go into the details of these two functions, only that SetCookie sets an expiration time of today.getTime()+1day (the parameter to setTime is in milliseconds since a fixed date). This is to execute the mainfunc() only once per day. After SetCookie, we get to the main function, the core of this "malware".
So what does mainfunc() do? First it creates an object jn, which is an iframe with 1 pixel size and without a border and pointing to some external URL. Then the code checks if the page already has an HTML element with the id 'jn'. If not, it writes (document.write) at the current position a div tag with the id 'jn' and adds the iframe object into it.
This means that all this malware does is to inject a div tag with an iframe object that loads in the iframe the content of another site, presumably with malicious code in there exploiting some unpatched browser or plugin vulnerability. So per se this code is nothing malicious at all. It would be the same as having an iframe tag on the page itself. It was just hidden in some obfuscated code.
The mentioned URL doesn't work anymore, it results in a 404 (not found). But at the time of testing this, it still worked. But I couldn't get it to serve me anything. It just returned an "ok" text. I thought it does maybe some browser fingerprinting by checking the User Agent, so I tried various strings there, even of old browsers, but I never received anything. So maybe it serves the malware only to certain IP ranges (country specific). Anyway, this php serving the malware and anything it returns would be part of a further blog post. This write up was just for the injection JavaScript.
Some general thoughts: I thought the variable names in the obfuscated code were to distract AV detectors and they were always different. It seems that this is not the case and they are always the same in this variant of the "malware", only the URL in the contained second stage code varies and the length values varies (in the for loop) and also some assigned value for the useless variables. Then the second stage code seems to be not minified nor obfuscated in any way. It even contains useful function and variable names. Formatting could've been better, but the programmers didn't care of shortening the code for unknown reasons. For me all this looks like they were not very professional, more like some script kiddies or someone using tools.
Additionally the same injected code seems to appear on websites all over the world. The funny thing is that obviously this was an automated attack on these sites, probably exploiting some common bug, as for some, the injected code doesn't even work and the JavaScript is at a place where it gets displayed instead of executed, like here:
 |
| injection at the wrong place |
 |
| source code of wrong place injection |
Searching Google for some code parts of the initial obfuscated code results in "about 170,000 results", including a few discussions about this code. On only a few of these pages I got this nice warning from Google:
 |
| Google warning |
One interesting aspect of this is that Google or your AV might block this initial iframe injection, but the underlying iframe source is already down. This also counts in their statistics of "having successfully blocked malware from innocent users", which is wrong of course. Blocking an iframe prevents nothing by itself, but it's a good mitigation.
I looked through the first three pages of Google results (first 30 results). Some of these have slightly different code, probably some variations, and in many cases the GetCookie/SaveCookie part is missing (so it's served always). The one we examined is probably newer. Looking at the second stage code on these pages results in 18 unique links for the malicious iframe. These are the links I found there, including the ones mentioned above (http replaced with hxxp to avoid hotlinking). First the URLs that are down or not reachable:
- hxxp://brandemotion.kei.pl/csv/clik.php - 404 down
- hxxp://209.238.172.66/rel.php - 404 down
- hxxp://bffunsc.com/esd.php - 404 down
- hxxp://cemugurel.tk/SpryAssets/relay.php - 404 down
- hxxp://clutte[p..z]... (URL was cut off there)
- hxxp://cvct.ie/Engineers/traf.php - 404 down
- hxxp://devinedesignswy.com/counter.php - 404 down
- hxxp://faktyinfo.pl/dtd.php - 404 down
- hxxp://ftp.elhermeneuta.org/cgi-bin/clk.php - 403 forbidden
- hxxp://losilla.com/dtd.php - 404 down
- hxxp://thekidsclinic.us/counter.php - 404 down
- hxxp://wineloverguide.com/_vti_bin/counter.php - DNS error
- hxxp://wl29www42.webland.ch/admin/cnt.php - 404 down
- hxxp://www.betterbailbonds.net/VLNSec01/cnt.php - 404 down
- hxxp://www.onestepbuildingsystem.com/Documents/esd.php - 404 down
- hxxp://198.63.54.175/_mm/esd.php - up, served by IIS6
- hxxp://dv8fitness.com/includes/clicker.php - 301 redirect to www site, still up, served by Apache
- hxxp://ops.skylease.aero/dtd.php - up, served by Apache/2.2
- hxxp://www.fansoftaylorswift.com/wp-includes/dtd.php - up, served by Apache/2.2
For the four that are still running, the result looks like this when querying:
 |
| HTTP stream connecting to the malicious URLs |
- 2_ok_0 (with "_" standing for a line break)
- ok
When googling for this, I found some Intrusion Detection System (IDS) log file saying that it "detected malicious iframe injection" and also "detected BlackHole v2.0 exploit kit URL pattern", so they might be related.
Although we didn't get any deeper yet, I still hope you liked this write up.
