This analysis report explains in detail how a malscript is used to infect users and how the code is injected into the web server. It also explains a tricky technique used by the malware writer.
Analysis of Malscript Injected website:
Screen shot of the Website:
JSSS is a jQuery plugin that allows you to take advantage of the full range of jQuery selectors across all browsers from within your standard CSS files. The embedded malicious code is given below:
In the above code the expression "eval(unescape(string))" decodes the escaped string and then executes the result. When I decoded the string, I was able to see the actual code, as given below:
What does this Code do?
The above code runs only when a specific condition is met. It uses an external JavaScript file, meaning it downloads and runs that script to check a few conditions, and maybe that is why the script itself is named check.js. I then analyzed check.js and found the code given below:
After analyzing all the above code it was clear to me what the code actually does. Overall, this script checks whether a user reaches the website directly by typing the URL or arrives through a search engine. When users reach the site by typing the URL directly into the address bar, it displays the actual page. But if users come through one of the search engines listed in the script, it displays a different page, shown below, which is hosted on the same server. The link to the fake page is "http://www.example.org/demo/webadmin/editeur/lib/themes/aqo/dummy.htm".
The script checks whether the referring URL contains a known search engine such as google, msn, yahoo, live, ask, dogpile, mywebsearch, yandex, rambler, aport, mail, gogo, poisk, alltheweb, fireball, freenet, abacho, wanadoo, free, club-internet, aliceadsl, alice, skynet, terra, ya, orange, clix, terravista, gratis-ting or suomi24, and then looks for query-parameter names in the URL such as q, query, qs, searchfor, search_for, w, p, r, key, keywords, search_string, search_word, buscar, text, words, su, qt or rdata. The script also uses a regular expression, (/^http:\/\/([a-z0-9_\-]+\.), to match the start of the URL, i.e. an http:// scheme followed by a host label. Together these checks let the script identify whether a user came to the website directly or through a search engine.
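As an added example (not code from the original post), the referrer test the script performs, rebuilt in Python from the engine names, parameter names and pattern listed above, and run over constructed web-server log lines so a site owner can estimate from their own access log which visitors would have been sent to the fake page. Matching the engine name against the referrer's host labels is my assumption about how the original compares it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Search-engine names and query-parameter names as listed in the injected script.
SEARCH_ENGINES = {
    "google", "msn", "yahoo", "live", "ask", "dogpile", "mywebsearch", "yandex",
    "rambler", "aport", "mail", "gogo", "poisk", "alltheweb", "fireball", "freenet",
    "abacho", "wanadoo", "free", "club-internet", "aliceadsl", "alice", "skynet",
    "terra", "ya", "orange", "clix", "terravista", "gratis-ting", "suomi24",
}
QUERY_PARAMS = {
    "q", "query", "qs", "searchfor", "search_for", "w", "p", "r", "key", "keywords",
    "search_string", "search_word", "buscar", "text", "words", "su", "qt", "rdata",
}
# Prefix pattern quoted from the analysis: plain http:// followed by a host label.
HOST_RE = re.compile(r"^http://([a-z0-9_\-]+\.)")
# Combined-log-format tail: the referrer is the second-to-last quoted field.
LOG_RE = re.compile(r'"(?P<referer>[^"]*)" "[^"]*"$')

def looks_like_search_referrer(referer: str) -> bool:
    """True when a referrer passes all three checks. Assumption: the engine name is
    compared against the referrer's host labels ('google' in www.google.com)."""
    if not referer or not HOST_RE.match(referer):
        return False
    parts = urlsplit(referer)
    labels = (parts.hostname or "").split(".")
    if not any(label in SEARCH_ENGINES for label in labels):
        return False
    return any(name in QUERY_PARAMS for name in parse_qs(parts.query))

def flag_cloaked_visits(log_lines):
    """Return (client_ip, referer) for requests the script would have redirected."""
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if match and looks_like_search_referrer(match.group("referer")):
            hits.append((line.split()[0], match.group("referer")))
    return hits

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "http://www.google.com/search?q=jquery+css" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Oct/2010:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2010:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 512 "http://search.yahoo.com/search?p=jsss" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Oct/2010:13:58:40 +0000] "GET /index.html HTTP/1.1" 200 512 "http://example.net/blog/?q=jsss" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for ip, ref in flag_cloaked_visits(SAMPLE_LOG):
        print(f"{ip} would have been redirected (referrer: {ref})")
```

Direct visits (no referrer) and links from non-search sites pass through untouched, which is exactly why the owner browsing their own site sees nothing wrong.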
The fake page then displays a dialogue box that says "Your computer is compromised", as shown in the screenshot below:
Once I clicked OK, it redirected me to yet another page, which is where the actual purpose of the attack is found. The redirected page mimics an Explorer.exe interface, displays a fake "threat detected" message, and prompts me to install a rogue antivirus, as shown in the screenshot below.
What is behind this technique?
These kinds of techniques are mostly used on legitimate sites that have been compromised by hackers. When a user searches using keywords, the search engine returns websites relevant to the search. When one of those websites has already been compromised by such an attack, the users are redirected to the fake pages. This is how the rogue antivirus creators earn money. Although this attack redirects users to install a fake antivirus program, such attacks can also lead users to install financial crimeware and other stealers that could compromise the system's security.