
Posts Tagged ‘javascript’

createCSS is more dangerous than it looks

12 Apr

A few days ago I discovered a fairly large malware attack. Ordinary websites are hacked and HTML code that calls external JavaScript code is inserted into their index pages. I have located 284 different sites that are used to serve the JavaScript code; all of these sites have most likely been hacked themselves.

http://213.175.200.227/js.php
http://213.175.200.233/js.php
http://4nicetime.com/search.php
http://70.86.154.56/js.php
http://abarquitectos.com.pe/search.php
http://abecasinsight.com/search.php
http://agmorganizasyon.com/search.php
http://aircodeac.com/search.php
http://air-link.ws/js.php
http://akyurtemlak.net/counter.php
http://akyurtemlak.net/js.php
http://albagrafica.com/counter.php
http://alcrealty.com/js.php
http://alomextrusions.com/js.php
http://alom.in/js.php
http://alqreenxp.com/js.php
http://aluminiumcasting.net/js.php
http://anekinox.comlu.com/search.php
http://animeshowtime.com/js.php
http://anvikur.tmweb.ru/js.php
http://anwarulquranonline.com/search.php
http://apicons.com.ar/search.php
http://apolomedicspa.com/search.php
http://arabnursing.org/search.php
http://arrowsoleight.com/search.php
http://art.milleniumstudio.pl/js.php
http://assca.fr/search.php
http://attackmediagroup.com/search.php
http://attakornw.comuv.com/search.php
http://autosjulios.com/js.php
http://babychicny.com/search.php
http://balticaniechorze.pl/search.php
http://batecho.eu/js.php
http://beninmarket.com/search.php
http://bestforexacademy.com/js.php
http://biegajski.pl/js.php
http://billrobinsonmusic.com/search.php
http://blogswho.com/search.php
http://bodyfashionperu.com/search.php
http://bodyhome.co.uk/js.php
http://briancampbell.co.uk/js.php
http://buygiftstoindia.com/search.php
http://bymixproduction.com/counter.php
http://callieandcompany.com/search.php
http://canas-bg.com/js.php
http://carreramaleconcampeche.com/js.php
http://casadown.herobo.com/search.php
http://catcumhuriyetyibo.k12.tr/js.php
http://catmuftulugu.gov.tr/js.php
http://cef.co.pt/js.php
http://cennetpansiyon.com/search.php
http://centurycfs.com/js.php
http://chicharito.pl/js.php
http://chipmaster.pt/counter.php
http://cihanbeylininsesigazetesi.com/search.php
http://cinkfranchise.com/search.php
http://clientzone.saturn.tj/js.php
http://cnslis.com/search.php
http://colincampbell.co.uk/js.php
http://comfortseatings.com/search.php
http://computerscienceandmedia.com/search.php
http://cyber-ink.com/search.php
http://dalyanhaber.com/js.php
http://dalyanhomes.net/js.php
http://dalyanrentacar.com/js.php
http://dalyantr.com/js.php
http://debianne.webd.pl/search.php
http://denturessheffield.co.uk/js.php
http://design-maniacs.com/search.php
http://diehlsorchard.com/search.php
http://dl.rap-melody.com/search.php
http://d-mubd3.com/search.php
http://donnamania.com/search.php
http://dreaklandmt2.com/js.php
http://duygusalforum.net/js.php
http://ecoalarm.org/js.php
http://ecofriendlyartists.com/search.php
http://eglen.biz/counter.php
http://ekudakov.ru/js.php
http://emma-bunton.net/search.php
http://energieressourcen.eu/js.php
http://equine-mortality.com/js.php
http://erenerdogan.com.tr/js.php
http://escortbayanla.com/search.php
http://escort-siteleri.net/search.php
http://estudio-zero.com/search.php
http://evelyncampbell.co.uk/js.php
http://extremoskateparkmovil.com/search.php
http://eynesil28.com/search.php
http://eyupliseliler.com/search.php
http://f-3.com.sg/search.php
http://fashionjolik.com/js.php
http://fatmagulunsucuneizle.in/js.php
http://fethiyecarrental.net/js.php
http://filoilkogretim.com/counter.php
http://forextradingglobal.com/js.php
http://fotosnimka.com/js.php
http://four-directions.org/search.php
http://fragata.com.ar/js.php
http://freestyles.xaa.pl/search.php
http://gamefountain.com/js.php
http://gencer.org/js.php
http://GERIH.ORG/search.php
http://girlsgames.me/js.php
http://godswithguns.site90.com/search.php
http://goldensilkscreening.com/search.php
http://gomezteam.ro/search.php
http://goodandbaddrivers.hostzi.com/search.php
http://gpz1357.pdnetworks.pl/js.php
http://grzenio.webd.pl/js.php
http://hairizate.com/search.php
http://harikatatil.com/search.php
http://haydikampa.com/search.php
http://herkimer.com/search.php
http://herocyn.com/search.php
http://highpoint-asia.com/js.php
http://hkorte.net/search.php
http://hkorte.nl/search.php
http://hospital-noticias.com/search.php
http://hosting0013924.az.pl/js.php
http://hsbilisim.net/search.php
http://ideascampechanas.com/js.php
http://ilanozel.com/search.php
http://immobilien-ml.com/search.php
http://influx-website-promotion.com/search.php
http://internetmarketing-tips.net/js.php
http://introplastik.ru/js.php
http://inversionesminerasartc.com/search.php
http://istanbulkulturdans.com/js.php
http://jkarquitectos.com/search.php
http://Kadiyadra.org/js.php
http://kastamonuhaber37.com/search.php
http://katolik4motion.hostoi.com/search.php
http://katosteelthai.com/search.php
http://keynetikfusion.com/search.php
http://khadijahtulquran.com/search.php
http://ki123web.info/search.php
http://konhaber.com/js.php
http://kumarscars.com/search.php
http://l2agony.site90.net/search.php
http://lafaramizda.com/counter.php
http://letfollow.us/js.php
http://limarbis.webd.pl/search.php
http://linkads.in/js.php
http://livezilla.802-x.com/search.php
http://lowcost-car-insurance.com/search.php
http://maciejweigel.pl/js.php
http://marketingnorg.nl/js.php
http://masozescort.com/counter.php
http://mbld.co.uk/search.php
http://mercancicekevi.com/search.php
http://miechowianka.krakow.pl/js.php
http://mijnbernerbende.nl/js.php
http://miloevents.com/js.php
http://mothabroon.com/search.php
http://mujeres-gratis.com/search.php
http://municipiodecampeche.gob.mx/js.php
http://my-garden.pl/js.php
http://nagalla.com/search.php
http://nass.nanolv.com/counter.php
http://navtrack.eu/js.php
http://neotravel.xaa.pl/search.php
http://neroli.com.pl/counter.php
http://neroli.com.pl/js.php
http://neroli.com.pl/search.php
http://networkfairy.com/search.php
http://newperformance.pt/search.php
http://obuwiewl.webd.pl/search.php
http://oceanpacifico.com/js.php
http://oh-geri.fanfusion.org/search.php
http://ohmysole.com/search.php
http://olayspor.net/search.php
http://omegasystems.eu/counter.php
http://optimistbenin.com/search.php
http://osiolkowo.xpag.pl/search.php
http://paintball35.com/js.php
http://pancampeche.org/js.php
http://passionostra.com/js.php
http://pawelmakowski.pl/js.php
http://perih.milleniumstudio.pl/js.php
http://perubrand.com/search.php
http://pesat11jakarta.co.cc/search.php
http://pharmtechsonly.com/search.php
http://pink2cake.com/js.php
http://pirci.com/counter.php
http://pixelwebware.com/js.php
http://pixelwebware.in/js.php
http://pixin.com/js.php
http://playguitarmusiclessons.com/search.php
http://policysimulator.org/counter.php
http://prosuregroup.com/js.php
http://przejrzystaoswiata.pl/js.php
http://psa.krakow.pl/counter.php
http://psa.krakow.pl/js.php
http://puertociudad.mx/js.php
http://pvp-forum.com/js.php
http://quadrapol.milleniumstudio.pl/js.php
http://radicalcosmetics.com/search.php
http://raswiedza.xaa.pl/search.php
http://rewards-palace.com/search.php
http://riarenterprises.com/search.php
http://rifatozkan.com.tr/search.php
http://ropaultra.uphero.com/search.php
http://rotaryklubpancevo.org/search.php
http://sagitta.cp5.win.pl/js.php
http://saglikalemi.com/js.php
http://salecyprus.com/js.php
http://scresurs.kz/js.php
http://secretsimages.com/js.php
http://sharpwebmarketing.com/search.php
http://shatrappz.com/search.php
http://shopriderphilippines.com/search.php
http://shsilver.com/search.php
http://skoopa.com/js.php
http://skracanie.pl/js.php
http://small-servers.com/js.php
http://soal.comuv.com/search.php
http://soscz.ru/js.php
http://starcevo.org.rs/search.php
http://steljanjazaj.host56.com/search.php
http://studiodada.biz/js.php
http://studiodada.biz/search.php
http://support.802-x.com/search.php
http://tanierodzinnezakupy.vot.pl/counter.php
http://targulbisericesc.eu/search.php
http://tazzandersonenterprises.com/search.php
http://tearapy-thailand.com/search.php
http://tekstlandschap.nl/search.php
http://telecomfoundation.com.pk/search.php
http://telemundial.tv/search.php
http://terkom.pl/search.php
http://testzone.saturn.tj/js.php
http://tinydl9.netau.net/search.php
http://tmeg.info/search.php
http://travelbymile.com/js.php
http://unicornteleservices.com/search.php
http://uniqueclassicvideo.com/search.php
http://up.milleniumstudio.pl/js.php
http://vacha.org.in/js.php
http://watorachacha.com/search.php
http://wmakler.star-kom.pl/js.php
http://woweb.biz/js.php
http://www.3doi.com/js.php
http://www.3doq.com/js.php
http://www.acnenomorev.info/js.php
http://www.adamsforwarding.com/js.php
http://www.advertisewithventure.com/js.php
http://www.agen-gamat.com/counter.php
http://www.agmorganizasyon.com/js.php
http://www.andhraruchi.com/search.php
http://www.ankarahavalari.net/counter.php
http://www.ankarahavalari.net/js.php
http://www.avv-roermond.nl/counter.php
http://www.bbwonlinedating.info/js.php
http://www.bestfullgames.com/js.php
http://www.bm69.com/js.php
http://www.broilmastergrills.org/js.php
http://www.butterflyfashion.eu/js.php
http://www.charliesheennews.info/js.php
http://www.floridagas.net/js.php
http://www.forextradingglobal.com/js.php
http://www.freemuslimpartner.com/search.php
http://www.gazetevan.com/js.php
http://www.gemininirman.com/js.php
http://www.geranges.info/js.php
http://www.immobilien-ml.com/search.php
http://www.internetmarketing-tips.net/js.php
http://www.mediapembelajaranonline.web.id/js.php
http://www.m-norte.net/js.php
http://www.mortgagecapped.com/js.php
http://www.myspice.ro/js.php
http://www.obatalami-2u.com/search.php
http://www.optikazoom.si/search.php
http://www.pfmfastdl.ptclans.info/js.php
http://www.protegeanalytics.com/search.php
http://www.ruyacafe.net/js.php
http://www.saglikalemi.com/js.php
http://www.therioclub.com/search.php
http://www.vallesmanteniments.com/js.php
http://www.vallesmanteniments.com/search.php
http://www.zintec.be/js.php
http://yalecontrols.com/search.php
http://zarabianiewnecie24.com.pl/js.php
http://zlinki.com/search.php
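A site owner who wants to check their own index pages for the injection described above could do it with something like the following. This is an added example, not code from the original post; the host list is a small constructed subset of the sites listed above, and the three loader file names (js.php, search.php, counter.php) are the ones that recur in that list. The sample HTML is constructed for the example.

```javascript
// Added example: flag <script src="..."> references that point at hosts from the
// list of compromised sites, or at the loader file names used in this campaign.
// The host set is a constructed subset of the list in the post, not the full list.
const IOC_HOSTS = new Set([
  "213.175.200.227", "4nicetime.com", "akyurtemlak.net", "neroli.com.pl", "www.zintec.be",
]);
// Every loader on the list was served from one of these three paths.
const IOC_PATHS = new Set(["/js.php", "/search.php", "/counter.php"]);

// Pull every src attribute out of <script> tags, tolerating missing quotes
// and attributes placed before src.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Classify one script reference relative to the page's own host.
function classifySrc(src, pageHost) {
  let url;
  try {
    url = new URL(src, `http://${pageHost}/`);
  } catch (e) {
    return "unparseable";
  }
  if (url.hostname === pageHost) return "local";
  if (IOC_HOSTS.has(url.hostname)) return "known-ioc";
  if (IOC_PATHS.has(url.pathname)) return "suspicious-path";
  return "external";
}

function scanPage(html, pageHost) {
  return extractScriptSrcs(html).map((src) => ({ src, verdict: classifySrc(src, pageHost) }));
}

// Constructed sample page: the site's own script followed by two injected loaders,
// one on a listed host and one on an unlisted host but with the campaign's file name.
const SAMPLE_HTML = `<html><head>
<script src="/assets/site.js"></script>
<script type="text/javascript" src="http://neroli.com.pl/js.php"></script>
<script src='http://example.net/counter.php'></script>
</head><body>...</body></html>`;

function findings() {
  return scanPage(SAMPLE_HTML, "example.org");
}

for (const f of findings()) console.log(f.verdict.padEnd(16), f.src);
```

A hit on "suspicious-path" alone is only a hint, since many legitimate sites have a search.php; it is the combination of an external host and one of these file names on a page you did not put there that is worth a closer look.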

The JavaScript that gets called looks innocent at first: the function is named createCSS, and the script checks the user agent and runs a date function. I have not gone through the exact functions in the script, but a likely guess is that the user agent is checked to confirm that a real browser is running, and that the date function serves the same purpose.

After these commands, however, the script becomes more obvious. I have added the line breaks for clarity and included only the beginning of the encrypted part of the script.

The result of the JavaScript code is that it loads a new page via an iframe. The 284 sites I have found call one of:

http://offers.daddycrafts.com/news/2010
http://builder.rockstargraphicdesign.com/news/2010
http://top.threejonline.com/news/last

Right now, however, I can only get these pages to return 404 errors or redirect to Google. But you can see that something is not as it should be. If I fetch http://offers.daddycrafts.com/news/2010 with wget, the web server reports itself as lighttpd.

If I visit the page with Firefox, on the other hand, I get an error message stating that the web server is nginx.


Happy New Secure Year!

31 Dec

At midnight, fireworks will go off, champagne will be drunk, and the malware script on 8000000.in will stop working. 8000000.in was registered on 12 December and has infected at least 70 domains. The malware script that runs contains this JavaScript code.

On line 32, mh uses JavaScript's Date object, while the variable vipt is (and remains) empty. On line 34 the year is fetched with mh.getFullYear() and 1 is subtracted from it. Up to and including midnight on 31 December 2010, this therefore yields 2009. Since the variable vipt is empty, the variable gg is set to "e2009al".

The next step is to replace 2009 in the variable gg with the letter v, which gives "eval"; okil is now a function that runs eval(). This is a JavaScript command that executes data as JavaScript code. On line 36 the command is run on the string "var kfxb=String.fromCharCode", which defines a new variable. That variable is used further on to decrypt and write out additional JavaScript code.

In 2011 the variable gg will instead be set to "e2010al" and will never be changed to "eval". The script will not be able to continue, since it tries to call a command that does not exist.
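To make the date gate concrete, here is a small model of it that an analyst can use to see what the lookup resolves to for a given clock year without executing any of the decoded payload. This is an added example written for this post, not the malware's own code; the function names gateName, gateResolves and analyse are my own, and the default empty vipt mirrors what the post describes.

```javascript
// Added example: model the year-dependent name construction described in the post.
// gg = "e" + (year - 1) + vipt + "al", then the digits 2009 are replaced by "v".
// Only a clock year of 2010 therefore produces the name "eval".
function gateName(year, vipt = "") {
  const gg = "e" + String(year - 1) + vipt + "al";
  return gg.replace("2009", "v");
}

// In the browser the script looks the name up as a global; here we check whether a
// global function of that name exists. Nothing is invoked, so this is safe to run.
function gateResolves(year, vipt = "") {
  const name = gateName(year, vipt);
  return typeof globalThis[name] === "function";
}

// Summarise the gate's behaviour for a range of clock years.
function analyse(years) {
  return years.map((y) => ({ year: y, name: gateName(y), runs: gateResolves(y) }));
}

// Constructed input: the year the script was built for plus the years around it.
for (const row of analyse([2009, 2010, 2011])) {
  console.log(row.year, row.name.padEnd(8), row.runs ? "would execute" : "dead (undefined function)");
}
```

The practical lesson for analysis is that a sandbox or a deobfuscation attempt made after New Year's Eve, or with a wrongly set clock, will show a script that simply throws on an undefined function; to see the real behaviour the clock has to be pinned to the period the script was built for.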

This post was inspired by a post at Websense.