Disection of a web based infection

This post describes how compromised web sites try to infect your pc.

Gone are the days where you actually had to convince someone to open your malicious e-mail attachment to get malicious software installed. Now all you need is to browse a compromised web site and you can become a victim in a matter of seconds. This post will dissect the home page of such a web site and explain the different ways that bad guys are trying to install their malicious software onto your computer.

I was alerted to this compromised web site when our anti-virus console sent me an e-mail because it blocked a trojan on a user’s machine. This e-mail also included the URL of the compromised web site. The trojan is known as JS/Obfuscated by McAfee or JS.Obfuscated.Gen by Bit Defender. The anti-virus actually is able to detect the way the code on the web page has been obfuscated by the author.  This web page only got a 12.83% coverage amongst 39 different AV engines according to Virus Total.  I can only hope that the AV that did not catch that compromised web page will catch whatever the web page will download on the user’s computer before it causes real damage.

You would think that it would be easy to convince the owner of the web site to take action.  Unfortunately, it is not so.  I phoned them personally on Wednesday, Feb. 11.  I actually got a call back on Tuesday, Feb. 17.  I gave the details to the web master.  As of right now (Feb. 21), the site is still has the malicious JavaScript on its home page.  The site is at www dot airdrietrailer dot com and you should not browse it with Internet Explorer on Windows.  You are likely to get infected (especially if you do not keep up with patches).  I took a closer look at the malicious code and it tries to infect you through multiple attack vector, but those are specifically targeting IE.  The nice lady at Airdri Trailer Sales told me that she had already received calls from other people also telling her that their web site is infecting people, but their webmaster could not find what the problem was.

Here is a quick summary of how the infection works:

  1. The web site is somehow compromised and web page(s) modified to inject iFrame into each page on the site.
  2. A user browse the web site, the injected JavaScript code is executed, creating the iFrame which connect to a malicious site to download more code.
  3. The downloaded code is executed and tries multiple attack vectors in order to write to your hard drive.  If one of those vulnerabilities work, a payload is downloaded and executed on your computer.

And voila!  You have been p0wned.

Dissecting the attack

The malicious code is tacked at the bottom of the web page. The code is in two <script></script> blocks.  It is obfuscated by having a bunch of gibberish assigned to variables.  There is actually a bit of code visible in that gibberish, just enough to remove the obfuscation, which is rather simple.  Using the Malzilla tool, it makes it easy to see the code.  The first block reveals how it will de-obfuscate the code.  There are four block of codes that will be de-obfuscated by doing a string substition.  Here are some of the string that are replaced.

  1. Replace aHM with a % character
  2. Replace Zm with the D character
  3. Replace ouG with a % character
  4. Replace tr4 with a 3 character
  5. Replace %P5 with a 2 character
  6. there are more such substitions

All of those strings are then unescaped, and passed to the eval() function to be executed.  That’s where the real action is.

  1. The first block inserts a <BODY> </BODY> and a <DIV> tag into the web page if it finds that the body is empty.
  2. The second block gets a pointer to that DIV and saves it to a variable.  As well, it creates an iFrame element and sets it to a size of 1×1 and sets the source to point to a malicious web site (store16 dot looneytoons dot cc).  Doing a whois on that site reveals that it is a legitimate site registered by Warner Brothers.  Although there is a web server there, it does not return anything as of right now.
  3. Finally, the third block set the iFrame to hidden, gives it an id and appends it to the DIV created in the first block of code.

Since the iframe src attribute is pointing to malicious site, it populates itself with new HTML wich includes more JavaScript.  At that point, the code tries a few number of things in order to gain access to the operating system to enable to write files to your hard drive.  In fact, some of the code looks very much like it was borrowed from the Metasploit framework.  Here are all of the attack vectors that this code tries to exploit:

  1. Flash ActiveX if the version less than 9.0.124
  2. Adobe Reader
  3. Microsoft Office snapshot viewer ActiveX exploit (MS08-041 will protect you)
  4. AOL SB.SuperBuddy ActiveX code found in AOL Client Software 9.0 Security
  5. QuickTime
  6. Microsoft DirecAnimation ActiveX (MS06-067 will protect you)
  7. An oldie but goodie, Microsoft DDS Library Shape Control which was part of Visual Studio 2002 (MS05-052 will protect you)
  8. Windows Sell Remote Code Execution Vulnerability (MS06-57 will protect you)

Bottom line, if you are up to date on patches, you will not have problems.  The trick is to update not only Windows, but all your software you have on your computer.  Not so easy as most people do not really know what actually have installed over time.  The best thing you can do is to visit Secunia Software Scanning and use their scanner.  It will tell you all the software you have installed that requires updates.  If you actually download and install their software, it will keep track of what you have and let you know when there are new updates.

I do have the JavaScript saved, let me know if you would like to see it.