Tag Archive: document.write

Updated 51la Malware ~ No Antivirus Detects

Reported on the avast! forums, a site recently got hacked and was redirecting users. Based on the Sucuri and VirusTotal results Pondus gave, I decided to dig a little deeper. I found the following in the HTML return for the hacked site:

Which can be beautified as follows:

Well look at that! Some HTML if the user has scripts disabled. And look at that! An .asp file for an image tag. Suspicious, no?

There is also a script tag for those who do run scripts. I sent the URL to JSunpack.

The unreadable code strikes again.. I have parsed it into readable content:

The following checks for specifics, then generates a cookie based on the returns. Shortly after, the document is fed an invisible image with a go.asp?… At least one antivirus should’ve considered this suspicious..

Ok, but does it work? I sent the URL to urlQuery to confirm just that. Notice on the image preview it says “Connecting to web1.51.la”, which means that the exploit is live and active.

Below are the VirusTotal results, not detected by any antivirus..

Script Getter (As seen in Figure 2) | Script Original (As seen in Figure 3) | Script Beautified (As seen in Figure 4)


Could use the following syntax: Base([a/random-letter][4-random-numbers])Mix([2-random-letters])


ipad2free4u Scam On Twitter

Scam Tweet

Today a guy on twitter that goes by “Dyner Cobb @dynerauiuih8” decided to send me a random bit.ly link.

ipad2free4u Site

Heh, interesting look to the site without javascript. But the thing that got me was the disabled right click. So, lets dig a little deeper. First lets check his profile..

Dyner's Twitter

Lets scan this url with some scanners. Remember to add the referrer just in case.
urlQuery: http://urlquery.net/report.php?id=126118
Zulu: http://zulu.zscaler.com/submission/show/89f35c32401d3700557b1168f836c2be-1344800813
JSunpack: http://jsunpack.jeek.org/?report=6230f73b581143ae6f23c1bc6f3ab5e604f69bc2
Wepawet: http://wepawet.iseclab.org/view.php?hash=9566df1168749dc0f51a45621ac61717&t=1344800877&type=js
Sucuri: http://sitecheck.sucuri.net/results/ipad2free4u.com/newipadforfree0812/

urlQuery shows a document.write iframe, proven guilty in the Sucuri results. Zulu couldn’t recieve a return. Wepawet shows us where the hidden iframe redirects to, and JSunpack gives us all the elements of the site. The “3. Your email address will never be revealed to any third parties.” is 100% phish. The submit form itself is from another site.

Feel free to comment (i have 35+ spam compared to 2 valid comments ;-;)


Don’t let this phish trick you,


Exploring the recent exploit trends, I found the KaiXin Exploit Kit. Originally found by Kahu Security, the attacked site was also reported on CleanMX. Further research shows that the attack site has been logged on Wepawet and JSunpack. Lets download all the Base Zero (Raw) files and send them to VirusTotal.

KaiXin VirusTotal Results

Now lets set up our files. Keep them organized. :)
Setting Up

Lets start with the ‘Not Detected‘ side. swfObject.js is legit.


deployJava.js aka jpg.js is a little trickier. However, I found a similar file on Google Code.

deployJava.js aka jpg.js

The third party appears to track the user via placing a hidden iframe in the html. Valid but ugly (and not standard, as iframes are deprecated in HTML5).

51Yes Tracking

Now lets look in the malicious stuff! >:)

index.html Original

The index.html contains a hidden iframe to ad.html. Lets have a look.

ad.html Original

Not that readable, so lets beautify it!

ad.html JavaScript Beautified

Hmm.. At first sight unescape. Looks easy enough.

ad.html JavaScript Unescape Deobfuscated

Well looky here! We have 2 long strings, a ‘document’, and ‘write’. We can only guess that there will be a document.write later in the script.

ad.html JavaScript Deobfuscated document.write

So its going to write Dz to the document. Makes our day easy. All we have to do is replicate the situation replacing the document.write with alert :)

ad.html JavaScript Deobfuscated Script

So it defines a cookie as the useragent, then checks if the useragent is valid, not a bot/spider, etc. It also checks if its own cookie has been set before, which ensures that the user is exploited only once and cannot replicate it. It then checks for specific Java versions (using javaDeploy) and uses different class files for the 0.exe based on the results. Comodo analysis of 0.exe Variant 1. AntiVirus Lab analysis of 0.exe Variant 2.

ad.html JavaScript Deobfuscated Java Exploit

It then uses swfObject to get the version of flash and checks the version of internet explorer. 2 different iframes are written, based on the Internet Explorer version.

ad.html JavaScript Deobfuscated Flash Exploit

Anyways, before we go any further, lets send the deobfuscated results to VirusTotal. 1/42..

So lets analyze the flash html files.

cLpl7.html Original

Again we’ll beautify it.

cLpl7.html Beautified

Looks like this Exploit Kit uses the same algorithm. This time we have two Dzs in their own separate script tags. Again we’ll alert the Dz returns. For safety purposes, remember to disable the object tag. You can do so by putting comment tags around it. The return was so big that I couldn’t read it on the alert window! Had to copy-paste before getting a glimpse of the code. Have a look at the core of cLpl7:
cLpl7.html Deobfuscated First

And the second one:

cLpl7.html Deobfuscated Second

So we have some shellcode and a buffer overflow to make it run. Now lets look at the final gADSr.html:

gADSr.html Original

You know the drill ;)

gADSr.html Beautified

Dz returns this:

gADSr.html JavaScript Deobfuscated

Later in the script it loads a obfuscated .swf file.


The phrase ‘document.write() can be a form of eval’ is no joke.

Despite being 5 days old in the wild, only ClamAV detects the deobfuscated return of the main ad.html file.

Stay safe,