Tag Archive: JavaScript


Can you guess what the following expression returns?

10000000000000000 === 10000000000000001

If you guessed true, you’re right! Consider the next example:

10000000000000000 === 10000000000000000.9

This expression also returns true! In JavaScript, 10000000000000001 is not an integer. This is just one of the many missing JavaScript integers. Why are these integers missing, you might ask?

In IEEE floating point type numbers, the larger the number gets, the bigger the gap between numbers. It makes sense when you look at how the number is stored. — Paul²

Further testing reveals many big integers are not present and can be manipulated under the strictly equal to operator.JavaScript Integers TestBy creating a conditional with “missing integers”, we can mislead the user.

if(10000000000000000 !== 10000000000000001) {
// the average person thinks this is executed
} else {
// this is what’s really being executed
}

Check out some examples on jsFiddle.

Thoughts?
~!Donovan

Further Reading:
http://blog.greweb.fr/2013/01/be-careful-with-js-numbers/¹
http://stackoverflow.com/a/10756881/1585455²

Have you ever seen something like this before?

var1=[Integer];
var2=var1;
if(var1==var2) { document.location=”[Insert URL Here]“; }

I have, and today I finally decided to dig a little deeper. In this article we will cover URLs that are used with this redirecting method, other malicious JavaScript files that have adapted to this method, and test this method with various techniques against the AV industry.

Here is the complete list of the URLs I found that are used as the document.location:

hXtp://ukr.net
hXtp://topsearch10.com/search.php?aid=62756&q=home+jobs
hXtp://popka-super.ru
hXtp://realstarsearch.com/search.php?q=runescape+automine
hXtp://zaebiz.info
hXtp://global-advers.com/soft.php?aid=0153&d=2&product=XPA
hXtp://www.mp3sugar.com/?aff=2081
hXtp://evamendesochka.com/go.php?sid=9
hXtp://catalog--sites.info/sea
hXtp://yahhooo.info/search.php?q=ritalin&tpl=forbot
hXtp://tnij.com/iewt
hXtp://clickcashmoney.com/in.htm?wm=101360
hXtp://www.rarewatches.net
hXtp://web4w3.com/jblob.html
hXtp://мой_сайт.ру
hXtp://www.xakep.ru
hXtp://go.1ps.ru/pr/p.php?223280
hXtp://www.searchfor-avail.com/search.php?aff=18424&q=audrey+bitoni
hXtp://www.vipspace.net/?ref=kuzma2002ru
hXtp://officialmedicines.com/item.php?id=162&aid=2268
hXtp://zonaconsult.ru/index.php?option=com_content&view=article&id=94
hXtp://porta100.narod.ru
hXtp://куда редиректить.ru
hXtp://www.0xy.ru
hXtp://имя домена.ru
hXtp://www.autoshkatulka.ru/index.php
hXtp://www.vsemayki.ru/?ref=11049
hXtp://www.ruclicks.com/in/ys0ik6uu
hXtp://www.links-service.info/search.php?q=Abortion+pill
hXtp://tvoi-dosug.com/in.htm?wm=1001116
hXtp://hotkeysearch.com/go.php?sid=2
hXtp://geforceexlusive.ru:8080/forum/links/column.php

I also found something else rather interesting. There is an “o.js” that uses this method in a more advanced way. Have a look at these two Wepawet results here and here. Notice how they use additional variables whilst using the same concept.

So, let’s make our own redirecting JavaScript! The Wepawet examples are from 2009, so this should have good detection, right?  We will conduct various test to ensure that our results are not flawed. Have a quick look at the list:

  1. The Default Approach
  2. Different Variable Names
  3. Additional Variables
  4. Number Obfuscation
  5. String Obfuscation

Before we move on, for those who would like to do this with me, make sure you have your favorite editor open. I myself use Sublime Text. You can download the samples we will be using from my domain here.

 

The Default Approach – VirusTotal (5/46)

Conditional Redirect Test 1

Well now.. I didn’t expect that myself. Maybe 8-14/46 but 5/46? More so they show the same threat name? I’m speechless considering this was the first test..

 

Different Variable Names – VirusTotal (5/46)

Conditional Redirect Test 2

Ok, so everybody can still detect it. That’s a good thing. How about when we add additional variables?

 

Additional Variables – VirusTotal (0/46)

Conditional Redirect Test 3

And just like that, nobody detects. Seriously, WTF? This kind of simple variable trick passes? In my opinion, more should’ve detected it then the first time, considering it explicitly passes “document” into another variable to be called with with window.

 

Number Obfuscation – VirusTotal (0/46)

Conditional Redirect Test 4

None detect this simple obfuscation method? No, just no… The document.location was left in place and obfuscation was added. I expected more to detect this..

 

String Obfuscation – VirusTotal (0/46)

Conditional Redirect Test 5

Err… how does this miss? ._.

 

We can conclude that the AV industry uses a simple method for checking this kind of exploit. It would look something like this:

When a variable (Var A) is defined,
And another variable (Var B) is set to Var A,
With a conditional between each (Var A and Var B),
And an expression utilizing document.location,
That contains a string (not a variable) with a passed URL,
Then alert and mark as malicious.

Follow the discussion on the avast! forums,

~!Donovan

Content In Brief

An exploit kit, namely The KaiXin Exploit Kit, was discovered roughly 4 months ago by the malware analyst community. I also posted a decent report of this malware back in August. Since then, KaiXin has made another go for it, introducing Version 1.1, which was blogged today by Eric Romang.

I immediately set out to compare file sizes and detection number on VirusTotal. What I found out was rather shocking. Check out the results of 2 different variants, both shellcode exploits [Note: names are randomly generated, but the size of the files are so similar as to assume they are different variants]:

KaiXin Version 1.0 (cLpl7.html)
[NEW] KaiXin Version 1.1 (JSZlR.html)

KaiXin Version 1.0 (gADSr.html)
[NEW] KaiXin Version 1.1 (WysBRr.html)

The detection rate is lower than before. Why is that?

Keep searching,
~!Donovan

Yesterday, Polonus addressed the issue on the avast! forums. Let’s check out the inform.htm.

First, review the VirusTotal results.

The malicious code is as follows:

inform.htm

As you can see, no obfuscation. They aren’t trying to hide anything. Maybe they are trying to reduce general AV detection. And the script looks simple enough, with a redirect to this podarunoki(dot)ru site…

Now we will look two at two urlQuery references: here and here.

Both of these sites, including the one given in the picture above, lead to .ru domains with :8080.

You can check for new malicious inform.htm sites on CleanMX,
~!Donovan

Updated 51la Malware ~ No Antivirus Detects

Reported on the avast! forums, a site recently got hacked and was redirecting users. Based on the Sucuri and VirusTotal results Pondus gave, I decided to dig a little deeper. I found the following in the HTML return for the hacked site:

Which can be beautified as follows:

Well look at that! Some HTML if the user has scripts disabled. And look at that! An .asp file for an image tag. Suspicious, no?

There is also a script tag for those who do run scripts. I sent the URL to JSunpack.

The unreadable code strikes again.. I have parsed it into readable content:

The following checks for specifics, then generates a cookie based on the returns. Shortly after, the document is fed an invisible image with a go.asp?… At least one antivirus should’ve considered this suspicious..

Ok, but does it work? I sent the URL to urlQuery to confirm just that. Notice on the image preview it says “Connecting to web1.51.la”, which means that the exploit is live and active.

Below are the VirusTotal results, not detected by any antivirus..

Script Getter (As seen in Figure 2) | Script Original (As seen in Figure 3) | Script Beautified (As seen in Figure 4)

 

Could use the following syntax: Base([a/random-letter][4-random-numbers])Mix([2-random-letters])

~!Donovan