Tag Archive: unescape


Exploring the recent exploit trends, I found the KaiXin Exploit Kit. The kit was originally written up by Kahu Security, and the attacked site was also reported on CleanMX. Further research shows that the attack site has been logged on Wepawet and JSunpack. Let's download all the Base Zero (raw, undecoded) files and send them to VirusTotal.

KaiXin VirusTotal Results

Now let's set up our files. Keep them organized. :)
Setting Up

Let's start with the 'Not Detected' side. swfObject.js is legitimate.

swfObject.js

deployJava.js, served here under the name jpg.js, is a little trickier. However, I found a similar file on Google Code.

deployJava.js aka jpg.js

The third party appears to track the user by placing a hidden iframe in the HTML. Valid but ugly. (It is standard HTML, though: HTML5 drops frame and frameset, not iframe.)

51Yes Tracking

Now let's look at the malicious stuff! >:)

index.html Original

The index.html contains a hidden iframe pointing to ad.html. Let's have a look.

ad.html Original

Not that readable, so let's beautify it!

ad.html JavaScript Beautified

Hmm. At first sight, unescape. Looks easy enough.

ad.html JavaScript Unescape Deobfuscated

Well, looky here! We have two long strings, a 'document' and a 'write'. We can only guess that there will be a document.write later in the script, looked up through those string pieces rather than written out directly.

ad.html JavaScript Deobfuscated document.write

So it's going to write Dz to the document. That makes our day easy: all we have to do is replicate the situation, replacing the document.write with alert so the decoded string is shown instead of executed. :)

ad.html JavaScript Deobfuscated Script

So it stores the user agent in a cookie, then checks that the user agent is a real browser and not a bot or spider. It also checks whether its own cookie has already been set, which ensures that each visitor is exploited only once and that the attack cannot simply be replayed by reloading the page. It then checks for specific Java versions (using deployJava) and serves a different class file, each dropping 0.exe, depending on the result. Comodo analysis of 0.exe Variant 1. AntiVirus Lab analysis of 0.exe Variant 2.

ad.html JavaScript Deobfuscated Java Exploit

It then uses swfObject to get the Flash version and checks the Internet Explorer version. One of two different iframes is written, depending on the Internet Explorer version.

ad.html JavaScript Deobfuscated Flash Exploit

Anyway, before we go any further, let's send the deobfuscated results to VirusTotal. 1/42..

So let's analyze the Flash HTML files.

cLpl7.html Original

Again we’ll beautify it.

cLpl7.html Beautified

Looks like this exploit kit uses the same algorithm. This time we have two Dz's, each in its own script tag. Again we'll alert the value each Dz returns. For safety, remember to disable the object tag first, since it is what would load the Flash content; you can do so by wrapping it in comment tags. The return was so big that I couldn't read it in the alert window! I had to copy-paste it before getting a glimpse of the code. Have a look at the core of cLpl7:

cLpl7.html Deobfuscated First

And the second one:

cLpl7.html Deobfuscated Second

So we have some shellcode and a buffer overflow to make it run. Now let's look at the final file, gADSr.html:

gADSr.html Original

You know the drill ;)

gADSr.html Beautified

Dz returns this:

gADSr.html JavaScript Deobfuscated

Later in the script it loads an obfuscated .swf file.

Conclusion:

The phrase ‘document.write() can be a form of eval’ is no joke.

Despite the sample having been in the wild for five days, only ClamAV detects the deobfuscated return of the main ad.html file.

Stay safe,
~!Donovan

Official jQuery.org Site


The popular JavaScript library jQuery has got a new twin, namely jQuerys. It was found on the site mentioned in this avast! topic, so let's examine it together. The JSunpack results show the link, but it's marked as benign. Why is that?

jQuerys Benign On JSunpack


Bingo! Getting the content of the script shows a conditional redirect.

jQuerys' Redirect Algorithm


This is how it came straight from the GET request; you can see that it wasn't obfuscated in any way. At a glance we can tell that it tries to read a cookie called _js_rd (probably short for "javascript redirect") and wants that cookie to not exist. It then checks whether the Math.random() JavaScript function returns a value less than 0.05. In other words, there is a 5% chance that you will receive the redirect on any given visit, which is why an automated scan such as JSunpack usually sees nothing. It then creates the cookie, so if you have already received the redirect you cannot receive it again. Finally, it changes the browser's location (i.e. redirects) to a downloadmusicfreenow site.

What do we have there? Check out the urlQuery results. The first thing we notice is the alert ET RBN Known Russian Business Network IP (412). Further down are various evals that do things such as browser spoofing, obfuscated strings, ads, and more. Let's send this redirect JavaScript (which we received fully beautified) to VirusTotal to see if anything detects it.

jQuerys Results From VirusTotal


1/41..

Stay Safe,
~!Donovan

WRI Official Site

The World Resources Institute, or WRI for short, has a subdomain, namely cait, that Google flags in search results with the "This site may be compromised" tag. Details about this tag can be found in various sources.

Google Search of WRI CAIT

Google Return For WRI CAIT

WRI CAIT Official Site


So, why exactly is Google warning us? Let's look at the urlQuery results. The first thing we notice is a redirect to the main domain. Let's look at the response headers:

CAIT WRI Get Response

First, we know that this is a 302 redirect from the official site to the target CAIT page. Second, they use an outdated version of Apache; the latest stable release was version 2.4.2, released 2012-04-17. But what is the offending content that this site returns? The suspicious element I found is below:

WRI CAIT init4q function

Which returns..

CAIT WRI init4q function Return

Notice the site name. It is detected by two engines at URLVoid, and if you check the history you notice that these are the same results as two months ago. There isn't really anything on the site, though, nothing close to a real site. It could be associated with phishing.

Outdated sites are more likely to get hacked,
~!Donovan

Billion Homepage

The problem was originally caught by avast! antivirus, and a regular user reported it on the avast! forums here.

Yesterday, urlQuery reported two evals. The first one is the important one, so let's start there. CleanMX has the evidence in hex.

Billion Exploit In Hex

Which deobfuscates to something like this:

Billion Exploit Base 1 Decoded

That deobfuscates to this:

Billion Exploit Base 2 Decoded

That can be simplified like this:

Billion Exploit Base 3 Decoded

Now that we have a good, clean picture of the malware at hand, we see that it checks document.referrer, i.e. how the visitor reached this site. If the visitor came from a major search engine, it creates a cookie and redirects the user. Scanning the URL at VirusTotal returns nothing; URLVoid, however, flags it. This also tells us that sites on the IP 66.199.231.59 should be considered suspicious.

The site is now under maintenance to remove the malicious content. They should also update their Apache software: the latest is 2.4.2, while they use 1.3.37.

Keep your software up to date,
~!Donovan