Thursday, September 29, 2011

Wilkes-Barre PA Site owned

The Gist
Wilkes-Barre PA's official site has fallen victim to an injected Blackhole exploit kit redirect that uses the Twitter trends API to generate different domains. Some may already know of the little town named Wilkes-Barre for its delicious and super cheap college beer called "Lionshead", brewed by Lions Brewery. It's 8:30am, and I could go for a refreshing Lionshead right now. Mmmm.
The Injected JS
The site looks innocent enough, but behind the scenes there is some bad JS ready to own you.
When checking the source code, there is a script tag sourcing a JavaScript file named 'PopBox.js'. It is within this JavaScript file that the injected redirect is located.

When you check the PopBox.js file, it is immediately apparent that there is some obfuscated code down at the bottom. I uploaded the full obfuscated JS to pastebin.


The first layer is easy enough to de-obfuscate. I just replaced eval() with document.write().


Layer 2 is also easy enough to de-obfuscate. Same story, just document.write()'d.


3 layers of obfuscation already. What in the hell. Just from the look of layer 3, you can basically guess that it's char codes separated by some gibberish. All I really did was comment out one statement in the "trim()" function that was called, and I got all the char codes.
Char codes are the easiest to handle. Just a simple document.write(String.fromCharCode(...)); and presto, I have layer 5.

Layer 5 is using the same obfuscation technique as layer 1. Simply replacing eval() with document.write(), I FINALLY got the 'basically de-obfuscated' code. It still has randomized variable names and all that jazz, but you can essentially see what it's doing in plain sight. It's using the Twitter trends API information to construct different domains, which is rather cool.
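The eval-to-document.write swap above works, but it still hands the next layer to a browser. An added example (not code from the original post, and not PopBox.js): the same peeling done in Node by shadowing eval() and document.write() with a capture function, so each layer's "please execute this" call yields the next layer as text instead. The five-layer sample at the bottom is constructed here to mirror the post's structure (eval of a string, eval of a string, junk-padded char codes with their own trim(), eval of a string, final payload); the hostname and the "tp=" value are placeholders, and no Twitter trend logic is included because the post does not show it. A separate decodeCharCodes() covers the manual route for the char-code layer.

```javascript
// Added example, not code from the original post: peel layered JS
// obfuscation by shadowing eval() and document.write() rather than
// replacing eval with document.write by hand. Each layer runs inside a
// Function whose parameters are named `eval` and `document`, so whatever
// the malware hands to either one is captured as the next layer instead of
// executed or written into a page. Still do this in a throwaway VM: a layer
// can reach other globals (Function, setTimeout, ...) that are not shadowed.
// The sample at the bottom is constructed for this example; it is not PopBox.js.

function captureNextLayer(code) {
  const captured = [];
  const sink = (s) => { captured.push(String(s)); };
  // `eval` is a legal parameter name in sloppy-mode code, which is what the
  // Function constructor produces unless the body opts into strict mode.
  const run = new Function('eval', 'document', 'window', code);
  try {
    run(sink, { write: sink }, {});
  } catch (e) {
    // Usually the final layer: it touches location/DOM that does not exist here.
    return { captured, error: e };
  }
  return { captured, error: null };
}

// Manual route for a char-code layer: every run of digits in the junk-padded
// data is one code. Assumption: the junk contains no digits (check the data
// first; if it does, split on the layer's own separator instead).
function decodeCharCodes(data) {
  const codes = (data.match(/\d+/g) || []).map(Number);
  return String.fromCharCode(...codes);
}

// Keep capturing until a layer hands nothing to eval/document.write.
function unwrapLayers(code, maxDepth = 10) {
  const layers = [code];
  for (let i = 0; i < maxDepth; i++) {
    const { captured, error } = captureNextLayer(layers[layers.length - 1]);
    if (captured.length === 0) break; // final layer (or a throw before any eval)
    layers.push(captured.join(''));
    if (error) break;
  }
  return layers;
}

// ---- constructed sample: five layers, mirroring the post's structure ----
// Final layer builds a Blackhole-style "/index.php?tp=" URL. The hostname is
// a placeholder; the real payload derives it from Twitter trends.
const finalLayer = 'var p=["example","invalid"];' +
  'var url="http://"+p.join(".")+"/index.php?tp=8cf";';
// Layer 5: same split-string-then-eval trick as layer 1.
const layer5 = 'var s=' + JSON.stringify(finalLayer.slice(0, 25)) + '+' +
  JSON.stringify(finalLayer.slice(25)) + ';eval(s);';
// Layer 4 is the char codes of layer 5; layer 3 pads them with junk and
// carries its own trim() that strips the junk before calling eval.
const junkData = Array.from(layer5, (c) => 'qz' + c.charCodeAt(0) + '~').join('');
const layer3 = 'var d=' + JSON.stringify(junkData) + ';' +
  'function trim(s){return s.replace(/[^0-9]+/g," ").split(" ").filter(Boolean);}' +
  'eval(String.fromCharCode.apply(null,trim(d)));';
// Layers 2 and 1: eval of a string literal, nothing more.
const layer2 = 'var t=' + JSON.stringify(layer3) + ';eval(t);';
const layer1 = 'var k=' + JSON.stringify(layer2) + ';eval(k);';

function demo() {
  const layers = unwrapLayers(layer1);
  return {
    depth: layers.length,                    // 5: layers 1, 2, 3, 5 and the final payload
    final: layers[layers.length - 1],
    manualLayer5: decodeCharCodes(junkData), // same text layer 3's own trim() produces
  };
}
```

Because layer 3 carries its own decoder, the capture loop never needs the manual char-code step; decodeCharCodes() is there for the case the post describes, where the decoder is tangled enough that commenting out a line and dumping the codes is faster. The final layer here is recognised only because it calls neither eval() nor document.write(); a real final layer that assigns to location or injects an iframe will throw a ReferenceError under Node, which captureNextLayer() reports rather than hides.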


Here's what it looks like all formatted and pretty


I've found a couple of instances of this type of injection before, but I never really felt like doing a write-up on it since others already have. I figured I'd do the write-up on this one because it was a Wilkes-Barre gov't site, and I was in the mood for Lionshead beer. In the end it turned out to be yet another Blackhole exploit kit injection that was redirecting to RogueAV/FakeAV pages.

Check out a pretty decent write-up about the same type of injection, done on the Websense Blog: sophisticated-injection-abuse-twitter-trend-service

My question is, if these people are willing to obfuscate 5 layers deep, why the hell don't more people who use Blackhole (BH) change the formatting of the redirecting URLs so they're not all "/index.php?tp=xxxx" or "/forum.php?tp=xxxx"?
