Within the past few weeks I've come across a fair number of sites that have been injected with iframes that redirect to heavily obfuscated JavaScript. I usually do write-ups on stuff like this just for myself, for future reference, but I figure I might as well post them in a blog so others can check them out if they want.
Injected JS
- blogohblog.com/cool-javascript-tricks/
- thebudgetfashionista.com/archive/guest-post-fall-classics-fashion-copycat/
- countryuniverse.net/2008/11/19/review-jason-aldean-shes-country/
- beaconequity.com/wp-content/themes/Beacon3.0/js/jqueryanim.js
- cinemablend.com/television/Laurence-Fishburne-Done-With-CSI-Decides-Let-TV-Criminals-Get-Away-32685.html
- rosemont.com/js/swfobject.js
So a user visits one of these sites and the obfuscated JS that was injected into the page runs. This is the basic process:
- The site loads and appears normal.
- Behind the scenes, the injected JavaScript decodes to HTML script tags that source the malicious domain.
- Once you decode the JS yourself you will see exactly that: it returns HTML script tags with the malicious domain as the script source.
The Exploit Code
I showed how the exploit code gets served. Now it is time to check it out. For anyone who wants to look at the full exploit code on their own, I uploaded it to Pastebin: Full Obfuscated Code
The first things to note are the hidden input value and the 8 empty divs. The hidden input value is grabbed by the first function, 'fez', which is the function that de-obfuscates everything. This is hugely important because 'fez' is called to de-obfuscate nearly every action in the code. Below is an example.
Here is an example of what nearly every function in the code looks like. Every single action is obfuscated and then decoded by 'fez'. I added the actual values of the obfuscated variables to highlight what the code is looking for and doing.
Going back to the empty div tags mentioned above, it was not clear at first what they were for. However, after de-obfuscating some of the code I had an "ahh no shit!" moment. Each of those empty div tags is for a particular exploit, which gets dropped into the div if the version criteria are met (among other things). So I continued to de-obfuscate the entire document, all 1000+ lines of it. Once completed I was able to discern what the divs would contain if every exploit were to launch. The only div name that is not mentioned anywhere in the code is 'mix'. I'm not sure what that div was meant for.
I haven't been lucky enough to get hold of most of these exploits to categorize them by CVE, but based on the versions the exploit code checks for before dropping some of them, I was able to determine a few of the vulnerabilities. They are ordered by div name.
CVE-2009-0927 - Adobe Reader/Acrobat Collab.getIcon Buffer Overflow
CVE-2010-0188 - Malicious Tiff embedded in PDF
CVE-2010-0842 - Java JMF MIDI 3
Java exploit (unsure of which)
Java exploit (unsure of which)
Java exploit (unsure of which)
CVE-2011-0611 - Adobe Flash Player SWF Memory Corruption Vulnerability
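The version-gated div population described above, and the trick of working out what every div would hold if all the exploits launched, as an added example that is not code from the post or from the exploit kit. The landing page logic is modelled in de-obfuscated form: each gate tests the visitor's plugin versions and, if it fires, writes its payload into its div. The analyst side replaces the DOM with recording elements and feeds the logic a spoofed "everything vulnerable" inventory, so every branch fires and the contents of each div can be read back with no real plugin installed. Assumptions: the div ids, the inventory object shape and the payload strings are constructed; the version ceilings are the publicly documented affected ranges for the four CVEs identified above, used here as illustrative gates, since the page does not reproduce the kit's actual checks; the three unidentified Java exploits are not modelled; 'mix' is included to show a div that no gate ever references.

```javascript
// Added example (not code from the post or from the exploit kit it analyses).
// Models the landing page's version-gated div population and the analyst
// trick of spoofing an all-vulnerable plugin inventory to enumerate what
// every div would contain.
//
// Assumptions (constructed): div ids, inventory shape, payload strings.
// Version ceilings are the publicly documented affected ranges for the CVEs
// the post identified, used as illustrative gates; the kit's real checks are
// not shown on the page. The three unidentified Java exploits are omitted.
"use strict";

// Numeric compare of dotted version strings: returns -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = String(a).split(".").map(Number);
  const pb = String(b).split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
const inRange = (v, lo, hi) =>
  !!v && cmpVersion(v, lo) >= 0 && cmpVersion(v, hi) <= 0;

// Hypothetical div names; "mix" is deliberately referenced by no gate.
const DIV_IDS = ["pdf1", "pdf2", "jmidi", "swf", "mix"];

// One gate per exploit: div to fill, CVE, version test, constructed payload.
const GATES = [
  { div: "pdf1", cve: "CVE-2009-0927",   // Reader 9.x before 9.1 (older branches omitted)
    fires: v => inRange(v.reader, "9", "9.0.99"),
    payload: '<object type="application/pdf" data="pdf1.php"></object>' },
  { div: "pdf2", cve: "CVE-2010-0188",   // Reader 9.x before 9.3.1
    fires: v => !!v.reader && cmpVersion(v.reader, "9") >= 0 && cmpVersion(v.reader, "9.3.1") < 0,
    payload: '<object type="application/pdf" data="pdf2.php"></object>' },
  { div: "jmidi", cve: "CVE-2010-0842",  // JRE 6 up to and including Update 18
    fires: v => inRange(v.java, "1.6", "1.6.0.18"),
    payload: '<applet code="Main.class" archive="jmidi.jar"></applet>' },
  { div: "swf", cve: "CVE-2011-0611",    // Flash Player 10.2.153.1 and earlier
    fires: v => !!v.flash && cmpVersion(v.flash, "10.2.153.1") <= 0,
    payload: '<embed type="application/x-shockwave-flash" src="swf.php">' },
];

// Minimal stand-in for the browser DOM: recording elements whose innerHTML
// can be read back after the selection logic has run.
function makeFakeDocument(ids) {
  const elements = {};
  for (const id of ids) elements[id] = { id, innerHTML: "" };
  return { elements, getElementById: id => elements[id] || null };
}

// The selection logic of the landing page (de-obfuscated form).
function runLandingPage(document, inventory) {
  const fired = [];
  for (const g of GATES) {
    if (!g.fires(inventory)) continue;
    const el = document.getElementById(g.div);
    if (el) { el.innerHTML = g.payload; fired.push(g.cve); }
  }
  return fired;
}

// Spoof an inventory, run the selection, report which CVEs fired and
// what each div ended up containing.
function enumerateDivs(inventory) {
  const doc = makeFakeDocument(DIV_IDS);
  const fired = runLandingPage(doc, inventory);
  const divs = {};
  for (const id of DIV_IDS) divs[id] = doc.elements[id].innerHTML;
  return { fired, divs };
}

// Constructed inventories: every plugin at a vulnerable version, and a
// patched machine for comparison.
const ALL_VULNERABLE = { reader: "9.0.0", java: "1.6.0.18", flash: "10.2.153.1" };
const PATCHED        = { reader: "9.4.4", java: "1.6.0.26", flash: "10.3.181.14" };

console.log(enumerateDivs(ALL_VULNERABLE)); // four divs filled, "mix" empty
console.log(enumerateDivs(PATCHED));        // nothing fires
```

Running the all-vulnerable inventory is the programmatic version of reading all 1000+ lines by hand: whatever a gate would write shows up in its div, and a div that stays empty under every inventory (here 'mix') is one nothing in the code references.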
It's becoming typical to see exploit kits using more Java exploits than anything else. It is interesting to note, though, that the Flash vulnerability they use is fairly new. The three Java exploits I was unsure of are probably your typical exploit kit Java exploits, like Skyline, Deployment Toolkit, etc. I just wasn't sure, so I didn't act like I was and bullshit about which vulnerability they are exploiting.
Some additional reading about the same injections/exploit code described above:
http://research.zscaler.com/2011/06/cotv-domains-serving-heavily-obfuscated.html
http://research.zscaler.com/2011/06/google-news-search-results-for-laurence.html