It didn't take a while to figure out where the Trojan is hiding and how its attacking.
As soon as I opened the about and the contact pages, Nod32 alerted that the pages I'm viewing contain a malicious javascript. When i viewed the source code I saw this suspicious script:
The interesting part is that strange code that starts from line 7 to line 13. This code is the second parameter of the setAttribute function. It looks like this: setAttribute('src', strange code).
This function is used to set the value of an attribute on an object. It is typically used along with objects returned by document.getElementById to assign a new value to the object's attribute.
Notice the string.replace function at line 13? it replaces the charactes !, @, #, $, %, ^, &, (, ) with blank. I created a simple Python code that does this replacement:
import sys
strange_code = 'h#&#t&#!t$!@p):)$/!&^/!x#^&t@#&u@b($!)e#(-)c^@$&o#(#m^!$^.&$)b$($l$o!(#&)g(&g)(^$e!$r#@(.@^&(c(o^#m@)!#.)#p!(@o&r@)n(^$o$!^r&!a$)&m$@a$^$@-!c((^o#($m!.&#b$^$l)^u!$!e((#@)j@@a@)@c#k)!^m^(u$$!(s@$@i^@c@&.!@)r@u(!:(^8&@!)!0@)8)@#0&(!/$&)h^d$@$f$(^c^)b@$&a)^n^(k^#.&@^&c#(!#$o^m!)#/!h^@#d(&f)&c^()b#(a^$!n&^(#$k^#.!$c)o))m)&&/($&!g$$o!)o^()g))@(l$^@)e#^&.&&c^(o()m@!)(/(&f)#a!!@n!$@p))o)((p!^#.@c^!@o&@m)@&/@!!i&n^#!.&#!c)))!o(m#/)((!'
strange_code = strange_code.replace('!', '')
strange_code = strange_code.replace('@', '')
strange_code = strange_code.replace('#', '')
strange_code = strange_code.replace('$', '')
strange_code = strange_code.replace('%', '')
strange_code = strange_code.replace('^', '')
strange_code = strange_code.replace('&', '')
strange_code = strange_code.replace('(', '')
strange_code = strange_code.replace(')', '')
print strange_code
The result:
http://xtube-com.blogger.com.pornorama-com.bluejackmusic.ru:8080/hdfcbank.com/hdfcbank.com/google.com/fanpop.com/in.com/
Basically this script adds a reference to a javascript file that is located at the address above. I followed the address of this file and found a script that opens an invisible iframe. By this invisible iframe the attackers can steal information such as online banking credentials.
How to remove this this Trojan?
Simply remove it from every page you find it in.
How to avoid it from infecting your files again?
It probably infected the files through the FTP, so:
1. Change your FTP credentials.
2. Install a good anti-spyware application.
3. Don't use public machines to access your FTP.
4. Check the files that users are uploading to your website.
I am interested in this.. Do you have an idea why the url is formed this way (not the obfuscation, but the actual url)? Is it to try and defeat script blockers based on (lousy) regexp on the url? I understand why you can't post the payload, but could you describe what it does?
ReplyDeleteYou can read an explanation about it here: http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/
ReplyDelete- Herzel
good, i drop by here through keyword "sql injection" via a service call "blogger auto follow" im following u.. hope to see u in my followers list soon and would love to share anything from internet, network and information security stuff.
ReplyDeleteregards,
Hacking Expose! Team
Thanks!
ReplyDelete