An Interesting Malicious Script

Today, I came across a hacked website. Hackers apparently used an osCommerce hack to compromise the website and insert malicious code into the webpage. Usually, hackers would insert malicious JavaScript that has been obfuscated in some way. This one inserted an iframe but was quite different than anything I've seen before...

The obfuscation is not very difficult to figure out but it's clever nonetheless. It's enough to throw off JSunpack.

The keen eye would notice that there's JavaScript in this block of text, yet there are no script tags to be seen. The onerror event is used to run JavaScript. The handler uses the DOM's getElementById method to attach an iframe, and since this resides inside a hidden DIV container, the iframe opens but is invisible to the user.

If you create a blank HTML file with the following text and open it in your browser, a JavaScript popup will appear:

<img src="about:blank" onError=alert("hello");>

Anyway, the resulting iframe tag looks like this:

<iframe id="seaid" src="hxxp://0909[.]in/1289850029.php" style="width:300;height:300;border:0px;"></iframe>

The website that was called has since been taken down but I'm sure it was spewing malware earlier.
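
One way to find this kind of injection when reviewing a site's pages, as an added example (not code from the original post): a Python scanner that reports inline on* event handlers, which run without any script tag, and rates as high those that sit inside a hidden container and reference an iframe or DOM-writing calls. The class and function names, the keyword list and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"img", "br", "hr", "input", "meta", "link", "embed", "source"}
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
DOM_WRITE = re.compile(r"iframe|createElement|innerHTML|appendChild|document\.write", re.I)

class InlineHandlerScanner(HTMLParser):
    """Report on* attributes, which run script without any <script> tag."""
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, has_hidden_style) for each open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = [(k, v or "") for k, v in attrs]
        hidden_here = bool(HIDDEN.search(dict(attrs).get("style", "")))
        in_hidden = hidden_here or any(h for _, h in self.stack)
        for name, code in attrs:      # HTMLParser lowercases attribute names
            if name.startswith("on") and code.strip():
                self.findings.append({
                    "line": self.getpos()[0], "tag": tag, "event": name,
                    "code": code, "in_hidden_container": in_hidden,
                    "touches_dom": bool(DOM_WRITE.search(code))})
        if tag not in VOID:           # void elements never get a closing tag
            self.stack.append((tag, hidden_here))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:   # pop to nearest match, skip strays
                del self.stack[i:]
                break

def scan(html):
    parser = InlineHandlerScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

def severity(finding):
    hit = finding["in_hidden_container"] and finding["touches_dom"]
    return "high" if hit else "review"

# Constructed sample page (not the code from the compromised site).
SAMPLE = """<html><body>
<p>Welcome to the shop</p>
<img src="logo.png" onload="resizeBanner()">
<div id="c1" style="display:none">
<img src="about:blank" onError="document.getElementById('c1').innerHTML='&lt;iframe src=//example.invalid/x&gt;&lt;/iframe&gt;'">
</div>
</body></html>"""
```

Ordinary handlers such as the onload above come back as "review", so the output is a triage list rather than a verdict.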

Posted on: 11/15/2010