Malware Infection from New Exploit Pack

A popular movie website appears to be infecting unsuspecting visitors’ computers. Thanks to reader Jonathan who found this particular drive-by download and let me know about it!

The malicious redirect code is not served on every visit (roughly one visit in four), so a single fetch of the page may come back clean.

When the code does appear, it’s a wretched piece of work!

It’s actually not too bad once you clean it up. The top part assigns string fragments to three-character variable names.

The bottom part of the script joins those variables back together depending on the outcome of a series of arithmetic if-then-else tests. This is string splitting at its best (or worst).

One of the easiest ways to deal with this is to run the script under Firebug or a debugger, since either will enumerate every variable the script defines and show you the assembled strings without untangling the concatenation by hand. Let’s try Firebug first. The variable “zGz” shows something interesting, but it’s not complete.

Looking at the other values, I see something even more interesting…hmmm, countermeasures! The script carries the chrome:// paths of the Firebug and JavaScript Deobfuscator add-ons, which means it is looking for exactly the tools being used to analyze it:

Vwv = "chrome://firebug/content/"
pUO = "chrome://jsdeobfuscator/content/"

Okay, so now let’s use a debugger. You can see we get similar results.

But this time, we can extract the full, deobfuscated code.

Beautifying the code leaves us with this. The script checks the browser type and a cookie and, depending on the results, inserts an iframe pointing to a malicious site.

Now that we know where we are being redirected to, let’s take a look at the exploit code that hits our browsers when we visit the site.

Reversing this code leaves us with another layer of obfuscation, which uses a compression technique many of you will be familiar with.

We finally get to the deobfuscated code. The complete source can be found on Pastebin with another domain.

This pack uses classic exploits targeting IE (MDAC), PDF readers, and Java.

Posted on: 10/08/2011