Sea, Hex and Sun
Posted by Michael (Administrator), 07-31-2009, 01:14 AM

In this post I'm going to show you some tricks used by malware authors to evade detection. We shall see redirections, obfuscated JavaScript and a rootkit.

First things first, here is a site that has been compromised (chinaforge.cn). The last line of code from the source page shows a "script".

[Screenshot: cn1]

The URL is of course obfuscated. It is a redirect to a malicious site: w.siyou.org.cn

That page has rather interesting code starting with an if statement.

if (document.location.href.indexOf("gov")>=0) {} else payload

In other words, the script checks the URL of the page it is running in (document.location.href), and if the string 'gov' is found it does nothing. (Government sites?)

[Screenshot: cn2]

If the payload gets the green light, we get an iframe to the following domain: w.jsguangji.cn

[Screenshot: cn3]

That page again contains two iframes as well as JavaScript code:

[Screenshot: cn4]

Let's take a turn and follow the first iframe:

[Screenshot: cn5]

Alright. We are going to stop here for a moment and see what this is all about.

What appear to be links to pictures are actually pieces of JavaScript code. Here is the code revealed from one of the 'pictures':

[Screenshot: code]

I downloaded all the 'pictures' and compiled the code together. Here is what it looks like:

[Screenshot: cn7]

More obfuscated javascript!

This time we may actually have reached our final destination:

[Screenshot: cn8]

Yes, all of that for a single file.

For the end user, however, things are a lot simpler. You browse to a compromised site, get redirected once, twice and then: wham! bam! a drive-by download as shown below:

[Screenshot: cn10]

Upon execution a file is created: c:\windows\tasks\conime.exe

To make things more difficult, the file is hidden:

[Screenshot: cn11]

But just to prove it is there, I rebooted under Ubuntu (dual boot) to show you:

[Screenshot: ub]

The file is detected by about half the AV vendors on VirusTotal:

[Screenshot: cn13]

Programs / OS used for this post:

Malzilla
FileAlyzer
Ubuntu

If you want to do more research, I have uploaded the 'pictures' and the malware sample to our FTP.

Malware ID: jscode.zip

Malware ID: 3b10f98238023336aa753f9e072fb244.zip

Jerome Segura