ParetoLogic Blogs > Malware Diaries

'Welcome to Bulgaria' site infected...

Posted by Michael (Administrator), 10-15-2009, 07:55 PM

Our HoneyPots caught this site as being malicious: legal.bg

[screenshot: bulgaria]

They also gave us the drive-by download:

git77.biz/myy/dateoiou1.exe

But I wanted to know more on how this happened...

The Bulgarian site contains obfuscated JavaScript:

[screenshot: javaobfuscated]

And a particularly long piece of unicode with a lot of 'V's in it:

[screenshot: gibber]

The new variable uses the "split" function to clear the 'V's out of the way.

Another variable is set up as a string:

[screenshot: definevar]

Then a 'for loop' function will go through each single character from the long variable without the 'V's:

[screenshot: for]

Finally, the document.write method will add the final piece to the puzzle, which is an iframe, but making sure it is obfuscated. The obfuscation part is defined in the long piece of unicode as "opacity=0" (more on that later).

[screenshot: write1]
[screenshot: write2]

So, how did we deobfuscate this?

Well, we commented out the blue code above... and used our own document.write

[screenshot: sol]

It basically takes the variable containing the iframe and writes it with a space between each character. That way, we can print it without it being hidden by the opacity argument. This is what it looks like, in clear text :-)

[screenshot: voli]

So what about those iframes that are 0 in width and in height? Too easy to detect... Yes, probably. This one is "in your face" (width="480" height="60") and yet totally invisible.

The final payload is an executable detected on VirusTotal as:

http://www.virustotal.com/analisis/3b4f59eec0bc51dc40c787fef5e167c45f9d595e76712707f825cd66db845a15-1255539380

Thanks to Newaz Rafiq for his help on the deobfuscation part.

Jerome Segura

Malware ID: 4e1741d0a991ada20b9a788f2074f0ba.zip

Updated to add: This seems to be using the Fragus exploit kit. More info here from MalwareDomainList. (Thanks to MalwareScene)
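The encode/decode scheme the post walks through (V-separated chunks, split(), a character-by-character for loop, document.write of an opacity-0 iframe), reconstructed as an added example. This is constructed illustration code, not the script found on legal.bg: the chunk encoding (two hex digits per character) and the iframe URL (example.invalid) are assumptions, and the analyst's document.write replacement is modelled as a function that returns the spaced-out markup instead of rendering it.

```javascript
// Constructed reconstruction of the scheme described in the post, NOT the
// script from legal.bg: iframe markup stored as 2-digit hex char codes with
// 'V' as the separator, rebuilt one character at a time. The URL is a
// placeholder (example.invalid), not the real drive-by host.
const IFRAME_MARKUP =
  '<iframe src="http://example.invalid/x.php" width="480" height="60" ' +
  'style="opacity:0"></iframe>';

// Encode the way the assumed obfuscator does: each char -> hex, joined by 'V'.
function obfuscate(s) {
  return Array.from(s, c => c.charCodeAt(0).toString(16).padStart(2, "0")).join("V");
}

// What the page script does: split() clears the 'V's, then a for loop walks
// each chunk and appends the decoded character to a second string variable.
function deobfuscate(blob) {
  const parts = blob.split("V");
  let out = "";
  for (let i = 0; i < parts.length; i++) {
    out += String.fromCharCode(parseInt(parts[i], 16));
  }
  return out;
}

// Analyst step from the post: swap document.write for a version that emits the
// markup with a space between characters, so the browser shows it as text
// instead of rendering an invisible iframe. Here it simply returns that string.
function spacedWrite(html) {
  return html.split("").join(" ");
}

// Detection check for the trick the post highlights: an iframe with a real
// width/height but opacity 0 is "in your face" yet totally invisible.
function isHiddenByOpacity(html) {
  const m = /<iframe\b[^>]*>/i.exec(html);
  if (!m) return false;
  const tag = m[0];
  const opacityZero = /opacity\s*[:=]\s*["']?0(\.0+)?["']?(?![.\d])/i.test(tag);
  const w = /width\s*=\s*["']?(\d+)/i.exec(tag);
  const h = /height\s*=\s*["']?(\d+)/i.exec(tag);
  const visibleBox = w && h && Number(w[1]) > 0 && Number(h[1]) > 0;
  return Boolean(opacityZero && visibleBox);
}
```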
