Tuesday, 2 August 2011

1See Mass Injection 22,000 Sites

Again a large number of sites have been attacked in a mass injection attack that appears to lead to a known exploit pack called BestPack. A brief analysis of the attack is shown below. As with previous attacks, Google shows the list of hit sites. Searching for the domain shows approximately 22,000 sites at the time of analysis.

Google search results


The script tags are injected after the title in a manner identical to the injection attacks shown earlier. The script leads to some obfuscated javascript consisting of a number of function calls that generate iframes leading to another remote site.


Injected script tags

First Layer of Obfuscated Javascript

Deobfuscated Javascript 

  
2nd Stage Javascript

The next stage javascript attempts to connect to hxxp://www.susxxxxxin.bz.cm/kent/enter.php. The javascript then includes HTML <img> tags like the following: <img src="18.png" alt="long string of ^numbers">. The javascript shown above then uses DOM functions to obtain the img element and its src value. This is assigned to a variable so that it equals "hxxp://www.susxxxxxin.bz.cm/kent/18.png". The javascript then substrings this to get another variable equal to "18" (i.e. the name of the png image). This is then used to deobfuscate the long string in a for loop. The resultant value is stored in the variable "resalt".

The resalt value is essentially an encoded string that is unescaped and eval'ed to return the exploit page from the BestPack exploit kit, containing numerous exploits that are very similar to the exploit code in the previous post. The deobfuscated resalt value is shown below. This is the final stage code that exploits the user.
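For anyone analysing a captured copy of such a page offline, here is an added example (not code from the post or the kit) that re-implements the decoding steps described above without ever calling eval, so the final-stage code is recovered as text rather than executed. The exact arithmetic of the for loop is not given in the post, so the example assumes each '^'-separated number is the character code plus the numeric key taken from the img file name; the domain and the alt string are constructed placeholders.

```javascript
// Added example, not code from the original post: an eval-free re-implementation of
// the decoding step described above, so a captured page can be analysed offline and
// the final-stage payload captured as text instead of being executed.
// Assumptions (the post does not give the loop's arithmetic): each '^'-separated
// number in the img alt attribute is charCode + key, where key is the numeric file
// name taken from the img src (e.g. "18" from ".../kent/18.png"); the decoded text
// is then a %-escaped string that the real script would unescape and eval.

// Constructed sample fragment mimicking the structure the post describes
// (the domain is a placeholder, not one from the post).
const SAMPLE_HTML =
  '<img src="hxxp://www.example.invalid/kent/18.png" ' +
  'alt="118^129^117^135^127^119^128^134^64^137^132^123^134^119^55^68^74^67^55^68^75">';

// Pull the src and alt out of the first <img> tag with a regex rather than the DOM,
// so this runs in Node without a browser.
function extractImg(html) {
  const m = html.match(/<img\b[^>]*\bsrc="([^"]*)"[^>]*\balt="([^"]*)"/i);
  if (!m) throw new Error('no <img src=... alt=...> found');
  return { src: m[1], alt: m[2] };
}

// Mirrors the substring step: key = file name without the ".png" extension.
function keyFromSrc(src) {
  const file = src.slice(src.lastIndexOf('/') + 1);
  const key = parseInt(file.replace(/\.png$/i, ''), 10);
  if (Number.isNaN(key)) throw new Error('img file name is not numeric: ' + file);
  return key;
}

// Mirrors the for loop that builds "resalt" (assumed: charCode + key).
function decodeResalt(alt, key) {
  return alt.split('^').map(n => String.fromCharCode(parseInt(n, 10) - key)).join('');
}

// Full pipeline, stopping where the original script would call eval().
function recoverPayload(html) {
  const { src, alt } = extractImg(html);
  const key = keyFromSrc(src);
  const resalt = decodeResalt(alt, key);
  return { key, resalt, payload: unescape(resalt) };
}

console.log(recoverPayload(SAMPLE_HTML));
```

Feeding the real alt string and src from a captured page into recoverPayload gives the resalt value and the unescaped final-stage code for inspection; if the kit's loop uses different arithmetic, only decodeResalt needs changing.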

