Blackhat SEO requires that two different pages be delivered to different audiences:
- A harmless spam page to the Googlebot and security scanners, in order to get references and be ranked well by Google, as well as evade blacklists
- A redirection to a malicious domain to attack users
Other groups of attackers may want to use vulnerable websites for different purposes. So it is not rare to see the same vulnerable sites being abused by different groups. Recently, there was an increase in hijacked websites sending users to Fake AV pages also being infected with malicious JavaScript. The obfuscated JavaScript code is added before the original HTML code on all pages, making it much more likely to be blacklisted by Google. Here are a few examples:
 |
| Found on dailygizmonews.com |
 |
| Found on malaysianaspiration.com |
 |
| A mix of the 2 previous JavaScript codes |
All of these examples result in the same HTML code, an IFRAME injection pointing to a malicious domain:
- hxxp://fbyvdtydyth.myfw.us/?go=2
- hxxp://tds46.lookin.at/stds/go.php?sid=1
- hxxp://qerhkbdimoitvd5t.lowestprices.at/?go=2
 |
| Deofuscated code |
Ironically, this malicious code might actually keep user safer. Since it is present on all pages, regardless of the HTTP Referrer, the entire website is flagged as malicious much more quickly by search engines.
Posts
3 comments:
What parts of the obfuscated code translate into the deobfuscated code?
I'm curious as to what parts of the obfuscated code translate into the deobfuscated code? Specifically, what does that very strange looking variable "n" translate to and how does the web browser parse it?
@"Curious George" The obfuscated JavaScript is made of 2 parts: the content encoded in the variable "n", and the decoding loop. We've seen other malicious JS where the encoded data is stored as HTML content instead of a JS variable.
Post a Comment