New Obfuscated Scripts in the Wild: /*LGPL*/
Last December we saw a couple of malicious JavaScript strings being pasted into Web sites on compromised servers. The beginning of each script looks like one of the following:
- <script>/*GNU GPL*/ try{window.onload = function(){var ~
- <script>/*CODE1*/ try{window.onload = function(){var ~
We’ve now confirmed a new version. One of the sites we saw was originally compromised with the "/*GNU GPL*/" script and was recently updated with the "/*LGPL*/" script. A top portion of the obfuscated script looks something like this:
<script>/*LGPL*/ try{ window.onload = function(){var C1nse3sk8o41s = document.createElement('s&c^$#r))i($p@&t^&'.repl
Once deobfuscated, it leads to a URL that looks something like this:
[http://]free-fr.rapidshare.com.hotlinkimage-com.thechocolateweb.ru:8080/51job.com/[REMOVED]/redtube.com/gittigidiyor.com/google.com/
The use of well-known domains in the URL string is an attempt by the attackers to circumvent other protection mechanisms that may be in place. In the example above, the actual domain resolves to thechocolateweb.ru, not the various other domains that appear in the URL.
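As an added example (not code from the original post), the following Node.js script applies the point above: it parses such a URL, reports the host that actually resolves, and lists the well-known domain names used as decoys in the subdomain labels and in the path. The TLD list and the "last two labels" rule are simplifying assumptions; a production check would use the Public Suffix List.

```javascript
// Added example: separate the real host of a decoy-padded URL from the
// well-known domain names stuffed into its subdomain labels and path.
// Assumption: a short list of generic TLDs that attackers reuse as decoy labels.
// A production implementation would use the Public Suffix List instead.
const GENERIC_TLDS = new Set(['com', 'net', 'org']);
const HOSTNAME_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function analyzeUrl(urlString) {
  const url = new URL(urlString); // WHATWG URL parser, global in Node.js
  const labels = url.hostname.split('.');
  // Naive registrable domain: the last two labels ("thechocolateweb.ru").
  const effectiveDomain = labels.slice(-2).join('.');
  const decoys = [];

  // Decoys hidden in the subdomain part: "rapidshare.com" appears as the labels
  // "rapidshare" and "com", while "hotlinkimage-com" swaps the dot for a hyphen.
  const sub = labels.slice(0, -2);
  sub.forEach((label, i) => {
    if (GENERIC_TLDS.has(label) && i > 0) decoys.push(`${sub[i - 1]}.${label}`);
    const m = label.match(/^(.+)-(com|net|org)$/i);
    if (m) decoys.push(`${m[1]}.${m[2]}`.toLowerCase());
  });

  // Decoys in the path: segments that look like a hostname ending in a generic
  // TLD (so "page.html" is not counted, but "google.com" is).
  for (const seg of url.pathname.split('/')) {
    const last = seg.split('.').pop().toLowerCase();
    if (HOSTNAME_RE.test(seg) && GENERIC_TLDS.has(last)) decoys.push(seg.toLowerCase());
  }

  return { effectiveDomain, port: url.port, decoys, suspicious: decoys.length > 0 };
}

// Constructed sample modelled on the URL quoted in the post; the part the post
// removed is replaced here by the placeholder segment "REMOVED".
const SAMPLE = 'http://free-fr.rapidshare.com.hotlinkimage-com.thechocolateweb.ru:8080'
  + '/51job.com/REMOVED/redtube.com/gittigidiyor.com/google.com/';

console.log(analyzeUrl(SAMPLE));
```

The report for the sample names thechocolateweb.ru on port 8080 as the real destination and six decoy domains, which is the signal a URL filter should act on rather than the brand names in the string.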
The payload hasn't changed much from last year's attacks. When one visits a compromised site, the malicious JavaScript loads more JavaScript that contains an iframe tag, which opens another page containing two links. One link goes to a PDF file, which is detected as Trojan.Pidief.H or Bloodhound.Exploit.288. The other is to a JAR (Java ARchive) file, which is detected as Downloader.
Those two files use the following vulnerabilities to infect the computer with malware:
- Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)
- Adobe Reader and Acrobat 'newplayer()' JavaScript Method Remote Code Execution Vulnerability (BID 37331)
- Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities (BID 32608)
Unfortunately, the patch for BID 37331 won't be out until January 12th, so you may want to consider disabling JavaScript in Adobe Reader until it is released.
The final payload includes malware like Trojan.Bredolab, Downloader.Fostrem, and Trojan.Zbot, along with security risks such as PrivacyCenter and a number of other misleading applications that may be detected as Trojan.FakeAV. It's important to keep your definition files up-to-date as these files are frequently being updated.
We also released a generic detection called Trojan.Malscript.B to catch the new malicious JavaScript, as well as scripts with similar code. IPS protection is also in place that will block the malicious Java Archive file using the HTTP Fragus Toolkit Download Activity IPS signature.
--------------
Thanks to Kaoru Hayashi for providing his analysis.