Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

February 14th, 2013

Malware: Dollar Equals Tilde Square Brackets

Recently we encountered a very suspicious piece of code on some Joomla-powered webpages. The code looks as if garbled and without any special meaning, and starts like this:

original

Upon closer observation, several strange things are to be noted. First, there are no alphanumerical symbols to be seen in any part of the code. Second, on the line before this code starts, there is actually an HTML tag indicating a start of Javascript code (<script>), preceded by 37 tabs. Therefore, when opening an infected file in a text editor, one cannot normally see the starting tag, because it is shifted all the way to the right. To be able to see it, you either have to horizontal scroll, or have word wrap on. The same trick is performed with the script closing tag as well. Why would anyone try to hide these tags? The answer is simple, to trick people into thinking this is not actually a Javascript code.

So what does this piece of code do? Upon first glance, you can’t tell. Without any letters or numbers, without any obvious calls of built-in functions, can this piece of code actually do something? We will start with the easiest and proceed further on. The first few characters go like this:

$=~[];

Empty square brackets make an array with 0 elements. But this can also be interpreted as 0 in some cases. By bitwise negating (the tilde sign ~) zero, we get -1, which we store in the variable called $. We now have our first alphanumeric character. Next we get this:

object_orig

Because of curly brackets, we can see the script is creating an object (again, the name of this object is $). The first statement stores a value of ++$ into the object’s variable named three underscores ___. ++$ equals 0 (notice that from this point, variable $ contains value 0), so if we need to use a zero character in our script from now on, we can call it by $.___ (object.property). The next line is even more interesting. It stores a value of (![]+”")[$] into $$$$. [] is an empty array, by negating a non-empty variable we get false. If we add empty string to boolean, it will change the type to string, resulting in string “false”. From this, we take the first letter ([0] means first letter, [1] second). Voilà, the $$$$ property of $ object now holds the value of lowercase letter “f”. In a similar fashion, we create numbers 0-9 and letters a-f and store them as properties of object $. The names of properties are not random; note that if we imagine underscore as zero and dollar as one, names of properties are binary representations of the values they hold.

object_explained                                 object_properties

We have our basic alphabet, something to build on. Neat! What next? The next two lines construct two important keywords, “constructor” and “return” in a similar fashion, in which we were able to store some letters above. The last step before actually decoding our payload is to create a function $.$. This function is eventually used for our payload to be run.

constructor_return_function

Whew! The run payload command starts with

obfus_payload_start

which can be written as Function(Function(return plus a concatenation of characters. We already have characters 0-9 and a-f, as well as characters in words “constructor” and “return”, but what about the others? Another neat trick here. In the code above, you can see the sequence “\\”+$.__$+$.$$_+$.___, which translates to \160. The backslashed number is interpreted as an ASCII character defined by its octal value, therefore 160 octal = 112 decimal = lowercase “p”. Let’s just concatenate all these letters and we finally get the actual payload!

By understanding how the obfuscator works, I have been able to develop a deobfuscator as a byproduct (see the links section below).

 

Digging Deeper – Payload

This payload first checks if you have the “right browser” (which according to the author of the payload means Chrome), takes all links on your webpage, stores them in variable page_links, and then adds an onclick event to all links, but with a random href from page_links. In other words, it shuffles all links referrers.

payload

Imagine you have a very simple page with three items in the menu: Home, About Me, and Contact Us. You may want to click on About Me, but this piece of code invokes an event that sends you to Contact Us. Not that malicious, is it?

It wouldn’t be, if this was the only inserted code on the webpage. However, apart from our link‑shuffler, there is also this piece of code at the very end of the file:

links

There are about 40 of these links in one infected webpage, and none of them can be seen normally (note “position:absolute;top:-10000px;left:-10000px”). Also, the script makes sure only referrers of links from a specific div (in this case, links have to be in <div id=“mlk”>) are used to “overwrite” normal links in a webpage.

As soon as you click on any link, you will be taken somewhere you do not want to be. All the links point to very similar site that claims it can search multiple webpages (megaupload.com, rapidshare.com, and uploading.com) for the file you need.

fakedownload                          fakedownload2

When you click to download and enter the correct captcha, you are redirected to turbodownloadz.com, which at this time is parked at onlinefwd.com and therefore making money out of any potential visitors. However, at any point in time, this domain can be used to distribute malware.

 

Added Bonus – link rel=canonical

But this is not enough for the author of the script. They also add this line (again shifted with many tabs out of your view) to your page.

canonical

This piece of code tells the search engine where to find the canonical (original) version of the page. This means if a search engine robot visits an infected page, it is told that the original version is somewhere else, and indexes only this original version. If you search for any keywords on your page, the search engine will instead present results of the “canonical” version. In other words, an infected page will not be shown in search engine results.

NOTE: This malware is detected by avast! antivirus as JS:Clicker-I [Trj].

 

Links:

 

Comments are closed.