So let’s start with this piece of pretty obviously suspicious code. I found it at the bottom of an index file of the infected site. Copies of this code has been placed on every sub page as well.
Level 1 always starts at the bottom of the mess
We have at least two JS functions. The first
sbhq() seems to just return some encoded and/or encrypted content and the second one
hbfz() processes it.
A bit more tidy:
Line 2 and 7 defines the two important JS functions. Line 13 defines an array variable
s, an integer variable
j and the string literal variable
r set with the return value of
sbhq() in its unescaped (
The usage of
unescape() gives us the hint to answer the question of the encoding format. According to the Mozillas JS reference the string is hexadecimal escaped, as the ‘%’ followed by several bytes indicates.
Line 15 to 17 fills
s with integer values from 0 to 255. And line 19 seems to be the key for some sort of symmetrical encryption.
Line 21 to 27 at the first glance does some modulo calculation on the key
k and prepares the result in
s. From line 32 to 41 the encryption part seems to happen.
The result of all these calculation stuff is feed to
hbfc(e), which is defined in line 7.
I’m really to lazy to mess around with this obfuscation approach, so I’ll take the shortcut!
Shortcut to level 2
Line 9 and 10 seems to be another funny JS method to write
eval(). This indicates
a is some sort of JS code. So let us use our browser to sort this obfuscation mess out by changing these lines to a simple
Clipped what this code does: A new html div element will be appended to the document body but out of sight with an iframe sourcing to a site.
According to virustotal.com this site is of course malicious (5⁄64) but only at a subset of AV vendors.
So the code has basically two layers of obfuscation, a hexadecimal escaping followed by some sort of symmetric encryption. For this it uses a deprecated
unescape() JS standard function and a handmade encryption algorithm. To execute the hidden code the author uses
eval() another old acquaintance (see A restaurant serves harmless malware code).\n\nThe code embeds a third party site in a iframe and lay it over the original one, that is nothing to fancy though