Thursday, May 3, 2012

Code Hiding in Images - JavaScript Manual Armor (3)

Attackers are always using interesting techniques of hiding code. Image files have been used extensively for hiding payloads in the headers and upon rendering, the payloads get executed. In the past, several applications have been pwned for XSS using this technique in which image header is used to inject the payload. Anyways, it works:). In this post, we came across a generic JavaScript code which is used to render an iframe for injecting code. However, the interesting part in this post is to understand the flow of infection.

We came across a website and found that the .js files that are used for JSON communication have been injected with some malicious code. At the bottom of the sample js file, we find the following code snippet

This JavaScript is not that heavy as it is using only unescape. However, the unescape has to be performed two times to get the URL. So we perform a simple step to tweak the code as follows

After doing this, we get the target URL as "". The iframe is pointing to a image file. Interesting ! Let's see what we have

The image file is actually an ASCII file. We find that there is some hexadecimal code in it. So we clean the code and feed it to the converter as follows

So it is pointing to an image folder on  "". On issuing a HTTP request to this URL, we are served with

The log.txt file is served only once to the IP.  When we fetch the page, it contains an iframe that is pointed to log.txt file.

Well, we do not find any data in the file. Anyways, that's not a problem :). The main point is to analyze the flow. Attackers can use hard obfuscated scripts and follow the same flow of infection.