JavaScript is powerful indeed :)

JavaScript just got a promotion in my esteem. I knew this stuff existed, but had never seen one live until today. Now I'm the lucky recipient of a JavaScript virus! (Well, not a real virus, but a downloader nevertheless.) Read on for more details.

It all started with this message on GMail, which looked really funky (note the ZIP attachment).

[Screenshot: JSvirus01]

I haven't ordered anything on those dates. Moreover, I doubt FedEx emails originate from some fishy Argentinian domains (no offense, Argentina, but I live on the other side of the globe) or from sites like websitewelcome.com.

[Screenshot: JSvirus02]

Analyzing the GMail headers confirmed my suspicion. Thirdly, ZIP attachments are bad form; most such services send unpacked PDFs.
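The header check described above, as an added example that is not part of the original post: it unfolds a raw header block, pulls the domain out of `From:` and `Return-Path:`, collects the `from` host of every `Received:` hop, and flags hops and bounce addresses that do not belong to the claimed sender domain. The header block, hostnames, IP and addresses are constructed placeholders (the `.example` domain stands in for the spoofed brand's real domain).

```javascript
// Added example (not the post's own code): does the relay path of a message
// agree with the domain it claims to come from?

// Constructed header block mimicking the shape of the described message.
// Every hostname, IP address and mailbox here is a placeholder, not real data.
const CONSTRUCTED_HEADERS = [
  "Return-Path: <bounce@example-fake-relay.com.ar>",
  "Received: from mail.example-fake-relay.com.ar (mail.example-fake-relay.com.ar [198.51.100.23])",
  "        by mx.google.com with ESMTP id abc123",
  "Received: from localhost (localhost [127.0.0.1])",
  "        by mail.example-fake-relay.com.ar with SMTP id xyz789",
  'From: "FedEx" <noreply@fedex.example>',
  "Subject: Shipment notification",
  "Content-Type: multipart/mixed",
].join("\r\n");

// Unfold RFC 5322 continuation lines (leading whitespace) and split each
// "Name: value" header into a lower-cased name and its value.
function parseHeaders(raw) {
  const unfolded = raw.replace(/\r?\n[ \t]+/g, " ");
  return unfolded.split(/\r?\n/).filter(Boolean).map((line) => {
    const idx = line.indexOf(":");
    return { name: line.slice(0, idx).trim().toLowerCase(), value: line.slice(idx + 1).trim() };
  });
}

// '"Display Name" <user@host>' or bare 'user@host' -> 'host' (lower-case), else null.
function addressDomain(value) {
  const m = value.match(/<?[^\s<>@"]+@([^\s<>"]+)>?/);
  return m ? m[1].toLowerCase() : null;
}

// True when host is the domain itself or a subdomain of it.
function belongsTo(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns the extracted domains, the relay hosts seen in Received: headers,
// and a list of human-readable findings (empty when everything lines up).
function checkSenderPath(raw) {
  const headers = parseHeaders(raw);
  const get = (n) => headers.filter((h) => h.name === n).map((h) => h.value);
  const fromDomain = addressDomain(get("from")[0] || "");
  const returnPathDomain = addressDomain(get("return-path")[0] || "");
  // Each hop prepends its own Received: header, so the first one listed is the
  // last hop; the "from" token names the machine that handed the message over.
  const relayHosts = get("received")
    .map((v) => (v.match(/^from\s+([^\s(;]+)/i) || [])[1])
    .filter(Boolean)
    .map((h) => h.toLowerCase())
    .filter((h) => h !== "localhost"); // internal loopback hops carry no signal
  const findings = [];
  if (fromDomain && returnPathDomain && !belongsTo(returnPathDomain, fromDomain)) {
    findings.push(`return-path domain ${returnPathDomain} does not match From domain ${fromDomain}`);
  }
  for (const host of relayHosts) {
    if (fromDomain && !belongsTo(host, fromDomain)) {
      findings.push(`relay ${host} is outside From domain ${fromDomain}`);
    }
  }
  return { fromDomain, returnPathDomain, relayHosts, findings };
}

console.log(checkSenderPath(CONSTRUCTED_HEADERS));
```

This is the manual version of what SPF and DKIM alignment do at the gateway: a legitimate sender that uses a third-party mailing service will also trip the relay check, so treat the findings as a reason to look closer, not as a verdict on their own.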

So, what does a security-conscious person do next? Download the ZIP file, of course! And instantly upload it to VirusTotal.com.

[Screenshot: JSvirus04]

Now that we know what we're dealing with, we can open the ZIP file. Inside there's a single 2KB file with a .doc.js extension, which will execute as JavaScript when run. Examining the JS file shows a typical downloader script: a single text variable and a whole bunch of functions that construct the real JS script from it piece by piece and download some nasty stuff I don't even want to look into. Here's a snippet.

[Screenshot: JSvirus03]

Having the URL and code split across multiple functions (which are not even declared in the order they are executed) really helps avoid heuristic detection, as the only way to figure out what this code does is to run it (he-he). As you can see, it is indeed very effective: 38 out of 54 engines on VirusTotal did not detect a threat, nearly a 75% miss ratio! In addition, the message was not flagged as suspicious by GMail or by any other mail service in the chain (I have a chain of email accounts forwarding messages to each other).
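A static triage pass for attachments of the kind described in the two paragraphs above, added here as an example and not taken from the post or the sample it analyzes. Since the dangerous tokens are deliberately not visible in the file, the rules score the shape of the script (a double extension on the filename, a dynamic-execution call, and many tiny functions doing string surgery on one variable) as well as any script-host objects that do happen to appear. The two samples are constructed: the suspicious one imitates the structure the post describes but only rebuilds a harmless `WScript.Echo('hello')`, and neither sample is ever executed, only scanned.

```javascript
// Added example (not the post's own code): score a .js attachment on the
// structural traits of a string-building downloader, without running it.

// Constructed suspicious sample: one data string, scattered functions that
// rebuild a script from slices of it, then eval. The rebuilt string is a
// harmless WScript.Echo('hello'); note that "WScript" never appears whole.
const CONSTRUCTED_SAMPLE = `
var t = "ip('hello')WScr.Echot";
function p(){ return t.substr(11,4)+t.substr(0,2)+t.substr(20,1); }
function q(){ return t.substr(15,5); }
function r(){ return t.substr(2,9); }
function s(){ return p()+q()+r(); }
eval(s());
`;

// Constructed benign sample for comparison.
const BENIGN_SAMPLE = `
function add(a, b) { return a + b; }
var total = add(2, 3);
`;

// Triage rules. Counting matches (rather than just testing for presence) is
// what exposes the "many tiny string-builder functions" shape.
const RULES = {
  doubleExtension: /\.(doc|docx|pdf|xls|xlsx|jpe?g|png|txt)\.(js|jse|vbs|vbe|wsf|wsh|hta)$/i,
  dynamicExec: /\b(eval|Function|execScript)\s*\(/g,
  scriptHostObjects: /\b(ActiveXObject|WScript|XMLHTTP|ADODB\.Stream|Shell\.Application)\b/g,
  stringSlicing: /\.(substr|substring|slice|charAt|charCodeAt|fromCharCode)\s*\(/g,
  functionDecl: /\bfunction\s+\w*\s*\(/g,
};

function count(re, text) {
  return (text.match(re) || []).length;
}

// Returns the raw hit counts, a weighted score and a coarse verdict.
// Weights are illustrative assumptions, not tuned against real samples.
function triageAttachment(fileName, source) {
  const lines = source.split(/\r?\n/).filter((l) => l.trim()).length;
  const hits = {
    doubleExtension: RULES.doubleExtension.test(fileName),
    dynamicExec: count(RULES.dynamicExec, source),
    scriptHostObjects: count(RULES.scriptHostObjects, source),
    stringSlicing: count(RULES.stringSlicing, source),
    functionDecl: count(RULES.functionDecl, source),
  };
  // Structural signal: the file is mostly small functions cutting up a string.
  hits.slicingPerLine = lines ? hits.stringSlicing / lines : 0;

  let score = 0;
  if (hits.doubleExtension) score += 40;        // "invoice.doc.js" style lure
  if (hits.dynamicExec > 0) score += 25;        // code assembled at run time
  if (hits.scriptHostObjects > 0) score += 20;  // download/execute plumbing visible
  if (hits.stringSlicing >= 4 && hits.functionDecl >= 3) score += 15;
  if (hits.slicingPerLine > 0.5) score += 10;

  const verdict = score >= 50 ? "quarantine" : score >= 25 ? "review" : "allow";
  return { hits, score, verdict };
}

console.log(triageAttachment("invoice.doc.js", CONSTRUCTED_SAMPLE));
console.log(triageAttachment("helper.js", BENIGN_SAMPLE));
```

The filename rule alone would have caught this particular attachment, which is why most mail gateways simply refuse script extensions (including inside ZIP archives); the structural rules are there for the case where the extension is something the gateway still lets through. Either way this is a heuristic: a false score on an unusual but legitimate script is the price of not having to execute the file to classify it.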

So, here you go: now you know one when you see it. 🙂 If you want to play with it, the best way to get one would be mailing that address in the header 🙂
