JavaScript Worm on Steroids

From time to time during the course of our work, we may discover a novel piece of malware. Whether it is a new technique to infect files, infecting virtual machines, or targeting specific documents, the possibilities are limited only by a malware author’s imagination. 

Such is the case with JS.Proslikefan. While malware can be created using JavaScript or VBScript, it is usually only a few kilobytes in size after it is unpacked. In comparison, JS.Proslikefan weighs in at a whopping 130 kilobytes after it unpacks itself. The upper layers used custom obfuscation as well as the publically available Dean Edwards JavaScript packer. Figure 1 shows the bottom unpacked layer of the threat.

Figure 1. Bottom unpacked layer

Analyzing this file first required deobfuscating all the variable and function names. Once that was completed, the bigger picture of what this threat tries to do became a bit clearer. First, this threat targets Windows computers. If the threat is executed inside a Web browser, the browser must support ActiveX. Typically, this means Internet Explorer, although other browsers have been known to support it as well through plugins. The threat can also be executed using the command line by another malicious program.

This threat has other functionality that is typically not seen in most JavaScript malware. For example, it has the ability to search for keywords hardcoded into the malware on Google, gathering all the URLs from the search results.

Figure 2. SQL injection

As can be seen from Figure 2, once the URLs have been gathered, the threat will then parse each result looking for a specific error that has been known to indicate that SQL injection may be possible in the website. If the error is found, the threat contacts one of the command-and-control (C&C) servers to send back the relevant information.

But the threat doesn’t stop there. It also has functionality to check the results from the Google queries to see if any WordPress blogging sites were found.

Figure 3. WordPress TimThumb vulnerability check

The threat checks the site’s themes directory to see if it is using the TimThumb extension. If it is, the site may be vulnerable to a type of file upload vulnerability. This allows an attacker to upload a file and execute it on the Web server. More information on the vulnerability, discovered last year, can be found here

However, it seems even that wasn’t enough for the malware author. The threat also contains functionality to scan the Cookies directory on the compromised computer in an attempt to find a valid Facebook session. If one exists, the threat can do several things once inside. Depending on the commands given by the C&C server, the threat can "like" or become a fan of certain pages. It can even send chat messages to other Facebook users. Note: Facebook has recently added detection for this malware to help remedy users with compromised devices. Users can visit the Facebook Security Page for more information.

With the amount of functionality put into this threat, the malware author may have wanted it to spread to as many computers as possible. One of the ways it spreads involves placing copies of itself as zip files in folders used by several popular file sharing applications. The threat chooses file names in a unique way:  it contacts a particular RSS page on a popular Torrent site and parses out the content of the XML file, which is then used as the zip file names.

Figure 4. Contacting PirateBay

Of course, the malware author wants the threat to stay under the radar of antivirus companies as it attempts to spread. To avoid traditional antivirus signatures, it copies itself in a polymorphic manner to file sharing application folders as well as several other places. It also has a list of antivirus applications and checks to see if any of them have been installed on the compromised computer. This information is relayed to the C&C servers as well. If any of the applications are found, the threat modifies the Hosts file in order to redirect users to an IP address not related to network security companies. The IP address the malware redirects users to is a Class A address that belongs to a multinational conglomerate involved in energy, technology infrastructure, and capital finance sectors. It’s worth noting that at the time of writing, the IP address in question did not serve any malicious Web content.

Similar to other threats, this piece of malware also possesses the capability to spread to removable drives, run every time the computer starts, end certain processes, download and execute other programs and scripts, update itself, and process commands. We typically do not see this extra functionality the malware author decided to include in our day-to-day analysis of malware.