Jan 10, 2013

404 And You've Been Exploited

Most of the time, when analyzing malicious web pages, the HTTP response code is one of my key indicators for determining how the page behaved (success, failure, redirection, and so on).

I had previously come across a trick where the browser displays an error page (PHP/MySQL error, cPanel error, or page not found) with HTTP response 200, while the page actually carries malicious JavaScript that exploits users as soon as it loads.

Deceiving Error Page with HTTP Response 200

Until recently, I had never encountered an error page with HTTP response 404 that still contained JavaScript redirecting users to an exploit page. Silly me, as I always assumed a 404 error page would be a genuine page-not-found error (a reason to be lazy :P).

404 Error Page (with HTTP Response 404)

In this case, the site runs the Drupal CMS; when I tried to access the URL path /c.php, it returned the 404 error page served by Drupal.

Embedded JS Files from Drupal CMS

That error page contains several script tags whose sources are Drupal's default JavaScript files. Unfortunately, obfuscated code had been appended to every one of those JavaScript files, redirecting users to a malicious site through an iframe.

Embedded Obfuscated JS Code

Deobfuscated JS Code

This trick is quite effective at deceiving analysts who lack attention to detail, especially those who rely solely on the HTTP response code as the first filter for starting their analysis.
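The lesson above, as an added example that is not part of the original post: triage a response without trusting its status code, by pulling every script src out of the HTML (whatever the status) and scanning each referenced JavaScript file for markers of appended iframe-injection code. The 404 page, the script file contents, the example.invalid domain and the indicator patterns are all constructed for illustration, not taken from the case described.

```python
# Added example, not from the original post: triage an HTTP response without
# trusting its status code. It parses the HTML for <script src> references and
# scans each referenced JS file for markers of appended iframe-injection code.
# All sample data below is constructed for illustration.
import re
from html.parser import HTMLParser
# Patterns often seen in appended redirect/injection code (assumed indicators).
SUSPICIOUS_JS = {
    "iframe_write": re.compile(r"document\.write\s*\(.*<iframe", re.I | re.S),
    "iframe_create": re.compile(r"createElement\s*\(\s*['\"]iframe['\"]", re.I),
    "eval_unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "fromcharcode": re.compile(r"String\.fromCharCode\s*\(", re.I),
}

class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script" and dict(attrs).get("src"):
            self.srcs.append(dict(attrs)["src"])

def extract_script_srcs(html):
    p = ScriptSrcParser()
    p.feed(html)
    return p.srcs

def scan_js(js_text):
    """Return the names of suspicious patterns found in a JavaScript file."""
    return sorted(n for n, rx in SUSPICIOUS_JS.items() if rx.search(js_text))

def triage(status, html, fetch_js):
    """Analyse a response whatever its status; fetch_js maps src -> JS text."""
    findings = {src: hits for src in extract_script_srcs(html)
                if (hits := scan_js(fetch_js(src)))}
    return {"status": status, "malicious": bool(findings), "findings": findings}

# Constructed sample: a Drupal-style 404 page whose default JS has code appended.
SAMPLE_404_HTML = """<html><head><title>Page not found</title>
<script src="/misc/jquery.js"></script><script src="/misc/drupal.js"></script>
</head><body><h1>Page not found</h1></body></html>"""
SAMPLE_JS = {
    "/misc/jquery.js": "/* jQuery 1.4 */ var jQuery = function () {};",
    "/misc/drupal.js": "var Drupal = {};\neval(unescape('%64%6f%63'));"
        "document.write('<iframe src=\"http://example.invalid/\" width=1 height=1></iframe>');",
}

if __name__ == "__main__":
    print(triage(404, SAMPLE_404_HTML, lambda s: SAMPLE_JS.get(s, "")))
```

In real use, fetch_js would retrieve each script from the site (with the same caution as any malicious-page fetch) and the indicator list would be tuned to the injection families you actually see.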

Another trick that needs careful handling is redirection to a domain parking page, which might lead us to think the malicious site has already been taken down by the hosting company.