[Techtalk] is this malicious code? -- the code in Pastebin

Wim De Smet kromagg at gmail.com
Wed Jan 16 08:40:54 UTC 2013


On Wed, Jan 16, 2013 at 3:54 AM, Carla Schroder <carla at bratgrrl.com> wrote:

> On Tue, 15 Jan 2013 15:28:42 -0800
> Cynthia Kiser <cnk at ugcs.caltech.edu> wrote:
>
> > Quoting Carla Schroder <carla at bratgrrl.com>:
> > > > > I have a snippet of a Javascript ad that Google flagged as
> > > > > malicious.
> > >
> > >
> > > http://pastebin.com/NvTGxDQd
> >
> > Not exactly sure but I am guessing Google is twigging on either
> > wrapping JS in the CDATA block OR constructing the penultimate
> > script tag with:
> >
> > document.write ("'><\/scr"+"ipt>");
> >
> > Seems like you are trying to pass JS but delay execution thereof. I
> > don't think that makes this malicious - but does make me curious.
> >
> >
>
> Can it be that this is more dangerous than it appears? Can anyone do a
> little deeper analysis of this? One of my chums says that the code (I
> don't know which part) opens a big gateway to remote malicious code. I
> quote:
>
> "iSocket's invoking code itself isn't malicious. It's what that code is
> pulling through the stargate combined with a bunch of other shit
> nobody's clear on because then the malware people would adapt to stop
> triggering it."
>
>
It basically loads a script of theirs and executes it, so the snippet alone
doesn't tell you very much. Could be that Google found something
objectionable in the code it actually loads. Any number of reasons are
possible, from a false positive to malware injected by people who breached
the ad provider's security (which is indeed a common vector of attack).

If I were speculating I'd say the obfuscation of the </script> tag is an
attempt to circumvent some types of (simple) ad blockers. Embedding the
script in a CDATA block is not a problem though, it's a perfectly
reasonable way to escape code in XHTML pages, so probably there so it
doesn't break anyone's markup.

regards,
Wim
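An added triage helper for the point made above that the snippet alone only shows what it loads (example code, not from the thread or from the ad vendor): it never runs the snippet, it only joins split string literals such as `"<\/scr"+"ipt>"`, reassembles what the snippet would `document.write()` into the page, and lists the remote script URLs that result, so the actual loaded script can be fetched and inspected separately. The sample snippet, the `ads.example` host and the `{dynamic}` placeholder are constructed assumptions.

```javascript
// Added example, not code from the thread or from the ad vendor it discusses.
// Static triage of an ad snippet: string concatenation and escapes are
// normalized so a split tag such as "<\/scr"+"ipt>" becomes visible, the text
// the snippet would document.write() into the page is reassembled, and remote
// script URLs in it are listed. Regex heuristics, not a JS parser.

// Two adjacent string literals joined by "+" that use the same quote character.
const JOIN = /(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\+\s*\1((?:\\.|(?!\1)[^\\])*)\1/;
const LITERAL = /^(["'])((?:\\.|(?!\1)[^\\])*)\1$/;
const WRITE = /document\.write\s*\(([^;]*?)\)\s*;/g;
const SCRIPT_SRC = /<script[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/gi;

function normalizeSnippet(src) {
  let s = src.replace(/<!\[CDATA\[|\]\]>/g, "");  // CDATA markers are plain XHTML escaping
  while (JOIN.test(s)) s = s.replace(JOIN, (m, q, a, b) => q + a + b + q);
  return s.replace(/\\\//g, "/");                  // "<\/script>" -> "</script>"
}

function analyzeSnippet(src) {
  const norm = normalizeSnippet(src);
  const pieces = [], dynamicParts = [], remoteScripts = [];
  let m;
  while ((m = WRITE.exec(norm)) !== null) {
    const lit = LITERAL.exec(m[1]);
    if (lit) pieces.push(lit[2]);                  // literal text written as-is
    else { dynamicParts.push(m[1].trim()); pieces.push("{dynamic}"); }
  }
  const written = pieces.join("");
  while ((m = SCRIPT_SRC.exec(written)) !== null) remoteScripts.push(m[1]);
  return {
    cdataWrapped: /<!\[CDATA\[/.test(src),
    splitScriptTag: /scr["']\s*\+\s*["']ipt/i.test(src),
    writesScriptTag: /<script/i.test(written),
    written, dynamicParts, remoteScripts,
  };
}

// Constructed stand-in for the pastebin snippet: a loader that writes a
// <script src=...> tag whose URL carries the referrer.
const SAMPLE = [
  '<script type="text/javascript">',
  '//<![CDATA[',
  'document.write("<scr"+"ipt src=\'http://ads.example/load.js?r=");',
  'document.write(escape(document.referrer));',
  'document.write ("\'><\\/scr"+"ipt>");',
  '//]]>',
  '</script>',
].join("\n");

console.log(JSON.stringify(analyzeSnippet(SAMPLE), null, 2));
```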