Security Incidents mailing list archives
Re: udp and dst port 1026
From: Thomas Preissler <tomjohn () gmx de>
Date: Wed, 3 Dec 2003 13:19:38 +0100
Hello Bill,

* Bill wrote on 02.12.2003:
> Hi all,
>
> Using a sacrificial PC, I surfed over to the web site mentioned in Cedric's packet dump, www.popadstop.com. The web page uses Javascript to obfuscate its contents, but invites users to download and install a free tool that allegedly blocks pop-up spam <g>. I suspect that the user who downloads the tool thereby obtains a Trojan that causes their system to begin sending such invitations to others.
>
> I spent a few minutes trying to unobfuscate the web page, but didn't yet entirely succeed in doing so.
I decrypted it a little bit, these are the unescape-chars:

    // dddss (the encoded text) and l (the lookup alphabet) are set elsewhere in the page's script
    s='';
    for (i=0;i<dddss.length;i++){
      a=l.indexOf(dddss.charAt(i));
      if (a==1) a=9;
      if (a==2) a=10;
      if (a==3) a=13;
      if (a==4) a=34;
      if (a<=31 & a>=14){
        // back-reference: copy a run of text that was already decoded
        off=s.length-(l.indexOf(dddss.charAt(++i))-36+90*(l.indexOf(dddss.charAt(++i))-35))-1;
        lp=off+a-14+4;
        s=s+s.substring(off,lp);
      } else {
        if (a>=41) a=a-1;
        s=s+l.charAt(a);
      }
    };
    document.write(s);

I downloaded the index.html and replaced the "eval()" with "prompt()". Then I copied the shown JavaScript code. Hm, then I inserted that code instead of the "eval()". I got the really decrypted code, but how can I show it properly? Using "prompt()" is not a solution, that's too much code...

By the way: The real code works with "write()" to write the HTML code on the page...

Greets,
Tom
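Added example, not part of the original post or of the page's script: the loop quoted above rewritten as a pure function that returns the decoded text, so it can be printed or saved from a command-line JavaScript runtime instead of going through `prompt()` or `document.write()`. The alphabet and the encoded sample are constructed for illustration (the page's real `l` and `dddss` values are not in the post), and the names `decode`, `printable`, `SAMPLE_ALPHABET` and `SAMPLE_ENCODED` are hypothetical.

```javascript
// Constructed stand-in for the page's alphabet `l` (the real string is not in
// the post): index i holds the character with code i, for 0..127.
const SAMPLE_ALPHABET = Array.from({ length: 128 }, (_, i) => String.fromCharCode(i)).join('');

// Constructed input: five literals, one back-reference, one newline stand-in.
const SAMPLE_ENCODED = '=ue?y\x0e(#\x02';

// Same steps as the quoted loop, plus checks for malformed input. The result is
// returned instead of being handed to document.write(), so nothing is rendered.
function decode(encoded, alphabet) {
  const specials = { 1: 9, 2: 10, 3: 13, 4: 34 }; // tab, LF, CR, double quote
  let out = '';
  for (let i = 0; i < encoded.length; i++) {
    let a = alphabet.indexOf(encoded.charAt(i));
    if (a < 0) throw new Error(`symbol at position ${i} is not in the alphabet`);
    if (a in specials) a = specials[a];
    if (a >= 14 && a <= 31) {
      // Back-reference: copy a-10 characters that were already written.
      if (i + 2 >= encoded.length) throw new Error(`truncated back-reference at ${i}`);
      const lo = alphabet.indexOf(encoded.charAt(++i)) - 36;
      const hi = alphabet.indexOf(encoded.charAt(++i)) - 35;
      const off = out.length - (lo + 90 * hi) - 1;
      if (off < 0) throw new Error(`back-reference before start of output at ${i}`);
      out += out.substring(off, off + a - 14 + 4);
    } else {
      if (a >= 41) a -= 1; // indexes from 41 up are shifted down by one
      out += alphabet.charAt(a);
    }
  }
  return out;
}

// Show the decoded text with control characters escaped, for reading or saving.
function printable(text) {
  return JSON.stringify(text);
}

console.log(printable(decode(SAMPLE_ENCODED, SAMPLE_ALPHABET)));
```

With the real alphabet and encoded string pasted in from a saved copy of the page, the same call yields the HTML that the page would otherwise write into the document.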