Friday, 20 April 2012
As usual, this only covers the basics needed to determine where it's going.
In short, my friend and fellow MDL admin Holger and I were sent a URL via the Malware Domain List contact form, letting us know the user had picked up a rather nasty trojan. You can already guess what the payload is, so I'm not going to cover that; instead, I'm only going to show you how to actually decode the code that's been popped on your site.
The code is usually placed in the .js files. Quite why is baffling, as it makes it easy to find, but what the heck, it saves me work. In this case:
To decode this, all you need to do is pop it into Malzilla's decoder window and modify it so it becomes:
Click "Run Script", and voilà - you can see where it redirects the victim to. From here, you can follow it manually if you so wish (and remember - these things only allow access once per IP, so ensure you're recording everything if you follow it, or have a few extra IPs to hand).
You could clean up the code a bit to remove parts not required to decode it, but there's no point removing any more than necessary.
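The decoding step above, as an added example that is not code from the original post: the same trick Malzilla's decoder window relies on (run the injected script with eval swapped for something that shows its argument instead of executing it), written as a small Node.js harness that peels nested eval layers and pulls out the redirect target. Everything in it is an assumption for illustration: the injected script is a constructed sample of the char-code-array style, `document` and `window` are stubs, and the redirect destination is a placeholder under the reserved `.invalid` TLD, not a real indicator from the post.

```javascript
// Added example (not from the original post): a Node.js harness for the
// decoding step described above. Malzilla lets you edit the injected script
// so that eval's argument is shown instead of run; here eval is shadowed by a
// function that records what it was given, one layer at a time.
// The injected script below is CONSTRUCTED for illustration, and the redirect
// target is a placeholder (.invalid TLD), not a real indicator.

// Constructed sample of the kind of code appended to a site's .js files:
// a char-code array rebuilt with String.fromCharCode and handed to eval.
// It decodes to: document.location="http://placeholder.invalid/";
const INJECTED_SAMPLE = [
  'var q=[100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,',
  '34,104,116,116,112,58,47,47,112,108,97,99,101,104,111,108,100,101,114,46,',
  '105,110,118,97,108,105,100,47,34,59];',
  'var s="";',
  'for(var i=0;i<q.length;i++){s+=String.fromCharCode(q[i]);}',
  'eval(s);',
].join('\n');

// Run one layer of the script with eval replaced by a recorder. The script is
// wrapped in a sloppy-mode Function so that a parameter named `eval` shadows
// the real one; document and window are stubs so nothing can navigate or write
// to a page. Returns what the layer handed to eval and to document.write, plus
// any error it raised (e.g. a reference to a DOM object we did not stub).
function runLayer(src) {
  const evaled = [];
  const written = [];
  const fakeEval = (code) => { evaled.push(String(code)); };
  const fakeDocument = { write: (s) => { written.push(String(s)); }, location: '' };
  const fakeWindow = { location: '' };
  let error = null;
  try {
    const fn = new Function('eval', 'document', 'window', src);
    fn(fakeEval, fakeDocument, fakeWindow);
  } catch (e) {
    error = e.message;
  }
  return { evaled, written, error };
}

// Peel eval layers until the script no longer hands anything to eval.
// maxLayers guards against a script that keeps re-encoding itself.
function decodeLayers(src, maxLayers = 10) {
  const layers = [];
  let current = src;
  for (let i = 0; i < maxLayers; i++) {
    const result = runLayer(current);
    if (!result.error && result.evaled.length === 0 && result.written.length === 0) break;
    layers.push(result);
    if (result.evaled.length === 0) break; // nothing further to peel
    current = result.evaled.join('\n');
  }
  return layers;
}

// Assignment forms commonly used to send the victim elsewhere.
const LOCATION_RE = /(?:document|window|top|self)\.location(?:\.href)?\s*=\s*["']([^"']+)["']/;

// Return the first redirect destination found in any decoded layer, or null.
function findRedirect(src) {
  for (const layer of decodeLayers(src)) {
    for (const text of [...layer.evaled, ...layer.written]) {
      const m = LOCATION_RE.exec(text);
      if (m) return m[1];
    }
  }
  return null;
}

// Human-readable summary of the decoding, one entry per layer.
function report(src) {
  const lines = [];
  decodeLayers(src).forEach((layer, i) => {
    lines.push(`layer ${i}: eval=${JSON.stringify(layer.evaled)} write=${JSON.stringify(layer.written)}` +
               (layer.error ? ` error=${layer.error}` : ''));
  });
  lines.push(`redirect: ${findRedirect(src)}`);
  return lines.join('\n');
}

console.log(report(INJECTED_SAMPLE));
```

Because the script runs with real stubs rather than a regex over the source, this handles the usual tricks (arithmetic on char codes, string reversal, split/join) without having to understand each one; only the final `eval` boundary matters. A layer that references something not stubbed shows up as an `error` entry, which tells you which object to stub next.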
Oh and Google, this new editor is absolutely rubbish!
I meant to mention, those seeing this code should be familiar not only with the code, but also with the IP this one redirects to - it was involved in the TimThumb issue last year too:
Posted by MysteryFCM at 07:59