Comments on John Sokol's Blog: Javascript Phishing Trojan
Comment feed, last updated 2023-09-18T07:56:46.841-07:00. Blog author: John Sokol (http://www.blogger.com/profile/17719400170309249969).

mmengel (https://www.blogger.com/profile/09471743688997451140), 2010-06-14T14:56:23.139-07:00:

There's a good post on StackOverflow.com (http://stackoverflow.com/questions/3012317/what-does-this-suspicious-phishing-code-do) explaining what's going on w/ the JavaScript.

Some of the hosts appear to be clean (I contacted mvblaw.com and lendermedia.com, where it appears that neither knew about the z.htm), others appear to have more malicious intent (askverniek.com and bonenberger.net).

The method is slightly different, but the outcome is virtually the same as what you wrote about in your other post (http://johnsokol.blogspot.com/2010/06/more-self-modifying-javascript.html). In my comment there, I made mention of a comment I wrote here (http://blog.mxlab.eu/2010/06/11/fifa-world-cup-south-africa-bad-news-emails-leads-reader-to-host-with-malware/) w/ some links for explanation and for complaining.

Anonymous, 2010-06-10T15:13:54.396-07:00:

Just a quick look at it shows it's downloading something or another from a remote site referenced by the "encoded" part of the script.

Some of the bits are easy to see...

for instance--

'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '')

is just a simple regex replace-- so do the replace yourself...
and you get: http://mvblaw.com/z.htm

'lOovcvavtLi5o5n5' is location

'hqrteqfH' is href

the rest is just sorting out the JavaScript to see what each function leads to another and how they interact... I'd do it but my son's birthday is tonight and I need to leave in 2m roughly :P
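A worked version of the "do the replace yourself" step from the comment above, added here as an example; it is not code from the blog post or from any commenter. Instead of executing the suspicious script, it scans the script text for the `'string'.replace(/[filler]/g, '')` idiom the commenter describes and applies each strip itself, then flags decoded values that look like URLs or DOM property names. The sample script is constructed for this example: its first line reuses the fragment quoted in the comment, while the filler classes `[OvL5]` and `[qtH]` on the other two lines are assumed, chosen so the strings decode to `location` and `href` as the commenter says they do.

```javascript
// Added example (not from the post or the commenters): a static decoder for
// the "pad a string with filler characters, strip them at run time" trick.
// Nothing in the analysed script is executed; we only pattern-match it.

// Constructed sample script. Line 1 is the fragment quoted in the comment;
// the filler classes on lines 2 and 3 are assumed for this example.
const SAMPLE_SCRIPT = [
  "var u = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\\<]/g, '');",
  "var l = 'lOovcvavtLi5o5n5'.replace(/[OvL5]/g, '');",   // assumed filler class
  "var h = 'hqrteqfH'.replace(/[qtH]/g, '');",            // assumed filler class
  "window[l][h] = u;",
].join('\n');

// Matches  'literal'.replace(/[class]/g, '')
// group 1 = the padded literal, group 2 = the body of the character class.
const STRIP_PATTERN = /'([^'\n]*)'\.replace\(\/\[([^\]\n]*)\]\/g,\s*''\)/g;

// Find every strip-replace in the script and compute its result ourselves.
// Returns [{ encoded, filler, decoded }, ...] in source order.
function decodeStripReplaces(script) {
  const results = [];
  for (const m of script.matchAll(STRIP_PATTERN)) {
    const encoded = m[1];
    const filler = m[2];
    let decoded;
    try {
      // Rebuild the same character class the script would use and apply it.
      decoded = encoded.replace(new RegExp('[' + filler + ']', 'g'), '');
    } catch (e) {
      continue; // malformed class in the script; skip rather than guess
    }
    results.push({ encoded, filler, decoded });
  }
  return results;
}

// Indicators a reviewer cares about: hidden URLs and hidden DOM names.
// DOM_NAMES is a small hand-picked list for this example, not exhaustive.
const URL_RE = /^https?:\/\/[^\s'"]+$/i;
const DOM_NAMES = new Set(['location', 'href', 'document', 'write', 'eval', 'src']);

function summarize(script) {
  const decoded = decodeStripReplaces(script).map((r) => r.decoded);
  return {
    urls: decoded.filter((s) => URL_RE.test(s)),
    domNames: decoded.filter((s) => DOM_NAMES.has(s)),
  };
}

// Stand-alone run: report what the sample script hides.
console.log(JSON.stringify(summarize(SAMPLE_SCRIPT), null, 2));
```

Because the decoder never evaluates the script, it can be run over any mail attachment or captured page safely; the two things it surfaces for the sample (a URL and the pair `location`/`href`) are exactly the redirect the commenters worked out by hand.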
John Sokol (https://www.blogger.com/profile/17719400170309249969), 2010-06-10T14:10:56.519-07:00:

> Anonymous said...

Please, can you share the code? What tools/techniques are you using to reverse engineer the JavaScript?

Anonymous, 2010-06-10T14:08:28.462-07:00:

I dissected the code just for fun. It goes to a page at mvblaw.com, which redirects to a Canadian Viagra site.
Enjoy.

John Sokol (https://www.blogger.com/profile/17719400170309249969), 2010-06-10T13:53:49.485-07:00:

I think the misspellings are on purpose to stop spam filters from catching it.

It's one of the few junk mails getting past gmail.com spam filters.

Manuel (http://upboard.up.edu.mx/seguridad), 2010-06-10T13:00:04.061-07:00:

Same thing happened to me. I would really like to know what this JavaScript does...

Chris (http://www.burlingtonitguy.com), 2010-06-10T12:28:24.633-07:00:

Hey,

I work in the IT department at my company, and we've received 4 of these emails so far. Unfortunately I don't know what the JavaScript does either, but the spam email is poorly written, lots of misspellings!

If you google the code, yours is the only site that comes up.

Anonymous, 2010-06-10T12:16:16.760-07:00:

I received the exact same thing. In fact, while trying to research this, I did a google search of the js code, and your blog was the only search result.