Baby, baby!
When Brad went to a web site in search of fluffy clothing for his toddler, little did he know that each web page of that baby site was booby trapped. The bottom of each page contained an obfuscated section framed by comments that claimed that the javascript code was for "Yahoo Counter". Well, it wasn't.
What it did was download a heavily obfuscated Javascript, followed by a download of a PDF with embedded exploit code, followed by a download of an EXE. The EXE has almost no detection (Virustotal) at this time.
The analysis of this case was made a tiny bit more interesting than usual .. because the self defense mechanisms of the obfuscated JavaScript code were pretty good. Whoever wrote this thing probably read my ISC diary on how to patch SpiderMonkey to even untangle obnoxious Javascript. Because when I simply ran the code through my patched Spidermonkey, what I got was:
daniel@debian:~$ js i.js
File i.js Line 68 calls eval with the following parameter:
//Just f**k off...
The ** have been added, of course. Eventually, this protection fell as well though. If you want to make sure your users haven't been "had" likewise while shopping for baby clothes, check your logs for connections to 218.93.202. 61 and 78.110.175. 21 . Don't go there though, both sites are BAD.
Comments